@kingironman2011/better-auth-bsky 0.2.0

package/LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 KingIronMan2011
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,238 @@
+# @kingironman2011/better-auth-bsky
+
+A [better-auth](https://better-auth.com) plugin that adds ATProto / Bluesky OAuth 2.1 authentication using [`@atcute/oauth-node-client`](https://github.com/mary-ext/atcute). Supports DPoP, PAR, and PKCE — the standard way to authenticate ATProto/Bluesky users without app passwords.
+
+## Installation
+
+```bash
+pnpm add @kingironman2011/better-auth-bsky better-auth @atcute/oauth-node-client
+```
+
+## Usage
+
+### Server
+
+```typescript
+import { betterAuth } from "better-auth";
+import { atproto } from "@kingironman2011/better-auth-bsky";
+
+export const auth = betterAuth({
+  // ... your config
+  plugins: [
+    atproto({
+      clientName: "My App",
+    }),
+  ],
+});
+```
+
+### Client
+
+```typescript
+import { createAuthClient } from "better-auth/client";
+import { atprotoClient } from "@kingironman2011/better-auth-bsky/client";
+
+const client = createAuthClient({
+  plugins: [atprotoClient()],
+});
+
+// Sign in — returns { url, redirect: true }
+const { data } = await client.signIn.atproto({
+  handle: "user.bsky.social",
+  callbackURL: "/dashboard",
+});
+window.location.href = data.url;
+
+// Check ATProto session
+const session = await client.atproto.getSession();
+
+// Restore ATProto session (lightweight token refresh check)
+const status = await client.atproto.restore();
+
+// Sign out (revokes ATProto OAuth session)
+await client.atproto.signOut();
+```
+
+## Configuration
+
+```typescript
+atproto({
+  // Required
+  clientName: "My App",
+
+  // Optional — app identity shown during authorization
+  clientUri: "https://myapp.com",
+  logoUri: "https://myapp.com/logo.png",
+  tosUri: "https://myapp.com/tos",
+  policyUri: "https://myapp.com/privacy",
+
+  // Optional — OAuth scopes (default: "atproto")
+  // Accepts a string or array of scope strings (e.g. from @atcute/oauth-types scope builders)
+  // The base "atproto" scope is always included automatically
+  scope: "atproto",
+
+  // Optional — private keys for confidential client mode
+  // If omitted, runs as a public client (shorter token lifetime)
+  keyset: [privateJwk],
+
+  // Optional — block new user creation (existing users can still sign in)
+  disableSignUp: false,
+
+  // Optional — custom profile-to-user field mapping
+  // Called during sign-in to populate user name, email, and image
+  mapProfileToUser: (profile) => ({
+    name: profile.displayName || profile.handle,
+    image: profile.avatar,
+  }),
+
+  // Optional — override endpoint paths
+  clientMetadataPath: "/oauth-client-metadata.json", // default
+  jwksPath: "/.well-known/jwks.json", // default
+  callbackPath: "/atproto/callback", // default
+  signInPath: "/sign-in/atproto", // default
+});
+```
+
+## Public vs Confidential Client
+
+The plugin auto-detects the client type based on whether `keyset` is provided.
+
+|                              | Public              | Confidential           |
+| ---------------------------- | ------------------- | ---------------------- |
+| Config                       | No `keyset`         | `keyset: [privateJwk]` |
+| `token_endpoint_auth_method` | `none`              | `private_key_jwt`      |
+| Max session lifetime         | 14 days             | 180 days               |
+| JWKS endpoint                | Not served          | Serves public keys     |
+| Loopback support             | Yes (auto-detected) | Yes (dev only)         |
+
+### Generating a keypair
+
+```typescript
+import { generateAtprotoKeypair } from "@kingironman2011/better-auth-bsky";
+
+const privateJwk = await generateAtprotoKeypair();
+// Store securely — do NOT commit to version control
+```
+
+## Endpoints
+
+All paths are relative to better-auth's `basePath`.
