npm - @nextera.one/axis-server-sdk - Versions diffs - 1.3.0 → 1.4.0 - Mend

@nextera.one/axis-server-sdk 1.3.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/decorators/handler.decorator.ts","../src/decorators/intent.decorator.ts","../src/decorators/intent-body.decorator.ts","../src/decorators/intent-sensors.decorator.ts","../src/decorators/tlv-field.decorator.ts","../src/decorators/dto-schema.util.ts","../src/core/tlv.ts","../src/base/axis-tlv.dto.ts","../src/base/axis-id.dto.ts","../src/base/axis-partial-type.ts","../src/base/axis-response.dto.ts","../src/engine/intent.router.ts","../src/sensor/axis-sensor.ts","../src/core/constants.ts","../src/core/varint.ts","../src/core/signature.ts","../src/core/axis-bin.ts","../src/codec/ats1.constants.ts","../src/codec/ats1.ts","../src/codec/ats1.passkey.schemas.ts","../src/codec/tlv.encode.ts","../src/codec/axis1.encode.ts","../src/codec/axis1.signing.ts","../src/crypto/b64url.ts","../src/crypto/canonical-json.ts","../src/contract/execution-meter.ts","../src/contract/contract.interface.ts","../src/types/tlv.ts","../src/types/frame.ts","../src/types/packet.ts","../src/security/scopes.ts","../src/security/capabilities.ts","../src/risk/index.ts","../src/core/opcodes.ts","../src/core/receipt.ts","../src/core/intent-sensitivity.ts","../src/core/timeouts.ts","../src/core/frame-validator.ts","../src/upload/axis-files.handlers.ts","../src/upload/upload.tokens.ts","../src/upload/disk-upload-file.store.ts","../src/core/index.ts","../src/core/axis-error.ts","../src/crypto/index.ts","../src/crypto/proof-verification.service.ts","../src/decorators/index.ts","../src/decorators/axis-request.decorator.ts","../src/decorators/sensor.decorator.ts","../src/engine/index.ts","../src/engine/axis-observation.ts","../src/engine/handler-discovery.service.ts","../src/engine/sensor-bands.ts","../src/engine/sensor-discovery.service.ts","../src/engine/registry/sensor.registry.ts","../src/loom/index.ts","../src/loom/loom.types.ts","../src/schemas/index.ts","../src/schemas/axis-schemas.ts","../src/schemas/body-profile.validator.ts","../src/security/index.ts","../src/sensors/index.ts","../src/sensors/access-profile-resolver.sensor.ts","../src/sensors/body-budget.sensor.ts","../src/sensors/capability-enforcement.sensor.ts","../src/sensors/chunk-hash.sensor.ts","../src/sensors/entropy.sensor.ts","../src/sensors/execution-timeout.sensor.ts","../src/sensors/frame-budget.sensor.ts","../src/sensors/frame-header-sanity.sensor.ts","../src/sensors/header-tlv-limit.sensor.ts","../src/sensors/intent-allowlist.sensor.ts","../src/sensors/intent-registry.sensor.ts","../src/sensors/proof-presence.sensor.ts","../src/sensors/protocol-strict.sensor.ts","../src/sensors/receipt-policy.sensor.ts","../src/sensors/schema-validation.sensor.ts","../src/sensors/stream-scope.sensor.ts","../src/sensors/tlv-parse.sensor.ts","../src/sensors/varint-hardening.sensor.ts","../src/utils/index.ts","../src/utils/axis-tlv-codec.ts"],"sourcesContent":["// Decorators\nexport { Handler, HANDLER_METADATA_KEY } from './decorators/handler.decorator';\nexport {\n Intent,\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentRoute,\n IntentOptions,\n IntentTlvField,\n IntentKind,\n} from './decorators/intent.decorator';\nexport {\n IntentBody,\n INTENT_BODY_KEY,\n} from './decorators/intent-body.decorator';\nexport {\n IntentSensors,\n INTENT_SENSORS_KEY,\n} from './decorators/intent-sensors.decorator';\n\n// TLV Field Decorators\nexport {\n TlvField,\n TlvValidate,\n TlvUtf8Pattern,\n TlvMinLen,\n TlvEnum,\n TlvRange,\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n} from './decorators/tlv-field.decorator';\nexport type {\n TlvFieldKind,\n TlvFieldOptions,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from './decorators/tlv-field.decorator';\n\n// DTO Schema Utilities\nexport {\n extractDtoSchema,\n buildDtoDecoder,\n} from './decorators/dto-schema.util';\nexport type { DtoSchema } from './decorators/dto-schema.util';\n\n// Base DTO Classes\nexport { AxisTlvDto } from './base/axis-tlv.dto';\nexport { AxisIdDto } from './base/axis-id.dto';\nexport { AxisPartialType } from './base/axis-partial-type';\nexport {\n AxisResponseDto,\n RESPONSE_TAG_ID,\n RESPONSE_TAG_CREATED_AT,\n RESPONSE_TAG_UPDATED_AT,\n RESPONSE_TAG_CREATED_BY,\n RESPONSE_TAG_UPDATED_BY,\n} from './base/axis-response.dto';\n\n// Engine\nexport { IntentRouter, AxisEffect } from './engine/intent.router';\n\n// Core Protocol\nexport * from './core/constants';\nexport * from './core/varint';\nexport * from './core/tlv';\nexport * from './core/signature';\nexport {\n AxisFrameZ,\n decodeFrame,\n encodeFrame,\n getSignTarget,\n} from './core/axis-bin';\nexport type { AxisFrame, AxisBinaryFrame } from './core/axis-bin';\n\n// Codec\nexport * from './codec/ats1.constants';\nexport * from './codec/ats1.passkey.schemas';\nexport * as Ats1Codec from './codec/ats1';\nexport * from './codec/axis1.encode';\nexport * from './codec/axis1.signing';\nexport * from './codec/tlv.encode';\n\n// Crypto Utilities\nexport * from './crypto/b64url';\nexport * from './crypto/canonical-json';\nexport type {\n AxisAlg,\n AxisCapsule,\n CapsuleMode,\n KeyStatus,\n AxisSig,\n AxisPacket,\n AxisCapsuleConstraints,\n AxisCapsulePayload,\n} from './crypto/types';\n\n// Contract Utilities\nexport * from './contract/execution-meter';\nexport * from './contract/contract.interface';\n\n// Packet and Sensor Types\nexport { Axis1DecodedFrame, decodeAxis1Frame } from './types/frame';\nexport {\n AxisPacket as AxisBinaryPacket,\n T as AxisPacketTags,\n buildPacket,\n} from './types/packet';\nexport type {\n AxisObservedContext,\n AxisRequestContext,\n} from './types/axis-frame.types';\nexport type { TLV as AxisTlvType } from './core/tlv';\nexport {\n Decision,\n normalizeSensorDecision,\n SensorDecisions,\n} from './sensor/axis-sensor';\nexport type {\n AxisSensor,\n AxisSensorInit,\n AxisPreSensor,\n AxisPostSensor,\n SensorPhaseMetadata,\n SensorInput,\n SensorDecision,\n SensorMinifiedDecision,\n} from './sensor/axis-sensor';\n\n// Interfaces\nexport {\n AxisHandler,\n AxisHandlerInit,\n} from './interfaces/axis-handler.interface';\nexport { AxisCrudHandler } from './interfaces/axis-crud-handler.interface';\n\n// Security\nexport * from './security/scopes';\nexport * from './security/capabilities';\n\n// Risk\nexport * from './risk/index';\n\n// Core: Opcode Registry\nexport * from './core/opcodes';\n\n// Core: Receipt Hash\nexport * from './core/receipt';\n\n// Core: Intent Sensitivity\nexport * from './core/intent-sensitivity';\n\n// Core: Timeouts\nexport * from './core/timeouts';\n\n// Types: Intent Definitions\nexport type { IntentDefinition } from './types/intent-definition';\n\n// Frame Validation\nexport { validateFrameShape, isTimestampValid } from './core/frame-validator';\n\n// Types: JSON-level Frame Types\nexport type {\n AxisFrame as AxisJsonFrame,\n AxisResponse as AxisJsonResponse,\n AxisSig as AxisJsonSig,\n AxisAlg as AxisJsonAlg,\n} from './types/axis-frame.types';\n\n// Upload handlers and stores\nexport {\n AxisFilesDownloadHandler,\n AxisFilesFinalizeHandler,\n} from './upload/axis-files.handlers';\nexport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from './upload/upload.tokens';\nexport type {\n UploadFileStore,\n UploadFileStat,\n UploadReceiptSigner,\n UploadSessionRecord,\n UploadSessionStatus,\n UploadSessionStore,\n} from './upload/upload.types';\nexport { DiskUploadFileStore } from './upload/disk-upload-file.store';\n\n// Types\n\n// Grouped namespaces for the backend package merge surface\nexport * as core from './core';\nexport * as crypto from './crypto';\nexport * as decorators from './decorators';\nexport * as engine from './engine';\nexport * as loom from './loom';\nexport * as schemas from './schemas';\nexport * as security from './security';\nexport * as sensors from './sensors';\nexport * as utils from './utils';\n","import { Injectable, SetMetadata } from '@nestjs/common';\n\nexport const HANDLER_METADATA_KEY = 'axis:handler';\n\n/*\n Decorator to mark a class as an Axis Handler.\n * Handlers are responsible for processing intents or specific logic\n * for Axis modules.\n /\nexport function Handler(intent?: string): ClassDecorator {\n return (target: Function) => {\n SetMetadata(HANDLER_METADATA_KEY, { intent })(target);\n Injectable()(target as any);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_METADATA_KEY = 'axis:intent';\nexport const INTENT_ROUTES_KEY = 'axis:intent_routes';\n\n/\n CRUD + action classification for an intent.\n /\nexport type IntentKind = 'create' \| 'read' \| 'update' \| 'delete' \| 'action';\n\n/\n Describes a single TLV field expected by an intent.\n * Used by SchemaValidationSensor to enforce field contracts.\n /\nexport interface IntentTlvField {\n /* Human-readable field name (used in error messages) /\n name: string;\n /* TLV tag number /\n tag: number;\n /* Value type for type-specific validation /\n kind: 'utf8' \| 'u64' \| 'bytes' \| 'bytes16' \| 'bool' \| 'obj' \| 'arr';\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\nexport interface IntentRoute {\n action: string;\n methodName: string \| symbol;\n absolute?: boolean;\n frame?: boolean;\n kind?: IntentKind;\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n tlv?: IntentTlvField[];\n dto?: Function;\n}\n\nexport interface IntentOptions {\n /* Operation classification for this intent /\n kind?: IntentKind;\n /* If true, the action is the full intent name (not prefixed with handler name) /\n absolute?: boolean;\n /* If true, register as { handle: fn } for frame-based handlers /\n frame?: boolean;\n /\n How the body is encoded. Drives TLVParseSensor behavior:\n * - `TLV_MAP` — flat TLV map (canonical ordering enforced)\n * - `RAW` — raw bytes, skip TLV body validation\n * - `TLV_OBJ` — nested TLV object\n * - `TLV_ARR` — TLV array container\n /\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n /* Inline TLV field definitions for schema validation /\n tlv?: IntentTlvField[];\n /* DTO class decorated with @TlvField for schema extraction /\n dto?: Function;\n}\n\n/\n Marks a method as an intent handler.\n \n Stores both per-method metadata (INTENT_METADATA_KEY) and\n * route-collection metadata (INTENT_ROUTES_KEY) for backward compatibility.\n \n @example\n * ```ts\n * @Handler('axis.actor_keys')\n * class MyHandler {\n * @Intent('create', { kind: 'create', dto: CreateDto })\n * async create(body: Uint8Array) { ... }\n \n @Intent('axis.auth.login', { absolute: true, kind: 'action', dto: LoginDto })\n * async login(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function Intent(\n action: string,\n options?: IntentOptions,\n): MethodDecorator {\n return (target, propertyKey) => {\n // Per-method metadata (backend-style)\n Reflect.defineMetadata(\n INTENT_METADATA_KEY,\n { intent: action, ...options },\n target,\n propertyKey,\n );\n\n // Route-collection metadata (SDK-style, backward compat)\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, target.constructor) \|\| [];\n routes.push({\n action,\n methodName: propertyKey,\n absolute: options?.absolute,\n frame: options?.frame,\n kind: options?.kind,\n bodyProfile: options?.bodyProfile,\n tlv: options?.tlv,\n dto: options?.dto,\n });\n Reflect.defineMetadata(INTENT_ROUTES_KEY, routes, target.constructor);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_BODY_KEY = 'axis:intent:body';\n\n/\n @IntentBody — Auto-decode the raw Uint8Array body before the handler runs.\n \n The router reads this metadata and applies the decoder so handlers can\n * receive a parsed payload instead of raw bytes.\n /\nexport function IntentBody(decoder: (buf: Buffer) => any): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_BODY_KEY, decoder, target, propertyKey);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_SENSORS_KEY = 'axis:intent:sensors';\n\n/\n @IntentSensors — Attach additional sensors that must pass before the\n * annotated intent handler executes.\n /\nexport function IntentSensors(sensors: Function[]): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_SENSORS_KEY, sensors, target, propertyKey);\n };\n}\n","import 'reflect-metadata';\n\nexport const TLV_FIELDS_KEY = 'axis:tlv:fields';\nexport const TLV_VALIDATORS_KEY = 'axis:tlv:validators';\n\nexport type TlvFieldKind =\n \| 'utf8'\n \| 'u64'\n \| 'bytes'\n \| 'bytes16'\n \| 'bool'\n \| 'obj'\n \| 'arr';\n\nexport interface TlvFieldOptions {\n /* Value type for type-specific validation /\n kind: TlvFieldKind;\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\n/* Stored per-property metadata from @TlvField /\nexport interface TlvFieldMeta {\n /* Property name on the DTO class /\n property: string;\n /* TLV tag number /\n tag: number;\n /* Field options /\n options: TlvFieldOptions;\n}\n\n/\n Custom validation function applied via @TlvValidate.\n * Receives the raw TLV value bytes and the property name.\n * Return null/undefined to pass, or a string error message to deny.\n /\nexport type TlvValidatorFn = (\n value: Uint8Array,\n property: string,\n) => string \| null \| undefined;\n\n/* Stored per-property validator from @TlvValidate /\nexport interface TlvValidatorMeta {\n property: string;\n tag: number;\n validators: TlvValidatorFn[];\n}\n\n/\n @TlvField — Declare a TLV field contract on a DTO property.\n \n Applied to properties of a class passed to `@Intent({ dto: MyDto })`.\n * The schema is extracted at bootstrap and forwarded to SchemaValidationSensor.\n \n @example\n * ```typescript\n * class LoginDto {\n * @TlvField(100, { kind: 'utf8', required: true, maxLen: 256 })\n * email: string;\n \n @TlvField(105, { kind: 'bytes16', required: true })\n * deviceId: Buffer;\n \n @TlvField(103, { kind: 'bool' })\n * remember?: boolean;\n * }\n * ```\n /\nexport function TlvField(\n tag: number,\n options: TlvFieldOptions,\n): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, target.constructor) \|\| [];\n\n existing.push({\n property: String(propertyKey),\n tag,\n options,\n });\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, existing, target.constructor);\n };\n}\n\n/\n @TlvValidate — Attach custom validation logic to a TLV field.\n \n Runs after standard type/size checks. The validator receives raw bytes\n * and must return null (pass) or an error string (deny).\n \n Multiple @TlvValidate decorators can be stacked on the same property.\n /\nexport function TlvValidate(validator: TlvValidatorFn): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, target.constructor) \|\| [];\n\n const prop = String(propertyKey);\n let entry = existing.find((e) => e.property === prop);\n\n if (!entry) {\n entry = { property: prop, tag: 0, validators: [] };\n existing.push(entry);\n }\n\n entry.validators.push(validator);\n\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, existing, target.constructor);\n };\n}\n\n// ─── Built-in Validators (composable with @TlvValidate) ───\n\n/\n @TlvUtf8Pattern — Validate a UTF-8 field against a regex.\n /\nexport function TlvUtf8Pattern(\n pattern: RegExp,\n message?: string,\n): PropertyDecorator {\n return TlvValidate((val, prop) => {\n const str = new TextDecoder().decode(val);\n return pattern.test(str)\n ? null\n : message \|\| `${prop}: failed pattern check`;\n });\n}\n\n/\n @TlvMinLen — Minimum byte length for a field value.\n /\nexport function TlvMinLen(min: number, message?: string): PropertyDecorator {\n return TlvValidate((val, prop) => {\n return val.length >= min\n ? null\n : message \|\| `${prop}: too short (${val.length} < ${min})`;\n });\n}\n\n/\n @TlvEnum — UTF-8 field must be one of the listed values.\n /\nexport function TlvEnum(\n allowed: string[],\n message?: string,\n): PropertyDecorator {\n const set = new Set(allowed);\n return TlvValidate((val, prop) => {\n const str = new TextDecoder().decode(val);\n return set.has(str)\n ? null\n : message \|\| `${prop}: must be one of [${allowed.join(', ')}]`;\n });\n}\n\n/\n @TlvRange — Numeric u64 field must be within [min, max].\n /\nexport function TlvRange(\n min: bigint,\n max: bigint,\n message?: string,\n): PropertyDecorator {\n return TlvValidate((val, prop) => {\n if (val.length !== 8) return `${prop}: u64 must be 8 bytes`;\n let n = 0n;\n for (const b of val) n = (n << 8n) \| BigInt(b);\n if (n < min \|\| n > max) {\n return message \|\| `${prop}: value ${n} out of range [${min}, ${max}]`;\n }\n return null;\n });\n}\n","import 'reflect-metadata';\n\nimport type { IntentTlvField } from './intent.decorator';\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from './tlv-field.decorator';\nimport { decodeTLVs } from '../core/tlv';\n\n/* Extracted schema from a DTO class — fields + optional validators /\nexport interface DtoSchema {\n fields: IntentTlvField[];\n validators: Map<number, TlvValidatorFn[]>;\n}\n\n/\n Extracts TLV field definitions and validators from a DTO class\n * decorated with @TlvField and @TlvValidate.\n /\nexport function extractDtoSchema(dto: Function): DtoSchema {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — nothing to validate`,\n );\n }\n\n const tagByProp = new Map<string, number>();\n const fields: IntentTlvField[] = fieldMetas.map((m) => {\n tagByProp.set(m.property, m.tag);\n return {\n name: m.property,\n tag: m.tag,\n kind: m.options.kind,\n required: m.options.required,\n maxLen: m.options.maxLen,\n max: m.options.max,\n scope: m.options.scope,\n };\n });\n\n const validatorMetas: TlvValidatorMeta[] =\n Reflect.getMetadata(TLV_VALIDATORS_KEY, dto) \|\| [];\n\n const validators = new Map<number, TlvValidatorFn[]>();\n for (const vm of validatorMetas) {\n const tag = tagByProp.get(vm.property);\n if (tag === undefined) {\n throw new Error(\n `@TlvValidate on ${dto.name}.${vm.property} but no @TlvField found for that property`,\n );\n }\n vm.tag = tag;\n validators.set(tag, vm.validators);\n }\n\n return { fields, validators };\n}\n\n/\n Builds a decoder function for a DTO class.\n \n The returned function takes raw TLV body bytes and returns a plain object\n * with property names as keys and decoded values matching the DTO shape.\n \n Value decoding by kind:\n * - utf8 → string\n * - u64 → bigint\n * - bytes / bytes16 → Uint8Array\n * - bool → boolean (0x00 = false, anything else = true)\n * - obj → JSON.parse of utf8\n * - arr → JSON.parse of utf8\n /\nexport function buildDtoDecoder(\n dto: Function,\n): (bodyBytes: Buffer) => Record<string, any> {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — cannot build decoder`,\n );\n }\n\n const tagMap = new Map<number, { property: string; kind: string }>();\n for (const m of fieldMetas) {\n tagMap.set(m.tag, { property: m.property, kind: m.options.kind });\n }\n\n return (bodyBytes: Buffer): Record<string, any> => {\n const tlvMap = decodeTLVs(new Uint8Array(bodyBytes));\n const result: Record<string, any> = {};\n\n for (const [tag, raw] of tlvMap) {\n const meta = tagMap.get(tag);\n if (!meta) continue;\n\n switch (meta.kind) {\n case 'utf8':\n result[meta.property] = new TextDecoder().decode(raw);\n break;\n case 'u64': {\n let n = 0n;\n for (let i = 0; i < raw.length; i++) {\n n = (n << 8n) \| BigInt(raw[i]);\n }\n result[meta.property] = n;\n break;\n }\n case 'bytes':\n case 'bytes16':\n result[meta.property] = raw;\n break;\n case 'bool':\n result[meta.property] = raw.length > 0 && raw[0] !== 0;\n break;\n case 'obj':\n case 'arr':\n result[meta.property] = JSON.parse(new TextDecoder().decode(raw));\n break;\n default:\n result[meta.property] = raw;\n }\n }\n\n return result;\n };\n}\n","export {\n TLV, encodeTLVs, decodeTLVs, decodeTLVsList, decodeObject, decodeArray,\n} from '@nextera.one/axis-protocol';\n","/\n AxisTlvDto — Base class for all TLV-decoded DTO classes.\n \n Any DTO decorated with @TlvField that is passed to @Intent({ dto })\n * should extend this class. This gives the CRUD handler interface\n * a type-safe union: `Uint8Array \| AxisTlvDto`.\n \n The base is intentionally empty — it serves as a type marker.\n /\nexport abstract class AxisTlvDto {}\n","import { TlvField, TlvMinLen } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\nexport class AxisIdDto extends AxisTlvDto {\n @TlvField(1, { kind: 'utf8', required: true, maxLen: 128 })\n @TlvMinLen(1, 'id must not be empty')\n id!: string;\n}\n","import 'reflect-metadata';\n\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorMeta,\n} from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n AxisPartialType — Creates a DTO class where all TLV fields are optional.\n \n Copies TLV metadata (`axis:tlv:fields` + `axis:tlv:validators`)\n * and sets `required: false` on every field.\n \n TLV naturally supports partial payloads — only fields present in the\n * binary body get decoded. This utility makes the schema/sensor layer\n * aware that missing fields are acceptable for update operations.\n \n @example\n * ```typescript\n * export class UpdateBlocklistDto extends AxisPartialType(CreateBlocklistDto) {}\n * ```\n /\nexport function AxisPartialType<T extends new (...args: any[]) => AxisTlvDto>(\n BaseDto: T,\n): new (...args: any[]) => Partial<InstanceType<T>> & AxisTlvDto {\n class PartialDto extends (BaseDto as any) {}\n\n const fields: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, BaseDto) \|\| [];\n\n const partialFields: TlvFieldMeta[] = fields.map((f) => ({\n property: f.property,\n tag: f.tag,\n options: { ...f.options, required: false },\n }));\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, partialFields, PartialDto);\n\n const validators: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, BaseDto) \|\| [];\n\n if (validators.length > 0) {\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, [...validators], PartialDto);\n }\n\n Object.defineProperty(PartialDto, 'name', {\n value: `Partial${BaseDto.name}`,\n });\n\n return PartialDto as any;\n}\n","import { TlvField } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n Reserved TLV body tags for server-generated response fields.\n \n Tags 1–10 are reserved for system/audit fields in response bodies.\n * Entity-specific fields start at tag 100+.\n /\nexport const RESPONSE_TAG_ID = 1;\nexport const RESPONSE_TAG_CREATED_AT = 2;\nexport const RESPONSE_TAG_UPDATED_AT = 3;\nexport const RESPONSE_TAG_CREATED_BY = 4;\nexport const RESPONSE_TAG_UPDATED_BY = 5;\n\n/\n AxisResponseDto — Base class for outbound TLV response bodies.\n \n Server-generated audit fields that the backend appends to every\n * entity response. These are NEVER sent by the client — they flow\n * server → client only.\n \n Timestamps are u64 Unix milliseconds (same as TLV_TS in headers).\n /\nexport abstract class AxisResponseDto extends AxisTlvDto {\n @TlvField(RESPONSE_TAG_ID, { kind: 'utf8' })\n id?: string;\n\n @TlvField(RESPONSE_TAG_CREATED_AT, { kind: 'u64' })\n created_at?: bigint;\n\n @TlvField(RESPONSE_TAG_UPDATED_AT, { kind: 'u64' })\n updated_at?: bigint;\n\n @TlvField(RESPONSE_TAG_CREATED_BY, { kind: 'utf8' })\n created_by?: string;\n\n @TlvField(RESPONSE_TAG_UPDATED_BY, { kind: 'utf8' })\n updated_by?: string;\n}\n","import { Injectable, Logger, Optional } from '@nestjs/common';\nimport { ModuleRef } from '@nestjs/core';\n\nimport { AxisFrame } from '../core/axis-bin';\nimport { HANDLER_METADATA_KEY } from '../decorators/handler.decorator';\nimport {\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentKind,\n IntentRoute,\n IntentTlvField,\n} from '../decorators/intent.decorator';\nimport { INTENT_BODY_KEY } from '../decorators/intent-body.decorator';\nimport { INTENT_SENSORS_KEY } from '../decorators/intent-sensors.decorator';\nimport {\n buildDtoDecoder,\n extractDtoSchema,\n} from '../decorators/dto-schema.util';\nimport type { TlvValidatorFn } from '../decorators/tlv-field.decorator';\nimport {\n AxisSensor,\n SensorInput,\n normalizeSensorDecision,\n} from '../sensor/axis-sensor';\n\nexport interface IntentSchema {\n intent: string;\n version: number;\n bodyProfile: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n fields: Array<{\n name: string;\n tlv: number;\n kind: IntentTlvField['kind'];\n required?: boolean;\n maxLen?: number;\n max?: string;\n scope?: 'header' \| 'body';\n }>;\n}\n\n/\n Represents the outcome of an AXIS intent execution.\n \n @interface AxisEffect\n /\nexport interface AxisEffect {\n /* Whether the intent was processed successfully at the application level /\n ok: boolean;\n /* A descriptive string classifier for the result (e.g., 'FILE_CREATED', 'PONG') /\n effect: string;\n /* Optional binary payload (body) to be returned to the requester /\n body?: Uint8Array;\n /* Optional custom TLV headers to be included in the response frame /\n headers?: Map<number, Uint8Array>;\n /* Optional metadata for internal logging or audit (not sent to client) /\n metadata?: any;\n}\n\n/\n IntentRouter\n \n The central dispatching mechanism of the AXIS backend.\n * Maps binary intents (identified by their name in the header) to specialized handlers.\n \n Features:\n * 1. Built-in Fast Path: Handles high-frequency system intents (ping, time, echo) directly.\n * 2. Dynamic Handler Registration: Allows modules to register handlers at runtime.\n * 3. Decorator-driven Registration: Uses {@link registerHandler} to auto-register `@Intent`-decorated methods.\n * 4. Polymorphic Handlers: Supports both raw function handlers and object-based `{ handle }` handlers.\n \n @class IntentRouter\n /\n@Injectable()\nexport class IntentRouter {\n private readonly logger = new Logger(IntentRouter.name);\n\n /* Intents handled inline in route() — not in `handlers` map /\n private static readonly BUILTIN_INTENTS = new Set([\n 'system.ping',\n 'public.ping',\n 'system.time',\n 'system.echo',\n 'INTENT.EXEC',\n 'axis.intent.exec',\n ]);\n\n /* Internal registry of dynamic intent handlers /\n private handlers = new Map<string, any>();\n\n /* Per-intent sensor classes (resolved at call time) /\n private intentSensors = new Map<string, Function[]>();\n\n /* Per-intent body decoders /\n private intentDecoders = new Map<string, (buf: Buffer) => any>();\n\n /* Per-intent TLV schemas /\n private intentSchemas = new Map<string, IntentSchema>();\n\n /* Per-intent custom validators /\n private intentValidators = new Map<string, Map<number, TlvValidatorFn[]>>();\n\n /* Per-intent operation kind /\n private intentKinds = new Map<string, IntentKind>();\n\n constructor(@Optional() private readonly moduleRef?: ModuleRef) {}\n\n getSchema(intent: string): IntentSchema \| undefined {\n return this.intentSchemas.get(intent);\n }\n\n getValidators(intent: string): Map<number, TlvValidatorFn[]> \| undefined {\n return this.intentValidators.get(intent);\n }\n\n has(intent: string): boolean {\n return (\n this.handlers.has(intent) \|\| IntentRouter.BUILTIN_INTENTS.has(intent)\n );\n }\n\n getRegisteredIntents(): string[] {\n return [...IntentRouter.BUILTIN_INTENTS, ...this.handlers.keys()];\n }\n\n getIntentEntry(intent: string): {\n schema?: IntentSchema;\n validators?: Map<number, TlvValidatorFn[]>;\n hasSensors: boolean;\n builtin: boolean;\n kind?: IntentKind;\n } \| null {\n if (!this.has(intent)) return null;\n return {\n schema: this.intentSchemas.get(intent),\n validators: this.intentValidators.get(intent),\n hasSensors: this.intentSensors.has(intent),\n builtin: IntentRouter.BUILTIN_INTENTS.has(intent),\n kind: this.intentKinds.get(intent),\n };\n }\n\n /\n Registers a handler for a specific intent.\n * Handlers can be functions: `(body, headers) => Promise<Uint8Array \| AxisEffect>`\n * Or objects with a method: `handle(frame: AxisFrame) => Promise<AxisEffect>`\n \n @param {string} intent - The unique intent identifier (e.g., 'axis.vault.create')\n * @param {any} handler - The handler function or object\n /\n register(intent: string, handler: any) {\n this.handlers.set(intent, handler);\n }\n\n /\n Automatically registers all `@Intent`-decorated methods from a handler instance.\n \n Reads the handler prefix from `@Handler` metadata (or falls back to `instance.name`),\n * then registers each `@Intent`-decorated method accordingly.\n \n @param {any} instance - The handler instance with `@Intent`-decorated methods\n /\n registerHandler(instance: any) {\n const handlerMeta = Reflect.getMetadata(\n HANDLER_METADATA_KEY,\n instance.constructor,\n );\n const prefix: string \| undefined = handlerMeta?.intent \|\| instance.name;\n\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, instance.constructor) \|\| [];\n\n for (const route of routes) {\n const intentName = route.absolute\n ? route.action\n : `${prefix}.${route.action}`;\n const fn = instance[route.methodName].bind(instance);\n\n if (route.frame) {\n this.register(intentName, { handle: fn });\n } else {\n this.register(intentName, fn);\n }\n\n this.registerIntentMeta(intentName, Object.getPrototypeOf(instance), String(route.methodName));\n }\n\n const proto = Object.getPrototypeOf(instance);\n for (const key of Object.getOwnPropertyNames(proto)) {\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, key);\n if (!meta?.intent) continue;\n\n if (!this.handlers.has(meta.intent)) {\n this.register(meta.intent, (instance as any)[key].bind(instance));\n }\n\n this.registerIntentMeta(meta.intent, proto, key);\n }\n }\n\n /\n Routes a decoded AXIS frame to the appropriate handler.\n \n Precedence:\n * 1. System Built-ins (`system.ping`, `public.ping`, `system.time`, `system.echo`)\n * 2. Meta-intent execution (`INTENT.EXEC` / `axis.intent.exec`)\n * 3. Dynamically registered handlers from modules.\n \n @param {AxisFrame} frame - The validated and decoded binary frame\n * @returns {Promise<AxisEffect>} The resulting effect of the execution\n * @throws {Error} If the intent header is missing or no handler is registered\n /\n async route(frame: AxisFrame): Promise<AxisEffect> {\n const start = process.hrtime();\n let intent = 'unknown';\n\n try {\n // Extract intent from header TLV (tag 3 = TLV_INTENT)\n const intentBytes = frame.headers.get(3);\n if (!intentBytes) throw new Error('Missing intent');\n intent = new TextDecoder().decode(intentBytes);\n\n let effect: AxisEffect;\n\n if (intent === 'system.ping' \|\| intent === 'public.ping') {\n this.logger.debug('PING received');\n effect = {\n ok: true,\n effect: 'pong',\n headers: new Map([\n [100, new TextEncoder().encode('AXIS_BACKEND_V1')],\n ]),\n body: new TextEncoder().encode(\n JSON.stringify({\n status: 'ok',\n timestamp: new Date().toISOString(),\n version: '1.0.0',\n }),\n ),\n };\n } else if (intent === 'system.time') {\n const ts = Date.now().toString();\n effect = {\n ok: true,\n effect: 'time',\n body: new TextEncoder().encode(\n JSON.stringify({\n ts,\n iso: new Date().toISOString(),\n }),\n ),\n };\n } else if (intent === 'system.echo') {\n effect = {\n ok: true,\n effect: 'echo',\n body: frame.body,\n };\n } else if (intent === 'INTENT.EXEC' \|\| intent === 'axis.intent.exec') {\n // Meta-intent: Unwrap and execute the inner intent\n try {\n const bodyJSON = JSON.parse(new TextDecoder().decode(frame.body));\n const innerIntent = bodyJSON.intent;\n const innerArgs = bodyJSON.args \|\| {};\n\n if (!innerIntent) {\n throw new Error('INTENT.EXEC missing inner intent');\n }\n\n this.logger.debug(`EXEC: routing to inner intent '${innerIntent}'`);\n\n const innerFrame: AxisFrame = {\n ...frame,\n headers: new Map(frame.headers),\n body: new TextEncoder().encode(JSON.stringify(innerArgs)),\n };\n innerFrame.headers.set(3, new TextEncoder().encode(innerIntent));\n\n return await this.route(innerFrame);\n } catch (e: any) {\n throw new Error(`INTENT.EXEC unwrapping failed: ${e.message}`);\n }\n } else {\n const handler = this.handlers.get(intent);\n if (!handler) {\n throw new Error(`Intent not found: ${intent}`);\n }\n\n const sensorClasses = this.intentSensors.get(intent);\n if (sensorClasses && sensorClasses.length > 0) {\n await this.runIntentSensors(sensorClasses, intent, frame);\n }\n\n const decoder = this.intentDecoders.get(intent);\n let decodedBody: any = frame.body;\n if (decoder) {\n try {\n decodedBody = decoder(Buffer.from(frame.body));\n } catch (decodeErr: any) {\n throw new Error(\n `IntentBody decode failed for ${intent}: ${decodeErr.message}`,\n );\n }\n }\n\n if (typeof handler === 'function') {\n const resultBody = decoder\n ? await handler(decodedBody, frame.headers)\n : await handler(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: 'complete',\n body: resultBody,\n };\n } else {\n if (typeof (handler as any).handle === 'function') {\n effect = await (handler as any).handle(frame);\n } else if (typeof (handler as any).execute === 'function') {\n const bodyRes = decoder\n ? await (handler as any).execute(decodedBody, frame.headers)\n : await (handler as any).execute(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: 'complete',\n body: bodyRes,\n };\n } else {\n throw new Error(\n `Handler for ${intent} does not implement handle or execute`,\n );\n }\n }\n }\n\n this.logIntent(intent, start, true);\n return effect;\n } catch (e: any) {\n this.logIntent(intent, start, false, e.message);\n throw e;\n }\n }\n\n private logIntent(\n intent: string,\n start: [number, number],\n ok: boolean,\n error?: string,\n ) {\n const diff = process.hrtime(start);\n const ms = (diff[0] 1e3 + diff[1] / 1e6).toFixed(2);\n if (ok) {\n this.logger.debug(`${intent} completed in ${ms}ms`);\n } else {\n this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);\n }\n }\n\n registerIntentMeta(intent: string, proto: object, methodName: string): void {\n const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);\n if (decoder) {\n this.intentDecoders.set(intent, decoder);\n }\n\n const sensors = Reflect.getMetadata(INTENT_SENSORS_KEY, proto, methodName);\n if (sensors && Array.isArray(sensors) && sensors.length > 0) {\n this.intentSensors.set(intent, sensors);\n }\n\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);\n if (meta) {\n this.storeSchema(meta);\n if (meta.kind) {\n this.intentKinds.set(intent, meta.kind);\n }\n }\n }\n\n private async runIntentSensors(\n sensorClasses: Function[],\n intent: string,\n frame: AxisFrame,\n ): Promise<void> {\n if (!this.moduleRef) return;\n\n for (const SensorClass of sensorClasses) {\n let sensor: AxisSensor;\n try {\n sensor = this.moduleRef.get(SensorClass as any, { strict: false });\n } catch {\n this.logger.warn(\n `@IntentSensors: could not resolve ${SensorClass.name} for ${intent}`,\n );\n continue;\n }\n\n const sensorInput: SensorInput = {\n rawBytes: frame.body,\n intent,\n body: frame.body,\n headerTLVs: frame.headers as any,\n metadata: { phase: 'intent', intent },\n };\n\n if (sensor.supports && !sensor.supports(sensorInput)) continue;\n\n const decision = normalizeSensorDecision(await sensor.run(sensorInput));\n if (!decision.allow) {\n const reason = decision.reasons[0] \|\| `${sensor.name}:DENIED`;\n this.logger.warn(\n `Intent sensor ${sensor.name} denied ${intent}: ${reason}`,\n );\n throw new Error(`SENSOR_DENY:${reason}`);\n }\n }\n }\n\n private storeSchema(meta: {\n intent: string;\n tlv?: IntentTlvField[];\n dto?: Function;\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n kind?: IntentKind;\n }): void {\n if (meta.dto) {\n if (meta.tlv && meta.tlv.length > 0) {\n this.logger.warn(\n `${meta.intent}: both 'dto' and 'tlv' specified - using dto, ignoring tlv`,\n );\n }\n\n const extracted = extractDtoSchema(meta.dto);\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| 'TLV_MAP',\n fields: extracted.fields.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n\n if (extracted.validators.size > 0) {\n this.intentValidators.set(meta.intent, extracted.validators);\n }\n\n if (!this.intentDecoders.has(meta.intent)) {\n this.intentDecoders.set(meta.intent, buildDtoDecoder(meta.dto));\n }\n\n return;\n }\n\n if (!meta.tlv \|\| meta.tlv.length === 0) return;\n\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| 'TLV_MAP',\n fields: meta.tlv.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n }\n}\n","import type { AxisObservedContext } from '../types/axis-frame.types';\n\n/*\n Sensor Phase Metadata\n \n Metadata describing which phase(s) a sensor executes in.\n * Used for validation and optimization.\n \n @interface SensorPhaseMetadata\n /\nexport interface SensorPhaseMetadata {\n /* Execution phase: pre-decode (middleware) or post-decode (controller) /\n phase: 'PRE_DECODE' \| 'POST_DECODE';\n\n /* Other sensors that must run before this one /\n dependencies?: string[];\n\n /* Whether this sensor can perform async I/O /\n asyncOk?: boolean;\n\n /* Whether this sensor can use cryptographic operations /\n cryptoOk?: boolean;\n\n /* Human-readable description of sensor purpose /\n description?: string;\n}\n\n/\n AXIS Sensor Interface\n \n Core interface for all security sensors in the AXIS pipeline.\n /\nexport interface AxisSensor {\n readonly name: string;\n readonly order?: number; // Lower runs first\n /* Execution phase hint /\n phase?: SensorPhaseMetadata \| 'PRE_DECODE' \| 'POST_DECODE';\n supports?(input: SensorInput): boolean;\n run(input: SensorInput): Promise<SensorDecision>;\n}\n\n// Optional lifecycle hook for frameworks that support module initialization.\nexport interface AxisSensorInit extends AxisSensor {\n onModuleInit?(): void \| Promise<void>;\n}\n\n/\n Sensors that run before frame decoding/deserialization.\n * They should be fast, avoid I/O, and fail fast on malformed traffic.\n /\nexport interface AxisPreSensor extends AxisSensor {\n phase: 'PRE_DECODE';\n}\n\n/\n Sensors that run after a frame is fully decoded and parsed.\n * They may use full context (intent, actor, proofs) and can perform I/O.\n /\nexport interface AxisPostSensor extends AxisSensor {\n phase: 'POST_DECODE';\n}\n\n/\n Sensor Input\n \n Represents the structured data passed to a security sensor for evaluation.\n * Depending on the execution phase, different fields may be populated.\n \n Flow:\n * - Phase 1 (Pre-decode): `rawBytes`, `ip`, `path`, and `peek` are typically available.\n * - Phase 2/3 (Post-decode): `intent`, `contentLength`, and `metadata` are populated after frame parsing.\n \n @interface SensorInput\n /\nexport interface SensorInput {\n /* The full raw binary frame from the wire (if available) /\n rawBytes?: Buffer \| Uint8Array;\n\n /* The AXIS intent string extracted from the frame header (e.g., 'system.info') /\n intent?: string;\n\n /* IPv4/IPv6 address of the edge client /\n ip?: string;\n\n /* The HTTP or transport path being accessed /\n path?: string;\n\n /* Total size of the frame body in bytes /\n contentLength?: number;\n\n /* A small slice of the beginning of the body for early pattern matching /\n peek?: Uint8Array;\n\n /* Geolocation country code (if resolved by upstream middleware) /\n country?: string;\n\n /* Client identifier from the transport layer (e.g., Capsule ID or Socket ID) /\n clientId?: string;\n\n /* Whether the request is coming via a WebSocket connection /\n isWs?: boolean;\n\n /* Extensible metadata for cross-sensor communication /\n metadata?: Record<string, any>;\n\n /* Actor ID from frame or request /\n actorId?: string;\n\n /* Operation code /\n opcode?: string;\n\n /* Audience field /\n aud?: string;\n\n /* Observed context from frame parsing /\n observed?: AxisObservedContext;\n\n /* Parsed frame body /\n frameBody?: any;\n\n /* Device identifier /\n deviceId?: string;\n\n /* Session identifier /\n sessionId?: string;\n\n /* Parsed packet data /\n packet?: Record<string, any>;\n\n /* Dynamic field access for sensor-specific data /\n [key: string]: any;\n}\n\nexport enum Decision {\n ALLOW = 'ALLOW',\n DENY = 'DENY',\n THROTTLE = 'THROTTLE',\n FLAG = 'FLAG',\n}\n/\n Sensor Decision\n \n Represents the outcome of an individual sensor's evaluation.\n * Supports two formats for backward compatibility:\n \n 1. Modern format (preferred): Uses decision/allow/riskScore/reasons\n * 2. Legacy format: Uses action/code/reason (deprecated, will be removed)\n /\nexport type SensorDecision =\n // Modern format (preferred)\n \| {\n /* Final decision outcome (optional for backward compatibility) /\n decision?: Decision;\n /* Whether the request may continue immediately /\n allow: boolean;\n /* Risk score from 0–100 (0 = safe, 100 = blocked) /\n riskScore: number;\n /* Human & machine traceable reasons /\n reasons: string[];\n /* Machine-readable error or control code /\n code?: string;\n /* Throttle hint (only relevant for THROTTLE) /\n retryAfterMs?: number;\n /* Optional delta applied to rolling risk/anomaly state /\n scoreDelta?: number;\n /* Extra signals for audit, observability, forensics /\n tags?: Record<string, any>;\n /* Optional capsule / verification metadata /\n meta?: any;\n /* Optional constraint tightening instructions /\n tighten?: {\n expSecondsMax?: number;\n constraintsPatch?: Record<string, any>;\n };\n }\n // Legacy action-based format (deprecated)\n \| { action: 'ALLOW'; meta?: any }\n \| {\n action: 'DENY';\n code: string;\n reason?: string;\n retryAfterMs?: number;\n meta?: any;\n }\n \| { action: 'THROTTLE'; retryAfterMs: number; meta?: any }\n \| { action: 'FLAG'; scoreDelta: number; reasons: string[]; meta?: any };\n\nexport type SensorMinifiedDecision = {\n allow: boolean;\n riskScore: number;\n reasons: string[];\n tags?: Record<string, any>;\n meta?: any;\n tighten?: { expSecondsMax?: number; constraintsPatch?: Record<string, any> };\n /* Legacy fields for compatibility /\n retryAfterMs?: number;\n};\n\n/\n Helper to normalize SensorDecision (handles both legacy and modern formats)\n /\nexport function normalizeSensorDecision(\n sensorDecision: SensorDecision,\n): SensorMinifiedDecision {\n // Check if it's a legacy action-based format\n if ('action' in sensorDecision) {\n // Convert legacy format to modern\n switch (sensorDecision.action) {\n case 'ALLOW':\n return {\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: sensorDecision.meta,\n };\n case 'DENY':\n return {\n allow: false,\n riskScore: 100,\n reasons: [sensorDecision.code, sensorDecision.reason].filter(\n Boolean,\n ) as string[],\n meta: sensorDecision.meta,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n case 'THROTTLE':\n return {\n allow: false,\n riskScore: 50,\n reasons: ['RATE_LIMIT'],\n retryAfterMs: sensorDecision.retryAfterMs,\n meta: sensorDecision.meta,\n };\n case 'FLAG':\n return {\n allow: true,\n riskScore: sensorDecision.scoreDelta,\n reasons: sensorDecision.reasons,\n meta: sensorDecision.meta,\n };\n }\n }\n\n // Modern format - already has the required fields\n return {\n allow: sensorDecision.allow,\n riskScore: sensorDecision.riskScore,\n reasons: sensorDecision.reasons,\n tags: sensorDecision.tags,\n meta: sensorDecision.meta,\n tighten: sensorDecision.tighten,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n}\n\n/\n Helper factories for creating SensorDecision objects\n /\nexport const SensorDecisions = {\n allow(meta?: any, tags?: Record<string, any>): SensorDecision {\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n tags,\n meta,\n };\n },\n\n deny(code: string, reason?: string, meta?: any): SensorDecision {\n return {\n decision: Decision.DENY,\n allow: false,\n riskScore: 100,\n code,\n reasons: [code, reason].filter(Boolean) as string[],\n meta,\n };\n },\n\n throttle(retryAfterMs: number, meta?: any): SensorDecision {\n return {\n decision: Decision.THROTTLE,\n allow: false,\n riskScore: 50,\n retryAfterMs,\n code: 'RATE_LIMIT',\n reasons: ['RATE_LIMIT'],\n meta,\n };\n },\n\n flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision {\n return {\n decision: Decision.FLAG,\n allow: true,\n riskScore: scoreDelta,\n scoreDelta,\n reasons,\n meta,\n };\n },\n};\n","export {\n AXIS_MAGIC, AXIS_VERSION,\n MAX_HDR_LEN, MAX_BODY_LEN, MAX_SIG_LEN, MAX_FRAME_LEN,\n FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS,\n TLV_PID, TLV_TS, TLV_INTENT, TLV_ACTOR_ID, TLV_PROOF_TYPE,\n TLV_PROOF_REF, TLV_NONCE, TLV_AUD, TLV_REALM, TLV_NODE,\n TLV_TRACE_ID, TLV_KID,\n TLV_RID, TLV_OK, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG,\n TLV_PREV_HASH, TLV_RECEIPT_HASH, TLV_NODE_KID, TLV_NODE_CERT_HASH,\n TLV_LOOM_PRESENCE_ID, TLV_LOOM_WRIT, TLV_LOOM_THREAD_HASH,\n TLV_UPLOAD_ID, TLV_INDEX, TLV_OFFSET, TLV_SHA256_CHUNK, TLV_CAPSULE,\n TLV_BODY_OBJ, TLV_BODY_ARR,\n NCERT_NODE_ID, NCERT_KID, NCERT_ALG, NCERT_PUB, NCERT_NBF,\n NCERT_EXP, NCERT_SCOPE, NCERT_ISSUER_KID, NCERT_PAYLOAD, NCERT_SIG,\n PROOF_NONE, PROOF_CAPSULE, PROOF_JWT, PROOF_MTLS, PROOF_LOOM, PROOF_WITNESS,\n ProofType, BodyProfile,\n ERR_INVALID_PACKET, ERR_BAD_SIGNATURE, ERR_REPLAY_DETECTED, ERR_CONTRACT_VIOLATION,\n} from '@nextera.one/axis-protocol';\n","export { encodeVarint, decodeVarint, varintLength } from '@nextera.one/axis-protocol';\n","import as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame } from './axis-bin';\n\n/*\n Signature utilities for AXIS binary frames\n * Supports Ed25519 signature generation and verification\n /\n\n/\n Computes the canonical payload for signing an AXIS frame.\n * The signature covers all bytes of the encoded frame EXCEPT the signature field itself.\n \n @param {AxisFrame} frame - The frame to prepare for signing\n * @returns {Buffer} The serialized canonical bytes for the signature algorithm\n /\nexport function computeSignaturePayload(frame: AxisFrame): Buffer {\n // Re-encode frame with empty signature\n const frameWithoutSig: AxisFrame = {\n ...frame,\n sig: new Uint8Array(0),\n };\n\n const encoded = encodeFrame(frameWithoutSig);\n return Buffer.from(encoded);\n}\n\n/\n Signs an AXIS frame using the Ed25519 algorithm.\n * Automatically handles both raw 32-byte seeds and pkcs8 DER-encoded private keys.\n \n @param {AxisFrame} frame - The frame to sign\n * @param {Buffer} privateKey - Ed25519 private key (32-byte raw OR pkcs8 DER)\n * @returns {Buffer} The 64-byte Ed25519 signature\n * @throws {Error} If key format is invalid or signing fail\n /\nexport function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer {\n const payload = computeSignaturePayload(frame);\n\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte seed or DER-encoded\n if (privateKey.length === 32) {\n // Raw seed - wrap in pkcs8 DER format\n // pkcs8 prefix for Ed25519: 0x302e020100300506032b657004220420\n const pkcs8Prefix = Buffer.from([\n 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,\n 0x04, 0x22, 0x04, 0x20,\n ]);\n const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);\n\n keyObject = crypto.createPrivateKey({\n key: pkcs8Key,\n format: 'der',\n type: 'pkcs8',\n });\n } else {\n // Assume already DER-encoded pkcs8\n keyObject = crypto.createPrivateKey({\n key: privateKey,\n format: 'der',\n type: 'pkcs8',\n });\n }\n\n const signature = crypto.sign(null, payload, keyObject);\n\n if (signature.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n return signature;\n}\n\n/\n Verifies an Ed25519 signature on an AXIS frame.\n * Automatically handles both raw 32-byte public keys and spki DER-encoded public keys.\n \n @param {AxisFrame} frame - The frame containing the signature to verify\n * @param {Buffer} publicKey - Ed25519 public key (32-byte raw OR spki DER)\n * @returns {boolean} True if the signature is cryptographically valid\n * @throws {Error} If signature length is invalid\n /\nexport function verifyFrameSignature(\n frame: AxisFrame,\n publicKey: Buffer,\n): boolean {\n if (frame.sig.length === 0) {\n return false; // No signature\n }\n\n if (frame.sig.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n const payload = computeSignaturePayload(frame);\n\n try {\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte or DER-encoded\n if (publicKey.length === 32) {\n // Raw key - wrap in spki DER format\n // spki prefix for Ed25519: 0x302a300506032b6570032100\n const spkiPrefix = Buffer.from([\n 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,\n ]);\n const spkiKey = Buffer.concat([spkiPrefix, publicKey]);\n\n keyObject = crypto.createPublicKey({\n key: spkiKey,\n format: 'der',\n type: 'spki',\n });\n } else {\n // Assume already DER-encoded spki\n keyObject = crypto.createPublicKey({\n key: publicKey,\n format: 'der',\n type: 'spki',\n });\n }\n\n const valid = crypto.verify(\n null,\n payload,\n keyObject,\n Buffer.from(frame.sig),\n );\n return valid;\n } catch (error) {\n return false;\n }\n}\n\n/\n Generates a new Ed25519 key pair for use with the AXIS protocol.\n * Returns keys in canonical DER format (pkcs8 for private, spki for public).\n \n @returns {Object} An object containing the privateKey and publicKey as Buffers\n /\nexport function generateEd25519KeyPair(): {\n privateKey: Buffer;\n publicKey: Buffer;\n} {\n const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519');\n\n return {\n privateKey: privateKey.export({ type: 'pkcs8', format: 'der' }) as Buffer,\n publicKey: publicKey.export({ type: 'spki', format: 'der' }) as Buffer,\n };\n}\n\n/\n Computes a standard SHA-256 hash of the provided data.\n \n @param {Buffer \| Uint8Array} data - The input data to hash\n * @returns {Buffer} The 32-byte SHA-256 digest\n /\nexport function sha256(data: Buffer \| Uint8Array): Buffer {\n return crypto.createHash('sha256').update(data).digest();\n}\n\n/\n Computes a hash for an AXIS receipt, optionally chaining it to a previous hash.\n * This is used for generating an immutable transaction chain.\n \n @param {Buffer \| Uint8Array} receiptBytes - The canonical binary representation of the receipt\n * @param {Buffer \| Uint8Array} [prevHash] - The hash of the previous receipt in the chain\n * @returns {Buffer} The 32-byte SHA-256 hash of the receipt (and link)\n /\nexport function computeReceiptHash(\n receiptBytes: Buffer \| Uint8Array,\n prevHash?: Buffer \| Uint8Array,\n): Buffer {\n const hasher = crypto.createHash('sha256');\n hasher.update(receiptBytes);\n\n if (prevHash && prevHash.length > 0) {\n hasher.update(prevHash);\n }\n\n return hasher.digest();\n}\n","import as z from 'zod';\n\n/*\n AxisFrame Schema\n \n Defines the logical structure of an AXIS frame using Zod for runtime validation.\n * This is used for internal processing after the low-level binary parsing is complete.\n /\nexport const AxisFrameZ = z.object({\n /* Flag bits for protocol control (e.g., encryption, compression) /\n flags: z.number().int().nonnegative(),\n /* A map of TLV headers where key=Tag and value=BinaryData /\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n /* The main payload of the frame /\n body: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n /* The cryptographic signature covering the frame (except the signature itself) /\n sig: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n});\n\n/\n Represents a structured AXIS frame.\n * @typedef {Object} AxisFrame\n /\nexport type AxisFrame = z.infer<typeof AxisFrameZ>;\nexport type AxisBinaryFrame = AxisFrame;\nimport {\n AXIS_MAGIC,\n AXIS_VERSION,\n MAX_BODY_LEN,\n MAX_FRAME_LEN,\n MAX_HDR_LEN,\n MAX_SIG_LEN,\n} from './constants';\nimport { decodeTLVs, encodeTLVs } from './tlv';\nimport { decodeVarint, encodeVarint } from './varint';\n\n/\n Encodes a structured AxisFrame into its binary wire representation.\n \n Encoding Steps:\n * 1. Encodes header TLV map into a single buffer.\n * 2. Validates lengths against MAX_* constants.\n * 3. Encodes lengths (HDR, BODY, SIG) as varints.\n * 4. Assembles the final byte array with magic, version, and flags.\n \n @param {AxisFrame} frame - The structured frame to encode\n * @returns {Uint8Array} The full binary frame\n * @throws {Error} If any section exceeds protocol limits\n /\nexport function encodeFrame(frame: AxisFrame): Uint8Array {\n const hdrBytes = encodeTLVs(\n Array.from(frame.headers.entries()).map(([t, v]) => ({\n type: t,\n value: v,\n })),\n );\n\n if (hdrBytes.length > MAX_HDR_LEN) throw new Error('Header too large');\n if (frame.body.length > MAX_BODY_LEN) throw new Error('Body too large');\n if (frame.sig.length > MAX_SIG_LEN) throw new Error('Signature too large');\n\n // Header Len, Body Len, Sig Len\n const hdrLenBytes = encodeVarint(hdrBytes.length);\n const bodyLenBytes = encodeVarint(frame.body.length);\n const sigLenBytes = encodeVarint(frame.sig.length);\n\n const totalLen =\n 5 + // Magic (AXIS1)\n 1 + // Version\n 1 + // Flags\n hdrLenBytes.length +\n bodyLenBytes.length +\n sigLenBytes.length +\n hdrBytes.length +\n frame.body.length +\n frame.sig.length;\n\n if (totalLen > MAX_FRAME_LEN) throw new Error('Total frame too large');\n\n const buf = new Uint8Array(totalLen);\n let offset = 0;\n\n // Magic (AXIS1 - 5 bytes)\n buf.set(AXIS_MAGIC, offset);\n offset += 5;\n\n // Version\n buf[offset++] = AXIS_VERSION;\n\n // Flags\n buf[offset++] = frame.flags;\n\n // Lengths\n buf.set(hdrLenBytes, offset);\n offset += hdrLenBytes.length;\n\n buf.set(bodyLenBytes, offset);\n offset += bodyLenBytes.length;\n\n buf.set(sigLenBytes, offset);\n offset += sigLenBytes.length;\n\n // Payloads\n buf.set(hdrBytes, offset);\n offset += hdrBytes.length;\n\n buf.set(frame.body, offset);\n offset += frame.body.length;\n\n buf.set(frame.sig, offset);\n offset += frame.sig.length;\n\n return buf;\n}\n\n/\n Decodes a binary buffer into a structured AxisFrame with strict validation.\n \n @param {Uint8Array} buf - Raw bytes from the wire\n * @returns {AxisFrame} The parsed and validated frame\n * @throws {Error} If magic, version, or lengths are invalid\n /\nexport function decodeFrame(buf: Uint8Array): AxisFrame {\n let offset = 0;\n\n // 1. Magic (AXIS1 - 5 bytes)\n if (offset + 5 > buf.length) throw new Error('Packet too short');\n for (let i = 0; i < 5; i++) {\n if (buf[offset + i] !== AXIS_MAGIC[i]) throw new Error('Invalid Magic');\n }\n offset += 5;\n\n // 2. Version\n const ver = buf[offset++];\n if (ver !== AXIS_VERSION) throw new Error(`Unsupported version: ${ver}`);\n\n // 3. Flags\n const flags = buf[offset++];\n\n // 4. Lengths\n const { value: hdrLen, length: hlLen } = decodeVarint(buf, offset);\n offset += hlLen;\n if (hdrLen > MAX_HDR_LEN) throw new Error('Header limit exceeded');\n\n const { value: bodyLen, length: blLen } = decodeVarint(buf, offset);\n offset += blLen;\n if (bodyLen > MAX_BODY_LEN) throw new Error('Body limit exceeded');\n\n const { value: sigLen, length: slLen } = decodeVarint(buf, offset);\n offset += slLen;\n if (sigLen > MAX_SIG_LEN) throw new Error('Signature limit exceeded');\n\n // 5. Extract Bytes\n if (offset + hdrLen + bodyLen + sigLen > buf.length) {\n throw new Error('Frame truncated');\n }\n\n const hdrBytes = buf.slice(offset, offset + hdrLen);\n offset += hdrLen;\n\n const bodyBytes = buf.slice(offset, offset + bodyLen);\n offset += bodyLen;\n\n const sigBytes = buf.slice(offset, offset + sigLen);\n offset += sigLen;\n\n // 6. Decode Header TLVs\n const headers = decodeTLVs(hdrBytes);\n\n return {\n flags,\n headers,\n body: bodyBytes,\n sig: sigBytes,\n };\n}\n\n/\n Helper to get canonical bytes for signing.\n * SigTarget = All bytes up to SigLen, with SigLen=0, and no SigBytes.\n /\nexport function getSignTarget(frame: AxisFrame): Uint8Array {\n // Re-encode frame but with empty signature\n // Note: This is efficient enough for v1 (tens of KB).