npm - @naylence/advanced-security - Versions diffs - 0.3.7-test.114 → 0.3.7-test.116 - Mend

@naylence/advanced-security 0.3.7-test.114 → 0.3.7-test.116

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (421) hide show

package/dist/esm/naylence/fame/security/keys/x5c-key-manager.js ADDED Viewed

@@ -0,0 +1,405 @@
+import { DeliveryOriginType, DefaultKeyManager, getKeyStore, getLogger, currentTraceId, validateJwkComplete, JWKValidationError, TaskSpawner, } from "@naylence/runtime";
+import { validateJwkX5cCertificate, } from "../cert/util.js";
+const logger = getLogger("naylence.fame.security.keys.x5c_key_manager");
+let x509ModulePromise = null;
+async function loadX509Module() {
+    if (!x509ModulePromise) {
+        x509ModulePromise = import("@peculiar/x509")
+            .then((mod) => {
+            if (mod && typeof mod.X509Certificate === "function") {
+                return { X509Certificate: mod.X509Certificate };
+            }
+            return null;
+        })
+            .catch((error) => {
+            logger.warning("certificate_module_unavailable", {
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return null;
+        });
+    }
+    return x509ModulePromise;
+}
+function decodeBase64Cert(value) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(value, "base64");
+    }
+    const binary = atob(value);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i += 1) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+export class X5CKeyManager extends TaskSpawner {
+    constructor({ keyStore = null, certPurgeIntervalSeconds = 3600, } = {}) {
+        super();
+        this.priority = 1000;
+        this.purgeTask = null;
+        this.keyStore = keyStore ?? getKeyStore();
+        this.inner = new DefaultKeyManager({ keyStore: this.keyStore });
+        this.certPurgeInterval = certPurgeIntervalSeconds;
+    }
+    async onNodeStarted(node) {
+        await this.inner.onNodeStarted(node);
+        this.startPurgeLoop();
+        logger.debug("x5c_key_manager_started", {
+            cert_purge_interval: this.certPurgeInterval,
+        });
+    }
+    async onNodeStopped(node) {
+        logger.debug("x5c_key_manager_stopping");
+        await this.shutdownTasks({ gracePeriod: 200, joinTimeout: 100 });
+        this.purgeTask = null;
+        await this.inner.onNodeStopped(node);
+        logger.debug("x5c_key_manager_stopped");
+    }
+    async getKey(kid) {
+        return this.inner.getKey(kid);
+    }
+    async hasKey(kid) {
+        return this.inner.hasKey(kid);
+    }
+    async addKeys(options) {
+        const { keys, sid, physicalPath, systemId, origin, skipSidValidation = false, } = options;
+        const trustStore = resolveTrustStorePath();
+        const enforceNameConstraints = true;
+        const validKeys = [];
+        let rejectedCount = 0;
+        for (const key of keys) {
+            try {
+                validateJwkComplete(key);
+                if (Array.isArray(key.x5c) && trustStore) {
+                    const validationResult = validateJwkX5cCertificateWrapper({
+                        jwk: key,
+                        trustStore,
+                        enforceNameConstraints,
+                        origin,
+                        systemId,
+                        physicalPath,
+                    });
+                    if (!validationResult.accepted) {
+                        rejectedCount += 1;
+                        if (validationResult.skip) {
+                            continue;
+                        }
+                    }
+                }
+                validKeys.push(key);
+            }
+            catch (error) {
+                if (error instanceof JWKValidationError) {
+                    logger.warning("rejected_invalid_jwk_in_announce", {
+                        kid: typeof key?.kid === "string" ? key.kid : "unknown",
+                        from_system_id: systemId,
+                        from_physical_path: physicalPath,
+                        error: error.message,
+                    });
+                    rejectedCount += 1;
+                    continue;
+                }