+
+| Method | Path                          | Purpose                                                       |
+| ------ | ----------------------------- | ------------------------------------------------------------- |
+| GET    | `/oauth-client-metadata.json` | OAuth client metadata document                                |
+| GET    | `/.well-known/jwks.json`      | Public JWKS (confidential mode only)                          |
+| POST   | `/sign-in/atproto`            | Start OAuth flow (`{ handle, callbackURL? }`)                 |
+| GET    | `/atproto/callback`           | OAuth callback (code exchange, profile sync, user management) |
+| GET    | `/atproto/session`            | Current user's ATProto info (DID, handle, PDS)                |
+| POST   | `/atproto/restore`            | Lightweight session check with token refresh                  |
+| POST   | `/atproto/sign-out`           | Revoke ATProto OAuth session                                  |
+
+Additionally, `getAtprotoClient` is a server-only endpoint (not exposed over HTTP). It returns an authenticated `@atcute/client` `Client` and `OAuthSession` for making XRPC calls on behalf of a user:
+
+```typescript
+const { client, session } = await auth.api.getAtprotoClient({
+  body: { did: "did:plc:abc123" },
+  // or: { userId: "user-id" }
+});
+```
+
+### Rate Limiting
+
+The plugin applies rate limits to sensitive endpoints:
+
+- `/sign-in/atproto`: 5 requests per 60 seconds
+- `/atproto/callback`: 10 requests per 60 seconds
+
+## Database Schema
+
+The plugin extends the `user` table and adds two new tables via better-auth's migration system.
+
+**`user` table extensions:**
+
+| Column          | Type   | Notes                            |
+| --------------- | ------ | -------------------------------- |
+| `atprotoDid`    | string | Unique, the user's permanent DID |
+| `atprotoHandle` | string | Current ATProto handle           |
+
+**`atprotoSession`** — persists OAuth sessions for `@atcute/oauth-node-client`:
+
+| Column        | Type   | Notes                                     |
+| ------------- | ------ | ----------------------------------------- |
+| `id`          | string | PK                                        |
+| `did`         | string | Unique, the user's DID                    |
+| `sessionData` | string | JSON blob (DPoP key, tokens, auth method) |
+| `userId`      | string | FK to `user.id` (cascade delete)          |
+| `handle`      | string | ATProto handle (can change)               |
+| `pdsUrl`      | string | User's PDS endpoint                       |
+| `updatedAt`   | date   |                                           |
+
+**`atprotoState`** — temporary OAuth authorization states (~10min TTL):
+
+| Column      | Type   | Notes                                       |
+| ----------- | ------ | ------------------------------------------- |
+| `id`        | string | PK                                          |
+| `stateKey`  | string | Unique, the OAuth state parameter           |
+| `stateData` | string | JSON blob (DPoP key, PKCE verifier, issuer) |
+| `expiresAt` | number | Unix timestamp                              |
+
+## How it Works
+
+1. **Sign-in**: Client POSTs handle to `/sign-in/atproto`. The plugin resolves the handle to a DID, discovers the user's PDS and authorization server, generates PKCE + DPoP keys, sends a PAR request, and returns the authorization URL.
+
+2. **Authorization**: User authorizes at their PDS authorization server (e.g. bsky.social).
+
+3. **Callback**: PDS redirects back to `/atproto/callback`. The plugin exchanges the code for tokens (with DPoP proof), fetches the user's profile (display name, avatar, etc.), then either finds an existing user, links to a currently-logged-in user, or creates a new user. Profile fields are synced to the user record, the ATProto session is persisted, a better-auth session cookie is set, and the user is redirected to the `callbackURL`.
+
+4. **Account linking**: If a user is already signed in via another method and completes the ATProto OAuth flow, their ATProto account is linked to their existing user. This respects better-auth's `account.accountLinking.enabled` configuration.
+
+5. **Session restoration**: On server restart, `oauthClient.restore(did)` rehydrates sessions from the database and handles token refresh automatically. The `/atproto/restore` endpoint exposes this to the client.
+
+6. **Authenticated API calls**: Use `auth.api.getAtprotoClient({ body: { did } })` server-side to get an authenticated `@atcute/client` `Client` for making XRPC calls on behalf of a user.
