@jmruthers/pace-core 0.5.136 → 0.5.137

package/src/utils/security.ts

@@ -0,0 +1,156 @@
+
+import type { SupabaseClient } from '@supabase/supabase-js';
+
+export interface SecurityEvent {
+  type: string;
+  timestamp: Date;
+  userId?: string;
+  details: Record<string, unknown>;
+}
+
+export function logSecurityEvent(event: SecurityEvent): void {
+  // In production, this should log to your security monitoring system
+  // For now, we'll log to console.warn for testing purposes
+  console.warn('[SECURITY EVENT]', {
+    ...event,
+    timestamp: event.timestamp.toISOString()
+  });
+}
+
+export function validateUserSession(userId: string, sessionToken?: string): Promise<boolean> {
+  // Mock implementation - replace with actual session validation
+  if (!userId || typeof userId !== 'string') {
+    logSecurityEvent({
+      type: 'invalid_session_validation',
+      timestamp: new Date(),
+      details: { reason: 'Invalid userId provided' }
+    });
+    return Promise.resolve(false);
+  }
+  
+  if (sessionToken && sessionToken.length < 10) {
+    logSecurityEvent({
+      type: 'suspicious_session_token',
+      timestamp: new Date(),
+      userId,
+      details: { reason: 'Session token too short' }
+    });
+    return Promise.resolve(false);
+  }
+  
+  return Promise.resolve(true);
+}
+
+export function createSecureSession(
+  _supabaseClient: SupabaseClient,
+  sessionData: { userId: string; deviceFingerprint?: string }
+): Promise<string> {
+  // Mock implementation - in production, create actual secure session
+  const sessionId = `sess_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  
+  logSecurityEvent({
+    type: 'session_created',
+    timestamp: new Date(),
+    userId: sessionData.userId,
+    details: { 
+      sessionId,
+      hasDeviceFingerprint: !!sessionData.deviceFingerprint
+    }
+  });
+  
+  return Promise.resolve(sessionId);
+}
+
+export function invalidateSession(
+  _supabaseClient: SupabaseClient,
+  sessionId: string
+): Promise<void> {
+  // Mock implementation - in production, invalidate actual session
+  logSecurityEvent({
+    type: 'session_invalidated',
+    timestamp: new Date(),
+    details: { sessionId }
+  });
+  
+  return Promise.resolve();
+}
+
+export function getSecurityHeaders(): Record<string, string> {
+  return {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'DENY',
+    'X-XSS-Protection': '1; mode=block',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
+  };
+}
+
+export function validateSecurityHeaders(headers: Record<string, string>): boolean {
+  const requiredHeaders = ['X-Content-Type-Options', 'X-Frame-Options'];
+  const missingHeaders = requiredHeaders.filter(header => !headers[header]);
+  
+  if (missingHeaders.length > 0) {
+    logSecurityEvent({
+      type: 'missing_security_headers',
+      timestamp: new Date(),
+      details: { missingHeaders }
+    });
+    return false;
+  }
+  
+  return true;
+}
+
+export function generateDeviceFingerprint(): string {
+  // Basic device fingerprinting - in production, use more sophisticated methods
+  const canvas = document.createElement('canvas');
+  const ctx = canvas.getContext('2d');
+  if (ctx) {
+    ctx.textBaseline = 'top';
+    ctx.font = '14px Arial';
+    ctx.fillText('Device fingerprint', 2, 2);
+  }
+  
+  const fingerprint = [
+    navigator.userAgent,
+    navigator.language,
+    screen.width + 'x' + screen.height,
+    new Date().getTimezoneOffset(),
+    canvas.toDataURL()
+  ].join('|');
+  
+  // Simple hash function for demonstration
+  let hash = 0;
+  for (let i = 0; i < fingerprint.length; i++) {
+    const char = fingerprint.charCodeAt(i);
+    hash = ((hash << 5) - hash) + char;
+    hash = hash & hash; // Convert to 32-bit integer
+  }
+  
+  return Math.abs(hash).toString(16);
+}
+
+export function validateDeviceFingerprint(fingerprint: string, expectedFingerprint?: string): boolean {
+  if (!fingerprint || typeof fingerprint !== 'string') {
+    logSecurityEvent({
+      type: 'invalid_device_fingerprint',
+      timestamp: new Date(),
+      details: { reason: 'Invalid fingerprint format' }
+    });
+    return false;
+  }
+  
+  if (expectedFingerprint && fingerprint !== expectedFingerprint) {
+    logSecurityEvent({
+      type: 'device_fingerprint_mismatch',
+      timestamp: new Date(),
+      details: { 
+        provided: fingerprint,
+        expected: expectedFingerprint
+      }
+    });
+    return false;
+  }
+  
+  return true;
+}

