npm - @highstate/k8s - Versions diffs - 0.9.26 → 0.9.28 - Mend

@highstate/k8s 0.9.26 → 0.9.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/chunk-EBX6NFKK.js +168 -0
package/dist/chunk-EBX6NFKK.js.map +1 -0
package/dist/highstate.manifest.json +3 -2
package/dist/index.js +19 -149
package/dist/index.js.map +1 -1
package/dist/units/reduced-access-cluster/index.js +90 -0
package/dist/units/reduced-access-cluster/index.js.map +1 -0
package/package.json +16 -10
package/src/rbac.ts +71 -16
package/src/units/reduced-access-cluster/index.ts +93 -0
package/src/worker.ts +9 -6

package/dist/chunk-EBX6NFKK.js ADDED Viewed

@@ -0,0 +1,168 @@
+import { Secret } from './chunk-KHNUUVL4.js';
+import { getProvider, getNamespaceName } from './chunk-WGMJCZSK.js';
+import { ComponentResource, output, normalizeInputs, interpolate, toPromise } from '@highstate/pulumi';
+import { KubeConfig } from '@kubernetes/client-node';
+import { core, rbac } from '@pulumi/kubernetes';
+import { map, unique } from 'remeda';
+import { stringify } from 'yaml';
+var ClusterAccessScope = class _ClusterAccessScope extends ComponentResource {
+  /**
+   * The cluster entity with the reduced access.
+   */
+  cluster;
+  constructor(name, args, opts) {
+    super("highstate:k8s:ClusterAccessScope", name, args, opts);
+    const { serviceAccount, kubeconfig } = output(args.namespace).cluster.apply((cluster) => {
+      const provider = getProvider(cluster);
+      const namespaceName = output(args.namespace).metadata.name;
+      const serviceAccount2 = new core.v1.ServiceAccount(
+        name,
+        {
+          metadata: {
+            name,
+            namespace: namespaceName
+          }
+        },
+        { provider }
+      );
+      const clusterRole = new rbac.v1.ClusterRole(
+        name,
+        {
+          metadata: {
+            name: interpolate`highstate.${namespaceName}.${name}`,
+            annotations: {
+              "kubernetes.io/description": interpolate`Created by Highstate for the ServiceAccount "${name}" in the namespace "${namespaceName}".`
+            }
+          },
+          rules: normalizeInputs(args.rule, args.rules)
+        },
+        { provider }
+      );
+      const createRoleBinding = (namespace) => {
+        return new rbac.v1.RoleBinding(
+          name,
+          {
+            metadata: { name, namespace },
+            roleRef: {
+              kind: "ClusterRole",
+              name: clusterRole.metadata.name,
+              apiGroup: "rbac.authorization.k8s.io"
+            },
+            subjects: [
+              {
+                kind: "ServiceAccount",
+                name: serviceAccount2.metadata.name,
+                namespace: namespaceName
+              }
+            ]
+          },
+          { provider }
+        );
+      };
+      if (args.allowOriginNamespace ?? true) {
+        createRoleBinding(namespaceName);
+      }
+      output(args.extraNamespaces ?? []).apply(map(getNamespaceName)).apply(map(createRoleBinding));
+      return { serviceAccount: serviceAccount2, kubeconfig: cluster.kubeconfig };
+    });
+    const accessTokenSecret = Secret.create(`${name}-token`, {
+      namespace: args.namespace,
+      type: "kubernetes.io/service-account-token",
+      metadata: {
+        annotations: {
+          "kubernetes.io/service-account.name": serviceAccount.metadata.name
+        }
+      }
+    });
+    this.cluster = output({
+      cluster: output(args.namespace).cluster,
+      kubeconfig,
+      newToken: accessTokenSecret.getValue("token"),
+      serviceAccount: serviceAccount.metadata.name
+    }).apply(({ cluster, kubeconfig: kubeconfig2, newToken, serviceAccount: serviceAccount2 }) => {
+      const config = new KubeConfig();
+      config.loadFromString(kubeconfig2);
+      config.users = [];
+      config.contexts = [];
+      config.addUser({ name: serviceAccount2, token: newToken });
+      config.addContext({
+        name: config.clusters[0].name,
+        cluster: config.clusters[0].name,
+        user: serviceAccount2
+      });
+      config.setCurrentContext(config.clusters[0].name);
+      return {
+        ...cluster,
+        kubeconfig: stringify(JSON.parse(config.exportConfig()))
+      };
+    });
+  }
+  /**
+   * Creates `ClusterAccessScope` for the given resources with the specified verbs.
+   *
+   * All resources must belong to the same namespace in the same cluster.
+   *
+   * @param name The name of the resource and the ServiceAccount.
+   * @param resources The resources to create access scope for.
+   * @param verbs The verbs to allow on the resources.
+   */
+  static async forResources(name, args, opts) {
+    const resolved = await toPromise(
+      output(args.resources).apply(
+        (resources) => resources.map((r) => ({
+          namespaceId: r.namespace.metadata.uid,
+          namespace: r.namespace,
+          metadata: r.metadata,
+          apiVersion: r.apiVersion,
+          kind: r.kind
+        }))
+      )
+    );
+    if (resolved.length === 0) {
+      throw new Error("No resources provided to forResources.");
+    }
+    if (unique(resolved.map((r) => r.namespaceId)).length > 1) {
+      throw new Error("All resources must belong to the same namespace.");
+    }
+    const saNamespaceId = await toPromise(output(args.namespace).metadata.uid);
+    if (resolved[0].namespaceId !== saNamespaceId) {
+      throw new Error("The resources must belong to the same namespace as the ServiceAccount.");
+    }
+    if (args.collectionAccess) {
+      const uniqueTypes = unique(resolved.map((r) => `${r.apiVersion}::${r.kind}`));
+      return new _ClusterAccessScope(
+        name,
+        {
+          namespace: args.namespace,
+          rules: uniqueTypes.map((t) => {
+            const [apiVersion, kind] = t.split("::");
+            return {
+              apiGroups: apiVersion === "v1" ? [""] : [apiVersion.split("/")[0]],
+              resources: [`${kind.toLowerCase()}s`],
+              verbs: args.verbs
+            };
+          })
+        },
+        opts
+      );
+    }
+    return new _ClusterAccessScope(
+      name,
+      {
+        namespace: args.namespace,
+        rules: resolved.map((r) => ({
+          apiGroups: r.apiVersion === "v1" ? [""] : [r.apiVersion.split("/")[0]],
+          resources: [r.kind.toLowerCase() + (r.metadata?.name ? "s" : "")],
+          resourceNames: r.metadata?.name ? [r.metadata.name] : void 0,
+          verbs: args.verbs
+        }))
+      },
+      opts
+    );
+  }
+};
+export { ClusterAccessScope };
+//# sourceMappingURL=chunk-EBX6NFKK.js.map
+//# sourceMappingURL=chunk-EBX6NFKK.js.map

package/dist/chunk-EBX6NFKK.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/rbac.ts"],"names":["serviceAccount","kubeconfig"],"mappings":";;;;;;;;AAqFO,IAAM,kBAAA,GAAN,MAAM,mBAAA,SAA2B,iBAAA,CAAkB;AAAA;AAAA;AAAA;AAAA,EAI/C,OAAA;AAAA,EAET,WAAA,CAAY,IAAA,EAAc,IAAA,EAA8B,IAAA,EAAiC;AACvF,IAAA,KAAA,CAAM,kCAAA,EAAoC,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAE1D,IAAA,MAAM,EAAE,cAAA,EAAgB,UAAA,EAAW,GAAI,MAAA,CAAO,KAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,KAAA,CAAM,CAAA,OAAA,KAAW;AACrF,MAAA,MAAM,QAAA,GAAW,YAAY,OAAO,CAAA;AACpC,MAAA,MAAM,aAAA,GAAgB,MAAA,CAAO,IAAA,CAAK,SAAS,EAAE,QAAA,CAAS,IAAA;AAEtD,MAAA,MAAMA,eAAAA,GAAiB,IAAI,IAAA,CAAK,EAAA,CAAG,cAAA;AAAA,QACjC,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU;AAAA,YACR,IAAA;AAAA,YACA,SAAA,EAAW;AAAA;AACb,SACF;AAAA,QACA,EAAE,QAAA;AAAS,OACb;AAEA,MAAA,MAAM,WAAA,GAAc,IAAI,IAAA,CAAK,EAAA,CAAG,WAAA;AAAA,QAC9B,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,WAAA,CAAA,UAAA,EAAwB,aAAa,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAAA,YACnD,WAAA,EAAa;AAAA,cACX,2BAAA,EAA6B,WAAA,CAAA,6CAAA,EAA2D,IAAI,CAAA,oBAAA,EAAuB,aAAa,CAAA,EAAA;AAAA;AAClI,WACF;AAAA,UACA,KAAA,EAAO,eAAA,CAAgB,IAAA,CAAK,IAAA,EAAM,KAAK,KAAK;AAAA,SAC9C;AAAA,QACA,EAAE,QAAA;AAAS,OACb;AAEA,MAAA,MAAM,iBAAA,GAAoB,CAAC,SAAA,KAA6B;AACtD,QAAA,OAAO,IAAI,KAAK,EAAA,CAAG,WAAA;AAAA,UACjB,IAAA;AAAA,UACA;AAAA,YACE,QAAA,EAAU,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC5B,OAAA,EAAS;AAAA,cACP,IAAA,EAAM,aAAA;AAAA,cACN,IAAA,EAAM,YAAY,QAAA,CAAS,IAAA;AAAA,cAC3B,QAAA,EAAU;AAAA,aACZ;AAAA,YACA,QAAA,EAAU;AAAA,cACR;AAAA,gBACE,IAAA,EAAM,gBAAA;AAAA,gBACN,IAAA,EAAMA,gBAAe,QAAA,CAAS,IAAA;AAAA,gBAC9B,SAAA,EAAW;AAAA;AACb;AACF,WACF;AAAA,UACA,EAAE,QAAA;AAAS,SACb;AAAA,MACF,CAAA;AAEA,MAAA,IAAI,IAAA,CAAK,wBAAwB,IAAA,EAAM;AACrC,QAAA,iBAAA,CAAkB,aAAa,CAAA;AAAA,MACjC;AAEA,MAAA,MAAA,CAAO,IAAA,CAAK,eAAA,IAAmB,EAAE,CAAA,CAC9B,KAAA,CAAM,GAAA,CAAI,gBAAgB,CAAC,CAAA,CAC3B,KAAA,CAAM,GAAA,CAAI,iBAAiB,CAAC,CAAA;AAE/B,MAAA,OAAO,EAAE,cAAA,EAAAA,eAAAA,EAAgB,UAAA,EAAY,QAAQ,UAAA,EAAW;AAAA,IAC1D,CAAC,CAAA;AAED,IAAA,MAAM,iBAAA,GAAoB,MAAA,CAAO,MAAA,CAAO,CAAA,EAAG,IAAI,CAAA,MAAA,CAAA,EAAU;AAAA,MACvD,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,IAAA,EAAM,qCAAA;AAAA,MACN,QAAA,EAAU;AAAA,QACR,WAAA,EAAa;AAAA,UACX,oCAAA,EAAsC,eAAe,QAAA,CAAS;AAAA;AAChE;AACF,KACD,CAAA;AAED,IAAA,IAAA,CAAK,UAAU,MAAA,CAAO;AAAA,MACpB,OAAA,EAAS,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA;AAAA,MAChC,UAAA;AAAA,MACA,QAAA,EAAU,iBAAA,CAAkB,QAAA,CAAS,OAAO,CAAA;AAAA,MAC5C,cAAA,EAAgB,eAAe,QAAA,CAAS;AAAA,KACzC,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,OAAA,EAAS,UAAA,EAAAC,WAAAA,EAAY,QAAA,EAAU,cAAA,EAAAD,eAAAA,EAAe,KAAM;AAC9D,MAAA,MAAM,MAAA,GAAS,IAAI,UAAA,EAAW;AAC9B,MAAA,MAAA,CAAO,eAAeC,WAAU,CAAA;AAGhC,MAAA,MAAA,CAAO,QAAQ,EAAC;AAChB,MAAA,MAAA,CAAO,WAAW,EAAC;AAEnB,MAAA,MAAA,CAAO,QAAQ,EAAE,IAAA,EAAMD,eAAAA,EAAgB,KAAA,EAAO,UAAU,CAAA;AAExD,MAAA,MAAA,CAAO,UAAA,CAAW;AAAA,QAChB,IAAA,EAAM,MAAA,CAAO,QAAA,CAAS,CAAC,CAAA,CAAE,IAAA;AAAA,QACzB,OAAA,EAAS,MAAA,CAAO,QAAA,CAAS,CAAC,CAAA,CAAE,IAAA;AAAA,QAC5B,IAAA,EAAMA;AAAA,OACP,CAAA;AAED,MAAA,MAAA,CAAO,iBAAA,CAAkB,MAAA,CAAO,QAAA,CAAS,CAAC,EAAE,IAAI,CAAA;AAEhD,MAAA,OAAO;AAAA,QACL,GAAG,OAAA;AAAA,QACH,YAAY,SAAA,CAAU,IAAA,CAAK,MAAM,MAAA,CAAO,YAAA,EAAc,CAAC;AAAA,OACzD;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAa,YAAA,CACX,IAAA,EACA,IAAA,EACA,IAAA,EAC6B;AAC7B,IAAA,MAAM,WAAW,MAAM,SAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,KAAA;AAAA,QAAM,CAAA,SAAA,KAC3B,SAAA,CAAU,GAAA,CAAI,CAAA,CAAA,MAAM;AAAA,UAClB,WAAA,EAAa,CAAA,CAAE,SAAA,CAAU,QAAA,CAAS,GAAA;AAAA,UAClC,WAAW,CAAA,CAAE,SAAA;AAAA,UACb,UAAU,CAAA,CAAE,QAAA;AAAA,UACZ,YAAY,CAAA,CAAE,UAAA;AAAA,UACd,MAAM,CAAA,CAAE;AAAA,SACV,CAAE;AAAA;AACJ,KACF;AAEA,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AACzB,MAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,IAC1D;AAEA,IAAA,IAAI,MAAA,CAAO,SAAS,GAAA,CAAI,CAAA,CAAA,KAAK,EAAE,WAAW,CAAC,CAAA,CAAE,MAAA,GAAS,CAAA,EAAG;AACvD,MAAA,MAAM,IAAI,MAAM,kDAAkD,CAAA;AAAA,IACpE;AAEA,IAAA,MAAM,aAAA,GAAgB,MAAM,SAAA,CAAU,MAAA,CAAO,KAAK,SAAS,CAAA,CAAE,SAAS,GAAG,CAAA;AAEzE,IAAA,IAAI,QAAA,CAAS,CAAC,CAAA,CAAE,WAAA,KAAgB,aAAA,EAAe;AAC7C,MAAA,MAAM,IAAI,MAAM,wEAAwE,CAAA;AAAA,IAC1F;AAEA,IAAA,IAAI,KAAK,gBAAA,EAAkB;AAEzB,MAAA,MAAM,WAAA,GAAc,MAAA,CAAO,QAAA,CAAS,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,EAAG,CAAA,CAAE,UAAU,CAAA,EAAA,EAAK,CAAA,CAAE,IAAI,CAAA,CAAE,CAAC,CAAA;AAE1E,MAAA,OAAO,IAAI,mBAAA;AAAA,QACT,IAAA;AAAA,QACA;AAAA,UACE,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAA,EAAO,WAAA,CAAY,GAAA,CAAI,CAAA,CAAA,KAAK;AAC1B,YAAA,MAAM,CAAC,UAAA,EAAY,IAAI,CAAA,GAAI,CAAA,CAAE,MAAM,IAAI,CAAA;AAEvC,YAAA,OAAO;AAAA,cACL,SAAA,EAAW,UAAA,KAAe,IAAA,GAAO,CAAC,EAAE,CAAA,GAAI,CAAC,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,cACjE,WAAW,CAAC,CAAA,EAAG,IAAA,CAAK,WAAA,EAAa,CAAA,CAAA,CAAG,CAAA;AAAA,cACpC,OAAO,IAAA,CAAK;AAAA,aACd;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA;AAAA,OACF;AAAA,IACF;AAEA,IAAA,OAAO,IAAI,mBAAA;AAAA,MACT,IAAA;AAAA,MACA;AAAA,QACE,WAAW,IAAA,CAAK,SAAA;AAAA,QAChB,KAAA,EAAO,QAAA,CAAS,GAAA,CAAI,CAAA,CAAA,MAAM;AAAA,UACxB,SAAA,EAAW,CAAA,CAAE,UAAA,KAAe,IAAA,GAAO,CAAC,EAAE,CAAA,GAAI,CAAC,CAAA,CAAE,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,UACrE,SAAA,EAAW,CAAC,CAAA,CAAE,IAAA,CAAK,WAAA,MAAiB,CAAA,CAAE,QAAA,EAAU,IAAA,GAAO,GAAA,GAAM,EAAA,CAAG,CAAA;AAAA,UAChE,aAAA,EAAe,EAAE,QAAA,EAAU,IAAA,GAAO,CAAC,CAAA,CAAE,QAAA,CAAS,IAAI,CAAA,GAAI,MAAA;AAAA,UACtD,OAAO,IAAA,CAAK;AAAA,SACd,CAAE;AAAA,OACJ;AAAA,MACA;AAAA,KACF;AAAA,EACF;AACF","file":"chunk-EBX6NFKK.js","sourcesContent":["import type { k8s } from \"@highstate/library\"\nimport type { Namespace } from \"./namespace\"\nimport {\n ComponentResource,\n type ComponentResourceOptions,\n type Input,\n type InputArray,\n interpolate,\n normalizeInputs,\n type Output,\n output,\n toPromise,\n} from \"@highstate/pulumi\"\nimport { KubeConfig } from \"@kubernetes/client-node\"\nimport { core, rbac, type types } from \"@pulumi/kubernetes\"\nimport { map, unique } from \"remeda\"\nimport { stringify } from \"yaml\"\nimport { Secret } from \"./secret\"\nimport { getNamespaceName, getProvider, type NamespaceLike, type ScopedResource } from \"./shared\"\n\nexport type ClusterAccessScopeArgs = {\n /**\n * The namespace to locate the ServiceAccount in.\n */\n namespace: Input<Namespace>\n\n /**\n * The RBAC rule to apply to the `ServiceAccount`.\n *\n * It will be used to create ClusterRole.\n */\n rule?: Input<types.input.rbac.v1.PolicyRule>\n\n /**\n * The RBAC rules to apply to the `ServiceAccount`.\n *\n * It will be used to create `ClusterRole`.\n */\n rules?: InputArray<types.input.rbac.v1.PolicyRule>\n\n /**\n * Whether to allow the `ServiceAccount` to access resources in the namespace where it is created.\n *\n * By default, it is set to `true`.\n */\n allowOriginNamespace?: boolean\n\n /**\n * The extra namespaces to bind to the `ClusterRole` and allow `ServiceAccount` to access them\n * with specified `rules`.\n */\n extraNamespaces?: InputArray<NamespaceLike>\n\n /**\n * Whether to create `ClusterRoleBinding` to bind the `ServiceAccount` to the `ClusterRole`.\n *\n * This will allow the `ServiceAccount` to access all namespaces and cluster resources.\n */\n clusterWide?: boolean\n}\n\nexport type ClusterAccessScopeForResourcesArgs = {\n /**\n * The namespace to locate the `ServiceAccount` in.\n */\n namespace: Input<Namespace>\n\n /**\n * The verbs to allow on the resources.\n */\n verbs: string[]\n\n /**\n * The resources to allow verbs on.\n */\n resources: InputArray<ScopedResource>\n\n /**\n * Whether to allow access on the whole collection rather than specific resources.\n *\n * The provided resources in this case will be used to determine the types and api groups only.\n */\n collectionAccess?: boolean\n}\n\nexport class ClusterAccessScope extends ComponentResource {\n /**\n * The cluster entity with the reduced access.\n */\n readonly cluster: Output<k8s.Cluster>\n\n constructor(name: string, args: ClusterAccessScopeArgs, opts?: ComponentResourceOptions) {\n super(\"highstate:k8s:ClusterAccessScope\", name, args, opts)\n\n const { serviceAccount, kubeconfig } = output(args.namespace).cluster.apply(cluster => {\n const provider = getProvider(cluster)\n const namespaceName = output(args.namespace).metadata.name\n\n const serviceAccount = new core.v1.ServiceAccount(\n name,\n {\n metadata: {\n name,\n namespace: namespaceName,\n },\n },\n { provider },\n )\n\n const clusterRole = new rbac.v1.ClusterRole(\n name,\n {\n metadata: {\n name: interpolate`highstate.${namespaceName}.${name}`,\n annotations: {\n \"kubernetes.io/description\": interpolate`Created by Highstate for the ServiceAccount \"${name}\" in the namespace \"${namespaceName}\".`,\n },\n },\n rules: normalizeInputs(args.rule, args.rules),\n },\n { provider },\n )\n\n const createRoleBinding = (namespace: Input<string>) => {\n return new rbac.v1.RoleBinding(\n name,\n {\n metadata: { name, namespace },\n roleRef: {\n kind: \"ClusterRole\",\n name: clusterRole.metadata.name,\n apiGroup: \"rbac.authorization.k8s.io\",\n },\n subjects: [\n {\n kind: \"ServiceAccount\",\n name: serviceAccount.metadata.name,\n namespace: namespaceName,\n },\n ],\n },\n { provider },\n )\n }\n\n if (args.allowOriginNamespace ?? true) {\n createRoleBinding(namespaceName)\n }\n\n output(args.extraNamespaces ?? [])\n .apply(map(getNamespaceName))\n .apply(map(createRoleBinding))\n\n return { serviceAccount, kubeconfig: cluster.kubeconfig }\n })\n\n const accessTokenSecret = Secret.create(`${name}-token`, {\n namespace: args.namespace,\n type: \"kubernetes.io/service-account-token\",\n metadata: {\n annotations: {\n \"kubernetes.io/service-account.name\": serviceAccount.metadata.name,\n },\n },\n })\n\n this.cluster = output({\n cluster: output(args.namespace).cluster,\n kubeconfig,\n newToken: accessTokenSecret.getValue(\"token\"),\n serviceAccount: serviceAccount.metadata.name,\n }).apply(({ cluster, kubeconfig, newToken, serviceAccount }) => {\n const config = new KubeConfig()\n config.loadFromString(kubeconfig)\n\n // clear all existing contexts and users\n config.users = []\n config.contexts = []\n\n config.addUser({ name: serviceAccount, token: newToken })\n\n config.addContext({\n name: config.clusters[0].name,\n cluster: config.clusters[0].name,\n user: serviceAccount,\n })\n\n config.setCurrentContext(config.clusters[0].name)\n\n return {\n ...cluster,\n kubeconfig: stringify(JSON.parse(config.exportConfig())),\n }\n })\n }\n\n /**\n * Creates `ClusterAccessScope` for the given resources with the specified verbs.\n *\n * All resources must belong to the same namespace in the same cluster.\n *\n * @param name The name of the resource and the ServiceAccount.\n * @param resources The resources to create access scope for.\n * @param verbs The verbs to allow on the resources.\n */\n static async forResources(\n name: string,\n args: ClusterAccessScopeForResourcesArgs,\n opts?: ComponentResourceOptions,\n ): Promise<ClusterAccessScope> {\n const resolved = await toPromise(\n output(args.resources).apply(resources =>\n resources.map(r => ({\n namespaceId: r.namespace.metadata.uid,\n namespace: r.namespace,\n metadata: r.metadata,\n apiVersion: r.apiVersion,\n kind: r.kind,\n })),\n ),\n )\n\n if (resolved.length === 0) {\n throw new Error(\"No resources provided to forResources.\")\n }\n\n if (unique(resolved.map(r => r.namespaceId)).length > 1) {\n throw new Error(\"All resources must belong to the same namespace.\")\n }\n\n const saNamespaceId = await toPromise(output(args.namespace).metadata.uid)\n\n if (resolved[0].namespaceId !== saNamespaceId) {\n throw new Error(\"The resources must belong to the same namespace as the ServiceAccount.\")\n }\n\n if (args.collectionAccess) {\n // when collection access is requested, we only need to know the types and api groups\n const uniqueTypes = unique(resolved.map(r => `${r.apiVersion}::${r.kind}`))\n\n return new ClusterAccessScope(\n name,\n {\n namespace: args.namespace,\n rules: uniqueTypes.map(t => {\n const [apiVersion, kind] = t.split(\"::\")\n\n return {\n apiGroups: apiVersion === \"v1\" ? [\"\"] : [apiVersion.split(\"/\")[0]],\n resources: [`${kind.toLowerCase()}s`],\n verbs: args.verbs,\n }\n }),\n },\n opts,\n )\n }\n\n return new ClusterAccessScope(\n name,\n {\n namespace: args.namespace,\n rules: resolved.map(r => ({\n apiGroups: r.apiVersion === \"v1\" ? [\"\"] : [r.apiVersion.split(\"/\")[0]],\n resources: [r.kind.toLowerCase() + (r.metadata?.name ? \"s\" : \"\")],\n resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,\n verbs: args.verbs,\n })),\n },\n opts,\n )\n }\n}\n"]}

package/dist/highstate.manifest.json CHANGED Viewed

@@ -7,7 +7,8 @@
     "./dist/units/dns01-issuer/index.js": 2212294583,
     "./dist/units/existing-cluster/index.js": 2212294583,
     "./dist/units/gateway-api/index.js": 2212294583,
-    "./dist/impl/gateway-route.js": 1435582042,
-    "./dist/impl/tls-certificate.js": 1974375171
+    "./dist/units/reduced-access-cluster/index.js": 2212294583,
+    "./dist/impl/gateway-route.js": 3163300938,
+    "./dist/impl/tls-certificate.js": 1653334405
   }
 }

