@naylence/advanced-security 0.3.15 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/dist/browser/index.cjs +2673 -3
- package/dist/browser/index.mjs +2684 -14
- package/dist/cjs/advanced-security-isomorphic.js +4 -0
- package/dist/cjs/advanced-security-isomorphic.js.map +1 -1
- package/dist/cjs/naylence/fame/expr/ast.js +135 -0
- package/dist/cjs/naylence/fame/expr/ast.js.map +1 -0
- package/dist/cjs/naylence/fame/expr/builtins.js +477 -0
- package/dist/cjs/naylence/fame/expr/builtins.js.map +1 -0
- package/dist/cjs/naylence/fame/expr/errors.js +88 -0
- package/dist/cjs/naylence/fame/expr/errors.js.map +1 -0
- package/dist/cjs/naylence/fame/expr/evaluator.js +385 -0
- package/dist/cjs/naylence/fame/expr/evaluator.js.map +1 -0
- package/dist/cjs/naylence/fame/expr/index.js +21 -0
- package/dist/cjs/naylence/fame/expr/index.js.map +1 -0
- package/dist/cjs/naylence/fame/expr/limits.js +80 -0
- package/dist/cjs/naylence/fame/expr/limits.js.map +1 -0
- package/dist/cjs/naylence/fame/expr/parser.js +429 -0
- package/dist/cjs/naylence/fame/expr/parser.js.map +1 -0
- package/dist/cjs/naylence/fame/expr/tokenizer.js +336 -0
- package/dist/cjs/naylence/fame/expr/tokenizer.js.map +1 -0
- package/dist/cjs/naylence/fame/factory-manifest.js +2 -0
- package/dist/cjs/naylence/fame/factory-manifest.js.map +1 -1
- package/dist/cjs/naylence/fame/security/auth/index.js +7 -0
- package/dist/cjs/naylence/fame/security/auth/index.js.map +1 -0
- package/dist/cjs/naylence/fame/security/auth/policy/advanced-authorization-policy-factory.js +70 -0
- package/dist/cjs/naylence/fame/security/auth/policy/advanced-authorization-policy-factory.js.map +1 -0
- package/dist/cjs/naylence/fame/security/auth/policy/advanced-authorization-policy.js +562 -0
- package/dist/cjs/naylence/fame/security/auth/policy/advanced-authorization-policy.js.map +1 -0
- package/dist/cjs/naylence/fame/security/auth/policy/expr-builtins.js +129 -0
- package/dist/cjs/naylence/fame/security/auth/policy/expr-builtins.js.map +1 -0
- package/dist/cjs/naylence/fame/security/auth/policy/index.js +15 -0
- package/dist/cjs/naylence/fame/security/auth/policy/index.js.map +1 -0
- package/dist/cjs/naylence/fame/security/index.js +2 -0
- package/dist/cjs/naylence/fame/security/index.js.map +1 -1
- package/dist/cjs/naylence/fame/security/register-advanced-security-factories.js +2 -0
- package/dist/cjs/naylence/fame/security/register-advanced-security-factories.js.map +1 -1
- package/dist/cjs/naylence/fame/security/strict-overlay-security-profile.js +64 -0
- package/dist/cjs/naylence/fame/security/strict-overlay-security-profile.js.map +1 -0
- package/dist/cjs/package.json +3 -0
- package/dist/cjs/plugin.js +2 -0
- package/dist/cjs/plugin.js.map +1 -1
- package/dist/cjs/version.js +2 -2
- package/dist/cjs/version.js.map +1 -1
- package/dist/esm/advanced-security-isomorphic.js +4 -0
- package/dist/esm/advanced-security-isomorphic.js.map +1 -1
- package/dist/esm/naylence/fame/expr/ast.js +135 -0
- package/dist/esm/naylence/fame/expr/ast.js.map +1 -0
- package/dist/esm/naylence/fame/expr/builtins.js +477 -0
- package/dist/esm/naylence/fame/expr/builtins.js.map +1 -0
- package/dist/esm/naylence/fame/expr/errors.js +88 -0
- package/dist/esm/naylence/fame/expr/errors.js.map +1 -0
- package/dist/esm/naylence/fame/expr/evaluator.js +385 -0
- package/dist/esm/naylence/fame/expr/evaluator.js.map +1 -0
- package/dist/esm/naylence/fame/expr/index.js +21 -0
- package/dist/esm/naylence/fame/expr/index.js.map +1 -0
- package/dist/esm/naylence/fame/expr/limits.js +80 -0
- package/dist/esm/naylence/fame/expr/limits.js.map +1 -0
- package/dist/esm/naylence/fame/expr/parser.js +429 -0
- package/dist/esm/naylence/fame/expr/parser.js.map +1 -0
- package/dist/esm/naylence/fame/expr/tokenizer.js +336 -0
- package/dist/esm/naylence/fame/expr/tokenizer.js.map +1 -0
- package/dist/esm/naylence/fame/factory-manifest.js +2 -0
- package/dist/esm/naylence/fame/factory-manifest.js.map +1 -1
- package/dist/esm/naylence/fame/security/auth/index.js +7 -0
- package/dist/esm/naylence/fame/security/auth/index.js.map +1 -0
- package/dist/esm/naylence/fame/security/auth/policy/advanced-authorization-policy-factory.js +70 -0
- package/dist/esm/naylence/fame/security/auth/policy/advanced-authorization-policy-factory.js.map +1 -0
- package/dist/esm/naylence/fame/security/auth/policy/advanced-authorization-policy.js +562 -0
- package/dist/esm/naylence/fame/security/auth/policy/advanced-authorization-policy.js.map +1 -0
- package/dist/esm/naylence/fame/security/auth/policy/expr-builtins.js +129 -0
- package/dist/esm/naylence/fame/security/auth/policy/expr-builtins.js.map +1 -0
- package/dist/esm/naylence/fame/security/auth/policy/index.js +15 -0
- package/dist/esm/naylence/fame/security/auth/policy/index.js.map +1 -0
- package/dist/esm/naylence/fame/security/index.js +2 -0
- package/dist/esm/naylence/fame/security/index.js.map +1 -1
- package/dist/esm/naylence/fame/security/register-advanced-security-factories.js +2 -0
- package/dist/esm/naylence/fame/security/register-advanced-security-factories.js.map +1 -1
- package/dist/esm/naylence/fame/security/strict-overlay-security-profile.js +64 -0
- package/dist/esm/naylence/fame/security/strict-overlay-security-profile.js.map +1 -0
- package/dist/esm/package.json +3 -0
- package/dist/esm/plugin.js +2 -0
- package/dist/esm/plugin.js.map +1 -1
- package/dist/esm/version.js +2 -2
- package/dist/esm/version.js.map +1 -1
- package/dist/node/index.cjs +2795 -6
- package/dist/node/index.mjs +2770 -15
- package/dist/node/node.cjs +2819 -3
- package/dist/node/node.mjs +2796 -15