package/src/utils/securityMonitor.ts

@@ -0,0 +1,45 @@
+
+interface SecurityEvent {
+  id?: string;
+  action: string;
+  details: Record<string, any>;
+  timestamp?: number;
+}
+
+interface SecurityAlert {
+  id: string;
+  type: string;
+  message: string;
+  timestamp: Date;
+}
+
+class SecurityMonitor {
+  private events: SecurityEvent[] = [];
+
+  logEvent(event: SecurityEvent) {
+    const eventWithId = {
+      ...event,
+      id: Math.random().toString(36).substr(2, 9),
+      timestamp: Date.now()
+    };
+    this.events.push(eventWithId);
+  }
+
+  getEvents(): SecurityEvent[] {
+    return [...this.events];
+  }
+
+  clearEvents() {
+    this.events = [];
+  }
+
+  createAlert(alert: Omit<SecurityAlert, 'id' | 'timestamp'>): SecurityAlert {
+    return {
+      ...alert,
+      id: Math.random().toString(36).substr(2, 9),
+      timestamp: new Date()
+    };
+  }
+}
+
+export const securityMonitor = new SecurityMonitor();

package/src/utils/sessionTracking.ts

@@ -0,0 +1,126 @@
+import type { SupabaseClient } from '@supabase/supabase-js';
+
+// Define the tracking parameters locally since old RBAC types are removed
+interface TrackUserSessionParams {
+  p_session_type: 'event_switch' | 'session_expired';
+  p_event_id?: string;
+  p_app_id?: string;
+  ip_address?: string;
+  user_agent?: string;
+}
+
+/**
+ * Hook for manual session tracking (event switches and session expiration).
+ * 
+ * Note: Login and logout tracking is automatically handled by UnifiedAuthProvider.
+ * You should only use this hook for tracking event switches or session expirations.
+ * 
+ * @param supabaseClient - Supabase client instance
+ * @param appName - Optional application name for tracking
+ * @returns Object containing tracking functions for event switches and session expiration
+ */
+export function useSessionTracking(supabaseClient: SupabaseClient, appName?: string) {
+  // Resolve app name to app_id
+  const resolveAppId = async (): Promise<string | undefined> => {
+    if (!appName) return undefined;
+    
+    try {
+      const { data, error } = await supabaseClient
+        .from('rbac_apps')
+        .select('id')
+        .eq('name', appName)
+        .eq('is_active', true)
+        .single();
+      
+      if (error || !data) {
+        console.warn('App not found or inactive:', appName);
+        return undefined;
+      }
+      
+      return data.id;
+    } catch (error) {
+      console.error('Failed to resolve app ID:', error);
+      return undefined;
+    }
+  };
+  /**
+   * Track an event switch
+   * @param eventId - ID of the event being switched to
+   */
+  const trackEventSwitch = async (eventId: string) => {
+    try {
+      const { data: { user } } = await supabaseClient.auth.getUser();
+      if (!user) {
+        console.warn('No authenticated user found for session tracking');
+        return;
+      }
+
+      const appId = await resolveAppId();
+
+      const params: TrackUserSessionParams = {
+        p_session_type: 'event_switch',
+        p_event_id: eventId,
+        p_app_id: appId
+      };
+
+      const { error } = await supabaseClient.rpc('rbac_session_track', {
+        p_user_id: user?.id,
+        p_session_type: params.p_session_type,
+        p_event_id: params.p_event_id,
+        p_app_id: params.p_app_id,
+        p_ip_address: params.ip_address,
+        p_user_agent: params.user_agent
+      });
+      
+      if (error) {
+        console.error('Failed to track event switch session:', error);
+      } else {
+        console.log('Event switch session tracked successfully');
+      }
+    } catch (error) {
+      console.error('Failed to track event switch:', error);
+    }
+  };
+
+  /**
+   * Track a session expiration
+   */
+  const trackSessionExpired = async () => {
+    try {
+      const { data: { user } } = await supabaseClient.auth.getUser();
+      if (!user) {
+        console.warn('No authenticated user found for session tracking');
+        return;
+      }
+
+      const appId = await resolveAppId();
+
+      const params: TrackUserSessionParams = {
+        p_session_type: 'session_expired',
+        p_app_id: appId
+      };
+
+      const { error } = await supabaseClient.rpc('rbac_session_track', {
+        p_user_id: user?.id,
+        p_session_type: params.p_session_type,
+        p_event_id: params.p_event_id,
+        p_app_id: params.p_app_id,
+        p_ip_address: params.ip_address,
+        p_user_agent: params.user_agent
+      });
+      
+      if (error) {
+        console.error('Failed to track session expiration:', error);
+      } else {
+        console.log('Session expiration tracked successfully');
+      }
+    } catch (error) {
+      console.error('Failed to track session expiration:', error);
+    }
+  };
+
+  return {
+    trackEventSwitch,
+    trackSessionExpired
+  };
+} 