+                throw error;
+            }
+        }
+        if (validKeys.length === 0) {
+            logger.warning("no_valid_keys_in_announce", {
+                from_system_id: systemId,
+                from_physical_path: physicalPath,
+                total_keys: keys.length,
+                rejected_count: rejectedCount,
+            });
+            return;
+        }
+        logger.debug("adding_keys", {
+            key_ids: validKeys.map((key) => typeof key?.kid === "string" ? key.kid : "unknown"),
+            source_system_id: systemId,
+            from_physical_path: physicalPath,
+            trace_id: currentTraceId(),
+            origin,
+            valid_count: validKeys.length,
+            rejected_count: rejectedCount,
+        });
+        const hasEncryptionKeys = validKeys.some((key) => typeof key?.use === "string" && key.use === "enc");
+        if (hasEncryptionKeys) {
+            logger.debug("checking_for_old_encryption_keys_to_remove", {
+                physical_path: physicalPath,
+                origin,
+                new_enc_keys: validKeys
+                    .filter((key) => typeof key?.use === "string" && key.use === "enc")
+                    .map((key) => (typeof key?.kid === "string" ? key.kid : "unknown")),
+            });
+            try {
+                const grouped = await this.keyStore.getKeysGroupedByPath();
+                const existingEncKeyIds = new Set();
+                const pathsWithOldKeys = [];
+                const physicalPathSuffix = `@${physicalPath}`;
+                for (const [path, records] of Object.entries(grouped)) {
+                    if (path !== physicalPath && !path.endsWith(physicalPathSuffix)) {
+                        continue;
+                    }
+                    const encKeysAtPath = records.filter((record) => typeof record?.use === "string" && record.use === "enc");
+                    if (encKeysAtPath.length === 0) {
+                        continue;
+                    }
+                    pathsWithOldKeys.push(path);
+                    for (const record of encKeysAtPath) {
+                        if (typeof record?.kid === "string") {
+                            existingEncKeyIds.add(record.kid);
+                        }
+                    }
+                }
+                if (existingEncKeyIds.size > 0) {
+                    logger.debug("found_existing_encryption_keys_across_paths", {
+                        physical_path: physicalPath,
+                        paths_checked: pathsWithOldKeys,
+                        existing_enc_key_ids: Array.from(existingEncKeyIds),
+                    });
+                    const newEncKeyIds = new Set(validKeys
+                        .filter((key) => typeof key?.use === "string" && key.use === "enc")
+                        .map((key) => (typeof key?.kid === "string" ? key.kid : ""))
+                        .filter((kid) => kid.length > 0));
+                    const keysToRemove = Array.from(existingEncKeyIds).filter((kid) => !newEncKeyIds.has(kid));
+                    if (keysToRemove.length > 0) {
+                        logger.info("removing_old_encryption_keys_for_key_rotation", {
+                            physical_path: physicalPath,
+                            paths_with_old_keys: pathsWithOldKeys,
+                            old_key_ids: keysToRemove,
+                            new_key_ids: Array.from(newEncKeyIds),
+                            origin,
+                        });
+                        for (const kid of keysToRemove) {
+                            await this.keyStore.removeKey(kid);
+                            logger.debug("removed_old_encryption_key_from_all_paths", {
+                                kid,
+                            });
+                        }
+                    }
+                }
+            }
+            catch (error) {
+                logger.warning("failed_to_remove_old_encryption_keys", {
+                    physical_path: physicalPath,
+                    error: error instanceof Error ? error.message : String(error),
+                    origin,
