@nevermined-io/cli 1.4.0 → 1.5.0

package/dist/utils/widget-redirect-flow.js

@@ -0,0 +1,296 @@
+import { createServer } from 'http';
+import { randomBytes, timingSafeEqual } from 'crypto';
+import { openBrowser } from './browser.js';
+/**
+ * Map a CLI environment name to the embed app's `network` value. The
+ * `embed` origin is shared across the sandbox/live pair within a tier
+ * (`embed.nevermined.app` for both `sandbox` and `live`), differentiated
+ * only by the backend the session is validated against — so the embed
+ * app cannot infer the network from the origin and we must pass it.
+ *
+ * `custom` has no fixed tier, so we sniff `NVM_BACKEND_URL`: a backend
+ * host containing `live` selects `live`, otherwise we fall back to
+ * `sandbox` (matching the embed app's own default).
+ *
+ * NOTE: `live` is only matched as a dot/slash-bounded segment (the
+ * `api.live.<host>` convention), so a hyphenated host like
+ * `https://api-live.example.com` would fall through to `sandbox`. That's
+ * intentional given the naming convention; a `custom` deployment that
+ * doesn't follow it should set `NVM_BACKEND_URL` to a conforming host.
+ */
+export function resolveEmbedNetwork(environment) {
+    switch (environment) {
+        case 'live':
+        case 'staging_live':
+            return 'live';
+        case 'sandbox':
+        case 'staging_sandbox':
+            return 'sandbox';
+        case 'custom':
+            return /(^|[.\/])live([.\/]|$)/.test((process.env.NVM_BACKEND_URL || '').toLowerCase())
+                ? 'live'
+                : 'sandbox';
+    }
+}
+const SELF_MINT_FETCH_TIMEOUT_MS = 15_000;
+/**
+ * Default timeout for a redirect-mode CLI flow. Mirrors the existing
+ * `nvm login` callback timeout — 5 minutes is enough for the user to
+ * tab into the browser, complete a card enrolment + delegation, and
+ * land back at the CLI.
+ */
+const REDIRECT_TIMEOUT_MS = 5 * 60 * 1000;
+/**
+ * Constant-time string equality for the CSRF `state` nonce. The state we
+ * issue is a 32-char hex string (`randomBytes(16).toString('hex')`), so
+ * we ALWAYS allocate fixed 16-byte buffers from `hex` regardless of the
+ * caller-supplied value's encoding. Computing buffer length from string
+ * length would diverge on non-ASCII input (`a.length` is UTF-16 code
+ * units; `Buffer.from(a, 'utf8').length` is byte count), and a crafted
+ * non-hex `received` could otherwise throw inside `timingSafeEqual`.
+ *
+ * Inputs must already have been verified to be 32 hex chars by the
+ * caller (or we reject up front).
+ */
+function safeEqualHexState(received, expected) {
+    if (!/^[0-9a-f]{32}$/i.test(received) || !/^[0-9a-f]{32}$/i.test(expected))
+        return false;
+    return timingSafeEqual(Buffer.from(received, 'hex'), Buffer.from(expected, 'hex'));
+}
+/**
+ * Shared redirect-mode handshake for any CLI command that hands the user
+ * off to a `/cards/*` page on the standalone embed app (`embed.<tier>`)
+ * and waits for a localhost callback.
+ *
+ * Flow:
+ *   1. Bind a one-shot HTTP server on `127.0.0.1:0` (the OS picks a free port).
+ *   2. Compute `returnUrl = http://127.0.0.1:<port>/callback` and hand it
+ *      to `opts.mintSession`. The caller mints a widget session bound to
+ *      that exact returnUrl (which the backend can validate against the
+ *      session-specific allow-list at creation time). We use the literal
+ *      `127.0.0.1` rather than `localhost` because the server binds to
+ *      `127.0.0.1` and Node 17+ resolves `localhost` to `::1` first on
+ *      modern hosts — the browser would stall on the IPv6 attempt before
+ *      falling back to IPv4.
+ *   3. Open the browser at `{embed}/<path>?sessionToken=…&returnUrl=…&state=<rand>`.
+ *   4. Resolve when the embed page redirects to `/callback?…&state=<echo>`.
+ *      `state` is compared in constant time.
+ *
+ * Rejects on bind failure, mint failure, 5-minute timeout, or
+ * state-mismatched callback (the bad request gets a styled error page
+ * and the server stays alive — the legitimate callback can still land).