package/src/utils/validation.ts

@@ -0,0 +1,111 @@
+/**
+ * @file Internal utilities for validation module
+ * @internal This file contains implementation details that should not be used directly
+ */
+
+/**
+ * Utility functions for validating data in the application
+ */
+
+/**
+ * Check if a string is a valid email
+ */
+export function isValidEmail(email: string): boolean {
+  const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailPattern.test(email);
+}
+
+/**
+ * Check if a string is empty (either null, undefined, or just whitespace)
+ */
+export function isEmpty(value: string | null | undefined): boolean {
+  return value === null || value === undefined || value.trim() === '';
+}
+
+/**
+ * Check if a password meets minimum requirements
+ */
+export function isStrongPassword(password: string): boolean {
+  // Minimum 8 characters, at least one uppercase, one lowercase, one number
+  const passwordPattern = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/;
+  return passwordPattern.test(password);
+}
+
+/**
+ * Check if a URL is valid
+ */
+export function isValidUrl(url: string): boolean {
+  try {
+    new URL(url);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if a date string is valid
+ */
+export function isValidDate(dateStr: string): boolean {
+  const date = new Date(dateStr);
+  return !isNaN(date.getTime());
+}
+
+/**
+ * Check if a value is within a range
+ */
+export function isWithinRange(value: number, min: number, max: number): boolean {
+  return value >= min && value <= max;
+}
+
+/**
+ * Check if a value matches a specific pattern
+ */
+export function matchesPattern(value: string, pattern: RegExp): boolean {
+  return pattern.test(value);
+}
+
+/**
+ * Utility function to deep merge objects for schema combination
+ * @internal
+ */
+export function deepMerge<T extends Record<string, unknown>>(
+  target: T, 
+  source: Record<string, unknown>
+): T {
+  const output = { ...target };
+  
+  if (isObject(target) && isObject(source)) {
+    Object.keys(source).forEach(key => {
+      if (isObject(source[key])) {
+        if (!(key in target)) {
+          Object.assign(output, { [key]: source[key] });
+        } else {
+          // Use a type assertion to safely handle the indexing
+          const targetKey = key as keyof typeof target;
+          const targetValue = target[targetKey];
+          
+          if (isObject(targetValue)) {
+            // Safe cast using type assertion
+            output[targetKey] = deepMerge(
+              targetValue as Record<string, unknown>,
+              source[key] as Record<string, unknown>
+            ) as unknown as T[keyof T];
+          }
+        }
+      } else {
+        Object.assign(output, { [key]: source[key] });
+      }
+    });
+  }
+  
+  return output as T;
+}
+
+/**
+ * Type guard to check if a value is a plain object
+ * @internal
+ */
+export function isObject(item: unknown): item is Record<string, unknown> {
+  return item !== null && typeof item === 'object' && !Array.isArray(item);
+}