package/dist/index.js CHANGED Viewed

@@ -1,25 +1,25 @@
+export { Gateway, HttpRoute, mapHttpRouteRuleMatch, resolveBackendRef } from './chunk-UF3ADZGM.js';
 export { Chart, RenderedChart, getChartService, getChartServiceOutput, resolveHelmChart } from './chunk-7CAKYZQ4.js';
+export { dns01SolverMediator } from './chunk-HH2JJELM.js';
+import { ClusterAccessScope } from './chunk-EBX6NFKK.js';
+export { ClusterAccessScope } from './chunk-EBX6NFKK.js';
 export { Deployment } from './chunk-PODFA5KM.js';
 export { StatefulSet } from './chunk-5BNGVYWY.js';
 import { Workload, getWorkloadComponents, ConfigMap } from './chunk-OEGSMSYV.js';
 export { ConfigMap, ExposableWorkload, NativeNetworkPolicy, NetworkPolicy, PersistentVolumeClaim, Workload, exposableWorkloadExtraArgs, getAutoVolumeName, getBestEndpoint, getExposableWorkloadComponents, getWorkloadComponents, getWorkloadVolumeResourceUuid, mapContainerEnvironment, mapContainerToRaw, mapEnvironmentSource, mapVolumeMount, mapWorkloadVolume, networkPolicyMediator, podSpecDefaults, requireBestEndpoint, workloadExtraArgs } from './chunk-OEGSMSYV.js';
-export { dns01SolverMediator } from './chunk-HH2JJELM.js';
-export { createK8sTerminal, detectExternalIps } from './chunk-O3ZNJMTN.js';
-export { Gateway, HttpRoute, mapHttpRouteRuleMatch, resolveBackendRef } from './chunk-UF3ADZGM.js';
 export { Service, getServiceType, isEndpointFromCluster, l4EndpointToServicePort, mapContainerPortToServicePort, mapServiceToLabelSelector } from './chunk-SI7X6N46.js';
-import { Secret } from './chunk-KHNUUVL4.js';
 export { Secret } from './chunk-KHNUUVL4.js';
-import { commonExtraArgs, Namespace, mapMetadata, getProvider, getNamespaceName, images_exports } from './chunk-WGMJCZSK.js';
+export { createK8sTerminal, detectExternalIps } from './chunk-O3ZNJMTN.js';
+import { commonExtraArgs, Namespace, mapMetadata, getProvider, images_exports } from './chunk-WGMJCZSK.js';
 export { Namespace, ScopedResource, commonExtraArgs, getNamespaceName, getProvider, getProviderAsync, images_exports as images, mapMetadata, mapNamespaceNameToSelector, mapSelectorLikeToSelector, validateCluster } from './chunk-WGMJCZSK.js';
 import './chunk-PZ5AY32C.js';
 import { getOrCreate, text, trimIndentation } from '@highstate/contract';
-import { output, interpolate, toPromise, ComponentResource, normalizeInputs, normalize } from '@highstate/pulumi';
-import { batch, core, rbac } from '@pulumi/kubernetes';
+import { output, interpolate, toPromise, normalize } from '@highstate/pulumi';
+import { batch } from '@pulumi/kubernetes';
 import { deepmerge } from 'deepmerge-ts';
-import { omit, map, unique, omitBy, mapValues, merge } from 'remeda';
-import { KubeConfig } from '@kubernetes/client-node';
+import { omit, omitBy, mapValues, merge } from 'remeda';
 import { parseL34Endpoint } from '@highstate/common';
-import { ComponentResource as ComponentResource$1, output as output$1 } from '@pulumi/pulumi';
+import { ComponentResource, output as output$1 } from '@pulumi/pulumi';
 import { serializeFunction } from '@pulumi/pulumi/runtime/index.js';
 import { readPackageJSON } from 'pkg-types';
@@ -602,137 +602,6 @@ var ExternalJob = class extends Job {
     );
   }
 };
-var ClusterAccessScope = class _ClusterAccessScope extends ComponentResource {
-  /**
-   * The cluster entity with the reduced access.
-   */
-  cluster;
-  constructor(name, args, opts) {
-    super("highstate:k8s:ClusterAccessScope", name, args, opts);
-    const { serviceAccount, kubeconfig } = output(args.namespace).cluster.apply((cluster) => {
-      const provider = getProvider(cluster);
-      const namespaceName = output(args.namespace).metadata.name;
-      const serviceAccount2 = new core.v1.ServiceAccount(
-        name,
-        {
-          metadata: {
-            name,
-            namespace: namespaceName
-          }
-        },
-        { provider }
-      );
-      const clusterRole = new rbac.v1.ClusterRole(
-        name,
-        {
-          metadata: {
-            name: interpolate`highstate.${namespaceName}.${name}`,
-            annotations: {
-              "kubernetes.io/description": interpolate`Created by Highstate for the ServiceAccount "${name}" in the namespace "${namespaceName}".`
-            }
-          },
-          rules: normalizeInputs(args.rule, args.rules)
-        },
-        { provider }
-      );
-      const createRoleBinding = (namespace) => {
-        return new rbac.v1.RoleBinding(
-          name,
-          {
-            metadata: { name, namespace },
-            roleRef: {
-              kind: "ClusterRole",
-              name: clusterRole.metadata.name,
-              apiGroup: "rbac.authorization.k8s.io"
-            },
-            subjects: [
-              {
-                kind: "ServiceAccount",
-                name: serviceAccount2.metadata.name,
-                namespace: namespaceName
-              }
-            ]
-          },
-          { provider }
-        );
-      };
-      if (args.allowOriginNamespace ?? true) {
-        createRoleBinding(namespaceName);
-      }
-      output(args.extraNamespaces ?? []).apply(map(getNamespaceName)).apply(map(createRoleBinding));
-      return { serviceAccount: serviceAccount2, kubeconfig: cluster.kubeconfig };
-    });
-    const accessTokenSecret = Secret.create(`${name}-token`, {
-      namespace: args.namespace,
-      type: "kubernetes.io/service-account-token",
-      metadata: {
-        annotations: {
-          "kubernetes.io/service-account.name": serviceAccount.metadata.name
-        }
-      }
-    });
-    this.cluster = output({
-      cluster: output(args.namespace).cluster,
-      kubeconfig,
-      newToken: accessTokenSecret.getValue("token"),
-      serviceAccount: serviceAccount.metadata.name
-    }).apply(({ cluster, kubeconfig: kubeconfig2, newToken, serviceAccount: serviceAccount2 }) => {
-      const config = new KubeConfig();
-      config.loadFromString(kubeconfig2);
-      config.users = [];
-      config.contexts = [];
-      config.addUser({ name: serviceAccount2, token: newToken });
-      config.addContext({
-        name: config.clusters[0].name,
-        cluster: config.clusters[0].name,
-        user: serviceAccount2
-      });
-      config.setCurrentContext(config.clusters[0].name);
-      return {
-        ...cluster,
-        kubeconfig: config.exportConfig()
-      };
-    });
-  }
-  /**
-   * Creates `ClusterAccessScope` for the given resources with the specified verbs.
-   *
-   * All resources must belong to the same namespace in the same cluster.
-   *
-   * @param name The name of the resource and the ServiceAccount.
-   * @param resources The resources to create access scope for.
-   * @param verbs The verbs to allow on the resources.
-   */
-  static async forResources(name, resources, verbs) {
-    const resolved = await toPromise(
-      output(resources).apply(
-        (resources2) => resources2.map((r) => ({
-          namespaceId: r.namespace.metadata.uid,
-          namespace: r.namespace,
-          metadata: r.metadata,
-          apiVersion: r.apiVersion,
-          kind: r.kind
-        }))
-      )
-    );
-    if (resolved.length === 0) {
-      throw new Error("No resources provided to forResources.");
-    }
-    if (unique(resolved.map((r) => r.namespaceId)).length !== 1) {
-      throw new Error("All resources must belong to the same namespace.");
-    }
-    return new _ClusterAccessScope(name, {
-      namespace: resolved[0].namespace,
-      rules: resolved.map((r) => ({
-        apiGroups: r.apiVersion === "v1" ? [""] : [r.apiVersion.split("/")[0]],
-        resources: [r.kind.toLowerCase() + (r.metadata?.name ? "s" : "")],
-        // TODO: critical
-        // resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,
-        verbs
-      }))
-    });
-  }
-};
 // src/scripting/environment.ts
 var emptyDistributionEnvironment = {
@@ -775,7 +644,7 @@ var functionScriptImages = {
 };
 // src/scripting/bundle.ts
-var ScriptBundle = class extends ComponentResource$1 {
+var ScriptBundle = class extends ComponentResource {
   /**
    * The config map containing the scripts.
    */
@@ -1033,12 +902,13 @@ function createScriptContainer(options) {
     };
   });
 }
-async function createMonitorWorker(resources) {
-  const scope = await ClusterAccessScope.forResources("monitor", resources, [
-    "get",
-    "list",
-    "watch"
-  ]);
+async function createMonitorWorker(namespace, resources) {
+  const scope = await ClusterAccessScope.forResources("monitor", {
+    namespace,
+    resources,
+    verbs: ["get", "list", "watch"],
+    collectionAccess: true
+  });
   return output$1({
     name: "monitor",
     image: images_exports["worker-k8s-monitor"].image,
@@ -1049,6 +919,6 @@ async function createMonitorWorker(resources) {
   });
 }
-export { ClusterAccessScope, CronJob, Job, ScriptBundle, createMonitorWorker, createScriptContainer, emptyScriptEnvironment, functionScriptImages };
+export { CronJob, Job, ScriptBundle, createMonitorWorker, createScriptContainer, emptyScriptEnvironment, functionScriptImages };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/cron-job.ts","../src/job.ts","../src/rbac.ts","../src/scripting/environment.ts","../src/scripting/bundle.ts","../src/scripting/container.ts","../src/worker.ts"],"names":["args","podTemplate","output","interpolate","getOrCreate","toPromise","batch","deepmerge","omit","serviceAccount","kubeconfig","resources","ComponentResource","scriptEnvironment","hasFunctionScripts","options"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAkDO,IAAe,OAAA,GAAf,MAAe,QAAA,SAAgB,QAAA,CAAS;AAAA,EACnC,WAAA,CACR,IAAA,EACA,IAAA,EACA,IAAA,EACA,IAAA,EAEA,UAAA,EACA,IAAA,EACA,YAAA,EACA,UAAA,EACA,SAAA,EACA,QAAA,EACA,aAAA,EAKS,MAKA,MAAA,EACT;AACA,IAAA,KAAA;AAAA,MACE,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,UAAA;AAAA,MACA,IAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AAnBS,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAKA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAeX;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAA,GAAqC;AACvC,IAAA,OAAO,MAAA,CAAO;AAAA,MACZ,IAAA,EAAM,UAAA;AAAA,MACN,SAAA,EAAW,KAAK,OAAA,CAAQ,EAAA;AAAA,MACxB,WAAA,EAAa,KAAK,OAAA,CAAQ,IAAA;AAAA,MAC1B,UAAU,IAAA,CAAK;AAAA,KAChB,CAAA;AAAA,EACH;AAAA,EAEU,eAAA,GAAgD;AACxD,IAAA,OAAO,MAAA,CAAO;AAAA,MACZ,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa,WAAA,CAAA,UAAA,EAAwB,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA,CAAA;AAAA,MACvD,WAAA,EAAa,gCAAA;AAAA,MACb,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAAA,EAEA,IAAc,YAAA,GAAuB;AACnC,IAAA,OAAO,SAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,MAAA,CAAO,IAAA,EAAc,IAAA,EAAmB,IAAA,EAA0C;AACvF,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,aAAA,CACL,IAAA,EACA,IAAA,EACA,IAAA,EACS;AACT,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,IAAI,aAAa,IAAA,EAAM;AAAA,QAC5B,GAAG,IAAA;AAAA,QACH,IAAA,EAAM,MAAA,CAAO,IAAA,CAAK,QAAQ,EAAE,QAAA,CAAS,IAAA;AAAA,QACrC,SAAA,EAAW,UAAU,gBAAA,CAAiB,IAAA,CAAK,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO;AAAA,OACpF,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,aAAa,WAAA,CACX,IAAA,EACA,IAAA,EACA,IAAA,EACkB;AAClB,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,MAAM,SAAQ,QAAA,CAAS,IAAA,CAAK,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO,CAAA;AAAA,IAC7E;AAEA,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,KAAA,CAAM,IAAA,EAAc,IAAA,EAAmB,IAAA,EAA0C;AACtF,IAAA,OAAO,IAAI,YAAA,CAAa,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,IAAA,CAAK,IAAA,EAAc,IAAA,EAA0B,IAAA,EAA0C;AAC5F,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,GAAA,CAAI,IAAA,EAAc,IAAA,EAA2B,IAAA,EAA0C;AAC5F,IAAA,OAAO,IAAI,eAAA,CAAgB,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC7C;AAAA,EAEA,OAAwB,YAAA,mBAAe,IAAI,GAAA,EAAqB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAahE,OAAO,GAAA,CAAI,MAAA,EAA4B,OAAA,EAAsC;AAC3E,IAAA,OAAO,WAAA;AAAA,MACL,QAAA,CAAQ,YAAA;AAAA,MACR,CAAA,EAAG,MAAA,CAAO,WAAW,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,SAAS,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,OAAO,SAAS,CAAA,CAAA;AAAA,MAC9F,CAAA,IAAA,KAAQ;AACN,QAAA,OAAO,QAAA,CAAQ,IAAI,IAAA,EAAM;AAAA,UACvB,IAAA,EAAM,OAAO,QAAA,CAAS,IAAA;AAAA,UACtB,SAAA,EAAW,SAAA,CAAU,WAAA,CAAY,MAAA,EAAQ,OAAO;AAAA,SACjD,CAAA;AAAA,MACH;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,aAAa,QAAA,CACX,MAAA,EACA,OAAA,EACkB;AAClB,IAAA,MAAM,cAAA,GAAiB,MAAM,SAAA,CAAU,MAAM,CAAA;AAC7C,IAAA,OAAO,QAAA,CAAQ,GAAA,CAAI,cAAA,EAAgB,OAAO,CAAA;AAAA,EAC5C;AACF;AAEA,IAAM,gBAAA,GAAmB,CAAC,GAAG,eAAA,EAAiB,aAAa,YAAY,CAAA;AAEvE,IAAM,cAAA,GAAN,cAA6B,OAAA,CAAQ;AAAA,EACnC,WAAA,CAAY,IAAA,EAAc,IAAA,EAAmB,IAAA,EAAiC;AAC5E,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC9D,MAAA,OAAO,IAAI,MAAM,EAAA,CAAG,OAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAM,MAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAA,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAO,SAAA;AAAA,cACL;AAAA,gBACE,WAAA,EAAa;AAAA,kBACX,IAAA,EAAM;AAAA,oBACJ,QAAA,EAAU,SAAA;AAAA,sBACR;AAAA,wBACE,IAAA,EAAM;AAAA,0BACJ,aAAA,EAAe;AAAA;AACjB,uBACF;AAAA,sBACAA;AAAA;AACF;AACF,iBACF;AAAA,gBACA,UAAUD,KAAAA,CAAK;AAAA,eACjB;AAAA,cACA,IAAA,CAAKA,OAAM,gBAAgB;AAAA,aAC7B;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA;AAAA,UACE,GAAG,IAAA;AAAA,UACH,MAAA,EAAQ,IAAA;AAAA,UACR,QAAA,EAAU,YAAY,OAAO;AAAA;AAC/B,OACF;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,uBAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,IAAA;AAAA,MACR,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACA,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,OAAA,CAAQ,QAAA;AAAA,MACR,aAAA;AAAA,MAEA,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AACF,CAAA;AAEA,IAAM,YAAA,GAAN,cAA2B,OAAA,CAAQ;AAAA,EACjC,WAAA,CAAY,IAAA,EAAc,IAAA,EAAmB,IAAA,EAAiC;AAC5E,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC9D,MAAA,OAAO,IAAI,MAAM,EAAA,CAAG,YAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAM,MAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAA,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAO,SAAA;AAAA,cACL;AAAA,gBACE,WAAA,EAAa;AAAA,kBACX,IAAA,EAAM;AAAA,oBACJ,QAAA,EAAUA;AAAA;AACZ,iBACF;AAAA,gBACA,UAAUD,KAAAA,CAAK;AAAA,eACjB;AAAA,cACA,IAAA,CAAKA,OAAM,gBAAgB;AAAA,aAC7B;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA;AAAA,UACE,GAAG,IAAA;AAAA,UACH,MAAA,EAAQ,IAAA;AAAA,UACR,QAAA,EAAU,YAAY,OAAO;AAAA;AAC/B,OACF;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,4BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,IAAA;AAAA,MACR,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACA,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,OAAA,CAAQ,QAAA;AAAA,MACR,aAAA;AAAA,MAEA,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AACF,CAAA;AAmBA,IAAM,cAAA,GAAN,cAA6B,OAAA,CAAQ;AAAA,EACnC,WAAA,CAAY,IAAA,EAAc,IAAA,EAA0B,IAAA,EAAiC;AACnF,IAAA,KAAA;AAAA,MACE,8BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,UAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,MAAA,CAAO,EAAE,CAAA;AAAA,MACT,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,QAAA;AAAA,MACrB,OAAO,MAAS,CAAA;AAAA,MAEhB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE;AAAA,KACvB;AAAA,EACF;AACF,CAAA;AAcA,IAAM,eAAA,GAAN,cAA8B,OAAA,CAAQ;AAAA,EACpC,WAAA,CAAY,IAAA,EAAc,IAAA,EAA2B,IAAA,EAAiC;AACpF,IAAA,MAAM,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC9D,MAAA,OAAO,KAAA,CAAM,GAAG,OAAA,CAAQ,GAAA;AAAA,QACtB,IAAA;AAAA,QACA,WAAA,CAAA,EAAc,OAAO,IAAA,CAAK,SAAS,EAAE,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAA;AAAA,QAC/D,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,+BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,IAAA;AAAA,MACR,MAAA,CAAO,EAAE,CAAA;AAAA,MACT,MAAA,CAAO,EAAE,CAAA;AAAA,MACT,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,OAAA,CAAQ,QAAA;AAAA,MACR,OAAO,MAAS,CAAA;AAAA,MAEhB,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AACF,CAAA;AC3YO,IAAe,GAAA,GAAf,MAAe,IAAA,SAAY,QAAA,CAAS;AAAA,EAC/B,WAAA,CACR,IAAA,EACA,IAAA,EACA,IAAA,EACA,IAAA,EAEA,UAAA,EACA,IAAA,EACA,YAAA,EACA,UAAA,EACA,SAAA,EACA,QAAA,EACA,aAAA,EAKS,MAKA,MAAA,EACT;AACA,IAAA,KAAA;AAAA,MACE,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,UAAA;AAAA,MACA,IAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AAnBS,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAKA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAeX;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAA,GAAqC;AACvC,IAAA,OAAOE,MAAAA,CAAO;AAAA,MACZ,IAAA,EAAM,KAAA;AAAA,MACN,SAAA,EAAW,KAAK,OAAA,CAAQ,EAAA;AAAA,MACxB,WAAA,EAAa,KAAK,OAAA,CAAQ,IAAA;AAAA,MAC1B,UAAU,IAAA,CAAK;AAAA,KAChB,CAAA;AAAA,EACH;AAAA,EAEU,eAAA,GAAgD;AACxD,IAAA,OAAOA,MAAAA,CAAO;AAAA,MACZ,KAAA,EAAO,KAAA;AAAA,MACP,WAAA,EAAaC,WAAAA,CAAAA,MAAAA,EAAoB,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA,CAAA;AAAA,MACnD,WAAA,EAAa,2BAAA;AAAA,MACb,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAAA,EAEA,IAAc,YAAA,GAAuB;AACnC,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,MAAA,CAAO,IAAA,EAAc,IAAA,EAAe,IAAA,EAAsC;AAC/E,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,aAAA,CACL,IAAA,EACA,IAAA,EACA,IAAA,EACK;AACL,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,IAAI,SAAS,IAAA,EAAM;AAAA,QACxB,GAAG,IAAA;AAAA,QACH,IAAA,EAAMD,MAAAA,CAAO,IAAA,CAAK,QAAQ,EAAE,QAAA,CAAS,IAAA;AAAA,QACrC,SAAA,EAAW,UAAU,gBAAA,CAAiB,IAAA,CAAK,UAAUA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO;AAAA,OACpF,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,aAAa,WAAA,CACX,IAAA,EACA,IAAA,EACA,IAAA,EACc;AACd,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,MAAM,KAAI,QAAA,CAAS,IAAA,CAAK,UAAUA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO,CAAA;AAAA,IACzE;AAEA,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,KAAA,CAAM,IAAA,EAAc,IAAA,EAAe,IAAA,EAAsC;AAC9E,IAAA,OAAO,IAAI,QAAA,CAAS,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,IAAA,CAAK,IAAA,EAAc,IAAA,EAAsB,IAAA,EAAsC;AACpF,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,GAAA,CAAI,IAAA,EAAc,IAAA,EAAuB,IAAA,EAAsC;AACpF,IAAA,OAAO,IAAI,WAAA,CAAY,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACzC;AAAA,EAEA,OAAwB,QAAA,mBAAW,IAAI,GAAA,EAAiB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaxD,OAAO,GAAA,CAAI,MAAA,EAA4B,OAAA,EAAkC;AACvE,IAAA,OAAOE,WAAAA;AAAA,MACL,IAAA,CAAI,QAAA;AAAA,MACJ,CAAA,EAAG,MAAA,CAAO,WAAW,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,SAAS,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,OAAO,SAAS,CAAA,CAAA;AAAA,MAC9F,CAAA,IAAA,KAAQ;AACN,QAAA,OAAO,IAAA,CAAI,IAAI,IAAA,EAAM;AAAA,UACnB,IAAA,EAAM,OAAO,QAAA,CAAS,IAAA;AAAA,UACtB,SAAA,EAAW,SAAA,CAAU,WAAA,CAAY,MAAA,EAAQ,OAAO;AAAA,SACjD,CAAA;AAAA,MACH;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,aAAa,QAAA,CACX,MAAA,EACA,OAAA,EACc;AACd,IAAA,MAAM,cAAA,GAAiB,MAAMC,SAAAA,CAAU,MAAM,CAAA;AAC7C,IAAA,OAAO,IAAA,CAAI,GAAA,CAAI,cAAA,EAAgB,OAAO,CAAA;AAAA,EACxC;AACF;AAEA,IAAM,YAAA,GAAe,CAAC,GAAG,eAAA,EAAiB,aAAa,YAAY,CAAA;AAEnE,IAAM,UAAA,GAAN,cAAyB,GAAA,CAAI;AAAA,EAC3B,WAAA,CAAY,IAAA,EAAc,IAAA,EAAe,IAAA,EAAiC;AACxE,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,MAAMH,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC1D,MAAA,OAAO,IAAII,MAAM,EAAA,CAAG,GAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAMJ,MAAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAF,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAOM,SAAAA;AAAA,cACL;AAAA,gBACE,QAAA,EAAUA,SAAAA;AAAA,kBACR;AAAA,oBACE,IAAA,EAAM;AAAA,sBACJ,aAAA,EAAe;AAAA;AACjB,mBACF;AAAA,kBACAN;AAAA;AACF,eACF;AAAA,cACAO,IAAAA,CAAKR,OAAM,YAAY;AAAA,aACzB;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,mBAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,GAAA,CAAI,UAAA;AAAA,MACJ,GAAA,CAAI,IAAA;AAAA,MACJE,MAAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACAA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,GAAA,CAAI,QAAA;AAAA,MACJ,aAAA;AAAA,MAEA,GAAA,CAAI,IAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAAA,EACF;AACF,CAAA;AAEA,IAAM,QAAA,GAAN,cAAuB,GAAA,CAAI;AAAA,EACzB,WAAA,CAAY,IAAA,EAAc,IAAA,EAAe,IAAA,EAAiC;AACxE,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,MAAMA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC1D,MAAA,OAAO,IAAII,MAAM,EAAA,CAAG,QAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAMJ,MAAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAF,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAOM,SAAAA;AAAA,cACL,EAAE,UAAUN,YAAAA,EAAY;AAAA,cACxBO,IAAAA,CAAKR,OAAM,YAAY;AAAA,aACzB;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,wBAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,GAAA,CAAI,UAAA;AAAA,MACJ,GAAA,CAAI,IAAA;AAAA,MACJE,MAAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACAA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,GAAA,CAAI,QAAA;AAAA,MACJ,aAAA;AAAA,MAEA,GAAA,CAAI,IAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAEA,IAAA,IAAA,CAAK,eAAA,CAAgB;AAAA,MACnB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,QAAQ,IAAA,CAAK;AAAA,KACd,CAAA;AAAA,EACH;AACF,CAAA;AAmBA,IAAM,UAAA,GAAN,cAAyB,GAAA,CAAI;AAAA,EAC3B,WAAA,CAAY,IAAA,EAAc,IAAA,EAAsB,IAAA,EAAiC;AAC/E,IAAA,KAAA;AAAA,MACE,0BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEAA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,UAAA;AAAA,MACjBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA;AAAA,MACjBA,MAAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1BA,MAAAA,CAAO,EAAE,CAAA;AAAA,MACTA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,QAAA;AAAA,MACjBA,OAAO,MAAS,CAAA;AAAA,MAEhBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA;AAAA,MACjBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE;AAAA,KACnB;AAAA,EACF;AACF,CAAA;AAcA,IAAM,WAAA,GAAN,cAA0B,GAAA,CAAI;AAAA,EAC5B,WAAA,CAAY,IAAA,EAAc,IAAA,EAAuB,IAAA,EAAiC;AAChF,IAAA,MAAM,MAAMA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC1D,MAAA,OAAOI,KAAAA,CAAM,GAAG,GAAA,CAAI,GAAA;AAAA,QAClB,IAAA;AAAA,QACAH,WAAAA,CAAAA,EAAcD,OAAO,IAAA,CAAK,SAAS,EAAE,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAA;AAAA,QAC/D,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,2BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,GAAA,CAAI,UAAA;AAAA,MACJ,GAAA,CAAI,IAAA;AAAA,MACJA,MAAAA,CAAO,EAAE,CAAA;AAAA,MACTA,MAAAA,CAAO,EAAE,CAAA;AAAA,MACTA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,GAAA,CAAI,QAAA;AAAA,MACJA,OAAO,MAAS,CAAA;AAAA,MAEhB,GAAA,CAAI,IAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAAA,EACF;AACF,CAAA;ACvWO,IAAM,kBAAA,GAAN,MAAM,mBAAA,SAA2B,iBAAA,CAAkB;AAAA;AAAA;AAAA;AAAA,EAI/C,OAAA;AAAA,EAET,WAAA,CAAY,IAAA,EAAc,IAAA,EAA8B,IAAA,EAAiC;AACvF,IAAA,KAAA,CAAM,kCAAA,EAAoC,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAE1D,IAAA,MAAM,EAAE,cAAA,EAAgB,UAAA,EAAW,GAAIA,MAAAA,CAAO,KAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,KAAA,CAAM,CAAA,OAAA,KAAW;AACrF,MAAA,MAAM,QAAA,GAAW,YAAY,OAAO,CAAA;AACpC,MAAA,MAAM,aAAA,GAAgBA,MAAAA,CAAO,IAAA,CAAK,SAAS,EAAE,QAAA,CAAS,IAAA;AAEtD,MAAA,MAAMO,eAAAA,GAAiB,IAAI,IAAA,CAAK,EAAA,CAAG,cAAA;AAAA,QACjC,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU;AAAA,YACR,IAAA;AAAA,YACA,SAAA,EAAW;AAAA;AACb,SACF;AAAA,QACA,EAAE,QAAA;AAAS,OACb;AAEA,MAAA,MAAM,WAAA,GAAc,IAAI,IAAA,CAAK,EAAA,CAAG,WAAA;AAAA,QAC9B,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU;AAAA,YACR,IAAA,EAAMN,WAAAA,CAAAA,UAAAA,EAAwB,aAAa,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAAA,YACnD,WAAA,EAAa;AAAA,cACX,2BAAA,EAA6BA,WAAAA,CAAAA,6CAAAA,EAA2D,IAAI,CAAA,oBAAA,EAAuB,aAAa,CAAA,EAAA;AAAA;AAClI,WACF;AAAA,UACA,KAAA,EAAO,eAAA,CAAgB,IAAA,CAAK,IAAA,EAAM,KAAK,KAAK;AAAA,SAC9C;AAAA,QACA,EAAE,QAAA;AAAS,OACb;AAEA,MAAA,MAAM,iBAAA,GAAoB,CAAC,SAAA,KAA6B;AACtD,QAAA,OAAO,IAAI,KAAK,EAAA,CAAG,WAAA;AAAA,UACjB,IAAA;AAAA,UACA;AAAA,YACE,QAAA,EAAU,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC5B,OAAA,EAAS;AAAA,cACP,IAAA,EAAM,aAAA;AAAA,cACN,IAAA,EAAM,YAAY,QAAA,CAAS,IAAA;AAAA,cAC3B,QAAA,EAAU;AAAA,aACZ;AAAA,YACA,QAAA,EAAU;AAAA,cACR;AAAA,gBACE,IAAA,EAAM,gBAAA;AAAA,gBACN,IAAA,EAAMM,gBAAe,QAAA,CAAS,IAAA;AAAA,gBAC9B,SAAA,EAAW;AAAA;AACb;AACF,WACF;AAAA,UACA,EAAE,QAAA;AAAS,SACb;AAAA,MACF,CAAA;AAEA,MAAA,IAAI,IAAA,CAAK,wBAAwB,IAAA,EAAM;AACrC,QAAA,iBAAA,CAAkB,aAAa,CAAA;AAAA,MACjC;AAEA,MAAAP,MAAAA,CAAO,IAAA,CAAK,eAAA,IAAmB,EAAE,CAAA,CAC9B,KAAA,CAAM,GAAA,CAAI,gBAAgB,CAAC,CAAA,CAC3B,KAAA,CAAM,GAAA,CAAI,iBAAiB,CAAC,CAAA;AAE/B,MAAA,OAAO,EAAE,cAAA,EAAAO,eAAAA,EAAgB,UAAA,EAAY,QAAQ,UAAA,EAAW;AAAA,IAC1D,CAAC,CAAA;AAED,IAAA,MAAM,iBAAA,GAAoB,MAAA,CAAO,MAAA,CAAO,CAAA,EAAG,IAAI,CAAA,MAAA,CAAA,EAAU;AAAA,MACvD,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,IAAA,EAAM,qCAAA;AAAA,MACN,QAAA,EAAU;AAAA,QACR,WAAA,EAAa;AAAA,UACX,oCAAA,EAAsC,eAAe,QAAA,CAAS;AAAA;AAChE;AACF,KACD,CAAA;AAED,IAAA,IAAA,CAAK,UAAUP,MAAAA,CAAO;AAAA,MACpB,OAAA,EAASA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA;AAAA,MAChC,UAAA;AAAA,MACA,QAAA,EAAU,iBAAA,CAAkB,QAAA,CAAS,OAAO,CAAA;AAAA,MAC5C,cAAA,EAAgB,eAAe,QAAA,CAAS;AAAA,KACzC,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,OAAA,EAAS,UAAA,EAAAQ,WAAAA,EAAY,QAAA,EAAU,cAAA,EAAAD,eAAAA,EAAe,KAAM;AAC9D,MAAA,MAAM,MAAA,GAAS,IAAI,UAAA,EAAW;AAC9B,MAAA,MAAA,CAAO,eAAeC,WAAU,CAAA;AAGhC,MAAA,MAAA,CAAO,QAAQ,EAAC;AAChB,MAAA,MAAA,CAAO,WAAW,EAAC;AAEnB,MAAA,MAAA,CAAO,QAAQ,EAAE,IAAA,EAAMD,eAAAA,EAAgB,KAAA,EAAO,UAAU,CAAA;AAExD,MAAA,MAAA,CAAO,UAAA,CAAW;AAAA,QAChB,IAAA,EAAM,MAAA,CAAO,QAAA,CAAS,CAAC,CAAA,CAAE,IAAA;AAAA,QACzB,OAAA,EAAS,MAAA,CAAO,QAAA,CAAS,CAAC,CAAA,CAAE,IAAA;AAAA,QAC5B,IAAA,EAAMA;AAAA,OACP,CAAA;AAED,MAAA,MAAA,CAAO,iBAAA,CAAkB,MAAA,CAAO,QAAA,CAAS,CAAC,EAAE,IAAI,CAAA;AAEhD,MAAA,OAAO;AAAA,QACL,GAAG,OAAA;AAAA,QACH,UAAA,EAAY,OAAO,YAAA;AAAa,OAClC;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAa,YAAA,CACX,IAAA,EACA,SAAA,EACA,KAAA,EAC6B;AAC7B,IAAA,MAAM,WAAW,MAAMJ,SAAAA;AAAA,MACrBH,MAAAA,CAAO,SAAS,CAAA,CAAE,KAAA;AAAA,QAAM,CAAAS,UAAAA,KACtBA,UAAAA,CAAU,GAAA,CAAI,CAAA,CAAA,MAAM;AAAA,UAClB,WAAA,EAAa,CAAA,CAAE,SAAA,CAAU,QAAA,CAAS,GAAA;AAAA,UAClC,WAAW,CAAA,CAAE,SAAA;AAAA,UACb,UAAU,CAAA,CAAE,QAAA;AAAA,UACZ,YAAY,CAAA,CAAE,UAAA;AAAA,UACd,MAAM,CAAA,CAAE;AAAA,SACV,CAAE;AAAA;AACJ,KACF;AAEA,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AACzB,MAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,IAC1D;AAGA,IAAA,IAAI,MAAA,CAAO,SAAS,GAAA,CAAI,CAAA,CAAA,KAAK,EAAE,WAAW,CAAC,CAAA,CAAE,MAAA,KAAW,CAAA,EAAG;AACzD,MAAA,MAAM,IAAI,MAAM,kDAAkD,CAAA;AAAA,IACpE;AAEA,IAAA,OAAO,IAAI,oBAAmB,IAAA,EAAM;AAAA,MAClC,SAAA,EAAW,QAAA,CAAS,CAAC,CAAA,CAAE,SAAA;AAAA,MACvB,KAAA,EAAO,QAAA,CAAS,GAAA,CAAI,CAAA,CAAA,MAAM;AAAA,QACxB,SAAA,EAAW,CAAA,CAAE,UAAA,KAAe,IAAA,GAAO,CAAC,EAAE,CAAA,GAAI,CAAC,CAAA,CAAE,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,QACrE,SAAA,EAAW,CAAC,CAAA,CAAE,IAAA,CAAK,WAAA,MAAiB,CAAA,CAAE,QAAA,EAAU,IAAA,GAAO,GAAA,GAAM,EAAA,CAAG,CAAA;AAAA;AAAA;AAAA,QAGhE;AAAA,OACF,CAAE;AAAA,KACH,CAAA;AAAA,EACH;AACF;;;AClIA,IAAM,4BAAA,GAA+B;AAAA,EACnC,oBAAoB,EAAC;AAAA,EACrB,mBAAmB,EAAC;AAAA,EACpB,UAAU;AACZ,CAAA;AAEO,IAAM,sBAAA,GAAoD;AAAA,EAC/D,MAAA,EAAQ;AAAA,IACN,GAAG,4BAAA;AAAA,IACH,KAAA,EAAO,gFAAA;AAAA,IACP,gBAAA,EAAkB;AAAA;AAAA,MAEhB,kCAAA;AAAA,MACA;AAAA;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,GAAG,4BAAA;AAAA,IACH,KAAA,EAAO,gFAAA;AAAA,IACP,gBAAA,EAAkB;AAAA;AAAA,MAEhB,6BAAA;AAAA,MACA,8BAAA;AAAA,MACA,8BAAA;AAAA,MACA;AAAA;AACF,GACF;AAAA,EAEA,cAAc,EAAC;AAAA,EACf,gBAAgB,EAAC;AAAA,EACjB,OAAO,EAAC;AAAA,EACR,SAAS,EAAC;AAAA,EACV,cAAc,EAAC;AAAA,EACf,aAAa,EAAC;AAAA,EACd,kBAAkB;AACpB;AAEO,IAAM,oBAAA,GAA2D;AAAA,EACtE,MAAA,EAAQ,kFAAA;AAAA,EACR,MAAA,EAAQ;AACV;;;ACpFO,IAAM,YAAA,GAAN,cAA2BC,mBAAAA,CAAkB;AAAA;AAAA;AAAA;AAAA,EAIzC,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,OAAA;AAAA;AAAA;AAAA;AAAA,EAKA,YAAA;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA;AAAA;AAAA;AAAA;AAAA,EAKA,YAAA;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAA;AAAA,EAET,WAAA,CAAY,IAAA,EAAc,IAAA,EAAwB,IAAA,EAAiC;AACjF,IAAA,KAAA,CAAM,4BAAA,EAA8B,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAEpD,IAAA,MAAM,iBAAA,GAAoBV,SAAO,IAAI,CAAA,CAClC,MAAM,CAAAF,KAAAA,KAAQ,UAAUA,KAAAA,CAAK,WAAA,EAAaA,MAAK,YAAY,CAAC,EAC5D,KAAA,CAAM,CAAAA,UAAQO,SAAAA,CAAU,sBAAA,EAAwB,GAAGP,KAAI,CAAC,CAAA;AAI3D,IAAA,MAAM,kBAAA,GAAqB,iBAAA,CAAkB,KAAA,CAAM,CAAAa,kBAAAA,KAAqB;AACtE,MAAA,OAAO,MAAA,CAAO,OAAOA,kBAAAA,CAAkB,KAAK,EAAE,IAAA,CAAK,CAAA,IAAA,KAAQ,OAAO,IAAA,KAAS,UAAU,CAAA;AAAA,IACvF,CAAC,CAAA;AAED,IAAA,IAAA,CAAK,eAAe,IAAA,CAAK,YAAA;AACzB,IAAA,IAAA,CAAK,cAAc,iBAAA,CAAkB,WAAA;AAErC,IAAA,IAAA,CAAK,QAAQ,kBAAA,CAAmB,KAAA;AAAA,MAAM,CAAAC,mBAAAA,KACpCZ,QAAAA;AAAA,QACEY,mBAAAA,GACI,qBAAqB,IAAA,CAAK,YAAY,IACtC,iBAAA,CAAkB,IAAA,CAAK,YAAY,CAAA,CAAE;AAAA;AAC3C,KACF;AAEA,IAAA,IAAA,CAAK,mBAAmBZ,QAAAA,CAAO,EAAE,iBAAA,EAAmB,kBAAA,EAAoB,CAAA,CAAE,KAAA;AAAA,MACxE,CAAC,EAAE,iBAAA,EAAAW,kBAAAA,EAAmB,kBAAA,EAAAC,qBAAmB,KAAM;AAC7C,QAAA,MAAM,gBAAA,GAAmB;AAAA,UACvB,GAAGD,kBAAAA,CAAkB,gBAAA;AAAA,UACrB,GAAGA,kBAAAA,CAAkB,IAAA,CAAK,YAAY,CAAA,CAAE;AAAA,SAC1C;AAEA,QAAA,IAAIC,mBAAAA,EAAoB;AACtB,UAAA,gBAAA,CAAiB,KAAK,8BAA8B,CAAA;AAAA,QACtD;AAEA,QAAA,OAAO,gBAAA,CAAiB,IAAI,gBAAgB,CAAA;AAAA,MAC9C;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,SAAA,GAAYZ,QAAAA,CAAO,EAAE,iBAAA,EAAmB,MAAM,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,iBAAA,EAAAW,kBAAAA,EAAmB,IAAA,EAAAb,OAAK,KAAM;AAC1F,MAAA,OAAO,SAAA,CAAU,MAAA;AAAA,QACf,IAAA;AAAA,QACA;AAAA,UACE,WAAWA,KAAAA,CAAK,SAAA;AAAA,UAEhB,IAAA,EAAM,gBAAA,CAAiB,IAAA,CAAK,YAAA,EAAca,kBAAiB;AAAA,SAC7D;AAAA,QACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,IAAA;AAAK,OAC1B;AAAA,IACF,CAAC,CAAA;AAED,IAAA,IAAA,CAAK,OAAA,GAAUX,SAAO,EAAE,kBAAA,EAAoB,SAAS,iBAAA,CAAkB,OAAA,EAAS,CAAA,CAAE,KAAA;AAAA,MAChF,CAAC,EAAE,kBAAA,EAAAY,mBAAAA,EAAoB,SAAQ,KAAM;AACnC,QAAA,OAAO;AAAA,UACL,GAAG,OAAA;AAAA,UACH;AAAA,YACE,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,IAAA;AAAA,YAE9B,SAAA,EAAW;AAAA,cACT,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,IAAA;AAAA,cAC9B,WAAA,EAAa;AAAA;AAAA;AACf,WACF;AAAA,UACA,GAAIA,mBAAAA,GAAqB,CAAC,EAAE,IAAA,EAAM,cAAA,EAAgB,QAAA,EAAU,EAAC,EAAG,CAAA,GAAI;AAAC,SACvE;AAAA,MACF;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,eAAeZ,QAAAA,CAAO;AAAA,MACzB,kBAAA;AAAA,MACA,cAAc,iBAAA,CAAkB;AAAA,KACjC,EAAE,KAAA,CAAM,CAAC,EAAE,kBAAA,EAAAY,mBAAAA,EAAoB,cAAa,KAAM;AACjD,MAAA,OAAO;AAAA,QACL,GAAG,YAAA;AAAA,QACH;AAAA,UACE,QAAQ,IAAA,CAAK,SAAA;AAAA,UACb,SAAA,EAAW;AAAA,SACb;AAAA,QACA,GAAIA,mBAAAA,GACA,CAAC,EAAE,IAAA,EAAM,gBAAgB,SAAA,EAAW,uBAAA,EAAyB,CAAA,GAC7D;AAAC,OACP;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AACF;AAEA,SAAS,qBAAqB,KAAA,EAAuB;AACnD,EAAA,IAAI,KAAA,CAAM,UAAA,CAAW,YAAY,CAAA,EAAG;AAClC,IAAA,OAAO,KAAA,CAAM,OAAA,CAAQ,YAAA,EAAc,EAAE,CAAA;AAAA,EACvC;AAEA,EAAA,OAAO,KAAA;AACT;AAEA,eAAe,gBAAA,CACb,cACA,WAAA,EACiC;AACjC,EAAA,MAAM,aAAqC,EAAC;AAC5C,EAAA,MAAM,UAAoB,EAAC;AAE3B,EAAA,MAAM,uBAAA,GAA0B,YAAY,YAAY,CAAA;AACxD,EAAA,MAAM,YAAA,GAAe,EAAE,GAAG,WAAA,CAAY,YAAA,EAAa;AAEnD,EAAA,IAAI,kBAAA,GAAqB,KAAA;AAEzB,EAAA,KAAA,MAAW,GAAA,IAAO,YAAY,KAAA,EAAO;AACnC,IAAA,IAAI,OAAO,WAAA,CAAY,KAAA,CAAM,GAAG,MAAM,UAAA,EAAY;AAChD,MAAA,MAAM,aAAa,MAAM,iBAAA,CAAkB,WAAA,CAAY,KAAA,CAAM,GAAG,CAAC,CAAA;AAEjE,MAAA,UAAA,CAAW,GAAG,CAAA,GAAI,IAAA;AAAA;AAAA;AAAA,QAAA,EAGd,WAAW,IAAI;;AAAA,gBAAA,EAEP,WAAW,UAAU,CAAA;AAAA,MAAA,CAAA;AAGjC,MAAA,kBAAA,GAAqB,IAAA;AAAA,IACvB,CAAA,MAAO;AACL,MAAA,UAAA,CAAW,GAAG,CAAA,GAAI,WAAA,CAAY,KAAA,CAAM,GAAG,CAAA;AAAA,IACzC;AAAA,EACF;AAEA,EAAA,IAAI,kBAAA,EAAoB;AACtB,IAAA,MAAM,WAAA,GAAc,MAAM,eAAA,EAAgB;AAE1C,IAAA,WAAA,CAAY,YAAA,GAAe,MAAA;AAAA,MACzB,SAAA,CAAU,WAAA,CAAY,YAAA,IAAgB,IAAI,oBAAoB,CAAA;AAAA,MAC9D,CAAC,CAAA,EAAG,GAAA,KAAQ,GAAA,CAAI,WAAW,aAAa;AAAA,KAC1C;AAEA,IAAA,WAAA,CAAY,eAAA,GAAkB,MAAA;AAAA,MAC5B,SAAA,CAAU,WAAA,CAAY,eAAA,IAAmB,IAAI,oBAAoB,CAAA;AAAA,MACjE,CAAC,CAAA,EAAG,GAAA,KAAQ,GAAA,CAAI,WAAW,aAAa;AAAA,KAC1C;AAEA,IAAA,UAAA,CAAW,cAAc,CAAA,GAAI,IAAA,CAAK,SAAA,CAAU,WAAA,EAAa,MAAM,CAAC,CAAA;AAEhE,IAAA,YAAA,CAAa,yBAAyB,CAAA,GAAI,IAAA;AAAA;AAAA;;AAAA;AAAA;AAAA,IAAA,CAAA;AAAA,EAO5C;AAEA,EAAA,IAAI,uBAAA,CAAwB,kBAAA,CAAmB,MAAA,GAAS,CAAA,EAAG;AACzD,IAAA,UAAA,CAAW,yBAAyB,CAAA,GAAI,wBAAA;AAAA,MACtC,YAAA;AAAA,MACA,uBAAA,CAAwB;AAAA,KAC1B;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK;AAAA;AAAA;AAAA;AAAA,IAAA,CAIZ,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,OAAO,IAAA,CAAK,uBAAA,CAAwB,iBAAiB,CAAA,CAAE,SAAS,CAAA,EAAG;AACrE,IAAA,KAAA,MAAW,GAAA,IAAO,wBAAwB,iBAAA,EAAmB;AAC3D,MAAA,UAAA,CAAW,eAAe,GAAG,CAAA,CAAE,CAAA,GAAI,uBAAA,CAAwB,kBAAkB,GAAG,CAAA;AAEhF,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,4CAAA,EAC2B,GAAG,CAAA;AAAA,6BAAA,EAClB,GAAG;AAAA,oCAAA,EACI,GAAG,CAAA;AAAA,MAAA,CAClC,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,IAAI,uBAAA,CAAwB,QAAA,CAAS,MAAA,GAAS,CAAA,EAAG;AAC/C,IAAA,UAAA,CAAW,qBAAqB,CAAA,GAAI,wBAAA;AAAA,MAClC,YAAA;AAAA,MACA,uBAAA,CAAwB;AAAA,KAC1B;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK;AAAA;AAAA;AAAA;AAAA,IAAA,CAIZ,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA,CAAE,SAAS,CAAA,EAAG;AACxC,IAAA,KAAA,MAAW,OAAO,YAAA,EAAc;AAC9B,MAAA,UAAA,CAAW,CAAA,MAAA,EAAS,GAAG,CAAA,CAAE,CAAA,GAAI,aAAa,GAAG,CAAA;AAE7C,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,sCAAA,EACqB,GAAG,CAAA;AAAA,uBAAA,EAClB,GAAG;AAAA,8BAAA,EACI,GAAG,CAAA;AAAA,MAAA,CAC5B,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,IAAI,OAAO,IAAA,CAAK,WAAA,CAAY,cAAc,CAAA,CAAE,SAAS,CAAA,EAAG;AACtD,IAAA,MAAM,iBAA2B,EAAC;AAElC,IAAA,KAAA,MAAW,GAAA,IAAO,YAAY,cAAA,EAAgB;AAC5C,MAAA,UAAA,CAAW,WAAW,GAAG,CAAA,CAAE,CAAA,GAAI,WAAA,CAAY,eAAe,GAAG,CAAA;AAE7D,MAAA,cAAA,CAAe,IAAA,CAAK;AAAA,wCAAA,EACgB,GAAG,CAAA;AAAA,yBAAA,EAClB,GAAG;AAAA,gCAAA,EACI,GAAG,CAAA;AAAA,MAAA,CAC9B,CAAA;AAAA,IACH;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK;AAAA;AAAA,MAAA,EAET,cAAA,CAAe,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,MAAM,CAAA,CAAE,IAAA,CAAK,MAAM,CAAC;AAAA;;AAAA;AAAA;AAAA,IAAA,CAKjD,CAAA;AAAA,EACH;AAEA,EAAA,UAAA,CAAW,eAAe,IAAI,eAAA,CAAgB;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA,EAAA,EAS5C,OAAA,CAAQ,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,MAAM,CAAA,CAAE,IAAA,CAAK,MAAM,CAAC;;AAAA;AAAA;AAAA;AAAA,EAAA,CAKxC,CAAA;AAED,EAAA,OAAO,UAAA;AACT;AAEA,SAAS,wBAAA,CAAyB,cAAkC,QAAA,EAA4B;AAC9F,EAAA,IAAI,iBAAiB,QAAA,EAAU;AAC7B,IAAA,OAAO,IAAA;AAAA;AAAA;;AAAA,yBAAA,EAIgB,QAAA,CAAS,IAAA,CAAK,GAAG,CAAC;AAAA,IAAA,CAAA;AAAA,EAE3C,CAAA,MAAO;AACL,IAAA,OAAO,IAAA;AAAA;AAAA;;AAAA;AAAA,yBAAA,EAKgB,QAAA,CAAS,IAAA,CAAK,GAAG,CAAC;AAAA,IAAA,CAAA;AAAA,EAE3C;AACF;ACxTO,SAAS,sBAAsB,OAAA,EAA6C;AACjF,EAAA,MAAM,MAAA,GAASZ,QAAAA,CAAO,OAAA,CAAQ,MAAM,CAAA;AAEpC,EAAA,OAAOA,QAAAA,CAAO;AAAA,IACZ,OAAA;AAAA,IACA,OAAO,MAAA,CAAO,KAAA;AAAA,IACd,cAAc,MAAA,CAAO,YAAA;AAAA,IACrB,SAAS,MAAA,CAAO,OAAA;AAAA,IAChB,aAAa,MAAA,CAAO,WAAA;AAAA,IACpB,kBAAkB,MAAA,CAAO;AAAA,GAC1B,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,OAAA,EAAAa,QAAAA,EAAS,KAAA,EAAO,YAAA,EAAc,OAAA,EAAS,WAAA,EAAa,gBAAA,EAAiB,KAAM;AACrF,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,SAAS,CAAC,wBAAA,EAA0B,CAAA,SAAA,EAAYA,QAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA;AAAA,MAE9D,GAAGA,QAAAA;AAAA,MAEH,YAAA,EAAc,CAAC,GAAG,YAAA,EAAc,GAAIA,QAAAA,CAAQ,YAAA,IAAgB,EAAG,CAAA;AAAA,MAC/D,OAAA,EAAS,CAAC,GAAG,OAAA,EAAS,GAAIA,QAAAA,CAAQ,OAAA,IAAW,EAAG,CAAA;AAAA,MAChD,WAAA,EAAa,KAAA,CAAM,WAAA,EAAaA,QAAAA,CAAQ,WAAW,CAAA;AAAA,MACnD,gBAAA,EAAkB,CAAC,GAAG,gBAAA,EAAkB,GAAIA,QAAAA,CAAQ,gBAAA,IAAoB,EAAG;AAAA,KAC7E;AAAA,EACF,CAAC,CAAA;AACH;ACzCA,eAAsB,oBACpB,SAAA,EACqC;AACrC,EAAA,MAAM,KAAA,GAAQ,MAAM,kBAAA,CAAmB,YAAA,CAAa,WAAW,SAAA,EAAW;AAAA,IACxE,KAAA;AAAA,IACA,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,OAAOb,QAAAA,CAAO;AAAA,IACZ,IAAA,EAAM,SAAA;AAAA,IACN,KAAA,EAAO,cAAA,CAAO,oBAAoB,CAAA,CAAE,KAAA;AAAA,IAEpC,MAAA,EAAQ;AAAA,MACN,UAAA,EAAY,MAAM,OAAA,CAAQ,UAAA;AAAA,MAC1B,SAAA,EAAWA,QAAAA,CAAO,SAAS,CAAA,CAAE,KAAA,CAAM,CAAAS,UAAAA,KAAaA,UAAAA,CAAU,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,MAAM,CAAC;AAAA;AAC9E,GACD,CAAA;AACH","file":"index.js","sourcesContent":["import type { RequiredKeys, UnitTerminal } from \"@highstate/contract\"\nimport type { k8s } from \"@highstate/library\"\nimport type { Container } from \"./container\"\nimport type { NetworkPolicy } from \"./network-policy\"\nimport { getOrCreate } from \"@highstate/contract\"\nimport {\n type ComponentResourceOptions,\n type Input,\n type Inputs,\n interpolate,\n type Output,\n output,\n toPromise,\n type Unwrap,\n} from \"@highstate/pulumi\"\nimport { batch, type types } from \"@pulumi/kubernetes\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { omit } from \"remeda\"\nimport { Namespace } from \"./namespace\"\nimport { commonExtraArgs, getProvider, mapMetadata, type ScopedResourceArgs } from \"./shared\"\nimport {\n getWorkloadComponents,\n Workload,\n type WorkloadArgs,\n type WorkloadTerminalArgs,\n} from \"./workload\"\n\nexport type CronJobArgs = ScopedResourceArgs &\n Omit<RequiredKeys<Partial<types.input.batch.v1.CronJobSpec>, \"schedule\">, \"jobTemplate\"> & {\n jobTemplate?: {\n metadata?: types.input.meta.v1.ObjectMeta\n spec?: Omit<types.input.batch.v1.JobSpec, \"template\"> & {\n template?: {\n metadata?: types.input.meta.v1.ObjectMeta\n spec?: Partial<types.input.core.v1.PodSpec>\n }\n }\n }\n } & WorkloadArgs\n\nexport type CreateOrGetCronJobArgs = CronJobArgs & {\n /*\n The cron job entity to patch/retrieve.\n /\n existing: Input<k8s.ScopedResource> \| undefined\n}\n\n/\n Represents a Kubernetes CronJob resource with metadata and spec.\n /\nexport abstract class CronJob extends Workload {\n protected constructor(\n type: string,\n name: string,\n args: Inputs,\n opts: ComponentResourceOptions \| undefined,\n\n apiVersion: Output<string>,\n kind: Output<string>,\n terminalArgs: Output<Unwrap<WorkloadTerminalArgs>>,\n containers: Output<Container[]>,\n namespace: Output<Namespace>,\n metadata: Output<types.output.meta.v1.ObjectMeta>,\n networkPolicy: Output<NetworkPolicy \| undefined>,\n\n /\n The spec of the underlying Kubernetes cron job.\n /\n readonly spec: Output<types.output.batch.v1.CronJobSpec>,\n\n /\n The status of the underlying Kubernetes cron job.\n /\n readonly status: Output<types.output.batch.v1.CronJobStatus>,\n ) {\n super(\n type,\n name,\n args,\n opts,\n apiVersion,\n kind,\n terminalArgs,\n containers,\n namespace,\n metadata,\n networkPolicy,\n )\n }\n\n /\n The Highstate cron job entity.\n /\n get entity(): Output<k8s.ScopedResource> {\n return output({\n type: \"cron-job\",\n clusterId: this.cluster.id,\n clusterName: this.cluster.name,\n metadata: this.metadata,\n })\n }\n\n protected getTerminalMeta(): Output<UnitTerminal[\"meta\"]> {\n return output({\n title: \"CronJob\",\n globalTitle: interpolate`CronJob \| ${this.metadata.name}`,\n description: \"The shell inside the cron job.\",\n icon: \"devicon:kubernetes\",\n })\n }\n\n protected get resourceType(): string {\n return \"cronjob\"\n }\n\n /\n Creates a new cron job.\n /\n static create(name: string, args: CronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new CreatedCronJob(name, args, opts)\n }\n\n /\n Creates a new cron job or patches an existing one.\n \n @param name The name of the resource. May not be the same as the cron job name.\n * @param args The arguments to create or patch the cron job with.\n * @param opts Optional resource options.\n /\n static createOrPatch(\n name: string,\n args: CreateOrGetCronJobArgs,\n opts?: ComponentResourceOptions,\n ): CronJob {\n if (args.existing) {\n return new CronJobPatch(name, {\n ...args,\n name: output(args.existing).metadata.name,\n namespace: Namespace.forResourceAsync(args.existing, output(args.namespace).cluster),\n })\n }\n\n return new CreatedCronJob(name, args, opts)\n }\n\n /\n Creates a new cron job or gets an existing one.\n \n @param name The name of the resource. May not be the same as the cron job name. Will not be used when existing cron job is retrieved.\n * @param args The arguments to create or get the cron job with.\n * @param opts Optional resource options.\n /\n static async createOrGet(\n name: string,\n args: CreateOrGetCronJobArgs,\n opts?: ComponentResourceOptions,\n ): Promise<CronJob> {\n if (args.existing) {\n return await CronJob.forAsync(args.existing, output(args.namespace).cluster)\n }\n\n return new CreatedCronJob(name, args, opts)\n }\n\n /\n Patches an existing cron job.\n \n Will throw an error if the cron job does not exist.\n \n @param name The name of the resource. May not be the same as the cron job name.\n * @param args The arguments to patch the cron job with.\n * @param opts Optional resource options.\n /\n static patch(name: string, args: CronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new CronJobPatch(name, args, opts)\n }\n\n /\n Wraps an existing Kubernetes cron job.\n /\n static wrap(name: string, args: WrappedCronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new WrappedCronJob(name, args, opts)\n }\n\n /\n Gets an existing cron job.\n \n Will throw an error if the cron job does not exist.\n /\n static get(name: string, args: ExternalCronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new ExternalCronJob(name, args, opts)\n }\n\n private static readonly cronJobCache = new Map<string, CronJob>()\n\n /\n Gets an existing cron job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the cron job for.\n * @param cluster The cluster where the cron job is located.\n /\n static for(entity: k8s.ScopedResource, cluster: Input<k8s.Cluster>): CronJob {\n return getOrCreate(\n CronJob.cronJobCache,\n `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,\n name => {\n return CronJob.get(name, {\n name: entity.metadata.name,\n namespace: Namespace.forResource(entity, cluster),\n })\n },\n )\n }\n\n /\n Gets an existing cron job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the cron job for.\n * @param cluster The cluster where the cron job is located.\n /\n static async forAsync(\n entity: Input<k8s.ScopedResource>,\n cluster: Input<k8s.Cluster>,\n ): Promise<CronJob> {\n const resolvedEntity = await toPromise(entity)\n return CronJob.for(resolvedEntity, cluster)\n }\n}\n\nconst cronJobExtraArgs = [...commonExtraArgs, \"container\", \"containers\"] as const\n\nclass CreatedCronJob extends CronJob {\n constructor(name: string, args: CronJobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const cronJob = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.CronJob(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n {\n jobTemplate: {\n spec: {\n template: deepmerge(\n {\n spec: {\n restartPolicy: \"Never\",\n },\n },\n podTemplate,\n ),\n },\n },\n schedule: args.schedule,\n },\n omit(args, cronJobExtraArgs) as types.input.batch.v1.CronJobSpec,\n )\n }),\n },\n {\n ...opts,\n parent: this,\n provider: getProvider(cluster),\n },\n )\n })\n\n super(\n \"highstate:k8s:CronJob\",\n name,\n args,\n opts,\n\n cronJob.apiVersion,\n cronJob.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n cronJob.metadata,\n networkPolicy,\n\n cronJob.spec,\n cronJob.status,\n )\n }\n}\n\nclass CronJobPatch extends CronJob {\n constructor(name: string, args: CronJobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const cronJob = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.CronJobPatch(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n {\n jobTemplate: {\n spec: {\n template: podTemplate,\n },\n },\n schedule: args.schedule,\n } satisfies types.input.batch.v1.CronJobSpec,\n omit(args, cronJobExtraArgs) as types.input.batch.v1.CronJobSpec,\n )\n }),\n },\n {\n ...opts,\n parent: this,\n provider: getProvider(cluster),\n },\n )\n })\n\n super(\n \"highstate:k8s:CronJobPatch\",\n name,\n args,\n opts,\n\n cronJob.apiVersion,\n cronJob.