\n return encodeFrame({\n ...frame,\n sig: new Uint8Array(0),\n });\n}\n","// ats1.constants.ts\n\n// Header TLV tags (hdr TLVs)\nexport const ATS1_HDR = {\n INTENT_ID: 1, // uvarint\n ACTOR_KEY_ID: 2, // bytes (key fingerprint / credentialId hash)\n CAPSULE_ID: 3, // bytes or varint\n NONCE: 4, // 16 bytes\n TS_MS: 5, // u64be (8)\n SCHEMA_ID: 6, // uvarint\n BODY_HASH: 7, // 32 bytes (sha256)\n TRACE_ID: 8, // 16 bytes\n} as const;\n\n// Schema IDs (body TLVs meaning depends on schema)\nexport const ATS1_SCHEMA = {\n PASSKEY_LOGIN_OPTIONS_REQ: 2001,\n PASSKEY_LOGIN_OPTIONS_RES: 2002,\n\n PASSKEY_LOGIN_VERIFY_REQ: 2011,\n PASSKEY_LOGIN_VERIFY_RES: 2012,\n\n PASSKEY_REGISTER_OPTIONS_REQ: 2021,\n PASSKEY_REGISTER_OPTIONS_RES: 2022,\n\n PASSKEY_REGISTER_VERIFY_REQ: 2031,\n PASSKEY_REGISTER_VERIFY_RES: 2032,\n} as const;\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n/\n ATS1 (AXIS-TLV Schema v1) — TypeScript Encoder/Decoder\n * - Canonical TLV: [TAG(uvarint)][LEN(uvarint)][VALUE(bytes)]\n * - Canonical ordering: ascending TAG\n * - Minimal varint encoding enforced in decoder\n * - Strict schema validation (unknown tags rejected by default)\n * - Nested TLV streams supported\n \n Node.js: uses crypto for SHA-256\n /\n\nimport { createHash, randomBytes } from 'crypto';\n\n// -----------------------------\n// Types\n// -----------------------------\n\nexport type Ats1FieldType = 'bytes' \| 'utf8' \| 'uvarint' \| 'u64be' \| 'nested';\n\nexport type Ats1FieldDescriptor = {\n tag: number;\n name: string;\n type: Ats1FieldType;\n required?: boolean;\n repeated?: boolean;\n nestedSchema?: Ats1SchemaDescriptor; // required if type === 'nested'\n maxLen?: number; // optional per-field limit (bytes length)\n};\n\nexport type Ats1SchemaDescriptor = {\n schemaId: number;\n name: string;\n strict: boolean; // if true: reject unknown tags\n maxNestingDepth: number; // e.g. 4\n maxBodyBytes?: number; // optional overall body limit\n fields: Ats1FieldDescriptor[];\n};\n\nexport type DecodedTlv = { tag: number; value: Buffer };\n\nexport type DecodedTlvMap = Map<number, Buffer[]>; // tag -> list of values\n\nexport type SensorInputLike = {\n hdrTLVs: DecodedTlvMap;\n bodyTLVs: DecodedTlvMap;\n schemaId: number;\n intentId: number;\n};\n\n// -----------------------------\n// Limits (sane defaults)\n// -----------------------------\n\nexport type Ats1Limits = {\n maxVarintBytes: number; // e.g. 10 for u64\n maxTlvCount: number; // e.g. 512\n maxValueBytes: number; // e.g. 1MB\n maxNestingDepth: number; // e.g. 4\n};\n\nexport const DEFAULT_LIMITS: Ats1Limits = {\n maxVarintBytes: 10,\n maxTlvCount: 512,\n maxValueBytes: 1_048_576, // 1 MiB\n maxNestingDepth: 4,\n};\n\n// -----------------------------\n// Varint (unsigned LEB128)\n// -----------------------------\n\nexport function encodeUVarint(n: number \| bigint): Buffer {\n let x = typeof n === 'bigint' ? n : BigInt(n);\n if (x < 0n) throw new Error('encodeUVarint: negative not allowed');\n\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function decodeUVarint(\n buf: Buffer,\n offset: number,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { value: bigint; offset: number; bytesRead: number } {\n let x = 0n;\n let shift = 0n;\n const start = offset;\n\n for (let i = 0; i < limits.maxVarintBytes; i++) {\n if (offset >= buf.length) throw new Error('decodeUVarint: truncated');\n const b = buf[offset++];\n x \|= BigInt(b & 0x7f) << shift;\n\n if ((b & 0x80) === 0) {\n const bytesRead = offset - start;\n\n // Minimal-encoding check:\n // Re-encode and compare exact bytes.\n const re = encodeUVarint(x);\n const original = buf.subarray(start, offset);\n if (!re.equals(original))\n throw new Error('decodeUVarint: non-minimal varint');\n\n return { value: x, offset, bytesRead };\n }\n\n shift += 7n;\n }\n\n throw new Error('decodeUVarint: too long');\n}\n\n// -----------------------------\n// Primitive encoders/decoders\n// -----------------------------\n\nexport function encodeU64BE(n: bigint): Buffer {\n if (n < 0n) throw new Error('encodeU64BE: negative not allowed');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(n, 0);\n return b;\n}\n\nexport function decodeU64BE(buf: Buffer): bigint {\n if (buf.length !== 8) throw new Error('decodeU64BE: length must be 8');\n return buf.readBigUInt64BE(0);\n}\n\nexport function sha256(data: Buffer): Buffer {\n return createHash('sha256').update(data).digest();\n}\n\n// -----------------------------\n// TLV encode/decode\n// -----------------------------\n\nexport function encodeTLV(tag: number, value: Buffer): Buffer {\n if (!Number.isInteger(tag) \|\| tag <= 0)\n throw new Error('encodeTLV: tag must be positive int');\n const t = encodeUVarint(tag);\n const l = encodeUVarint(value.length);\n return Buffer.concat([t, l, value]);\n}\n\nexport function encodeTLVStreamCanonical(entries: DecodedTlv[]): Buffer {\n // Canonical sort ascending tag\n const sorted = [...entries].sort((a, b) => a.tag - b.tag);\n\n // Duplicate tags are allowed only if the schema says repeated.\n // This function does not enforce schema; caller should.\n const parts: Buffer[] = [];\n for (const e of sorted) parts.push(encodeTLV(e.tag, e.value));\n return Buffer.concat(parts);\n}\n\nexport function decodeTLVStream(\n stream: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n const out: DecodedTlv[] = [];\n let off = 0;\n\n while (off < stream.length) {\n if (out.length >= limits.maxTlvCount)\n throw new Error('decodeTLVStream: too many TLVs');\n\n const tagRes = decodeUVarint(stream, off, limits);\n const tag = Number(tagRes.value);\n off = tagRes.offset;\n\n const lenRes = decodeUVarint(stream, off, limits);\n const len = Number(lenRes.value);\n off = lenRes.offset;\n\n if (len < 0) throw new Error('decodeTLVStream: negative length');\n if (len > limits.maxValueBytes)\n throw new Error('decodeTLVStream: value too large');\n if (off + len > stream.length)\n throw new Error('decodeTLVStream: truncated value');\n\n const value = stream.subarray(off, off + len);\n off += len;\n\n out.push({ tag, value: Buffer.from(value) });\n }\n\n // Canonical check: must be sorted ascending tag.\n for (let i = 1; i < out.length; i++) {\n if (out[i].tag < out[i - 1].tag)\n throw new Error('decodeTLVStream: non-canonical tag order');\n }\n\n return out;\n}\n\nexport function tlvsToMap(entries: DecodedTlv[]): DecodedTlvMap {\n const m: DecodedTlvMap = new Map();\n for (const e of entries) {\n const arr = m.get(e.tag) ?? [];\n arr.push(e.value);\n m.set(e.tag, arr);\n }\n return m;\n}\n\n// -----------------------------\n// Schema validation + object \\u2194 TLV mapping\n// -----------------------------\n\ntype LogicalBody = { schemaId: number; fields: Record<string, any> };\n\nexport function validateTLVsAgainstSchema(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n depth = 0,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): void {\n if (depth > Math.min(schema.maxNestingDepth, limits.maxNestingDepth)) {\n throw new Error('validateTLVsAgainstSchema: nesting depth exceeded');\n }\n\n if (schema.maxBodyBytes && tlvsBytes(tlvs) > schema.maxBodyBytes) {\n throw new Error('validateTLVsAgainstSchema: body too large');\n }\n\n const byTag = new Map<number, DecodedTlv[]>();\n for (const t of tlvs) {\n if (!byTag.has(t.tag)) byTag.set(t.tag, []);\n byTag.get(t.tag)!.push(t);\n }\n\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n // Unknown tags\n if (schema.strict) {\n for (const tag of byTag.keys()) {\n if (!fieldByTag.has(tag))\n throw new Error(`validateTLVsAgainstSchema: unknown tag ${tag}`);\n }\n }\n\n // Required fields & repetition rules\n for (const f of schema.fields) {\n const vals = byTag.get(f.tag) ?? [];\n if (f.required && vals.length === 0)\n throw new Error(`validateTLVsAgainstSchema: missing ${f.name}`);\n\n if (!f.repeated && vals.length > 1) {\n throw new Error(\n `validateTLVsAgainstSchema: duplicate tag not allowed for ${f.name}`,\n );\n }\n\n // Per-field max length\n if (typeof f.maxLen === 'number') {\n for (const v of vals) {\n if (v.value.length > f.maxLen)\n throw new Error(`validateTLVsAgainstSchema: ${f.name} too long`);\n }\n }\n\n // Type checks (lightweight)\n for (const v of vals) {\n switch (f.type) {\n case 'u64be':\n if (v.value.length !== 8)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} u64be must be 8 bytes`,\n );\n break;\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} missing nestedSchema`,\n );\n const nestedTlvs = decodeTLVStream(v.value, limits);\n validateTLVsAgainstSchema(\n f.nestedSchema,\n nestedTlvs,\n depth + 1,\n limits,\n );\n break;\n }\n default:\n // bytes/utf8/uvarint are accepted structurally; deeper validation can be added if you want.\n break;\n }\n }\n }\n}\n\nfunction tlvsBytes(tlvs: DecodedTlv[]): number {\n // approximate encoded size if re-encoded\n let n = 0;\n for (const t of tlvs) {\n n +=\n encodeUVarint(t.tag).length +\n encodeUVarint(t.value.length).length +\n t.value.length;\n }\n return n;\n}\n\nexport function logicalBodyToTLVs(\n schema: Ats1SchemaDescriptor,\n body: LogicalBody,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n if (body.schemaId !== schema.schemaId)\n throw new Error('logicalBodyToTLVs: schemaId mismatch');\n\n const fieldsByName = new Map(schema.fields.map((f) => [f.name, f] as const));\n const tlvs: DecodedTlv[] = [];\n\n for (const [name, val] of Object.entries(body.fields ?? {})) {\n const f = fieldsByName.get(name);\n if (!f) {\n if (schema.strict)\n throw new Error(`logicalBodyToTLVs: unknown field ${name}`);\n continue;\n }\n\n const pushOne = (v: any) => {\n const valueBuf = encodeFieldValue(f, v, limits);\n if (valueBuf.length > limits.maxValueBytes)\n throw new Error('logicalBodyToTLVs: value too large');\n tlvs.push({ tag: f.tag, value: valueBuf });\n };\n\n if (f.repeated) {\n if (!Array.isArray(val))\n throw new Error(\n `logicalBodyToTLVs: repeated field ${name} must be array`,\n );\n for (const item of val) pushOne(item);\n } else {\n pushOne(val);\n }\n }\n\n // Validate required + duplicates + nested schema correctness\n // Validation also enforces canonical ordering check only after encoding/decoding;\n // here we validate semantics.\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n // NOTE: canonical ordering will be applied in encodeTLVStreamCanonical()\n return tlvs;\n}\n\nfunction encodeFieldValue(\n f: Ats1FieldDescriptor,\n val: any,\n limits: Ats1Limits,\n): Buffer {\n switch (f.type) {\n case 'bytes':\n if (Buffer.isBuffer(val)) return Buffer.from(val);\n if (val instanceof Uint8Array) return Buffer.from(val);\n throw new Error(`encodeFieldValue: ${f.name} expects bytes`);\n case 'utf8':\n if (typeof val !== 'string')\n throw new Error(`encodeFieldValue: ${f.name} expects string`);\n return Buffer.from(val, 'utf8');\n case 'uvarint':\n if (typeof val !== 'number' && typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects number/bigint`);\n return encodeUVarint(val);\n case 'u64be':\n if (typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects bigint`);\n return encodeU64BE(val);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`encodeFieldValue: ${f.name} missing nestedSchema`);\n // Accept nested logical object in the form { fields: {...} } or direct record\n const nestedFields =\n val && typeof val === 'object' && 'fields' in val\n ? (val as any).fields\n : val;\n if (!nestedFields \|\| typeof nestedFields !== 'object')\n throw new Error(`encodeFieldValue: ${f.name} expects object`);\n const nestedBody: LogicalBody = {\n schemaId: f.nestedSchema.schemaId,\n fields: nestedFields,\n };\n const nestedTlvs = logicalBodyToTLVs(f.nestedSchema, nestedBody, limits);\n const nestedBytes = encodeTLVStreamCanonical(nestedTlvs);\n // Re-parse to ensure canonical encoding would pass, and validate\n const re = decodeTLVStream(nestedBytes, limits);\n validateTLVsAgainstSchema(f.nestedSchema, re, 1, limits);\n return nestedBytes;\n }\n default:\n throw new Error(`encodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\nexport function tlvsToLogicalBody(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): LogicalBody {\n // TLVs must already be decoded and canonical-checked\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n const fields: Record<string, any> = {};\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n for (const t of tlvs) {\n const f = fieldByTag.get(t.tag);\n if (!f) {\n if (schema.strict)\n throw new Error(`tlvsToLogicalBody: unknown tag ${t.tag}`);\n continue;\n }\n\n const decoded = decodeFieldValue(f, t.value, limits);\n\n if (f.repeated) {\n if (!Array.isArray(fields[f.name])) fields[f.name] = [];\n fields[f.name].push(decoded);\n } else {\n fields[f.name] = decoded;\n }\n }\n\n return { schemaId: schema.schemaId, fields };\n}\n\nfunction decodeFieldValue(\n f: Ats1FieldDescriptor,\n value: Buffer,\n limits: Ats1Limits,\n): any {\n switch (f.type) {\n case 'bytes':\n return Buffer.from(value);\n case 'utf8':\n return value.toString('utf8');\n case 'uvarint': {\n const r = decodeUVarint(value, 0, limits);\n if (r.offset !== value.length)\n throw new Error(\n `decodeFieldValue: ${f.name} uvarint has trailing bytes`,\n );\n // return as number when safe, else bigint\n const asNum = Number(r.value);\n return Number.isSafeInteger(asNum) ? asNum : r.value;\n }\n case 'u64be':\n return decodeU64BE(value);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`decodeFieldValue: ${f.name} missing nestedSchema`);\n const nestedTlvs = decodeTLVStream(value, limits);\n // nested schema validation is called by validateTLVsAgainstSchema already,\n // but we decode again safely here.\n const nestedBody = tlvsToLogicalBody(f.nestedSchema, nestedTlvs, limits);\n return nestedBody.fields; // return the record by default\n }\n default:\n throw new Error(`decodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\n// -----------------------------\n// AXIS HDR tags (ATS1 header TLVs)\n// -----------------------------\n\nexport const HDR_TAGS = {\n intent_id: 1,\n actor_key_id: 2,\n capsule_id: 3,\n nonce: 4,\n ts_ms: 5,\n schema_id: 6,\n body_hash: 7,\n trace_id: 8,\n} as const;\n\nexport type AxisHeaderLogical = {\n intentId: number;\n actorKeyId: Uint8Array;\n capsuleId?: Uint8Array;\n nonce: Uint8Array; // 16 bytes\n tsMs: bigint; // ms\n schemaId: number;\n bodyHash: Uint8Array; // 32 bytes\n traceId?: Uint8Array; // 16 bytes\n version?: number; // optional\n headerHash?: Uint8Array; // 32 bytes\n headerTlvs?: DecodedTlv[]; // optional\n bodyTlvs?: DecodedTlv[]; // optional\n};\n\nexport type AxisLogicalRequest = {\n hdr: AxisHeaderLogical;\n body: LogicalBody;\n};\n\nexport function encodeAxisHeaderToTLVs(hdr: AxisHeaderLogical): DecodedTlv[] {\n if (hdr.nonce.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: nonce must be 16 bytes');\n if (hdr.bodyHash.byteLength !== 32)\n throw new Error('encodeAxisHeaderToTLVs: bodyHash must be 32 bytes');\n if (hdr.traceId && hdr.traceId.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: traceId must be 16 bytes');\n\n const tlvs: DecodedTlv[] = [\n { tag: HDR_TAGS.intent_id, value: encodeUVarint(hdr.intentId) },\n { tag: HDR_TAGS.actor_key_id, value: Buffer.from(hdr.actorKeyId) },\n { tag: HDR_TAGS.nonce, value: Buffer.from(hdr.nonce) },\n { tag: HDR_TAGS.ts_ms, value: encodeU64BE(hdr.tsMs) },\n { tag: HDR_TAGS.schema_id, value: encodeUVarint(hdr.schemaId) },\n { tag: HDR_TAGS.body_hash, value: Buffer.from(hdr.bodyHash) },\n ];\n\n if (hdr.capsuleId)\n tlvs.push({ tag: HDR_TAGS.capsule_id, value: Buffer.from(hdr.capsuleId) });\n if (hdr.traceId)\n tlvs.push({ tag: HDR_TAGS.trace_id, value: Buffer.from(hdr.traceId) });\n\n return tlvs;\n}\n\nexport function decodeAxisHeaderFromTLVs(\n hdrTlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): AxisHeaderLogical {\n // hdr TLVs must be canonical-ordered (enforced by decodeTLVStream) and duplicates only if allowed.\n const m = tlvsToMap(hdrTlvs);\n\n const get1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr \|\| arr.length !== 1)\n throw new Error(\n `decodeAxisHeaderFromTLVs: missing/dup header tag ${tag}`,\n );\n return arr[0];\n };\n const getOpt1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr) return undefined;\n if (arr.length !== 1)\n throw new Error(`decodeAxisHeaderFromTLVs: dup header tag ${tag}`);\n return arr[0];\n };\n\n const intentIdVar = decodeUVarint(get1(HDR_TAGS.intent_id), 0, limits);\n if (intentIdVar.offset !== get1(HDR_TAGS.intent_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: intent_id trailing bytes');\n\n const schemaIdVar = decodeUVarint(get1(HDR_TAGS.schema_id), 0, limits);\n if (schemaIdVar.offset !== get1(HDR_TAGS.schema_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: schema_id trailing bytes');\n\n const ts = decodeU64BE(get1(HDR_TAGS.ts_ms));\n\n const nonce = get1(HDR_TAGS.nonce);\n if (nonce.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: nonce must be 16 bytes');\n\n const bodyHash = get1(HDR_TAGS.body_hash);\n if (bodyHash.length !== 32)\n throw new Error('decodeAxisHeaderFromTLVs: body_hash must be 32 bytes');\n\n const trace = getOpt1(HDR_TAGS.trace_id);\n if (trace && trace.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: trace_id must be 16 bytes');\n\n return {\n intentId: Number(intentIdVar.value),\n actorKeyId: Buffer.from(get1(HDR_TAGS.actor_key_id)),\n capsuleId: getOpt1(HDR_TAGS.capsule_id)\n ? Buffer.from(getOpt1(HDR_TAGS.capsule_id)!)\n : undefined,\n nonce: Buffer.from(nonce),\n tsMs: ts,\n schemaId: Number(schemaIdVar.value),\n bodyHash: Buffer.from(bodyHash),\n traceId: trace ? Buffer.from(trace) : undefined,\n };\n}\n\n// -----------------------------\n// Encode/Decode AXIS request body + hdr with body_hash binding\n// -----------------------------\n\nexport function encodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n req: Omit<AxisLogicalRequest, 'hdr'> & {\n hdr: Omit<AxisHeaderLogical, 'bodyHash'>;\n },\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdrBytes: Buffer; bodyBytes: Buffer; bodyHash: Buffer } {\n // 1) encode body TLVs\n const bodyTlvs = logicalBodyToTLVs(schema, req.body, limits);\n const bodyBytes = encodeTLVStreamCanonical(bodyTlvs);\n\n // 2) compute body hash\n const bodyHash = sha256(bodyBytes);\n\n // 3) encode hdr TLVs (with computed hash)\n const hdr: AxisHeaderLogical = {\n ...req.hdr,\n schemaId: schema.schemaId,\n bodyHash,\n };\n const hdrTlvs = encodeAxisHeaderToTLVs(hdr);\n const hdrBytes = encodeTLVStreamCanonical(hdrTlvs);\n\n return { hdrBytes, bodyBytes, bodyHash };\n}\n\nexport function decodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n hdrBytes: Buffer,\n bodyBytes: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdr: AxisHeaderLogical; body: LogicalBody; sensorInput: SensorInputLike } {\n const hdrTlvs = decodeTLVStream(hdrBytes, limits);\n const bodyTlvs = decodeTLVStream(bodyBytes, limits);\n\n const hdr = decodeAxisHeaderFromTLVs(hdrTlvs, limits);\n\n // Schema binding check\n if (hdr.schemaId !== schema.schemaId)\n throw new Error('decodeAxisRequestBinary: schemaId mismatch');\n\n // body_hash check\n const bh = sha256(bodyBytes);\n if (!Buffer.from(hdr.bodyHash).equals(bh))\n throw new Error('decodeAxisRequestBinary: body_hash mismatch');\n\n // validate + decode body\n const body = tlvsToLogicalBody(schema, bodyTlvs, limits);\n\n const sensorInput: SensorInputLike = {\n hdrTLVs: tlvsToMap(hdrTlvs),\n bodyTLVs: tlvsToMap(bodyTlvs),\n schemaId: hdr.schemaId,\n intentId: hdr.intentId,\n };\n\n return { hdr, body, sensorInput };\n}\n\n// -----------------------------\n// Example Schemas\n// -----------------------------\n\nexport const Schema3100_DeviceContext: Ats1SchemaDescriptor = {\n schemaId: 3100,\n name: 'device.context',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'deviceId', type: 'bytes', required: true, maxLen: 128 },\n { tag: 2, name: 'os', type: 'utf8', required: true, maxLen: 64 },\n { tag: 3, name: 'hw', type: 'utf8', required: true, maxLen: 64 },\n ],\n};\n\nexport const Schema2001_PasskeyLoginOptionsReq: Ats1SchemaDescriptor = {\n schemaId: 2001,\n name: 'axis.auth.passkey.login.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema4001_LoginWithDeviceReq: Ats1SchemaDescriptor = {\n schemaId: 4001,\n name: 'axis.auth.login.with_device.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'device',\n type: 'nested',\n required: true,\n nestedSchema: Schema3100_DeviceContext,\n },\n ],\n};\n","import { ATS1_HDR, ATS1_SCHEMA } from './ats1.constants';\nimport as ats1 from './ats1';\n\n/*\n Build canonical hdr for any request using ATS1 codec.\n /\nexport function buildAts1Hdr(params: {\n intentId: number;\n schemaId: number;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n tsMs?: bigint;\n nonce?: Buffer;\n bodyHash?: Buffer;\n}): Buffer {\n const hdr: ats1.AxisHeaderLogical = {\n intentId: params.intentId,\n schemaId: params.schemaId,\n actorKeyId: params.actorKeyId ?? Buffer.alloc(0),\n capsuleId: params.capsuleId,\n nonce: params.nonce ?? require('crypto').randomBytes(16),\n tsMs: params.tsMs ?? BigInt(Date.now()),\n bodyHash: params.bodyHash ?? Buffer.alloc(32),\n traceId: params.traceId,\n };\n\n const tlvs = ats1.encodeAxisHeaderToTLVs(hdr);\n return ats1.encodeTLVStreamCanonical(tlvs);\n}\n\n/\n PASSKEY: login.options.req\n * schema 2001 body:\n * - (1) username: utf8\n /\nexport function packPasskeyLoginOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n capsuleId: params.capsuleId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n Defined schemas for passkey operations\n /\nexport const Schema2021_PasskeyRegisterOptionsReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n name: 'axis.auth.passkey.register.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema2011_PasskeyLoginVerifyReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n name: 'axis.auth.passkey.login.verify.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'credentialId',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n {\n tag: 3,\n name: 'clientDataJSON',\n type: 'bytes',\n required: true,\n maxLen: 4096,\n },\n {\n tag: 4,\n name: 'authenticatorData',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n { tag: 5, name: 'signature', type: 'bytes', required: true, maxLen: 1024 },\n { tag: 6, name: 'userHandle', type: 'bytes', required: false, maxLen: 128 },\n ],\n};\n\n/\n PASSKEY: register.options.req\n /\nexport function packPasskeyRegisterOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n Schema2021_PasskeyRegisterOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyRegisterOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2021_PasskeyRegisterOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n PASSKEY: login.verify.req\n /\nexport function packPasskeyLoginVerifyReq(params: {\n intentId: number;\n username: string;\n credentialId: Buffer;\n clientDataJSON: Buffer;\n authenticatorData: Buffer;\n signature: Buffer;\n userHandle?: Buffer;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2011_PasskeyLoginVerifyReq, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n fields: {\n username: params.username,\n credentialId: params.credentialId,\n clientDataJSON: params.clientDataJSON,\n authenticatorData: params.authenticatorData,\n signature: params.signature,\n userHandle: params.userHandle,\n },\n });\n\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginVerifyReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2011_PasskeyLoginVerifyReq,\n tlvs,\n );\n const f = decoded.fields;\n\n return {\n username: f.username as string,\n credentialId: f.credentialId as Buffer,\n clientDataJSON: f.clientDataJSON as Buffer,\n authenticatorData: f.authenticatorData as Buffer,\n signature: f.signature as Buffer,\n userHandle: f.userHandle as Buffer \| undefined,\n };\n}\n\n// ========================================\n// Response Schemas\n// ========================================\n\n/\n Schema 2002: Passkey Login Options Response\n * - (1) challenge: bytes\n * - (2) timeout: uvarint (ms)\n * - (3) rpId: utf8\n * - (4) allowCredentials: bytes (nested TLV array, each item is id+type+transports)\n * - (5) userVerification: utf8\n /\nexport const Schema2002_PasskeyLoginOptionsRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n name: 'axis.auth.passkey.login.options.res',\n strict: false, // allow extra fields from WebAuthn library\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'challenge', type: 'utf8', required: true }, // base64url string\n { tag: 2, name: 'timeout', type: 'uvarint', required: false },\n { tag: 3, name: 'rpId', type: 'utf8', required: false },\n { tag: 4, name: 'userVerification', type: 'utf8', required: false },\n { tag: 5, name: 'allowCredentialsJson', type: 'utf8', required: false }, // JSON array for simplicity\n ],\n};\n\nexport function packPasskeyLoginOptionsRes(params: {\n challenge: string;\n timeout?: number;\n rpId?: string;\n userVerification?: string;\n allowCredentials?: { id: string; type: string; transports?: string[] }[];\n}): Buffer {\n const fields: Record<string, any> = {\n challenge: params.challenge,\n };\n if (params.timeout !== undefined) fields.timeout = params.timeout;\n if (params.rpId) fields.rpId = params.rpId;\n if (params.userVerification)\n fields.userVerification = params.userVerification;\n if (params.allowCredentials)\n fields.allowCredentialsJson = JSON.stringify(params.allowCredentials);\n\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2002_PasskeyLoginOptionsRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n fields,\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n\n/\n Schema 2012: Passkey Login Verify Response\n * - (1) actorId: utf8\n * - (2) keyId: utf8 (credentialId base64url)\n * - (3) capsule: bytes\n * - (4) expiresAt: u64be (ms)\n /\nexport const Schema2012_PasskeyLoginVerifyRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n name: 'axis.auth.passkey.login.verify.res',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'actorId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 2, name: 'keyId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 3, name: 'capsule', type: 'bytes', required: true, maxLen: 4096 },\n { tag: 4, name: 'expiresAt', type: 'u64be', required: true },\n ],\n};\n\nexport function packPasskeyLoginVerifyRes(params: {\n actorId: string;\n keyId: string;\n capsule: Buffer;\n expiresAt: bigint;\n}): Buffer {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2012_PasskeyLoginVerifyRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n fields: {\n actorId: params.actorId,\n keyId: params.keyId,\n capsule: params.capsule,\n expiresAt: params.expiresAt,\n },\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n","// tlv.encode.ts\nimport { randomBytes } from 'crypto';\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('VARINT_NEG');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n\nexport function u64be(x: bigint): Buffer {\n if (x < 0n) throw new Error('U64_NEG');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x, 0);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function bytes(b: Uint8Array \| Buffer): Buffer {\n return Buffer.isBuffer(b) ? b : Buffer.from(b);\n}\n\nexport function nonce16(): Buffer {\n return randomBytes(16);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n if (!Number.isSafeInteger(type) \|\| type < 0) throw new Error('TLV_BAD_TYPE');\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\n/\n Canonical TLV encoding:\n * - sorted by type ascending\n * - no duplicates by default\n /\nexport function buildTLVs(\n items: { type: number; value: Buffer }[],\n opts?: { allowDupTypes?: Set<number> },\n): Buffer {\n const allow = opts?.allowDupTypes ?? new Set<number>();\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n","// axis1.encode.ts\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\nexport type Axis1FrameToEncode = {\n ver: number; // 1\n flags: number; // bit flags\n hdr: Buffer; // TLVs\n body: Buffer; // TLVs or raw payload\n sig: Buffer; // signature bytes\n};\n\nexport function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer {\n if (\n !Buffer.isBuffer(f.hdr) \|\|\n !Buffer.isBuffer(f.body) \|\|\n !Buffer.isBuffer(f.sig)\n ) {\n throw new Error('AXIS1_BAD_BUFFERS');\n }\n if (f.ver !== 1) throw new Error('AXIS1_BAD_VER');\n\n const hdrLen = encVarint(BigInt(f.hdr.length));\n const bodyLen = encVarint(BigInt(f.body.length));\n const sigLen = encVarint(BigInt(f.sig.length));\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([f.ver & 0xff]),\n Buffer.from([f.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLen,\n f.hdr,\n f.body,\n f.sig,\n ]);\n}\n","// axis1.signing.ts\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\nexport function axis1SigningBytes(params: {\n ver: number;\n flags: number;\n hdr: Buffer;\n body: Buffer;\n}): Buffer {\n if (params.ver !== 1) throw new Error('AXIS1_BAD_VER');\n const hdrLen = encVarint(BigInt(params.hdr.length));\n const bodyLen = encVarint(BigInt(params.body.length));\n const sigLenZero = encVarint(0n); // IMPORTANT: sigLen=0 in signing bytes\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([params.ver & 0xff]),\n Buffer.from([params.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLenZero,\n params.hdr,\n params.body,\n ]);\n}\n","/\n Base64url encoding/decoding utilities\n * RFC 4648 base64url (URL-safe, no padding)\n /\n\n/\n Encode buffer to base64url string\n * @param buf - Buffer to encode\n * @returns Base64url string (no padding, URL-safe)\n /\nexport function b64urlEncode(buf: Buffer): string {\n return buf\n .toString('base64')\n .replace(/=/g, '')\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_');\n}\n\n/\n Decode base64url string to buffer\n * @param str - Base64url string\n * @returns Decoded buffer\n /\nexport function b64urlDecode(str: string): Buffer {\n // Add padding if needed\n const pad = str.length % 4 ? '='.repeat(4 - (str.length % 4)) : '';\n const base64 = (str + pad).replace(/-/g, '+').replace(/_/g, '/');\n return Buffer.from(base64, 'base64');\n}\n\n/\n Encode string to base64url\n * @param str - String to encode\n * @param encoding - String encoding (default: utf8)\n * @returns Base64url string\n /\nexport function b64urlEncodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlEncode(Buffer.from(str, encoding));\n}\n\n/\n Decode base64url string to string\n * @param str - Base64url string\n * @param encoding - String encoding (default: utf8)\n * @returns Decoded string\n /\nexport function b64urlDecodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlDecode(str).toString(encoding);\n}\n","/\n Canonical JSON serialization for stable cryptographic signing\n \n Rules:\n * - Recursively sort object keys lexicographically\n * - Remove undefined values\n * - Preserve array order\n * - No whitespace in output\n * - Stable number formatting\n /\n\n/\n Recursively sort object keys and remove undefined values\n /\nfunction sortRec(value: any): any {\n if (value === null) {\n return null;\n }\n\n if (value === undefined) {\n return undefined;\n }\n\n if (Array.isArray(value)) {\n return value.map(sortRec);\n }\n\n if (typeof value === 'object') {\n const sorted: Record<string, any> = {};\n const keys = Object.keys(value).sort();\n\n for (const key of keys) {\n const sortedValue = sortRec(value[key]);\n // Skip undefined values\n if (sortedValue !== undefined) {\n sorted[key] = sortedValue;\n }\n }\n\n return sorted;\n }\n\n // Primitive types (number, string, boolean)\n return value;\n}\n\n/\n Convert value to canonical JSON string for signing\n \n @param value - Value to canonicalize\n * @returns Canonical JSON string (no whitespace, sorted keys, no undefined)\n /\nexport function canonicalJson(value: any): string {\n return JSON.stringify(sortRec(value));\n}\n\n/\n Helper to create canonical JSON for signing (excluding specific fields)\n \n @param obj - Object to canonicalize\n * @param exclude - Fields to exclude (e.g., 'sig' when signing)\n * @returns Canonical JSON string\n /\nexport function canonicalJsonExcluding(\n obj: Record<string, any>,\n exclude: string[],\n): string {\n const filtered: Record<string, any> = {};\n\n for (const key in obj) {\n if (!exclude.includes(key) && obj[key] !== undefined) {\n filtered[key] = obj[key];\n }\n }\n\n return canonicalJson(filtered);\n}\n","export class ContractViolationError extends Error {\n constructor(\n public code: string,\n message: string,\n ) {\n super(message);\n this.name = 'ContractViolationError';\n }\n}\n\nexport interface ExecutionMetrics {\n dbWrites: number;\n dbReads: number;\n externalCalls: number;\n elapsedMs: number;\n}\n\nexport class ExecutionMeter {\n private dbWrites = 0;\n private dbReads = 0;\n private externalCalls = 0;\n private startTime: number;\n private contract: any; // ExecutionContract\n\n constructor(contract: any) {\n this.contract = contract;\n this.startTime = Date.now();\n }\n\n recordDbWrite(): void {\n this.dbWrites++;\n if (this.dbWrites > this.contract.maxDbWrites) {\n throw new ContractViolationError(\n 'MAX_DB_WRITES_EXCEEDED',\n `DB writes exceeded: ${this.dbWrites}/${this.contract.maxDbWrites}`,\n );\n }\n }\n\n recordDbRead(): void {\n this.dbReads++;\n if (this.contract.maxDbReads && this.dbReads > this.contract.maxDbReads) {\n throw new ContractViolationError(\n 'MAX_DB_READS_EXCEEDED',\n `DB reads exceeded: ${this.dbReads}/${this.contract.maxDbReads}`,\n );\n }\n }\n\n recordExternalCall(): void {\n this.externalCalls++;\n if (this.externalCalls > this.contract.maxExternalCalls) {\n throw new ContractViolationError(\n 'MAX_EXTERNAL_CALLS_EXCEEDED',\n `External calls exceeded: ${this.externalCalls}/${this.contract.maxExternalCalls}`,\n );\n }\n }\n\n checkTime(): void {\n const elapsed = Date.now() - this.startTime;\n if (elapsed > this.contract.maxTimeMs) {\n throw new ContractViolationError(\n 'MAX_TIME_EXCEEDED',\n `Execution time exceeded: ${elapsed}ms/${this.contract.maxTimeMs}ms`,\n );\n }\n }\n\n validateEffect(effect: string): void {\n // Wildcard allows any effect\n if (this.contract.allowedEffects.includes('')) {\n return;\n }\n\n if (!this.contract.allowedEffects.includes(effect)) {\n throw new ContractViolationError(\n 'INVALID_EFFECT',\n `Effect '${effect}' not allowed. Allowed: ${this.contract.allowedEffects.join(', ')}`,\n );\n }\n }\n\n getMetrics(): ExecutionMetrics {\n return {\n dbWrites: this.dbWrites,\n dbReads: this.dbReads,\n externalCalls: this.externalCalls,\n elapsedMs: Date.now() - this.startTime,\n };\n }\n\n getContract() {\n return this.contract;\n }\n}\n","export interface ExecutionContract {\n maxDbWrites: number;\n maxDbReads?: number;\n maxExternalCalls: number;\n maxTimeMs: number;\n allowedEffects: string[];\n maxMemoryMb?: number;\n}\n\nexport const DEFAULT_CONTRACTS: Record<string, ExecutionContract> = {\n // System intents\n 'system.ping': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 100,\n allowedEffects: ['system.pong'],\n },\n\n // Catalog intents\n 'catalog.list': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['catalog.listed'],\n },\n 'catalog.search': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['catalog.searched'],\n },\n\n // Passport intents\n 'passport.issue': {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['passport.issued', 'passport.rejected'],\n },\n 'passport.revoke': {\n maxDbWrites: 5,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['passport.revoked', 'passport.revoke_failed'],\n },\n\n // File intents\n 'file.init': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['file.initialized'],\n },\n 'file.chunk': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: ['file.chunk.stored'],\n },\n 'file.finalize': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['file.finalized'],\n },\n\n // Stream intents\n 'stream.publish': {\n maxDbWrites: 1,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['stream.published'],\n },\n 'stream.read': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['stream.data'],\n },\n\n // Mail intents\n 'mail.send': {\n maxDbWrites: 3,\n maxExternalCalls: 1, // Email service\n maxTimeMs: 2000,\n allowedEffects: ['mail.sent', 'mail.failed'],\n },\n};\n\n// Default contract for unknown intents\nexport const FALLBACK_CONTRACT: ExecutionContract = {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: [''], // Allow any effect\n};\n","/\n Decodes a variable-length integer (Varint) from a buffer.\n * Supports up to 64-bit integers.\n \n @param {Buffer} buf - The buffer to read from\n * @param {number} off - The offset to start reading from\n * @returns {Object} The decoded bigint value and the new offset\n * @throws {Error} If the varint is malformed or exceeds 64 bits\n /\nexport function decVarint(\n buf: Buffer,\n off: number,\n): { val: bigint; off: number } {\n let shift = 0n;\n let x = 0n;\n while (true) {\n if (off >= buf.length) throw new Error('varint overflow');\n const b = BigInt(buf[off++]);\n x \|= (b & 0x7fn) << shift;\n if ((b & 0x80n) === 0n) break;\n shift += 7n;\n if (shift > 63n) throw new Error('varint too large');\n }\n return { val: x, off };\n}\n\nimport type { TLV } from '../core/tlv';\n\n/\n Parses a buffer into an array of TLV objects.\n \n @param {Buffer} buf - The buffer containing TLV-encoded data\n * @param {number} [maxItems=512] - Security limit for the number of TLVs to parse\n * @returns {TLV[]} An array of parsed TLVs\n * @throws {Error} If TLV structure is invalid or limits are exceeded\n /\nexport function parseTLVs(buf: Buffer, maxItems: number = 512): TLV[] {\n const out: TLV[] = [];\n let off = 0;\n while (off < buf.length) {\n if (out.length >= maxItems) throw new Error('TLV_TOO_MANY_ITEMS');\n const t1 = decVarint(buf, off);\n off = t1.off;\n const t2 = decVarint(buf, off);\n off = t2.off;\n const type = Number(t1.val);\n const len = Number(t2.val);\n if (len < 0 \|\| off + len > buf.length) {\n throw new Error('TLV_LEN_INVALID');\n }\n const value = buf.subarray(off, off + len);\n off += len;\n out.push({ type, value });\n }\n return out;\n}\n\n/\n Parses TLVs and organizes them into a Map for efficient access.\n * Multiple values for the same type are preserved in an array.\n \n @param {Buffer} buf - The raw TLV-encoded buffer\n * @returns {Map<number, Buffer[]>} A map of Tag -> [Values]\n /\nexport function tlvMap(buf: Buffer): Map<number, Buffer[]> {\n const m = new Map<number, Buffer[]>();\n for (const it of parseTLVs(buf)) {\n const arr = m.get(it.type) ?? [];\n arr.push(it.value as Buffer);\n m.set(it.type, arr);\n }\n return m;\n}\n\nexport function asUtf8(b?: Buffer): string \| undefined {\n if (!b) return undefined;\n return b.toString('utf8');\n}\n\nexport function asBigintVarint(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n const { val, off } = decVarint(b, 0);\n if (off !== b.length) throw new Error('VARINT_TRAILING_BYTES');\n return val;\n}\n\n/\n Parses an 8-byte big-endian buffer as a BigInt.\n * Used for timestamps which are sent as fixed 8-byte u64.\n /\nexport function asBigint64BE(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n if (b.length !== 8) throw new Error('Expected 8 bytes for u64');\n return b.readBigUInt64BE(0);\n}\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('varint neg');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\nexport function buildTLVs(items: { type: number; value: Buffer }[]): Buffer {\n // Canonical: sort by type ascending\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n // Canonical: forbid duplicate tags by default\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n\nexport function u64be(x: bigint): Buffer {\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n","import { decVarint } from './tlv';\n\n/\n Axis1DecodedFrame\n \n Represents a parsed AXIS v1 binary frame.\n \n @typedef {Object} Axis1DecodedFrame\n /\nexport type Axis1DecodedFrame = {\n /* Protocol version (should be 1) /\n ver: number;\n /* Frame flags for protocol extensions /\n flags: number;\n /* Raw header bytes (containing primary TLVs) /\n hdr: Buffer;\n /* Raw body bytes (the main payload) /\n body: Buffer;\n /* Cryptographic signature bytes /\n sig: Buffer;\n /* Total original size of the frame in bytes /\n frameSize: number;\n};\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\n/\n Decodes a raw binary buffer into a structured Axis1DecodedFrame.\n * Implements the AXIS v1 wire format specification.\n \n Binary Structure (canonical):\n * 1. Magic: 'AXIS1' (5 bytes)\n * 2. Version: (1 byte)\n * 3. Flags: (1 byte)\n * 4. HDR_LEN: Varint\n * 5. BODY_LEN: Varint\n * 6. SIG_LEN: Varint\n * 7. HDR: (HDR_LEN bytes)\n * 8. BODY: (BODY_LEN bytes)\n * 9. SIG: (SIG_LEN bytes)\n \n @param {Buffer} buf - Raw bytes from the wire\n * @returns {Axis1DecodedFrame} Parsed frame object\n * @throws {Error} If magic is invalid, frame is truncated, or lengths are inconsistent\n /\nexport function decodeAxis1Frame(buf: Buffer): Axis1DecodedFrame {\n let off = 0;\n\n const magic = buf.subarray(off, off + 5);\n off += 5;\n if (magic.length !== 5 \|\| !magic.equals(MAGIC))\n throw new Error('AXIS1_BAD_MAGIC');\n\n if (off + 2 > buf.length) throw new Error('AXIS1_TRUNCATED');\n const ver = buf[off++];\n const flags = buf[off++];\n\n // Read all three lengths first (canonical order: hdrLen, bodyLen, sigLen)\n const h1 = decVarint(buf, off);\n off = h1.off;\n const b1 = decVarint(buf, off);\n off = b1.off;\n const s1 = decVarint(buf, off);\n off = s1.off;\n\n const hdrLen = Number(h1.val);\n const bodyLen = Number(b1.val);\n const sigLen = Number(s1.val);\n\n if (hdrLen < 0 \|\| bodyLen < 0 \|\| sigLen < 0) throw new Error('AXIS1_LEN_NEG');\n\n if (off + hdrLen + bodyLen + sigLen > buf.length)\n throw new Error('AXIS1_TRUNCATED_PAYLOAD');\n\n // Then read payloads in order: HDR, BODY, SIG\n const hdr = buf.subarray(off, off + hdrLen);\n off += hdrLen;\n const body = buf.subarray(off, off + bodyLen);\n off += bodyLen;\n const sig = buf.subarray(off, off + sigLen);\n off += sigLen;\n\n if (off !== buf.length) throw new Error('AXIS1_TRAILING_BYTES');\n\n return { ver, flags, hdr, body, sig, frameSize: buf.length };\n}\n","import {\n TLV_ACTOR_ID,\n TLV_INTENT,\n TLV_NONCE,\n TLV_PID,\n TLV_PROOF_REF,\n TLV_PROOF_TYPE,\n TLV_TS,\n} from '../core/constants';\nimport { asBigint64BE, asBigintVarint, asUtf8, tlvMap } from './tlv';\n\n/\n AXIS TLV Tag Definitions (as per specification)\n /\nexport const T = {\n /* The specific intent or action (e.g., 'vault.create') /\n INTENT: TLV_INTENT,\n /* Package identifier / ID /\n PID: TLV_PID,\n /* Versioning of the intent schema /\n INTENT_VERSION: 10, // Defaulting to TRACE_ID for now or a new tag if available\n /* Unique identifier for the requesting actor /\n ACTOR_ID: TLV_ACTOR_ID,\n /* Optional Capability Token identifier (16 bytes) /\n CAPSULE_ID: TLV_PROOF_REF,\n /* Unique session/request identifier (16 bytes) /\n NONCE: TLV_NONCE,\n /* High-precision Unix timestamp in milliseconds /\n TS_MS: TLV_TS,\n /* Proof type /\n PROOF_TYPE: TLV_PROOF_TYPE,\n /* Standard binary body tag /\n BODY: 100,\n /* Standard JSON-encoded body tag /\n JSON: 200,\n};\n\n/\n AxisPacket\n \n A high-level representation of an AXIS message after TLV decoding.\n * Combines header metadata with the raw body and signature.\n \n @typedef {Object} AxisPacket\n /\nexport type AxisPacket = {\n /* The intent string /\n intent: string;\n /* Intent schema version /\n intentVersion: number;\n /* Actor identifier /\n actorId: string;\n /* Optional binary Capsule ID /\n capsuleId?: Buffer;\n /* Packet identifier /\n pid: Buffer;\n /* Random nonce for replay protection /\n nonce: Buffer;\n /* Request timestamp /\n tsMs: bigint;\n /* Decoded header TLV map /\n headersMap: Map<number, Buffer[]>;\n /* Decoded body TLV map (if body contains TLVs) /\n bodyMap: Map<number, Buffer[]>;\n /* Original raw header bytes /\n hdrBytes: Buffer;\n /* Original raw body bytes /\n bodyBytes: Buffer;\n /* Cryptographic signature of the frame /\n sig: Buffer;\n};\n\n/\n Constructs a structured AxisPacket from raw header, body, and signature buffers.\n * Performs rigorous validation on mandatory AXIS fields.\n \n @param {Buffer} hdr - Raw header bytes containing the primary TLVs\n * @param {Buffer} body - Raw body bytes\n * @param {Buffer} sig - Signature bytes for the frame\n * @param {number} [flags=0] - Frame flags (bit 0 = BODY_IS_TLV)\n * @returns {AxisPacket} A fully validated AxisPacket object\n * @throws {Error} If mandatory fields (intent, version, actor, nonce, ts) are missing or malformed\n /\nexport function buildPacket(\n hdr: Buffer,\n body: Buffer,\n sig: Buffer,\n flags: number = 0,\n): AxisPacket {\n const hm = tlvMap(hdr);\n\n // Only parse body as TLV if BODY_IS_TLV flag is set (bit 0)\n const BODY_IS_TLV = 0x01;\n const bm = flags & BODY_IS_TLV ? tlvMap(body) : new Map<number, Buffer[]>();\n\n const intent = asUtf8(hm.get(T.INTENT)?.[0]);\n const intentVerRaw = hm.get(T.INTENT_VERSION)?.[0];\n const intentVer = intentVerRaw ? Number(asBigintVarint(intentVerRaw)) : 1;\n const actorIdRaw = hm.get(T.ACTOR_ID)?.[0];\n const actorId = actorIdRaw ? actorIdRaw.toString('hex') : undefined;\n const capsuleId = hm.get(T.CAPSULE_ID)?.[0];\n const pid = hm.get(T.PID)?.[0] \|\| hm.get(T.NONCE)?.[0]; // Fallback to nonce if pid missing\n const nonce = hm.get(T.NONCE)?.[0];\n const tsMs = asBigint64BE(hm.get(T.TS_MS)?.[0]);\n\n if (!intent) throw new Error('PACKET_MISSING_INTENT');\n if (!actorId) throw new Error('PACKET_MISSING_ACTOR_ID');\n if (!nonce \|\| nonce.length < 16 \|\| nonce.length > 32)\n throw new Error('PACKET_BAD_NONCE');\n if (!pid) throw new Error('PACKET_MISSING_PID');\n if (!tsMs) throw new Error('PACKET_MISSING_TS');\n\n return {\n intent,\n intentVersion: intentVer,\n actorId,\n capsuleId,\n pid,\n nonce,\n tsMs,\n headersMap: hm,\n bodyMap: bm,\n hdrBytes: hdr,\n bodyBytes: body,\n sig,\n };\n}\n","/\n AXIS Scope Utilities\n * Validates capsule scopes against required resource access.\n * Prevents BOLA (Broken Object Level Authorization) attacks.\n /\n\n/\n Check if a capsule has the required scope.\n * Scopes use colon notation: resource:id or resource:\n \n * Examples:\n * - wallet:w_123\n * - merchant:m_456\n * - payment:\n /\nexport function hasScope(scopes: string[], required: string): boolean {\n if (!Array.isArray(scopes) \|\| scopes.length === 0) {\n return false;\n }\n\n // Exact match\n if (scopes.includes(required)) {\n return true;\n }\n\n // Wildcard match: resource:* matches resource:anything\n const [resource, id] = required.split(':');\n if (resource && id) {\n const wildcard = `${resource}:`;\n if (scopes.includes(wildcard)) {\n return true;\n }\n }\n\n return false;\n}\n\n/\n Extract resource type and ID from scope.\n /\nexport function parseScope(\n scope: string,\n): { resource: string; id: string } \| null {\n const parts = scope.split(':');\n if (parts.length !== 2) return null;\n return { resource: parts[0], id: parts[1] };\n}\n\n/\n Check if actor can access a specific resource based on capsule scopes.\n /\nexport function canAccessResource(\n scopes: string[],\n resourceType: string,\n resourceId: string,\n): boolean {\n const required = `${resourceType}:${resourceId}`;\n return hasScope(scopes, required);\n}\n","/\n AXIS Capability Model\n * Maps proof types to capabilities and intents to requirements.\n /\nimport { PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS } from '../core/constants';\n\n/\n Available capabilities in the AXIS system.\n * Each represents a distinct permission level.\n /\nexport const CAPABILITIES = {\n read: 'read',\n write: 'write',\n execute: 'execute',\n admin: 'admin',\n sign: 'sign',\n witness: 'witness',\n} as const;\n\nexport type Capability = keyof typeof CAPABILITIES;\n\n/\n Maps proof type codes to granted capabilities.\n /\nexport const PROOF_CAPABILITIES: Record<number, Capability[]> = {\n [PROOF_NONE]: [],\n [PROOF_CAPSULE]: ['read', 'write', 'execute'],\n [PROOF_JWT]: ['read'],\n [PROOF_MTLS]: ['read', 'write', 'admin'],\n [PROOF_LOOM]: ['read', 'write', 'execute'],\n [PROOF_WITNESS]: ['read', 'write', 'execute', 'witness'],\n};\n\n/\n Maps intent patterns to required capabilities.\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_REQUIREMENTS: Record<string, Capability[]> = {\n 'public.': [],\n 'schema.': [],\n 'catalog.': [],\n 'health.': [],\n 'system.': [],\n\n 'file.upload': ['write'],\n 'file.download': ['read'],\n 'file.delete': ['write', 'admin'],\n\n 'passport.issue': ['write', 'execute'],\n 'passport.revoke': ['write', 'witness'],\n\n 'stream.publish': ['write'],\n 'stream.subscribe': ['read'],\n\n // NestFlow intents\n 'auth.web.login.': ['execute'],\n 'tickauth.challenge.': ['execute'],\n 'capsule.issue.': ['write', 'execute'],\n 'session.': ['execute'],\n 'device.list': ['read'],\n 'device.rename': ['write'],\n 'device.trust.': ['write', 'execute'],\n 'device.revoke': ['write', 'execute'],\n 'identity.': ['admin', 'execute'],\n 'primary.device.': ['admin', 'execute'],\n 'secret.rotate': ['admin'],\n 'org.security.': ['admin'],\n 'production.execution.': ['admin', 'execute'],\n\n 'admin.': ['admin'],\n};\n","/\n AXIS Risk Signal Types\n \n Protocol-level types for risk evaluation and signalling.\n * Used by sensors, risk gates, and anomaly detectors.\n /\n\n/\n A discrete risk signal emitted by a detector or sensor.\n * Signals are aggregated by the risk gate to produce a final RiskEvaluation.\n /\nexport interface RiskSignal {\n type: string;\n severity: 'low' \| 'medium' \| 'high' \| 'critical';\n value: any;\n message: string;\n}\n\n/\n Granular risk gate decision outcomes.\n * More expressive than a binary ALLOW/DENY — covers step-up and witness flows.\n /\nexport enum RiskDecision {\n ALLOW = 'ALLOW',\n THROTTLE = 'THROTTLE',\n STEP_UP = 'STEP_UP',\n WITNESS = 'WITNESS',\n DENY = 'DENY',\n}\n\n/\n The result of a risk gate evaluation over a set of signals.\n /\nexport interface RiskEvaluation {\n decision: RiskDecision;\n reason?: string;\n retryAfterMs?: number;\n /* Confidence score in range [0, 1]. /\n confidence: number;\n signals: RiskSignal[];\n}\n","/\n AXIS Opcode Registry\n * Central registry of all allowed opcodes.\n * Unknown opcodes are rejected by default (no shadow endpoints).\n /\n\nexport const AXIS_OPCODES = new Set([\n 'CAPSULE.ISSUE',\n 'CAPSULE.BATCH',\n 'CAPSULE.REVOKE',\n 'INTENT.EXEC',\n 'ACTOR.KEY.ROTATE',\n 'ACTOR.KEY.REVOKE',\n 'ISSUER.KEY.ROTATE',\n // NestFlow opcodes\n 'AUTH.WEB.LOGIN',\n 'AUTH.WEB.SCAN',\n 'TICKAUTH.CREATE',\n 'TICKAUTH.FULFILL',\n 'TICKAUTH.REJECT',\n 'SESSION.ACTIVATE',\n 'SESSION.REFRESH',\n 'SESSION.LOGOUT',\n 'DEVICE.TRUST',\n 'DEVICE.PROMOTE',\n 'DEVICE.REVOKE',\n 'DEVICE.LIST',\n 'DEVICE.RENAME',\n 'IDENTITY.RECOVERY',\n 'IDENTITY.LOCK',\n]);\n\nexport function isKnownOpcode(op: string): boolean {\n return AXIS_OPCODES.has(op);\n}\n\n/\n Returns true if the opcode requires elevated permissions.\n /\nexport function isAdminOpcode(op: string): boolean {\n return (\n op.startsWith('ACTOR.KEY.') \|\|\n op.startsWith('ISSUER.KEY.') \|\|\n op.startsWith('IDENTITY.')\n );\n}\n","/\n AXIS Receipt Hash Construction\n * Canonical receipt chain hash — protocol invariant.\n * Any compliant implementation must produce identical hashes.\n /\nimport { createHash } from 'crypto';\n\n/* Canonical receipt effect types /\nexport type ReceiptEffect = 'ALLOW' \| 'DENY' \| 'ERROR';\n\n/\n Builds the canonical SHA-256 hash for a receipt in the chain.\n \n Field order (protocol-defined):\n * prevHash? \| pid \| actorId (utf8) \| intent (utf8) \| effect (utf8) \| ts (utf8 string)\n \n @param prevHash Previous receipt hash (null for first receipt)\n * @param pid Process/packet ID (raw bytes)\n * @param actorId Actor identifier (string)\n * @param intent Intent name (string)\n * @param effect Execution effect ('ALLOW' \| 'DENY' \| 'ERROR')\n * @param ts Timestamp as bigint (milliseconds since epoch)\n * @returns 32-byte SHA-256 hash\n /\nexport function buildReceiptHash(\n prevHash: Buffer \| null,\n pid: Buffer,\n actorId: string,\n intent: string,\n effect: ReceiptEffect,\n ts: bigint,\n): Buffer {\n const h = createHash('sha256');\n if (prevHash) h.update(prevHash);\n h.update(pid);\n h.update(Buffer.from(actorId, 'utf8'));\n h.update(Buffer.from(intent, 'utf8'));\n h.update(Buffer.from(effect, 'utf8'));\n h.update(Buffer.from(ts.toString(), 'utf8'));\n return h.digest();\n}\n","/\n AXIS Intent Sensitivity Classification\n * Protocol-level risk classification for intents.\n /\n\nexport enum IntentSensitivity {\n LOW = 1,\n MEDIUM = 2,\n HIGH = 3,\n CRITICAL = 4,\n}\n\n/\n Maps known intents to their sensitivity level.\n /\nexport const INTENT_SENSITIVITY_MAP: Record<string, IntentSensitivity> = {\n // System intents\n 'system.ping': IntentSensitivity.LOW,\n\n // Catalog intents\n 'catalog.list': IntentSensitivity.LOW,\n 'catalog.search': IntentSensitivity.LOW,\n 'catalog.intent.describe': IntentSensitivity.LOW,\n 'catalog.intent.complete': IntentSensitivity.LOW,\n\n // Stream intents\n 'stream.publish': IntentSensitivity.MEDIUM,\n 'stream.read': IntentSensitivity.MEDIUM,\n 'stream.subscribe': IntentSensitivity.MEDIUM,\n\n // File intents\n 'file.init': IntentSensitivity.MEDIUM,\n 'file.chunk': IntentSensitivity.MEDIUM,\n 'file.finalize': IntentSensitivity.MEDIUM,\n 'file.status': IntentSensitivity.LOW,\n\n // Passport intents\n 'passport.issue': IntentSensitivity.HIGH,\n 'passport.verify': IntentSensitivity.MEDIUM,\n 'passport.revoke': IntentSensitivity.CRITICAL,\n\n // Mail intents\n 'mail.send': IntentSensitivity.HIGH,\n\n // Admin intents\n 'admin.create_capsule': IntentSensitivity.CRITICAL,\n 'admin.revoke_capsule': IntentSensitivity.CRITICAL,\n 'admin.issue_node_cert': IntentSensitivity.CRITICAL,\n\n // NestFlow: Auth\n 'auth.web.login.request': IntentSensitivity.MEDIUM,\n 'auth.web.login.scan': IntentSensitivity.HIGH,\n\n // NestFlow: TickAuth\n 'tickauth.challenge.create': IntentSensitivity.MEDIUM,\n 'tickauth.challenge.fulfill': IntentSensitivity.HIGH,\n 'tickauth.challenge.reject': IntentSensitivity.MEDIUM,\n\n // NestFlow: Capsule issuance\n 'capsule.issue.login': IntentSensitivity.HIGH,\n 'capsule.issue.device_registration': IntentSensitivity.HIGH,\n 'capsule.issue.step_up': IntentSensitivity.HIGH,\n 'capsule.issue.recovery': IntentSensitivity.CRITICAL,\n\n // NestFlow: Session\n 'session.activate': IntentSensitivity.HIGH,\n 'session.refresh': IntentSensitivity.MEDIUM,\n 'session.logout': IntentSensitivity.LOW,\n\n // NestFlow: Device trust\n 'device.trust.request': IntentSensitivity.HIGH,\n 'device.trust.promote': IntentSensitivity.CRITICAL,\n 'device.revoke': IntentSensitivity.CRITICAL,\n 'device.list': IntentSensitivity.LOW,\n 'device.rename': IntentSensitivity.LOW,\n\n // NestFlow: Protected operations\n 'flow.publish': IntentSensitivity.MEDIUM,\n 'flow.delete': IntentSensitivity.HIGH,\n 'node.delete': IntentSensitivity.CRITICAL,\n 'secret.rotate': IntentSensitivity.CRITICAL,\n 'org.security.update': IntentSensitivity.CRITICAL,\n 'production.execution.approve': IntentSensitivity.CRITICAL,\n\n // NestFlow: Recovery\n 'identity.recovery.start': IntentSensitivity.CRITICAL,\n 'identity.recovery.complete': IntentSensitivity.CRITICAL,\n 'primary.device.rotate': IntentSensitivity.CRITICAL,\n 'identity.lock': IntentSensitivity.CRITICAL,\n 'identity.unlock': IntentSensitivity.CRITICAL,\n};\n\n/\n Classifies an intent's sensitivity level.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix wildcard match (realm.)\n 3. Default to MEDIUM\n /\nexport function classifyIntent(intent: string): IntentSensitivity {\n if (INTENT_SENSITIVITY_MAP[intent]) {\n return INTENT_SENSITIVITY_MAP[intent];\n }\n\n const realm = intent.split('.')[0];\n const wildcardKey = `${realm}.`;\n if (INTENT_SENSITIVITY_MAP[wildcardKey]) {\n return INTENT_SENSITIVITY_MAP[wildcardKey];\n }\n\n return IntentSensitivity.MEDIUM;\n}\n\n/*\n Returns the string name for a sensitivity level.\n /\nexport function sensitivityName(level: IntentSensitivity): string {\n switch (level) {\n case IntentSensitivity.LOW:\n return 'LOW';\n case IntentSensitivity.MEDIUM:\n return 'MEDIUM';\n case IntentSensitivity.HIGH:\n return 'HIGH';\n case IntentSensitivity.CRITICAL:\n return 'CRITICAL';\n }\n}\n","/\n AXIS Intent Timeout Configuration\n * Protocol-level per-intent execution time limits.\n /\n\n/\n Per-intent timeout configuration (milliseconds).\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_TIMEOUTS: Record<string, number> = {\n 'public.': 5000,\n 'schema.': 5000,\n 'catalog.': 5000,\n 'health.': 2000,\n\n 'file.upload': 60000,\n 'file.download': 60000,\n 'file.chunk': 30000,\n 'file.finalize': 30000,\n\n 'stream.': 30000,\n\n 'passport.': 15000,\n\n 'admin.': 30000,\n};\n\n/* Default timeout for unspecified intents /\nexport const DEFAULT_TIMEOUT = 10000;\n\n/\n Resolves the timeout for a given intent.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix pattern match (e.g. 'file.')\n 3. DEFAULT_TIMEOUT\n /\nexport function resolveTimeout(intent: string): number {\n if (INTENT_TIMEOUTS[intent]) {\n return INTENT_TIMEOUTS[intent];\n }\n\n for (const [pattern, timeout] of Object.entries(INTENT_TIMEOUTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1);\n if (intent.startsWith(prefix)) {\n return timeout;\n }\n }\n }\n\n return DEFAULT_TIMEOUT;\n}\n","/*\n AXIS Frame Shape Validator\n * Validates structural integrity of AXIS frames before cryptographic verification.\n /\n\n/\n Validates that a value has the structural shape of an AXIS Frame.\n * Checks version, required string fields, timestamp, signature envelope, and body.