package/src/utils/validationUtils.ts

@@ -0,0 +1,120 @@
+
+/**
+ * @file Validation utilities
+ * 
+ * Shared validation utilities with enhanced security
+ */
+
+import { z } from 'zod';
+import { sanitizeUserInput, sanitizeFormData, type SanitizationOptions } from './sanitization';
+
+/**
+ * Validates user input against a schema with automatic sanitization
+ */
+export function validateUserInput<T>(
+  schema: z.ZodSchema<T>, 
+  data: unknown,
+  sanitizationRules?: Record<string, SanitizationOptions>
+): { success: boolean; data?: T; error?: string } {
+  return sanitizeFormData(data, schema, sanitizationRules);
+}
+
+/**
+ * Sanitizes user input by removing potentially dangerous characters
+ * @deprecated Use sanitizeUserInput from lib/sanitization instead
+ */
+export function sanitizeUserInput_deprecated(input: string): string {
+  // Log deprecation warning
+  console.warn('sanitizeUserInput is deprecated. Use sanitizeUserInput from lib/sanitization instead.');
+  return sanitizeUserInput(input);
+}
+
+/**
+ * Enhanced email validation with sanitization
+ */
+export const emailSchema = z.string()
+  .transform(email => email.toLowerCase().trim())
+  .pipe(z.string().min(1, 'Email is required').email('Invalid email format').max(254, 'Email too long'));
+
+/**
+ * Enhanced password validation
+ */
+export const passwordSchema = z.string()
+  .min(8, 'Password must be at least 8 characters')
+  .max(128, 'Password too long')
+  .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
+  .regex(/[a-z]/, 'Password must contain at least one lowercase letter')
+  .regex(/[0-9]/, 'Password must contain at least one number')
+  .regex(/[^A-Za-z0-9]/, 'Password must contain at least one special character');
+
+/**
+ * Username validation with sanitization
+ */
+export const usernameSchema = z.string()
+  .transform(username => username.toLowerCase().trim())
+  .pipe(z.string().min(3, 'Username must be at least 3 characters').max(30, 'Username too long').regex(/^[a-zA-Z0-9_-]+$/, 'Username can only contain letters, numbers, hyphens, and underscores'));
+
+/**
+ * Name validation with sanitization
+ */
+export const nameSchema = z.string()
+  .min(1, 'Name is required')
+  .max(100, 'Name too long')
+  .refine(name => {
+    // Check for XSS attempts and other invalid patterns
+    const dangerousPatterns = [
+      /<script/i,
+      /<img/i,
+      /on\w+\s*=/i,
+      /javascript:/i,
+      /data:/i,
+      /vbscript:/i
+    ];
+    
+    return !dangerousPatterns.some(pattern => pattern.test(name));
+  }, 'Name contains invalid characters')
+  .transform(name => sanitizeUserInput(name, { 
+    allowHtml: false, 
+    maxLength: 100, 
+    trim: true 
+  }));
+
+/**
+ * Phone number validation with sanitization
+ */
+export const phoneSchema = z.string()
+  .min(10, 'Phone number must be at least 10 digits')
+  .max(20, 'Phone number too long')
+  .regex(/^[\+]?[0-9\s\-\(\)\.]+$/, 'Invalid phone number format')
+  .refine(phone => {
+    // Remove all non-digit characters and check length
+    const digitsOnly = phone.replace(/\D/g, '');
+    return digitsOnly.length >= 10 && digitsOnly.length <= 15;
+  }, 'Phone number must be between 10 and 15 digits');
+
+/**
+ * URL validation with sanitization
+ */
+export const urlSchema = z.string()
+  .min(1, 'URL is required')
+  .max(2048, 'URL too long')
+  .refine(url => {
+    try {
+      const parsed = new URL(url);
+      return ['http:', 'https:'].includes(parsed.protocol);
+    } catch {
+      return false;
+    }
+  }, 'Invalid URL format')
+  .refine(url => {
+    // Additional security checks
+    const dangerousPatterns = [
+      /javascript:/i,
+      /data:/i,
+      /vbscript:/i,
+      /file:/i,
+      /mailto:/i
+    ];
+    
+    return !dangerousPatterns.some(pattern => pattern.test(url));
+  }, 'URL contains invalid protocol');

package/src/validation/index.ts

@@ -4,8 +4,8 @@
  * @module Validation
  * @since 0.1.0
  * 
- * Re-exports all validation utilities and schemas from utils/validation.
- * This module provides a cleaner import path for consumers.
+ * Re-export validation utilities from utils/validation for convenience.
+ * This provides a top-level validation entry point.
  */
 
 export * from '../utils/validation';

