@mysten/seal 0.2.0 → 0.3.1

package/dist/esm/key-store.js

@@ -1,183 +0,0 @@
-import { fromBase64, toBase64, toHex } from "@mysten/bcs";
-import { combine as externalCombine } from "shamir-secret-sharing";
-import { AesGcm256 } from "./aes.js";
-import { G1Element, G2Element } from "./bls12381.js";
-import { elgamalDecrypt, toPublicKey, toVerificationKey } from "./elgamal.js";
-import { BonehFranklinBLS12381Services, DST } from "./ibe.js";
-import { KeyServerType } from "./key-server.js";
-import { createFullId } from "./utils.js";
-class KeyStore {
-  constructor() {
-    this.keys_map = /* @__PURE__ */ new Map();
-  }
-  createMapKey(fullId, objectId) {
-    return toHex(fullId) + ":" + toHex(objectId);
-  }
-  /** @internal */
-  addKey(fullId, objectId, key) {
-    this.keys_map.set(this.createMapKey(fullId, objectId), key);
-  }
-  /**
-   * Get a key from this KeyStore or undefined if the key is not found.
-   *
-   * @param fullId The full ID used to derive the key.
-   * @param objectId The object ID of the key server holding the key.
-   */
-  getKey(fullId, objectId) {
-    return this.keys_map.get(this.createMapKey(fullId, objectId));
-  }
-  /**
-   * Check if the key store has a key for the given full ID and object ID.
-   *
-   * @param fullId The full ID used to derive the key.
-   * @param objectId The object ID of the key server holding the key.
-   */
-  hasKey(fullId, objectId) {
-    return this.keys_map.has(this.createMapKey(fullId, objectId));
-  }
-  /**
-   * Look up URLs of key servers and fetch key from servers with request signature,
-   * cert and ephPk, then updates the caching keys_map.
-   */
-  async fetchKeys({
-    keyServers,
-    threshold: _threshold,
-    packageId,
-    ids,
-    txBytes,
-    sessionKey
-  }) {
-    if (ids.length !== 1) {
-      throw new Error("Only one ID is supported");
-    }
-    const fullId = createFullId(DST, packageId, ids[0]);
-    const remainingKeyServers = keyServers.filter((ks) => !this.hasKey(fullId, ks.objectId));
-    if (remainingKeyServers.length === 0) {
-      return;
-    }
-    const cert = sessionKey.getCertificate();
-    const signedRequest = await sessionKey.createRequestParams(txBytes);
-    await Promise.all(
-      remainingKeyServers.map(async (server) => {
-        if (server.keyType !== KeyServerType.BonehFranklinBLS12381) {
-          console.warn("Server has invalid key type: " + server.keyType);
-          return;
-        }
-        const res = await fetchKey(
-          server.url,
-          signedRequest.request_signature,
-          txBytes,
-          signedRequest.decryption_key,
-          cert
-        );
-        const key = G1Element.fromBytes(res.key);
-        if (!BonehFranklinBLS12381Services.verifyUserSecretKey(
-          key,
-          fullId,
-          G2Element.fromBytes(server.pk)
-        )) {
-          console.warn("Received invalid key from key server " + server.objectId);
-          return;
-        }
-        this.addKey(fullId, server.objectId, key);
-      })
-    );
-  }
-  /**
-   * Decrypt the given encrypted bytes with the given cached secret keys for the full ID.
-   * It's assumed that fetchKeys has been called to fetch the secret keys for enough key servers
-   * otherwise, this will throw an error.
-   *
-   * @param encryptedObject - EncryptedObject.
-   * @returns - The decrypted plaintext corresponding to ciphertext.