\n \n Note: This validates the JSON-level frame shape (v1 packet format).\n * For binary frame validation, use decodeFrame() which throws on malformed input.\n /\nexport function validateFrameShape(frame: any): boolean {\n if (!frame \|\| typeof frame !== 'object') {\n return false;\n }\n\n if (frame.v !== 1) {\n return false;\n }\n\n const requiredStrings = ['pid', 'nonce', 'actorId', 'opcode'];\n for (const key of requiredStrings) {\n if (typeof frame[key] !== 'string' \|\| frame[key].length < 6) {\n return false;\n }\n }\n\n if (typeof frame.ts !== 'number' \|\| !Number.isFinite(frame.ts)) {\n return false;\n }\n\n if (\n frame.aud !== undefined &&\n (typeof frame.aud !== 'string' \|\| frame.aud.length === 0)\n ) {\n return false;\n }\n\n if (!frame.sig \|\| typeof frame.sig !== 'object') {\n return false;\n }\n\n if (frame.sig.alg !== 'EdDSA') {\n return false;\n }\n\n if (typeof frame.sig.kid !== 'string' \|\| frame.sig.kid.length < 8) {\n return false;\n }\n\n if (typeof frame.sig.value !== 'string' \|\| frame.sig.value.length < 32) {\n return false;\n }\n\n if (typeof frame.body !== 'object' \|\| frame.body === null) {\n return false;\n }\n\n return true;\n}\n\n/\n Validates timestamp is within acceptable skew window.\n /\nexport function isTimestampValid(\n ts: number,\n skewSeconds: number = 120,\n): boolean {\n const now = Math.floor(Date.now() / 1000);\n const diff = Math.abs(now - ts);\n return diff <= skewSeconds;\n}\n","import { Inject, Injectable, Logger, Optional } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame, getSignTarget } from '../core/axis-bin';\nimport { decodeVarint, encodeVarint } from '../core/varint';\nimport { Handler } from '../decorators/handler.decorator';\nimport { Intent } from '../decorators/intent.decorator';\nimport { AxisHandler } from '../interfaces/axis-handler.interface';\nimport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from './upload.tokens';\nimport {\n UploadFileStore,\n UploadReceiptSigner,\n UploadSessionStore,\n} from './upload.types';\n\n@Handler('axis.files.download')\n@Injectable()\nexport class AxisFilesDownloadHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesDownloadHandler.name);\n\n readonly name = 'axis.files.download';\n readonly open = true;\n readonly description = 'File download handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n ) {}\n\n @Intent('file.download', { absolute: true, kind: 'read' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const h = headers;\n if (!h) throw new Error('MISSING_HEADERS');\n\n const uploadIdBytes = h.get(20);\n if (!uploadIdBytes) throw new Error('MISSING_UPLOAD_ID');\n const uploadId = new TextDecoder().decode(uploadIdBytes);\n\n let rangeStart = 0;\n let rangeLen = -1;\n\n const startBytes = h.get(21);\n if (startBytes) {\n const { value } = decodeVarint(startBytes);\n rangeStart = value;\n }\n\n const lenBytes = h.get(22);\n if (lenBytes) {\n const { value } = decodeVarint(lenBytes);\n rangeLen = value;\n }\n\n const session = await this.sessions.findByFileId(uploadId);\n if (!session) {\n throw new Error(`SESSION_NOT_FOUND: ${uploadId}`);\n }\n\n if (session.status !== 'COMPLETE') {\n throw new Error(`FILE_NOT_READY: Status is ${session.status}`);\n }\n\n const stat = await this.files.statFinal(\n uploadId,\n session.filename,\n );\n const fileSize = stat.size;\n\n if (rangeStart < 0) rangeStart = 0;\n if (rangeStart >= fileSize) throw new Error('RANGE_OUT_OF_BOUNDS');\n\n let end = fileSize;\n if (rangeLen >= 0) {\n end = Math.min(rangeStart + rangeLen, fileSize);\n }\n\n const actualLen = end - rangeStart;\n const buffer = await this.files.readFinalRange(\n uploadId,\n session.filename,\n rangeStart,\n actualLen,\n );\n\n const responseHeaders = new Map<number, Uint8Array>();\n responseHeaders.set(30, encodeVarint(fileSize));\n responseHeaders.set(31, encodeVarint(rangeStart));\n responseHeaders.set(32, encodeVarint(actualLen));\n\n return {\n ok: true,\n effect: 'FILE_PART',\n body: buffer,\n headers: responseHeaders,\n };\n }\n}\n\n@Handler('axis.files.finalize')\n@Injectable()\nexport class AxisFilesFinalizeHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesFinalizeHandler.name);\n\n readonly name = 'axis.files.finalize';\n readonly open = false;\n readonly description = 'File upload finalization handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n @Optional()\n @Inject(AXIS_UPLOAD_RECEIPT_SIGNER)\n private readonly keyring?: UploadReceiptSigner,\n ) {}\n\n @Intent('file.finalize', { absolute: true, kind: 'action' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const bodyStr = new TextDecoder().decode(body);\n const req = JSON.parse(bodyStr);\n\n const { fileId, expectedHash } = req;\n if (!fileId) throw new Error('MISSING_FILE_ID');\n\n const session = await this.sessions.findByFileId(fileId);\n if (!session) throw new Error('SESSION_NOT_FOUND');\n\n if (!(await this.files.hasTemp(fileId))) {\n throw new Error('CHUNKS_NOT_FOUND');\n }\n\n const hash = crypto.createHash('sha256');\n const rs = this.files.createTempReadStream(fileId);\n for await (const chunk of rs) {\n hash.update(chunk as Buffer);\n }\n const finalHash = hash.digest('hex');\n\n if (expectedHash && finalHash !== expectedHash) {\n throw new Error('HASH_MISMATCH');\n }\n\n const finalPath = await this.files.moveTempToFinal(\n fileId,\n session.filename,\n );\n\n await this.sessions.updateStatus(fileId, 'COMPLETE', null);\n\n if (!this.keyring) {\n this.logger.warn('Receipt signer not configured; returning unsigned receipt');\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n body: new TextEncoder().encode(\n JSON.stringify({\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n path: finalPath,\n }),\n ),\n };\n }\n\n const receiptData = {\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n };\n\n const receiptJson = JSON.stringify(receiptData);\n const receiptBody = new TextEncoder().encode(receiptJson);\n\n const SIG_PRESENT = 0x01;\n const responseFrame: AxisFrame = {\n flags: SIG_PRESENT,\n headers: new Map(),\n body: receiptBody,\n sig: new Uint8Array(0),\n };\n\n const signTarget = getSignTarget(responseFrame);\n const { sig, kid } = this.keyring.signActive(signTarget);\n responseFrame.sig = sig;\n\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n data: encodeFrame(responseFrame),\n headers: new Map([[1, new TextEncoder().encode(kid)]]),\n };\n }\n}\n","export const AXIS_UPLOAD_SESSION_STORE = 'AXIS_UPLOAD_SESSION_STORE';\nexport const AXIS_UPLOAD_FILE_STORE = 'AXIS_UPLOAD_FILE_STORE';\nexport const AXIS_UPLOAD_RECEIPT_SIGNER = 'AXIS_UPLOAD_RECEIPT_SIGNER';\n","import * as fs from 'fs';\nimport * as path from 'path';\n\nimport { UploadFileStat, UploadFileStore } from './upload.types';\n\nexport interface DiskUploadFileStoreOptions {\n uploadDir: string;\n chunkDir: string;\n}\n\nexport class DiskUploadFileStore implements UploadFileStore {\n private readonly uploadDir: string;\n private readonly chunkDir: string;\n\n constructor(options: DiskUploadFileStoreOptions) {\n this.uploadDir = options.uploadDir;\n this.chunkDir = options.chunkDir;\n }\n\n getFinalPath(fileId: string, filename?: string): string {\n const safeFilename = filename ? path.basename(filename) : fileId;\n return path.join(this.uploadDir, safeFilename);\n }\n\n getTempPath(fileId: string): string {\n const safeId = path.basename(fileId);\n return path.join(this.chunkDir, safeId);\n }\n\n async statFinal(\n fileId: string,\n filename?: string,\n ): Promise<UploadFileStat> {\n const finalPath = this.getFinalPath(fileId, filename);\n if (!fs.existsSync(finalPath)) {\n throw new Error('FILE_MISSING_ON_DISK');\n }\n const stat = fs.statSync(finalPath);\n return { path: finalPath, size: stat.size };\n }\n\n async readFinalRange(\n fileId: string,\n filename: string \| undefined,\n start: number,\n length: number,\n ): Promise<Buffer> {\n const finalPath = this.getFinalPath(fileId, filename);\n const buffer = Buffer.alloc(length);\n const fd = fs.openSync(finalPath, 'r');\n try {\n fs.readSync(fd, buffer, 0, length, start);\n } finally {\n fs.closeSync(fd);\n }\n return buffer;\n }\n\n async hasTemp(fileId: string): Promise<boolean> {\n const tempPath = this.getTempPath(fileId);\n return fs.existsSync(tempPath);\n }\n\n async moveTempToFinal(\n fileId: string,\n filename?: string,\n ): Promise<string> {\n const tempPath = this.getTempPath(fileId);\n const finalPath = this.getFinalPath(fileId, filename);\n\n try {\n await fs.promises.rename(tempPath, finalPath);\n } catch {\n await fs.promises.copyFile(tempPath, finalPath);\n await fs.promises.unlink(tempPath);\n }\n\n return finalPath;\n }\n\n createTempReadStream(fileId: string): NodeJS.ReadableStream {\n const tempPath = this.getTempPath(fileId);\n return fs.createReadStream(tempPath);\n }\n}\n","export * from './constants';\nexport * from './varint';\nexport * from './tlv';\nexport * from './axis-bin';\nexport * from './signature';\nexport * from './axis-error';\n","export class AxisError extends Error {\n constructor(\n public code: string,\n message: string,\n public httpStatus: number = 400,\n public details?: Record<string, any>,\n ) {\n super(message);\n this.name = 'AxisError';\n }\n}\n","export * from './b64url';\nexport * from './canonical-json';\nexport * from './types';\nexport * from './proof-verification.service';\n","import { Injectable, Logger } from '@nestjs/common';\nimport * as crypto from 'crypto';\nimport * as nacl from 'tweetnacl';\n\n/*\n Proof Verification Service\n \n Verifies proof types according to AXIS spec:\n * - CAPSULE (1): Capability token verification\n * - JWT (2): JSON Web Token verification\n * - MTLS_ID (3): mTLS client certificate verification\n * - DEVICE_SE (4): Device Secure Element signature verification\n \n Related: AXIS spec - Proof Types\n /\n\nexport type ProofType = 1 \| 2 \| 3 \| 4; // CAPSULE, JWT, MTLS_ID, DEVICE_SE\n\nexport interface ProofVerificationResult {\n valid: boolean;\n actorId?: string;\n error?: string;\n metadata?: Record<string, any>;\n}\n\nexport interface MTLSContext {\n clientCertPem?: string;\n clientCertFingerprint?: string;\n clientCertSubject?: string;\n clientCertIssuer?: string;\n verified?: boolean;\n}\n\nexport interface DeviceSEContext {\n deviceId: string;\n signature: Uint8Array;\n publicKey: Uint8Array;\n challenge?: Uint8Array;\n}\n\n@Injectable()\nexport class ProofVerificationService {\n private readonly logger = new Logger(ProofVerificationService.name);\n\n // Cache of registered device public keys (deviceId -> pubKey)\n private readonly deviceKeys = new Map<string, Uint8Array>();\n\n // Cache of trusted mTLS certificate fingerprints\n private readonly trustedCerts = new Map<\n string,\n { actorId: string; issuedAt: number }\n >();\n\n /\n Verifies an authentication proof based on its type.\n \n Supported Types:\n * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`\n * - 2 (JWT): Verified by `verifyJWTProof`\n * - 3 (MTLS_ID): Verified by `verifyMTLSProof`\n * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`\n \n @param {ProofType} proofType - The numeric AXIS proof type\n * @param {Uint8Array} proofRef - The binary reference or token for the proof\n * @param {Object} context - Additional metadata required for specific proof types\n * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)\n * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)\n * @param {MTLSContext} [context.mtls] - mTLS certificate data\n * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information\n * @returns {Promise<ProofVerificationResult>} The outcome of the verification\n /\n async verifyProof(\n proofType: ProofType,\n proofRef: Uint8Array,\n context: {\n signTarget?: Uint8Array;\n signature?: Uint8Array;\n mtls?: MTLSContext;\n deviceSE?: DeviceSEContext;\n },\n ): Promise<ProofVerificationResult> {\n switch (proofType) {\n case 1: // CAPSULE\n return this.verifyCapsuleProof(proofRef);\n case 2: // JWT\n return this.verifyJWTProof(proofRef);\n case 3: // MTLS_ID\n return this.verifyMTLSProof(context.mtls);\n case 4: // DEVICE_SE\n return this.verifyDeviceSEProof(\n context.signTarget,\n context.signature,\n context.deviceSE,\n );\n default:\n return { valid: false, error: `Unknown proof type: ${proofType}` };\n }\n }\n\n /\n Verify CAPSULE proof (delegated to CapsuleService)\n /\n private async verifyCapsuleProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n // Capsule verification is handled by CapsuleService\n // This is a pass-through that returns valid to signal capsule processing\n const capsuleId = new TextDecoder().decode(proofRef);\n return {\n valid: true,\n metadata: { capsuleId, requiresCapsuleValidation: true },\n };\n }\n\n /\n Verifies a JSON Web Token (JWT) proof.\n \n Validation Logic:\n * 1. Decodes the token string.\n * 2. Checks for valid 3-part JWT structure.\n * 3. Validates `exp` (expiration) and `nbf` (not before) claims.\n * 4. Extracts `actor_id` or `sub` as the identity.\n \n @param {Uint8Array} proofRef - Binary representation of the JWT string\n * @returns {Promise<ProofVerificationResult>} Result including the actor identifier\n /\n private async verifyJWTProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n try {\n const token = new TextDecoder().decode(proofRef);\n const parts = token.split('.');\n\n if (parts.length !== 3) {\n return { valid: false, error: 'Invalid JWT format' };\n }\n\n // Decode header and payload\n const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());\n const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());\n\n // Check expiration\n if (payload.exp && Date.now() / 1000 > payload.exp) {\n return { valid: false, error: 'JWT expired' };\n }\n\n // Check not before\n if (payload.nbf && Date.now() / 1000 < payload.nbf) {\n return { valid: false, error: 'JWT not yet valid' };\n }\n\n // For production: verify signature against known keys\n // For now, we trust the JWT if it has valid structure and timing\n return {\n valid: true,\n actorId: payload.sub \|\| payload.actor_id,\n metadata: { iss: payload.iss, scope: payload.scope },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return { valid: false, error: `JWT parse error: ${message}` };\n }\n }\n\n /\n Verify mTLS client certificate proof\n /\n private async verifyMTLSProof(\n mtls?: MTLSContext,\n ): Promise<ProofVerificationResult> {\n if (!mtls) {\n return { valid: false, error: 'No mTLS context provided' };\n }\n\n // Check if connection was verified by TLS layer\n if (!mtls.verified) {\n return { valid: false, error: 'mTLS not verified by TLS terminator' };\n }\n\n // Check certificate fingerprint against trusted list\n if (mtls.clientCertFingerprint) {\n const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);\n if (trusted) {\n return {\n valid: true,\n actorId: trusted.actorId,\n metadata: {\n fingerprint: mtls.clientCertFingerprint,\n subject: mtls.clientCertSubject,\n },\n };\n }\n }\n\n // Extract actor ID from certificate subject (CN field)\n if (mtls.clientCertSubject) {\n const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);\n if (cnMatch) {\n return {\n valid: true,\n actorId: cnMatch[1],\n metadata: {\n subject: mtls.clientCertSubject,\n issuer: mtls.clientCertIssuer,\n },\n };\n }\n }\n\n return { valid: false, error: 'Could not extract actor from certificate' };\n }\n\n /\n Verify Device Secure Element signature\n /\n private async verifyDeviceSEProof(\n signTarget?: Uint8Array,\n signature?: Uint8Array,\n deviceSE?: DeviceSEContext,\n ): Promise<ProofVerificationResult> {\n if (!deviceSE \|\| !signTarget \|\| !signature) {\n return { valid: false, error: 'Missing Device SE context' };\n }\n\n // Get registered public key for device\n let publicKey = deviceSE.publicKey;\n\n // If device is pre-registered, use registered key\n const registeredKey = this.deviceKeys.get(deviceSE.deviceId);\n if (registeredKey) {\n publicKey = registeredKey;\n }\n\n if (!publicKey \|\| publicKey.length !== 32) {\n return {\n valid: false,\n error: 'Invalid or unregistered device public key',\n };\n }\n\n // Verify Ed25519 signature\n try {\n const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);\n\n if (!valid) {\n return { valid: false, error: 'Device signature verification failed' };\n }\n\n return {\n valid: true,\n actorId: deviceSE.deviceId,\n metadata: { deviceId: deviceSE.deviceId, proofType: 'DEVICE_SE' },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return {\n valid: false,\n error: `Signature verification error: ${message}`,\n };\n }\n }\n\n /\n Registers a public key for a trusted device.\n * This key will be used for future `DEVICE_SE` proof verifications.\n \n @param {string} deviceId - Unique identifier for the device\n * @param {Uint8Array} publicKey - 32-byte Ed25519 public key\n * @throws {Error} If the public key is not 32 bytes\n /\n registerDeviceKey(deviceId: string, publicKey: Uint8Array): void {\n if (publicKey.length !== 32) {\n throw new Error('Device public key must be 32 bytes (Ed25519)');\n }\n this.deviceKeys.set(deviceId, publicKey);\n this.logger.log(`Registered device key for ${deviceId}`);\n }\n\n /\n Unregister a device\n /\n unregisterDevice(deviceId: string): boolean {\n return this.deviceKeys.delete(deviceId);\n }\n\n /\n Registers a trusted mTLS certificate fingerprint and associates it with an actor.\n \n @param {string} fingerprint - SHA-256 fingerprint of the client certificate\n * @param {string} actorId - The actor to associate with this certificate\n /\n registerMTLSCert(fingerprint: string, actorId: string): void {\n this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });\n this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);\n }\n\n /\n Revoke an mTLS certificate\n /\n revokeMTLSCert(fingerprint: string): boolean {\n return this.trustedCerts.delete(fingerprint);\n }\n\n /\n Calculate certificate fingerprint (SHA-256)\n /\n static calculateFingerprint(certPem: string): string {\n // Extract DER from PEM\n const der = Buffer.from(\n certPem\n .replace(/-----BEGIN CERTIFICATE-----/, '')\n .replace(/-----END CERTIFICATE-----/, '')\n .replace(/\\s/g, ''),\n 'base64',\n );\n return crypto.createHash('sha256').update(der).digest('hex');\n }\n}\n","export from './axis-request.decorator';\nexport * from './dto-schema.util';\nexport * from './handler.decorator';\nexport * from './intent-body.decorator';\nexport * from './intent-sensors.decorator';\nexport * from './intent.decorator';\nexport * from './sensor.decorator';\nexport * from './tlv-field.decorator';\n","import { createParamDecorator, ExecutionContext } from '@nestjs/common';\nimport { Request } from 'express';\nimport type { AxisDecoded } from '../engine/axis-decoded';\n\n/*\n Shape of the AXIS-specific data attached to the request by AxisSensorsMiddleware.\n /\nexport interface AxisRequestData {\n /* Raw binary frame body (full buffer after streaming) /\n raw: Buffer;\n /* Resolved client IP address /\n ip: string \| undefined;\n /* Pre-decode sensor context (risk score, metadata) /\n preDecodeInput: any;\n /* Total frame bytes received /\n frameBytesCount: number;\n}\n\n/\n Resolves the client IP from request headers, respecting common proxy headers.\n /\nfunction resolveIp(req: Request): string \| undefined {\n return (\n (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() \|\|\n (req.headers['x-real-ip'] as string) \|\|\n req.socket.remoteAddress \|\|\n undefined\n );\n}\n\n/\n @AxisRaw() — Extracts the raw binary Buffer from an AXIS request.\n \n Equivalent to NestJS `@Body()` but for the AXIS binary protocol.\n * The buffer has already passed streaming validation (magic bytes, size limits)\n * via AxisSensorsMiddleware before reaching the controller.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisRaw() raw: Buffer) {\n * return this.axis.process(raw, { ... });\n * }\n * ```\n /\nexport const AxisRaw = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): Buffer => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.body as Buffer;\n },\n);\n\n/\n @AxisIp() — Extracts the resolved client IP address.\n \n Checks `x-forwarded-for`, `x-real-ip`, and `socket.remoteAddress` in order.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisIp() ip: string \| undefined) { ... }\n * ```\n /\nexport const AxisIp = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return resolveIp(req);\n },\n);\n\n/\n @AxisContext() — Extracts the full AXIS request context.\n \n Returns the pre-decode sensor input and frame metadata attached by\n * AxisSensorsMiddleware. Useful when a controller needs risk scores or\n * other pre-decode metadata.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisContext() ctx: AxisRequestData) {\n * console.log(ctx.frameBytesCount, ctx.preDecodeInput.metadata.riskScore);\n * }\n * ```\n /\nexport const AxisContext = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisRequestData => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const axisData = (req as any).axis \|\| {};\n return {\n raw: req.body as Buffer,\n ip: resolveIp(req),\n preDecodeInput: axisData.preDecodeInput,\n frameBytesCount: axisData.frameBytesCount \|\| 0,\n };\n },\n);\n\n/\n @AxisDemoPubkey() — Extracts the demo public key header (development only).\n \n Returns `undefined` in non-development environments, blocking the header\n * at the decorator level.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisDemoPubkey() demoPubkeyHex: string \| undefined) { ... }\n * ```\n /\nexport const AxisDemoPubkey = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n if (process.env.NODE_ENV !== 'development') return undefined;\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.headers['x-demo-pubkey'] as string \| undefined;\n },\n);\n\n/\n @AxisFrame() — Extracts the decoded + validated AXIS frame from the request.\n \n Requires `AxisDecodeInterceptor` to be applied to the route/controller.\n * The interceptor calls `AxisService.decode()` and attaches the result to `req.axisDecoded`.\n \n Returns the full `AxisDecoded` object containing the decoded frame, packet,\n * AxisContext, sensor input, and correlation IDs.\n \n @example\n * ```typescript\n * @Post('v1/decoded')\n * @UseInterceptors(AxisDecodeInterceptor)\n * async handle(@AxisFrame() decoded: AxisDecoded) {\n * return this.axis.execute(decoded);\n * }\n * ```\n /\nexport const AxisFrame = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisDecoded => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const decoded = (req as any).axisDecoded as AxisDecoded \| undefined;\n if (!decoded) {\n throw new Error(\n '@AxisFrame() requires AxisDecodeInterceptor on the route. ' +\n 'Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator.',\n );\n }\n return decoded;\n },\n);\n","import { SetMetadata } from '@nestjs/common';\n\nexport const SENSOR_METADATA_KEY = 'axis:sensor';\n\nexport type SensorPhase = 'PRE_DECODE' \| 'POST_DECODE';\n\nexport interface SensorOptions {\n /* Explicit phase override. If omitted, auto-derived from order at bootstrap. /\n phase?: SensorPhase;\n}\n\n/\n Marks a class as an AXIS sensor for auto-registration.\n \n The SensorDiscoveryService finds all @Sensor() classes at bootstrap\n * and registers them with the SensorRegistry automatically.\n \n Sensors still declare `name`, `order`, `supports()`, and `run()` as\n * instance members. The decorator replaces manual `registry.register(this)`\n * in `onModuleInit()`.\n \n Phase can be set explicitly via options or auto-derived from order:\n * < PRE_DECODE_BOUNDARY (40) = PRE_DECODE, >= 40 = POST_DECODE.\n \n @example\n * ```typescript\n * @Sensor({ phase: 'PRE_DECODE' })\n * @Injectable()\n * export class WireSensor implements AxisSensor {\n * readonly name = 'WireSensor';\n * readonly order = BAND.WIRE + 10;\n * }\n \n @Sensor() // phase auto-derived as POST_DECODE\n * @Injectable()\n * export class PolicySensor implements AxisSensor {\n * readonly name = 'PolicySensor';\n * readonly order = BAND.POLICY + 10;\n * }\n * ```\n /\nexport function Sensor(options?: SensorOptions): ClassDecorator {\n return SetMetadata(SENSOR_METADATA_KEY, options ?? true);\n}\n","export from './axis-decoded';\nexport * from './axis-observation';\nexport * from './handler-discovery.service';\nexport * from './intent.router';\nexport * from './sensor-bands';\nexport * from './sensor-discovery.service';\nexport * from './registry/sensor.registry';\n","import { randomBytes } from 'crypto';\n\n/* ─── Stage ─── /\n\nexport interface ObservationStage {\n name: string;\n status: 'ok' \| 'fail' \| 'skip';\n startMs: number;\n endMs?: number;\n durationMs?: number;\n reason?: string;\n code?: string;\n}\n\n/ ─── Sensor Record ─── /\n\nexport interface ObservationSensor {\n name: string;\n allowed: boolean;\n riskScore: number;\n durationMs: number;\n reasons: string[];\n code?: string;\n}\n\n/ ─── Observation (the execution witness) ─── /\n\nexport interface AxisObservation {\n /* Correlation ID (hex) /\n id: string;\n /* High-res start timestamp /\n startMs: number;\n /* Transport origin /\n transport: 'http' \| 'ws';\n /* Client IP /\n ip?: string;\n /* Resolved intent /\n intent?: string;\n /* Actor ID (hex) /\n actorId?: string;\n /* Capsule ID /\n capsuleId?: string;\n\n /* Pipeline stages with timing /\n stages: ObservationStage[];\n /* Individual sensor decisions /\n sensors: ObservationSensor[];\n\n /* Final decision /\n decision?: 'ALLOW' \| 'DENY';\n /* Machine-readable result code /\n resultCode?: string;\n /* HTTP status code /\n statusCode?: number;\n\n /* End timestamp /\n endMs?: number;\n /* Total duration /\n durationMs?: number;\n\n /* Extensible facts for downstream (receipt builder, audit, etc.) /\n facts: Record<string, unknown>;\n}\n\n/ ─── Factory ─── /\n\nexport function createObservation(\n transport: 'http' \| 'ws',\n ip?: string,\n): AxisObservation {\n return {\n id: randomBytes(16).toString('hex'),\n startMs: Date.now(),\n transport,\n ip,\n stages: [],\n sensors: [],\n facts: {},\n };\n}\n\n/ ─── Stage helpers ─── /\n\nexport function startStage(\n obs: AxisObservation,\n name: string,\n): ObservationStage {\n const stage: ObservationStage = { name, status: 'ok', startMs: Date.now() };\n obs.stages.push(stage);\n return stage;\n}\n\nexport function endStage(\n stage: ObservationStage,\n status: 'ok' \| 'fail' \| 'skip' = 'ok',\n reason?: string,\n code?: string,\n): void {\n stage.endMs = Date.now();\n stage.durationMs = stage.endMs - stage.startMs;\n stage.status = status;\n if (reason) stage.reason = reason;\n if (code) stage.code = code;\n}\n\n/ ─── Sensor recording (called by chain service) ─── /\n\nexport function recordSensor(\n obs: AxisObservation,\n name: string,\n allowed: boolean,\n riskScore: number,\n durationMs: number,\n reasons: string[],\n code?: string,\n): void {\n obs.sensors.push({ name, allowed, riskScore, durationMs, reasons, code });\n}\n\n/ ─── Finalize ─── /\n\nexport function finalizeObservation(\n obs: AxisObservation,\n decision: 'ALLOW' \| 'DENY',\n statusCode: number,\n resultCode?: string,\n): void {\n obs.endMs = Date.now();\n obs.durationMs = obs.endMs - obs.startMs;\n obs.decision = decision;\n obs.statusCode = statusCode;\n if (resultCode) obs.resultCode = resultCode;\n}\n","import { Injectable, Logger, OnModuleInit } from '@nestjs/common';\nimport { DiscoveryService, MetadataScanner } from '@nestjs/core';\n\nimport { HANDLER_METADATA_KEY } from '../decorators/handler.decorator';\nimport { INTENT_METADATA_KEY } from '../decorators/intent.decorator';\nimport { IntentRouter } from './intent.router';\n\n/\n HandlerDiscoveryService\n \n Automatically discovers all `@Handler`-decorated classes at bootstrap\n * and registers their `@Intent`-decorated methods with the IntentRouter.\n \n This eliminates the need for every handler to inject IntentRouter and\n * manually call `router.register()` or `router.registerHandler()` in onModuleInit.\n \n Before (manual, per-handler boilerplate):\n * ```typescript\n * onModuleInit() {\n * this.router.register('axis.capsules.create', this.create.bind(this));\n * this.router.register('axis.capsules.list', this.findAll.bind(this));\n * // ... repeated for every intent in every handler\n * }\n * ```\n \n After (zero-config):\n * ```typescript\n * @Handler('axis.capsules')\n * export class AxisCapsulesHandler {\n * @Intent('axis.capsules.create', { absolute: true })\n * async create(body: Uint8Array) { ... }\n * }\n * // That's it — no onModuleInit, no router injection\n * ```\n /\n@Injectable()\nexport class HandlerDiscoveryService implements OnModuleInit {\n private readonly logger = new Logger(HandlerDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly scanner: MetadataScanner,\n private readonly router: IntentRouter,\n ) {}\n\n onModuleInit() {\n const providers = this.discovery.getProviders();\n let totalIntents = 0;\n\n for (const wrapper of providers) {\n const { instance, metatype } = wrapper;\n if (!instance \|\| !metatype) continue;\n\n // Check if the class has @Handler metadata\n const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);\n if (!handlerMeta) continue;\n\n const handlerName = handlerMeta.intent \|\| metatype.name;\n const proto = Object.getPrototypeOf(instance);\n const methods = this.scanner.getAllMethodNames(proto);\n let registered = 0;\n\n for (const methodName of methods) {\n const meta = Reflect.getMetadata(\n INTENT_METADATA_KEY,\n proto,\n methodName,\n );\n if (!meta?.intent) continue;\n\n // Only auto-register if the router doesn't already have this intent\n // (allows manual registration in onModuleInit to take precedence)\n if (!this.router.has(meta.intent)) {\n this.router.register(\n meta.intent,\n (instance as any)[methodName].bind(instance),\n );\n registered++;\n totalIntents++;\n }\n\n // Always register metadata (@IntentBody, @IntentSensors) —\n // even for manually-registered intents\n this.router.registerIntentMeta(meta.intent, proto, methodName);\n }\n\n if (registered > 0) {\n this.logger.log(\n `Auto-registered ${registered} intents from ${handlerName}`,\n );\n }\n }\n\n this.logger.log(\n `Handler discovery complete: ${totalIntents} intents auto-registered`,\n );\n }\n}\n","/\n Sensor Execution Bands\n \n Semantic groupings for the AXIS sensor chain.\n * Each band has 50–100 slots for ordering sensors within it.\n \n WIRE (0–39): Raw bytes, no decode. PRE_DECODE phase.\n * IDENTITY (40–89): Who is this? IP, access, proof, capsule. POST_DECODE.\n * POLICY (90–139): Are they allowed? Sig, capability, rate limit. POST_DECODE.\n * CONTENT (140–199): What's in the frame? TLV, body, schema, files. POST_DECODE.\n * BUSINESS (200–299): Business context. Stream, WS, timeout. POST_DECODE.\n * AUDIT (900+): Finalization, logging. POST_DECODE.\n /\nexport const BAND = {\n /* Pre-decode: raw byte validation, geo, budget, magic /\n WIRE: 0,\n /* Post-decode: identity resolution, capsule, proof /\n IDENTITY: 40,\n /* Post-decode: authorization, signature, rate limiting /\n POLICY: 90,\n /* Post-decode: content validation, TLV, schema, files /\n CONTENT: 140,\n /* Post-decode: business logic sensors, streams, WS /\n BUSINESS: 200,\n /* Post-decode: audit, logging (always last) /\n AUDIT: 900,\n} as const;\n\nexport type SensorBand = keyof typeof BAND;\n\n/* Sensors with order below this boundary run in PRE_DECODE phase (middleware) /\nexport const PRE_DECODE_BOUNDARY = 40;\n","import { Injectable, Logger, OnApplicationBootstrap } from '@nestjs/common';\nimport { DiscoveryService, Reflector } from '@nestjs/core';\n\nimport {\n SENSOR_METADATA_KEY,\n SensorOptions,\n} from '../decorators/sensor.decorator';\nimport { SensorRegistry } from './registry/sensor.registry';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { PRE_DECODE_BOUNDARY } from './sensor-bands';\n\n/\n Discovers all providers decorated with @Sensor() and registers them\n * in the SensorRegistry at application bootstrap.\n \n Runs after all onModuleInit() calls, so config-reading sensors\n * have their settings loaded before registration.\n /\n@Injectable()\nexport class SensorDiscoveryService implements OnApplicationBootstrap {\n private readonly logger = new Logger(SensorDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly reflector: Reflector,\n private readonly registry: SensorRegistry,\n ) {}\n\n onApplicationBootstrap() {\n const providers = this.discovery.getProviders();\n let count = 0;\n\n for (const wrapper of providers) {\n const { instance } = wrapper;\n if (!instance \|\| !instance.constructor) continue;\n\n const meta = this.reflector.get<SensorOptions \| true>(\n SENSOR_METADATA_KEY,\n instance.constructor,\n );\n if (!meta) continue;\n\n const sensor = instance as AxisSensor;\n\n if (!sensor.name \|\| sensor.order === undefined) {\n this.logger.warn(\n `@Sensor() on ${instance.constructor.name} missing name or order — skipped`,\n );\n continue;\n }\n\n // Phase priority: decorator option > instance property > auto-derive from order\n if (!sensor.phase) {\n const decoratorPhase = meta !== true ? meta.phase : undefined;\n (sensor as any).phase =\n decoratorPhase ??\n (sensor.order < PRE_DECODE_BOUNDARY ? 'PRE_DECODE' : 'POST_DECODE');\n }\n\n this.registry.register(sensor);\n count++;\n }\n\n this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport {\n AxisSensor,\n AxisPreSensor,\n AxisPostSensor,\n} from '../../sensor/axis-sensor';\n\n/\n AxisSensor Registry\n \n A central registry for all AXIS security sensors.\n * Sensors register themselves here during module initialization (onModuleInit).\n * The registry provides a list of sensors sorted by their execution priority (order).\n \n Supports phase-based filtering to separate pre-decode (middleware) from\n * post-decode (controller) sensors.\n \n PHASE SEPARATION:\n * - Pre-decode (order < 40): Run in middleware on raw bytes\n * - Post-decode (order >= 40): Run in controller on decoded frame\n \n @class SensorRegistry\n * @injectable\n /\n@Injectable()\nexport class SensorRegistry {\n private sensors: AxisSensor[] = [];\n private readonly logger = new Logger(SensorRegistry.name);\n\n constructor(private readonly configService: ConfigService) {}\n\n /\n Registers a new sensor in the registry.\n \n Validates that:\n * - AxisSensor has a unique name\n * - AxisSensor has an order field\n * - Pre-decode sensors have order < 40\n * - Post-decode sensors have order >= 40\n \n @param {AxisSensor} sensor - The sensor instance to register\n * @throws Error if validation fails\n /\n register(sensor: AxisSensor): void {\n // Validation\n if (!sensor.name) {\n throw new Error('AxisSensor must have a name');\n }\n\n // Check environment variables for filtering\n const enabledSensorsStr = this.configService.get<string>('ENABLED_SENSORS');\n const disabledSensorsStr =\n this.configService.get<string>('DISABLED_SENSORS');\n\n const enabledSensors = enabledSensorsStr\n ? enabledSensorsStr.split(',').map((s) => s.trim())\n : null;\n const disabledSensors = disabledSensorsStr\n ? disabledSensorsStr.split(',').map((s) => s.trim())\n : [];\n\n if (enabledSensors && !enabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (disabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (sensor.order === undefined) {\n throw new Error(`AxisSensor \"${sensor.name}\" must have an order field`);\n }\n\n // Check for phase consistency\n const isPreDecodeSensor = this.isPreDecodeSensor(sensor);\n const isPostDecodeSensor = this.isPostDecodeSensor(sensor);\n\n if (isPreDecodeSensor && sensor.order >= 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`,\n );\n }\n if (isPostDecodeSensor && sensor.order < 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`,\n );\n }\n\n this.sensors.push(sensor);\n const phaseLabel =\n typeof sensor.phase === 'string'\n ? sensor.phase\n : sensor.phase?.phase \|\| 'UNKNOWN';\n this.logger.debug(\n `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`,\n );\n }\n\n /\n Returns all registered sensors, sorted by their execution order.\n \n @returns {AxisSensor[]} A sorted array of sensors\n /\n list(): AxisSensor[] {\n return [...this.sensors].sort(\n (a, b) => (a.order ?? 999) - (b.order ?? 999),\n );\n }\n\n /\n Returns only pre-decode sensors (order < 40).\n * These sensors run in middleware on raw bytes before frame decoding.\n \n @returns {AxisPreSensor[]} Pre-decode sensors sorted by order\n /\n getPreDecodeSensors(): AxisPreSensor[] {\n return this.list().filter((s): s is AxisPreSensor => (s.order ?? 999) < 40);\n }\n\n /\n Returns only post-decode sensors (order >= 40).\n * These sensors run in the controller on fully decoded frames.\n \n @returns {AxisPostSensor[]} Post-decode sensors sorted by order\n /\n getPostDecodeSensors(): AxisPostSensor[] {\n return this.list().filter(\n (s): s is AxisPostSensor => (s.order ?? 999) >= 40,\n );\n }\n\n /\n Helper: Check if a sensor is a pre-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is pre-decode\n /\n private isPreDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'PRE_DECODE' \|\| (sensor.order ?? 999) < 40;\n }\n\n /\n Helper: Check if a sensor is a post-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is post-decode\n /\n private isPostDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'POST_DECODE' \|\| (sensor.order ?? 999) >= 40;\n }\n\n /\n Returns sensor count by phase.\n * Useful for diagnostics and monitoring.\n \n @returns {{preDecodeCount: number, postDecodeCount: number}}\n /\n getSensorCountByPhase(): { preDecodeCount: number; postDecodeCount: number } {\n return {\n preDecodeCount: this.getPreDecodeSensors().length,\n postDecodeCount: this.getPostDecodeSensors().length,\n };\n }\n\n /\n Clears all registered sensors.\n * Useful for testing.\n \n @internal\n /\n clear(): void {\n this.sensors = [];\n }\n}\n","export from './loom.types';\n","/*\n Loom Runtime - Lawful Execution Types\n \n Core type definitions for the Loom execution engine.\n * Loom replaces traditional auth with \"Lawful Execution\":\n * - Presence: Liveness proof (replaces login/sessions)\n * - Writ: Executable intent (replaces JWT)\n * - Grant: Standing permission (replaces RBAC)\n * - Receipt: Proof of execution (hash-chained)\n /\n\n// ============================================================================\n// Presence Types (Liveness State)\n// ============================================================================\n\nexport interface PresenceDeclaration {\n /* SoftID of the entity resuming presence (e.g., \"~ayesh#work\") /\n softid: string;\n /* Optional device metadata for scope binding /\n device_meta?: {\n fingerprint?: string;\n platform?: string;\n user_agent?: string;\n };\n}\n\nexport interface PresenceChallenge {\n /* Unique challenge identifier /\n challenge_id: string;\n /* High-entropy random nonce (32-byte hex) /\n nonce: string;\n /* Server's current Unix timestamp in milliseconds (temporal anchor) /\n temporal_anchor: number;\n /* Time-to-live for response in milliseconds (default 5000ms) /\n ttl_ms: number;\n /* Challenge expiry timestamp /\n expires_at: number;\n}\n\nexport interface PresenceProof {\n /* Challenge ID being answered /\n challenge_id: string;\n /* Ed25519 signature over canonical(nonce + temporal_anchor + device_meta) /\n signature: string;\n /* Public key corresponding to the SoftID /\n public_key: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface PresenceReceipt {\n /* Presence ID - hash of the completed handshake /\n presence_id: string;\n /* SoftID that established presence /\n softid: string;\n /* Anchor Reflection ID for logs (privacy-preserving) /\n anchor_reflection: string;\n /* Scope constraints for this presence /\n scope: {\n ip?: string;\n device_fingerprint?: string;\n };\n /* When presence was established (Unix timestamp ms) /\n issued_at: number;\n /* When presence expires (Unix timestamp ms) /\n expires_at: number;\n /* Last renewal timestamp (updated on successful Writ execution) /\n renewed_at?: number;\n}\n\nexport type PresenceStatus = 'active' \| 'expired' \| 'revoked';\n\n// ============================================================================\n// Writ Types (Executable Intent)\n// ============================================================================\n\nexport interface WritHead {\n /* Thread ID - derived from actor, groups related writs /\n tid: string;\n /* Sequence number within the thread /\n seq: number;\n}\n\nexport interface WritBody {\n /* SoftID of the actor (Anchor or Shadow) /\n who: string;\n /* Operation Execution Code (e.g., \"dns.write\", \"file.upload\") /\n act: string;\n /* Resource target (e.g., \"zone:example.com\", \"bucket:uploads\") /\n res: string;\n /* Grant reference - grant_id or \"self\" for sovereign actions /\n law: string;\n}\n\nexport interface WritMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Previous receipt hash (thread continuity) - empty string for first writ /\n prev: string;\n}\n\nexport interface WritSignature {\n /* Signature algorithm /\n alg: 'ed25519';\n /* Base64-encoded signature value /\n value: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface Writ {\n head: WritHead;\n body: WritBody;\n meta: WritMeta;\n sig: WritSignature;\n}\n\n// ============================================================================\n// Grant Types (Standing Permission / Law)\n// ============================================================================\n\nexport type GrantType = 'sovereign' \| 'delegated' \| 'system';\n\nexport interface GrantCapability {\n /* Operation Execution Code this grant allows /\n oec: string;\n /* Resource scope constraint (e.g., \"zone:.example.com\") /\n scope: string;\n /** Optional quantitative limits /\n limit?: {\n /* Rate limit (e.g., \"10/min\", \"100/day\") /\n rate?: string;\n /* Maximum amount/count /\n amount?: number;\n /* Depth constraint (e.g., \"subdomains_only\") /\n depth?: string;\n };\n}\n\nexport interface GrantMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Whether this grant can be revoked /\n revocable: boolean;\n /* Version number for updates /\n version: number;\n /* Optional Digital Fabric contract reference /\n contract_ref?: string;\n}\n\nexport interface Grant {\n /* Unique grant identifier /\n grant_id: string;\n /* SoftID of the authority who issued this grant /\n issuer: string;\n /* SoftID of the grantee /\n subject: string;\n /* Grant type /\n grant_type: GrantType;\n /* Array of capabilities this grant provides /\n caps: GrantCapability[];\n /* Grant metadata /\n meta: GrantMeta;\n /* Signature over the grant /\n sig: WritSignature;\n}\n\nexport type GrantStatus = 'active' \| 'revoked' \| 'expired';\n\n// ============================================================================\n// Receipt Types (Proof of Execution)\n// ============================================================================\n\nexport interface LoomReceipt {\n /* Receipt ID /\n receipt_id: string;\n /* Hash of the writ that was executed /\n writ_hash: string;\n /* Thread ID /\n thread_id: string;\n /* Sequence number /\n sequence: number;\n /* Execution effect (e.g., \"ALLOW\", \"DENY\") /\n effect: string;\n /* Current receipt hash (for chaining) /\n hash: string;\n /* Previous receipt hash /\n prev_hash: string \| null;\n /* Execution timestamp /\n executed_at: number;\n /* Additional metadata /\n metadata?: Record<string, unknown>;\n}\n\n// ============================================================================\n// Thread Types (Causal Continuity)\n// ============================================================================\n\nexport interface ThreadState {\n /* Thread ID /\n thread_id: string;\n /* SoftID that owns this thread /\n softid: string;\n /* Hash of the last receipt in this thread /\n last_receipt_hash: string;\n /* Current sequence number /\n sequence: number;\n /* Last update timestamp /\n updated_at: number;\n}\n\n// ============================================================================\n// Revocation Types (Null-Receipts)\n// ============================================================================\n\nexport type RevocationTargetType = 'grant' \| 'presence' \| 'softid';\n\nexport interface Revocation {\n /* Revocation ID /\n revocation_id: string;\n /* What type of entity is being revoked /\n target_type: RevocationTargetType;\n /* ID of the entity being revoked /\n target_id: string;\n /* SoftID of the issuer of this revocation /\n issuer_softid: string;\n /* Reason for revocation /\n reason?: string;\n /* When revocation takes effect (Unix timestamp) /\n effective_at: number;\n /* Signature over the revocation /\n sig_value: string;\n}\n\n// ============================================================================\n// Validation Result Types\n// ============================================================================\n\nexport interface LoomValidationResult {\n valid: boolean;\n error?: string;\n code?: string;\n}\n\nexport interface PresenceVerifyResult extends LoomValidationResult {\n presence?: PresenceReceipt;\n}\n\nexport interface WritValidationResult extends LoomValidationResult {\n writ?: Writ;\n gate_failed?: 'temporal' \| 'causal' \| 'legal' \| 'authentic';\n}\n\nexport interface GrantValidationResult extends LoomValidationResult {\n grant?: Grant;\n}\n\n// ============================================================================\n// TLV Constants (re-exported from core/constants.ts for convenience)\n// ============================================================================\n\nexport {\n TLV_LOOM_PRESENCE_ID as TLV_PRESENCE_ID,\n TLV_LOOM_WRIT as TLV_WRIT,\n TLV_LOOM_THREAD_HASH as TLV_THREAD_HASH,\n PROOF_LOOM,\n} from '../core/constants';\n\n// ============================================================================\n// Utility Functions\n// ============================================================================\n\n/\n Derive Anchor Reflection ID (ARID) for privacy-preserving logs.\n * ARID = hash(anchor_pubkey + context + scope)\n /\nexport function deriveAnchorReflection(\n softid: string,\n context: string = 'openlogs',\n scope: string = 'loom',\n): string {\n // Implementation will use crypto hash\n // Placeholder structure: ar:<context>:<scope>:<hash>\n return `ar:${context}:${scope}:${softid}`;\n}\n\n/\n Canonicalize a Writ for signing/verification.\n * Returns deterministic JSON string.\n /\nexport function canonicalizeWrit(writ: Omit<Writ, 'sig'>): string {\n const ordered = {\n head: { tid: writ.head.tid, seq: writ.head.seq },\n body: {\n who: writ.body.who,\n act: writ.body.act,\n res: writ.body.res,\n law: writ.body.law,\n },\n meta: { iat: writ.meta.iat, exp: writ.meta.exp, prev: writ.meta.prev },\n };\n return JSON.stringify(ordered);\n}\n\n/\n Canonicalize a Grant for signing/verification.\n /\nexport function canonicalizeGrant(grant: Omit<Grant, 'sig'>): string {\n const ordered = {\n grant_id: grant.grant_id,\n issuer: grant.issuer,\n subject: grant.subject,\n grant_type: grant.grant_type,\n caps: grant.caps,\n meta: grant.meta,\n };\n return JSON.stringify(ordered);\n}\n","export from './axis-schemas';\nexport {\n BodyProfileValidator,\n BodyProfile,\n type BodyProfileValidation,\n} from './body-profile.validator';\n","import * as z from 'zod';\nimport { AxisFrameZ } from '../core/axis-bin';\n\n/*\n AXIS Sensor Input/Output Validation Schemas\n \n Centralized Zod schemas for all sensor input validation.\n * Ensures type-safe, runtime-validated data across the entire sensor chain.\n \n Usage:\n * const input = CountryBlockSensorInputZ.parse(data);\n * const input = CountryBlockSensorInputZ.safeParse(data);\n /\n\n// ============================================================================\n// COMMON TYPES & UTILITIES\n// ============================================================================\n\n/\n Sensor decision outcomes (Zod version for schema composition)\n /\nexport const SensorDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n meta: z.any().optional(),\n }),\n]);\n\nexport const SensorDecisionWithMetadataZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n retryAfterMs: z.number().int().positive().optional(),\n meta: z.any().optional(),\n }),\n]);\n\n// ============================================================================\n// COUNTRY BLOCK SENSOR\n// ============================================================================\n\nexport const CountryBlockSensorInputZ = z.object({\n ip: z.string().min(1),\n country: z.string().length(2).toUpperCase().optional(),\n});\nexport type CountryBlockSensorInput = z.infer<typeof CountryBlockSensorInputZ>;\n\nexport const CountryBlockDecisionZ = SensorDecisionZ;\nexport type CountryBlockDecision = z.infer<typeof CountryBlockDecisionZ>;\n\n// ============================================================================\n// SCAN BURST SENSOR\n// ============================================================================\n\nexport const ScanBurstSensorInputZ = z.object({\n ip: z.string().min(1),\n isFailure: z.boolean().optional(),\n});\nexport type ScanBurstSensorInput = z.infer<typeof ScanBurstSensorInputZ>;\n\nexport const ScanBurstDecisionZ = SensorDecisionWithMetadataZ;\nexport type ScanBurstDecision = z.infer<typeof ScanBurstDecisionZ>;\n\n// ============================================================================\n// PROOF PRESENCE SENSOR\n// ============================================================================\n\nexport const ProofKindZ = z.enum([\n 'NONE',\n 'CAPSULE',\n 'PASSPORT',\n 'MTLS',\n 'JWT',\n]);\nexport type ProofKind = z.infer<typeof ProofKindZ>;\n\nexport const AccessProfileZ = z.enum(['PUBLIC', 'PARTNER', 'INTERNAL', 'NODE']);\nexport type AccessProfile = z.infer<typeof AccessProfileZ>;\n\nexport const ProofPresenceInputZ = z.object({\n profile: AccessProfileZ,\n visibility: z.enum(['PUBLIC', 'GUARDED']),\n requiredProof: z.array(ProofKindZ).min(1),\n hasCapsule: z.boolean(),\n hasPassportSignature: z.boolean(),\n intent: z.string().min(1),\n});\nexport type ProofPresenceInput = z.infer<typeof ProofPresenceInputZ>;\n\n// ============================================================================\n// INTENT POLICY SENSOR\n// ============================================================================\n\nexport const SensitivityLevelZ = z.enum(['LOW', 'MEDIUM', 'HIGH', 'CRITICAL']);\nexport type SensitivityLevel = z.infer<typeof SensitivityLevelZ>;\n\nexport const IntentPolicyZ = z.object({\n intent: z.string().min(1),\n sensitivity: SensitivityLevelZ,\n maxFrameBytes: z.number().int().positive(),\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n maxSigBytes: z.number().int().positive().optional(),\n rateLimitPerMinute: z.number().int().positive().optional(),\n rateLimitPerHour: z.number().int().positive().optional(),\n requiresSignature: z.boolean(),\n requiresCapsule: z.boolean(),\n timeoutMs: z.number().int().positive(),\n});\nexport type IntentPolicy = z.infer<typeof IntentPolicyZ>;\n\nexport const IntentPolicySensorInputZ = z.object({\n frame: AxisFrameZ,\n intent: z.string().min(1),\n rawFrameSize: z.number().int().positive(),\n});\nexport type IntentPolicySensorInput = z.infer<typeof IntentPolicySensorInputZ>;\n\nexport const IntentPolicyDecisionZ = z.union([\n z.object({\n action: z.literal('ALLOW'),\n policy: IntentPolicyZ,\n }),\n z.object({\n action: z.literal('DENY'),\n reason: z.string(),\n }),\n]);\nexport type IntentPolicyDecision = z.infer<typeof IntentPolicyDecisionZ>;\n\n// ============================================================================\n// CAPSULE VERIFY SENSOR\n// ============================================================================\n\nexport const CapsuleClaimsZ = z.object({\n capsuleId: z.string().min(8),\n allowIntents: z.array(z.string()).min(1),\n limits: z\n .object({\n maxBodyBytes: z.number().int().positive().optional(),\n })\n .optional(),\n scopes: z.record(z.string(), z.any()).optional(),\n});\nexport type CapsuleClaims = z.infer<typeof CapsuleClaimsZ>;\n\nexport const CapsuleZ = z.object({\n id: z.string(),\n claims: CapsuleClaimsZ,\n issuedAt: z.number().int(),\n expiresAt: z.number().int(),\n tier: z.enum(['FREE', 'STANDARD', 'PREMIUM']),\n});\nexport type Capsule = z.infer<typeof CapsuleZ>;\n\nexport const CapsuleValidationResultZ = z.object({\n valid: z.boolean(),\n capsule: CapsuleZ.optional(),\n reason: z.string().optional(),\n requiresStepUp: z.boolean().optional(),\n});\nexport type CapsuleValidationResult = z.infer<typeof CapsuleValidationResultZ>;\n\nexport const CapsuleVerifySensorInputZ = z.object({\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n intent: z.string().min(1),\n ctx: z.any(), // AxisContext - avoid circular dependency\n});\nexport type CapsuleVerifySensorInput = z.infer<\n typeof CapsuleVerifySensorInputZ\n>;\n\nexport const CapsuleVerifyResultZ = z.object({\n ok: z.literal(true),\n capsule: CapsuleZ,\n});\nexport type CapsuleVerifyResult = z.infer<typeof CapsuleVerifyResultZ>;\n\n// ============================================================================\n// RATE LIMIT SENSOR\n// ============================================================================\n\nexport const RateLimitProfileZ = z.enum([\n 'PUBLIC',\n 'PARTNER',\n 'INTERNAL',\n 'NODE',\n]);\nexport type RateLimitProfile = z.infer<typeof RateLimitProfileZ>;\n\nexport const RateLimitInputZ = z.object({\n ip: z.string().min(1),\n userAgent: z.string().optional(),\n actorId: z.string().optional(),\n capsuleId: z.string().optional(),\n intent: z.string().min(1),\n profile: RateLimitProfileZ,\n});\nexport type RateLimitInput = z.infer<typeof RateLimitInputZ>;\n\nexport const RateLimitConfigZ = z.object({\n windowSec: z.number().int().positive(),\n max: z.number().int().positive(),\n key: z.enum(['ip_fingerprint', 'actor_capsule']),\n});\nexport type RateLimitConfig = z.infer<typeof RateLimitConfigZ>;\n\nexport const SensorResultZ = z.object({\n ok: z.literal(true),\n});\nexport type SensorResult = z.infer<typeof SensorResultZ>;\n\n// ============================================================================\n// SIGNATURE VERIFICATION SENSOR (Detailed)\n// ============================================================================\n\nexport const PassportZ = z.object({\n id: z.string(),\n public_key: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n status: z.enum(['ACTIVE', 'REVOKED', 'EXPIRED', 'PENDING']),\n issuedAt: z.number().int(),\n expiresAt: z.number().int().optional(),\n});\nexport const ExecutionMetricsZ = z.object({\n dbWrites: z.number().int(),\n dbReads: z.number().int(),\n externalCalls: z.number().int(),\n elapsedMs: z.number().int().optional(),\n});\n\nexport type Passport = z.infer<typeof PassportZ>;\n\n// ============================================================================\n// GENERAL SENSOR CHAIN INPUT\n// ============================================================================\n\nexport const SensorChainInputZ = z.object({\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n});\nexport type SensorChainInput = z.infer<typeof SensorChainInputZ>;\n\n// ============================================================================\n// ENTROPY SENSOR\n// ============================================================================\n\nexport const EntropySensorInputZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n ip: z.string().min(1),\n});\nexport type EntropySensorInput = z.infer<typeof EntropySensorInputZ>;\n\n// ============================================================================\n// PROTOCOL STRICT SENSOR\n// ============================================================================\n\nexport const ProtocolStrictInputZ = z.object({\n rawBytes: z\n .union([z.custom<Buffer>((v) => Buffer.isBuffer(v)), z.instanceof(Uint8Array)])\n .optional(),\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n contentType: z.string().optional(),\n});\nexport type ProtocolStrictInput = z.infer<typeof ProtocolStrictInputZ>;\n\n// ============================================================================\n// SCHEMA VALIDATION SENSOR\n// ============================================================================\n\nexport const SchemaFieldKindZ = z.enum([\n 'utf8',\n 'u64',\n 'bytes',\n 'bytes16',\n 'bool',\n 'obj',\n 'arr',\n]);\nexport type SchemaFieldKind = z.infer<typeof SchemaFieldKindZ>;\n\nexport const ScopeZ = z.enum(['header', 'body']);\nexport type