+                });
+            }
+        }
+        const addKeyOptions = {
+            keys: validKeys,
+            physicalPath,
+            systemId,
+            origin,
+        };
+        if (skipSidValidation) {
+            addKeyOptions.skipSidValidation = true;
+        }
+        if (typeof sid === "string") {
+            addKeyOptions.sid = sid;
+        }
+        await this.inner.addKeys(addKeyOptions);
+    }
+    async announceKeysToUpstream() {
+        await this.inner.announceKeysToUpstream();
+    }
+    async handleKeyRequest(options) {
+        await this.inner.handleKeyRequest(options);
+    }
+    async removeKeysForPath(physicalPath) {
+        return this.inner.removeKeysForPath(physicalPath);
+    }
+    async getKeysForPath(physicalPath) {
+        return this.inner.getKeysForPath(physicalPath);
+    }
+    async purgeExpiredCertificates() {
+        logger.debug("certificate_purge_starting");
+        const module = await loadX509Module();
+        if (!module) {
+            logger.warning("certificate_purge_skipped", {
+                reason: "x509_module_unavailable",
+            });
+            return 0;
+        }
+        const now = new Date();
+        const keysGrouped = await this.keyStore.getKeysGroupedByPath();
+        const keysToRemove = [];
+        for (const keys of Object.values(keysGrouped)) {
+            for (const key of keys) {
+                const chain = key.x5c;
+                if (!Array.isArray(chain) || chain.length === 0) {
+                    continue;
+                }
+                const [leaf] = chain;
+                if (typeof leaf !== "string") {
+                    continue;
+                }
+                try {
+                    const raw = decodeBase64Cert(leaf);
+                    const cert = new module.X509Certificate(raw);
+                    const expiration = cert.notAfter;
+                    if (expiration && expiration.getTime() < now.getTime()) {
+                        logger.debug("expired_certificate_found", {
+                            kid: typeof key.kid === "string" ? key.kid : "unknown",
+                            physical_path: typeof key.physical_path === "string"
+                                ? key.physical_path
+                                : "unknown",
+                            expired_at: expiration.toISOString(),
+                        });
+                        if (typeof key.kid === "string") {
+                            const removal = {
+                                kid: key.kid,
+                            };
+                            if (typeof key.physical_path === "string") {
+                                removal.physicalPath = key.physical_path;
+                            }
+                            keysToRemove.push(removal);
+                        }
+                    }
+                }
+                catch (error) {
+                    logger.warning("certificate_parsing_failed_during_purge", {
+                        kid: typeof key.kid === "string" ? key.kid : "unknown",
+                        error: error instanceof Error ? error.message : String(error),
+                        message: "Could not parse certificate for expiry check",
+                    });
+                }
+            }
+        }
+        let purgedCount = 0;
+        for (const keyInfo of keysToRemove) {
+            try {
+                const removed = await this.keyStore.removeKey(keyInfo.kid);
+                if (removed) {
+                    purgedCount += 1;
+                    logger.debug("expired_certificate_purged", {
+                        kid: keyInfo.kid,
+                        physical_path: keyInfo.physicalPath ?? "unknown",
+                    });
+                }
+            }
+            catch (error) {
+                logger.error("certificate_purge_failed", {
+                    kid: keyInfo.kid,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        logger.debug("certificate_purge_completed", {
+            purged_count: purgedCount,
+        });
+        return purgedCount;
+    }