-   */
-  async decrypt(encryptedObject) {
-    if (!encryptedObject.encrypted_shares.BonehFranklinBLS12381) {
-      throw new Error("Encryption mode not supported");
-    }
-    const fullId = createFullId(
-      DST,
-      encryptedObject.package_id,
-      new Uint8Array(encryptedObject.id)
-    );
-    const in_keystore = encryptedObject.services.map((_, i) => i).filter((i) => this.hasKey(fullId, encryptedObject.services[i][0]));
-    if (in_keystore.length < encryptedObject.threshold) {
-      throw new Error("Not enough shares. Please fetch more keys.");
-    }
-    const encryptedShares = encryptedObject.encrypted_shares.BonehFranklinBLS12381.shares;
-    if (encryptedShares.length !== encryptedObject.services.length) {
-      throw new Error("Invalid input");
-    }
-    const nonce = G2Element.fromBytes(
-      encryptedObject.encrypted_shares.BonehFranklinBLS12381.encapsulation
-    );
-    const shares = in_keystore.map((i) => {
-      const [objectId, index] = encryptedObject.services[i];
-      const info = new Uint8Array([index]);
-      let share = BonehFranklinBLS12381Services.decrypt(
-        nonce,
-        this.getKey(fullId, objectId),
-        encryptedShares[i],
-        info
-      );
-      return { index, share };
-    });
-    const key = await combine(shares);
-    if (encryptedObject.ciphertext.Aes256Gcm) {
-      try {
-        return AesGcm256.decrypt(key, encryptedObject.ciphertext);
-      } catch {
-        throw new Error("Decryption failed");
-      }
-    } else if (encryptedObject.ciphertext.Plain) {
-      return key;
-    } else {
-      throw new Error("Invalid encrypted object");
-    }
-  }
-}
-async function fetchKey(url, requestSig, txBytes, enc_key, certificate) {
-  const enc_key_pk = toPublicKey(enc_key);
-  const enc_verification_key = toVerificationKey(enc_key);
-  const body = {
-    ptb: toBase64(txBytes.slice(1)),
-    // removes the byte of the transaction type version
-    enc_key: toBase64(enc_key_pk),
-    enc_verification_key: toBase64(enc_verification_key),
-    request_signature: requestSig,
-    // already b64
-    certificate
-  };
-  const response = await fetch(url + "/v1/fetch_key", {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify(body)
-  });
-  const resp = await response.json();
-  const key = elgamalDecrypt(enc_key, resp.decryption_keys[0].encrypted_key.map(fromBase64));
-  return {
-    fullId: resp.decryption_keys[0].fullId,
-    key
-  };
-}
-async function combine(shares) {
-  if (shares.length === 0) {
-    throw new Error("Invalid input");
-  } else if (shares.length === 1) {
-    return Promise.resolve(shares[0].share);
-  }
-  return externalCombine(
-    shares.map(({ index, share }) => {
-      const packedShare = new Uint8Array(share.length + 1);
-      packedShare.set(share, 0);
-      packedShare[share.length] = index;
-      return packedShare;
-    })
-  );
-}
-export {
-  KeyStore
-};
-//# sourceMappingURL=key-store.js.map

package/dist/esm/key-store.js.map

@@ -1,7 +0,0 @@
-{
-  "version": 3,