- package/dist/types/advanced-security-isomorphic.d.ts +2 -0
- package/dist/types/advanced-security-isomorphic.d.ts.map +1 -1
- package/dist/types/naylence/fame/expr/ast.d.ts +85 -0
- package/dist/types/naylence/fame/expr/ast.d.ts.map +1 -0
- package/dist/types/naylence/fame/expr/builtins.d.ts +79 -0
- package/dist/types/naylence/fame/expr/builtins.d.ts.map +1 -0
- package/dist/types/naylence/fame/expr/errors.d.ts +61 -0
- package/dist/types/naylence/fame/expr/errors.d.ts.map +1 -0
- package/dist/types/naylence/fame/expr/evaluator.d.ts +90 -0
- package/dist/types/naylence/fame/expr/evaluator.d.ts.map +1 -0
- package/dist/types/naylence/fame/expr/index.d.ts +16 -0
- package/dist/types/naylence/fame/expr/index.d.ts.map +1 -0
- package/dist/types/naylence/fame/expr/limits.d.ts +65 -0
- package/dist/types/naylence/fame/expr/limits.d.ts.map +1 -0
- package/dist/types/naylence/fame/expr/parser.d.ts +102 -0
- package/dist/types/naylence/fame/expr/parser.d.ts.map +1 -0
- package/dist/types/naylence/fame/expr/tokenizer.d.ts +51 -0
- package/dist/types/naylence/fame/expr/tokenizer.d.ts.map +1 -0
- package/dist/types/naylence/fame/factory-manifest.d.ts +1 -1
- package/dist/types/naylence/fame/factory-manifest.d.ts.map +1 -1
- package/dist/types/naylence/fame/security/auth/index.d.ts +7 -0
- package/dist/types/naylence/fame/security/auth/index.d.ts.map +1 -0
- package/dist/types/naylence/fame/security/auth/policy/advanced-authorization-policy-factory.d.ts +47 -0
- package/dist/types/naylence/fame/security/auth/policy/advanced-authorization-policy-factory.d.ts.map +1 -0
- package/dist/types/naylence/fame/security/auth/policy/advanced-authorization-policy.d.ts +73 -0
- package/dist/types/naylence/fame/security/auth/policy/advanced-authorization-policy.d.ts.map +1 -0
- package/dist/types/naylence/fame/security/auth/policy/expr-builtins.d.ts +14 -0
- package/dist/types/naylence/fame/security/auth/policy/expr-builtins.d.ts.map +1 -0
- package/dist/types/naylence/fame/security/auth/policy/index.d.ts +12 -0
- package/dist/types/naylence/fame/security/auth/policy/index.d.ts.map +1 -0
- package/dist/types/naylence/fame/security/index.d.ts +2 -0
- package/dist/types/naylence/fame/security/index.d.ts.map +1 -1
- package/dist/types/naylence/fame/security/register-advanced-security-factories.d.ts +1 -0
- package/dist/types/naylence/fame/security/register-advanced-security-factories.d.ts.map +1 -1
- package/dist/types/naylence/fame/security/strict-overlay-security-profile.d.ts +11 -0
- package/dist/types/naylence/fame/security/strict-overlay-security-profile.d.ts.map +1 -0
- package/dist/types/plugin.d.ts.map +1 -1
- package/dist/types/version.d.ts +1 -1
- package/dist/types/version.d.ts.map +1 -1
- package/package.json +5 -4
|
@@ -0,0 +1,562 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Expression-based authorization policy implementation.
|
|
3
|
+
*
|
|
4
|
+
* Extends the basic policy with support for `when` expression evaluation.
|
|
5
|
+
* This is part of the BSL-licensed Advanced Security package.
|
|
6
|
+
*/
|
|
7
|
+
import { compileGlobPattern, compileGlobOnlyScopeRequirement, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, VALID_ACTIONS, VALID_EFFECTS, VALID_ORIGIN_TYPES, } from "@naylence/runtime";
|
|
8
|
+
import { parse } from "../../../expr/parser.js";
|
|
9
|
+
import { evaluateAsBoolean, } from "../../../expr/evaluator.js";
|
|
10
|
+
import { DEFAULT_EXPRESSION_LIMITS } from "../../../expr/limits.js";
|
|
11
|
+
import { createAuthFunctionRegistry } from "./expr-builtins.js";
|
|
12
|
+
/**
|
|
13
|
+
* Simple console logger implementation.
|
|
14
|
+
*/
|
|
15
|
+
const defaultLogger = {
|
|
16
|
+
debug: () => { },
|
|
17
|
+
warning: (event, data) => {
|
|
18
|
+
console.warn(`[naylence.security.auth.policy.expression] ${event}`, data);
|
|
19
|
+
},
|
|
20
|
+
};
|
|
21
|
+
/**
|
|
22
|
+
* Extracts the target address string from the envelope.
|
|
23
|
+
*/
|
|
24
|
+
function extractAddress(envelope) {
|
|
25
|
+
const to = envelope.to;
|
|
26
|
+
if (!to) {
|
|
27
|
+
return undefined;
|
|
28
|
+
}
|
|
29
|
+
if (typeof to === "string") {
|
|
30
|
+
return to;
|
|
31
|
+
}
|
|
32
|
+
if (typeof to === "object" && "toString" in to) {
|
|
33
|
+
return to.toString();
|
|
34
|
+
}
|
|
35
|
+
return undefined;
|
|
36
|
+
}
|
|
37
|
+
/**
|
|
38
|
+
* Extracts granted scopes from the authorization context.
|
|
39
|
+
*/
|
|
40
|
+
function extractGrantedScopes(context) {
|
|
41
|
+
const authContext = context?.security?.authorization;
|
|
42
|
+
if (!authContext) {
|
|
43
|
+
return [];
|
|
44
|
+
}
|
|
45
|
+
if (Array.isArray(authContext.grantedScopes)) {
|
|
46
|
+
return authContext.grantedScopes;
|
|
47
|
+
}
|
|
48
|
+
const claims = authContext.claims;
|
|
49
|
+
if (claims) {
|
|
50
|
+
const scopeClaim = claims.scope ?? claims.scopes ?? claims.scp;
|
|
51
|
+
if (typeof scopeClaim === "string") {
|
|
52
|
+
return scopeClaim.split(/\s+/).filter((s) => s.length > 0);
|
|
53
|
+
}
|
|
54
|
+
if (Array.isArray(scopeClaim)) {
|
|
55
|
+
return scopeClaim.filter((s) => typeof s === "string");
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
return [];
|
|
59
|
+
}
|
|
60
|
+
/**
|
|
61
|
+
* Extracts claims from the authorization context.
|
|
62
|
+
*/
|
|
63
|
+
function extractClaims(context) {
|
|
64
|
+
const authContext = context?.security?.authorization;
|
|
65
|
+
if (!authContext?.claims) {
|
|
66
|
+
return {};
|
|
67
|
+
}
|
|
68
|
+
return authContext.claims;
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Creates a safe envelope subset for expression bindings.
