@nekzus/liop 2.1.0-alpha.4 → 2.1.0-alpha.5
- package/dist/bin/agent.js +301 -4
- package/dist/bin/agent.js.map +1 -1
- package/dist/bridge.js +3 -1
- package/dist/chunk-32ADSAJS.js +104 -0
- package/dist/chunk-32ADSAJS.js.map +1 -0
- package/dist/chunk-4KIGYPIQ.js +3298 -0
- package/dist/chunk-4KIGYPIQ.js.map +1 -0
- package/dist/chunk-72MNYFR6.js +64 -0
- package/dist/chunk-72MNYFR6.js.map +1 -0
- package/dist/chunk-AL7H7DTW.js +463 -0
- package/dist/chunk-AL7H7DTW.js.map +1 -0
- package/dist/chunk-CT6NHSYP.js +30 -0
- package/dist/chunk-CT6NHSYP.js.map +1 -0
- package/dist/chunk-IJHTRIZC.js +56 -0
- package/dist/chunk-IJHTRIZC.js.map +1 -0
- package/dist/chunk-J3WPBMJ5.js +332 -0
- package/dist/chunk-J3WPBMJ5.js.map +1 -0
- package/dist/chunk-MMYZR7G7.js +815 -0
- package/dist/chunk-MMYZR7G7.js.map +1 -0
- package/dist/chunk-ODJT7ZUF.js +300 -0
- package/dist/chunk-ODJT7ZUF.js.map +1 -0
- package/dist/chunk-OUUTDSOW.js +24 -0
- package/dist/chunk-OUUTDSOW.js.map +1 -0
- package/dist/chunk-QLCOEP5J.js +68 -0
- package/dist/chunk-QLCOEP5J.js.map +1 -0
- package/dist/chunk-RDWCGZ2A.js +87 -0
- package/dist/chunk-RDWCGZ2A.js.map +1 -0
- package/dist/chunk-RWRRBYG4.js +1 -0
- package/dist/chunk-SSURAA3I.js +469 -0
- package/dist/chunk-SSURAA3I.js.map +1 -0
- package/dist/chunk-Y73XGYY7.js +1597 -0
- package/dist/chunk-Y73XGYY7.js.map +1 -0
- package/dist/client.js +8 -1
- package/dist/gateway.js +9 -1
- package/dist/index.js +58 -4
- package/dist/index.js.map +1 -1
- package/dist/kyber-3ULIJSE3.js +3 -0
- package/dist/{kyber-2WDOTUQX.js.map → kyber-3ULIJSE3.js.map} +1 -1
- package/dist/mesh.js +4 -1
- package/dist/server.js +6 -1
- package/dist/types.js +2 -1
- package/dist/verifier-3FAKCFNN.js +5 -0
- package/dist/{verifier-KZ4QYF5M.js.map → verifier-3FAKCFNN.js.map} +1 -1
- package/dist/workers/logic-execution.js +255 -1
- package/dist/workers/logic-execution.js.map +1 -1
- package/dist/workers/zk-verifier.js +173 -1
- package/dist/workers/zk-verifier.js.map +1 -1
- package/package.json +1 -1
- package/dist/chunk-AEWYQWVZ.js +0 -42
- package/dist/chunk-AEWYQWVZ.js.map +0 -1
- package/dist/chunk-ANFXJGMP.js +0 -2
- package/dist/chunk-ANFXJGMP.js.map +0 -1
- package/dist/chunk-CPLE5VZ5.js +0 -33
- package/dist/chunk-CPLE5VZ5.js.map +0 -1
- package/dist/chunk-DBXGYHKY.js +0 -2
- package/dist/chunk-DBXGYHKY.js.map +0 -1
- package/dist/chunk-DQ6UW6L7.js +0 -2
- package/dist/chunk-DQ6UW6L7.js.map +0 -1
- package/dist/chunk-JIUFKRVG.js +0 -13
- package/dist/chunk-JIUFKRVG.js.map +0 -1
- package/dist/chunk-PWCXZWSE.js +0 -2
- package/dist/chunk-PWCXZWSE.js.map +0 -1
- package/dist/chunk-RYYRR4N5.js +0 -31
- package/dist/chunk-RYYRR4N5.js.map +0 -1
- package/dist/chunk-S6RJHZV2.js +0 -2
- package/dist/chunk-S6RJHZV2.js.map +0 -1
- package/dist/chunk-SB5XJXKV.js +0 -2
- package/dist/chunk-SB5XJXKV.js.map +0 -1
- package/dist/chunk-T3L6OCM3.js +0 -3
- package/dist/chunk-T3L6OCM3.js.map +0 -1
- package/dist/chunk-TNBXOZNG.js +0 -2
- package/dist/chunk-TNBXOZNG.js.map +0 -1
- package/dist/chunk-V5MKJT6S.js +0 -2
- package/dist/chunk-V5MKJT6S.js.map +0 -1
- package/dist/chunk-VDNV2I4I.js +0 -3
- package/dist/chunk-VDNV2I4I.js.map +0 -1
- package/dist/kyber-2WDOTUQX.js +0 -2
- package/dist/verifier-KZ4QYF5M.js +0 -2
@@ -0,0 +1 @@
1
+
{"version":3,"sources":["../src/rpc/server.ts","../src/security/auth-config.ts","../src/security/jwt-validator.ts","../src/security/oauth-server.ts","../src/security/taint-analyzer.ts","../src/server/ner-scanner.ts","../src/server/output-sanitizer.ts","../src/server/pii.ts","../src/server/index.ts"],"names":["grpc","crypto","__dirname","logic"],"mappings":";;;;;;;;;;;;;;;;;;;;AAiBA,IAAM,oBAAA,GAAuB;AAAA,EAC5B,wBAAA,EAA0B,GAAA;AAAA,EAC1B,2BAAA,EAA6B,GAAA;AAAA,EAC7B,qCAAA,EAAuC,CAAA;AAAA,EACvC,8BAAA,EAAgC,EAAA;AAAA,EAChC,iCAAA,EAAmC,EAAA;AAAA,EACnC,qBAAA,EAAuB;AACxB,CAAA;AAEO,IAAM,gBAAN,MAAoB;AAAA,EAClB,MAAA;AAAA,EAER,WAAA,GAAc;AACb,IAAA,IAAA,CAAK,MAAA,GAAS,IAASA,KAAA,CAAA,MAAA,CAAO,oBAAoB,CAAA;AAAA,EACnD;AAAA,EAEO,WAAW,QAAA,EAQT;AACR,IAAA,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,MAAA,CAAO,SAAA,CAAU,OAAA,EAAS;AAAA,MAChD,iBAAiB,QAAA,CAAS,eAAA;AAAA,MAC1B,cAAc,QAAA,CAAS;AAAA,KACvB,CAAA;AAAA,EACF;AAAA,EAEA,MAAa,MAAA,CACZ,IAAA,GAAe,KAAA,EACf,GAAA,EACkB;AAClB,IAAA,MAAM,WAAA,GAAc,wBAAwB,GAAG,CAAA;AAC/C,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACvC,MAAA,IAAA,CAAK,MAAA,CAAO,SAAA;AAAA,QACX,WAAW,IAAI,CAAA,CAAA;AAAA,QACf,WAAA;AAAA,QACA,CAAC,OAAO,YAAA,KAAiB;AACxB,UAAA,IAAI,KAAA,EAAO;AACV,YAAA,MAAA,CAAO,KAAK,CAAA;AACZ,YAAA;AAAA,UACD;AACA,UAAA,GAAA,CAAI,IAAA,CAAK,CAAA,oCAAA,EAAuC,YAAY,CAAA,CAAE,CAAA;AAC9D,UAAA,OAAA,CAAQ,YAAY,CAAA;AAAA,QACrB;AAAA,OACD;AAAA,IACD,CAAC,CAAA;AAAA,EACF;AAAA,EAEA,MAAa,IAAA,GAAsB;AAClC,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,KAAY;AAC/B,MAAA,IAAA,CAAK,MAAA,CAAO,YAAY,MAAM;AAC7B,QAAA,GAAA,CAAI,KAAK,6BAA6B,CAAA;AACtC,QAAA,OAAA,EAAQ;AAAA,MACT,CAAC,CAAA;AAAA,IACF,CAAC,CAAA;AAAA,EACF;AACD;;;ACUO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE5B,QAAA,EAAU,mBAAA;AAAA;AAAA,EAEV,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,CAAA;AAAA;AAAA,EAEnB,gBAAA,EAAkB;AACnB;AChEO,IAAM,eAAN,MAAmB;AAAA,EACR,YAAA;AAAA,EAGA,MAAA;AAAA,EACA,QAAA;AAAA,EAEjB,WAAA,CACC,MAAA,EACA,QAAA,EACA,UAAA,EACC;AACD,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAA
K,QAAA,GAAW,QAAA;AAEhB,IAAA,IAAI,sBAAsB,GAAA,EAAK;AAI9B,MAAA,IAAA,CAAK,YAAA,GAAoB,wBAAmB,UAAA,EAAY;AAAA,QACvD,aAAa,aAAA,CAAc,cAAA;AAAA,QAC3B,kBAAkB,aAAA,CAAc;AAAA,OAChC,CAAA;AAAA,IACF,CAAA,MAAO;AAGN,MAAA,IAAA,CAAK,YAAA,GAAoB,uBAAkB,UAAU,CAAA;AAAA,IACtD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,SAAS,KAAA,EAAkC;AAahD,IAAA,MAAM,OAAA,GAAU,KAAK,kBAAA,EAAmB;AAExC,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAW,IAAA,CAAA,SAAA,CAAU,KAAA,EAAO,KAAK,YAAA,EAAc;AAAA,MAClE,MAAA,EAAQ,OAAA,CAAQ,MAAA,GAAS,CAAA,GAAI,UAAU,IAAA,CAAK,MAAA;AAAA,MAC5C,UAAU,IAAA,CAAK,QAAA;AAAA;AAAA;AAAA,MAGf,UAAA,EAAY,CAAC,aAAA,CAAc,gBAAA,EAAkB,OAAO,CAAA;AAAA;AAAA,MAEpD,gBAAgB,aAAA,CAAc,iBAAA;AAAA;AAAA,MAE9B,cAAA,EAAgB,CAAC,KAAA,EAAO,OAAO;AAAA,KAC/B,CAAA;AAED,IAAA,OAAO;AAAA,MACN,KAAA;AAAA,MACA,QAAA,EAAU,QAAQ,GAAA,IAAO,SAAA;AAAA,MACzB,MAAA,EAAQ,OAAO,OAAA,CAAQ,KAAA,KAAU,QAAA,GAAW,QAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA,GAAI,EAAC;AAAA,MACxE,WAAW,OAAA,CAAQ;AAAA,KACpB;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBQ,kBAAA,GAA+B;AACtC,IAAA,MAAM,OAAA,GAAU,CAAC,IAAA,CAAK,MAAM,CAAA;AAC5B,IAAA,MAAM,WAAA,GAAc,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,GAAG,CAAA,GACzC,IAAA,CAAK,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GACvB,IAAA,CAAK,MAAA;AAIR,IAAA,MAAM,iBAAA,GAAoB;AAAA,MACzB,YAAA;AAAA,MACA,iBAAA;AAAA,MACA,gBAAA;AAAA,MACA,gBAAA;AAAA,MACA,iBAAA;AAAA,MACA,iBAAA;AAAA,MACA,iBAAA;AAAA,MACA;AAAA,KACD;AAGA,IAAA,IAAI,eAAA,GAAkB,EAAA;AACtB,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,WAAW,CAAA;AAC/B,MAAA,eAAA,GAAkB,GAAG,GAAA,CAAI,QAAQ,CAAA,CAAA,EAAI,GAAA,CAAI,QAAQ,MAAM,CAAA,CAAA;AAAA,IACxD,CAAA,CAAA,MAAQ;AAEP,MAAA,OAAO,OAAA;AAAA,IACR;AAGA,IAAA,MAAM,gBAAgB,iBAAA,CAAkB,IAAA;AAAA,MACvC,CAAC,cAAc,eAAA,KAAoB;AAAA,KACpC;AAEA,IAAA,IAAI,CAAC,eAAe,OAAO,OAAA;AAG3B,IAAA,MAAM,UAAA,GAAa,WAAA,CAAY,OAAA,CAAQ,mBAAA,EAAqB,EAAE,CAAA;AAG9D,IAAA,KAAA,MAAW,aAAa,iBAAA,EAAmB;AAC1C,MAAA,MAAM,KAAA,GAAQ,CAAA,OAAA,EAAU,SAAS,CAAA,EAAG,UAAU,CAAA,CAAA;AAC9C,MAAA,IAAI,CAAC,OAAA,CA
AQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC7B,QAAA,OAAA,CAAQ,KAAK,KAAK,CAAA;AAAA,MACnB;AAAA,IACD;AAIA,IAAA,IAAI,UAAA,EAAY;AACf,MAAA,KAAA,MAAW,aAAa,iBAAA,EAAmB;AAC1C,QAAA,MAAM,KAAA,GAAQ,UAAU,SAAS,CAAA,CAAA;AACjC,QAAA,IAAI,CAAC,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC7B,UAAA,OAAA,CAAQ,KAAK,KAAK,CAAA;AAAA,QACnB;AAAA,MACD;AAAA,IACD,CAAA,MAAO;AAEN,MAAA,KAAA,MAAW,aAAa,iBAAA,EAAmB;AAC1C,QAAA,MAAM,KAAA,GAAQ,UAAU,SAAS,CAAA,KAAA,CAAA;AACjC,QAAA,IAAI,CAAC,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG;AAC7B,UAAA,OAAA,CAAQ,KAAK,KAAK,CAAA;AAAA,QACnB;AAAA,MACD;AAAA,IACD;AAEA,IAAA,OAAO,OAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA,GAAoB;AACnB,IAAA,OAAO,IAAA,CAAK,MAAA;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,GAAsB;AACrB,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACb;AACD;AC1KO,SAAS,kBACf,MAAA,EACoB;AAEpB,EAAA,MAAM,EAAE,UAAA,EAAY,SAAA,EAAU,GAAIC,OAAA,CAAO,oBAAoB,SAAS,CAAA;AACtE,EAAA,MAAM,aAAa,UAAA,CAAW,MAAA,CAAO,EAAE,MAAA,EAAQ,OAAO,CAAA;AACtD,EAAA,MAAM,YAAY,SAAA,CAAU,MAAA,CAAO,EAAE,MAAA,EAAQ,OAAO,CAAA;AACpD,EAAA,MAAM,GAAA,GAAMA,OAAA,CACV,UAAA,CAAW,QAAQ,EACnB,MAAA,CAAO,SAAA,CAAU,CAAA,IAAK,EAAE,EACxB,MAAA,CAAO,KAAK,CAAA,CACZ,KAAA,CAAM,GAAG,EAAE,CAAA;AAEb,EAAA,MAAM,kBAAA,GAAqB;AAAA,IAC1B,GAAG,UAAA;AAAA,IACH,GAAA;AAAA,IACA,GAAA,EAAK,KAAA;AAAA,IACL,GAAA,EAAK;AAAA,GACN;AAEA,EAAA,MAAM,iBAAA,GAAoB;AAAA,IACzB,GAAG,SAAA;AAAA,IACH,GAAA;AAAA,IACA,GAAA,EAAK,KAAA;AAAA,IACL,GAAA,EAAK;AAAA,GACN;AAEA,EAAA,MAAM,YAAA,GAAe;AAAA,IACpB,IAAA,EAAM,CAAC,kBAAkB;AAAA,GAC1B;AAEA,EAAA,MAAM,UAAA,GAAiC;AAAA,IACtC,IAAA,EAAM,CAAC,iBAAiB;AAAA,GACzB;AAGA,EAAA,MAAM,UAAA,GAA4B;AAAA;AAAA,IAEjC,MAAA,EAAQ,CAAC,QAAA,EAAU,gBAAA,EAAkB,GAAG,WAAW,CAAA;AAAA;AAAA,IAGnD,OAAA,EAAS,MAAA,CAAO,OAAA,CAAQ,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACnC,WAAW,CAAA,CAAE,SAAA;AAAA,MACb,eAAe,CAAA,CAAE,aAAA;AAAA,MACjB,WAAA,EAAa,CAAC,oBAAoB,CAAA;AAAA,MAClC,gBAAgB,EAAC;AAAA;AAAA,MACjB,eAAe,EAAC;AAAA;AAAA,MAChB,OAAO,CAAA,CAAE,KAAA;AAAA,MACT,0BAAA,EAA4B,oBAAA;AAAA,MAC5B,4BAAA,EAA8B;AAAA,KAC/B,CAAE,CAAA;AAAA;AAAA,IAGF,QAAA,EAAU;AAAA,MACT,iBAAA,EAAmB,EAAE,OAAA,EAAS,IAAA,EAAK;AAAA,MACnC,eAAA,EAAiB,E
AAE,OAAA,EAAS,KAAA,EAAM;AAAA;AAAA,MAClC,kBAAA,EAAoB;AAAA,QACnB,OAAA,EAAS,IAAA;AAAA,QACT,oBAAoB,MAAM,IAAA;AAAA,QAC1B,qBAAA,EAAuB,CAAC,IAAA,EAAM,SAAA,EAAW,MAAA,KAAW;AACnD,UAAA,OAAO;AAAA,YACN,KAAA,EAAO,OAAO,KAAA,IAAS,EAAA;AAAA,YACvB,iBAAA,EAAmB,KAAA;AAAA,YACnB,GAAA,EAAK;AAAA,cACJ,IAAA,EAAM,EAAE,GAAA,EAAK,OAAA;AAAQ;AACtB,WACD;AAAA,QACD;AAAA;AACD,KACD;AAAA;AAAA;AAAA,IAIA,OAAA,EAAS;AAAA,MACR,WAAA,EAAa;AAAA;AAAA,KAEd;AAAA;AAAA,IAGA,YAAA,EAAc;AAAA,MACb,KAAK,MAAM;AACV,QAAA,MAAM,IAAI,KAAA;AAAA,UACT;AAAA,SACD;AAAA,MACD;AAAA,KACD;AAAA;AAAA,IAGA,IAAA,EAAM,YAAA;AAAA;AAAA,IAGN,GAAA,EAAK;AAAA,MACJ,iBAAA,EAAmB;AAAA;AAAA,KACpB;AAAA;AAAA,IAGA,OAAA,EAAS;AAAA,MACR,IAAA,EAAM,CAACA,OAAA,CAAO,WAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,KAAK,CAAC;AAAA,KAC9C;AAAA;AAAA,IAGA,gBAAA,EAAkB,CAAC,IAAA,EAAM,KAAA,KAAU;AAClC,MAAA,IAAI,KAAA,CAAM,SAAS,aAAA,EAAe;AACjC,QAAA,OAAO;AAAA,UACN,OAAO,KAAA,CAAM;AAAA,SACd;AAAA,MACD;AACA,MAAA,OAAO,EAAC;AAAA,IACT;AAAA,GACD;AAIA,EAAA,MAAM,gBAAA,GAAmB,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,GAAG,CAAA,GAChD,MAAA,CAAO,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GACzB,MAAA,CAAO,MAAA;AAEV,EAAA,MAAM,QAAA,GAAW,IAAI,QAAA,CAAS,gBAAA,EAAkB,UAAU,CAAA;AAG1D,EAAA,QAAA,CAAS,KAAA,GAAQ,IAAA;AAEjB,EAAA,OAAO;AAAA,IACN,QAAA;AAAA,IACA,IAAA,EAAM;AAAA,GACP;AACD;AChIO,IAAM,aAAA,GAAN,MAAM,cAAA,CAAc;AAAA,EACT,SAAA;AAAA,EACA,aAAA;AAAA;AAAA,EAGjB,OAAwB,yBAAA,mBAA4B,IAAI,GAAA,CAAI;AAAA;AAAA,IAE3D,YAAA;AAAA,IACA,aAAA;AAAA,IACA,QAAA;AAAA,IACA,IAAA;AAAA;AAAA,IAEA,SAAA;AAAA,IACA,aAAA;AAAA,IACA,QAAA;AAAA;AAAA,IAEA,eAAA;AAAA,IACA,YAAA;AAAA,IACA,UAAA;AAAA,IACA,UAAA;AAAA;AAAA,IAEA,WAAA;AAAA,IACA,OAAA;AAAA,IACA,QAAA;AAAA,IACA,OAAA;AAAA,IACA,OAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,YAAA;AAAA,IACA,WAAA;AAAA,IACA,aAAA;AAAA,IACA,aAAA;AAAA,IACA,MAAA;AAAA,IACA,WAAA;AAAA,IACA,SAAA;AAAA,IACA,UAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACA,CAAA;AAAA;AAAA,EAGD,OAAwB,sBAAA,mBAAyB,IAAI,GAAA,CAAI;AAAA,IACxD,KAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA;AAAA,IACA,MAAA;AAAA,IACA,MAAA;AAAA,IACA,OAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACA,CAAA;AAAA;AAAA,EAGD,OA
AwB,cAAA,mBAAiB,IAAI,IAAI,CAAC,QAAA,EAAU,aAAa,CAAC,CAAA;AAAA,EAE1E,WAAA,CAAY,SAAA,EAAqB,aAAA,GAA0B,EAAC,EAAG;AAC9D,IAAA,IAAA,CAAK,SAAA,GAAY,IAAI,GAAA,CAAI,SAAA,CAAU,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA;AAC9D,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAI,GAAA,CAAI,aAAA,CAAc,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA;AAAA,EACvE;AAAA;AAAA;AAAA;AAAA,EAKA,aAAA,CACC,KAAA,EACA,mBAAA,GAAgC,EAAC,EACd;AACnB,IAAA,MAAM,UAAA,GAAa,MAAM,WAAA,EAAY;AACrC,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,UAAU,CAAA,EAAG;AACnC,MAAA,OAAO,WAAA;AAAA,IACR;AAEA,IAAA,MAAM,kBAAkB,IAAI,GAAA;AAAA,MAC3B,oBAAoB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa;AAAA,KAC/C;AACA,IAAA,IAAI,IAAA,CAAK,cAAc,GAAA,CAAI,UAAU,KAAK,eAAA,CAAgB,GAAA,CAAI,UAAU,CAAA,EAAG;AAC1E,MAAA,OAAO,WAAA;AAAA,IACR;AAEA,IAAA,OAAO,QAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,OAAA,CACC,UAAA,EACA,WAAA,EACA,oBAAA,GAA+B,EAAA,EACP;AACxB,IAAA,IAAI,GAAA;AACJ,IAAA,IAAI;AAEH,MAAA,MAAM,OAAA,GAAU,CAAA;AAAA,EAA0C,UAAU;AAAA,CAAA,CAAA;AACpE,MAAA,GAAA,GAAY,YAAM,OAAA,EAAS;AAAA,QAC1B,WAAA,EAAa,IAAA;AAAA,QACb,UAAA,EAAY,QAAA;AAAA,QACZ,SAAA,EAAW;AAAA,OACX,CAAA;AAAA,IACF,CAAA,CAAA,MAAQ;AAEP,MAAA,OAAO,IAAA;AAAA,IACR;AAEA,IAAA,MAAM,eAAA,uBAAsB,GAAA,EAAY;AACxC,IAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AAGpC,IAAA,IAAA,CAAK,uBAAA,CAAwB,KAAK,eAAe,CAAA;AAGjD,IAAA,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,eAAA,EAAiB,WAAW,CAAA;AAGrD,IAAA,MAAM,cAAc,IAAA,CAAK,qBAAA;AAAA,MACxB,GAAA;AAAA,MACA,eAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,IAAI,aAAa,OAAO,WAAA;AAGxB,IAAA,IACC,WAAA,KAAgB,MAAA,IAChB,WAAA,GAAc,CAAA,IACd,cAAc,oBAAA,EACb;AACD,MAAA,MAAM,iBAAA,GAAoB,IAAA,CAAK,4BAAA,CAA6B,GAAG,CAAA;AAC/D,MAAA,IAAI,iBAAA,EAAmB;AAEtB,QAAA,iBAAA,CAAkB,MAAA,GAAS,kBAAkB,MAAA,CAAO,OAAA;AAAA,UACnD,YAAA;AAAA,UACA,GAAG,oBAAoB,CAAA,QAAA;AAAA,SACxB;AACA,QAAA,OAAO,iBAAA;AAAA,MACR;AAAA,IACD;AAGA,IAAA,IACC,WAAA,KAAgB,MAAA,IAChB,WAAA,GAAc,CAAA,IACd,cAAc,oBAAA,EACb;AACD,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,sBAAA,CAAuB,GAAG,CAAA;AACpD,MAAA,IAAI,YAAA,EAAc;AACjB,QAAA,YAAA,CAAa,MAAA,GAAS,aAAa,MAAA,CAAO,OAAA;AAAA,UA
CzC,YAAA;AAAA,UACA,GAAG,oBAAoB,CAAA,QAAA;AAAA,SACxB;AACA,QAAA,OAAO,YAAA;AAAA,MACR;AAAA,IACD;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,qBAAqB,UAAA,EAA8B;AAClD,IAAA,IAAI,GAAA;AACJ,IAAA,IAAI;AACH,MAAA,GAAA,GAAY,KAAA,CAAA,KAAA,CAAM,CAAA;AAAA,EAAsB,UAAU;AAAA,CAAA,CAAA,EAAO;AAAA,QACxD,WAAA,EAAa,IAAA;AAAA,QACb,UAAA,EAAY;AAAA,OACZ,CAAA;AAAA,IACF,CAAA,CAAA,MAAQ;AACP,MAAA,OAAO,EAAC;AAAA,IACT;AAEA,IAAA,MAAM,eAAA,uBAAsB,GAAA,EAAY;AACxC,IAAA,IAAA,CAAK,uBAAA,CAAwB,KAAK,eAAe,CAAA;AAEjD,IAAA,MAAM,MAAA,uBAAa,GAAA,EAAY;AAE/B,IAAA,MAAM,QAAA,GAAiC;AAAA,MACtC,gBAAA,EAAkB,CAAC,IAAA,KAAS;AAC3B,QAAA,MAAM,QAAA,GAAW,IAAA,CAAK,eAAA,CAAgB,IAAI,CAAA;AAC1C,QAAA,IAAI,CAAC,QAAA,IAAY,QAAA,KAAa,QAAA,EAAU;AAGxC,QAAA,IACC,IAAA,CAAK,OAAO,IAAA,KAAS,YAAA,IACrB,gBAAgB,GAAA,CAAK,IAAA,CAAK,MAAA,CAA4B,IAAI,CAAA,EACzD;AACD,UAAA,MAAA,CAAO,IAAI,QAAQ,CAAA;AAAA,QACpB;AAGA,QAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAC5C,UAAA,MAAM,eAAe,IAAA,CAAK,MAAA;AAC1B,UAAA,IACC,aAAa,QAAA,IACb,IAAA,CAAK,kBAAA,CAAmB,YAAA,CAAa,MAAM,CAAA,EAC1C;AACD,YAAA,MAAA,CAAO,IAAI,QAAQ,CAAA;AAAA,UACpB;AAAA,QACD;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AACpB,IAAA,OAAO,KAAA,CAAM,KAAK,MAAM,CAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,6BAA6B,GAAA,EAAwC;AAC5E,IAAA,MAAM,cAAA,uBAAqB,GAAA,EAAoB;AAE/C,IAAA,MAAM,QAAA,GAAiC;AAAA,MACtC,cAAA,EAAgB,CAAC,IAAA,KAAS;AACzB,QAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAE7C,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAG9C,QAAA,IAAI,CAAC,UAAA,IAAc,CAAC,cAAA,CAAc,cAAA,CAAe,IAAI,UAAU,CAAA;AAC9D,UAAA;AAGD,QAAA,IAAI,CAAC,IAAA,CAAK,iBAAA,CAAkB,MAAA,CAAO,MAAM,CAAA,EAAG;AAG5C,QAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,CAAC,CAAA;AACjC,QAAA,IACC,CAAC,QAAA,IACA,QAAA,CAAS,IAAA,KAAS,yBAAA,IAClB,SAAS,IAAA,KAAS,oBAAA;AAEnB,UAAA;AAED,QAAA,MAAM,EAAA,GAAK,QAAA;AACX,QAAA,MAAM,WAAA,GAAc,EAAA,CAAG,MAAA,CAAO,MAAA,GAAS,CAAA,GAAI,EAAA,CAAG,MAAA,CAAO,CAAC,CAAA,GAAI,EAAA,CAAG,MAAA,CAAO,CAAC,CAAA;AACrE,QAAA,IAAI,CAAC,WAAA,IAAe,WAAA,CAAY,IA
AA,KAAS,YAAA,EAAc;AAEvD,QAAA,MAAM,YAAa,WAAA,CAAiC,IAAA;AACpD,QAAA,MAAM,SAAS,IAAA,CAAK,qBAAA;AAAA,UACnB,EAAA,CAAG,IAAA;AAAA,UACH;AAAA,SACD;AAEA,QAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC3B,UAAA,MAAM,OAAA,GAAU,cAAA,CAAe,GAAA,CAAI,KAAK,CAAA,IAAK,CAAA;AAC7C,UAAA,cAAA,CAAe,GAAA,CAAI,KAAA,EAAO,OAAA,GAAU,CAAC,CAAA;AAAA,QACtC;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AAEpB,IAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,CAAA,IAAK,cAAA,EAAgB;AAC5C,MAAA,IAAI,SAAS,CAAA,EAAG;AACf,QAAA,OAAO;AAAA,UACN,MAAA,EACC,CAAA,mBAAA,EAAsB,KAAK,CAAA,iCAAA,EAAoC,KAAK,CAAA,6KAAA;AAAA,SAGtE;AAAA,MACD;AAAA,IACD;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,IAAA,EAA2B;AACpD,IAAA,IAAI,IAAA,CAAK,kBAAA,CAAmB,IAAI,CAAA,EAAG,OAAO,IAAA;AAG1C,IAAA,IAAI,IAAA,CAAK,SAAS,gBAAA,EAAkB;AACnC,MAAA,MAAM,IAAA,GAAO,IAAA;AACb,MAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAC5C,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,QAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAC1C,QAAA,IACC,WACC,MAAA,KAAW,OAAA,IAAW,MAAA,KAAW,QAAA,IAAY,WAAW,UAAA,CAAA,EACxD;AACD,UAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,MAAA,CAAO,MAAM,CAAA;AAAA,QAC5C;AAAA,MACD;AAAA,IACD;AAGA,IAAA,OAAO,KAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,qBAAA,CAAsB,MAAkB,SAAA,EAA6B;AAC5E,IAAA,MAAM,SAAmB,EAAC;AAE1B,IAAA,MAAM,QAAA,GAAiC;AAAA,MACtC,gBAAA,EAAkB,CAAC,IAAA,KAAS;AAC3B,QAAA,IACC,KAAK,MAAA,CAAO,IAAA,KAAS,gBACpB,IAAA,CAAK,MAAA,CAA4B,SAAS,SAAA,EAC1C;AACD,UAAA,MAAM,IAAA,GAAO,IAAA,CAAK,eAAA,CAAgB,IAAI,CAAA;AAEtC,UAAA,IAAI,IAAA,IAAQ,SAAS,QAAA,EAAU;AAC9B,YAAA,MAAA,CAAO,KAAK,IAAI,CAAA;AAAA,UACjB;AAAA,QACD;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,MAAM,QAAQ,CAAA;AACrB,IAAA,OAAO,MAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,uBAAuB,GAAA,EAAwC;AACtE,IAAA,IAAI,SAAA,GAAmC,IAAA;AAEvC,IAAA,MAAM,QAAA,GAAiC;AAAA,MACtC,cAAA,EAAgB,CAAC,IAAA,KAAS;AACzB,QAAA,IAAI,SAAA,EAAW;AAIf,QAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAC5C,UAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,UAAA,IACC,OAAO,MAAA,CAAO,IAAA,KAAS,gBACtB,MAAA,CAAO,MAAA,CAA4B,SAAS,MAAA,EAC5C;AACD,YAAA,MAAM,MAAA,GAAS,I
AAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAC1C,YAAA,IAAI,MAAA,KAAW,KAAA,IAAS,MAAA,KAAW,KAAA,EAAO;AAEzC,cAAA,IACC,KAAK,SAAA,CAAU,IAAA;AAAA,gBACd,CAAC,GAAA,KACA,GAAA,CAAI,IAAA,KAAS,mBACb,IAAA,CAAK,gBAAA;AAAA,kBACH,GAAA,CAA4B;AAAA;AAC9B,eACF,EACC;AACD,gBAAA,SAAA,GAAY;AAAA,kBACX,MAAA,EACC,sBAAsB,MAAM,CAAA,iHAAA;AAAA,iBAE9B;AAAA,cACD;AAAA,YACD;AAAA,UACD;AAAA,QACD;AAAA,MACD,CAAA;AAAA;AAAA,MAGA,gBAAA,EAAkB,CAAC,IAAA,KAAS;AAC3B,QAAA,IAAI,SAAA,EAAW;AAGf,QAAA,IAAI,IAAA,CAAK,QAAA,IAAY,IAAA,CAAK,MAAA,CAAO,SAAS,gBAAA,EAAkB;AAC3D,UAAA,MAAM,OAAO,IAAA,CAAK,MAAA;AAClB,UAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAC5C,YAAA,MAAM,SAAS,IAAA,CAAK,eAAA;AAAA,cACnB,IAAA,CAAK;AAAA,aACN;AACA,YAAA,IAAI,MAAA,KAAW,MAAA,IAAU,MAAA,KAAW,UAAA,EAAY;AAC/C,cAAA,MAAM,UAAA,GAAc,KAAK,MAAA,CAAkC,MAAA;AAC3D,cAAA,IAAI,IAAA,CAAK,iBAAA,CAAkB,UAAU,CAAA,EAAG;AACvC,gBAAA,SAAA,GAAY;AAAA,kBACX,MAAA,EACC;AAAA,iBAEF;AAAA,cACD;AAAA,YACD;AAAA,UACD;AAAA,QACD;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AACpB,IAAA,OAAO,SAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAiB,IAAA,EAA2B;AACnD,IAAA,IAAI,IAAA,CAAK,IAAA,KAAS,gBAAA,EAAkB,OAAO,KAAA;AAC3C,IAAA,MAAM,IAAA,GAAO,IAAA;AACb,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB,OAAO,KAAA;AACpD,IAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAC1C,IAAA,OAAO,MAAA,KAAW,KAAA,IAAS,IAAA,CAAK,iBAAA,CAAkB,OAAO,MAAM,CAAA;AAAA,EAChE;AAAA;AAAA,EAIQ,uBAAA,CACP,KACA,eAAA,EACO;AACP,IAAA,MAAM,QAAA,GAAiC;AAAA,MACtC,cAAA,EAAgB,CAAC,IAAA,KAAS;AACzB,QAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAE7C,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAC9C,QAAA,IAAI,CAAC,UAAA,EAAY;AAGjB,QAAA,IAAI,CAAC,IAAA,CAAK,kBAAA,CAAmB,MAAA,CAAO,MAAM,CAAA,EAAG;AAE7C,QAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,CAAC,CAAA;AACjC,QAAA,IAAI,CAAC,QAAA,EAAU;AAEf,QAAA,IACC,QAAA,CAAS,IAAA,KAAS,yBAAA,IAClB,QAAA,CAAS,SAAS,oBAAA,EACjB;AACD,UAAA,MAAM,EAAA,GAAK,QAAA;AAEX,UAAA,IACC,cAAA,CAAc,uBAAuB,GAAA,CAAI,UAAU,KACnD,EAAA,CAAG,MAAA,CAAO,SAAS,
CAAA,EAClB;AACD,YAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,MAAA,CAAO,CAAC,CAAA;AACzB,YAAA,IAAI,KAAA,CAAM,SAAS,YAAA,EAAc;AAChC,cAAA,eAAA,CAAgB,GAAA,CAAI,MAAM,IAAI,CAAA;AAAA,YAC/B;AAAA,UACD;AAEA,UAAA,IACC,cAAA,CAAc,eAAe,GAAA,CAAI,UAAU,KAC3C,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,EAClB;AACD,YAAA,MAAM,WAAA,GAAc,EAAA,CAAG,MAAA,CAAO,CAAC,CAAA;AAC/B,YAAA,IAAI,WAAA,CAAY,SAAS,YAAA,EAAc;AACtC,cAAA,eAAA,CAAgB,GAAA,CAAI,YAAY,IAAI,CAAA;AAAA,YACrC;AAAA,UACD;AAAA,QACD;AAAA,MACD,CAAA;AAAA;AAAA,MAGA,cAAA,EAAgB,CAAC,IAAA,KAAS;AACzB,QAAA,IAAI,CAAC,IAAA,CAAK,kBAAA,CAAmB,IAAA,CAAK,KAAK,CAAA,EAAG;AAE1C,QAAA,IAAI,IAAA,CAAK,IAAA,CAAK,IAAA,KAAS,qBAAA,EAAuB;AAC7C,UAAA,KAAA,MAAW,UAAA,IAAc,IAAA,CAAK,IAAA,CAAK,YAAA,EAAc;AAChD,YAAA,IAAI,UAAA,CAAW,EAAA,CAAG,IAAA,KAAS,YAAA,EAAc;AACxC,cAAA,eAAA,CAAgB,GAAA,CAAI,UAAA,CAAW,EAAA,CAAG,IAAI,CAAA;AAAA,YACvC;AAAA,UACD;AAAA,QACD;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AAGpB,IAAA,MAAM,aAAA,GAAsC;AAAA,MAC3C,kBAAA,EAAoB,CAAC,IAAA,KAAS;AAC7B,QAAA,IAAI,CAAC,IAAA,CAAK,IAAA,IAAQ,IAAA,CAAK,EAAA,CAAG,SAAS,YAAA,EAAc;AAEjD,QAAA,IACC,KAAK,IAAA,CAAK,IAAA,KAAS,kBAAA,IAClB,IAAA,CAAK,KAAgC,QAAA,EACrC;AACD,UAAA,MAAM,SAAS,IAAA,CAAK,IAAA;AACpB,UAAA,IAAI,IAAA,CAAK,kBAAA,CAAmB,MAAA,CAAO,MAAM,CAAA,EAAG;AAC3C,YAAA,eAAA,CAAgB,GAAA,CAAI,IAAA,CAAK,EAAA,CAAG,IAAI,CAAA;AAAA,UACjC;AAAA,QACD;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,KAAK,aAAa,CAAA;AAAA,EAC1B;AAAA;AAAA,EAIQ,cAAA,CACP,GAAA,EACA,eAAA,EACA,WAAA,EACO;AAGP,IAAA,KAAA,IAAS,SAAA,GAAY,CAAA,EAAG,SAAA,GAAY,CAAA,EAAG,SAAA,EAAA,EAAa;AACnD,MAAA,MAAM,aAAa,WAAA,CAAY,IAAA;AAE/B,MAAA,MAAM,QAAA,GAAiC;AAAA,QACtC,kBAAA,EAAoB,CAAC,IAAA,KAAS;AAC7B,UAAA,IAAI,CAAC,IAAA,CAAK,IAAA,IAAQ,IAAA,CAAK,EAAA,CAAG,SAAS,YAAA,EAAc;AAEjD,UAAA,IACC,KAAK,mBAAA,CAAoB,IAAA,CAAK,IAAA,EAAM,eAAA,EAAiB,WAAW,CAAA,EAC/D;AACD,YAAA,WAAA,CAAY,GAAA,CAAI,IAAA,CAAK,EAAA,CAAG,IAAI,CAAA;AAAA,UAC7B;AAAA,QACD,CAAA;AAAA,QAEA,oBAAA,EAAsB,CAAC,IAAA,KAAS;AAC/B,UAAA,IAAI,IAAA,CAAK,IAAA,CAAK,IAAA,KAAS,YAAA,EAAc;AAErC,UAAA,IACC,KAAK,mBAAA,CAAoB,IAAA,CAAK,KAAA,EAAO,eAAA,EAAiB,WAAW,CAAA,EAChE;AAC
D,YAAA,WAAA,CAAY,GAAA,CAAK,IAAA,CAAK,IAAA,CAA0B,IAAI,CAAA;AAAA,UACrD;AAAA,QACD,CAAA;AAAA,QAEA,mBAAA,EAAqB,CAAC,IAAA,KAAS;AAC9B,UAAA,IAAI,IAAA,CAAK,EAAA,IAAM,IAAA,CAAK,EAAA,CAAG,SAAS,YAAA,EAAc;AAC7C,YAAA,IACC,IAAA,CAAK,wBAAA;AAAA,cACJ,IAAA;AAAA,cACA,IAAA;AAAA,cACA,eAAA;AAAA,cACA;AAAA,aACD,EACC;AACD,cAAA,WAAA,CAAY,GAAA,CAAI,IAAA,CAAK,EAAA,CAAG,IAAI,CAAA;AAAA,YAC7B;AAAA,UACD;AAAA,QACD,CAAA;AAAA;AAAA;AAAA,QAIA,cAAA,EAAgB,CAAC,IAAA,KAAS;AACzB,UAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAE7C,UAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,UAAA,MAAM,UAAA,GAAa,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAE9C,UAAA,IACC,eAAe,MAAA,IACf,MAAA,CAAO,OAAO,IAAA,KAAS,YAAA,IACvB,KAAK,SAAA,CAAU,IAAA;AAAA,YAAK,CAAC,GAAA,KACpB,IAAA,CAAK,mBAAA,CAAoB,GAAA,EAAK,iBAAiB,WAAW;AAAA,WAC3D,EACC;AACD,YAAA,WAAA,CAAY,GAAA,CAAK,MAAA,CAAO,MAAA,CAA4B,IAAI,CAAA;AAAA,UACzD;AAAA,QACD;AAAA,OACD;AAEA,MAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AAGpB,MAAA,IAAI,WAAA,CAAY,SAAS,UAAA,EAAY;AAAA,IACtC;AAAA,EACD;AAAA;AAAA,EAIQ,qBAAA,CACP,GAAA,EACA,eAAA,EACA,WAAA,EACwB;AACxB,IAAA,IAAI,SAAA,GAAmC,IAAA;AAEvC,IAAA,MAAM,QAAA,GAAiC;AAAA,MACtC,eAAA,EAAiB,CAAC,IAAA,KAAS;AAC1B,QAAA,IAAI,SAAA,EAAW;AAEf,QAAA,IAAI,CAAC,KAAK,QAAA,EAAU;AAEpB,QAAA,IACC,KAAK,mBAAA,CAAoB,IAAA,CAAK,QAAA,EAAU,eAAA,EAAiB,WAAW,CAAA,EACnE;AACD,UAAA,MAAM,IAAA,GAAO,KAAK,GAAA,EAAK,KAAA,CAAM,OAC1B,IAAA,CAAK,GAAA,CAAI,KAAA,CAAM,IAAA,GAAO,CAAA,GACtB,MAAA;AACH,UAAA,MAAM,YAAY,IAAA,CAAK,mBAAA;AAAA,YACtB,IAAA,CAAK,QAAA;AAAA,YACL,eAAA;AAAA,YACA;AAAA,WACD;AACA,UAAA,SAAA,GAAY;AAAA,YACX,QACC,CAAA,kFAAA,EACG,SAAA,GAAY,CAAA,WAAA,EAAc,SAAS,OAAO,EAAE,CAAA,sEAAA,CAAA;AAAA,YAEhD,IAAA;AAAA,YACA;AAAA,WACD;AAAA,QACD;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AAEpB,IAAA,OAAO,SAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,mBAAA,CACP,IAAA,EACA,eAAA,EACA,WAAA,EACU;AACV,IAAA,QAAQ,KAAK,IAAA;AAAM,MAClB,KAAK,YAAA;AACJ,QAAA,OAAO,WAAA,CAAY,GAAA,CAAK,IAAA,CAA0B,IAAI,CAAA;AAAA,MAEvD,KAAK,kBAAA;AACJ,QAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,UACX,IAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACD;AAAA,MAED,KAAK,gBAAA;AACJ,QA
AA,OAAO,IAAA,CAAK,iBAAA;AAAA,UACX,IAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACD;AAAA,MAED,KAAK,iBAAA,EAAmB;AACvB,QAAA,MAAM,SAAA,GAAY,IAAA;AAClB,QAAA,OAAO,SAAA,CAAU,WACd,IAAA,CAAK,mBAAA;AAAA,UACL,SAAA,CAAU,QAAA;AAAA,UACV,eAAA;AAAA,UACA;AAAA,SACD,GACC,KAAA;AAAA,MACJ;AAAA,MAEA,KAAK,oBAAA;AAAA,MACL,KAAK,yBAAA,EAA2B;AAC/B,QAAA,MAAM,EAAA,GAAK,IAAA;AAGX,QAAA,OAAO,IAAA,CAAK,wBAAA;AAAA,UACX,EAAA;AAAA,UACA,IAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACD;AAAA,MACD;AAAA,MAEA,KAAK,kBAAA;AAAA,MACL,KAAK,mBAAA,EAAqB;AACzB,QAAA,MAAM,GAAA,GAAM,IAAA;AACZ,QAAA,OACC,IAAA,CAAK,mBAAA,CAAoB,GAAA,CAAI,IAAA,EAAM,eAAA,EAAiB,WAAW,CAAA,IAC/D,IAAA,CAAK,mBAAA,CAAoB,GAAA,CAAI,KAAA,EAAO,eAAA,EAAiB,WAAW,CAAA;AAAA,MAElE;AAAA,MAEA,KAAK,iBAAA,EAAmB;AACvB,QAAA,MAAM,KAAA,GAAQ,IAAA;AACd,QAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,UACX,KAAA,CAAM,QAAA;AAAA,UACN,eAAA;AAAA,UACA;AAAA,SACD;AAAA,MACD;AAAA,MAEA,KAAK,uBAAA,EAAyB;AAC7B,QAAA,MAAM,IAAA,GAAO,IAAA;AAEb,QAAA,OACC,KAAK,mBAAA,CAAoB,IAAA,CAAK,MAAM,eAAA,EAAiB,WAAW,KAChE,IAAA,CAAK,mBAAA;AAAA,UACJ,IAAA,CAAK,UAAA;AAAA,UACL,eAAA;AAAA,UACA;AAAA,aAED,IAAA,CAAK,mBAAA,CAAoB,IAAA,CAAK,SAAA,EAAW,iBAAiB,WAAW,CAAA;AAAA,MAEvE;AAAA,MAEA,KAAK,kBAAA,EAAoB;AACxB,QAAA,MAAM,GAAA,GAAM,IAAA;AACZ,QAAA,OAAO,IAAI,UAAA,CAAW,IAAA;AAAA,UACrB,CAAC,IAAA,KACA,IAAA,CAAK,IAAA,KAAS,UAAA,IACd,KAAK,mBAAA,CAAoB,IAAA,CAAK,KAAA,EAAO,eAAA,EAAiB,WAAW;AAAA,SACnE;AAAA,MACD;AAAA,MAEA,KAAK,iBAAA,EAAmB;AACvB,QAAA,MAAM,GAAA,GAAM,IAAA;AACZ,QAAA,OAAO,IAAI,QAAA,CAAS,IAAA;AAAA,UACnB,CAAC,OACA,EAAA,KAAO,IAAA,IACP,KAAK,mBAAA,CAAoB,EAAA,EAAI,iBAAiB,WAAW;AAAA,SAC3D;AAAA,MACD;AAAA,MAEA,KAAK,iBAAA,EAAmB;AACvB,QAAA,MAAM,IAAA,GAAO,IAAA;AACb,QAAA,OAAO,KAAK,WAAA,CAAY,IAAA;AAAA,UAAK,CAAC,IAAA,KAC7B,IAAA,CAAK,mBAAA,CAAoB,IAAA,EAAM,iBAAiB,WAAW;AAAA,SAC5D;AAAA,MACD;AAAA,MAEA,KAAK,eAAA,EAAiB;AACrB,QAAA,MAAM,MAAA,GAAS,IAAA;AACf,QAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,UACX,MAAA,CAAO,QAAA;AAAA,UACP,eAAA;AAAA,UACA;AAAA,SACD;AAAA,MACD;AAAA,MAEA;AAEC,QAAA,OAAO,KAAA;AAAA;AACT,EACD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,mBAAA,CACP,MAAA,EACA,eAAA,EACA,WAAA,EACU;AACV,IAAA,MA
AM,QAAA,GAAW,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAG5C,IAAA,IACC,OAAO,MAAA,CAAO,IAAA,KAAS,YAAA,IACvB,eAAA,CAAgB,IAAK,MAAA,CAAO,MAAA,CAA4B,IAAI,CAAA,IAC5D,YACA,IAAA,CAAK,SAAA,CAAU,IAAI,QAAA,CAAS,WAAA,EAAa,CAAA,EACxC;AACD,MAAA,OAAO,IAAA;AAAA,IACR;AAIA,IAAA,IACC,MAAA,CAAO,MAAA,CAAO,IAAA,KAAS,kBAAA,IACvB,QAAA,IACA,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,QAAA,CAAS,WAAA,EAAa,CAAA,EACxC;AACD,MAAA,MAAM,eAAe,MAAA,CAAO,MAAA;AAC5B,MAAA,IACC,aAAa,QAAA,IACb,IAAA,CAAK,kBAAA,CAAmB,YAAA,CAAa,MAAM,CAAA,EAC1C;AACD,QAAA,OAAO,IAAA;AAAA,MACR;AAAA,IACD;AAIA,IAAA,IAAI,KAAK,mBAAA,CAAoB,MAAA,CAAO,MAAA,EAAQ,eAAA,EAAiB,WAAW,CAAA,EAAG;AAC1E,MAAA,OAAO,IAAA;AAAA,IACR;AAIA,IAAA,IACC,MAAA,CAAO,QAAA,IACP,MAAA,CAAO,MAAA,CAAO,IAAA,KAAS,YAAA,IACvB,eAAA,CAAgB,GAAA,CAAK,MAAA,CAAO,MAAA,CAA4B,IAAI,CAAA,EAC3D;AAGD,MAAA,IAAI,MAAA,CAAO,QAAA,CAAS,IAAA,KAAS,SAAA,EAAW;AACvC,QAAA,MAAM,MAAA,GAAU,OAAO,QAAA,CAA2B,KAAA;AAClD,QAAA,IACC,OAAO,WAAW,QAAA,IAClB,IAAA,CAAK,UAAU,GAAA,CAAI,MAAA,CAAO,WAAA,EAAa,CAAA,EACtC;AACD,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,IACD;AAEA,IAAA,OAAO,KAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAAA,CACP,IAAA,EACA,eAAA,EACA,WAAA,EACU;AAEV,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAC5C,MAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,MAAA,MAAM,UAAA,GAAa,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAG9C,MAAA,IACC,UAAA,IACA,cAAA,CAAc,yBAAA,CAA0B,GAAA,CAAI,UAAU,CAAA,IACtD,IAAA,CAAK,mBAAA,CAAoB,MAAA,CAAO,MAAA,EAAQ,eAAA,EAAiB,WAAW,CAAA,EACnE;AACD,QAAA,OAAO,IAAA;AAAA,MACR;AAGA,MAAA,IAAI,IAAA,CAAK,mBAAmB,MAAA,CAAO,MAAM,KAAK,IAAA,CAAK,SAAA,CAAU,CAAC,CAAA,EAAG;AAChE,QAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,CAAC,CAAA;AACjC,QAAA,IACC,QAAA,CAAS,IAAA,KAAS,yBAAA,IAClB,QAAA,CAAS,SAAS,oBAAA,EACjB;AACD,UAAA,OAAO,IAAA,CAAK,wBAAA;AAAA,YACX,QAAA;AAAA,YACA,UAAA;AAAA,YACA,eAAA;AAAA,YACA;AAAA,WACD;AAAA,QACD;AAAA,MACD;AAIA,MAAA,IACC,KAAK,mBAAA,CAAoB,MAAA,CAAO,MAAA,EAAQ,eAAA,EAAiB,WAAW,CAAA,EACnE;AACD,QAAA,OAAO,IAAA;AAAA,MACR;AAIA,MAAA,IACC,KAAK,SAAA,CAAU,IAAA;AAAA,QAAK,CAAC,GAAA,KACpB,IAAA,CAAK,mBAAA,CAAoB,GAAA,EAAK,iBAAiB,WAAW;AAAA,OAC3D,EACC;AA