+ */
+export async function runWidgetRedirectFlow(opts) {
+    const state = randomBytes(16).toString('hex');
+    return new Promise((resolve, reject) => {
+        let resolved = false;
+        let timeout;
+        const finalize = (err, value) => {
+            if (resolved)
+                return;
+            resolved = true;
+            if (timeout)
+                clearTimeout(timeout);
+            server.close();
+            if (err)
+                reject(err);
+            else if (value)
+                resolve(value);
+        };
+        const server = createServer((req, res) => {
+            const url = new URL(req.url || '/', 'http://localhost');
+            if (url.pathname !== '/callback') {
+                res.writeHead(404).end('Not found');
+                return;
+            }
+            const receivedState = url.searchParams.get('state');
+            if (!receivedState || !safeEqualHexState(receivedState, state)) {
+                // INTENTIONALLY do NOT close the server here. The state nonce
+                // is 128 bits of randomness, so brute-forcing one bad callback
+                // per request is infeasible. Closing on first 400 would let an
+                // attacker (or a misconfigured redirect) DoS the legitimate
+                // browser callback that's about to arrive. The 5-minute timer
+                // is the upper bound on how long we'll wait either way.
+                res.writeHead(400, { 'Content-Type': 'text/html' }).end(errorHtml('Callback rejected', 'State mismatch. This callback did not match the request that started the flow — close this tab and re-run the command.'));
+                return;
+            }
+            // Convert URLSearchParams → plain object, dropping the bookkeeping
+            // `state` field (the caller doesn't need to re-validate it).
+            const query = {};
+            for (const [key, value] of url.searchParams.entries()) {
+                if (key === 'state')
+                    continue;
+                query[key] = value;
+            }
+            res.writeHead(200, { 'Content-Type': 'text/html' }).end(successHtml(opts.successPageTitle ?? 'All done', 'You can close this tab and return to your terminal.'));
+            finalize(undefined, { state, query });
+        });
+        timeout = setTimeout(() => {
+            finalize(new Error(opts.timeoutMessage ?? 'Browser flow timed out after 5 minutes. Please try again.'));
+        }, REDIRECT_TIMEOUT_MS);
+        server.on('error', (err) => {
+            finalize(new Error(`Failed to start local callback server: ${err.message}`));
+        });
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            if (!addr || typeof addr === 'string') {
+                finalize(new Error('Failed to obtain local callback port'));
+                return;
+            }
+            // Symmetric with the server bind above (`127.0.0.1` only). Using
+            // the `localhost` alias here would cause an IPv6 stall on modern
+            // Linux/macOS where Node's `dns.lookup` prefers `::1`. The backend
+            // returnUrl allow-list accepts both forms.
+            const returnUrl = `http://127.0.0.1:${addr.port}/callback`;
+            // Mint the session now that returnUrl is known. The backend's
+            // allow-list check at session creation can validate the URL the
+            // browser will actually be redirected to.
+            void (async () => {
+                let sessionToken;
+                try {
+                    const minted = await opts.mintSession({ returnUrl });
+                    sessionToken = minted.sessionToken;
+                }
+                catch (mintErr) {
+                    finalize(mintErr instanceof Error ? mintErr : new Error(String(mintErr)));
+                    return;
+                }
+                const browserUrl = buildEmbedUrl({
+                    embedUrl: opts.embedUrl,
+                    embedPath: opts.embedPath,
+                    sessionToken,
+                    returnUrl,
+                    state,
+                    network: opts.network,
+                    extra: opts.extraSearchParams,
+                });
+                if (opts.noBrowser) {
+                    opts.log('Open this URL in your browser to continue:');
+                    opts.log('');
+                    opts.log(browserUrl);
+                    opts.log('');
+                    opts.log('Waiting for completion...');
+                }
+                else {
+                    opts.log('Opening browser...');
+                    openBrowser(browserUrl).catch(() => {
+                        opts.log('Could not open the browser automatically. Open this URL manually:');
+                        opts.log('');
+                        opts.log(browserUrl);
+                    });
+                    opts.log('Waiting for completion...');
+                }
+            })();
+        });
+    });
+}
+function buildEmbedUrl(opts) {
+    const url = new URL(opts.embedPath, opts.embedUrl);
+    url.searchParams.set('sessionToken', opts.sessionToken);
+    url.searchParams.set('returnUrl', opts.returnUrl);
+    url.searchParams.set('state', opts.state);
+    if (opts.extra) {
+        for (const [k, v] of Object.entries(opts.extra)) {
+            url.searchParams.set(k, v);
+        }
+    }
+    // Set AFTER `extra` so a caller can never accidentally clobber the
+    // network the embed app keys its backend selection off of —
+    // `URLSearchParams.set` overwrites, so writing it last makes it win.