+
+## Identity Mapping
+
+- **DID** is the permanent identifier, stored as `account.accountId` with `account.providerId = "atproto"`, and on the user record as `atprotoDid`
+- **Email** uses a deterministic placeholder: `{did}@atproto.invalid` (RFC 2606 reserved TLD). Override via `mapProfileToUser` if you have access to the user's email
+- **Handle** is tracked on both `atprotoSession.handle` and `user.atprotoHandle`, and updated on each sign-in
+- **Profile** data (display name, avatar, banner, bio) is fetched on sign-in and mapped to user fields via `mapProfileToUser`
+
+## Exports
+
+### `@kingironman2011/better-auth-bsky` (main)
+
+| Export                      | Type     | Description                                       |
+| --------------------------- | -------- | ------------------------------------------------- |
+| `atproto`                   | function | Server plugin factory                             |
+| `atprotoClient`             | function | Client plugin factory                             |
+| `generateAtprotoKeypair`    | function | Generate ES256 keypair for confidential mode      |
+| `extractPublicJwk`          | function | Extract public JWK from a private JWK             |
+| `fetchAtprotoProfilePublic` | function | Fetch a profile via the Bluesky public API        |
+| `atprotoPlaceholderEmail`   | function | Generate deterministic placeholder email from DID |
+| `DbSessionStore`            | class    | Database-backed OAuth session store               |
+| `DbStateStore`              | class    | Database-backed OAuth state store                 |
+| `atprotoSchema`             | object   | Database schema definition for migrations         |
+| `AtprotoPluginOptions`      | type     | Plugin configuration options                      |
+| `AtprotoProfile`            | type     | Profile data shape from ATProto                   |
+
+### `@kingironman2011/better-auth-bsky/client`
+
+| Export          | Type     | Description           |
+| --------------- | -------- | --------------------- |
+| `atprotoClient` | function | Client plugin factory |
+
+## Development
+
+```bash
+pnpm install
+pnpm run build       # build with tsdown
+pnpm run test        # vitest run
+pnpm run test:watch  # vitest watch
+pnpm run lint        # lint + typecheck + fmt check
+pnpm run demo        # interactive demo with Cloudflare tunnel
+pnpm run demo:local  # demo on localhost only (no tunnel)
+```
+
+## License
+
+[MIT](LICENSE.md)

package/dist/client.d.ts

@@ -0,0 +1,63 @@
+import { t as atproto } from "./server-DO9pjTl1.js";
+
+//#region src/client.d.ts
+declare const atprotoClient: () => {
+  id: "atproto";
+  $InferServerPlugin: ReturnType<typeof atproto>;
+  getActions: ($fetch: import("better-auth/client").BetterFetch) => {
+    signIn: {
+      atproto: (data: {
+        handle: string;
+        callbackURL?: string;
+      }) => Promise<{
+        data: unknown;
+        error: null;
+      } | {
+        data: null;
+        error: {
+          message?: string | undefined;
+          status: number;
+          statusText: string;
+        };
+      }>;
+    };
+    atproto: {
+      getSession: () => Promise<{
+        data: unknown;
+        error: null;
+      } | {
+        data: null;
+        error: {
+          message?: string | undefined;
+          status: number;
+          statusText: string;
+        };
+      }>;
+      restore: () => Promise<{
+        data: unknown;
+        error: null;
+      } | {
+        data: null;
+        error: {
+          message?: string | undefined;
+          status: number;
+          statusText: string;
+        };