-  "sources": ["../../src/key-store.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromBase64, toBase64, toHex } from '@mysten/bcs';\nimport { combine as externalCombine } from 'shamir-secret-sharing';\n\nimport { AesGcm256 } from './aes.js';\nimport { G1Element, G2Element } from './bls12381.js';\nimport { elgamalDecrypt, toPublicKey, toVerificationKey } from './elgamal.js';\nimport { BonehFranklinBLS12381Services, DST } from './ibe.js';\nimport type { KeyServer } from './key-server.js';\nimport { KeyServerType } from './key-server.js';\nimport type { Certificate, SessionKey } from './session-key.js';\nimport type { EncryptedObject } from './types.js';\nimport { createFullId } from './utils.js';\n\n/**\n * A class to cache user secret keys after they have been fetched from key servers.\n */\nexport class KeyStore {\n\t// A caching map for: fullId:object_id -> partial key.\n\tprivate readonly keys_map: Map<string, G1Element>;\n\n\tconstructor() {\n\t\tthis.keys_map = new Map();\n\t}\n\n\tprivate createMapKey(fullId: Uint8Array, objectId: Uint8Array): string {\n\t\treturn toHex(fullId) + ':' + toHex(objectId);\n\t}\n\n\t/** @internal */\n\taddKey(fullId: Uint8Array, objectId: Uint8Array, key: G1Element) {\n\t\tthis.keys_map.set(this.createMapKey(fullId, objectId), key);\n\t}\n\n\t/**\n\t * Get a key from this KeyStore or undefined if the key is not found.\n\t *\n\t * @param fullId The full ID used to derive the key.\n\t * @param objectId The object ID of the key server holding the key.\n\t */\n\tprivate getKey(fullId: Uint8Array, objectId: Uint8Array): G1Element | undefined {\n\t\treturn this.keys_map.get(this.createMapKey(fullId, objectId));\n\t}\n\n\t/**\n\t * Check if the key store has a key for the given full ID and object ID.\n\t *\n\t * @param fullId The full ID used to derive the key.\n\t * @param objectId The object ID of the key server holding the key.\n\t */\n\tprivate hasKey(fullId: Uint8Array, objectId: Uint8Array): boolean {\n\t\treturn this.keys_map.has(this.createMapKey(fullId, objectId));\n\t}\n\n\t/**\n\t * Look up URLs of key servers and fetch key from servers with request signature,\n\t * cert and ephPk, then updates the caching keys_map.\n\t */\n\tasync fetchKeys({\n\t\tkeyServers,\n\t\tthreshold: _threshold,\n\t\tpackageId,\n\t\tids,\n\t\ttxBytes,\n\t\tsessionKey,\n\t}: {\n\t\tkeyServers: KeyServer[];\n\t\tthreshold: number;\n\t\tpackageId: Uint8Array;\n\t\tids: Uint8Array[];\n\t\ttxBytes: Uint8Array;\n\t\tsessionKey: SessionKey;\n\t}) {\n\t\t// TODO: support multiple ids.\n\t\tif (ids.length !== 1) {\n\t\t\tthrow new Error('Only one ID is supported');\n\t\t}\n\t\tconst fullId = createFullId(DST, packageId, ids[0]);\n\t\tconst remainingKeyServers = keyServers.filter((ks) => !this.hasKey(fullId, ks.objectId));\n\t\tif (remainingKeyServers.length === 0) {\n\t\t\treturn;\n\t\t}\n\n\t\tconst cert = sessionKey.getCertificate();\n\t\tconst signedRequest = await sessionKey.createRequestParams(txBytes);\n\n\t\t// TODO: wait for t valid keys, either from completed promises (not failures) or from the cache.\n\t\t// TODO: detect an expired session key and raise an error.