package/dist/chunk-444EZN6N.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/utils/security/secureStorage.ts"],"sourcesContent":["\n/**\n * @file Secure Storage Utilities\n * @description Encrypted storage wrapper for sensitive data\n */\n\nexport interface SecureStorageOptions {\n  encrypt?: boolean;\n  expiry?: number; // TTL in milliseconds\n}\n\n/**\n * Secure storage implementation with encryption support\n */\nclass SecureStorageImpl {\n  private encryptionKey: CryptoKey | null = null;\n  private initialized = false;\n\n  /**\n   * Initialize secure storage with encryption\n   */\n  async init(): Promise<void> {\n    if (this.initialized) return;\n\n    try {\n      // Check if Web Crypto API is available\n      if (window.crypto && window.crypto.subtle) {\n        // Generate or retrieve encryption key\n        const keyData = localStorage.getItem('_sec_key');\n        if (keyData) {\n          try {\n            const keyBuffer = this.base64ToArrayBuffer(keyData);\n            this.encryptionKey = await window.crypto.subtle.importKey(\n              'raw',\n              keyBuffer,\n              { name: 'AES-GCM' },\n              false,\n              ['encrypt', 'decrypt']\n            );\n          } catch (error) {\n            await this.generateNewKey();\n          }\n        } else {\n          await this.generateNewKey();\n        }\n      }\n      this.initialized = true;\n    } catch (error) {\n      this.initialized = true;\n    }\n  }\n\n  /**\n   * Store item securely\n   */\n  async setItem(\n    key: string,\n    value: string,\n    options: SecureStorageOptions = {}\n  ): Promise<void> {\n    await this.init();\n\n    const data = {\n      value,\n      timestamp: Date.now(),\n      expiry: options.expiry ? Date.now() + options.expiry : undefined,\n    };\n\n    const serialized = JSON.stringify(data);\n    \n    if (options.encrypt && this.encryptionKey) {\n      try {\n        const encrypted = await this.encrypt(serialized);\n        localStorage.setItem(`_sec_${key}`, encrypted);\n        return;\n      } catch (error) {\n        // Silent fail - store as plain text\n      }\n    }\n\n    localStorage.setItem(key, serialized);\n  }\n\n  /**\n   * Retrieve item securely\n   */\n  async getItem(key: string): Promise<string | null> {\n    await this.init();\n\n    // Try encrypted storage first\n    const encryptedData = localStorage.getItem(`_sec_${key}`);\n    if (encryptedData && this.encryptionKey) {\n      try {\n        const decrypted = await this.decrypt(encryptedData);\n        const parsed = JSON.parse(decrypted);\n        \n        // Check expiry\n        if (parsed.expiry && Date.now() > parsed.expiry) {\n          await this.removeItem(key);\n          return null;\n        }\n        \n        return parsed.value;\n      } catch (error) {\n        // Silent fail - try plain storage\n      }\n    }\n\n    // Fallback to plain storage\n    const plainData = localStorage.getItem(key);\n    if (!plainData) return null;\n\n    try {\n      const parsed = JSON.parse(plainData);\n      \n      // Check expiry\n      if (parsed.expiry && Date.now() > parsed.expiry) {\n        await this.removeItem(key);\n        return null;\n      }\n      \n      return parsed.value || plainData;\n    } catch (error) {\n      // If parsing fails, return as-is (backward compatibility)\n      return plainData;\n    }\n  }\n\n  /**\n   * Remove item\n   */\n  async removeItem(key: string): Promise<void> {\n    localStorage.removeItem(key);\n    