CD,QAAA,OAAO,IAAA;AAAA,MACR;AAAA,IACD;AAKA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAC5C,MAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,MAAA,MAAM,UAAA,GAAa,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAC9C,MAAA,IACC,eAAe,MAAA,IACf,MAAA,CAAO,OAAO,IAAA,KAAS,YAAA,IACvB,KAAK,SAAA,CAAU,IAAA;AAAA,QAAK,CAAC,GAAA,KACpB,IAAA,CAAK,mBAAA,CAAoB,GAAA,EAAK,iBAAiB,WAAW;AAAA,OAC3D,EACC;AAED,QAAA,WAAA,CAAY,GAAA,CAAK,MAAA,CAAO,MAAA,CAA4B,IAAI,CAAA;AAAA,MACzD;AAAA,IACD;AAKA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,YAAA,EAAc;AACtC,MAAA,MAAM,MAAA,GAAU,KAAK,MAAA,CAA4B,IAAA;AACjD,MAAA,IAAI,WAAA,CAAY,GAAA,CAAI,MAAM,CAAA,EAAG;AAC5B,QAAA,OAAO,IAAA;AAAA,MACR;AAEA,MAAA,MAAM,YAAA,uBAAmB,GAAA,CAAI;AAAA,QAC5B,MAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,YAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,OACA,CAAA;AACD,MAAA,IAAI,CAAC,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA,EAAG;AAC9B,QAAA,OAAO,KAAK,SAAA,CAAU,IAAA;AAAA,UAAK,CAAC,GAAA,KAC3B,IAAA,CAAK,mBAAA,CAAoB,GAAA,EAAK,iBAAiB,WAAW;AAAA,SAC3D;AAAA,MACD;AAAA,IACD;AAEA,IAAA,OAAO,KAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,wBAAA,CACP,QAAA,EAIA,UAAA,EACA,eAAA,EACA,WAAA,EACU;AAEV,IAAA,MAAM,gBAAA,GAAmB,IAAI,GAAA,CAAI,eAAe,CAAA;AAChD,IAAA,MAAM,iBAAA,GAAoB,IAAI,GAAA,CAAI,WAAW,CAAA;AAE7C,IAAA,IAAI,QAAA,CAAS,MAAA,CAAO,MAAA,GAAS,CAAA,EAAG;AAC/B,MAAA,MAAM,WACL,UAAA,KAAe,IAAA,IAAQ,cAAA,CAAc,cAAA,CAAe,IAAI,UAAU,CAAA;AACnE,MAAA,MAAM,gBAAA,GAAmB,WAAW,CAAA,GAAI,CAAA;AAExC,MAAA,IACC,QAAA,CAAS,OAAO,MAAA,GAAS,gBAAA,IACzB,SAAS,MAAA,CAAO,gBAAgB,CAAA,CAAE,IAAA,KAAS,YAAA,EAC1C;AACD,QAAA,gBAAA,CAAiB,GAAA;AAAA,UACf,QAAA,CAAS,MAAA,CAAO,gBAAgB,CAAA,CAAuB;AAAA,SACzD;AAAA,MACD;AAAA,IACD;AAGA,IAAA,IACC,SAAS,IAAA,KAAS,yBAAA,IAClB,QAAA,CAAS,IAAA,CAAK,SAAS,gBAAA,EACtB;AACD,MAAA,OAAO,IAAA,CAAK,mBAAA;AAAA,QACX,QAAA,CAAS,IAAA;AAAA,QACT,gBAAA;AAAA,QACA;AAAA,OACD;AAAA,IACD;AAGA,IAAA,IAAI,uBAAA,GAA0B,KAAA;AAC9B,IAAA,MAAM,cAAA,GAAuC;AAAA,MAC5C,eAAA,EAAiB,CAAC,IAAA,KAAS;AAC1B,QAAA,IACC,IAAA,CAAK,YACL,IAAA,CAAK,mBAAA;AAAA,UACJ,IAAA,CAAK,QAAA;AAAA,UACL,gBAAA;AAAA,UACA;AAAA,SACD,EACC;AACD,UAAA,uBAAA,GAA0B,IAAA;AAAA,QAC3B;AAAA,MA
CD,CAAA;AAAA,MACA,eAAA,EAAiB,CAAC,IAAA,KAAS;AAC1B,QAAA,MAAM,SAAA,GAAY,IAAA;AAClB,QAAA,IACC,SAAA,CAAU,YACV,IAAA,CAAK,mBAAA;AAAA,UACJ,SAAA,CAAU,QAAA;AAAA,UACV,gBAAA;AAAA,UACA;AAAA,SACD,EACC;AACD,UAAA,uBAAA,GAA0B,IAAA;AAAA,QAC3B;AAAA,MACD;AAAA,KACD;AAEA,IAAA,MAAA,CAAO,QAAA,CAAS,MAAoB,cAAc,CAAA;AAElD,IAAA,OAAO,uBAAA;AAAA,EACR;AAAA;AAAA;AAAA,EAKQ,gBAAgB,MAAA,EAA+C;AACtE,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,IAAY,MAAA,CAAO,QAAA,CAAS,SAAS,YAAA,EAAc;AAC9D,MAAA,OAAQ,OAAO,QAAA,CAA8B,IAAA;AAAA,IAC9C;AACA,IAAA,IAAI,MAAA,CAAO,QAAA,IAAY,MAAA,CAAO,QAAA,CAAS,SAAS,SAAA,EAAW;AAC1D,MAAA,MAAM,GAAA,GAAO,OAAO,QAAA,CAA2B,KAAA;AAC/C,MAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAAA,IACrC;AACA,IAAA,OAAO,IAAA;AAAA,EACR;AAAA;AAAA,EAGQ,mBAAmB,IAAA,EAA2B;AAErD,IAAA,IAAI,IAAA,CAAK,SAAS,kBAAA,EAAoB;AACrC,MAAA,MAAM,MAAA,GAAS,IAAA;AACf,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,eAAA,CAAgB,MAAM,CAAA;AAC5C,MAAA,IACC,QAAA,KAAa,aACb,MAAA,CAAO,MAAA,CAAO,SAAS,YAAA,IACtB,MAAA,CAAO,MAAA,CAA4B,IAAA,KAAS,KAAA,EAC5C;AACD,QAAA,OAAO,IAAA;AAAA,MACR;AAAA,IACD;AAEA,IAAA,IACC,IAAA,CAAK,IAAA,KAAS,YAAA,IACb,IAAA,CAA0B,SAAS,SAAA,EACnC;AACD,MAAA,OAAO,IAAA;AAAA,IACR;AACA,IAAA,OAAO,KAAA;AAAA,EACR;AAAA;AAAA,EAGQ,mBAAA,CACP,IAAA,EACA,eAAA,EACA,WAAA,EACqB;AACrB,IAAA,IAAI,IAAA,CAAK,SAAS,YAAA,EAAc;AAC/B,MAAA,MAAM,OAAQ,IAAA,CAA0B,IAAA;AACxC,MAAA,IAAI,YAAY,GAAA,CAAI,IAAI,CAAA,EAAG,OAAO,aAAa,IAAI,CAAA,gBAAA,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,IAAA,CAAK,SAAS,kBAAA,EAAoB;AACrC,MAAA,MAAM,GAAA,GAAM,IAAA;AACZ,MAAA,KAAA,MAAW,IAAA,IAAQ,IAAI,UAAA,EAAY;AAClC,QAAA,IACC,IAAA,CAAK,SAAS,UAAA,IACd,IAAA,CAAK,oBAAoB,IAAA,CAAK,KAAA,EAAO,eAAA,EAAiB,WAAW,CAAA,EAChE;AACD,UAAA,MAAM,UACL,IAAA,CAAK,GAAA,CAAI,SAAS,YAAA,GACd,IAAA,CAAK,IAAyB,IAAA,GAC/B,SAAA;AACJ,UAAA,OAAO,aAAa,OAAO,CAAA,4BAAA,CAAA;AAAA,QAC5B;AAAA,MACD;AAAA,IACD;AAEA,IAAA,IAAI,IAAA,CAAK,SAAS,gBAAA,EAAkB;AACnC,MAAA,MAAM,IAAA,GAAO,IAAA;AACb,MAAA,IAAI,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,kBAAA,EAAoB;AAC5C,QAAA,MAAM,aAAa,IAAA,CAAK,eAAA;AAAA,UACvB,IAAA,CAAK;AAAA,SACN;AACA,QAAA,IAAI,UAAA,EAAY,OAAO,CAAA,WAAA,EAAc,UAAU,CAAA,cAAA
,CAAA;AAAA,MAChD;AAAA,IACD;AAEA,IAAA,OAAO,MAAA;AAAA,EACR;AACD,CAAA;;;ACtjCA,IAAM,kBAAA,GAA6C;AAAA,EAClD,OAAA,EAAS,YAAA;AAAA,EACT,UAAA,EAAY,YAAA;AAAA,EACZ,SAAA,EAAW,YAAA;AAAA,EACX,UAAA,EAAY,YAAA;AAAA,EACZ,YAAA,EAAc,YAAA;AAAA,EACd,UAAA,EAAY,YAAA;AAAA,EACZ,QAAA,EAAU,YAAA;AAAA,EACV,WAAA,EAAa,YAAA;AAAA,EACb,aAAA,EAAe,YAAA;AAAA,EACf,SAAA,EAAW,YAAA;AAAA,EACX,aAAA,EAAe,YAAA;AAAA,EACf,WAAA,EAAa,YAAA;AAAA,EACb,aAAA,EAAe,YAAA;AAAA,EACf,UAAA,EAAY,YAAA;AAAA,EACZ,QAAA,EAAU,YAAA;AAAA,EACV,OAAA,EAAS,YAAA;AAAA,EACT,mBAAA,EAAqB,YAAA;AAAA,EACrB,UAAA,EAAY,YAAA;AAAA,EACZ,SAAA,EAAW,YAAA;AAAA,EACX,YAAA,EAAc,YAAA;AAAA;AAAA,EAEd,YAAA,EAAc,WAAA;AAAA,EACd,QAAA,EAAU,WAAA;AAAA,EACV,UAAA,EAAY,WAAA;AAAA,EACZ,SAAA,EAAW,WAAA;AAAA,EACX,MAAA,EAAQ;AACT,CAAA;AAgBA,IAAM,eAAA,GAAkB,CAAA;AAGxB,IAAM,gBAAA,GAAmB,6CAAA;AASlB,IAAM,UAAA,GAAN,MAAM,WAAA,CAAW;AAAA,EACvB,OAAe,GAAA,GAAwB,IAAA;AAAA;AAAA;AAAA;AAAA,EAKvC,MAAc,MAAA,GAA6B;AAC1C,IAAA,IAAI,CAAC,YAAW,GAAA,EAAK;AAEpB,MAAA,MAAM,GAAA,GAAO,MAAM,OAAO,kBAAkB,CAAA;AAE5C,MAAA,WAAA,CAAW,GAAA,GAAO,IAAI,OAAA,IAAW,GAAA;AACjC,MAAA,WAAA,CAAW,GAAA,CAAI,SAAS,kBAAkB,CAAA;AAAA,IAC3C;AACA,IAAA,OAAO,WAAA,CAAW,GAAA;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,KAAK,IAAA,EAAsC;AAChD,IAAA,IAAI,KAAK,MAAA,GAAS,eAAA,IAAmB,gBAAA,CAAiB,IAAA,CAAK,IAAI,CAAA,EAAG;AACjE,MAAA,OAAO,EAAE,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,EAAC,EAAE;AAAA,IACxC;AAEA,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,EAAO;AAC9B,IAAA,MAAM,GAAA,GAAM,IAAI,IAAI,CAAA;AACpB,IAAA,MAAM,WAAwB,EAAC;AAE/B,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,EAAO,CAAE,IAAI,OAAO,CAAA;AACvC,IAAA,KAAA,MAAW,UAAU,MAAA,EAAQ;AAC5B,MAAA,MAAM,OAAA,GAAU,OAAO,IAAA,EAAK;AAC5B,MAAA,IAAI,OAAA,CAAQ,UAAU,eAAA,EAAiB;AACtC,QAAA,QAAA,CAAS,KAAK,EAAE,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,SAAS,CAAA;AAAA,MAChD;AAAA,IACD;AAEA,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,EAAO,CAAE,IAAI,OAAO,CAAA;AACvC,IAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC3B,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,EAAK;AAC3B,MAAA,IAAI,OAAA,CAAQ,UAAU,eAAA,EAAiB;AACtC,QAAA,QAAA,CAAS,KAAK,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,EAAM,SAAS,CAAA;AAAA,MAC/C;AAAA
,IACD;AAEA,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,aAAA,EAAc,CAAE,IAAI,OAAO,CAAA;AAC5C,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACvB,MAAA,MAAM,OAAA,GAAU,IAAI,IAAA,EAAK;AACzB,MAAA,IAAI,OAAA,CAAQ,UAAU,eAAA,EAAiB;AACtC,QAAA,QAAA,CAAS,KAAK,EAAE,IAAA,EAAM,cAAA,EAAgB,IAAA,EAAM,SAAS,CAAA;AAAA,MACtD;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,QAAA,EAAU,SAAS,MAAA,GAAS,CAAA;AAAA,MAC5B;AAAA,KACD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAA,CACL,KAAA,EACA,IAAA,mBAAO,IAAI,SAAgB,EACF;AACzB,IAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AAC1C,MAAA,OAAO,EAAE,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,EAAC,EAAE;AAAA,IACxC;AAEA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,MAAA,OAAO,IAAA,CAAK,KAAK,KAAK,CAAA;AAAA,IACvB;AAEA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,MAAA,IAAI,IAAA,CAAK,GAAA,CAAI,KAAe,CAAA,EAAG;AAC9B,QAAA,OAAO,EAAE,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,EAAC,EAAE;AAAA,MACxC;AACA,MAAA,IAAA,CAAK,IAAI,KAAe,CAAA;AAExB,MAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,KAAK,IAC/B,KAAA,GACA,MAAA,CAAO,OAAO,KAAgC,CAAA;AAEjD,MAAA,MAAM,cAA2B,EAAC;AAElC,MAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC3B,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,QAAA,CAAS,OAAO,IAAI,CAAA;AAC9C,QAAA,IAAI,OAAO,QAAA,EAAU;AACpB,UAAA,WAAA,CAAY,IAAA,CAAK,GAAG,MAAA,CAAO,QAAQ,CAAA;AAEnC,UAAA,IAAI,MAAA,CAAO,SAAS,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,KAAS,QAAQ,CAAA,EAAG;AACrD,YAAA,OAAO,EAAE,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,WAAA,EAAY;AAAA,UAChD;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,QAAA,EAAU,YAAY,MAAA,GAAS,CAAA;AAAA,QAC/B,QAAA,EAAU;AAAA,OACX;AAAA,IACD;AAEA,IAAA,OAAO,EAAE,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,EAAC,EAAE;AAAA,EACxC;AACD;;;AClLA,IAAM,cAAA,GAAkD;AAAA,EACvD,gBAAA,EAAkB,CAAA;AAAA,EAClB,gBAAA,EAAkB;AACnB,CAAA;AASO,SAAS,cAAA,CACf,QACA,MAAA,EACU;AACV,EAAA,MAAM,MAAA,GAAS,EAAE,GAAG,cAAA,EAAgB,GAAG,MAAA,EAAO;AAC9C,EAAA,MAAM,IAAA,uBAAW,OAAA,EAAgB;AAEjC,EAAA,SAAS,KAAK,IAAA,EAAwB;AACrC,IAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,IAAA,KAAS,MAAA,EAAW;AACxC,MAAA,OAAO,IAAA;AAAA,IACR;AAEA,IAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,MAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,IAAI,CAAA,EAAG;AAC3B,QAAA,OAAO,IAAA;AAAA,MACR;AAEA,MAAA,IAAI,KAAA,GAAQ,I
AAA;AAGZ,MAAA,IAAI,MAAA,CAAO,gBAAA,IAAoB,KAAA,GAAQ,CAAA,EAAG;AACzC,QAAA,KAAA,GAAQ,CAAA;AAAA,MACT;AAGA,MAAA,MAAM,MAAA,GAAS,MAAM,MAAA,CAAO,gBAAA;AAC5B,MAAA,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,KAAA,GAAQ,MAAM,CAAA,GAAI,MAAA;AAErC,MAAA,OAAO,KAAA;AAAA,IACR;AAEA,IAAA,IAAI,OAAO,IAAA,KAAS,QAAA,IAAY,OAAO,SAAS,SAAA,EAAW;AAC1D,MAAA,OAAO,IAAA;AAAA,IACR;AAEA,IAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAE7B,MAAA,IAAI,IAAA,CAAK,GAAA,CAAI,IAAc,CAAA,EAAG;AAC7B,QAAA,OAAO,IAAA;AAAA,MACR;AACA,MAAA,IAAA,CAAK,IAAI,IAAc,CAAA;AAEvB,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAI,CAAA,EAAG;AACxB,QAAA,OAAO,KAAK,GAAA,CAAI,CAAC,IAAA,KAAS,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,MACrC;AAEA,MAAA,MAAM,SAAkC,EAAC;AACzC,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,GAAG,CAAA,IAAK,MAAA,CAAO,OAAA;AAAA,QAC/B;AAAA,OACD,EAAG;AACF,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,IAAA,CAAK,GAAG,CAAA;AAAA,MACvB;AACA,MAAA,OAAO,MAAA;AAAA,IACR;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AAEA,EAAA,OAAO,KAAK,MAAM,CAAA;AACnB;;;AC5EA,SAAS,YAAY,UAAA,EAA6B;AACjD,EAAA,MAAM,MAAA,GAAS,UAAA,CAAW,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAC3C,EAAA,IAAI,OAAO,MAAA,GAAS,EAAA,IAAM,MAAA,CAAO,MAAA,GAAS,IAAI,OAAO,KAAA;AAErD,EAAA,IAAI,GAAA,GAAM,CAAA;AACV,EAAA,IAAI,MAAA,GAAS,KAAA;AAEb,EAAA,KAAA,IAAS,IAAI,MAAA,CAAO,MAAA,GAAS,CAAA,EAAG,CAAA,IAAK,GAAG,CAAA,EAAA,EAAK;AAC5C,IAAA,IAAI,QAAQ,QAAA,CAAS,MAAA,CAAO,MAAA,CAAO,CAAC,GAAG,EAAE,CAAA;AAEzC,IAAA,IAAI,MAAA,EAAQ;AACX,MAAA,KAAA,IAAS,CAAA;AACT,MAAA,IAAI,QAAQ,CAAA,EAAG;AACd,QAAA,KAAA,IAAS,CAAA;AAAA,MACV;AAAA,IACD;AAEA,IAAA,GAAA,IAAO,KAAA;AACP,IAAA,MAAA,GAAS,CAAC,MAAA;AAAA,EACX;AAEA,EAAA,OAAO,MAAM,EAAA,KAAO,CAAA;AACrB;AAMA,SAAS,YAAY,IAAA,EAAuB;AAC3C,EAAA,MAAM,YAAY,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,EAAE,EAAE,WAAA,EAAY;AAEvD,EAAA,IAAI,CAAC,kCAAA,CAAmC,IAAA,CAAK,SAAS,GAAG,OAAO,KAAA;AAEhE,EAAA,MAAM,UAAA,GAAa,UAAU,SAAA,CAAU,CAAC,IAAI,SAAA,CAAU,SAAA,CAAU,GAAG,CAAC,CAAA;AAEpE,EAAA,IAAI,aAAA,GAAgB,EAAA;AACpB,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,UAAA,CAAW,QAAQ,CAAA,EAAA,EAAK;AAC3C,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,UAAA,CAAW,CAAC,CAAA;AACxC,IAAA,IAAI,QAAA,IAAY,EAAA,IAAM,QAAA,IAAY,EAAA,EAAI;AACrC,MA
AA,aAAA,IAAA,CAAkB,QAAA,GAAW,IAAI,QAAA,EAAS;AAAA,IAC3C,CAAA,MAAA,IAAW,QAAA,IAAY,EAAA,IAAM,QAAA,IAAY,EAAA,EAAI;AAC5C,MAAA,aAAA,IAAiB,UAAA,CAAW,OAAO,CAAC,CAAA;AAAA,IACrC,CAAA,MAAO;AACN,MAAA,OAAO,KAAA;AAAA,IACR;AAAA,EACD;AAEA,EAAA,IAAI;AACH,IAAA,OAAO,MAAA,CAAO,aAAa,CAAA,GAAI,GAAA,KAAQ,EAAA;AAAA,EACxC,SAAS,EAAA,EAAI;AACZ,IAAA,OAAO,KAAA;AAAA,EACR;AACD;AAUO,IAAM,YAAA,GAAe;AAAA,EAC3B,KAAA,EAAO;AAAA,IACN,IAAA,EAAM,OAAA;AAAA,IACN,OAAA,EAAS,sDAAA;AAAA,IACT,SAAA,EAAW,CAAC,KAAA,KACX,CAAC,KAAA,CAAM,QAAA,CAAS,cAAc,CAAA,IAAK,CAAC,KAAA,CAAM,QAAA,CAAS,WAAW;AAAA,GAChE;AAAA,EACA,WAAA,EAAa;AAAA,IACZ,IAAA,EAAM,aAAA;AAAA,IACN,OAAA,EAAS,0BAAA;AAAA,IACT,SAAA,EAAW;AAAA,GACZ;AAAA,EACA,UAAA,EAAY;AAAA,IACX,IAAA,EAAM,YAAA;AAAA,IACN,OAAA,EAAS,yCAAA;AAAA,IACT,SAAA,EAAW,CAAC,KAAA,KAAkB;AAC7B,MAAA,MAAM,OAAA,GAAU,CAAC,WAAA,EAAa,SAAA,EAAW,iBAAiB,CAAA;AAC1D,MAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AAEpC,MAAA,MAAM,QAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA,CAAE,IAAI,MAAM,CAAA;AACzC,MAAA,OAAO,MAAM,KAAA,CAAM,CAAC,MAAM,CAAA,IAAK,CAAA,IAAK,KAAK,GAAG,CAAA;AAAA,IAC7C;AAAA,GACD;AAAA,EACA,KAAA,EAAO;AAAA,IACN,IAAA,EAAM,OAAA;AAAA;AAAA,IAEN,OAAA,EAAS,+DAAA;AAAA,IACT,SAAA,EAAW,CAAC,KAAA,KAAkB;AAC7B,MAAA,MAAM,MAAA,GAAS,KAAA,CAAM,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACtC,MAAA,IAAI,OAAO,MAAA,GAAS,CAAA,IAAK,MAAA,CAAO,MAAA,GAAS,IAAI,OAAO,KAAA;AAEpD,MAAA,IAAI,WAAA,CAAY,IAAA,CAAK,MAAM,CAAA,EAAG,OAAO,KAAA;AACrC,MAAA,IAAI,MAAA,KAAW,cAAc,OAAO,KAAA;AACpC,MAAA,OAAO,IAAA;AAAA,IACR;AAAA,GACD;AAAA,EACA,GAAA,EAAK;AAAA,IACJ,IAAA,EAAM,KAAA;AAAA,IACN,OAAA,EAAS,gCAAA;AAAA,IACT,SAAA,EAAW,CAAC,KAAA,KAAkB;AAC7B,MAAA,MAAM,MAAA,GAAS,KAAA,CAAM,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACtC,MAAA,IAAI,MAAA,CAAO,MAAA,KAAW,CAAA,EAAG,OAAO,KAAA;AAEhC,MAAA,MAAM,OAAO,QAAA,CAAS,MAAA,CAAO,UAAU,CAAA,EAAG,CAAC,GAAG,EAAE,CAAA;AAChD,MAAA,IAAI,SAAS,CAAA,IAAK,IAAA,KAAS,GAAA,IAAO,IAAA,IAAQ,KAAK,OAAO,KAAA;AAEtD,MAAA,MAAM,QAAQ,QAAA,CAAS,MAAA,CAAO,UAAU,CAAA,EAAG,CAAC,GAAG,EAAE,CAAA;AACjD,MAAA,IAAI,KAAA,KAAU,GAAG,OAAO,KAAA;AAExB,MAAA,MAAM,SAAS,QAAA,CAAS,MAAA,CAAO,UAAU,CA
AA,EAAG,CAAC,GAAG,EAAE,CAAA;AAClD,MAAA,IAAI,MAAA,KAAW,GAAG,OAAO,KAAA;AAEzB,MAAA,IAAI,YAAY,IAAA,CAAK,MAAM,CAAA,IAAK,MAAA,KAAW,aAAa,OAAO,KAAA;AAE/D,MAAA,OAAO,IAAA;AAAA,IACR;AAAA,GACD;AAAA,EACA,IAAA,EAAM;AAAA,IACL,IAAA,EAAM,MAAA;AAAA,IACN,OAAA,EAAS,sCAAA;AAAA,IACT,SAAA,EAAW;AAAA,GACZ;AAAA,EACA,YAAA,EAAc;AAAA,IACb,IAAA,EAAM,cAAA;AAAA;AAAA,IAEN,OAAA,EAAS;AAAA;AAEX;AAMO,IAAM,WAAA,GAAc;AAAA,EAC1B,aAAA,EAAe;AAAA,IACd,YAAA,CAAa,KAAA;AAAA,IACb,YAAA,CAAa,WAAA;AAAA,IACb,YAAA,CAAa,UAAA;AAAA,IACb,YAAA,CAAa,KAAA;AAAA,IACb,YAAA,CAAa,YAAA;AAAA,IACb,YAAA,CAAa;AAAA,GACd;AAAA,EACA,YAAA,EAAc;AAAA,IACb,YAAA,CAAa,KAAA;AAAA,IACb,YAAA,CAAa,WAAA;AAAA,IACb,YAAA,CAAa,UAAA;AAAA,IACb,YAAA,CAAa,KAAA;AAAA,IACb,YAAA,CAAa,GAAA;AAAA,IACb,YAAA,CAAa;AAAA,GACd;AAAA,EACA,OAAA,EAAS;AAAA,IACR,YAAA,CAAa,KAAA;AAAA,IACb,YAAA,CAAa,WAAA;AAAA,IACb,YAAA,CAAa,UAAA;AAAA,IACb,YAAA,CAAa,KAAA;AAAA,IACb,YAAA,CAAa,IAAA;AAAA,IACb,YAAA,CAAa;AAAA;AAEf;AAEO,IAAM,UAAA,GAAN,MAAM,WAAA,CAAW;AAAA,EACf,QAAA;AAAA,EACA,gBAAA;AAAA,EACA,UAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMR,OAAwB,YAAA,mBAAe,IAAI,GAAA,CAAI;AAAA;AAAA,IAE9C,MAAA;AAAA,IACA,OAAA;AAAA,IACA,SAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,UAAA;AAAA,IACA,UAAA;AAAA,IACA,QAAA;AAAA,IACA,QAAA;AAAA,IACA,YAAA;AAAA,IACA,QAAA;AAAA,IACA,WAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA;AAAA,IACA,QAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA;AAAA,IACA,MAAA;AAAA,IACA,MAAA;AAAA,IACA,MAAA;AAAA,IACA,MAAA;AAAA,IACA,OAAA;AAAA,IACA,OAAA;AAAA,IACA,OAAA;AAAA,IACA,OAAA;AAAA,IACA,QAAA;AAAA,IACA,OAAA;AAAA,IACA,SAAA;AAAA,IACA,SAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,OAAA;AAAA,IACA,SAAA;AAAA,IACA,MAAA;AAAA,IACA,OAAA;AAAA;AAAA,IAEA,WAAA;AAAA,IACA,YAAA;AAAA,IACA,WAAA;AAAA,IACA,UAAA;AAAA,IACA,QAAA;AAAA,IACA,UAAA;AAAA,IACA,UAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,SAAA;AAAA;AAAA,IAEA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,YAAA;AAAA,IACA,WAAA;AAAA,IACA,WAAA;AAAA,IACA,WAAA;AAAA,IACA,YAAA;AAAA;AAAA,IAEA,YAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA;AAAA,IAEA,WAAA;AAAA,IACA,aAAA;AAAA,IACA,UAAA;AAAA,IACA,UAAA;AAAA,IAC
A,SAAA;AAAA;AAAA,IAEA,WAAA;AAAA,IACA,UAAA;AAAA;AAAA,IAEA,UAAA;AAAA,IACA,oBAAA;AAAA,IACA,YAAA;AAAA,IACA,QAAA;AAAA,IACA,QAAA;AAAA,IACA,WAAA;AAAA,IACA,QAAA;AAAA,IACA,QAAA;AAAA,IACA,WAAA;AAAA,IACA,eAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACA,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMO,0BAAA;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAA;AAAA,EAER,YACC,QAAA,GAAsB,IACtB,aAAA,GAA0B,IAC1B,UAAA,EACC;AACD,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,gBAAA,GAAmB,IAAI,GAAA,CAAI,aAAA,CAAc,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA;AACzE,IAAA,IAAA,CAAK,aAAa,UAAA,IAAc,IAAA;AAGhC,IAAA,IAAA,CAAK,0BAAA,uBAAiC,GAAA,EAAI;AAC1C,IAAA,IAAA,CAAK,sBAAsB,EAAC;AAE5B,IAAA,KAAA,MAAW,KAAA,IAAS,KAAK,gBAAA,EAAkB;AAC1C,MAAA,IAAI,KAAA,CAAM,SAAS,CAAA,EAAG;AAIrB,QAAA,IAAA,CAAK,0BAAA,CAA2B,GAAA;AAAA,UAC/B,KAAA;AAAA,UACA,IAAI,MAAA;AAAA,YAAA,CACF,MAAM;AAGN,cAAA,MAAM,YAAY,KAAA,CAChB,KAAA,CAAM,EAAE,CAAA,CACR,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAA,EAAI,EAAE,WAAA,EAAa,GAAG,CAAA,CAAE,WAAA,EAAa,CAAA,CAAA,CAAG,CAAA,CACnD,KAAK,EAAE,CAAA;AAGT,cAAA,MAAM,YAAA,GAAe,CAAA,KAAA,EAAQ,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA,CAAE,WAAA,EAAa,CAAA,EAAG,KAAA,CAAM,KAAA,CAAM,CAAC,CAAC,CAAA,CAAA;AAC3E,cAAA,OACC,CAAA,UAAA,EAAa,SAAS,CAAA,WAAA,EACnB,YAAY,kBACX,SAAS,CAAA,CAAA,CAAA;AAAA,YAEf,CAAA;AAAG;AACJ,SACD;AAAA,MACD,CAAA,MAAO;AACN,QAAA,IAAA,CAAK,mBAAA,CAAoB,KAAK,KAAK,CAAA;AAAA,MACpC;AAAA,IACD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAa,IAAA,CACZ,KAAA,EACA,IAAA,mBAAO,IAAI,SAAgB,EACF;AACzB,IAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW,OAAO,IAAA;AAGlD,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAG9B,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,EAAK;AAC3B,MAAA,IACE,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IAAK,QAAQ,QAAA,CAAS,GAAG,CAAA,IAC/C,OAAA,CAAQ,WAAW,GAAG,CAAA,IAAK,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/C;AACD,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAEjC,UAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,IAAA,CAAK,QAAQ,IAAI,CAAA;AAC9C,UAAA,IAAI,WAAW,OAAO,SAAA;AAAA,QACvB,SAAS,EAAA,EAAI;AAAA,QAEb;AAAA,MACD;AAGA,MAAA,MAAM,gBAAA,GAAmB,IAAA,CAAK,WAAA,CAAY,K
AAK,CAAA;AAC/C,MAAA,IAAI,kBAAkB,OAAO,gBAAA;AAG7B,MAAA,IAAI,KAAK,UAAA,EAAY;AACpB,QAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK,KAAK,CAAA;AAClD,QAAA,IAAI,UAAU,QAAA,EAAU;AACvB,UAAA,MAAM,YAAA,GAAe,UAAU,QAAA,CAAS,IAAA;AAAA,YACvC,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,KAAS;AAAA,WACnB;AACA,UAAA,IAAI,YAAA,EAAc;AACjB,YAAA,OAAO,CAAA,kCAAA,EAAqC,aAAa,IAAI,CAAA,CAAA,CAAA;AAAA,UAC9D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO,IAAA;AAAA,IACR;AAGA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAE9B,MAAA,IAAI,IAAA,CAAK,GAAA,CAAI,KAAe,CAAA,EAAG,OAAO,IAAA;AACtC,MAAA,IAAA,CAAK,IAAI,KAAe,CAAA;AAExB,MAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,QAAA,KAAA,MAAW,WAAW,KAAA,EAAO;AAC5B,UAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,IAAA,CAAK,SAAS,IAAI,CAAA;AAC/C,UAAA,IAAI,WAAW,OAAO,SAAA;AAAA,QACvB;AAAA,MACD,CAAA,MAAO;AACN,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,CAAA,IAAK,MAAA,CAAO,OAAA;AAAA,UACjC;AAAA,SACD,EAAG;AAEF,UAAA,IAAI,KAAK,gBAAA,CAAiB,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACjD,YAAA,OAAO,kBAAkB,GAAG,CAAA,CAAA;AAAA,UAC7B;AAGA,UAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,aAAA,CAAc,GAAG,CAAA;AAC7C,UAAA,IAAI,gBAAgB,OAAO,cAAA;AAG3B,UAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,IAAA,CAAK,OAAO,IAAI,CAAA;AAC7C,UAAA,IAAI,WAAW,OAAO,SAAA;AAAA,QACvB;AAAA,MACD;AAAA,IACD;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAc,GAAA,EAA4B;AACjD,IAAA,MAAM,UAAA,GAAa,IAAI,WAAA,EAAY;AAGnC,IAAA,IAAI,WAAA,CAAW,YAAA,CAAa,GAAA,CAAI,UAAU,GAAG,OAAO,IAAA;AAGpD,IAAA,KAAA,MAAW,CAAC,KAAA,EAAO,OAAO,CAAA,IAAK,KAAK,0BAAA,EAA4B;AAC/D,MAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA,EAAG;AACtB,QAAA,OAAO,CAAA,uBAAA,EAA0B,GAAG,CAAA,2BAAA,EAA8B,KAAK,CAAA,CAAA,CAAA;AAAA,MACxE;AAAA,IACD;AAGA,IAAA,KAAA,MAAW,KAAA,IAAS,KAAK,mBAAA,EAAqB;AAC7C,MAAA,IAAI,UAAA,CAAW,QAAA,CAAS,KAAK,CAAA,EAAG;AAC/B,QAAA,OAAO,CAAA,uBAAA,EAA0B,GAAG,CAAA,4BAAA,EAA+B,KAAK,CAAA,CAAA,CAAA;AAAA,MACzE;AAAA,IACD;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AAAA,EAEQ,YAAY,IAAA,EAA6B;AAChD,IAAA,KAAA,MAAW,IAAA,IAAQ,KAAK,QAAA,EAAU;AACjC,MAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,QAAA,IAAI,KAAK,WAAA,EAAY,CAAE,SAAS,IAAA,CAAK,WAAA,EAAa,CAAA,EAAG;AACpD
,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD,CAAA,MAAA,IAAW,gBAAgB,MAAA,EAAQ;AAClC,QAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,IAAA,CAAK,SAAA,GAAY,CAAA;AAClC,QAAA,IAAI,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,EAAG;AACpB,UAAA,OAAO,IAAA,CAAK,MAAA;AAAA,QACb;AAAA,MACD,CAAA,MAAA,IAAW,OAAO,IAAA,KAAS,QAAA,IAAY,SAAS,IAAA,EAAM;AAErD,QAAA,MAAM,GAAA,GAAM,IAAA;AAEZ,QAAA,IAAI,OAAO,GAAA,CAAI,OAAA,KAAY,QAAA,EAAU;AACpC,UAAA,IAAI,IAAA,CAAK,aAAY,CAAE,QAAA,CAAS,IAAI,OAAA,CAAQ,WAAA,EAAa,CAAA,EAAG;AAC3D,YAAA,IAAI,CAAC,GAAA,CAAI,SAAA,IAAa,IAAI,SAAA,CAAU,GAAA,CAAI,OAAO,CAAA,EAAG;AACjD,cAAA,OAAO,GAAA,CAAI,IAAA;AAAA,YACZ;AAAA,UACD;AAAA,QACD,CAAA,MAAA,IAAW,GAAA,CAAI,OAAA,YAAmB,MAAA,EAAQ;AACzC,UAAA,IAAI,GAAA,CAAI,OAAA,CAAQ,MAAA,EAAQ,GAAA,CAAI,QAAQ,SAAA,GAAY,CAAA;AAGhD,UAAA,IAAI,KAAA,GAAQ,GAAA,CAAI,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AACjC,UAAA,OAAO,UAAU,IAAA,EAAM;AACtB,YAAA,MAAM,WAAA,GAAc,MAAM,CAAC,CAAA;AAC3B,YAAA,IAAI,CAAC,GAAA,CAAI,SAAA,IAAa,GAAA,CAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AACjD,cAAA,OAAO,GAAA,CAAI,IAAA;AAAA,YACZ;AACA,YAAA,IAAI,CAAC,GAAA,CAAI,OAAA,CAAQ,MAAA,EAAQ;AACzB,YAAA,KAAA,GAAQ,GAAA,CAAI,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAAA,UAC9B;AAAA,QACD;AAAA,MACD;AAAA,IACD;AACA,IAAA,OAAO,IAAA;AAAA,EACR;AACD;;;AC1aA,IAAMC,aAAY,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAC,CAAA;AA+GtD,IAAM,UAAA,GAAN,MAAM,WAAA,CAAW;AAAA,EAicvB,WAAA,CACS,YACA,MAAA,EACP;AAFO,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAER,IAAA,MAAM,aAAa,IAAA,CAAK,MAAA,EAAQ,UAAU,iBAAA,GACvC,IAAI,YAAW,GACf,IAAA;AAEH,IAAA,IAAA,CAAK,aAAa,IAAI,UAAA;AAAA,MACrB,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,WAAA,IAAe,WAAA,CAAY,aAAA;AAAA,MAClD,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,aAAA,IAAiB;AAAA,QACvC,IAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAA;AAAA,QACA,WAAA;AAAA,QACA,UAAA;AAAA,QACA,SAAA;AAAA,QACA,QAAA;AAAA,QACA,MAAA;AAAA,QACA,YAAA;AAAA,QACA,SAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,KAAA;AAAA,QACA,eAAA;AAAA,QACA,eAAA;AAAA,QACA,gBAAA;AAAA,QACA,UAAA;AAAA,QACA,OAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACD;AAAA,MACA;AAAA,KACD;AAGA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,SAAA;A
ACxC,IAAA,IAAA,CAAK,gBAAA,GACJ,UAAU,QAAA,IACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,yBAAA,IAA6B,OAAA,EAAS,EAAE,CAAA;AACrE,IAAA,IAAA,CAAK,oBAAA,GACJ,UAAU,YAAA,IACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,mBAAA,IAAuB,IAAA,EAAM,EAAE,CAAA;AAC5D,IAAA,IAAA,CAAK,sBAAA,GACJ,UAAU,kBAAA,IACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,0BAAA,IAA8B,IAAA,EAAM,EAAE,CAAA;AAGnE,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,aAAA,IAAiB;AAAA,MAC7D,IAAA;AAAA,MACA,MAAA;AAAA,MACA,UAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,QAAA;AAAA,MACA,MAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA,KAAA;AAAA,MACA,eAAA;AAAA,MACA,eAAA;AAAA,MACA,gBAAA;AAAA,MACA,UAAA;AAAA,MACA,OAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACD;AACA,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,iBAAiB,EAAC;AAC/D,IAAA,IAAA,CAAK,aAAA,GAAgB,IAAI,aAAA,CAAc,aAAA,EAAe,aAAa,CAAA;AAGnE,IAAA,MAAM,IAAA,GAAO,MAAA,CAAA,IAAA,CAAY,GAAA,CAAI,QAAA,CAAS,KAAK,CAAA;AAC3C,IAAA,MAAM,SAAA,GAAY,OAAO,KAAA,GAAQ,KAAA;AAEjC,IAAA,IAAI,WAAqB,EAAC;AAC1B,IAAA,IAAI,IAAA,EAAM;AACT,MAAA,IAAI;AACH,QAAA,MAAM,GAAA,GAAM,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AACzC,QAAA,MAAM,MAAA,GAAS,GAAA,CAAI,OAAA,CAAQ,kBAAkB,CAAA;AAC7C,QAAA,MAAM,WAAA,GAAc,aAAA;AAAA,UACnB,KAAK,IAAA,CAAK,IAAA,CAAK,QAAQ,MAAM,CAAA,EAAG,QAAQ,YAAY;AAAA,SACrD,CAAE,IAAA;AACF,QAAA,QAAA,GAAW,CAAC,YAAY,WAAW,CAAA;AAAA,MACpC,SAAS,EAAA,EAAI;AACZ,QAAA,QAAA,GAAW,CAAC,YAAY,KAAK,CAAA;AAAA,MAC9B;AAAA,IACD;AAEA,IAAA,MAAM,SAAS,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IAAU,QAAQ,GAAA,CAAI,MAAA;AAG9D,IAAA,IAAI,KAAK,MAAA,EAAQ,YAAA,IAAgB,CAAC,IAAA,CAAK,WAAW,YAAA,EAAc;AAC/D,MAAA,IAAA,CAAK,UAAA,CAAW,YAAA,GAAe,IAAA,CAAK,MAAA,CAAO,YAAA;AAAA,IAI5C;AAGA,IAAA,MAAM,WAAA,GAAc;AAAA,MACnB,IAAA,CAAK,OAAA,CAAQA,UAAAA,EAAW,CAAA,yBAAA,EAA4B,SAAS,CAAA,CAAE,CAAA;AAAA;AAAA,MAC/D,IAAA,CAAK,OAAA,CAAQA,UAAAA,EAAW,CAAA,0BAAA,EAA6B,SAAS,CAAA,CAAE;AAAA;AAAA,KACjE;AAEA,IAAA,MAAM,cAAA,GACL,WAAA,CAAY,IAAA,CAAK,CAAC,CAAA,KAAS,cAAW,CAAC,CAAC,CAAA,IAAK,WAAA,CAAY,CAAC,CAAA;AAE3D,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,OAAA,CAAQ;AAAA,MAC7
B,QAAA,EAAU,cAAA;AAAA,MACV,YAAY,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,UAAA,KAAe,SAAS,CAAA,GAAI,CAAA,CAAA;AAAA,MACjE,YAAY,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,UAAA,KAAe,SAAS,CAAA,GAAI,CAAA,CAAA;AAAA,MACjE,aACC,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,WAAA,KAAgB,SAAS,GAAA,GAAM,GAAA,CAAA;AAAA,MACzD,QAAA,EAAU,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,QAAA,IAAY,MAAA;AAAA,MAC/C,SAAA,EAAW,IAAI,UAAA,EAAW;AAAA,MAC1B,QAAA;AAAA;AAAA;AAAA,MAGA,cAAA,EAAgB;AAAA,QACf,sBAAA,EACC,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,SAAA,IACzB,MAAA,CAAO,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,uBAAA,IAA2B,IAAA,EAAM,EAAE;AAAA;AACjE,KACA,CAAA;AAGD,IAAA,MAAM,aAAa,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,UAAA,KAAe,SAAS,CAAA,GAAI,CAAA,CAAA;AACxE,IAAA,IAAI,IAAA,CAAK,UAAA,IAAc,UAAA,GAAa,CAAA,EAAG;AACtC,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,UAAA,EAAY,CAAA,EAAA,EAAK;AACpC,QAAA,IAAA,CAAK,UAAA,CAAW,IAAI,EAAE,QAAA,EAAU,MAAM,CAAA,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AACtD,UAAA,GAAA,CAAI,KAAA;AAAA,YACH,CAAA,8CAAA,EAAiD,IAAI,OAAO,CAAA;AAAA,WAC7D;AAAA,QACD,CAAC,CAAA;AAAA,MACF;AAAA,IACD;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,IAAA,EAAM,IAAA,KAAS,OAAA,EAAS;AACxC,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,MAAA,IAAU,uBAAA;AAC1C,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,YAAY,aAAA,CAAc,QAAA;AAG5D,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,OAAA,IAAW;AAAA,QAC3C;AAAA,UACC,SAAA,EAAW,OAAA,CAAQ,GAAA,CAAI,oBAAA,IAAwB,iBAAA;AAAA,UAC/C,aAAA,EACC,OAAA,CAAQ,GAAA,CAAI,wBAAA,IAA4B,sBAAA;AAAA,UACzC,WAAA,EAAa,CAAC,oBAAoB,CAAA;AAAA,UAClC,KAAA,EACC;AAAA;AACF,OACD;AAEA,MAAA,MAAM,EAAE,QAAA,EAAU,IAAA,EAAK,GAAI,iBAAA,CAAkB;AAAA,QAC5C,MAAA;AAAA,QACA;AAAA,OACA,CAAA;AAED,MAAA,IAAA,CAAK,aAAA,GAAgB,QAAA;AACrB,MAAA,IAAA,CAAK,YAAA,GAAe,IAAI,YAAA,CAAa,MAAA,EAAQ,UAAU,IAAI,CAAA;AAAA,IAC5D,CAAA,MAAA,IAAW,IAAA,CAAK,MAAA,EAAQ,IAAA,EAAM,SAAS,MAAA,EAAQ;AAC9C,MAAA,MAAM,WACL,IAAA,CAAK,MAAA,CAAO,KAAK,QAAA,IACjB,OAAA,CAAQ,IAAI,cAAA,IACZ,uBAAA;AACD,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,YAAY,aAAA,CAAc,QAAA;AAC5D,MAAA,MAAM,UAAU,QAAA,CAAS,QAAA,CAAS,OAAO,CAAA,GACtC,QAAA,GACA,GAAG,QAAQ,CAAA,KAAA,CAAA;AA