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n cronJob.metadata,\n networkPolicy,\n\n cronJob.spec,\n cronJob.status,\n )\n }\n}\n\nexport type WrappedCronJobArgs = {\n /\n The underlying Kubernetes cron job to wrap.\n /\n cronJob: Input<batch.v1.CronJob>\n\n /\n The namespace where the cron job is located.\n /\n namespace: Input<Namespace>\n\n /\n The args for the terminal to use.\n /\n terminal?: Input<WorkloadTerminalArgs>\n}\n\nclass WrappedCronJob extends CronJob {\n constructor(name: string, args: WrappedCronJobArgs, opts?: ComponentResourceOptions) {\n super(\n \"highstate:k8s:WrappedCronJob\",\n name,\n args,\n opts,\n\n output(args.cronJob).apiVersion,\n output(args.cronJob).kind,\n output(args.terminal ?? {}),\n output([]),\n output(args.namespace),\n output(args.cronJob).metadata,\n output(undefined),\n\n output(args.cronJob).spec,\n output(args.cronJob).status,\n )\n }\n}\n\nexport type ExternalCronJobArgs = {\n /\n The name of the cron job to get.\n /\n name: Input<string>\n\n /\n The namespace where the cron job is located.\n /\n namespace: Input<Namespace>\n}\n\nclass ExternalCronJob extends CronJob {\n constructor(name: string, args: ExternalCronJobArgs, opts?: ComponentResourceOptions) {\n const cronJob = output(args.namespace).cluster.apply(cluster => {\n return batch.v1.CronJob.get(\n name,\n interpolate`${output(args.namespace).metadata.name}/${args.name}`,\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:ExternalCronJob\",\n name,\n args,\n opts,\n\n cronJob.apiVersion,\n cronJob.kind,\n output({}),\n output([]),\n output(args.namespace),\n cronJob.metadata,\n output(undefined),\n\n cronJob.spec,\n cronJob.status,\n )\n }\n}\n","import type { k8s } from \"@highstate/library\"\nimport type { Container } from \"./container\"\nimport type { NetworkPolicy } from \"./network-policy\"\nimport { getOrCreate, type UnitTerminal } from \"@highstate/contract\"\nimport {\n type ComponentResourceOptions,\n type Input,\n type Inputs,\n interpolate,\n type Output,\n output,\n toPromise,\n type Unwrap,\n} from \"@highstate/pulumi\"\nimport { batch, type types } from \"@pulumi/kubernetes\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { omit } from \"remeda\"\nimport { Namespace } from \"./namespace\"\nimport { commonExtraArgs, getProvider, mapMetadata, type ScopedResourceArgs } from \"./shared\"\nimport {\n getWorkloadComponents,\n Workload,\n type WorkloadArgs,\n type WorkloadTerminalArgs,\n} from \"./workload\"\n\nexport type JobArgs = ScopedResourceArgs &\n Omit<Partial<types.input.batch.v1.JobSpec>, \"template\"> & {\n template?: {\n metadata?: types.input.meta.v1.ObjectMeta\n spec?: Partial<types.input.core.v1.PodSpec>\n }\n } & WorkloadArgs\n\nexport type CreateOrGetJobArgs = JobArgs & {\n /\n The job entity to patch/retrieve.\n /\n existing: Input<k8s.ScopedResource> \| undefined\n}\n\n/\n Represents a Kubernetes Job resource with metadata and spec.\n /\nexport abstract class Job extends Workload {\n protected constructor(\n type: string,\n name: string,\n args: Inputs,\n opts: ComponentResourceOptions \| undefined,\n\n apiVersion: Output<string>,\n kind: Output<string>,\n terminalArgs: Output<Unwrap<WorkloadTerminalArgs>>,\n containers: Output<Container[]>,\n namespace: Output<Namespace>,\n metadata: Output<types.output.meta.v1.ObjectMeta>,\n networkPolicy: Output<NetworkPolicy \| undefined>,\n\n /\n The spec of the underlying Kubernetes job.\n /\n readonly spec: Output<types.output.batch.v1.JobSpec>,\n\n /\n The status of the underlying Kubernetes job.\n /\n readonly status: Output<types.output.batch.v1.JobStatus>,\n ) {\n super(\n type,\n name,\n args,\n opts,\n apiVersion,\n kind,\n terminalArgs,\n containers,\n namespace,\n metadata,\n networkPolicy,\n )\n }\n\n /\n The Highstate job entity.\n /\n get entity(): Output<k8s.ScopedResource> {\n return output({\n type: \"job\",\n clusterId: this.cluster.id,\n clusterName: this.cluster.name,\n metadata: this.metadata,\n })\n }\n\n protected getTerminalMeta(): Output<UnitTerminal[\"meta\"]> {\n return output({\n title: \"Job\",\n globalTitle: interpolate`Job \| ${this.metadata.name}`,\n description: \"The shell inside the job.\",\n icon: \"devicon:kubernetes\",\n })\n }\n\n protected get resourceType(): string {\n return \"job\"\n }\n\n /\n Creates a new job.\n /\n static create(name: string, args: JobArgs, opts?: ComponentResourceOptions): Job {\n return new CreatedJob(name, args, opts)\n }\n\n /\n Creates a new job or patches an existing one.\n \n @param name The name of the resource. May not be the same as the job name.\n * @param args The arguments to create or patch the job with.\n * @param opts Optional resource options.\n /\n static createOrPatch(\n name: string,\n args: CreateOrGetJobArgs,\n opts?: ComponentResourceOptions,\n ): Job {\n if (args.existing) {\n return new JobPatch(name, {\n ...args,\n name: output(args.existing).metadata.name,\n namespace: Namespace.forResourceAsync(args.existing, output(args.namespace).cluster),\n })\n }\n\n return new CreatedJob(name, args, opts)\n }\n\n /\n Creates a new job or gets an existing one.\n \n @param name The name of the resource. May not be the same as the job name. Will not be used when existing job is retrieved.\n * @param args The arguments to create or get the job with.\n * @param opts Optional resource options.\n /\n static async createOrGet(\n name: string,\n args: CreateOrGetJobArgs,\n opts?: ComponentResourceOptions,\n ): Promise<Job> {\n if (args.existing) {\n return await Job.forAsync(args.existing, output(args.namespace).cluster)\n }\n\n return new CreatedJob(name, args, opts)\n }\n\n /\n Patches an existing job.\n \n Will throw an error if the job does not exist.\n \n @param name The name of the resource. May not be the same as the job name.\n * @param args The arguments to patch the job with.\n * @param opts Optional resource options.\n /\n static patch(name: string, args: JobArgs, opts?: ComponentResourceOptions): Job {\n return new JobPatch(name, args, opts)\n }\n\n /\n Wraps an existing Kubernetes job.\n /\n static wrap(name: string, args: WrappedJobArgs, opts?: ComponentResourceOptions): Job {\n return new WrappedJob(name, args, opts)\n }\n\n /\n Gets an existing job.\n \n Will throw an error if the job does not exist.\n /\n static get(name: string, args: ExternalJobArgs, opts?: ComponentResourceOptions): Job {\n return new ExternalJob(name, args, opts)\n }\n\n private static readonly jobCache = new Map<string, Job>()\n\n /\n Gets an existing job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the job for.\n * @param cluster The cluster where the job is located.\n /\n static for(entity: k8s.ScopedResource, cluster: Input<k8s.Cluster>): Job {\n return getOrCreate(\n Job.jobCache,\n `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,\n name => {\n return Job.get(name, {\n name: entity.metadata.name,\n namespace: Namespace.forResource(entity, cluster),\n })\n },\n )\n }\n\n /\n Gets an existing job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the job for.\n * @param cluster The cluster where the job is located.\n /\n static async forAsync(\n entity: Input<k8s.ScopedResource>,\n cluster: Input<k8s.Cluster>,\n ): Promise<Job> {\n const resolvedEntity = await toPromise(entity)\n return Job.for(resolvedEntity, cluster)\n }\n}\n\nconst jobExtraArgs = [...commonExtraArgs, \"container\", \"containers\"] as const\n\nclass CreatedJob extends Job {\n constructor(name: string, args: JobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const job = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.Job(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n {\n template: deepmerge(\n {\n spec: {\n restartPolicy: \"Never\",\n },\n },\n podTemplate,\n ),\n },\n omit(args, jobExtraArgs) as types.input.batch.v1.JobSpec,\n )\n }),\n },\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:Job\",\n name,\n args,\n opts,\n\n job.apiVersion,\n job.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n job.metadata,\n networkPolicy,\n\n job.spec,\n job.status,\n )\n }\n}\n\nclass JobPatch extends Job {\n constructor(name: string, args: JobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const job = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.JobPatch(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n { template: podTemplate } satisfies types.input.batch.v1.JobSpec,\n omit(args, jobExtraArgs) as types.input.batch.v1.JobSpec,\n )\n }),\n },\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:JobPatch\",\n name,\n args,\n opts,\n\n job.apiVersion,\n job.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n job.metadata,\n networkPolicy,\n\n job.spec,\n job.status,\n )\n\n this.registerOutputs({\n metadata: this.metadata,\n spec: this.spec,\n status: this.status,\n })\n }\n}\n\nexport type WrappedJobArgs = {\n /\n The underlying Kubernetes job to wrap.\n /\n job: Input<batch.v1.Job>\n\n /\n The namespace where the job is located.\n /\n namespace: Input<Namespace>\n\n /\n The args for the terminal to use.\n /\n terminal?: Input<WorkloadTerminalArgs>\n}\n\nclass WrappedJob extends Job {\n constructor(name: string, args: WrappedJobArgs, opts?: ComponentResourceOptions) {\n super(\n \"highstate:k8s:WrappedJob\",\n name,\n args,\n opts,\n\n output(args.job).apiVersion,\n output(args.job).kind,\n output(args.terminal ?? {}),\n output([]),\n output(args.namespace),\n output(args.job).metadata,\n output(undefined),\n\n output(args.job).spec,\n output(args.job).status,\n )\n }\n}\n\nexport type ExternalJobArgs = {\n /\n The name of the job to get.\n /\n name: Input<string>\n\n /\n The namespace where the job is located.\n /\n namespace: Input<Namespace>\n}\n\nclass ExternalJob extends Job {\n constructor(name: string, args: ExternalJobArgs, opts?: ComponentResourceOptions) {\n const job = output(args.namespace).cluster.apply(cluster => {\n return batch.v1.Job.get(\n name,\n interpolate`${output(args.namespace).metadata.name}/${args.name}`,\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:ExternalJob\",\n name,\n args,\n opts,\n\n job.apiVersion,\n job.kind,\n output({}),\n output([]),\n output(args.namespace),\n job.metadata,\n output(undefined),\n\n job.spec,\n job.status,\n )\n }\n}\n","import type { k8s } from \"@highstate/library\"\nimport type { Namespace } from \"./namespace\"\nimport {\n ComponentResource,\n type ComponentResourceOptions,\n type Input,\n type InputArray,\n interpolate,\n normalizeInputs,\n type Output,\n output,\n toPromise,\n} from \"@highstate/pulumi\"\nimport { KubeConfig } from \"@kubernetes/client-node\"\nimport { core, rbac, type types } from \"@pulumi/kubernetes\"\nimport { map, unique } from \"remeda\"\nimport { Secret } from \"./secret\"\nimport { getNamespaceName, getProvider, type NamespaceLike, type ScopedResource } from \"./shared\"\n\nexport type ClusterAccessScopeArgs = {\n /\n The namespace to locate the ServiceAccount in.\n /\n namespace: Input<Namespace>\n\n /\n The RBAC rule to apply to the `ServiceAccount`.\n \n It will be used to create ClusterRole.\n /\n rule?: Input<types.input.rbac.v1.PolicyRule>\n\n /\n The RBAC rules to apply to the `ServiceAccount`.\n \n It will be used to create `ClusterRole`.\n /\n rules?: InputArray<types.input.rbac.v1.PolicyRule>\n\n /\n Whether to allow the `ServiceAccount` to access resources in the namespace where it is created.\n \n By default, it is set to `true`.\n /\n allowOriginNamespace?: boolean\n\n /\n The extra namespaces to bind to the `ClusterRole` and allow `ServiceAccount` to access them\n * with specified `rules`.\n /\n extraNamespaces?: InputArray<NamespaceLike>\n\n /\n Whether to create `ClusterRoleBinding` to bind the `ServiceAccount` to the `ClusterRole`.\n \n This will allow the `ServiceAccount` to access all namespaces and cluster resources.\n /\n clusterWide?: boolean\n}\n\nexport class ClusterAccessScope extends ComponentResource {\n /\n The cluster entity with the reduced access.\n /\n readonly cluster: Output<k8s.Cluster>\n\n constructor(name: string, args: ClusterAccessScopeArgs, opts?: ComponentResourceOptions) {\n super(\"highstate:k8s:ClusterAccessScope\", name, args, opts)\n\n const { serviceAccount, kubeconfig } = output(args.namespace).cluster.apply(cluster => {\n const provider = getProvider(cluster)\n const namespaceName = output(args.namespace).metadata.name\n\n const serviceAccount = new core.v1.ServiceAccount(\n name,\n {\n metadata: {\n name,\n namespace: namespaceName,\n },\n },\n { provider },\n )\n\n const clusterRole = new rbac.v1.ClusterRole(\n name,\n {\n metadata: {\n name: interpolate`highstate.${namespaceName}.${name}`,\n annotations: {\n \"kubernetes.io/description\": interpolate`Created by Highstate for the ServiceAccount \"${name}\" in the namespace \"${namespaceName}\".`,\n },\n },\n rules: normalizeInputs(args.rule, args.rules),\n },\n { provider },\n )\n\n const createRoleBinding = (namespace: Input<string>) => {\n return new rbac.v1.RoleBinding(\n name,\n {\n metadata: { name, namespace },\n roleRef: {\n kind: \"ClusterRole\",\n name: clusterRole.metadata.name,\n apiGroup: \"rbac.authorization.k8s.io\",\n },\n subjects: [\n {\n kind: \"ServiceAccount\",\n name: serviceAccount.metadata.name,\n namespace: namespaceName,\n },\n ],\n },\n { provider },\n )\n }\n\n if (args.allowOriginNamespace ?? true) {\n createRoleBinding(namespaceName)\n }\n\n output(args.extraNamespaces ?? [])\n .apply(map(getNamespaceName))\n .apply(map(createRoleBinding))\n\n return { serviceAccount, kubeconfig: cluster.kubeconfig }\n })\n\n const accessTokenSecret = Secret.create(`${name}-token`, {\n namespace: args.namespace,\n type: \"kubernetes.io/service-account-token\",\n metadata: {\n annotations: {\n \"kubernetes.io/service-account.name\": serviceAccount.metadata.name,\n },\n },\n })\n\n this.cluster = output({\n cluster: output(args.namespace).cluster,\n kubeconfig,\n newToken: accessTokenSecret.getValue(\"token\"),\n serviceAccount: serviceAccount.metadata.name,\n }).apply(({ cluster, kubeconfig, newToken, serviceAccount }) => {\n const config = new KubeConfig()\n config.loadFromString(kubeconfig)\n\n // clear all existing contexts and users\n config.users = []\n config.contexts = []\n\n config.addUser({ name: serviceAccount, token: newToken })\n\n config.addContext({\n name: config.clusters[0].name,\n cluster: config.clusters[0].name,\n user: serviceAccount,\n })\n\n config.setCurrentContext(config.clusters[0].name)\n\n return {\n ...cluster,\n kubeconfig: config.exportConfig(),\n }\n })\n }\n\n /\n Creates `ClusterAccessScope` for the given resources with the specified verbs.\n \n All resources must belong to the same namespace in the same cluster.\n \n @param name The name of the resource and the ServiceAccount.\n * @param resources The resources to create access scope for.\n * @param verbs The verbs to allow on the resources.\n /\n static async forResources(\n name: string,\n resources: InputArray<ScopedResource>,\n verbs: string[],\n ): Promise<ClusterAccessScope> {\n const resolved = await toPromise(\n output(resources).apply(resources =>\n resources.map(r => ({\n namespaceId: r.namespace.metadata.uid,\n namespace: r.namespace,\n metadata: r.metadata,\n apiVersion: r.apiVersion,\n kind: r.kind,\n })),\n ),\n )\n\n if (resolved.length === 0) {\n throw new Error(\"No resources provided to forResources.\")\n }\n\n // verify all resources belong to the same namespace\n if (unique(resolved.map(r => r.namespaceId)).length !== 1) {\n throw new Error(\"All resources must belong to the same namespace.\")\n }\n\n return new ClusterAccessScope(name, {\n namespace: resolved[0].namespace,\n rules: resolved.map(r => ({\n apiGroups: r.apiVersion === \"v1\" ? [\"\"] : [r.apiVersion.split(\"/\")[0]],\n resources: [r.kind.toLowerCase() + (r.metadata?.name ? \"s\" : \"\")],\n // TODO: critical\n // resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,\n verbs,\n })),\n })\n }\n}\n","import type { InputL34Endpoint } from \"@highstate/common\"\nimport type { Input, InputArray, InputRecord } from \"@highstate/pulumi\"\nimport type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from \"../container\"\n\nexport type ScriptDistribution = \"alpine\" \| \"ubuntu\"\n\nexport type DistributionEnvironment = {\n /\n The image that should be used for the distribution.\n /\n image?: Input<string>\n\n /\n The utility packages that should be installed before running \"preInstallScripts\".\n \n Useful for installing tools like `curl` to install additional repositories.\n /\n preInstallPackages?: InputArray<string>\n\n /\n The pre-install scripts that should be run before installing packages.\n * Typically, these scripts are used to install additional repositories.\n /\n preInstallScripts?: InputRecord<string>\n\n /\n The packages that are available in the environment.\n /\n packages?: InputArray<string>\n\n /\n The endpoint which the script is allowed to access scoped to the distribution.\n \n Typically, this is used to allow access to the package manager.\n \n Will be used to generate a network policy.\n /\n allowedEndpoints?: InputArray<InputL34Endpoint>\n}\n\nexport type ScriptProgram = () => unknown\n\nexport type ScriptEnvironment = {\n [distribution in ScriptDistribution]?: DistributionEnvironment\n} & {\n /\n The setup scripts that should be run before the script.\n /\n setupScripts?: InputRecord<string>\n\n /\n The cleanup scripts that should be run after the script.\n /\n cleanupScripts?: InputRecord<string>\n\n /\n The arbitrary files available in the environment including scripts.\n /\n files?: InputRecord<string \| ScriptProgram>\n\n /\n The volumes that should be defined in the environment.\n /\n volumes?: InputArray<WorkloadVolume>\n\n /\n The volume mounts that should be defined in the environment.\n /\n volumeMounts?: InputArray<ContainerVolumeMount>\n\n /\n The environment variables that should be defined in the environment.\n /\n environment?: Input<ContainerEnvironment>\n\n /\n The endpoint which the script is allowed to access.\n \n Will be used to generate a network policy.\n /\n allowedEndpoints?: InputArray<InputL34Endpoint>\n}\n\nexport type ResolvedScriptEnvironment = Omit<Required<ScriptEnvironment>, ScriptDistribution> & {\n [distribution in ScriptDistribution]: Required<DistributionEnvironment>\n}\n\nconst emptyDistributionEnvironment = {\n preInstallPackages: [],\n preInstallScripts: {},\n packages: [],\n}\n\nexport const emptyScriptEnvironment: ResolvedScriptEnvironment = {\n alpine: {\n ...emptyDistributionEnvironment,\n image: \"alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c\",\n allowedEndpoints: [\n //\n \"tcp://dl-cdn.alpinelinux.org:443\",\n \"tcp://dl-cdn.alpinelinux.org:80\",\n ],\n },\n\n ubuntu: {\n ...emptyDistributionEnvironment,\n image: \"ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782\",\n allowedEndpoints: [\n //\n \"tcp://archive.ubuntu.com:80\",\n \"tcp://archive.ubuntu.com:443\",\n \"tcp://security.ubuntu.com:80\",\n \"tcp://security.ubuntu.com:443\",\n ],\n },\n\n setupScripts: {},\n cleanupScripts: {},\n files: {},\n volumes: [],\n volumeMounts: [],\n environment: {},\n allowedEndpoints: [],\n}\n\nexport const functionScriptImages: Record<ScriptDistribution, string> = {\n alpine: \"oven/bun@sha256:6b14922b0885c3890cdb0b396090af1da486ba941df5ee94391eef64f7113c61\",\n ubuntu: \"oven/bun@sha256:66b431441dc4c36d7e8164bfc61e6348ec1d7ce2862fc3a29f5dc9856e8205e4\",\n}\n","import type { network } from \"@highstate/library\"\nimport type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from \"../container\"\nimport type { ScopedResourceArgs } from \"../shared\"\nimport { parseL34Endpoint } from \"@highstate/common\"\nimport { text, trimIndentation } from \"@highstate/contract\"\nimport { type InputArray, normalize } from \"@highstate/pulumi\"\nimport {\n ComponentResource,\n type ComponentResourceOptions,\n type Input,\n type Output,\n output,\n type Unwrap,\n} from \"@pulumi/pulumi\"\nimport { serializeFunction } from \"@pulumi/pulumi/runtime/index.js\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { readPackageJSON } from \"pkg-types\"\nimport { mapValues, omitBy } from \"remeda\"\nimport { ConfigMap } from \"../config-map\"\nimport {\n emptyScriptEnvironment,\n functionScriptImages,\n type ResolvedScriptEnvironment,\n type ScriptDistribution,\n type ScriptEnvironment,\n} from \"./environment\"\n\nexport type ScriptBundleArgs = ScopedResourceArgs & {\n /\n The environment to bundle the scripts from.\n /\n environment?: Input<ScriptEnvironment>\n\n /\n The environments to bundle the scripts from.\n /\n environments?: InputArray<ScriptEnvironment>\n\n /\n The distribution to use for the scripts.\n /\n distribution: ScriptDistribution\n}\n\nexport class ScriptBundle extends ComponentResource {\n /\n The config map containing the scripts.\n /\n readonly configMap: Output<ConfigMap>\n\n /\n The volumes that should be included in the workload.\n /\n readonly volumes: Output<WorkloadVolume[]>\n\n /\n The volume mounts that should be defined in the container.\n /\n readonly volumeMounts: Output<ContainerVolumeMount[]>\n\n /\n The environment variables that should be defined in the container.\n /\n readonly environment: Output<ContainerEnvironment>\n\n /\n The image to use for the scripts.