+    url.searchParams.set('network', opts.network);
+    return url.toString();
+}
+function successHtml(title, message) {
+    // Plain HTML, no third-party assets, no scripts. The page is shown
+    // once and the user closes the tab; keep it self-contained so a
+    // captive-portal-style network doesn't break the success state.
+    return buildHtmlPage(title, message, '#f8f9fa', '#0f5132', '#d1e7dd');
+}
+function errorHtml(title, message) {
+    // Same shell as the success page (so the layout looks consistent if
+    // the user sees both back-to-back), but tinted red so a state mismatch
+    // or other 4xx response is visually distinct from "we're done".
+    return buildHtmlPage(title, message, '#f8f9fa', '#842029', '#f8d7da');
+}
+function buildHtmlPage(title, message, pageBg, fgColor, panelBg) {
+    return `<!doctype html>
+<html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head>
+<body style="font-family: system-ui, sans-serif; display:flex; align-items:center; justify-content:center; min-height:100vh; margin:0; background:${pageBg};">
+  <div style="text-align:center; max-width: 480px; padding: 24px; background:${panelBg}; color:${fgColor}; border-radius:8px;">
+    <h2 style="margin: 0 0 12px;">${escapeHtml(title)}</h2>
+    <p style="margin: 0;">${escapeHtml(message)}</p>
+  </div>
+</body></html>`;
+}
+function escapeHtml(value) {
+    return value
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+/**
+ * Hosts a request to `mintSelfWidgetSession` may be sent over plaintext
+ * without warning. Loopback addresses are always safe; every other host
+ * must use `https:` because we're about to send the user's NVM API key
+ * in the `Authorization` header. The `custom` environment variable
+ * (`NVM_BACKEND_URL`) is the only realistic way a user could accidentally
+ * point this at a plaintext non-localhost URL.
+ */
+const LOOPBACK_HOSTNAMES = new Set([
+    'localhost',
+    '127.0.0.1',
+    '::1',
+    '[::1]',
+]);
+export async function mintSelfWidgetSession(args) {
+    const url = new URL('/api/v1/widgets/session/self', args.backendUrl);
+    // Refuse to send the API key over plaintext to a non-loopback host.
+    // All four built-in environments are `https://`, so this only bites
+    // when a user has set `NVM_BACKEND_URL` to a custom plaintext
+    // endpoint — exactly the case where they'd otherwise leak the key
+    // without realising.
+    if (url.protocol === 'http:' &&
+        !LOOPBACK_HOSTNAMES.has(url.hostname.toLowerCase())) {
+        throw new Error(`Refusing to send the NVM API key over plaintext to ${url.host}. Set NVM_BACKEND_URL to an https:// endpoint, or use a loopback host (localhost / 127.0.0.1 / [::1]).`);
+    }
+    // 15s ceiling for the request — without it, an unreachable backend
+    // (DNS failure, TLS handshake hang, network partition) leaves the CLI
+    // frozen with no output. `AbortSignal.timeout` (Node 17.3+) is the
+    // idiomatic replacement for a hand-rolled `AbortController` + setTimeout.
+    let response;
+    try {
+        response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${args.nvmApiKey}`,
+            },
+            body: JSON.stringify({
+                orgId: args.orgId,
+                ...(args.returnUrl ? { returnUrl: args.returnUrl } : {}),
+            }),
+            signal: AbortSignal.timeout(SELF_MINT_FETCH_TIMEOUT_MS),
+        });
+    }
+    catch (cause) {
+        if (cause instanceof Error && (cause.name === 'TimeoutError' || cause.name === 'AbortError')) {
+            throw new Error(`Self-mint widget session request timed out after ${SELF_MINT_FETCH_TIMEOUT_MS / 1000}s — check that ${args.backendUrl} is reachable.`);
+        }
+        throw cause;
+    }
+    if (!response.ok) {
+        const detail = await response
+            .json()
+            .catch(() => ({ message: response.statusText }));
+        const message = detail.message ??