\n\t\tawait Promise.all(\n\t\t\tremainingKeyServers.map(async (server) => {\n\t\t\t\tif (server.keyType !== KeyServerType.BonehFranklinBLS12381) {\n\t\t\t\t\tconsole.warn('Server has invalid key type: ' + server.keyType);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tconst res = await fetchKey(\n\t\t\t\t\tserver.url,\n\t\t\t\t\tsignedRequest.request_signature,\n\t\t\t\t\ttxBytes,\n\t\t\t\t\tsignedRequest.decryption_key,\n\t\t\t\t\tcert,\n\t\t\t\t);\n\n\t\t\t\tconst key = G1Element.fromBytes(res.key);\n\t\t\t\tif (\n\t\t\t\t\t!BonehFranklinBLS12381Services.verifyUserSecretKey(\n\t\t\t\t\t\tkey,\n\t\t\t\t\t\tfullId,\n\t\t\t\t\t\tG2Element.fromBytes(server.pk),\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\tconsole.warn('Received invalid key from key server ' + server.objectId);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tthis.addKey(fullId, server.objectId, key);\n\t\t\t}),\n\t\t);\n\t}\n\n\t/**\n\t * Decrypt the given encrypted bytes with the given cached secret keys for the full ID.\n\t * It's assumed that fetchKeys has been called to fetch the secret keys for enough key servers\n\t * otherwise, this will throw an error.\n\t *\n\t * @param encryptedObject - EncryptedObject.\n\t * @returns - The decrypted plaintext corresponding to ciphertext.\n\t */\n\tasync decrypt(encryptedObject: typeof EncryptedObject.$inferType): Promise<Uint8Array> {\n\t\tif (!encryptedObject.encrypted_shares.BonehFranklinBLS12381) {\n\t\t\tthrow new Error('Encryption mode not supported');\n\t\t}\n\n\t\tconst fullId = createFullId(\n\t\t\tDST,\n\t\t\tencryptedObject.package_id,\n\t\t\tnew Uint8Array(encryptedObject.id),\n\t\t);\n\n\t\t// Get the indices of the service whose keys are in the keystore.\n\t\tconst in_keystore = encryptedObject.services\n\t\t\t.map((_, i) => i)\n\t\t\t.filter((i) => this.hasKey(fullId, encryptedObject.services[i][0]));\n\t\tif (in_keystore.length < encryptedObject.threshold) {\n\t\t\tthrow new Error('Not enough shares. Please fetch more keys.');\n\t\t}\n\n\t\tconst encryptedShares = encryptedObject.encrypted_shares.BonehFranklinBLS12381.shares;\n\t\tif (encryptedShares.length !== encryptedObject.services.length) {\n\t\t\tthrow new Error('Invalid input');\n\t\t}\n\n\t\tconst nonce = G2Element.fromBytes(\n\t\t\tencryptedObject.encrypted_shares.BonehFranklinBLS12381.encapsulation,\n\t\t);\n\n\t\t// Decrypt each share.\n\t\tconst shares = in_keystore.map((i: number) => {\n\t\t\tconst [objectId, index] = encryptedObject.services[i];\n\t\t\t// Use the index as the unique info parameter to allow for multiple shares per key server.\n\t\t\tconst info = new Uint8Array([index]);\n\t\t\tlet share = BonehFranklinBLS12381Services.decrypt(\n\t\t\t\tnonce,\n\t\t\t\tthis.getKey(fullId, objectId)!,\n\t\t\t\tencryptedShares[i],\n\t\t\t\tinfo,\n\t\t\t);\n\t\t\t// The Shamir secret sharing library expects the index/x-coordinate to be at the end of the share.\n\t\t\treturn { index, share };\n\t\t});\n\n\t\t// Combine the decrypted shares into the key.\n\t\tconst key = await combine(shares);\n\n\t\tif (encryptedObject.ciphertext.Aes256Gcm) {\n\t\t\ttry {\n\t\t\t\t// Decrypt the ciphertext with the key.