+      }>;
+      signOut: () => Promise<{
+        data: unknown;
+        error: null;
+      } | {
+        data: null;
+        error: {
+          message?: string | undefined;
+          status: number;
+          statusText: string;
+        };
+      }>;
+    };
+  };
+};
+//#endregion
+export { atprotoClient };
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","names":[],"sources":["../src/client.ts"],"mappings":";;;cAGa,aAAA;;sBAIiB,UAAA,QAAkB,OAAA;;;;QAGhB,MAAA;QAAgB,WAAA;MAAA,MAAsB,OAAA"}

package/dist/client.js

@@ -0,0 +1,22 @@
+//#region src/client.ts
+const atprotoClient = () => ({
+	id: "atproto",
+	$InferServerPlugin: {},
+	getActions: ($fetch) => ({
+		signIn: { atproto: async (data) => {
+			return $fetch("/sign-in/atproto", {
+				method: "POST",
+				body: data
+			});
+		} },
+		atproto: {
+			getSession: async () => $fetch("/atproto/session", { method: "GET" }),
+			restore: async () => $fetch("/atproto/restore", { method: "POST" }),
+			signOut: async () => $fetch("/atproto/sign-out", { method: "POST" })
+		}
+	})
+});
+//#endregion
+export { atprotoClient };
+
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","names":[],"sources":["../src/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"better-auth/client\";\nimport type { atproto } from \"./server.js\";\n\nexport const atprotoClient = () =>\n  ({\n    id: \"atproto\",\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- required by better-auth plugin inference\n    $InferServerPlugin: {} as ReturnType<typeof atproto>,\n    getActions: ($fetch) => ({\n      signIn: {\n        atproto: async (data: { handle: string; callbackURL?: string }) => {\n          return $fetch(\"/sign-in/atproto\", {\n            method: \"POST\",\n            body: data,\n          });\n        },\n      },\n      atproto: {\n        getSession: async () => $fetch(\"/atproto/session\", { method: \"GET\" }),\n        restore: async () => $fetch(\"/atproto/restore\", { method: \"POST\" }),\n        signOut: async () => $fetch(\"/atproto/sign-out\", { method: \"POST\" }),\n      },\n    }),\n  }) satisfies BetterAuthClientPlugin;\n"],"mappings":";AAGA,MAAa,uBACV;CACC,IAAI;CAEJ,oBAAoB,CAAC;CACrB,aAAa,YAAY;EACvB,QAAQ,EACN,SAAS,OAAO,SAAmD;GACjE,OAAO,OAAO,oBAAoB;IAChC,QAAQ;IACR,MAAM;GACR,CAAC;EACH,EACF;EACA,SAAS;GACP,YAAY,YAAY,OAAO,oBAAoB,EAAE,QAAQ,MAAM,CAAC;GACpE,SAAS,YAAY,OAAO,oBAAoB,EAAE,QAAQ,OAAO,CAAC;GAClE,SAAS,YAAY,OAAO,qBAAqB,EAAE,QAAQ,OAAO,CAAC;EACrE;CACF;AACF"}

package/dist/index.d.ts

@@ -0,0 +1,79 @@
+import { a as AtprotoProfile, i as AtprotoPluginOptions, n as atprotoPlaceholderEmail, o as atprotoSchema, r as fetchAtprotoProfilePublic, t as atproto } from "./server-DO9pjTl1.js";
+import { atprotoClient } from "./client.js";
+import { ClientAssertionPrivateJwk, SessionStore, StateStore, StoredSession, StoredState } from "@atcute/oauth-node-client";
+import { PublicJwk } from "@atcute/oauth-crypto";
+import { Did } from "@atcute/lexicons";
+
+//#region src/key-utils.d.ts
+/**
+ * Generates an ES256 keypair for ATProto confidential client authentication.
+ * The returned JWK includes private key material and should be stored securely.
+ */
+declare function generateAtprotoKeypair(kid?: string): Promise<ClientAssertionPrivateJwk>;
+/**
+ * Extracts the public portion of a JWK by stripping private key fields.
+ * Safe to serve at the JWKS endpoint.
+ */
+declare function extractPublicJwk(privateJwk: ClientAssertionPrivateJwk): PublicJwk;
+//#endregion
+//#region src/stores.d.ts
+/**
+ * A generic better-auth adapter interface matching the subset we need.
+ * This avoids importing better-auth's full type tree.