Cd,MAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,CAAA,EAAG,OAAO,CAAA,KAAA,CAAO,CAAA;AACzC,MAAA,IAAA,CAAK,YAAA,GAAe,IAAI,YAAA,CAAa,QAAA,EAAU,UAAU,OAAO,CAAA;AAAA,IACjE;AAKA,IAAA,IAAA,CAAK,QAAA;AAAA,MACJ,6BAAA;AAAA,MACA,+BAAA;AAAA,MACA,qFAAA;AAAA,MACA,YAAA;AAAA,MACA,MAAM,OAAA,CAAQ,OAAA,CAAQ,IAAA,CAAK,mBAAmB;AAAA,KAC/C;AAEA,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,IAAA,EAAM,cAAA,EAAgB;AACtC,MAAA,IAAA,CAAK,kBAAA,EAAmB;AAAA,IACzB;AAAA,EACD;AAAA,EA/nBQ,UAAA,uBACH,GAAA,EAAI;AAAA,EACD,eAAA,uBAGA,GAAA,EAAI;AAAA,EACK,YAAA,GAAe,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAA;AAAA;AAAA,EAC9B,kBAAA,GAAqB,CAAA;AAAA,EACrB,uBAAuB,EAAA,GAAK,GAAA;AAAA;AAAA;AAAA,EAGrC,eAAA,uBAA6C,GAAA,EAAI;AAAA,EACxC,oBAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAGT,mBAA6B,EAAC;AAAA,EACrB,sBAAA;AAAA;AAAA;AAAA,EAIT,gBAAA,uBACH,GAAA,EAAI;AAAA;AAAA,EAGQ,aAAA;AAAA,EAET,KAAA,uBAUA,GAAA,EAAI;AAAA,EACJ,SAAA,uBAGA,GAAA,EAAI;AAAA,EACJ,OAAA,uBAQA,GAAA,EAAI;AAAA,EACJ,YAAA,GAA+C,IAAA;AAAA,EAC/C,iBAA4C,EAAC;AAAA,EAE7C,UAAA;AAAA,EACA,UAAA;AAAA,EACA,QAAA,GAA4B,IAAA;AAAA,EAC5B,SAAA,GAAkC,IAAA;AAAA,EAClC,SAAA,GAA2B,IAAA;AAAA,EAC5B,YAAA;AAAA;AAAA,EAEA,aAAA;AAAA,EACC,QAAA,uBAQA,GAAA,EAAI;AAAA,EACJ,kBAAA,uBAAsC,GAAA,EAAI;AAAA,EAC1C,sBAAA,GAAyB,CAAA;AAAA;AAAA,EAGjC,OAAwB,kBAAA,GACvB,2EAAA;AAAA,EAEO,aAAa,OAAA,EAAgC;AACpD,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,KAAA,CAAM,WAAA,CAAW,kBAAkB,CAAA;AAC3D,IAAA,OAAO,SAAS,MAAA,EAAQ,KAAA,GAAQ,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAK,GAAI,IAAA;AAAA,EAC/D;AAAA,EAEQ,iBAAiB,KAAA,EAAyB;AACjD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AACtC,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,EAAK;AAC3B,IAAA,IACE,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IAAK,QAAQ,QAAA,CAAS,GAAG,CAAA,IAC/C,OAAA,CAAQ,WAAW,GAAG,CAAA,IAAK,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/C;AACD,MAAA,IAAI;AACH,QAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAAA,MAC1B,CAAA,CAAA,MAAQ;AACP,QAAA,OAAO,KAAA;AAAA,MACR;AAAA,IACD;AACA,IAAA,OAAO,KAAA;AAAA,EACR;AAAA,EAEQ,kBAAA,CACP,SAAA,EACA,KAAA,EACA,MAAA,EACA,WAAW,cAAA,EACK;AAEhB,IAAA,IAAI,MAAA,EAAQ;AACX,MAAA,MAAM,OAAA,GAAU,KAAA,CAAM,OAAA,CAAQ,MAAA,EAAQ,GAAG,CAAA;AAEzC,MAAA,IAAI,OAAO,uBAAA,EAAyB;A
ACnC,QAAA,MAAM,qBAAA,GAAwB;AAAA;AAAA;AAAA,UAG7B,8EAAA;AAAA,UACA;AAAA,SACD;AACA,QAAA,IAAI,qBAAA,CAAsB,KAAK,CAAC,CAAA,KAAM,EAAE,IAAA,CAAK,OAAO,CAAC,CAAA,EAAG;AACvD,UAAA,OAAO,yEAAA;AAAA,QACR;AAAA,MACD;AAEA,MAAA,IAAI,MAAA,CAAO,uBAAuB,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,OAAO,CAAC,CAAA,EAAG;AAC/D,QAAA,OAAO,yDAAA;AAAA,MACR;AAAA,IACD;AAIA,IAAA,IAAI,eAAA,GAAkB,EAAA;AACtB,IAAA,IAAI,OAAO,MAAA,EAAQ,uBAAA,KAA4B,QAAA,EAAU;AACxD,MAAA,eAAA,GACC,MAAA,CAAO,wBAAwB,oBAAA,IAAwB,EAAA;AAAA,IACzD;AACA,IAAA,MAAM,cAAA,GAAiB,KAAK,aAAA,CAAc,OAAA;AAAA,MACzC,KAAA;AAAA,MACA,KAAK,cAAA,CAAe,MAAA;AAAA,MACpB;AAAA,KACD;AACA,IAAA,IAAI,cAAA,EAAgB;AACnB,MAAA,OAAO,CAAA,2BAAA,EAA8B,eAAe,MAAM,CAAA,CAAA;AAAA,IAC3D;AAGA,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,aAAA,CAAc,oBAAA,CAAqB,KAAK,CAAA;AAErE,IAAA,IAAI,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC/B,MAAA,MAAM,SAAA,GAAY,MAAA,EAAQ,eAAA,IAAmB,IAAA,CAAK,MAAA,EAAQ,eAAA;AAC1D,MAAA,IAAI,SAAA,EAAW;AACd,QAAA,IAAI;AACH,UAAA,MAAM,cAAc,IAAA,CAAK,qBAAA;AAAA,YACxB,SAAA;AAAA,YACA,CAAC,MAAA,KAAW;AACX,cAAA,MAAM,YAAA,GAAe,MAAA,CAAO,QAAQ,CAAA,IAAK,EAAC;AAC1C,cAAA,MAAM,UAAA,GAAa,YAAA,CAAa,SAAS,CAAA,IAAK,EAAC;AAE/C,cAAA,KAAA,MAAW,SAAS,eAAA,EAAiB;AACpC,gBAAA,MAAM,WAAA,GAAc,KAAK,aAAA,CAAc,aAAA;AAAA,kBACtC,KAAA;AAAA,kBACA,MAAA,EAAQ;AAAA,iBACT;AAEA,gBAAA,IAAI,UAAA,GAAa,EAAA;AACjB,gBAAA,IAAI,SAAA,GAAY,QAAA;AAEhB,gBAAA,IAAI,MAAA,EAAQ,wBAAwB,KAAA,CAAA,EAAW;AAC9C,kBAAA,UAAA,GAAa,MAAA,CAAO,mBAAA;AACpB,kBAAA,SAAA,GAAY,UAAA;AAAA,gBACb,CAAA,MAAA,IAAW,gBAAgB,WAAA,EAAa;AACvC,kBAAA,UAAA,GAAa,CAAA;AACb,kBAAA,SAAA,GAAY,WAAA;AAAA,gBACb,CAAA,MAAA,IAAW,gBAAgB,WAAA,EAAa;AACvC,kBAAA,UAAA,GAAa,CAAA;AACb,kBAAA,SAAA,GAAY,WAAA;AAAA,gBACb;AAEA,gBAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACnC,gBAAA,IAAI,SAAS,UAAA,EAAY;AACxB,kBAAA,OAAO;AAAA,oBACN,QAAQ,CAAA,4DAAA,EAA+D,KAAK,CAAA,OAAA,EAAU,UAAU,oBAAoB,SAAS,CAAA,6CAAA;AAAA,mBAC9H;AAAA,gBACD;AAAA,cACD;AAGA,cAAA,MAAM,iBAAA,GAAoB,EAAE,GAAG,UAAA,EAAW;AAC1C,cAAA,KAAA,MAAW,SAAS,eAAA,EAAiB;AACpC,gBAAA,iBAAA,CAAkB,KAAK,CAAA,GAAA,CAAK,iBAAA,CAAkB,KAAK,KAAK,CAAA,IAAK,CAAA;AAAA,cA
C9D;AAEA,cAAA,MAAM,mBAAA,GAAsB,EAAE,GAAG,YAAA,EAAa;AAC9C,cAAA,mBAAA,CAAoB,SAAS,CAAA,GAAI,iBAAA;AAEjC,cAAA,MAAM,aAAA,GAAgB,EAAE,GAAG,MAAA,EAAO;AAClC,cAAA,aAAA,CAAc,QAAQ,CAAA,GAAI,mBAAA;AAE1B,cAAA,OAAO,EAAE,MAAA,EAAQ,IAAA,EAAM,aAAA,EAAc;AAAA,YACtC;AAAA,WACD;AAEA,UAAA,IAAI,WAAA,EAAa;AAChB,YAAA,OAAO,WAAA;AAAA,UACR;AAAA,QACD,SAAS,CAAA,EAAY;AACpB,UAAA,MAAM,WAAW,CAAA,YAAa,KAAA,GAAQ,CAAA,CAAE,OAAA,GAAU,OAAO,CAAC,CAAA;AAE1D,UAAA,GAAA,CAAI,KAAA;AAAA,YACH,yDAAyD,QAAQ,CAAA,4BAAA;AAAA,WAClE;AACA,UAAA,MAAM,gBAAgB,IAAA,CAAK,mBAAA;AAAA,YAC1B,QAAA;AAAA,YACA,SAAA;AAAA,YACA,eAAA;AAAA,YACA;AAAA,WACD;AACA,UAAA,IAAI,eAAe,OAAO,aAAA;AAAA,QAC3B;AAAA,MACD,CAAA,MAAO;AACN,QAAA,MAAM,gBAAgB,IAAA,CAAK,mBAAA;AAAA,UAC1B,QAAA;AAAA,UACA,SAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACD;AACA,QAAA,IAAI,eAAe,OAAO,aAAA;AAAA,MAC3B;AAAA,IACD;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AAAA,EAEQ,oBAAA,CACP,QAAA,EACA,MAAA,EACA,MAAA,EACgB;AAChB,IAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AACpB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,gBAAA,CAAiB,MAAM,CAAA;AAG3C,IAAA,IACC,UACA,OAAO,MAAA,KAAW,QAAA,IACjB,MAAA,CAAmC,YAAY,IAAA,EAC/C;AACD,MAAA,OAAO,IAAA;AAAA,IACR;AAEA,IAAA,IAAI,OAAO,YAAA,EAAc;AAKxB,MAAA,MAAM,mBAAmB,MAAM;AAC9B,QAAA,IAAI,EAAE,MAAA,CAAO,YAAA,YAAwB,CAAA,CAAE,SAAA,CAAA,EAAY;AAClD,UAAA,OAAO,MAAA,CAAO,YAAA;AAAA,QACf;AACA,QAAA,MAAM,MAAM,MAAA,CAAO,YAAA;AAEnB,QAAA,IAAI,EAAE,GAAA,CAAI,IAAA,CAAK,QAAA,YAAoB,EAAE,QAAA,CAAA,EAAW;AAC/C,UAAA,OAAO,GAAA;AAAA,QACR;AAEA,QAAA,OAAO,IAAI,MAAA,EAAO;AAAA,MACnB,CAAA,GAAG;AAEH,MAAA,MAAM,YAAA,GAAe,eAAA,CAAgB,SAAA,CAAU,MAAM,CAAA;AACrD,MAAA,IAAI,CAAC,aAAa,OAAA,EAAS;AAG1B,QAAA,OAAO,CAAA,mCAAA,EAAsC,QAAQ,CAAA,EAAA,EAAK,YAAA,CAAa,MAAM,MAAA,CAC3E,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,EAAE,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,IAAK,QAAQ,IAAI,CAAA,CAAE,OAAO,EAAE,CAAA,CACzD,IAAA;AAAA,UACA;AAAA,SACA,CAAA,gIAAA,CAAA;AAAA,MACH;AAAA,IACD;AAEA,IAAA,IACC,MAAA,CAAO,2BACP,IAAA,CAAK,8BAAA;AAAA,MACJ,IAAA,CAAK,+BAA+B,MAAM,CAAA;AAAA,MAC1C,MAAA,CAAO,uBAAA;AAAA,MACP,KAAK,cAAA,CAAe;AAAA,KACrB,EACC;AACD,MAAA,MAAM,KAAA,GACL,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,IA
CzB,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,KAAqB,GAAA;AAElC,MAAA,OAAO,QACJ,gPAAA,GACA,gFAAA;AAAA,IACJ;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,+BAA+B,KAAA,EAAyB;AAC/D,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,EAAK;AAC3B,MAAA,IACE,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IAAK,QAAQ,QAAA,CAAS,GAAG,CAAA,IAC/C,OAAA,CAAQ,WAAW,GAAG,CAAA,IAAK,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/C;AACD,QAAA,IAAI;AACH,UAAA,OAAO,IAAA,CAAK,8BAAA,CAA+B,IAAA,CAAK,KAAA,CAAM,OAAO,CAAC,CAAA;AAAA,QAC/D,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AACA,MAAA,OAAO,KAAA;AAAA,IACR;AAEA,IAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACxC,MAAA,OAAO,KAAA;AAAA,IACR;AAEA,IAAA,MAAM,GAAA,GAAM,KAAA;AAGZ,IAAA,IAAI,GAAA,CAAI,uBAAuB,MAAA,EAAW;AACzC,MAAA,OAAO,IAAA,CAAK,8BAAA,CAA+B,GAAA,CAAI,kBAAkB,CAAA;AAAA,IAClE;AAEA,IAAA,IAAI,CAAC,MAAM,OAAA,CAAQ,GAAA,CAAI,OAAO,CAAA,IAAK,GAAA,CAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG;AAC5D,MAAA,OAAO,KAAA;AAAA,IACR;AAEA,IAAA,MAAM,QAAkB,EAAC;AACzB,IAAA,KAAA,MAAW,IAAA,IAAQ,IAAI,OAAA,EAAS;AAC/B,MAAA,IAAI,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,IAAY,UAAU,IAAA,EAAM;AACvD,QAAA,MAAM,IAAK,IAAA,CAA4B,IAAA;AACvC,QAAA,IAAI,OAAO,MAAM,QAAA,EAAU;AAC1B,UAAA,KAAA,CAAM,KAAK,CAAC,CAAA;AAAA,QACb;AAAA,MACD;AAAA,IACD;AACA,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACvB,MAAA,OAAO,KAAA;AAAA,IACR;AAEA,IAAA,MAAM,MAAA,GAAS,MAAM,MAAA,KAAW,CAAA,GAAI,MAAM,CAAC,CAAA,GAAI,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA;AAC9D,IAAA,OAAO,IAAA,CAAK,+BAA+B,MAAM,CAAA;AAAA,EAClD;AAAA,EAEQ,8BAAA,CACP,KAAA,EACA,SAAA,EACA,YAAA,EACU;AACV,IAAA,IAAI,CAAC,SAAA,EAAW;AACf,MAAA,OAAO,KAAA;AAAA,IACR;AAEA,IAAA,MAAM,OAAA,GACL,OAAO,SAAA,KAAc,QAAA,IACrB,OAAO,SAAA,CAAU,aAAA,KAAkB,QAAA,GAChC,SAAA,CAAU,aAAA,GACV,EAAA;AACJ,IAAA,MAAM,eAAA,GACL,OAAO,SAAA,KAAc,QAAA,IACrB,OAAO,SAAA,CAAU,oBAAA,KAAyB,SAAA,GACvC,SAAA,CAAU,oBAAA,GACV,IAAA;AAEJ,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,EAAK;AAC3B,MAAA,IACE,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IAAK,QAAQ,QAAA,CAAS,GAAG,CAAA,IAC/C,OAAA,CAAQ,WAAW,GAAG,
CAAA,IAAK,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/C;AACD,QAAA,IAAI;AACH,UAAA,OAAO,IAAA,CAAK,8BAAA;AAAA,YACX,IAAA,CAAK,MAAM,OAAO,CAAA;AAAA,YAClB,SAAA;AAAA,YACA;AAAA,WACD;AAAA,QACD,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AACA,MAAA,OAAO,KAAA;AAAA,IACR;AAEA,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,MAAA,IACC,KAAA,CAAM,MAAA,GAAS,CAAA,IACf,KAAA,CAAM,KAAA,CAAM,CAAC,IAAA,KAAS,OAAO,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,IAAI,CAAA,EAC9D;AAED,QAAA,IAAI,KAAA,CAAM,SAAS,OAAA,EAAS;AAC3B,UAAA,OAAO,IAAA;AAAA,QACR;AACA,QAAA,OAAO,KAAA,CAAM,IAAA;AAAA,UAAK,CAAC,IAAA,KAClB,IAAA,CAAK,8BAAA,CAA+B,IAAA,EAAM,WAAW,YAAY;AAAA,SAClE;AAAA,MACD;AAEA,MAAA,IACC,KAAA,CAAM,MAAA,GAAS,CAAA,IACf,KAAA,CAAM,KAAA,CAAM,CAAC,IAAA,KAAS,OAAO,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,IAAI,CAAA,EAC9D;AACD,QAAA,IAAI,CAAC,iBAAiB,OAAO,IAAA;AAC7B,QAAA,OAAO,KAAA;AAAA,MACR;AAEA,MAAA,OAAO,KAAA,CAAM,IAAA;AAAA,QAAK,CAAC,IAAA,KAClB,IAAA,CAAK,8BAAA,CAA+B,IAAA,EAAM,WAAW,YAAY;AAAA,OAClE;AAAA,IACD;AAEA,IAAA,IAAI,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACvC,MAAA,MAAM,IAAA,GAAO,MAAA,CAAO,IAAA,CAAK,KAAgC,CAAA;AAIzD,MAAA,IAAI,YAAA,KAAiB,MAAA,IAAa,YAAA,GAAe,CAAA,IAAK,eAAe,EAAA,EAAI;AACxE,QAAA,IAAI,IAAA,CAAK,MAAA,GAAS,CAAA,EAAG,OAAO,IAAA;AAE5B,QAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,CAAO,KAAgC,CAAA;AAC7D,QAAA,IACC,MAAA,CAAO,IAAA;AAAA,UACN,CAAC,MAAM,KAAA,CAAM,OAAA,CAAQ,CAAC,CAAA,IAAM,OAAO,CAAA,KAAM,QAAA,IAAY,CAAA,KAAM;AAAA,SAC5D,EACC;AACD,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAGA,MAAA,IAAI,IAAA,CAAK,SAAS,OAAA,EAAS;AAC1B,QAAA,OAAO,IAAA;AAAA,MACR;AAEA,MAAA,OAAO,MAAA,CAAO,MAAA,CAAO,KAAgC,CAAA,CAAE,IAAA;AAAA,QAAK,CAAC,KAAA,KAC5D,IAAA,CAAK,8BAAA,CAA+B,KAAA,EAAO,WAAW,YAAY;AAAA,OACnE;AAAA,IACD;AAEA,IAAA,OAAO,KAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuMQ,iBAAA,GAA4B;AACnC,IAAA,MAAM,KAAA,GAAQ;AAAA,MACb,gCAAA;AAAA,MACA,kCAAA;AAAA,MACA,EAAA;AAAA,MACA,SAAA;AAAA,MACA,EAAA;AAAA,MACA,mBAAA;AAAA,MACA,2BAAA;AAAA,MACA,qBAAA;AAAA,MACA,QAAA;AAAA,MACA,EAAA;AAAA,MACA,sBAAA;AAAA,MACA,sDAAA;AAAA,MACA,uCAAA;AAAA,MACA,iDAAA;AAAA,MACA,uDAAA;AAAA,MACA,EAAA;AAAA,MACA,6CA
AA;AAAA,MACA,4GAAA;AAAA,MACA,mHAAA;AAAA,MACA,kHAAA;AAAA,MACA,iGAAA;AAAA,MACA,EAAA;AAAA,MACA,uBAAA;AAAA,MACA,sDAAA;AAAA,MACA,gEAAA;AAAA,MACA,kDAAA;AAAA,MACA,EAAA;AAAA,MACA,0DAAA;AAAA,MACA,sEAAA;AAAA,MACA,sFAAA;AAAA,MACA,0FAAA;AAAA,MACA,wEAAA;AAAA,MACA,gFAAA;AAAA,MACA,iFAAA;AAAA,MACA,oFAAA;AAAA,MACA;AAAA,KACD;AAEA,IAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,aAAA,EAAe,MAAA,EAAQ;AACjD,MAAA,KAAA,CAAM,IAAA;AAAA,QACL,wBAAwB,IAAA,CAAK,MAAA,CAAO,SAAS,aAAA,CAAc,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,OACtE;AAAA,IACD;AAEA,IAAA,KAAA,CAAM,IAAA;AAAA,MACL,EAAA;AAAA,MACA,6BAAA;AAAA,MACA,4EAAA;AAAA,MACA,4EAAA;AAAA,MACA,kEAAA;AAAA,MACA,mEAAA;AAAA,MACA,EAAA;AAAA,MACA,yBAAA;AAAA,MACA,yHAAA;AAAA,MACA,gEAAA;AAAA,MACA,EAAA;AAAA,MACA,0BAAA;AAAA,MACA,iEAAA;AAAA,MACA,sEAAA;AAAA,MACA,EAAA;AAAA,MACA,sBAAA;AAAA,MACA,8DAAA;AAAA,MACA,EAAA;AAAA,MACA,wCAAA;AAAA,MACA,kEAAA;AAAA,MACA,8GAAA;AAAA,MACA;AAAA,KACD;AAEA,IAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,yBAAA,CACP,MAAA,EACA,KAAA,GAAQ,CAAA,EACC;AAET,IAAA,IAAI,KAAA,GAAQ,GAAG,OAAO,OAAA;AAEtB,IAAA,MAAM,aAAa,MAAA,CAAO,IAAA;AAC1B,IAAA,MAAM,aAAa,MAAA,CAAO,UAAA;AAG1B,IAAA,MAAM,QAAQ,MAAA,CAAO,KAAA;AAGrB,IAAA,IAAI,UAAA,EAAY;AACf,MAAA,MAAM,MAAA,GAAS,MAAA,CAAO,OAAA,CAAQ,UAAU,CAAA,CAAE,IAAI,CAAC,CAAC,GAAA,EAAK,IAAI,CAAA,KAAM;AAC9D,QAAA,MAAM,WAAW,IAAA,CAAK,IAAA;AACtB,QAAA,IAAI,QAAA,KAAa,OAAA,IAAW,IAAA,CAAK,KAAA,EAAO;AACvC,UAAA,MAAM,SAAS,IAAA,CAAK,yBAAA;AAAA,YACnB,IAAA,CAAK,KAAA;AAAA,YACL,KAAA,GAAQ;AAAA,WACT;AACA,UAAA,OAAO,CAAA,EAAG,GAAG,CAAA,UAAA,EAAa,MAAM,CAAA,CAAA,CAAA;AAAA,QACjC;AACA,QAAA,IAAI,QAAA,KAAa,QAAA,IAAY,IAAA,CAAK,UAAA,EAAY;AAC7C,UAAA,MAAM,MAAA,GAAS,IAAA,CAAK,yBAAA,CAA0B,IAAA,EAAM,QAAQ,CAAC,CAAA;AAC7D,UAAA,OAAO,CAAA,EAAG,GAAG,CAAA,CAAA,EAAI,MAAM,CAAA,CAAA,CAAA;AAAA,QACxB;AACA,QAAA,OAAO,CAAA,EAAG,GAAG,CAAA,CAAA,EAAI,QAAA,IAAY,SAAS,CAAA,CAAA,CAAA;AAAA,MACvC,CAAC,CAAA;AACD,MAAA,OAAO,CAAA,CAAA,EAAI,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA;AAAA,IAC7B;AAGA,IAAA,IAAI,UAAA,KAAe,WAAW,KAAA,EAAO;AACpC,MAAA,MAAM,Y
AAA,GAAe,IAAA,CAAK,yBAAA,CAA0B,KAAA,EAAO,QAAQ,CAAC,CAAA;AACpE,MAAA,OAAO,YAAY,YAAY,CAAA,CAAA;AAAA,IAChC;AAGA,IAAA,IAAI,YAAY,OAAO,UAAA;AACvB,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,CAAE,KAAK,IAAI,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,OAAA,CACZ,OAAA,GAOI,EAAC,EACW;AAChB,IAAA,OAAO,IAAA,CAAK,cAAc,OAAO,CAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKO,IAAA,CACN,IAAA,EACA,WAAA,EACA,KAAA,EACA,SACA,MAAA,EACO;AACP,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,IAAI,CAAA,EAAG;AACzB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yBAAA,EAA4B,IAAI,CAAA,CAAE,CAAA;AAAA,IACnD;AAEA,IAAA,MAAM,MAAA,GAAS,CAAA,CAAE,MAAA,CAAO,KAAK,CAAA;AAC7B,IAAA,MAAM,eAAA,GAAkB,gBAAgB,MAAM,CAAA;AAE9C,IAAA,IAAI,gBAAA,GAAmB,WAAA;AACvB,IAAA,IAAI,YAAA,GAAe,OAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,YAAmB,EAAE,SAAA,EAAW;AAC1D,MAAA,MAAM,WAAA,GAAc,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,iBAAiB,EAAC;AAK7D,MAAA,gBAAA,IACC,wUAAA;AAMD,MAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC3B,QAAA,gBAAA,IAAoB;AAAA,mBAAA,EAAwB,WAAA,CAAY,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA;AAAA,MACnE;AAEA,MAAA,IAAI,KAAK,YAAA,EAAc;AACtB,QAAA,MAAM,YAAA,GAAe,IAAA,CAAK,yBAAA,CAA0B,IAAA,CAAK,YAAY,CAAA;AACrE,QAAA,gBAAA,IAAoB;AAAA,gBAAA,EAAqB,YAAY,CAAA,4CAAA,CAAA;AAAA,MACtD;AAEA,MAAA,YAAA,GAAe,OACd,MACA,MAAA,KACI;AACJ,QAAA,MAAM,QAAA,GAAW,mBAAA;AACjB,QAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,CAAA,IAAK;AAAA,UACnD,QAAA,EAAU,CAAA;AAAA,UACV,WAAA,EAAa;AAAA,SACd;AAEA,QAAA,IACC,KAAA,CAAM,YAAY,IAAA,CAAK,kBAAA,IACvB,MAAM,KAAA,CAAM,WAAA,GAAc,KAAK,oBAAA,EAC9B;AACD,UAAA,OAAO;AAAA,YACN,OAAA,EAAS;AAAA,cACR;AAAA,gBACC,IAAA,EAAM,MAAA;AAAA,gBACN,IAAA,EAAM;AAAA;AACP,aACD;AAAA,YACA,OAAA,EAAS;AAAA,WACV;AAAA,QACD;AAEA,QAAA,MAAM,eAAgB,IAAA,CACpB,OAAA;AACF,QAAA,MAAM,WAAA,GACJ,KAAiC,uBAAA,KAA4B,IAAA;AAE/D,QAAA,MAAM,WAAA,GAAcD,QAClB,UAAA,CAAW,QAAQ,EACnB,MAAA,CAAO,YAAY,CAAA,CACnB,MAAA,CAAO,KAAK,CAAA;AACd,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,YAAA,CAAa,YAAY,CAAA;AAC5C,QAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA;AAE9C,QAAA,IACC,CAAC,WAAA,IACD,MAAA
,IACA,MAAM,MAAA,CAAO,SAAA,GAAY,KAAK,YAAA,EAC7B;AAED,UAAA,IAAI,KAAA,EAAO;AACV,YAAC,KAAiC,OAAA,GAAU,KAAA;AAG5C,YAAA,MAAM,kBAAkB,IAAA,CAAK,kBAAA;AAAA,cAC5B,IAAA;AAAA,cACA,KAAA;AAAA,cACA,MAAA;AAAA,cACA;AAAA,aACD;AACA,YAAA,IAAI,eAAA,EAAiB;AACpB,cAAA,OAAO;AAAA,gBACN,SAAS,CAAC,EAAE,MAAM,MAAA,EAAQ,IAAA,EAAM,iBAAiB,CAAA;AAAA,gBACjD,OAAA,EAAS;AAAA,eACV;AAAA,YACD;AACA,YAAA,OAAO,MAAM,IAAA,CAAK,mBAAA,CAAoB,IAAA,EAAM,OAAO,IAAI,CAAA;AAAA,UACxD;AAAA,QACD;AAEA,QAAA,IAAI,CAAC,KAAA,EAAO;AACX,UAAA,KAAA,CAAM,QAAA,EAAA;AACN,UAAA,KAAA,CAAM,WAAA,GAAc,GAAA;AACpB,UAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA;AACxC,UAAA,OAAO;AAAA,YACN,OAAA,EAAS;AAAA,cACR;AAAA,gBACC,IAAA,EAAM,MAAA;AAAA,gBACN,IAAA,EAAM;AAAA;AACP,aACD;AAAA,YACA,OAAA,EAAS;AAAA,WACV;AAAA,QACD;AAEA,QAAA,IAAI;AAGH,UAAA,MAAME,SAAQ,IAAA,CAAK,YAAA;AAAA,YACjB,IAAA,CAAiC;AAAA,WACnC;AAEA,UAAC,KAAiC,OAAA,GAAUA,MAAAA;AAG5C,UAAA,MAAM,kBAAkB,IAAA,CAAK,kBAAA;AAAA,YAC5B,IAAA;AAAA,YACAA,MAAAA;AAAA,YACA,MAAA;AAAA,YACA;AAAA,WACD;AACA,UAAA,IAAI,eAAA,EAAiB;AACpB,YAAA,KAAA,CAAM,QAAA,EAAA;AACN,YAAA,KAAA,CAAM,WAAA,GAAc,GAAA;AACpB,YAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA;AACxC,YAAA,OAAO;AAAA,cACN,SAAS,CAAC,EAAE,MAAM,MAAA,EAAQ,IAAA,EAAM,iBAAiB,CAAA;AAAA,cACjD,OAAA,EAAS;AAAA,aACV;AAAA,UACD;AAEA,UAAA,MAAM,SAAS,MAAM,IAAA,CAAK,mBAAA,CAAoB,IAAA,EAAMA,QAAO,IAAI,CAAA;AAE/D,UAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,YAAA,IAAA,CAAK,eAAA,CAAgB,IAAI,QAAA,EAAU;AAAA,cAClC,QAAA,EAAU,CAAA;AAAA,cACV,WAAA,EAAa;AAAA,aACb,CAAA;AACD,YAAA,IAAA,CAAK,UAAA,CAAW,IAAI,WAAA,EAAa;AAAA,cAChC,IAAA,EAAM,WAAA;AAAA,cACN,SAAA,EAAW;AAAA,aACX,CAAA;AAAA,UACF,CAAA,MAAO;AACN,YAAA,KAAA,CAAM,QAAA,EAAA;AACN,YAAA,KAAA,CAAM,WAAA,GAAc,GAAA;AACpB,YAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA;AAAA,UACzC;AAEA,UAAA,OAAO,MAAA;AAAA,QACR,SAAS,KAAA,EAAgB;AACxB,UAAA,MAAM,CAAA,GAAI,KAAA;AACV,UAAA,KAAA,CAAM,QAAA,EAAA;AACN,UAAA,KAAA,CAAM,WAAA,GAAc,GAAA;AACpB,UAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA;AACxC,UAAA,OAAO;AAAA,YACN,OAAA,EAAS;AAAA,cACR,EAAE,IAAA,EAAM,MAAA,EAAQ
,MAAM,CAAA,2BAAA,EAA8B,CAAA,CAAE,OAAO,CAAA,CAAA;AAAG,aACjE;AAAA,YACA,OAAA,EAAS;AAAA,WACV;AAAA,QACD;AAAA,MACD,CAAA;AAAA,IACD;AAEA,IAAA,MAAM,WAAA,GAAc;AAAA,MACnB,IAAA,EAAM,QAAA;AAAA,MACN,UAAA,EAAa,eAAA,CAA4C,UAAA,IAAc,EAAC;AAAA,MACxE,UAAW,eAAA,CAA4C;AAAA,KACxD;AAEA,IAAA,IAAA,CAAK,KAAA,CAAM,IAAI,IAAA,EAAM;AAAA,MACpB,IAAA,EAAM,EAAE,IAAA,EAAM,WAAA,EAAa,kBAAkB,WAAA,EAAY;AAAA,MACzD,OAAA,EAAS,YAAA;AAAA,MACT,MAAA;AAAA,MACA;AAAA,KACA,CAAA;AAGD,IAAA,IAAI,KAAK,QAAA,EAAU;AAClB,MAAA,IAAA,CAAK,SAAS,kBAAA,CAAmB,IAAI,CAAA,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AACrD,QAAA,GAAA,CAAI,IAAA;AAAA,UACH,CAAA,yCAAA,EAA4C,IAAI,CAAA,EAAA,EAAK,GAAA,CAAI,OAAO,CAAA;AAAA,SACjE;AAAA,MACD,CAAC,CAAA;AAAA,IACF;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKO,MAAA,CACN,IAAA,EACA,WAAA,EACA,IAAA,EACA,OAAA,EAGO;AACP,IAAA,IAAI,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,EAAG;AAC3B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,2BAAA,EAA8B,IAAI,CAAA,CAAE,CAAA;AAAA,IACrD;AACA,IAAA,IAAA,CAAK,OAAA,CAAQ,IAAI,IAAA,EAAM;AAAA,MACtB,MAAA,EAAQ,EAAE,IAAA,EAAM,WAAA,EAAa,WAAW,IAAA,EAAK;AAAA,MAC7C;AAAA,KACA,CAAA;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKO,sBAAA,GAA+B;AACrC,IAAA,IAAA,CAAK,MAAA;AAAA,MACJ,oBAAA;AAAA,MACA,yKAAA;AAAA,MACA,EAAC;AAAA,MACD,CAAC,QAAA,KAAa;AACb,QAAA,OAAO;AAAA,UACN,WAAA,EAAa,iCAAA;AAAA,UACb,QAAA,EAAU;AAAA,YACT;AAAA,cACC,IAAA,EAAM,MAAA;AAAA,cACN,OAAA,EAAS;AAAA,gBACR,IAAA,EAAM,MAAA;AAAA,gBACN,IAAA,EAAM,CAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kJAAA,EAuBX,KAAK,YAAA,GACF;;AAAA;AAAA,EAA0C,IAAA,CAAK,UAAU,IAAA,CAAK,YAAA,EAAc,MAAM,CAAC,CAAC,KACpF,EACJ;;AAAA,yDAAA;AAAA;AAGK;AACD;AACD,SACD;AAAA,MACD;AAAA,KACD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKO,QAAA,CACN,IAAA,EACA,GAAA,EACA,WAAA,EACA,UACA,OAAA,EACO;AACP,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,GAAG,CAAA,EAAG;AAC5B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AAAA,IAC1D;AACA,IAAA,IAAA,CAAK,SAAA,CAAU,IAAI,GAAA,EAAK,EAAE,MAAM,GAAA,EAAK,WAAA,EAAa,QAAA,EAAU,OAAA,EAAS,CAAA;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAAA,GAAmC;AAC1C,IAAA,
OAAO;AAAA,MACN,mCAAA;AAAA,MACA,mCAAA;AAAA,MACA,EAAA;AAAA,MACA,2CAAA;AAAA,MACA,uJAAA;AAAA,MACA,gHAAA;AAAA,MACA,2GAAA;AAAA,MACA,EAAA;AAAA,MACA,6BAAA;AAAA,MACA,uJAAA;AAAA,MACA,yFAAA;AAAA,MACA,EAAA;AAAA,MACA,mCAAA;AAAA,MACA,0IAAA;AAAA,MACA,mJAAA;AAAA,MACA,oFAAA;AAAA,MACA,mDAAA;AAAA,MACA,EAAA;AAAA,MACA,0BAAA;AAAA,MACA,2GAAA;AAAA,MACA;AAAA,KACD,CAAE,KAAK,IAAI,CAAA;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA,EAKO,eACN,MAAA,EACA,IAAA,GAAe,kCACf,GAAA,GAAc,sBAAA,EACd,cAAsB,sEAAA,EACf;AAEP,IAAA,MAAA,CAAO,QAAA,GACN,gVAAA;AAED,IAAA,IAAA,CAAK,YAAA,GAAe,MAAA;AAIpB,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,yBAAA,CAA0B,MAAM,CAAA;AAC1D,IAAA,KAAA,MAAW,CAAC,QAAA,EAAU,KAAK,KAAK,IAAA,CAAK,KAAA,CAAM,SAAQ,EAAG;AACrD,MAAA,IACC,MAAM,MAAA,CAAO,KAAA,CAAM,WACnB,KAAA,CAAM,MAAA,CAAO,MAAM,OAAA,YAAmB,CAAA,CAAE,aACxC,KAAA,CAAM,IAAA,CAAK,eACX,CAAC,KAAA,CAAM,KAAK,WAAA,CAAY,QAAA,CAAS,iBAAiB,CAAA,EACjD;AACD,QAAA,KAAA,CAAM,KAAK,WAAA,IAAe;AAAA,gBAAA,EAAqB,YAAY,2BAA2B,GAAG,CAAA,+CAAA,CAAA;AACzF,QAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA;AAAA,MAC/B;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,0BAA0B,CAAA,EAAG;AACpD,MAAA,IAAA,CAAK,QAAA;AAAA,QACJ,2BAAA;AAAA,QACA,0BAAA;AAAA,QACA,kFAAA;AAAA,QACA,YAAA;AAAA,QACA,MAAM,OAAA,CAAQ,OAAA,CAAQ,IAAA,CAAK,0BAA0B;AAAA,OACtD;AAAA,IACD;AAEA,IAAA,IAAA,CAAK,QAAA;AAAA,MACJ,IAAA;AAAA,MACA,GAAA;AAAA,MACA,WAAA;AAAA,MACA,kBAAA;AAAA,MACA,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,IAAA,EAAM,CAAC;AAAA,KAC/B;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKO,aAAA,GAAsB;AAC5B,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AACtB,IAAA,GAAA,CAAI,KAAK,iDAAiD,CAAA;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,uBAAuB,QAAA,EAAyC;AACvE,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAW,IAAA,CAAK,gBAAA;AACtB,IAAA,MAAM,eAAe,IAAA,CAAK,oBAAA;AAE1B,IAAA,MAAM,SAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAQ,KAAK,EAAC;AAEtD,IAAA,MAAM,SAAS,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,KAAM,GAAA,GAAM,IAAI,QAAQ,CAAA;AAEtD,IAAA,IAAI,MAAA,CAAO,UAAU,YAAA,EAAc;AAClC,MAAA,MAAM,aAAA,GAAgB,KAAK,IAAA,CAAA,CAAM,MAAA,CAAO,CAAC,CAAA,GAAI,QAAA,GAAW,OAAO,GAAI,CAAA;AACnE,MAAA
,OAAO;AAAA,QACN,OAAA,EAAS;AAAA,UACR;AAAA,YACC,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EACC,wCAAwC,QAAQ,CAAA,MAAA,EACzC,YAAY,CAAA,KAAA,EAAQ,QAAA,GAAW,GAAI,CAAA,sBAAA,EAC3B,aAAa,CAAA,EAAA;AAAA;AAC9B,SACD;AAAA,QACA,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AAEA,IAAA,MAAA,CAAO,KAAK,GAAG,CAAA;AACf,IAAA,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AACzC,IAAA,OAAO,IAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,oBAAA,GAA8C;AACrD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAW,IAAA,CAAK,gBAAA;AACtB,IAAA,MAAM,YAAY,IAAA,CAAK,sBAAA;AAEvB,IAAA,IAAA,CAAK,gBAAA,GAAmB,KAAK,gBAAA,CAAiB,MAAA;AAAA,MAC7C,CAAC,CAAA,KAAM,GAAA,GAAM,CAAA,GAAI;AAAA,KAClB;AAEA,IAAA,IAAI,IAAA,CAAK,gBAAA,CAAiB,MAAA,IAAU,SAAA,EAAW;AAC9C,MAAA,MAAM,gBAAgB,IAAA,CAAK,IAAA;AAAA,QAAA,CACzB,IAAA,CAAK,gBAAA,CAAiB,CAAC,CAAA,GAAI,WAAW,GAAA,IAAO;AAAA,OAC/C;AACA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS;AAAA,UACR;AAAA,YACC,IAAA,EAAM,MAAA;AAAA,YACN,MACC,CAAA,mDAAA,EACO,SAAS,oBAAoB,QAAA,GAAW,GAAI,yBACpC,aAAa,CAAA,EAAA;AAAA;AAC9B,SACD;AAAA,QACA,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AAEA,IAAA,IAAA,CAAK,gBAAA,CAAiB,KAAK,GAAG,CAAA;AAC9B,IAAA,OAAO,IAAA;AAAA,EACR;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,QAAA,CACZ,OAAA,EACA,QAAA,GAAW,cAAA,EACe;AAC1B,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,QAAQ,IAAI,CAAA;AACzC,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmB,OAAA,CAAQ,IAAI,CAAA,CAAE,CAAA;AAAA,IAClD;AAGA,IAAA,MAAM,iBAAA,GAAoB,KAAK,oBAAA,EAAqB;AACpD,IAAA,IAAI,mBAAmB,OAAO,iBAAA;AAC9B,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,sBAAA,CAAuB,OAAA,CAAQ,IAAI,CAAA;AAChE,IAAA,IAAI,iBAAiB,OAAO,eAAA;AAE5B,IAAA,IAAI;AAEH,MAAA,MAAM,aAAa,KAAA,CAAM,MAAA,CAAO,MAAM,OAAA,CAAQ,SAAA,IAAa,EAAE,CAAA;AAG7D,MAAA,IACE,OAAA,CAAQ,SAAA,EACN,uBAAA,KAA4B,IAAA,EAC9B;AACD,QAAC,WAAuC,uBAAA,GAA0B,IAAA;AAAA,MACnE;AAGA,MAAA,IACC,UAAA,IACA,OAAQ,UAAA,CAAuC,OAAA,KAAY,QAAA,EAC1D;AACD,QAAA,MAAM,UAAW,UAAA,CACf,OAAA;AACF,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AACvC,QAAA,IAAI,KAAA,EAAO;AACV,UAAA,MAAM,kBAAkB,IAAA,CAAK,kBAAA;AAAA,YAC5B,OAAA,CAAQ,IAAA;AAAA,YACR,KAAA;AAAA,YACA,KAAA,CAA
M,MAAA;AAAA,YACN;AAAA,WACD;AACA,UAAA,IAAI,eAAA,EAAiB;AACpB,YAAA,OAAO;AAAA,cACN,SAAS,CAAC,EAAE,MAAM,MAAA,EAAQ,IAAA,EAAM,iBAAiB,CAAA;AAAA,cACjD,OAAA,EAAS;AAAA,aACV;AAAA,UACD;AACA,UAAC,WAAuC,OAAA,GAAU,KAAA;AAClD,UAAA,OAAO,MAAM,IAAA,CAAK,mBAAA;AAAA,YACjB,UAAA;AAAA,YACA,KAAA;AAAA,YACA,OAAA,CAAQ;AAAA,WACT;AAAA,QACD;AAAA,MACD;AAEA,MAAA,MAAM,SAAS,MAAM,KAAA,CAAM,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA;AACjD,MAAA,OAAO,MAAA;AAAA,IACR,SAAS,KAAA,EAAgB;AACxB,MAAA,MAAM,CAAA,GAAI,KAAA;AACV,MAAA,IAAI,CAAA,YAAa,EAAE,QAAA,EAAU;AAC5B,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,CAAC,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAM,CAAA,kBAAA,EAAqB,CAAA,CAAE,OAAO,CAAA,CAAA,EAAI,CAAA;AAAA,UAClE,OAAA,EAAS;AAAA,SACV;AAAA,MACD;AACA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS;AAAA,UACR,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAM,CAAA,0BAAA,EAA6B,CAAA,CAAE,OAAO,CAAA,CAAA;AAAG,SAChE;AAAA,QACA,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKO,SAAA,GAAoB;AAC1B,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAI,CAAA;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA,EAKO,WAAA,GAAwB;AAC9B,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,MAAM,CAAA;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,UAAU,OAAA,EAAqD;AAC3E,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAQ,IAAI,CAAA;AAC3C,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kBAAA,EAAqB,OAAA,CAAQ,IAAI,CAAA,CAAE,CAAA;AAAA,IACpD;AACA,IAAA,OAAO,MAAM,KAAA,CAAM,OAAA,CAAQ,OAAO,CAAA;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAKO,aAAA,GAA4B;AAClC,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,aAAa,GAAA,EAEvB;AACF,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,GAAA,CAAI,GAAG,CAAA;AACvC,IAAA,IAAI,CAAC,QAAA,EAAU;AACd,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuB,GAAG,CAAA,CAAE,CAAA;AAAA,IAC7C;AAEA,IAAA,IAAI,IAAA,GAAO,yBAAA;AACX,IAAA,IAAI,OAAO,QAAA,CAAS,OAAA,KAAY,UAAA,EAAY;AAC3C,MAAA,IAAA,GAAO,MAAM,SAAS,OAAA,EAAQ;AAAA,IAC/B,CAAA,MAAA,IAAW,OAAO,QAAA,CAAS,OAAA,KAAY,QAAA,EAAU;AAChD
,MAAA,IAAA,GAAO,QAAA,CAAS,OAAA;AAAA,IACjB,CAAA,MAAA,IAAW,SAAS,WAAA,EAAa;AAChC,MAAA,IAAA,GAAO,QAAA,CAAS,WAAA;AAAA,IACjB;AAEA,IAAA,OAAO;AAAA,MACN,QAAA,EAAU;AAAA,QACT;AAAA,UACC,KAAK,QAAA,CAAS,GAAA;AAAA,UACd,QAAA,EAAU,SAAS,QAAA,IAAY,YAAA;AAAA,UAC/B;AAAA;AACD;AACD,KACD;AAAA,EACD;AAAA,EAEO,aAAA,GAA4B;AAClC,IAAA,OAAO,IAAA,CAAK,UAAA;AAAA,EACb;AAAA,EAEO,WAAA,GAA+B;AACrC,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKO,eAAe,OAAA,EAAoC;AACzD,IAAA,IAAA,CAAK,cAAA,GAAiB,OAAA;AAAA,EACvB;AAAA,EAEO,YAAA,GAA8B;AACpC,IAAA,OAAO,IAAA,CAAK,SAAA;AAAA,EACb;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,aAAA,CACZ,OAAA,GAOI,EAAC,EACW;AAChB,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,GAAA,CAAI,cAAA,GACzB,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,cAAA,EAAgB,EAAE,CAAA,GAC9C,MAAA;AACH,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,IAAA,IAAQ,OAAA,IAAW,KAAA;AAGxC,IAAA,MAAM,kBAAA,GAAqB,mBAAA;AAC3B,IAAA,IACC,IAAA,CAAK,QAAQ,SAAA,IACb,CAAC,mBAAmB,IAAA,CAAK,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA,EAC7C;AACD,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,mBAAA,EAAsB,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA,8FAAA;AAAA,OAC5C;AAAA,IACD;AAGA,IAAA,IAAA,CAAK,QAAA,GAAW,IAAI,QAAA,CAAS,OAAA,CAAQ,UAAU,CAAA;AAC/C,IAAA,MAAM,IAAA,CAAK,SAAS,KAAA,EAAM;AAI1B,IAAA,MAAM,cAAc,IAAA,CAAK,QAAA;AACzB,IAAA,IAAA,CAAK,QAAA,CAAS,wBAAwB,MAAoB;AACzD,MAAA,MAAM,QAAQ,IAAA,CAAK,SAAA,EAAU,CAAE,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QAC1C,MAAM,CAAA,CAAE,IAAA;AAAA,QACR,aAAa,CAAA,CAAE,WAAA;AAAA,QACf,aAAa,CAAA,CAAE;AAAA,OAChB,CAAE,CAAA;AAEF,MAAA,MAAM,SAAA,GAAY,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QACjE,MAAM,CAAA,CAAE,IAAA;AAAA,QACR,KAAK,CAAA,CAAE,GAAA;AAAA,QACP,aAAa,CAAA,CAAE,WAAA;AAAA,QACf,UAAU,CAAA,CAAE,QAAA;AAAA,QACZ,MAAM,OAAO,CAAA,CAAE,YAAY,QAAA,GAAW,CAAA,CAAE,UAAU,CAAA,CAAE;AAAA,OACrD,CAAE,CAAA;AAEF,MAAA,OAAO;AAAA,QACN,MAAA,EAAQ,YAAY,SAAA,EAAU;AAAA,QAC9B,QAAA,EAAU,IAAA;AAAA,QACV,KAAA;AAAA,QACA,SAAA;AAAA,QACA,YAAY,IAAA,CAAK,UAAA;AAAA,QACjB,YAAA,EAAc,KAAK,YAAA,KAAiB,MAAA;AAAA,QACpC,SAAA,EAAW,KAAK,MAAA,EAAQ,SAAA;AAAA,QACxB,QAAA,EAAU,IAAA,CAAK,MAAA,EAAQ,QAAA,GACpB;AAAA,UA