\n\t\t\t\treturn AesGcm256.decrypt(key, encryptedObject.ciphertext);\n\t\t\t} catch {\n\t\t\t\tthrow new Error('Decryption failed');\n\t\t\t}\n\t\t} else if (encryptedObject.ciphertext.Plain) {\n\t\t\t// In case `Plain` mode is used, return the key.\n\t\t\treturn key;\n\t\t} else {\n\t\t\tthrow new Error('Invalid encrypted object');\n\t\t}\n\t}\n}\n\n/**\n * Helper function to request a Seal key from URL with requestSig, txBytes, ephemeral pubkey.\n * Then decrypt the Seal key with ephemeral secret key.\n */\nasync function fetchKey(\n\turl: string,\n\trequestSig: string,\n\ttxBytes: Uint8Array,\n\tenc_key: Uint8Array,\n\tcertificate: Certificate,\n): Promise<{ fullId: Uint8Array; key: Uint8Array }> {\n\tconst enc_key_pk = toPublicKey(enc_key);\n\tconst enc_verification_key = toVerificationKey(enc_key);\n\tconst body = {\n\t\tptb: toBase64(txBytes.slice(1)), // removes the byte of the transaction type version\n\t\tenc_key: toBase64(enc_key_pk),\n\t\tenc_verification_key: toBase64(enc_verification_key),\n\t\trequest_signature: requestSig, // already b64\n\t\tcertificate,\n\t};\n\tconst response = await fetch(url + '/v1/fetch_key', {\n\t\tmethod: 'POST',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t},\n\t\tbody: JSON.stringify(body),\n\t});\n\tconst resp = await response.json();\n\t// TODO: handle the different error responses.\n\t// TODO: handle multiple decryption keys.\n\tconst key = elgamalDecrypt(enc_key, resp.decryption_keys[0].encrypted_key.map(fromBase64));\n\treturn {\n\t\tfullId: resp.decryption_keys[0].fullId,\n\t\tkey,\n\t};\n}\n\nasync function combine(shares: { index: number; share: Uint8Array }[]): Promise<Uint8Array> {\n\tif (shares.length === 0) {\n\t\tthrow new Error('Invalid input');\n\t} else if (shares.length === 1) {\n\t\t// The Shamir secret sharing library expects at least two shares.\n\t\t// If there is only one and the threshold is 1, the reconstructed secret is the same as the share.\n\t\treturn Promise.resolve(shares[0].share);\n\t}\n\n\t// The Shamir secret sharing library expects the index/x-coordinate to be at the end of the share\n\treturn externalCombine(\n\t\tshares.map(({ index, share }) => {\n\t\t\tconst packedShare = new Uint8Array(share.length + 1);\n\t\t\tpackedShare.set(share, 0);\n\t\t\tpackedShare[share.length] = index;\n\t\t\treturn packedShare;\n\t\t}),\n\t);\n}\n"],
-  "mappings": "AAGA,SAAS,YAAY,UAAU,aAAa;AAC5C,SAAS,WAAW,uBAAuB;AAE3C,SAAS,iBAAiB;AAC1B,SAAS,WAAW,iBAAiB;AACrC,SAAS,gBAAgB,aAAa,yBAAyB;AAC/D,SAAS,+BAA+B,WAAW;AAEnD,SAAS,qBAAqB;AAG9B,SAAS,oBAAoB;AAKtB,MAAM,SAAS;AAAA,EAIrB,cAAc;AACb,SAAK,WAAW,oBAAI,IAAI;AAAA,EACzB;AAAA,EAEQ,aAAa,QAAoB,UAA8B;AACtE,WAAO,MAAM,MAAM,IAAI,MAAM,MAAM,QAAQ;AAAA,EAC5C;AAAA;AAAA,EAGA,OAAO,QAAoB,UAAsB,KAAgB;AAChE,SAAK,SAAS,IAAI,KAAK,aAAa,QAAQ,QAAQ,GAAG,GAAG;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,OAAO,QAAoB,UAA6C;AAC/E,WAAO,KAAK,SAAS,IAAI,KAAK,aAAa,QAAQ,QAAQ,CAAC;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,OAAO,QAAoB,UAA+B;AACjE,WAAO,KAAK,SAAS,IAAI,KAAK,aAAa,QAAQ,QAAQ,CAAC;