Scope = z.infer<typeof ScopeZ>;\n\nexport const SchemaFieldZ = z.object({\n name: z.string().min(1),\n tlv: z.number().int().positive(),\n kind: SchemaFieldKindZ,\n required: z.boolean().optional(),\n maxLen: z.number().int().positive().optional(),\n max: z.string().optional(),\n scope: ScopeZ.optional(),\n});\nexport type SchemaField = z.infer<typeof SchemaFieldZ>;\n\nexport const BodyProfileZ = z.enum(['TLV_MAP', 'RAW', 'TLV_OBJ', 'TLV_ARR']);\nexport type BodyProfile = z.infer<typeof BodyProfileZ>;\n\nexport const IntentSchemaZ = z.object({\n intent: z.string().min(1),\n version: z.number().int().positive(),\n bodyProfile: BodyProfileZ,\n fields: z.array(SchemaFieldZ).min(1),\n});\nexport type IntentSchema = z.infer<typeof IntentSchemaZ>;\n\n// ============================================================================\n// WEBSOCKET HANDSHAKE SENSOR\n// ============================================================================\n\nexport const WsHandshakeInputZ = z.object({\n clientId: z.string().min(1),\n isWs: z.boolean(),\n ip: z.string().min(1),\n});\nexport type WsHandshakeInput = z.infer<typeof WsHandshakeInputZ>;\n\nexport const WsHandshakeDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW') }),\n z.object({ action: z.literal('DENY'), code: z.string() }),\n]);\nexport type WsHandshakeDecision = z.infer<typeof WsHandshakeDecisionZ>;\n\n// ============================================================================\n// IP REPUTATION SENSOR\n// ============================================================================\n\nexport const IPReputationInputZ = z.object({\n ip: z.string().min(1),\n});\nexport type IPReputationInput = z.infer<typeof IPReputationInputZ>;\n\nexport const IPReputationZ = z.object({\n score: z.number().min(-100).max(100),\n lastUpdated: z.number().int(),\n totalRequests: z.number().int().nonnegative(),\n failedRequests: z.number().int().nonnegative(),\n blockedRequests: z.number().int().nonnegative(),\n tags: z.array(z.string()),\n});\nexport type IPReputation = z.infer<typeof IPReputationZ>;\n\n// ============================================================================\n// FILE UPLOAD STATE SENSOR\n// ============================================================================\n\nexport const UploadStatusZ = z.enum([\n 'INIT',\n 'UPLOADING',\n 'FINALIZING',\n 'DONE',\n 'ABORTED',\n]);\nexport type UploadStatus = z.infer<typeof UploadStatusZ>;\n\nexport const UploadSessionZ = z.object({\n uploadIdHex: z.string().min(1),\n fileName: z.string().min(1),\n totalSize: z.number().int().positive(),\n chunkSize: z.number().int().positive(),\n totalChunks: z.number().int().positive(),\n receivedCount: z.number().int().nonnegative(),\n status: UploadStatusZ,\n});\nexport type UploadSession = z.infer<typeof UploadSessionZ>;\n\n// ============================================================================\n// BODY BUDGET SENSOR\n// ============================================================================\n\nexport const BodyBudgetInputZ = z.object({\n intent: z.string().min(1),\n headerLen: z.number().int().nonnegative(),\n bodyLen: z.number().int().nonnegative(),\n});\nexport type BodyBudgetInput = z.infer<typeof BodyBudgetInputZ>;\n\nexport const BodyBudgetPolicyZ = z.object({\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n});\nexport type BodyBudgetPolicy = z.infer<typeof BodyBudgetPolicyZ>;\n\n// ============================================================================\n// CHUNK HASH SENSOR\n// ============================================================================\n\nexport const ChunkHashInputZ = z.object({\n headerTLVs: z.any(), // Map<number, Uint8Array> - flexible validation for compatibility\n bodyBytes: z.any(), // Uint8Array - flexible validation for compatibility\n intent: z.string().min(1),\n});\nexport type ChunkHashInput = z.infer<typeof ChunkHashInputZ>;\n\n// ============================================================================\n// AXIS CONTEXT (Request Context across sensors)\n// ============================================================================\n\nexport enum ProofType {\n CAPSULE = 1,\n JWT = 2,\n MTLS_ID = 3,\n DEVICE_SE = 4,\n WITNESS_SIG = 5,\n}\n\nexport const AxisContextZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)), // Process ID\n ts: z.bigint(), // Timestamp\n intent: z.string().min(1),\n actorId: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n proofType: z.enum(ProofType),\n proofRef: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n ip: z.string().min(1),\n nodeCertHash: z.string().optional(),\n capsule: CapsuleZ.optional(),\n passport: PassportZ.optional(),\n meter: z.any().optional(), // ExecutionMeter instance - any to avoid circular dependency and allow class instance\n});\n\nexport type AxisContext = z.infer<typeof AxisContextZ>;\n\n// ============================================================================\n// ERROR HANDLING\n// ============================================================================\n\nexport const AxisErrorZ = z.object({\n code: z.string(),\n message: z.string(),\n httpStatus: z.number().int(),\n});\nexport type AxisError = z.infer<typeof AxisErrorZ>;\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { decodeTLVsList } from '../core/tlv';\n\n/\n Body Profile Types\n /\nexport enum BodyProfile {\n RAW = 0, // Raw binary (no structure)\n TLV_MAP = 1, // Flat TLV map (type -> value)\n OBJ = 2, // Nested object (OBJ TLVs)\n ARR = 3, // Array (ARR TLVs)\n}\n\nexport interface BodyProfileValidation {\n valid: boolean;\n error?: string;\n profile: BodyProfile;\n}\n\n/\n Validates AXIS frame body against declared body profile\n /\n@Injectable()\nexport class BodyProfileValidator {\n private readonly logger = new Logger(BodyProfileValidator.name);\n\n /\n Validate body matches declared profile\n /\n validate(body: Uint8Array, profile: BodyProfile): BodyProfileValidation {\n switch (profile) {\n case BodyProfile.RAW:\n return this.validateRaw(body);\n\n case BodyProfile.TLV_MAP:\n return this.validateTlvMap(body);\n\n case BodyProfile.OBJ:\n return this.validateObj(body);\n\n case BodyProfile.ARR:\n return this.validateArr(body);\n\n default:\n return {\n valid: false,\n error: `Unknown body profile: ${profile}`,\n profile,\n };\n }\n }\n\n /\n RAW profile - no validation, any bytes accepted\n /\n private validateRaw(body: Uint8Array): BodyProfileValidation {\n return {\n valid: true,\n profile: BodyProfile.RAW,\n };\n }\n\n /\n TLV_MAP profile - flat TLV list (no nested structures)\n /\n private validateTlvMap(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Check no nested structures (OBJ or ARR types)\n for (const tlv of tlvs) {\n if (tlv.type === 254 \|\| tlv.type === 255) {\n return {\n valid: false,\n error: 'TLV_MAP profile cannot contain nested OBJ/ARR types',\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n return {\n valid: true,\n profile: BodyProfile.TLV_MAP,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `TLV_MAP decode failed: ${message}`,\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n /\n OBJ profile - must be valid nested object\n /\n private validateObj(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one OBJ type (254)\n const hasObj = tlvs.some((t) => t.type === 254);\n if (!hasObj && tlvs.length > 0) {\n return {\n valid: false,\n error: 'OBJ profile must contain OBJ type (254)',\n profile: BodyProfile.OBJ,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.OBJ,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `OBJ decode failed: ${message}`,\n profile: BodyProfile.OBJ,\n };\n }\n }\n\n /\n ARR profile - must be valid array\n /\n private validateArr(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one ARR type (255)\n const hasArr = tlvs.some((t) => t.type === 255);\n if (!hasArr && tlvs.length > 0) {\n return {\n valid: false,\n error: 'ARR profile must contain ARR type (255)',\n profile: BodyProfile.ARR,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.ARR,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `ARR decode failed: ${message}`,\n profile: BodyProfile.ARR,\n };\n }\n }\n}\n","export from './scopes';\nexport * from './capabilities';\n","export * from './access-profile-resolver.sensor';\nexport * from './body-budget.sensor';\nexport * from './capability-enforcement.sensor';\nexport * from './chunk-hash.sensor';\nexport * from './entropy.sensor';\nexport * from './execution-timeout.sensor';\nexport * from './frame-budget.sensor';\nexport * from './frame-header-sanity.sensor';\nexport * from './header-tlv-limit.sensor';\nexport * from './intent-allowlist.sensor';\nexport * from './intent-registry.sensor';\nexport * from './proof-presence.sensor';\nexport * from './protocol-strict.sensor';\nexport * from './receipt-policy.sensor';\nexport * from './schema-validation.sensor';\nexport * from './stream-scope.sensor';\nexport * from './tlv-parse.sensor';\nexport * from './varint-hardening.sensor';\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Access Profile Resolver AxisSensor\n \n This sensor determines whether an AXIS request should be handled under the\n * 'PUBLIC' or 'GUARDED' access profile. It does this by checking for the presence\n * of authentication proofs in the request metadata.\n \n Execution Order: 50 (runs very early)\n \n Core Concept:\n * - If any structural proof is present (Capsule, Passport, or mTLS certificate),\n * the request is flagged as `GUARDED`.\n * - Otherwise, it is treated as `PUBLIC`.\n \n Impact:\n * This determination is stored in `input.metadata.profile` and is used by\n * downstream sensors like `CapabilityEnforcementSensor` to decide whether\n * to enforce strict authorization checks.\n \n @class AccessProfileResolverSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class AccessProfileResolverSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'AccessProfileResolverSensor';\n\n /\n Execution order - runs early to establish the access profile\n * for downstream sensors.\n /\n readonly order = BAND.IDENTITY + 10;\n\n supports(): boolean {\n return true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n // Resolve profile: presence of proof => GUARDED, else PUBLIC\n const hasCapsule = !!input.metadata?.capsuleId;\n const hasPassport = !!input.metadata?.passportSig;\n const hasMTLS = !!input.metadata?.mtlsId;\n\n const profile = hasCapsule \|\| hasPassport \|\| hasMTLS ? 'GUARDED' : 'PUBLIC';\n\n // Store in metadata for downstream sensors\n if (!input.metadata) input.metadata = {};\n input.metadata.profile = profile;\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { MAX_BODY_LEN, MAX_HDR_LEN } from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Body Budget AxisSensor - Section Size Limit Enforcement\n \n Validates that header and body sections of AXIS frames are within\n * configured size limits. This prevents memory exhaustion attacks and\n * ensures efficient processing.\n \n Execution Order: 150 (after auth, before schema validation)\n \n Core Concept:\n * AXIS frames have three main sections:\n * - Header (TLVs for routing, auth, etc.)\n * - Body (payload data)\n * - Signature\n \n Each section has a declared length in the frame header. This sensor\n * validates those lengths against configured maximums BEFORE reading\n * the full content.\n \n Frame Format Reference:\n * ```\n * Offset 0-4: Magic (AXIS1)\n * Offset 5: Version (0x01)\n * Offset 6: Flags\n * Offset 7+: HDR_LEN (varint)\n * Following: BODY_LEN (varint)\n * Following: SIG_LEN (varint)\n * Then: HDR bytes, BODY bytes, SIG bytes\n * ```\n \n Default Limits (from constants.ts):\n * - MAX_HDR_LEN: 2048 bytes (2KB)\n * - MAX_BODY_LEN: 65536 bytes (64KB)\n \n Security Model:\n * - Fail Open: Parse errors allow (other sensors catch)\n * - Early Rejection: Rejects before reading large payloads\n * - Defense in Depth: Works with FrameBudgetSensor\n \n Actions:\n * - `ALLOW` - Sizes within limits\n * - `DENY` - Header or body exceeds maximum\n \n Error Codes:\n * - `HEADER_TOO_LARGE` - Header exceeds MAX_HDR_LEN\n * - `BODY_TOO_LARGE` - Body exceeds MAX_BODY_LEN\n \n Performance:\n * - Parses first ~20 bytes (varint lengths)\n * - O(1) comparison\n * - Latency: <0.5ms\n \n @class BodyBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Within limits:\n * ```typescript\n * // HDR_LEN: 500 (< 2048), BODY_LEN: 10000 (< 65536)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Body too large:\n * ```typescript\n * // BODY_LEN: 100000 (> 65536)\n * {\n * action: 'DENY',\n * code: 'BODY_TOO_LARGE',\n * reason: 'Body size 100000 exceeds limit 65536'\n * }\n * ```\n \n @see {@link FrameBudgetSensor} - Content-Length based limiting\n * @see {@link MAX_BODY_LEN} - Configurable body limit\n /\n@Sensor()\n@Injectable()\nexport class BodyBudgetSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'BodyBudgetSensor';\n\n /\n Execution order - after authentication\n \n Order 150 ensures:\n * - Authentication complete\n * - Runs before full body read\n * - Before schema validation (170)\n /\n readonly order = BAND.CONTENT + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 8 bytes of peeked data to read headers.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data available\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 8;\n }\n\n /\n Validates header and body lengths against configured limits.\n \n Frame Parsing:\n * - Skip magic (5 bytes)\n * - Skip version (1 byte)\n * - Skip flags (1 byte)\n * - Read HDR_LEN varint\n * - Read BODY_LEN varint\n * - Compare against MAX_HDR_LEN and MAX_BODY_LEN\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size limits\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { peek } = input;\n\n // Should be caught by ProtocolStrict, but defensive check\n if (!peek \|\| peek.length < 8) {\n return { action: 'ALLOW' };\n }\n\n try {\n // Frame structure:\n // 0-4: Magic (AXIS1)\n // 5: Version\n // 6: Flags\n // 7+: Varints for HDR_LEN, BODY_LEN, SIG_LEN\n\n let offset = 5; // After magic\n offset += 1; // Skip version\n offset += 1; // Skip flags\n\n // Now at offset 7: read HDR_LEN varint\n const { value: hdrLen, length: hdrBytes } = decodeVarint(peek, offset);\n offset += hdrBytes;\n\n // Read BODY_LEN varint\n const { value: bodyLen } = decodeVarint(peek, offset);\n\n // === Check Header Limit ===\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds limit ${MAX_HDR_LEN}`,\n };\n }\n\n // === Check Body Limit ===\n if (bodyLen > MAX_BODY_LEN) {\n return {\n action: 'DENY',\n code: 'BODY_TOO_LARGE',\n reason: `Body size ${bodyLen} exceeds limit ${MAX_BODY_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n } catch (e) {\n // Parse errors are likely malformed frames\n // ProtocolStrict will handle them\n return { action: 'ALLOW' };\n }\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n Capability,\n INTENT_REQUIREMENTS,\n PROOF_CAPABILITIES,\n SensorDecision,\n SensorInput,\n} from '../index';\n\n/\n Capability Enforcement AxisSensor - Authorization Based on Proof Type\n \n Maps authentication proof types to capabilities and enforces capability\n * requirements per intent. This implements role-based access control (RBAC)\n * at the intent level.\n \n Execution Order: 100 (after capsule/signature verification)\n \n Core Concept:\n * Different authentication methods grant different capabilities:\n * - Stronger auth = more capabilities\n * - Weaker auth = fewer capabilities\n \n Each intent has required capabilities. The request's proof type must\n * grant ALL required capabilities for the intent to proceed.\n \n Capability Definitions:\n * - `read` - Can read/query data\n * - `write` - Can create/update data\n * - `execute` - Can trigger actions/operations\n * - `admin` - Administrative operations\n * - `sign` - Can create digital signatures\n * - `witness` - Can act as independent witness\n \n Proof Type Mappings:\n * \| Type \| Name \| Capabilities \|\n * \|------\|------\|--------------\|\n * \| 0 \| NONE \| (none) \|\n * \| 1 \| CAPSULE \| read, write, execute \|\n * \| 2 \| JWT \| read \|\n * \| 3 \| MTLS \| read, write, admin \|\n * \| 4 \| DEVICE_SE \| read, write, sign \|\n * \| 5 \| WITNESS_SIG \| read, write, execute, witness \|\n \n @class CapabilityEnforcementSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload (requires 'write'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'file.upload' (requires: write)\n * // write ∈ [read, write, execute] ✓\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Admin operation (requires 'admin'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'admin.users.delete' (requires: admin)\n * // admin ∉ [read, write, execute] ✗\n * {\n * action: 'DENY',\n * code: 'CAPABILITY_DENIED',\n * reason: 'Missing capabilities: admin'\n * }\n * ```\n /\n\n@Sensor()\n@Injectable()\nexport class CapabilityEnforcementSensor implements AxisSensor {\n private readonly logger = new Logger(CapabilityEnforcementSensor.name);\n\n /* AxisSensor identifier for logging and registry /\n readonly name = 'CapabilityEnforcementSensor';\n\n /\n Execution order - runs after authentication\n \n Order 100 ensures:\n * - Capsule is verified (CapsuleVerifySensor @ 80)\n * - Signature is verified (SigVerifySensor @ 90)\n * - We know the proof type for capability lookup\n /\n readonly order = BAND.POLICY + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when an intent is present.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Enforces capability requirements for the requested intent.\n \n Processing Flow:\n * 1. Extract proof type from packet (default: 0/NONE)\n * 2. Look up capabilities granted by this proof type\n * 3. Look up capabilities required by the intent\n * 4. If no requirements, ALLOW\n * 5. Check if all required capabilities are granted\n * 6. If missing capabilities, DENY with details\n * 7. Otherwise, ALLOW\n \n @param {SensorInput} input - Request with intent and packet\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on capabilities\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, packet } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n const proofType = packet?.proofType ?? 0;\n\n // === STEP 1: Get Granted Capabilities ===\n // Look up what this proof type allows\n const grantedCapabilities = PROOF_CAPABILITIES[proofType] \|\| [];\n\n // === STEP 2: Get Required Capabilities ===\n // Look up what this intent requires\n const requiredCapabilities = this.getRequiredCapabilities(intent);\n\n // === STEP 3: Check Public Intents ===\n // No capabilities required = public access\n if (requiredCapabilities.length === 0) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 4: Check Capability Match ===\n // Find any required capabilities not granted\n const missingCapabilities = requiredCapabilities.filter(\n (cap) => !grantedCapabilities.includes(cap),\n );\n\n if (missingCapabilities.length > 0) {\n // Capability mismatch - deny with details\n this.logger.warn(\n `Capability denied for ${intent}: missing ${missingCapabilities.join(', ')} (has: ${grantedCapabilities.join(', ')})`,\n );\n return {\n action: 'DENY',\n code: 'CAPABILITY_DENIED',\n reason: `Missing capabilities: ${missingCapabilities.join(', ')}`,\n };\n }\n\n // All required capabilities present\n return { action: 'ALLOW' };\n }\n\n /\n Gets required capabilities for an intent.\n \n Lookup Strategy:\n * 1. Check for exact intent match\n * 2. Check for prefix pattern match (.suffix)\n 3. Default to 'execute' for unknown intents\n \n @private\n * @param {string} intent - Intent name to look up\n * @returns {Capability[]} Array of required capabilities\n /\n private getRequiredCapabilities(intent: string): Capability[] {\n // Check exact match first\n if (INTENT_REQUIREMENTS[intent]) {\n return INTENT_REQUIREMENTS[intent];\n }\n\n // Check prefix patterns (e.g., 'admin.' matches 'admin.users.delete')\n for (const [pattern, caps] of Object.entries(INTENT_REQUIREMENTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1); // Remove ''\n if (intent.startsWith(prefix)) {\n return caps;\n }\n }\n }\n\n // Default: require execute for unknown intents (safe default)\n return ['execute'];\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { createHash } from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/*\n Chunk Hash Sensor - Data Integrity Verification\n \n Validates that uploaded file chunks match their declared SHA-256 hash.\n * This ensures data integrity during transfer and detects corruption or\n * tampering.\n \n Execution Order: 190 (after session validation, before handler)\n \n Core Concept:\n * Each file chunk includes a SHA-256 hash in the header. The sensor:\n * 1. Extracts the expected hash from header TLV\n * 2. Computes the actual hash of the body\n * 3. Compares them byte-by-byte\n * 4. Rejects if mismatch (data corruption)\n \n This provides end-to-end integrity verification, catching:\n * - Network corruption\n * - Storage errors\n * - Man-in-the-middle modifications\n * - Client-side bugs\n \n TLV Type:\n * - Type 73 (`TLV_SHA256_CHUNK`): 32-byte SHA-256 hash\n \n Hash Calculation:\n * ```typescript\n * const actual = createHash('sha256').update(bodyBytes).digest();\n * ```\n \n Security Model:\n * - Fail Closed: Hash mismatch = DENY\n * - Immutable Check: Hash computed server-side\n * - Early Rejection: Before storage writes\n \n Actions:\n * - `ALLOW` - Hash matches\n * - `DENY` - Hash mismatch or missing\n \n Error Codes:\n * - `FILE_CHUNK_HASH_MISSING` - TLV 73 not present or wrong size\n * - `FILE_CHUNK_HASH_MISMATCH` - Computed hash != expected hash\n \n Performance:\n * - SHA-256 computation: ~100MB/s on modern CPUs\n * - For 1MB chunk: ~10ms\n \n @class ChunkHashSensor\n * @implements {AxisSensor}\n \n @example\n * Hash matches:\n * ```typescript\n * // Header TLV 73: sha256(body) = expected\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Hash mismatch:\n * ```typescript\n * // Body was corrupted during transfer\n * {\n * action: 'DENY',\n * code: 'FILE_CHUNK_HASH_MISMATCH',\n * reason: 'Chunk hash mismatch - data corrupted'\n * }\n * ```\n \n @see {@link FileUploadStateSensor} - Session validation\n * @see {@link https://en.wikipedia.org/wiki/SHA-2 SHA-256}\n /\n@Sensor()\n@Injectable()\nexport class ChunkHashSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'ChunkHashSensor';\n\n /\n Execution order - after session validation\n \n Order 190 ensures:\n * - Session validated (180)\n * - Chunk parameters verified\n * - Hash check before storage\n /\n readonly order = BAND.CONTENT + 50;\n\n /\n Determines if this sensor should process the given input.\n \n Only processes file.chunk intents.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is 'file.chunk'\n /\n supports(input: SensorInput): boolean {\n return input.intent === 'file.chunk';\n }\n\n /\n Validates chunk data against declared SHA-256 hash.\n \n Processing Flow:\n * 1. Check for required headerTLVs and body\n * 2. Extract expected hash from TLV 73\n * 3. Verify hash is exactly 32 bytes\n * 4. Compute SHA-256 of body\n * 5. Compare bytes (timing-safe)\n * 6. DENY on mismatch\n \n @param {SensorInput} input - Request with chunk body\n * @returns {Promise<SensorDecision>} ALLOW if hash matches, DENY otherwise\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyBytes = input.body as Uint8Array;\n\n // Validate required inputs\n if (!headerTLVs \|\| !bodyBytes) {\n return {\n action: 'DENY',\n code: 'SENSOR_INVALID_INPUT',\n reason: 'Missing headerTLVs or body',\n };\n }\n\n // TLV type for chunk SHA-256 hash\n const TLV_SHA256_CHUNK = 73;\n\n // === STEP 1: Extract Expected Hash ===\n const expected = headerTLVs.get(TLV_SHA256_CHUNK);\n\n if (!expected \|\| expected.length !== 32) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISSING',\n reason: 'Missing sha256Chunk TLV in header',\n };\n }\n\n // === STEP 2: Compute Actual Hash ===\n const actual = createHash('sha256').update(bodyBytes).digest();\n\n // === STEP 3: Compare Hashes ===\n // Using Buffer.equals for comparison\n if (!Buffer.from(actual).equals(Buffer.from(expected))) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISMATCH',\n reason: 'Chunk hash mismatch - data corrupted',\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\n\nimport { TLV_NONCE, TLV_PID } from '../core/constants';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Entropy AxisSensor - Randomness Quality Analysis\n \n Validates that cryptographic identifiers (PIDs, nonces) have sufficient\n * randomness to prevent predictability attacks. Weak entropy in IDs can\n * lead to collision attacks and session hijacking.\n \n Execution Order: 130 (after replay protection, before policy checks)\n \n Core Concept:\n * Proper cryptographic security requires high-quality randomness. This sensor\n * detects patterns that suggest weak random number generation:\n * - Low Shannon entropy\n * - Sequential patterns (1,2,3,4...)\n * - Repeated patterns (0xAB,0xAB,0xAB...)\n \n How It Works:\n * ```\n * 1. Extract PID and nonce from headers\n * 2. Calculate Shannon entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. FLAG if issues found (doesn't DENY for availability)\n * ```\n \n Shannon Entropy Calculation:\n * ```\n * H = -Σ(p_i * log2(p_i))\n * ```\n * Where p_i is the probability of byte value i appearing.\n * - High entropy (7-8 bits/byte): Good randomness\n * - Low entropy (<3 bits/byte): Suspicious pattern\n \n Pattern Detection:\n * - Sequential: More than 50% of bytes are +1 or -1 from previous\n * - Repeated: 90%+ match with 2, 4, or 8 byte repeating pattern\n \n Security Model:\n * - Fail Open: Issues cause FLAG, not DENY\n * - Trust Score Impact: Each issue reduces trust score\n * - Detection Only: Logs suspicious patterns for investigation\n \n Actions:\n * - `ALLOW` - Sufficient entropy, no patterns detected\n * - `FLAG` - Issues detected (reduces trust score)\n \n Score Deltas:\n * \| Issue \| Delta \|\n * \|-------\|-------\|\n * \| Low entropy (<3 bits/byte) \| -3 \|\n * \| Sequential pattern \| -5 \|\n * \| Repeated pattern \| -5 \|\n \n Why Not DENY?\n * Legitimate clients with older RNG libraries might trigger false positives.\n * FLAG allows monitoring without breaking legitimate traffic.\n \n Performance:\n * - In-memory analysis\n * - O(n) where n = bytes analyzed\n * - Latency: <1ms\n \n @class EntropySensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * High-entropy nonce (good):\n * ```typescript\n * // Nonce from crypto.randomBytes(16)\n * // Entropy: 7.2 bits/byte\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Sequential pattern (suspicious):\n * ```typescript\n * // Nonce: [1,2,3,4,5,6,7,8,9,10,11,12]\n * {\n * action: 'FLAG',\n * scoreDelta: -5,\n * reasons: ['nonce_sequential']\n * }\n * ```\n \n @see {@link https://en.wikipedia.org/wiki/Entropy_(information_theory) Shannon Entropy}\n /\n@Sensor()\n@Injectable()\nexport class EntropySensor implements AxisSensor {\n private readonly logger = new Logger(EntropySensor.name);\n\n /\n Minimum acceptable entropy in bits per byte.\n \n 3.0 bits/byte is a conservative threshold:\n * - Random data: ~7.9 bits/byte\n * - English text: ~4.5 bits/byte\n * - Sequential data: ~0-2 bits/byte\n /\n private readonly MIN_ENTROPY_THRESHOLD = 3.0;\n\n /* AxisSensor identifier /\n readonly name = 'EntropySensor';\n\n /\n Execution order - anomaly detection phase\n \n Order 130 ensures:\n * - Replay protection done (120)\n * - Runs before expensive policy lookups\n /\n readonly order = BAND.POLICY + 35;\n\n /\n Calculates Shannon entropy of a byte array.\n \n Algorithm:\n * 1. Count frequency of each byte value (0-255)\n * 2. Calculate probability p = count / total\n * 3. Sum: -Σ(p * log2(p))\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {number} Entropy in bits per byte (0-8 scale)\n /\n private calculateEntropy(data: Uint8Array): number {\n if (data.length === 0) return 0;\n\n // Count byte frequencies\n const freq = new Map<number, number>();\n for (const byte of data) {\n freq.set(byte, (freq.get(byte) \|\| 0) + 1);\n }\n\n // Calculate Shannon entropy\n let entropy = 0;\n const len = data.length;\n for (const count of freq.values()) {\n const p = count / len;\n entropy -= p Math.log2(p);\n }\n\n return entropy;\n }\n\n /*\n Checks for sequential patterns in data.\n \n Detects sequences like [1,2,3,4...] or [10,9,8,7...].\n * More than 50% sequential is considered suspicious.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if sequential pattern detected\n /\n private hasSequentialPattern(data: Uint8Array): boolean {\n if (data.length < 4) return false;\n\n let ascending = 0;\n let descending = 0;\n\n for (let i = 1; i < data.length; i++) {\n if (data[i] === data[i - 1] + 1) ascending++;\n if (data[i] === data[i - 1] - 1) descending++;\n }\n\n // More than 50% sequential is suspicious\n return ascending > data.length / 2 \|\| descending > data.length / 2;\n }\n\n /\n Checks for repeated patterns in data.\n \n Detects patterns like [0xAB, 0xCD, 0xAB, 0xCD...].\n * Checks for 2, 4, and 8 byte repeating patterns.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if repeated pattern detected\n /\n private hasRepeatedPattern(data: Uint8Array): boolean {\n if (data.length < 8) return false;\n\n // Check for 2-byte, 4-byte, and 8-byte repeating patterns\n for (const patternLen of [2, 4, 8]) {\n if (data.length % patternLen !== 0) continue;\n\n let matches = 0;\n for (let i = patternLen; i < data.length; i++) {\n if (data[i] === data[i % patternLen]) matches++;\n }\n\n // 90%+ match = repeating pattern\n if (matches > (data.length - patternLen) 0.9) {\n return true;\n }\n }\n\n return false;\n }\n\n /*\n Analyzes entropy of PID and nonce in request headers.\n \n Processing Flow:\n * 1. Extract PID and nonce from header TLVs\n * 2. Calculate entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. Accumulate issues and score delta\n * 6. Return FLAG if issues found, ALLOW otherwise\n \n @param {SensorInput} input - Request with header TLVs\n * @returns {Promise<SensorDecision>} ALLOW or FLAG based on entropy analysis\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headers = input.headerTLVs as Map<number, Uint8Array>;\n\n // If no headers, allow (WebSocket handshake, etc.)\n if (!headers) {\n return { action: 'ALLOW' };\n }\n\n // Extract PID and nonce from headers\n const pid = headers.get(TLV_PID);\n const nonce = headers.get(TLV_NONCE);\n\n const issues: string[] = [];\n let totalDelta = 0;\n\n // === Analyze PID ===\n if (pid && pid.length > 0) {\n const pidEntropy = this.calculateEntropy(pid);\n\n // Check minimum entropy threshold\n if (pidEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`pid_low_entropy:${pidEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(pid)) {\n issues.push('pid_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(pid)) {\n issues.push('pid_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Analyze Nonce ===\n if (nonce && nonce.length > 0) {\n const nonceEntropy = this.calculateEntropy(nonce);\n\n // Check minimum entropy threshold\n if (nonceEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`nonce_low_entropy:${nonceEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(nonce)) {\n issues.push('nonce_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(nonce)) {\n issues.push('nonce_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Return Decision ===\n if (issues.length > 0) {\n this.logger.warn(`Entropy issues from ${input.ip}: ${issues.join(', ')}`);\n return {\n action: 'FLAG',\n scoreDelta: totalDelta,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Generates cryptographically secure random bytes.\n \n Utility method for SDK/client code to ensure proper entropy.\n * Uses Node.js crypto.randomBytes for secure PRNG.\n \n @static\n * @param {number} length - Number of random bytes\n * @returns {Uint8Array} Cryptographically secure random bytes\n /\n static generateSecureRandom(length: number): Uint8Array {\n return new Uint8Array(crypto.randomBytes(length));\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { resolveTimeout } from '../core/timeouts';\n\n/\n Execution Timeout AxisSensor - Intent-Based Deadline Enforcement\n \n Sets per-intent execution time limits and stores deadlines in the request\n * context. This prevents runaway handlers and ensures predictable response times.\n \n Execution Order: 210 (late, before handler execution)\n \n Core Concept:\n * Different intents have different acceptable latencies:\n * - Health checks: 2 seconds (must be fast)\n * - File uploads: 60 seconds (large transfers)\n * - Standard operations: 10 seconds (default)\n \n The sensor calculates a deadline timestamp and stores it in the context.\n * Handler code can check this deadline to abort if running too long.\n \n How It Works:\n * ```\n * 1. Look up timeout for intent (exact match or prefix pattern)\n * 2. Calculate deadline = now + timeout\n * 3. Store deadline in context\n * 4. Return ALLOW (enforcement happens in handler)\n * ```\n \n Timeout Lookup:\n * 1. Check exact intent match first\n * 2. Then check prefix patterns (e.g., 'file.')\n 3. Fall back to DEFAULT_TIMEOUT (10s)\n \n Context Properties Set:\n * - `deadline`: Absolute timestamp (ms since epoch)\n * - `timeoutMs`: Configured timeout duration\n \n Handler Usage:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new Error('Execution timeout exceeded');\n * }\n \n const remaining = ExecutionTimeoutSensor.getRemainingMs(ctx);\n * ```\n \n Security Model:\n * - Always Allow: This sensor only sets context, doesn't block\n * - Handler Responsibility: Actual enforcement in handler code\n * - Defense in Depth: Works with ExecutionContractSensor\n \n Actions:\n * - `ALLOW` - Always (only sets context)\n \n Performance:\n * - Map lookup: O(1) to O(n patterns)\n * - Latency: <0.1ms\n \n @class ExecutionTimeoutSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload:\n * ```typescript\n * // Intent: file.upload\n * // Timeout: 60000ms\n * // ctx.deadline = Date.now() + 60000\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Checking deadline in handler:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new TimeoutError('Handler exceeded deadline');\n * }\n * ```\n \n @see {@link ExecutionContractSensor} - Resource limit enforcement\n /\n@Sensor()\n@Injectable()\nexport class ExecutionTimeoutSensor implements AxisSensor {\n private readonly logger = new Logger(ExecutionTimeoutSensor.name);\n\n /* AxisSensor identifier /\n readonly name = 'ExecutionTimeoutSensor';\n\n /\n Execution order - late, near handler execution\n \n Order 210 ensures:\n * - All validation complete\n * - Deadline set just before handler\n /\n readonly order = BAND.BUSINESS + 10;\n\n /\n Determines if this sensor should process the given input.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Sets execution deadline in the request context.\n \n Processing Flow:\n * 1. Look up timeout for intent\n * 2. Calculate absolute deadline\n * 3. Store in context for handler use\n * 4. Return ALLOW\n \n @param {SensorInput} input - Request with intent\n * @returns {Promise<SensorDecision>} Always ALLOW\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, context } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n // Get timeout for this intent\n const timeout = resolveTimeout(intent);\n\n // Calculate absolute deadline\n const deadline = Date.now() + timeout;\n\n // Store deadline in context for downstream components\n if (context) {\n (context as any).deadline = deadline;\n (context as any).timeoutMs = timeout;\n }\n\n this.logger.debug(\n `Set ${timeout}ms timeout for ${intent} (deadline: ${new Date(deadline).toISOString()})`,\n );\n\n // Actual timeout enforcement happens in the intent router/executor\n // This sensor just sets the deadline\n return { action: 'ALLOW' };\n }\n\n /\n Checks if a deadline has been exceeded.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {boolean} True if deadline passed\n /\n static isExpired(ctx: { deadline?: number }): boolean {\n if (!ctx.deadline) return false;\n return Date.now() > ctx.deadline;\n }\n\n /\n Gets remaining time until deadline.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {number} Remaining milliseconds (0 if expired, Infinity if no deadline)\n /\n static getRemainingMs(ctx: { deadline?: number }): number {\n if (!ctx.deadline) return Infinity;\n return Math.max(0, ctx.deadline - Date.now());\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Frame Budget AxisSensor - Request Size Validation\n \n Validates that incoming frame sizes do not exceed configured limits.\n * This prevents memory exhaustion attacks and ensures fair resource allocation.\n \n Execution Order: 20 (after ProtocolStrictSensor, before security checks)\n \n Core Concept:\n * Large payloads can be used for denial-of-service attacks, buffer overflows,\n * or to exhaust server memory. This sensor enforces per-intent size limits\n * defined in the intent policy, rejecting oversized frames before they are\n * fully processed.\n \n How It Works:\n * 1. Extract Content-Length from request\n * 2. Look up maximum allowed size from intent policy\n * 3. If size exceeds limit, DENY the request\n * 4. Otherwise, ALLOW request to proceed\n \n Default Limits:\n * - Standard requests: 1MB (1,048,576 bytes)\n * - File uploads: 100MB (104,857,600 bytes)\n * - Streaming: No limit (handled by StreamScopeSensor)\n \n Security Model:\n * - Fail Open: If Content-Length is not available, ALLOW (other sensors handle)\n * - Early Rejection: Reject oversized frames before full download\n * - Per-Intent Limits: Different intents can have different size limits\n \n Configuration:\n * ```env\n * AXIS_MAX_FRAME_BYTES=1048576 # 1MB default\n * AXIS_MAX_UPLOAD_BYTES=104857600 # 100MB for uploads\n * ```\n \n Actions:\n * - `ALLOW` - Frame size within limits or unknown\n * - `DENY` - Frame exceeds configured maximum (code: FRAME_TOO_LARGE)\n \n Performance:\n * - Single comparison operation\n * - No I/O or external calls\n * - Latency: <0.1ms\n \n @class FrameBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Normal request (within limits):\n * ```typescript\n * // Content-Length: 50000 (50KB)\n * // Policy max: 1MB\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Oversized request:\n * ```typescript\n * // Content-Length: 10485760 (10MB)\n * // Policy max: 1MB\n * {\n * action: 'DENY',\n * code: 'FRAME_TOO_LARGE',\n * reason: 'Frame size 10485760 exceeds limit 1048576'\n * }\n * ```\n \n @todo Implement actual size checking against intent policy maxFrameBytes\n * @see {@link BodyBudgetSensor} - Body-specific size limiting\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class FrameBudgetSensor implements AxisSensor {\n /* AxisSensor identifier for logging and registry /\n readonly name = 'FrameBudgetSensor';\n\n /\n Execution order - runs after protocol validation\n \n Order 20 ensures:\n * - Protocol is valid (ProtocolStrictSensor @ 10)\n * - Size checked before expensive processing\n /\n readonly order = BAND.WIRE + 20;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when Content-Length header is available.\n * WebSocket frames may not have Content-Length; they use different size tracking.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if Content-Length is present\n /\n supports(input: SensorInput): boolean {\n return typeof input.contentLength === 'number';\n }\n\n /\n Validates frame size against configured limits.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Load intent policy for the request\n * 2. Get maxFrameBytes from policy\n * 3. Compare against contentLength\n * 4. DENY if exceeded\n \n @param {SensorInput} input - Request with contentLength\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const maxBytes =\n this.config.get<number>('AXIS_MAX_FRAME_SIZE') \|\| 50 1024 * 1024;\n const contentLength = input.contentLength;\n\n if (typeof contentLength !== 'number') {\n return { action: 'ALLOW' };\n }\n\n if (contentLength > maxBytes) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLength} exceeds limit ${maxBytes}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { AXIS_MAGIC, AXIS_VERSION, MAX_FRAME_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor({ phase: 'PRE_DECODE' })\nexport class FrameHeaderSanitySensor implements AxisSensor {\n readonly name = 'FrameHeaderSanitySensor';\n readonly order = BAND.WIRE + 30;\n\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const peek = input.peek!;\n const contentLen = input.contentLength \|\| 0;\n\n // Check magic (first 5 bytes: AXIS1)\n if (peek.length < 5 \|\| !this.bufferEqual(peek.slice(0, 5), AXIS_MAGIC)) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: 'Frame magic is not AXIS1',\n };\n }\n\n // Check version (byte 5)\n if (peek[5] !== AXIS_VERSION) {\n return {\n action: 'DENY',\n code: 'UNSUPPORTED_VERSION',\n reason: `Unsupported version: ${peek[5]}`,\n };\n }\n\n // Check frame length against hard limit\n if (contentLen > MAX_FRAME_LEN) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLen} exceeds max ${MAX_FRAME_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n private bufferEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { MAX_HDR_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class HeaderTLVLimitSensor implements AxisSensor {\n readonly name = 'HeaderTLVLimitSensor';\n readonly order = BAND.CONTENT + 0;\n private readonly MAX_TLVS = 64;\n\n supports(input: SensorInput): boolean {\n return !!input.headerTLVs \|\| !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n if (input.headerTLVs && input.headerTLVs.size > this.MAX_TLVS) {\n return {\n action: 'DENY',\n code: 'TOO_MANY_TLVS',\n reason: `Header TLVs (${input.headerTLVs.size}) exceed max (${this.MAX_TLVS})`,\n };\n }\n\n if (input.packet && input.packet.headerBytes) {\n const hdrLen = input.packet.headerBytes.length;\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds max ${MAX_HDR_LEN}`,\n };\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n// Public intent allowlist (exact or prefix)\nconst PUBLIC_INTENT_ALLOWLIST = [\n 'public.',\n 'schema.',\n 'catalog.',\n 'health.',\n 'system.',\n];\n\n@Injectable()\n@Sensor()\nexport class IntentAllowlistSensor implements AxisSensor {\n readonly name = 'IntentAllowlistSensor';\n readonly order = BAND.IDENTITY + 20;\n\n supports(input: SensorInput): boolean {\n // Only run in post-decode phase when intent is available\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const profile = input.metadata?.profile \|\| 'PUBLIC';\n const intent = input.intent \|\| '';\n\n // PUBLIC profile: only allow whitelisted intents\n if (profile === 'PUBLIC') {\n const isAllowed = PUBLIC_INTENT_ALLOWLIST.some((prefix) =>\n intent.startsWith(prefix),\n );\n if (!isAllowed) {\n return {\n action: 'DENY',\n code: 'INTENT_NOT_ALLOWED',\n reason: `Intent '${intent}' not in public allowlist`,\n };\n }\n }\n\n // GUARDED profile: allow all intents (capability enforcement comes later)\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { IntentRouter } from '../engine/intent.router';\nimport { BAND } from '../engine/sensor-bands';\n\n/*\n IntentRegistrySensor\n \n Runs early in POST_DECODE to reject intents that have no registered handler.\n * This prevents wasting resources on sensors, decoding, and routing for\n * intents that will inevitably fail with \"Intent not found\".\n \n Order: BAND.IDENTITY + 25 (65) — right after IntentAllowlistSensor (60).\n /\n@Injectable()\n@Sensor({ phase: 'POST_DECODE' })\nexport class IntentRegistrySensor implements AxisSensor {\n readonly name = 'IntentRegistrySensor';\n readonly order = BAND.IDENTITY + 25;\n\n constructor(private readonly router: IntentRouter) {}\n\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const intent = input.intent!;\n\n if (this.router.has(intent)) {\n return { action: 'ALLOW' };\n }\n\n return {\n action: 'DENY',\n code: 'INTENT_NOT_REGISTERED',\n reason: `Intent '${intent}' is not registered`,\n };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n ProofPresenceInput,\n ProofPresenceInputZ,\n} from '../schemas/axis-schemas';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Sensor()\n@Injectable()\nexport class ProofPresenceSensor implements AxisSensor {\n readonly name = 'ProofPresenceSensor';\n readonly order = BAND.IDENTITY + 30;\n\n supports(input: ProofPresenceInput): boolean {\n return !!input.profile && !!input.visibility;\n }\n\n async run(input: ProofPresenceInput): Promise<SensorDecision> {\n // Validate input with Zod\n const validatedInput = ProofPresenceInputZ.safeParse(input);\n if (!validatedInput.success) {\n throw new AxisError(\n 'SENSOR_INVALID_INPUT',\n `Input validation failed: ${validatedInput.error.message}`,\n 400,\n );\n }\n\n const {\n visibility,\n requiredProof,\n hasCapsule,\n hasPassportSignature,\n profile,\n intent,\n } = validatedInput.data;\n\n // Public intents don't require proof\n if (visibility === 'PUBLIC') {\n return { action: 'ALLOW' };\n }\n\n // If NONE is in required proofs, allow without proof\n if (requiredProof.includes('NONE')) {\n return { action: 'ALLOW' };\n }\n\n // Check if any required proof is satisfied\n const hasCapsuleProof = requiredProof.includes('CAPSULE') && hasCapsule;\n const hasPassportProof =\n requiredProof.includes('PASSPORT') && hasPassportSignature;\n const hasNodeProof = requiredProof.includes('MTLS') && profile === 'NODE';\n\n const satisfied = hasCapsuleProof \|\| hasPassportProof \|\| hasNodeProof;\n\n if (!satisfied) {\n throw new AxisError(\n 'SENSOR_PROOF_REQUIRED',\n `Proof required for guarded intent: ${intent}`,\n 403,\n );\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger, OnModuleInit } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { ProtocolStrictInputZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport {\n AXIS_MAGIC,\n AXIS_VERSION,\n FLAG_BODY_TLV,\n FLAG_CHAIN_REQ,\n FLAG_HAS_WITNESS,\n} from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/\n Valid flag combinations for AXIS frames.\n \n Flags can be combined using bitwise OR:\n * - 0x00: No flags (basic request)\n * - FLAG_BODY_TLV: Body section contains TLV-encoded data\n * - FLAG_CHAIN_REQ: Request requires receipt chaining\n * - FLAG_HAS_WITNESS: Frame includes witness signatures\n \n Any other flag combination is considered invalid.\n /\nconst VALID_FLAGS = [\n 0x00, // No flags\n FLAG_BODY_TLV, // Body contains TLVs\n FLAG_CHAIN_REQ, // Requires receipt chaining\n FLAG_HAS_WITNESS, // Has witness signatures\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ,\n FLAG_BODY_TLV \| FLAG_HAS_WITNESS,\n FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n];\n\n/\n Protocol Strict Sensor - Binary Protocol Validation Gateway\n \n CRITICAL SECURITY COMPONENT - FIRST LINE OF DEFENSE\n \n This sensor validates the raw binary structure of incoming AXIS frames before\n * any further processing occurs. It acts as the protocol gatekeeper, ensuring\n * only well-formed, spec-compliant frames are processed by the system.\n \n Execution Order: 10 (FIRST sensor in the chain)\n \n Core Concept:\n * AXIS uses a custom binary wire format for efficiency and security. This sensor\n * validates the frame structure at the byte level, catching malformed packets\n * before they can exploit parsing vulnerabilities deeper in the stack.\n \n Frame Structure Validated:\n * ```\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| MAGIC (5 bytes: \"AXIS1\") \| VER \| FLAGS \| HDR_LEN (varint)\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY_LEN (varint) \| SIG_LEN (varint) \| HDR TLVs... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY... \| SIGNATURE... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * ```\n \n Validations Performed:\n * 1. Content-Type - Must be `application/axis-bin` or similar\n * 2. Magic Bytes - Must be \"AXIS1\" (5 bytes)\n * 3. Version - Must match AXIS_VERSION constant\n * 4. Flags - Must be a valid combination\n * 5. Varint Encoding - Must be minimal (no unnecessary bytes)\n * 6. TLV Ordering - Must be canonical (sorted by type)\n * 7. Client Version - TLV 100 should be present\n \n Security Model:\n * - Fail Closed: Invalid magic/version = DENY\n * - Flag for Minor Issues: Non-critical violations decrease trust score\n * - Defense in Depth: First of multiple validation layers\n \n Actions:\n * - `ALLOW` - Frame is well-formed and spec-compliant\n * - `DENY` - Critical protocol violation (magic, version, frame too short)\n * - `FLAG` - Minor issues that decrease trust score\n \n Performance:\n * - Validates first 20 bytes of each frame\n * - No external dependencies (pure byte validation)\n * - Latency: <1ms for typical frames\n \n @class ProtocolStrictSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid AXIS frame:\n * ```typescript\n * // Frame starts with: \"AXIS1\" + version(1) + flags(0x01) + lengths...\n * // Sensor returns: { action: 'ALLOW' }\n * ```\n \n @example\n * Invalid magic bytes:\n * ```typescript\n * // Frame starts with: \"HTTP1\" (wrong protocol)\n * // Sensor returns: {\n * // action: 'DENY',\n * // code: 'INVALID_MAGIC',\n * // reason: 'Expected AXIS1 magic, got HTTP1'\n * // }\n * ```\n \n @see {@link https://axis-spec.example.com/wire-format AXIS Wire Format Spec}\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class ProtocolStrictSensor implements AxisSensor, OnModuleInit {\n private readonly logger = new Logger(ProtocolStrictSensor.name);\n\n /* Sensor identifier for logging and registry /\n readonly name = 'ProtocolStrictSensor';\n\n /\n Execution order - FIRST sensor in the chain\n \n Order 10 ensures:\n * - Runs before any other processing\n * - Invalid frames rejected immediately\n * - Protects all downstream sensors from malformed input\n /\n readonly order = BAND.WIRE + 10;\n\n private protocolMagic: Uint8Array = AXIS_MAGIC;\n private protocolVersion = AXIS_VERSION;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Static validation for streaming middleware (Fast Check)\n /\n public static validateMagic(\n chunk: Uint8Array,\n expected: Uint8Array,\n ): { valid: boolean; actual?: string } {\n if (chunk.length < expected.length) return { valid: true }; // Not enough data yet\n const actual = chunk.subarray(0, expected.length);\n const valid = Buffer.from(actual).equals(Buffer.from(expected));\n return {\n valid,\n actual: valid ? undefined : new TextDecoder().decode(actual),\n };\n }\n\n public static validateVersion(version: number, expected: number): boolean {\n return version === expected;\n }\n\n /\n Lifecycle hook: Registers this sensor in the chain on module initialization.\n /\n onModuleInit() {\n const magicStr = this.config.get<string>('AXIS_PROTOCOL_MAGIC');\n this.protocolMagic = magicStr ? Buffer.from(magicStr, 'ascii') : AXIS_MAGIC;\n this.protocolVersion =\n this.config.get<number>('AXIS_PROTOCOL_VERSION') \|\| AXIS_VERSION;\n }\n\n /\n Evaluate protocol strictness\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const validatedInput = ProtocolStrictInputZ.safeParse(input);\n if (!validatedInput.success) {\n this.logger.error(\n `Invalid input: ${validatedInput.error.message}`,\n validatedInput.error.issues,\n );\n return {\n action: 'DENY',\n code: 'INVALID_INPUT',\n reason: 'Protocol validation input failed',\n };\n }\n\n const { contentType, peek } = validatedInput.data;\n const issues: string[] = [];\n\n // Debug: Log first 10 bytes\n if (peek.length >= 8) {\n const hex = Buffer.from(peek.subarray(0, 10)).toString('hex');\n this.logger.debug(`Raw Frame Header (Hex): ${hex} (IP: ${input.ip})`);\n }\n\n // 1. Check Content-Type header (HTTP only)\n if (contentType !== undefined) {\n if (!this.isValidContentType(contentType)) {\n issues.push(`invalid_content_type:${contentType}`);\n }\n }\n\n // Need at least 9 bytes for basic frame header (Magic:5, Ver:1, Flags:1, HLen:1, BLen:1, SLen:1)\n if (peek.length < 9) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_SHORT',\n reason: 'Frame too short for protocol header',\n };\n }\n\n // 2. Check magic bytes\n const magicCheck = ProtocolStrictSensor.validateMagic(\n peek,\n this.protocolMagic,\n );\n if (!magicCheck.valid) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: `Expected ${new TextDecoder().decode(this.protocolMagic)} magic, got ${magicCheck.actual}`,\n };\n }\n\n // 3. Check version (Offset 5)\n const version = peek[5];\n if (!ProtocolStrictSensor.validateVersion(version, this.protocolVersion)) {\n issues.push(`unsupported_version:${version}`);\n }\n\n // 4. Check flags validity (Offset 6)\n const flags = peek[6];\n if (!this.isValidFlags(flags)) {\n issues.push(`invalid_flags:0x${flags.toString(16)}`);\n }\n\n // 5. Check length encoding (varints should be minimal) - Starts at Offset 7\n if (peek.length >= 10) {\n const lengthCheck = this.checkVarintEncoding(peek.subarray(7));\n if (!lengthCheck.valid) {\n issues.push(`non_minimal_varint:${lengthCheck.reason}`);\n }\n }\n\n // 6. Check TLV ordering if we have enough data\n if (peek.length >= 20) {\n const tlvCheck = this.checkTLVOrdering(peek);\n if (!tlvCheck.valid) {\n issues.push(`tlv_not_canonical:${tlvCheck.reason}`);\n }\n\n // 7. Check Client Version (TLV 100) presence\n const hasClientVersion = await this.checkForClientVersion(peek);\n if (!hasClientVersion) {\n // Warn for now (Phase 7 Soft Rollout)\n issues.push('missing_client_version');\n }\n }\n\n // Return FLAG for minor issues, DENY for critical\n if (issues.length > 0) {\n // Check for critical issues\n const critical = issues.some(\n (i) =>\n i.startsWith('invalid_magic') \|\| i.startsWith('unsupported_version'),\n );\n\n if (critical) {\n return {\n action: 'DENY',\n code: 'PROTOCOL_VIOLATION',\n reason: issues.join(', '),\n };\n }\n\n this.logger.warn(\n `Protocol issues from ${input.ip}: ${issues.join(', ')}`,\n );\n return {\n action: 'FLAG',\n scoreDelta: -issues.length 2,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /*\n Compare two buffers for equality\n /\n private buffersEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n\n /\n Check if Content-Type is valid for AXIS\n /\n private isValidContentType(contentType: string): boolean {\n const valid = [\n 'application/axis-bin',\n 'application/octet-stream',\n 'application/x-axis',\n ];\n return valid.some((v) => contentType.toLowerCase().includes(v));\n }\n\n /\n Check if flags are a valid combination\n /\n private isValidFlags(flags: number): boolean {\n return VALID_FLAGS.includes(flags);\n }\n\n /\n Check varint encoding is minimal (no leading zeros)\n /\n private checkVarintEncoding(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n try {\n const { value, length: bytesRead } = decodeVarint(data, 0);\n\n // Check for non-minimal encoding\n // A varint should use the minimum number of bytes\n if (value < 128 && bytesRead > 1) {\n return { valid: false, reason: 'non-minimal-small-value' };\n }\n if (value < 16384 && bytesRead > 2) {\n return { valid: false, reason: 'non-minimal-medium-value' };\n }\n\n return { valid: true };\n } catch {\n return { valid: false, reason: 'varint-decode-error' };\n }\n }\n\n /\n Check TLV ordering is canonical (sorted by type, no duplicates)\n /\n private checkTLVOrdering(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n // This is a simplified check - full check would require decoding the frame\n // For now, we do a heuristic check on the first few TLVs\n\n try {\n // Skip to length section (after magic, version, flags)\n let offset = 7;\n\n // Decode header length\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n\n // Decode body length\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n\n // Decode sig length\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n // Now at HDR TLVs\n const hdrStart = offset;\n const hdrEnd = hdrStart + Number(hdrLen);\n\n if (hdrEnd > data.length) {\n return { valid: true }; // Not enough data to check\n }\n\n // Check TLV types are ascending\n let lastType = -1;\n let pos = hdrStart;\n\n while (pos < hdrEnd && pos < data.length - 2) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n\n if (pos >= hdrEnd) break;\n\n const { value: len, length: lenBytes } = decodeVarint(data, pos);\n pos += lenBytes;\n\n // Check ordering\n if (Number(type) <= lastType) {\n return {\n valid: false,\n reason: `type-${type}-after-${lastType}`,\n };\n }\n\n lastType = Number(type);\n pos += Number(len);\n }\n\n return { valid: true };\n } catch {\n return { valid: true }; // On error, don't block\n }\n }\n\n /\n Check if TLV 100 (Client Version) exists in the headers\n /\n private async checkForClientVersion(data: Uint8Array): Promise<boolean> {\n try {\n let offset = 7;\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n const hdrEnd = offset + Number(hdrLen);\n\n let pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n const { length: lenBytes } = decodeVarint(data, pos); // value not needed\n pos += lenBytes;\n\n const { value: valLen, length: valLenBytes } = decodeVarint(\n data,\n pos - lenBytes,\n ); // reread legnth\n\n // Correct interaction: varint includes bytes read.