localStorage.removeItem(`_sec_${key}`);\n  }\n\n  /**\n   * Clear all secure storage\n   */\n  async clear(): Promise<void> {\n    const keys = Object.keys(localStorage);\n    for (const key of keys) {\n      if (key.startsWith('_sec_')) {\n        localStorage.removeItem(key);\n      }\n    }\n  }\n\n  /**\n   * Generate new encryption key\n   */\n  private async generateNewKey(): Promise<void> {\n    if (!window.crypto?.subtle) return;\n\n    try {\n      this.encryptionKey = await window.crypto.subtle.generateKey(\n        { name: 'AES-GCM', length: 256 },\n        true,\n        ['encrypt', 'decrypt']\n      );\n\n      // Export and store key\n      const exportedKey = await window.crypto.subtle.exportKey('raw', this.encryptionKey);\n      const keyData = this.arrayBufferToBase64(exportedKey);\n      localStorage.setItem('_sec_key', keyData);\n    } catch (error) {\n      // Silent fail - encryption not available\n    }\n  }\n\n  /**\n   * Encrypt data\n   */\n  private async encrypt(data: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Encryption not available');\n    }\n\n    const encoder = new TextEncoder();\n    const dataBuffer = encoder.encode(data);\n    const iv = window.crypto.getRandomValues(new Uint8Array(12));\n\n    const encrypted = await window.crypto.subtle.encrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      dataBuffer\n    );\n\n    // Combine IV and encrypted data\n    const combined = new Uint8Array(iv.length + encrypted.byteLength);\n    combined.set(iv);\n    combined.set(new Uint8Array(encrypted), iv.length);\n\n    return this.arrayBufferToBase64(combined.buffer);\n  }\n\n  /**\n   * Decrypt data\n   */\n  private async decrypt(encryptedData: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Decryption not available');\n    }\n\n    const combined = this.base64ToArrayBuffer(encryptedData);\n    const iv = combined.slice(0, 12);\n    const encrypted = combined.slice(12);\n\n    const decrypted = await window.crypto.subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      encrypted\n    );\n\n    const decoder = new TextDecoder();\n    return decoder.decode(decrypted);\n  }\n\n  /**\n   * Convert ArrayBuffer to base64\n   */\n  private arrayBufferToBase64(buffer: ArrayBuffer): string {\n    const bytes = new Uint8Array(buffer);\n    let binary = '';\n    for (let i = 0; i < bytes.byteLength; i++) {\n      binary += String.fromCharCode(bytes[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Convert base64 to ArrayBuffer\n   */\n  private base64ToArrayBuffer(base64: string): ArrayBuffer {\n    const binary = atob(base64);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i < binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return bytes.buffer;\n  }\n}\n\nexport const secureStorage = new SecureStorageImpl();\n"],"mappings":";;;;;AAAA,IAcM,mBAqOO;AAnPb;AAAA;AAAA;AAcA,IAAM,oBAAN,MAAwB;AAAA,MAAxB;AACE,aAAQ,gBAAkC;AAC1C,aAAQ,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA,MAKtB,MAAM,OAAsB;AAC1B,YAAI,KAAK,YAAa;AAEtB,YAAI;AAEF,cAAI,OAAO,UAAU,OAAO,OAAO,QAAQ;AAEzC,kBAAM,UAAU,aAAa,QAAQ,UAAU;AAC/C,gBAAI,SAAS;AACX,kBAAI;AACF,sBAAM,YAAY,KAAK,oBAAoB,OAAO;AAClD,qBAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,kBAC9C;AAAA,kBACA;AAAA,kBACA,EAAE,MAAM,UAAU;AAAA,kBAClB;AAAA,kBACA,CAAC,WAAW,SAAS;AAAA,gBACvB;AAAA,cACF,SAAS,OAAO;AACd,sBAAM,KAAK,eAAe;AAAA,cAC5B;AAAA,YACF,OAAO;AACL,oBAAM,KAAK,eAAe;AAAA,YAC5B;AAAA,UACF;AACA,eAAK,cAAc;AAAA,QACrB,SAAS,OAAO;AACd,eAAK,cAAc;AAAA,QACrB;