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAU;AAAA,IACf;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD,GAOG;AAEF,QAAI,IAAI,WAAW,GAAG;AACrB,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC3C;AACA,UAAM,SAAS,aAAa,KAAK,WAAW,IAAI,CAAC,CAAC;AAClD,UAAM,sBAAsB,WAAW,OAAO,CAAC,OAAO,CAAC,KAAK,OAAO,QAAQ,GAAG,QAAQ,CAAC;AACvF,QAAI,oBAAoB,WAAW,GAAG;AACrC;AAAA,IACD;AAEA,UAAM,OAAO,WAAW,eAAe;AACvC,UAAM,gBAAgB,MAAM,WAAW,oBAAoB,OAAO;AAIlE,UAAM,QAAQ;AAAA,MACb,oBAAoB,IAAI,OAAO,WAAW;AACzC,YAAI,OAAO,YAAY,cAAc,uBAAuB;AAC3D,kBAAQ,KAAK,kCAAkC,OAAO,OAAO;AAC7D;AAAA,QACD;AACA,cAAM,MAAM,MAAM;AAAA,UACjB,OAAO;AAAA,UACP,cAAc;AAAA,UACd;AAAA,UACA,cAAc;AAAA,UACd;AAAA,QACD;AAEA,cAAM,MAAM,UAAU,UAAU,IAAI,GAAG;AACvC,YACC,CAAC,8BAA8B;AAAA,UAC9B;AAAA,UACA;AAAA,UACA,UAAU,UAAU,OAAO,EAAE;AAAA,QAC9B,GACC;AACD,kBAAQ,KAAK,0CAA0C,OAAO,QAAQ;AACtE;AAAA,QACD;AAEA,aAAK,OAAO,QAAQ,OAAO,UAAU,GAAG;AAAA,MACzC,CAAC;AAAA,IACF;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,QAAQ,iBAAyE;AACtF,QAAI,CAAC,gBAAgB,iBAAiB,uBAAuB;AAC5D,YAAM,IAAI,MAAM,+BAA+B;AAAA,IAChD;AAEA,UAAM,SAAS;AAAA,MACd;AAAA,MACA,gBAAgB;AAAA,MAChB,IAAI,WAAW,gBAAgB,EAAE;AAAA,IAClC;AAGA,UAAM,cAAc,gBAAgB,SAClC,IAAI,CAAC,GAAG,MAAM,CAAC,EACf,OAAO,CAAC,MAAM,KAAK,OAAO,QAAQ,gBAAgB,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;AACnE,QAAI,YAAY,SAAS,gBAAgB,WAAW;AACnD,YAAM,IAAI,MAAM,4CAA4C;AAAA,IAC7D;AAEA,UAAM,kBAAkB,gBAAgB,iBAAiB,sBAAsB;AAC/E,QAAI,gBAAgB,WAAW,gBAAgB,SAAS,QAAQ;AAC/D,YAAM,IAAI,MAAM,eAAe;AAAA,IAChC;AAEA,UAAM,QAAQ,UAAU;AAAA,MACvB,gBAAgB,iBAAiB,sBAAsB;AAAA,IACxD;AAGA,UAAM,SAAS,YAAY,IAAI,CAAC,MAAc;AAC7C,YAAM,CAAC,UAAU,KAAK,IAAI,gBAAgB,SAAS,CAAC;AAEpD,YAAM,OAAO,IAAI,WAAW,CAAC,KAAK,CAAC;AACnC,UAAI,QAAQ,8BAA8B;AAAA,QACzC;AAAA,QACA,KAAK,OAAO,QAAQ,QAAQ;AAAA,QAC5B,gBAAgB,CAAC;AAAA,QACjB;AAAA,MACD;AAEA,aAAO,EAAE,OAAO,MAAM;AAAA,IACvB,CAAC;AAGD,UAAM,MAAM,MAAM,QAAQ,MAAM;AAEhC,QAAI,gBAAgB,WAAW,WAAW;AACzC,UAAI;AAEH,eAAO,UAAU,QAAQ,KAAK,gBAAgB,UAAU;AAAA,MACzD,QAAQ;AACP,cAAM,IAAI,MAAM,mBAAmB;AAAA,MACpC;AAAA,IACD,WAAW,gBAAgB,WAAW,OAAO;AAE5C,aAAO;AAAA,IACR,OAAO;AACN,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC3C;AAAA,EACD;AACD;AAMA,eAAe,SACd,KACA,YACA,SACA,SACA,aACmD;AACnD,QAAM,aAAa,YAAY,OAAO;AACtC,QAAM,uBAAuB,kBAAkB,OAAO;AACtD,QAAM,OAAO;AAAA,IACZ,KAAK,SAAS,QAAQ,MAAM,CAAC,CAAC;AAAA;AAAA,IAC9B,SAAS,SAAS,UAAU;AAAA,IAC5B,sBAAsB,SAAS,oBAAoB;AAAA,IACnD,mBAAmB;AAAA;AAAA,IACnB;AAAA,EACD;AACA,QAAM,WAAW,MAAM,MAAM,MAAM,iBAAiB;AAAA,IACnD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,IACjB;AAAA,IACA,MAAM,KAAK,UAAU,IAAI;AAAA,EAC1B,CAAC;AACD,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,QAAM,MAAM,eAAe,SAAS,KAAK,gBAAgB,CAAC,EAAE,cAAc,IAAI,UAAU,CAAC;AACzF,SAAO;AAAA,IACN,QAAQ,KAAK,gBAAgB,CAAC,EAAE;AAAA,IAChC;AAAA,EACD;AACD;AAEA,eAAe,QAAQ,QAAqE;AAC3F,MAAI,OAAO,WAAW,GAAG;AACxB,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC,WAAW,OAAO,WAAW,GAAG;AAG/B,WAAO,QAAQ,QAAQ,OAAO,CAAC,EAAE,KAAK;AAAA,EACvC;AAGA,SAAO;AAAA,IACN,OAAO,IAAI,CAAC,EAAE,OAAO,MAAM,MAAM;AAChC,YAAM,cAAc,IAAI,WAAW,MAAM,SAAS,CAAC;AACnD,kBAAY,IAAI,OAAO,CAAC;AACxB,kBAAY,MAAM,MAAM,IAAI;AAC5B,aAAO;AAAA,IACR,CAAC;AAAA,EACF;AACD;",
-  "names": []
-}