|
|
72
|
+
*/
|
|
73
|
+
function createEnvelopeBindings(envelope) {
|
|
74
|
+
const frame = envelope.frame;
|
|
75
|
+
const envelopeRecord = envelope;
|
|
76
|
+
return {
|
|
77
|
+
id: envelope.id ?? null,
|
|
78
|
+
traceId: envelopeRecord.traceId ?? null,
|
|
79
|
+
corrId: envelopeRecord.corrId ?? null,
|
|
80
|
+
flowId: envelopeRecord.flowId ?? null,
|
|
81
|
+
to: extractAddress(envelope) ?? null,
|
|
82
|
+
frame: frame
|
|
83
|
+
? { type: frame.type ?? null }
|
|
84
|
+
: { type: null },
|
|
85
|
+
};
|
|
86
|
+
}
|
|
87
|
+
/**
|
|
88
|
+
* Creates delivery context bindings for expression evaluation.
|
|
89
|
+
*/
|
|
90
|
+
function createDeliveryBindings(context, action) {
|
|
91
|
+
return {
|
|
92
|
+
origin_type: context?.originType ?? null,
|
|
93
|
+
routing_action: action,
|
|
94
|
+
};
|
|
95
|
+
}
|
|
96
|
+
/**
|
|
97
|
+
* Expression-based authorization policy that evaluates rules with `when` expressions.
|
|
98
|
+
*
|
|
99
|
+
* Features:
|
|
100
|
+
* - All features of BasicAuthorizationPolicy
|
|
101
|
+
* - Expression evaluation for `when` clauses
|
|
102
|
+
* - Deterministic, side-effect-free evaluation
|
|
103
|
+
* - Missing fields evaluate to null (not error)
|
|
104
|
+
* - Parse/evaluation errors cause rule to not match
|
|
105
|
+
*/
|
|
106
|
+
export class AdvancedAuthorizationPolicy {
|
|
107
|
+
constructor(options) {
|
|
108
|
+
const { policyDefinition, warnOnUnknownFields = true, expressionLimits = DEFAULT_EXPRESSION_LIMITS, logger = defaultLogger, } = options;
|
|
109
|
+
this.expressionLimits = expressionLimits;
|
|
110
|
+
this.logger = logger;
|
|
111
|
+
// Validate and extract default effect
|
|
112
|
+
this.defaultEffect = this.validateDefaultEffect(policyDefinition.default_effect);
|
|
113
|
+
// Warn about unknown policy fields
|
|
114
|
+
if (warnOnUnknownFields) {
|
|
115
|
+
this.warnUnknownPolicyFields(policyDefinition);
|
|
116
|
+
}
|
|
117
|
+
// Compile rules for efficient evaluation
|
|
118
|
+
this.compiledRules = this.compileRules(policyDefinition.rules, warnOnUnknownFields);
|
|
119
|
+
this.logger.debug("expression_policy_compiled", {
|
|
120
|
+
defaultEffect: this.defaultEffect,
|
|
121
|
+
ruleCount: this.compiledRules.length,
|
|
122
|
+
rulesWithWhen: this.compiledRules.filter((r) => r.whenAst).length,
|
|
123
|
+
});
|
|
124
|
+
}
|
|
125
|
+
/**
|
|
126
|
+
* Evaluates the policy against a request.
|
|
127
|
+
*/
|
|
128
|
+
async evaluateRequest(_node, envelope, context, action) {
|
|
129
|
+
const resolvedAction = action ?? "*";
|
|
130
|
+
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
131
|
+
const address = extractAddress(envelope);
|
|
132
|
+
const grantedScopes = extractGrantedScopes(context);
|
|
133
|
+
const rawFrameType = envelope.frame
|
|
134
|
+
?.type;
|
|
135
|
+
const frameTypeNormalized = typeof rawFrameType === "string" && rawFrameType.trim().length > 0
|
|
136
|
+
? rawFrameType.trim().toLowerCase()
|
|
137
|
+
: "";
|
|
138
|
+
const rawOriginType = context?.originType;
|
|
139
|
+
const originTypeNormalized = typeof rawOriginType === "string"
|
|
140
|
+
? this.normalizeOriginTypeToken(rawOriginType) ?? undefined
|
|
141
|
+
: undefined;
|
|
142
|
+
// Prepare expression bindings (lazy)
|
|
143
|
+
let expressionBindings = null;
|
|
144
|
+
let functionRegistry = null;
|
|
145
|
+
const evaluationTrace = [];
|
|
146
|
+
// Evaluate rules in order (first match wins)
|
|
147
|
+
for (const rule of this.compiledRules) {
|
|
148
|
+
const step = {
|
|
149
|
+
ruleId: rule.id,
|
|
150
|
+
result: false,
|
|
151
|
+
};
|
|
152
|
+
// Check frame type match
|
|
153
|
+
if (rule.frameTypes) {
|
|
154
|
+
if (!frameTypeNormalized) {
|
|
155
|
+
step.expression = "frame_type: missing";
|
|
156
|
+
step.result = false;
|
|
157
|
+
evaluationTrace.push(step);
|
|
158
|
+
continue;
|
|
159
|
+
}
|
|
160
|
+
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
161
|
+
step.expression = `frame_type: ${rawFrameType ?? "unknown"} not in rule set`;
|
|
162
|
+
step.result = false;
|
|
163
|
+
evaluationTrace.push(step);
|
|
164
|
+
continue;
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
// Check origin type match
|
|
168
|
+
if (rule.originTypes) {
|
|
169
|
+
if (originTypeNormalized === undefined) {
|
|
170
|
+
step.expression = "origin_type: missing (rule requires origin)";
|
|
171
|
+
step.result = false;
|
|
172
|
+
evaluationTrace.push(step);
|
|
173
|
+
continue;
|
|
174
|
+
}
|
|
175
|
+
if (!rule.originTypes.has(originTypeNormalized)) {
|
|
176
|
+
step.expression = `origin_type: ${rawOriginType ?? "unknown"} not in [${Array.from(rule.originTypes).join(", ")}]`;
|
|
177
|
+
step.result = false;
|
|
178
|
+
evaluationTrace.push(step);
|
|
179
|
+
continue;
|
|
180
|
+
}
|
|
181
|
+
}
|
|
182
|
+
// Check action match
|
|
183
|
+
if (!rule.actions.has("*") && !rule.actions.has(resolvedActionNormalized)) {
|
|
184
|
+
step.expression = `action: ${resolvedActionNormalized} not in [${Array.from(rule.actions).join(", ")}]`;
|
|
185
|
+
step.result = false;
|
|
186
|
+
evaluationTrace.push(step);
|
|
187
|
+
continue;
|
|
188
|
+
}
|
|
189
|
+
// Check address match
|
|
190
|
+
if (rule.addressPatterns) {
|
|
191
|
+
if (!address) {
|
|
192
|
+
step.expression = "address: pattern requires address, but none provided";
|
|
193
|
+
step.result = false;
|
|
194
|
+
evaluationTrace.push(step);
|
|
195
|
+
continue;
|
|
196
|
+
}
|
|
197
|
+
const matched = rule.addressPatterns.some((p) => p.match(address));
|
|
198
|
+
if (!matched) {
|
|
199
|
+
const patterns = rule.addressPatterns.map((p) => p.source).join(", ");
|
|
200
|
+
step.expression = `address: none of [${patterns}] matched ${address}`;
|
|
201
|
+
step.result = false;
|
|
202
|
+
evaluationTrace.push(step);