+    startPurgeLoop() {
+        if (this.purgeTask) {
+            return;
+        }
+        this.purgeTask = this.spawn(async (signal) => {
+            logger.debug("certificate_purge_loop_started", {
+                interval_seconds: this.certPurgeInterval,
+            });
+            try {
+                while (!signal?.aborted) {
+                    const waitPromise = new Promise((resolve) => {
+                        const timeout = setTimeout(() => resolve(), this.certPurgeInterval * 1000);
+                        if (signal) {
+                            signal.addEventListener("abort", () => {
+                                clearTimeout(timeout);
+                                resolve();
+                            }, { once: true });
+                        }
+                    });
+                    await waitPromise;
+                    if (signal?.aborted) {
+                        break;
+                    }
+                    try {
+                        const purged = await this.purgeExpiredCertificates();
+                        if (purged > 0) {
+                            logger.debug("certificate_purge_cycle_completed", {
+                                purged_count: purged,
+                            });
+                        }
+                    }
+                    catch (error) {
+                        logger.error("certificate_purge_cycle_failed", {
+                            error: error instanceof Error ? error.message : String(error),
+                        });
+                    }
+                }
+            }
+            catch (error) {
+                if (signal?.aborted) {
+                    logger.debug("certificate_purge_loop_cancelled");
+                }
+                else {
+                    logger.error("certificate_purge_loop_failed", {
+                        error: error instanceof Error ? error.message : String(error),
+                    });
+                }
+            }
+            finally {
+                logger.debug("certificate_purge_loop_stopped");
+            }
+        }, { name: "cert-purge" });
+    }
+}
+function validateJwkX5cCertificateWrapper(options) {
+    const { jwk, trustStore, enforceNameConstraints, origin, systemId, physicalPath, } = options;
+    let result;
+    try {
+        result = validateJwkX5cCertificate({
+            jwk,
+            trustStorePem: trustStore,
+            enforceNameConstraints,
+            strict: false,
+        });
+    }
+    catch (error) {
+        logger.warning("rejected_key_due_to_certificate_validation_failure", {
+            kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
+            from_system_id: systemId,
+            from_physical_path: physicalPath,
+            origin,
+            error: error instanceof Error ? error.message : String(error),
+            scenario: "node_attach",
+        });
+        return {
+            accepted: false,
+            skip: origin === DeliveryOriginType.DOWNSTREAM ||
+                origin === DeliveryOriginType.UPSTREAM,
+        };
+    }
+    if (result.isValid) {
+        return { accepted: true, skip: false };
+    }
+    logger.warning("rejected_key_due_to_certificate_validation_failure", {
+        kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
+        from_system_id: systemId,
+        from_physical_path: physicalPath,
+        origin,
+        error: result.error ?? "unknown",
+        scenario: "node_attach",
+    });
+    return {
+        accepted: false,
+        skip: origin === DeliveryOriginType.DOWNSTREAM ||
+            origin === DeliveryOriginType.UPSTREAM,
+    };
+}
+function resolveTrustStorePath() {
+    try {
+        if (typeof process === "undefined" || !process.env) {
+            return null;
+        }
+        if (process.env.FAME_TRUST_STORE_PATH) {
+            return process.env.FAME_TRUST_STORE_PATH;
+        }
+        return process.env.FAME_CA_CERT_FILE ?? null;
+    }
+    catch (error) {
+        logger.debug("trust_store_resolution_failed", {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