CA,MAAA,EAAQ,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,MAAA,IAAU,gBAAA;AAAA,UACvC,aAAA,EAAe,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,aAAA,IAAiB,CAAA;AAAA,UACrD,cAAA,EAAgB,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,kBAAkB;AAAC,SACzD,GACC;AAAA,OACJ;AAAA,IACD,CAAC,CAAA;AAGD,IAAA,KAAA,MAAW,IAAA,IAAQ,IAAA,CAAK,SAAA,EAAU,EAAG;AACpC,MAAA,MAAM,IAAA,CAAK,SAAS,kBAAA,CAAmB,IAAA,CAAK,IAAI,CAAA,CAAE,KAAA,CAAM,IAAI,IAAI,CAAA;AAAA,IACjE;AAGA,IAAA,MAAM,KAAK,QAAA,CAAS,gBAAA,EAAiB,CAAE,KAAA,CAAM,IAAI,IAAI,CAAA;AAGrD,IAAA,IAAA,CAAK,SAAA,GAAY,IAAI,aAAA,EAAc;AAEnC,IAAA,IAAA,CAAK,UAAU,UAAA,CAAW;AAAA,MACzB,eAAA,EAAiB,CAAC,IAAA,EAAM,QAAA,KAAa;AACpC,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,GAAA,CAAI,IAAA;AAAA,UACH,CAAA,8CAAA,EAAiD,QAAQ,eAAe,CAAA;AAAA,SACzE;AAEA,QAAA,IAAI,KAAK,YAAA,EAAc;AACtB,UAAA,MAAM,aAAa,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,eAAe,EAAE,CAAC,CAAA;AAGvD,UAAA,IAAI,CAAC,UAAA,EAAY;AAChB,YAAA,QAAA,CAAS;AAAA,cACR,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,cAClB,OAAA,EAAS;AAAA,aACT,CAAA;AACD,YAAA;AAAA,UACD;AAEA,UAAA,MAAM,KAAA,GAAQ,WAAW,UAAA,CAAW,SAAS,IAC1C,UAAA,CAAW,KAAA,CAAM,CAAC,CAAA,GAClB,UAAA;AAGH,UAAA,MAAM,SAAA,GAAYF,OAAAA,CAChB,UAAA,CAAW,QAAQ,CAAA,CACnB,MAAA,CAAO,KAAK,CAAA,CACZ,MAAA,CAAO,KAAK,CAAA,CACZ,WAAA,EAAY;AAGd,UAAA,IAAA,CAAK,kBAAA,EAAmB;AACxB,UAAA,IAAI,IAAA,CAAK,kBAAA,CAAmB,GAAA,CAAI,SAAS,CAAA,EAAG;AAC3C,YAAA,QAAA,CAAS;AAAA,cACR,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,cAClB,OAAA,EAAS;AAAA,aACT,CAAA;AACD,YAAA;AAAA,UACD;AAGA,UAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,MAAA,EAAQ,IAAA,EAAM,cAAA;AAC1C,UAAA,MAAM,kBAAA,GAAqB,mCAAA;AAE3B,UAAA,IAAI,cAAA,EAAgB;AACnB,YAAA,IAAI,UAAU,cAAA,EAAgB;AAC7B,cAAA,GAAA,CAAI,IAAA;AAAA,gBACH,iEAAiE,cAAc,CAAA;AAAA,eAChF;AACA,cAAA,OAAO,qBAAwB,CAAA,CAAE,IAAA;AAAA,gBAChC,OAAO,EAAE,eAAA,EAAgB,KAAM;AAC9B,kBAAA,MAAM,EAAE,SAAA,EAAW,SAAA,EAAU,GAC5B,MAAM,gBAAgB,eAAA,EAAgB;AAEvC,kBAAA,MAAM,YAAA,GAAeA,QAAO,UAAA,EAAW;AAEvC,kBAAA,IAAA,CAAK,QAAA,CAAS,IAAI,YAAA,EAAc;AAAA,oBAC/B,iBAAiB,OAAA,CAAQ,eAAA;AAAA,oBACzB,QAAA,EAAU,SAAA;AAAA,oBACV,WAAW,OAAA,CAAQ,SAAA;AAAA,oBACnB;AAAA,mBACA,CAAA;AAED,kBAAA,QAAA,CAAS,IAAA,EAAM;AAAA,oBACd,
QAAA,EAAU,IAAA;AAAA,oBACV,aAAA,EAAe,YAAA;AAAA,oBACf,aAAA,EAAe,EAAA;AAAA,oBACf,gBAAA,EAAkB;AAAA,mBAClB,CAAA;AAAA,gBACF;AAAA,eACD;AACA,cAAA;AAAA,YACD;AAGA,YAAA,QAAA,CAAS;AAAA,cACR,MAAW,KAAA,CAAA,MAAA,CAAO,iBAAA;AAAA,cAClB,SACC,KAAA,IAAS,kBAAA,CAAmB,IAAA,CAAK,KAAK,IACnC,0FAAA,GACA;AAAA,aACJ,CAAA;AACD,YAAA;AAAA,UACD;AAEA,UAAA,IAAA,CAAK,aACH,QAAA,CAAS,KAAK,CAAA,CACd,IAAA,CAAK,CAAC,QAAA,KAAa;AACnB,YAAA,MAAM,UAAA,GAAa,gBAAA,CAAiB,YAAA,EAAc,QAAQ,CAAA;AAC1D,YAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACxB,cAAA,QAAA,CAAS;AAAA,gBACR,MAAW,KAAA,CAAA,MAAA,CAAO,iBAAA;AAAA,gBAClB,OAAA,EAAS,WAAW,MAAA,IAAU;AAAA,eAC9B,CAAA;AACD,cAAA;AAAA,YACD;AAEA,YAAA,OAAO,qBAAwB,CAAA,CAAE,IAAA;AAAA,cAChC,OAAO,EAAE,eAAA,EAAgB,KAAM;AAC9B,gBAAA,MAAM,EAAE,SAAA,EAAW,SAAA,EAAU,GAC5B,MAAM,gBAAgB,eAAA,EAAgB;AAEvC,gBAAA,MAAM,YAAA,GAAeA,QAAO,UAAA,EAAW;AAEvC,gBAAA,IAAA,CAAK,QAAA,CAAS,IAAI,YAAA,EAAc;AAAA,kBAC/B,iBAAiB,OAAA,CAAQ,eAAA;AAAA,kBACzB,QAAA,EAAU,SAAA;AAAA,kBACV,WAAW,OAAA,CAAQ,SAAA;AAAA,kBACnB;AAAA,iBACA,CAAA;AAED,gBAAA,QAAA,CAAS,IAAA,EAAM;AAAA,kBACd,QAAA,EAAU,IAAA;AAAA,kBACV,aAAA,EAAe,YAAA;AAAA,kBACf,aAAA,EAAe,EAAA;AAAA,kBACf,gBAAA,EAAkB;AAAA,iBAClB,CAAA;AAAA,cACF;AAAA,aACD;AAAA,UACD,CAAC,CAAA,CACA,KAAA,CAAM,CAAC,GAAA,KAAQ;AACf,YAAA,QAAA,CAAS;AAAA,cACR,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,cAClB,OAAA,EAAS,CAAA,mBAAA,EAAsB,GAAA,CAAI,OAAO,CAAA;AAAA,aAC1C,CAAA;AAAA,UACF,CAAC,CAAA;AAAA,QACH,CAAA,MAAO;AACN,UAAA,OAAO,qBAAwB,CAAA,CAAE,IAAA,CAAK,OAAO,EAAE,iBAAgB,KAAM;AACpE,YAAA,MAAM,EAAE,SAAA,EAAW,SAAA,EAAU,GAC5B,MAAM,gBAAgB,eAAA,EAAgB;AAEvC,YAAA,MAAM,YAAA,GAAeA,QAAO,UAAA,EAAW;AAEvC,YAAA,IAAA,CAAK,QAAA,CAAS,IAAI,YAAA,EAAc;AAAA,cAC/B,iBAAiB,OAAA,CAAQ,eAAA;AAAA,cACzB,QAAA,EAAU,SAAA;AAAA,cACV,WAAW,OAAA,CAAQ;AAAA,aACnB,CAAA;AAED,YAAA,QAAA,CAAS,IAAA,EAAM;AAAA,cACd,QAAA,EAAU,IAAA;AAAA,cACV,aAAA,EAAe,YAAA;AAAA,cACf,aAAA,EAAe,EAAA;AAAA,cACf,gBAAA,EAAkB;AAAA,aAClB,CAAA;AAAA,UACF,CAAC,CAAA;AAAA,QACF;AAAA,MACD,CAAA;AAAA,MACA,YAAA,EAAc,OACb,IAAA,KACI;AACJ,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,GAAA,CAAI,IAAA;AAAA,UACH,CAAA,kDAAA,EAAqD,
QAAQ,aAAa,CAAA;AAAA,SAC3E;AAEA,QAAA,MAAM,UAAU,YAAY;AAC3B,UAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,aAAa,CAAA;AACvD,UAAA,IAAI,CAAC,OAAA,EAAS;AACb,YAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,cAClB,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,cAClB,OAAA,EAAS;AAAA,aACT,CAAA;AACD,YAAA;AAAA,UACD;AAGA,UAAA,IAAI,QAAQ,SAAA,EAAW;AACtB,YAAA,IAAA,CAAK,kBAAA,EAAmB;AACxB,YAAA,IAAI,IAAA,CAAK,kBAAA,CAAmB,GAAA,CAAI,OAAA,CAAQ,SAAS,CAAA,EAAG;AACnD,cAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,gBAClB,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,gBAClB,OAAA,EAAS;AAAA,eACT,CAAA;AACD,cAAA;AAAA,YACD;AAAA,UACD;AAGA,UAAA,MAAM,WAAW,OAAA,CAAQ,eAAA;AACzB,UAAA,MAAM,UAAU,QAAA,GAAW,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,QAAQ,CAAA,GAAI,MAAA;AACtD,UAAA,MAAM,aAAa,OAAA,EAAS,MAAA;AAG5B,UAAA,IAAI;AACH,YAAA,MAAM,GAAA,GAAM,MAAM,cAAA,EAAe;AACjC,YAAA,MAAM,eAAe,GAAA,CAAI,KAAA;AAAA,cACxB,IAAI,UAAA,CAAW,OAAA,CAAQ,cAAc,CAAA;AAAA,cACrC,OAAA,CAAQ;AAAA,aACT;AACA,YAAA,MAAM,MAAA,GAAS,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA;AAEvC,YAAA,MAAM,UAAA,GAAa,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAClD,YAAA,MAAM,OAAA,GAAU,UAAA,CAAW,QAAA,CAAS,CAAA,EAAG,CAAA;AACvC,YAAA,MAAM,aAAA,GAAgB,UAAA,CAAW,QAAA,CAAS,CAAA,EAAG,CAAA,EAAG,CAAA;AAEhD,YAAA,MAAM,WAAWA,OAAAA,CAAO,gBAAA;AAAA,cACvB,aAAA;AAAA,cACA,MAAA;AAAA,cACA,OAAO,IAAA,CAAK,OAAA,CAAQ,aAAa,IAAI,UAAA,CAAW,EAAE,CAAC;AAAA,aACpD;AACA,YAAA,QAAA,CAAS,WAAW,OAAO,CAAA;AAC3B,YAAA,IAAI,SAAA,GAAY,QAAA,CAAS,MAAA,CAAO,aAAa,CAAA;AAC7C,YAAA,SAAA,GAAY,OAAO,MAAA,CAAO,CAAC,WAAW,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA;AAEvD,YAAA,MAAM,gBAAA,GAAmB,SAAA,CAAU,QAAA,CAAS,OAAO,CAAA;AACnD,YAAA,MAAM,QACL,IAAA,CAAK,YAAA,CAAa,gBAAgB,CAAA,IAAK,iBAAiB,IAAA,EAAK;AAE9D,YAAA,MAAM,kBAAkB,IAAA,CAAK,kBAAA;AAAA,cAC5B,QAAA,IAAY,cAAA;AAAA,cACZ,KAAA;AAAA,cACA,UAAA;AAAA,cACA,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,aAC9B;AAEA,YAAA,IAAI,eAAA,EAAiB;AACpB,cAAA,GAAA,CAAI,IAAA,CAAK,CAAA,8BAAA,EAAiC,eAAe,CAAA,CAAE,CAAA;AAC3D,cAAA,MAAM,aAAA,GAA+B;AAAA,gBACpC,iBAAA,EAAmB,eAAA;AAAA,gBACnB,mBAAA,EAAqB,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,gBACnC,UAAA,EAAY,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,gBAC1B,QAAA
,EAAU;AAAA,eACX;AACA,cAAA,IAAA,CAAK,KAAA,CAAM,eAAe,MAAM;AAC/B,gBAAA,IAAA,CAAK,GAAA,EAAI;AAAA,cACV,CAAC,CAAA;AACD,cAAA;AAAA,YACD;AAAA,UACD,SAAS,eAAA,EAA0B;AAClC,YAAA,MAAM,WACL,eAAA,YAA2B,KAAA,GACxB,eAAA,CAAgB,OAAA,GAChB,OAAO,eAAe,CAAA;AAC1B,YAAA,GAAA,CAAI,KAAA,CAAM,CAAA,wCAAA,EAA2C,QAAQ,CAAA,CAAE,CAAA;AAC/D,YAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,cAClB,MAAW,KAAA,CAAA,MAAA,CAAO,QAAA;AAAA,cAClB,OAAA,EAAS,oCAAoC,QAAQ,CAAA;AAAA,aACrD,CAAA;AACD,YAAA;AAAA,UACD;AAEA,UAAA,IAAI;AAEH,YAAA,MAAM,WAAW,UAAA,GACd;AAAA,cACA,OAAA,EAAS,WAAW,SAAA,IAAa,CAAA;AAAA,cACjC,WAAA,EAAa,WAAW,aAAA,IAAiB,CAAA;AAAA,cACzC,qBAAA,EACC,WAAW,uBAAA,IAA2B;AAAA,aACxC,GACC,KAAA,CAAA;AAGH,YAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI;AAAA,cAChD,YAAY,OAAA,CAAQ,cAAA;AAAA,cACpB,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA;AAAA,cACzC,YAAY,OAAA,CAAQ,WAAA;AAAA,cACpB,QAAQ,OAAA,CAAQ,MAAA;AAAA,cAChB,UAAU,OAAA,CAAQ,SAAA;AAAA,cAClB,SAAS,IAAA,CAAK,cAAA;AAAA,cACd,cAAc,OAAA,CAAQ,aAAA;AAAA,cACtB,WAAA,EAAa,IAAA;AAAA,cACb;AAAA;AAAA,aACA,CAAA;AAED,YAAA,MAAM,qBAAA,GAAwB,cAAA,CAAe,cAAA,CAAe,MAAM,CAAA;AAElE,YAAA,IAAI,WAAA;AACJ,YAAA,IAAI,gBAAA,GAA4B,qBAAA;AAChC,YAAA,IAAI;AACH,cAAA,WAAA,GACC,OAAO,qBAAA,KAA0B,QAAA,GAC9B,qBAAA,GACA,IAAA,CAAK,UAAU,qBAAqB,CAAA;AAGxC,cAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,WAAW,CAAA;AACtC,cAAA,IAAI,QAAQ,iBAAA,EAAmB;AAC9B,gBAAA,GAAA,CAAI,IAAA;AAAA,kBACH,CAAA,mCAAA,EAAsC,QAAQ,iBAAiB,CAAA;AAAA,iBAChE;AACA,gBAAA,MAAM,QAAA,GAAW,QAAQ,SAAA,IAAa,gBAAA;AACtC,gBAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,QAAA;AAAA,kBAC7B;AAAA,oBACC,MAAM,OAAA,CAAQ,iBAAA;AAAA,oBACd,SAAA,EAAW,OAAA,CAAQ,iBAAA,IAAqB;AAAC,mBAC1C;AAAA,kBACA;AAAA,iBACD;AAEA,gBAAA,IAAI,WAAW,OAAA,EAAS;AACvB,kBAAA,GAAA,CAAI,IAAA;AAAA,oBACH,CAAA,wCAAA,EAA2C,UAAA,CAAW,OAAA,CAAQ,CAAC,EAAE,IAAI,CAAA;AAAA,mBACtE;AACA,kBAAA,MAAM,aAAA,GAA+B;AAAA,oBACpC,iBAAA,EACC,UAAA,CAAW,OAAA,CAAQ,CAAC,EAAE,IAAA,IAAQ,eAAA;AAAA,oBAC/B,mBAAA,EAAqB,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,oBACnC,UAAA,EAAY,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,oBAC1B,QAAA,EAAU;AAAA,mBACX;AACA,kBAAA,IAAA,CAA
K,KAAA,CAAM,eAAe,MAAM;AAC/B,oBAAA,IAAA,CAAK,GAAA,EAAI;AAAA,kBACV,CAAC,CAAA;AACD,kBAAA;AAAA,gBACD;AAEA,gBAAA,MAAM,mBAAA,GAAsB,eAAe,UAAU,CAAA;AACrD,gBAAA,WAAA,GAAc,IAAA,CAAK,UAAU,mBAAmB,CAAA;AAChD,gBAAA,gBAAA,GACC,IAAA,CAAK,+BAA+B,mBAAmB,CAAA;AAAA,cACzD;AAAA,YACD,CAAA,CAAA,MAAQ;AACP,cAAA,WAAA,GAAc,OAAO,qBAAqB,CAAA;AAAA,YAC3C;AAGA,YAAA,MAAM,kBAAkB,IAAA,CAAK,oBAAA;AAAA,cAC5B,QAAA,IAAY,cAAA;AAAA,cACZ,gBAAA;AAAA,cACA;AAAA,aACD;AACA,YAAA,IAAI,eAAA,EAAiB;AACpB,cAAA,GAAA,CAAI,IAAA;AAAA,gBACH,CAAA,qCAAA,EAAwC,QAAA,IAAY,cAAc,CAAA,EAAA,EAAK,eAAe,CAAA;AAAA,eACvF;AAEA,cAAA,MAAM,KAAA,GACL,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,KAAqB,GAAA;AAElC,cAAA,MAAM,YAAA,GAAe,QAClB,eAAA,GACA,6EAAA;AAEH,cAAA,MAAM,aAAA,GAA+B;AAAA,gBACpC,iBAAA,EAAmB,YAAA;AAAA,gBACnB,mBAAA,EAAqB,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,gBACnC,UAAA,EAAY,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,gBAC1B,QAAA,EAAU;AAAA,eACX;AAEA,cAAA,IAAA,CAAK,KAAA,CAAM,eAAe,MAAM;AAC/B,gBAAA,IAAA,CAAK,GAAA,EAAI;AAAA,cACV,CAAC,CAAA;AACD,cAAA;AAAA,YACD;AAEA,YAAA,MAAM,QAAA,GAA0B;AAAA,cAC/B,iBAAA,EAAmB,WAAA;AAAA,cACnB,qBAAqB,MAAA,CAAO,IAAA;AAAA,gBAC3B,eAAe,QAAA,IAAY,EAAA;AAAA,gBAC3B;AAAA,eACD;AAAA,cACA,UAAA,EAAY,cAAA,CAAe,UAAA,GACxB,MAAA,CAAO,IAAA,CAAK,cAAA,CAAe,UAAA,EAAY,QAAQ,CAAA,GAC/C,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX;AAGA,YAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK,gBAAgB,CAAA;AAC7D,YAAA,MAAM,uBAAuB,IAAA,CAAK,8BAAA;AAAA,cACjC,IAAA,CAAK,+BAA+B,gBAAgB,CAAA;AAAA,cACpD,UAAA,EAAY,uBAAA;AAAA,cACZ,KAAK,cAAA,EAAgB;AAAA,aACtB;AACA,YAAA,IAAI,aAAa,oBAAA,EAAsB;AAEtC,cAAA,MAAM,iBACL,SAAA,IAAa,oCAAA;AACd,cAAA,GAAA,CAAI,IAAA;AAAA,gBACH,oDAAoD,cAAc,CAAA;AAAA,eACnE;AACA,cAAA,QAAA,CAAS,iBAAA,GACR,6EAAA;AACD,cAAA,QAAA,CAAS,QAAA,GAAW,IAAA;AAAA,YACrB;AAEA,YAAA,IAAA,CAAK,KAAA,CAAM,UAAU,MAAM;AAC1B,cAAA,IAAA,CAAK,GAAA,EAAI;AAAA,YACV,CAAC,CAAA;AAAA,UACF,SAAS,KAAA,EAAgB;AACxB,YAAA,MAAM,CAAA,GAAI,KAAA;AACV,YAAA,MAAM,QACL,OAAA,CAAQ,GAAA,CAAI,aAAa,aAAA,IACzB,OAAA,CAAQ,IAAI,QA
AA,KAAa,MAAA;AAE1B,YAAA,MAAM,MAAA,GAAS,CAAA,CAAE,OAAA,IAAW,MAAA,CAAO,KAAK,CAAA;AACxC,YAAA,GAAA,CAAI,KAAA,CAAM,CAAA,4BAAA,EAA+B,MAAM,CAAA,CAAE,CAAA;AAEjD,YAAA,MAAM,YAAA,GAAe,KAAA,GAClB,CAAA,iBAAA,EAAoB,MAAM,CAAA,CAAA,GAC1B,wGAAA;AAGH,YAAA,MAAM,aAAA,GAA+B;AAAA,cACpC,iBAAA,EAAmB,YAAA;AAAA,cACnB,mBAAA,EAAqB,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,cACnC,UAAA,EAAY,MAAA,CAAO,IAAA,CAAK,EAAE,CAAA;AAAA,cAC1B,QAAA,EAAU;AAAA,aACX;AAEA,YAAA,IAAI;AACH,cAAA,IAAA,CAAK,KAAA,CAAM,eAAe,MAAM;AAC/B,gBAAA,IAAA,CAAK,GAAA,EAAI;AAAA,cACV,CAAC,CAAA;AAAA,YACF,SAAS,SAAA,EAAW;AACnB,cAAA,IAAA,CAAK,GAAA,EAAI;AAAA,YACV;AAAA,UACD;AAAA,QACD,CAAA;AAEA,QAAA,IAAI,KAAK,YAAA,EAAc;AACtB,UAAA,MAAM,aAAa,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,eAAe,EAAE,CAAC,CAAA;AAGvD,UAAA,IAAI,CAAC,UAAA,EAAY;AAChB,YAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,cAClB,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,cAClB,OAAA,EAAS;AAAA,aACT,CAAA;AACD,YAAA;AAAA,UACD;AAEA,UAAA,MAAM,KAAA,GAAQ,WAAW,UAAA,CAAW,SAAS,IAC1C,UAAA,CAAW,KAAA,CAAM,CAAC,CAAA,GAClB,UAAA;AAEH,UAAA,MAAM,SAAA,GAAYA,OAAAA,CAChB,UAAA,CAAW,QAAQ,CAAA,CACnB,MAAA,CAAO,KAAK,CAAA,CACZ,MAAA,CAAO,KAAK,CAAA,CACZ,WAAA,EAAY;AAGd,UAAA,IAAA,CAAK,kBAAA,EAAmB;AACxB,UAAA,IAAI,IAAA,CAAK,kBAAA,CAAmB,GAAA,CAAI,SAAS,CAAA,EAAG;AAC3C,YAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,cAClB,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,cAClB,OAAA,EAAS;AAAA,aACT,CAAA;AACD,YAAA;AAAA,UACD;AAGA,UAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,MAAA,EAAQ,IAAA,EAAM,cAAA;AAC1C,UAAA,MAAM,kBAAA,GAAqB,mCAAA;AAE3B,UAAA,IAAI,cAAA,EAAgB;AACnB,YAAA,IAAI,UAAU,cAAA,EAAgB;AAC7B,cAAA,GAAA,CAAI,IAAA;AAAA,gBACH,iFAAiF,cAAc,CAAA;AAAA,eAChG;AACA,cAAA,MAAM,OAAA,EAAQ;AACd,cAAA;AAAA,YACD;AAGA,YAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,cAClB,MAAW,KAAA,CAAA,MAAA,CAAO,iBAAA;AAAA,cAClB,SACC,KAAA,IAAS,kBAAA,CAAmB,IAAA,CAAK,KAAK,IACnC,0FAAA,GACA;AAAA,aACJ,CAAA;AACD,YAAA;AAAA,UACD;AAEA,UAAA,IAAI;AACH,YAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,YAAA,CAAa,SAAS,KAAK,CAAA;AACvD,YAAA,MAAM,UAAA,GAAa,gBAAA,CAAiB,YAAA,EAAc,QAAQ,CAAA;AAC1D,YAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACxB,cAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,gBAClB,MAAW,KAA
A,CAAA,MAAA,CAAO,iBAAA;AAAA,gBAClB,OAAA,EAAS,WAAW,MAAA,IAAU;AAAA,eAC9B,CAAA;AACD,cAAA;AAAA,YACD;AACA,YAAA,MAAM,OAAA,EAAQ;AAAA,UACf,SAAS,GAAA,EAAc;AACtB,YAAA,IAAA,CAAK,KAAK,OAAA,EAAS;AAAA,cAClB,MAAW,KAAA,CAAA,MAAA,CAAO,eAAA;AAAA,cAClB,OAAA,EAAS,sBACR,GAAA,YAAe,KAAA,GAAQ,IAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAChD,CAAA;AAAA,aACA,CAAA;AAAA,UACF;AAAA,QACD,CAAA,MAAO;AACN,UAAA,MAAM,OAAA,EAAQ;AAAA,QACf;AAAA,MACD;AAAA,KACA,CAAA;AAED,IAAA,IAAA,CAAK,SAAA,GAAY,MAAM,IAAA,CAAK,SAAA,CAAU,OAAO,IAAI,CAAA;AACjD,IAAA,GAAA,CAAI,IAAA;AAAA,MACH,CAAA,wDAAA,EAA2D,IAAA,CAAK,QAAA,CAAS,SAAA,EAAW,CAAA;AAAA,KACrF;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBAAA,CACb,KAAA,EACA,UAAA,EACA,QAAA,EAC0B;AAC1B,IAAA,IAAI;AAEH,MAAA,MAAM,WAAW,QAAA,GAAW,IAAA,CAAK,MAAM,GAAA,CAAI,QAAQ,GAAG,MAAA,GAAS,KAAA,CAAA;AAC/D,MAAA,MAAM,WAAW,QAAA,GACd;AAAA,QACA,OAAA,EAAS,SAAS,SAAA,IAAa,CAAA;AAAA,QAC/B,WAAA,EAAa,SAAS,aAAA,IAAiB,CAAA;AAAA,QACvC,qBAAA,EAAuB,SAAS,uBAAA,IAA2B;AAAA,OAC5D,GACC,KAAA,CAAA;AAGH,MAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI;AAAA,QAChD,UAAA,EAAY,IAAI,UAAA,CAAW,CAAC,CAAA;AAAA,QAC5B,cAAc,KAAA,CAAM,IAAA,CAAK,IAAI,UAAA,CAAW,CAAC,CAAC,CAAA;AAAA,QAC1C,cAAA,EAAgB,IAAI,UAAA,CAAW,CAAC,CAAA;AAAA,QAChC,UAAA,EAAY,MAAA,CAAO,IAAA,CAAK,UAAU,CAAA;AAAA,QAClC,QAAQ,EAAC;AAAA,QACT,SAAS,IAAA,CAAK,cAAA;AAAA,QACd,YAAA,EAAc,iBAAA;AAAA,QACd,WAAA,EAAa,KAAA;AAAA;AAAA,QACb;AAAA;AAAA,OACA,CAAA;AAGD,MAAA,MAAM,WAAW,cAAA,CAAe,MAAA;AAChC,MAAA,MAAM,eAAA,GAAkB,eAAe,QAAQ,CAAA;AAG/C,MAAA,MAAM,UAAA,GAAa,KAAK,SAAA,CAAU;AAAA,QACjC,kBAAA,EAAoB,eAAA;AAAA,QACpB,UAAU,cAAA,CAAe,QAAA;AAAA,QACzB,YAAY,cAAA,CAAe,UAAA;AAAA,QAC3B,MAAA,EAAQ;AAAA,OACR,CAAA;AAED,MAAA,MAAM,OAAA,GAAU;AAAA,QACf;AAAA,UACC,IAAA,EAAM,MAAA;AAAA,UACN,IAAA,EAAM;AAAA;AACP,OACD;AAEA,MAAA,MAAM,aAAa,QAAA,GAChB,IAAA,CAAK,MAAM,GAAA,CAAI,QAAQ,GAAG,MAAA,GAC1B,KAAA,CAAA;AACH,MAAA,MAAM,kBAAkB,IAAA,CAAK,oBAAA;AAAA,QAC5B,QAAA,IAAY,cAAA;AAAA,QACZ,eAAA;AAAA;AAAA,QACA;AAAA,OACD;AACA,MAAA,IAAI,eAAA,EAAiB;AAEpB,QAAA,GAAA,CAAI,IAAA;AAAA,UACH,CAAA,qCAAA,EAAwC,QAAA,IAAY,cAAc,CAAA,EAAA,EAAK,eAAe,C
AAA;AAAA,SACvF;AAEA,QAAA,MAAM,KAAA,GACL,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,KAAqB,GAAA;AAElC,QAAA,MAAM,YAAA,GAAe,QAClB,eAAA,GACA,2IAAA;AAEH,QAAA,OAAO;AAAA,UACN,OAAA,EAAS;AAAA,YACR;AAAA,cACC,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM;AAAA;AACP,WACD;AAAA,UACA,OAAA,EAAS;AAAA,SACV;AAAA,MACD;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK,eAAe,CAAA;AAC5D,MAAA,MAAM,uBAAuB,IAAA,CAAK,8BAAA;AAAA,QACjC,eAAA;AAAA;AAAA,QACA,UAAA,EAAY,uBAAA;AAAA,QACZ,KAAK,cAAA,EAAgB;AAAA,OACtB;AACA,MAAA,IAAI,aAAa,oBAAA,EAAsB;AAGtC,QAAA,MAAM,iBACL,SAAA,IACA,gGAAA;AACD,QAAA,GAAA,CAAI,IAAA;AAAA,UACH,wDAAwD,cAAc,CAAA;AAAA,SACvE;AAEA,QAAA,MAAM,KAAA,GACL,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,KAAqB,GAAA;AAElC,QAAA,MAAM,YAAA,GAAe,KAAA,GAClB,CAAA,kCAAA,EAAqC,cAAc,CAAA,CAAA,GACnD,2IAAA;AAEH,QAAA,OAAO;AAAA,UACN,OAAA,EAAS;AAAA,YACR;AAAA,cACC,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM;AAAA;AACP,WACD;AAAA,UACA,OAAA,EAAS;AAAA,SACV;AAAA,MACD;AAEA,MAAA,OAAO,EAAE,OAAA,EAAQ;AAAA,IAClB,SAAS,KAAA,EAAgB;AACxB,MAAA,MAAM,CAAA,GAAI,KAAA;AACV,MAAA,MAAM,KAAA,GACL,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,KAAqB,GAAA;AAElC,MAAA,MAAM,MAAA,GAAS,CAAA,CAAE,OAAA,IAAW,MAAA,CAAO,KAAK,CAAA;AACxC,MAAA,GAAA,CAAI,KAAA,CAAM,CAAA,uCAAA,EAA0C,MAAM,CAAA,CAAE,CAAA;AAG5D,MAAA,MAAM,KAAA,GACL,MAAA,CAAO,QAAA,CAAS,sBAAsB,KACtC,MAAA,CAAO,QAAA,CAAS,0BAA0B,CAAA,IAC1C,OAAO,QAAA,CAAS,YAAY,CAAA,IAC5B,MAAA,CAAO,SAAS,YAAY,CAAA;AAE7B,MAAA,MAAM,eAAe,KAAA,GAClB,gGAAA,GACA,KAAA,GACC,CAAA,iBAAA,EAAoB,MAAM,CAAA,CAAA,GAC1B,wGAAA;AAEJ,MAAA,OAAO;AAAA,QACN,OAAA,EAAS;AAAA,UACR;AAAA,YACC,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EAAM;AAAA;AACP,SACD;AAAA,QACA,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAa,KAAA,GAAuB;AACnC,IAAA,IAAI,KAAK,UAAA,EAAY;AACpB,MAAA,MAAM,KAAK,UAAA,CAAW,KAAA,CAAM,EAAE,KAAA,EAAO,MAAM,CAAA;AAAA,IAC5C;AACA,IAAA,IAAI,KAAK,SAAA,EAAW;AA
CnB,MAAA,MAAM,IAAA,CAAK,UAAU,IAAA,EAAK;AAAA,IAC3B;AACA,IAAA,IAAI,KAAK,QAAA,EAAU;AAClB,MAAA,MAAM,IAAA,CAAK,SAAS,IAAA,EAAK;AAAA,IAC1B;AAAA,EACD;AAAA,EAEQ,kBAAA,GAA2B;AAClC,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,EAAQ,IAAA,EAAM,cAAA;AACjC,IAAA,IAAI,CAAC,KAAA,EAAO;AAEZ,IAAA,IAAI;AACH,MAAA,IAAO,EAAA,CAAA,UAAA,CAAW,KAAK,CAAA,EAAG;AACzB,QAAA,MAAM,KAAA,GAAW,YAAS,KAAK,CAAA;AAE/B,QAAA,IAAI,KAAA,CAAM,OAAA,IAAW,IAAA,CAAK,sBAAA,EAAwB;AACjD,UAAA;AAAA,QACD;AAEA,QAAA,MAAM,OAAA,GAAa,EAAA,CAAA,YAAA,CAAa,KAAA,EAAO,OAAO,CAAA;AAC9C,QAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAC/B,QAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAI,CAAA,EAAG;AACxB,UAAA,IAAA,CAAK,mBAAmB,KAAA,EAAM;AAC9B,UAAA,KAAA,MAAW,QAAQ,IAAA,EAAM;AACxB,YAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,cAAA,IAAA,CAAK,mBAAmB,GAAA,CAAI,IAAA,CAAK,IAAA,EAAK,CAAE,aAAa,CAAA;AAAA,YACtD;AAAA,UACD;AACA,UAAA,IAAA,CAAK,yBAAyB,KAAA,CAAM,OAAA;AACpC,UAAA,GAAA,CAAI,IAAA;AAAA,YACH,CAAA,oBAAA,EAAuB,IAAA,CAAK,kBAAA,CAAmB,IAAI,8BAA8B,KAAK,CAAA;AAAA,WACvF;AAAA,QACD;AAAA,MACD,CAAA,MAAO;AAEN,QAAA,MAAM,GAAA,GAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,CAAA;AAC9B,QAAA,IAAI,CAAI,EAAA,CAAA,UAAA,CAAW,GAAG,CAAA,EAAG;AACxB,UAAG,EAAA,CAAA,SAAA,CAAU,GAAA,EAAK,EAAE,SAAA,EAAW,MAAM,CAAA;AAAA,QACtC;AACA,QAAG,EAAA,CAAA,aAAA,CAAc,OAAO,IAAA,CAAK,SAAA,CAAU,EAAC,EAAG,IAAA,EAAM,CAAC,CAAA,EAAG,OAAO,CAAA;AAC5D,QAAA,IAAA,CAAK,sBAAA,GAAyB,KAAK,GAAA,EAAI;AACvC,QAAA,GAAA,CAAI,IAAA;AAAA,UACH,uDAAuD,KAAK,CAAA;AAAA,SAC7D;AAAA,MACD;AAAA,IACD,SAAS,GAAA,EAAc;AACtB,MAAA,GAAA,CAAI,KAAA;AAAA,QACH,gDACC,GAAA,YAAe,KAAA,GAAQ,IAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAChD,CAAA;AAAA,OACD;AAAA,IACD;AAAA,EACD;AAAA,EAEO,YAAY,KAAA,EAAqB;AACvC,IAAA,IAAI,CAAC,KAAA,EAAO;AACZ,IAAA,MAAM,IAAA,GAAOA,OAAAA,CACX,UAAA,CAAW,QAAQ,CAAA,CACnB,MAAA,CAAO,KAAK,CAAA,CACZ,MAAA,CAAO,KAAK,CAAA,CACZ,WAAA,EAAY;AACd,IAAA,IAAA,CAAK,gBAAgB,IAAI,CAAA;AAAA,EAC1B;AAAA,EAEO,gBAAgB,IAAA,EAAoB;AAC1C,IAAA,IAAI,CAAC,IAAA,EAAM;AACX,IAAA,MAAM,cAAA,GAAiB,KAAK,WAAA,EAAY;AAExC,IAAA,IAAA,CAAK,kBAAA,EAAmB;AACxB,IAAA,IAAA,CAAK,kBAAA,CAAmB,IAAI,cAAc,CAAA;AAE1C,IAAA,MAAM,KAAA,GAAQ,
IAAA,CAAK,MAAA,EAAQ,IAAA,EAAM,cAAA;AACjC,IAAA,IAAI,KAAA,EAAO;AACV,MAAA,IAAI;AACH,QAAA,MAAM,GAAA,GAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,CAAA;AAC9B,QAAA,IAAI,CAAI,EAAA,CAAA,UAAA,CAAW,GAAG,CAAA,EAAG;AACxB,UAAG,EAAA,CAAA,SAAA,CAAU,GAAA,EAAK,EAAE,SAAA,EAAW,MAAM,CAAA;AAAA,QACtC;AACA,QAAA,MAAM,MAAA,GAAS,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,kBAAkB,CAAA;AACjD,QAAG,EAAA,CAAA,aAAA,CAAc,OAAO,IAAA,CAAK,SAAA,CAAU,QAAQ,IAAA,EAAM,CAAC,GAAG,OAAO,CAAA;AAEhE,QAAA,MAAM,KAAA,GAAW,YAAS,KAAK,CAAA;AAC/B,QAAA,IAAA,CAAK,yBAAyB,KAAA,CAAM,OAAA;AAEpC,QAAA,GAAA,CAAI,IAAA;AAAA,UACH,CAAA,2CAAA,EAA8C,cAAc,CAAA,IAAA,EAAO,KAAK,CAAA;AAAA,SACzE;AAAA,MACD,SAAS,GAAA,EAAc;AACtB,QAAA,GAAA,CAAI,KAAA;AAAA,UACH,8CACC,GAAA,YAAe,KAAA,GAAQ,IAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAChD,CAAA;AAAA,SACD;AAAA,MACD;AAAA,IACD;AAAA,EACD;AAAA,EAEQ,oBACP,SAAA,EACyD;AACzD,IAAA,IAAI;AACH,MAAA,IAAI,CAAI,EAAA,CAAA,UAAA,CAAW,SAAS,CAAA,EAAG;AAC9B,QAAA,OAAO,EAAC;AAAA,MACT;AACA,MAAA,MAAM,OAAA,GAAa,EAAA,CAAA,YAAA,CAAa,SAAA,EAAW,OAAO,CAAA;AAClD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,OAAA,IAAW,IAAI,CAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AACP,MAAA,OAAO,EAAC;AAAA,IACT;AAAA,EACD;AAAA,EAEQ,oBAAA,CACP,WACA,MAAA,EACO;AACP,IAAA,MAAM,QAAA,GAAW,GAAG,SAAS,CAAA,IAAA,CAAA;AAC7B,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAClC,IAAA,IAAI,CAAI,EAAA,CAAA,UAAA,CAAW,GAAG,CAAA,EAAG;AACxB,MAAG,EAAA,CAAA,SAAA,CAAU,GAAA,EAAK,EAAE,SAAA,EAAW,MAAM,CAAA;AAAA,IACtC;AACA,IAAG,EAAA,CAAA,aAAA,CAAc,UAAU,IAAA,CAAK,SAAA,CAAU,QAAQ,IAAA,EAAM,CAAC,GAAG,OAAO,CAAA;AACnE,IAAG,EAAA,CAAA,UAAA,CAAW,UAAU,SAAS,CAAA;AAAA,EAClC;AAAA,EAEQ,qBAAA,CACP,WACA,MAAA,EAMI;AACJ,IAAA,MAAM,QAAA,GAAW,GAAG,SAAS,CAAA,KAAA,CAAA;AAC7B,IAAA,MAAM,UAAA,GAAa,GAAA;AAEnB,IAAA,IAAI,QAAA,GAAW,CAAA;AAEf,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAClC,IAAA,IAAI,CAAI,EAAA,CAAA,UAAA,CAAW,GAAG,CAAA,EAAG;AACxB,MAAA,IAAI;AACH,QAAG,EAAA,CAAA,SAAA,CAAU,GAAA,EAAK,EAAE,SAAA,EAAW,MAAM,CAAA;AAAA,MACtC,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACD;AAEA,IAAA,OAAO,WAAW,UAAA,EAAY;AAC7B,MAAA,IAAI;AACH,QAAG,EAAA,CAAA,aAAA,CAAc,UAAU,OAAA,CAAQ,GAAA,CAAI,UAAS,EA
AG,EAAE,IAAA,EAAM,IAAA,EAAM,CAAA;AACjE,QAAA;AAAA,MACD,SAAS,CAAA,EAAY;AACpB,QAAA,IACC,CAAA,IACA,OAAO,CAAA,KAAM,QAAA,IACb,UAAU,CAAA,IACT,CAAA,CAA8B,SAAS,QAAA,EACvC;AACD,UAAA,QAAA,EAAA;AAKA,QACD,CAAA,MAAO;AACN,UAAA,MAAM,CAAA;AAAA,QACP;AAAA,MACD;AAAA,IACD;AAEA,IAAA,IAAI,YAAY,UAAA,EAAY;AAC3B,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AAEA,IAAA,IAAI;AACH,MAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,mBAAA,CAAoB,SAAS,CAAA;AACxD,MAAA,MAAM,EAAE,MAAA,EAAQ,aAAA,EAAc,GAAI,OAAO,aAAa,CAAA;AACtD,MAAA,IAAI,aAAA,EAAe;AAClB,QAAA,IAAA,CAAK,oBAAA,CAAqB,WAAW,aAAa,CAAA;AAAA,MACnD;AACA,MAAA,OAAO,MAAA;AAAA,IACR,CAAA,SAAE;AACD,MAAA,IAAI;AACH,QAAA,IAAO,EAAA,CAAA,UAAA,CAAW,QAAQ,CAAA,EAAG;AAC5B,UAAG,cAAW,QAAQ,CAAA;AAAA,QACvB;AAAA,MACD,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACD;AAAA,EACD;AAAA,EAEQ,mBAAA,CACP,QAAA,EACA,SAAA,EACA,eAAA,EACA,MAAA,EACgB;AAChB,IAAA,IAAI,YAAA,GAAe,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,QAAQ,CAAA;AACrD,IAAA,IAAI,CAAC,YAAA,EAAc;AAClB,MAAA,YAAA,uBAAmB,GAAA,EAAiC;AACpD,MAAA,IAAA,CAAK,gBAAA,CAAiB,GAAA,CAAI,QAAA,EAAU,YAAY,CAAA;AAAA,IACjD;AAEA,IAAA,IAAI,UAAA,GAAa,YAAA,CAAa,GAAA,CAAI,SAAS,CAAA;AAC3C,IAAA,IAAI,CAAC,UAAA,EAAY;AAChB,MAAA,UAAA,uBAAiB,GAAA,EAAoB;AACrC,MAAA,YAAA,CAAa,GAAA,CAAI,WAAW,UAAU,CAAA;AAAA,IACvC;AAEA,IAAA,KAAA,MAAW,SAAS,eAAA,EAAiB;AACpC,MAAA,MAAM,WAAA,GAAc,KAAK,aAAA,CAAc,aAAA;AAAA,QACtC,KAAA;AAAA,QACA,MAAA,EAAQ;AAAA,OACT;AAEA,MAAA,IAAI,UAAA,GAAa,EAAA;AACjB,MAAA,IAAI,SAAA,GAAY,QAAA;AAEhB,MAAA,IAAI,MAAA,EAAQ,wBAAwB,MAAA,EAAW;AAC9C,QAAA,UAAA,GAAa,MAAA,CAAO,mBAAA;AACpB,QAAA,SAAA,GAAY,UAAA;AAAA,MACb,CAAA,MAAA,IAAW,gBAAgB,WAAA,EAAa;AACvC,QAAA,UAAA,GAAa,CAAA;AACb,QAAA,SAAA,GAAY,WAAA;AAAA,MACb,CAAA,MAAA,IAAW,gBAAgB,WAAA,EAAa;AACvC,QAAA,UAAA,GAAa,CAAA;AACb,QAAA,SAAA,GAAY,WAAA;AAAA,MACb;AAEA,MAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,GAAA,CAAI,KAAK,CAAA,IAAK,CAAA;AACvC,MAAA,IAAI,SAAS,UAAA,EAAY;AACxB,QAAA,OAAO,CAAA,4DAAA,EAA+D,KAAK,CAAA,OAAA,EAAU,UAAU,oBAAoB,SAAS,CAAA,6CAAA,CAAA;AAAA,MAC7H;AAAA,IACD;AAEA,IAAA,KAAA,MAAW,SAAS,eAAA,EAAiB;AACpC,MAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,GAAA,CAAI,KAAK,CAAA,IAAK,CAAA;AACv
C,MAAA,UAAA,CAAW,GAAA,CAAI,KAAA,EAAO,KAAA,GAAQ,CAAC,CAAA;AAAA,IAChC;AAEA,IAAA,OAAO,IAAA;AAAA,EACR;AACD","file":"chunk-4KIGYPIQ.js","sourcesContent":["import * as grpc from \"@grpc/grpc-js\";\nimport { log } from \"../utils/logger.js\";\nimport { liopV1 } from \"./proto.js\";\nimport { createServerCredentials, type LiopTlsOptions } from \"./tls.js\";\nimport type {\n\tIntentRequest,\n\tIntentResponse,\n\tLogicRequest,\n\tLogicResponse,\n} from \"./types.js\";\n\n/**\n * LIOP gRPC Service Implementation\n * Handles intent negotiation and secure logic execution.\n */\n\n/** Production-grade gRPC channel options per official grpc-node recommendations */\nconst GRPC_CHANNEL_OPTIONS = {\n\t\"grpc.keepalive_time_ms\": 30_000,\n\t\"grpc.keepalive_timeout_ms\": 10_000,\n\t\"grpc.keepalive_permit_without_calls\": 1,\n\t\"grpc.max_send_message_length\": -1,\n\t\"grpc.max_receive_message_length\": -1,\n\t\"grpc.enable_retries\": 1,\n};\n\nexport class LiopRpcServer {\n\tprivate server: grpc.Server;\n\n\tconstructor() {\n\t\tthis.server = new grpc.Server(GRPC_CHANNEL_OPTIONS);\n\t}\n\n\tpublic addService(handlers: {\n\t\tnegotiateIntent: (\n\t\t\tcall: grpc.ServerUnaryCall<IntentRequest, IntentResponse>,\n\t\t\tcallback: grpc.sendUnaryData<IntentResponse>,\n\t\t) => void;\n\t\texecuteLogic: (\n\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t) => void;\n\t}): void {\n\t\tthis.server.addService(liopV1.LogicMesh.service, {\n\t\t\tNegotiateIntent: handlers.negotiateIntent,\n\t\t\tExecuteLogic: handlers.executeLogic,\n\t\t});\n\t}\n\n\tpublic async listen(\n\t\tport: number = 50051,\n\t\ttls?: LiopTlsOptions,\n\t): Promise<number> {\n\t\tconst credentials = createServerCredentials(tls);\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.server.bindAsync(\n\t\t\t\t`0.0.0.0:${port}`,\n\t\t\t\tcredentials,\n\t\t\t\t(error, assignedPort) => {\n\t\t\t\t\tif (error) 
{\n\t\t\t\t\t\treject(error);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\tlog.info(`[LIOP-RPC] Server listening on port ${assignedPort}`);\n\t\t\t\t\tresolve(assignedPort);\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\tpublic async stop(): Promise<void> {\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.server.tryShutdown(() => {\n\t\t\t\tlog.info(\"[LIOP-RPC] Server shut down\");\n\t\t\t\tresolve();\n\t\t\t});\n\t\t});\n\t}\n}\n","/**\n * LIOP OAuth 2.1 Hybrid Auth — Configuration Types\n *\n * Defines the auth configuration interface consumed by LiopServerOptions.\n * Designed for zero-friction developer experience: most values auto-resolve.\n *\n * Standards: NIST SP 800-207, OWASP API-A07, MCP Spec 2025-11-25\n */\n\n/**\n * Role of this node in the LIOP auth hierarchy.\n * - \"nexus\": Runs the embedded Authorization Server (oidc-provider) + Resource Server.\n * - \"node\": Resource Server only; validates JWTs issued by the Nexus.\n * - \"none\": Auth disabled (dev mode, stdio/local transport).\n */\nexport type AuthRole = \"nexus\" | \"node\" | \"none\";\n\n/**\n * OAuth client registration for M2M (Client Credentials) flows.\n * Used exclusively by the Nexus role.\n */\nexport interface OAuthClientConfig {\n\t/** Unique identifier for the OAuth client. */\n\tclient_id: string;\n\t/** Client secret for authentication (client_secret_post). */\n\tclient_secret: string;\n\t/** OAuth grant types allowed for this client (e.g., [\"client_credentials\"]). */\n\tgrant_types: string[];\n\t/** Space-delimited scopes this client can request. */\n\tscope: string;\n}\n\n/**\n * LIOP Auth Configuration.\n *\n * Minimal surface for developers:\n * - Nexus node: { role: \"nexus\" }\n * - Data node: { role: \"node\" }\n * - Dev/stdio: omit or { role: \"none\" }\n *\n * All other fields auto-resolve from env, DHT, or secure defaults.\n */\nexport interface LiopAuthConfig {\n\t/** Role of this node in the auth hierarchy. */\n\trole: AuthRole;\n\t/**\n\t * OIDC Issuer URL. 