|
|
203
|
+
continue;
|
|
204
|
+
}
|
|
205
|
+
}
|
|
206
|
+
// Check scope match
|
|
207
|
+
if (rule.scopeMatcher) {
|
|
208
|
+
if (!rule.scopeMatcher(grantedScopes)) {
|
|
209
|
+
step.expression = "scope: requirement not satisfied";
|
|
210
|
+
step.boundValues = { grantedScopes: [...grantedScopes] };
|
|
211
|
+
step.result = false;
|
|
212
|
+
evaluationTrace.push(step);
|
|
213
|
+
continue;
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
// Check when expression
|
|
217
|
+
if (rule.whenParseError) {
|
|
218
|
+
// Parse error - rule does not match
|
|
219
|
+
step.expression = `when: parse error - ${rule.whenParseError}`;
|
|
220
|
+
step.result = false;
|
|
221
|
+
evaluationTrace.push(step);
|
|
222
|
+
continue;
|
|
223
|
+
}
|
|
224
|
+
if (rule.whenAst) {
|
|
225
|
+
// Lazy initialization of expression bindings
|
|
226
|
+
if (!expressionBindings) {
|
|
227
|
+
expressionBindings = {
|
|
228
|
+
claims: extractClaims(context),
|
|
229
|
+
envelope: createEnvelopeBindings(envelope),
|
|
230
|
+
delivery: createDeliveryBindings(context, resolvedAction),
|
|
231
|
+
time: {
|
|
232
|
+
now_ms: Date.now(),
|
|
233
|
+
now_iso: new Date().toISOString(),
|
|
234
|
+
},
|
|
235
|
+
};
|
|
236
|
+
}
|
|
237
|
+
const functions = functionRegistry ?? createAuthFunctionRegistry(grantedScopes);
|
|
238
|
+
functionRegistry = functions;
|
|
239
|
+
const evalContext = {
|
|
240
|
+
bindings: expressionBindings,
|
|
241
|
+
limits: this.expressionLimits,
|
|
242
|
+
source: rule.whenSource,
|
|
243
|
+
functions,
|
|
244
|
+
};
|
|
245
|
+
const whenResult = evaluateAsBoolean(rule.whenAst, evalContext);
|
|
246
|
+
if (whenResult.error) {
|
|
247
|
+
// Evaluation error - rule does not match
|
|
248
|
+
step.expression = `when: evaluation error - ${whenResult.error}`;
|
|
249
|
+
step.result = false;
|
|
250
|
+
evaluationTrace.push(step);
|
|
251
|
+
continue;
|
|
252
|
+
}
|
|
253
|
+
if (!whenResult.value) {
|
|
254
|
+
// Expression evaluated to false
|
|
255
|
+
step.expression = `when: expression evaluated to false`;
|
|
256
|
+
step.boundValues = {
|
|
257
|
+
whenExpression: rule.whenSource,
|
|
258
|
+
};
|
|
259
|
+
step.result = false;
|
|
260
|
+
evaluationTrace.push(step);
|
|
261
|
+
continue;
|
|
262
|
+
}
|
|
263
|
+
// Expression evaluated to true
|
|
264
|
+
step.expression = `when: expression evaluated to true`;
|
|
265
|
+
}
|
|
266
|
+
// Rule matched
|
|
267
|
+
step.result = true;
|
|
268
|
+
if (!step.expression) {
|
|
269
|
+
step.expression = "all conditions matched";
|
|
270
|
+
}
|
|
271
|
+
step.boundValues = {
|
|
272
|
+
action: resolvedAction,
|
|
273
|
+
address,
|
|
274
|
+
grantedScopes: [...grantedScopes],
|
|
275
|
+
...(rule.whenSource ? { whenExpression: rule.whenSource } : {}),
|
|
276
|
+
};
|
|
277
|
+
evaluationTrace.push(step);
|
|
278
|
+
this.logger.debug("rule_matched", {
|
|
279
|
+
ruleId: rule.id,
|
|
280
|
+
effect: rule.effect,
|
|
281
|
+
action: resolvedAction,
|
|
282
|
+
address,
|
|
283
|
+
hadWhenClause: Boolean(rule.whenAst),
|
|
284
|
+
});
|
|
285
|
+
return {
|
|
286
|
+
effect: rule.effect,
|
|
287
|
+
reason: rule.description ?? `Matched rule: ${rule.id}`,
|
|
288
|
+
matchedRule: rule.id,
|
|
289
|
+
evaluationTrace,
|
|
290
|
+
};
|
|
291
|
+
}
|
|
292
|
+
// No rule matched, apply default effect
|
|
293
|
+
this.logger.debug("no_rule_matched", {
|
|
294
|
+
defaultEffect: this.defaultEffect,
|
|
295
|
+
action: resolvedAction,
|
|
296
|
+
address,
|
|
297
|
+
});
|
|
298
|
+
return {
|
|
299
|
+
effect: this.defaultEffect,
|
|
300
|
+
reason: `No rule matched, applying default effect: ${this.defaultEffect}`,
|
|
301
|
+
evaluationTrace,
|
|
302
|
+
};
|
|
303
|
+
}
|
|
304
|
+
validateDefaultEffect(effect) {
|
|
305
|
+
if (effect === undefined || effect === null) {
|
|
306
|
+
return "deny";
|
|
307
|
+
}
|
|
308
|
+
if (effect !== "allow" && effect !== "deny") {
|
|
309
|
+
throw new Error(`Invalid default_effect: "${String(effect)}". Must be "allow" or "deny"`);
|
|
310
|
+
}
|
|
311
|
+
return effect;
|
|
312
|
+
}
|
|
313
|
+
warnUnknownPolicyFields(definition) {
|
|
314
|
+
for (const key of Object.keys(definition)) {
|
|
315
|
+
if (!KNOWN_POLICY_FIELDS.has(key)) {
|
|
316
|
+
this.logger.warning("unknown_policy_field", { field: key });
|
|
317
|
+
}
|
|
318
|
+
}
|
|
319
|
+
}
|
|
320
|
+
compileRules(rules, warnOnUnknown) {
|
|
321
|
+
return rules.map((rule, index) => this.compileRule(rule, index, warnOnUnknown));
|
|
322
|
+
}
|
|
323
|
+
compileRule(rule, index, warnOnUnknown) {
|
|
324
|
+
const id = rule.id ?? `rule_${index}`;
|
|
325
|
+
// Validate effect
|
|
326
|
+
if (!VALID_EFFECTS.includes(rule.effect)) {
|
|
327
|
+
throw new Error(`Invalid effect in rule "${id}": "${String(rule.effect)}". Must be "allow" or "deny"`);
|
|
328
|
+
}
|
|
329
|
+
// Compile action(s)
|
|
330
|
+
const actions = this.compileActions(rule.action, id);
|
|
331
|
+
// Compile address patterns
|
|
332
|
+
const addressPatterns = this.compileAddress(rule.address, id);
|
|
333
|
+
// Compile frame type gating
|
|
334
|
+
const frameTypes = this.compileFrameTypes(rule.frame_type, id);
|
|
335
|
+
// Compile origin type gating
|
|
336
|
+
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
337
|
+
// Compile scope matcher
|
|
338
|
+
let scopeMatcher;
|
|
339
|
+
if (rule.scope !== undefined) {
|
|
340
|
+
try {
|
|
341
|
+
const compiled = compileGlobOnlyScopeRequirement(rule.scope, id);
|
|
342
|
+
scopeMatcher = (scopes) => compiled.evaluate(scopes);
|
|
343
|
+
}
|
|
344
|
+
catch (error) {
|
|
345
|
+
throw new Error(`Invalid scope requirement in rule "${id}": ${error instanceof Error ? error.message : String(error)}`);
|
|
346
|
+
}
|
|
347
|
+
}
|
|
348
|
+
// Compile when expression
|