+ */
+interface DbAdapter {
+  findOne: <T>(data: {
+    model: string;
+    where: {
+      field: string;
+      value: unknown;
+    }[];
+  }) => Promise<T | null>;
+  create: <T>(data: {
+    model: string;
+    data: Record<string, unknown>;
+  }) => Promise<T>;
+  update: <T>(data: {
+    model: string;
+    where: {
+      field: string;
+      value: unknown;
+    }[];
+    update: Record<string, unknown>;
+  }) => Promise<T | null>;
+  delete: (data: {
+    model: string;
+    where: {
+      field: string;
+      value: unknown;
+    }[];
+  }) => Promise<void>;
+  deleteMany: (data: {
+    model: string;
+    where: {
+      field: string;
+      value: unknown;
+    }[];
+  }) => Promise<number>;
+}
+/** Database-backed session store for @atcute/oauth-node-client. */
+declare class DbSessionStore implements SessionStore {
+  private adapter;
+  constructor(adapter: DbAdapter);
+  get(did: Did): Promise<StoredSession | undefined>;
+  set(did: Did, session: StoredSession): Promise<void>;
+  delete(did: Did): Promise<void>;
+  clear(): Promise<void>;
+}
+/** Database-backed state store for @atcute/oauth-node-client. */
+declare class DbStateStore implements StateStore {
+  private adapter;
+  constructor(adapter: DbAdapter);
+  get(stateKey: string): Promise<StoredState | undefined>;
+  set(stateKey: string, state: StoredState): Promise<void>;
+  delete(stateKey: string): Promise<void>;
+  clear(): Promise<void>;
+}
+//#endregion
+export { type AtprotoPluginOptions, type AtprotoProfile, DbSessionStore, DbStateStore, atproto, atprotoClient, atprotoPlaceholderEmail, atprotoSchema, extractPublicJwk, fetchAtprotoProfilePublic, generateAtprotoKeypair };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","names":[],"sources":["../src/key-utils.ts","../src/stores.ts"],"mappings":";;;;;;;;;;;iBAasB,sBAAA,CACpB,GAAA,YACC,OAAO,CAAC,yBAAA;AAFX;;;;AAAA,iBAUgB,gBAAA,CACd,UAAA,EAAY,yBAAA,GACX,SAAS;;;;;;;UCbK,SAAA;EACf,OAAA,MAAa,IAAA;IACX,KAAA;IACA,KAAA;MAAS,KAAA;MAAe,KAAA;IAAA;EAAA,MACpB,OAAA,CAAQ,CAAA;EACd,MAAA,MAAY,IAAA;IACV,KAAA;IACA,IAAA,EAAM,MAAA;EAAA,MACF,OAAA,CAAQ,CAAA;EACd,MAAA,MAAY,IAAA;IACV,KAAA;IACA,KAAA;MAAS,KAAA;MAAe,KAAA;IAAA;IACxB,MAAA,EAAQ,MAAA;EAAA,MACJ,OAAA,CAAQ,CAAA;EACd,MAAA,GAAS,IAAA;IACP,KAAA;IACA,KAAA;MAAS,KAAA;MAAe,KAAA;IAAA;EAAA,MACpB,OAAA;EACN,UAAA,GAAa,IAAA;IACX,KAAA;IACA,KAAA;MAAS,KAAA;MAAe,KAAA;IAAA;EAAA,MACpB,OAAA;AAAA;;cAIK,cAAA,YAA0B,YAAA;EAAA,QACjB,OAAA;cAAA,OAAA,EAAS,SAAA;EAEvB,GAAA,CAAI,GAAA,EAAK,GAAA,GAAM,OAAA,CAAQ,aAAA;EAYvB,GAAA,CAAI,GAAA,EAAK,GAAA,EAAK,OAAA,EAAS,aAAA,GAAgB,OAAA;EA2BvC,MAAA,CAAO,GAAA,EAAK,GAAA,GAAM,OAAA;EAOlB,KAAA,IAAS,OAAA;AAAA;;cAUJ,YAAA,YAAwB,UAAA;EAAA,QACf,OAAA;cAAA,OAAA,EAAS,SAAA;EAEvB,GAAA,CAAI,QAAA,WAAmB,OAAA,CAAQ,WAAA;EAkB/B,GAAA,CAAI,QAAA,UAAkB,KAAA,EAAO,WAAA,GAAc,OAAA;EAY3C,MAAA,CAAO,QAAA,WAAmB,OAAA;EAO1B,KAAA,IAAS,OAAA;AAAA"}

package/dist/index.js

@@ -0,0 +1,32 @@
+import { a as DbStateStore, i as DbSessionStore, n as atprotoPlaceholderEmail, o as atprotoSchema, r as fetchAtprotoProfilePublic, t as atproto } from "./server-DS4UMolW.js";
+import { atprotoClient } from "./client.js";
+import { generateClientAssertionKey } from "@atcute/oauth-node-client";
+//#region src/key-utils.ts
+/** Private key fields to strip when extracting a public JWK. */
+const PRIVATE_KEY_FIELDS = /* @__PURE__ */ new Set([
+	"d",
+	"p",
+	"q",
+	"dp",
+	"dq",
+	"qi"
+]);
+/**
+* Generates an ES256 keypair for ATProto confidential client authentication.