+            `Self-mint widget session failed (HTTP ${response.status})`;
+        const err = new Error(message);
+        err.status = response.status;
+        err.apiCode = detail.code;
+        throw err;
+    }
+    return (await response.json());
+}
+//# sourceMappingURL=widget-redirect-flow.js.map

package/dist/utils/widget-redirect-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"widget-redirect-flow.js","sourceRoot":"","sources":["../../src/utils/widget-redirect-flow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,MAAM,CAAA;AACpE,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAA;AAGrD,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAA;AAW1C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAA4B;IAC9D,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC;QACZ,KAAK,cAAc;YACjB,OAAO,MAAM,CAAA;QACf,KAAK,SAAS,CAAC;QACf,KAAK,iBAAiB;YACpB,OAAO,SAAS,CAAA;QAClB,KAAK,QAAQ;YACX,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;gBACrF,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,SAAS,CAAA;IACjB,CAAC;AACH,CAAC;AAED,MAAM,0BAA0B,GAAG,MAAM,CAAA;AAEzC;;;;;GAKG;AACH,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;AAEzC;;;;;;;;;;;GAWG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,QAAgB;IAC3D,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAA;IACxF,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAA;AACpF,CAAC;AA6CD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAA+B;IAE/B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAE7C,OAAO,IAAI,OAAO,CAA2B,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC/D,IAAI,QAAQ,GAAG,KAAK,CAAA;QACpB,IAAI,OAAkD,CAAA;QAEtD,MAAM,QAAQ,GAAG,CAAC,GAAW,EAAE,KAAgC,EAAQ,EAAE;YACvE,IAAI,QAAQ;gBAAE,OAAM;YACpB,QAAQ,GAAG,IAAI,CAAA;YACf,IAAI,OAAO;gBAAE,YAAY,CAAC,OAAO,CAAC,CAAA;YAClC,MAAM,CAAC,KAAK,EAAE,CAAA;YACd,IAAI,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAA;iBACf,IAAI,KAAK;gBAAE,OAAO,CAAC,KAAK,CAAC,CAAA;QAChC,CAAC,CAAA;QAED,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;YACxE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAA;YACvD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBACnC,OAAM;YACR,CAAC;YAED,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;YACnD,IAAI,CAAC,aAAa,IAAI,CAAC,iBAAiB,CAAC,aAAa,EAAE,KAAK,CAAC,EAAE,CAAC;gBAC/D,8DAA8D;gBAC9D,+DAA+D;gBAC/D,+DAA+D;gBAC/D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,wDAAwD;gBACxD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACrD,SAAS,CACP,mBAAmB,EACnB,wHAAwH,CACzH,CACF,CAAA;gBACD,OAAM;YACR,CAAC;YAED,mEAAmE;YACnE,6DAA6D;YAC7D,MAAM,KAAK,GAA2B,EAAE,CAAA;YACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,EAAE,CAAC;gBACtD,IAAI,GAAG,KAAK,OAAO;oBAAE,SAAQ;gBAC7B,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;YACpB,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC,GAAG,CACrD,WAAW,CACT,IAAI,CAAC,gBAAgB,IAAI,UAAU,EACnC,qDAAqD,CACtD,CACF,CAAA;YACD,QAAQ,CAAC,SAAS,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAA;QACvC,CAAC,CAAC,CAAA;QAEF,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YACxB,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,2DAA2D,CAAC,CAAC,CAAA;QACzG,CAAC,EAAE,mBAAmB,CAAC,CAAA;QAEvB,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,KAAK,CAAC,0CAA0C,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;QAC9E,CAAC,CAAC,CAAA;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAA;YAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACtC,QAAQ,CAAC,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC,CAAA;gBAC3D,OAAM;YACR,CAAC;YACD,iEAAiE;YACjE,iEAAiE;YACjE,mEAAmE;YACnE,2CAA2C;YAC3C,MAAM,SAAS,GAAG,oBAAoB,IAAI,CAAC,IAAI,WAAW,CAAA;YAE1D,8DAA8D;YAC9D,gEAAgE;YAChE,0CAA0C;YAC1C,KAAK,CAAC,KAAK,IAAI,EAAE;gBACf,IAAI,YAAoB,CAAA;gBACxB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC,CAAA;oBACpD,YAAY,GAAG,MAAM,CAAC,YAAY,CAAA;gBACpC,CAAC;gBAAC,OAAO,OAAO,EAAE,CAAC;oBACjB,QAAQ,CAAC,OAAO,YAAY,