Auto-derived:\n\t * - Nexus: inferred from listen address (e.g., \"http://localhost:3000\")\n\t * - Node: resolved from Nexus /health endpoint\n\t */\n\tissuer?: string;\n\t/**\n\t * JWT audience claim.\n\t * Default: \"urn:liop:mesh:api\"\n\t */\n\taudience?: string;\n\t/**\n\t * URL of the Nexus authorization server (node role only).\n\t * Fallback: env.LIOP_NEXUS_URL → DHT auto-discovery.\n\t */\n\tnexusUrl?: string;\n\t/**\n\t * Required scopes for accessing this node's tools.\n\t * Default: auto-derived from registered tools.\n\t */\n\trequiredScopes?: string[];\n\t/**\n\t * Pre-registered OAuth clients (nexus role only).\n\t * Fallback: auto-detected from env.LIOP_OAUTH_CLIENT_ID + env.LIOP_OAUTH_CLIENT_SECRET.\n\t */\n\tclients?: OAuthClientConfig[];\n\t/**\n\t * Path to local token revocation JSON list (Resource Token Revocation List).\n\t * Saved as an array of SHA-256 hashes of revoked access tokens.\n\t */\n\trevocationPath?: string;\n\t/**\n\t * Pre-shared local test token for isolated testing in non-production environments.\n\t * A token matching this will bypass remote JWKS check only on this specific node.\n\t */\n\tlocalTestToken?: string;\n}\n\n/**\n * Secure defaults for the OAuth subsystem.\n * Sources: NIST SP 800-207 §3.1, NIST SP 800-63B, OWASP API-A07\n */\nexport const AUTH_DEFAULTS = {\n\t/** JWT audience claim for the LIOP mesh API. */\n\taudience: \"urn:liop:mesh:api\",\n\t/** M2M token time-to-live in seconds (1 hour). */\n\ttokenTtlSeconds: 3600,\n\t/** JWKS cache TTL in milliseconds (10 min — jose default). */\n\tjwksCacheTtlMs: 600_000,\n\t/** Minimum interval between JWKS refetches (30s — jose default). */\n\tjwksCooldownMs: 30_000,\n\t/** Clock tolerance for JWT expiration checks (mesh clock skew). */\n\tclockToleranceSec: 5,\n\t/** JWT signing algorithm (aligned with libp2p Ed25519 PeerID curve). 
*/\n\tsigningAlgorithm: \"EdDSA\" as const,\n} as const;\n","/**\n * LIOP JWT Validator — Token Verification Engine\n *\n * Validates JWT Access Tokens using the `jose` library.\n * Supports two modes:\n * - Local JWKS (Nexus role): Keys in memory, zero network latency.\n * - Remote JWKS (Node role): Fetched from Nexus /oidc/jwks with 10min cache.\n *\n * Standards: NIST SP 800-207 (continuous verification), OWASP API-A01\n * Source: panva/jose DeepWiki — createRemoteJWKSet, jwtVerify\n */\n\nimport * as jose from \"jose\";\nimport { AUTH_DEFAULTS } from \"./auth-config.js\";\n\n/**\n * Authorization context extracted from a validated JWT.\n * Compatible with MCP TypeScript SDK AuthInfo interface.\n */\nexport interface AuthInfo {\n\t/** Raw JWT string. */\n\ttoken: string;\n\t/** Subject claim (client_id for M2M flows). */\n\tclientId: string;\n\t/** Space-delimited scopes parsed into an array. */\n\tscopes: string[];\n\t/** Token expiration timestamp (Unix seconds). */\n\texpiresAt?: number;\n}\n\n/**\n * JWT Validator with dual-mode JWKS resolution.\n *\n * - Nexus role: `new JwtValidator(issuer, audience, localJwks)` (createLocalJWKSet)\n * - Node role: `new JwtValidator(issuer, audience, new URL(jwksUri))` (createRemoteJWKSet)\n */\nexport class JwtValidator {\n\tprivate readonly jwksResolver: ReturnType<\n\t\ttypeof jose.createRemoteJWKSet | typeof jose.createLocalJWKSet\n\t>;\n\tprivate readonly issuer: string;\n\tprivate readonly audience: string;\n\n\tconstructor(\n\t\tissuer: string,\n\t\taudience: string,\n\t\tjwksSource: URL | jose.JSONWebKeySet,\n\t) {\n\t\tthis.issuer = issuer;\n\t\tthis.audience = audience;\n\n\t\tif (jwksSource instanceof URL) {\n\t\t\t// Remote JWKS (node role): fetch from Nexus with intelligent caching.\n\t\t\t// jose docs: cacheMaxAge defaults to 10min, cooldownDuration to 30s.\n\t\t\t// These prevent JWKS endpoint abuse while keeping key rotation responsive.\n\t\t\tthis.jwksResolver = jose.createRemoteJWKSet(jwksSource, 
{\n\t\t\t\tcacheMaxAge: AUTH_DEFAULTS.jwksCacheTtlMs,\n\t\t\t\tcooldownDuration: AUTH_DEFAULTS.jwksCooldownMs,\n\t\t\t});\n\t\t} else {\n\t\t\t// Local JWKS (nexus role): keys already loaded in memory.\n\t\t\t// Zero network latency for token validation on the issuing node.\n\t\t\tthis.jwksResolver = jose.createLocalJWKSet(jwksSource);\n\t\t}\n\t}\n\n\t/**\n\t * Validates a JWT access token and extracts authorization context.\n\t *\n\t * Checks performed (jose.jwtVerify):\n\t * - Cryptographic signature verification (EdDSA or ES256)\n\t * - Issuer claim matches configured issuer\n\t * - Audience claim matches configured audience\n\t * - Token is not expired (with clock tolerance for mesh skew)\n\t * - Required claims (sub, scope) are present\n\t *\n\t * @throws JOSEError if validation fails (expired, wrong issuer, bad signature, etc.)\n\t */\n\tasync validate(token: string): Promise<AuthInfo> {\n\t\t// Build a comprehensive list of acceptable issuer aliases to handle\n\t\t// the Docker host/container networking mismatch. In the LIOP demo topology:\n\t\t// - Nexus OAuth server runs inside Docker on port 3000\n\t\t// - Docker hostname: \"nexus\" (from docker-compose.yml)\n\t\t// - Container name: \"liop-nexus\"\n\t\t// - Host-published ports: 13000 (HTTP), 13001 (libp2p)\n\t\t// - The JWT `iss` claim is set by the Nexus to its own configured issuer\n\t\t// - Nodes (Bank, Vault, Oracle) validate using their LIOP_NEXUS_URL\n\t\t//\n\t\t// All of these are equivalent endpoints for the same Authorization Server,\n\t\t// so any token issued by one alias must be accepted by a validator configured\n\t\t// with any other alias. Aligned with RFC 9728 Zero-Trust peer remapping.\n\t\tconst issuers = this.buildIssuerAliases();\n\n\t\tconst { payload } = await jose.jwtVerify(token, this.jwksResolver, {\n\t\t\tissuer: issuers.length > 1 ? 
issuers : this.issuer,\n\t\t\taudience: this.audience,\n\t\t\t// Algorithm whitelist: only accept EdDSA (Ed25519) or ES256.\n\t\t\t// Prevents algorithm confusion attacks (OWASP API-A01).\n\t\t\talgorithms: [AUTH_DEFAULTS.signingAlgorithm, \"ES256\"],\n\t\t\t// Clock tolerance for P2P mesh nodes with slight time drift.\n\t\t\tclockTolerance: AUTH_DEFAULTS.clockToleranceSec,\n\t\t\t// Enforce required claims to prevent malformed tokens.\n\t\t\trequiredClaims: [\"sub\", \"scope\"],\n\t\t});\n\n\t\treturn {\n\t\t\ttoken,\n\t\t\tclientId: payload.sub ?? \"unknown\",\n\t\t\tscopes: typeof payload.scope === \"string\" ? payload.scope.split(\" \") : [],\n\t\t\texpiresAt: payload.exp,\n\t\t};\n\t}\n\n\t/**\n\t * Builds a complete set of issuer URL aliases for the LIOP demo topology.\n\t *\n\t * The LIOP mesh runs on Docker Desktop with the following network layout:\n\t * Container hostnames: \"nexus\", \"liop-nexus\" (internal port 3000)\n\t * Host-published ports: 13000 (HTTP/MCP), 13001 (libp2p TCP)\n\t * Loopback addresses: 127.0.0.1, localhost\n\t *\n\t * The Nexus OAuth server may set its issuer to any of these depending on\n\t * how it was configured, and nodes may resolve it via LIOP_NEXUS_URL\n\t * which varies by context. This method generates all equivalent aliases\n\t * so that jose.jwtVerify accepts the token regardless of which alias\n\t * was used as `iss` in the JWT.\n\t *\n\t * Security note: This does NOT weaken validation — the cryptographic\n\t * signature is still verified against the same JWKS keys. Only the\n\t * string comparison of the `iss` claim is relaxed across known aliases.\n\t */\n\tprivate buildIssuerAliases(): string[] {\n\t\tconst issuers = [this.issuer];\n\t\tconst cleanIssuer = this.issuer.endsWith(\"/\")\n\t\t\t? 
this.issuer.slice(0, -1)\n\t\t\t: this.issuer;\n\n\t\t// Known LIOP Nexus authority patterns (host:port).\n\t\t// If the configured issuer matches ANY of these, inject ALL others as aliases.\n\t\tconst NEXUS_AUTHORITIES = [\n\t\t\t\"nexus:3000\",\n\t\t\t\"liop-nexus:3000\",\n\t\t\t\"127.0.0.1:3000\",\n\t\t\t\"localhost:3000\",\n\t\t\t\"127.0.0.1:13000\",\n\t\t\t\"localhost:13000\",\n\t\t\t\"127.0.0.1:13001\",\n\t\t\t\"localhost:13001\",\n\t\t];\n\n\t\t// Extract just the authority (host:port) from the issuer URL\n\t\tlet issuerAuthority = \"\";\n\t\ttry {\n\t\t\tconst url = new URL(cleanIssuer);\n\t\t\tissuerAuthority = `${url.hostname}:${url.port || \"3000\"}`;\n\t\t} catch {\n\t\t\t// Non-URL issuer (e.g. \"urn:...\" or malformed) — skip aliasing\n\t\t\treturn issuers;\n\t\t}\n\n\t\t// Check if the configured issuer matches any known Nexus authority\n\t\tconst isNexusIssuer = NEXUS_AUTHORITIES.some(\n\t\t\t(authority) => issuerAuthority === authority,\n\t\t);\n\n\t\tif (!isNexusIssuer) return issuers;\n\n\t\t// Extract the path suffix (e.g., \"/oidc\" or \"\")\n\t\tconst pathSuffix = cleanIssuer.replace(/^https?:\\/\\/[^/]+/, \"\");\n\n\t\t// Generate all alias permutations with the same path suffix\n\t\tfor (const authority of NEXUS_AUTHORITIES) {\n\t\t\tconst alias = `http://${authority}${pathSuffix}`;\n\t\t\tif (!issuers.includes(alias)) {\n\t\t\t\tissuers.push(alias);\n\t\t\t}\n\t\t}\n\n\t\t// Also add versions without the path suffix if it exists\n\t\t// (the Nexus default issuer is \"http://localhost:3000\" without \"/oidc\")\n\t\tif (pathSuffix) {\n\t\t\tfor (const authority of NEXUS_AUTHORITIES) {\n\t\t\t\tconst alias = `http://${authority}`;\n\t\t\t\tif (!issuers.includes(alias)) {\n\t\t\t\t\tissuers.push(alias);\n\t\t\t\t}\n\t\t\t}\n\t\t} else {\n\t\t\t// Conversely, add \"/oidc\" variants since some consumers include it\n\t\t\tfor (const authority of NEXUS_AUTHORITIES) {\n\t\t\t\tconst alias = `http://${authority}/oidc`;\n\t\t\t\tif 
(!issuers.includes(alias)) {\n\t\t\t\t\tissuers.push(alias);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn issuers;\n\t}\n\n\t/**\n\t * Returns the configured issuer URL for PRM (RFC 9728) metadata.\n\t */\n\tgetIssuer(): string {\n\t\treturn this.issuer;\n\t}\n\n\t/**\n\t * Returns the configured audience for PRM metadata.\n\t */\n\tgetAudience(): string {\n\t\treturn this.audience;\n\t}\n}\n","/**\n * LIOP Embedded OAuth 2.1 Authorization Server\n *\n * Implements a lightweight, high-performance OAuth 2.1 / OIDC Authorization Server\n * for the Nexus node using `panva/node-oidc-provider`.\n *\n * Security Hardening:\n * - M2M (Machine-to-Machine) Client Credentials Grant ONLY (Zero human interaction interface).\n * - Algorithmic whitelist: EdDSA (Ed25519) for token signing.\n * - JWT Access Tokens: Allows stateless, cryptographically-secure validation on data nodes (NIST SP 800-207).\n * - Interaction Lockout: Throws exception on any interactive flow attempt to prevent hijack attacks (OWASP).\n *\n * Standards: OAuth 2.1, RFC 6749, RFC 7519, NIST SP 800-63B\n */\n\nimport crypto from \"node:crypto\";\nimport type * as jose from \"jose\";\n// oidc-provider is a CommonJS module with a default export containing the Provider class\nimport Provider, { type Configuration } from \"oidc-provider\";\nimport { LIOP_SCOPES } from \"./rbac.js\";\n\nexport interface OAuthServerClientConfig {\n\tclient_id: string;\n\tclient_secret: string;\n\tgrant_types: string[];\n\tscope: string;\n}\n\nexport interface OAuthServerConfig {\n\tissuer: string;\n\tclients: OAuthServerClientConfig[];\n}\n\nexport interface OAuthServerResult {\n\tprovider: Provider;\n\tjwks: jose.JSONWebKeySet;\n}\n\n/**\n * Creates and configures the embedded node-oidc-provider instance for the Nexus.\n *\n * @param config - Server configuration containing the issuer URL and allowed M2M clients.\n */\nexport function createOAuthServer(\n\tconfig: OAuthServerConfig,\n): OAuthServerResult {\n\t// 1. 
Generate Ed25519 (EdDSA) signing keys sychronously (zero network friction)\n\tconst { privateKey, publicKey } = crypto.generateKeyPairSync(\"ed25519\");\n\tconst privateJwk = privateKey.export({ format: \"jwk\" }) as jose.JWK;\n\tconst publicJwk = publicKey.export({ format: \"jwk\" }) as jose.JWK;\n\tconst kid = crypto\n\t\t.createHash(\"sha256\")\n\t\t.update(publicJwk.x || \"\")\n\t\t.digest(\"hex\")\n\t\t.slice(0, 16);\n\n\tconst privateJwkComplete = {\n\t\t...privateJwk,\n\t\tkid,\n\t\tuse: \"sig\",\n\t\talg: \"EdDSA\",\n\t};\n\n\tconst publicJwkComplete = {\n\t\t...publicJwk,\n\t\tkid,\n\t\tuse: \"sig\",\n\t\talg: \"EdDSA\",\n\t};\n\n\tconst jwksInternal = {\n\t\tkeys: [privateJwkComplete],\n\t};\n\n\tconst jwksPublic: jose.JSONWebKeySet = {\n\t\tkeys: [publicJwkComplete],\n\t};\n\n\t// 2. Configure OpenID Connect Provider\n\tconst oidcConfig: Configuration = {\n\t\t// Supported scopes at the Authorization Server level (RFC 6749)\n\t\tscopes: [\"openid\", \"offline_access\", ...LIOP_SCOPES],\n\n\t\t// Define registered Machine-to-Machine clients\n\t\tclients: config.clients.map((c) => ({\n\t\t\tclient_id: c.client_id,\n\t\t\tclient_secret: c.client_secret,\n\t\t\tgrant_types: [\"client_credentials\"],\n\t\t\tresponse_types: [], // CC Grant does not use response types\n\t\t\tredirect_uris: [], // M2M flows require no redirects\n\t\t\tscope: c.scope,\n\t\t\ttoken_endpoint_auth_method: \"client_secret_post\",\n\t\t\tid_token_signed_response_alg: \"EdDSA\",\n\t\t})),\n\n\t\t// [SEC] Features whitelist: Enable Client Credentials, disable all human interactions\n\t\tfeatures: {\n\t\t\tclientCredentials: { enabled: true },\n\t\t\tdevInteractions: { enabled: false }, // Prevent development interactions UI\n\t\t\tresourceIndicators: {\n\t\t\t\tenabled: true,\n\t\t\t\tuseGrantedResource: () => true,\n\t\t\t\tgetResourceServerInfo: (_ctx, _resource, client) => {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tscope: client.scope || \"\",\n\t\t\t\t\t\taccessTokenFormat: 
\"jwt\",\n\t\t\t\t\t\tjwt: {\n\t\t\t\t\t\t\tsign: { alg: \"EdDSA\" },\n\t\t\t\t\t\t},\n\t\t\t\t\t};\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\n\t\t// [SEC] Emit M2M Access Tokens as JWTs instead of opaque strings\n\t\t// This enables high-performance local validation at resource servers (NIST SP 800-207)\n\t\tformats: {\n\t\t\tAccessToken: \"jwt\",\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: library typings mismatch in oidc-provider\n\t\t} as any,\n\n\t\t// [SEC] Lockout: Throw immediate error on any interactive login flow attempt\n\t\tinteractions: {\n\t\t\turl: () => {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t\"InteractionsNotSupportedException: This Authorization Server is strictly configured for Machine-to-Machine flows.\",\n\t\t\t\t);\n\t\t\t},\n\t\t},\n\n\t\t// Keys used for signing Issued Tokens (ID Tokens, Access Tokens)\n\t\tjwks: jwksInternal,\n\n\t\t// Token life configurations (NIST SP 800-63B token rotation guidelines)\n\t\tttl: {\n\t\t\tClientCredentials: 3600, // Access Token valid for 1 hour\n\t\t},\n\n\t\t// Allow HTTP locally for development/Docker testnets (production MUST use HTTPS in proxy)\n\t\tcookies: {\n\t\t\tkeys: [crypto.randomBytes(32).toString(\"hex\")],\n\t\t},\n\n\t\t// Map scopes directly into the JWT token claims during client_credentials grant\n\t\textraTokenClaims: (_ctx, token) => {\n\t\t\tif (token.kind === \"AccessToken\") {\n\t\t\t\treturn {\n\t\t\t\t\tscope: token.scope,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {};\n\t\t},\n\t};\n\n\t// Initialize the provider with normalized trailing slashes if needed\n\t// node-oidc-provider expects a clean URL as issuer\n\tconst normalizedIssuer = config.issuer.endsWith(\"/\")\n\t\t? 
config.issuer.slice(0, -1)\n\t\t: config.issuer;\n\n\tconst provider = new Provider(normalizedIssuer, oidcConfig);\n\n\t// Make sure the provider trusts local proxies (like Nginx/Cloudflare or Docker network gateways)\n\tprovider.proxy = true;\n\n\treturn {\n\t\tprovider,\n\t\tjwks: jwksPublic,\n\t};\n}\n","/**\n * LIOP Taint Analyzer — Static Information Flow Control (IFC)\n *\n * Performs AST-level taint tracking on injected Logic-on-Origin code\n * to detect side-channel data exfiltration via scalar derivation\n * (charCodeAt, boolean inference, arithmetic on PII fields).\n *\n * Architecture: 3-pass analysis using Acorn ESTree parser.\n * Pass 1 — Identify record-bound variables (callback params of env.records methods)\n * Pass 2 — Propagate taint through assignments and expressions\n * Pass 3 — Check return statements for tainted values flowing to output\n *\n * References:\n * - Acorn ESTree spec: https://github.com/estree/estree\n * - Acorn-Walk SimpleVisitors: https://github.com/acornjs/acorn/tree/master/acorn-walk\n * - OWASP Information Flow Control patterns\n */\n\nimport * as acorn from \"acorn\";\nimport { type SimpleVisitors, simple } from \"acorn-walk\";\n\n// ── Public API ───────────────────────────────────────────────────────\n\nexport type FieldSensitivity = \"forbidden\" | \"sensitive\" | \"public\";\n\nexport interface TaintViolation {\n\t/** Human-readable reason for the block */\n\treason: string;\n\t/** Source line number (1-indexed) if available */\n\tline?: number;\n\t/** The specific operation that triggered the violation */\n\toperation?: string;\n}\n\n/**\n * Static taint analyzer for LIOP Logic-on-Origin payloads.\n *\n * Detects when PII field values are derived into scalar outputs\n * (charCodeAt, boolean inference, arithmetic) that would bypass\n * the Egress Shield's pattern-based detection.\n */\nexport class TaintAnalyzer {\n\tprivate readonly piiFields: Set<string>;\n\tprivate readonly sensitiveKeys: Set<string>;\n\n\t/** String 
methods that extract character-level information from PII */\n\tprivate static readonly TAINT_PROPAGATING_METHODS = new Set([\n\t\t// Character extraction\n\t\t\"charCodeAt\",\n\t\t\"codePointAt\",\n\t\t\"charAt\",\n\t\t\"at\",\n\t\t// Search/position (reveals content structure)\n\t\t\"indexOf\",\n\t\t\"lastIndexOf\",\n\t\t\"search\",\n\t\t// Comparison (reveals ordering/content)\n\t\t\"localeCompare\",\n\t\t\"startsWith\",\n\t\t\"endsWith\",\n\t\t\"includes\",\n\t\t// Transformation (preserves PII content in different form)\n\t\t\"substring\",\n\t\t\"slice\",\n\t\t\"substr\",\n\t\t\"split\",\n\t\t\"match\",\n\t\t\"matchAll\",\n\t\t\"replace\",\n\t\t\"replaceAll\",\n\t\t\"normalize\",\n\t\t\"toLowerCase\",\n\t\t\"toUpperCase\",\n\t\t\"trim\",\n\t\t\"trimStart\",\n\t\t\"trimEnd\",\n\t\t\"padStart\",\n\t\t\"padEnd\",\n\t\t\"repeat\",\n\t]);\n\n\t/** Array iteration methods whose callbacks receive individual records */\n\tprivate static readonly ARRAY_CALLBACK_METHODS = new Set([\n\t\t\"map\",\n\t\t\"forEach\",\n\t\t\"filter\",\n\t\t\"find\",\n\t\t\"some\",\n\t\t\"every\",\n\t\t\"flatMap\",\n\t\t\"findIndex\",\n\t]);\n\n\t/** Reduce-family methods where the record param is the SECOND callback arg */\n\tprivate static readonly REDUCE_METHODS = new Set([\"reduce\", \"reduceRight\"]);\n\n\tconstructor(piiFields: string[], sensitiveKeys: string[] = []) {\n\t\tthis.piiFields = new Set(piiFields.map((f) => f.toLowerCase()));\n\t\tthis.sensitiveKeys = new Set(sensitiveKeys.map((f) => f.toLowerCase()));\n\t}\n\n\t/**\n\t * Classifies a field into forbidden, sensitive, or public tiers (NIST SP 800-226).\n\t */\n\tclassifyField(\n\t\tfield: string,\n\t\tpolicySensitiveKeys: string[] = [],\n\t): FieldSensitivity {\n\t\tconst lowerField = field.toLowerCase();\n\t\tif (this.piiFields.has(lowerField)) {\n\t\t\treturn \"forbidden\";\n\t\t}\n\n\t\tconst lowerPolicyKeys = new Set(\n\t\t\tpolicySensitiveKeys.map((k) => k.toLowerCase()),\n\t\t);\n\t\tif 
(this.sensitiveKeys.has(lowerField) || lowerPolicyKeys.has(lowerField)) {\n\t\t\treturn \"sensitive\";\n\t\t}\n\n\t\treturn \"public\";\n\t}\n\n\t/**\n\t * Analyzes injected source code for PII taint violations.\n\t *\n\t * @param sourceCode - The raw JavaScript logic extracted from the LIOP envelope\n\t * @param recordCount - Size of source dataset (enables correlation/min-max gates for small sets)\n\t * @param minMaxBlockThreshold - Threshold below which extrema/correlation extraction is blocked\n\t * @returns A TaintViolation if PII-derived values flow to output, null if clean\n\t */\n\tanalyze(\n\t\tsourceCode: string,\n\t\trecordCount?: number,\n\t\tminMaxBlockThreshold: number = 50,\n\t): TaintViolation | null {\n\t\tlet ast: acorn.Node;\n\t\ttry {\n\t\t\t// Wrap in function body to handle bare `return` statements\n\t\t\tconst wrapped = `function liop_analysis_wrapper(env) {\\n${sourceCode}\\n}`;\n\t\t\tast = acorn.parse(wrapped, {\n\t\t\t\tecmaVersion: 2022,\n\t\t\t\tsourceType: \"script\",\n\t\t\t\tlocations: true,\n\t\t\t});\n\t\t} catch {\n\t\t\t// Syntax errors are handled downstream by the sandbox VM\n\t\t\treturn null;\n\t\t}\n\n\t\tconst recordBoundVars = new Set<string>();\n\t\tconst taintedVars = new Set<string>();\n\n\t\t// Pass 1: Identify variables bound to individual records\n\t\tthis.identifyRecordBoundVars(ast, recordBoundVars);\n\n\t\t// Pass 2: Propagate taint through variable assignments\n\t\tthis.propagateTaint(ast, recordBoundVars, taintedVars);\n\n\t\t// Pass 3: Check if any return statement contains tainted values\n\t\tconst taintResult = this.checkReturnStatements(\n\t\t\tast,\n\t\t\trecordBoundVars,\n\t\t\ttaintedVars,\n\t\t);\n\t\tif (taintResult) return taintResult;\n\n\t\t// Pass 4: Correlation Guard — detect multiple reduce on same field (F-01)\n\t\tif (\n\t\t\trecordCount !== undefined &&\n\t\t\trecordCount > 0 &&\n\t\t\trecordCount < minMaxBlockThreshold\n\t\t) {\n\t\t\tconst correlationResult = 
this.detectCorrelatedAggregations(ast);\n\t\t\tif (correlationResult) {\n\t\t\t\t// Augment error with the actual threshold for clarity (Phase 109 requirement)\n\t\t\t\tcorrelationResult.reason = correlationResult.reason.replace(\n\t\t\t\t\t\"50 records\",\n\t\t\t\t\t`${minMaxBlockThreshold} records`,\n\t\t\t\t);\n\t\t\t\treturn correlationResult;\n\t\t\t}\n\t\t}\n\n\t\t// Pass 5: Min/Max Gate — block extrema extraction on small datasets (F-02)\n\t\tif (\n\t\t\trecordCount !== undefined &&\n\t\t\trecordCount > 0 &&\n\t\t\trecordCount < minMaxBlockThreshold\n\t\t) {\n\t\t\tconst minMaxResult = this.detectMinMaxExtraction(ast);\n\t\t\tif (minMaxResult) {\n\t\t\t\tminMaxResult.reason = minMaxResult.reason.replace(\n\t\t\t\t\t\"50 records\",\n\t\t\t\t\t`${minMaxBlockThreshold} records`,\n\t\t\t\t);\n\t\t\t\treturn minMaxResult;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Extracts all unique field names accessed via env.records operations.\n\t * Used by the Query Budget to enforce per-field query limits.\n\t */\n\textractQueriedFields(sourceCode: string): string[] {\n\t\tlet ast: acorn.Node;\n\t\ttry {\n\t\t\tast = acorn.parse(`function w(env) {\\n${sourceCode}\\n}`, {\n\t\t\t\tecmaVersion: 2022,\n\t\t\t\tsourceType: \"script\",\n\t\t\t});\n\t\t} catch {\n\t\t\treturn [];\n\t\t}\n\n\t\tconst recordBoundVars = new Set<string>();\n\t\tthis.identifyRecordBoundVars(ast, recordBoundVars);\n\n\t\tconst fields = new Set<string>();\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tMemberExpression: (node) => {\n\t\t\t\tconst propName = this.getPropertyName(node);\n\t\t\t\tif (!propName || propName === \"length\") return;\n\n\t\t\t\t// Case 1: r.field (direct property access on record-bound variable)\n\t\t\t\tif (\n\t\t\t\t\tnode.object.type === \"Identifier\" &&\n\t\t\t\t\trecordBoundVars.has((node.object as acorn.Identifier).name)\n\t\t\t\t) {\n\t\t\t\t\tfields.add(propName);\n\t\t\t\t}\n\n\t\t\t\t// Case 2: env.records[N].field (direct index member 
access)\n\t\t\t\tif (node.object.type === \"MemberExpression\") {\n\t\t\t\t\tconst parentMember = node.object as acorn.MemberExpression;\n\t\t\t\t\tif (\n\t\t\t\t\t\tparentMember.computed &&\n\t\t\t\t\t\tthis.isEnvRecordsAccess(parentMember.object)\n\t\t\t\t\t) {\n\t\t\t\t\t\tfields.add(propName);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\t\treturn Array.from(fields);\n\t}\n\n\t// ── Pass 4: Correlation Guard ─────────────────────────────────────\n\n\t/**\n\t * Detects when 2+ reduce/aggregation calls access the same field.\n\t * This prevents differencing attacks: sum(all.field) - sum(excl1.field) = individual value.\n\t * Exempt: .length access (metadata, not field access).\n\t */\n\tprivate detectCorrelatedAggregations(ast: acorn.Node): TaintViolation | null {\n\t\tconst fieldAggCounts = new Map<string, number>();\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t\t// Only track reduce/reduceRight aggregations\n\t\t\t\tif (!methodName || !TaintAnalyzer.REDUCE_METHODS.has(methodName))\n\t\t\t\t\treturn;\n\n\t\t\t\t// Must be called on env.records or a derivation of it (.slice(), .filter())\n\t\t\t\tif (!this.isEnvRecordsChain(callee.object)) return;\n\n\t\t\t\t// Extract the field name accessed in the callback\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\t!callback ||\n\t\t\t\t\t(callback.type !== \"ArrowFunctionExpression\" &&\n\t\t\t\t\t\tcallback.type !== \"FunctionExpression\")\n\t\t\t\t)\n\t\t\t\t\treturn;\n\n\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\t\t\t\tconst recordParam = fn.params.length > 1 ? 
fn.params[1] : fn.params[0];\n\t\t\t\tif (!recordParam || recordParam.type !== \"Identifier\") return;\n\n\t\t\t\tconst paramName = (recordParam as acorn.Identifier).name;\n\t\t\t\tconst fields = this.extractFieldsFromBody(\n\t\t\t\t\tfn.body as acorn.Node,\n\t\t\t\t\tparamName,\n\t\t\t\t);\n\n\t\t\t\tfor (const field of fields) {\n\t\t\t\t\tconst current = fieldAggCounts.get(field) ?? 0;\n\t\t\t\t\tfieldAggCounts.set(field, current + 1);\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\tfor (const [field, count] of fieldAggCounts) {\n\t\t\tif (count >= 2) {\n\t\t\t\treturn {\n\t\t\t\t\treason:\n\t\t\t\t\t\t`Correlation guard: ${count} aggregations detected on field '${field}'. ` +\n\t\t\t\t\t\t\"Multiple correlated aggregations on the same field can enable differencing attacks. \" +\n\t\t\t\t\t\t\"Use a single aggregation per numeric field, or increase dataset size above 50 records.\",\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Checks if a node is env.records or a chain like env.records.slice(N) / env.records.filter(...)\n\t */\n\tprivate isEnvRecordsChain(node: acorn.Node): boolean {\n\t\tif (this.isEnvRecordsAccess(node)) return true;\n\n\t\t// Handle env.records.slice(N), env.records.filter(...)\n\t\tif (node.type === \"CallExpression\") {\n\t\t\tconst call = node as acorn.CallExpression;\n\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\tconst member = call.callee as acorn.MemberExpression;\n\t\t\t\tconst method = this.getPropertyName(member);\n\t\t\t\tif (\n\t\t\t\t\tmethod &&\n\t\t\t\t\t(method === \"slice\" || method === \"filter\" || method === \"toSorted\")\n\t\t\t\t) {\n\t\t\t\t\treturn this.isEnvRecordsChain(member.object);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// Handle [...env.records] (SpreadElement in ArrayExpression assigned to var)\n\t\treturn false;\n\t}\n\n\t/**\n\t * Extracts field names accessed on a record parameter within a function body.\n\t * e.g., in `(s, r) => s + r.balance`, extracts 
\"balance\".\n\t * Ignores .length as it's metadata, not a field access.\n\t */\n\tprivate extractFieldsFromBody(body: acorn.Node, paramName: string): string[] {\n\t\tconst fields: string[] = [];\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tMemberExpression: (node) => {\n\t\t\t\tif (\n\t\t\t\t\tnode.object.type === \"Identifier\" &&\n\t\t\t\t\t(node.object as acorn.Identifier).name === paramName\n\t\t\t\t) {\n\t\t\t\t\tconst prop = this.getPropertyName(node);\n\t\t\t\t\t// Exempt .length — it's array metadata, not a data field\n\t\t\t\t\tif (prop && prop !== \"length\") {\n\t\t\t\t\t\tfields.push(prop);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(body, visitors);\n\t\treturn fields;\n\t}\n\n\t// ── Pass 5: Min/Max Gate ──────────────────────────────────────────\n\n\t/**\n\t * Detects Math.min/max and sort()[0] patterns that expose individual\n\t * record values from small datasets.\n\t */\n\tprivate detectMinMaxExtraction(ast: acorn.Node): TaintViolation | null {\n\t\tlet violation: TaintViolation | null = null;\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (violation) return;\n\n\t\t\t\t// Pattern: Math.min(...env.records.map(r => r.field))\n\t\t\t\t// Pattern: Math.max(...env.records.map(r => r.field))\n\t\t\t\tif (node.callee.type === \"MemberExpression\") {\n\t\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\t\tif (\n\t\t\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\t\t\t(callee.object as acorn.Identifier).name === \"Math\"\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst method = this.getPropertyName(callee);\n\t\t\t\t\t\tif (method === \"min\" || method === \"max\") {\n\t\t\t\t\t\t\t// Check if any argument is a spread of env.records.map\n\t\t\t\t\t\t\tif (\n\t\t\t\t\t\t\t\tnode.arguments.some(\n\t\t\t\t\t\t\t\t\t(arg) =>\n\t\t\t\t\t\t\t\t\t\targ.type === \"SpreadElement\" &&\n\t\t\t\t\t\t\t\t\t\tthis.isRecordsMapCall(\n\t\t\t\t\t\t\t\t\t\t\t(arg as 
acorn.SpreadElement).argument,\n\t\t\t\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t) {\n\t\t\t\t\t\t\t\tviolation = {\n\t\t\t\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t\t\t\t`Min/Max gate: Math.${method}() on individual records blocked for small datasets (n < 50). ` +\n\t\t\t\t\t\t\t\t\t\t\"Use avg/stddev/count for privacy-safe aggregations.\",\n\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\n\t\t\t// Pattern: env.records.sort(...)[0].field or [...env.records].sort(...)[0].field\n\t\t\tMemberExpression: (node) => {\n\t\t\t\tif (violation) return;\n\n\t\t\t\t// Check for sort result indexed access: .sort(...)[0]\n\t\t\t\tif (node.computed && node.object.type === \"CallExpression\") {\n\t\t\t\t\tconst call = node.object as acorn.CallExpression;\n\t\t\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\t\t\tconst method = this.getPropertyName(\n\t\t\t\t\t\t\tcall.callee as acorn.MemberExpression,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (method === \"sort\" || method === \"toSorted\") {\n\t\t\t\t\t\t\tconst sortTarget = (call.callee as acorn.MemberExpression).object;\n\t\t\t\t\t\t\tif (this.isEnvRecordsChain(sortTarget)) {\n\t\t\t\t\t\t\t\tviolation = {\n\t\t\t\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t\t\t\t\"Min/Max gate: .sort()[index] on individual records blocked for small datasets (n < 50). 