+* The returned JWK includes private key material and should be stored securely.
+*/
+async function generateAtprotoKeypair(kid) {
+	return generateClientAssertionKey(kid ?? "atproto-key", "ES256");
+}
+/**
+* Extracts the public portion of a JWK by stripping private key fields.
+* Safe to serve at the JWKS endpoint.
+*/
+function extractPublicJwk(privateJwk) {
+	const entries = Object.entries(privateJwk).filter(([key]) => !PRIVATE_KEY_FIELDS.has(key));
+	return Object.fromEntries(entries);
+}
+//#endregion
+export { DbSessionStore, DbStateStore, atproto, atprotoClient, atprotoPlaceholderEmail, atprotoSchema, extractPublicJwk, fetchAtprotoProfilePublic, generateAtprotoKeypair };
+
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":[],"sources":["../src/key-utils.ts"],"sourcesContent":["import type { PublicJwk } from \"@atcute/oauth-crypto\";\nimport {\n  type ClientAssertionPrivateJwk,\n  generateClientAssertionKey,\n} from \"@atcute/oauth-node-client\";\n\n/** Private key fields to strip when extracting a public JWK. */\nconst PRIVATE_KEY_FIELDS = new Set([\"d\", \"p\", \"q\", \"dp\", \"dq\", \"qi\"]);\n\n/**\n * Generates an ES256 keypair for ATProto confidential client authentication.\n * The returned JWK includes private key material and should be stored securely.\n */\nexport async function generateAtprotoKeypair(\n  kid?: string,\n): Promise<ClientAssertionPrivateJwk> {\n  return generateClientAssertionKey(kid ?? \"atproto-key\", \"ES256\");\n}\n\n/**\n * Extracts the public portion of a JWK by stripping private key fields.\n * Safe to serve at the JWKS endpoint.\n */\nexport function extractPublicJwk(\n  privateJwk: ClientAssertionPrivateJwk,\n): PublicJwk {\n  const entries = Object.entries(privateJwk).filter(\n    ([key]) => !PRIVATE_KEY_FIELDS.has(key),\n  );\n  // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- Object.fromEntries loses type info\n  return Object.fromEntries(entries) as PublicJwk;\n}\n"],"mappings":";;;;;AAOA,MAAM,qCAAqB,IAAI,IAAI;CAAC;CAAK;CAAK;CAAK;CAAM;CAAM;AAAI,CAAC;;;;;AAMpE,eAAsB,uBACpB,KACoC;CACpC,OAAO,2BAA2B,OAAO,eAAe,OAAO;AACjE;;;;;AAMA,SAAgB,iBACd,YACW;CACX,MAAM,UAAU,OAAO,QAAQ,UAAU,CAAC,CAAC,QACxC,CAAC,SAAS,CAAC,mBAAmB,IAAI,GAAG,CACxC;CAEA,OAAO,OAAO,YAAY,OAAO;AACnC"}