\n // decodeVarint returns { value, length } -> length is how many bytes the varint took.\n // Wait, I need to read the length value to skip.\n\n // Re-do loop structure correctly:\n // 1. Read Type\n // 2. Read Length\n // 3. Skip Value\n }\n\n // Let's use a simpler heuristic scan for now as full parse is expensive here\n // and done elsewhere. But for correctness let's do it right.\n\n pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const t = decodeVarint(data, pos);\n pos += t.length;\n const l = decodeVarint(data, pos);\n pos += l.length;\n\n if (t.value === 100) return true;\n\n pos += Number(l.value);\n }\n\n return false;\n } catch {\n return false;\n }\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class ReceiptPolicySensor implements AxisSensor {\n readonly name = 'ReceiptPolicySensor';\n readonly order = BAND.BUSINESS + 20;\n\n supports(): boolean {\n return true;\n }\n\n async run(): Promise<SensorDecision> {\n // Stub: allow. Real impl defines which intents must yield signed receipts.\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { IntentSchema, IntentSchemaZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { AxisError } from '../core/axis-error';\nimport type { TlvValidatorFn } from '../decorators/tlv-field.decorator';\n\n/\n Reads a big-endian unsigned 64-bit integer from a byte array.\n \n @param {Uint8Array} b - 8-byte array\n * @returns {bigint} The decoded integer\n * @throws {AxisError} If array is not exactly 8 bytes\n /\nfunction readU64be(b: Uint8Array): bigint {\n if (b.length !== 8)\n throw new AxisError('SCHEMA_TYPE_MISMATCH', 'u64 must be 8 bytes', 400);\n let x = 0n;\n for (const by of b) x = (x << 8n) \| BigInt(by);\n return x;\n}\n\n/\n Schema Validation Sensor - TLV Field Contract Enforcement\n \n Validates that incoming request bodies conform to the defined intent schema.\n * This ensures type safety and data integrity before handler execution.\n \n Execution Order: 170 (late in pipeline, after all auth/policy checks)\n \n Core Concept:\n * Every AXIS intent can define a schema that specifies:\n * - Required fields and their TLV types\n * - Field types (utf8, bytes, u64, bool, etc.)\n * - Size limits per field\n * - Scope (header or body)\n \n The sensor validates each field against its schema definition, rejecting\n * requests that violate the contract.\n \n Supported Field Types:\n * \| Kind \| Description \| Validation \|\n * \|------\|-------------\|------------\|\n * \| `utf8` \| UTF-8 string \| Valid UTF-8 encoding \|\n * \| `bool` \| Boolean \| 1 byte: 0x00 or 0x01 \|\n * \| `u64` \| Unsigned 64-bit int \| Exactly 8 bytes, big-endian \|\n * \| `bytes16` \| Fixed 16 bytes \| Exactly 16 bytes (UUIDs) \|\n * \| `bytes` \| Variable bytes \| Any length up to maxLen \|\n * \| `obj` \| Nested object \| (Reserved for future) \|\n * \| `arr` \| Array \| (Reserved for future) \|\n \n How It Works:\n * ```\n * 1. Validate schema structure with Zod\n * 2. For each field in schema:\n * a. Look up TLV in headers or body (based on scope)\n * b. Check if field is required\n * c. Check size against maxLen\n * d. Validate type (utf8 encoding, bool values, etc.)\n * 3. Throw AxisError on any violation\n * ```\n \n Security Model:\n * - Fail Closed: Schema violations throw errors (no silent failures)\n * - Pre-Handler: All validation happens before handler execution\n * - Type-Safe: Handlers receive type-validated data\n \n Error Codes:\n * - `SCHEMA_INVALID` - Schema itself is malformed\n * - `SCHEMA_FIELD_MISSING` - Required field not present\n * - `SCHEMA_LIMIT_EXCEEDED` - Field exceeds maxLen or max value\n * - `SCHEMA_TYPE_MISMATCH` - Field type doesn't match expected\n \n Performance:\n * - In-memory validation (no I/O)\n * - O(n) where n = number of schema fields\n * - Latency: ~1-5ms for typical schemas\n \n @class SchemaValidationSensor\n * @implements {OnModuleInit}\n \n @example\n * Valid schema validation:\n * ```typescript\n * const schema = {\n * fields: [\n * { name: 'fullName', tlv: 100, kind: 'utf8', required: true, maxLen: 256 },\n * { name: 'age', tlv: 101, kind: 'u64', max: 150 }\n * ]\n * };\n * // Body TLVs contain valid data\n * { ok: true }\n * ```\n \n @example\n * Missing required field:\n * ```typescript\n * // TLV 100 (fullName) not present in body\n * throw AxisError('SCHEMA_FIELD_MISSING',\n * 'Missing required field: fullName (TLV 100)', 400);\n * ```\n \n @see {@link IntentSchema}\n /\n@Sensor()\n@Injectable()\nexport class SchemaValidationSensor implements AxisSensor {\n /* Sensor identifier for logging and registry /\n readonly name = 'SchemaValidationSensor';\n\n /\n Execution order - runs late in the pipeline\n \n Order 170 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Data validated before handler execution\n /\n readonly order = BAND.CONTENT + 35;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when a schema is provided for the intent (post-decode phase).\n \n @param {any} input - Sensor input\n * @returns {boolean} True if schema exists in metadata\n /\n supports(input: any): boolean {\n // Only run in post-decode phase when schema is provided\n return !!input.metadata?.schema;\n }\n\n /\n Validates TLV fields against the schema definition.\n \n Validation Steps:\n * 1. Validate the schema itself using Zod\n * 2. Iterate through each field definition\n * 3. Check required fields are present\n * 4. Validate size limits (maxLen)\n * 5. Validate type-specific rules\n \n @param {any} input - Standard SensorInput\n * @returns {{ action: 'ALLOW' } \| { action: 'DENY', code: string, reason: string }} Decision\n /\n async run(\n input: any,\n ): Promise<\n { action: 'ALLOW' } \| { action: 'DENY'; code: string; reason: string }\n > {\n const schema = input.metadata?.schema as IntentSchema;\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyTLVs = input.bodyTLVs as Map<number, Uint8Array> \| undefined;\n\n // If no schema, allow (no validation needed)\n if (!schema) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 1: Validate Schema Structure ===\n const validatedSchema = IntentSchemaZ.safeParse(schema);\n if (!validatedSchema.success) {\n return {\n action: 'DENY',\n code: 'SCHEMA_INVALID',\n reason: `Schema validation failed: ${validatedSchema.error.message}`,\n };\n }\n\n // === STEP 2: Validate Each Field ===\n try {\n for (const field of schema.fields) {\n // Determine which TLV map to use (header or body)\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n\n // Get the field value from the appropriate map\n const val = map?.get(field.tlv);\n\n // === Check Required Fields ===\n if (field.required && !val) {\n throw new AxisError(\n 'SCHEMA_FIELD_MISSING',\n `Missing required field: ${field.name} (TLV ${field.tlv})`,\n 400,\n );\n }\n\n // Skip validation if field not present (and not required)\n if (!val) continue;\n\n // === Check Size Limit ===\n if (typeof field.maxLen === 'number' && val.length > field.maxLen) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `Field ${field.name} too large (${val.length} > ${field.maxLen})`,\n 413, // Payload Too Large\n );\n }\n\n // === Type-Specific Validation ===\n switch (field.kind) {\n case 'utf8':\n // Validate UTF-8 encoding\n try {\n new TextDecoder('utf-8', { fatal: true }).decode(val);\n } catch {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid UTF-8 in ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bool':\n // Boolean must be exactly 1 byte: 0x00 or 0x01\n if (val.length !== 1 \|\| (val[0] !== 0 && val[0] !== 1)) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid bool: ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'u64': {\n // Unsigned 64-bit integer (big-endian)\n const x = readU64be(val);\n\n // Check max value if specified\n if (field.max) {\n const mx = BigInt(field.max);\n if (x > mx) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `u64 ${field.name} exceeds max (${x} > ${mx})`,\n 400,\n );\n }\n }\n break;\n }\n\n case 'bytes16':\n // Fixed 16-byte field (UUIDs, IDs)\n if (val.length !== 16) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `bytes16 required for ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bytes':\n // Variable-length bytes - any length within maxLen is allowed\n break;\n\n case 'obj':\n case 'arr':\n // Nested object/array validation (reserved for future)\n // TODO: Implement nested validation\n break;\n\n default:\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Unknown schema kind: ${field.kind}`,\n 500,\n );\n }\n }\n\n // === STEP 3: Run custom @TlvValidate validators ===\n const validators = input.metadata?.validators as\n \| Map<number, TlvValidatorFn[]>\n \| undefined;\n if (validators && validators.size > 0) {\n for (const field of schema.fields) {\n const fns = validators.get(field.tlv);\n if (!fns \|\| fns.length === 0) continue;\n\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n const val = map?.get(field.tlv);\n if (!val) continue; // missing fields already handled above\n\n for (const fn of fns) {\n const error = fn(val, field.name);\n if (error) {\n throw new AxisError(\n 'SCHEMA_VALIDATION_FAILED',\n `${field.name} (TLV ${field.tlv}): ${error}`,\n 400,\n );\n }\n }\n }\n }\n } catch (err: any) {\n // Convert AxisError to DENY decision\n if (err instanceof AxisError) {\n return {\n action: 'DENY',\n code: err.code,\n reason: err.message,\n };\n }\n throw err; // Re-throw unknown errors\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n/\n Stream Scope Sensor - Topic-Level Access Control\n \n Enforces read/write permissions on stream topics. Validates that\n * the actor has appropriate access to subscribe or publish to the\n * requested stream topic.\n \n Execution Order: 200 (near execution, after all validation)\n \n Core Concept:\n * AXIS supports real-time streaming via WebSocket. Streams are organized\n * by topics (e.g., 'citizen.123.timeline', 'hub.news.updates'). This\n * sensor enforces topic-level access control:\n * - Can the actor subscribe to this topic?\n * - Can the actor publish to this topic?\n \n Topic Patterns:\n * - `citizen.{id}.timeline` - Personal timeline (owner + admin)\n * - `hub.{name}.updates` - Hub updates (members)\n * - `public.` - Public topics (anyone)\n - `admin.` - Admin topics (admins only)\n \n * How It Would Work (Full Implementation):\n * ```\n * 1. Extract topic from stream intent body\n * 2. Parse topic pattern (e.g., citizen.123.timeline)\n * 3. Determine required access (read for subscribe, write for publish)\n * 4. Check actor's permissions against topic ACL\n * 5. DENY if unauthorized, ALLOW if permitted\n * ```\n \n Stream Operations:\n * - `stream.subscribe` - Requires READ access\n * - `stream.publish` - Requires WRITE access\n * - `stream.unsubscribe` - Always allowed (cleanup)\n \n Security Model:\n * - Stub Implementation: Currently allows all\n * - Topic Isolation: Each topic has independent ACL\n * - Inheritance: Pattern-based permissions (citizen.* = citizen owner)\n \n Actions (planned):\n * - `ALLOW` - Actor has permission\n * - `DENY` - Unauthorized topic access\n \n Error Codes (planned):\n * - `STREAM_UNAUTHORIZED` - No permission for topic\n * - `STREAM_TOPIC_NOT_FOUND` - Topic doesn't exist\n \n Performance:\n * - ACL lookup: O(1) with caching\n * - Pattern matching: O(patterns)\n \n @class StreamScopeSensor\n * @implements {Sensor}\n * @implements {OnModuleInit}\n \n @example\n * Authorized subscription:\n * ```typescript\n * // Actor: user123\n * // Topic: citizen.user123.timeline\n * // Permission: owner can read own timeline\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Unauthorized subscription (planned):\n * ```typescript\n * // Actor: user456\n * // Topic: citizen.user123.timeline\n * // Permission: NOT owner\n * {\n * action: 'DENY',\n * code: 'STREAM_UNAUTHORIZED',\n * reason: 'No read access to citizen.user123.timeline'\n * }\n * ```\n \n @todo Implement topic ACL lookup and permission checking\n * @see {@link CapabilityEnforcementSensor} - Request-level capabilities\n /\n@Sensor()\n@Injectable()\nexport class StreamScopeSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'StreamScopeSensor';\n\n /\n Execution order - near handler execution\n \n Order 200 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Stream-specific check right before subscription\n /\n readonly order = BAND.BUSINESS + 0;\n\n /\n Determines if this sensor should process the given input.\n \n Currently processes all inputs.\n \n @returns {boolean} Always true\n /\n supports(): boolean {\n return true;\n }\n\n /\n Validates stream topic access permissions.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Check if intent is stream.subscribe or stream.publish\n * 2. Extract topic from body TLVs\n * 3. Parse topic into owner/resource pattern\n * 4. Look up topic ACL from database/cache\n * 5. Check if actor has required permission (read/write)\n * 6. DENY if unauthorized\n \n @returns {Promise<SensorDecision>} ALLOW (stub implementation)\n /\n async run(): Promise<SensorDecision> {\n // TODO: Implement topic scope enforcement\n //\n // Full implementation would:\n // const { intent, packet, actorId } = input;\n //\n // if (!intent?.startsWith('stream.')) {\n // return { action: 'ALLOW' }; // Not a stream intent\n // }\n //\n // const topic = extractTopicFromBody(input.bodyTLVs);\n // const operation = intent === 'stream.publish' ? 'write' : 'read';\n //\n // const acl = await this.getTopicACL(topic);\n // if (!acl.allows(actorId, operation)) {\n // return {\n // action: 'DENY',\n // code: 'STREAM_UNAUTHORIZED',\n // reason: `No ${operation} access to ${topic}`\n // };\n // }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { decodeVarint } from '../core/varint';\n\n/\n TLV Parse AxisSensor - Type-Length-Value Parsing Verification\n \n Verifies that TLV data in packets is properly formed and follows\n * canonical ordering rules. Ensures binary payload integrity before\n * field extraction.\n \n Execution Order: 160 (after policy checks, before schema validation)\n \n Validates:\n * - TLV types are ascending (canonical ordering)\n * - No duplicate TLV types\n * - Length values are accurate (no buffer overrun)\n * - Varint encoding is minimal (no padding bytes)\n * - Tag values are > 0\n \n @class TLVParseSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class TLVParseSensor implements AxisSensor {\n readonly name = 'TLVParseSensor';\n readonly order = BAND.CONTENT + 20;\n\n supports(input: SensorInput): boolean {\n return !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const packet = input.packet;\n if (!packet) return { action: 'ALLOW' };\n\n // Validate header TLVs if raw header bytes are available\n const hdrBytes: Uint8Array \| Buffer \| undefined =\n packet.hdrBytes ?? packet.headerBytes;\n if (hdrBytes && hdrBytes.length > 0) {\n const result = this.validateCanonicalTLV(hdrBytes, 'header');\n if (result) return result;\n }\n\n // Validate body TLVs if body is flagged as TLV-encoded\n const bodyBytes: Uint8Array \| Buffer \| undefined =\n packet.bodyBytes ?? input.body;\n const bodyIsTlv =\n packet.flags !== undefined ? (packet.flags & 0x01) !== 0 : false;\n\n // @Intent({ bodyProfile: 'RAW' }) explicitly skips body TLV validation\n const bodyProfile = input.metadata?.schema?.bodyProfile;\n const skipBody = bodyProfile === 'RAW';\n\n if (!skipBody && bodyIsTlv && bodyBytes && bodyBytes.length > 0) {\n const result = this.validateCanonicalTLV(bodyBytes, 'body');\n if (result) return result;\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Validates a TLV buffer for canonical ordering, no duplicates,\n * valid bounds, and minimal varint encoding.\n /\n private validateCanonicalTLV(\n buf: Uint8Array,\n section: string,\n ): SensorDecision \| null {\n let offset = 0;\n let lastType = -1;\n let count = 0;\n const maxItems = 512;\n\n while (offset < buf.length) {\n if (count >= maxItems) {\n return {\n action: 'DENY',\n code: 'TLV_LIMIT',\n reason: `Too many TLVs in ${section}`,\n };\n }\n\n // Decode TYPE varint\n let type: number;\n let typeLen: number;\n try {\n const r = decodeVarint(buf, offset);\n type = r.value;\n typeLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed type varint in ${section} at offset ${offset}`,\n };\n }\n offset += typeLen;\n\n // Tag must be > 0\n if (type <= 0) {\n return {\n action: 'DENY',\n code: 'TLV_INVALID_TAG',\n reason: `Invalid tag ${type} in ${section}`,\n };\n }\n\n // Canonical order: strictly ascending\n if (type <= lastType) {\n return {\n action: 'DENY',\n code: 'TLV_NOT_CANONICAL',\n reason: `Non-canonical tag order in ${section}: ${type} after ${lastType}`,\n };\n }\n lastType = type;\n\n // Decode LEN varint\n let len: number;\n let lenLen: number;\n try {\n const r = decodeVarint(buf, offset);\n len = r.value;\n lenLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed length varint in ${section}`,\n };\n }\n offset += lenLen;\n\n // Bounds check\n if (offset + len > buf.length) {\n return {\n action: 'DENY',\n code: 'TLV_TRUNCATED',\n reason: `TLV value truncated in ${section}`,\n };\n }\n\n offset += len;\n count++;\n }\n\n return null; // Valid\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Varint Hardening Sensor - Variable-Length Integer Overflow Protection\n \n Detects and blocks malicious varint values that could cause integer overflow\n * or excessive memory allocation. Varints in AXIS frames encode lengths and types.\n \n Execution Order: 40 (early, before length-based parsing)\n \n Core Concept:\n * AXIS uses variable-length integers (varints) to encode:\n * - Header length\n * - Body length\n * - Signature length\n * - TLV types and lengths\n \n Varints use a continuation bit (MSB) to indicate more bytes follow.\n * An attacker could send an extremely long varint (many continuation bytes)\n * to cause:\n * - Integer overflow\n * - Excessive parsing time\n * - Memory exhaustion\n \n Varint Format:\n * ```\n * Each byte: [1-bit continuation][7-bit data]\n \n Examples:\n * 127 = 0x7F (1 byte)\n * 128 = 0x80 0x01 (2 bytes)\n * 16384 = 0x80 0x80 0x01 (3 bytes)\n * ```\n \n Limit: Maximum 5 bytes per varint\n * - 5 bytes = 35 bits of data = max value ~34 billion\n * - Sufficient for any legitimate length in AXIS\n \n How It Works:\n * ```\n * 1. Skip to varint start (offset 7: after magic+version+flags)\n * 2. Count consecutive bytes with MSB set (continuation bit)\n * 3. If count > 5, reject frame\n * ```\n \n Security Model:\n * - Fail Closed: Overflow = DENY\n * - Early Detection: Before full parsing\n * - Low Cost: Simple bit check\n \n Actions:\n * - `ALLOW` - Varint within bounds\n * - `DENY` - Varint exceeds 5 bytes\n \n Error Codes:\n * - `VARINT_OVERFLOW` - Varint exceeds maximum length\n \n Performance:\n * - Bit masking: O(1) per byte\n * - Maximum 15 bytes checked\n * - Latency: <0.1ms\n \n @class VarintHardeningSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid varint:\n * ```typescript\n * // Length 16384 encoded as 0x80 0x80 0x01 (3 bytes)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Overflow attack:\n * ```typescript\n * // 6 bytes with continuation bits set\n * {\n * action: 'DENY',\n * code: 'VARINT_OVERFLOW',\n * reason: 'Varint exceeds 5 bytes'\n * }\n * ```\n \n @see {@link BodyBudgetSensor} - Uses varints for length parsing\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class VarintHardeningSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'VarintHardeningSensor';\n\n /\n Execution order - early detection\n \n Order 40 ensures:\n * - After protocol magic check\n * - Before length-based parsing\n /\n readonly order = BAND.WIRE + 35;\n\n /* Maximum allowed bytes for a single varint /\n private readonly MAX_VARINT_BYTES = 5;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 7 bytes of peeked data.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n /\n Validates varint lengths in frame header.\n \n Processing Flow:\n * 1. Skip to varint section (offset 7)\n * 2. Scan for continuation bytes (MSB = 1)\n * 3. Count consecutive continuation bytes\n * 4. DENY if count exceeds MAX_VARINT_BYTES\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on varint length\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n // After magic(5) + version(1) + flags(1), varints follow for hdrLen, bodyLen, sigLen\n const peek = input.peek!;\n const offset = 7;\n const maxOffset = Math.min(offset + 15, peek.length);\n\n // Count consecutive bytes with continuation bit set (MSB = 1)\n let continuationCount = 0;\n for (let i = offset; i < maxOffset; i++) {\n if ((peek[i] & 0x80) !== 0) {\n continuationCount++;\n if (continuationCount > this.MAX_VARINT_BYTES) {\n return {\n action: 'DENY',\n code: 'VARINT_OVERFLOW',\n reason: `Varint exceeds ${this.MAX_VARINT_BYTES} bytes`,\n };\n }\n } else {\n // End of current varint - reset for next\n continuationCount = 0;\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","export from './axis-tlv-codec';\n","import {\n buildTLVs,\n extractDtoSchema,\n} from '../index';\nimport type { IntentTlvField } from '../decorators/intent.decorator';\n\ntype AxisTlvDtoCtor<T = object> = new (...args: never[]) => T;\n\nexport function encodeAxisTlvDto<T extends object>(\n dtoClass: AxisTlvDtoCtor<T>,\n data: Partial<Record<keyof T, unknown>>,\n): Uint8Array {\n const schema = extractDtoSchema(dtoClass);\n const items = schema.fields.flatMap((field) => {\n const value = (data as Record<string, unknown>)[field.name];\n if (value === undefined \|\| value === null) {\n if (field.required) {\n throw new Error(`Missing required TLV response field: ${field.name}`);\n }\n return [];\n }\n\n return [{ type: field.tag, value: encodeField(field, value) }];\n });\n\n return buildTLVs(items);\n}\n\nfunction encodeField(field: IntentTlvField, value: unknown): Buffer {\n switch (field.kind) {\n case 'utf8':\n return Buffer.from(String(value), 'utf8');\n case 'u64':\n return encodeU64(value);\n case 'bytes':\n case 'bytes16':\n return toBuffer(value);\n case 'bool':\n return Buffer.from([value ? 1 : 0]);\n case 'obj':\n case 'arr':\n return Buffer.from(JSON.stringify(value), 'utf8');\n default:\n return toBuffer(value);\n }\n}\n\nfunction encodeU64(value: unknown): Buffer {\n const encoded = Buffer.alloc(8);\n encoded.writeBigUInt64BE(\n typeof value === 'bigint' ? value : BigInt(value as number \| string),\n );\n return encoded;\n}\n\nfunction toBuffer(value: unknown): Buffer {\n if (Buffer.isBuffer(value)) {\n return value;\n }\n if (value instanceof Uint8Array) {\n return Buffer.from(value);\n }\n if (typeof value === 'string') {\n return Buffer.from(value, 'utf8');\n }\n\n throw new Error(`Unsupported TLV bytes value: ${typeof value}`);\n}"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAAwC;AAEjC,IAAM,uBAAuB;AAO7B,SAAS,QAAQ,QAAiC;AACvD,SAAO,CAAC,WAAqB;AAC3B,mCAAY,sBAAsB,EAAE,OAAO,CAAC,EAAE,MAAM;AACpD,kCAAW,EAAE,MAAa;AAAA,EAC5B;AACF;;;ACdA,8BAAO;AAEA,IAAM,sBAAsB;AAC5B,IAAM,oBAAoB;AA8E1B,SAAS,OACd,QACA,SACiB;AACjB,SAAO,CAAC,QAAQ,gBAAgB;AAE9B,YAAQ;AAAA,MACN;AAAA,MACA,EAAE,QAAQ,QAAQ,GAAG,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAGA,UAAM,SACJ,QAAQ,YAAY,mBAAmB,OAAO,WAAW,KAAK,CAAC;AACjE,WAAO,KAAK;AAAA,MACV;AAAA,MACA,YAAY;AAAA,MACZ,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,MAChB,MAAM,SAAS;AAAA,MACf,aAAa,SAAS;AAAA,MACtB,KAAK,SAAS;AAAA,MACd,KAAK,SAAS;AAAA,IAChB,CAAC;AACD,YAAQ,eAAe,mBAAmB,QAAQ,OAAO,WAAW;AAAA,EACtE;AACF;;;AC7GA,IAAAA,2BAAO;AAEA,IAAM,kBAAkB;AAQxB,SAAS,WAAW,SAAgD;AACzE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,iBAAiB,SAAS,QAAQ,WAAW;AAAA,EACtE;AACF;;;ACdA,IAAAC,2BAAO;AAEA,IAAM,qBAAqB;AAM3B,SAAS,cAAc,SAAsC;AAClE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,oBAAoB,SAAS,QAAQ,WAAW;AAAA,EACzE;AACF;;;ACZA,IAAAC,2BAAO;AAEA,IAAM,iBAAiB;AACvB,IAAM,qBAAqB;AAuE3B,SAAS,SACd,KACA,SACmB;AACnB,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,WACJ,QAAQ,eAAe,gBAAgB,OAAO,WAAW,KAAK,CAAC;AAEjE,aAAS,KAAK;AAAA,MACZ,UAAU,OAAO,WAAW;AAAA,MAC5B;AAAA,MACA;AAAA,IACF,CAAC;AAED,YAAQ,eAAe,gBAAgB,UAAU,OAAO,WAAW;AAAA,EACrE;AACF;AAUO,SAAS,YAAY,WAA8C;AACxE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,WACJ,QAAQ,eAAe,oBAAoB,OAAO,WAAW,KAAK,CAAC;AAErE,UAAM,OAAO,OAAO,WAAW;AAC/B,QAAI,QAAQ,SAAS,KAAK,CAAC,MAAM,EAAE,aAAa,IAAI;AAEpD,QAAI,CAAC,OAAO;AACV,cAAQ,EAAE,UAAU,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE;AACjD,eAAS,KAAK,KAAK;AAAA,IACrB;AAEA,UAAM,WAAW,KAAK,SAAS;AAE/B,YAAQ,eAAe,oBAAoB,UAAU,OAAO,WAAW;AAAA,EACzE;AACF;AAOO,SAAS,eACd,SACA,SACmB;AACnB,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,UAAM,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG;AACxC,WAAO,QAAQ,KAAK,GAAG,IACnB,OACA,WAAW,GAAG,IAAI;AAAA,EACxB,CAAC;AACH;AAKO,SAAS,UAAU,KAAa,SAAqC;AAC1E,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,WAAO,IAAI,UAAU,MACjB,OACA,WAAW,GAAG,IAAI,gBAAgB,IAAI,MAAM,MAAM,GAAG;AAAA,EAC3D,CAAC;AACH;AAKO,SAAS,QACd,SACA,SACmB;AACnB,QAAM,MAAM,IAAI,IAAI,OAAO;AAC3B,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,UAAM,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG;AACxC,WAAO,IAAI,IAAI,GAAG,IACd,OACA,WAAW,GAAG,IAAI,qBAAqB,QAAQ,KAAK,IAAI,CAAC;AAAA,EAC/D,CAAC;AACH;AAKO,SAAS,SACd,KACA,KACA,SACmB;AACnB,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,QAAI,IAAI,WAAW,EAAG,QAAO,GAAG,IAAI;AACpC,QAAI,IAAI;AACR,eAAW,KAAK,IAAK,KAAK,KAAK,KAAM,OAAO,CAAC;AAC7C,QAAI,IAAI,OAAO,IAAI,KAAK;AACtB,aAAO,WAAW,GAAG,IAAI,WAAW,CAAC,kBAAkB,GAAG,KAAK,GAAG;AAAA,IACpE;AACA,WAAO;AAAA,EACT,CAAC;AACH;;;ACpLA,IAAAC,2BAAO;;;ACAP,2BAEO;;;ADoBA,SAAS,iBAAiB,KAA0B;AACzD,QAAM,aACJ,QAAQ,YAAY,gBAAgB,GAAG,KAAK,CAAC;AAE/C,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,aAAa,IAAI,IAAI;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,YAAY,oBAAI,IAAoB;AAC1C,QAAM,SAA2B,WAAW,IAAI,CAAC,MAAM;AACrD,cAAU,IAAI,EAAE,UAAU,EAAE,GAAG;AAC/B,WAAO;AAAA,MACL,MAAM,EAAE;AAAA,MACR,KAAK,EAAE;AAAA,MACP,MAAM,EAAE,QAAQ;AAAA,MAChB,UAAU,EAAE,QAAQ;AAAA,MACpB,QAAQ,EAAE,QAAQ;AAAA,MAClB,KAAK,EAAE,QAAQ;AAAA,MACf,OAAO,EAAE,QAAQ;AAAA,IACnB;AAAA,EACF,CAAC;AAED,QAAM,iBACJ,QAAQ,YAAY,oBAAoB,GAAG,KAAK,CAAC;AAEnD,QAAM,aAAa,oBAAI,IAA8B;AACrD,aAAW,MAAM,gBAAgB;AAC/B,UAAM,MAAM,UAAU,IAAI,GAAG,QAAQ;AACrC,QAAI,QAAQ,QAAW;AACrB,YAAM,IAAI;AAAA,QACR,mBAAmB,IAAI,IAAI,IAAI,GAAG,QAAQ;AAAA,MAC5C;AAAA,IACF;AACA,OAAG,MAAM;AACT,eAAW,IAAI,KAAK,GAAG,UAAU;AAAA,EACnC;AAEA,SAAO,EAAE,QAAQ,WAAW;AAC9B;AAgBO,SAAS,gBACd,KAC4C;AAC5C,QAAM,aACJ,QAAQ,YAAY,gBAAgB,GAAG,KAAK,CAAC;AAE/C,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,aAAa,IAAI,IAAI;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,SAAS,oBAAI,IAAgD;AACnE,aAAW,KAAK,YAAY;AAC1B,WAAO,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,MAAM,EAAE,QAAQ,KAAK,CAAC;AAAA,EAClE;AAEA,SAAO,CAAC,cAA2C;AACjD,UAAMC,cAAS,iCAAW,IAAI,WAAW,SAAS,CAAC;AACnD,UAAM,SAA8B,CAAC;AAErC,eAAW,CAAC,KAAK,GAAG,KAAKA,SAAQ;AAC/B,YAAM,OAAO,OAAO,IAAI,GAAG;AAC3B,UAAI,CAAC,KAAM;AAEX,cAAQ,KAAK,MAAM;AAAA,QACjB,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI,IAAI,YAAY,EAAE,OAAO,GAAG;AACpD;AAAA,QACF,KAAK,OAAO;AACV,cAAI,IAAI;AACR,mBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,gBAAK,KAAK,KAAM,OAAO,IAAI,CAAC,CAAC;AAAA,UAC/B;AACA,iBAAO,KAAK,QAAQ,IAAI;AACxB;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI;AACxB;AAAA,QACF,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI,IAAI,SAAS,KAAK,IAAI,CAAC,MAAM;AACrD;AAAA,QACF,KAAK;AAAA,QACL,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG,CAAC;AAChE;AAAA,QACF;AACE,iBAAO,KAAK,QAAQ,IAAI;AAAA,MAC5B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AE5HO,IAAe,aAAf,MAA0B;AAAC;;;ACN3B,IAAM,YAAN,cAAwB,WAAW;AAI1C;AADE;AAAA,EAFC,SAAS,GAAG,EAAE,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI,CAAC;AAAA,EACzD,UAAU,GAAG,sBAAsB;AAAA,GAFzB,UAGX;;;ACNF,IAAAC,2BAAO;AAyBA,SAAS,gBACd,SAC+D;AAAA,EAC/D,MAAM,mBAAoB,QAAgB;AAAA,EAAC;AAE3C,QAAM,SACJ,QAAQ,eAAe,gBAAgB,OAAO,KAAK,CAAC;AAEtD,QAAM,gBAAgC,OAAO,IAAI,CAAC,OAAO;AAAA,IACvD,UAAU,EAAE;AAAA,IACZ,KAAK,EAAE;AAAA,IACP,SAAS,EAAE,GAAG,EAAE,SAAS,UAAU,MAAM;AAAA,EAC3C,EAAE;AAEF,UAAQ,eAAe,gBAAgB,eAAe,UAAU;AAEhE,QAAM,aACJ,QAAQ,eAAe,oBAAoB,OAAO,KAAK,CAAC;AAE1D,MAAI,WAAW,SAAS,GAAG;AACzB,YAAQ,eAAe,oBAAoB,CAAC,GAAG,UAAU,GAAG,UAAU;AAAA,EACxE;AAEA,SAAO,eAAe,YAAY,QAAQ;AAAA,IACxC,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC/B,CAAC;AAED,SAAO;AACT;;;AC5CO,IAAM,kBAAkB;AACxB,IAAM,0BAA0B;AAChC,IAAM,0BAA0B;AAChC,IAAM,0BAA0B;AAChC,IAAM,0BAA0B;AAWhC,IAAe,kBAAf,cAAuC,WAAW;AAezD;AAbE;AAAA,EADC,SAAS,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAAA,GADvB,gBAEpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,MAAM,CAAC;AAAA,GAJ9B,gBAKpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,MAAM,CAAC;AAAA,GAP9B,gBAQpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,OAAO,CAAC;AAAA,GAV/B,gBAWpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,OAAO,CAAC;AAAA,GAb/B,gBAcpB;;;ACtCF,IAAAC,iBAA6C;;;ACqItC,IAAK,WAAL,kBAAKC,cAAL;AACL,EAAAA,UAAA,WAAQ;AACR,EAAAA,UAAA,UAAO;AACP,EAAAA,UAAA,cAAW;AACX,EAAAA,UAAA,UAAO;AAJG,SAAAA;AAAA,GAAA;AAoEL,SAAS,wBACd,gBACwB;AAExB,MAAI,YAAY,gBAAgB;AAE9B,YAAQ,eAAe,QAAQ;AAAA,MAC7B,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,eAAe,MAAM,eAAe,MAAM,EAAE;AAAA,YACpD;AAAA,UACF;AAAA,UACA,MAAM,eAAe;AAAA,UACrB,cAAc,eAAe;AAAA,QAC/B;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,YAAY;AAAA,UACtB,cAAc,eAAe;AAAA,UAC7B,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW,eAAe;AAAA,UAC1B,SAAS,eAAe;AAAA,UACxB,MAAM,eAAe;AAAA,QACvB;AAAA,IACJ;AAAA,EACF;AAGA,SAAO;AAAA,IACL,OAAO,eAAe;AAAA,IACtB,WAAW,eAAe;AAAA,IAC1B,SAAS,eAAe;AAAA,IACxB,MAAM,eAAe;AAAA,IACrB,MAAM,eAAe;AAAA,IACrB,SAAS,eAAe;AAAA,IACxB,cAAc,eAAe;AAAA,EAC/B;AACF;AAKO,IAAM,kBAAkB;AAAA,EAC7B,MAAM,MAAY,MAA4C;AAC5D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX,SAAS,CAAC;AAAA,MACV;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,KAAK,MAAc,QAAiB,MAA4B;AAC9D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX;AAAA,MACA,SAAS,CAAC,MAAM,MAAM,EAAE,OAAO,OAAO;AAAA,MACtC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,SAAS,cAAsB,MAA4B;AACzD,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX;AAAA,MACA,MAAM;AAAA,MACN,SAAS,CAAC,YAAY;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAAA,EAEA,KAAK,YAAoB,SAAmB,MAA4B;AACtE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;ADtOO,IAAM,eAAN,MAAmB;AAAA,EA+BxB,YAAyC,WAAuB;AAAvB;AA9BzC,SAAiB,SAAS,IAAI,sBAAO,aAAa,IAAI;AAatD;AAAA,SAAQ,WAAW,oBAAI,IAAiB;AAGxC;AAAA,SAAQ,gBAAgB,oBAAI,IAAwB;AAGpD;AAAA,SAAQ,iBAAiB,oBAAI,IAAkC;AAG/D;AAAA,SAAQ,gBAAgB,oBAAI,IAA0B;AAGtD;AAAA,SAAQ,mBAAmB,oBAAI,IAA2C;AAG1E;AAAA,SAAQ,cAAc,oBAAI,IAAwB;AAAA,EAEe;AAAA,EAEjE,UAAU,QAA0C;AAClD,WAAO,KAAK,cAAc,IAAI,MAAM;AAAA,EACtC;AAAA,EAEA,cAAc,QAA2D;AACvE,WAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,EACzC;AAAA,EAEA,IAAI,QAAyB;AAC3B,WACE,KAAK,SAAS,IAAI,MAAM,KAAK,aAAa,gBAAgB,IAAI,MAAM;AAAA,EAExE;AAAA,EAEA,uBAAiC;AAC/B,WAAO,CAAC,GAAG,aAAa,iBAAiB,GAAG,KAAK,SAAS,KAAK,CAAC;AAAA,EAClE;AAAA,EAEA,eAAe,QAMN;AACP,QAAI,CAAC,KAAK,IAAI,MAAM,EAAG,QAAO;AAC9B,WAAO;AAAA,MACL,QAAQ,KAAK,cAAc,IAAI,MAAM;AAAA,MACrC,YAAY,KAAK,iBAAiB,IAAI,MAAM;AAAA,MAC5C,YAAY,KAAK,cAAc,IAAI,MAAM;AAAA,MACzC,SAAS,aAAa,gBAAgB,IAAI,MAAM;AAAA,MAChD,MAAM,KAAK,YAAY,IAAI,MAAM;AAAA,IACnC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,SAAS,QAAgB,SAAc;AACrC,SAAK,SAAS,IAAI,QAAQ,OAAO;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,gBAAgB,UAAe;AAC7B,UAAM,cAAc,QAAQ;AAAA,MAC1B;AAAA,MACA,SAAS;AAAA,IACX;AACA,UAAM,SAA6B,aAAa,UAAU,SAAS;AAEnE,UAAM,SACJ,QAAQ,YAAY,mBAAmB,SAAS,WAAW,KAAK,CAAC;AAEnE,eAAW,SAAS,QAAQ;AAC1B,YAAM,aAAa,MAAM,WACrB,MAAM,SACN,GAAG,MAAM,IAAI,MAAM,MAAM;AAC7B,YAAM,KAAK,SAAS,MAAM,UAAU,EAAE,KAAK,QAAQ;AAEnD,UAAI,MAAM,OAAO;AACf,aAAK,SAAS,YAAY,EAAE,QAAQ,GAAG,CAAC;AAAA,MAC1C,OAAO;AACL,aAAK,SAAS,YAAY,EAAE;AAAA,MAC9B;AAEA,WAAK,mBAAmB,YAAY,OAAO,eAAe,QAAQ,GAAG,OAAO,MAAM,UAAU,CAAC;AAAA,IAC/F;AAEA,UAAM,QAAQ,OAAO,eAAe,QAAQ;AAC5C,eAAW,OAAO,OAAO,oBAAoB,KAAK,GAAG;AACnD,YAAM,OAAO,QAAQ,YAAY,qBAAqB,OAAO,GAAG;AAChE,UAAI,CAAC,MAAM,OAAQ;AAEnB,UAAI,CAAC,KAAK,SAAS,IAAI,KAAK,MAAM,GAAG;AACnC,aAAK,SAAS,KAAK,QAAS,SAAiB,GAAG,EAAE,KAAK,QAAQ,CAAC;AAAA,MAClE;AAEA,WAAK,mBAAmB,KAAK,QAAQ,OAAO,GAAG;AAAA,IACjD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,MAAM,OAAuC;AACjD,UAAM,QAAQ,QAAQ,OAAO;AAC7B,QAAI,SAAS;AAEb,QAAI;AAEF,YAAM,cAAc,MAAM,QAAQ,IAAI,CAAC;AACvC,UAAI,CAAC,YAAa,OAAM,IAAI,MAAM,gBAAgB;AAClD,eAAS,IAAI,YAAY,EAAE,OAAO,WAAW;AAE7C,UAAI;AAEJ,UAAI,WAAW,iBAAiB,WAAW,eAAe;AACxD,aAAK,OAAO,MAAM,eAAe;AACjC,iBAAS;AAAA,UACP,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,SAAS,oBAAI,IAAI;AAAA,YACf,CAAC,KAAK,IAAI,YAAY,EAAE,OAAO,iBAAiB,CAAC;AAAA,UACnD,CAAC;AAAA,UACD,MAAM,IAAI,YAAY,EAAE;AAAA,YACtB,KAAK,UAAU;AAAA,cACb,QAAQ;AAAA,cACR,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,cAClC,SAAS;AAAA,YACX,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF,WAAW,WAAW,eAAe;AACnC,cAAM,KAAK,KAAK,IAAI,EAAE,SAAS;AAC/B,iBAAS;AAAA,UACP,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,MAAM,IAAI,YAAY,EAAE;AAAA,YACtB,KAAK,UAAU;AAAA,cACb;AAAA,cACA,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,YAC9B,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF,WAAW,WAAW,eAAe;AACnC,iBAAS;AAAA,UACP,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,MAAM,MAAM;AAAA,QACd;AAAA,MACF,WAAW,WAAW,iBAAiB,WAAW,oBAAoB;AAEpE,YAAI;AACF,gBAAM,WAAW,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI,CAAC;AAChE,gBAAM,cAAc,SAAS;AAC7B,gBAAM,YAAY,SAAS,QAAQ,CAAC;AAEpC,cAAI,CAAC,aAAa;AAChB,kBAAM,IAAI,MAAM,kCAAkC;AAAA,UACpD;AAEA,eAAK,OAAO,MAAM,kCAAkC,WAAW,GAAG;AAElE,gBAAM,aAAwB;AAAA,YAC5B,GAAG;AAAA,YACH,SAAS,IAAI,IAAI,MAAM,OAAO;AAAA,YAC9B,MAAM,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,SAAS,CAAC;AAAA,UAC1D;AACA,qBAAW,QAAQ,IAAI,GAAG,IAAI,YAAY,EAAE,OAAO,WAAW,CAAC;AAE/D,iBAAO,MAAM,KAAK,MAAM,UAAU;AAAA,QACpC,SAAS,GAAQ;AACf,gBAAM,IAAI,MAAM,kCAAkC,EAAE,OAAO,EAAE;AAAA,QAC/D;AAAA,MACF,OAAO;AACL,cAAM,UAAU,KAAK,SAAS,IAAI,MAAM;AACxC,YAAI,CAAC,SAAS;AACZ,gBAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,QAC/C;AAEA,cAAM,gBAAgB,KAAK,cAAc,IAAI,MAAM;AACnD,YAAI,iBAAiB,cAAc,SAAS,GAAG;AAC7C,gBAAM,KAAK,iBAAiB,eAAe,QAAQ,KAAK;AAAA,QAC1D;AAEA,cAAM,UAAU,KAAK,eAAe,IAAI,MAAM;AAC9C,YAAI,cAAmB,MAAM;AAC7B,YAAI,SAAS;AACX,cAAI;AACF,0BAAc,QAAQ,OAAO,KAAK,MAAM,IAAI,CAAC;AAAA,UAC/C,SAAS,WAAgB;AACvB,kBAAM,IAAI;AAAA,cACR,gCAAgC,MAAM,KAAK,UAAU,OAAO;AAAA,YAC9D;AAAA,UACF;AAAA,QACF;AAEA,YAAI,OAAO,YAAY,YAAY;AACjC,gBAAM,aAAa,UACf,MAAM,QAAQ,aAAa,MAAM,OAAO,IACxC,MAAM,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC3C,mBAAS;AAAA,YACP,IAAI;AAAA,YACJ,QAAQ;AAAA,YACR,MAAM;AAAA,UACR;AAAA,QACF,OAAO;AACL,cAAI,OAAQ,QAAgB,WAAW,YAAY;AACjD,qBAAS,MAAO,QAAgB,OAAO,KAAK;AAAA,UAC9C,WAAW,OAAQ,QAAgB,YAAY,YAAY;AACzD,kBAAM,UAAU,UACZ,MAAO,QAAgB,QAAQ,aAAa,MAAM,OAAO,IACzD,MAAO,QAAgB,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC5D,qBAAS;AAAA,cACP,IAAI;AAAA,cACJ,QAAQ;AAAA,cACR,MAAM;AAAA,YACR;AAAA,UACF,OAAO;AACL,kBAAM,IAAI;AAAA,cACR,eAAe,MAAM;AAAA,YACvB;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAEA,WAAK,UAAU,QAAQ,OAAO,IAAI;AAClC,aAAO;AAAA,IACT,SAAS,GAAQ;AACf,WAAK,UAAU,QAAQ,OAAO,OAAO,EAAE,OAAO;AAC9C,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEQ,UACN,QACA,OACA,IACA,OACA;AACA,UAAM,OAAO,QAAQ,OAAO,KAAK;AACjC,UAAM,MAAM,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC;AACpD,QAAI,IAAI;AACN,WAAK,OAAO,MAAM,GAAG,MAAM,iBAAiB,EAAE,IAAI;AAAA,IACpD,OAAO;AACL,WAAK,OAAO,KAAK,GAAG,MAAM,cAAc,EAAE,QAAQ,KAAK,EAAE;AAAA,IAC3D;AAAA,EACF;AAAA,EAEA,mBAAmB,QAAgB,OAAe,YAA0B;AAC1E,UAAM,UAAU,QAAQ,YAAY,iBAAiB,OAAO,UAAU;AACtE,QAAI,SAAS;AACX,WAAK,eAAe,IAAI,QAAQ,OAAO;AAAA,IACzC;AAEA,UAAM,UAAU,QAAQ,YAAY,oBAAoB,OAAO,UAAU;AACzE,QAAI,WAAW,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAC3D,WAAK,cAAc,IAAI,QAAQ,OAAO;AAAA,IACxC;AAEA,UAAM,OAAO,QAAQ,YAAY,qBAAqB,OAAO,UAAU;AACvE,QAAI,MAAM;AACR,WAAK,YAAY,IAAI;AACrB,UAAI,KAAK,MAAM;AACb,aAAK,YAAY,IAAI,QAAQ,KAAK,IAAI;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,iBACZ,eACA,QACA,OACe;AACf,QAAI,CAAC,KAAK,UAAW;AAErB,eAAW,eAAe,eAAe;AACvC,UAAI;AACJ,UAAI;AACF,iBAAS,KAAK,UAAU,IAAI,aAAoB,EAAE,QAAQ,MAAM,CAAC;AAAA,MACnE,QAAQ;AACN,aAAK,OAAO;AAAA,UACV,qCAAqC,YAAY,IAAI,QAAQ,MAAM;AAAA,QACrE;AACA;AAAA,MACF;AAEA,YAAM,cAA2B;AAAA,QAC/B,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,YAAY,MAAM;AAAA,QAClB,UAAU,EAAE,OAAO,UAAU,OAAO;AAAA,MACtC;AAEA,UAAI,OAAO,YAAY,CAAC,OAAO,SAAS,WAAW,EAAG;AAEtD,YAAM,WAAW,wBAAwB,MAAM,OAAO,IAAI,WAAW,CAAC;AACtE,UAAI,CAAC,SAAS,OAAO;AACnB,cAAM,SAAS,SAAS,QAAQ,CAAC,KAAK,GAAG,OAAO,IAAI;AACpD,aAAK,OAAO;AAAA,UACV,iBAAiB,OAAO,IAAI,WAAW,MAAM,KAAK,MAAM;AAAA,QAC1D;AACA,cAAM,IAAI,MAAM,eAAe,MAAM,EAAE;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,YAAY,MAMX;AACP,QAAI,KAAK,KAAK;AACZ,UAAI,KAAK,OAAO,KAAK,IAAI,SAAS,GAAG;AACnC,aAAK,OAAO;AAAA,UACV,GAAG,KAAK,MAAM;AAAA,QAChB;AAAA,MACF;AAEA,YAAM,YAAY,iBAAiB,KAAK,GAAG;AAC3C,YAAMC,UAAuB;AAAA,QAC3B,QAAQ,KAAK;AAAA,QACb,SAAS;AAAA,QACT,aAAa,KAAK,eAAe;AAAA,QACjC,QAAQ,UAAU,OAAO,IAAI,CAAC,OAAO;AAAA,UACnC,MAAM,EAAE;AAAA,UACR,KAAK,EAAE;AAAA,UACP,MAAM,EAAE;AAAA,UACR,UAAU,EAAE;AAAA,UACZ,QAAQ,EAAE;AAAA,UACV,KAAK,EAAE;AAAA,UACP,OAAO,EAAE;AAAA,QACX,EAAE;AAAA,MACJ;AAEA,WAAK,cAAc,IAAI,KAAK,QAAQA,OAAM;AAE1C,UAAI,UAAU,WAAW,OAAO,GAAG;AACjC,aAAK,iBAAiB,IAAI,KAAK,QAAQ,UAAU,UAAU;AAAA,MAC7D;AAEA,UAAI,CAAC,KAAK,eAAe,IAAI,KAAK,MAAM,GAAG;AACzC,aAAK,eAAe,IAAI,KAAK,QAAQ,gBAAgB,KAAK,GAAG,CAAC;AAAA,MAChE;AAEA;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,OAAO,KAAK,IAAI,WAAW,EAAG;AAExC,UAAM,SAAuB;AAAA,MAC3B,QAAQ,KAAK;AAAA,MACb,SAAS;AAAA,MACT,aAAa,KAAK,eAAe;AAAA,MACjC,QAAQ,KAAK,IAAI,IAAI,CAAC,OAAO;AAAA,QAC3B,MAAM,EAAE;AAAA,QACR,KAAK,EAAE;AAAA,QACP,MAAM,EAAE;AAAA,QACR,UAAU,EAAE;AAAA,QACZ,QAAQ,EAAE;AAAA,QACV,KAAK,EAAE;AAAA,QACP,OAAO,EAAE;AAAA,MACX,EAAE;AAAA,IACJ;AAEA,SAAK,cAAc,IAAI,KAAK,QAAQ,MAAM;AAAA,EAC5C;AACF;AAAA;AApZa,aAIa,kBAAkB,oBAAI,IAAI;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAXU,eAAN;AAAA,MADN,2BAAW;AAAA,EAgCG,gDAAS;AAAA,GA/BX;;;AEzEb,IAAAC,wBAiBO;;;ACjBP,IAAAC,wBAAyD;;;ACAzD,aAAwB;;;ACAxB,QAAmB;AAQZ,IAAM,aAAe,SAAO;AAAA;AAAA,EAEjC,OAAS,SAAO,EAAE,IAAI,EAAE,YAAY;AAAA;AAAA,EAEpC,SAAW;AAAA,IACP,SAAO;AAAA,IACP,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,EACrD;AAAA;AAAA,EAEA,MAAQ,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA;AAAA,EAEzD,KAAO,SAAmB,CAAC,MAAM,aAAa,UAAU;AAC1D,CAAC;AAgCM,SAAS,YAAY,OAA8B;AACxD,QAAM,eAAW;AAAA,IACf,MAAM,KAAK,MAAM,QAAQ,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO;AAAA,MACnD,MAAM;AAAA,MACN,OAAO;AAAA,IACT,EAAE;AAAA,EACJ;AAEA,MAAI,SAAS,SAAS,kCAAa,OAAM,IAAI,MAAM,kBAAkB;AACrE,MAAI,MAAM,KAAK,SAAS,mCAAc,OAAM,IAAI,MAAM,gBAAgB;AACtE,MAAI,MAAM,IAAI,SAAS,kCAAa,OAAM,IAAI,MAAM,qBAAqB;AAGzE,QAAM,kBAAc,oCAAa,SAAS,MAAM;AAChD,QAAM,mBAAe,oCAAa,MAAM,KAAK,MAAM;AACnD,QAAM,kBAAc,oCAAa,MAAM,IAAI,MAAM;AAEjD,QAAM,WACJ;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAY,SACZ,aAAa,SACb,YAAY,SACZ,SAAS,SACT,MAAM,KAAK,SACX,MAAM,IAAI;AAEZ,MAAI,WAAW,oCAAe,OAAM,IAAI,MAAM,uBAAuB;AAErE,QAAM,MAAM,IAAI,WAAW,QAAQ;AACnC,MAAI,SAAS;AAGb,MAAI,IAAI,kCAAY,MAAM;AAC1B,YAAU;AAGV,MAAI,QAAQ,IAAI;AAGhB,MAAI,QAAQ,IAAI,MAAM;AAGtB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAEtB,MAAI,IAAI,cAAc,MAAM;AAC5B,YAAU,aAAa;AAEvB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAGtB,MAAI,IAAI,UAAU,MAAM;AACxB,YAAU,SAAS;AAEnB,MAAI,IAAI,MAAM,MAAM,MAAM;AAC1B,YAAU,MAAM,KAAK;AAErB,MAAI,IAAI,MAAM,KAAK,MAAM;AACzB,YAAU,MAAM,IAAI;AAEpB,SAAO;AACT;AASO,SAAS,YAAY,KAA4B;AACtD,MAAI,SAAS;AAGb,MAAI,SAAS,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAC/D,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAI,IAAI,SAAS,CAAC,MAAM,iCAAW,CAAC,EAAG,OAAM,IAAI,MAAM,eAAe;AAAA,EACxE;AACA,YAAU;AAGV,QAAM,MAAM,IAAI,QAAQ;AACxB,MAAI,QAAQ,mCAAc,OAAM,IAAI,MAAM,wBAAwB,GAAG,EAAE;AAGvE,QAAM,QAAQ,IAAI,QAAQ;AAG1B,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,kCAAa,OAAM,IAAI,MAAM,uBAAuB;AAEjE,QAAM,EAAE,OAAO,SAAS,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AAClE,YAAU;AACV,MAAI,UAAU,mCAAc,OAAM,IAAI,MAAM,qBAAqB;AAEjE,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,kCAAa,OAAM,IAAI,MAAM,0BAA0B;AAGpE,MAAI,SAAS,SAAS,UAAU,SAAS,IAAI,QAAQ;AACnD,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AAEA,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAEV,QAAM,YAAY,IAAI,MAAM,QAAQ,SAAS,OAAO;AACpD,YAAU;AAEV,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAGV,QAAM,cAAU,iCAAW,QAAQ;AAEnC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,KAAK;AAAA,EACP;AACF;AAMO,SAAS,cAAc,OAA8B;AAG1D,SAAO,YAAY;AAAA,IACjB,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB,CAAC;AACH;;;AD/KO,SAAS,wBAAwB,OAA0B;AAEhE,QAAM,kBAA6B;AAAA,IACjC,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB;AAEA,QAAM,UAAU,YAAY,eAAe;AAC3C,SAAO,OAAO,KAAK,OAAO;AAC5B;AAWO,SAAS,UAAU,OAAkB,YAA4B;AACtE,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AAGJ,MAAI,WAAW,WAAW,IAAI;AAG5B,UAAM,cAAc,OAAO,KAAK;AAAA,MAC9B;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAClE;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IACpB,CAAC;AACD,UAAM,WAAW,OAAO,OAAO,CAAC,aAAa,UAAU,CAAC;AAExD,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH,OAAO;AAEL,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,YAAmB,YAAK,MAAM,SAAS,SAAS;AAEtD,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO;AACT;AAWO,SAAS,qBACd,OACA,WACS;AACT,MAAI,MAAM,IAAI,WAAW,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AACF,QAAI;AAGJ,QAAI,UAAU,WAAW,IAAI;AAG3B,YAAM,aAAa,OAAO,KAAK;AAAA,QAC7B;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,MACpE,CAAC;AACD,YAAM,UAAU,OAAO,OAAO,CAAC,YAAY,SAAS,CAAC;AAErD,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH,OAAO;AAEL,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,QAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,KAAK,MAAM,GAAG;AAAA,IACvB;AACA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;AAQO,SAAS,yBAGd;AACA,QAAM,EAAE,YAAY,UAAU,IAAW,2BAAoB,SAAS;AAEtE,SAAO;AAAA,IACL,YAAY,WAAW,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC;AAAA,IAC9D,WAAW,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAAA,EAC7D;AACF;AAQO,SAAS,OAAO,MAAmC;AACxD,SAAc,kBAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AACzD;AAUO,SAAS,mBACd,cACA,UACQ;AACR,QAAM,SAAgB,kBAAW,QAAQ;AACzC,SAAO,OAAO,YAAY;AAE1B,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO,OAAO,OAAO;AACvB;;;AEpLO,IAAM,WAAW;AAAA,EACtB,WAAW;AAAA;AAAA,EACX,cAAc;AAAA;AAAA,EACd,YAAY;AAAA;AAAA,EACZ,OAAO;AAAA;AAAA,EACP,OAAO;AAAA;AAAA,EACP,WAAW;AAAA;AAAA,EACX,WAAW;AAAA;AAAA,EACX,UAAU;AAAA;AACZ;AAGO,IAAM,cAAc;AAAA,EACzB,2BAA2B;AAAA,EAC3B,2BAA2B;AAAA,EAE3B,0BAA0B;AAAA,EAC1B,0BAA0B;AAAA,EAE1B,8BAA8B;AAAA,EAC9B,8BAA8B;AAAA,EAE9B,6BAA6B;AAAA,EAC7B,6BAA6B;AAC/B;;;AC3BA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAYA,oBAAwC;AAiDjC,IAAM,iBAA6B;AAAA,EACxC,gBAAgB;AAAA,EAChB,aAAa;AAAA,EACb,eAAe;AAAA;AAAA,EACf,iBAAiB;AACnB;AAMO,SAAS,cAAc,GAA4B;AACxD,MAAI,IAAI,OAAO,MAAM,WAAW,IAAI,OAAO,CAAC;AAC5C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,qCAAqC;AAEjE,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,cACd,KACA,QACA,SAAqB,gBACiC;AACtD,MAAI,IAAI;AACR,MAAI,QAAQ;AACZ,QAAM,QAAQ;AAEd,WAAS,IAAI,GAAG,IAAI,OAAO,gBAAgB,KAAK;AAC9C,QAAI,UAAU,IAAI,OAAQ,OAAM,IAAI,MAAM,0BAA0B;AACpE,UAAM,IAAI,IAAI,QAAQ;AACtB,SAAK,OAAO,IAAI,GAAI,KAAK;AAEzB,SAAK,IAAI,SAAU,GAAG;AACpB,YAAM,YAAY,SAAS;AAI3B,YAAM,KAAK,cAAc,CAAC;AAC1B,YAAM,WAAW,IAAI,SAAS,OAAO,MAAM;AAC3C,UAAI,CAAC,GAAG,OAAO,QAAQ;AACrB,cAAM,IAAI,MAAM,mCAAmC;AAErD,aAAO,EAAE,OAAO,GAAG,QAAQ,UAAU;AAAA,IACvC;AAEA,aAAS;AAAA,EACX;AAEA,QAAM,IAAI,MAAM,yBAAyB;AAC3C;AAMO,SAAS,YAAY,GAAmB;AAC7C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,mCAAmC;AAC/D,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,YAAY,KAAqB;AAC/C,MAAI,IAAI,WAAW,EAAG,OAAM,IAAI,MAAM,+BAA+B;AACrE,SAAO,IAAI,gBAAgB,CAAC;AAC9B;AAEO,SAASA,QAAO,MAAsB;AAC3C,aAAO,0BAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AAClD;AAMO,SAAS,UAAU,KAAa,OAAuB;AAC5D,MAAI,CAAC,OAAO,UAAU,GAAG,KAAK,OAAO;AACnC,UAAM,IAAI,MAAM,qCAAqC;AACvD,QAAM,IAAI,cAAc,GAAG;AAC3B,QAAM,IAAI,cAAc,MAAM,MAAM;AACpC,SAAO,OAAO,OAAO,CAAC,GAAG,GAAG,KAAK,CAAC;AACpC;AAEO,SAAS,yBAAyB,SAA+B;AAEtE,QAAM,SAAS,CAAC,GAAG,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;AAIxD,QAAM,QAAkB,CAAC;AACzB,aAAW,KAAK,OAAQ,OAAM,KAAK,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC;AAC5D,SAAO,OAAO,OAAO,KAAK;AAC5B;AAEO,SAAS,gBACd,QACA,SAAqB,gBACP;AACd,QAAM,MAAoB,CAAC;AAC3B,MAAI,MAAM;AAEV,SAAO,MAAM,OAAO,QAAQ;AAC1B,QAAI,IAAI,UAAU,OAAO;AACvB,YAAM,IAAI,MAAM,gCAAgC;AAElD,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,QAAI,MAAM,EAAG,OAAM,IAAI,MAAM,kCAAkC;AAC/D,QAAI,MAAM,OAAO;AACf,YAAM,IAAI,MAAM,kCAAkC;AACpD,QAAI,MAAM,MAAM,OAAO;AACrB,YAAM,IAAI,MAAM,kCAAkC;AAEpD,UAAM,QAAQ,OAAO,SAAS,KAAK,MAAM,GAAG;AAC5C,WAAO;AAEP,QAAI,KAAK,EAAE,KAAK,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC;AAAA,EAC7C;AAGA,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,QAAI,IAAI,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC,EAAE;AAC1B,YAAM,IAAI,MAAM,0CAA0C;AAAA,EAC9D;AAEA,SAAO;AACT;AAEO,SAAS,UAAU,SAAsC;AAC9D,QAAM,IAAmB,oBAAI,IAAI;AACjC,aAAW,KAAK,SAAS;AACvB,UAAM,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC;AAC7B,QAAI,KAAK,EAAE,KAAK;AAChB,MAAE,IAAI,EAAE,KAAK,GAAG;AAAA,EAClB;AACA,SAAO;AACT;AAQO,SAAS,0BACd,QACA,MACA,QAAQ,GACR,SAAqB,gBACf;AACN,MAAI,QAAQ,KAAK,IAAI,OAAO,iBAAiB,OAAO,eAAe,GAAG;AACpE,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,OAAO,gBAAgB,UAAU,IAAI,IAAI,OAAO,cAAc;AAChE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,QAAQ,oBAAI,IAA0B;AAC5C,aAAW,KAAK,MAAM;AACpB,QAAI,CAAC,MAAM,IAAI,EAAE,GAAG,EAAG,OAAM,IAAI,EAAE,KAAK,CAAC,CAAC;AAC1C,UAAM,IAAI,EAAE,GAAG,EAAG,KAAK,CAAC;AAAA,EAC1B;AAEA,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAGxE,MAAI,OAAO,QAAQ;AACjB,eAAW,OAAO,MAAM,KAAK,GAAG;AAC9B,UAAI,CAAC,WAAW,IAAI,GAAG;AACrB,cAAM,IAAI,MAAM,0CAA0C,GAAG,EAAE;AAAA,IACnE;AAAA,EACF;AAGA,aAAW,KAAK,OAAO,QAAQ;AAC7B,UAAM,OAAO,MAAM,IAAI,EAAE,GAAG,KAAK,CAAC;AAClC,QAAI,EAAE,YAAY,KAAK,WAAW;AAChC,YAAM,IAAI,MAAM,sCAAsC,EAAE,IAAI,EAAE;AAEhE,QAAI,CAAC,EAAE,YAAY,KAAK,SAAS,GAAG;AAClC,YAAM,IAAI;AAAA,QACR,4DAA4D,EAAE,IAAI;AAAA,MACpE;AAAA,IACF;AAGA,QAAI,OAAO,EAAE,WAAW,UAAU;AAChC,iBAAW,KAAK,MAAM;AACpB,YAAI,EAAE,MAAM,SAAS,EAAE;AACrB,gBAAM,IAAI,MAAM,8BAA8B,EAAE,IAAI,WAAW;AAAA,MACnE;AAAA,IACF;AAGA,eAAW,KAAK,MAAM;AACpB,cAAQ,EAAE,MAAM;AAAA,QACd,KAAK;AACH,cAAI,EAAE,MAAM,WAAW;AACrB,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF;AAAA,QACF,KAAK,UAAU;AACb,cAAI,CAAC,EAAE;AACL,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF,gBAAM,aAAa,gBAAgB,EAAE,OAAO,MAAM;AAClD;AAAA,YACE,EAAE;AAAA,YACF;AAAA,YACA,QAAQ;AAAA,YACR;AAAA,UACF;AACA;AAAA,QACF;AAAA,QACA;AAEE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,UAAU,MAA4B;AAE7C,MAAI,IAAI;AACR,aAAW,KAAK,MAAM;AACpB,SACE,cAAc,EAAE,GAAG,EAAE,SACrB,cAAc,EAAE,MAAM,MAAM,EAAE,SAC9B,EAAE,MAAM;AAAA,EACZ;AACA,SAAO;AACT;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACP;AACd,MAAI,KAAK,aAAa,OAAO;AAC3B,UAAM,IAAI,MAAM,sCAAsC;AAExD,QAAM,eAAe,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAU,CAAC;AAC3E,QAAM,OAAqB,CAAC;AAE5B,aAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,GAAG;AAC3D,UAAM,IAAI,aAAa,IAAI,IAAI;AAC/B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,oCAAoC,IAAI,EAAE;AAC5D;AAAA,IACF;AAEA,UAAM,UAAU,CAAC,MAAW;AAC1B,YAAM,WAAW,iBAAiB,GAAG,GAAG,MAAM;AAC9C,UAAI,SAAS,SAAS,OAAO;AAC3B,cAAM,IAAI,MAAM,oCAAoC;AACtD,WAAK,KAAK,EAAE,KAAK,EAAE,KAAK,OAAO,SAAS,CAAC;AAAA,IAC3C;AAEA,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,GAAG;AACpB,cAAM,IAAI;AAAA,UACR,qCAAqC,IAAI;AAAA,QAC3C;AACF,iBAAW,QAAQ,IAAK,SAAQ,IAAI;AAAA,IACtC,OAAO;AACL,cAAQ,GAAG;AAAA,IACb;AAAA,EACF;AAKA,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAGjD,SAAO;AACT;AAEA,SAAS,iBACP,GACA,KACA,QACQ;AACR,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,UAAI,OAAO,SAAS,GAAG,EAAG,QAAO,OAAO,KAAK,GAAG;AAChD,UAAI,eAAe,WAAY,QAAO,OAAO,KAAK,GAAG;AACrD,YAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,gBAAgB;AAAA,IAC7D,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,OAAO,KAAK,KAAK,MAAM;AAAA,IAChC,KAAK;AACH,UAAI,OAAO,QAAQ,YAAY,OAAO,QAAQ;AAC5C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,wBAAwB;AACrE,aAAO,cAAc,GAAG;AAAA,IAC1B,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,YAAY,GAAG;AAAA,IACxB,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AAEpE,YAAM,eACJ,OAAO,OAAO,QAAQ,YAAY,YAAY,MACzC,IAAY,SACb;AACN,UAAI,CAAC,gBAAgB,OAAO,iBAAiB;AAC3C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,YAAM,aAA0B;AAAA,QAC9B,UAAU,EAAE,aAAa;AAAA,QACzB,QAAQ;AAAA,MACV;AACA,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,YAAM,cAAc,yBAAyB,UAAU;AAEvD,YAAM,KAAK,gBAAgB,aAAa,MAAM;AAC9C,gCAA0B,EAAE,cAAc,IAAI,GAAG,MAAM;AACvD,aAAO;AAAA,IACT;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACR;AAEb,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAEjD,QAAM,SAA8B,CAAC;AACrC,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAExE,aAAW,KAAK,MAAM;AACpB,UAAM,IAAI,WAAW,IAAI,EAAE,GAAG;AAC9B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,kCAAkC,EAAE,GAAG,EAAE;AAC3D;AAAA,IACF;AAEA,UAAM,UAAU,iBAAiB,GAAG,EAAE,OAAO,MAAM;AAEnD,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,OAAO,EAAE,IAAI,CAAC,EAAG,QAAO,EAAE,IAAI,IAAI,CAAC;AACtD,aAAO,EAAE,IAAI,EAAE,KAAK,OAAO;AAAA,IAC7B,OAAO;AACL,aAAO,EAAE,IAAI,IAAI;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,OAAO,UAAU,OAAO;AAC7C;AAEA,SAAS,iBACP,GACA,OACA,QACK;AACL,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,aAAO,OAAO,KAAK,KAAK;AAAA,IAC1B,KAAK;AACH,aAAO,MAAM,SAAS,MAAM;AAAA,IAC9B,KAAK,WAAW;AACd,YAAM,IAAI,cAAc,OAAO,GAAG,MAAM;AACxC,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,qBAAqB,EAAE,IAAI;AAAA,QAC7B;AAEF,YAAM,QAAQ,OAAO,EAAE,KAAK;AAC5B,aAAO,OAAO,cAAc,KAAK,IAAI,QAAQ,EAAE;AAAA,IACjD;AAAA,IACA,KAAK;AACH,aAAO,YAAY,KAAK;AAAA,IAC1B,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AACpE,YAAM,aAAa,gBAAgB,OAAO,MAAM;AAGhD,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,aAAO,WAAW;AAAA,IACpB;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAMO,IAAM,WAAW;AAAA,EACtB,WAAW;AAAA,EACX,cAAc;AAAA,EACd,YAAY;AAAA,EACZ,OAAO;AAAA,EACP,OAAO;AAAA,EACP,WAAW;AAAA,EACX,WAAW;AAAA,EACX,UAAU;AACZ;AAsBO,SAAS,uBAAuB,KAAsC;AAC3E,MAAI,IAAI,MAAM,eAAe;AAC3B,UAAM,IAAI,MAAM,gDAAgD;AAClE,MAAI,IAAI,SAAS,eAAe;AAC9B,UAAM,IAAI,MAAM,mDAAmD;AACrE,MAAI,IAAI,WAAW,IAAI,QAAQ,eAAe;AAC5C,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,OAAqB;AAAA,IACzB,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,cAAc,OAAO,OAAO,KAAK,IAAI,UAAU,EAAE;AAAA,IACjE,EAAE,KAAK,SAAS,OAAO,OAAO,OAAO,KAAK,IAAI,KAAK,EAAE;AAAA,IACrD,EAAE,KAAK,SAAS,OAAO,OAAO,YAAY,IAAI,IAAI,EAAE;AAAA,IACpD,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,WAAW,OAAO,OAAO,KAAK,IAAI,QAAQ,EAAE;AAAA,EAC9D;AAEA,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,YAAY,OAAO,OAAO,KAAK,IAAI,SAAS,EAAE,CAAC;AAC3E,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,UAAU,OAAO,OAAO,KAAK,IAAI,OAAO,EAAE,CAAC;AAEvE,SAAO;AACT;AAEO,SAAS,yBACd,SACA,SAAqB,gBACF;AAEnB,QAAM,IAAI,UAAU,OAAO;AAE3B,QAAM,OAAO,CAAC,QAAgB;AAC5B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,OAAO,IAAI,WAAW;AACzB,YAAM,IAAI;AAAA,QACR,oDAAoD,GAAG;AAAA,MACzD;AACF,WAAO,IAAI,CAAC;AAAA,EACd;AACA,QAAM,UAAU,CAAC,QAAgB;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,IAAI,WAAW;AACjB,YAAM,IAAI,MAAM,4CAA4C,GAAG,EAAE;AACnE,WAAO,IAAI,CAAC;AAAA,EACd;AAEA,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,KAAK,YAAY,KAAK,SAAS,KAAK,CAAC;AAE3C,QAAM,QAAQ,KAAK,SAAS,KAAK;AACjC,MAAI,MAAM,WAAW;AACnB,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,WAAW,KAAK,SAAS,SAAS;AACxC,MAAI,SAAS,WAAW;AACtB,UAAM,IAAI,MAAM,sDAAsD;AAExE,QAAM,QAAQ,QAAQ,SAAS,QAAQ;AACvC,MAAI,SAAS,MAAM,WAAW;AAC5B,UAAM,IAAI,MAAM,qDAAqD;AAEvE,SAAO;AAAA,IACL,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,YAAY,OAAO,KAAK,KAAK,SAAS,YAAY,CAAC;AAAA,IACnD,WAAW,QAAQ,SAAS,UAAU,IAClC,OAAO,KAAK,QAAQ,SAAS,UAAU,CAAE,IACzC;AAAA,IACJ,OAAO,OAAO,KAAK,KAAK;AAAA,IACxB,MAAM;AAAA,IACN,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,UAAU,OAAO,KAAK,QAAQ;AAAA,IAC9B,SAAS,QAAQ,OAAO,KAAK,KAAK,IAAI;AAAA,EACxC;AACF;AAMO,SAAS,wBACd,QACA,KAGA,SAAqB,gBACsC;AAE3D,QAAM,WAAW,kBAAkB,QAAQ,IAAI,MAAM,MAAM;AAC3D,QAAM,YAAY,yBAAyB,QAAQ;AAGnD,QAAM,WAAWA,QAAO,SAAS;AAGjC,QAAM,MAAyB;AAAA,IAC7B,GAAG,IAAI;AAAA,IACP,UAAU,OAAO;AAAA,IACjB;AAAA,EACF;AACA,QAAM,UAAU,uBAAuB,GAAG;AAC1C,QAAM,WAAW,yBAAyB,OAAO;AAEjD,SAAO,EAAE,UAAU,WAAW,SAAS;AACzC;AAEO,SAAS,wBACd,QACA,UACA,WACA,SAAqB,gBACwD;AAC7E,QAAM,UAAU,gBAAgB,UAAU,MAAM;AAChD,QAAM,WAAW,gBAAgB,WAAW,MAAM;AAElD,QAAM,MAAM,yBAAyB,SAAS,MAAM;AAGpD,MAAI,IAAI,aAAa,OAAO;AAC1B,UAAM,IAAI,MAAM,4CAA4C;AAG9D,QAAM,KAAKA,QAAO,SAAS;AAC3B,MAAI,CAAC,OAAO,KAAK,IAAI,QAAQ,EAAE,OAAO,EAAE;AACtC,UAAM,IAAI,MAAM,6CAA6C;AAG/D,QAAM,OAAO,kBAAkB,QAAQ,UAAU,MAAM;AAEvD,QAAM,cAA+B;AAAA,IACnC,SAAS,UAAU,OAAO;AAAA,IAC1B,UAAU,UAAU,QAAQ;AAAA,IAC5B,UAAU,IAAI;AAAA,IACd,UAAU,IAAI;AAAA,EAChB;AAEA,SAAO,EAAE,KAAK,MAAM,YAAY;AAClC;AAMO,IAAM,2BAAiD;AAAA,EAC5D,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,SAAS,UAAU,MAAM,QAAQ,IAAI;AAAA,IACvE,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,IAC/D,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,EACjE;AACF;AAEO,IAAM,oCAA0D;AAAA,EACrE,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,EACxE;AACF;AAEO,IAAM,gCAAsD;AAAA,EACjE,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACtE;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,cAAc;AAAA,IAChB;AAAA,EACF;AACF;;;ACjrBO,SAAS,aAAa,QASlB;AACT,QAAM,MAA8B;AAAA,IAClC,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO;AAAA,IACjB,YAAY,OAAO,cAAc,OAAO,MAAM,CAAC;AAAA,IAC/C,WAAW,OAAO;AAAA,IAClB,OAAO,OAAO,SAAS,QAAQ,QAAQ,EAAE,YAAY,EAAE;AAAA,IACvD,MAAM,OAAO,QAAQ,OAAO,KAAK,IAAI,CAAC;AAAA,IACtC,UAAU,OAAO,YAAY,OAAO,MAAM,EAAE;AAAA,IAC5C,SAAS,OAAO;AAAA,EAClB;AAEA,QAAM,OAAY,uBAAuB,GAAG;AAC5C,SAAY,yBAAyB,IAAI;AAC3C;AAOO,SAAS,2BAA2B,QAMxC;AACD,QAAM,WAAgB;AAAA,IACf;AAAA,IACL;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBC,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,WAAW,OAAO;AAAA,IAClB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,6BAA6B,MAAc;AACzD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACd;AAAA,IACL;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAKO,IAAM,uCAAkE;AAAA,EAC7E,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,EACxE;AACF;AAEO,IAAM,mCAA8D;AAAA,EACzE,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACtE;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,IACA,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,IACzE,EAAE,KAAK,GAAG,MAAM,cAAc,MAAM,SAAS,UAAU,OAAO,QAAQ,IAAI;AAAA,EAC5E;AACF;AAKO,SAAS,8BAA8B,QAK3C;AACD,QAAM,WAAgB;AAAA,IACpB;AAAA,IACA;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,gCAAgC,MAAc;AAC5D,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAKO,SAAS,0BAA0B,QAUvC;AACD,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,UAAU,OAAO;AAAA,MACjB,cAAc,OAAO;AAAA,MACrB,gBAAgB,OAAO;AAAA,MACvB,mBAAmB,OAAO;AAAA,MAC1B,WAAW,OAAO;AAAA,MAClB,YAAY,OAAO;AAAA,IACrB;AAAA,EACF,CAAC;AAED,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,4BAA4B,MAAc;AACxD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,QAAM,IAAI,QAAQ;AAElB,SAAO;AAAA,IACL,UAAU,EAAE;AAAA,IACZ,cAAc,EAAE;AAAA,IAChB,gBAAgB,EAAE;AAAA,IAClB,mBAAmB,EAAE;AAAA,IACrB,WAAW,EAAE;AAAA,IACb,YAAY,EAAE;AAAA,EAChB;AACF;AAcO,IAAM,oCAA+D;AAAA,EAC1E,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,QAAQ,UAAU,KAAK;AAAA;AAAA,IAC1D,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,WAAW,UAAU,MAAM;AAAA,IAC5D,EAAE,KAAK,GAAG,MAAM,QAAQ,MAAM,QAAQ,UAAU,MAAM;AAAA,IACtD,EAAE,KAAK,GAAG,MAAM,oBAAoB,MAAM,QAAQ,UAAU,MAAM;AAAA,IAClE,EAAE,KAAK,GAAG,MAAM,wBAAwB,MAAM,QAAQ,UAAU,MAAM;AAAA;AAAA,EACxE;AACF;AAEO,SAAS,2BAA2B,QAMhC;AACT,QAAM,SAA8B;AAAA,IAClC,WAAW,OAAO;AAAA,EACpB;AACA,MAAI,OAAO,YAAY,OAAW,QAAO,UAAU,OAAO;AAC1D,MAAI,OAAO,KAAM,QAAO,OAAO,OAAO;AACtC,MAAI,OAAO;AACT,WAAO,mBAAmB,OAAO;AACnC,MAAI,OAAO;AACT,WAAO,uBAAuB,KAAK,UAAU,OAAO,gBAAgB;AAEtE,QAAM,WAAgB,kBAAkB,mCAAmC;AAAA,IACzE,UAAU,YAAY;AAAA,IACtB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;AASO,IAAM,mCAA8D;AAAA,EACzE,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACrE,EAAE,KAAK,GAAG,MAAM,SAAS,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACnE,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,IACvE,