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,QACJ,KACA,OACA,UAAgC,CAAC,GAClB;AACf,cAAM,KAAK,KAAK;AAEhB,cAAM,OAAO;AAAA,UACX;AAAA,UACA,WAAW,KAAK,IAAI;AAAA,UACpB,QAAQ,QAAQ,SAAS,KAAK,IAAI,IAAI,QAAQ,SAAS;AAAA,QACzD;AAEA,cAAM,aAAa,KAAK,UAAU,IAAI;AAEtC,YAAI,QAAQ,WAAW,KAAK,eAAe;AACzC,cAAI;AACF,kBAAM,YAAY,MAAM,KAAK,QAAQ,UAAU;AAC/C,yBAAa,QAAQ,QAAQ,GAAG,IAAI,SAAS;AAC7C;AAAA,UACF,SAAS,OAAO;AAAA,UAEhB;AAAA,QACF;AAEA,qBAAa,QAAQ,KAAK,UAAU;AAAA,MACtC;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,QAAQ,KAAqC;AACjD,cAAM,KAAK,KAAK;AAGhB,cAAM,gBAAgB,aAAa,QAAQ,QAAQ,GAAG,EAAE;AACxD,YAAI,iBAAiB,KAAK,eAAe;AACvC,cAAI;AACF,kBAAM,YAAY,MAAM,KAAK,QAAQ,aAAa;AAClD,kBAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,gBAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,oBAAM,KAAK,WAAW,GAAG;AACzB,qBAAO;AAAA,YACT;AAEA,mBAAO,OAAO;AAAA,UAChB,SAAS,OAAO;AAAA,UAEhB;AAAA,QACF;AAGA,cAAM,YAAY,aAAa,QAAQ,GAAG;AAC1C,YAAI,CAAC,UAAW,QAAO;AAEvB,YAAI;AACF,gBAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,cAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,kBAAM,KAAK,WAAW,GAAG;AACzB,mBAAO;AAAA,UACT;AAEA,iBAAO,OAAO,SAAS;AAAA,QACzB,SAAS,OAAO;AAEd,iBAAO;AAAA,QACT;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,WAAW,KAA4B;AAC3C,qBAAa,WAAW,GAAG;AAC3B,qBAAa,WAAW,QAAQ,GAAG,EAAE;AAAA,MACvC;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,QAAuB;AAC3B,cAAM,OAAO,OAAO,KAAK,YAAY;AACrC,mBAAW,OAAO,MAAM;AACtB,cAAI,IAAI,WAAW,OAAO,GAAG;AAC3B,yBAAa,WAAW,GAAG;AAAA,UAC7B;AAAA,QACF;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,iBAAgC;AAC5C,YAAI,CAAC,OAAO,QAAQ,OAAQ;AAE5B,YAAI;AACF,eAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,YAC9C,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,YAC/B;AAAA,YACA,CAAC,WAAW,SAAS;AAAA,UACvB;AAGA,gBAAM,cAAc,MAAM,OAAO,OAAO,OAAO,UAAU,OAAO,KAAK,aAAa;AAClF,gBAAM,UAAU,KAAK,oBAAoB,WAAW;AACpD,uBAAa,QAAQ,YAAY,OAAO;AAAA,QAC1C,SAAS,OAAO;AAAA,QAEhB;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,QAAQ,MAA+B;AACnD,YAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,gBAAM,IAAI,MAAM,0BAA0B;AAAA,QAC5C;AAEA,cAAM,UAAU,IAAI,YAAY;AAChC,cAAM,aAAa,QAAQ,OAAO,IAAI;AACtC,cAAM,KAAK,OAAO,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAE3D,cAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,UAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,UACtB,KAAK;AAAA,UACL;AAAA,QACF;AAGA,cAAM,WAAW,IAAI,WAAW,GAAG,SAAS,UAAU,UAAU;AAChE,iBAAS,IAAI,EAAE;AACf,iBAAS,IAAI,IAAI,WAAW,SAAS,GAAG,GAAG,MAAM;AAEjD,eAAO,KAAK,oBAAoB,SAAS,MAAM;AAAA,MACjD;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,QAAQ,eAAwC;AAC5D,YAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,gBAAM,IAAI,MAAM,0BAA0B;AAAA,QAC5C;AAEA,cAAM,WAAW,KAAK,oBAAoB,aAAa;AACvD,cAAM,KAAK,SAAS,MAAM,GAAG,EAAE;AAC/B,cAAM,YAAY,SAAS,MAAM,EAAE;AAEnC,cAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,UAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,UACtB,KAAK;AAAA,UACL;AAAA,QACF;AAEA,cAAM,UAAU,IAAI,YAAY;AAChC,eAAO,QAAQ,OAAO,SAAS;AAAA,MACjC;AAAA;AAAA;AAAA;AAAA,MAKQ,oBAAoB,QAA6B;AACvD,cAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,YAAI,SAAS;AACb,iBAAS,IAAI,GAAG,IAAI,MAAM,YAAY,KAAK;AACzC,oBAAU,OAAO,aAAa,MAAM,CAAC,CAAC;AAAA,QACxC;AACA,eAAO,KAAK,MAAM;AAAA,MACpB;AAAA;AAAA;AAAA;AAAA,MAKQ,oBAAoB,QAA6B;AACvD,cAAM,SAAS,KAAK,MAAM;AAC1B,cAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,iBAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,gBAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,QAChC;AACA,eAAO,MAAM;AAAA,MACf;AAAA,IACF;AAEO,IAAM,gBAAgB,IAAI,kBAAkB;AAAA;AAAA;","names":[]}