\" +\n\t\t\t\t\t\t\t\t\t\t\"Use avg/stddev/count for privacy-safe aggregations.\",\n\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\t\treturn violation;\n\t}\n\n\t/**\n\t * Checks if a node is env.records.map(callback) — used by Min/Max Gate.\n\t */\n\tprivate isRecordsMapCall(node: acorn.Node): boolean {\n\t\tif (node.type !== \"CallExpression\") return false;\n\t\tconst call = node as acorn.CallExpression;\n\t\tif (call.callee.type !== \"MemberExpression\") return false;\n\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\tconst method = this.getPropertyName(callee);\n\t\treturn method === \"map\" && this.isEnvRecordsChain(callee.object);\n\t}\n\n\t// ── Pass 1: Record-Bound Variable Identification ──────────────────\n\n\tprivate identifyRecordBoundVars(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t): void {\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\tconst member = node.callee as acorn.MemberExpression;\n\t\t\t\tconst methodName = this.getPropertyName(member);\n\t\t\t\tif (!methodName) return;\n\n\t\t\t\t// Check if this is env.records.METHOD(callback)\n\t\t\t\tif (!this.isEnvRecordsAccess(member.object)) return;\n\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (!callback) return;\n\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.ARRAY_CALLBACK_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 0\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst param = fn.params[0];\n\t\t\t\t\t\tif (param.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(param.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif 
(\n\t\t\t\t\t\tTaintAnalyzer.REDUCE_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 1\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst recordParam = fn.params[1];\n\t\t\t\t\t\tif (recordParam.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(recordParam.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\n\t\t\t// for (const r of env.records) → r is record-bound\n\t\t\tForOfStatement: (node) => {\n\t\t\t\tif (!this.isEnvRecordsAccess(node.right)) return;\n\n\t\t\t\tif (node.left.type === \"VariableDeclaration\") {\n\t\t\t\t\tfor (const declarator of node.left.declarations) {\n\t\t\t\t\t\tif (declarator.id.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(declarator.id.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\t// Also handle: const r = env.records[N]\n\t\tconst indexVisitors: SimpleVisitors<void> = {\n\t\t\tVariableDeclarator: (node) => {\n\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\tif (\n\t\t\t\t\tnode.init.type === \"MemberExpression\" &&\n\t\t\t\t\t(node.init as acorn.MemberExpression).computed\n\t\t\t\t) {\n\t\t\t\t\tconst member = node.init as acorn.MemberExpression;\n\t\t\t\t\tif (this.isEnvRecordsAccess(member.object)) {\n\t\t\t\t\t\trecordBoundVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, indexVisitors);\n\t}\n\n\t// ── Pass 2: Taint Propagation ─────────────────────────────────────\n\n\tprivate propagateTaint(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): void {\n\t\t// Multiple iterations to handle transitive taint chains\n\t\t// (e.g., const a = r.name; const b = a; const c = b.charCodeAt(0))\n\t\tfor (let iteration = 0; iteration < 3; iteration++) {\n\t\t\tconst sizeBefore = taintedVars.size;\n\n\t\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\t\tVariableDeclarator: (node) => {\n\t\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") 
return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.init, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\tAssignmentExpression: (node) => {\n\t\t\t\t\tif (node.left.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.right, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((node.left as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\tFunctionDeclaration: (node) => {\n\t\t\t\t\tif (node.id && node.id.type === \"Identifier\") {\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\tthis.doesCallbackProduceTaint(\n\t\t\t\t\t\t\t\tnode,\n\t\t\t\t\t\t\t\tnull,\n\t\t\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t\t\t)\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\ttaintedVars.add(node.id.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\t// Imperative taint: array.push(taintedValue) contaminates the array\n\t\t\t\t// Covers for-of and forEach patterns that push PII-derived values\n\t\t\t\tCallExpression: (node) => {\n\t\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tmethodName === \"push\" &&\n\t\t\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\t\t\tnode.arguments.some((arg) =>\n\t\t\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t};\n\n\t\t\tsimple(ast, visitors);\n\n\t\t\t// Fixed point: stop if no new tainted vars discovered\n\t\t\tif (taintedVars.size === sizeBefore) break;\n\t\t}\n\t}\n\n\t// ── Pass 3: Return Statement Sink Detection ───────────────────────\n\n\tprivate checkReturnStatements(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: 
Set<string>,\n\t): TaintViolation | null {\n\t\tlet violation: TaintViolation | null = null;\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (violation) return; // Already found one\n\n\t\t\t\tif (!node.argument) return;\n\n\t\t\t\tif (\n\t\t\t\t\tthis.isExpressionTainted(node.argument, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst line = node.loc?.start.line\n\t\t\t\t\t\t? node.loc.start.line - 1 // Adjust for wrapper function offset\n\t\t\t\t\t\t: undefined;\n\t\t\t\t\tconst operation = this.describeTaintSource(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t\tviolation = {\n\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t`PII side-channel detected: output contains values derived from restricted fields. ` +\n\t\t\t\t\t\t\t`${operation ? `Operation: ${operation}. ` : \"\"}` +\n\t\t\t\t\t\t\t`Use only non-PII fields (e.g., numeric/date columns) for aggregations.`,\n\t\t\t\t\t\tline,\n\t\t\t\t\t\toperation,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\treturn violation;\n\t}\n\n\t// ── Core Taint Evaluation ─────────────────────────────────────────\n\n\t/**\n\t * Recursively determines if an AST expression produces a tainted value.\n\t * A value is tainted if it derives from a PII field on a record-bound variable.\n\t */\n\tprivate isExpressionTainted(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tswitch (node.type) {\n\t\t\tcase \"Identifier\":\n\t\t\t\treturn taintedVars.has((node as acorn.Identifier).name);\n\n\t\t\tcase \"MemberExpression\":\n\t\t\t\treturn this.isMemberExprTainted(\n\t\t\t\t\tnode as acorn.MemberExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"CallExpression\":\n\t\t\t\treturn this.isCallExprTainted(\n\t\t\t\t\tnode as 
acorn.CallExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"YieldExpression\": {\n\t\t\t\tconst yieldNode = node as acorn.YieldExpression;\n\t\t\t\treturn yieldNode.argument\n\t\t\t\t\t? this.isExpressionTainted(\n\t\t\t\t\t\t\tyieldNode.argument,\n\t\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t\t)\n\t\t\t\t\t: false;\n\t\t\t}\n\n\t\t\tcase \"FunctionExpression\":\n\t\t\tcase \"ArrowFunctionExpression\": {\n\t\t\t\tconst fn = node as\n\t\t\t\t\t| acorn.FunctionExpression\n\t\t\t\t\t| acorn.ArrowFunctionExpression;\n\t\t\t\treturn this.doesCallbackProduceTaint(\n\t\t\t\t\tfn,\n\t\t\t\t\tnull,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"BinaryExpression\":\n\t\t\tcase \"LogicalExpression\": {\n\t\t\t\tconst bin = node as acorn.BinaryExpression;\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(bin.left, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(bin.right, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"UnaryExpression\": {\n\t\t\t\tconst unary = node as acorn.UnaryExpression;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tunary.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ConditionalExpression\": {\n\t\t\t\tconst cond = node as acorn.ConditionalExpression;\n\t\t\t\t// If the test involves tainted values, the branch choice leaks info\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(cond.test, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tcond.consequent,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t) ||\n\t\t\t\t\tthis.isExpressionTainted(cond.alternate, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ObjectExpression\": {\n\t\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\t\treturn obj.properties.some(\n\t\t\t\t\t(prop) =>\n\t\t\t\t\t\tprop.type === \"Property\" 
&&\n\t\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ArrayExpression\": {\n\t\t\t\tconst arr = node as acorn.ArrayExpression;\n\t\t\t\treturn arr.elements.some(\n\t\t\t\t\t(el) =>\n\t\t\t\t\t\tel !== null &&\n\t\t\t\t\t\tthis.isExpressionTainted(el, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"TemplateLiteral\": {\n\t\t\t\tconst tmpl = node as acorn.TemplateLiteral;\n\t\t\t\treturn tmpl.expressions.some((expr) =>\n\t\t\t\t\tthis.isExpressionTainted(expr, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"SpreadElement\": {\n\t\t\t\tconst spread = node as acorn.SpreadElement;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tspread.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tdefault:\n\t\t\t\t// Literals, ThisExpression, etc. are never tainted\n\t\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Checks if a MemberExpression accesses a PII field on a record-bound variable.\n\t * Examples: r.accountHolder, r[\"name\"], taintedVar.length, taintedVar[0]\n\t */\n\tprivate isMemberExprTainted(\n\t\tmember: acorn.MemberExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tconst propName = this.getPropertyName(member);\n\n\t\t// Case 1: recordBoundVar.piiField (direct PII access via callback param)\n\t\tif (\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name) &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 2: env.records[N].piiField (direct indexed access without callback)\n\t\t// AST: MemberExpression { object: MemberExpression { object: env.records, computed: true }, property: piiField }\n\t\tif (\n\t\t\tmember.object.type === \"MemberExpression\" &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) 
{\n\t\t\tconst parentMember = member.object as acorn.MemberExpression;\n\t\t\tif (\n\t\t\t\tparentMember.computed &&\n\t\t\t\tthis.isEnvRecordsAccess(parentMember.object)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Case 3: taintedVar.anything (any property access on tainted value)\n\t\t// .length on a tainted string leaks PII info, .charCodeAt leaks chars, etc.\n\t\tif (this.isExpressionTainted(member.object, recordBoundVars, taintedVars)) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 4: Computed access on record-bound var with PII field\n\t\t// e.g., r[\"account\" + \"Holder\"]\n\t\tif (\n\t\t\tmember.computed &&\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name)\n\t\t) {\n\t\t\t// Conservative: if computed access on record, check if the property\n\t\t\t// expression evaluates to a PII field (for string literals only)\n\t\t\tif (member.property.type === \"Literal\") {\n\t\t\t\tconst litVal = (member.property as acorn.Literal).value;\n\t\t\t\tif (\n\t\t\t\t\ttypeof litVal === \"string\" &&\n\t\t\t\t\tthis.piiFields.has(litVal.toLowerCase())\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if a CallExpression produces a tainted result.\n\t * Handles: taintedObj.method(), env.records.map(r => r.piiField), etc.\n\t */\n\tprivate isCallExprTainted(\n\t\tcall: acorn.CallExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Pattern: taintedObj.method() — method on tainted object propagates taint\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t// tainted.charCodeAt() / tainted.split() / etc.\n\t\t\tif (\n\t\t\t\tmethodName &&\n\t\t\t\tTaintAnalyzer.TAINT_PROPAGATING_METHODS.has(methodName) &&\n\t\t\t\tthis.isExpressionTainted(callee.object, 
recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// env.records.map/filter/reduce(callback) — check if callback produces taint\n\t\t\tif (this.isEnvRecordsAccess(callee.object) && call.arguments[0]) {\n\t\t\t\tconst callback = call.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\treturn this.doesCallbackProduceTaint(\n\t\t\t\t\t\tcallback as acorn.ArrowFunctionExpression,\n\t\t\t\t\t\tmethodName,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Tainted array/string method chains: tainted.reduce(...), tainted.map(...)\n\t\t\t// Handles patterns like r.accountHolder.split('').reduce((a,c) => ...)\n\t\t\tif (\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// Math.round(taintedArg) / JSON.stringify(taintedArg) — function calls with tainted arguments\n\t\t\t// on safe objects still produce tainted results\n\t\t\tif (\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Pattern: someArray.push(taintedValue) — marks the receiving array as tainted\n\t\t// This covers imperative for-of patterns:\n\t\t// for (const r of env.records) { codes.push(r.name.charCodeAt(0)) }\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\t\t\tif (\n\t\t\t\tmethodName === \"push\" &&\n\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\t// Mark the array variable as tainted (it now contains PII-derived 
values)\n\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t}\n\t\t}\n\n\t\t// Check if any argument is tainted (for functions that might propagate)\n\t\t// Conservative: if calling a function WITH tainted args, consider result tainted\n\t\t// This catches: someHelper(r.name), parseInt(taintedVar), etc.\n\t\tif (call.callee.type === \"Identifier\") {\n\t\t\tconst fnName = (call.callee as acorn.Identifier).name;\n\t\t\tif (taintedVars.has(fnName)) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t\t// Allow safe math/utility functions that don't propagate PII\n\t\t\tconst SAFE_GLOBALS = new Set([\n\t\t\t\t\"Math\",\n\t\t\t\t\"Number\",\n\t\t\t\t\"parseInt\",\n\t\t\t\t\"parseFloat\",\n\t\t\t\t\"isNaN\",\n\t\t\t\t\"isFinite\",\n\t\t\t]);\n\t\t\tif (!SAFE_GLOBALS.has(fnName)) {\n\t\t\t\treturn call.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if an array method callback produces tainted output.\n\t * e.g., env.records.map(r => r.name.charCodeAt(0)) → tainted result\n\t */\n\tprivate doesCallbackProduceTaint(\n\t\tcallback:\n\t\t\t| acorn.ArrowFunctionExpression\n\t\t\t| acorn.FunctionExpression\n\t\t\t| acorn.FunctionDeclaration,\n\t\tmethodName: string | null,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Create a temporary scope with callback params as record-bound\n\t\tconst scopedRecordVars = new Set(recordBoundVars);\n\t\tconst scopedTaintedVars = new Set(taintedVars);\n\n\t\tif (callback.params.length > 0) {\n\t\t\tconst isReduce =\n\t\t\t\tmethodName !== null && TaintAnalyzer.REDUCE_METHODS.has(methodName);\n\t\t\tconst recordParamIndex = isReduce ? 
1 : 0;\n\n\t\t\tif (\n\t\t\t\tcallback.params.length > recordParamIndex &&\n\t\t\t\tcallback.params[recordParamIndex].type === \"Identifier\"\n\t\t\t) {\n\t\t\t\tscopedRecordVars.add(\n\t\t\t\t\t(callback.params[recordParamIndex] as acorn.Identifier).name,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// For arrow functions with expression body: (r) => r.name.charCodeAt(0)\n\t\tif (\n\t\t\tcallback.type === \"ArrowFunctionExpression\" &&\n\t\t\tcallback.body.type !== \"BlockStatement\"\n\t\t) {\n\t\t\treturn this.isExpressionTainted(\n\t\t\t\tcallback.body,\n\t\t\t\tscopedRecordVars,\n\t\t\t\tscopedTaintedVars,\n\t\t\t);\n\t\t}\n\n\t\t// For block bodies, check return statements or yield expressions within the callback\n\t\tlet hasTaintedReturnOrYield = false;\n\t\tconst returnVisitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (\n\t\t\t\t\tnode.argument &&\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\tscopedRecordVars,\n\t\t\t\t\t\tscopedTaintedVars,\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\thasTaintedReturnOrYield = true;\n\t\t\t\t}\n\t\t\t},\n\t\t\tYieldExpression: (node) => {\n\t\t\t\tconst yieldNode = node as acorn.YieldExpression;\n\t\t\t\tif (\n\t\t\t\t\tyieldNode.argument &&\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tyieldNode.argument,\n\t\t\t\t\t\tscopedRecordVars,\n\t\t\t\t\t\tscopedTaintedVars,\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\thasTaintedReturnOrYield = true;\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(callback.body as acorn.Node, returnVisitors);\n\n\t\treturn hasTaintedReturnOrYield;\n\t}\n\n\t// ── Utility Methods ───────────────────────────────────────────────\n\n\t/** Extracts the property name from a MemberExpression (dot or bracket with string literal) */\n\tprivate getPropertyName(member: acorn.MemberExpression): string | null {\n\t\tif (!member.computed && member.property.type === \"Identifier\") {\n\t\t\treturn (member.property as acorn.Identifier).name;\n\t\t}\n\t\tif (member.computed && 
member.property.type === \"Literal\") {\n\t\t\tconst val = (member.property as acorn.Literal).value;\n\t\t\tif (typeof val === \"string\") return val;\n\t\t}\n\t\treturn null;\n\t}\n\n\t/** Checks if an expression resolves to `env.records` or `records` */\n\tprivate isEnvRecordsAccess(node: acorn.Node): boolean {\n\t\t// Direct: env.records\n\t\tif (node.type === \"MemberExpression\") {\n\t\t\tconst member = node as acorn.MemberExpression;\n\t\t\tconst propName = this.getPropertyName(member);\n\t\t\tif (\n\t\t\t\tpropName === \"records\" &&\n\t\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\t\t(member.object as acorn.Identifier).name === \"env\"\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t\t// Bare: records (injected as sandbox global)\n\t\tif (\n\t\t\tnode.type === \"Identifier\" &&\n\t\t\t(node as acorn.Identifier).name === \"records\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n\n\t/** Generates a human-readable description of the taint source for error messages */\n\tprivate describeTaintSource(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): string | undefined {\n\t\tif (node.type === \"Identifier\") {\n\t\t\tconst name = (node as acorn.Identifier).name;\n\t\t\tif (taintedVars.has(name)) return `variable '${name}' is PII-derived`;\n\t\t}\n\n\t\tif (node.type === \"ObjectExpression\") {\n\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\tfor (const prop of obj.properties) {\n\t\t\t\tif (\n\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst keyName =\n\t\t\t\t\t\tprop.key.type === \"Identifier\"\n\t\t\t\t\t\t\t? 
(prop.key as acorn.Identifier).name\n\t\t\t\t\t\t\t: \"unknown\";\n\t\t\t\t\treturn `property '${keyName}' contains PII-derived value`;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (node.type === \"CallExpression\") {\n\t\t\tconst call = node as acorn.CallExpression;\n\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\tconst methodName = this.getPropertyName(\n\t\t\t\t\tcall.callee as acorn.MemberExpression,\n\t\t\t\t);\n\t\t\t\tif (methodName) return `result of .${methodName}() on PII data`;\n\t\t\t}\n\t\t}\n\n\t\treturn undefined;\n\t}\n}\n","/**\n * LIOP NER Content Scanner (The Shield V3 — Named Entity Recognition Layer)\n *\n * Lightweight NER scanner using `compromise` NLP for detecting\n * person names, places, and organizations in free-text output values.\n *\n * This layer operates AFTER the regex-based PII scanner and\n * catches entities that lack a deterministic format pattern\n * (e.g., \"Evelyn Reed\" cannot be detected by regex).\n *\n * Architecture: opt-in per-server via `enableNerScanning: true`.\n * Performance: ~10ms for typical SDK output sizes (< 10KB).\n *\n * @see https://github.com/spencermountain/compromise\n */\n// Types for compromise (minimal)\ntype NlpDoc = {\n\tpeople: () => { out: (type: string) => string[] };\n\tplaces: () => { out: (type: string) => string[] };\n\torganizations: () => { out: (type: string) => string[] };\n};\ntype NlpStatic = ((text: string) => NlpDoc) & {\n\taddWords: (words: Record<string, string>) => void;\n};\n\n/**\n * Medical/pharmaceutical vocabulary safelist.\n * These terms are tagged as #Medication to prevent the NER\n * from misclassifying them as person/organization names.\n * Extends progressively — add terms as false positives arise.\n */\nconst MEDICAL_VOCABULARY: Record<string, string> = {\n\taspirin: \"Medication\",\n\tlisinopril: \"Medication\",\n\tmetformin: \"Medication\",\n\tamlodipine: \"Medication\",\n\tatorvastatin: \"Medication\",\n\tomeprazole: \"Medication\",\n\tlosartan: 
\"Medication\",\n\tsimvastatin: \"Medication\",\n\tlevothyroxine: \"Medication\",\n\tibuprofen: \"Medication\",\n\tacetaminophen: \"Medication\",\n\tamoxicillin: \"Medication\",\n\tciprofloxacin: \"Medication\",\n\tprednisone: \"Medication\",\n\twarfarin: \"Medication\",\n\tinsulin: \"Medication\",\n\thydrochlorothiazide: \"Medication\",\n\tgabapentin: \"Medication\",\n\talbuterol: \"Medication\",\n\tpantoprazole: \"Medication\",\n\t// Generic clinical terms\n\thypertension: \"Condition\",\n\tdiabetes: \"Condition\",\n\tbronchitis: \"Condition\",\n\tpneumonia: \"Condition\",\n\tasthma: \"Condition\",\n};\n\n/** Single named entity detected by the NER scanner. */\nexport interface NerEntity {\n\ttype: \"person\" | \"place\" | \"organization\";\n\ttext: string;\n}\n\n/** Result of an NER scan operation. */\nexport interface NerScanResult {\n\tdetected: boolean;\n\tentities: NerEntity[];\n}\n\n// Minimum string length to attempt NER analysis.\n// Shorter strings are unlikely to contain meaningful named entities.\nconst MIN_TEXT_LENGTH = 4;\n\n// Pattern to identify strings that are purely numeric/symbolic (skip NER)\nconst NON_TEXT_PATTERN = /^[\\d\\s.,:;!?()[\\]{}<>@#$%^&*+=|\\\\/\"'`~_-]+$/;\n\n/**\n * Scans text content for named entities that may represent PII.\n * Uses `compromise/three` for person, place, and organization detection.\n *\n * Designed for egress filtering — optimized for recall over precision\n * to ensure sensitive data does not leak through aliased output keys.\n */\nexport class NerScanner {\n\tprivate static nlp: NlpStatic | null = null;\n\n\t/**\n\t * Lazy loads the compromise library only when needed.\n\t */\n\tprivate async getNlp(): Promise<NlpStatic> {\n\t\tif (!NerScanner.nlp) {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: dynamic import of optional dependency\n\t\t\tconst mod = (await import(\"compromise/three\")) as any;\n\t\t\t// compromise export can vary depending on bundling\n\t\t\tNerScanner.nlp = (mod.default || mod) as 
NlpStatic;\n\t\t\tNerScanner.nlp.addWords(MEDICAL_VOCABULARY);\n\t\t}\n\t\treturn NerScanner.nlp;\n\t}\n\n\t/**\n\t * Scans a single string value for named entities.\n\t * Returns detected entities if the text contains recognizable PII.\n\t */\n\tasync scan(text: string): Promise<NerScanResult> {\n\t\tif (text.length < MIN_TEXT_LENGTH || NON_TEXT_PATTERN.test(text)) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tconst nlp = await this.getNlp();\n\t\tconst doc = nlp(text);\n\t\tconst entities: NerEntity[] = [];\n\n\t\tconst people = doc.people().out(\"array\");\n\t\tfor (const person of people) {\n\t\t\tconst trimmed = person.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"person\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst places = doc.places().out(\"array\");\n\t\tfor (const place of places) {\n\t\t\tconst trimmed = place.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"place\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst orgs = doc.organizations().out(\"array\");\n\t\tfor (const org of orgs) {\n\t\t\tconst trimmed = org.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"organization\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tdetected: entities.length > 0,\n\t\t\tentities,\n\t\t};\n\t}\n\n\t/**\n\t * Recursively scans all string values within an object/array.\n\t * Stops at the first detection for performance (fail-fast).\n\t */\n\tasync scanDeep(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<NerScanResult> {\n\t\tif (input === null || input === undefined) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tif (typeof input === \"string\") {\n\t\t\treturn this.scan(input);\n\t\t}\n\n\t\tif (typeof input === \"object\") {\n\t\t\tif (seen.has(input as object)) {\n\t\t\t\treturn { detected: false, entities: [] };\n\t\t\t}\n\t\t\tseen.add(input as object);\n\n\t\t\tconst 
values = Array.isArray(input)\n\t\t\t\t? input\n\t\t\t\t: Object.values(input as Record<string, unknown>);\n\n\t\t\tconst allEntities: NerEntity[] = [];\n\n\t\t\tfor (const value of values) {\n\t\t\t\tconst result = await this.scanDeep(value, seen);\n\t\t\t\tif (result.detected) {\n\t\t\t\t\tallEntities.push(...result.entities);\n\t\t\t\t\t// Fail-fast: return immediately on first person detection\n\t\t\t\t\tif (result.entities.some((e) => e.type === \"person\")) {\n\t\t\t\t\t\treturn { detected: true, entities: allEntities };\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tdetected: allEntities.length > 0,\n\t\t\t\tentities: allEntities,\n\t\t\t};\n\t\t}\n\n\t\treturn { detected: false, entities: [] };\n\t}\n}\n","/**\n * LIOP Egress Shield Output Sanitizer (NIST SP 800-226 and OWASP DLP 2025 compliant)\n * Recursively sanitizes execution outputs by rounding floating-point numbers\n * and clamping negative values to zero floor where appropriate.\n *\n * Implements absolute immutability, returning a fresh copy of the data.\n */\n\nexport interface OutputSanitizerConfig {\n\t/** Maximum decimal places for floating-point values (default: 4) */\n\tmaxDecimalPlaces?: number;\n\t/** Clamp negative values to zero floor (default: true) */\n\tclampNonNegative?: boolean;\n}\n\nconst DEFAULT_CONFIG: Required<OutputSanitizerConfig> = {\n\tmaxDecimalPlaces: 4,\n\tclampNonNegative: true,\n};\n\n/**\n * Recursively walks a JSON-like tree, rounding floats and clamping negative values.\n *\n * @param output - The raw or DP-modified output object/value to sanitize\n * @param config - Sanitization parameters (rounding depth, negative clamping)\n * @returns A sanitized deep copy of the output\n */\nexport function sanitizeOutput(\n\toutput: unknown,\n\tconfig?: OutputSanitizerConfig,\n): unknown {\n\tconst merged = { ...DEFAULT_CONFIG, ...config };\n\tconst seen = new WeakSet<object>();\n\n\tfunction walk(node: unknown): unknown {\n\t\tif (node === null || node === 
undefined) {\n\t\t\treturn node;\n\t\t}\n\n\t\tif (typeof node === \"number\") {\n\t\t\tif (!Number.isFinite(node)) {\n\t\t\t\treturn node;\n\t\t\t}\n\n\t\t\tlet value = node;\n\n\t\t\t// 1. Clamp negative values to 0 if configured\n\t\t\tif (merged.clampNonNegative && value < 0) {\n\t\t\t\tvalue = 0;\n\t\t\t}\n\n\t\t\t// 2. Round to maximum decimal places\n\t\t\tconst factor = 10 ** merged.maxDecimalPlaces;\n\t\t\tvalue = Math.round(value * factor) / factor;\n\n\t\t\treturn value;\n\t\t}\n\n\t\tif (typeof node === \"string\" || typeof node === \"boolean\") {\n\t\t\treturn node;\n\t\t}\n\n\t\tif (typeof node === \"object\") {\n\t\t\t// Circular reference protection\n\t\t\tif (seen.has(node as object)) {\n\t\t\t\treturn node;\n\t\t\t}\n\t\t\tseen.add(node as object);\n\n\t\t\tif (Array.isArray(node)) {\n\t\t\t\treturn node.map((item) => walk(item));\n\t\t\t}\n\n\t\t\tconst result: Record<string, unknown> = {};\n\t\t\tfor (const [key, val] of Object.entries(\n\t\t\t\tnode as Record<string, unknown>,\n\t\t\t)) {\n\t\t\t\tresult[key] = walk(val);\n\t\t\t}\n\t\t\treturn result;\n\t\t}\n\n\t\treturn node;\n\t}\n\n\treturn walk(output);\n}\n","/**\n * LIOP Professional PII Engine (The Shield V2 - Tier-1 Military Edition)\n * Implements high-fidelity detection based on NIST and OWASP standards.\n * Features Multi-Layer Verification (Regex + Algorithmic Validators).\n */\n\n/**\n * Validates a credit card number using the Luhn algorithm.\n * Prevents false positives from random 16-digit IDs.\n */\nfunction isLuhnValid(cardNumber: string): boolean {\n\tconst digits = cardNumber.replace(/\\D/g, \"\");\n\tif (digits.length < 13 || digits.length > 19) return false;\n\n\tlet sum = 0;\n\tlet isEven = false;\n\n\tfor (let i = digits.length - 1; i >= 0; i--) {\n\t\tlet digit = parseInt(digits.charAt(i), 10);\n\n\t\tif (isEven) {\n\t\t\tdigit *= 2;\n\t\t\tif (digit > 9) {\n\t\t\t\tdigit -= 9;\n\t\t\t}\n\t\t}\n\n\t\tsum += digit;\n\t\tisEven = !isEven;\n\t}\n\n\treturn sum % 10 === 
0;\n}\n\n/**\n * Validates an International Bank Account Number (IBAN) using ISO 7064 Modulo 97.\n * Uses BigInt algebra to avoid JS floating point truncation with 30-digit numbers.\n */\nfunction isIbanValid(iban: string): boolean {\n\tconst sanitized = iban.replace(/\\s+/g, \"\").toUpperCase();\n\n\tif (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(sanitized)) return false;\n\n\tconst rearranged = sanitized.substring(4) + sanitized.substring(0, 4);\n\n\tlet numericString = \"\";\n\tfor (let i = 0; i < rearranged.length; i++) {\n\t\tconst charCode = rearranged.charCodeAt(i);\n\t\tif (charCode >= 65 && charCode <= 90) {\n\t\t\tnumericString += (charCode - 55).toString();\n\t\t} else if (charCode >= 48 && charCode <= 57) {\n\t\t\tnumericString += rearranged.charAt(i);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\ttry {\n\t\treturn BigInt(numericString) % 97n === 1n;\n\t} catch (_e) {\n\t\treturn false;\n\t}\n}\n\nexport type PiiRuleDefinition = {\n\tname: string;\n\tpattern: string | RegExp;\n\tvalidator?: (match: string) => boolean;\n};\n\nexport type PiiRule = string | RegExp | PiiRuleDefinition;\n\nexport const PII_PATTERNS = {\n\tEMAIL: {\n\t\tname: \"EMAIL\",\n\t\tpattern: /\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b/gi,\n\t\tvalidator: (match: string) =>\n\t\t\t!match.endsWith(\"@example.com\") && !match.endsWith(\"@test.com\"),\n\t} as PiiRuleDefinition,\n\tCREDIT_CARD: {\n\t\tname: \"CREDIT_CARD\",\n\t\tpattern: /\\b(?:\\d[ -]*?){13,16}\\b/g,\n\t\tvalidator: isLuhnValid,\n\t} as PiiRuleDefinition,\n\tIP_ADDRESS: {\n\t\tname: \"IP_ADDRESS\",\n\t\tpattern: /\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst safeIps = [\"127.0.0.1\", \"0.0.0.0\", \"255.255.255.255\"];\n\t\t\tif (safeIps.includes(match)) return false;\n\t\t\t// Validate valid IPv4 ranges\n\t\t\tconst parts = match.split(\".\").map(Number);\n\t\t\treturn parts.every((p) => p >= 0 && p <= 255);\n\t\t},\n\t} as 
PiiRuleDefinition,\n\tPHONE: {\n\t\tname: \"PHONE\",\n\t\t// Strict boundary to avoid matching long numeric IDs wrapped in symbols\n\t\tpattern: /(?:(?:\\+?\\d{1,3}[-. ]?)?\\(?\\d{3}\\)?[-. ]?\\d{3}[-. ]?\\d{4})\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length < 7 || digits.length > 15) return false;\n\t\t\t// Reject fake test numbers like 0000000000 or 1234567890\n\t\t\tif (/^(\\d)\\1+$/.test(digits)) return false;\n\t\t\tif (digits === \"1234567890\") return false;\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tSSN: {\n\t\tname: \"SSN\",\n\t\tpattern: /\\b\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length !== 9) return false;\n\n\t\t\tconst area = parseInt(digits.substring(0, 3), 10);\n\t\t\tif (area === 0 || area === 666 || area >= 900) return false;\n\n\t\t\tconst group = parseInt(digits.substring(3, 5), 10);\n\t\t\tif (group === 0) return false;\n\n\t\t\tconst serial = parseInt(digits.substring(5, 9), 10);\n\t\t\tif (serial === 0) return false;\n\n\t\t\tif (/^(\\d)\\1+$/.test(digits) || digits === \"123456789\") return false;\n\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tIBAN: {\n\t\tname: \"IBAN\",\n\t\tpattern: /\\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\\b/gi,\n\t\tvalidator: isIbanValid,\n\t} as PiiRuleDefinition,\n\tPASSPORT_MRZ: {\n\t\tname: \"PASSPORT_MRZ\",\n\t\t// Machina Readable Zone line match for standard international passports\n\t\tpattern: /\\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\\b|\\s|$)/g,\n\t} as PiiRuleDefinition,\n};\n\n/**\n * Regional and Cultural Security Presets for Out-Of-The-Box compliance.\n * Developers can override, merge, or omit these based on local laws.\n */\nexport const PII_PRESETS = {\n\tGLOBAL_STRICT: 
[\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t\tPII_PATTERNS.IBAN,\n\t],\n\tUS_COMPLIANT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.SSN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n\tEU_GDPR: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.IBAN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n};\n\nexport class PiiScanner {\n\tprivate patterns: PiiRule[];\n\tprivate forbiddenKeysSet: Set<string>;\n\tprivate nerScanner: import(\"./ner-scanner.js\").NerScanner | null;\n\n\t/**\n\t * Safelist of keys that contain forbidden substrings but are NOT PII.\n\t * Prevents false positives from fuzzy matching (e.g., \"grid\" contains \"id\").\n\t */\n\tprivate static readonly KEY_SAFELIST = new Set([\n\t\t// Common words containing \"id\" substring\n\t\t\"grid\",\n\t\t\"video\",\n\t\t\"android\",\n\t\t\"identity\",\n\t\t\"provide\",\n\t\t\"override\",\n\t\t\"validate\",\n\t\t\"hidden\",\n\t\t\"widget\",\n\t\t\"guidelines\",\n\t\t\"beside\",\n\t\t\"guideline\",\n\t\t\"outside\",\n\t\t\"inside\",\n\t\t\"collide\",\n\t\t\"decide\",\n\t\t\"divide\",\n\t\t\"aside\",\n\t\t\"ride\",\n\t\t\"side\",\n\t\t\"wide\",\n\t\t\"hide\",\n\t\t\"tide\",\n\t\t\"pride\",\n\t\t\"bride\",\n\t\t\"slide\",\n\t\t\"guide\",\n\t\t\"stride\",\n\t\t\"oxide\",\n\t\t\"dioxide\",\n\t\t\"suicide\",\n\t\t\"homicide\",\n\t\t\"pesticide\",\n\t\t\"valid\",\n\t\t\"invalid\",\n\t\t\"void\",\n\t\t\"avoid\",\n\t\t// Common words containing \"name\" substring\n\t\t\"diagnosis\",\n\t\t\"medication\",\n\t\t\"namespace\",\n\t\t\"namesake\",\n\t\t\"rename\",\n\t\t\"filename\",\n\t\t\"hostname\",\n\t\t\"typename\",\n\t\t\"unnamed\",\n\t\t\"renamed\",\n\t\t// Common words containing \"phone\" 
substring\n\t\t\"phonetic\",\n\t\t\"phoneme\",\n\t\t\"microphone\",\n\t\t\"headphone\",\n\t\t\"telephone\",\n\t\t\"saxophone\",\n\t\t\"smartphone\",\n\t\t// Common words containing \"address\" substring\n\t\t\"streetview\",\n\t\t\"addressable\",\n\t\t\"addressing\",\n\t\t// Common words containing \"city\" substring\n\t\t\"cityscape\",\n\t\t\"electricity\",\n\t\t\"capacity\",\n\t\t\"velocity\",\n\t\t\"opacity\",\n\t\t// Common technical terms\n\t\t\"timestamp\",\n\t\t\"timezone\",\n\t\t// LIOP Protocol Internal Keys (must never be blocked)\n\t\t\"image_id\",\n\t\t\"computation_result\",\n\t\t\"zk_receipt\",\n\t\t\"testid\",\n\t\t\"toolid\",\n\t\t\"sessionid\",\n\t\t\"peerid\",\n\t\t\"nodeid\",\n\t\t\"requestid\",\n\t\t\"correlationid\",\n\t\t\"traceid\",\n\t\t\"spanid\",\n\t]);\n\n\t/**\n\t * Short forbidden tokens (< 4 chars) that require boundary-aware matching.\n\t * Uses regex boundary detection to avoid false positives.\n\t */\n\tprivate shortTokenBoundaryPatterns: Map<string, RegExp>;\n\n\t/**\n\t * Long forbidden tokens (>= 4 chars) that use substring containment.\n\t */\n\tprivate longForbiddenTokens: string[];\n\n\tconstructor(\n\t\tpatterns: PiiRule[] = [],\n\t\tforbiddenKeys: string[] = [],\n\t\tnerScanner?: import(\"./ner-scanner.js\").NerScanner | null,\n\t) {\n\t\tthis.patterns = patterns;\n\t\tthis.forbiddenKeysSet = new Set(forbiddenKeys.map((k) => k.toLowerCase()));\n\t\tthis.nerScanner = nerScanner ?? 
null;\n\n\t\t// Pre-compute fuzzy matching structures for performance\n\t\tthis.shortTokenBoundaryPatterns = new Map();\n\t\tthis.longForbiddenTokens = [];\n\n\t\tfor (const token of this.forbiddenKeysSet) {\n\t\t\tif (token.length < 4) {\n\t\t\t\t// Short tokens: require word boundary (camelCase, snake_case, kebab-case, or exact)\n\t\t\t\t// \"id\" matches: \"patientId\", \"record_id\", \"user-id\", \"id\"\n\t\t\t\t// \"id\" does NOT match: \"grid\", \"video\", \"android\"\n\t\t\t\tthis.shortTokenBoundaryPatterns.set(\n\t\t\t\t\ttoken,\n\t\t\t\t\tnew RegExp(\n\t\t\t\t\t\t(() => {\n\t\t\t\t\t\t\t// Build a case-insensitive character class pattern for each letter\n\t\t\t\t\t\t\t// e.g. \"id\" -> \"[iI][dD]\" — used for snake/kebab/exact matches only\n\t\t\t\t\t\t\tconst ciPattern = token\n\t\t\t\t\t\t\t\t.split(\"\")\n\t\t\t\t\t\t\t\t.map((c) => `[${c.toLowerCase()}${c.toUpperCase()}]`)\n\t\t\t\t\t\t\t\t.join(\"\");\n\t\t\t\t\t\t\t// camelCase: strictly requires uppercase first letter preceded by lowercase\n\t\t\t\t\t\t\t// e.g. \"patientId\" matches, \"valid_ages\" does NOT\n\t\t\t\t\t\t\tconst camelPattern = `[a-z]${token.charAt(0).toUpperCase()}${token.slice(1)}`;\n\t\t\t\t\t\t\treturn (\n\t\t\t\t\t\t\t\t`(?:^|[_-])${ciPattern}(?:$|[_-])|` + // snake/kebab boundary\n\t\t\t\t\t\t\t\t`${camelPattern}(?:$|[A-Z_-])|` + // camelCase boundary (strict uppercase start)\n\t\t\t\t\t\t\t\t`^${ciPattern}$` // exact match\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t})(),\n\t\t\t\t\t),\n\t\t\t\t);\n\t\t\t} else {\n\t\t\t\tthis.longForbiddenTokens.push(token);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Scans any input (string, object, array) for PII violations.\n\t * Returns the pattern/rule name that triggered the violation, or null if safe.\n\t *\n\t * Detection pipeline (fail-fast):\n\t * 1. Exact key match (O(1) Set lookup)\n\t * 2. Fuzzy key match (boundary detection for short tokens, substring for long)\n\t * 3. Regex/algorithmic pattern match on string values\n\t * 4. 
NER content scan on string values (if enabled)\n\t */\n\tpublic async scan(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<string | null> {\n\t\tif (input === null || input === undefined) return null;\n\n\t\t// 1. String Scan (Direct Regex/String/Definition check)\n\t\tif (typeof input === \"string\") {\n\t\t\t// SECURITY PATCH: JSON Deep-Parsing Recursion (Fortification V2)\n\t\t\t// Defeats Double JSON Encoding bypasses by forcefully parsing stringified JSON back into objects.\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\tconst parsed = JSON.parse(trimmed);\n\t\t\t\t\t// Successfully parsed JSON string. Recursively scan the unescaped object.\n\t\t\t\t\tconst violation = await this.scan(parsed, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t} catch (_e) {\n\t\t\t\t\t// Silent fallback: It looked like JSON but wasn't valid. Proceed with raw string check.\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check string value against regex patterns\n\t\t\tconst patternViolation = this.checkString(input);\n\t\t\tif (patternViolation) return patternViolation;\n\n\t\t\t// Layer 3: NER Content Scan — detect person names in free-text values\n\t\t\tif (this.nerScanner) {\n\t\t\t\tconst nerResult = await this.nerScanner.scan(input);\n\t\t\t\tif (nerResult.detected) {\n\t\t\t\t\tconst personEntity = nerResult.entities.find(\n\t\t\t\t\t\t(e) => e.type === \"person\",\n\t\t\t\t\t);\n\t\t\t\t\tif (personEntity) {\n\t\t\t\t\t\treturn `PII Entity Detected: person name \"${personEntity.text}\"`;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn null;\n\t\t}\n\n\t\t// 2. 
Recursive Objects/Arrays Scan\n\t\tif (typeof input === \"object\") {\n\t\t\t// Protection against circular references\n\t\t\tif (seen.has(input as object)) return null;\n\t\t\tseen.add(input as object);\n\n\t\t\tif (Array.isArray(input)) {\n\t\t\t\tfor (const element of input) {\n\t\t\t\t\tconst violation = await this.scan(element, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfor (const [key, value] of Object.entries(\n\t\t\t\t\tinput as Record<string, unknown>,\n\t\t\t\t)) {\n\t\t\t\t\t// Layer 1: Exact key match — O(1) constant time\n\t\t\t\t\tif (this.forbiddenKeysSet.has(key.toLowerCase())) {\n\t\t\t\t\t\treturn `Forbidden Key: ${key}`;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Layer 2: Fuzzy key match — catches aliases and variations\n\t\t\t\t\tconst fuzzyViolation = this.checkKeyFuzzy(key);\n\t\t\t\t\tif (fuzzyViolation) return fuzzyViolation;\n\n\t\t\t\t\t// Recurse into values\n\t\t\t\t\tconst violation = await this.scan(value, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Checks a key against fuzzy matching rules.\n\t * Short tokens use boundary-aware regex; long tokens use substring containment.\n\t */\n\tprivate checkKeyFuzzy(key: string): string | null {\n\t\tconst normalized = key.toLowerCase();\n\n\t\t// Skip safelisted keys entirely\n\t\tif (PiiScanner.KEY_SAFELIST.has(normalized)) return null;\n\n\t\t// Short token boundary matching (e.g., \"id\" in \"patientId\" but not \"grid\")\n\t\tfor (const [token, pattern] of this.shortTokenBoundaryPatterns) {\n\t\t\tif (pattern.test(key)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} matches boundary pattern \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\t// Long token substring matching (e.g., \"name\" in \"firstName\", \"names\")\n\t\tfor (const token of this.longForbiddenTokens) {\n\t\t\tif (normalized.includes(token)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} contains restricted token 
\"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate checkString(text: string): string | null {\n\t\tfor (const rule of this.patterns) {\n\t\t\tif (typeof rule === \"string\") {\n\t\t\t\tif (text.toLowerCase().includes(rule.toLowerCase())) {\n\t\t\t\t\treturn rule;\n\t\t\t\t}\n\t\t\t} else if (rule instanceof RegExp) {\n\t\t\t\tif (rule.global) rule.lastIndex = 0;\n\t\t\t\tif (rule.test(text)) {\n\t\t\t\t\treturn rule.source;\n\t\t\t\t}\n\t\t\t} else if (typeof rule === \"object\" && rule !== null) {\n\t\t\t\t// PiiRuleDefinition (Military Grade Multi-layer)\n\t\t\t\tconst def = rule as PiiRuleDefinition;\n\n\t\t\t\tif (typeof def.pattern === \"string\") {\n\t\t\t\t\tif (text.toLowerCase().includes(def.pattern.toLowerCase())) {\n\t\t\t\t\t\tif (!def.validator || def.validator(def.pattern)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else if (def.pattern instanceof RegExp) {\n\t\t\t\t\tif (def.pattern.global) def.pattern.lastIndex = 0;\n\n\t\t\t\t\t// Use matchAll or exec to get the specific match for the validator\n\t\t\t\t\tlet match = def.pattern.exec(text);\n\t\t\t\t\twhile (match !== null) {\n\t\t\t\t\t\tconst matchedText = match[0];\n\t\t\t\t\t\tif (!def.validator || def.validator(matchedText)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!def.pattern.global) break; // Break if not global\n\t\t\t\t\t\tmatch = def.pattern.exec(text);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn null;\n\t}\n}\n","import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport * as fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport path from \"node:path\";\nimport { fileURLToPath, pathToFileURL } from \"node:url\";\nimport * as grpc from \"@grpc/grpc-js\";\nimport { createMlKem768 } from \"mlkem\";\nimport { FixedQueue, Piscina } from \"piscina\";\nimport { z } from \"zod\";\nimport { zodToJsonSchema } from \"zod-to-json-schema\";\nimport { type LiopManifest, 
MeshNode } from \"../mesh/node.js\";\nimport { LiopRpcServer } from \"../rpc/server.js\";\nimport type { LogicRequest, LogicResponse } from \"../rpc/types.js\";\nimport { AUTH_DEFAULTS } from \"../security/auth-config.js\";\nimport { JwtValidator } from \"../security/jwt-validator.js\";\nimport { createOAuthServer } from \"../security/oauth-server.js\";\nimport { authorizeRequest } from \"../security/rbac.js\";\nimport { TaintAnalyzer } from \"../security/taint-analyzer.js\";\nimport type {\n\tCallToolRequest,\n\tCallToolResult,\n\tGetPromptRequest,\n\tGetPromptResult,\n\tPrompt,\n\tResource,\n\tServerInfo,\n\tTool,\n} from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\nimport { NerScanner } from \"./ner-scanner.js\";\nimport {\n\ttype OutputSanitizerConfig,\n\tsanitizeOutput,\n} from \"./output-sanitizer.js\";\nimport { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner } from \"./pii.js\";\n\nexport {\n\tNerScanner,\n\ttype OutputSanitizerConfig,\n\tPII_PATTERNS,\n\tPII_PRESETS,\n\ttype PiiRule,\n\tPiiScanner,\n\tsanitizeOutput,\n};\n\nexport type ToolHandler<T extends z.ZodRawShape = z.ZodRawShape> = (\n\targs: z.infer<z.ZodObject<T>>,\n\textra: { signal?: AbortSignal },\n) => Promise<CallToolResult>;\n\nconst __dirname = path.dirname(fileURLToPath(import.meta.url));\n\nexport interface LiopServerOptions {\n\tcapabilities?: Record<string, unknown>;\n\tworkerPool?: {\n\t\tenabled?: boolean;\n\t\tminThreads?: number;\n\t\tmaxThreads?: number;\n\t\tidleTimeout?: number;\n\t\t/** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */\n\t\tmaxHeapMb?: number;\n\t\t/** Maximum number of tasks allowed in the queue. Default is \"auto\". */\n\t\tmaxQueue?: number | \"auto\";\n\t};\n\tsecurity?: {\n\t\tpiiPatterns?: PiiRule[];\n\t\tforbiddenKeys?: string[];\n\t\tsensitiveKeys?: string[];\n\t\t/** Enable NLP-based Named Entity Recognition scanning on output values. 