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,KAAK;AAAA,EAC7D;AACF;AAEO,SAAS,0BAA0B,QAK/B;AACT,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,SAAS,OAAO;AAAA,MAChB,OAAO,OAAO;AAAA,MACd,SAAS,OAAO;AAAA,MAChB,WAAW,OAAO;AAAA,IACpB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;;;AC9SA,IAAAC,iBAA4B;AAErB,SAAS,UAAU,GAAmB;AAC3C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,YAAY;AACxC,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,QAAQ,GAA4B;AAClD,QAAM,IAAI,OAAO,MAAM,WAAW,OAAO,CAAC,IAAI;AAC9C,SAAO,UAAU,CAAC;AACpB;AAEO,SAAS,MAAM,GAAmB;AACvC,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,SAAS;AACrC,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,KAAK,GAAmB;AACtC,SAAO,OAAO,KAAK,GAAG,MAAM;AAC9B;AAEO,SAAS,MAAM,GAAgC;AACpD,SAAO,OAAO,SAAS,CAAC,IAAI,IAAI,OAAO,KAAK,CAAC;AAC/C;AAEO,SAAS,UAAkB;AAChC,aAAO,4BAAY,EAAE;AACvB;AAEO,SAAS,IAAI,MAAc,OAAuB;AACvD,MAAI,CAAC,OAAO,cAAc,IAAI,KAAK,OAAO,EAAG,OAAM,IAAI,MAAM,cAAc;AAC3E,SAAO,OAAO,OAAO;AAAA,IACnB,UAAU,OAAO,IAAI,CAAC;AAAA,IACtB,UAAU,OAAO,MAAM,MAAM,CAAC;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAOO,SAAS,UACd,OACA,MACQ;AACR,QAAM,QAAQ,MAAM,iBAAiB,oBAAI,IAAY;AACrD,QAAM,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,IAAI;AAExD,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,QAAI,OAAO,CAAC,EAAE,SAAS,OAAO,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG;AACvE,YAAM,IAAI,MAAM,gBAAgB,OAAO,CAAC,EAAE,IAAI,EAAE;AAAA,IAClD;AAAA,EACF;AAEA,SAAO,OAAO,OAAO,OAAO,IAAI,CAAC,OAAO,IAAI,GAAG,MAAM,GAAG,KAAK,CAAC,CAAC;AACjE;;;AC/DA,IAAM,QAAQ,OAAO,KAAK,SAAS,OAAO;AAUnC,SAAS,iBAAiB,GAA+B;AAC9D,MACE,CAAC,OAAO,SAAS,EAAE,GAAG,KACtB,CAAC,OAAO,SAAS,EAAE,IAAI,KACvB,CAAC,OAAO,SAAS,EAAE,GAAG,GACtB;AACA,UAAM,IAAI,MAAM,mBAAmB;AAAA,EACrC;AACA,MAAI,EAAE,QAAQ,EAAG,OAAM,IAAI,MAAM,eAAe;AAEhD,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAC7C,QAAM,UAAU,UAAU,OAAO,EAAE,KAAK,MAAM,CAAC;AAC/C,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAE7C,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,OAAO,KAAK,CAAC,EAAE,MAAM,GAAI,CAAC;AAAA,IAC1B,OAAO,KAAK,CAAC,EAAE,QAAQ,GAAI,CAAC;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,EACJ,CAAC;AACH;;;ACnCA,IAAMC,SAAQ,OAAO,KAAK,SAAS,OAAO;AAEnC,SAAS,kBAAkB,QAKvB;AACT,MAAI,OAAO,QAAQ,EAAG,OAAM,IAAI,MAAM,eAAe;AACrD,QAAM,SAAS,UAAU,OAAO,OAAO,IAAI,MAAM,CAAC;AAClD,QAAM,UAAU,UAAU,OAAO,OAAO,KAAK,MAAM,CAAC;AACpD,QAAM,aAAa,UAAU,EAAE;AAE/B,SAAO,OAAO,OAAO;AAAA,IACnBA;AAAA,IACA,OAAO,KAAK,CAAC,OAAO,MAAM,GAAI,CAAC;AAAA,IAC/B,OAAO,KAAK,CAAC,OAAO,QAAQ,GAAI,CAAC;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,EACT,CAAC;AACH;;;AChBO,SAAS,aAAa,KAAqB;AAChD,SAAO,IACJ,SAAS,QAAQ,EACjB,QAAQ,MAAM,EAAE,EAChB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG;AACvB;AAOO,SAAS,aAAa,KAAqB;AAEhD,QAAM,MAAM,IAAI,SAAS,IAAI,IAAI,OAAO,IAAK,IAAI,SAAS,CAAE,IAAI;AAChE,QAAM,UAAU,MAAM,KAAK,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAC/D,SAAO,OAAO,KAAK,QAAQ,QAAQ;AACrC;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,OAAO,KAAK,KAAK,QAAQ,CAAC;AAChD;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,GAAG,EAAE,SAAS,QAAQ;AAC5C;;;ACxCA,SAAS,QAAQ,OAAiB;AAChC,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,UAAU,QAAW;AACvB,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,OAAO;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,SAA8B,CAAC;AACrC,UAAM,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK;AAErC,eAAW,OAAO,MAAM;AACtB,YAAM,cAAc,QAAQ,MAAM,GAAG,CAAC;AAEtC,UAAI,gBAAgB,QAAW;AAC7B,eAAO,GAAG,IAAI;AAAA,MAChB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAQO,SAAS,cAAc,OAAoB;AAChD,SAAO,KAAK,UAAU,QAAQ,KAAK,CAAC;AACtC;AASO,SAAS,uBACd,KACA,SACQ;AACR,QAAM,WAAgC,CAAC;AAEvC,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,QAAQ,SAAS,GAAG,KAAK,IAAI,GAAG,MAAM,QAAW;AACpD,eAAS,GAAG,IAAI,IAAI,GAAG;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,cAAc,QAAQ;AAC/B;;;AC5EO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YACS,MACP,SACA;AACA,UAAM,OAAO;AAHN;AAIP,SAAK,OAAO;AAAA,EACd;AACF;AASO,IAAM,iBAAN,MAAqB;AAAA;AAAA,EAO1B,YAAY,UAAe;AAN3B,SAAQ,WAAW;AACnB,SAAQ,UAAU;AAClB,SAAQ,gBAAgB;AAKtB,SAAK,WAAW;AAChB,SAAK,YAAY,KAAK,IAAI;AAAA,EAC5B;AAAA,EAEA,gBAAsB;AACpB,SAAK;AACL,QAAI,KAAK,WAAW,KAAK,SAAS,aAAa;AAC7C,YAAM,IAAI;AAAA,QACR;AAAA,QACA,uBAAuB,KAAK,QAAQ,IAAI,KAAK,SAAS,WAAW;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AAAA,EAEA,eAAqB;AACnB,SAAK;AACL,QAAI,KAAK,SAAS,cAAc,KAAK,UAAU,KAAK,SAAS,YAAY;AACvE,YAAM,IAAI;AAAA,QACR;AAAA,QACA,sBAAsB,KAAK,OAAO,IAAI,KAAK,SAAS,UAAU;AAAA,MAChE;AAAA,IACF;AAAA,EACF;AAAA,EAEA,qBAA2B;AACzB,SAAK;AACL,QAAI,KAAK,gBAAgB,KAAK,SAAS,kBAAkB;AACvD,YAAM,IAAI;AAAA,QACR;AAAA,QACA,4BAA4B,KAAK,aAAa,IAAI,KAAK,SAAS,gBAAgB;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,YAAkB;AAChB,UAAM,UAAU,KAAK,IAAI,IAAI,KAAK;AAClC,QAAI,UAAU,KAAK,SAAS,WAAW;AACrC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,4BAA4B,OAAO,MAAM,KAAK,SAAS,SAAS;AAAA,MAClE;AAAA,IACF;AAAA,EACF;AAAA,EAEA,eAAe,QAAsB;AAEnC,QAAI,KAAK,SAAS,eAAe,SAAS,GAAG,GAAG;AAC9C;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,SAAS,eAAe,SAAS,MAAM,GAAG;AAClD,YAAM,IAAI;AAAA,QACR;AAAA,QACA,WAAW,MAAM,2BAA2B,KAAK,SAAS,eAAe,KAAK,IAAI,CAAC;AAAA,MACrF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,aAA+B;AAC7B,WAAO;AAAA,MACL,UAAU,KAAK;AAAA,MACf,SAAS,KAAK;AAAA,MACd,eAAe,KAAK;AAAA,MACpB,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,IAC/B;AAAA,EACF;AAAA,EAEA,cAAc;AACZ,WAAO,KAAK;AAAA,EACd;AACF;;;ACtFO,IAAM,oBAAuD;AAAA;AAAA,EAElE,eAAe;AAAA,IACb,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,aAAa;AAAA,EAChC;AAAA;AAAA,EAGA,gBAAgB;AAAA,IACd,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,gBAAgB;AAAA,EACnC;AAAA,EACA,kBAAkB;AAAA,IAChB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,kBAAkB;AAAA,EACrC;AAAA;AAAA,EAGA,kBAAkB;AAAA,IAChB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,mBAAmB,mBAAmB;AAAA,EACzD;AAAA,EACA,mBAAmB;AAAA,IACjB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,oBAAoB,wBAAwB;AAAA,EAC/D;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,kBAAkB;AAAA,EACrC;AAAA,EACA,cAAc;AAAA,IACZ,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,mBAAmB;AAAA,EACtC;AAAA,EACA,iBAAiB;AAAA,IACf,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,gBAAgB;AAAA,EACnC;AAAA;AAAA,EAGA,kBAAkB;AAAA,IAChB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,kBAAkB;AAAA,EACrC;AAAA,EACA,eAAe;AAAA,IACb,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,aAAa;AAAA,EAChC;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,aAAa;AAAA,IACb,kBAAkB;AAAA;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,aAAa,aAAa;AAAA,EAC7C;AACF;AAGO,IAAM,oBAAuC;AAAA,EAClD,aAAa;AAAA,EACb,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,gBAAgB,CAAC,GAAG;AAAA;AACtB;;;ACtFO,SAAS,UACd,KACA,KAC8B;AAC9B,MAAI,QAAQ;AACZ,MAAI,IAAI;AACR,SAAO,MAAM;AACX,QAAI,OAAO,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AACxD,UAAM,IAAI,OAAO,IAAI,KAAK,CAAC;AAC3B,UAAM,IAAI,UAAU;AACpB,SAAK,IAAI,WAAW,GAAI;AACxB,aAAS;AACT,QAAI,QAAQ,IAAK,OAAM,IAAI,MAAM,kBAAkB;AAAA,EACrD;AACA,SAAO,EAAE,KAAK,GAAG,IAAI;AACvB;AAYO,SAAS,UAAU,KAAa,WAAmB,KAAY;AACpE,QAAM,MAAa,CAAC;AACpB,MAAI,MAAM;AACV,SAAO,MAAM,IAAI,QAAQ;AACvB,QAAI,IAAI,UAAU,SAAU,OAAM,IAAI,MAAM,oBAAoB;AAChE,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,OAAO,OAAO,GAAG,GAAG;AAC1B,UAAM,MAAM,OAAO,GAAG,GAAG;AACzB,QAAI,MAAM,KAAK,MAAM,MAAM,IAAI,QAAQ;AACrC,YAAM,IAAI,MAAM,iBAAiB;AAAA,IACnC;AACA,UAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,GAAG;AACzC,WAAO;AACP,QAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAAA,EAC1B;AACA,SAAO;AACT;AASO,SAAS,OAAO,KAAoC;AACzD,QAAM,IAAI,oBAAI,IAAsB;AACpC,aAAW,MAAM,UAAU,GAAG,GAAG;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG,IAAI,KAAK,CAAC;AAC/B,QAAI,KAAK,GAAG,KAAe;AAC3B,MAAE,IAAI,GAAG,MAAM,GAAG;AAAA,EACpB;AACA,SAAO;AACT;AAEO,SAAS,OAAO,GAAgC;AACrD,MAAI,CAAC,EAAG,QAAO;AACf,SAAO,EAAE,SAAS,MAAM;AAC1B;AAEO,SAAS,eAAe,GAAgC;AAC7D,MAAI,CAAC,EAAG,QAAO;AACf,QAAM,EAAE,KAAK,IAAI,IAAI,UAAU,GAAG,CAAC;AACnC,MAAI,QAAQ,EAAE,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AAC7D,SAAO;AACT;AAMO,SAAS,aAAa,GAAgC;AAC3D,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,EAAE,WAAW,EAAG,OAAM,IAAI,MAAM,0BAA0B;AAC9D,SAAO,EAAE,gBAAgB,CAAC;AAC5B;;;ACtEA,IAAMC,SAAQ,OAAO,KAAK,SAAS,OAAO;AAqBnC,SAAS,iBAAiB,KAAgC;AAC/D,MAAI,MAAM;AAEV,QAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,CAAC;AACvC,SAAO;AACP,MAAI,MAAM,WAAW,KAAK,CAAC,MAAM,OAAOA,MAAK;AAC3C,UAAM,IAAI,MAAM,iBAAiB;AAEnC,MAAI,MAAM,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AAC3D,QAAM,MAAM,IAAI,KAAK;AACrB,QAAM,QAAQ,IAAI,KAAK;AAGvB,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AAET,QAAM,SAAS,OAAO,GAAG,GAAG;AAC5B,QAAM,UAAU,OAAO,GAAG,GAAG;AAC7B,QAAM,SAAS,OAAO,GAAG,GAAG;AAE5B,MAAI,SAAS,KAAK,UAAU,KAAK,SAAS,EAAG,OAAM,IAAI,MAAM,eAAe;AAE5E,MAAI,MAAM,SAAS,UAAU,SAAS,IAAI;AACxC,UAAM,IAAI,MAAM,yBAAyB;AAG3C,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AACP,QAAM,OAAO,IAAI,SAAS,KAAK,MAAM,OAAO;AAC5C,SAAO;AACP,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AAEP,MAAI,QAAQ,IAAI,OAAQ,OAAM,IAAI,MAAM,sBAAsB;AAE9D,SAAO,EAAE,KAAK,OAAO,KAAK,MAAM,KAAK,WAAW,IAAI,OAAO;AAC7D;;;ACvEO,IAAM,IAAI;AAAA;AAAA,EAEf,QAAQ;AAAA;AAAA,EAER,KAAK;AAAA;AAAA,EAEL,gBAAgB;AAAA;AAAA;AAAA,EAEhB,UAAU;AAAA;AAAA,EAEV,YAAY;AAAA;AAAA,EAEZ,OAAO;AAAA;AAAA,EAEP,OAAO;AAAA;AAAA,EAEP,YAAY;AAAA;AAAA,EAEZ,MAAM;AAAA;AAAA,EAEN,MAAM;AACR;AAgDO,SAAS,YACd,KACA,MACA,KACA,QAAgB,GACJ;AACZ,QAAM,KAAK,OAAO,GAAG;AAGrB,QAAM,cAAc;AACpB,QAAM,KAAK,QAAQ,cAAc,OAAO,IAAI,IAAI,oBAAI,IAAsB;AAE1E,QAAM,SAAS,OAAO,GAAG,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC;AAC3C,QAAM,eAAe,GAAG,IAAI,EAAE,cAAc,IAAI,CAAC;AACjD,QAAM,YAAY,eAAe,OAAO,eAAe,YAAY,CAAC,IAAI;AACxE,QAAM,aAAa,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AACzC,QAAM,UAAU,aAAa,WAAW,SAAS,KAAK,IAAI;AAC1D,QAAM,YAAY,GAAG,IAAI,EAAE,UAAU,IAAI,CAAC;AAC1C,QAAM,MAAM,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACrD,QAAM,QAAQ,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACjC,QAAM,OAAO,aAAa,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC;AAE9C,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AACpD,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM,yBAAyB;AACvD,MAAI,CAAC,SAAS,MAAM,SAAS,MAAM,MAAM,SAAS;AAChD,UAAM,IAAI,MAAM,kBAAkB;AACpC,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,oBAAoB;AAC9C,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,mBAAmB;AAE9C,SAAO;AAAA,IACL;AAAA,IACA,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,IACZ,SAAS;AAAA,IACT,UAAU;AAAA,IACV,WAAW;AAAA,IACX;AAAA,EACF;AACF;;;AC/GO,SAAS,SAAS,QAAkB,UAA2B;AACpE,MAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,OAAO,WAAW,GAAG;AACjD,WAAO;AAAA,EACT;AAGA,MAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,WAAO;AAAA,EACT;AAGA,QAAM,CAAC,UAAU,EAAE,IAAI,SAAS,MAAM,GAAG;AACzC,MAAI,YAAY,IAAI;AAClB,UAAM,WAAW,GAAG,QAAQ;AAC5B,QAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,WACd,OACyC;AACzC,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,SAAO,EAAE,UAAU,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,EAAE;AAC5C;AAKO,SAAS,kBACd,QACA,cACA,YACS;AACT,QAAM,WAAW,GAAG,YAAY,IAAI,UAAU;AAC9C,SAAO,SAAS,QAAQ,QAAQ;AAClC;;;AChDO,IAAM,eAAe;AAAA,EAC1B,MAAM;AAAA,EACN,OAAO;AAAA,EACP,SAAS;AAAA,EACT,OAAO;AAAA,EACP,MAAM;AAAA,EACN,SAAS;AACX;AAOO,IAAM,qBAAmD;AAAA,EAC9D,CAAC,gCAAU,GAAG,CAAC;AAAA,EACf,CAAC,mCAAa,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,EAC5C,CAAC,+BAAS,GAAG,CAAC,MAAM;AAAA,EACpB,CAAC,gCAAU,GAAG,CAAC,QAAQ,SAAS,OAAO;AAAA,EACvC,CAAC,gCAAU,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,EACzC,CAAC,mCAAa,GAAG,CAAC,QAAQ,SAAS,WAAW,SAAS;AACzD;AAMO,IAAM,sBAAoD;AAAA,EAC/D,YAAY,CAAC;AAAA,EACb,YAAY,CAAC;AAAA,EACb,aAAa,CAAC;AAAA,EACd,YAAY,CAAC;AAAA,EACb,YAAY,CAAC;AAAA,EAEb,eAAe,CAAC,OAAO;AAAA,EACvB,iBAAiB,CAAC,MAAM;AAAA,EACxB,eAAe,CAAC,SAAS,OAAO;AAAA,EAEhC,kBAAkB,CAAC,SAAS,SAAS;AAAA,EACrC,mBAAmB,CAAC,SAAS,SAAS;AAAA,EAEtC,kBAAkB,CAAC,OAAO;AAAA,EAC1B,oBAAoB,CAAC,MAAM;AAAA;AAAA,EAG3B,oBAAoB,CAAC,SAAS;AAAA,EAC9B,wBAAwB,CAAC,SAAS;AAAA,EAClC,mBAAmB,CAAC,SAAS,SAAS;AAAA,EACtC,aAAa,CAAC,SAAS;AAAA,EACvB,eAAe,CAAC,MAAM;AAAA,EACtB,iBAAiB,CAAC,OAAO;AAAA,EACzB,kBAAkB,CAAC,SAAS,SAAS;AAAA,EACrC,iBAAiB,CAAC,SAAS,SAAS;AAAA,EACpC,cAAc,CAAC,SAAS,SAAS;AAAA,EACjC,oBAAoB,CAAC,SAAS,SAAS;AAAA,EACvC,iBAAiB,CAAC,OAAO;AAAA,EACzB,kBAAkB,CAAC,OAAO;AAAA,EAC1B,0BAA0B,CAAC,SAAS,SAAS;AAAA,EAE7C,WAAW,CAAC,OAAO;AACrB;;;AChDO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,WAAQ;AACR,EAAAA,cAAA,cAAW;AACX,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,UAAO;AALG,SAAAA;AAAA,GAAA;;;AChBL,IAAM,eAAe,oBAAI,IAAI;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,SAAS,cAAc,IAAqB;AACjD,SAAO,aAAa,IAAI,EAAE;AAC5B;AAKO,SAAS,cAAc,IAAqB;AACjD,SACE,GAAG,WAAW,YAAY,KAC1B,GAAG,WAAW,aAAa,KAC3B,GAAG,WAAW,WAAW;AAE7B;;;ACxCA,IAAAC,iBAA2B;AAmBpB,SAAS,iBACd,UACA,KACA,SACA,QACA,QACA,IACQ;AACR,QAAM,QAAI,2BAAW,QAAQ;AAC7B,MAAI,SAAU,GAAE,OAAO,QAAQ;AAC/B,IAAE,OAAO,GAAG;AACZ,IAAE,OAAO,OAAO,KAAK,SAAS,MAAM,CAAC;AACrC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,GAAG,SAAS,GAAG,MAAM,CAAC;AAC3C,SAAO,EAAE,OAAO;AAClB;;;ACnCO,IAAK,oBAAL,kBAAKC,uBAAL;AACL,EAAAA,sCAAA,SAAM,KAAN;AACA,EAAAA,sCAAA,YAAS,KAAT;AACA,EAAAA,sCAAA,UAAO,KAAP;AACA,EAAAA,sCAAA,cAAW,KAAX;AAJU,SAAAA;AAAA,GAAA;AAUL,IAAM,yBAA4D;AAAA;AAAA,EAEvE,eAAe;AAAA;AAAA,EAGf,gBAAgB;AAAA,EAChB,kBAAkB;AAAA,EAClB,2BAA2B;AAAA,EAC3B,2BAA2B;AAAA;AAAA,EAG3B,kBAAkB;AAAA,EAClB,eAAe;AAAA,EACf,oBAAoB;AAAA;AAAA,EAGpB,aAAa;AAAA,EACb,cAAc;AAAA,EACd,iBAAiB;AAAA,EACjB,eAAe;AAAA;AAAA,EAGf,kBAAkB;AAAA,EAClB,mBAAmB;AAAA,EACnB,mBAAmB;AAAA;AAAA,EAGnB,aAAa;AAAA;AAAA,EAGb,wBAAwB;AAAA,EACxB,wBAAwB;AAAA,EACxB,yBAAyB;AAAA;AAAA,EAGzB,0BAA0B;AAAA,EAC1B,uBAAuB;AAAA;AAAA,EAGvB,6BAA6B;AAAA,EAC7B,8BAA8B;AAAA,EAC9B,6BAA6B;AAAA;AAAA,EAG7B,uBAAuB;AAAA,EACvB,qCAAqC;AAAA,EACrC,yBAAyB;AAAA,EACzB,0BAA0B;AAAA;AAAA,EAG1B,oBAAoB;AAAA,EACpB,mBAAmB;AAAA,EACnB,kBAAkB;AAAA;AAAA,EAGlB,wBAAwB;AAAA,EACxB,wBAAwB;AAAA,EACxB,iBAAiB;AAAA,EACjB,eAAe;AAAA,EACf,iBAAiB;AAAA;AAAA,EAGjB,gBAAgB;AAAA,EAChB,eAAe;AAAA,EACf,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,gCAAgC;AAAA;AAAA,EAGhC,2BAA2B;AAAA,EAC3B,8BAA8B;AAAA,EAC9B,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,mBAAmB;AACrB;AAUO,SAAS,eAAe,QAAmC;AAChE,MAAI,uBAAuB,MAAM,GAAG;AAClC,WAAO,uBAAuB,MAAM;AAAA,EACtC;AAEA,QAAM,QAAQ,OAAO,MAAM,GAAG,EAAE,CAAC;AACjC,QAAM,cAAc,GAAG,KAAK;AAC5B,MAAI,uBAAuB,WAAW,GAAG;AACvC,WAAO,uBAAuB,WAAW;AAAA,EAC3C;AAEA,SAAO;AACT;AAKO,SAAS,gBAAgB,OAAkC;AAChE,UAAQ,OAAO;AAAA,IACb,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;;;ACvHO,IAAM,kBAA0C;AAAA,EACrD,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,YAAY;AAAA,EAEZ,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,cAAc;AAAA,EACd,iBAAiB;AAAA,EAEjB,YAAY;AAAA,EAEZ,cAAc;AAAA,EAEd,WAAW;AACb;AAGO,IAAM,kBAAkB;AAUxB,SAAS,eAAe,QAAwB;AACrD,MAAI,gBAAgB,MAAM,GAAG;AAC3B,WAAO,gBAAgB,MAAM;AAAA,EAC/B;AAEA,aAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,eAAe,GAAG;AAChE,QAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,YAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,UAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;;;ACzCO,SAAS,mBAAmB,OAAqB;AACtD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,MAAM,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,kBAAkB,CAAC,OAAO,SAAS,WAAW,QAAQ;AAC5D,aAAW,OAAO,iBAAiB;AACjC,QAAI,OAAO,MAAM,GAAG,MAAM,YAAY,MAAM,GAAG,EAAE,SAAS,GAAG;AAC3D,aAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,OAAO,MAAM,OAAO,YAAY,CAAC,OAAO,SAAS,MAAM,EAAE,GAAG;AAC9D,WAAO;AAAA,EACT;AAEA,MACE,MAAM,QAAQ,WACb,OAAO,MAAM,QAAQ,YAAY,MAAM,IAAI,WAAW,IACvD;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,MAAM,OAAO,OAAO,MAAM,QAAQ,UAAU;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,QAAQ,SAAS;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,QAAQ,YAAY,MAAM,IAAI,IAAI,SAAS,GAAG;AACjE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,UAAU,YAAY,MAAM,IAAI,MAAM,SAAS,IAAI;AACtE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,SAAS,YAAY,MAAM,SAAS,MAAM;AACzD,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAKO,SAAS,iBACd,IACA,cAAsB,KACb;AACT,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,OAAO,KAAK,IAAI,MAAM,EAAE;AAC9B,SAAO,QAAQ;AACjB;;;ACxEA,IAAAC,iBAAqD;AACrD,IAAAC,UAAwB;;;ACDjB,IAAM,4BAA4B;AAClC,IAAM,yBAAyB;AAC/B,IAAM,6BAA6B;;;ADmBnC,IAAM,2BAAN,MAAsD;AAAA,EAO3D,YAEmB,UAEA,OACjB;AAHiB;AAEA;AAVnB,SAAiB,SAAS,IAAI,sBAAO,yBAAyB,IAAI;AAElE,SAAS,OAAO;AAChB,SAAS,OAAO;AAChB,SAAS,cAAc;AAAA,EAOpB;AAAA,EAGH,MAAM,QACJ,MACA,SACc;AACd,UAAM,IAAI;AACV,QAAI,CAAC,EAAG,OAAM,IAAI,MAAM,iBAAiB;AAEzC,UAAM,gBAAgB,EAAE,IAAI,EAAE;AAC9B,QAAI,CAAC,cAAe,OAAM,IAAI,MAAM,mBAAmB;AACvD,UAAM,WAAW,IAAI,YAAY,EAAE,OAAO,aAAa;AAEvD,QAAI,aAAa;AACjB,QAAI,WAAW;AAEf,UAAM,aAAa,EAAE,IAAI,EAAE;AAC3B,QAAI,YAAY;AACd,YAAM,EAAE,MAAM,QAAI,oCAAa,UAAU;AACzC,mBAAa;AAAA,IACf;AAEA,UAAM,WAAW,EAAE,IAAI,EAAE;AACzB,QAAI,UAAU;AACZ,YAAM,EAAE,MAAM,QAAI,oCAAa,QAAQ;AACvC,iBAAW;AAAA,IACb;AAEA,UAAM,UAAU,MAAM,KAAK,SAAS,aAAa,QAAQ;AACzD,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB,QAAQ,EAAE;AAAA,IAClD;AAEA,QAAI,QAAQ,WAAW,YAAY;AACjC,YAAM,IAAI,MAAM,6BAA6B,QAAQ,MAAM,EAAE;AAAA,IAC/D;AAEA,UAAM,OAAO,MAAM,KAAK,MAAM;AAAA,MAC5B;AAAA,MACA,QAAQ;AAAA,IACV;AACA,UAAM,WAAW,KAAK;AAEtB,QAAI,aAAa,EAAG,cAAa;AACjC,QAAI,cAAc,SAAU,OAAM,IAAI,MAAM,qBAAqB;AAEjE,QAAI,MAAM;AACV,QAAI,YAAY,GAAG;AACjB,YAAM,KAAK,IAAI,aAAa,UAAU,QAAQ;AAAA,IAChD;AAEA,UAAM,YAAY,MAAM;AACxB,UAAM,SAAS,MAAM,KAAK,MAAM;AAAA,MAC9B;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAEA,UAAM,kBAAkB,oBAAI,IAAwB;AACpD,oBAAgB,IAAI,QAAI,oCAAa,QAAQ,CAAC;AAC9C,oBAAgB,IAAI,QAAI,oCAAa,UAAU,CAAC;AAChD,oBAAgB,IAAI,QAAI,oCAAa,SAAS,CAAC;AAE/C,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAAA,EACF;AACF;AArEQ;AAAA,EADL,OAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,OAAO,CAAC;AAAA,GAd9C,yBAeL;AAfK,2BAAN;AAAA,EAFN,QAAQ,qBAAqB;AAAA,MAC7B,2BAAW;AAAA,EASP,8CAAO,yBAAyB;AAAA,EAEhC,8CAAO,sBAAsB;AAAA,GAVrB;AAwFN,IAAM,2BAAN,MAAsD;AAAA,EAO3D,YAEmB,UAEA,OAGA,SACjB;AANiB;AAEA;AAGA;AAbnB,SAAiB,SAAS,IAAI,sBAAO,yBAAyB,IAAI;AAElE,SAAS,OAAO;AAChB,SAAS,OAAO;AAChB,SAAS,cAAc;AAAA,EAUpB;AAAA,EAGH,MAAM,QACJ,MACA,SACc;AACd,UAAM,UAAU,IAAI,YAAY,EAAE,OAAO,IAAI;AAC7C,UAAM,MAAM,KAAK,MAAM,OAAO;AAE9B,UAAM,EAAE,QAAQ,aAAa,IAAI;AACjC,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AAE9C,UAAM,UAAU,MAAM,KAAK,SAAS,aAAa,MAAM;AACvD,QAAI,CAAC,QAAS,OAAM,IAAI,MAAM,mBAAmB;AAEjD,QAAI,CAAE,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAI;AACvC,YAAM,IAAI,MAAM,kBAAkB;AAAA,IACpC;AAEA,UAAM,OAAc,mBAAW,QAAQ;AACvC,UAAM,KAAK,KAAK,MAAM,qBAAqB,MAAM;AACjD,qBAAiB,SAAS,IAAI;AAC5B,WAAK,OAAO,KAAe;AAAA,IAC7B;AACA,UAAM,YAAY,KAAK,OAAO,KAAK;AAEnC,QAAI,gBAAgB,cAAc,cAAc;AAC9C,YAAM,IAAI,MAAM,eAAe;AAAA,IACjC;AAEA,UAAM,YAAY,MAAM,KAAK,MAAM;AAAA,MACjC;AAAA,MACA,QAAQ;AAAA,IACV;AAEA,UAAM,KAAK,SAAS,aAAa,QAAQ,YAAY,IAAI;AAEzD,QAAI,CAAC,KAAK,SAAS;AACjB,WAAK,OAAO,KAAK,2DAA2D;AAC5E,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM,IAAI,YAAY,EAAE;AAAA,UACtB,KAAK,UAAU;AAAA,YACb,UAAU;AAAA,YACV,cAAc;AAAA,YACd,WAAW,QAAQ;AAAA,YACnB,MAAM,KAAK,IAAI;AAAA,YACf,MAAM;AAAA,UACR,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,UAAM,cAAc;AAAA,MAClB,UAAU;AAAA,MACV,cAAc;AAAA,MACd,WAAW,QAAQ;AAAA,MACnB,MAAM,KAAK,IAAI;AAAA,IACjB;AAEA,UAAM,cAAc,KAAK,UAAU,WAAW;AAC9C,UAAM,cAAc,IAAI,YAAY,EAAE,OAAO,WAAW;AAExD,UAAM,cAAc;AACpB,UAAM,gBAA2B;AAAA,MAC/B,OAAO;AAAA,MACP,SAAS,oBAAI,IAAI;AAAA,MACjB,MAAM;AAAA,MACN,KAAK,IAAI,WAAW,CAAC;AAAA,IACvB;AAEA,UAAM,aAAa,cAAc,aAAa;AAC9C,UAAM,EAAE,KAAK,IAAI,IAAI,KAAK,QAAQ,WAAW,UAAU;AACvD,kBAAc,MAAM;AAEpB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM,YAAY,aAAa;AAAA,MAC/B,SAAS,oBAAI,IAAI,CAAC,CAAC,GAAG,IAAI,YAAY,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;AAAA,IACvD;AAAA,EACF;AACF;AAjFQ;AAAA,EADL,OAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,SAAS,CAAC;AAAA,GAjBhD,yBAkBL;AAlBK,2BAAN;AAAA,EAFN,QAAQ,qBAAqB;AAAA,MAC7B,2BAAW;AAAA,EASP,8CAAO,yBAAyB;AAAA,EAEhC,8CAAO,sBAAsB;AAAA,EAE7B,gDAAS;AAAA,EACT,8CAAO,0BAA0B;AAAA,GAbzB;;;AE7Gb,SAAoB;AACpB,WAAsB;AASf,IAAM,sBAAN,MAAqD;AAAA,EAI1D,YAAY,SAAqC;AAC/C,SAAK,YAAY,QAAQ;AACzB,SAAK,WAAW,QAAQ;AAAA,EAC1B;AAAA,EAEA,aAAa,QAAgB,UAA2B;AACtD,UAAM,eAAe,WAAgB,cAAS,QAAQ,IAAI;AAC1D,WAAY,UAAK,KAAK,WAAW,YAAY;AAAA,EAC/C;AAAA,EAEA,YAAY,QAAwB;AAClC,UAAM,SAAc,cAAS,MAAM;AACnC,WAAY,UAAK,KAAK,UAAU,MAAM;AAAA,EACxC;AAAA,EAEA,MAAM,UACJ,QACA,UACyB;AACzB,UAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,QAAI,CAAI,cAAW,SAAS,GAAG;AAC7B,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AACA,UAAM,OAAU,YAAS,SAAS;AAClC,WAAO,EAAE,MAAM,WAAW,MAAM,KAAK,KAAK;AAAA,EAC5C;AAAA,EAEA,MAAM,eACJ,QACA,UACA,OACA,QACiB;AACjB,UAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,UAAM,SAAS,OAAO,MAAM,MAAM;AAClC,UAAM,KAAQ,YAAS,WAAW,GAAG;AACrC,QAAI;AACF,MAAG,YAAS,IAAI,QAAQ,GAAG,QAAQ,KAAK;AAAA,IAC1C,UAAE;AACA,MAAG,aAAU,EAAE;AAAA,IACjB;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,QAAkC;AAC9C,UAAM,WAAW,KAAK,YAAY,MAAM;AACxC,WAAU,cAAW,QAAQ;AAAA,EAC/B;AAAA,EAEA,MAAM,gBACJ,QACA,UACiB;AACjB,UAAM,WAAW,KAAK,YAAY,MAAM;AACxC,UAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AAEpD,QAAI;AACF,YAAS,YAAS,OAAO,UAAU,SAAS;AAAA,IAC9C,QAAQ;AACN,YAAS,YAAS,SAAS,UAAU,SAAS;AAC9C,YAAS,YAAS,OAAO,QAAQ;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,qBAAqB,QAAuC;AAC1D,UAAM,WAAW,KAAK,YAAY,MAAM;AACxC,WAAU,oBAAiB,QAAQ;AAAA,EACrC;AACF;;;ACpFA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACS,MACP,SACO,aAAqB,KACrB,SACP;AACA,UAAM,OAAO;AALN;AAEA;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;;;ACVA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,iBAAmC;AACnC,IAAAC,UAAwB;AACxB,WAAsB;AAuCf,IAAM,2BAAN,MAA+B;AAAA,EAA/B;AACL,SAAiB,SAAS,IAAI,sBAAO,yBAAyB,IAAI;AAGlE;AAAA,SAAiB,aAAa,oBAAI,IAAwB;AAG1D;AAAA,SAAiB,eAAe,oBAAI,IAGlC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBF,MAAM,YACJ,WACA,UACA,SAMkC;AAClC,YAAQ,WAAW;AAAA,MACjB,KAAK;AACH,eAAO,KAAK,mBAAmB,QAAQ;AAAA,MACzC,KAAK;AACH,eAAO,KAAK,eAAe,QAAQ;AAAA,MACrC,KAAK;AACH,eAAO,KAAK,gBAAgB,QAAQ,IAAI;AAAA,MAC1C,KAAK;AACH,eAAO,KAAK;AAAA,UACV,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV;AAAA,MACF;AACE,eAAO,EAAE,OAAO,OAAO,OAAO,uBAAuB,SAAS,GAAG;AAAA,IACrE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBACZ,UACkC;AAGlC,UAAM,YAAY,IAAI,YAAY,EAAE,OAAO,QAAQ;AACnD,WAAO;AAAA,MACL,OAAO;AAAA,MACP,UAAU,EAAE,WAAW,2BAA2B,KAAK;AAAA,IACzD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAc,eACZ,UACkC;AAClC,QAAI;AACF,YAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,QAAQ;AAC/C,YAAM,QAAQ,MAAM,MAAM,GAAG;AAE7B,UAAI,MAAM,WAAW,GAAG;AACtB,eAAO,EAAE,OAAO,OAAO,OAAO,qBAAqB;AAAA,MACrD;AAGA,YAAM,SAAS,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAS,CAAC;AACvE,YAAM,UAAU,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAS,CAAC;AAGxE,UAAI,QAAQ,OAAO,KAAK,IAAI,IAAI,MAAO,QAAQ,KAAK;AAClD,eAAO,EAAE,OAAO,OAAO,OAAO,cAAc;AAAA,MAC9C;AAGA,UAAI,QAAQ,OAAO,KAAK,IAAI,IAAI,MAAO,QAAQ,KAAK;AAClD,eAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB;AAAA,MACpD;AAIA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS,QAAQ,OAAO,QAAQ;AAAA,QAChC,UAAU,EAAE,KAAK,QAAQ,KAAK,OAAO,QAAQ,MAAM;AAAA,MACrD;AAAA,IACF,SAAS,GAAG;AACV,YAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,aAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,OAAO,GAAG;AAAA,IAC9D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBACZ,MACkC;AAClC,QAAI,CAAC,MAAM;AACT,aAAO,EAAE,OAAO,OAAO,OAAO,2BAA2B;AAAA,IAC3D;AAGA,QAAI,CAAC,KAAK,UAAU;AAClB,aAAO,EAAE,OAAO,OAAO,OAAO,sCAAsC;AAAA,IACtE;AAGA,QAAI,KAAK,uBAAuB;AAC9B,YAAM,UAAU,KAAK,aAAa,IAAI,KAAK,qBAAqB;AAChE,UAAI,SAAS;AACX,eAAO;AAAA,UACL,OAAO;AAAA,UACP,SAAS,QAAQ;AAAA,UACjB,UAAU;AAAA,YACR,aAAa,KAAK;AAAA,YAClB,SAAS,KAAK;AAAA,UAChB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,mBAAmB;AAC1B,YAAM,UAAU,KAAK,kBAAkB,MAAM,YAAY;AACzD,UAAI,SAAS;AACX,eAAO;AAAA,UACL,OAAO;AAAA,UACP,SAAS,QAAQ,CAAC;AAAA,UAClB,UAAU;AAAA,YACR,SAAS,KAAK;AAAA,YACd,QAAQ,KAAK;AAAA,UACf;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,OAAO,OAAO,2CAA2C;AAAA,EAC3E;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,oBACZ,YACA,WACA,UACkC;AAClC,QAAI,CAAC,YAAY,CAAC,cAAc,CAAC,WAAW;AAC1C,aAAO,EAAE,OAAO,OAAO,OAAO,4BAA4B;AAAA,IAC5D;AAGA,QAAI,YAAY,SAAS;AAGzB,UAAM,gBAAgB,KAAK,WAAW,IAAI,SAAS,QAAQ;AAC3D,QAAI,eAAe;AACjB,kBAAY;AAAA,IACd;AAEA,QAAI,CAAC,aAAa,UAAU,WAAW,IAAI;AACzC,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI;AACF,YAAM,QAAa,UAAK,SAAS,OAAO,YAAY,WAAW,SAAS;AAExE,UAAI,CAAC,OAAO;AACV,eAAO,EAAE,OAAO,OAAO,OAAO,uCAAuC;AAAA,MACvE;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS,SAAS;AAAA,QAClB,UAAU,EAAE,UAAU,SAAS,UAAU,WAAW,YAAY;AAAA,MAClE;AAAA,IACF,SAAS,GAAG;AACV,YAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,iCAAiC,OAAO;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,kBAAkB,UAAkB,WAA6B;AAC/D,QAAI,UAAU,WAAW,IAAI;AAC3B,YAAM,IAAI,MAAM,8CAA8C;AAAA,IAChE;AACA,SAAK,WAAW,IAAI,UAAU,SAAS;AACvC,SAAK,OAAO,IAAI,6BAA6B,QAAQ,EAAE;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,UAA2B;AAC1C,WAAO,KAAK,WAAW,OAAO,QAAQ;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,iBAAiB,aAAqB,SAAuB;AAC3D,SAAK,aAAa,IAAI,aAAa,EAAE,SAAS,UAAU,KAAK,IAAI,EAAE,CAAC;AACpE,SAAK,OAAO,IAAI,wBAAwB,WAAW,cAAc,OAAO,EAAE;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA,EAKA,eAAe,aAA8B;AAC3C,WAAO,KAAK,aAAa,OAAO,WAAW;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,qBAAqB,SAAyB;AAEnD,UAAM,MAAM,OAAO;AAAA,MACjB,QACG,QAAQ,+BAA+B,EAAE,EACzC,QAAQ,6BAA6B,EAAE,EACvC,QAAQ,OAAO,EAAE;AAAA,MACpB;AAAA,IACF;AACA,WAAc,mBAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;AAAA,EAC7D;AACF;AApRa,2BAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;ACzCb;AAAA;AAAA;AAAA;AAAA,mBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,iBAAuD;AAqBvD,SAAS,UAAU,KAAkC;AACnD,SACG,IAAI,QAAQ,iBAAiB,GAAc,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,KAC/D,IAAI,QAAQ,WAAW,KACxB,IAAI,OAAO,iBACX;AAEJ;AAiBO,IAAM,cAAU;AAAA,EACrB,CAAC,OAAgB,QAAkC;AACjD,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,WAAO,IAAI;AAAA,EACb;AACF;AAaO,IAAM,aAAS;AAAA,EACpB,CAAC,OAAgB,QAA8C;AAC7D,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,WAAO,UAAU,GAAG;AAAA,EACtB;AACF;AAiBO,IAAM,kBAAc;AAAA,EACzB,CAAC,OAAgB,QAA2C;AAC1D,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,UAAM,WAAY,IAAY,QAAQ,CAAC;AACvC,WAAO;AAAA,MACL,KAAK,IAAI;AAAA,MACT,IAAI,UAAU,GAAG;AAAA,MACjB,gBAAgB,SAAS;AAAA,MACzB,iBAAiB,SAAS,mBAAmB;AAAA,IAC/C;AAAA,EACF;AACF;AAcO,IAAM,qBAAiB;AAAA,EAC5B,CAAC,OAAgB,QAA8C;AAC7D,QAAI,QAAQ,IAAI,aAAa,cAAe,QAAO;AACnD,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,WAAO,IAAI,QAAQ,eAAe;AAAA,EACpC;AACF;AAoBO,IAAMC,iBAAY;AAAA,EACvB,CAAC,OAAgB,QAAuC;AACtD,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,UAAM,UAAW,IAAY;AAC7B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;;;ACpJA,IAAAC,iBAA4B;AAErB,IAAM,sBAAsB;AAuC5B,SAAS,OAAO,SAAyC;AAC9D,aAAO,4BAAY,qBAAqB,WAAW,IAAI;AACzD;;;AC3CA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,iBAA4B;AAkErB,SAAS,kBACd,WACA,IACiB;AACjB,SAAO;AAAA,IACL,QAAI,4BAAY,EAAE,EAAE,SAAS,KAAK;AAAA,IAClC,SAAS,KAAK,IAAI;AAAA,IAClB;AAAA,IACA;AAAA,IACA,QAAQ,CAAC;AAAA,IACT,SAAS,CAAC;AAAA,IACV,OAAO,CAAC;AAAA,EACV;AACF;AAIO,SAAS,WACd,KACA,MACkB;AAClB,QAAM,QAA0B,EAAE,MAAM,QAAQ,MAAM,SAAS,KAAK,IAAI,EAAE;AAC1E,MAAI,OAAO,KAAK,KAAK;AACrB,SAAO;AACT;AAEO,SAAS,SACd,OACA,SAAiC,MACjC,QACA,MACM;AACN,QAAM,QAAQ,KAAK,IAAI;AACvB,QAAM,aAAa,MAAM,QAAQ,MAAM;AACvC,QAAM,SAAS;AACf,MAAI,OAAQ,OAAM,SAAS;AAC3B,MAAI,KAAM,OAAM,OAAO;AACzB;AAIO,SAAS,aACd,KACA,MACA,SACA,WACA,YACA,SACA,MACM;AACN,MAAI,QAAQ,KAAK,EAAE,MAAM,SAAS,WAAW,YAAY,SAAS,KAAK,CAAC;AAC1E;AAIO,SAAS,oBACd,KACA,UACA,YACA,YACM;AACN,MAAI,QAAQ,KAAK,IAAI;AACrB,MAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,MAAI,WAAW;AACf,MAAI,aAAa;AACjB,MAAI,WAAY,KAAI,aAAa;AACnC;;;ACpIA,IAAAC,iBAAiD;AAoC1C,IAAM,0BAAN,MAAsD;AAAA,EAG3D,YACmB,WACA,SACA,QACjB;AAHiB;AACA;AACA;AALnB,SAAiB,SAAS,IAAI,sBAAO,wBAAwB,IAAI;AAAA,EAM9D;AAAA,EAEH,eAAe;AACb,UAAM,YAAY,KAAK,UAAU,aAAa;AAC9C,QAAI,eAAe;AAEnB,eAAW,WAAW,WAAW;AAC/B,YAAM,EAAE,UAAU,SAAS,IAAI;AAC/B,UAAI,CAAC,YAAY,CAAC,SAAU;AAG5B,YAAM,cAAc,QAAQ,YAAY,sBAAsB,QAAQ;AACtE,UAAI,CAAC,YAAa;AAElB,YAAM,cAAc,YAAY,UAAU,SAAS;AACnD,YAAM,QAAQ,OAAO,eAAe,QAAQ;AAC5C,YAAM,UAAU,KAAK,QAAQ,kBAAkB,KAAK;AACpD,UAAI,aAAa;AAEjB,iBAAW,cAAc,SAAS;AAChC,cAAM,OAAO,QAAQ;AAAA,UACnB;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,YAAI,CAAC,MAAM,OAAQ;AAInB,YAAI,CAAC,KAAK,OAAO,IAAI,KAAK,MAAM,GAAG;AACjC,eAAK,OAAO;AAAA,YACV,KAAK;AAAA,YACJ,SAAiB,UAAU,EAAE,KAAK,QAAQ;AAAA,UAC7C;AACA;AACA;AAAA,QACF;AAIA,aAAK,OAAO,mBAAmB,KAAK,QAAQ,OAAO,UAAU;AAAA,MAC/D;AAEA,UAAI,aAAa,GAAG;AAClB,aAAK,OAAO;AAAA,UACV,mBAAmB,UAAU,iBAAiB,WAAW;AAAA,QAC3D;AAAA,MACF;AAAA,IACF;AAEA,SAAK,OAAO;AAAA,MACV,+BAA+B,YAAY;AAAA,IAC7C;AAAA,EACF;AACF;AA7Da,0BAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;ACvBN,IAAM,OAAO;AAAA;AAAA,EAElB,MAAM;AAAA;AAAA,EAEN,UAAU;AAAA;AAAA,EAEV,QAAQ;AAAA;AAAA,EAER,SAAS;AAAA;AAAA,EAET,UAAU;AAAA;AAAA,EAEV,OAAO;AACT;AAKO,IAAM,sBAAsB;;;AC/BnC,IAAAC,iBAA2D;AAmBpD,IAAM,yBAAN,MAA+D;AAAA,EAGpE,YACmB,WACA,WACA,UACjB;AAHiB;AACA;AACA;AALnB,SAAiB,SAAS,IAAI,sBAAO,uBAAuB,IAAI;AAAA,EAM7D;AAAA,EAEH,yBAAyB;AACvB,UAAM,YAAY,KAAK,UAAU,aAAa;AAC9C,QAAI,QAAQ;AAEZ,eAAW,WAAW,WAAW;AAC/B,YAAM,EAAE,SAAS,IAAI;AACrB,UAAI,CAAC,YAAY,CAAC,SAAS,YAAa;AAExC,YAAM,OAAO,KAAK,UAAU;AAAA,QAC1B;AAAA,QACA,SAAS;AAAA,MACX;AACA,UAAI,CAAC,KAAM;AAEX,YAAM,SAAS;AAEf,UAAI,CAAC,OAAO,QAAQ,OAAO,UAAU,QAAW;AAC9C,aAAK,OAAO;AAAA,UACV,gBAAgB,SAAS,YAAY,IAAI;AAAA,QAC3C;AACA;AAAA,MACF;AAGA,UAAI,CAAC,OAAO,OAAO;AACjB,cAAM,iBAAiB,SAAS,OAAO,KAAK,QAAQ;AACpD,QAAC,OAAe,QACd,mBACC,OAAO,QAAQ,sBAAsB,eAAe;AAAA,MACzD;AAEA,WAAK,SAAS,SAAS,MAAM;AAC7B;AAAA,IACF;AAEA,SAAK,OAAO,IAAI,mBAAmB,KAAK,wBAAwB;AAAA,EAClE;AACF;AA9Ca,yBAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;ACnBb,IAAAC,iBAAmC;AA2B5B,IAAM,iBAAN,MAAqB;AAAA,EAI1B,YAA6B,eAA8B;AAA9B;AAH7B,SAAQ,UAAwB,CAAC;AACjC,SAAiB,SAAS,IAAI,sBAAO,eAAe,IAAI;AAAA,EAEI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAc5D,SAAS,QAA0B;AAEjC,QAAI,CAAC,OAAO,MAAM;AAChB,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AAGA,UAAM,oBAAoB,KAAK,cAAc,IAAY,iBAAiB;AAC1E,UAAM,qBACJ,KAAK,cAAc,IAAY,kBAAkB;AAEnD,UAAM,iBAAiB,oBACnB,kBAAkB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,IAChD;AACJ,UAAM,kBAAkB,qBACpB,mBAAmB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,IACjD,CAAC;AAEL,QAAI,kBAAkB,CAAC,eAAe,SAAS,OAAO,IAAI,GAAG;AAC3D,WAAK,OAAO,IAAI,sDAAsD,OAAO,IAAI,EAAE;AACnF;AAAA,IACF;AAEA,QAAI,gBAAgB,SAAS,OAAO,IAAI,GAAG;AACzC,WAAK,OAAO,IAAI,mDAAmD,OAAO,IAAI,EAAE;AAChF;AAAA,IACF;AAEA,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAM,IAAI,MAAM,eAAe,OAAO,IAAI,4BAA4B;AAAA,IACxE;AAGA,UAAM,oBAAoB,KAAK,kBAAkB,MAAM;AACvD,UAAM,qBAAqB,KAAK,mBAAmB,MAAM;AAEzD,QAAI,qBAAqB,OAAO,SAAS,IAAI;AAC3C,WAAK,OAAO;AAAA,QACV,eAAe,OAAO,IAAI,2CAA2C,OAAO,KAAK;AAAA,MACnF;AAAA,IACF;AACA,QAAI,sBAAsB,OAAO,QAAQ,IAAI;AAC3C,WAAK,OAAO;AAAA,QACV,eAAe,OAAO,IAAI,4CAA4C,OAAO,KAAK;AAAA,MACpF;AAAA,IACF;AAEA,SAAK,QAAQ,KAAK,MAAM;AACxB,UAAM,aACJ,OAAO,OAAO,UAAU,WACpB,OAAO,QACP,OAAO,OAAO,SAAS;AAC7B,SAAK,OAAO;AAAA,MACV,sBAAsB,OAAO,IAAI,YAAY,OAAO,KAAK,YAAY,UAAU;AAAA,IACjF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAqB;AACnB,WAAO,CAAC,GAAG,KAAK,OAAO,EAAE;AAAA,MACvB,CAAC,GAAG,OAAO,EAAE,SAAS,QAAQ,EAAE,SAAS;AAAA,IAC3C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,sBAAuC;AACrC,WAAO,KAAK,KAAK,EAAE,OAAO,CAAC,OAA2B,EAAE,SAAS,OAAO,EAAE;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,uBAAyC;AACvC,WAAO,KAAK,KAAK,EAAE;AAAA,MACjB,CAAC,OAA4B,EAAE,SAAS,QAAQ;AAAA,IAClD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,kBAAkB,QAA6B;AACrD,UAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,WAAO,UAAU,iBAAiB,OAAO,SAAS,OAAO;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,mBAAmB,QAA6B;AACtD,UAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,WAAO,UAAU,kBAAkB,OAAO,SAAS,QAAQ;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,wBAA6E;AAC3E,WAAO;AAAA,MACL,gBAAgB,KAAK,oBAAoB,EAAE;AAAA,MAC3C,iBAAiB,KAAK,qBAAqB,EAAE;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAc;AACZ,SAAK,UAAU,CAAC;AAAA,EAClB;AACF;AA5Ja,iBAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;AC3Bb;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACwRO,SAAS,uBACd,QACA,UAAkB,YAClB,QAAgB,QACR;AAGR,SAAO,MAAM,OAAO,IAAI,KAAK,IAAI,MAAM;AACzC;AAMO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU;AAAA,IACd,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI;AAAA,IAC/C,MAAM;AAAA,MACJ,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,IACjB;AAAA,IACA,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,MAAM,KAAK,KAAK,KAAK;AAAA,EACvE;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;AAKO,SAAS,kBAAkB,OAAmC;AACnE,QAAM,UAAU;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,QAAQ,MAAM;AAAA,IACd,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,IAClB,MAAM,MAAM;AAAA,IACZ,MAAM,MAAM;AAAA,EACd;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;;;ACjUA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,KAAmB;AAqBZ,IAAM,kBAAoB,SAAM;AAAA,EACnC,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,EAC/D,UAAO;AAAA,IACP,QAAU,WAAQ,MAAM;AAAA,IACxB,MAAQ,UAAO;AAAA,IACf,QAAU,UAAO,EAAE,SAAS;AAAA,IAC5B,MAAQ,OAAI,EAAE,SAAS;AAAA,EACzB,CAAC;AACH,CAAC;AAEM,IAAM,8BAAgC,SAAM;AAAA,EAC/C,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,EAC/D,UAAO;AAAA,IACP,QAAU,WAAQ,MAAM;AAAA,IACxB,MAAQ,UAAO;AAAA,IACf,QAAU,UAAO,EAAE,SAAS;AAAA,IAC5B,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,IACnD,MAAQ,OAAI,EAAE,SAAS;AAAA,EACzB,CAAC;AACH,CAAC;AAMM,IAAM,2BAA6B,UAAO;AAAA,EAC/C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,SAAW,UAAO,EAAE,OAAO,CAAC,EAAE,YAAY,EAAE,SAAS;AACvD,CAAC;AAGM,IAAM,wBAAwB;AAO9B,IAAM,wBAA0B,UAAO;AAAA,EAC5C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,WAAa,WAAQ,EAAE,SAAS;AAClC,CAAC;AAGM,IAAM,qBAAqB;AAO3B,IAAM,aAAe,QAAK;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,iBAAmB,QAAK,CAAC,UAAU,WAAW,YAAY,MAAM,CAAC;AAGvE,IAAM,sBAAwB,UAAO;AAAA,EAC1C,SAAS;AAAA,EACT,YAAc,QAAK,CAAC,UAAU,SAAS,CAAC;AAAA,EACxC,eAAiB,SAAM,UAAU,EAAE,IAAI,CAAC;AAAA,EACxC,YAAc,WAAQ;AAAA,EACtB,sBAAwB,WAAQ;AAAA,EAChC,QAAU,UAAO,EAAE,IAAI,CAAC;AAC1B,CAAC;AAOM,IAAM,oBAAsB,QAAK,CAAC,OAAO,UAAU,QAAQ,UAAU,CAAC;AAGtE,IAAM,gBAAkB,UAAO;AAAA,EACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,aAAa;AAAA,EACb,eAAiB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACzC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAClD,oBAAsB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EACzD,kBAAoB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EACvD,mBAAqB,WAAQ;AAAA,EAC7B,iBAAmB,WAAQ;AAAA,EAC3B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AACvC,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,EAC/C,OAAO;AAAA,EACP,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAC1C,CAAC;AAGM,IAAM,wBAA0B,SAAM;AAAA,EACzC,UAAO;AAAA,IACP,QAAU,WAAQ,OAAO;AAAA,IACzB,QAAQ;AAAA,EACV,CAAC;AAAA,EACC,UAAO;AAAA,IACP,QAAU,WAAQ,MAAM;AAAA,IACxB,QAAU,UAAO;AAAA,EACnB,CAAC;AACH,CAAC;AAOM,IAAM,iBAAmB,UAAO;AAAA,EACrC,WAAa,UAAO,EAAE,IAAI,CAAC;AAAA,EAC3B,cAAgB,SAAQ,UAAO,CAAC,EAAE,IAAI,CAAC;AAAA,EACvC,QACG,UAAO;AAAA,IACN,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EACrD,CAAC,EACA,SAAS;AAAA,EACZ,QAAU,UAAS,UAAO,GAAK,OAAI,CAAC,EAAE,SAAS;AACjD,CAAC;AAGM,IAAM,WAAa,UAAO;AAAA,EAC/B,IAAM,UAAO;AAAA,EACb,QAAQ;AAAA,EACR,UAAY,UAAO,EAAE,IAAI;AAAA,EACzB,WAAa,UAAO,EAAE,IAAI;AAAA,EAC1B,MAAQ,QAAK,CAAC,QAAQ,YAAY,SAAS,CAAC;AAC9C,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,EAC/C,OAAS,WAAQ;AAAA,EACjB,SAAS,SAAS,SAAS;AAAA,EAC3B,QAAU,UAAO,EAAE,SAAS;AAAA,EAC5B,gBAAkB,WAAQ,EAAE,SAAS;AACvC,CAAC;AAGM,IAAM,4BAA8B,UAAO;AAAA,EAChD,SAAW;AAAA,IACP,UAAO;AAAA,IACP,UAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,EACrD;AAAA,EACA,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,KAAO,OAAI;AAAA;AACb,CAAC;AAKM,IAAM,uBAAyB,UAAO;AAAA,EAC3C,IAAM,WAAQ,IAAI;AAAA,EAClB,SAAS;AACX,CAAC;AAOM,IAAM,oBAAsB,QAAK;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,kBAAoB,UAAO;AAAA,EACtC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,WAAa,UAAO,EAAE,SAAS;AAAA,EAC/B,SAAW,UAAO,EAAE,SAAS;AAAA,EAC7B,WAAa,UAAO,EAAE,SAAS;AAAA,EAC/B,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,SAAS;AACX,CAAC;AAGM,IAAM,mBAAqB,UAAO;AAAA,EACvC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACrC,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC/B,KAAO,QAAK,CAAC,kBAAkB,eAAe,CAAC;AACjD,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,EACpC,IAAM,WAAQ,IAAI;AACpB,CAAC;AAOM,IAAM,YAAc,UAAO;AAAA,EAChC,IAAM,UAAO;AAAA,EACb,YAAc,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACtD,QAAU,QAAK,CAAC,UAAU,WAAW,WAAW,SAAS,CAAC;AAAA,EAC1D,UAAY,UAAO,EAAE,IAAI;AAAA,EACzB,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AACvC,CAAC;AACM,IAAM,oBAAsB,UAAO;AAAA,EACxC,UAAY,UAAO,EAAE,IAAI;AAAA,EACzB,SAAW,UAAO,EAAE,IAAI;AAAA,EACxB,eAAiB,UAAO,EAAE,IAAI;AAAA,EAC9B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AACvC,CAAC;AAQM,IAAM,oBAAsB,UAAO;AAAA,EACxC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,EACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,MAAQ,cAAW,UAAU;AAAA,EAC7B,SAAW,UAAO,EAAE,SAAS;AAC/B,CAAC;AAOM,IAAM,sBAAwB,UAAO;AAAA,EAC1C,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,EAC1D,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,EAC5D,IAAM,UAAO,EAAE,IAAI,CAAC;AACtB,CAAC;AAOM,IAAM,uBAAyB,UAAO;AAAA,EAC3C,UACG,SAAM,CAAG,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,GAAK,cAAW,UAAU,CAAC,CAAC,EAC7E,SAAS;AAAA,EACZ,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,EACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,MAAQ,cAAW,UAAU;AAAA,EAC7B,SAAW,UAAO,EAAE,SAAS;AAAA,EAC7B,aAAe,UAAO,EAAE,SAAS;AACnC,CAAC;AAOM,IAAM,mBAAqB,QAAK;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,SAAW,QAAK,CAAC,UAAU,MAAM,CAAC;AAGxC,IAAM,eAAiB,UAAO;AAAA,EACnC,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,EACtB,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC/B,MAAM;AAAA,EACN,UAAY,WAAQ,EAAE,SAAS;AAAA,EAC/B,QAAU,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,KAAO,UAAO,EAAE,SAAS;AAAA,EACzB,OAAO,OAAO,SAAS;AACzB,CAAC;AAGM,IAAM,eAAiB,QAAK,CAAC,WAAW,OAAO,WAAW,SAAS,CAAC;AAGpE,IAAM,gBAAkB,UAAO;AAAA,EACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,SAAW,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACnC,aAAa;AAAA,EACb,QAAU,SAAM,YAAY,EAAE,IAAI,CAAC;AACrC,CAAC;AAOM,IAAM,oBAAsB,UAAO;AAAA,EACxC,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,MAAQ,WAAQ;AAAA,EAChB,IAAM,UAAO,EAAE,IAAI,CAAC;AACtB,CAAC;AAGM,IAAM,uBAAyB,SAAM;AAAA,EACxC,UAAO,EAAE,QAAU,WAAQ,OAAO,EAAE,CAAC;AAAA,EACrC,UAAO,EAAE,QAAU,WAAQ,MAAM,GAAG,MAAQ,UAAO,EAAE,CAAC;AAC1D,CAAC;AAOM,IAAM,qBAAuB,UAAO;AAAA,EACzC,IAAM,UAAO,EAAE,IAAI,CAAC;AACtB,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,EACpC,OAAS,UAAO,EAAE,IAAI,IAAI,EAAE,IAAI,GAAG;AAAA,EACnC,aAAe,UAAO,EAAE,IAAI;AAAA,EAC5B,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,gBAAkB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC7C,iBAAmB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC9C,MAAQ,SAAQ,UAAO,CAAC;AAC1B,CAAC;AAOM,IAAM,gBAAkB,QAAK;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,iBAAmB,UAAO;AAAA,EACrC,aAAe,UAAO,EAAE,IAAI,CAAC;AAAA,EAC7B,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACrC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACrC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACvC,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,QAAQ;AACV,CAAC;AAOM,IAAM,mBAAqB,UAAO;AAAA,EACvC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,WAAa,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACxC,SAAW,UAAO,EAAE,IAAI,EAAE,YAAY;AACxC,CAAC;AAGM,IAAM,oBAAsB,UAAO;AAAA,EACxC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAC1C,CAAC;AAOM,IAAM,kBAAoB,UAAO;AAAA,EACtC,YAAc,OAAI;AAAA;AAAA,EAClB,WAAa,OAAI;AAAA;AAAA,EACjB,QAAU,UAAO,EAAE,IAAI,CAAC;AAC1B,CAAC;AAOM,IAAKC,aAAL,kBAAKA,eAAL;AACL,EAAAA,sBAAA,aAAU,KAAV;AACA,EAAAA,sBAAA,SAAM,KAAN;AACA,EAAAA,sBAAA,aAAU,KAAV;AACA,EAAAA,sBAAA,eAAY,KAAZ;AACA,EAAAA,sBAAA,iBAAc,KAAd;AALU,SAAAA;AAAA,iBAAA;AAQL,IAAM,eAAiB,UAAO;AAAA,EACnC,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA;AAAA,EAC/C,IAAM,UAAO;AAAA;AAAA,EACb,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,SAAW,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACnD,WAAa,QAAKA,UAAS;AAAA,EAC3B,UAAY,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACpD,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACjD,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,cAAgB,UAAO,EAAE,SAAS;AAAA,EAClC,SAAS,SAAS,SAAS;AAAA,EAC3B,UAAU,UAAU,SAAS;AAAA,EAC7B,OAAS,OAAI,EAAE,SAAS;AAAA;AAC1B,CAAC;AAQM,IAAM,aAAe,UAAO;AAAA,EACjC,MAAQ,UAAO;AAAA,EACf,SAAW,UAAO;AAAA,EAClB,YAAc,UAAO,EAAE,IAAI;AAC7B,CAAC;;;AC9bD,IAAAC,kBAAmC;AAO5B,IAAKC,eAAL,kBAAKA,iBAAL;AACL,EAAAA,0BAAA,SAAM,KAAN;AACA,EAAAA,0BAAA,aAAU,KAAV;AACA,EAAAA,0BAAA,SAAM,KAAN;AACA,EAAAA,0BAAA,SAAM,KAAN;AAJU,SAAAA;AAAA,mBAAA;AAiBL,IAAM,uBAAN,MAA2B;AAAA,EAA3B;AACL,SAAiB,SAAS,IAAI,uBAAO,qBAAqB,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA,EAK9D,SAAS,MAAkB,SAA6C;AACtE,YAAQ,SAAS;AAAA,MACf,KAAK;AACH,eAAO,KAAK,YAAY,IAAI;AAAA,MAE9B,KAAK;AACH,eAAO,KAAK,eAAe,IAAI;AAAA,MAEjC,KAAK;AACH,eAAO,KAAK,YAAY,IAAI;AAAA,MAE9B,KAAK;AACH,eAAO,KAAK,YAAY,IAAI;AAAA,MAE9B;AACE,eAAO;AAAA,UACL,OAAO;AAAA,UACP,OAAO,yBAAyB,OAAO;AAAA,UACvC;AAAA,QACF;AAAA,IACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAyC;AAC3D,WAAO;AAAA,MACL,OAAO;AAAA,MACP,SAAS;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,MAAyC;AAC9D,QAAI;AACF,YAAM,WAAO,qCAAe,IAAI;AAGhC,iBAAWC,QAAO,MAAM;AACtB,YAAIA,KAAI,SAAS,OAAOA,KAAI,SAAS,KAAK;AACxC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,OAAO;AAAA,YACP,SAAS;AAAA,UACX;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS;AAAA,MACX;AAAA,IACF,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,0BAA0B,OAAO;AAAA,QACxC,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAyC;AAC3D,QAAI;AACF,YAAM,WAAO,qCAAe,IAAI;AAGhC,YAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,UAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,eAAO;AAAA,UACL,OAAO;AAAA,UACP,OAAO;AAAA,UACP,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS;AAAA,MACX;AAAA,IACF,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,sBAAsB,OAAO;AAAA,QACpC,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAyC;AAC3D,QAAI;AACF,YAAM,WAAO,qCAAe,IAAI;AAGhC,YAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,UAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,eAAO;AAAA,UACL,OAAO;AAAA,UACP,OAAO;AAAA,UACP,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS;AAAA,MACX;AAAA,IACF,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,sBAAsB,OAAO;AAAA,QACpC,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AACF;AApIa,uBAAN;AAAA,MADN,4BAAW;AAAA,GACC;;;ACxBb;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,kBAA2B;AAmCpB,IAAM,8BAAN,MAAwD;AAAA,EAAxD;AAEL;AAAA,SAAS,OAAO;AAMhB;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,WAAoB;AAClB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,OAA6C;AAErD,UAAM,aAAa,CAAC,CAAC,MAAM,UAAU;AACrC,UAAM,cAAc,CAAC,CAAC,MAAM,UAAU;AACtC,UAAM,UAAU,CAAC,CAAC,MAAM,UAAU;AAElC,UAAM,UAAU,cAAc,eAAe,UAAU,YAAY;AAGnE,QAAI,CAAC,MAAM,SAAU,OAAM,WAAW,CAAC;AACvC,UAAM,SAAS,UAAU;AAEzB,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA5Ba,8BAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACnCb,IAAAC,kBAA2B;AA2FpB,IAAM,mBAAN,MAA6C;AAAA,EAA7C;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUhC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,EAAE,KAAK,IAAI;AAGjB,QAAI,CAAC,QAAQ,KAAK,SAAS,GAAG;AAC5B,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,QAAI;AAOF,UAAI,SAAS;AACb,gBAAU;AACV,gBAAU;AAGV,YAAM,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACrE,gBAAU;AAGV,YAAM,EAAE,OAAO,QAAQ,QAAI,oCAAa,MAAM,MAAM;AAGpD,UAAI,SAAS,mCAAa;AACxB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,eAAe,MAAM,kBAAkB,iCAAW;AAAA,QAC5D;AAAA,MACF;AAGA,UAAI,UAAU,oCAAc;AAC1B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,aAAa,OAAO,kBAAkB,kCAAY;AAAA,QAC5D;AAAA,MACF;AAEA,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B,SAAS,GAAG;AAGV,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAAA,EACF;AACF;AA3Fa,mBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC3Fb,IAAAC,kBAAmC;AA6E5B,IAAM,8BAAN,MAAwD;AAAA,EAAxD;AACL,SAAiB,SAAS,IAAI,uBAAO,4BAA4B,IAAI;AAGrE;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU/B,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,IAAI,OAA6C;AACrD,UAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,UAAM,YAAY,QAAQ,aAAa;AAIvC,UAAM,sBAAsB,mBAAmB,SAAS,KAAK,CAAC;AAI9D,UAAM,uBAAuB,KAAK,wBAAwB,MAAM;AAIhE,QAAI,qBAAqB,WAAW,GAAG;AACrC,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAIA,UAAM,sBAAsB,qBAAqB;AAAA,MAC/C,CAAC,QAAQ,CAAC,oBAAoB,SAAS,GAAG;AAAA,IAC5C;AAEA,QAAI,oBAAoB,SAAS,GAAG;AAElC,WAAK,OAAO;AAAA,QACV,yBAAyB,MAAM,aAAa,oBAAoB,KAAK,IAAI,CAAC,UAAU,oBAAoB,KAAK,IAAI,CAAC;AAAA,MACpH;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,yBAAyB,oBAAoB,KAAK,IAAI,CAAC;AAAA,MACjE;AAAA,IACF;AAGA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcQ,wBAAwB,QAA8B;AAE5D,QAAI,oBAAoB,MAAM,GAAG;AAC/B,aAAO,oBAAoB,MAAM;AAAA,IACnC;AAGA,eAAW,CAAC,SAAS,IAAI,KAAK,OAAO,QAAQ,mBAAmB,GAAG;AACjE,UAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,cAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,YAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,iBAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,WAAO,CAAC,SAAS;AAAA,EACnB;AACF;AAtHa,8BAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC7Eb,IAAAC,kBAA2B;AAC3B,IAAAC,iBAA2B;AAgFpB,IAAM,kBAAN,MAA4C;AAAA,EAA5C;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUhC,SAAS,OAA6B;AACpC,WAAO,MAAM,WAAW;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,aAAa,MAAM;AACzB,UAAM,YAAY,MAAM;AAGxB,QAAI,CAAC,cAAc,CAAC,WAAW;AAC7B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,UAAMC,oBAAmB;AAGzB,UAAM,WAAW,WAAW,IAAIA,iBAAgB;AAEhD,QAAI,CAAC,YAAY,SAAS,WAAW,IAAI;AACvC,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,UAAM,aAAS,2BAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO;AAI7D,QAAI,CAAC,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC,GAAG;AACtD,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAlFa,kBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACjFb,IAAAC,kBAAmC;AACnC,IAAAC,UAAwB;AAqGjB,IAAM,gBAAN,MAA0C;AAAA,EAA1C;AACL,SAAiB,SAAS,IAAI,uBAAO,cAAc,IAAI;AAUvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAiB,wBAAwB;AAGzC;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcvB,iBAAiB,MAA0B;AACjD,QAAI,KAAK,WAAW,EAAG,QAAO;AAG9B,UAAM,OAAO,oBAAI,IAAoB;AACrC,eAAW,QAAQ,MAAM;AACvB,WAAK,IAAI,OAAO,KAAK,IAAI,IAAI,KAAK,KAAK,CAAC;AAAA,IAC1C;AAGA,QAAI,UAAU;AACd,UAAM,MAAM,KAAK;AACjB,eAAW,SAAS,KAAK,OAAO,GAAG;AACjC,YAAM,IAAI,QAAQ;AAClB,iBAAW,IAAI,KAAK,KAAK,CAAC;AAAA,IAC5B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYQ,qBAAqB,MAA2B;AACtD,QAAI,KAAK,SAAS,EAAG,QAAO;AAE5B,QAAI,YAAY;AAChB,QAAI,aAAa;AAEjB,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI,EAAG;AACjC,UAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI,EAAG;AAAA,IACnC;AAGA,WAAO,YAAY,KAAK,SAAS,KAAK,aAAa,KAAK,SAAS;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYQ,mBAAmB,MAA2B;AACpD,QAAI,KAAK,SAAS,EAAG,QAAO;AAG5B,eAAW,cAAc,CAAC,GAAG,GAAG,CAAC,GAAG;AAClC,UAAI,KAAK,SAAS,eAAe,EAAG;AAEpC,UAAI,UAAU;AACd,eAAS,IAAI,YAAY,IAAI,KAAK,QAAQ,KAAK;AAC7C,YAAI,KAAK,CAAC,MAAM,KAAK,IAAI,UAAU,EAAG;AAAA,MACxC;AAGA,UAAI,WAAW,KAAK,SAAS,cAAc,KAAK;AAC9C,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,UAAU,MAAM;AAGtB,QAAI,CAAC,SAAS;AACZ,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,MAAM,QAAQ,IAAI,6BAAO;AAC/B,UAAM,QAAQ,QAAQ,IAAI,+BAAS;AAEnC,UAAM,SAAmB,CAAC;AAC1B,QAAI,aAAa;AAGjB,QAAI,OAAO,IAAI,SAAS,GAAG;AACzB,YAAM,aAAa,KAAK,iBAAiB,GAAG;AAG5C,UAAI,aAAa,KAAK,uBAAuB;AAC3C,eAAO,KAAK,mBAAmB,WAAW,QAAQ,CAAC,CAAC,EAAE;AACtD,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,qBAAqB,GAAG,GAAG;AAClC,eAAO,KAAK,gBAAgB;AAC5B,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,mBAAmB,GAAG,GAAG;AAChC,eAAO,KAAK,cAAc;AAC1B,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,YAAM,eAAe,KAAK,iBAAiB,KAAK;AAGhD,UAAI,eAAe,KAAK,uBAAuB;AAC7C,eAAO,KAAK,qBAAqB,aAAa,QAAQ,CAAC,CAAC,EAAE;AAC1D,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,qBAAqB,KAAK,GAAG;AACpC,eAAO,KAAK,kBAAkB;AAC9B,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,mBAAmB,KAAK,GAAG;AAClC,eAAO,KAAK,gBAAgB;AAC5B,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,GAAG;AACrB,WAAK,OAAO,KAAK,uBAAuB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC,EAAE;AACxE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,YAAY;AAAA,QACZ,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,OAAO,qBAAqB,QAA4B;AACtD,WAAO,IAAI,WAAkB,oBAAY,MAAM,CAAC;AAAA,EAClD;AACF;AAtNa,gBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACtGb,IAAAC,kBAAmC;AA2F5B,IAAM,yBAAN,MAAmD;AAAA,EAAnD;AACL,SAAiB,SAAS,IAAI,uBAAO,uBAAuB,IAAI;AAGhE;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQjC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,IAAI,OAA6C;AACrD,UAAM,EAAE,QAAQ,QAAQ,IAAI;AAC5B,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,UAAU,eAAe,MAAM;AAGrC,UAAM,WAAW,KAAK,IAAI,IAAI;AAG9B,QAAI,SAAS;AACX,MAAC,QAAgB,WAAW;AAC5B,MAAC,QAAgB,YAAY;AAAA,IAC/B;AAEA,SAAK,OAAO;AAAA,MACV,OAAO,OAAO,kBAAkB,MAAM,eAAe,IAAI,KAAK,QAAQ,EAAE,YAAY,CAAC;AAAA,IACvF;AAIA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,UAAU,KAAqC;AACpD,QAAI,CAAC,IAAI,SAAU,QAAO;AAC1B,WAAO,KAAK,IAAI,IAAI,IAAI;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,eAAe,KAAoC;AACxD,QAAI,CAAC,IAAI,SAAU,QAAO;AAC1B,WAAO,KAAK,IAAI,GAAG,IAAI,WAAW,KAAK,IAAI,CAAC;AAAA,EAC9C;AACF;AA3Fa,yBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC3Fb,IAAAC,kBAA2B;AAqFpB,IAAM,oBAAN,MAA8C;AAAA,EAanD,YAA6B,QAAuB;AAAvB;AAX7B;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,OAAO;AAAA,EAEwB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWrD,SAAS,OAA6B;AACpC,WAAO,OAAO,MAAM,kBAAkB;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,WACJ,KAAK,OAAO,IAAY,qBAAqB,KAAK,KAAK,OAAO;AAChE,UAAM,gBAAgB,MAAM;AAE5B,QAAI,OAAO,kBAAkB,UAAU;AACrC,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,QAAI,gBAAgB,UAAU;AAC5B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,cAAc,aAAa,kBAAkB,QAAQ;AAAA,MAC/D;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA7Da,oBAAN;AAAA,EAFN,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,MAC9B,4BAAW;AAAA,GACC;;;ACrFb,IAAAC,kBAA2B;AASpB,IAAM,0BAAN,MAAoD;AAAA,EAApD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,OAAO;AAAA;AAAA,EAE7B,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;AAAA,EAC9C;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,OAAO,MAAM;AACnB,UAAM,aAAa,MAAM,iBAAiB;AAG1C,QAAI,KAAK,SAAS,KAAK,CAAC,KAAK,YAAY,KAAK,MAAM,GAAG,CAAC,GAAG,gCAAU,GAAG;AACtE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,QAAI,KAAK,CAAC,MAAM,oCAAc;AAC5B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,wBAAwB,KAAK,CAAC,CAAC;AAAA,MACzC;AAAA,IACF;AAGA,QAAI,aAAa,qCAAe;AAC9B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,cAAc,UAAU,gBAAgB,mCAAa;AAAA,MAC/D;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA,EAEQ,YAAY,GAAe,GAAwB;AACzD,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,aAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,UAAI,EAAE,CAAC,MAAM,EAAE,CAAC,EAAG,QAAO;AAAA,IAC5B;AACA,WAAO;AAAA,EACT;AACF;AAjDa,0BAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,GAClB;;;ACTb,IAAAC,kBAA2B;AASpB,IAAM,uBAAN,MAAiD;AAAA,EAAjD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,UAAU;AAChC,SAAiB,WAAW;AAAA;AAAA,EAE5B,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,cAAc,CAAC,CAAC,MAAM;AAAA,EACvC;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,QAAI,MAAM,cAAc,MAAM,WAAW,OAAO,KAAK,UAAU;AAC7D,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,gBAAgB,MAAM,WAAW,IAAI,iBAAiB,KAAK,QAAQ;AAAA,MAC7E;AAAA,IACF;AAEA,QAAI,MAAM,UAAU,MAAM,OAAO,aAAa;AAC5C,YAAM,SAAS,MAAM,OAAO,YAAY;AACxC,UAAI,SAAS,mCAAa;AACxB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,eAAe,MAAM,gBAAgB,iCAAW;AAAA,QAC1D;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA/Ba,uBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO;AAAA,GACK;;;ACTb,IAAAC,kBAA2B;AAO3B,IAAM,0BAA0B;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAIO,IAAM,wBAAN,MAAkD;AAAA,EAAlD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,SAAS,OAA6B;AAEpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,UAAU,MAAM,UAAU,WAAW;AAC3C,UAAM,SAAS,MAAM,UAAU;AAG/B,QAAI,YAAY,UAAU;AACxB,YAAM,YAAY,wBAAwB;AAAA,QAAK,CAAC,WAC9C,OAAO,WAAW,MAAM;AAAA,MAC1B;AACA,UAAI,CAAC,WAAW;AACd,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,WAAW,MAAM;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AAGA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA9Ba,wBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO;AAAA,GACK;;;ACjBb,IAAAC,kBAA2B;AAsBpB,IAAM,uBAAN,MAAiD;AAAA,EAItD,YAA6B,QAAsB;AAAtB;AAH7B,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA,EAEmB;AAAA,EAEpD,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,SAAS,MAAM;AAErB,QAAI,KAAK,OAAO,IAAI,MAAM,GAAG;AAC3B,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ,WAAW,MAAM;AAAA,IAC3B;AAAA,EACF;AACF;AAvBa,uBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO,EAAE,OAAO,cAAc,CAAC;AAAA,GACnB;;;ACtBb,IAAAC,kBAA2B;AAapB,IAAM,sBAAN,MAAgD;AAAA,EAAhD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,SAAS,OAAoC;AAC3C,WAAO,CAAC,CAAC,MAAM,WAAW,CAAC,CAAC,MAAM;AAAA,EACpC;AAAA,EAEA,MAAM,IAAI,OAAoD;AAE5D,UAAM,iBAAiB,oBAAoB,UAAU,KAAK;AAC1D,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR;AAAA,QACA,4BAA4B,eAAe,MAAM,OAAO;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AAEA,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,IAAI,eAAe;AAGnB,QAAI,eAAe,UAAU;AAC3B,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,QAAI,cAAc,SAAS,MAAM,GAAG;AAClC,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,kBAAkB,cAAc,SAAS,SAAS,KAAK;AAC7D,UAAM,mBACJ,cAAc,SAAS,UAAU,KAAK;AACxC,UAAM,eAAe,cAAc,SAAS,MAAM,KAAK,YAAY;AAEnE,UAAM,YAAY,mBAAmB,oBAAoB;AAEzD,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR;AAAA,QACA,sCAAsC,MAAM;AAAA,QAC5C;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAxDa,sBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACbb,IAAAC,kBAAiD;AA4BjD,IAAM,cAAc;AAAA,EAClB;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA,sCAAgB;AAAA,EAChB,sCAAgB;AAAA,EAChB,uCAAiB;AAAA,EACjB,sCAAgB,uCAAiB;AACnC;AA+EO,IAAM,uBAAN,MAA+D;AAAA,EAmBpE,YAA6B,QAAuB;AAAvB;AAlB7B,SAAiB,SAAS,IAAI,uBAAO,qBAAqB,IAAI;AAG9D;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,OAAO;AAE7B,SAAQ,gBAA4B;AACpC,SAAQ,kBAAkB;AAAA,EAE2B;AAAA;AAAA;AAAA;AAAA,EAKrD,OAAc,cACZ,OACA,UACqC;AACrC,QAAI,MAAM,SAAS,SAAS,OAAQ,QAAO,EAAE,OAAO,KAAK;AACzD,UAAM,SAAS,MAAM,SAAS,GAAG,SAAS,MAAM;AAChD,UAAM,QAAQ,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC;AAC9D,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,QAAQ,SAAY,IAAI,YAAY,EAAE,OAAO,MAAM;AAAA,IAC7D;AAAA,EACF;AAAA,EAEA,OAAc,gBAAgB,SAAiB,UAA2B;AACxE,WAAO,YAAY;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,eAAe;AACb,UAAM,WAAW,KAAK,OAAO,IAAY,qBAAqB;AAC9D,SAAK,gBAAgB,WAAW,OAAO,KAAK,UAAU,OAAO,IAAI;AACjE,SAAK,kBACH,KAAK,OAAO,IAAY,uBAAuB,KAAK;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,OAA6C;AACrD,UAAM,iBAAiB,qBAAqB,UAAU,KAAK;AAC3D,QAAI,CAAC,eAAe,SAAS;AAC3B,WAAK,OAAO;AAAA,QACV,kBAAkB,eAAe,MAAM,OAAO;AAAA,QAC9C,eAAe,MAAM;AAAA,MACvB;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAEA,UAAM,EAAE,aAAa,KAAK,IAAI,eAAe;AAC7C,UAAM,SAAmB,CAAC;AAG1B,QAAI,KAAK,UAAU,GAAG;AACpB,YAAM,MAAM,OAAO,KAAK,KAAK,SAAS,GAAG,EAAE,CAAC,EAAE,SAAS,KAAK;AAC5D,WAAK,OAAO,MAAM,2BAA2B,GAAG,SAAS,MAAM,EAAE,GAAG;AAAA,IACtE;AAGA,QAAI,gBAAgB,QAAW;AAC7B,UAAI,CAAC,KAAK,mBAAmB,WAAW,GAAG;AACzC,eAAO,KAAK,wBAAwB,WAAW,EAAE;AAAA,MACnD;AAAA,IACF;AAGA,QAAI,KAAK,SAAS,GAAG;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,UAAM,aAAa,qBAAqB;AAAA,MACtC;AAAA,MACA,KAAK;AAAA,IACP;AACA,QAAI,CAAC,WAAW,OAAO;AACrB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,aAAa,CAAC,eAAe,WAAW,MAAM;AAAA,MAClG;AAAA,IACF;AAGA,UAAM,UAAU,KAAK,CAAC;AACtB,QAAI,CAAC,qBAAqB,gBAAgB,SAAS,KAAK,eAAe,GAAG;AACxE,aAAO,KAAK,uBAAuB,OAAO,EAAE;AAAA,IAC9C;AAGA,UAAM,QAAQ,KAAK,CAAC;AACpB,QAAI,CAAC,KAAK,aAAa,KAAK,GAAG;AAC7B,aAAO,KAAK,mBAAmB,MAAM,SAAS,EAAE,CAAC,EAAE;AAAA,IACrD;AAGA,QAAI,KAAK,UAAU,IAAI;AACrB,YAAM,cAAc,KAAK,oBAAoB,KAAK,SAAS,CAAC,CAAC;AAC7D,UAAI,CAAC,YAAY,OAAO;AACtB,eAAO,KAAK,sBAAsB,YAAY,MAAM,EAAE;AAAA,MACxD;AAAA,IACF;AAGA,QAAI,KAAK,UAAU,IAAI;AACrB,YAAM,WAAW,KAAK,iBAAiB,IAAI;AAC3C,UAAI,CAAC,SAAS,OAAO;AACnB,eAAO,KAAK,qBAAqB,SAAS,MAAM,EAAE;AAAA,MACpD;AAGA,YAAM,mBAAmB,MAAM,KAAK,sBAAsB,IAAI;AAC9D,UAAI,CAAC,kBAAkB;AAErB,eAAO,KAAK,wBAAwB;AAAA,MACtC;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,GAAG;AAErB,YAAM,WAAW,OAAO;AAAA,QACtB,CAAC,MACC,EAAE,WAAW,eAAe,KAAK,EAAE,WAAW,qBAAqB;AAAA,MACvE;AAEA,UAAI,UAAU;AACZ,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,OAAO,KAAK,IAAI;AAAA,QAC1B;AAAA,MACF;AAEA,WAAK,OAAO;AAAA,QACV,wBAAwB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC;AAAA,MACxD;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,YAAY,CAAC,OAAO,SAAS;AAAA,QAC7B,