+//# sourceMappingURL=x5c-key-manager.js.map

package/dist/esm/naylence/fame/security/keys/x5c-key-manager.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"x5c-key-manager.js","sourceRoot":"","sources":["../../../../../../src/naylence/fame/security/keys/x5c-key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAKlB,iBAAiB,EACjB,WAAW,EACX,SAAS,EACT,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAElB,WAAW,GAEZ,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,GAE1B,MAAM,iBAAiB,CAAC;AAEzB,MAAM,MAAM,GAAG,SAAS,CAAC,6CAA6C,CAAC,CAAC;AAQxE,IAAI,iBAAiB,GAAsC,IAAI,CAAC;AAEhE,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,iBAAiB,GAAG,MAAM,CAAC,gBAAgB,CAAC;aACzC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;YACZ,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,eAAe,KAAK,UAAU,EAAE,CAAC;gBACrD,OAAO,EAAE,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC;YAClD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;aACD,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACf,MAAM,CAAC,OAAO,CAAC,gCAAgC,EAAE;gBAC/C,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACP,CAAC;IAED,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,MAAM,OAAO,aAAc,SAAQ,WAAW;IAQ5C,YAAY,EACV,QAAQ,GAAG,IAAI,EACf,wBAAwB,GAAG,IAAI,MACP,EAAE;QAC1B,KAAK,EAAE,CAAC;QAXM,aAAQ,GAAG,IAAI,CAAC;QAKxB,cAAS,GAA6B,IAAI,CAAC;QAOjD,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,WAAW,EAAE,CAAC;QAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,iBAAiB,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChE,IAAI,CAAC,iBAAiB,GAAG,wBAAwB,CAAC;IACpD,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,IAAc;QACvC,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,cAAc,EAAE,CAAC;QAEtB,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;YACtC,mBAAmB,EAAE,IAAI,CAAC,iBAAiB;SAC5C,CAAC,CAAC;IACL,CAAC;IAEM,KAAK,CAAC,aAAa,CAAC,IAAc;QACvC,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,aAAa,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QACjE,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACtB,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC1C,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,GAAW;QAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,GAAW;QAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,OAOpB;QACC,MAAM,EACJ,IAAI,EACJ,GAAG,EACH,YAAY,EACZ,QAAQ,EACR,MAAM,EACN,iBAAiB,GAAG,KAAK,GAC1B,GAAG,OAAO,CAAC;QAEZ,MAAM,UAAU,GAAG,qBAAqB,EAAE,CAAC;QAC3C,MAAM,sBAAsB,GAAG,IAAI,CAAC;QAEpC,MAAM,SAAS,GAAmC,EAAE,CAAC;QACrD,IAAI,aAAa,GAAG,CAAC,CAAC;QAEtB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC;gBACH,mBAAmB,CAAC,GAAiB,CAAC,CAAC;gBAEvC,IAAI,KAAK,CAAC,OAAO,CAAE,GAA+B,CAAC,GAAG,CAAC,IAAI,UAAU,EAAE,CAAC;oBACtE,MAAM,gBAAgB,GAAG,gCAAgC,CAAC;wBACxD,GAAG,EAAE,GAA8B;wBACnC,UAAU;wBACV,sBAAsB;wBACtB,MAAM;wBACN,QAAQ;wBACR,YAAY;qBACb,CAAC,CAAC;oBAEH,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,CAAC;wBAC/B,aAAa,IAAI,CAAC,CAAC;wBACnB,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;4BAC1B,SAAS;wBACX,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,kBAAkB,EAAE,CAAC;oBACxC,MAAM,CAAC,OAAO,CAAC,kCAAkC,EAAE;wBACjD,GAAG,EAAE,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;wBACvD,cAAc,EAAE,QAAQ;wBACxB,kBAAkB,EAAE,YAAY;wBAChC,KAAK,EAAE,KAAK,CAAC,OAAO;qBACrB,CAAC,CAAC;oBACH,aAAa,IAAI,CAAC,CAAC;oBACnB,SAAS;gBACX,CAAC;gBACD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;QAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,OAAO,CAAC,2BAA2B,EAAE;gBAC1C,cAAc,EAAE,QAAQ;gBACxB,kBAAkB,EAAE,YAAY;gBAChC,UAAU,EAAE,IAAI,CAAC,MAAM;gBACvB,cAAc,EAAE,aAAa;aAC9B,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,aAAa,EAAE;YAC1B,OAAO,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAC7B,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CACnD;YACD,gBAAgB,EAAE,QAAQ;YAC1B,kBAAkB,EAAE,YAAY;YAChC,QAAQ,EAAE,cAAc,EAAE;YAC1B,MAAM;YACN,WAAW,EAAE,SAAS,CAAC,MAAM;YAC7B,cAAc,EAAE,aAAa;SAC9B,CAAC,CAAC;QAEH,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CACtC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAC3D,CAAC;QAEF,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,4CAA4C,EAAE;gBACzD,aAAa,EAAE,YAAY;gBAC3B,MAAM;gBACN,YAAY,EAAE,SAAS;qBACpB,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC;qBAClE,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;aACtE,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE,CAAC;gBAE3D,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;gBAC5C,MAAM,gBAAgB,GAAa,EAAE,CAAC;gBACtC,MAAM,kBAAkB,GAAG,IAAI,YAAY,EAAE,CAAC;gBAE9C,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtD,IAAI,IAAI,KAAK,YAAY,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;wBAChE,SAAS;oBACX,CAAC;oBAED,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAClC,CAAC,MAAM,EAAE,EAAE,CAAC,OAAO,MAAM,EAAE,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,KAAK,KAAK,CACpE,CAAC;oBAEF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBAC/B,SAAS;oBACX,CAAC;oBAED,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBAC5B,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;wBACnC,IAAI,OAAO,MAAM,EAAE,GAAG,KAAK,QAAQ,EAAE,CAAC;4BACpC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;wBACpC,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,IAAI,iBAAiB,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;oBAC/B,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;wBAC1D,aAAa,EAAE,YAAY;wBAC3B,aAAa,EAAE,gBAAgB;wBAC/B,oBAAoB,EAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC;qBACpD,CAAC,CAAC;oBAEH,MAAM,YAAY,GAAG,IAAI,GAAG,CAC1B,SAAS;yBACN,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAC3D;yBACA,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,GAAG,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;yBAC3D,MAAM,CAAC,CAAC,GAAG,EAAiB,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAClD,CAAC;oBAEF,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CACvD,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAChC,CAAC;oBAEF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC5B,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;4BAC3D,aAAa,EAAE,YAAY;4BAC3B,mBAAmB,EAAE,gBAAgB;4BACrC,WAAW,EAAE,YAAY;4BACzB,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC;4BACrC,MAAM;yBACP,CAAC,CAAC;wBAEH,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;4BAC/B,MAAM,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;4BACnC,MAAM,CAAC,KAAK,CAAC,2CAA2C,EAAE;gCACxD,GAAG;6BACJ,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,OAAO,CAAC,sCAAsC,EAAE;oBACrD,aAAa,EAAE,YAAY;oBAC3B,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;oBAC7D,MAAM;iBACP,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAOf;YACF,IAAI,EAAE,SAAS;YACf,YAAY;YACZ,QAAQ;YACR,MAAM;SACP,CAAC;QAEF,IAAI,iBAAiB,EAAE,CAAC;YACtB,aAAa,CAAC,iBAAiB,GAAG,IAAI,CAAC;QACzC,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,aAAa,CAAC,GAAG,GAAG,GAAG,CAAC;QAC1B,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1C,CAAC;IAEM,KAAK,CAAC,sBAAsB;QACjC,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,CAAC;IAC5C,CAAC;IAEM,KAAK,CAAC,gBAAgB,CAAC,OAO7B;QACC,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC7C,CAAC;IAEM,KAAK,CAAC,iBAAiB,CAAC,YAAoB;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACpD,CAAC;IAEM,KAAK,CAAC,cAAc,CACzB,YAAoB;QAEpB,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC;IAEM,KAAK,CAAC,wBAAwB;QACnC,MAAM,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,OAAO,CAAC,2BAA2B,EAAE;gBAC1C,MAAM,EAAE,yBAAyB;aAClC,CAAC,CAAC;YACH,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE,CAAC;QAC/D,MAAM,YAAY,GAAkD,EAAE,CAAC;QAEvE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YAC9C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,KAAK,GAAI,GAA+B,CAAC,GAAG,CAAC;gBACnD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAChD,SAAS;gBACX,CAAC;gBAED,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;gBACrB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC7B,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;oBACnC,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;oBAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC;oBAEjC,IAAI,UAAU,IAAI,UAAU,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;wBACvD,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE;4BACxC,GAAG,EAAE,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;4BACtD,aAAa,EACX,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ;gCACnC,CAAC,CAAC,GAAG,CAAC,aAAa;gCACnB,CAAC,CAAC,SAAS;4