|
349
|
+
let whenAst;
|
|
350
|
+
let whenSource;
|
|
351
|
+
let whenParseError;
|
|
352
|
+
if (typeof rule.when === "string" && rule.when.trim().length > 0) {
|
|
353
|
+
whenSource = rule.when.trim();
|
|
354
|
+
try {
|
|
355
|
+
whenAst = parse(whenSource, this.expressionLimits);
|
|
356
|
+
}
|
|
357
|
+
catch (error) {
|
|
358
|
+
// Parse error - store for evaluation time
|
|
359
|
+
whenParseError =
|
|
360
|
+
error instanceof Error ? error.message : String(error);
|
|
361
|
+
this.logger.warning("when_parse_error", {
|
|
362
|
+
ruleId: id,
|
|
363
|
+
expression: whenSource,
|
|
364
|
+
error: whenParseError,
|
|
365
|
+
});
|
|
366
|
+
}
|
|
367
|
+
}
|
|
368
|
+
// Warn about unknown fields
|
|
369
|
+
if (warnOnUnknown) {
|
|
370
|
+
for (const key of Object.keys(rule)) {
|
|
371
|
+
if (!KNOWN_RULE_FIELDS.has(key)) {
|
|
372
|
+
this.logger.warning("unknown_rule_field", { ruleId: id, field: key });
|
|
373
|
+
}
|
|
374
|
+
}
|
|
375
|
+
}
|
|
376
|
+
return {
|
|
377
|
+
id,
|
|
378
|
+
description: rule.description,
|
|
379
|
+
effect: rule.effect,
|
|
380
|
+
actions,
|
|
381
|
+
frameTypes,
|
|
382
|
+
originTypes,
|
|
383
|
+
addressPatterns,
|
|
384
|
+
scopeMatcher,
|
|
385
|
+
whenAst,
|
|
386
|
+
whenSource,
|
|
387
|
+
whenParseError,
|
|
388
|
+
};
|
|
389
|
+
}
|
|
390
|
+
compileActions(action, ruleId) {
|
|
391
|
+
if (action === undefined) {
|
|
392
|
+
return new Set(["*"]);
|
|
393
|
+
}
|
|
394
|
+
if (typeof action === "string") {
|
|
395
|
+
const normalized = this.normalizeActionToken(action);
|
|
396
|
+
if (!normalized) {
|
|
397
|
+
throw new Error(`Invalid action in rule "${ruleId}": "${action}". Must be one of: ${VALID_ACTIONS.join(", ")}`);
|
|
398
|
+
}
|
|
399
|
+
return new Set([normalized]);
|
|
400
|
+
}
|
|
401
|
+
if (!Array.isArray(action)) {
|
|
402
|
+
throw new Error(`Invalid action in rule "${ruleId}": must be a string or array of strings`);
|
|
403
|
+
}
|
|
404
|
+
if (action.length === 0) {
|
|
405
|
+
throw new Error(`Invalid action in rule "${ruleId}": array must not be empty`);
|
|
406
|
+
}
|
|
407
|
+
const actions = new Set();
|
|
408
|
+
for (const a of action) {
|
|
409
|
+
if (typeof a !== "string") {
|
|
410
|
+
throw new Error(`Invalid action in rule "${ruleId}": all values must be strings`);
|
|
411
|
+
}
|
|
412
|
+
const normalized = this.normalizeActionToken(a);
|
|
413
|
+
if (!normalized) {
|
|
414
|
+
throw new Error(`Invalid action in rule "${ruleId}": "${a}". Must be one of: ${VALID_ACTIONS.join(", ")}`);
|
|
415
|
+
}
|
|
416
|
+
actions.add(normalized);
|
|
417
|
+
}
|
|
418
|
+
return actions;
|
|
419
|
+
}
|
|
420
|
+
compileAddress(address, ruleId) {
|
|
421
|
+
if (address === undefined) {
|
|
422
|
+
return undefined;
|
|
423
|
+
}
|
|
424
|
+
const context = `address in rule "${ruleId}"`;
|
|
425
|
+
if (typeof address === "string") {
|
|
426
|
+
const trimmed = address.trim();
|
|
427
|
+
if (!trimmed) {
|
|
428
|
+
throw new Error(`Invalid address in rule "${ruleId}": value must not be empty`);
|
|
429
|
+
}
|
|
430
|
+
try {
|
|
431
|
+
return [compileGlobPattern(trimmed, context)];
|
|
432
|
+
}
|
|
433
|
+
catch (error) {
|
|
434
|
+
throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
|
|
435
|
+
}
|
|
436
|
+
}
|
|
437
|
+
if (!Array.isArray(address)) {
|
|
438
|
+
throw new Error(`Invalid address in rule "${ruleId}": must be a string or array of strings`);
|
|
439
|
+
}
|
|
440
|
+
if (address.length === 0) {
|
|
441
|
+
throw new Error(`Invalid address in rule "${ruleId}": array must not be empty`);
|
|
442
|
+
}
|
|
443
|
+
const patterns = [];
|
|
444
|
+
for (const addr of address) {
|
|
445
|
+
if (typeof addr !== "string") {
|
|
446
|
+
throw new Error(`Invalid address in rule "${ruleId}": all values must be strings`);
|
|
447
|
+
}
|
|
448
|
+
const trimmed = addr.trim();
|
|
449
|
+
if (!trimmed) {
|
|
450
|
+
throw new Error(`Invalid address in rule "${ruleId}": values must not be empty`);
|
|
451
|
+
}
|
|
452
|
+
try {
|
|
453
|
+
patterns.push(compileGlobPattern(trimmed, context));
|
|
454
|
+
}
|
|
455
|
+
catch (error) {
|
|
456
|
+
throw new Error(`Invalid address in rule "${ruleId}": ${error instanceof Error ? error.message : String(error)}`);
|
|
457
|
+
}
|
|
458
|
+
}
|
|
459
|
+
return patterns;
|
|
460
|
+
}
|
|
461
|
+
compileFrameTypes(frameType, ruleId) {
|
|
462
|
+
if (frameType === undefined) {
|
|
463
|
+
return undefined;
|
|
464
|
+
}
|
|
465
|
+
if (typeof frameType === "string") {
|
|
466
|
+
const normalized = frameType.trim().toLowerCase();
|
|
467
|
+
if (!normalized) {
|
|
468
|
+
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
469
|
+
}
|
|
470
|
+
return new Set([normalized]);
|
|
471
|
+
}
|
|
472
|
+
if (!Array.isArray(frameType)) {
|
|
473
|
+
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
474
|
+
}
|
|
475
|
+
if (frameType.length === 0) {
|
|
476
|
+
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
477
|
+
}
|
|
478
|
+
const frameTypes = new Set();
|
|
479
|
+
for (const ft of frameType) {
|
|
480
|
+
if (typeof ft !== "string") {
|
|
481
|
+
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
482
|
+
}
|
|
483
|
+
const normalized = ft.trim().toLowerCase();
|
|
484
|
+
if (!normalized) {
|
|
485
|
+
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
486
|
+
}
|
|
487
|
+
frameTypes.add(normalized);
|
|
488
|
+
}
|
|
489
|
+
return frameTypes;
|
|
490
|
+
}
|
|
491
|
+
compileOriginTypes(originType, ruleId) {
|
|
492
|
+
if (originType === undefined) {
|
|
493
|
+
return undefined;
|
|
494
|
+
}
|
|
495
|
+
if (typeof originType === "string") {
|
|
496
|
+
const trimmed = originType.trim();
|
|
497
|
+
if (!trimmed) {
|
|
498
|
+
throw new Error(`Invalid origin_type in rule "${ruleId}": value must not be empty`);