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,GAAe,GAAwB;AAC1D,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,aAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,UAAI,EAAE,CAAC,MAAM,EAAE,CAAC,EAAG,QAAO;AAAA,IAC5B;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAmB,aAA8B;AACvD,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO,MAAM,KAAK,CAAC,MAAM,YAAY,YAAY,EAAE,SAAS,CAAC,CAAC;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,OAAwB;AAC3C,WAAO,YAAY,SAAS,KAAK;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,MAG1B;AACA,QAAI;AACF,YAAM,EAAE,OAAO,QAAQ,UAAU,QAAI,oCAAa,MAAM,CAAC;AAIzD,UAAI,QAAQ,OAAO,YAAY,GAAG;AAChC,eAAO,EAAE,OAAO,OAAO,QAAQ,0BAA0B;AAAA,MAC3D;AACA,UAAI,QAAQ,SAAS,YAAY,GAAG;AAClC,eAAO,EAAE,OAAO,OAAO,QAAQ,2BAA2B;AAAA,MAC5D;AAEA,aAAO,EAAE,OAAO,KAAK;AAAA,IACvB,QAAQ;AACN,aAAO,EAAE,OAAO,OAAO,QAAQ,sBAAsB;AAAA,IACvD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAiB,MAGvB;AAIA,QAAI;AAEF,UAAI,SAAS;AAGb,YAAM,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACrE,gBAAU;AAGV,YAAM,EAAE,QAAQ,UAAU,QAAI,oCAAa,MAAM,MAAM;AACvD,gBAAU;AAGV,YAAM,EAAE,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACtD,gBAAU;AAGV,YAAM,WAAW;AACjB,YAAM,SAAS,WAAW,OAAO,MAAM;AAEvC,UAAI,SAAS,KAAK,QAAQ;AACxB,eAAO,EAAE,OAAO,KAAK;AAAA,MACvB;AAGA,UAAI,WAAW;AACf,UAAI,MAAM;AAEV,aAAO,MAAM,UAAU,MAAM,KAAK,SAAS,GAAG;AAC5C,cAAM,EAAE,OAAO,MAAM,QAAQ,UAAU,QAAI,oCAAa,MAAM,GAAG;AACjE,eAAO;AAEP,YAAI,OAAO,OAAQ;AAEnB,cAAM,EAAE,OAAO,KAAK,QAAQ,SAAS,QAAI,oCAAa,MAAM,GAAG;AAC/D,eAAO;AAGP,YAAI,OAAO,IAAI,KAAK,UAAU;AAC5B,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,QAAQ,QAAQ,IAAI,UAAU,QAAQ;AAAA,UACxC;AAAA,QACF;AAEA,mBAAW,OAAO,IAAI;AACtB,eAAO,OAAO,GAAG;AAAA,MACnB;AAEA,aAAO,EAAE,OAAO,KAAK;AAAA,IACvB,QAAQ;AACN,aAAO,EAAE,OAAO,KAAK;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBAAsB,MAAoC;AACtE,QAAI;AACF,UAAI,SAAS;AACb,YAAM,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACrE,gBAAU;AACV,YAAM,EAAE,QAAQ,UAAU,QAAI,oCAAa,MAAM,MAAM;AACvD,gBAAU;AACV,YAAM,EAAE,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACtD,gBAAU;AAEV,YAAM,SAAS,SAAS,OAAO,MAAM;AAErC,UAAI,MAAM;AACV,aAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,cAAM,EAAE,OAAO,MAAM,QAAQ,UAAU,QAAI,oCAAa,MAAM,GAAG;AACjE,eAAO;AACP,cAAM,EAAE,QAAQ,SAAS,QAAI,oCAAa,MAAM,GAAG;AACnD,eAAO;AAEP,cAAM,EAAE,OAAO,QAAQ,QAAQ,YAAY,QAAI;AAAA,UAC7C;AAAA,UACA,MAAM;AAAA,QACR;AAAA,MAUF;AAKA,YAAM;AACN,aAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,cAAM,QAAI,oCAAa,MAAM,GAAG;AAChC,eAAO,EAAE;AACT,cAAM,QAAI,oCAAa,MAAM,GAAG;AAChC,eAAO,EAAE;AAET,YAAI,EAAE,UAAU,IAAK,QAAO;AAE5B,eAAO,OAAO,EAAE,KAAK;AAAA,MACvB;AAEA,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;AA3Va,uBAAN;AAAA,EAFN,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,MAC9B,4BAAW;AAAA,GACC;;;ACpHb,IAAAC,kBAA2B;AAQpB,IAAM,sBAAN,MAAgD;AAAA,EAAhD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,WAAoB;AAClB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,MAA+B;AAEnC,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAZa,sBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO;AAAA,GACK;;;ACRb,IAAAC,kBAA2B;AAgB3B,SAAS,UAAU,GAAuB;AACxC,MAAI,EAAE,WAAW;AACf,UAAM,IAAI,UAAU,wBAAwB,uBAAuB,GAAG;AACxE,MAAI,IAAI;AACR,aAAW,MAAM,EAAG,KAAK,KAAK,KAAM,OAAO,EAAE;AAC7C,SAAO;AACT;AAsFO,IAAM,yBAAN,MAAmD;AAAA,EAAnD;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUhC,SAAS,OAAqB;AAE5B,WAAO,CAAC,CAAC,MAAM,UAAU;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,IACJ,OAGA;AACA,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,aAAa,MAAM;AACzB,UAAM,WAAW,MAAM;AAGvB,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,kBAAkB,cAAc,UAAU,MAAM;AACtD,QAAI,CAAC,gBAAgB,SAAS;AAC5B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,6BAA6B,gBAAgB,MAAM,OAAO;AAAA,MACpE;AAAA,IACF;AAGA,QAAI;AACF,iBAAW,SAAS,OAAO,QAAQ;AAEjC,cAAM,QAAQ,MAAM,SAAS;AAC7B,cAAMC,OAAM,UAAU,WAAW,aAAa;AAG9C,cAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAG9B,YAAI,MAAM,YAAY,CAAC,KAAK;AAC1B,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,2BAA2B,MAAM,IAAI,SAAS,MAAM,GAAG;AAAA,YACvD;AAAA,UACF;AAAA,QACF;AAGA,YAAI,CAAC,IAAK;AAGV,YAAI,OAAO,MAAM,WAAW,YAAY,IAAI,SAAS,MAAM,QAAQ;AACjE,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,SAAS,MAAM,IAAI,eAAe,IAAI,MAAM,MAAM,MAAM,MAAM;AAAA,YAC9D;AAAA;AAAA,UACF;AAAA,QACF;AAGA,gBAAQ,MAAM,MAAM;AAAA,UAClB,KAAK;AAEH,gBAAI;AACF,kBAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,GAAG;AAAA,YACtD,QAAQ;AACN,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,oBAAoB,MAAM,IAAI;AAAA,gBAC9B;AAAA,cACF;AAAA,YACF;AACA;AAAA,UAEF,KAAK;AAEH,gBAAI,IAAI,WAAW,KAAM,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,GAAI;AACtD,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,iBAAiB,MAAM,IAAI;AAAA,gBAC3B;AAAA,cACF;AAAA,YACF;AACA;AAAA,UAEF,KAAK,OAAO;AAEV,kBAAM,IAAI,UAAU,GAAG;AAGvB,gBAAI,MAAM,KAAK;AACb,oBAAM,KAAK,OAAO,MAAM,GAAG;AAC3B,kBAAI,IAAI,IAAI;AACV,sBAAM,IAAI;AAAA,kBACR;AAAA,kBACA,OAAO,MAAM,IAAI,iBAAiB,CAAC,MAAM,EAAE;AAAA,kBAC3C;AAAA,gBACF;AAAA,cACF;AAAA,YACF;AACA;AAAA,UACF;AAAA,UAEA,KAAK;AAEH,gBAAI,IAAI,WAAW,IAAI;AACrB,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,wBAAwB,MAAM,IAAI;AAAA,gBAClC;AAAA,cACF;AAAA,YACF;AACA;AAAA,UAEF,KAAK;AAEH;AAAA,UAEF,KAAK;AAAA,UACL,KAAK;AAGH;AAAA,UAEF;AACE,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,wBAAwB,MAAM,IAAI;AAAA,cAClC;AAAA,YACF;AAAA,QACJ;AAAA,MACF;AAGA,YAAM,aAAa,MAAM,UAAU;AAGnC,UAAI,cAAc,WAAW,OAAO,GAAG;AACrC,mBAAW,SAAS,OAAO,QAAQ;AACjC,gBAAM,MAAM,WAAW,IAAI,MAAM,GAAG;AACpC,cAAI,CAAC,OAAO,IAAI,WAAW,EAAG;AAE9B,gBAAM,QAAQ,MAAM,SAAS;AAC7B,gBAAMA,OAAM,UAAU,WAAW,aAAa;AAC9C,gBAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAC9B,cAAI,CAAC,IAAK;AAEV,qBAAW,MAAM,KAAK;AACpB,kBAAM,QAAQ,GAAG,KAAK,MAAM,IAAI;AAChC,gBAAI,OAAO;AACT,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,GAAG,MAAM,IAAI,SAAS,MAAM,GAAG,MAAM,KAAK;AAAA,gBAC1C;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,SAAS,KAAU;AAEjB,UAAI,eAAe,WAAW;AAC5B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM,IAAI;AAAA,UACV,QAAQ,IAAI;AAAA,QACd;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAjNa,yBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC5Gb,IAAAC,kBAA2B;AA0FpB,IAAM,oBAAN,MAA8C;AAAA,EAA9C;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASjC,WAAoB;AAClB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,MAA+B;AAsBnC,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAhEa,oBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC1Fb,IAAAC,kBAA2B;AAiCpB,IAAM,iBAAN,MAA2C;AAAA,EAA3C;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA,EAEhC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,SAAS,MAAM;AACrB,QAAI,CAAC,OAAQ,QAAO,EAAE,QAAQ,QAAQ;AAGtC,UAAM,WACJ,OAAO,YAAY,OAAO;AAC5B,QAAI,YAAY,SAAS,SAAS,GAAG;AACnC,YAAM,SAAS,KAAK,qBAAqB,UAAU,QAAQ;AAC3D,UAAI,OAAQ,QAAO;AAAA,IACrB;AAGA,UAAM,YACJ,OAAO,aAAa,MAAM;AAC5B,UAAM,YACJ,OAAO,UAAU,UAAa,OAAO,QAAQ,OAAU,IAAI;AAG7D,UAAM,cAAc,MAAM,UAAU,QAAQ;AAC5C,UAAM,WAAW,gBAAgB;AAEjC,QAAI,CAAC,YAAY,aAAa,aAAa,UAAU,SAAS,GAAG;AAC/D,YAAM,SAAS,KAAK,qBAAqB,WAAW,MAAM;AAC1D,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,qBACN,KACA,SACuB;AACvB,QAAI,SAAS;AACb,QAAI,WAAW;AACf,QAAI,QAAQ;AACZ,UAAM,WAAW;AAEjB,WAAO,SAAS,IAAI,QAAQ;AAC1B,UAAI,SAAS,UAAU;AACrB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,oBAAoB,OAAO;AAAA,QACrC;AAAA,MACF;AAGA,UAAI;AACJ,UAAI;AACJ,UAAI;AACF,cAAM,QAAI,oCAAa,KAAK,MAAM;AAClC,eAAO,EAAE;AACT,kBAAU,EAAE;AAAA,MACd,QAAQ;AACN,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,4BAA4B,OAAO,cAAc,MAAM;AAAA,QACjE;AAAA,MACF;AACA,gBAAU;AAGV,UAAI,QAAQ,GAAG;AACb,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,eAAe,IAAI,OAAO,OAAO;AAAA,QAC3C;AAAA,MACF;AAGA,UAAI,QAAQ,UAAU;AACpB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,8BAA8B,OAAO,KAAK,IAAI,UAAU,QAAQ;AAAA,QAC1E;AAAA,MACF;AACA,iBAAW;AAGX,UAAI;AACJ,UAAI;AACJ,UAAI;AACF,cAAM,QAAI,oCAAa,KAAK,MAAM;AAClC,cAAM,EAAE;AACR,iBAAS,EAAE;AAAA,MACb,QAAQ;AACN,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,8BAA8B,OAAO;AAAA,QAC/C;AAAA,MACF;AACA,gBAAU;AAGV,UAAI,SAAS,MAAM,IAAI,QAAQ;AAC7B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,0BAA0B,OAAO;AAAA,QAC3C;AAAA,MACF;AAEA,gBAAU;AACV;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AA9Ha,iBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACjCb,IAAAC,kBAA2B;AAgGpB,IAAM,wBAAN,MAAkD;AAAA,EAAlD;AAEL;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,OAAO;AAG7B;AAAA,SAAiB,mBAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUpC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,IAAI,OAA6C;AAErD,UAAM,OAAO,MAAM;AACnB,UAAM,SAAS;AACf,UAAM,YAAY,KAAK,IAAI,SAAS,IAAI,KAAK,MAAM;AAGnD,QAAI,oBAAoB;AACxB,aAAS,IAAI,QAAQ,IAAI,WAAW,KAAK;AACvC,WAAK,KAAK,CAAC,IAAI,SAAU,GAAG;AAC1B;AACA,YAAI,oBAAoB,KAAK,kBAAkB;AAC7C,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,QAAQ,kBAAkB,KAAK,gBAAgB;AAAA,UACjD;AAAA,QACF;AAAA,MACF,OAAO;AAEL,4BAAoB;AAAA,MACtB;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAlEa,wBAAN;AAAA,EAFN,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,MAC9B,4BAAW;AAAA,GACC;;;AChGb;AAAA;AAAA;AAAA;;;ACQO,SAAS,iBACd,UACA,MACY;AACZ,QAAM,SAAS,iBAAiB,QAAQ;AACxC,QAAM,QAAQ,OAAO,OAAO,QAAQ,CAAC,UAAU;AAC7C,UAAM,QAAS,KAAiC,MAAM,IAAI;AAC1D,QAAI,UAAU,UAAa,UAAU,MAAM;AACzC,UAAI,MAAM,UAAU;AAClB,cAAM,IAAI,MAAM,wCAAwC,MAAM,IAAI,EAAE;AAAA,MACtE;AACA,aAAO,CAAC;AAAA,IACV;AAEA,WAAO,CAAC,EAAE,MAAM,MAAM,KAAK,OAAO,YAAY,OAAO,KAAK,EAAE,CAAC;AAAA,EAC/D,CAAC;AAED,SAAO,UAAU,KAAK;AACxB;AAEA,SAAS,YAAY,OAAuB,OAAwB;AAClE,UAAQ,MAAM,MAAM;AAAA,IAClB,KAAK;AACH,aAAO,OAAO,KAAK,OAAO,KAAK,GAAG,MAAM;AAAA,IAC1C,KAAK;AACH,aAAO,UAAU,KAAK;AAAA,IACxB,KAAK;AAAA,IACL,KAAK;AACH,aAAO,SAAS,KAAK;AAAA,IACvB,KAAK;AACH,aAAO,OAAO,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;AAAA,IACpC,KAAK;AAAA,IACL,KAAK;AACH,aAAO,OAAO,KAAK,KAAK,UAAU,KAAK,GAAG,MAAM;AAAA,IAClD;AACE,aAAO,SAAS,KAAK;AAAA,EACzB;AACF;AAEA,SAAS,UAAU,OAAwB;AACzC,QAAM,UAAU,OAAO,MAAM,CAAC;AAC9B,UAAQ;AAAA,IACN,OAAO,UAAU,WAAW,QAAQ,OAAO,KAAwB;AAAA,EACrE;AACA,SAAO;AACT;AAEA,SAAS,SAAS,OAAwB;AACxC,MAAI,OAAO,SAAS,KAAK,GAAG;AAC1B,WAAO;AAAA,EACT;AACA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,OAAO,KAAK,KAAK;AAAA,EAC1B;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,OAAO,KAAK,OAAO,MAAM;AAAA,EAClC;AAEA,QAAM,IAAI,MAAM,gCAAgC,OAAO,KAAK,EAAE;AAChE;","names":["import_reflect_metadata","import_reflect_metadata","import_reflect_metadata","import_reflect_metadata","tlvMap","import_reflect_metadata","import_common","Decision","schema","import_axis_protocol","import_axis_protocol","sha256","sha256","import_crypto","MAGIC","MAGIC","RiskDecision","import_crypto","IntentSensitivity","import_common","crypto","import_common","crypto","AxisFrame","import_common","AxisFrame","import_common","import_crypto","import_common","import_common","import_common","BodyProfile","ProofType","z","ProofType","import_common","BodyProfile","tlv","import_common","import_common","import_common","import_common","import_crypto","TLV_SHA256_CHUNK","import_common","crypto","import_common","import_common","import_common","import_common","import_common","import_common","import_common","import_common","import_common","import_common","map","import_common","import_common","import_common"]}
1	+ {"version":3,"sources":["../src/index.ts","../src/decorators/handler.decorator.ts","../src/decorators/intent.decorator.ts","../src/decorators/intent-body.decorator.ts","../src/decorators/intent-sensors.decorator.ts","../src/decorators/tlv-field.decorator.ts","../src/decorators/dto-schema.util.ts","../src/core/tlv.ts","../src/base/axis-tlv.dto.ts","../src/base/axis-id.dto.ts","../src/base/axis-partial-type.ts","../src/base/axis-response.dto.ts","../src/engine/intent.router.ts","../src/sensor/axis-sensor.ts","../src/engine/observation/stable-json.ts","../src/engine/observation/observation-queue.codec.ts","../src/engine/observation/observation-hash.ts","../src/core/constants.ts","../src/engine/observation/response-observer.ts","../src/core/varint.ts","../src/core/signature.ts","../src/core/axis-bin.ts","../src/codec/ats1.constants.ts","../src/codec/ats1.ts","../src/codec/ats1.passkey.schemas.ts","../src/codec/tlv.encode.ts","../src/codec/axis1.encode.ts","../src/codec/axis1.signing.ts","../src/crypto/b64url.ts","../src/crypto/canonical-json.ts","../src/contract/execution-meter.ts","../src/contract/contract.interface.ts","../src/types/tlv.ts","../src/types/frame.ts","../src/types/packet.ts","../src/security/scopes.ts","../src/security/capabilities.ts","../src/risk/index.ts","../src/core/opcodes.ts","../src/core/receipt.ts","../src/core/intent-sensitivity.ts","../src/core/timeouts.ts","../src/core/frame-validator.ts","../src/upload/axis-files.handlers.ts","../src/upload/upload.tokens.ts","../src/upload/disk-upload-file.store.ts","../src/core/index.ts","../src/core/axis-error.ts","../src/crypto/index.ts","../src/crypto/proof-verification.service.ts","../src/decorators/index.ts","../src/decorators/axis-request.decorator.ts","../src/decorators/sensor.decorator.ts","../src/engine/index.ts","../src/engine/axis-observation.ts","../src/engine/handler-discovery.service.ts","../src/engine/sensor-bands.ts","../src/engine/sensor-discovery.service.ts","../src/engine/registry/sensor.registry.ts","../src/engine/observation/index.ts","../src/loom/index.ts","../src/loom/loom.types.ts","../src/schemas/index.ts","../src/schemas/axis-schemas.ts","../src/schemas/body-profile.validator.ts","../src/security/index.ts","../src/sensors/index.ts","../src/sensors/access-profile-resolver.sensor.ts","../src/sensors/body-budget.sensor.ts","../src/sensors/capability-enforcement.sensor.ts","../src/sensors/chunk-hash.sensor.ts","../src/sensors/entropy.sensor.ts","../src/sensors/execution-timeout.sensor.ts","../src/sensors/frame-budget.sensor.ts","../src/sensors/frame-header-sanity.sensor.ts","../src/sensors/header-tlv-limit.sensor.ts","../src/sensors/intent-allowlist.sensor.ts","../src/sensors/intent-registry.sensor.ts","../src/sensors/proof-presence.sensor.ts","../src/sensors/protocol-strict.sensor.ts","../src/sensors/receipt-policy.sensor.ts","../src/sensors/schema-validation.sensor.ts","../src/sensors/stream-scope.sensor.ts","../src/sensors/tlv-parse.sensor.ts","../src/sensors/varint-hardening.sensor.ts","../src/utils/index.ts","../src/utils/axis-tlv-codec.ts"],"sourcesContent":["// Decorators\nexport { Handler, HANDLER_METADATA_KEY } from './decorators/handler.decorator';\nexport {\n Intent,\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentRoute,\n IntentOptions,\n IntentTlvField,\n IntentKind,\n} from './decorators/intent.decorator';\nexport {\n IntentBody,\n INTENT_BODY_KEY,\n} from './decorators/intent-body.decorator';\nexport {\n IntentSensors,\n INTENT_SENSORS_KEY,\n} from './decorators/intent-sensors.decorator';\n\n// TLV Field Decorators\nexport {\n TlvField,\n TlvValidate,\n TlvUtf8Pattern,\n TlvMinLen,\n TlvEnum,\n TlvRange,\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n} from './decorators/tlv-field.decorator';\nexport type {\n TlvFieldKind,\n TlvFieldOptions,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from './decorators/tlv-field.decorator';\n\n// DTO Schema Utilities\nexport {\n extractDtoSchema,\n buildDtoDecoder,\n} from './decorators/dto-schema.util';\nexport type { DtoSchema } from './decorators/dto-schema.util';\n\n// Base DTO Classes\nexport { AxisTlvDto } from './base/axis-tlv.dto';\nexport { AxisIdDto } from './base/axis-id.dto';\nexport { AxisPartialType } from './base/axis-partial-type';\nexport {\n AxisResponseDto,\n RESPONSE_TAG_ID,\n RESPONSE_TAG_CREATED_AT,\n RESPONSE_TAG_UPDATED_AT,\n RESPONSE_TAG_CREATED_BY,\n RESPONSE_TAG_UPDATED_BY,\n} from './base/axis-response.dto';\n\n// Engine\nexport { IntentRouter, AxisEffect } from './engine/intent.router';\n\n// Observation (protocol-level observation pipeline)\nexport {\n stableJsonStringify,\n} from './engine/observation/stable-json';\nexport type {\n ObservationQueueMessage,\n ObservationQueueConfig,\n} from './engine/observation/observation-queue.types';\nexport {\n buildQueueMessage,\n encodeQueueMessage,\n decodeQueueMessage,\n parseStreamEntries,\n parseAutoClaimEntries,\n} from './engine/observation/observation-queue.codec';\nexport type {\n ObservationStreamEntry,\n} from './engine/observation/observation-queue.codec';\nexport {\n canonicalizeObservation,\n hashObservation,\n buildUnsignedWitness,\n} from './engine/observation/observation-hash';\nexport type {\n ObservationWitnessSummary,\n UnsignedObservationWitness,\n} from './engine/observation/observation-hash';\nexport {\n verifyResponse,\n} from './engine/observation/response-observer';\nexport type {\n ResponseObserverContext,\n ResponseContract,\n ObserverVerdict,\n} from './engine/observation/response-observer';\n\n// Core Protocol\nexport * from './core/constants';\nexport * from './core/varint';\nexport * from './core/tlv';\nexport * from './core/signature';\nexport {\n AxisFrameZ,\n decodeFrame,\n encodeFrame,\n getSignTarget,\n} from './core/axis-bin';\nexport type { AxisFrame, AxisBinaryFrame } from './core/axis-bin';\n\n// Codec\nexport * from './codec/ats1.constants';\nexport * from './codec/ats1.passkey.schemas';\nexport * as Ats1Codec from './codec/ats1';\nexport * from './codec/axis1.encode';\nexport * from './codec/axis1.signing';\nexport * from './codec/tlv.encode';\n\n// Crypto Utilities\nexport * from './crypto/b64url';\nexport * from './crypto/canonical-json';\nexport type {\n AxisAlg,\n AxisCapsule,\n CapsuleMode,\n KeyStatus,\n AxisSig,\n AxisPacket,\n AxisCapsuleConstraints,\n AxisCapsulePayload,\n} from './crypto/types';\n\n// Contract Utilities\nexport * from './contract/execution-meter';\nexport * from './contract/contract.interface';\n\n// Packet and Sensor Types\nexport { Axis1DecodedFrame, decodeAxis1Frame } from './types/frame';\nexport {\n AxisPacket as AxisBinaryPacket,\n T as AxisPacketTags,\n buildPacket,\n} from './types/packet';\nexport type {\n AxisObservedContext,\n AxisRequestContext,\n} from './types/axis-frame.types';\nexport type { TLV as AxisTlvType } from './core/tlv';\nexport {\n Decision,\n normalizeSensorDecision,\n SensorDecisions,\n} from './sensor/axis-sensor';\nexport type {\n AxisSensor,\n AxisSensorInit,\n AxisPreSensor,\n AxisPostSensor,\n SensorPhaseMetadata,\n SensorInput,\n SensorDecision,\n SensorMinifiedDecision,\n} from './sensor/axis-sensor';\n\n// Interfaces\nexport {\n AxisHandler,\n AxisHandlerInit,\n} from './interfaces/axis-handler.interface';\nexport { AxisCrudHandler } from './interfaces/axis-crud-handler.interface';\n\n// Security\nexport * from './security/scopes';\nexport * from './security/capabilities';\n\n// Risk\nexport * from './risk/index';\n\n// Core: Opcode Registry\nexport * from './core/opcodes';\n\n// Core: Receipt Hash\nexport * from './core/receipt';\n\n// Core: Intent Sensitivity\nexport * from './core/intent-sensitivity';\n\n// Core: Timeouts\nexport * from './core/timeouts';\n\n// Types: Intent Definitions\nexport type { IntentDefinition } from './types/intent-definition';\n\n// Frame Validation\nexport { validateFrameShape, isTimestampValid } from './core/frame-validator';\n\n// Types: JSON-level Frame Types\nexport type {\n AxisFrame as AxisJsonFrame,\n AxisResponse as AxisJsonResponse,\n AxisSig as AxisJsonSig,\n AxisAlg as AxisJsonAlg,\n} from './types/axis-frame.types';\n\n// Upload handlers and stores\nexport {\n AxisFilesDownloadHandler,\n AxisFilesFinalizeHandler,\n} from './upload/axis-files.handlers';\nexport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from './upload/upload.tokens';\nexport type {\n UploadFileStore,\n UploadFileStat,\n UploadReceiptSigner,\n UploadSessionRecord,\n UploadSessionStatus,\n UploadSessionStore,\n} from './upload/upload.types';\nexport { DiskUploadFileStore } from './upload/disk-upload-file.store';\n\n// Types\n\n// Grouped namespaces for the backend package merge surface\nexport * as core from './core';\nexport * as crypto from './crypto';\nexport * as decorators from './decorators';\nexport * as engine from './engine';\nexport * as loom from './loom';\nexport * as schemas from './schemas';\nexport * as security from './security';\nexport * as sensors from './sensors';\nexport * as utils from './utils';\n","import { Injectable, SetMetadata } from '@nestjs/common';\n\nexport const HANDLER_METADATA_KEY = 'axis:handler';\n\n/*\n Decorator to mark a class as an Axis Handler.\n * Handlers are responsible for processing intents or specific logic\n * for Axis modules.\n /\nexport function Handler(intent?: string): ClassDecorator {\n return (target: Function) => {\n SetMetadata(HANDLER_METADATA_KEY, { intent })(target);\n Injectable()(target as any);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_METADATA_KEY = 'axis:intent';\nexport const INTENT_ROUTES_KEY = 'axis:intent_routes';\n\n/\n CRUD + action classification for an intent.\n /\nexport type IntentKind = 'create' \| 'read' \| 'update' \| 'delete' \| 'action';\n\n/\n Describes a single TLV field expected by an intent.\n * Used by SchemaValidationSensor to enforce field contracts.\n /\nexport interface IntentTlvField {\n /* Human-readable field name (used in error messages) /\n name: string;\n /* TLV tag number /\n tag: number;\n /* Value type for type-specific validation /\n kind: 'utf8' \| 'u64' \| 'bytes' \| 'bytes16' \| 'bool' \| 'obj' \| 'arr';\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\nexport interface IntentRoute {\n action: string;\n methodName: string \| symbol;\n absolute?: boolean;\n frame?: boolean;\n kind?: IntentKind;\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n tlv?: IntentTlvField[];\n dto?: Function;\n}\n\nexport interface IntentOptions {\n /* Operation classification for this intent /\n kind?: IntentKind;\n /* If true, the action is the full intent name (not prefixed with handler name) /\n absolute?: boolean;\n /* If true, register as { handle: fn } for frame-based handlers /\n frame?: boolean;\n /\n How the body is encoded. Drives TLVParseSensor behavior:\n * - `TLV_MAP` — flat TLV map (canonical ordering enforced)\n * - `RAW` — raw bytes, skip TLV body validation\n * - `TLV_OBJ` — nested TLV object\n * - `TLV_ARR` — TLV array container\n /\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n /* Inline TLV field definitions for schema validation /\n tlv?: IntentTlvField[];\n /* DTO class decorated with @TlvField for schema extraction /\n dto?: Function;\n}\n\n/\n Marks a method as an intent handler.\n \n Stores both per-method metadata (INTENT_METADATA_KEY) and\n * route-collection metadata (INTENT_ROUTES_KEY) for backward compatibility.\n \n @example\n * ```ts\n * @Handler('axis.actor_keys')\n * class MyHandler {\n * @Intent('create', { kind: 'create', dto: CreateDto })\n * async create(body: Uint8Array) { ... }\n \n @Intent('axis.auth.login', { absolute: true, kind: 'action', dto: LoginDto })\n * async login(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function Intent(\n action: string,\n options?: IntentOptions,\n): MethodDecorator {\n return (target, propertyKey) => {\n // Per-method metadata (backend-style)\n Reflect.defineMetadata(\n INTENT_METADATA_KEY,\n { intent: action, ...options },\n target,\n propertyKey,\n );\n\n // Route-collection metadata (SDK-style, backward compat)\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, target.constructor) \|\| [];\n routes.push({\n action,\n methodName: propertyKey,\n absolute: options?.absolute,\n frame: options?.frame,\n kind: options?.kind,\n bodyProfile: options?.bodyProfile,\n tlv: options?.tlv,\n dto: options?.dto,\n });\n Reflect.defineMetadata(INTENT_ROUTES_KEY, routes, target.constructor);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_BODY_KEY = 'axis:intent:body';\n\n/\n @IntentBody — Auto-decode the raw Uint8Array body before the handler runs.\n \n The router reads this metadata and applies the decoder so handlers can\n * receive a parsed payload instead of raw bytes.\n /\nexport function IntentBody(decoder: (buf: Buffer) => any): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_BODY_KEY, decoder, target, propertyKey);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_SENSORS_KEY = 'axis:intent:sensors';\n\n/\n @IntentSensors — Attach additional sensors that must pass before the\n * annotated intent handler executes.\n /\nexport function IntentSensors(sensors: Function[]): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_SENSORS_KEY, sensors, target, propertyKey);\n };\n}\n","import 'reflect-metadata';\n\nexport const TLV_FIELDS_KEY = 'axis:tlv:fields';\nexport const TLV_VALIDATORS_KEY = 'axis:tlv:validators';\n\nexport type TlvFieldKind =\n \| 'utf8'\n \| 'u64'\n \| 'bytes'\n \| 'bytes16'\n \| 'bool'\n \| 'obj'\n \| 'arr';\n\nexport interface TlvFieldOptions {\n /* Value type for type-specific validation /\n kind: TlvFieldKind;\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\n/* Stored per-property metadata from @TlvField /\nexport interface TlvFieldMeta {\n /* Property name on the DTO class /\n property: string;\n /* TLV tag number /\n tag: number;\n /* Field options /\n options: TlvFieldOptions;\n}\n\n/\n Custom validation function applied via @TlvValidate.\n * Receives the raw TLV value bytes and the property name.\n * Return null/undefined to pass, or a string error message to deny.\n /\nexport type TlvValidatorFn = (\n value: Uint8Array,\n property: string,\n) => string \| null \| undefined;\n\n/* Stored per-property validator from @TlvValidate /\nexport interface TlvValidatorMeta {\n property: string;\n tag: number;\n validators: TlvValidatorFn[];\n}\n\n/\n @TlvField — Declare a TLV field contract on a DTO property.\n \n Applied to properties of a class passed to `@Intent({ dto: MyDto })`.\n * The schema is extracted at bootstrap and forwarded to SchemaValidationSensor.\n \n @example\n * ```typescript\n * class LoginDto {\n * @TlvField(100, { kind: 'utf8', required: true, maxLen: 256 })\n * email: string;\n \n @TlvField(105, { kind: 'bytes16', required: true })\n * deviceId: Buffer;\n \n @TlvField(103, { kind: 'bool' })\n * remember?: boolean;\n * }\n * ```\n /\nexport function TlvField(\n tag: number,\n options: TlvFieldOptions,\n): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, target.constructor) \|\| [];\n\n existing.push({\n property: String(propertyKey),\n tag,\n options,\n });\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, existing, target.constructor);\n };\n}\n\n/\n @TlvValidate — Attach custom validation logic to a TLV field.\n \n Runs after standard type/size checks. The validator receives raw bytes\n * and must return null (pass) or an error string (deny).\n \n Multiple @TlvValidate decorators can be stacked on the same property.\n /\nexport function TlvValidate(validator: TlvValidatorFn): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, target.constructor) \|\| [];\n\n const prop = String(propertyKey);\n let entry = existing.find((e) => e.property === prop);\n\n if (!entry) {\n entry = { property: prop, tag: 0, validators: [] };\n existing.push(entry);\n }\n\n entry.validators.push(validator);\n\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, existing, target.constructor);\n };\n}\n\n// ─── Built-in Validators (composable with @TlvValidate) ───\n\n/\n @TlvUtf8Pattern — Validate a UTF-8 field against a regex.\n /\nexport function TlvUtf8Pattern(\n pattern: RegExp,\n message?: string,\n): PropertyDecorator {\n return TlvValidate((val, prop) => {\n const str = new TextDecoder().decode(val);\n return pattern.test(str)\n ? null\n : message \|\| `${prop}: failed pattern check`;\n });\n}\n\n/\n @TlvMinLen — Minimum byte length for a field value.\n /\nexport function TlvMinLen(min: number, message?: string): PropertyDecorator {\n return TlvValidate((val, prop) => {\n return val.length >= min\n ? null\n : message \|\| `${prop}: too short (${val.length} < ${min})`;\n });\n}\n\n/\n @TlvEnum — UTF-8 field must be one of the listed values.\n /\nexport function TlvEnum(\n allowed: string[],\n message?: string,\n): PropertyDecorator {\n const set = new Set(allowed);\n return TlvValidate((val, prop) => {\n const str = new TextDecoder().decode(val);\n return set.has(str)\n ? null\n : message \|\| `${prop}: must be one of [${allowed.join(', ')}]`;\n });\n}\n\n/\n @TlvRange — Numeric u64 field must be within [min, max].\n /\nexport function TlvRange(\n min: bigint,\n max: bigint,\n message?: string,\n): PropertyDecorator {\n return TlvValidate((val, prop) => {\n if (val.length !== 8) return `${prop}: u64 must be 8 bytes`;\n let n = 0n;\n for (const b of val) n = (n << 8n) \| BigInt(b);\n if (n < min \|\| n > max) {\n return message \|\| `${prop}: value ${n} out of range [${min}, ${max}]`;\n }\n return null;\n });\n}\n","import 'reflect-metadata';\n\nimport type { IntentTlvField } from './intent.decorator';\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from './tlv-field.decorator';\nimport { decodeTLVs } from '../core/tlv';\n\n/* Extracted schema from a DTO class — fields + optional validators /\nexport interface DtoSchema {\n fields: IntentTlvField[];\n validators: Map<number, TlvValidatorFn[]>;\n}\n\n/\n Extracts TLV field definitions and validators from a DTO class\n * decorated with @TlvField and @TlvValidate.\n /\nexport function extractDtoSchema(dto: Function): DtoSchema {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — nothing to validate`,\n );\n }\n\n const tagByProp = new Map<string, number>();\n const fields: IntentTlvField[] = fieldMetas.map((m) => {\n tagByProp.set(m.property, m.tag);\n return {\n name: m.property,\n tag: m.tag,\n kind: m.options.kind,\n required: m.options.required,\n maxLen: m.options.maxLen,\n max: m.options.max,\n scope: m.options.scope,\n };\n });\n\n const validatorMetas: TlvValidatorMeta[] =\n Reflect.getMetadata(TLV_VALIDATORS_KEY, dto) \|\| [];\n\n const validators = new Map<number, TlvValidatorFn[]>();\n for (const vm of validatorMetas) {\n const tag = tagByProp.get(vm.property);\n if (tag === undefined) {\n throw new Error(\n `@TlvValidate on ${dto.name}.${vm.property} but no @TlvField found for that property`,\n );\n }\n vm.tag = tag;\n validators.set(tag, vm.validators);\n }\n\n return { fields, validators };\n}\n\n/\n Builds a decoder function for a DTO class.\n \n The returned function takes raw TLV body bytes and returns a plain object\n * with property names as keys and decoded values matching the DTO shape.\n \n Value decoding by kind:\n * - utf8 → string\n * - u64 → bigint\n * - bytes / bytes16 → Uint8Array\n * - bool → boolean (0x00 = false, anything else = true)\n * - obj → JSON.parse of utf8\n * - arr → JSON.parse of utf8\n /\nexport function buildDtoDecoder(\n dto: Function,\n): (bodyBytes: Buffer) => Record<string, any> {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — cannot build decoder`,\n );\n }\n\n const tagMap = new Map<number, { property: string; kind: string }>();\n for (const m of fieldMetas) {\n tagMap.set(m.tag, { property: m.property, kind: m.options.kind });\n }\n\n return (bodyBytes: Buffer): Record<string, any> => {\n const tlvMap = decodeTLVs(new Uint8Array(bodyBytes));\n const result: Record<string, any> = {};\n\n for (const [tag, raw] of tlvMap) {\n const meta = tagMap.get(tag);\n if (!meta) continue;\n\n switch (meta.kind) {\n case 'utf8':\n result[meta.property] = new TextDecoder().decode(raw);\n break;\n case 'u64': {\n let n = 0n;\n for (let i = 0; i < raw.length; i++) {\n n = (n << 8n) \| BigInt(raw[i]);\n }\n result[meta.property] = n;\n break;\n }\n case 'bytes':\n case 'bytes16':\n result[meta.property] = raw;\n break;\n case 'bool':\n result[meta.property] = raw.length > 0 && raw[0] !== 0;\n break;\n case 'obj':\n case 'arr':\n result[meta.property] = JSON.parse(new TextDecoder().decode(raw));\n break;\n default:\n result[meta.property] = raw;\n }\n }\n\n return result;\n };\n}\n","export {\n TLV, encodeTLVs, decodeTLVs, decodeTLVsList, decodeObject, decodeArray,\n} from '@nextera.one/axis-protocol';\n","/\n AxisTlvDto — Base class for all TLV-decoded DTO classes.\n \n Any DTO decorated with @TlvField that is passed to @Intent({ dto })\n * should extend this class. This gives the CRUD handler interface\n * a type-safe union: `Uint8Array \| AxisTlvDto`.\n \n The base is intentionally empty — it serves as a type marker.\n /\nexport abstract class AxisTlvDto {}\n","import { TlvField, TlvMinLen } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\nexport class AxisIdDto extends AxisTlvDto {\n @TlvField(1, { kind: 'utf8', required: true, maxLen: 128 })\n @TlvMinLen(1, 'id must not be empty')\n id!: string;\n}\n","import 'reflect-metadata';\n\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorMeta,\n} from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n AxisPartialType — Creates a DTO class where all TLV fields are optional.\n \n Copies TLV metadata (`axis:tlv:fields` + `axis:tlv:validators`)\n * and sets `required: false` on every field.\n \n TLV naturally supports partial payloads — only fields present in the\n * binary body get decoded. This utility makes the schema/sensor layer\n * aware that missing fields are acceptable for update operations.\n \n @example\n * ```typescript\n * export class UpdateBlocklistDto extends AxisPartialType(CreateBlocklistDto) {}\n * ```\n /\nexport function AxisPartialType<T extends new (...args: any[]) => AxisTlvDto>(\n BaseDto: T,\n): new (...args: any[]) => Partial<InstanceType<T>> & AxisTlvDto {\n class PartialDto extends (BaseDto as any) {}\n\n const fields: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, BaseDto) \|\| [];\n\n const partialFields: TlvFieldMeta[] = fields.map((f) => ({\n property: f.property,\n tag: f.tag,\n options: { ...f.options, required: false },\n }));\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, partialFields, PartialDto);\n\n const validators: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, BaseDto) \|\| [];\n\n if (validators.length > 0) {\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, [...validators], PartialDto);\n }\n\n Object.defineProperty(PartialDto, 'name', {\n value: `Partial${BaseDto.name}`,\n });\n\n return PartialDto as any;\n}\n","import { TlvField } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n Reserved TLV body tags for server-generated response fields.\n \n Tags 1–10 are reserved for system/audit fields in response bodies.\n * Entity-specific fields start at tag 100+.\n /\nexport const RESPONSE_TAG_ID = 1;\nexport const RESPONSE_TAG_CREATED_AT = 2;\nexport const RESPONSE_TAG_UPDATED_AT = 3;\nexport const RESPONSE_TAG_CREATED_BY = 4;\nexport const RESPONSE_TAG_UPDATED_BY = 5;\n\n/\n AxisResponseDto — Base class for outbound TLV response bodies.\n \n Server-generated audit fields that the backend appends to every\n * entity response. These are NEVER sent by the client — they flow\n * server → client only.\n \n Timestamps are u64 Unix milliseconds (same as TLV_TS in headers).\n /\nexport abstract class AxisResponseDto extends AxisTlvDto {\n @TlvField(RESPONSE_TAG_ID, { kind: 'utf8' })\n id?: string;\n\n @TlvField(RESPONSE_TAG_CREATED_AT, { kind: 'u64' })\n created_at?: bigint;\n\n @TlvField(RESPONSE_TAG_UPDATED_AT, { kind: 'u64' })\n updated_at?: bigint;\n\n @TlvField(RESPONSE_TAG_CREATED_BY, { kind: 'utf8' })\n created_by?: string;\n\n @TlvField(RESPONSE_TAG_UPDATED_BY, { kind: 'utf8' })\n updated_by?: string;\n}\n","import { Injectable, Logger, Optional } from '@nestjs/common';\nimport { ModuleRef } from '@nestjs/core';\n\nimport { AxisFrame } from '../core/axis-bin';\nimport { HANDLER_METADATA_KEY } from '../decorators/handler.decorator';\nimport {\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentKind,\n IntentRoute,\n IntentTlvField,\n} from '../decorators/intent.decorator';\nimport { INTENT_BODY_KEY } from '../decorators/intent-body.decorator';\nimport { INTENT_SENSORS_KEY } from '../decorators/intent-sensors.decorator';\nimport {\n buildDtoDecoder,\n extractDtoSchema,\n} from '../decorators/dto-schema.util';\nimport type { TlvValidatorFn } from '../decorators/tlv-field.decorator';\nimport {\n AxisSensor,\n SensorInput,\n normalizeSensorDecision,\n} from '../sensor/axis-sensor';\n\nexport interface IntentSchema {\n intent: string;\n version: number;\n bodyProfile: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n fields: Array<{\n name: string;\n tlv: number;\n kind: IntentTlvField['kind'];\n required?: boolean;\n maxLen?: number;\n max?: string;\n scope?: 'header' \| 'body';\n }>;\n}\n\n/\n Represents the outcome of an AXIS intent execution.\n \n @interface AxisEffect\n /\nexport interface AxisEffect {\n /* Whether the intent was processed successfully at the application level /\n ok: boolean;\n /* A descriptive string classifier for the result (e.g., 'FILE_CREATED', 'PONG') /\n effect: string;\n /* Optional binary payload (body) to be returned to the requester /\n body?: Uint8Array;\n /* Optional custom TLV headers to be included in the response frame /\n headers?: Map<number, Uint8Array>;\n /* Optional metadata for internal logging or audit (not sent to client) /\n metadata?: any;\n}\n\n/\n IntentRouter\n \n The central dispatching mechanism of the AXIS backend.\n * Maps binary intents (identified by their name in the header) to specialized handlers.\n \n Features:\n * 1. Built-in Fast Path: Handles high-frequency system intents (ping, time, echo) directly.\n * 2. Dynamic Handler Registration: Allows modules to register handlers at runtime.\n * 3. Decorator-driven Registration: Uses {@link registerHandler} to auto-register `@Intent`-decorated methods.\n * 4. Polymorphic Handlers: Supports both raw function handlers and object-based `{ handle }` handlers.\n \n @class IntentRouter\n /\n@Injectable()\nexport class IntentRouter {\n private readonly logger = new Logger(IntentRouter.name);\n\n /* Intents handled inline in route() — not in `handlers` map /\n private static readonly BUILTIN_INTENTS = new Set([\n 'system.ping',\n 'public.ping',\n 'system.time',\n 'system.echo',\n 'INTENT.EXEC',\n 'axis.intent.exec',\n ]);\n\n /* Internal registry of dynamic intent handlers /\n private handlers = new Map<string, any>();\n\n /* Per-intent sensor classes (resolved at call time) /\n private intentSensors = new Map<string, Function[]>();\n\n /* Per-intent body decoders /\n private intentDecoders = new Map<string, (buf: Buffer) => any>();\n\n /* Per-intent TLV schemas /\n private intentSchemas = new Map<string, IntentSchema>();\n\n /* Per-intent custom validators /\n private intentValidators = new Map<string, Map<number, TlvValidatorFn[]>>();\n\n /* Per-intent operation kind /\n private intentKinds = new Map<string, IntentKind>();\n\n constructor(@Optional() private readonly moduleRef?: ModuleRef) {}\n\n getSchema(intent: string): IntentSchema \| undefined {\n return this.intentSchemas.get(intent);\n }\n\n getValidators(intent: string): Map<number, TlvValidatorFn[]> \| undefined {\n return this.intentValidators.get(intent);\n }\n\n has(intent: string): boolean {\n return (\n this.handlers.has(intent) \|\| IntentRouter.BUILTIN_INTENTS.has(intent)\n );\n }\n\n getRegisteredIntents(): string[] {\n return [...IntentRouter.BUILTIN_INTENTS, ...this.handlers.keys()];\n }\n\n getIntentEntry(intent: string): {\n schema?: IntentSchema;\n validators?: Map<number, TlvValidatorFn[]>;\n hasSensors: boolean;\n builtin: boolean;\n kind?: IntentKind;\n } \| null {\n if (!this.has(intent)) return null;\n return {\n schema: this.intentSchemas.get(intent),\n validators: this.intentValidators.get(intent),\n hasSensors: this.intentSensors.has(intent),\n builtin: IntentRouter.BUILTIN_INTENTS.has(intent),\n kind: this.intentKinds.get(intent),\n };\n }\n\n /\n Registers a handler for a specific intent.\n * Handlers can be functions: `(body, headers) => Promise<Uint8Array \| AxisEffect>`\n * Or objects with a method: `handle(frame: AxisFrame) => Promise<AxisEffect>`\n \n @param {string} intent - The unique intent identifier (e.g., 'axis.vault.create')\n * @param {any} handler - The handler function or object\n /\n register(intent: string, handler: any) {\n this.handlers.set(intent, handler);\n }\n\n /\n Automatically registers all `@Intent`-decorated methods from a handler instance.\n \n Reads the handler prefix from `@Handler` metadata (or falls back to `instance.name`),\n * then registers each `@Intent`-decorated method accordingly.\n \n @param {any} instance - The handler instance with `@Intent`-decorated methods\n /\n registerHandler(instance: any) {\n const handlerMeta = Reflect.getMetadata(\n HANDLER_METADATA_KEY,\n instance.constructor,\n );\n const prefix: string \| undefined = handlerMeta?.intent \|\| instance.name;\n\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, instance.constructor) \|\| [];\n\n for (const route of routes) {\n const intentName = route.absolute\n ? route.action\n : `${prefix}.${route.action}`;\n const fn = instance[route.methodName].bind(instance);\n\n if (route.frame) {\n this.register(intentName, { handle: fn });\n } else {\n this.register(intentName, fn);\n }\n\n this.registerIntentMeta(intentName, Object.getPrototypeOf(instance), String(route.methodName));\n }\n\n const proto = Object.getPrototypeOf(instance);\n for (const key of Object.getOwnPropertyNames(proto)) {\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, key);\n if (!meta?.intent) continue;\n\n if (!this.handlers.has(meta.intent)) {\n this.register(meta.intent, (instance as any)[key].bind(instance));\n }\n\n this.registerIntentMeta(meta.intent, proto, key);\n }\n }\n\n /\n Routes a decoded AXIS frame to the appropriate handler.\n \n Precedence:\n * 1. System Built-ins (`system.ping`, `public.ping`, `system.time`, `system.echo`)\n * 2. Meta-intent execution (`INTENT.EXEC` / `axis.intent.exec`)\n * 3. Dynamically registered handlers from modules.\n \n @param {AxisFrame} frame - The validated and decoded binary frame\n * @returns {Promise<AxisEffect>} The resulting effect of the execution\n * @throws {Error} If the intent header is missing or no handler is registered\n /\n async route(frame: AxisFrame): Promise<AxisEffect> {\n const start = process.hrtime();\n let intent = 'unknown';\n\n try {\n // Extract intent from header TLV (tag 3 = TLV_INTENT)\n const intentBytes = frame.headers.get(3);\n if (!intentBytes) throw new Error('Missing intent');\n intent = new TextDecoder().decode(intentBytes);\n\n let effect: AxisEffect;\n\n if (intent === 'system.ping' \|\| intent === 'public.ping') {\n this.logger.debug('PING received');\n effect = {\n ok: true,\n effect: 'pong',\n headers: new Map([\n [100, new TextEncoder().encode('AXIS_BACKEND_V1')],\n ]),\n body: new TextEncoder().encode(\n JSON.stringify({\n status: 'ok',\n timestamp: new Date().toISOString(),\n version: '1.0.0',\n }),\n ),\n };\n } else if (intent === 'system.time') {\n const ts = Date.now().toString();\n effect = {\n ok: true,\n effect: 'time',\n body: new TextEncoder().encode(\n JSON.stringify({\n ts,\n iso: new Date().toISOString(),\n }),\n ),\n };\n } else if (intent === 'system.echo') {\n effect = {\n ok: true,\n effect: 'echo',\n body: frame.body,\n };\n } else if (intent === 'INTENT.EXEC' \|\| intent === 'axis.intent.exec') {\n // Meta-intent: Unwrap and execute the inner intent\n try {\n const bodyJSON = JSON.parse(new TextDecoder().decode(frame.body));\n const innerIntent = bodyJSON.intent;\n const innerArgs = bodyJSON.args \|\| {};\n\n if (!innerIntent) {\n throw new Error('INTENT.EXEC missing inner intent');\n }\n\n this.logger.debug(`EXEC: routing to inner intent '${innerIntent}'`);\n\n const innerFrame: AxisFrame = {\n ...frame,\n headers: new Map(frame.headers),\n body: new TextEncoder().encode(JSON.stringify(innerArgs)),\n };\n innerFrame.headers.set(3, new TextEncoder().encode(innerIntent));\n\n return await this.route(innerFrame);\n } catch (e: any) {\n throw new Error(`INTENT.EXEC unwrapping failed: ${e.message}`);\n }\n } else {\n const handler = this.handlers.get(intent);\n if (!handler) {\n throw new Error(`Intent not found: ${intent}`);\n }\n\n const sensorClasses = this.intentSensors.get(intent);\n if (sensorClasses && sensorClasses.length > 0) {\n await this.runIntentSensors(sensorClasses, intent, frame);\n }\n\n const decoder = this.intentDecoders.get(intent);\n let decodedBody: any = frame.body;\n if (decoder) {\n try {\n decodedBody = decoder(Buffer.from(frame.body));\n } catch (decodeErr: any) {\n throw new Error(\n `IntentBody decode failed for ${intent}: ${decodeErr.message}`,\n );\n }\n }\n\n if (typeof handler === 'function') {\n const resultBody = decoder\n ? await handler(decodedBody, frame.headers)\n : await handler(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: 'complete',\n body: resultBody,\n };\n } else {\n if (typeof (handler as any).handle === 'function') {\n effect = await (handler as any).handle(frame);\n } else if (typeof (handler as any).execute === 'function') {\n const bodyRes = decoder\n ? await (handler as any).execute(decodedBody, frame.headers)\n : await (handler as any).execute(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: 'complete',\n body: bodyRes,\n };\n } else {\n throw new Error(\n `Handler for ${intent} does not implement handle or execute`,\n );\n }\n }\n }\n\n this.logIntent(intent, start, true);\n return effect;\n } catch (e: any) {\n this.logIntent(intent, start, false, e.message);\n throw e;\n }\n }\n\n private logIntent(\n intent: string,\n start: [number, number],\n ok: boolean,\n error?: string,\n ) {\n const diff = process.hrtime(start);\n const ms = (diff[0] 1e3 + diff[1] / 1e6).toFixed(2);\n if (ok) {\n this.logger.debug(`${intent} completed in ${ms}ms`);\n } else {\n this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);\n }\n }\n\n registerIntentMeta(intent: string, proto: object, methodName: string): void {\n const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);\n if (decoder) {\n this.intentDecoders.set(intent, decoder);\n }\n\n const sensors = Reflect.getMetadata(INTENT_SENSORS_KEY, proto, methodName);\n if (sensors && Array.isArray(sensors) && sensors.length > 0) {\n this.intentSensors.set(intent, sensors);\n }\n\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);\n if (meta) {\n this.storeSchema(meta);\n if (meta.kind) {\n this.intentKinds.set(intent, meta.kind);\n }\n }\n }\n\n private async runIntentSensors(\n sensorClasses: Function[],\n intent: string,\n frame: AxisFrame,\n ): Promise<void> {\n if (!this.moduleRef) return;\n\n for (const SensorClass of sensorClasses) {\n let sensor: AxisSensor;\n try {\n sensor = this.moduleRef.get(SensorClass as any, { strict: false });\n } catch {\n this.logger.warn(\n `@IntentSensors: could not resolve ${SensorClass.name} for ${intent}`,\n );\n continue;\n }\n\n const sensorInput: SensorInput = {\n rawBytes: frame.body,\n intent,\n body: frame.body,\n headerTLVs: frame.headers as any,\n metadata: { phase: 'intent', intent },\n };\n\n if (sensor.supports && !sensor.supports(sensorInput)) continue;\n\n const decision = normalizeSensorDecision(await sensor.run(sensorInput));\n if (!decision.allow) {\n const reason = decision.reasons[0] \|\| `${sensor.name}:DENIED`;\n this.logger.warn(\n `Intent sensor ${sensor.name} denied ${intent}: ${reason}`,\n );\n throw new Error(`SENSOR_DENY:${reason}`);\n }\n }\n }\n\n private storeSchema(meta: {\n intent: string;\n tlv?: IntentTlvField[];\n dto?: Function;\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n kind?: IntentKind;\n }): void {\n if (meta.dto) {\n if (meta.tlv && meta.tlv.length > 0) {\n this.logger.warn(\n `${meta.intent}: both 'dto' and 'tlv' specified - using dto, ignoring tlv`,\n );\n }\n\n const extracted = extractDtoSchema(meta.dto);\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| 'TLV_MAP',\n fields: extracted.fields.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n\n if (extracted.validators.size > 0) {\n this.intentValidators.set(meta.intent, extracted.validators);\n }\n\n if (!this.intentDecoders.has(meta.intent)) {\n this.intentDecoders.set(meta.intent, buildDtoDecoder(meta.dto));\n }\n\n return;\n }\n\n if (!meta.tlv \|\| meta.tlv.length === 0) return;\n\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| 'TLV_MAP',\n fields: meta.tlv.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n }\n}\n","import type { AxisObservedContext } from '../types/axis-frame.types';\n\n/*\n Sensor Phase Metadata\n \n Metadata describing which phase(s) a sensor executes in.\n * Used for validation and optimization.\n \n @interface SensorPhaseMetadata\n /\nexport interface SensorPhaseMetadata {\n /* Execution phase: pre-decode (middleware) or post-decode (controller) /\n phase: 'PRE_DECODE' \| 'POST_DECODE';\n\n /* Other sensors that must run before this one /\n dependencies?: string[];\n\n /* Whether this sensor can perform async I/O /\n asyncOk?: boolean;\n\n /* Whether this sensor can use cryptographic operations /\n cryptoOk?: boolean;\n\n /* Human-readable description of sensor purpose /\n description?: string;\n}\n\n/\n AXIS Sensor Interface\n \n Core interface for all security sensors in the AXIS pipeline.\n /\nexport interface AxisSensor {\n readonly name: string;\n readonly order?: number; // Lower runs first\n /* Execution phase hint /\n phase?: SensorPhaseMetadata \| 'PRE_DECODE' \| 'POST_DECODE';\n supports?(input: SensorInput): boolean;\n run(input: SensorInput): Promise<SensorDecision>;\n}\n\n// Optional lifecycle hook for frameworks that support module initialization.\nexport interface AxisSensorInit extends AxisSensor {\n onModuleInit?(): void \| Promise<void>;\n}\n\n/\n Sensors that run before frame decoding/deserialization.\n * They should be fast, avoid I/O, and fail fast on malformed traffic.\n /\nexport interface AxisPreSensor extends AxisSensor {\n phase: 'PRE_DECODE';\n}\n\n/\n Sensors that run after a frame is fully decoded and parsed.\n * They may use full context (intent, actor, proofs) and can perform I/O.\n /\nexport interface AxisPostSensor extends AxisSensor {\n phase: 'POST_DECODE';\n}\n\n/\n Sensor Input\n \n Represents the structured data passed to a security sensor for evaluation.\n * Depending on the execution phase, different fields may be populated.\n \n Flow:\n * - Phase 1 (Pre-decode): `rawBytes`, `ip`, `path`, and `peek` are typically available.\n * - Phase 2/3 (Post-decode): `intent`, `contentLength`, and `metadata` are populated after frame parsing.\n \n @interface SensorInput\n /\nexport interface SensorInput {\n /* The full raw binary frame from the wire (if available) /\n rawBytes?: Buffer \| Uint8Array;\n\n /* The AXIS intent string extracted from the frame header (e.g., 'system.info') /\n intent?: string;\n\n /* IPv4/IPv6 address of the edge client /\n ip?: string;\n\n /* The HTTP or transport path being accessed /\n path?: string;\n\n /* Total size of the frame body in bytes /\n contentLength?: number;\n\n /* A small slice of the beginning of the body for early pattern matching /\n peek?: Uint8Array;\n\n /* Geolocation country code (if resolved by upstream middleware) /\n country?: string;\n\n /* Client identifier from the transport layer (e.g., Capsule ID or Socket ID) /\n clientId?: string;\n\n /* Whether the request is coming via a WebSocket connection /\n isWs?: boolean;\n\n /* Extensible metadata for cross-sensor communication /\n metadata?: Record<string, any>;\n\n /* Actor ID from frame or request /\n actorId?: string;\n\n /* Operation code /\n opcode?: string;\n\n /* Audience field /\n aud?: string;\n\n /* Observed context from frame parsing /\n observed?: AxisObservedContext;\n\n /* Parsed frame body /\n frameBody?: any;\n\n /* Device identifier /\n deviceId?: string;\n\n /* Session identifier /\n sessionId?: string;\n\n /* Parsed packet data /\n packet?: Record<string, any>;\n\n /* Dynamic field access for sensor-specific data /\n [key: string]: any;\n}\n\nexport enum Decision {\n ALLOW = 'ALLOW',\n DENY = 'DENY',\n THROTTLE = 'THROTTLE',\n FLAG = 'FLAG',\n}\n/\n Sensor Decision\n \n Represents the outcome of an individual sensor's evaluation.\n * Supports two formats for backward compatibility:\n \n 1. Modern format (preferred): Uses decision/allow/riskScore/reasons\n * 2. Legacy format: Uses action/code/reason (deprecated, will be removed)\n /\nexport type SensorDecision =\n // Modern format (preferred)\n \| {\n /* Final decision outcome (optional for backward compatibility) /\n decision?: Decision;\n /* Whether the request may continue immediately /\n allow: boolean;\n /* Risk score from 0–100 (0 = safe, 100 = blocked) /\n riskScore: number;\n /* Human & machine traceable reasons /\n reasons: string[];\n /* Machine-readable error or control code /\n code?: string;\n /* Throttle hint (only relevant for THROTTLE) /\n retryAfterMs?: number;\n /* Optional delta applied to rolling risk/anomaly state /\n scoreDelta?: number;\n /* Extra signals for audit, observability, forensics /\n tags?: Record<string, any>;\n /* Optional capsule / verification metadata /\n meta?: any;\n /* Optional constraint tightening instructions /\n tighten?: {\n expSecondsMax?: number;\n constraintsPatch?: Record<string, any>;\n };\n }\n // Legacy action-based format (deprecated)\n \| { action: 'ALLOW'; meta?: any }\n \| {\n action: 'DENY';\n code: string;\n reason?: string;\n retryAfterMs?: number;\n meta?: any;\n }\n \| { action: 'THROTTLE'; retryAfterMs: number; meta?: any }\n \| { action: 'FLAG'; scoreDelta: number; reasons: string[]; meta?: any };\n\nexport type SensorMinifiedDecision = {\n allow: boolean;\n riskScore: number;\n reasons: string[];\n tags?: Record<string, any>;\n meta?: any;\n tighten?: { expSecondsMax?: number; constraintsPatch?: Record<string, any> };\n /* Legacy fields for compatibility /\n retryAfterMs?: number;\n};\n\n/\n Helper to normalize SensorDecision (handles both legacy and modern formats)\n /\nexport function normalizeSensorDecision(\n sensorDecision: SensorDecision,\n): SensorMinifiedDecision {\n // Check if it's a legacy action-based format\n if ('action' in sensorDecision) {\n // Convert legacy format to modern\n switch (sensorDecision.action) {\n case 'ALLOW':\n return {\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: sensorDecision.meta,\n };\n case 'DENY':\n return {\n allow: false,\n riskScore: 100,\n reasons: [sensorDecision.code, sensorDecision.reason].filter(\n Boolean,\n ) as string[],\n meta: sensorDecision.meta,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n case 'THROTTLE':\n return {\n allow: false,\n riskScore: 50,\n reasons: ['RATE_LIMIT'],\n retryAfterMs: sensorDecision.retryAfterMs,\n meta: sensorDecision.meta,\n };\n case 'FLAG':\n return {\n allow: true,\n riskScore: sensorDecision.scoreDelta,\n reasons: sensorDecision.reasons,\n meta: sensorDecision.meta,\n };\n }\n }\n\n // Modern format - already has the required fields\n return {\n allow: sensorDecision.allow,\n riskScore: sensorDecision.riskScore,\n reasons: sensorDecision.reasons,\n tags: sensorDecision.tags,\n meta: sensorDecision.meta,\n tighten: sensorDecision.tighten,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n}\n\n/\n Helper factories for creating SensorDecision objects\n /\nexport const SensorDecisions = {\n allow(meta?: any, tags?: Record<string, any>): SensorDecision {\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n tags,\n meta,\n };\n },\n\n deny(code: string, reason?: string, meta?: any): SensorDecision {\n return {\n decision: Decision.DENY,\n allow: false,\n riskScore: 100,\n code,\n reasons: [code, reason].filter(Boolean) as string[],\n meta,\n };\n },\n\n throttle(retryAfterMs: number, meta?: any): SensorDecision {\n return {\n decision: Decision.THROTTLE,\n allow: false,\n riskScore: 50,\n retryAfterMs,\n code: 'RATE_LIMIT',\n reasons: ['RATE_LIMIT'],\n meta,\n };\n },\n\n flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision {\n return {\n decision: Decision.FLAG,\n allow: true,\n riskScore: scoreDelta,\n scoreDelta,\n reasons,\n meta,\n };\n },\n};\n","/\n Deterministic JSON serialization for observation hashing.\n \n Sorts object keys alphabetically and strips `undefined` values\n * so that two structurally equivalent observations always produce\n * the same string — required for reproducible SHA-256 hashing.\n /\n\nfunction normalize(value: unknown): unknown {\n if (Array.isArray(value)) {\n return value.map((item) => normalize(item));\n }\n\n if (value && typeof value === 'object') {\n const entries = Object.entries(value as Record<string, unknown>)\n .filter(([, nested]) => nested !