BACf,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE;yBACrC,CAAC,CAAC;wBACH,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;4BAChC,MAAM,OAAO,GAA2C;gCACtD,GAAG,EAAE,GAAG,CAAC,GAAG;6BACb,CAAC;4BACF,IAAI,OAAO,GAAG,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;gCAC1C,OAAO,CAAC,YAAY,GAAG,GAAG,CAAC,aAAa,CAAC;4BAC3C,CAAC;4BACD,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;wBAC7B,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,CAAC,OAAO,CAAC,yCAAyC,EAAE;wBACxD,GAAG,EAAE,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;wBACtD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;wBAC7D,OAAO,EAAE,8CAA8C;qBACxD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;YACnC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC3D,IAAI,OAAO,EAAE,CAAC;oBACZ,WAAW,IAAI,CAAC,CAAC;oBACjB,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE;wBACzC,GAAG,EAAE,OAAO,CAAC,GAAG;wBAChB,aAAa,EAAE,OAAO,CAAC,YAAY,IAAI,SAAS;qBACjD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE;oBACvC,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;YAC1C,YAAY,EAAE,WAAW;SAC1B,CAAC,CAAC;QAEH,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,cAAc;QACpB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CACzB,KAAK,EAAE,MAAM,EAAE,EAAE;YACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE;gBAC7C,gBAAgB,EAAE,IAAI,CAAC,iBAAiB;aACzC,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;oBACxB,MAAM,WAAW,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;wBAChD,MAAM,OAAO,GAAG,UAAU,CACxB,GAAG,EAAE,CAAC,OAAO,EAAE,EACf,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAC9B,CAAC;wBACF,IAAI,MAAM,EAAE,CAAC;4BACX,MAAM,CAAC,gBAAgB,CACrB,OAAO,EACP,GAAG,EAAE;gCACH,YAAY,CAAC,OAAO,CAAC,CAAC;gCACtB,OAAO,EAAE,CAAC;4BACZ,CAAC,EACD,EAAE,IAAI,EAAE,IAAI,EAAE,CACf,CAAC;wBACJ,CAAC;oBACH,CAAC,CAAC,CAAC;oBAEH,MAAM,WAAW,CAAC;oBAClB,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;wBACpB,MAAM;oBACR,CAAC;oBAED,IAAI,CAAC;wBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,wBAAwB,EAAE,CAAC;wBACrD,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;4BACf,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;gCAChD,YAAY,EAAE,MAAM;6BACrB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE;4BAC7C,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;yBAC9D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;oBACpB,MAAM,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;gBACnD,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;wBAC5C,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;qBAC9D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;oBAAS,CAAC;gBACT,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACjD,CAAC;QACH,CAAC,EACD,EAAE,IAAI,EAAE,YAAY,EAAE,CACvB,CAAC;IACJ,CAAC;CACF;AAOD,SAAS,gCAAgC,CAAC,OAOzC;IACC,MAAM,EACJ,GAAG,EACH,UAAU,EACV,sBAAsB,EACtB,MAAM,EACN,QAAQ,EACR,YAAY,GACb,GAAG,OAAO,CAAC;IAEZ,IAAI,MAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,yBAAyB,CAAC;YACjC,GAAG;YACH,aAAa,EAAE,UAAU;YACzB,sBAAsB;YACtB,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,OAAO,CAAC,oDAAoD,EAAE;YACnE,GAAG,EAAE,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;YACtD,cAAc,EAAE,QAAQ;YACxB,kBAAkB,EAAE,YAAY;YAChC,MAAM;YACN,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YAC7D,QAAQ,EAAE,aAAa;SACxB,CAAC,CAAC;QACH,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,IAAI,EACF,MAAM,KAAK,kBAAkB,CAAC,UAAU;gBACxC,MAAM,KAAK,kBAAkB,CAAC,QAAQ;SACzC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,oDAAoD,EAAE;QACnE,GAAG,EAAE,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACtD,cAAc,EAAE,QAAQ;QACxB,kBAAkB,EAAE,YAAY;QAChC,MAAM;QACN,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,SAAS;QAChC,QAAQ,EAAE,aAAa;KACxB,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,IAAI,EACF,MAAM,KAAK,kBAAkB,CAAC,UAAU;YACxC,MAAM,KAAK,kBAAkB,CAAC,QAAQ;KACzC,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB;IAC5B,IAAI,CAAC;QACH,IAAI,OAAO,OAAO,KAAK,WAAW,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;YACtC,OAAO,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;QAC3C,CAAC;QAED,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;YAC5C,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}