|
|
499
|
+
}
|
|
500
|
+
const normalized = this.normalizeOriginTypeToken(trimmed);
|
|
501
|
+
if (!normalized) {
|
|
502
|
+
throw new Error(`Invalid origin_type in rule "${ruleId}": "${originType}". Must be one of: ${VALID_ORIGIN_TYPES.join(", ")}`);
|
|
503
|
+
}
|
|
504
|
+
return new Set([normalized]);
|
|
505
|
+
}
|
|
506
|
+
if (!Array.isArray(originType)) {
|
|
507
|
+
throw new Error(`Invalid origin_type in rule "${ruleId}": must be a string or array of strings`);
|
|
508
|
+
}
|
|
509
|
+
if (originType.length === 0) {
|
|
510
|
+
throw new Error(`Invalid origin_type in rule "${ruleId}": array must not be empty`);
|
|
511
|
+
}
|
|
512
|
+
const originTypes = new Set();
|
|
513
|
+
for (const ot of originType) {
|
|
514
|
+
if (typeof ot !== "string") {
|
|
515
|
+
throw new Error(`Invalid origin_type in rule "${ruleId}": all values must be strings`);
|
|
516
|
+
}
|
|
517
|
+
const trimmed = ot.trim();
|
|
518
|
+
if (!trimmed) {
|
|
519
|
+
throw new Error(`Invalid origin_type in rule "${ruleId}": values must not be empty`);
|
|
520
|
+
}
|
|
521
|
+
const normalized = this.normalizeOriginTypeToken(trimmed);
|
|
522
|
+
if (!normalized) {
|
|
523
|
+
throw new Error(`Invalid origin_type in rule "${ruleId}": "${ot}". Must be one of: ${VALID_ORIGIN_TYPES.join(", ")}`);
|
|
524
|
+
}
|
|
525
|
+
originTypes.add(normalized);
|
|
526
|
+
}
|
|
527
|
+
return originTypes;
|
|
528
|
+
}
|
|
529
|
+
normalizeActionToken(value) {
|
|
530
|
+
const trimmed = value.trim();
|
|
531
|
+
if (!trimmed) {
|
|
532
|
+
return null;
|
|
533
|
+
}
|
|
534
|
+
if (trimmed === "*") {
|
|
535
|
+
return "*";
|
|
536
|
+
}
|
|
537
|
+
const normalized = trimmed.replace(/[\s_-]+/g, "").toLowerCase();
|
|
538
|
+
const map = {
|
|
539
|
+
connect: "Connect",
|
|
540
|
+
forwardupstream: "ForwardUpstream",
|
|
541
|
+
forwarddownstream: "ForwardDownstream",
|
|
542
|
+
forwardpeer: "ForwardPeer",
|
|
543
|
+
deliverlocal: "DeliverLocal",
|
|
544
|
+
};
|
|
545
|
+
return map[normalized] ?? null;
|
|
546
|
+
}
|
|
547
|
+
normalizeOriginTypeToken(value) {
|
|
548
|
+
const trimmed = value.trim();
|
|
549
|
+
if (!trimmed) {
|
|
550
|
+
return null;
|
|
551
|
+
}
|
|
552
|
+
const normalized = trimmed.replace(/[\s_-]+/g, "").toLowerCase();
|
|
553
|
+
const map = {
|
|
554
|
+
downstream: "downstream",
|
|
555
|
+
upstream: "upstream",
|
|
556
|
+
peer: "peer",
|
|
557
|
+
local: "local",
|
|
558
|
+
};
|
|
559
|
+
return map[normalized] ?? null;
|
|
560
|
+
}
|
|
561
|
+
}
|
|
562
|
+
//# sourceMappingURL=advanced-authorization-policy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"advanced-authorization-policy.js","sourceRoot":"","sources":["../../../../../../../src/naylence/fame/security/auth/policy/advanced-authorization-policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAiBH,OAAO,EACL,kBAAkB,EAClB,+BAA+B,EAC/B,mBAAmB,EACnB,iBAAiB,EACjB,aAAa,EACb,aAAa,EACb,kBAAkB,GAEnB,MAAM,mBAAmB,CAAC;AAI3B,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAChD,OAAO,EACL,iBAAiB,GAElB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAUhE;;GAEG;AACH,MAAM,aAAa,GAAW;IAC5B,KAAK,EAAE,GAAG,EAAE,GAA6B,CAAC;IAC1C,OAAO,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;QACvB,OAAO,CAAC,IAAI,CAAC,8CAA8C,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;IAC5E,CAAC;CACF,CAAC;AA8BF;;GAEG;AACH,SAAS,cAAc,CAAC,QAAsB;IAC5C,MAAM,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;IACvB,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,UAAU,IAAI,EAAE,EAAE,CAAC;QAC/C,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC;IACvB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,OAA6B;IAE7B,MAAM,WAAW,GAAG,OAAO,EAAE,QAAQ,EAAE,aAAa,CAAC;IACrD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7C,OAAO,WAAW,CAAC,aAAa,CAAC;IACnC,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,MAA6C,CAAC;IACzE,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,GAAG,CAAC;QAE/D,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC,MAAM,CACtB,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAC1C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACpB,OAA6B;IAE7B,MAAM,WAAW,GAAG,OAAO,EAAE,QAAQ,EAAE,aAAa,CAAC;IACrD,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,WAAW,CAAC,MAAmC,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,QAAsB;IAEtB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAA4C,CAAC;IACpE,MAAM,cAAc,GAAG,QAAmC,CAAC;IAE3D,OAAO;QACL,EAAE,EAAE,QAAQ,CAAC,EAAY,IAAI,IAAI;QACjC,OAAO,EAAE,cAAc,CAAC,OAAiB,IAAI,IAAI;QACjD,MAAM,EAAE,cAAc,CAAC,MAAgB,IAAI,IAAI;QAC/C,MAAM,EAAE,cAAc,CAAC,MAAgB,IAAI,IAAI;QAC/C,EAAE,EAAE,cAAc,CAAC,QAAQ,CAAC,IAAI,IAAI;QACpC,KAAK,EAAE,KAAK;YACV,CAAC,CAAC,EAAE,IAAI,EAAG,KAAK,CAAC,IAAsB,IAAI,IAAI,EAAE;YACjD,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;KACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,OAAwC,EACxC,MAAkB;IAElB,OAAO;QACL,WAAW,EAAE,OAAO,EAAE,UAAU,IAAI,IAAI;QACxC,cAAc,EAAE,MAAM;KACvB,CAAC;AACJ,CAAC;AA6BD;;;;;;;;;GASG;AACH,MAAM,OAAO,2BAA2B;IAMtC,YAAY,OAA2C;QACrD,MAAM,EACJ,gBAAgB,EAChB,mBAAmB,GAAG,IAAI,EAC1B,gBAAgB,GAAG,yBAAyB,EAC5C,MAAM,GAAG,aAAa,GACvB,GAAG,OAAO,CAAC;QAEZ,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,sCAAsC;QACtC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,qBAAqB,CAC7C,gBAAgB,CAAC,cAAc,CAChC,CAAC;QAEF,mCAAmC;QACnC,IAAI,mBAAmB,EAAE,CAAC;YACxB,IAAI,CAAC,uBAAuB,CAAC,gBAAgB,CAAC,CAAC;QACjD,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,YAAY,CACpC,gBAAgB,CAAC,KAAK,EACtB,mBAAmB,CACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE;YAC9C,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM;YACpC,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM;SAClE,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,KAAe,EACf,QAAsB,EACtB,OAA6B,EAC7B,MAAmB;QAEnB,MAAM,cAAc,GAAe,MAAM