*/\n\t\tenableNerScanning?: boolean;\n\t\t/** Rate limiting configuration for tool calls (OWASP A01). */\n\t\trateLimit?: {\n\t\t\t/** Maximum calls per window per tool (default: 15). */\n\t\t\tmaxPerWindow?: number;\n\t\t\t/** Maximum calls per window across ALL tools combined (default: 40). */\n\t\t\tglobalMaxPerWindow?: number;\n\t\t\t/** Sliding window duration in milliseconds (default: 60000 = 1 min). */\n\t\t\twindowMs?: number;\n\t\t};\n\t};\n\ttaxonomy?: {\n\t\tdomain?: string;\n\t\tclearanceTier?: number;\n\t\texecutionTypes?: string[];\n\t};\n\t/**\n\t * OAuth 2.1 Hybrid Auth configuration.\n\t *\n\t * Minimal usage:\n\t * - Nexus (Authorization Server): `{ role: \"nexus\" }`\n\t * - Data Node (Resource Server): `{ role: \"node\" }`\n\t * - Disabled (dev/stdio): omit or `{ role: \"none\" }`\n\t *\n\t * All other values (issuer, JWKS, audience) auto-resolve from\n\t * env vars, DHT discovery, or secure defaults.\n\t */\n\tauth?: import(\"../security/auth-config.js\").LiopAuthConfig;\n\t/**\n\t * Canonical slug for deterministic token resolution.\n\t * Agents/clients resolve `LIOP_TOKEN_<tokenSlug>` from environment.\n\t * Must match SCREAMING_SNAKE_CASE: /^[A-Z][A-Z0-9_]*$/ (e.g., \"BANK\", \"VAULT\", \"HFT_ORACLE\").\n\t */\n\ttokenSlug?: string;\n\t/**\n\t * Path to a shared JSON file for persistent Query Budget tracking across multiple server instances.\n\t */\n\tbudgetStorePath?: string;\n}\n\nexport interface AggregationPolicy {\n\t/** Maximum number of object-type array elements allowed (default: 10) */\n\tmaxOutputRows?: number;\n\t/** Allow arrays containing only primitive values (default: true) */\n\tallowPrimitiveArrays?: boolean;\n\t/** Block min/max extraction when dataset size < this value (default: 50) */\n\tminMaxBlockThreshold?: number;\n}\n\nexport interface LogicExecutionPolicy {\n\t/**\n\t * Validate the business payload returned by sandbox logic (post-execution).\n\t * This runs before final egress checks and blocks non-conforming 
outputs.\n\t */\n\toutputSchema?: z.ZodType<unknown>;\n\t/**\n\t * Enforce aggregation-first heuristics (preflight + post-check).\n\t */\n\tenforceAggregationFirst?: boolean | AggregationPolicy;\n\t/**\n\t * Optional additional deny patterns checked against extracted logic source.\n\t */\n\tpreflightDenyPatterns?: RegExp[];\n\t/**\n\t * Differential Privacy epsilon per query (default: 1.0).\n\t * Lower = stronger privacy + more noise. Standard: Apple iOS uses 1.0.\n\t */\n\tdpEpsilon?: number;\n\t/**\n\t * DP sensitivity: max change when one record added/removed (default: 1.0).\n\t * For SUM queries on a field with range [0, X], set sensitivity = X.\n\t */\n\tdpSensitivity?: number;\n\t/**\n\t * Dataset size threshold below which Differential Privacy is active (default: 50).\n\t */\n\tdpSmallDatasetThreshold?: number;\n\t/**\n\t * Max queries per numeric field per PQC session (default: 5).\n\t * Prevents multi-query differencing attacks.\n\t */\n\tqueryBudgetPerField?: number;\n\t/**\n\t * Domain-specific sensitive keys that fall under the \"sensitive\" query budget tier.\n\t */\n\tsensitiveKeys?: string[];\n\t/**\n\t * Path to a shared JSON file for persistent Query Budget tracking across multiple server instances.\n\t */\n\tbudgetStorePath?: string;\n}\n\nexport class LiopServer {\n\tprivate logicCache: Map<string, { hash: string; timestamp: number }> =\n\t\tnew Map();\n\tprivate connectionStats: Map<\n\t\tstring,\n\t\t{ failures: number; lastAttempt: number }\n\t> = new Map();\n\tprivate readonly CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours\n\tprivate readonly THROTTLE_THRESHOLD = 5;\n\tprivate readonly THROTTLE_COOLDOWN_MS = 60 * 1000; // 60 seconds\n\n\t// [OWASP-A01] Sliding window rate limiter — prevents micro-query exfiltration\n\tprivate toolCallWindows: Map<string, number[]> = new Map();\n\tprivate readonly toolCallMaxPerWindow: number;\n\tprivate readonly toolCallWindowMs: number;\n\n\t// [OWASP-A01] Global cross-tool rate limiter — prevents 
distributed micro-query attacks\n\tprivate globalCallWindow: number[] = [];\n\tprivate readonly globalCallMaxPerWindow: number;\n\n\t// [DP] Query Budget — tracks per-field query counts to prevent multi-query differencing\n\t// Structure: clientId -> toolName -> field -> count\n\tprivate fieldQueryBudget: Map<string, Map<string, Map<string, number>>> =\n\t\tnew Map();\n\n\t// [SEC] AST-level taint tracker for PII side-channel prevention\n\tprivate readonly taintAnalyzer: TaintAnalyzer;\n\n\tprivate tools: Map<\n\t\tstring,\n\t\t{\n\t\t\ttool: Tool;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\thandler: ToolHandler<any>;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\tschema: z.ZodObject<any>;\n\t\t\tpolicy?: LogicExecutionPolicy;\n\t\t}\n\t> = new Map();\n\tprivate resources: Map<\n\t\tstring,\n\t\tResource & { content?: string | (() => Promise<string>) }\n\t> = new Map();\n\tprivate prompts: Map<\n\t\tstring,\n\t\t{\n\t\t\tprompt: Prompt;\n\t\t\thandler: (\n\t\t\t\trequest: GetPromptRequest,\n\t\t\t) => GetPromptResult | Promise<GetPromptResult>;\n\t\t}\n\t> = new Map();\n\tprivate activeSchema: Record<string, unknown> | null = null;\n\tprivate sandboxRecords: Record<string, unknown>[] = [];\n\n\tprivate piiScanner: PiiScanner;\n\tprivate workerPool: Piscina;\n\tprivate meshNode: MeshNode | null = null;\n\tprivate rpcServer: LiopRpcServer | null = null;\n\tprivate boundPort: number | null = null;\n\tpublic jwtValidator?: JwtValidator;\n\t// biome-ignore lint/suspicious/noExplicitAny: Loaded dynamically in Phase C\n\tpublic oauthProvider?: any;\n\tprivate sessions: Map<\n\t\tstring,\n\t\t{\n\t\t\tcapability_hash: string;\n\t\t\tkyber_sk: Uint8Array;\n\t\t\tagent_did?: string;\n\t\t\ttokenHash?: string;\n\t\t}\n\t> = new Map();\n\tprivate revokedTokenHashes: Set<string> = new Set();\n\tprivate lastRevocationLoadTime = 0;\n\n\t// Compact envelope: @LIOP{target,name}\\n<code>\\n@END\n\tprivate static 
readonly LIOP_COMPACT_REGEX =\n\t\t/@LIOP\\{(?<target>[^,}]+)(?:,(?<name>[^}]*))?\\}\\n(?<logic>[\\s\\S]*?)\\n@END/m;\n\n\tprivate extractLogic(payload: string): string | null {\n\t\tconst compact = payload.match(LiopServer.LIOP_COMPACT_REGEX);\n\t\treturn compact?.groups?.logic ? compact.groups.logic.trim() : null;\n\t}\n\n\tprivate parseUnknownJson(input: unknown): unknown {\n\t\tif (typeof input !== \"string\") return input;\n\t\tconst trimmed = input.trim();\n\t\tif (\n\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t) {\n\t\t\ttry {\n\t\t\t\treturn JSON.parse(trimmed);\n\t\t\t} catch {\n\t\t\t\treturn input;\n\t\t\t}\n\t\t}\n\t\treturn input;\n\t}\n\n\tprivate runPreflightPolicy(\n\t\t_toolName: string,\n\t\tlogic: string,\n\t\tpolicy?: LogicExecutionPolicy,\n\t\tclientId = \"local-client\",\n\t): string | null {\n\t\t// Phase 1: Regex-based row-level export detection (fast path)\n\t\tif (policy) {\n\t\t\tconst compact = logic.replace(/\\s+/g, \" \");\n\n\t\t\tif (policy.enforceAggregationFirst) {\n\t\t\t\tconst rowExtractionPatterns = [\n\t\t\t\t\t// Block raw record dumps but allow safe aggregation chains\n\t\t\t\t\t// (.reduce, .length, .filter().length, .every, .some)\n\t\t\t\t\t/return\\s+env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter|every|some|find)\\b)/i,\n\t\t\t\t\t/return\\s*\\{[\\s\\S]*\\b(accounts|patients|rows|records)\\s*:\\s*env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter)\\b)/i,\n\t\t\t\t];\n\t\t\t\tif (rowExtractionPatterns.some((p) => p.test(compact))) {\n\t\t\t\t\treturn \"Preflight policy rejected: potential row-level export pattern detected.\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (policy.preflightDenyPatterns?.some((p) => p.test(compact))) {\n\t\t\t\treturn \"Preflight policy rejected: custom deny pattern matched.\";\n\t\t\t}\n\t\t}\n\n\t\t// Phase 2: AST-level taint tracking (detects PII side-channel derivation)\n\t\t// Pass recordCount and 
minMaxBlockThreshold to enable Correlation Guard (Pass 4) and Min/Max Gate (Pass 5)\n\t\tlet minMaxThreshold = 50;\n\t\tif (typeof policy?.enforceAggregationFirst === \"object\") {\n\t\t\tminMaxThreshold =\n\t\t\t\tpolicy.enforceAggregationFirst.minMaxBlockThreshold ?? 50;\n\t\t}\n\t\tconst taintViolation = this.taintAnalyzer.analyze(\n\t\t\tlogic,\n\t\t\tthis.sandboxRecords.length,\n\t\t\tminMaxThreshold,\n\t\t);\n\t\tif (taintViolation) {\n\t\t\treturn `Preflight policy rejected: ${taintViolation.reason}`;\n\t\t}\n\n\t\t// Phase 3: Query Budget Enforcement (prevents multi-query differencing)\n\t\tconst extractedFields = this.taintAnalyzer.extractQueriedFields(logic);\n\n\t\tif (extractedFields.length > 0) {\n\t\t\tconst storePath = policy?.budgetStorePath || this.config?.budgetStorePath;\n\t\t\tif (storePath) {\n\t\t\t\ttry {\n\t\t\t\t\tconst budgetError = this.executeWithBudgetLock(\n\t\t\t\t\t\tstorePath,\n\t\t\t\t\t\t(budget) => {\n\t\t\t\t\t\t\tconst clientBudget = budget[clientId] || {};\n\t\t\t\t\t\t\tconst toolBudget = clientBudget[_toolName] || {};\n\n\t\t\t\t\t\t\tfor (const field of extractedFields) {\n\t\t\t\t\t\t\t\tconst sensitivity = this.taintAnalyzer.classifyField(\n\t\t\t\t\t\t\t\t\tfield,\n\t\t\t\t\t\t\t\t\tpolicy?.sensitiveKeys,\n\t\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\t\t\tlet queryLimit = 25; // default public\n\t\t\t\t\t\t\t\tlet sensLabel = \"public\";\n\n\t\t\t\t\t\t\t\tif (policy?.queryBudgetPerField !== undefined) {\n\t\t\t\t\t\t\t\t\tqueryLimit = policy.queryBudgetPerField;\n\t\t\t\t\t\t\t\t\tsensLabel = \"override\";\n\t\t\t\t\t\t\t\t} else if (sensitivity === \"forbidden\") {\n\t\t\t\t\t\t\t\t\tqueryLimit = 3;\n\t\t\t\t\t\t\t\t\tsensLabel = \"forbidden\";\n\t\t\t\t\t\t\t\t} else if (sensitivity === \"sensitive\") {\n\t\t\t\t\t\t\t\t\tqueryLimit = 8;\n\t\t\t\t\t\t\t\t\tsensLabel = \"sensitive\";\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tconst count = toolBudget[field] ?? 
0;\n\t\t\t\t\t\t\t\tif (count >= queryLimit) {\n\t\t\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\t\t\tresult: `Preflight policy rejected: Query budget exceeded for field '${field}' (max ${queryLimit} per session for ${sensLabel} fields). Rotate PQC session to reset budget.`,\n\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t// All within budget, increment them\n\t\t\t\t\t\t\tconst updatedToolBudget = { ...toolBudget };\n\t\t\t\t\t\t\tfor (const field of extractedFields) {\n\t\t\t\t\t\t\t\tupdatedToolBudget[field] = (updatedToolBudget[field] ?? 0) + 1;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tconst updatedClientBudget = { ...clientBudget };\n\t\t\t\t\t\t\tupdatedClientBudget[_toolName] = updatedToolBudget;\n\n\t\t\t\t\t\t\tconst updatedBudget = { ...budget };\n\t\t\t\t\t\t\tupdatedBudget[clientId] = updatedClientBudget;\n\n\t\t\t\t\t\t\treturn { result: null, updatedBudget };\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\n\t\t\t\t\tif (budgetError) {\n\t\t\t\t\t\treturn budgetError;\n\t\t\t\t\t}\n\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\tconst errorMsg = e instanceof Error ? e.message : String(e);\n\t\t\t\t\t// Fallback to in-memory on filesystem locking errors\n\t\t\t\t\tlog.error(\n\t\t\t\t\t\t`[LIOP-Server] Error applying persistent query budget: ${errorMsg}. 
Falling back to in-memory.`,\n\t\t\t\t\t);\n\t\t\t\t\tconst inMemoryError = this.applyInMemoryBudget(\n\t\t\t\t\t\tclientId,\n\t\t\t\t\t\t_toolName,\n\t\t\t\t\t\textractedFields,\n\t\t\t\t\t\tpolicy,\n\t\t\t\t\t);\n\t\t\t\t\tif (inMemoryError) return inMemoryError;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tconst inMemoryError = this.applyInMemoryBudget(\n\t\t\t\t\tclientId,\n\t\t\t\t\t_toolName,\n\t\t\t\t\textractedFields,\n\t\t\t\t\tpolicy,\n\t\t\t\t);\n\t\t\t\tif (inMemoryError) return inMemoryError;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate validateOutputPolicy(\n\t\ttoolName: string,\n\t\toutput: unknown,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\tif (!policy) return null;\n\t\tconst parsed = this.parseUnknownJson(output);\n\n\t\t// If it's a system execution error result, skip schema validation\n\t\tif (\n\t\t\tparsed &&\n\t\t\ttypeof parsed === \"object\" &&\n\t\t\t(parsed as Record<string, unknown>).isError === true\n\t\t) {\n\t\t\treturn null;\n\t\t}\n\n\t\tif (policy.outputSchema) {\n\t\t\t// SEC-HARDENING: Force strict mode on ZodObject schemas to prevent\n\t\t\t// key aliasing bypasses via .passthrough(). 
However, respect schemas\n\t\t\t// that explicitly use .catchall() — calling .strict() would override\n\t\t\t// the catchall with ZodNever, destroying the developer's intent.\n\t\t\tconst effectiveSchema = (() => {\n\t\t\t\tif (!(policy.outputSchema instanceof z.ZodObject)) {\n\t\t\t\t\treturn policy.outputSchema;\n\t\t\t\t}\n\t\t\t\tconst obj = policy.outputSchema as z.ZodObject<z.ZodRawShape>;\n\t\t\t\t// If schema has an explicit catchall (not ZodNever), respect it\n\t\t\t\tif (!(obj._def.catchall instanceof z.ZodNever)) {\n\t\t\t\t\treturn obj;\n\t\t\t\t}\n\t\t\t\t// Otherwise force strict to block unrecognized keys by default\n\t\t\t\treturn obj.strict();\n\t\t\t})();\n\n\t\t\tconst schemaResult = effectiveSchema.safeParse(parsed);\n\t\t\tif (!schemaResult.success) {\n\t\t\t\t// SEC-CRITICAL: Never expose rejected data in error messages.\n\t\t\t\t// Only report the structural violation (unrecognized keys, type mismatches).\n\t\t\t\treturn `[LIOP] Output schema violation for ${toolName}: ${schemaResult.error.issues\n\t\t\t\t\t.map((i) => `${i.path.join(\".\") || \"<root>\"} ${i.message}`)\n\t\t\t\t\t.join(\n\t\t\t\t\t\t\"; \",\n\t\t\t\t\t)}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`;\n\t\t\t}\n\t\t}\n\n\t\tif (\n\t\t\tpolicy.enforceAggregationFirst &&\n\t\t\tthis.violatesAggregationFirstPolicy(\n\t\t\t\tthis.unwrapForAggregationPolicyScan(parsed),\n\t\t\t\tpolicy.enforceAggregationFirst,\n\t\t\t\tthis.sandboxRecords.length,\n\t\t\t)\n\t\t) {\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\treturn isDev\n\t\t\t\t? \"Aggregation-First Policy Violation: row-level export or K-Anonymity violation blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects. 
Ensure dataset size > 10 for detailed results.\"\n\t\t\t\t: \"Aggregation-First Policy Violation: Output blocked due to privacy constraints.\";\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Proxied tools stringify a full MCP CallToolResult (`{ content: [...] }`).\n\t * Aggregation-first heuristics must scan the inner business JSON, not the MCP envelope\n\t * (otherwise `content` looks like a tabular array of objects and everything blocks).\n\t */\n\tprivate unwrapForAggregationPolicyScan(input: unknown): unknown {\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.unwrapForAggregationPolicyScan(JSON.parse(trimmed));\n\t\t\t\t} catch {\n\t\t\t\t\treturn input;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn input;\n\t\t}\n\n\t\tif (!input || typeof input !== \"object\") {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst rec = input as Record<string, unknown>;\n\n\t\t// Extract inner business computation result if encapsulated inside a LIOP envelope\n\t\tif (rec.computation_result !== undefined) {\n\t\t\treturn this.unwrapForAggregationPolicyScan(rec.computation_result);\n\t\t}\n\n\t\tif (!Array.isArray(rec.content) || rec.content.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst texts: string[] = [];\n\t\tfor (const part of rec.content) {\n\t\t\tif (part && typeof part === \"object\" && \"text\" in part) {\n\t\t\t\tconst t = (part as { text?: unknown }).text;\n\t\t\t\tif (typeof t === \"string\") {\n\t\t\t\t\ttexts.push(t);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (texts.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst joined = texts.length === 1 ? 
texts[0] : texts.join(\"\\n\");\n\t\treturn this.unwrapForAggregationPolicyScan(joined);\n\t}\n\n\tprivate violatesAggregationFirstPolicy(\n\t\tinput: unknown,\n\t\tpolicyObj?: boolean | AggregationPolicy,\n\t\trecordsCount?: number,\n\t): boolean {\n\t\tif (!policyObj) {\n\t\t\treturn false;\n\t\t}\n\n\t\tconst maxRows =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.maxOutputRows === \"number\"\n\t\t\t\t? policyObj.maxOutputRows\n\t\t\t\t: 10;\n\t\tconst allowPrimitives =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.allowPrimitiveArrays === \"boolean\"\n\t\t\t\t? policyObj.allowPrimitiveArrays\n\t\t\t\t: true;\n\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tJSON.parse(trimmed),\n\t\t\t\t\t\tpolicyObj,\n\t\t\t\t\t\trecordsCount,\n\t\t\t\t\t);\n\t\t\t\t} catch {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false;\n\t\t}\n\n\t\tif (Array.isArray(input)) {\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item === \"object\" && item !== null)\n\t\t\t) {\n\t\t\t\t// Treat tabular row export as non-aggregated leakage risk if above threshold.\n\t\t\t\tif (input.length > maxRows) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t\treturn input.some((item) =>\n\t\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item !== \"object\" || item === null)\n\t\t\t) {\n\t\t\t\tif (!allowPrimitives) return true;\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn input.some((item) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\tif (input && typeof input === 
\"object\") {\n\t\t\tconst keys = Object.keys(input as Record<string, unknown>);\n\n\t\t\t// K-ANONYMITY: If source dataset is too small (< 10), enforce restriction.\n\t\t\t// Allow basic statistical summaries (max 3 keys: count/avg/stddev, no nesting).\n\t\t\tif (recordsCount !== undefined && recordsCount > 0 && recordsCount < 10) {\n\t\t\t\tif (keys.length > 3) return true;\n\t\t\t\t// Check for nesting/arrays in a small sample\n\t\t\t\tconst values = Object.values(input as Record<string, unknown>);\n\t\t\t\tif (\n\t\t\t\t\tvalues.some(\n\t\t\t\t\t\t(v) => Array.isArray(v) || (typeof v === \"object\" && v !== null),\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Treat flat dictionary with too many keys as non-aggregated leakage risk (Dynamic Key Bypass).\n\t\t\tif (keys.length > maxRows) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\treturn Object.values(input as Record<string, unknown>).some((value) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(value, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\treturn false;\n\t}\n\n\tconstructor(\n\t\tprivate serverInfo: ServerInfo,\n\t\tprivate config?: LiopServerOptions,\n\t) {\n\t\tconst nerScanner = this.config?.security?.enableNerScanning\n\t\t\t? new NerScanner()\n\t\t\t: null;\n\n\t\tthis.piiScanner = new PiiScanner(\n\t\t\tthis.config?.security?.piiPatterns ?? PII_PRESETS.GLOBAL_STRICT,\n\t\t\tthis.config?.security?.forbiddenKeys ?? 
[\n\t\t\t\t\"id\",\n\t\t\t\t\"name\",\n\t\t\t\t\"fullName\",\n\t\t\t\t\"firstName\",\n\t\t\t\t\"lastName\",\n\t\t\t\t\"address\",\n\t\t\t\t\"street\",\n\t\t\t\t\"city\",\n\t\t\t\t\"postalCode\",\n\t\t\t\t\"zipCode\",\n\t\t\t\t\"phone\",\n\t\t\t\t\"email\",\n\t\t\t\t\"ssn\",\n\t\t\t\t\"accountHolder\",\n\t\t\t\t\"accountNumber\",\n\t\t\t\t\"account_number\",\n\t\t\t\t\"password\",\n\t\t\t\t\"token\",\n\t\t\t\t\"secret\",\n\t\t\t\t\"privateKey\",\n\t\t\t],\n\t\t\tnerScanner,\n\t\t);\n\n\t\t// [OWASP-A01] Rate limit: config > env > default (15 calls/min per-tool, 40 global)\n\t\tconst rlConfig = this.config?.security?.rateLimit;\n\t\tthis.toolCallWindowMs =\n\t\t\trlConfig?.windowMs ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS ?? \"60000\", 10);\n\t\tthis.toolCallMaxPerWindow =\n\t\t\trlConfig?.maxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_MAX ?? \"15\", 10);\n\t\tthis.globalCallMaxPerWindow =\n\t\t\trlConfig?.globalMaxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_GLOBAL_MAX ?? \"40\", 10);\n\n\t\t// [SEC] Initialize AST-level taint analyzer with PII field definitions\n\t\tconst forbiddenKeys = this.config?.security?.forbiddenKeys ?? [\n\t\t\t\"id\",\n\t\t\t\"name\",\n\t\t\t\"fullName\",\n\t\t\t\"firstName\",\n\t\t\t\"lastName\",\n\t\t\t\"address\",\n\t\t\t\"street\",\n\t\t\t\"city\",\n\t\t\t\"postalCode\",\n\t\t\t\"zipCode\",\n\t\t\t\"phone\",\n\t\t\t\"email\",\n\t\t\t\"ssn\",\n\t\t\t\"accountHolder\",\n\t\t\t\"accountNumber\",\n\t\t\t\"account_number\",\n\t\t\t\"password\",\n\t\t\t\"token\",\n\t\t\t\"secret\",\n\t\t\t\"privateKey\",\n\t\t];\n\t\tconst sensitiveKeys = this.config?.security?.sensitiveKeys ?? [];\n\t\tthis.taintAnalyzer = new TaintAnalyzer(forbiddenKeys, sensitiveKeys);\n\n\t\t// Initialize Zero-Blocking Worker Pool for Heavy Cryptography & Sandboxing\n\t\tconst isTS = import.meta.url.endsWith(\".ts\");\n\t\tconst workerExt = isTS ? 
\".ts\" : \".js\";\n\n\t\tlet execArgv: string[] = [];\n\t\tif (isTS) {\n\t\t\ttry {\n\t\t\t\tconst req = createRequire(import.meta.url);\n\t\t\t\tconst tsxPkg = req.resolve(\"tsx/package.json\");\n\t\t\t\tconst absoluteTsx = pathToFileURL(\n\t\t\t\t\tpath.join(path.dirname(tsxPkg), \"dist\", \"loader.mjs\"),\n\t\t\t\t).href;\n\t\t\t\texecArgv = [\"--import\", absoluteTsx];\n\t\t\t} catch (_e) {\n\t\t\t\texecArgv = [\"--import\", \"tsx\"];\n\t\t\t}\n\t\t}\n\n\t\tconst isTest = process.env.NODE_ENV === \"test\" || process.env.VITEST;\n\n\t\t// Sync capabilities to serverInfo for MCP Handshakes\n\t\tif (this.config?.capabilities && !this.serverInfo.capabilities) {\n\t\t\tthis.serverInfo.capabilities = this.config.capabilities as Record<\n\t\t\t\tstring,\n\t\t\t\tunknown\n\t\t\t>;\n\t\t}\n\n\t\t// Support both flat dist/ and original src/ structure\n\t\tconst workerPaths = [\n\t\t\tpath.resolve(__dirname, `./workers/logic-execution${workerExt}`), // Flat dist/ (tsup)\n\t\t\tpath.resolve(__dirname, `../workers/logic-execution${workerExt}`), // Original src/\n\t\t];\n\n\t\tconst workerFilename =\n\t\t\tworkerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];\n\n\t\tthis.workerPool = new Piscina({\n\t\t\tfilename: workerFilename,\n\t\t\tminThreads: this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2),\n\t\t\tmaxThreads: this.config?.workerPool?.maxThreads ?? (isTest ? 1 : 8),\n\t\t\tidleTimeout:\n\t\t\t\tthis.config?.workerPool?.idleTimeout ?? (isTest ? 500 : 5000),\n\t\t\tmaxQueue: this.config?.workerPool?.maxQueue ?? \"auto\",\n\t\t\ttaskQueue: new FixedQueue(),\n\t\t\texecArgv,\n\t\t\t// [DoS Defense] Enforce hard memory ceiling per worker thread.\n\t\t\t// Workers exceeding this limit are terminated by Node.js runtime.\n\t\t\tresourceLimits: {\n\t\t\t\tmaxOldGenerationSizeMb:\n\t\t\t\t\tthis.config?.workerPool?.maxHeapMb ??\n\t\t\t\t\tNumber.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB ?? 
\"64\", 10),\n\t\t\t},\n\t\t});\n\n\t\t// Pre-warm the worker thread pool asynchronously during initialization\n\t\tconst minThreads = this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2);\n\t\tif (this.workerPool && minThreads > 0) {\n\t\t\tfor (let i = 0; i < minThreads; i++) {\n\t\t\t\tthis.workerPool.run({ isWarmup: true }).catch((err) => {\n\t\t\t\t\tlog.debug(\n\t\t\t\t\t\t`[LiopServer] Worker pool warm-up ping failed: ${err.message}`,\n\t\t\t\t\t);\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\n\t\t// [SEC] Initialize JWT Validator and OAuth Server if auth is enabled\n\t\tif (this.config?.auth?.role === \"nexus\") {\n\t\t\tconst issuer = this.config.auth.issuer || \"http://localhost:3000\";\n\t\t\tconst audience = this.config.auth.audience || AUTH_DEFAULTS.audience;\n\n\t\t\t// Auto-detect or default clients for the Nexus\n\t\t\tconst clients = this.config.auth.clients || [\n\t\t\t\t{\n\t\t\t\t\tclient_id: process.env.LIOP_OAUTH_CLIENT_ID || \"liop-mesh-agent\",\n\t\t\t\t\tclient_secret:\n\t\t\t\t\t\tprocess.env.LIOP_OAUTH_CLIENT_SECRET || \"dev-secret-change-me\",\n\t\t\t\t\tgrant_types: [\"client_credentials\"],\n\t\t\t\t\tscope:\n\t\t\t\t\t\t\"liop:tools:call liop:tools:list liop:resources:read liop:schema:read liop:mesh:query\",\n\t\t\t\t},\n\t\t\t];\n\n\t\t\tconst { provider, jwks } = createOAuthServer({\n\t\t\t\tissuer,\n\t\t\t\tclients,\n\t\t\t});\n\n\t\t\tthis.oauthProvider = provider;\n\t\t\tthis.jwtValidator = new JwtValidator(issuer, audience, jwks);\n\t\t} else if (this.config?.auth?.role === \"node\") {\n\t\t\tconst nexusUrl =\n\t\t\t\tthis.config.auth.nexusUrl ||\n\t\t\t\tprocess.env.LIOP_NEXUS_URL ||\n\t\t\t\t\"http://localhost:3000\";\n\t\t\tconst audience = this.config.auth.audience || AUTH_DEFAULTS.audience;\n\t\t\tconst baseUrl = nexusUrl.endsWith(\"/oidc\")\n\t\t\t\t? 
nexusUrl\n\t\t\t\t: `${nexusUrl}/oidc`;\n\t\t\tconst jwksUri = new URL(`${baseUrl}/jwks`);\n\t\t\tthis.jwtValidator = new JwtValidator(nexusUrl, audience, jwksUri);\n\t\t}\n\n\t\t// [Token Economy] Auto-register LIOP protocol spec as a single Resource.\n\t\t// This centralizes the envelope documentation that was previously\n\t\t// duplicated in every tool description, reducing token overhead.\n\t\tthis.resource(\n\t\t\t\"LIOP Envelope Specification\",\n\t\t\t\"liop://protocol/envelope-spec\",\n\t\t\t\"Complete Logic-on-Origin envelope format, execution rules, and security constraints\",\n\t\t\t\"text/plain\",\n\t\t\t() => Promise.resolve(this.buildEnvelopeSpec()),\n\t\t);\n\n\t\tif (this.config?.auth?.revocationPath) {\n\t\t\tthis.loadRevocationList();\n\t\t}\n\t}\n\t/**\n\t * Builds the centralized LIOP envelope specification document.\n\t * Served as a single Resource (liop://protocol/envelope-spec) instead\n\t * of being duplicated across every tool description.\n\t */\n\tprivate buildEnvelopeSpec(): string {\n\t\tconst lines = [\n\t\t\t\"LIOP v1 Envelope Specification\",\n\t\t\t\"================================\",\n\t\t\t\"\",\n\t\t\t\"FORMAT:\",\n\t\t\t\"\",\n\t\t\t\"Compact Envelope:\",\n\t\t\t\" @LIOP{wasi_v1,TaskName}\",\n\t\t\t\" <JavaScript code>\",\n\t\t\t\" @END\",\n\t\t\t\"\",\n\t\t\t\"RUNTIME ENVIRONMENT:\",\n\t\t\t\"- env.records: Array of data objects from the origin\",\n\t\t\t\"- Must use 'return' to output results\",\n\t\t\t\"- Zero-Trust WASI Sandbox (Node.js Worker Pool)\",\n\t\t\t\"- Return aggregated objects, NOT raw row-level arrays\",\n\t\t\t\"\",\n\t\t\t\"SANDBOX RUNTIME RESTRICTIONS & WORKAROUNDS:\",\n\t\t\t\"- Date is poisoned: The 'Date' class/constructor is undefined (Date.now(), Date.parse(), etc. 
will throw).\",\n\t\t\t\" Workaround: Use lexicographical string comparison on ISO 8601 date strings (e.g., record.date >= '2024-01-01').\",\n\t\t\t\"- Poisoned globals: eval, Function, setTimeout, setInterval, Buffer, ArrayBuffer, and TypedArrays are undefined.\",\n\t\t\t\"- Frozen prototypes: Any modifications to Object.prototype, Array.prototype, etc., are blocked.\",\n\t\t\t\"\",\n\t\t\t\"SECURITY CONSTRAINTS:\",\n\t\t\t\"- PII Egress Shield blocks raw identifiers in output\",\n\t\t\t\"- Aggregation-First policy: prefer counts, averages, summaries\",\n\t\t\t\"- AST Guardian: static analysis before execution\",\n\t\t\t\"\",\n\t\t\t\"DIFFERENTIAL PRIVACY (DP) MECHANISM (Laplace Mechanism):\",\n\t\t\t\"- Default field noise scale is derived from node global sensitivity.\",\n\t\t\t\"- COUNT / LENGTH Optimization: To obtain EXACT counts without noise (sensitivity=1),\",\n\t\t\t\" the return keys MUST contain 'count', 'length', 'size', 'num', 'positive', 'negative',\",\n\t\t\t\" or start with 'total_' or 'num_' (e.g. 'total_tx', 'credits_count').\",\n\t\t\t\"- AVERAGE Optimization: Keys containing 'avg', 'mean' or 'average' scale noise\",\n\t\t\t\" down automatically by dividing sensitivity by dataset size (sensitivity / n).\",\n\t\t\t\"- SUM / OTHER queries: Receive full Laplace noise based on global node sensitivity\",\n\t\t\t\" (e.g., Sensitivity=100,000 in Bank to protect balances).\",\n\t\t];\n\n\t\tif (this.config?.security?.forbiddenKeys?.length) {\n\t\t\tlines.push(\n\t\t\t\t`- Restricted fields: ${this.config.security.forbiddenKeys.join(\", \")}`,\n\t\t\t);\n\t\t}\n\n\t\tlines.push(\n\t\t\t\"\",\n\t\t\t\"TAINT TRACKING (Phase 108):\",\n\t\t\t\"- AST-level analysis blocks PII-derived scalars (charCodeAt, charAt, etc.)\",\n\t\t\t\"- Operations on restricted fields are tracked through variable assignments\",\n\t\t\t\"- Boolean inference (field.charCodeAt(0) < N ? 
1 : 0) is blocked\",\n\t\t\t\"- Allowed: aggregations on non-PII fields (balance, amount, date)\",\n\t\t\t\"\",\n\t\t\t\"K-ANONYMITY THRESHOLDS:\",\n\t\t\t\"- Small Datasets (< 10 records): Maximum of 3 scalar output fields. Nesting or arrays in output are strictly forbidden.\",\n\t\t\t\"- Large Datasets (>= 10 records): Maximum of 10 output fields.\",\n\t\t\t\"\",\n\t\t\t\"RATE LIMITS (OWASP A01):\",\n\t\t\t\"- Per-tool: 15 calls/min (configurable via LIOP_RATE_LIMIT_MAX)\",\n\t\t\t\"- Global: 40 calls/min across all tools (LIOP_RATE_LIMIT_GLOBAL_MAX)\",\n\t\t\t\"\",\n\t\t\t\"OPTIONAL PARAMETERS:\",\n\t\t\t\"- __liop_bypass_ast_cache: boolean (force AST re-evaluation)\",\n\t\t\t\"\",\n\t\t\t\"AUTHENTICATION (tokenSlug Convention):\",\n\t\t\t\"- Restricted nodes declare authRequired: true in their manifest.\",\n\t\t\t\"- Token resolution: LIOP_TOKEN_<tokenSlug> (deterministic) > LIOP_TOKEN_<PeerID> > LIOP_TOKEN_<ProviderName>\",\n\t\t\t\"- Format: tokenSlug must match SCREAMING_SNAKE_CASE /^[A-Z][A-Z0-9_]*$/ (e.g., BANK, VAULT, HFT_ORACLE).\",\n\t\t);\n\n\t\treturn lines.join(\"\\n\");\n\t}\n\n\t/**\n\t * Extracts a compact, human-readable field summary from a JSON Schema.\n\t *\n\t * Walks the schema structure to find actual data property names and types,\n\t * rather than returning top-level schema metadata keys (type, items, etc.).\n\t *\n\t * Example output for a banking schema:\n\t * \"Array of {id(string), accountHolder(string), balance(number), transactions(array of {date(string), amount(number)})}\"\n\t */\n\tprivate extractSchemaFieldSummary(\n\t\tschema: Record<string, unknown>,\n\t\tdepth = 0,\n\t): string {\n\t\t// Prevent excessive recursion in deeply nested schemas\n\t\tif (depth > 3) return \"{...}\";\n\n\t\tconst schemaType = schema.type as string | undefined;\n\t\tconst properties = schema.properties as\n\t\t\t| Record<string, Record<string, unknown>>\n\t\t\t| undefined;\n\t\tconst items = schema.items as Record<string, unknown> | 
undefined;\n\n\t\t// Object with properties → list field names with their types\n\t\tif (properties) {\n\t\t\tconst fields = Object.entries(properties).map(([key, prop]) => {\n\t\t\t\tconst propType = prop.type as string | undefined;\n\t\t\t\tif (propType === \"array\" && prop.items) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(\n\t\t\t\t\t\tprop.items as Record<string, unknown>,\n\t\t\t\t\t\tdepth + 1,\n\t\t\t\t\t);\n\t\t\t\t\treturn `${key}(array of ${nested})`;\n\t\t\t\t}\n\t\t\t\tif (propType === \"object\" && prop.properties) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(prop, depth + 1);\n\t\t\t\t\treturn `${key}(${nested})`;\n\t\t\t\t}\n\t\t\t\treturn `${key}(${propType || \"unknown\"})`;\n\t\t\t});\n\t\t\treturn `{${fields.join(\", \")}}`;\n\t\t}\n\n\t\t// Array type → describe the items structure\n\t\tif (schemaType === \"array\" && items) {\n\t\t\tconst itemsSummary = this.extractSchemaFieldSummary(items, depth + 1);\n\t\t\treturn `Array of ${itemsSummary}`;\n\t\t}\n\n\t\t// Simple type or unknown structure → fallback to key listing\n\t\tif (schemaType) return schemaType;\n\t\treturn Object.keys(schema).join(\", \");\n\t}\n\n\t/**\n\t * Convenience alias for connectToMesh(), matching official documentation.\n\t */\n\tpublic async connect(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\treturn this.connectToMesh(options);\n\t}\n\n\t/**\n\t * Register a new Tool\n\t */\n\tpublic tool<T extends z.ZodRawShape>(\n\t\tname: string,\n\t\tdescription: string,\n\t\tshape: T,\n\t\thandler: ToolHandler<T>,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): void {\n\t\tif (this.tools.has(name)) {\n\t\t\tthrow new Error(`Tool already registered: ${name}`);\n\t\t}\n\n\t\tconst schema = z.object(shape);\n\t\tconst generatedSchema = zodToJsonSchema(schema);\n\n\t\tlet finalDescription = 
description;\n\t\tlet finalHandler = handler;\n\n\t\t// LIOP Zero-Shot Autonomy Middleware: Detect Logic-on-Origin tools\n\t\tif (shape.payload && shape.payload instanceof z.ZodString) {\n\t\t\tconst blockedKeys = this.config?.security?.forbiddenKeys || [];\n\n\t\t\t// [Token Economy] Centralized description: reference the protocol spec\n\t\t\t// Resource instead of duplicating the full envelope format per tool.\n\t\t\t// Same information, delivered once via liop://protocol/envelope-spec.\n\t\t\tfinalDescription +=\n\t\t\t\t\"\\n\\nPayload: LIOP v1 envelope (WASI sandbox).\" +\n\t\t\t\t\" Format: @LIOP{wasi_v1,TaskName}\\\\n<JS code>\\\\n@END\" +\n\t\t\t\t\" | Access data: env.records. Return aggregated object.\" +\n\t\t\t\t\" Note: If dataset size < 10 (synthetic demo), Egress K-Anonymity blocks output if it has >3 keys or any array/nested object.\" +\n\t\t\t\t\" | Full spec: resource liop://protocol/envelope-spec\";\n\n\t\t\tif (blockedKeys.length > 0) {\n\t\t\t\tfinalDescription += `\\nRestricted fields: ${blockedKeys.join(\", \")}.`;\n\t\t\t}\n\n\t\t\tif (this.activeSchema) {\n\t\t\t\tconst schemaDigest = this.extractSchemaFieldSummary(this.activeSchema);\n\t\t\t\tfinalDescription += `\\nData structure: ${schemaDigest}. Full schema: resource liop://schema/global`;\n\t\t\t}\n\n\t\t\tfinalHandler = async (\n\t\t\t\targs: z.infer<z.ZodObject<T>>,\n\t\t\t\t_extra: { signal?: AbortSignal },\n\t\t\t) => {\n\t\t\t\tconst clientId = \"global_connection\"; // Simplify for now, treating the instance as one connection\n\t\t\t\tconst now = Date.now();\n\t\t\t\tconst stats = this.connectionStats.get(clientId) || {\n\t\t\t\t\tfailures: 0,\n\t\t\t\t\tlastAttempt: 0,\n\t\t\t\t};\n\n\t\t\t\tif (\n\t\t\t\t\tstats.failures >= this.THROTTLE_THRESHOLD &&\n\t\t\t\t\tnow - stats.lastAttempt < this.THROTTLE_COOLDOWN_MS\n\t\t\t\t) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"LIOP_THROTTLED: Too many violations. 
Cooling down for 60 seconds.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadValue = (args as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst bypassCache =\n\t\t\t\t\t(args as Record<string, unknown>).__liop_bypass_ast_cache === true;\n\n\t\t\t\tconst payloadHash = crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(payloadValue)\n\t\t\t\t\t.digest(\"hex\");\n\t\t\t\tconst logic = this.extractLogic(payloadValue);\n\t\t\t\tconst cached = this.logicCache.get(payloadHash);\n\n\t\t\t\tif (\n\t\t\t\t\t!bypassCache &&\n\t\t\t\t\tcached &&\n\t\t\t\t\tnow - cached.timestamp < this.CACHE_TTL_MS\n\t\t\t\t) {\n\t\t\t\t\t// Hash verified. Skips boundaries check (already validated!). Extract logic directly.\n\t\t\t\t\tif (logic) {\n\t\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing\n\t\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tlogic,\n\t\t\t\t\t\t\tpolicy,\n\t\t\t\t\t\t\t\"mcp-client\",\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn await this.executeInWorkerPool(args, logic, name);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!logic) {\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"Error: Malformed payload. 
Missing @LIOP boundary.\\\\nYou MUST wrap your logic exactly like this:\\\\n\\\\n@LIOP{wasi_v1,DynamicAudit}\\\\n// Your JS code here\\\\n@END\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Logic check already performed above, extraction is guaranteed at this point.\n\t\t\t\t\t// biome-ignore lint/style/noNonNullAssertion: safe extraction after check\n\t\t\t\t\tconst logic = this.extractLogic(\n\t\t\t\t\t\t(args as Record<string, unknown>).payload as string,\n\t\t\t\t\t)!;\n\t\t\t\t\t// Extract pure logic and deliver it to the developer's function\n\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing (Includes PII Shield)\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\tname,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\tpolicy,\n\t\t\t\t\t\t\"mcp-client\",\n\t\t\t\t\t);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\n\t\t\t\t\tconst result = await this.executeInWorkerPool(args, logic, name);\n\n\t\t\t\t\tif (!result.isError) {\n\t\t\t\t\t\tthis.connectionStats.set(clientId, {\n\t\t\t\t\t\t\tfailures: 0,\n\t\t\t\t\t\t\tlastAttempt: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t\tthis.logicCache.set(payloadHash, {\n\t\t\t\t\t\t\thash: payloadHash,\n\t\t\t\t\t\t\ttimestamp: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t} else {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t}\n\n\t\t\t\t\treturn result;\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, 
stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{ type: \"text\", text: `ExecutionRuntimeException: ${e.message}` },\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t};\n\t\t}\n\n\t\tconst inputSchema = {\n\t\t\ttype: \"object\",\n\t\t\tproperties: (generatedSchema as Record<string, unknown>).properties || {},\n\t\t\trequired: (generatedSchema as Record<string, unknown>).required,\n\t\t};\n\n\t\tthis.tools.set(name, {\n\t\t\ttool: { name, description: finalDescription, inputSchema },\n\t\t\thandler: finalHandler,\n\t\t\tschema,\n\t\t\tpolicy,\n\t\t});\n\n\t\t// [LIOP-ALPHA] Auto-announce capability to the Mesh P2P DHT if node is active\n\t\tif (this.meshNode) {\n\t\t\tthis.meshNode.announceCapability(name).catch((err) => {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Mesh] Failed to auto-announce tool ${name}: ${err.message}`,\n\t\t\t\t);\n\t\t\t});\n\t\t}\n\t}\n\n\t/**\n\t * Register a dynamic prompt\n\t */\n\tpublic prompt(\n\t\tname: string,\n\t\tdescription: string | undefined,\n\t\targs: Prompt[\"arguments\"],\n\t\thandler: (\n\t\t\trequest: GetPromptRequest,\n\t\t) => GetPromptResult | Promise<GetPromptResult>,\n\t): void {\n\t\tif (this.prompts.has(name)) {\n\t\t\tthrow new Error(`Prompt already registered: ${name}`);\n\t\t}\n\t\tthis.prompts.set(name, {\n\t\t\tprompt: { name, description, arguments: args },\n\t\t\thandler,\n\t\t});\n\t}\n\n\t/**\n\t * Enables LIOP Zero-Shot Autonomy by registering the Blind Analyst standard prompt.\n\t */\n\tpublic enableZeroShotAutonomy(): void {\n\t\tthis.prompt(\n\t\t\t\"liop_blind_analyst\",\n\t\t\t\"The official Logic-Injection-on-Origin Protocol system prompt. 
Instructs the LLM on how to securely inject Logic-on-Origin without violating PII or safety constraints.\",\n\t\t\t[],\n\t\t\t(_request) => {\n\t\t\t\treturn {\n\t\t\t\t\tdescription: \"LIOP Blind Analyst Instructions\",\n\t\t\t\t\tmessages: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\trole: \"user\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: `You are the \"Blind Analyst\" operating within the Logic-Injection-on-Origin Protocol (LIOP) ecosystem.\nYour objective is to perform secure Logic-on-Origin injections. You must process remote data without ever requesting its extraction.\n\nINDUSTRIAL CONSTRAINTS & PROTOCOL RULES:\n1. DATA PRIVACY: NEVER attempt to export Personally Identifiable Information (PII). The LIOP Egress Shield will block any response containing raw IDs, names, or addresses.\n2. AGGREGATION FIRST & K-ANONYMITY THRESHOLDS: Always prefer returning counts, averages, or anonymized summaries.\n - Dataset < 10 records: Maximum of 3 scalar output fields. Nesting or arrays in output are strictly forbidden.\n - Dataset >= 10 records: Maximum of 10 output fields.\n3. LAPLACE DIFFERENTIAL PRIVACY (DP) COMPLIANCE:\n - Legitimate COUNT queries: To obtain EXACT, un-noised counts, you MUST name your return keys containing 'count', 'length', 'size', 'num', 'positive', 'negative', or starting with 'total_' or 'num_' (e.g. 'total_tx', 'credits_count'). This forces sensitivity=1.0, rounds values, and clamps to non-negative values.\n - Legitimate AVERAGE queries: Use 'avg_', '_average' or 'mean_' keys to automatically scale down Laplace noise by dividing sensitivity by the dataset size (sensitivity / n).\n - Legitimate SUM queries: Return keys without count/average suffixes will receive full Laplacian noise scaled by the node's global sensitivity (which can be up to 100,000 in Bank nodes to protect raw balances). Do NOT attempt to bypass this by renaming sum fields to count fields, as it violates protocol integrity.\n4. 
PAYLOAD ENCAPSULATION: Your JavaScript payloads MUST strictly adhere to the Compact Envelope. DO NOT include markdown backticks or leading text inside the 'payload' argument.\n Structure:\n @LIOP{wasi_v1,AnalysisTask}\n // Your JS Code Here\n @END\n5. RUNTIME SCOPE: The execution environment provides a global 'env' object. Use 'env.records' to access the target dataset.\n6. LOCALIZATION: Format all JSON response keys in the language used by the user in their query (e.g., use Spanish keys if the query is in Spanish).\n7. SCHEMA RIGIDITY: Only use fields defined in the 'Data Dictionary'. Usage of non-existent fields will trigger a sandbox runtime exception.\n8. SANDBOX RUNTIME: The 'Date' class/constructor is poisoned and set to undefined. Calling 'new Date()', 'Date.now()', or 'Date.parse()' will throw exceptions.\n Workaround: Perform chronological operations and filtering using lexicographical string comparisons on ISO 8601 date strings (e.g., 'record.date >= \"2024-01-01\"').\n Additionally, standard globals like 'eval', 'Function', 'setTimeout', 'setInterval', 'Buffer', ArrayBuffer, and TypedArrays are also undefined.${\n\t\t\tthis.activeSchema\n\t\t\t\t? 
`\\n\\nCURRENT DATA DICTIONARY (STRICT):\\n${JSON.stringify(this.activeSchema, null, 2)}`\n\t\t\t\t: \"\"\n\t\t}\n\nProtocol Adherence is mandatory for successful execution.`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t};\n\t\t\t},\n\t\t);\n\t}\n\n\t/**\n\t * Register a dynamic resource\n\t */\n\tpublic resource(\n\t\tname: string,\n\t\turi: string,\n\t\tdescription?: string,\n\t\tmimeType?: string,\n\t\tcontent?: string | (() => Promise<string>),\n\t): void {\n\t\tif (this.resources.has(uri)) {\n\t\t\tthrow new Error(`Resource URI already registered: ${uri}`);\n\t\t}\n\t\tthis.resources.set(uri, { name, uri, description, mimeType, content });\n\t}\n\n\t/**\n\t * Builds execution guidelines served as a resource to guide LLM code generation.\n\t */\n\tprivate buildExecutionGuidelines(): string {\n\t\treturn [\n\t\t\t\"LIOP Sandbox Execution Guidelines\",\n\t\t\t\"=================================\",\n\t\t\t\"\",\n\t\t\t\"1. DATE POISONING & FILTERING WORKAROUND:\",\n\t\t\t\" The global 'Date' class is set to undefined inside the sandbox. Calling 'new Date()', 'Date.now()', or 'Date.parse()' will throw a ReferenceError.\",\n\t\t\t\" - Workaround: Perform chronological filtering using lexicographical string comparisons on ISO 8601 strings.\",\n\t\t\t\" Example: const filtered = env.records.filter(r => r.date >= '2024-01-01' && r.date <= '2024-12-31');\",\n\t\t\t\"\",\n\t\t\t\"2. K-ANONYMITY CONSTRAINTS:\",\n\t\t\t\" - Datasets with LESS than 10 records: The returned object must contain at most 3 scalar fields, and must NOT contain any arrays or nested objects.\",\n\t\t\t\" - Datasets with 10 or MORE records: The returned object can contain up to 10 fields.\",\n\t\t\t\"\",\n\t\t\t\"3. 