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;oBACzE,OAAM;gBACR,CAAC;gBAED,MAAM,UAAU,GAAG,aAAa,CAAC;oBAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,YAAY;oBACZ,SAAS;oBACT,KAAK;oBACL,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,KAAK,EAAE,IAAI,CAAC,iBAAiB;iBAC9B,CAAC,CAAA;gBAEF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACnB,IAAI,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;oBACtD,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;oBACZ,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;oBACpB,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;oBACZ,IAAI,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;gBACvC,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;oBAC9B,WAAW,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;wBACjC,IAAI,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAA;wBAC7E,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;wBACZ,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;oBACtB,CAAC,CAAC,CAAA;oBACF,IAAI,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;gBACvC,CAAC;YACH,CAAC,CAAC,EAAE,CAAA;QACN,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC;AAYD,SAAS,aAAa,CAAC,IAA0B;IAC/C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;IAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;IACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,CAAA;IACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;IACzC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAChD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QAC5B,CAAC;IACH,CAAC;IACD,mEAAmE;IACnE,4DAA4D;IAC5D,qEAAqE;IACrE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IAC7C,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;AACvB,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,OAAe;IACjD,mEAAmE;IACnE,gEAAgE;IAChE,gEAAgE;IAChE,OAAO,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;AACvE,CAAC;AAED,SAAS,SAAS,CAAC,KAAa,EAAE,OAAe;IAC/C,oEAAoE;IACpE,uEAAuE;IACvE,gEAAgE;IAChE,OAAO,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;AACvE,CAAC;AAED,SAAS,aAAa,CACpB,KAAa,EACb,OAAe,EACf,MAAc,EACd,OAAe,EACf,OAAe;IAEf,OAAO;2CACkC,UAAU,CAAC,KAAK,CAAC;oJACwF,MAAM;+EAC3E,OAAO,WAAW,OAAO;oCACpE,UAAU,CAAC,KAAK,CAAC;4BACzB,UAAU,CAAC,OAAO,CAAC;;eAEhC,CAAA;AACf,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;AAC3B,CAAC;AAkBD;;;;;;;GAOG;AACH,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IACtD,WAAW;IACX,WAAW;IACX,KAAK;IACL,OAAO;CACR,CAAC,CAAA;AAEF,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,IAK3C;IACC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,8BAA8B,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAEpE,oEAAoE;IACpE,oEAAoE;IACpE,8DAA8D;IAC9D,kEAAkE;IAClE,qBAAqB;IACrB,IACE,GAAG,CAAC,QAAQ,KAAK,OAAO;QACxB,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EACnD,CAAC;QACD,MAAM,IAAI,KAAK,CACb,sDAAsD,GAAG,CAAC,IAAI,wGAAwG,CACvK,CAAA;IACH,CAAC;IAED,mEAAmE;IACnE,sEAAsE;IACtE,mEAAmE;IACnE,0EAA0E;IAC1E,IAAI,QAAkB,CAAA;IACtB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC1B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,IAAI,CAAC,SAAS,EAAE;aAC1C;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACzD,CAAC;YACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,0BAA0B,CAAC;SACxD,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,EAAE,CAAC;YAC7F,MAAM,IAAI,KAAK,CACb,oDAAoD,0BAA0B,GAAG,IAAI,kBAAkB,IAAI,CAAC,UAAU,gBAAgB,CACvI,CAAA;QACH,CAAC;QACD,MAAM,KAAK,CAAA;IACb,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,MAAM,QAAQ;aAC1B,IAAI,EAAE;aACN,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAA;QAClD,MAAM,OAAO,GACV,MAA+B,CAAC,OAAO;YACxC,yCAAyC,QAAQ,CAAC,MAAM,GAAG,CAAA;QAC7D,MAAM,GAAG,GAAG,IAAI,KAAK,CAAC,OAAO,CAAkD,CAAA;QAC/E,GAAG,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAA;QAC5B,GAAG,CAAC,OAAO,GAAI,MAA4B,CAAC,IAAI,CAAA;QAChD,MAAM,GAAG,CAAA;IACX,CAAC;IACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;AAC3D,CAAC"}