,IAAI,GAAG,CAAC;QACjD,MAAM,wBAAwB,GAC5B,IAAI,CAAC,oBAAoB,CAAC,cAAc,CAAC,IAAI,cAAc,CAAC;QAC9D,MAAM,OAAO,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,aAAa,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,YAAY,GAAI,QAAQ,CAAC,KAAuC;YACpE,EAAE,IAAI,CAAC;QACT,MAAM,mBAAmB,GACvB,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;YAChE,CAAC,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,CAAC,CAAC,EAAE,CAAC;QACT,MAAM,aAAa,GAAG,OAAO,EAAE,UAAU,CAAC;QAC1C,MAAM,oBAAoB,GACxB,OAAO,aAAa,KAAK,QAAQ;YAC/B,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,aAAa,CAAC,IAAI,SAAS;YAC3D,CAAC,CAAC,SAAS,CAAC;QAEhB,qCAAqC;QACrC,IAAI,kBAAkB,GAAqC,IAAI,CAAC;QAChE,IAAI,gBAAgB,GAA4B,IAAI,CAAC;QAErD,MAAM,eAAe,GAAkC,EAAE,CAAC;QAE1D,6CAA6C;QAC7C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACtC,MAAM,IAAI,GAAgC;gBACxC,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,MAAM,EAAE,KAAK;aACd,CAAC;YAEF,yBAAyB;YACzB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,IAAI,CAAC,mBAAmB,EAAE,CAAC;oBACzB,IAAI,CAAC,UAAU,GAAG,qBAAqB,CAAC;oBACxC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,CAAC;oBAC9C,IAAI,CAAC,UAAU,GAAG,eAAe,YAAY,IAAI,SAAS,kBAAkB,CAAC;oBAC7E,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;YACH,CAAC;YAED,0BAA0B;YAC1B,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACrB,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;oBACvC,IAAI,CAAC,UAAU,GAAG,6CAA6C,CAAC;oBAChE,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,CAAC;oBAChD,IAAI,CAAC,UAAU,GAAG,gBAAgB,aAAa,IAAI,SAAS,YAAY,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;oBACnH,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;YACH,CAAC;YAED,qBAAqB;YACrB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,EAAE,CAAC;gBAC1E,IAAI,CAAC,UAAU,GAAG,WAAW,wBAAwB,YAAY,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;gBACxG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3B,SAAS;YACX,CAAC;YAED,sBAAsB;YACtB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,IAAI,CAAC,UAAU,GAAG,sDAAsD,CAAC;oBACzE,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;gBACnE,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACtE,IAAI,CAAC,UAAU,GAAG,qBAAqB,QAAQ,aAAa,OAAO,EAAE,CAAC;oBACtE,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;YACH,CAAC;YAED,oBAAoB;YACpB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,EAAE,CAAC;oBACtC,IAAI,CAAC,UAAU,GAAG,kCAAkC,CAAC;oBACrD,IAAI,CAAC,WAAW,GAAG,EAAE,aAAa,EAAE,CAAC,GAAG,aAAa,CAAC,EAAE,CAAC;oBACzD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;YACH,CAAC;YAED,wBAAwB;YACxB,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,oCAAoC;gBACpC,IAAI,CAAC,UAAU,GAAG,uBAAuB,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC/D,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3B,SAAS;YACX,CAAC;YAED,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,6CAA6C;gBAC7C,IAAI,CAAC,kBAAkB,EAAE,CAAC;oBACxB,kBAAkB,GAAG;wBACnB,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC;wBAC9B,QAAQ,EAAE,sBAAsB,CAAC,QAAQ,CAAC;wBAC1C,QAAQ,EAAE,sBAAsB,CAAC,OAAO,EAAE,cAAc,CAAC;wBACzD,IAAI,EAAE;4BACJ,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE;4BAClB,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;yBAClC;qBACF,CAAC;gBACJ,CAAC;gBAED,MAAM,SAAS,GACb,gBAAgB,IAAI,0BAA0B,CAAC,aAAa,CAAC,CAAC;gBAChE,gBAAgB,GAAG,SAAS,CAAC;gBAE7B,MAAM,WAAW,GAAsB;oBACrC,QAAQ,EAAE,kBAAkB;oBAC5B,MAAM,EAAE,IAAI,CAAC,gBAAgB;oBAC7B,MAAM,EAAE,IAAI,CAAC,UAAU;oBACvB,SAAS;iBACV,CAAC;gBAEF,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;gBAEhE,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;oBACrB,yCAAyC;oBACzC,IAAI,CAAC,UAAU,GAAG,4BAA4B,UAAU,CAAC,KAAK,EAAE,CAAC;oBACjE,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;oBACtB,gCAAgC;oBAChC,IAAI,CAAC,UAAU,GAAG,qCAAqC,CAAC;oBACxD,IAAI,CAAC,WAAW,GAAG;wBACjB,cAAc,EAAE,IAAI,CAAC,UAAU;qBAChC,CAAC;oBACF,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;oBACpB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,+BAA+B;gBAC/B,IAAI,CAAC,UAAU,GAAG,oCAAoC,CAAC;YACzD,CAAC;YAED,eAAe;YACf,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACrB,IAAI,CAAC,UAAU,GAAG,wBAAwB,CAAC;YAC7C,CAAC;YACD,IAAI,CAAC,WAAW,GAAG;gBACjB,MAAM,EAAE,cAAc;gBACtB,OAAO;gBACP,aAAa,EAAE,CAAC,GAAG,aAAa,CAAC;gBACjC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChE,CAAC;YACF,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE3B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE;gBAChC,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,MAAM,EAAE,cAAc;gBACtB,OAAO;gBACP,aAAa,EAAE,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC;aACrC,CAAC,CAAC;YAEH,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,MAAM,EAAE,IAAI,CAAC,WAAW,IAAI,iBAAiB,IAAI,CAAC,EAAE,EAAE;gBACtD,WAAW,EAAE,IAAI,CAAC,EAAE;gBACpB,eAAe;aAChB,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE;YACnC,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,MAAM,EAAE,cAAc;YACtB,OAAO;SACR,CAAC,CAAC;QAEH,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,aAAa;YAC1B,MAAM,EAAE,6CAA6C,IAAI,CAAC,aAAa,EAAE;YACzE,eAAe;SAChB,CAAC;IACJ,CAAC;IAEO,qBAAqB,CAAC,MAAe;QAC3C,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YAC5C,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,CAAC,MAAM,CAAC,8BAA8B,CACzE,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,uBAAuB,CAC7B,UAAyC;QAEzC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAEO,YAAY,CAClB,KAAoC,EACpC,aAAsB;QAEtB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;IAClF,CAAC;IAEO,WAAW,CACjB,IAAiC,EACjC,KAAa,EACb,aAAsB;QAEtB,MAAM,EAAE,GAAG,IAAI,CAAC,EAAE,IAAI,QAAQ,KAAK,EAAE,CAAC;QAEtC,kBAAkB;QAClB,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACb,2BAA2B,EAAE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,8BAA8B,CACtF,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAErD,2BAA2B;QAC3B,