DIFFERENTIAL PRIVACY SUFFIXES:\",\n\t\t\t\" To avoid Laplacian noise adding random perturbations to your counts or averages, you must name your object keys using specific terms:\",\n\t\t\t\" - Counts (Exact, no noise): Key names must contain 'count', 'length', 'size', 'num', 'positive', 'negative', or start with 'total_' or 'num_'.\",\n\t\t\t\" - Averages (Reduced noise): Key names must contain 'avg', 'mean', or 'average'.\",\n\t\t\t\" - Sums/Other: Will receive full Laplace noise.\",\n\t\t\t\"\",\n\t\t\t\"4. GENERAL RESTRICTIONS:\",\n\t\t\t\" - Do not use 'eval', 'Function', 'setTimeout', 'setInterval', 'Buffer', 'ArrayBuffer', or TypedArrays.\",\n\t\t\t\" - Do not attempt to modify prototypes (Object.prototype, Array.prototype).\",\n\t\t].join(\"\\n\");\n\t}\n\n\t/**\n\t * Broadcasts the Data Dictionary to the LLM prior to code injection.\n\t */\n\tpublic dataDictionary(\n\t\tschema: Record<string, unknown>,\n\t\tname: string = \"Global Medical Data Dictionary\",\n\t\turi: string = \"liop://schema/global\",\n\t\tdescription: string = \"Exposes the internal database schema for Zero-Shot Autonomy planning\",\n\t): void {\n\t\t// Inject $comment directive to assist LLMs directly inside the JSON Schema representation\n\t\tschema.$comment =\n\t\t\t\"LIOP DIRECTIVES: 1. Date is undefined (Date.now(), new Date() throw). Workaround: use lexicographical string comparison on ISO 8601 string dates (e.g. record.date >= '2024-01-01'). 2. Small datasets (<10 records) limit outputs to max 3 scalar keys with NO nesting. 3. 
DP counts must contain count/length/size/num/total_ prefix/suffix.\";\n\n\t\tthis.activeSchema = schema;\n\n\t\t// [Token Economy] Retroactively update tool descriptions with schema field references.\n\t\t// Extracts actual data property names from the JSON Schema structure.\n\t\tconst schemaDigest = this.extractSchemaFieldSummary(schema);\n\t\tfor (const [toolName, entry] of this.tools.entries()) {\n\t\t\tif (\n\t\t\t\tentry.schema.shape.payload &&\n\t\t\t\tentry.schema.shape.payload instanceof z.ZodString &&\n\t\t\t\tentry.tool.description &&\n\t\t\t\t!entry.tool.description.includes(\"Data structure:\")\n\t\t\t) {\n\t\t\t\tentry.tool.description += `\\nData structure: ${schemaDigest}. Full schema: resource ${uri}. Guidelines: resource liop://schema/guidelines`;\n\t\t\t\tthis.tools.set(toolName, entry);\n\t\t\t}\n\t\t}\n\n\t\tif (!this.resources.has(\"liop://schema/guidelines\")) {\n\t\t\tthis.resource(\n\t\t\t\t\"LIOP Execution Guidelines\",\n\t\t\t\t\"liop://schema/guidelines\",\n\t\t\t\t\"Directives for generating compliant JavaScript code for the LIOP Sandbox runtime\",\n\t\t\t\t\"text/plain\",\n\t\t\t\t() => Promise.resolve(this.buildExecutionGuidelines()),\n\t\t\t);\n\t\t}\n\n\t\tthis.resource(\n\t\t\tname,\n\t\t\turi,\n\t\t\tdescription,\n\t\t\t\"application/json\",\n\t\t\tJSON.stringify(schema, null, 2),\n\t\t);\n\t}\n\n\t/**\n\t * Manually invalidates the AST Logic Cache (e.g. for Zero-Day patches).\n\t */\n\tpublic clearAstCache(): void {\n\t\tthis.logicCache.clear();\n\t\tlog.info(\"[LIOP-SDK] AST Security Cache cleared by Admin.\");\n\t}\n\n\t/**\n\t * Sliding window rate limiter for tool call frequency.\n\t * Prevents micro-query exfiltration attacks where an attacker\n\t * makes hundreds of individually-legitimate calls to reconstruct\n\t * the full dataset field by field. 
(OWASP A01)\n\t */\n\tprivate checkToolCallRateLimit(toolName: string): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxPerWindow = this.toolCallMaxPerWindow;\n\n\t\tconst window = this.toolCallWindows.get(toolName) || [];\n\t\t// Evict expired timestamps outside the sliding window\n\t\tconst active = window.filter((t) => now - t < windowMs);\n\n\t\tif (active.length >= maxPerWindow) {\n\t\t\tconst retryAfterSec = Math.ceil((active[0] + windowMs - now) / 1000);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Too many calls to ${toolName}. ` +\n\t\t\t\t\t\t\t`Max ${maxPerWindow} per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tactive.push(now);\n\t\tthis.toolCallWindows.set(toolName, active);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Global cross-tool rate limiter.\n\t * Prevents attackers from distributing micro-queries across multiple tools\n\t * to evade per-tool rate limits. (OWASP A01)\n\t */\n\tprivate checkGlobalRateLimit(): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxGlobal = this.globalCallMaxPerWindow;\n\n\t\tthis.globalCallWindow = this.globalCallWindow.filter(\n\t\t\t(t) => now - t < windowMs,\n\t\t);\n\n\t\tif (this.globalCallWindow.length >= maxGlobal) {\n\t\t\tconst retryAfterSec = Math.ceil(\n\t\t\t\t(this.globalCallWindow[0] + windowMs - now) / 1000,\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Global call limit exceeded. ` +\n\t\t\t\t\t\t\t`Max ${maxGlobal} total calls per ${windowMs / 1000}s window. 
` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tthis.globalCallWindow.push(now);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Emulates calling a tool (used locally or via LIOPMcpBridge)\n\t */\n\tpublic async callTool(\n\t\trequest: CallToolRequest,\n\t\tclientId = \"local-client\",\n\t): Promise<CallToolResult> {\n\t\tconst entry = this.tools.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Tool not found: ${request.name}`);\n\t\t}\n\n\t\t// [OWASP-A01] Rate limiting: prevent micro-query exfiltration\n\t\tconst globalLimitResult = this.checkGlobalRateLimit();\n\t\tif (globalLimitResult) return globalLimitResult;\n\t\tconst rateLimitResult = this.checkToolCallRateLimit(request.name);\n\t\tif (rateLimitResult) return rateLimitResult;\n\n\t\ttry {\n\t\t\t// Validate inputs natively with Zod before execution\n\t\t\tconst parsedArgs = entry.schema.parse(request.arguments || {});\n\n\t\t\t// Re-inject the bypass flag if present since Zod might strip unrecognized keys\n\t\t\tif (\n\t\t\t\t(request.arguments as Record<string, unknown>)\n\t\t\t\t\t?.__liop_bypass_ast_cache === true\n\t\t\t) {\n\t\t\t\t(parsedArgs as Record<string, unknown>).__liop_bypass_ast_cache = true;\n\t\t\t}\n\n\t\t\t// [LOGIC-ON-ORIGIN] Intercept code injection directly\n\t\t\tif (\n\t\t\t\tparsedArgs &&\n\t\t\t\ttypeof (parsedArgs as Record<string, unknown>).payload === \"string\"\n\t\t\t) {\n\t\t\t\tconst payload = (parsedArgs as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst logic = this.extractLogic(payload);\n\t\t\t\tif (logic) {\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\tentry.policy,\n\t\t\t\t\t\tclientId,\n\t\t\t\t\t);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: 
true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\t\t\t\t\t(parsedArgs as Record<string, unknown>).payload = logic;\n\t\t\t\t\treturn await this.executeInWorkerPool(\n\t\t\t\t\t\tparsedArgs,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst result = await entry.handler(parsedArgs, {});\n\t\t\treturn result;\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tif (e instanceof z.ZodError) {\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [{ type: \"text\", text: `Validation Error: ${e.message}` }],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{ type: \"text\", text: `Internal Execution Error: ${e.message}` },\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Retrieves registered tools\n\t */\n\tpublic listTools(): Tool[] {\n\t\treturn Array.from(this.tools.values()).map((t) => t.tool);\n\t}\n\n\t/**\n\t * Retrieves registered prompts\n\t */\n\tpublic listPrompts(): Prompt[] {\n\t\treturn Array.from(this.prompts.values()).map((p) => p.prompt);\n\t}\n\n\t/**\n\t * Gets a specific prompt by name\n\t */\n\tpublic async getPrompt(request: GetPromptRequest): Promise<GetPromptResult> {\n\t\tconst entry = this.prompts.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Prompt not found: ${request.name}`);\n\t\t}\n\t\treturn await entry.handler(request);\n\t}\n\n\t/**\n\t * Retrieves registered resources\n\t */\n\tpublic listResources(): Resource[] {\n\t\treturn Array.from(this.resources.values());\n\t}\n\n\t/**\n\t * Reads a specific resource by URI\n\t */\n\tpublic async readResource(uri: string): Promise<{\n\t\tcontents: Array<{ uri: string; mimeType?: string; text: string }>;\n\t}> {\n\t\tconst resource = this.resources.get(uri);\n\t\tif (!resource) {\n\t\t\tthrow new Error(`Resource not found: ${uri}`);\n\t\t}\n\n\t\tlet text = \"No description provided\";\n\t\tif (typeof resource.content === \"function\") {\n\t\t\ttext = await 
resource.content();\n\t\t} else if (typeof resource.content === \"string\") {\n\t\t\ttext = resource.content;\n\t\t} else if (resource.description) {\n\t\t\ttext = resource.description;\n\t\t}\n\n\t\treturn {\n\t\t\tcontents: [\n\t\t\t\t{\n\t\t\t\t\turi: resource.uri,\n\t\t\t\t\tmimeType: resource.mimeType || \"text/plain\",\n\t\t\t\t\ttext,\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t}\n\n\tpublic getServerInfo(): ServerInfo {\n\t\treturn this.serverInfo;\n\t}\n\n\tpublic getMeshNode(): MeshNode | null {\n\t\treturn this.meshNode;\n\t}\n\n\t/**\n\t * Injects data into the secure sandbox context for Logic-on-Origin tools.\n\t */\n\tpublic setSandboxData(records: Record<string, unknown>[]) {\n\t\tthis.sandboxRecords = records;\n\t}\n\n\tpublic getBoundPort(): number | null {\n\t\treturn this.boundPort;\n\t}\n\n\t/**\n\t * Connects to the libp2p Kademlia DHT and announces capabilities.\n\t * Boots the gRPC server for secure Logic-on-Origin.\n\t */\n\tpublic async connectToMesh(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\tconst envPort = process.env.LIOP_GRPC_PORT\n\t\t\t? Number.parseInt(process.env.LIOP_GRPC_PORT, 10)\n\t\t\t: undefined;\n\t\tconst port = options.port ?? envPort ?? 50051;\n\n\t\t// [Fail-Fast] Validate tokenSlug format at startup to prevent silent mismatches\n\t\tconst TOKEN_SLUG_PATTERN = /^[A-Z][A-Z0-9_]*$/;\n\t\tif (\n\t\t\tthis.config?.tokenSlug &&\n\t\t\t!TOKEN_SLUG_PATTERN.test(this.config.tokenSlug)\n\t\t) {\n\t\t\tthrow new Error(\n\t\t\t\t`Invalid tokenSlug \"${this.config.tokenSlug}\". Must match SCREAMING_SNAKE_CASE: /^[A-Z][A-Z0-9_]*$/ (e.g., \"BANK\", \"VAULT\", \"HFT_ORACLE\").`,\n\t\t\t);\n\t\t}\n\n\t\t// 1. Initialize Mesh Node (Discovery)\n\t\tthis.meshNode = new MeshNode(options.meshConfig);\n\t\tawait this.meshNode.start();\n\n\t\t// 2. 
Register LIOP Manifest Protocol Handler\n\t\t// This allows remote peers to query our tool/resource metadata dynamically.\n\t\tconst meshNodeRef = this.meshNode;\n\t\tthis.meshNode.registerManifestHandler((): LiopManifest => {\n\t\t\tconst tools = this.listTools().map((t) => ({\n\t\t\t\tname: t.name,\n\t\t\t\tdescription: t.description,\n\t\t\t\tinputSchema: t.inputSchema as Record<string, unknown>,\n\t\t\t}));\n\n\t\t\tconst resources = Array.from(this.resources.values()).map((r) => ({\n\t\t\t\tname: r.name,\n\t\t\t\turi: r.uri,\n\t\t\t\tdescription: r.description,\n\t\t\t\tmimeType: r.mimeType,\n\t\t\t\ttext: typeof r.content === \"string\" ? r.content : r.description,\n\t\t\t}));\n\n\t\t\treturn {\n\t\t\t\tpeerId: meshNodeRef.getPeerId(),\n\t\t\t\tgrpcPort: port,\n\t\t\t\ttools,\n\t\t\t\tresources,\n\t\t\t\tserverInfo: this.serverInfo,\n\t\t\t\tauthRequired: this.jwtValidator !== undefined,\n\t\t\t\ttokenSlug: this.config?.tokenSlug,\n\t\t\t\ttaxonomy: this.config?.taxonomy\n\t\t\t\t\t? {\n\t\t\t\t\t\t\tdomain: this.config.taxonomy.domain || \"Unknown Domain\",\n\t\t\t\t\t\t\tclearanceTier: this.config.taxonomy.clearanceTier ?? 0,\n\t\t\t\t\t\t\texecutionTypes: this.config.taxonomy.executionTypes || [],\n\t\t\t\t\t\t}\n\t\t\t\t\t: undefined,\n\t\t\t};\n\t\t});\n\n\t\t// 3. Announce local tools to the DHT\n\t\tfor (const tool of this.listTools()) {\n\t\t\tawait this.meshNode.announceCapability(tool.name).catch(log.info);\n\t\t}\n\n\t\t// 4. Announce manifest availability\n\t\tawait this.meshNode.announceManifest().catch(log.info);\n\n\t\t// 5. 
Initialize gRPC Server (Execution)\n\t\tthis.rpcServer = new LiopRpcServer();\n\n\t\tthis.rpcServer.addService({\n\t\t\tnegotiateIntent: (call, callback) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Negotiating intent for capability: ${request.capability_hash}`,\n\t\t\t\t);\n\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst authHeader = call.metadata.get(\"authorization\")[0] as\n\t\t\t\t\t\t| string\n\t\t\t\t\t\t| undefined;\n\t\t\t\t\tif (!authHeader) {\n\t\t\t\t\t\tcallback({\n\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\tdetails: \"Missing Authorization header in gRPC metadata\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\tconst token = authHeader.startsWith(\"Bearer \")\n\t\t\t\t\t\t? authHeader.slice(7)\n\t\t\t\t\t\t: authHeader;\n\n\t\t\t\t\t// Calculate SHA-256 hash of the incoming token\n\t\t\t\t\tconst tokenHash = crypto\n\t\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t\t.update(token)\n\t\t\t\t\t\t.digest(\"hex\")\n\t\t\t\t\t\t.toLowerCase();\n\n\t\t\t\t\t// 1. Check local revocation list\n\t\t\t\t\tthis.loadRevocationList();\n\t\t\t\t\tif (this.revokedTokenHashes.has(tokenHash)) {\n\t\t\t\t\t\tcallback({\n\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\tdetails: \"Token has been revoked by the resource owner\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\t// 2. 
Validate Pre-Shared Local Access Token (Sovereign Node Auth)\n\t\t\t\t\tconst localTestToken = this.config?.auth?.localTestToken;\n\t\t\t\t\tconst isTestTokenPattern = /^[a-zA-Z0-9_-]+-local-test-token$/;\n\n\t\t\t\t\tif (localTestToken) {\n\t\t\t\t\t\tif (token === localTestToken) {\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Bypass authentication for matching localTestToken: ${localTestToken}`,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\timport(\"../rpc/crypto/kyber.js\").then(\n\t\t\t\t\t\t\t\tasync ({ Kyber768Wrapper }) => {\n\t\t\t\t\t\t\t\t\tconst { publicKey, secretKey } =\n\t\t\t\t\t\t\t\t\t\tawait Kyber768Wrapper.generateKeyPair();\n\n\t\t\t\t\t\t\t\t\tconst sessionToken = crypto.randomUUID();\n\n\t\t\t\t\t\t\t\t\tthis.sessions.set(sessionToken, {\n\t\t\t\t\t\t\t\t\t\tcapability_hash: request.capability_hash,\n\t\t\t\t\t\t\t\t\t\tkyber_sk: secretKey,\n\t\t\t\t\t\t\t\t\t\tagent_did: request.agent_did,\n\t\t\t\t\t\t\t\t\t\ttokenHash,\n\t\t\t\t\t\t\t\t\t});\n\n\t\t\t\t\t\t\t\t\tcallback(null, {\n\t\t\t\t\t\t\t\t\t\taccepted: true,\n\t\t\t\t\t\t\t\t\t\tsession_token: sessionToken,\n\t\t\t\t\t\t\t\t\t\terror_message: \"\",\n\t\t\t\t\t\t\t\t\t\tkyber_public_key: publicKey,\n\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Strictly require the specific static access token\n\t\t\t\t\t\tcallback({\n\t\t\t\t\t\t\tcode: grpc.status.PERMISSION_DENIED,\n\t\t\t\t\t\t\tdetails:\n\t\t\t\t\t\t\t\ttoken && isTestTokenPattern.test(token)\n\t\t\t\t\t\t\t\t\t? 
\"Pre-shared local test token is invalid for this resource domain (segregation violation).\"\n\t\t\t\t\t\t\t\t\t: \"Access Denied: This restricted node requires its specific static access token.\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\tthis.jwtValidator\n\t\t\t\t\t\t.validate(token)\n\t\t\t\t\t\t.then((authInfo) => {\n\t\t\t\t\t\t\tconst authResult = authorizeRequest(\"tools/call\", authInfo);\n\t\t\t\t\t\t\tif (!authResult.allowed) {\n\t\t\t\t\t\t\t\tcallback({\n\t\t\t\t\t\t\t\t\tcode: grpc.status.PERMISSION_DENIED,\n\t\t\t\t\t\t\t\t\tdetails: authResult.reason || \"Access Denied\",\n\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\timport(\"../rpc/crypto/kyber.js\").then(\n\t\t\t\t\t\t\t\tasync ({ Kyber768Wrapper }) => {\n\t\t\t\t\t\t\t\t\tconst { publicKey, secretKey } =\n\t\t\t\t\t\t\t\t\t\tawait Kyber768Wrapper.generateKeyPair();\n\n\t\t\t\t\t\t\t\t\tconst sessionToken = crypto.randomUUID();\n\n\t\t\t\t\t\t\t\t\tthis.sessions.set(sessionToken, {\n\t\t\t\t\t\t\t\t\t\tcapability_hash: request.capability_hash,\n\t\t\t\t\t\t\t\t\t\tkyber_sk: secretKey,\n\t\t\t\t\t\t\t\t\t\tagent_did: request.agent_did,\n\t\t\t\t\t\t\t\t\t\ttokenHash,\n\t\t\t\t\t\t\t\t\t});\n\n\t\t\t\t\t\t\t\t\tcallback(null, {\n\t\t\t\t\t\t\t\t\t\taccepted: true,\n\t\t\t\t\t\t\t\t\t\tsession_token: sessionToken,\n\t\t\t\t\t\t\t\t\t\terror_message: \"\",\n\t\t\t\t\t\t\t\t\t\tkyber_public_key: publicKey,\n\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t})\n\t\t\t\t\t\t.catch((err) => {\n\t\t\t\t\t\t\tcallback({\n\t\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\t\tdetails: `Invalid JWT token: ${err.message}`,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t});\n\t\t\t\t} else {\n\t\t\t\t\timport(\"../rpc/crypto/kyber.js\").then(async ({ Kyber768Wrapper }) => {\n\t\t\t\t\t\tconst { publicKey, secretKey } =\n\t\t\t\t\t\t\tawait Kyber768Wrapper.generateKeyPair();\n\n\t\t\t\t\t\tconst sessionToken = 
crypto.randomUUID();\n\n\t\t\t\t\t\tthis.sessions.set(sessionToken, {\n\t\t\t\t\t\t\tcapability_hash: request.capability_hash,\n\t\t\t\t\t\t\tkyber_sk: secretKey,\n\t\t\t\t\t\t\tagent_did: request.agent_did,\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\tcallback(null, {\n\t\t\t\t\t\t\taccepted: true,\n\t\t\t\t\t\t\tsession_token: sessionToken,\n\t\t\t\t\t\t\terror_message: \"\",\n\t\t\t\t\t\t\tkyber_public_key: publicKey,\n\t\t\t\t\t\t});\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t},\n\t\t\texecuteLogic: async (\n\t\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t\t) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Executing Logic-on-Origin for session: ${request.session_token}`,\n\t\t\t\t);\n\n\t\t\t\tconst proceed = async () => {\n\t\t\t\t\tconst session = this.sessions.get(request.session_token);\n\t\t\t\t\tif (!session) {\n\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\tdetails: \"Invalid session token\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Verify if the token associated with this session has been revoked in the meantime\n\t\t\t\t\tif (session.tokenHash) {\n\t\t\t\t\t\tthis.loadRevocationList();\n\t\t\t\t\t\tif (this.revokedTokenHashes.has(session.tokenHash)) {\n\t\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\t\tdetails: \"Token has been revoked by the resource owner\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\t// [SECURITY] Resolve the negotiated tool to enforce its policies\n\t\t\t\t\tconst toolName = session.capability_hash;\n\t\t\t\t\tconst toolDef = toolName ? 
this.tools.get(toolName) : undefined;\n\t\t\t\t\tconst toolPolicy = toolDef?.policy;\n\n\t\t\t\t\t// [SECURITY] Preflight check on gRPC execution path (decrypt Logic-on-Origin)\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst kem = await createMlKem768();\n\t\t\t\t\t\tconst sharedSecret = kem.decap(\n\t\t\t\t\t\t\tnew Uint8Array(request.pqc_ciphertext),\n\t\t\t\t\t\t\tsession.kyber_sk,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst aesKey = Buffer.from(sharedSecret);\n\n\t\t\t\t\t\tconst wasmBuffer = Buffer.from(request.wasm_binary);\n\t\t\t\t\t\tconst authTag = wasmBuffer.subarray(-16);\n\t\t\t\t\t\tconst encryptedData = wasmBuffer.subarray(0, -16);\n\n\t\t\t\t\t\tconst decipher = crypto.createDecipheriv(\n\t\t\t\t\t\t\t\"aes-256-gcm\",\n\t\t\t\t\t\t\taesKey,\n\t\t\t\t\t\t\tBuffer.from(request.aes_nonce || new Uint8Array(12)),\n\t\t\t\t\t\t);\n\t\t\t\t\t\tdecipher.setAuthTag(authTag);\n\t\t\t\t\t\tlet decrypted = decipher.update(encryptedData);\n\t\t\t\t\t\tdecrypted = Buffer.concat([decrypted, decipher.final()]);\n\n\t\t\t\t\t\tconst decryptedPayload = decrypted.toString(\"utf-8\");\n\t\t\t\t\t\tconst logic =\n\t\t\t\t\t\t\tthis.extractLogic(decryptedPayload) || decryptedPayload.trim();\n\n\t\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\t\ttoolName || \"unknown_tool\",\n\t\t\t\t\t\t\tlogic,\n\t\t\t\t\t\t\ttoolPolicy,\n\t\t\t\t\t\t\tsession.agent_did || request.session_token,\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\t\tlog.info(`[LIOP-RPC] Preflight blocked: ${preflightReason}`);\n\t\t\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\t\t\tsemantic_evidence: preflightReason,\n\t\t\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch (decryptionError: unknown) {\n\t\t\t\t\t\tconst 
errorMsg =\n\t\t\t\t\t\t\tdecryptionError instanceof Error\n\t\t\t\t\t\t\t\t? decryptionError.message\n\t\t\t\t\t\t\t\t: String(decryptionError);\n\t\t\t\t\t\tlog.error(`[LIOP-RPC] Preflight decryption failed: ${errorMsg}`);\n\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\tcode: grpc.status.INTERNAL,\n\t\t\t\t\t\t\tdetails: `Preflight logic analysis failed: ${errorMsg}`,\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\t// [DP] Prepare Differential Privacy configuration from tool policy\n\t\t\t\t\t\tconst dpConfig = toolPolicy\n\t\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\t\tepsilon: toolPolicy.dpEpsilon ?? 1.0,\n\t\t\t\t\t\t\t\t\tsensitivity: toolPolicy.dpSensitivity ?? 1.0,\n\t\t\t\t\t\t\t\t\tsmallDatasetThreshold:\n\t\t\t\t\t\t\t\t\t\ttoolPolicy.dpSmallDatasetThreshold ?? 50,\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t: undefined;\n\n\t\t\t\t\t\t// Pass to Worker Pool for PQC Decryption and WASI/V8 execution\n\t\t\t\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\t\t\t\tciphertext: request.pqc_ciphertext,\n\t\t\t\t\t\t\tsecretKeyObj: Array.from(session.kyber_sk),\n\t\t\t\t\t\t\twasmBinary: request.wasm_binary,\n\t\t\t\t\t\t\tinputs: request.inputs,\n\t\t\t\t\t\t\taesNonce: request.aes_nonce,\n\t\t\t\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\t\t\t\tsessionToken: request.session_token,\n\t\t\t\t\t\t\tisEncrypted: true,\n\t\t\t\t\t\t\tdpConfig, // Apply DP noise inside worker before ZK-Receipt commitment\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\tconst sanitizedWorkerOutput = sanitizeOutput(workerResponse.output);\n\n\t\t\t\t\t\tlet finalOutput: string;\n\t\t\t\t\t\tlet validationOutput: unknown = sanitizedWorkerOutput;\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tfinalOutput =\n\t\t\t\t\t\t\t\ttypeof sanitizedWorkerOutput === \"string\"\n\t\t\t\t\t\t\t\t\t? 
sanitizedWorkerOutput\n\t\t\t\t\t\t\t\t\t: JSON.stringify(sanitizedWorkerOutput);\n\n\t\t\t\t\t\t\t// [PROTOCOL TRANSFORMER] Support for Proxied Tool Calls\n\t\t\t\t\t\t\tconst decoded = JSON.parse(finalOutput);\n\t\t\t\t\t\t\tif (decoded.__liop_proxy_tool) {\n\t\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t\t`[LIOP-RPC] Executing Proxied Tool: ${decoded.__liop_proxy_tool}`,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tconst clientId = session.agent_did || \"unknown-client\";\n\t\t\t\t\t\t\t\tconst toolResult = await this.callTool(\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tname: decoded.__liop_proxy_tool,\n\t\t\t\t\t\t\t\t\t\targuments: decoded.__liop_proxy_args || {},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tclientId,\n\t\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\t\t\tif (toolResult.isError) {\n\t\t\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t\t\t`[LIOP-RPC] Proxy tool execution failed: ${toolResult.content[0].text}`,\n\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\t\t\t\t\tsemantic_evidence:\n\t\t\t\t\t\t\t\t\t\t\ttoolResult.content[0].text || \"Unknown error\",\n\t\t\t\t\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tconst sanitizedToolResult = sanitizeOutput(toolResult);\n\t\t\t\t\t\t\t\tfinalOutput = JSON.stringify(sanitizedToolResult);\n\t\t\t\t\t\t\t\tvalidationOutput =\n\t\t\t\t\t\t\t\t\tthis.unwrapForAggregationPolicyScan(sanitizedToolResult);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\tfinalOutput = String(sanitizedWorkerOutput);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// [SECURITY] Output Schema & Policy validation for gRPC Egress\n\t\t\t\t\t\tconst policyViolation = this.validateOutputPolicy(\n\t\t\t\t\t\t\ttoolName || 
\"unknown_tool\",\n\t\t\t\t\t\t\tvalidationOutput,\n\t\t\t\t\t\t\ttoolPolicy,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (policyViolation) {\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Output policy blocked for ${toolName || \"unknown_tool\"}: ${policyViolation}`,\n\t\t\t\t\t\t\t);\n\n\t\t\t\t\t\t\tconst isDev =\n\t\t\t\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t\t\t\t? policyViolation\n\t\t\t\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement.\";\n\n\t\t\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\t\t\tsemantic_evidence: errorMessage,\n\t\t\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t\t\t};\n\n\t\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst response: LogicResponse = {\n\t\t\t\t\t\t\tsemantic_evidence: finalOutput,\n\t\t\t\t\t\t\tcryptographic_proof: Buffer.from(\n\t\t\t\t\t\t\t\tworkerResponse.image_id || \"\",\n\t\t\t\t\t\t\t\t\"hex\",\n\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\tzk_receipt: workerResponse.zk_receipt\n\t\t\t\t\t\t\t\t? 
Buffer.from(workerResponse.zk_receipt, \"base64\")\n\t\t\t\t\t\t\t\t: Buffer.from(\"\"),\n\t\t\t\t\t\t\tis_error: false,\n\t\t\t\t\t\t};\n\n\t\t\t\t\t\t// Final PII check for gRPC egress\n\t\t\t\t\t\tconst violation = await this.piiScanner.scan(validationOutput);\n\t\t\t\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\t\tthis.unwrapForAggregationPolicyScan(validationOutput),\n\t\t\t\t\t\t\ttoolPolicy?.enforceAggregationFirst,\n\t\t\t\t\t\t\tthis.sandboxRecords?.length,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller\n\t\t\t\t\t\t\tconst internalReason =\n\t\t\t\t\t\t\t\tviolation || \"Aggregation-First Policy Violation\";\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Secure egress blocked in gRPC stream: ${internalReason}`,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tresponse.semantic_evidence =\n\t\t\t\t\t\t\t\t\"[LIOP] Egress Security Violation. Output blocked due to policy enforcement.\";\n\t\t\t\t\t\t\tresponse.is_error = true;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tcall.write(response, () => {\n\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t});\n\t\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\t\tconst isDev =\n\t\t\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\t\t\tprocess.env.NODE_ENV === \"test\";\n\n\t\t\t\t\t\tconst detail = e.message || String(error);\n\t\t\t\t\t\tlog.error(`[LIOP-RPC] Execution Error: ${detail}`);\n\n\t\t\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t\t\t? `Execution Error: ${detail}`\n\t\t\t\t\t\t\t: \"[LIOP] Execution Failed. 
The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\t\t\t\t// Send error response before closing, avoiding \"stream closed without results\"\n\t\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\t\tsemantic_evidence: errorMessage,\n\t\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t\t};\n\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t} catch (_writeErr) {\n\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t};\n\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst authHeader = call.metadata.get(\"authorization\")[0] as\n\t\t\t\t\t\t| string\n\t\t\t\t\t\t| undefined;\n\t\t\t\t\tif (!authHeader) {\n\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\tdetails: \"Missing Authorization header in gRPC metadata\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\tconst token = authHeader.startsWith(\"Bearer \")\n\t\t\t\t\t\t? authHeader.slice(7)\n\t\t\t\t\t\t: authHeader;\n\n\t\t\t\t\tconst tokenHash = crypto\n\t\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t\t.update(token)\n\t\t\t\t\t\t.digest(\"hex\")\n\t\t\t\t\t\t.toLowerCase();\n\n\t\t\t\t\t// 1. Check local revocation list\n\t\t\t\t\tthis.loadRevocationList();\n\t\t\t\t\tif (this.revokedTokenHashes.has(tokenHash)) {\n\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\tdetails: \"Token has been revoked by the resource owner\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\t// 2. 
Validate Pre-Shared Local Access Token (Sovereign Node Auth)\n\t\t\t\t\tconst localTestToken = this.config?.auth?.localTestToken;\n\t\t\t\t\tconst isTestTokenPattern = /^[a-zA-Z0-9_-]+-local-test-token$/;\n\n\t\t\t\t\tif (localTestToken) {\n\t\t\t\t\t\tif (token === localTestToken) {\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Bypass authentication in executeLogic for matching localTestToken: ${localTestToken}`,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tawait proceed();\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Strictly require the specific static access token\n\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\tcode: grpc.status.PERMISSION_DENIED,\n\t\t\t\t\t\t\tdetails:\n\t\t\t\t\t\t\t\ttoken && isTestTokenPattern.test(token)\n\t\t\t\t\t\t\t\t\t? \"Pre-shared local test token is invalid for this resource domain (segregation violation).\"\n\t\t\t\t\t\t\t\t\t: \"Access Denied: This restricted node requires its specific static access token.\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst authInfo = await this.jwtValidator.validate(token);\n\t\t\t\t\t\tconst authResult = authorizeRequest(\"tools/call\", authInfo);\n\t\t\t\t\t\tif (!authResult.allowed) {\n\t\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\t\tcode: grpc.status.PERMISSION_DENIED,\n\t\t\t\t\t\t\t\tdetails: authResult.reason || \"Access Denied\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tawait proceed();\n\t\t\t\t\t} catch (err: unknown) {\n\t\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\t\tdetails: `Invalid JWT token: ${\n\t\t\t\t\t\t\t\terr instanceof Error ? err.message : String(err)\n\t\t\t\t\t\t\t}`,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tawait proceed();\n\t\t\t\t}\n\t\t\t},\n\t\t});\n\n\t\tthis.boundPort = await this.rpcServer.listen(port);\n\t\tlog.info(\n\t\t\t`[LIOP-SDK] Node successfully announced to Mesh. 
PeerID: ${this.meshNode.getPeerId()}`,\n\t\t);\n\t}\n\n\t/**\n\t * Internal worker execution with Egress Filtering logic.\n\t */\n\tprivate async executeInWorkerPool(\n\t\t_args: Record<string, unknown>,\n\t\trawPayload: string,\n\t\ttoolName?: string,\n\t): Promise<CallToolResult> {\n\t\ttry {\n\t\t\t// [DP] Prepare Differential Privacy configuration\n\t\t\tconst dpPolicy = toolName ? this.tools.get(toolName)?.policy : undefined;\n\t\t\tconst dpConfig = dpPolicy\n\t\t\t\t? {\n\t\t\t\t\t\tepsilon: dpPolicy.dpEpsilon ?? 1.0,\n\t\t\t\t\t\tsensitivity: dpPolicy.dpSensitivity ?? 1.0,\n\t\t\t\t\t\tsmallDatasetThreshold: dpPolicy.dpSmallDatasetThreshold ?? 50,\n\t\t\t\t\t}\n\t\t\t\t: undefined;\n\n\t\t\t// Transparent local execution without dynamic PQC\n\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\tciphertext: new Uint8Array(0),\n\t\t\t\tsecretKeyObj: Array.from(new Uint8Array(0)),\n\t\t\t\tkyberPublicKey: new Uint8Array(0),\n\t\t\t\twasmBinary: Buffer.from(rawPayload),\n\t\t\t\tinputs: {},\n\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\tsessionToken: \"local-dev-token\",\n\t\t\t\tisEncrypted: false, // Use plaintext for local Logic-on-Origin injection\n\t\t\t\tdpConfig, // Pass DP Config to apply inside worker before ZK-Receipt commitment\n\t\t\t});\n\n\t\t\t// DP is now applied directly inside the worker to ensure ZK-Receipt integrity\n\t\t\tconst dpOutput = workerResponse.output;\n\t\t\tconst sanitizedOutput = sanitizeOutput(dpOutput);\n\n\t\t\t// Standard MCP Content Array\n\t\t\tconst textOutput = JSON.stringify({\n\t\t\t\tcomputation_result: sanitizedOutput,\n\t\t\t\timage_id: workerResponse.image_id,\n\t\t\t\tzk_receipt: workerResponse.zk_receipt,\n\t\t\t\tstatus: \"Worker Pool Execution Success\",\n\t\t\t});\n\n\t\t\tconst content = [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\" as const,\n\t\t\t\t\ttext: textOutput,\n\t\t\t\t},\n\t\t\t];\n\n\t\t\tconst toolPolicy = toolName\n\t\t\t\t? 
this.tools.get(toolName)?.policy\n\t\t\t\t: undefined;\n\t\t\tconst policyViolation = this.validateOutputPolicy(\n\t\t\t\ttoolName || \"unknown_tool\",\n\t\t\t\tsanitizedOutput, // Phase 109: Validate NOISY output to ensure invariants\n\t\t\t\ttoolPolicy,\n\t\t\t);\n\t\t\tif (policyViolation) {\n\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller in Production\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Output policy blocked for ${toolName || \"unknown_tool\"}: ${policyViolation}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? policyViolation\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Professional PII Protection Guard\n\t\t\tconst violation = await this.piiScanner.scan(sanitizedOutput);\n\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\tsanitizedOutput, // Phase 109: Validate NOISY output\n\t\t\t\ttoolPolicy?.enforceAggregationFirst,\n\t\t\t\tthis.sandboxRecords?.length,\n\t\t\t);\n\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t// SEC-CRITICAL: Log the specific violation reason server-side only.\n\t\t\t\t// Never expose detection details (entity names, matched values) to the caller in Production.\n\t\t\t\tconst internalReason =\n\t\t\t\t\tviolation ||\n\t\t\t\t\t\"Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.\";\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Secure egress blocked in local execution: ${internalReason}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev 
=\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? `[LIOP] Egress Security Violation: ${internalReason}`\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\treturn { content };\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\tconst detail = e.message || String(error);\n\t\t\tlog.error(`[LIOP-SDK] WorkerPool Execution Fault: ${detail}`);\n\n\t\t\t// [OOM Hardening] Detect V8 worker termination due to heap limit\n\t\t\tconst isOom =\n\t\t\t\tdetail.includes(\"worker_thread_exited\") ||\n\t\t\t\tdetail.includes(\"ERR_WORKER_OUT_OF_MEMORY\") ||\n\t\t\t\tdetail.includes(\"terminated\") ||\n\t\t\t\tdetail.includes(\"heap limit\");\n\n\t\t\tconst errorMessage = isOom\n\t\t\t\t? \"[LIOP] Execution terminated: memory limit exceeded (64MB heap). Reduce data processing volume.\"\n\t\t\t\t: isDev\n\t\t\t\t\t? `WorkerPoolError: ${detail}`\n\t\t\t\t\t: \"[LIOP] Execution Failed. 
The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Safely destroys the worker pool, gRPC server, and Mesh node.\n\t * Recommended to be called during graceful shutdowns or test teardowns.\n\t */\n\tpublic async close(): Promise<void> {\n\t\tif (this.workerPool) {\n\t\t\tawait this.workerPool.close({ force: true });\n\t\t}\n\t\tif (this.rpcServer) {\n\t\t\tawait this.rpcServer.stop();\n\t\t}\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t}\n\n\tprivate loadRevocationList(): void {\n\t\tconst rPath = this.config?.auth?.revocationPath;\n\t\tif (!rPath) return;\n\n\t\ttry {\n\t\t\tif (fs.existsSync(rPath)) {\n\t\t\t\tconst stats = fs.statSync(rPath);\n\t\t\t\t// If file has not changed since last load, skip reading\n\t\t\t\tif (stats.mtimeMs <= this.lastRevocationLoadTime) {\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tconst content = fs.readFileSync(rPath, \"utf-8\");\n\t\t\t\tconst list = JSON.parse(content);\n\t\t\t\tif (Array.isArray(list)) {\n\t\t\t\t\tthis.revokedTokenHashes.clear();\n\t\t\t\t\tfor (const item of list) {\n\t\t\t\t\t\tif (typeof item === \"string\") {\n\t\t\t\t\t\t\tthis.revokedTokenHashes.add(item.trim().toLowerCase());\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tthis.lastRevocationLoadTime = stats.mtimeMs;\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LiopServer] Loaded ${this.revokedTokenHashes.size} revoked token hashes from ${rPath}`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t// Initialize an empty revocation list file\n\t\t\t\tconst dir = path.dirname(rPath);\n\t\t\t\tif (!fs.existsSync(dir)) {\n\t\t\t\t\tfs.mkdirSync(dir, { recursive: true });\n\t\t\t\t}\n\t\t\t\tfs.writeFileSync(rPath, JSON.stringify([], null, 2), \"utf-8\");\n\t\t\t\tthis.lastRevocationLoadTime = 
Date.now();\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LiopServer] Created empty local revocation list at ${rPath}`,\n\t\t\t\t);\n\t\t\t}\n\t\t} catch (err: unknown) {\n\t\t\tlog.error(\n\t\t\t\t`[LiopServer] Failed to load revocation list: ${\n\t\t\t\t\terr instanceof Error ? err.message : String(err)\n\t\t\t\t}`,\n\t\t\t);\n\t\t}\n\t}\n\n\tpublic revokeToken(token: string): void {\n\t\tif (!token) return;\n\t\tconst hash = crypto\n\t\t\t.createHash(\"sha256\")\n\t\t\t.update(token)\n\t\t\t.digest(\"hex\")\n\t\t\t.toLowerCase();\n\t\tthis.revokeTokenHash(hash);\n\t}\n\n\tpublic revokeTokenHash(hash: string): void {\n\t\tif (!hash) return;\n\t\tconst normalizedHash = hash.toLowerCase();\n\n\t\tthis.loadRevocationList();\n\t\tthis.revokedTokenHashes.add(normalizedHash);\n\n\t\tconst rPath = this.config?.auth?.revocationPath;\n\t\tif (rPath) {\n\t\t\ttry {\n\t\t\t\tconst dir = path.dirname(rPath);\n\t\t\t\tif (!fs.existsSync(dir)) {\n\t\t\t\t\tfs.mkdirSync(dir, { recursive: true });\n\t\t\t\t}\n\t\t\t\tconst hashes = Array.from(this.revokedTokenHashes);\n\t\t\t\tfs.writeFileSync(rPath, JSON.stringify(hashes, null, 2), \"utf-8\");\n\n\t\t\t\tconst stats = fs.statSync(rPath);\n\t\t\t\tthis.lastRevocationLoadTime = stats.mtimeMs;\n\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LiopServer] Persisted revocation for hash ${normalizedHash} to ${rPath}`,\n\t\t\t\t);\n\t\t\t} catch (err: unknown) {\n\t\t\t\tlog.error(\n\t\t\t\t\t`[LiopServer] Failed to persist revocation: ${\n\t\t\t\t\t\terr instanceof Error ? 
err.message : String(err)\n\t\t\t\t\t}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t}\n\n\tprivate getPersistentBudget(\n\t\tstorePath: string,\n\t): Record<string, Record<string, Record<string, number>>> {\n\t\ttry {\n\t\t\tif (!fs.existsSync(storePath)) {\n\t\t\t\treturn {};\n\t\t\t}\n\t\t\tconst content = fs.readFileSync(storePath, \"utf-8\");\n\t\t\treturn JSON.parse(content || \"{}\");\n\t\t} catch {\n\t\t\treturn {};\n\t\t}\n\t}\n\n\tprivate savePersistentBudget(\n\t\tstorePath: string,\n\t\tbudget: Record<string, Record<string, Record<string, number>>>,\n\t): void {\n\t\tconst tempPath = `${storePath}.tmp`;\n\t\tconst dir = path.dirname(storePath);\n\t\tif (!fs.existsSync(dir)) {\n\t\t\tfs.mkdirSync(dir, { recursive: true });\n\t\t}\n\t\tfs.writeFileSync(tempPath, JSON.stringify(budget, null, 2), \"utf-8\");\n\t\tfs.renameSync(tempPath, storePath);\n\t}\n\n\tprivate executeWithBudgetLock<T>(\n\t\tstorePath: string,\n\t\taction: (\n\t\t\tbudget: Record<string, Record<string, Record<string, number>>>,\n\t\t) => {\n\t\t\tresult: T;\n\t\t\tupdatedBudget?: Record<string, Record<string, Record<string, number>>>;\n\t\t},\n\t): T {\n\t\tconst lockPath = `${storePath}.lock`;\n\t\tconst maxRetries = 100;\n\t\tconst delayMs = 15;\n\t\tlet attempts = 0;\n\n\t\tconst dir = path.dirname(storePath);\n\t\tif (!fs.existsSync(dir)) {\n\t\t\ttry {\n\t\t\t\tfs.mkdirSync(dir, { recursive: true });\n\t\t\t} catch {\n\t\t\t\t// Ignore concurrent directory creation\n\t\t\t}\n\t\t}\n\n\t\twhile (attempts < maxRetries) {\n\t\t\ttry {\n\t\t\t\tfs.writeFileSync(lockPath, process.pid.toString(), { flag: \"wx\" });\n\t\t\t\tbreak;\n\t\t\t} catch (e: unknown) {\n\t\t\t\tif (\n\t\t\t\t\te &&\n\t\t\t\t\ttypeof e === \"object\" &&\n\t\t\t\t\t\"code\" in e &&\n\t\t\t\t\t(e as Record<string, unknown>).code === \"EEXIST\"\n\t\t\t\t) {\n\t\t\t\t\tattempts++;\n\t\t\t\t\tconst jitter = Math.floor(Math.random() * 10);\n\t\t\t\t\tconst targetTime = Date.now() + delayMs + jitter;\n\t\t\t\t\twhile (Date.now() < 
targetTime) {\n\t\t\t\t\t\t// Sync spin wait\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\tthrow e;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (attempts >= maxRetries) {\n\t\t\tthrow new Error(\n\t\t\t\t\"Timeout acquiring lock for persistent query budget database\",\n\t\t\t);\n\t\t}\n\n\t\ttry {\n\t\t\tconst currentBudget = this.getPersistentBudget(storePath);\n\t\t\tconst { result, updatedBudget } = action(currentBudget);\n\t\t\tif (updatedBudget) {\n\t\t\t\tthis.savePersistentBudget(storePath, updatedBudget);\n\t\t\t}\n\t\t\treturn result;\n\t\t} finally {\n\t\t\ttry {\n\t\t\t\tif (fs.existsSync(lockPath)) {\n\t\t\t\t\tfs.unlinkSync(lockPath);\n\t\t\t\t}\n\t\t\t} catch {\n\t\t\t\t// Ignore lock removal errors\n\t\t\t}\n\t\t}\n\t}\n\n\tprivate applyInMemoryBudget(\n\t\tclientId: string,\n\t\t_toolName: string,\n\t\textractedFields: string[],\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\tlet clientBudget = this.fieldQueryBudget.get(clientId);\n\t\tif (!clientBudget) {\n\t\t\tclientBudget = new Map<string, Map<string, number>>();\n\t\t\tthis.fieldQueryBudget.set(clientId, clientBudget);\n\t\t}\n\n\t\tlet toolBudget = clientBudget.get(_toolName);\n\t\tif (!toolBudget) {\n\t\t\ttoolBudget = new Map<string, number>();\n\t\t\tclientBudget.set(_toolName, toolBudget);\n\t\t}\n\n\t\tfor (const field of extractedFields) {\n\t\t\tconst sensitivity = this.taintAnalyzer.classifyField(\n\t\t\t\tfield,\n\t\t\t\tpolicy?.sensitiveKeys,\n\t\t\t);\n\n\t\t\tlet queryLimit = 25; // default public\n\t\t\tlet sensLabel = \"public\";\n\n\t\t\tif (policy?.queryBudgetPerField !== undefined) {\n\t\t\t\tqueryLimit = policy.queryBudgetPerField;\n\t\t\t\tsensLabel = \"override\";\n\t\t\t} else if (sensitivity === \"forbidden\") {\n\t\t\t\tqueryLimit = 3;\n\t\t\t\tsensLabel = \"forbidden\";\n\t\t\t} else if (sensitivity === \"sensitive\") {\n\t\t\t\tqueryLimit = 8;\n\t\t\t\tsensLabel = \"sensitive\";\n\t\t\t}\n\n\t\t\tconst count = toolBudget.get(field) ?? 
0;\n\t\t\tif (count >= queryLimit) {\n\t\t\t\treturn `Preflight policy rejected: Query budget exceeded for field '${field}' (max ${queryLimit} per session for ${sensLabel} fields). Rotate PQC session to reset budget.`;\n\t\t\t}\n\t\t}\n\n\t\tfor (const field of extractedFields) {\n\t\t\tconst count = toolBudget.get(field) ?? 0;\n\t\t\ttoolBudget.set(field, count + 1);\n\t\t}\n\n\t\treturn null;\n\t}\n}\n"]}
|