\n /\n readonly image: Output<string>\n\n /\n The distribution to use for the scripts.\n /\n readonly distribution: ScriptDistribution\n\n /\n The list of endpoints that the script is allowed to access.\n /\n readonly allowedEndpoints: Output<network.L34Endpoint[]>\n\n constructor(name: string, args: ScriptBundleArgs, opts?: ComponentResourceOptions) {\n super(\"highstate:k8s:ScriptBundle\", name, args, opts)\n\n const scriptEnvironment = output(args)\n .apply(args => normalize(args.environment, args.environments))\n .apply(args => deepmerge(emptyScriptEnvironment, ...args)) as Output<\n Unwrap<ResolvedScriptEnvironment>\n >\n\n const hasFunctionScripts = scriptEnvironment.apply(scriptEnvironment => {\n return Object.values(scriptEnvironment.files).some(file => typeof file === \"function\")\n })\n\n this.distribution = args.distribution\n this.environment = scriptEnvironment.environment\n\n this.image = hasFunctionScripts.apply(hasFunctionScripts =>\n output(\n hasFunctionScripts\n ? functionScriptImages[args.distribution]\n : scriptEnvironment[args.distribution].image,\n ),\n )\n\n this.allowedEndpoints = output({ scriptEnvironment, hasFunctionScripts }).apply(\n ({ scriptEnvironment, hasFunctionScripts }) => {\n const allowedEndpoints = [\n ...scriptEnvironment.allowedEndpoints,\n ...scriptEnvironment[args.distribution].allowedEndpoints,\n ]\n\n if (hasFunctionScripts) {\n allowedEndpoints.push(\"tcp://registry.npmjs.org:443\")\n }\n\n return allowedEndpoints.map(parseL34Endpoint)\n },\n )\n\n this.configMap = output({ scriptEnvironment, args }).apply(({ scriptEnvironment, args }) => {\n return ConfigMap.create(\n name,\n {\n namespace: args.namespace,\n\n data: createScriptData(this.distribution, scriptEnvironment),\n },\n { ...opts, parent: this },\n )\n })\n\n this.volumes = output({ hasFunctionScripts, volumes: scriptEnvironment.volumes }).apply(\n ({ hasFunctionScripts, volumes }) => {\n return [\n ...volumes,\n {\n name: this.configMap.metadata.name,\n\n configMap: {\n name: this.configMap.metadata.name,\n defaultMode: 0o550, // read and execute permissions\n },\n },\n ...(hasFunctionScripts ? [{ name: \"node-modules\", emptyDir: {} }] : []),\n ]\n },\n )\n\n this.volumeMounts = output({\n hasFunctionScripts,\n volumeMounts: scriptEnvironment.volumeMounts,\n }).apply(({ hasFunctionScripts, volumeMounts }) => {\n return [\n ...volumeMounts,\n {\n volume: this.configMap,\n mountPath: \"/scripts\",\n },\n ...(hasFunctionScripts\n ? [{ name: \"node-modules\", mountPath: \"/scripts/node_modules\" }]\n : []),\n ]\n })\n }\n}\n\nfunction stripWorkspacePrefix(value: string): string {\n if (value.startsWith(\"workspace:\")) {\n return value.replace(\"workspace:\", \"\")\n }\n\n return value\n}\n\nasync function createScriptData(\n distribution: ScriptDistribution,\n environment: Unwrap<ResolvedScriptEnvironment>,\n): Promise<Record<string, string>> {\n const scriptData: Record<string, string> = {}\n const actions: string[] = []\n\n const distributionEnvironment = environment[distribution]\n const setupScripts = { ...environment.setupScripts }\n\n let hasFunctionScripts = false\n\n for (const key in environment.files) {\n if (typeof environment.files[key] === \"function\") {\n const serialized = await serializeFunction(environment.files[key])\n\n scriptData[key] = text`\n #!/usr/local/bin/bun\n \n ${serialized.text}\n\n exports.${serialized.exportName}()\n `\n\n hasFunctionScripts = true\n } else {\n scriptData[key] = environment.files[key]\n }\n }\n\n if (hasFunctionScripts) {\n const packageJson = await readPackageJSON()\n\n packageJson.dependencies = omitBy(\n mapValues(packageJson.dependencies ?? {}, stripWorkspacePrefix),\n (_, key) => key.startsWith(\"@highstate/\"),\n )\n\n packageJson.devDependencies = omitBy(\n mapValues(packageJson.devDependencies ?? {}, stripWorkspacePrefix),\n (_, key) => key.startsWith(\"@highstate/\"),\n )\n\n scriptData[\"package.json\"] = JSON.stringify(packageJson, null, 2)\n\n setupScripts[\"resolve-dependencies.sh\"] = text`\n #!/usr/local/bin/bun\n set -e\n\n cd /scripts\n bun install --production\n `\n }\n\n if (distributionEnvironment.preInstallPackages.length > 0) {\n scriptData[\"pre-install-packages.sh\"] = getInstallPackagesScript(\n distribution,\n distributionEnvironment.preInstallPackages,\n )\n\n actions.push(`\n echo \"+ Installing pre-install packages...\"\n /scripts/pre-install-packages.sh\n echo \"+ Pre-install packages installed successfully\"\n `)\n }\n\n if (Object.keys(distributionEnvironment.preInstallScripts).length > 0) {\n for (const key in distributionEnvironment.preInstallScripts) {\n scriptData[`pre-install-${key}`] = distributionEnvironment.preInstallScripts[key]\n\n actions.push(`\n echo \"+ Running pre-install script '${key}'...\"\n /scripts/pre-install-${key}\n echo \"+ Pre-install script '${key}'... Done\"\n `)\n }\n }\n\n if (distributionEnvironment.packages.length > 0) {\n scriptData[\"install-packages.sh\"] = getInstallPackagesScript(\n distribution,\n distributionEnvironment.packages,\n )\n\n actions.push(`\n echo \"+ Installing packages...\"\n /scripts/install-packages.sh\n echo \"+ Packages installed successfully\"\n `)\n }\n\n if (Object.keys(setupScripts).length > 0) {\n for (const key in setupScripts) {\n scriptData[`setup-${key}`] = setupScripts[key]\n\n actions.push(`\n echo \"+ Running setup script '${key}'...\"\n /scripts/setup-${key}\n echo \"+ Setup script '${key}'... Done\"\n `)\n }\n }\n\n if (Object.keys(environment.cleanupScripts).length > 0) {\n const cleanupActions: string[] = []\n\n for (const key in environment.cleanupScripts) {\n scriptData[`cleanup-${key}`] = environment.cleanupScripts[key]\n\n cleanupActions.push(`\n echo \"+ Running cleanup script '${key}'...\"\n /scripts/cleanup-${key}\n echo \"+ Cleanup script '${key}'... Done\"\n `)\n }\n\n actions.push(`\n function cleanup() {\n ${cleanupActions.map(s => s.trim()).join(\"\\n\\n\")}\n }\n\n trap cleanup EXIT\n trap cleanup SIGTERM\n `)\n }\n\n scriptData[\"entrypoint.sh\"] = trimIndentation(`\n #!/bin/sh\n set -e\n\n if [ -z \"$1\" ]; then\n echo \"Usage: entrypoint.sh <main script> [args...]\"\n exit 1\n fi\n\n ${actions.map(s => s.trim()).join(\"\\n\\n\")}\n\n echo \"+ Running main script...\"\n $@\n echo \"+ Main script completed\"\n `)\n\n return scriptData\n}\n\nfunction getInstallPackagesScript(distribution: ScriptDistribution, packages: string[]): string {\n if (distribution === \"alpine\") {\n return text`\n #!/bin/sh\n set -e\n\n apk add --no-cache ${packages.join(\" \")}\n `\n } else {\n return text`\n #!/bin/sh\n set -e\n\n apt-get update\n apt-get install -y ${packages.join(\" \")}\n `\n }\n}\n","import type { Container } from \"../container\"\nimport type { ScriptBundle } from \"./bundle\"\nimport { type Input, type Output, output } from \"@pulumi/pulumi\"\nimport { merge } from \"remeda\"\n\nexport type ScriptContainer = Container & {\n /\n The script bundle to use.\n /\n bundle: Input<ScriptBundle>\n\n /\n The name of the main script to run.\n * The script must be available in the bundle.\n /\n main: Input<string>\n}\n\n/\n Creates a spec for a container that runs a script.\n * This spec can be used to create a complete workload or an init container.\n \n @param options The options to create the container spec.\n * @returns The container spec.\n */\nexport function createScriptContainer(options: ScriptContainer): Output<Container> {\n const bundle = output(options.bundle)\n\n return output({\n options,\n image: bundle.image,\n volumeMounts: bundle.volumeMounts,\n volumes: bundle.volumes,\n environment: bundle.environment,\n allowedEndpoints: bundle.allowedEndpoints,\n }).apply(({ options, image, volumeMounts, volumes, environment, allowedEndpoints }) => {\n return {\n image,\n command: [\"/scripts/entrypoint.sh\", `/scripts/${options.main}`],\n\n ...options,\n\n volumeMounts: [...volumeMounts, ...(options.volumeMounts ?? [])],\n volumes: [...volumes, ...(options.volumes ?? [])],\n environment: merge(environment, options.environment),\n allowedEndpoints: [...allowedEndpoints, ...(options.allowedEndpoints ?? [])],\n } as Container\n })\n}\n","import type { UnitWorker } from \"@highstate/contract\"\nimport type { k8s } from \"@highstate/library\"\nimport type { DeepInput, InputArray, Unwrap } from \"@highstate/pulumi\"\nimport { type Output, output } from \"@pulumi/pulumi\"\nimport { ClusterAccessScope } from \"./rbac\"\nimport { images, type ScopedResource } from \"./shared\"\n\nexport async function createMonitorWorker(\n resources: InputArray<ScopedResource>,\n): Promise<Output<Unwrap<UnitWorker>>> {\n const scope = await ClusterAccessScope.forResources(\"monitor\", resources, [\n \"get\",\n \"list\",\n \"watch\",\n ])\n\n return output({\n name: \"monitor\",\n image: images[\"worker-k8s-monitor\"].image,\n\n params: {\n kubeconfig: scope.cluster.kubeconfig,\n resources: output(resources).apply(resources => resources.map(r => r.entity)),\n } satisfies DeepInput<k8s.MonitorWorkerParams>,\n })\n}\n"]}
1	+ {"version":3,"sources":["../src/cron-job.ts","../src/job.ts","../src/scripting/environment.ts","../src/scripting/bundle.ts","../src/scripting/container.ts","../src/worker.ts"],"names":["args","podTemplate","output","interpolate","getOrCreate","toPromise","batch","deepmerge","omit","scriptEnvironment","hasFunctionScripts","options","resources"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAkDO,IAAe,OAAA,GAAf,MAAe,QAAA,SAAgB,QAAA,CAAS;AAAA,EACnC,WAAA,CACR,IAAA,EACA,IAAA,EACA,IAAA,EACA,IAAA,EAEA,UAAA,EACA,IAAA,EACA,YAAA,EACA,UAAA,EACA,SAAA,EACA,QAAA,EACA,aAAA,EAKS,MAKA,MAAA,EACT;AACA,IAAA,KAAA;AAAA,MACE,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,UAAA;AAAA,MACA,IAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AAnBS,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAKA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAeX;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAA,GAAqC;AACvC,IAAA,OAAO,MAAA,CAAO;AAAA,MACZ,IAAA,EAAM,UAAA;AAAA,MACN,SAAA,EAAW,KAAK,OAAA,CAAQ,EAAA;AAAA,MACxB,WAAA,EAAa,KAAK,OAAA,CAAQ,IAAA;AAAA,MAC1B,UAAU,IAAA,CAAK;AAAA,KAChB,CAAA;AAAA,EACH;AAAA,EAEU,eAAA,GAAgD;AACxD,IAAA,OAAO,MAAA,CAAO;AAAA,MACZ,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa,WAAA,CAAA,UAAA,EAAwB,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA,CAAA;AAAA,MACvD,WAAA,EAAa,gCAAA;AAAA,MACb,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAAA,EAEA,IAAc,YAAA,GAAuB;AACnC,IAAA,OAAO,SAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,MAAA,CAAO,IAAA,EAAc,IAAA,EAAmB,IAAA,EAA0C;AACvF,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,aAAA,CACL,IAAA,EACA,IAAA,EACA,IAAA,EACS;AACT,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,IAAI,aAAa,IAAA,EAAM;AAAA,QAC5B,GAAG,IAAA;AAAA,QACH,IAAA,EAAM,MAAA,CAAO,IAAA,CAAK,QAAQ,EAAE,QAAA,CAAS,IAAA;AAAA,QACrC,SAAA,EAAW,UAAU,gBAAA,CAAiB,IAAA,CAAK,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO;AAAA,OACpF,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,aAAa,WAAA,CACX,IAAA,EACA,IAAA,EACA,IAAA,EACkB;AAClB,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,MAAM,SAAQ,QAAA,CAAS,IAAA,CAAK,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO,CAAA;AAAA,IAC7E;AAEA,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,KAAA,CAAM,IAAA,EAAc,IAAA,EAAmB,IAAA,EAA0C;AACtF,IAAA,OAAO,IAAI,YAAA,CAAa,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,IAAA,CAAK,IAAA,EAAc,IAAA,EAA0B,IAAA,EAA0C;AAC5F,IAAA,OAAO,IAAI,cAAA,CAAe,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,GAAA,CAAI,IAAA,EAAc,IAAA,EAA2B,IAAA,EAA0C;AAC5F,IAAA,OAAO,IAAI,eAAA,CAAgB,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC7C;AAAA,EAEA,OAAwB,YAAA,mBAAe,IAAI,GAAA,EAAqB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAahE,OAAO,GAAA,CAAI,MAAA,EAA4B,OAAA,EAAsC;AAC3E,IAAA,OAAO,WAAA;AAAA,MACL,QAAA,CAAQ,YAAA;AAAA,MACR,CAAA,EAAG,MAAA,CAAO,WAAW,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,SAAS,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,OAAO,SAAS,CAAA,CAAA;AAAA,MAC9F,CAAA,IAAA,KAAQ;AACN,QAAA,OAAO,QAAA,CAAQ,IAAI,IAAA,EAAM;AAAA,UACvB,IAAA,EAAM,OAAO,QAAA,CAAS,IAAA;AAAA,UACtB,SAAA,EAAW,SAAA,CAAU,WAAA,CAAY,MAAA,EAAQ,OAAO;AAAA,SACjD,CAAA;AAAA,MACH;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,aAAa,QAAA,CACX,MAAA,EACA,OAAA,EACkB;AAClB,IAAA,MAAM,cAAA,GAAiB,MAAM,SAAA,CAAU,MAAM,CAAA;AAC7C,IAAA,OAAO,QAAA,CAAQ,GAAA,CAAI,cAAA,EAAgB,OAAO,CAAA;AAAA,EAC5C;AACF;AAEA,IAAM,gBAAA,GAAmB,CAAC,GAAG,eAAA,EAAiB,aAAa,YAAY,CAAA;AAEvE,IAAM,cAAA,GAAN,cAA6B,OAAA,CAAQ;AAAA,EACnC,WAAA,CAAY,IAAA,EAAc,IAAA,EAAmB,IAAA,EAAiC;AAC5E,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC9D,MAAA,OAAO,IAAI,MAAM,EAAA,CAAG,OAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAM,MAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAA,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAO,SAAA;AAAA,cACL;AAAA,gBACE,WAAA,EAAa;AAAA,kBACX,IAAA,EAAM;AAAA,oBACJ,QAAA,EAAU,SAAA;AAAA,sBACR;AAAA,wBACE,IAAA,EAAM;AAAA,0BACJ,aAAA,EAAe;AAAA;AACjB,uBACF;AAAA,sBACAA;AAAA;AACF;AACF,iBACF;AAAA,gBACA,UAAUD,KAAAA,CAAK;AAAA,eACjB;AAAA,cACA,IAAA,CAAKA,OAAM,gBAAgB;AAAA,aAC7B;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA;AAAA,UACE,GAAG,IAAA;AAAA,UACH,MAAA,EAAQ,IAAA;AAAA,UACR,QAAA,EAAU,YAAY,OAAO;AAAA;AAC/B,OACF;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,uBAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,IAAA;AAAA,MACR,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACA,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,OAAA,CAAQ,QAAA;AAAA,MACR,aAAA;AAAA,MAEA,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AACF,CAAA;AAEA,IAAM,YAAA,GAAN,cAA2B,OAAA,CAAQ;AAAA,EACjC,WAAA,CAAY,IAAA,EAAc,IAAA,EAAmB,IAAA,EAAiC;AAC5E,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC9D,MAAA,OAAO,IAAI,MAAM,EAAA,CAAG,YAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAM,MAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAA,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAO,SAAA;AAAA,cACL;AAAA,gBACE,WAAA,EAAa;AAAA,kBACX,IAAA,EAAM;AAAA,oBACJ,QAAA,EAAUA;AAAA;AACZ,iBACF;AAAA,gBACA,UAAUD,KAAAA,CAAK;AAAA,eACjB;AAAA,cACA,IAAA,CAAKA,OAAM,gBAAgB;AAAA,aAC7B;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA;AAAA,UACE,GAAG,IAAA;AAAA,UACH,MAAA,EAAQ,IAAA;AAAA,UACR,QAAA,EAAU,YAAY,OAAO;AAAA;AAC/B,OACF;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,4BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,IAAA;AAAA,MACR,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACA,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,OAAA,CAAQ,QAAA;AAAA,MACR,aAAA;AAAA,MAEA,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AACF,CAAA;AAmBA,IAAM,cAAA,GAAN,cAA6B,OAAA,CAAQ;AAAA,EACnC,WAAA,CAAY,IAAA,EAAc,IAAA,EAA0B,IAAA,EAAiC;AACnF,IAAA,KAAA;AAAA,MACE,8BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,UAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,MAAA,CAAO,EAAE,CAAA;AAAA,MACT,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,QAAA;AAAA,MACrB,OAAO,MAAS,CAAA;AAAA,MAEhB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,IAAA;AAAA,MACrB,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE;AAAA,KACvB;AAAA,EACF;AACF,CAAA;AAcA,IAAM,eAAA,GAAN,cAA8B,OAAA,CAAQ;AAAA,EACpC,WAAA,CAAY,IAAA,EAAc,IAAA,EAA2B,IAAA,EAAiC;AACpF,IAAA,MAAM,UAAU,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC9D,MAAA,OAAO,KAAA,CAAM,GAAG,OAAA,CAAQ,GAAA;AAAA,QACtB,IAAA;AAAA,QACA,WAAA,CAAA,EAAc,OAAO,IAAA,CAAK,SAAS,EAAE,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAA;AAAA,QAC/D,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,+BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,IAAA;AAAA,MACR,MAAA,CAAO,EAAE,CAAA;AAAA,MACT,MAAA,CAAO,EAAE,CAAA;AAAA,MACT,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,OAAA,CAAQ,QAAA;AAAA,MACR,OAAO,MAAS,CAAA;AAAA,MAEhB,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AACF,CAAA;AC3YO,IAAe,GAAA,GAAf,MAAe,IAAA,SAAY,QAAA,CAAS;AAAA,EAC/B,WAAA,CACR,IAAA,EACA,IAAA,EACA,IAAA,EACA,IAAA,EAEA,UAAA,EACA,IAAA,EACA,YAAA,EACA,UAAA,EACA,SAAA,EACA,QAAA,EACA,aAAA,EAKS,MAKA,MAAA,EACT;AACA,IAAA,KAAA;AAAA,MACE,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,UAAA;AAAA,MACA,IAAA;AAAA,MACA,YAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACF;AAnBS,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAKA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAeX;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAA,GAAqC;AACvC,IAAA,OAAOE,MAAAA,CAAO;AAAA,MACZ,IAAA,EAAM,KAAA;AAAA,MACN,SAAA,EAAW,KAAK,OAAA,CAAQ,EAAA;AAAA,MACxB,WAAA,EAAa,KAAK,OAAA,CAAQ,IAAA;AAAA,MAC1B,UAAU,IAAA,CAAK;AAAA,KAChB,CAAA;AAAA,EACH;AAAA,EAEU,eAAA,GAAgD;AACxD,IAAA,OAAOA,MAAAA,CAAO;AAAA,MACZ,KAAA,EAAO,KAAA;AAAA,MACP,WAAA,EAAaC,WAAAA,CAAAA,MAAAA,EAAoB,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA,CAAA;AAAA,MACnD,WAAA,EAAa,2BAAA;AAAA,MACb,IAAA,EAAM;AAAA,KACP,CAAA;AAAA,EACH;AAAA,EAEA,IAAc,YAAA,GAAuB;AACnC,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,MAAA,CAAO,IAAA,EAAc,IAAA,EAAe,IAAA,EAAsC;AAC/E,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,aAAA,CACL,IAAA,EACA,IAAA,EACA,IAAA,EACK;AACL,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,IAAI,SAAS,IAAA,EAAM;AAAA,QACxB,GAAG,IAAA;AAAA,QACH,IAAA,EAAMD,MAAAA,CAAO,IAAA,CAAK,QAAQ,EAAE,QAAA,CAAS,IAAA;AAAA,QACrC,SAAA,EAAW,UAAU,gBAAA,CAAiB,IAAA,CAAK,UAAUA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO;AAAA,OACpF,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,aAAa,WAAA,CACX,IAAA,EACA,IAAA,EACA,IAAA,EACc;AACd,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,MAAM,KAAI,QAAA,CAAS,IAAA,CAAK,UAAUA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAO,CAAA;AAAA,IACzE;AAEA,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,KAAA,CAAM,IAAA,EAAc,IAAA,EAAe,IAAA,EAAsC;AAC9E,IAAA,OAAO,IAAI,QAAA,CAAS,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,IAAA,CAAK,IAAA,EAAc,IAAA,EAAsB,IAAA,EAAsC;AACpF,IAAA,OAAO,IAAI,UAAA,CAAW,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,GAAA,CAAI,IAAA,EAAc,IAAA,EAAuB,IAAA,EAAsC;AACpF,IAAA,OAAO,IAAI,WAAA,CAAY,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EACzC;AAAA,EAEA,OAAwB,QAAA,mBAAW,IAAI,GAAA,EAAiB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaxD,OAAO,GAAA,CAAI,MAAA,EAA4B,OAAA,EAAkC;AACvE,IAAA,OAAOE,WAAAA;AAAA,MACL,IAAA,CAAI,QAAA;AAAA,MACJ,CAAA,EAAG,MAAA,CAAO,WAAW,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,SAAS,CAAA,CAAA,EAAI,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,OAAO,SAAS,CAAA,CAAA;AAAA,MAC9F,CAAA,IAAA,KAAQ;AACN,QAAA,OAAO,IAAA,CAAI,IAAI,IAAA,EAAM;AAAA,UACnB,IAAA,EAAM,OAAO,QAAA,CAAS,IAAA;AAAA,UACtB,SAAA,EAAW,SAAA,CAAU,WAAA,CAAY,MAAA,EAAQ,OAAO;AAAA,SACjD,CAAA;AAAA,MACH;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,aAAa,QAAA,CACX,MAAA,EACA,OAAA,EACc;AACd,IAAA,MAAM,cAAA,GAAiB,MAAMC,SAAAA,CAAU,MAAM,CAAA;AAC7C,IAAA,OAAO,IAAA,CAAI,GAAA,CAAI,cAAA,EAAgB,OAAO,CAAA;AAAA,EACxC;AACF;AAEA,IAAM,YAAA,GAAe,CAAC,GAAG,eAAA,EAAiB,aAAa,YAAY,CAAA;AAEnE,IAAM,UAAA,GAAN,cAAyB,GAAA,CAAI;AAAA,EAC3B,WAAA,CAAY,IAAA,EAAc,IAAA,EAAe,IAAA,EAAiC;AACxE,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,MAAMH,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC1D,MAAA,OAAO,IAAII,MAAM,EAAA,CAAG,GAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAMJ,MAAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAF,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAOM,SAAAA;AAAA,cACL;AAAA,gBACE,QAAA,EAAUA,SAAAA;AAAA,kBACR;AAAA,oBACE,IAAA,EAAM;AAAA,sBACJ,aAAA,EAAe;AAAA;AACjB,mBACF;AAAA,kBACAN;AAAA;AACF,eACF;AAAA,cACAO,IAAAA,CAAKR,OAAM,YAAY;AAAA,aACzB;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,mBAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,GAAA,CAAI,UAAA;AAAA,MACJ,GAAA,CAAI,IAAA;AAAA,MACJE,MAAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACAA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,GAAA,CAAI,QAAA;AAAA,MACJ,aAAA;AAAA,MAEA,GAAA,CAAI,IAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAAA,EACF;AACF,CAAA;AAEA,IAAM,QAAA,GAAN,cAAuB,GAAA,CAAI;AAAA,EACzB,WAAA,CAAY,IAAA,EAAc,IAAA,EAAe,IAAA,EAAiC;AACxE,IAAA,MAAM,EAAE,WAAA,EAAa,UAAA,EAAY,aAAA,EAAc,GAAI,qBAAA;AAAA,MACjD,IAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAM,IAAA;AAAA,MACN;AAAA,KACF;AAEA,IAAA,MAAM,MAAMA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC1D,MAAA,OAAO,IAAII,MAAM,EAAA,CAAG,QAAA;AAAA,QAClB,IAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU,WAAA,CAAY,IAAA,EAAM,IAAI,CAAA;AAAA,UAChC,IAAA,EAAMJ,MAAAA,CAAO,EAAE,IAAA,EAAM,aAAa,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,IAAA,EAAAF,KAAAA,EAAM,WAAA,EAAAC,cAAY,KAAM;AACnE,YAAA,OAAOM,SAAAA;AAAA,cACL,EAAE,UAAUN,YAAAA,EAAY;AAAA,cACxBO,IAAAA,CAAKR,OAAM,YAAY;AAAA,aACzB;AAAA,UACF,CAAC;AAAA,SACH;AAAA,QACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,wBAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,GAAA,CAAI,UAAA;AAAA,MACJ,GAAA,CAAI,IAAA;AAAA,MACJE,MAAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1B,UAAA;AAAA,MACAA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,GAAA,CAAI,QAAA;AAAA,MACJ,aAAA;AAAA,MAEA,GAAA,CAAI,IAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAEA,IAAA,IAAA,CAAK,eAAA,CAAgB;AAAA,MACnB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,QAAQ,IAAA,CAAK;AAAA,KACd,CAAA;AAAA,EACH;AACF,CAAA;AAmBA,IAAM,UAAA,GAAN,cAAyB,GAAA,CAAI;AAAA,EAC3B,WAAA,CAAY,IAAA,EAAc,IAAA,EAAsB,IAAA,EAAiC;AAC/E,IAAA,KAAA;AAAA,MACE,0BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEAA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,UAAA;AAAA,MACjBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA;AAAA,MACjBA,MAAAA,CAAO,IAAA,CAAK,QAAA,IAAY,EAAE,CAAA;AAAA,MAC1BA,MAAAA,CAAO,EAAE,CAAA;AAAA,MACTA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,QAAA;AAAA,MACjBA,OAAO,MAAS,CAAA;AAAA,MAEhBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA;AAAA,MACjBA,MAAAA,CAAO,IAAA,CAAK,GAAG,CAAA,CAAE;AAAA,KACnB;AAAA,EACF;AACF,CAAA;AAcA,IAAM,WAAA,GAAN,cAA0B,GAAA,CAAI;AAAA,EAC5B,WAAA,CAAY,IAAA,EAAc,IAAA,EAAuB,IAAA,EAAiC;AAChF,IAAA,MAAM,MAAMA,MAAAA,CAAO,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,CAAQ,MAAM,CAAA,OAAA,KAAW;AAC1D,MAAA,OAAOI,KAAAA,CAAM,GAAG,GAAA,CAAI,GAAA;AAAA,QAClB,IAAA;AAAA,QACAH,WAAAA,CAAAA,EAAcD,OAAO,IAAA,CAAK,SAAS,EAAE,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAA;AAAA,QAC/D,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,MAAM,QAAA,EAAU,WAAA,CAAY,OAAO,CAAA;AAAE,OAC1D;AAAA,IACF,CAAC,CAAA;AAED,IAAA,KAAA;AAAA,MACE,2BAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MAEA,GAAA,CAAI,UAAA;AAAA,MACJ,GAAA,CAAI,IAAA;AAAA,MACJA,MAAAA,CAAO,EAAE,CAAA;AAAA,MACTA,MAAAA,CAAO,EAAE,CAAA;AAAA,MACTA,MAAAA,CAAO,KAAK,SAAS,CAAA;AAAA,MACrB,GAAA,CAAI,QAAA;AAAA,MACJA,OAAO,MAAS,CAAA;AAAA,MAEhB,GAAA,CAAI,IAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAAA,EACF;AACF,CAAA;;;AC5UA,IAAM,4BAAA,GAA+B;AAAA,EACnC,oBAAoB,EAAC;AAAA,EACrB,mBAAmB,EAAC;AAAA,EACpB,UAAU;AACZ,CAAA;AAEO,IAAM,sBAAA,GAAoD;AAAA,EAC/D,MAAA,EAAQ;AAAA,IACN,GAAG,4BAAA;AAAA,IACH,KAAA,EAAO,gFAAA;AAAA,IACP,gBAAA,EAAkB;AAAA;AAAA,MAEhB,kCAAA;AAAA,MACA;AAAA;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,GAAG,4BAAA;AAAA,IACH,KAAA,EAAO,gFAAA;AAAA,IACP,gBAAA,EAAkB;AAAA;AAAA,MAEhB,6BAAA;AAAA,MACA,8BAAA;AAAA,MACA,8BAAA;AAAA,MACA;AAAA;AACF,GACF;AAAA,EAEA,cAAc,EAAC;AAAA,EACf,gBAAgB,EAAC;AAAA,EACjB,OAAO,EAAC;AAAA,EACR,SAAS,EAAC;AAAA,EACV,cAAc,EAAC;AAAA,EACf,aAAa,EAAC;AAAA,EACd,kBAAkB;AACpB;AAEO,IAAM,oBAAA,GAA2D;AAAA,EACtE,MAAA,EAAQ,kFAAA;AAAA,EACR,MAAA,EAAQ;AACV;;;ACpFO,IAAM,YAAA,GAAN,cAA2B,iBAAA,CAAkB;AAAA;AAAA;AAAA;AAAA,EAIzC,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,OAAA;AAAA;AAAA;AAAA;AAAA,EAKA,YAAA;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA;AAAA;AAAA;AAAA;AAAA,EAKA,YAAA;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAA;AAAA,EAET,WAAA,CAAY,IAAA,EAAc,IAAA,EAAwB,IAAA,EAAiC;AACjF,IAAA,KAAA,CAAM,4BAAA,EAA8B,IAAA,EAAM,IAAA,EAAM,IAAI,CAAA;AAEpD,IAAA,MAAM,iBAAA,GAAoBA,SAAO,IAAI,CAAA,CAClC,MAAM,CAAAF,KAAAA,KAAQ,UAAUA,KAAAA,CAAK,WAAA,EAAaA,MAAK,YAAY,CAAC,EAC5D,KAAA,CAAM,CAAAA,UAAQO,SAAAA,CAAU,sBAAA,EAAwB,GAAGP,KAAI,CAAC,CAAA;AAI3D,IAAA,MAAM,kBAAA,GAAqB,iBAAA,CAAkB,KAAA,CAAM,CAAAS,kBAAAA,KAAqB;AACtE,MAAA,OAAO,MAAA,CAAO,OAAOA,kBAAAA,CAAkB,KAAK,EAAE,IAAA,CAAK,CAAA,IAAA,KAAQ,OAAO,IAAA,KAAS,UAAU,CAAA;AAAA,IACvF,CAAC,CAAA;AAED,IAAA,IAAA,CAAK,eAAe,IAAA,CAAK,YAAA;AACzB,IAAA,IAAA,CAAK,cAAc,iBAAA,CAAkB,WAAA;AAErC,IAAA,IAAA,CAAK,QAAQ,kBAAA,CAAmB,KAAA;AAAA,MAAM,CAAAC,mBAAAA,KACpCR,QAAAA;AAAA,QACEQ,mBAAAA,GACI,qBAAqB,IAAA,CAAK,YAAY,IACtC,iBAAA,CAAkB,IAAA,CAAK,YAAY,CAAA,CAAE;AAAA;AAC3C,KACF;AAEA,IAAA,IAAA,CAAK,mBAAmBR,QAAAA,CAAO,EAAE,iBAAA,EAAmB,kBAAA,EAAoB,CAAA,CAAE,KAAA;AAAA,MACxE,CAAC,EAAE,iBAAA,EAAAO,kBAAAA,EAAmB,kBAAA,EAAAC,qBAAmB,KAAM;AAC7C,QAAA,MAAM,gBAAA,GAAmB;AAAA,UACvB,GAAGD,kBAAAA,CAAkB,gBAAA;AAAA,UACrB,GAAGA,kBAAAA,CAAkB,IAAA,CAAK,YAAY,CAAA,CAAE;AAAA,SAC1C;AAEA,QAAA,IAAIC,mBAAAA,EAAoB;AACtB,UAAA,gBAAA,CAAiB,KAAK,8BAA8B,CAAA;AAAA,QACtD;AAEA,QAAA,OAAO,gBAAA,CAAiB,IAAI,gBAAgB,CAAA;AAAA,MAC9C;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,SAAA,GAAYR,QAAAA,CAAO,EAAE,iBAAA,EAAmB,MAAM,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,iBAAA,EAAAO,kBAAAA,EAAmB,IAAA,EAAAT,OAAK,KAAM;AAC1F,MAAA,OAAO,SAAA,CAAU,MAAA;AAAA,QACf,IAAA;AAAA,QACA;AAAA,UACE,WAAWA,KAAAA,CAAK,SAAA;AAAA,UAEhB,IAAA,EAAM,gBAAA,CAAiB,IAAA,CAAK,YAAA,EAAcS,kBAAiB;AAAA,SAC7D;AAAA,QACA,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,IAAA;AAAK,OAC1B;AAAA,IACF,CAAC,CAAA;AAED,IAAA,IAAA,CAAK,OAAA,GAAUP,SAAO,EAAE,kBAAA,EAAoB,SAAS,iBAAA,CAAkB,OAAA,EAAS,CAAA,CAAE,KAAA;AAAA,MAChF,CAAC,EAAE,kBAAA,EAAAQ,mBAAAA,EAAoB,SAAQ,KAAM;AACnC,QAAA,OAAO;AAAA,UACL,GAAG,OAAA;AAAA,UACH;AAAA,YACE,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,IAAA;AAAA,YAE9B,SAAA,EAAW;AAAA,cACT,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,QAAA,CAAS,IAAA;AAAA,cAC9B,WAAA,EAAa;AAAA;AAAA;AACf,WACF;AAAA,UACA,GAAIA,mBAAAA,GAAqB,CAAC,EAAE,IAAA,EAAM,cAAA,EAAgB,QAAA,EAAU,EAAC,EAAG,CAAA,GAAI;AAAC,SACvE;AAAA,MACF;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,eAAeR,QAAAA,CAAO;AAAA,MACzB,kBAAA;AAAA,MACA,cAAc,iBAAA,CAAkB;AAAA,KACjC,EAAE,KAAA,CAAM,CAAC,EAAE,kBAAA,EAAAQ,mBAAAA,EAAoB,cAAa,KAAM;AACjD,MAAA,OAAO;AAAA,QACL,GAAG,YAAA;AAAA,QACH;AAAA,UACE,QAAQ,IAAA,CAAK,SAAA;AAAA,UACb,SAAA,EAAW;AAAA,SACb;AAAA,QACA,GAAIA,mBAAAA,GACA,CAAC,EAAE,IAAA,EAAM,gBAAgB,SAAA,EAAW,uBAAA,EAAyB,CAAA,GAC7D;AAAC,OACP;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AACF;AAEA,SAAS,qBAAqB,KAAA,EAAuB;AACnD,EAAA,IAAI,KAAA,CAAM,UAAA,CAAW,YAAY,CAAA,EAAG;AAClC,IAAA,OAAO,KAAA,CAAM,OAAA,CAAQ,YAAA,EAAc,EAAE,CAAA;AAAA,EACvC;AAEA,EAAA,OAAO,KAAA;AACT;AAEA,eAAe,gBAAA,CACb,cACA,WAAA,EACiC;AACjC,EAAA,MAAM,aAAqC,EAAC;AAC5C,EAAA,MAAM,UAAoB,EAAC;AAE3B,EAAA,MAAM,uBAAA,GAA0B,YAAY,YAAY,CAAA;AACxD,EAAA,MAAM,YAAA,GAAe,EAAE,GAAG,WAAA,CAAY,YAAA,EAAa;AAEnD,EAAA,IAAI,kBAAA,GAAqB,KAAA;AAEzB,EAAA,KAAA,MAAW,GAAA,IAAO,YAAY,KAAA,EAAO;AACnC,IAAA,IAAI,OAAO,WAAA,CAAY,KAAA,CAAM,GAAG,MAAM,UAAA,EAAY;AAChD,MAAA,MAAM,aAAa,MAAM,iBAAA,CAAkB,WAAA,CAAY,KAAA,CAAM,GAAG,CAAC,CAAA;AAEjE,MAAA,UAAA,CAAW,GAAG,CAAA,GAAI,IAAA;AAAA;AAAA;AAAA,QAAA,EAGd,WAAW,IAAI;;AAAA,gBAAA,EAEP,WAAW,UAAU,CAAA;AAAA,MAAA,CAAA;AAGjC,MAAA,kBAAA,GAAqB,IAAA;AAAA,IACvB,CAAA,MAAO;AACL,MAAA,UAAA,CAAW,GAAG,CAAA,GAAI,WAAA,CAAY,KAAA,CAAM,GAAG,CAAA;AAAA,IACzC;AAAA,EACF;AAEA,EAAA,IAAI,kBAAA,EAAoB;AACtB,IAAA,MAAM,WAAA,GAAc,MAAM,eAAA,EAAgB;AAE1C,IAAA,WAAA,CAAY,YAAA,GAAe,MAAA;AAAA,MACzB,SAAA,CAAU,WAAA,CAAY,YAAA,IAAgB,IAAI,oBAAoB,CAAA;AAAA,MAC9D,CAAC,CAAA,EAAG,GAAA,KAAQ,GAAA,CAAI,WAAW,aAAa;AAAA,KAC1C;AAEA,IAAA,WAAA,CAAY,eAAA,GAAkB,MAAA;AAAA,MAC5B,SAAA,CAAU,WAAA,CAAY,eAAA,IAAmB,IAAI,oBAAoB,CAAA;AAAA,MACjE,CAAC,CAAA,EAAG,GAAA,KAAQ,GAAA,CAAI,WAAW,aAAa;AAAA,KAC1C;AAEA,IAAA,UAAA,CAAW,cAAc,CAAA,GAAI,IAAA,CAAK,SAAA,CAAU,WAAA,EAAa,MAAM,CAAC,CAAA;AAEhE,IAAA,YAAA,CAAa,yBAAyB,CAAA,GAAI,IAAA;AAAA;AAAA;;AAAA;AAAA;AAAA,IAAA,CAAA;AAAA,EAO5C;AAEA,EAAA,IAAI,uBAAA,CAAwB,kBAAA,CAAmB,MAAA,GAAS,CAAA,EAAG;AACzD,IAAA,UAAA,CAAW,yBAAyB,CAAA,GAAI,wBAAA;AAAA,MACtC,YAAA;AAAA,MACA,uBAAA,CAAwB;AAAA,KAC1B;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK;AAAA;AAAA;AAAA;AAAA,IAAA,CAIZ,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,OAAO,IAAA,CAAK,uBAAA,CAAwB,iBAAiB,CAAA,CAAE,SAAS,CAAA,EAAG;AACrE,IAAA,KAAA,MAAW,GAAA,IAAO,wBAAwB,iBAAA,EAAmB;AAC3D,MAAA,UAAA,CAAW,eAAe,GAAG,CAAA,CAAE,CAAA,GAAI,uBAAA,CAAwB,kBAAkB,GAAG,CAAA;AAEhF,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,4CAAA,EAC2B,GAAG,CAAA;AAAA,6BAAA,EAClB,GAAG;AAAA,oCAAA,EACI,GAAG,CAAA;AAAA,MAAA,CAClC,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,IAAI,uBAAA,CAAwB,QAAA,CAAS,MAAA,GAAS,CAAA,EAAG;AAC/C,IAAA,UAAA,CAAW,qBAAqB,CAAA,GAAI,wBAAA;AAAA,MAClC,YAAA;AAAA,MACA,uBAAA,CAAwB;AAAA,KAC1B;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK;AAAA;AAAA;AAAA;AAAA,IAAA,CAIZ,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA,CAAE,SAAS,CAAA,EAAG;AACxC,IAAA,KAAA,MAAW,OAAO,YAAA,EAAc;AAC9B,MAAA,UAAA,CAAW,CAAA,MAAA,EAAS,GAAG,CAAA,CAAE,CAAA,GAAI,aAAa,GAAG,CAAA;AAE7C,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,sCAAA,EACqB,GAAG,CAAA;AAAA,uBAAA,EAClB,GAAG;AAAA,8BAAA,EACI,GAAG,CAAA;AAAA,MAAA,CAC5B,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,IAAI,OAAO,IAAA,CAAK,WAAA,CAAY,cAAc,CAAA,CAAE,SAAS,CAAA,EAAG;AACtD,IAAA,MAAM,iBAA2B,EAAC;AAElC,IAAA,KAAA,MAAW,GAAA,IAAO,YAAY,cAAA,EAAgB;AAC5C,MAAA,UAAA,CAAW,WAAW,GAAG,CAAA,CAAE,CAAA,GAAI,WAAA,CAAY,eAAe,GAAG,CAAA;AAE7D,MAAA,cAAA,CAAe,IAAA,CAAK;AAAA,wCAAA,EACgB,GAAG,CAAA;AAAA,yBAAA,EAClB,GAAG;AAAA,gCAAA,EACI,GAAG,CAAA;AAAA,MAAA,CAC9B,CAAA;AAAA,IACH;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK;AAAA;AAAA,MAAA,EAET,cAAA,CAAe,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,MAAM,CAAA,CAAE,IAAA,CAAK,MAAM,CAAC;AAAA;;AAAA;AAAA;AAAA,IAAA,CAKjD,CAAA;AAAA,EACH;AAEA,EAAA,UAAA,CAAW,eAAe,IAAI,eAAA,CAAgB;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA,EAAA,EAS5C,OAAA,CAAQ,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,MAAM,CAAA,CAAE,IAAA,CAAK,MAAM,CAAC;;AAAA;AAAA;AAAA;AAAA,EAAA,CAKxC,CAAA;AAED,EAAA,OAAO,UAAA;AACT;AAEA,SAAS,wBAAA,CAAyB,cAAkC,QAAA,EAA4B;AAC9F,EAAA,IAAI,iBAAiB,QAAA,EAAU;AAC7B,IAAA,OAAO,IAAA;AAAA;AAAA;;AAAA,yBAAA,EAIgB,QAAA,CAAS,IAAA,CAAK,GAAG,CAAC;AAAA,IAAA,CAAA;AAAA,EAE3C,CAAA,MAAO;AACL,IAAA,OAAO,IAAA;AAAA;AAAA;;AAAA;AAAA,yBAAA,EAKgB,QAAA,CAAS,IAAA,CAAK,GAAG,CAAC;AAAA,IAAA,CAAA;AAAA,EAE3C;AACF;ACxTO,SAAS,sBAAsB,OAAA,EAA6C;AACjF,EAAA,MAAM,MAAA,GAASR,QAAAA,CAAO,OAAA,CAAQ,MAAM,CAAA;AAEpC,EAAA,OAAOA,QAAAA,CAAO;AAAA,IACZ,OAAA;AAAA,IACA,OAAO,MAAA,CAAO,KAAA;AAAA,IACd,cAAc,MAAA,CAAO,YAAA;AAAA,IACrB,SAAS,MAAA,CAAO,OAAA;AAAA,IAChB,aAAa,MAAA,CAAO,WAAA;AAAA,IACpB,kBAAkB,MAAA,CAAO;AAAA,GAC1B,CAAA,CAAE,KAAA,CAAM,CAAC,EAAE,OAAA,EAAAS,QAAAA,EAAS,KAAA,EAAO,YAAA,EAAc,OAAA,EAAS,WAAA,EAAa,gBAAA,EAAiB,KAAM;AACrF,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,SAAS,CAAC,wBAAA,EAA0B,CAAA,SAAA,EAAYA,QAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA;AAAA,MAE9D,GAAGA,QAAAA;AAAA,MAEH,YAAA,EAAc,CAAC,GAAG,YAAA,EAAc,GAAIA,QAAAA,CAAQ,YAAA,IAAgB,EAAG,CAAA;AAAA,MAC/D,OAAA,EAAS,CAAC,GAAG,OAAA,EAAS,GAAIA,QAAAA,CAAQ,OAAA,IAAW,EAAG,CAAA;AAAA,MAChD,WAAA,EAAa,KAAA,CAAM,WAAA,EAAaA,QAAAA,CAAQ,WAAW,CAAA;AAAA,MACnD,gBAAA,EAAkB,CAAC,GAAG,gBAAA,EAAkB,GAAIA,QAAAA,CAAQ,gBAAA,IAAoB,EAAG;AAAA,KAC7E;AAAA,EACF,CAAC,CAAA;AACH;ACxCA,eAAsB,mBAAA,CACpB,WACA,SAAA,EACqC;AACrC,EAAA,MAAM,KAAA,GAAQ,MAAM,kBAAA,CAAmB,YAAA,CAAa,SAAA,EAAW;AAAA,IAC7D,SAAA;AAAA,IACA,SAAA;AAAA,IACA,KAAA,EAAO,CAAC,KAAA,EAAO,MAAA,EAAQ,OAAO,CAAA;AAAA,IAC9B,gBAAA,EAAkB;AAAA,GACnB,CAAA;AAED,EAAA,OAAOT,QAAAA,CAAO;AAAA,IACZ,IAAA,EAAM,SAAA;AAAA,IACN,KAAA,EAAO,cAAA,CAAO,oBAAoB,CAAA,CAAE,KAAA;AAAA,IAEpC,MAAA,EAAQ;AAAA,MACN,UAAA,EAAY,MAAM,OAAA,CAAQ,UAAA;AAAA,MAC1B,SAAA,EAAWA,QAAAA,CAAO,SAAS,CAAA,CAAE,KAAA,CAAM,CAAAU,UAAAA,KAAaA,UAAAA,CAAU,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,MAAM,CAAC;AAAA;AAC9E,GACD,CAAA;AACH","file":"index.js","sourcesContent":["import type { RequiredKeys, UnitTerminal } from \"@highstate/contract\"\nimport type { k8s } from \"@highstate/library\"\nimport type { Container } from \"./container\"\nimport type { NetworkPolicy } from \"./network-policy\"\nimport { getOrCreate } from \"@highstate/contract\"\nimport {\n type ComponentResourceOptions,\n type Input,\n type Inputs,\n interpolate,\n type Output,\n output,\n toPromise,\n type Unwrap,\n} from \"@highstate/pulumi\"\nimport { batch, type types } from \"@pulumi/kubernetes\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { omit } from \"remeda\"\nimport { Namespace } from \"./namespace\"\nimport { commonExtraArgs, getProvider, mapMetadata, type ScopedResourceArgs } from \"./shared\"\nimport {\n getWorkloadComponents,\n Workload,\n type WorkloadArgs,\n type WorkloadTerminalArgs,\n} from \"./workload\"\n\nexport type CronJobArgs = ScopedResourceArgs &\n Omit<RequiredKeys<Partial<types.input.batch.v1.CronJobSpec>, \"schedule\">, \"jobTemplate\"> & {\n jobTemplate?: {\n metadata?: types.input.meta.v1.ObjectMeta\n spec?: Omit<types.input.batch.v1.JobSpec, \"template\"> & {\n template?: {\n metadata?: types.input.meta.v1.ObjectMeta\n spec?: Partial<types.input.core.v1.PodSpec>\n }\n }\n }\n } & WorkloadArgs\n\nexport type CreateOrGetCronJobArgs = CronJobArgs & {\n /*\n The cron job entity to patch/retrieve.\n /\n existing: Input<k8s.ScopedResource> \| undefined\n}\n\n/\n Represents a Kubernetes CronJob resource with metadata and spec.\n /\nexport abstract class CronJob extends Workload {\n protected constructor(\n type: string,\n name: string,\n args: Inputs,\n opts: ComponentResourceOptions \| undefined,\n\n apiVersion: Output<string>,\n kind: Output<string>,\n terminalArgs: Output<Unwrap<WorkloadTerminalArgs>>,\n containers: Output<Container[]>,\n namespace: Output<Namespace>,\n metadata: Output<types.output.meta.v1.ObjectMeta>,\n networkPolicy: Output<NetworkPolicy \| undefined>,\n\n /\n The spec of the underlying Kubernetes cron job.\n /\n readonly spec: Output<types.output.batch.v1.CronJobSpec>,\n\n /\n The status of the underlying Kubernetes cron job.\n /\n readonly status: Output<types.output.batch.v1.CronJobStatus>,\n ) {\n super(\n type,\n name,\n args,\n opts,\n apiVersion,\n kind,\n terminalArgs,\n containers,\n namespace,\n metadata,\n networkPolicy,\n )\n }\n\n /\n The Highstate cron job entity.\n /\n get entity(): Output<k8s.ScopedResource> {\n return output({\n type: \"cron-job\",\n clusterId: this.cluster.id,\n clusterName: this.cluster.name,\n metadata: this.metadata,\n })\n }\n\n protected getTerminalMeta(): Output<UnitTerminal[\"meta\"]> {\n return output({\n title: \"CronJob\",\n globalTitle: interpolate`CronJob \| ${this.metadata.name}`,\n description: \"The shell inside the cron job.\",\n icon: \"devicon:kubernetes\",\n })\n }\n\n protected get resourceType(): string {\n return \"cronjob\"\n }\n\n /\n Creates a new cron job.\n /\n static create(name: string, args: CronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new CreatedCronJob(name, args, opts)\n }\n\n /\n Creates a new cron job or patches an existing one.\n \n @param name The name of the resource. May not be the same as the cron job name.\n * @param args The arguments to create or patch the cron job with.\n * @param opts Optional resource options.\n /\n static createOrPatch(\n name: string,\n args: CreateOrGetCronJobArgs,\n opts?: ComponentResourceOptions,\n ): CronJob {\n if (args.existing) {\n return new CronJobPatch(name, {\n ...args,\n name: output(args.existing).metadata.name,\n namespace: Namespace.forResourceAsync(args.existing, output(args.namespace).cluster),\n })\n }\n\n return new CreatedCronJob(name, args, opts)\n }\n\n /\n Creates a new cron job or gets an existing one.\n \n @param name The name of the resource. May not be the same as the cron job name. Will not be used when existing cron job is retrieved.\n * @param args The arguments to create or get the cron job with.\n * @param opts Optional resource options.\n /\n static async createOrGet(\n name: string,\n args: CreateOrGetCronJobArgs,\n opts?: ComponentResourceOptions,\n ): Promise<CronJob> {\n if (args.existing) {\n return await CronJob.forAsync(args.existing, output(args.namespace).cluster)\n }\n\n return new CreatedCronJob(name, args, opts)\n }\n\n /\n Patches an existing cron job.\n \n Will throw an error if the cron job does not exist.\n \n @param name The name of the resource. May not be the same as the cron job name.\n * @param args The arguments to patch the cron job with.\n * @param opts Optional resource options.\n /\n static patch(name: string, args: CronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new CronJobPatch(name, args, opts)\n }\n\n /\n Wraps an existing Kubernetes cron job.\n /\n static wrap(name: string, args: WrappedCronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new WrappedCronJob(name, args, opts)\n }\n\n /\n Gets an existing cron job.\n \n Will throw an error if the cron job does not exist.\n /\n static get(name: string, args: ExternalCronJobArgs, opts?: ComponentResourceOptions): CronJob {\n return new ExternalCronJob(name, args, opts)\n }\n\n private static readonly cronJobCache = new Map<string, CronJob>()\n\n /\n Gets an existing cron job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the cron job for.\n * @param cluster The cluster where the cron job is located.\n /\n static for(entity: k8s.ScopedResource, cluster: Input<k8s.Cluster>): CronJob {\n return getOrCreate(\n CronJob.cronJobCache,\n `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,\n name => {\n return CronJob.get(name, {\n name: entity.metadata.name,\n namespace: Namespace.forResource(entity, cluster),\n })\n },\n )\n }\n\n /\n Gets an existing cron job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the cron job for.\n * @param cluster The cluster where the cron job is located.\n /\n static async forAsync(\n entity: Input<k8s.ScopedResource>,\n cluster: Input<k8s.Cluster>,\n ): Promise<CronJob> {\n const resolvedEntity = await toPromise(entity)\n return CronJob.for(resolvedEntity, cluster)\n }\n}\n\nconst cronJobExtraArgs = [...commonExtraArgs, \"container\", \"containers\"] as const\n\nclass CreatedCronJob extends CronJob {\n constructor(name: string, args: CronJobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const cronJob = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.CronJob(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n {\n jobTemplate: {\n spec: {\n template: deepmerge(\n {\n spec: {\n restartPolicy: \"Never\",\n },\n },\n podTemplate,\n ),\n },\n },\n schedule: args.schedule,\n },\n omit(args, cronJobExtraArgs) as types.input.batch.v1.CronJobSpec,\n )\n }),\n },\n {\n ...opts,\n parent: this,\n provider: getProvider(cluster),\n },\n )\n })\n\n super(\n \"highstate:k8s:CronJob\",\n name,\n args,\n opts,\n\n cronJob.apiVersion,\n cronJob.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n cronJob.metadata,\n networkPolicy,\n\n cronJob.spec,\n cronJob.status,\n )\n }\n}\n\nclass CronJobPatch extends CronJob {\n constructor(name: string, args: CronJobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const cronJob = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.CronJobPatch(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n {\n jobTemplate: {\n spec: {\n template: podTemplate,\n },\n },\n schedule: args.schedule,\n } satisfies types.input.batch.v1.CronJobSpec,\n omit(args, cronJobExtraArgs) as types.input.batch.v1.CronJobSpec,\n )\n }),\n },\n {\n ...opts,\n parent: this,\n provider: getProvider(cluster),\n },\n )\n })\n\n super(\n \"highstate:k8s:CronJobPatch\",\n name,\n args,\n opts,\n\n cronJob.apiVersion,\n cronJob.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n cronJob.metadata,\n networkPolicy,\n\n cronJob.spec,\n cronJob.status,\n )\n }\n}\n\nexport type WrappedCronJobArgs = {\n /\n The underlying Kubernetes cron job to wrap.\n /\n cronJob: Input<batch.v1.CronJob>\n\n /\n The namespace where the cron job is located.\n /\n namespace: Input<Namespace>\n\n /\n The args for the terminal to use.\n /\n terminal?: Input<WorkloadTerminalArgs>\n}\n\nclass WrappedCronJob extends CronJob {\n constructor(name: string, args: WrappedCronJobArgs, opts?: ComponentResourceOptions) {\n super(\n \"highstate:k8s:WrappedCronJob\",\n name,\n args,\n opts,\n\n output(args.cronJob).apiVersion,\n output(args.cronJob).kind,\n output(args.terminal ?? {}),\n output([]),\n output(args.namespace),\n output(args.cronJob).metadata,\n output(undefined),\n\n output(args.cronJob).spec,\n output(args.cronJob).status,\n )\n }\n}\n\nexport type ExternalCronJobArgs = {\n /\n The name of the cron job to get.\n /\n name: Input<string>\n\n /\n The namespace where the cron job is located.\n /\n namespace: Input<Namespace>\n}\n\nclass ExternalCronJob extends CronJob {\n constructor(name: string, args: ExternalCronJobArgs, opts?: ComponentResourceOptions) {\n const cronJob = output(args.namespace).cluster.apply(cluster => {\n return batch.v1.CronJob.get(\n name,\n interpolate`${output(args.namespace).metadata.name}/${args.name}`,\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:ExternalCronJob\",\n name,\n args,\n opts,\n\n cronJob.apiVersion,\n cronJob.kind,\n output({}),\n output([]),\n output(args.namespace),\n cronJob.metadata,\n output(undefined),\n\n cronJob.spec,\n cronJob.status,\n )\n }\n}\n","import type { k8s } from \"@highstate/library\"\nimport type { Container } from \"./container\"\nimport type { NetworkPolicy } from \"./network-policy\"\nimport { getOrCreate, type UnitTerminal } from \"@highstate/contract\"\nimport {\n type ComponentResourceOptions,\n type Input,\n type Inputs,\n interpolate,\n type Output,\n output,\n toPromise,\n type Unwrap,\n} from \"@highstate/pulumi\"\nimport { batch, type types } from \"@pulumi/kubernetes\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { omit } from \"remeda\"\nimport { Namespace } from \"./namespace\"\nimport { commonExtraArgs, getProvider, mapMetadata, type ScopedResourceArgs } from \"./shared\"\nimport {\n getWorkloadComponents,\n Workload,\n type WorkloadArgs,\n type WorkloadTerminalArgs,\n} from \"./workload\"\n\nexport type JobArgs = ScopedResourceArgs &\n Omit<Partial<types.input.batch.v1.JobSpec>, \"template\"> & {\n template?: {\n metadata?: types.input.meta.v1.ObjectMeta\n spec?: Partial<types.input.core.v1.PodSpec>\n }\n } & WorkloadArgs\n\nexport type CreateOrGetJobArgs = JobArgs & {\n /\n The job entity to patch/retrieve.\n /\n existing: Input<k8s.ScopedResource> \| undefined\n}\n\n/\n Represents a Kubernetes Job resource with metadata and spec.\n /\nexport abstract class Job extends Workload {\n protected constructor(\n type: string,\n name: string,\n args: Inputs,\n opts: ComponentResourceOptions \| undefined,\n\n apiVersion: Output<string>,\n kind: Output<string>,\n terminalArgs: Output<Unwrap<WorkloadTerminalArgs>>,\n containers: Output<Container[]>,\n namespace: Output<Namespace>,\n metadata: Output<types.output.meta.v1.ObjectMeta>,\n networkPolicy: Output<NetworkPolicy \| undefined>,\n\n /\n The spec of the underlying Kubernetes job.\n /\n readonly spec: Output<types.output.batch.v1.JobSpec>,\n\n /\n The status of the underlying Kubernetes job.\n /\n readonly status: Output<types.output.batch.v1.JobStatus>,\n ) {\n super(\n type,\n name,\n args,\n opts,\n apiVersion,\n kind,\n terminalArgs,\n containers,\n namespace,\n metadata,\n networkPolicy,\n )\n }\n\n /\n The Highstate job entity.