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAE9D,4BAA4B;QAC5B,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAE/D,6BAA6B;QAC7B,MAAM,WAAW,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAElE,wBAAwB;QACxB,IAAI,YAAkE,CAAC;QACvE,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,+BAA+B,CAC9C,IAAI,CAAC,KAAyB,EAC9B,EAAE,CACH,CAAC;gBACF,YAAY,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACb,sCAAsC,EAAE,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACvG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,IAAI,OAA4B,CAAC;QACjC,IAAI,UAA8B,CAAC;QACnC,IAAI,cAAkC,CAAC;QAEvC,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjE,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,OAAO,GAAG,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACrD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,0CAA0C;gBAC1C,cAAc;oBACZ,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACzD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE;oBACtC,MAAM,EAAE,EAAE;oBACV,UAAU,EAAE,UAAU;oBACtB,KAAK,EAAE,cAAc;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,IAAI,aAAa,EAAE,CAAC;YAClB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBAChC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACxE,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,EAAE;YACF,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO;YACP,UAAU;YACV,WAAW;YACX,eAAe;YACf,YAAY;YACZ,OAAO;YACP,UAAU;YACV,cAAc;SACf,CAAC;IACJ,CAAC;IAEO,cAAc,CACpB,MAAuD,EACvD,MAAc;QAEd,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACxB,CAAC;QAED,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;YACrD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,OAAO,MAAM,sBAAsB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC/F,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/B,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,yCAAyC,CAC3E,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,4BAA4B,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,GAAG,EAAc,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,+BAA+B,CACjE,CAAC;YACJ,CAAC;YACD,MAAM,UAAU,GAAG,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,OAAO,CAAC,sBAAsB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1F,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,cAAc,CACpB,OAAsC,EACtC,MAAc;QAEd,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YAC1B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,OAAO,GAAG,oBAAoB,MAAM,GAAG,CAAC;QAE9C,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,4BAA4B,CAC/D,CAAC;YACJ,CAAC;YACD,IAAI,CAAC;gBACH,OAAO,CAAC,kBAAkB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YAChD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,yCAAyC,CAC5E,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,4BAA4B,CAC/D,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAsB,EAAE,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,+BAA+B,CAClE,CAAC;YACJ,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,6BAA6B,CAChE,CAAC;YACJ,CAAC;YACD,IAAI,CAAC;gBACH,QAAQ,CAAC,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YACtD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACb,4BAA4B,MAAM,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,iBAAiB,CACvB,SAAwC,EACxC,MAAc;QAEd,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAClD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,+BAA+B,MAAM,4BAA4B,CAClE,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/B,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,+BAA+B,MAAM,yCAAyC,CAC/E,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,+BAA+B,MAAM,4BAA4B,CAClE,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;QACrC,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;YAC3B,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CACb,+BAA+B,MAAM,+BAA+B,CACrE,CAAC;YACJ,CAAC;YACD,MAAM,UAAU,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YAC3C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,+BAA+B,MAAM,6BAA6B,CACnE,CAAC;YACJ,CAAC;YACD,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC7B,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,kBAAkB,CACxB,UAAyC,EACzC,MAAc;QAEd,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,4BAA4B,CACnE,CAAC;YACJ,CAAC;YACD,MAAM,UAAU,GAAG,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;YAC1D,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,OAAO,UAAU,sBAAsB,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC7G,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/B,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,yCAAyC,CAChF,CAAC;QACJ,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,4BAA4B,CACnE,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;QACtC,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,+BAA+B,CACtE,CAAC;YACJ,CAAC;YACD,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,6BAA6B,CACpE,CAAC;YACJ,CAAC;YACD,MAAM,UAAU,GAAG,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;YAC1D,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,OAAO,EAAE,sBAAsB,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACrG,CAAC;YACJ,CAAC;YACD,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,oBAAoB,CAAC,KAAa;QACxC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;YACpB,OAAO,GAAG,CAAC;QACb,CAAC;QACD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACjE,MAAM,GAAG,GAA+B;YACtC,OAAO,EAAE,SAAS;YAClB,eAAe,EAAE,iBAAiB;YAClC,iBAAiB,EAAE,mBAAmB;YACtC,WAAW,EAAE,aAAa;YAC1B,YAAY,EAAE,cAAc;SAC7B,CAAC;QACF,OAAO,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IACjC,CAAC;IAEO,wBAAwB,CAAC,KAAa;QAC5C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACjE,MAAM,GAAG,GAA2B;YAClC,UAAU,EAAE,YAAY;YACxB,QAAQ,EAAE,UAAU;YACpB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,OAAO;SACf,CAAC;QACF,OAAO,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IACjC,CAAC;CACF"}
|