\n /\n get entity(): Output<k8s.ScopedResource> {\n return output({\n type: \"job\",\n clusterId: this.cluster.id,\n clusterName: this.cluster.name,\n metadata: this.metadata,\n })\n }\n\n protected getTerminalMeta(): Output<UnitTerminal[\"meta\"]> {\n return output({\n title: \"Job\",\n globalTitle: interpolate`Job \| ${this.metadata.name}`,\n description: \"The shell inside the job.\",\n icon: \"devicon:kubernetes\",\n })\n }\n\n protected get resourceType(): string {\n return \"job\"\n }\n\n /\n Creates a new job.\n /\n static create(name: string, args: JobArgs, opts?: ComponentResourceOptions): Job {\n return new CreatedJob(name, args, opts)\n }\n\n /\n Creates a new job or patches an existing one.\n \n @param name The name of the resource. May not be the same as the job name.\n * @param args The arguments to create or patch the job with.\n * @param opts Optional resource options.\n /\n static createOrPatch(\n name: string,\n args: CreateOrGetJobArgs,\n opts?: ComponentResourceOptions,\n ): Job {\n if (args.existing) {\n return new JobPatch(name, {\n ...args,\n name: output(args.existing).metadata.name,\n namespace: Namespace.forResourceAsync(args.existing, output(args.namespace).cluster),\n })\n }\n\n return new CreatedJob(name, args, opts)\n }\n\n /\n Creates a new job or gets an existing one.\n \n @param name The name of the resource. May not be the same as the job name. Will not be used when existing job is retrieved.\n * @param args The arguments to create or get the job with.\n * @param opts Optional resource options.\n /\n static async createOrGet(\n name: string,\n args: CreateOrGetJobArgs,\n opts?: ComponentResourceOptions,\n ): Promise<Job> {\n if (args.existing) {\n return await Job.forAsync(args.existing, output(args.namespace).cluster)\n }\n\n return new CreatedJob(name, args, opts)\n }\n\n /\n Patches an existing job.\n \n Will throw an error if the job does not exist.\n \n @param name The name of the resource. May not be the same as the job name.\n * @param args The arguments to patch the job with.\n * @param opts Optional resource options.\n /\n static patch(name: string, args: JobArgs, opts?: ComponentResourceOptions): Job {\n return new JobPatch(name, args, opts)\n }\n\n /\n Wraps an existing Kubernetes job.\n /\n static wrap(name: string, args: WrappedJobArgs, opts?: ComponentResourceOptions): Job {\n return new WrappedJob(name, args, opts)\n }\n\n /\n Gets an existing job.\n \n Will throw an error if the job does not exist.\n /\n static get(name: string, args: ExternalJobArgs, opts?: ComponentResourceOptions): Job {\n return new ExternalJob(name, args, opts)\n }\n\n private static readonly jobCache = new Map<string, Job>()\n\n /\n Gets an existing job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the job for.\n * @param cluster The cluster where the job is located.\n /\n static for(entity: k8s.ScopedResource, cluster: Input<k8s.Cluster>): Job {\n return getOrCreate(\n Job.jobCache,\n `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,\n name => {\n return Job.get(name, {\n name: entity.metadata.name,\n namespace: Namespace.forResource(entity, cluster),\n })\n },\n )\n }\n\n /\n Gets an existing job for a given entity.\n * Prefer this method over `get` when possible.\n \n It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.\n \n This method is idempotent and will return the same instance for the same entity.\n \n @param entity The entity to get the job for.\n * @param cluster The cluster where the job is located.\n /\n static async forAsync(\n entity: Input<k8s.ScopedResource>,\n cluster: Input<k8s.Cluster>,\n ): Promise<Job> {\n const resolvedEntity = await toPromise(entity)\n return Job.for(resolvedEntity, cluster)\n }\n}\n\nconst jobExtraArgs = [...commonExtraArgs, \"container\", \"containers\"] as const\n\nclass CreatedJob extends Job {\n constructor(name: string, args: JobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const job = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.Job(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n {\n template: deepmerge(\n {\n spec: {\n restartPolicy: \"Never\",\n },\n },\n podTemplate,\n ),\n },\n omit(args, jobExtraArgs) as types.input.batch.v1.JobSpec,\n )\n }),\n },\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:Job\",\n name,\n args,\n opts,\n\n job.apiVersion,\n job.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n job.metadata,\n networkPolicy,\n\n job.spec,\n job.status,\n )\n }\n}\n\nclass JobPatch extends Job {\n constructor(name: string, args: JobArgs, opts?: ComponentResourceOptions) {\n const { podTemplate, containers, networkPolicy } = getWorkloadComponents(\n name,\n args,\n () => this,\n opts,\n )\n\n const job = output(args.namespace).cluster.apply(cluster => {\n return new batch.v1.JobPatch(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {\n return deepmerge(\n { template: podTemplate } satisfies types.input.batch.v1.JobSpec,\n omit(args, jobExtraArgs) as types.input.batch.v1.JobSpec,\n )\n }),\n },\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:JobPatch\",\n name,\n args,\n opts,\n\n job.apiVersion,\n job.kind,\n output(args.terminal ?? {}),\n containers,\n output(args.namespace),\n job.metadata,\n networkPolicy,\n\n job.spec,\n job.status,\n )\n\n this.registerOutputs({\n metadata: this.metadata,\n spec: this.spec,\n status: this.status,\n })\n }\n}\n\nexport type WrappedJobArgs = {\n /\n The underlying Kubernetes job to wrap.\n /\n job: Input<batch.v1.Job>\n\n /\n The namespace where the job is located.\n /\n namespace: Input<Namespace>\n\n /\n The args for the terminal to use.\n /\n terminal?: Input<WorkloadTerminalArgs>\n}\n\nclass WrappedJob extends Job {\n constructor(name: string, args: WrappedJobArgs, opts?: ComponentResourceOptions) {\n super(\n \"highstate:k8s:WrappedJob\",\n name,\n args,\n opts,\n\n output(args.job).apiVersion,\n output(args.job).kind,\n output(args.terminal ?? {}),\n output([]),\n output(args.namespace),\n output(args.job).metadata,\n output(undefined),\n\n output(args.job).spec,\n output(args.job).status,\n )\n }\n}\n\nexport type ExternalJobArgs = {\n /\n The name of the job to get.\n /\n name: Input<string>\n\n /\n The namespace where the job is located.\n /\n namespace: Input<Namespace>\n}\n\nclass ExternalJob extends Job {\n constructor(name: string, args: ExternalJobArgs, opts?: ComponentResourceOptions) {\n const job = output(args.namespace).cluster.apply(cluster => {\n return batch.v1.Job.get(\n name,\n interpolate`${output(args.namespace).metadata.name}/${args.name}`,\n { ...opts, parent: this, provider: getProvider(cluster) },\n )\n })\n\n super(\n \"highstate:k8s:ExternalJob\",\n name,\n args,\n opts,\n\n job.apiVersion,\n job.kind,\n output({}),\n output([]),\n output(args.namespace),\n job.metadata,\n output(undefined),\n\n job.spec,\n job.status,\n )\n }\n}\n","import type { InputL34Endpoint } from \"@highstate/common\"\nimport type { Input, InputArray, InputRecord } from \"@highstate/pulumi\"\nimport type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from \"../container\"\n\nexport type ScriptDistribution = \"alpine\" \| \"ubuntu\"\n\nexport type DistributionEnvironment = {\n /\n The image that should be used for the distribution.\n /\n image?: Input<string>\n\n /\n The utility packages that should be installed before running \"preInstallScripts\".\n \n Useful for installing tools like `curl` to install additional repositories.\n /\n preInstallPackages?: InputArray<string>\n\n /\n The pre-install scripts that should be run before installing packages.\n * Typically, these scripts are used to install additional repositories.\n /\n preInstallScripts?: InputRecord<string>\n\n /\n The packages that are available in the environment.\n /\n packages?: InputArray<string>\n\n /\n The endpoint which the script is allowed to access scoped to the distribution.\n \n Typically, this is used to allow access to the package manager.\n \n Will be used to generate a network policy.\n /\n allowedEndpoints?: InputArray<InputL34Endpoint>\n}\n\nexport type ScriptProgram = () => unknown\n\nexport type ScriptEnvironment = {\n [distribution in ScriptDistribution]?: DistributionEnvironment\n} & {\n /\n The setup scripts that should be run before the script.\n /\n setupScripts?: InputRecord<string>\n\n /\n The cleanup scripts that should be run after the script.\n /\n cleanupScripts?: InputRecord<string>\n\n /\n The arbitrary files available in the environment including scripts.\n /\n files?: InputRecord<string \| ScriptProgram>\n\n /\n The volumes that should be defined in the environment.\n /\n volumes?: InputArray<WorkloadVolume>\n\n /\n The volume mounts that should be defined in the environment.\n /\n volumeMounts?: InputArray<ContainerVolumeMount>\n\n /\n The environment variables that should be defined in the environment.\n /\n environment?: Input<ContainerEnvironment>\n\n /\n The endpoint which the script is allowed to access.\n \n Will be used to generate a network policy.\n /\n allowedEndpoints?: InputArray<InputL34Endpoint>\n}\n\nexport type ResolvedScriptEnvironment = Omit<Required<ScriptEnvironment>, ScriptDistribution> & {\n [distribution in ScriptDistribution]: Required<DistributionEnvironment>\n}\n\nconst emptyDistributionEnvironment = {\n preInstallPackages: [],\n preInstallScripts: {},\n packages: [],\n}\n\nexport const emptyScriptEnvironment: ResolvedScriptEnvironment = {\n alpine: {\n ...emptyDistributionEnvironment,\n image: \"alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c\",\n allowedEndpoints: [\n //\n \"tcp://dl-cdn.alpinelinux.org:443\",\n \"tcp://dl-cdn.alpinelinux.org:80\",\n ],\n },\n\n ubuntu: {\n ...emptyDistributionEnvironment,\n image: \"ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782\",\n allowedEndpoints: [\n //\n \"tcp://archive.ubuntu.com:80\",\n \"tcp://archive.ubuntu.com:443\",\n \"tcp://security.ubuntu.com:80\",\n \"tcp://security.ubuntu.com:443\",\n ],\n },\n\n setupScripts: {},\n cleanupScripts: {},\n files: {},\n volumes: [],\n volumeMounts: [],\n environment: {},\n allowedEndpoints: [],\n}\n\nexport const functionScriptImages: Record<ScriptDistribution, string> = {\n alpine: \"oven/bun@sha256:6b14922b0885c3890cdb0b396090af1da486ba941df5ee94391eef64f7113c61\",\n ubuntu: \"oven/bun@sha256:66b431441dc4c36d7e8164bfc61e6348ec1d7ce2862fc3a29f5dc9856e8205e4\",\n}\n","import type { network } from \"@highstate/library\"\nimport type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from \"../container\"\nimport type { ScopedResourceArgs } from \"../shared\"\nimport { parseL34Endpoint } from \"@highstate/common\"\nimport { text, trimIndentation } from \"@highstate/contract\"\nimport { type InputArray, normalize } from \"@highstate/pulumi\"\nimport {\n ComponentResource,\n type ComponentResourceOptions,\n type Input,\n type Output,\n output,\n type Unwrap,\n} from \"@pulumi/pulumi\"\nimport { serializeFunction } from \"@pulumi/pulumi/runtime/index.js\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { readPackageJSON } from \"pkg-types\"\nimport { mapValues, omitBy } from \"remeda\"\nimport { ConfigMap } from \"../config-map\"\nimport {\n emptyScriptEnvironment,\n functionScriptImages,\n type ResolvedScriptEnvironment,\n type ScriptDistribution,\n type ScriptEnvironment,\n} from \"./environment\"\n\nexport type ScriptBundleArgs = ScopedResourceArgs & {\n /\n The environment to bundle the scripts from.\n /\n environment?: Input<ScriptEnvironment>\n\n /\n The environments to bundle the scripts from.\n /\n environments?: InputArray<ScriptEnvironment>\n\n /\n The distribution to use for the scripts.\n /\n distribution: ScriptDistribution\n}\n\nexport class ScriptBundle extends ComponentResource {\n /\n The config map containing the scripts.\n /\n readonly configMap: Output<ConfigMap>\n\n /\n The volumes that should be included in the workload.\n /\n readonly volumes: Output<WorkloadVolume[]>\n\n /\n The volume mounts that should be defined in the container.\n /\n readonly volumeMounts: Output<ContainerVolumeMount[]>\n\n /\n The environment variables that should be defined in the container.\n /\n readonly environment: Output<ContainerEnvironment>\n\n /\n The image to use for the scripts.\n /\n readonly image: Output<string>\n\n /\n The distribution to use for the scripts.\n /\n readonly distribution: ScriptDistribution\n\n /\n The list of endpoints that the script is allowed to access.\n /\n readonly allowedEndpoints: Output<network.L34Endpoint[]>\n\n constructor(name: string, args: ScriptBundleArgs, opts?: ComponentResourceOptions) {\n super(\"highstate:k8s:ScriptBundle\", name, args, opts)\n\n const scriptEnvironment = output(args)\n .apply(args => normalize(args.environment, args.environments))\n .apply(args => deepmerge(emptyScriptEnvironment, ...args)) as Output<\n Unwrap<ResolvedScriptEnvironment>\n >\n\n const hasFunctionScripts = scriptEnvironment.apply(scriptEnvironment => {\n return Object.values(scriptEnvironment.files).some(file => typeof file === \"function\")\n })\n\n this.distribution = args.distribution\n this.environment = scriptEnvironment.environment\n\n this.image = hasFunctionScripts.apply(hasFunctionScripts =>\n output(\n hasFunctionScripts\n ? functionScriptImages[args.distribution]\n : scriptEnvironment[args.distribution].image,\n ),\n )\n\n this.allowedEndpoints = output({ scriptEnvironment, hasFunctionScripts }).apply(\n ({ scriptEnvironment, hasFunctionScripts }) => {\n const allowedEndpoints = [\n ...scriptEnvironment.allowedEndpoints,\n ...scriptEnvironment[args.distribution].allowedEndpoints,\n ]\n\n if (hasFunctionScripts) {\n allowedEndpoints.push(\"tcp://registry.npmjs.org:443\")\n }\n\n return allowedEndpoints.map(parseL34Endpoint)\n },\n )\n\n this.configMap = output({ scriptEnvironment, args }).apply(({ scriptEnvironment, args }) => {\n return ConfigMap.create(\n name,\n {\n namespace: args.namespace,\n\n data: createScriptData(this.distribution, scriptEnvironment),\n },\n { ...opts, parent: this },\n )\n })\n\n this.volumes = output({ hasFunctionScripts, volumes: scriptEnvironment.volumes }).apply(\n ({ hasFunctionScripts, volumes }) => {\n return [\n ...volumes,\n {\n name: this.configMap.metadata.name,\n\n configMap: {\n name: this.configMap.metadata.name,\n defaultMode: 0o550, // read and execute permissions\n },\n },\n ...(hasFunctionScripts ? [{ name: \"node-modules\", emptyDir: {} }] : []),\n ]\n },\n )\n\n this.volumeMounts = output({\n hasFunctionScripts,\n volumeMounts: scriptEnvironment.volumeMounts,\n }).apply(({ hasFunctionScripts, volumeMounts }) => {\n return [\n ...volumeMounts,\n {\n volume: this.configMap,\n mountPath: \"/scripts\",\n },\n ...(hasFunctionScripts\n ? [{ name: \"node-modules\", mountPath: \"/scripts/node_modules\" }]\n : []),\n ]\n })\n }\n}\n\nfunction stripWorkspacePrefix(value: string): string {\n if (value.startsWith(\"workspace:\")) {\n return value.replace(\"workspace:\", \"\")\n }\n\n return value\n}\n\nasync function createScriptData(\n distribution: ScriptDistribution,\n environment: Unwrap<ResolvedScriptEnvironment>,\n): Promise<Record<string, string>> {\n const scriptData: Record<string, string> = {}\n const actions: string[] = []\n\n const distributionEnvironment = environment[distribution]\n const setupScripts = { ...environment.setupScripts }\n\n let hasFunctionScripts = false\n\n for (const key in environment.files) {\n if (typeof environment.files[key] === \"function\") {\n const serialized = await serializeFunction(environment.files[key])\n\n scriptData[key] = text`\n #!/usr/local/bin/bun\n \n ${serialized.text}\n\n exports.${serialized.exportName}()\n `\n\n hasFunctionScripts = true\n } else {\n scriptData[key] = environment.files[key]\n }\n }\n\n if (hasFunctionScripts) {\n const packageJson = await readPackageJSON()\n\n packageJson.dependencies = omitBy(\n mapValues(packageJson.dependencies ?? {}, stripWorkspacePrefix),\n (_, key) => key.startsWith(\"@highstate/\"),\n )\n\n packageJson.devDependencies = omitBy(\n mapValues(packageJson.devDependencies ?? {}, stripWorkspacePrefix),\n (_, key) => key.startsWith(\"@highstate/\"),\n )\n\n scriptData[\"package.json\"] = JSON.stringify(packageJson, null, 2)\n\n setupScripts[\"resolve-dependencies.sh\"] = text`\n #!/usr/local/bin/bun\n set -e\n\n cd /scripts\n bun install --production\n `\n }\n\n if (distributionEnvironment.preInstallPackages.length > 0) {\n scriptData[\"pre-install-packages.sh\"] = getInstallPackagesScript(\n distribution,\n distributionEnvironment.preInstallPackages,\n )\n\n actions.push(`\n echo \"+ Installing pre-install packages...\"\n /scripts/pre-install-packages.sh\n echo \"+ Pre-install packages installed successfully\"\n `)\n }\n\n if (Object.keys(distributionEnvironment.preInstallScripts).length > 0) {\n for (const key in distributionEnvironment.preInstallScripts) {\n scriptData[`pre-install-${key}`] = distributionEnvironment.preInstallScripts[key]\n\n actions.push(`\n echo \"+ Running pre-install script '${key}'...\"\n /scripts/pre-install-${key}\n echo \"+ Pre-install script '${key}'... Done\"\n `)\n }\n }\n\n if (distributionEnvironment.packages.length > 0) {\n scriptData[\"install-packages.sh\"] = getInstallPackagesScript(\n distribution,\n distributionEnvironment.packages,\n )\n\n actions.push(`\n echo \"+ Installing packages...\"\n /scripts/install-packages.sh\n echo \"+ Packages installed successfully\"\n `)\n }\n\n if (Object.keys(setupScripts).length > 0) {\n for (const key in setupScripts) {\n scriptData[`setup-${key}`] = setupScripts[key]\n\n actions.push(`\n echo \"+ Running setup script '${key}'...\"\n /scripts/setup-${key}\n echo \"+ Setup script '${key}'... Done\"\n `)\n }\n }\n\n if (Object.keys(environment.cleanupScripts).length > 0) {\n const cleanupActions: string[] = []\n\n for (const key in environment.cleanupScripts) {\n scriptData[`cleanup-${key}`] = environment.cleanupScripts[key]\n\n cleanupActions.push(`\n echo \"+ Running cleanup script '${key}'...\"\n /scripts/cleanup-${key}\n echo \"+ Cleanup script '${key}'... Done\"\n `)\n }\n\n actions.push(`\n function cleanup() {\n ${cleanupActions.map(s => s.trim()).join(\"\\n\\n\")}\n }\n\n trap cleanup EXIT\n trap cleanup SIGTERM\n `)\n }\n\n scriptData[\"entrypoint.sh\"] = trimIndentation(`\n #!/bin/sh\n set -e\n\n if [ -z \"$1\" ]; then\n echo \"Usage: entrypoint.sh <main script> [args...]\"\n exit 1\n fi\n\n ${actions.map(s => s.trim()).join(\"\\n\\n\")}\n\n echo \"+ Running main script...\"\n $@\n echo \"+ Main script completed\"\n `)\n\n return scriptData\n}\n\nfunction getInstallPackagesScript(distribution: ScriptDistribution, packages: string[]): string {\n if (distribution === \"alpine\") {\n return text`\n #!/bin/sh\n set -e\n\n apk add --no-cache ${packages.join(\" \")}\n `\n } else {\n return text`\n #!/bin/sh\n set -e\n\n apt-get update\n apt-get install -y ${packages.join(\" \")}\n `\n }\n}\n","import type { Container } from \"../container\"\nimport type { ScriptBundle } from \"./bundle\"\nimport { type Input, type Output, output } from \"@pulumi/pulumi\"\nimport { merge } from \"remeda\"\n\nexport type ScriptContainer = Container & {\n /\n The script bundle to use.\n /\n bundle: Input<ScriptBundle>\n\n /\n The name of the main script to run.\n * The script must be available in the bundle.\n /\n main: Input<string>\n}\n\n/\n Creates a spec for a container that runs a script.\n * This spec can be used to create a complete workload or an init container.\n \n @param options The options to create the container spec.\n * @returns The container spec.\n */\nexport function createScriptContainer(options: ScriptContainer): Output<Container> {\n const bundle = output(options.bundle)\n\n return output({\n options,\n image: bundle.image,\n volumeMounts: bundle.volumeMounts,\n volumes: bundle.volumes,\n environment: bundle.environment,\n allowedEndpoints: bundle.allowedEndpoints,\n }).apply(({ options, image, volumeMounts, volumes, environment, allowedEndpoints }) => {\n return {\n image,\n command: [\"/scripts/entrypoint.sh\", `/scripts/${options.main}`],\n\n ...options,\n\n volumeMounts: [...volumeMounts, ...(options.volumeMounts ?? [])],\n volumes: [...volumes, ...(options.volumes ?? [])],\n environment: merge(environment, options.environment),\n allowedEndpoints: [...allowedEndpoints, ...(options.allowedEndpoints ?? [])],\n } as Container\n })\n}\n","import type { UnitWorker } from \"@highstate/contract\"\nimport type { k8s } from \"@highstate/library\"\nimport type { DeepInput, Input, InputArray, Unwrap } from \"@highstate/pulumi\"\nimport type { Namespace } from \"./namespace\"\nimport { type Output, output } from \"@pulumi/pulumi\"\nimport { ClusterAccessScope } from \"./rbac\"\nimport { images, type ScopedResource } from \"./shared\"\n\nexport async function createMonitorWorker(\n namespace: Input<Namespace>,\n resources: InputArray<ScopedResource>,\n): Promise<Output<Unwrap<UnitWorker>>> {\n const scope = await ClusterAccessScope.forResources(\"monitor\", {\n namespace,\n resources,\n verbs: [\"get\", \"list\", \"watch\"],\n collectionAccess: true,\n })\n\n return output({\n name: \"monitor\",\n image: images[\"worker-k8s-monitor\"].image,\n\n params: {\n kubeconfig: scope.cluster.kubeconfig,\n resources: output(resources).apply(resources => resources.map(r => r.entity)),\n } satisfies DeepInput<k8s.MonitorWorkerParams>,\n })\n}\n"]}

package/dist/units/reduced-access-cluster/index.js ADDED Viewed

@@ -0,0 +1,90 @@
+import { ClusterAccessScope } from '../../chunk-EBX6NFKK.js';
+import { Deployment } from '../../chunk-PODFA5KM.js';
+import { StatefulSet } from '../../chunk-5BNGVYWY.js';
+import { PersistentVolumeClaim, ConfigMap } from '../../chunk-OEGSMSYV.js';
+import { Service } from '../../chunk-SI7X6N46.js';
+import { Secret } from '../../chunk-KHNUUVL4.js';
+import { createK8sTerminal } from '../../chunk-O3ZNJMTN.js';
+import { Namespace } from '../../chunk-WGMJCZSK.js';
+import '../../chunk-PZ5AY32C.js';
+import { text, trimIndentation } from '@highstate/contract';
+import { k8s } from '@highstate/library';
+import { forUnit, toPromise, output, interpolate, fileFromString, secret } from '@highstate/pulumi';
+import { join } from 'remeda';
+var { name, args, inputs, outputs } = forUnit(k8s.reducedAccessCluster);
+var resolvedInputs = await toPromise(inputs);
+var resources = [
+  ...resolvedInputs.deployments.map((r) => Deployment.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.statefulSets.map((r) => StatefulSet.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.services.map((r) => Service.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.persistentVolumeClaims.map(
+    (r) => PersistentVolumeClaim.for(r, inputs.k8sCluster)
+  ),
+  ...resolvedInputs.secrets.map((r) => Secret.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.configMaps.map((r) => ConfigMap.for(r, inputs.k8sCluster))
+];
+var accessScope = await ClusterAccessScope.forResources(args.serviceAccountName ?? name, {
+  namespace: Namespace.for(resolvedInputs.namespace, inputs.k8sCluster),
+  verbs: args.verbs,
+  resources
+});
+var resourceLines = await toPromise(
+  output(
+    resources.map((r) => interpolate`- ${r.kind} "${r.metadata.namespace}/${r.metadata.name}"`)
+  ).apply(join("\n"))
+);
+var reduced_access_cluster_default = outputs({
+  k8sCluster: accessScope.cluster,
+  $terminals: [createK8sTerminal(accessScope.cluster.kubeconfig)],
+  $pages: {
+    index: {
+      meta: {
+        title: "Reduced Access Cluster"
+      },
+      content: [
+        {
+          type: "markdown",
+          content: text`
+            The access to this cluster was reduced to the following resources:
+            ${resourceLines}
+          `
+        },
+        {
+          type: "markdown",
+          content: text`
+            You can access these resources using the following kubeconfig:
+          `
+        },
+        {
+          type: "file",
+          file: fileFromString("kubeconfig", accessScope.cluster.kubeconfig, {
+            contentType: "text/yaml",
+            isSecret: true
+          })
+        },
+        {
+          type: "markdown",
+          content: secret(
+            interpolate`
+              You can also copy the following content of the kubeconfig file:
+              \`\`\`yaml
+              ${accessScope.cluster.kubeconfig}
+              \`\`\`
+            `.apply(trimIndentation)
+          )
+        },
+        {
+          type: "markdown",
+          content: "You can also use terminal to verify the access to the resources."
+        }
+      ]
+    }
+  }
+});
+export { reduced_access_cluster_default as default };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/units/reduced-access-cluster/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/units/reduced-access-cluster/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;AAcA,IAAM,EAAE,MAAM,IAAA,EAAM,MAAA,EAAQ,SAAQ,GAAI,OAAA,CAAQ,IAAI,oBAAoB,CAAA;AAExE,IAAM,cAAA,GAAiB,MAAM,SAAA,CAAU,MAAM,CAAA;AAE7C,IAAM,SAAA,GAAY;AAAA,EAChB,GAAG,cAAA,CAAe,WAAA,CAAY,GAAA,CAAI,CAAA,CAAA,KAAK,WAAW,GAAA,CAAI,CAAA,EAAG,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,EAC3E,GAAG,cAAA,CAAe,YAAA,CAAa,GAAA,CAAI,CAAA,CAAA,KAAK,YAAY,GAAA,CAAI,CAAA,EAAG,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,EAC7E,GAAG,cAAA,CAAe,QAAA,CAAS,GAAA,CAAI,CAAA,CAAA,KAAK,QAAQ,GAAA,CAAI,CAAA,EAAG,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,EACrE,GAAG,eAAe,sBAAA,CAAuB,GAAA;AAAA,IAAI,CAAA,CAAA,KAC3C,qBAAA,CAAsB,GAAA,CAAI,CAAA,EAAG,OAAO,UAAU;AAAA,GAChD;AAAA,EACA,GAAG,cAAA,CAAe,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,KAAK,OAAO,GAAA,CAAI,CAAA,EAAG,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,EACnE,GAAG,cAAA,CAAe,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,UAAU,GAAA,CAAI,CAAA,EAAG,MAAA,CAAO,UAAU,CAAC;AAC3E,CAAA;AAEA,IAAM,cAAc,MAAM,kBAAA,CAAmB,YAAA,CAAa,IAAA,CAAK,sBAAsB,IAAA,EAAM;AAAA,EACzF,WAAW,SAAA,CAAU,GAAA,CAAI,cAAA,CAAe,SAAA,EAAW,OAAO,UAAU,CAAA;AAAA,EACpE,OAAO,IAAA,CAAK,KAAA;AAAA,EACZ;AACF,CAAC,CAAA;AAED,IAAM,gBAAgB,MAAM,SAAA;AAAA,EAC1B,MAAA;AAAA,IACE,SAAA,CAAU,GAAA,CAAI,CAAA,CAAA,KAAK,WAAA,CAAA,EAAA,EAAgB,EAAE,IAAI,CAAA,EAAA,EAAK,CAAA,CAAE,QAAA,CAAS,SAAS,CAAA,CAAA,EAAI,CAAA,CAAE,QAAA,CAAS,IAAI,CAAA,CAAA,CAAG;AAAA,GAC1F,CAAE,KAAA,CAAM,IAAA,CAAK,IAAI,CAAC;AACpB,CAAA;AAEA,IAAO,iCAAQ,OAAA,CAAQ;AAAA,EACrB,YAAY,WAAA,CAAY,OAAA;AAAA,EAExB,YAAY,CAAC,iBAAA,CAAkB,WAAA,CAAY,OAAA,CAAQ,UAAU,CAAC,CAAA;AAAA,EAE9D,MAAA,EAAQ;AAAA,IACN,KAAA,EAAO;AAAA,MACL,IAAA,EAAM;AAAA,QACJ,KAAA,EAAO;AAAA,OACT;AAAA,MACA,OAAA,EAAS;AAAA,QACP;AAAA,UACE,IAAA,EAAM,UAAA;AAAA,UACN,OAAA,EAAS,IAAA;AAAA;AAAA;AAAA,YAAA,EAGL,aAAa;AAAA,UAAA;AAAA,SAEnB;AAAA,QACA;AAAA,UACE,IAAA,EAAM,UAAA;AAAA,UACN,OAAA,EAAS,IAAA;AAAA;AAAA,UAAA;AAAA,SAGX;AAAA,QACA;AAAA,UACE,IAAA,EAAM,MAAA;AAAA,UACN,IAAA,EAAM,cAAA,CAAe,YAAA,EAAc,WAAA,CAAY,QAAQ,UAAA,EAAY;AAAA,YACjE,WAAA,EAAa,WAAA;AAAA,YACb,QAAA,EAAU;AAAA,WACX;AAAA,SACH;AAAA,QACA;AAAA,UACE,IAAA,EAAM,UAAA;AAAA,UACN,OAAA,EAAS,MAAA;AAAA,YACP,WAAA;AAAA;;AAAA;AAAA,cAAA,EAII,WAAA,CAAY,QAAQ,UAAU;AAAA;AAAA,YAAA,CAAA,CAEhC,MAAM,eAAe;AAAA;AACzB,SACF;AAAA,QACA;AAAA,UACE,IAAA,EAAM,UAAA;AAAA,UACN,OAAA,EAAS;AAAA;AACX;AACF;AACF;AAEJ,CAAC","file":"index.js","sourcesContent":["import { text, trimIndentation } from \"@highstate/contract\"\nimport { k8s } from \"@highstate/library\"\nimport { fileFromString, forUnit, interpolate, output, secret, toPromise } from \"@highstate/pulumi\"\nimport { join } from \"remeda\"\nimport { createK8sTerminal } from \"../../cluster\"\nimport { ConfigMap } from \"../../config-map\"\nimport { Deployment } from \"../../deployment\"\nimport { Namespace } from \"../../namespace\"\nimport { PersistentVolumeClaim } from \"../../pvc\"\nimport { ClusterAccessScope } from \"../../rbac\"\nimport { Secret } from \"../../secret\"\nimport { Service } from \"../../service\"\nimport { StatefulSet } from \"../../stateful-set\"\n\nconst { name, args, inputs, outputs } = forUnit(k8s.reducedAccessCluster)\n\nconst resolvedInputs = await toPromise(inputs)\n\nconst resources = [\n ...resolvedInputs.deployments.map(r => Deployment.for(r, inputs.k8sCluster)),\n ...resolvedInputs.statefulSets.map(r => StatefulSet.for(r, inputs.k8sCluster)),\n ...resolvedInputs.services.map(r => Service.for(r, inputs.k8sCluster)),\n ...resolvedInputs.persistentVolumeClaims.map(r =>\n PersistentVolumeClaim.for(r, inputs.k8sCluster),\n ),\n ...resolvedInputs.secrets.map(r => Secret.for(r, inputs.k8sCluster)),\n ...resolvedInputs.configMaps.map(r => ConfigMap.for(r, inputs.k8sCluster)),\n]\n\nconst accessScope = await ClusterAccessScope.forResources(args.serviceAccountName ?? name, {\n namespace: Namespace.for(resolvedInputs.namespace, inputs.k8sCluster),\n verbs: args.verbs,\n resources,\n})\n\nconst resourceLines = await toPromise(\n output(\n resources.map(r => interpolate`- ${r.kind} \"${r.metadata.namespace}/${r.metadata.name}\"`),\n ).apply(join(\"\\n\")),\n)\n\nexport default outputs({\n k8sCluster: accessScope.cluster,\n\n $terminals: [createK8sTerminal(accessScope.cluster.kubeconfig)],\n\n $pages: {\n index: {\n meta: {\n title: \"Reduced Access Cluster\",\n },\n content: [\n {\n type: \"markdown\",\n content: text`\n The access to this cluster was reduced to the following resources:\n \n ${resourceLines}\n `,\n },\n {\n type: \"markdown\",\n content: text`\n You can access these resources using the following kubeconfig:\n `,\n },\n {\n type: \"file\",\n file: fileFromString(\"kubeconfig\", accessScope.cluster.kubeconfig, {\n contentType: \"text/yaml\",\n isSecret: true,\n }),\n },\n {\n type: \"markdown\",\n content: secret(\n interpolate`\n You can also copy the following content of the kubeconfig file:\n\n \\`\\`\\`yaml\n ${accessScope.cluster.kubeconfig}\n \\`\\`\\`\n `.apply(trimIndentation),\n ),\n },\n {\n type: \"markdown\",\n content: \"You can also use terminal to verify the access to the resources.\",\n },\n ],\n },\n },\n})\n"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/k8s",
-  "version": "0.9.26",
+  "version": "0.9.28",
   "type": "module",
   "files": [
     "dist",
@@ -35,6 +35,10 @@
       "./units/gateway-api": {
         "mode": "manual",
         "version": "1"
+      },
+      "./units/reduced-access-cluster": {
+        "mode": "manual",
+        "version": "1"
       }
     }
   },
@@ -49,6 +53,7 @@
     "./units/dns01-issuer": "./dist/units/dns01-issuer/index.js",
     "./units/existing-cluster": "./dist/units/existing-cluster/index.js",
     "./units/gateway-api": "./dist/units/gateway-api/index.js",
+    "./units/reduced-access-cluster": "./dist/units/reduced-access-cluster/index.js",
     "./impl/gateway-route": "./dist/impl/gateway-route.js",
     "./impl/tls-certificate": "./dist/impl/tls-certificate.js"
   },
@@ -65,12 +70,12 @@
     "biome:check": "biome check --error-on-warnings"
   },
   "dependencies": {
-    "@highstate/cert-manager": "^0.9.26",
-    "@highstate/common": "^0.9.26",
-    "@highstate/contract": "^0.9.26",
-    "@highstate/gateway-api": "^0.9.26",
-    "@highstate/library": "^0.9.26",
-    "@highstate/pulumi": "^0.9.26",
+    "@highstate/cert-manager": "^0.9.28",
+    "@highstate/common": "^0.9.28",
+    "@highstate/contract": "^0.9.28",
+    "@highstate/gateway-api": "^0.9.28",
+    "@highstate/library": "^0.9.28",
+    "@highstate/pulumi": "^0.9.28",
     "@kubernetes/client-node": "^1.1.0",
     "@pulumi/command": "^1.0.2",
     "@pulumi/kubernetes": "^4.18.0",
@@ -80,13 +85,14 @@
     "glob": "^11.0.1",
     "nano-spawn": "^0.2.0",
     "pkg-types": "^2.1.0",
-    "remeda": "^2.21.0"
+    "remeda": "^2.21.0",
+    "yaml": "^2.8.1"
   },
   "devDependencies": {
     "@biomejs/biome": "2.2.0",
-    "@highstate/cli": "^0.9.26",
+    "@highstate/cli": "^0.9.28",
     "@typescript/native-preview": "^7.0.0-dev.20250920.1",
     "type-fest": "^4.41.0"
   },
-  "gitHead": "64e8a656a17dfcce88727c24969f9a3b73539ac9"
+  "gitHead": "6de09d98fa66e808c42aba7fe65e6e0762945b9b"
 }

package/src/rbac.ts CHANGED Viewed

@@ -14,6 +14,7 @@ import {
 import { KubeConfig } from "@kubernetes/client-node"
 import { core, rbac, type types } from "@pulumi/kubernetes"
 import { map, unique } from "remeda"
+import { stringify } from "yaml"
 import { Secret } from "./secret"
 import { getNamespaceName, getProvider, type NamespaceLike, type ScopedResource } from "./shared"
@@ -58,6 +59,30 @@ export type ClusterAccessScopeArgs = {
   clusterWide?: boolean
 }
+export type ClusterAccessScopeForResourcesArgs = {
+  /**
+   * The namespace to locate the `ServiceAccount` in.
+   */
+  namespace: Input<Namespace>
+  /**
+   * The verbs to allow on the resources.
+   */
+  verbs: string[]
+  /**
+   * The resources to allow verbs on.
+   */
+  resources: InputArray<ScopedResource>
+  /**
+   * Whether to allow access on the whole collection rather than specific resources.
+   *
+   * The provided resources in this case will be used to determine the types and api groups only.
+   */
+  collectionAccess?: boolean
+}
 export class ClusterAccessScope extends ComponentResource {
   /**
    * The cluster entity with the reduced access.
@@ -164,7 +189,7 @@ export class ClusterAccessScope extends ComponentResource {
       return {
         ...cluster,
-        kubeconfig: config.exportConfig(),
+        kubeconfig: stringify(JSON.parse(config.exportConfig())),
       }
     })
   }
@@ -180,11 +205,11 @@ export class ClusterAccessScope extends ComponentResource {
    */
   static async forResources(
     name: string,
-    resources: InputArray<ScopedResource>,
-    verbs: string[],
+    args: ClusterAccessScopeForResourcesArgs,
+    opts?: ComponentResourceOptions,
   ): Promise<ClusterAccessScope> {
     const resolved = await toPromise(
-      output(resources).apply(resources =>
+      output(args.resources).apply(resources =>
         resources.map(r => ({
           namespaceId: r.namespace.metadata.uid,
           namespace: r.namespace,
@@ -199,20 +224,50 @@ export class ClusterAccessScope extends ComponentResource {
       throw new Error("No resources provided to forResources.")
     }
-    // verify all resources belong to the same namespace
-    if (unique(resolved.map(r => r.namespaceId)).length !== 1) {
+    if (unique(resolved.map(r => r.namespaceId)).length > 1) {
       throw new Error("All resources must belong to the same namespace.")
     }
-    return new ClusterAccessScope(name, {
-      namespace: resolved[0].namespace,
-      rules: resolved.map(r => ({
-        apiGroups: r.apiVersion === "v1" ? [""] : [r.apiVersion.split("/")[0]],
-        resources: [r.kind.toLowerCase() + (r.metadata?.name ? "s" : "")],
-        // TODO: critical
-        // resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,
-        verbs,
-      })),
-    })
+    const saNamespaceId = await toPromise(output(args.namespace).metadata.uid)
+    if (resolved[0].namespaceId !== saNamespaceId) {
+      throw new Error("The resources must belong to the same namespace as the ServiceAccount.")
+    }
+    if (args.collectionAccess) {
+      // when collection access is requested, we only need to know the types and api groups
+      const uniqueTypes = unique(resolved.map(r => `${r.apiVersion}::${r.kind}`))
+      return new ClusterAccessScope(
+        name,
+        {
+          namespace: args.namespace,
+          rules: uniqueTypes.map(t => {
+            const [apiVersion, kind] = t.split("::")
+            return {
+              apiGroups: apiVersion === "v1" ? [""] : [apiVersion.split("/")[0]],
+              resources: [`${kind.toLowerCase()}s`],
+              verbs: args.verbs,
+            }
+          }),
+        },
+        opts,
+      )
+    }
+    return new ClusterAccessScope(
+      name,
+      {
+        namespace: args.namespace,
+        rules: resolved.map(r => ({
+          apiGroups: r.apiVersion === "v1" ? [""] : [r.apiVersion.split("/")[0]],
+          resources: [r.kind.toLowerCase() + (r.metadata?.name ? "s" : "")],
+          resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,
+          verbs: args.verbs,
+        })),
+      },
+      opts,
+    )
   }
 }

package/src/units/reduced-access-cluster/index.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { text, trimIndentation } from "@highstate/contract"
+import { k8s } from "@highstate/library"
+import { fileFromString, forUnit, interpolate, output, secret, toPromise } from "@highstate/pulumi"
+import { join } from "remeda"
+import { createK8sTerminal } from "../../cluster"
+import { ConfigMap } from "../../config-map"
+import { Deployment } from "../../deployment"
+import { Namespace } from "../../namespace"
+import { PersistentVolumeClaim } from "../../pvc"
+import { ClusterAccessScope } from "../../rbac"
+import { Secret } from "../../secret"
+import { Service } from "../../service"
+import { StatefulSet } from "../../stateful-set"
+const { name, args, inputs, outputs } = forUnit(k8s.reducedAccessCluster)
+const resolvedInputs = await toPromise(inputs)
+const resources = [
+  ...resolvedInputs.deployments.map(r => Deployment.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.statefulSets.map(r => StatefulSet.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.services.map(r => Service.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.persistentVolumeClaims.map(r =>
+    PersistentVolumeClaim.for(r, inputs.k8sCluster),
+  ),
+  ...resolvedInputs.secrets.map(r => Secret.for(r, inputs.k8sCluster)),
+  ...resolvedInputs.configMaps.map(r => ConfigMap.for(r, inputs.k8sCluster)),
+]
+const accessScope = await ClusterAccessScope.forResources(args.serviceAccountName ?? name, {
+  namespace: Namespace.for(resolvedInputs.namespace, inputs.k8sCluster),
+  verbs: args.verbs,
+  resources,
+})
+const resourceLines = await toPromise(
+  output(
+    resources.map(r => interpolate`- ${r.kind} "${r.metadata.namespace}/${r.metadata.name}"`),
+  ).apply(join("\n")),
+)
+export default outputs({
+  k8sCluster: accessScope.cluster,
+  $terminals: [createK8sTerminal(accessScope.cluster.kubeconfig)],
+  $pages: {
+    index: {
+      meta: {
+        title: "Reduced Access Cluster",
+      },
+      content: [
+        {
+          type: "markdown",
+          content: text`
+            The access to this cluster was reduced to the following resources:
+            ${resourceLines}
+          `,
+        },
+        {
+          type: "markdown",
+          content: text`
+            You can access these resources using the following kubeconfig:
+          `,
+        },
+        {
+          type: "file",
+          file: fileFromString("kubeconfig", accessScope.cluster.kubeconfig, {
+            contentType: "text/yaml",
+            isSecret: true,
+          }),
+        },
+        {
+          type: "markdown",
+          content: secret(
+            interpolate`
+              You can also copy the following content of the kubeconfig file:
+              \`\`\`yaml
+              ${accessScope.cluster.kubeconfig}
+              \`\`\`
+            `.apply(trimIndentation),
+          ),
+        },
+        {
+          type: "markdown",
+          content: "You can also use terminal to verify the access to the resources.",
+        },
+      ],
+    },
+  },
+})

package/src/worker.ts CHANGED Viewed

@@ -1,18 +1,21 @@
 import type { UnitWorker } from "@highstate/contract"
 import type { k8s } from "@highstate/library"
-import type { DeepInput, InputArray, Unwrap } from "@highstate/pulumi"
+import type { DeepInput, Input, InputArray, Unwrap } from "@highstate/pulumi"
+import type { Namespace } from "./namespace"
 import { type Output, output } from "@pulumi/pulumi"
 import { ClusterAccessScope } from "./rbac"
 import { images, type ScopedResource } from "./shared"
 export async function createMonitorWorker(
+  namespace: Input<Namespace>,
   resources: InputArray<ScopedResource>,
 ): Promise<Output<Unwrap<UnitWorker>>> {
-  const scope = await ClusterAccessScope.forResources("monitor", resources, [
-    "get",
-    "list",
-    "watch",
-  ])
+  const scope = await ClusterAccessScope.forResources("monitor", {
+    namespace,
+    resources,
+    verbs: ["get", "list", "watch"],
+    collectionAccess: true,
+  })
   return output({
     name: "monitor",