== undefined)\n .sort(([left], [right]) => left.localeCompare(right));\n\n const normalized: Record<string, unknown> = {};\n for (const [key, nested] of entries) {\n normalized[key] = normalize(nested);\n }\n return normalized;\n }\n\n return value;\n}\n\nexport function stableJsonStringify(value: unknown): string {\n return JSON.stringify(normalize(value));\n}\n","import { AxisObservation } from '../axis-observation';\nimport { ObservationQueueMessage } from './observation-queue.types';\n\nexport interface ObservationStreamEntry {\n id: string;\n message: ObservationQueueMessage;\n}\n\nexport function buildQueueMessage(\n observation: AxisObservation,\n sourceNodeId: string,\n previous?: ObservationQueueMessage,\n lastError?: string,\n): ObservationQueueMessage {\n const now = Date.now();\n\n return {\n v: 1,\n observation,\n attempts: previous ? previous.attempts + 1 : 0,\n firstEnqueuedAt: previous?.firstEnqueuedAt ?? now,\n lastEnqueuedAt: now,\n sourceNodeId,\n lastError,\n };\n}\n\nexport function encodeQueueMessage(message: ObservationQueueMessage): string {\n return JSON.stringify(message);\n}\n\nexport function decodeQueueMessage(\n raw: string,\n): ObservationQueueMessage \| null {\n try {\n const parsed = JSON.parse(raw) as ObservationQueueMessage;\n if (!parsed \|\| parsed.v !== 1 \|\| !parsed.observation?.id) {\n return null;\n }\n return parsed;\n } catch {\n return null;\n }\n}\n\nexport function parseStreamEntries(raw: any): ObservationStreamEntry[] {\n if (!Array.isArray(raw)) {\n return [];\n }\n\n const entries: ObservationStreamEntry[] = [];\n for (const streamRow of raw) {\n if (!Array.isArray(streamRow) \|\| streamRow.length < 2) {\n continue;\n }\n\n const messageRows = streamRow[1];\n if (!Array.isArray(messageRows)) {\n continue;\n }\n\n for (const row of messageRows) {\n if (!Array.isArray(row) \|\| row.length < 2) {\n continue;\n }\n\n const id = String(row[0]);\n const fields = Array.isArray(row[1]) ? row[1] : [];\n const fieldMap = fieldsToMap(fields);\n const payload = fieldMap.get('payload');\n if (!payload) {\n continue;\n }\n\n const message = decodeQueueMessage(payload);\n if (!message) {\n continue;\n }\n\n entries.push({ id, message });\n }\n }\n\n return entries;\n}\n\nexport function parseAutoClaimEntries(raw: any): ObservationStreamEntry[] {\n if (!Array.isArray(raw) \|\| raw.length < 2) {\n return [];\n }\n\n const rows = Array.isArray(raw[1]) ? raw[1] : [];\n return parseStreamEntries([['stream', rows]]);\n}\n\nfunction fieldsToMap(fields: any[]): Map<string, string> {\n const map = new Map<string, string>();\n for (let i = 0; i < fields.length; i += 2) {\n const key = fields[i];\n const value = fields[i + 1];\n if (key !== undefined && value !== undefined) {\n map.set(String(key), String(value));\n }\n }\n return map;\n}\n","import { createHash } from 'crypto';\n\nimport { AxisObservation } from '../axis-observation';\nimport { stableJsonStringify } from './stable-json';\n\n/\n Witness summary — a compact proof-of-observation payload\n * signed by the node that observed the execution.\n /\nexport interface ObservationWitnessSummary {\n intent?: string;\n actorId?: string;\n decision?: string;\n statusCode?: number;\n durationMs?: number;\n sensorCount: number;\n stageCount: number;\n}\n\n/\n Unsigned witness artifact — everything except the signature.\n * The backend adds `kid`, `sig`, and `alg` using its keyring.\n /\nexport interface UnsignedObservationWitness {\n v: 1;\n observationId: string;\n payloadHash: string;\n sealedAt: number;\n summary: ObservationWitnessSummary;\n}\n\n/\n Build the canonical JSON representation of an observation.\n \n Only includes structurally meaningful fields (no transient state).\n * Keys are sorted deterministically via `stableJsonStringify` so that\n * the same observation always produces the same string.\n /\nexport function canonicalizeObservation(obs: AxisObservation): string {\n const obj: Record<string, unknown> = {\n id: obs.id,\n startMs: obs.startMs,\n endMs: obs.endMs,\n transport: obs.transport,\n ip: obs.ip,\n intent: obs.intent,\n actorId: obs.actorId,\n capsuleId: obs.capsuleId,\n decision: obs.decision,\n resultCode: obs.resultCode,\n statusCode: obs.statusCode,\n durationMs: obs.durationMs,\n stages: obs.stages.map((s) => ({\n name: s.name,\n status: s.status,\n startMs: s.startMs,\n endMs: s.endMs,\n durationMs: s.durationMs,\n reason: s.reason,\n code: s.code,\n })),\n sensors: obs.sensors.map((s) => ({\n name: s.name,\n allowed: s.allowed,\n riskScore: s.riskScore,\n durationMs: s.durationMs,\n reasons: s.reasons,\n code: s.code,\n })),\n };\n\n return stableJsonStringify(obj);\n}\n\n/\n SHA-256 hash of the canonical observation payload.\n /\nexport function hashObservation(obs: AxisObservation): string {\n const canonical = canonicalizeObservation(obs);\n return createHash('sha256').update(canonical).digest('hex');\n}\n\n/\n Build an unsigned witness from a finalized observation.\n \n Returns `null` if the observation has not been finalized\n * (no `decision` or `endMs`).\n \n The caller (backend WitnessBuilder) adds `kid`, `sig`, `alg`\n * using its keyring.\n /\nexport function buildUnsignedWitness(\n obs: AxisObservation,\n): UnsignedObservationWitness \| null {\n if (!obs.decision \|\| !obs.endMs) {\n return null;\n }\n\n return {\n v: 1,\n observationId: obs.id,\n payloadHash: hashObservation(obs),\n sealedAt: Date.now(),\n summary: {\n intent: obs.intent,\n actorId: obs.actorId,\n decision: obs.decision,\n statusCode: obs.statusCode,\n durationMs: obs.durationMs,\n sensorCount: obs.sensors.length,\n stageCount: obs.stages.length,\n },\n };\n}\n","export {\n AXIS_MAGIC, AXIS_VERSION,\n MAX_HDR_LEN, MAX_BODY_LEN, MAX_SIG_LEN, MAX_FRAME_LEN,\n FLAG_BODY_TLV, FLAG_CHAIN_REQ, FLAG_HAS_WITNESS,\n TLV_PID, TLV_TS, TLV_INTENT, TLV_ACTOR_ID, TLV_PROOF_TYPE,\n TLV_PROOF_REF, TLV_NONCE, TLV_AUD, TLV_REALM, TLV_NODE,\n TLV_TRACE_ID, TLV_KID,\n TLV_RID, TLV_OK, TLV_EFFECT, TLV_ERROR_CODE, TLV_ERROR_MSG,\n TLV_PREV_HASH, TLV_RECEIPT_HASH, TLV_NODE_KID, TLV_NODE_CERT_HASH,\n TLV_LOOM_PRESENCE_ID, TLV_LOOM_WRIT, TLV_LOOM_THREAD_HASH,\n TLV_UPLOAD_ID, TLV_INDEX, TLV_OFFSET, TLV_SHA256_CHUNK, TLV_CAPSULE,\n TLV_BODY_OBJ, TLV_BODY_ARR,\n NCERT_NODE_ID, NCERT_KID, NCERT_ALG, NCERT_PUB, NCERT_NBF,\n NCERT_EXP, NCERT_SCOPE, NCERT_ISSUER_KID, NCERT_PAYLOAD, NCERT_SIG,\n PROOF_NONE, PROOF_CAPSULE, PROOF_JWT, PROOF_MTLS, PROOF_LOOM, PROOF_WITNESS,\n ProofType, BodyProfile,\n ERR_INVALID_PACKET, ERR_BAD_SIGNATURE, ERR_REPLAY_DETECTED, ERR_CONTRACT_VIOLATION,\n} from '@nextera.one/axis-protocol';\n","import { MAX_BODY_LEN } from '../../core/constants';\n\n/\n Minimal request context needed by ResponseObserver.\n * Compatible with the full AxisContext from schemas.\n /\nexport interface ResponseObserverContext {\n actorId: string;\n intent: string;\n}\n\n/\n Response contract that the observer validates.\n /\nexport interface ResponseContract {\n /* Whether the handler reported success /\n ok: boolean;\n /* The effect label returned by the handler /\n effect: string;\n /* Response body bytes (may be undefined for error responses) /\n body?: Uint8Array;\n /* Response TLV headers /\n headers?: Map<number, Uint8Array>;\n}\n\n/\n Result of observer validation.\n /\nexport interface ObserverVerdict {\n /* true = response passes all checks /\n passed: boolean;\n /* Machine-readable code if rejected /\n code?: string;\n /* Human-readable reason if rejected /\n reason?: string;\n}\n\n/* TLV tags that must never appear in a response (ACTOR_ID, PROOF_TYPE, PROOF_REF). /\nconst SENSITIVE_RESPONSE_TAGS = [4, 5, 6];\n\n/\n ResponseObserver — post-execution policy gate (protocol layer).\n \n Validates that:\n * 1. Effect is a valid non-empty string.\n * 2. Mandatory response body exists for successful results.\n * 3. No sensitive data leaks in response headers.\n * 4. Response size is within protocol limits.\n * 5. Effect does not expose internal error details.\n \n This is a defense-in-depth layer — primary correctness comes from\n * deterministic execution, signature verification, and nonce/replay controls.\n \n On failure, the engine returns a safe error instead of the original response.\n /\nexport function verifyResponse(\n ctx: ResponseObserverContext,\n response: ResponseContract,\n): ObserverVerdict {\n // 1. Effect must be a non-empty string\n if (!response.effect \|\| typeof response.effect !== 'string') {\n return {\n passed: false,\n code: 'OBSERVER_INVALID_EFFECT',\n reason: 'Response effect is missing or invalid',\n };\n }\n\n // 2. Successful responses must have a body\n if (response.ok && (!response.body \|\| response.body.length === 0)) {\n return {\n passed: false,\n code: 'OBSERVER_EMPTY_BODY',\n reason: 'Successful response must contain a body',\n };\n }\n\n // 3. Response body must not exceed protocol limits\n if (response.body && response.body.length > MAX_BODY_LEN) {\n return {\n passed: false,\n code: 'OBSERVER_BODY_OVERFLOW',\n reason: `Response body exceeds ${MAX_BODY_LEN} bytes`,\n };\n }\n\n // 4. Verify no sensitive TLV tags leak in response headers\n if (response.headers) {\n for (const tag of SENSITIVE_RESPONSE_TAGS) {\n if (response.headers.has(tag)) {\n return {\n passed: false,\n code: 'OBSERVER_DATA_LEAK',\n reason: `Response must not contain sensitive TLV tag ${tag}`,\n };\n }\n }\n }\n\n // 5. Effect should not expose internal error details\n if (\n response.effect.includes('Error:') \|\|\n response.effect.includes('stack') \|\|\n response.effect.includes('at /')\n ) {\n return {\n passed: false,\n code: 'OBSERVER_INFO_LEAK',\n reason: 'Response effect may contain internal error details',\n };\n }\n\n return { passed: true };\n}\n","export { encodeVarint, decodeVarint, varintLength } from '@nextera.one/axis-protocol';\n","import as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame } from './axis-bin';\n\n/*\n Signature utilities for AXIS binary frames\n * Supports Ed25519 signature generation and verification\n /\n\n/\n Computes the canonical payload for signing an AXIS frame.\n * The signature covers all bytes of the encoded frame EXCEPT the signature field itself.\n \n @param {AxisFrame} frame - The frame to prepare for signing\n * @returns {Buffer} The serialized canonical bytes for the signature algorithm\n /\nexport function computeSignaturePayload(frame: AxisFrame): Buffer {\n // Re-encode frame with empty signature\n const frameWithoutSig: AxisFrame = {\n ...frame,\n sig: new Uint8Array(0),\n };\n\n const encoded = encodeFrame(frameWithoutSig);\n return Buffer.from(encoded);\n}\n\n/\n Signs an AXIS frame using the Ed25519 algorithm.\n * Automatically handles both raw 32-byte seeds and pkcs8 DER-encoded private keys.\n \n @param {AxisFrame} frame - The frame to sign\n * @param {Buffer} privateKey - Ed25519 private key (32-byte raw OR pkcs8 DER)\n * @returns {Buffer} The 64-byte Ed25519 signature\n * @throws {Error} If key format is invalid or signing fail\n /\nexport function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer {\n const payload = computeSignaturePayload(frame);\n\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte seed or DER-encoded\n if (privateKey.length === 32) {\n // Raw seed - wrap in pkcs8 DER format\n // pkcs8 prefix for Ed25519: 0x302e020100300506032b657004220420\n const pkcs8Prefix = Buffer.from([\n 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,\n 0x04, 0x22, 0x04, 0x20,\n ]);\n const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);\n\n keyObject = crypto.createPrivateKey({\n key: pkcs8Key,\n format: 'der',\n type: 'pkcs8',\n });\n } else {\n // Assume already DER-encoded pkcs8\n keyObject = crypto.createPrivateKey({\n key: privateKey,\n format: 'der',\n type: 'pkcs8',\n });\n }\n\n const signature = crypto.sign(null, payload, keyObject);\n\n if (signature.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n return signature;\n}\n\n/\n Verifies an Ed25519 signature on an AXIS frame.\n * Automatically handles both raw 32-byte public keys and spki DER-encoded public keys.\n \n @param {AxisFrame} frame - The frame containing the signature to verify\n * @param {Buffer} publicKey - Ed25519 public key (32-byte raw OR spki DER)\n * @returns {boolean} True if the signature is cryptographically valid\n * @throws {Error} If signature length is invalid\n /\nexport function verifyFrameSignature(\n frame: AxisFrame,\n publicKey: Buffer,\n): boolean {\n if (frame.sig.length === 0) {\n return false; // No signature\n }\n\n if (frame.sig.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n const payload = computeSignaturePayload(frame);\n\n try {\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte or DER-encoded\n if (publicKey.length === 32) {\n // Raw key - wrap in spki DER format\n // spki prefix for Ed25519: 0x302a300506032b6570032100\n const spkiPrefix = Buffer.from([\n 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,\n ]);\n const spkiKey = Buffer.concat([spkiPrefix, publicKey]);\n\n keyObject = crypto.createPublicKey({\n key: spkiKey,\n format: 'der',\n type: 'spki',\n });\n } else {\n // Assume already DER-encoded spki\n keyObject = crypto.createPublicKey({\n key: publicKey,\n format: 'der',\n type: 'spki',\n });\n }\n\n const valid = crypto.verify(\n null,\n payload,\n keyObject,\n Buffer.from(frame.sig),\n );\n return valid;\n } catch (error) {\n return false;\n }\n}\n\n/\n Generates a new Ed25519 key pair for use with the AXIS protocol.\n * Returns keys in canonical DER format (pkcs8 for private, spki for public).\n \n @returns {Object} An object containing the privateKey and publicKey as Buffers\n /\nexport function generateEd25519KeyPair(): {\n privateKey: Buffer;\n publicKey: Buffer;\n} {\n const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519');\n\n return {\n privateKey: privateKey.export({ type: 'pkcs8', format: 'der' }) as Buffer,\n publicKey: publicKey.export({ type: 'spki', format: 'der' }) as Buffer,\n };\n}\n\n/\n Computes a standard SHA-256 hash of the provided data.\n \n @param {Buffer \| Uint8Array} data - The input data to hash\n * @returns {Buffer} The 32-byte SHA-256 digest\n /\nexport function sha256(data: Buffer \| Uint8Array): Buffer {\n return crypto.createHash('sha256').update(data).digest();\n}\n\n/\n Computes a hash for an AXIS receipt, optionally chaining it to a previous hash.\n * This is used for generating an immutable transaction chain.\n \n @param {Buffer \| Uint8Array} receiptBytes - The canonical binary representation of the receipt\n * @param {Buffer \| Uint8Array} [prevHash] - The hash of the previous receipt in the chain\n * @returns {Buffer} The 32-byte SHA-256 hash of the receipt (and link)\n /\nexport function computeReceiptHash(\n receiptBytes: Buffer \| Uint8Array,\n prevHash?: Buffer \| Uint8Array,\n): Buffer {\n const hasher = crypto.createHash('sha256');\n hasher.update(receiptBytes);\n\n if (prevHash && prevHash.length > 0) {\n hasher.update(prevHash);\n }\n\n return hasher.digest();\n}\n","import as z from 'zod';\n\n/*\n AxisFrame Schema\n \n Defines the logical structure of an AXIS frame using Zod for runtime validation.\n * This is used for internal processing after the low-level binary parsing is complete.\n /\nexport const AxisFrameZ = z.object({\n /* Flag bits for protocol control (e.g., encryption, compression) /\n flags: z.number().int().nonnegative(),\n /* A map of TLV headers where key=Tag and value=BinaryData /\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n /* The main payload of the frame /\n body: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n /* The cryptographic signature covering the frame (except the signature itself) /\n sig: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n});\n\n/\n Represents a structured AXIS frame.\n * @typedef {Object} AxisFrame\n /\nexport type AxisFrame = z.infer<typeof AxisFrameZ>;\nexport type AxisBinaryFrame = AxisFrame;\nimport {\n AXIS_MAGIC,\n AXIS_VERSION,\n MAX_BODY_LEN,\n MAX_FRAME_LEN,\n MAX_HDR_LEN,\n MAX_SIG_LEN,\n} from './constants';\nimport { decodeTLVs, encodeTLVs } from './tlv';\nimport { decodeVarint, encodeVarint } from './varint';\n\n/\n Encodes a structured AxisFrame into its binary wire representation.\n \n Encoding Steps:\n * 1. Encodes header TLV map into a single buffer.\n * 2. Validates lengths against MAX_* constants.\n * 3. Encodes lengths (HDR, BODY, SIG) as varints.\n * 4. Assembles the final byte array with magic, version, and flags.\n \n @param {AxisFrame} frame - The structured frame to encode\n * @returns {Uint8Array} The full binary frame\n * @throws {Error} If any section exceeds protocol limits\n /\nexport function encodeFrame(frame: AxisFrame): Uint8Array {\n const hdrBytes = encodeTLVs(\n Array.from(frame.headers.entries()).map(([t, v]) => ({\n type: t,\n value: v,\n })),\n );\n\n if (hdrBytes.length > MAX_HDR_LEN) throw new Error('Header too large');\n if (frame.body.length > MAX_BODY_LEN) throw new Error('Body too large');\n if (frame.sig.length > MAX_SIG_LEN) throw new Error('Signature too large');\n\n // Header Len, Body Len, Sig Len\n const hdrLenBytes = encodeVarint(hdrBytes.length);\n const bodyLenBytes = encodeVarint(frame.body.length);\n const sigLenBytes = encodeVarint(frame.sig.length);\n\n const totalLen =\n 5 + // Magic (AXIS1)\n 1 + // Version\n 1 + // Flags\n hdrLenBytes.length +\n bodyLenBytes.length +\n sigLenBytes.length +\n hdrBytes.length +\n frame.body.length +\n frame.sig.length;\n\n if (totalLen > MAX_FRAME_LEN) throw new Error('Total frame too large');\n\n const buf = new Uint8Array(totalLen);\n let offset = 0;\n\n // Magic (AXIS1 - 5 bytes)\n buf.set(AXIS_MAGIC, offset);\n offset += 5;\n\n // Version\n buf[offset++] = AXIS_VERSION;\n\n // Flags\n buf[offset++] = frame.flags;\n\n // Lengths\n buf.set(hdrLenBytes, offset);\n offset += hdrLenBytes.length;\n\n buf.set(bodyLenBytes, offset);\n offset += bodyLenBytes.length;\n\n buf.set(sigLenBytes, offset);\n offset += sigLenBytes.length;\n\n // Payloads\n buf.set(hdrBytes, offset);\n offset += hdrBytes.length;\n\n buf.set(frame.body, offset);\n offset += frame.body.length;\n\n buf.set(frame.sig, offset);\n offset += frame.sig.length;\n\n return buf;\n}\n\n/\n Decodes a binary buffer into a structured AxisFrame with strict validation.\n \n @param {Uint8Array} buf - Raw bytes from the wire\n * @returns {AxisFrame} The parsed and validated frame\n * @throws {Error} If magic, version, or lengths are invalid\n /\nexport function decodeFrame(buf: Uint8Array): AxisFrame {\n let offset = 0;\n\n // 1. Magic (AXIS1 - 5 bytes)\n if (offset + 5 > buf.length) throw new Error('Packet too short');\n for (let i = 0; i < 5; i++) {\n if (buf[offset + i] !== AXIS_MAGIC[i]) throw new Error('Invalid Magic');\n }\n offset += 5;\n\n // 2. Version\n const ver = buf[offset++];\n if (ver !== AXIS_VERSION) throw new Error(`Unsupported version: ${ver}`);\n\n // 3. Flags\n const flags = buf[offset++];\n\n // 4. Lengths\n const { value: hdrLen, length: hlLen } = decodeVarint(buf, offset);\n offset += hlLen;\n if (hdrLen > MAX_HDR_LEN) throw new Error('Header limit exceeded');\n\n const { value: bodyLen, length: blLen } = decodeVarint(buf, offset);\n offset += blLen;\n if (bodyLen > MAX_BODY_LEN) throw new Error('Body limit exceeded');\n\n const { value: sigLen, length: slLen } = decodeVarint(buf, offset);\n offset += slLen;\n if (sigLen > MAX_SIG_LEN) throw new Error('Signature limit exceeded');\n\n // 5. Extract Bytes\n if (offset + hdrLen + bodyLen + sigLen > buf.length) {\n throw new Error('Frame truncated');\n }\n\n const hdrBytes = buf.slice(offset, offset + hdrLen);\n offset += hdrLen;\n\n const bodyBytes = buf.slice(offset, offset + bodyLen);\n offset += bodyLen;\n\n const sigBytes = buf.slice(offset, offset + sigLen);\n offset += sigLen;\n\n // 6. Decode Header TLVs\n const headers = decodeTLVs(hdrBytes);\n\n return {\n flags,\n headers,\n body: bodyBytes,\n sig: sigBytes,\n };\n}\n\n/\n Helper to get canonical bytes for signing.\n * SigTarget = All bytes up to SigLen, with SigLen=0, and no SigBytes.\n /\nexport function getSignTarget(frame: AxisFrame): Uint8Array {\n // Re-encode frame but with empty signature\n // Note: This is efficient enough for v1 (tens of KB).\n return encodeFrame({\n ...frame,\n sig: new Uint8Array(0),\n });\n}\n","// ats1.constants.ts\n\n// Header TLV tags (hdr TLVs)\nexport const ATS1_HDR = {\n INTENT_ID: 1, // uvarint\n ACTOR_KEY_ID: 2, // bytes (key fingerprint / credentialId hash)\n CAPSULE_ID: 3, // bytes or varint\n NONCE: 4, // 16 bytes\n TS_MS: 5, // u64be (8)\n SCHEMA_ID: 6, // uvarint\n BODY_HASH: 7, // 32 bytes (sha256)\n TRACE_ID: 8, // 16 bytes\n} as const;\n\n// Schema IDs (body TLVs meaning depends on schema)\nexport const ATS1_SCHEMA = {\n PASSKEY_LOGIN_OPTIONS_REQ: 2001,\n PASSKEY_LOGIN_OPTIONS_RES: 2002,\n\n PASSKEY_LOGIN_VERIFY_REQ: 2011,\n PASSKEY_LOGIN_VERIFY_RES: 2012,\n\n PASSKEY_REGISTER_OPTIONS_REQ: 2021,\n PASSKEY_REGISTER_OPTIONS_RES: 2022,\n\n PASSKEY_REGISTER_VERIFY_REQ: 2031,\n PASSKEY_REGISTER_VERIFY_RES: 2032,\n} as const;\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n/\n ATS1 (AXIS-TLV Schema v1) — TypeScript Encoder/Decoder\n * - Canonical TLV: [TAG(uvarint)][LEN(uvarint)][VALUE(bytes)]\n * - Canonical ordering: ascending TAG\n * - Minimal varint encoding enforced in decoder\n * - Strict schema validation (unknown tags rejected by default)\n * - Nested TLV streams supported\n \n Node.js: uses crypto for SHA-256\n /\n\nimport { createHash, randomBytes } from 'crypto';\n\n// -----------------------------\n// Types\n// -----------------------------\n\nexport type Ats1FieldType = 'bytes' \| 'utf8' \| 'uvarint' \| 'u64be' \| 'nested';\n\nexport type Ats1FieldDescriptor = {\n tag: number;\n name: string;\n type: Ats1FieldType;\n required?: boolean;\n repeated?: boolean;\n nestedSchema?: Ats1SchemaDescriptor; // required if type === 'nested'\n maxLen?: number; // optional per-field limit (bytes length)\n};\n\nexport type Ats1SchemaDescriptor = {\n schemaId: number;\n name: string;\n strict: boolean; // if true: reject unknown tags\n maxNestingDepth: number; // e.g. 4\n maxBodyBytes?: number; // optional overall body limit\n fields: Ats1FieldDescriptor[];\n};\n\nexport type DecodedTlv = { tag: number; value: Buffer };\n\nexport type DecodedTlvMap = Map<number, Buffer[]>; // tag -> list of values\n\nexport type SensorInputLike = {\n hdrTLVs: DecodedTlvMap;\n bodyTLVs: DecodedTlvMap;\n schemaId: number;\n intentId: number;\n};\n\n// -----------------------------\n// Limits (sane defaults)\n// -----------------------------\n\nexport type Ats1Limits = {\n maxVarintBytes: number; // e.g. 10 for u64\n maxTlvCount: number; // e.g. 512\n maxValueBytes: number; // e.g. 1MB\n maxNestingDepth: number; // e.g. 4\n};\n\nexport const DEFAULT_LIMITS: Ats1Limits = {\n maxVarintBytes: 10,\n maxTlvCount: 512,\n maxValueBytes: 1_048_576, // 1 MiB\n maxNestingDepth: 4,\n};\n\n// -----------------------------\n// Varint (unsigned LEB128)\n// -----------------------------\n\nexport function encodeUVarint(n: number \| bigint): Buffer {\n let x = typeof n === 'bigint' ? n : BigInt(n);\n if (x < 0n) throw new Error('encodeUVarint: negative not allowed');\n\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function decodeUVarint(\n buf: Buffer,\n offset: number,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { value: bigint; offset: number; bytesRead: number } {\n let x = 0n;\n let shift = 0n;\n const start = offset;\n\n for (let i = 0; i < limits.maxVarintBytes; i++) {\n if (offset >= buf.length) throw new Error('decodeUVarint: truncated');\n const b = buf[offset++];\n x \|= BigInt(b & 0x7f) << shift;\n\n if ((b & 0x80) === 0) {\n const bytesRead = offset - start;\n\n // Minimal-encoding check:\n // Re-encode and compare exact bytes.\n const re = encodeUVarint(x);\n const original = buf.subarray(start, offset);\n if (!re.equals(original))\n throw new Error('decodeUVarint: non-minimal varint');\n\n return { value: x, offset, bytesRead };\n }\n\n shift += 7n;\n }\n\n throw new Error('decodeUVarint: too long');\n}\n\n// -----------------------------\n// Primitive encoders/decoders\n// -----------------------------\n\nexport function encodeU64BE(n: bigint): Buffer {\n if (n < 0n) throw new Error('encodeU64BE: negative not allowed');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(n, 0);\n return b;\n}\n\nexport function decodeU64BE(buf: Buffer): bigint {\n if (buf.length !== 8) throw new Error('decodeU64BE: length must be 8');\n return buf.readBigUInt64BE(0);\n}\n\nexport function sha256(data: Buffer): Buffer {\n return createHash('sha256').update(data).digest();\n}\n\n// -----------------------------\n// TLV encode/decode\n// -----------------------------\n\nexport function encodeTLV(tag: number, value: Buffer): Buffer {\n if (!Number.isInteger(tag) \|\| tag <= 0)\n throw new Error('encodeTLV: tag must be positive int');\n const t = encodeUVarint(tag);\n const l = encodeUVarint(value.length);\n return Buffer.concat([t, l, value]);\n}\n\nexport function encodeTLVStreamCanonical(entries: DecodedTlv[]): Buffer {\n // Canonical sort ascending tag\n const sorted = [...entries].sort((a, b) => a.tag - b.tag);\n\n // Duplicate tags are allowed only if the schema says repeated.\n // This function does not enforce schema; caller should.\n const parts: Buffer[] = [];\n for (const e of sorted) parts.push(encodeTLV(e.tag, e.value));\n return Buffer.concat(parts);\n}\n\nexport function decodeTLVStream(\n stream: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n const out: DecodedTlv[] = [];\n let off = 0;\n\n while (off < stream.length) {\n if (out.length >= limits.maxTlvCount)\n throw new Error('decodeTLVStream: too many TLVs');\n\n const tagRes = decodeUVarint(stream, off, limits);\n const tag = Number(tagRes.value);\n off = tagRes.offset;\n\n const lenRes = decodeUVarint(stream, off, limits);\n const len = Number(lenRes.value);\n off = lenRes.offset;\n\n if (len < 0) throw new Error('decodeTLVStream: negative length');\n if (len > limits.maxValueBytes)\n throw new Error('decodeTLVStream: value too large');\n if (off + len > stream.length)\n throw new Error('decodeTLVStream: truncated value');\n\n const value = stream.subarray(off, off + len);\n off += len;\n\n out.push({ tag, value: Buffer.from(value) });\n }\n\n // Canonical check: must be sorted ascending tag.\n for (let i = 1; i < out.length; i++) {\n if (out[i].tag < out[i - 1].tag)\n throw new Error('decodeTLVStream: non-canonical tag order');\n }\n\n return out;\n}\n\nexport function tlvsToMap(entries: DecodedTlv[]): DecodedTlvMap {\n const m: DecodedTlvMap = new Map();\n for (const e of entries) {\n const arr = m.get(e.tag) ?? [];\n arr.push(e.value);\n m.set(e.tag, arr);\n }\n return m;\n}\n\n// -----------------------------\n// Schema validation + object \\u2194 TLV mapping\n// -----------------------------\n\ntype LogicalBody = { schemaId: number; fields: Record<string, any> };\n\nexport function validateTLVsAgainstSchema(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n depth = 0,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): void {\n if (depth > Math.min(schema.maxNestingDepth, limits.maxNestingDepth)) {\n throw new Error('validateTLVsAgainstSchema: nesting depth exceeded');\n }\n\n if (schema.maxBodyBytes && tlvsBytes(tlvs) > schema.maxBodyBytes) {\n throw new Error('validateTLVsAgainstSchema: body too large');\n }\n\n const byTag = new Map<number, DecodedTlv[]>();\n for (const t of tlvs) {\n if (!byTag.has(t.tag)) byTag.set(t.tag, []);\n byTag.get(t.tag)!.push(t);\n }\n\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n // Unknown tags\n if (schema.strict) {\n for (const tag of byTag.keys()) {\n if (!fieldByTag.has(tag))\n throw new Error(`validateTLVsAgainstSchema: unknown tag ${tag}`);\n }\n }\n\n // Required fields & repetition rules\n for (const f of schema.fields) {\n const vals = byTag.get(f.tag) ?? [];\n if (f.required && vals.length === 0)\n throw new Error(`validateTLVsAgainstSchema: missing ${f.name}`);\n\n if (!f.repeated && vals.length > 1) {\n throw new Error(\n `validateTLVsAgainstSchema: duplicate tag not allowed for ${f.name}`,\n );\n }\n\n // Per-field max length\n if (typeof f.maxLen === 'number') {\n for (const v of vals) {\n if (v.value.length > f.maxLen)\n throw new Error(`validateTLVsAgainstSchema: ${f.name} too long`);\n }\n }\n\n // Type checks (lightweight)\n for (const v of vals) {\n switch (f.type) {\n case 'u64be':\n if (v.value.length !== 8)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} u64be must be 8 bytes`,\n );\n break;\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} missing nestedSchema`,\n );\n const nestedTlvs = decodeTLVStream(v.value, limits);\n validateTLVsAgainstSchema(\n f.nestedSchema,\n nestedTlvs,\n depth + 1,\n limits,\n );\n break;\n }\n default:\n // bytes/utf8/uvarint are accepted structurally; deeper validation can be added if you want.\n break;\n }\n }\n }\n}\n\nfunction tlvsBytes(tlvs: DecodedTlv[]): number {\n // approximate encoded size if re-encoded\n let n = 0;\n for (const t of tlvs) {\n n +=\n encodeUVarint(t.tag).length +\n encodeUVarint(t.value.length).length +\n t.value.length;\n }\n return n;\n}\n\nexport function logicalBodyToTLVs(\n schema: Ats1SchemaDescriptor,\n body: LogicalBody,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n if (body.schemaId !== schema.schemaId)\n throw new Error('logicalBodyToTLVs: schemaId mismatch');\n\n const fieldsByName = new Map(schema.fields.map((f) => [f.name, f] as const));\n const tlvs: DecodedTlv[] = [];\n\n for (const [name, val] of Object.entries(body.fields ?? {})) {\n const f = fieldsByName.get(name);\n if (!f) {\n if (schema.strict)\n throw new Error(`logicalBodyToTLVs: unknown field ${name}`);\n continue;\n }\n\n const pushOne = (v: any) => {\n const valueBuf = encodeFieldValue(f, v, limits);\n if (valueBuf.length > limits.maxValueBytes)\n throw new Error('logicalBodyToTLVs: value too large');\n tlvs.push({ tag: f.tag, value: valueBuf });\n };\n\n if (f.repeated) {\n if (!Array.isArray(val))\n throw new Error(\n `logicalBodyToTLVs: repeated field ${name} must be array`,\n );\n for (const item of val) pushOne(item);\n } else {\n pushOne(val);\n }\n }\n\n // Validate required + duplicates + nested schema correctness\n // Validation also enforces canonical ordering check only after encoding/decoding;\n // here we validate semantics.\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n // NOTE: canonical ordering will be applied in encodeTLVStreamCanonical()\n return tlvs;\n}\n\nfunction encodeFieldValue(\n f: Ats1FieldDescriptor,\n val: any,\n limits: Ats1Limits,\n): Buffer {\n switch (f.type) {\n case 'bytes':\n if (Buffer.isBuffer(val)) return Buffer.from(val);\n if (val instanceof Uint8Array) return Buffer.from(val);\n throw new Error(`encodeFieldValue: ${f.name} expects bytes`);\n case 'utf8':\n if (typeof val !== 'string')\n throw new Error(`encodeFieldValue: ${f.name} expects string`);\n return Buffer.from(val, 'utf8');\n case 'uvarint':\n if (typeof val !== 'number' && typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects number/bigint`);\n return encodeUVarint(val);\n case 'u64be':\n if (typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects bigint`);\n return encodeU64BE(val);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`encodeFieldValue: ${f.name} missing nestedSchema`);\n // Accept nested logical object in the form { fields: {...} } or direct record\n const nestedFields =\n val && typeof val === 'object' && 'fields' in val\n ? (val as any).fields\n : val;\n if (!nestedFields \|\| typeof nestedFields !== 'object')\n throw new Error(`encodeFieldValue: ${f.name} expects object`);\n const nestedBody: LogicalBody = {\n schemaId: f.nestedSchema.schemaId,\n fields: nestedFields,\n };\n const nestedTlvs = logicalBodyToTLVs(f.nestedSchema, nestedBody, limits);\n const nestedBytes = encodeTLVStreamCanonical(nestedTlvs);\n // Re-parse to ensure canonical encoding would pass, and validate\n const re = decodeTLVStream(nestedBytes, limits);\n validateTLVsAgainstSchema(f.nestedSchema, re, 1, limits);\n return nestedBytes;\n }\n default:\n throw new Error(`encodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\nexport function tlvsToLogicalBody(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): LogicalBody {\n // TLVs must already be decoded and canonical-checked\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n const fields: Record<string, any> = {};\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n for (const t of tlvs) {\n const f = fieldByTag.get(t.tag);\n if (!f) {\n if (schema.strict)\n throw new Error(`tlvsToLogicalBody: unknown tag ${t.tag}`);\n continue;\n }\n\n const decoded = decodeFieldValue(f, t.value, limits);\n\n if (f.repeated) {\n if (!Array.isArray(fields[f.name])) fields[f.name] = [];\n fields[f.name].push(decoded);\n } else {\n fields[f.name] = decoded;\n }\n }\n\n return { schemaId: schema.schemaId, fields };\n}\n\nfunction decodeFieldValue(\n f: Ats1FieldDescriptor,\n value: Buffer,\n limits: Ats1Limits,\n): any {\n switch (f.type) {\n case 'bytes':\n return Buffer.from(value);\n case 'utf8':\n return value.toString('utf8');\n case 'uvarint': {\n const r = decodeUVarint(value, 0, limits);\n if (r.offset !== value.length)\n throw new Error(\n `decodeFieldValue: ${f.name} uvarint has trailing bytes`,\n );\n // return as number when safe, else bigint\n const asNum = Number(r.value);\n return Number.isSafeInteger(asNum) ? asNum : r.value;\n }\n case 'u64be':\n return decodeU64BE(value);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`decodeFieldValue: ${f.name} missing nestedSchema`);\n const nestedTlvs = decodeTLVStream(value, limits);\n // nested schema validation is called by validateTLVsAgainstSchema already,\n // but we decode again safely here.\n const nestedBody = tlvsToLogicalBody(f.nestedSchema, nestedTlvs, limits);\n return nestedBody.fields; // return the record by default\n }\n default:\n throw new Error(`decodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\n// -----------------------------\n// AXIS HDR tags (ATS1 header TLVs)\n// -----------------------------\n\nexport const HDR_TAGS = {\n intent_id: 1,\n actor_key_id: 2,\n capsule_id: 3,\n nonce: 4,\n ts_ms: 5,\n schema_id: 6,\n body_hash: 7,\n trace_id: 8,\n} as const;\n\nexport type AxisHeaderLogical = {\n intentId: number;\n actorKeyId: Uint8Array;\n capsuleId?: Uint8Array;\n nonce: Uint8Array; // 16 bytes\n tsMs: bigint; // ms\n schemaId: number;\n bodyHash: Uint8Array; // 32 bytes\n traceId?: Uint8Array; // 16 bytes\n version?: number; // optional\n headerHash?: Uint8Array; // 32 bytes\n headerTlvs?: DecodedTlv[]; // optional\n bodyTlvs?: DecodedTlv[]; // optional\n};\n\nexport type AxisLogicalRequest = {\n hdr: AxisHeaderLogical;\n body: LogicalBody;\n};\n\nexport function encodeAxisHeaderToTLVs(hdr: AxisHeaderLogical): DecodedTlv[] {\n if (hdr.nonce.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: nonce must be 16 bytes');\n if (hdr.bodyHash.byteLength !== 32)\n throw new Error('encodeAxisHeaderToTLVs: bodyHash must be 32 bytes');\n if (hdr.traceId && hdr.traceId.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: traceId must be 16 bytes');\n\n const tlvs: DecodedTlv[] = [\n { tag: HDR_TAGS.intent_id, value: encodeUVarint(hdr.intentId) },\n { tag: HDR_TAGS.actor_key_id, value: Buffer.from(hdr.actorKeyId) },\n { tag: HDR_TAGS.nonce, value: Buffer.from(hdr.nonce) },\n { tag: HDR_TAGS.ts_ms, value: encodeU64BE(hdr.tsMs) },\n { tag: HDR_TAGS.schema_id, value: encodeUVarint(hdr.schemaId) },\n { tag: HDR_TAGS.body_hash, value: Buffer.from(hdr.bodyHash) },\n ];\n\n if (hdr.capsuleId)\n tlvs.push({ tag: HDR_TAGS.capsule_id, value: Buffer.from(hdr.capsuleId) });\n if (hdr.traceId)\n tlvs.push({ tag: HDR_TAGS.trace_id, value: Buffer.from(hdr.traceId) });\n\n return tlvs;\n}\n\nexport function decodeAxisHeaderFromTLVs(\n hdrTlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): AxisHeaderLogical {\n // hdr TLVs must be canonical-ordered (enforced by decodeTLVStream) and duplicates only if allowed.\n const m = tlvsToMap(hdrTlvs);\n\n const get1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr \|\| arr.length !== 1)\n throw new Error(\n `decodeAxisHeaderFromTLVs: missing/dup header tag ${tag}`,\n );\n return arr[0];\n };\n const getOpt1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr) return undefined;\n if (arr.length !== 1)\n throw new Error(`decodeAxisHeaderFromTLVs: dup header tag ${tag}`);\n return arr[0];\n };\n\n const intentIdVar = decodeUVarint(get1(HDR_TAGS.intent_id), 0, limits);\n if (intentIdVar.offset !== get1(HDR_TAGS.intent_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: intent_id trailing bytes');\n\n const schemaIdVar = decodeUVarint(get1(HDR_TAGS.schema_id), 0, limits);\n if (schemaIdVar.offset !== get1(HDR_TAGS.schema_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: schema_id trailing bytes');\n\n const ts = decodeU64BE(get1(HDR_TAGS.ts_ms));\n\n const nonce = get1(HDR_TAGS.nonce);\n if (nonce.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: nonce must be 16 bytes');\n\n const bodyHash = get1(HDR_TAGS.body_hash);\n if (bodyHash.length !== 32)\n throw new Error('decodeAxisHeaderFromTLVs: body_hash must be 32 bytes');\n\n const trace = getOpt1(HDR_TAGS.trace_id);\n if (trace && trace.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: trace_id must be 16 bytes');\n\n return {\n intentId: Number(intentIdVar.value),\n actorKeyId: Buffer.from(get1(HDR_TAGS.actor_key_id)),\n capsuleId: getOpt1(HDR_TAGS.capsule_id)\n ? Buffer.from(getOpt1(HDR_TAGS.capsule_id)!)\n : undefined,\n nonce: Buffer.from(nonce),\n tsMs: ts,\n schemaId: Number(schemaIdVar.value),\n bodyHash: Buffer.from(bodyHash),\n traceId: trace ? Buffer.from(trace) : undefined,\n };\n}\n\n// -----------------------------\n// Encode/Decode AXIS request body + hdr with body_hash binding\n// -----------------------------\n\nexport function encodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n req: Omit<AxisLogicalRequest, 'hdr'> & {\n hdr: Omit<AxisHeaderLogical, 'bodyHash'>;\n },\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdrBytes: Buffer; bodyBytes: Buffer; bodyHash: Buffer } {\n // 1) encode body TLVs\n const bodyTlvs = logicalBodyToTLVs(schema, req.body, limits);\n const bodyBytes = encodeTLVStreamCanonical(bodyTlvs);\n\n // 2) compute body hash\n const bodyHash = sha256(bodyBytes);\n\n // 3) encode hdr TLVs (with computed hash)\n const hdr: AxisHeaderLogical = {\n ...req.hdr,\n schemaId: schema.schemaId,\n bodyHash,\n };\n const hdrTlvs = encodeAxisHeaderToTLVs(hdr);\n const hdrBytes = encodeTLVStreamCanonical(hdrTlvs);\n\n return { hdrBytes, bodyBytes, bodyHash };\n}\n\nexport function decodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n hdrBytes: Buffer,\n bodyBytes: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdr: AxisHeaderLogical; body: LogicalBody; sensorInput: SensorInputLike } {\n const hdrTlvs = decodeTLVStream(hdrBytes, limits);\n const bodyTlvs = decodeTLVStream(bodyBytes, limits);\n\n const hdr = decodeAxisHeaderFromTLVs(hdrTlvs, limits);\n\n // Schema binding check\n if (hdr.schemaId !== schema.schemaId)\n throw new Error('decodeAxisRequestBinary: schemaId mismatch');\n\n // body_hash check\n const bh = sha256(bodyBytes);\n if (!Buffer.from(hdr.bodyHash).equals(bh))\n throw new Error('decodeAxisRequestBinary: body_hash mismatch');\n\n // validate + decode body\n const body = tlvsToLogicalBody(schema, bodyTlvs, limits);\n\n const sensorInput: SensorInputLike = {\n hdrTLVs: tlvsToMap(hdrTlvs),\n bodyTLVs: tlvsToMap(bodyTlvs),\n schemaId: hdr.schemaId,\n intentId: hdr.intentId,\n };\n\n return { hdr, body, sensorInput };\n}\n\n// -----------------------------\n// Example Schemas\n// -----------------------------\n\nexport const Schema3100_DeviceContext: Ats1SchemaDescriptor = {\n schemaId: 3100,\n name: 'device.context',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'deviceId', type: 'bytes', required: true, maxLen: 128 },\n { tag: 2, name: 'os', type: 'utf8', required: true, maxLen: 64 },\n { tag: 3, name: 'hw', type: 'utf8', required: true, maxLen: 64 },\n ],\n};\n\nexport const Schema2001_PasskeyLoginOptionsReq: Ats1SchemaDescriptor = {\n schemaId: 2001,\n name: 'axis.auth.passkey.login.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema4001_LoginWithDeviceReq: Ats1SchemaDescriptor = {\n schemaId: 4001,\n name: 'axis.auth.login.with_device.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'device',\n type: 'nested',\n required: true,\n nestedSchema: Schema3100_DeviceContext,\n },\n ],\n};\n","import { ATS1_HDR, ATS1_SCHEMA } from './ats1.constants';\nimport as ats1 from './ats1';\n\n/*\n Build canonical hdr for any request using ATS1 codec.\n /\nexport function buildAts1Hdr(params: {\n intentId: number;\n schemaId: number;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n tsMs?: bigint;\n nonce?: Buffer;\n bodyHash?: Buffer;\n}): Buffer {\n const hdr: ats1.AxisHeaderLogical = {\n intentId: params.intentId,\n schemaId: params.schemaId,\n actorKeyId: params.actorKeyId ?? Buffer.alloc(0),\n capsuleId: params.capsuleId,\n nonce: params.nonce ?? require('crypto').randomBytes(16),\n tsMs: params.tsMs ?? BigInt(Date.now()),\n bodyHash: params.bodyHash ?? Buffer.alloc(32),\n traceId: params.traceId,\n };\n\n const tlvs = ats1.encodeAxisHeaderToTLVs(hdr);\n return ats1.encodeTLVStreamCanonical(tlvs);\n}\n\n/\n PASSKEY: login.options.req\n * schema 2001 body:\n * - (1) username: utf8\n /\nexport function packPasskeyLoginOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n capsuleId: params.capsuleId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n Defined schemas for passkey operations\n /\nexport const Schema2021_PasskeyRegisterOptionsReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n name: 'axis.auth.passkey.register.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema2011_PasskeyLoginVerifyReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n name: 'axis.auth.passkey.login.verify.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'credentialId',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n {\n tag: 3,\n name: 'clientDataJSON',\n type: 'bytes',\n required: true,\n maxLen: 4096,\n },\n {\n tag: 4,\n name: 'authenticatorData',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n { tag: 5, name: 'signature', type: 'bytes', required: true, maxLen: 1024 },\n { tag: 6, name: 'userHandle', type: 'bytes', required: false, maxLen: 128 },\n ],\n};\n\n/\n PASSKEY: register.options.req\n /\nexport function packPasskeyRegisterOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n Schema2021_PasskeyRegisterOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyRegisterOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2021_PasskeyRegisterOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n PASSKEY: login.verify.req\n /\nexport function packPasskeyLoginVerifyReq(params: {\n intentId: number;\n username: string;\n credentialId: Buffer;\n clientDataJSON: Buffer;\n authenticatorData: Buffer;\n signature: Buffer;\n userHandle?: Buffer;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2011_PasskeyLoginVerifyReq, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n fields: {\n username: params.username,\n credentialId: params.credentialId,\n clientDataJSON: params.clientDataJSON,\n authenticatorData: params.authenticatorData,\n signature: params.signature,\n userHandle: params.userHandle,\n },\n });\n\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginVerifyReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2011_PasskeyLoginVerifyReq,\n tlvs,\n );\n const f = decoded.fields;\n\n return {\n username: f.username as string,\n credentialId: f.credentialId as Buffer,\n clientDataJSON: f.clientDataJSON as Buffer,\n authenticatorData: f.authenticatorData as Buffer,\n signature: f.signature as Buffer,\n userHandle: f.userHandle as Buffer \| undefined,\n };\n}\n\n// ========================================\n// Response Schemas\n// ========================================\n\n/\n Schema 2002: Passkey Login Options Response\n * - (1) challenge: bytes\n * - (2) timeout: uvarint (ms)\n * - (3) rpId: utf8\n * - (4) allowCredentials: bytes (nested TLV array, each item is id+type+transports)\n * - (5) userVerification: utf8\n /\nexport const Schema2002_PasskeyLoginOptionsRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n name: 'axis.auth.passkey.login.options.res',\n strict: false, // allow extra fields from WebAuthn library\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'challenge', type: 'utf8', required: true }, // base64url string\n { tag: 2, name: 'timeout', type: 'uvarint', required: false },\n { tag: 3, name: 'rpId', type: 'utf8', required: false },\n { tag: 4, name: 'userVerification', type: 'utf8', required: false },\n { tag: 5, name: 'allowCredentialsJson', type: 'utf8', required: false }, // JSON array for simplicity\n ],\n};\n\nexport function packPasskeyLoginOptionsRes(params: {\n challenge: string;\n timeout?: number;\n rpId?: string;\n userVerification?: string;\n allowCredentials?: { id: string; type: string; transports?: string[] }[];\n}): Buffer {\n const fields: Record<string, any> = {\n challenge: params.challenge,\n };\n if (params.timeout !== undefined) fields.timeout = params.timeout;\n if (params.rpId) fields.rpId = params.rpId;\n if (params.userVerification)\n fields.userVerification = params.userVerification;\n if (params.allowCredentials)\n fields.allowCredentialsJson = JSON.stringify(params.allowCredentials);\n\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2002_PasskeyLoginOptionsRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n fields,\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n\n/\n Schema 2012: Passkey Login Verify Response\n * - (1) actorId: utf8\n * - (2) keyId: utf8 (credentialId base64url)\n * - (3) capsule: bytes\n * - (4) expiresAt: u64be (ms)\n /\nexport const Schema2012_PasskeyLoginVerifyRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n name: 'axis.auth.passkey.login.verify.res',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'actorId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 2, name: 'keyId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 3, name: 'capsule', type: 'bytes', required: true, maxLen: 4096 },\n { tag: 4, name: 'expiresAt', type: 'u64be', required: true },\n ],\n};\n\nexport function packPasskeyLoginVerifyRes(params: {\n actorId: string;\n keyId: string;\n capsule: Buffer;\n expiresAt: bigint;\n}): Buffer {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2012_PasskeyLoginVerifyRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n fields: {\n actorId: params.actorId,\n keyId: params.keyId,\n capsule: params.capsule,\n expiresAt: params.expiresAt,\n },\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n","// tlv.encode.ts\nimport { randomBytes } from 'crypto';\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('VARINT_NEG');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n\nexport function u64be(x: bigint): Buffer {\n if (x < 0n) throw new Error('U64_NEG');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x, 0);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function bytes(b: Uint8Array \| Buffer): Buffer {\n return Buffer.isBuffer(b) ? b : Buffer.from(b);\n}\n\nexport function nonce16(): Buffer {\n return randomBytes(16);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n if (!Number.isSafeInteger(type) \|\| type < 0) throw new Error('TLV_BAD_TYPE');\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\n/\n Canonical TLV encoding:\n * - sorted by type ascending\n * - no duplicates by default\n /\nexport function buildTLVs(\n items: { type: number; value: Buffer }[],\n opts?: { allowDupTypes?: Set<number> },\n): Buffer {\n const allow = opts?.allowDupTypes ?? new Set<number>();\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n","// axis1.encode.ts\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\nexport type Axis1FrameToEncode = {\n ver: number; // 1\n flags: number; // bit flags\n hdr: Buffer; // TLVs\n body: Buffer; // TLVs or raw payload\n sig: Buffer; // signature bytes\n};\n\nexport function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer {\n if (\n !Buffer.isBuffer(f.hdr) \|\|\n !Buffer.isBuffer(f.body) \|\|\n !Buffer.isBuffer(f.sig)\n ) {\n throw new Error('AXIS1_BAD_BUFFERS');\n }\n if (f.ver !== 1) throw new Error('AXIS1_BAD_VER');\n\n const hdrLen = encVarint(BigInt(f.hdr.length));\n const bodyLen = encVarint(BigInt(f.body.length));\n const sigLen = encVarint(BigInt(f.sig.length));\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([f.ver & 0xff]),\n Buffer.from([f.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLen,\n f.hdr,\n f.body,\n f.sig,\n ]);\n}\n","// axis1.signing.ts\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\nexport function axis1SigningBytes(params: {\n ver: number;\n flags: number;\n hdr: Buffer;\n body: Buffer;\n}): Buffer {\n if (params.ver !== 1) throw new Error('AXIS1_BAD_VER');\n const hdrLen = encVarint(BigInt(params.hdr.length));\n const bodyLen = encVarint(BigInt(params.body.length));\n const sigLenZero = encVarint(0n); // IMPORTANT: sigLen=0 in signing bytes\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([params.ver & 0xff]),\n Buffer.from([params.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLenZero,\n params.hdr,\n params.body,\n ]);\n}\n","/\n Base64url encoding/decoding utilities\n * RFC 4648 base64url (URL-safe, no padding)\n /\n\n/\n Encode buffer to base64url string\n * @param buf - Buffer to encode\n * @returns Base64url string (no padding, URL-safe)\n /\nexport function b64urlEncode(buf: Buffer): string {\n return buf\n .toString('base64')\n .replace(/=/g, '')\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_');\n}\n\n/\n Decode base64url string to buffer\n * @param str - Base64url string\n * @returns Decoded buffer\n /\nexport function b64urlDecode(str: string): Buffer {\n // Add padding if needed\n const pad = str.length % 4 ? '='.repeat(4 - (str.length % 4)) : '';\n const base64 = (str + pad).replace(/-/g, '+').replace(/_/g, '/');\n return Buffer.from(base64, 'base64');\n}\n\n/\n Encode string to base64url\n * @param str - String to encode\n * @param encoding - String encoding (default: utf8)\n * @returns Base64url string\n /\nexport function b64urlEncodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlEncode(Buffer.from(str, encoding));\n}\n\n/\n Decode base64url string to string\n * @param str - Base64url string\n * @param encoding - String encoding (default: utf8)\n * @returns Decoded string\n /\nexport function b64urlDecodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlDecode(str).toString(encoding);\n}\n","/\n Canonical JSON serialization for stable cryptographic signing\n \n Rules:\n * - Recursively sort object keys lexicographically\n * - Remove undefined values\n * - Preserve array order\n * - No whitespace in output\n * - Stable number formatting\n /\n\n/\n Recursively sort object keys and remove undefined values\n /\nfunction sortRec(value: any): any {\n if (value === null) {\n return null;\n }\n\n if (value === undefined) {\n return undefined;\n }\n\n if (Array.isArray(value)) {\n return value.map(sortRec);\n }\n\n if (typeof value === 'object') {\n const sorted: Record<string, any> = {};\n const keys = Object.keys(value).sort();\n\n for (const key of keys) {\n const sortedValue = sortRec(value[key]);\n // Skip undefined values\n if (sortedValue !== undefined) {\n sorted[key] = sortedValue;\n }\n }\n\n return sorted;\n }\n\n // Primitive types (number, string, boolean)\n return value;\n}\n\n/\n Convert value to canonical JSON string for signing\n \n @param value - Value to canonicalize\n * @returns Canonical JSON string (no whitespace, sorted keys, no undefined)\n /\nexport function canonicalJson(value: any): string {\n return JSON.stringify(sortRec(value));\n}\n\n/\n Helper to create canonical JSON for signing (excluding specific fields)\n \n @param obj - Object to canonicalize\n * @param exclude - Fields to exclude (e.g., 'sig' when signing)\n * @returns Canonical JSON string\n /\nexport function canonicalJsonExcluding(\n obj: Record<string, any>,\n exclude: string[],\n): string {\n const filtered: Record<string, any> = {};\n\n for (const key in obj) {\n if (!exclude.includes(key) && obj[key] !== undefined) {\n filtered[key] = obj[key];\n }\n }\n\n return canonicalJson(filtered);\n}\n","export class ContractViolationError extends Error {\n constructor(\n public code: string,\n message: string,\n ) {\n super(message);\n this.name = 'ContractViolationError';\n }\n}\n\nexport interface ExecutionMetrics {\n dbWrites: number;\n dbReads: number;\n externalCalls: number;\n elapsedMs: number;\n}\n\nexport class ExecutionMeter {\n private dbWrites = 0;\n private dbReads = 0;\n private externalCalls = 0;\n private startTime: number;\n private contract: any; // ExecutionContract\n\n constructor(contract: any) {\n this.contract = contract;\n this.startTime = Date.now();\n }\n\n recordDbWrite(): void {\n this.dbWrites++;\n if (this.dbWrites > this.contract.maxDbWrites) {\n throw new ContractViolationError(\n 'MAX_DB_WRITES_EXCEEDED',\n `DB writes exceeded: ${this.dbWrites}/${this.contract.maxDbWrites}`,\n );\n }\n }\n\n recordDbRead(): void {\n this.dbReads++;\n if (this.contract.maxDbReads && this.dbReads > this.contract.maxDbReads) {\n throw new ContractViolationError(\n 'MAX_DB_READS_EXCEEDED',\n `DB reads exceeded: ${this.dbReads}/${this.contract.maxDbReads}`,\n );\n }\n }\n\n recordExternalCall(): void {\n this.externalCalls++;\n if (this.externalCalls > this.contract.maxExternalCalls) {\n throw new ContractViolationError(\n 'MAX_EXTERNAL_CALLS_EXCEEDED',\n `External calls exceeded: ${this.externalCalls}/${this.contract.maxExternalCalls}`,\n );\n }\n }\n\n checkTime(): void {\n const elapsed = Date.now() - this.startTime;\n if (elapsed > this.contract.maxTimeMs) {\n throw new ContractViolationError(\n 'MAX_TIME_EXCEEDED',\n `Execution time exceeded: ${elapsed}ms/${this.contract.maxTimeMs}ms`,\n );\n }\n }\n\n validateEffect(effect: string): void {\n // Wildcard allows any effect\n if (this.contract.allowedEffects.includes('')) {\n return;\n }\n\n if (!this.contract.allowedEffects.includes(effect)) {\n throw new ContractViolationError(\n 'INVALID_EFFECT',\n `Effect '${effect}' not allowed. Allowed: ${this.contract.allowedEffects.join(', ')}`,\n );\n }\n }\n\n getMetrics(): ExecutionMetrics {\n return {\n dbWrites: this.dbWrites,\n dbReads: this.dbReads,\n externalCalls: this.externalCalls,\n elapsedMs: Date.now() - this.startTime,\n };\n }\n\n getContract() {\n return this.contract;\n }\n}\n","export interface ExecutionContract {\n maxDbWrites: number;\n maxDbReads?: number;\n maxExternalCalls: number;\n maxTimeMs: number;\n allowedEffects: string[];\n maxMemoryMb?: number;\n}\n\nexport const DEFAULT_CONTRACTS: Record<string, ExecutionContract> = {\n // System intents\n 'system.ping': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 100,\n allowedEffects: ['system.pong'],\n },\n\n // Catalog intents\n 'catalog.list': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['catalog.listed'],\n },\n 'catalog.search': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['catalog.searched'],\n },\n\n // Passport intents\n 'passport.issue': {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['passport.issued', 'passport.rejected'],\n },\n 'passport.revoke': {\n maxDbWrites: 5,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['passport.revoked', 'passport.revoke_failed'],\n },\n\n // File intents\n 'file.init': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['file.initialized'],\n },\n 'file.chunk': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: ['file.chunk.stored'],\n },\n 'file.finalize': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['file.finalized'],\n },\n\n // Stream intents\n 'stream.publish': {\n maxDbWrites: 1,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['stream.published'],\n },\n 'stream.read': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['stream.data'],\n },\n\n // Mail intents\n 'mail.send': {\n maxDbWrites: 3,\n maxExternalCalls: 1, // Email service\n maxTimeMs: 2000,\n allowedEffects: ['mail.sent', 'mail.failed'],\n },\n};\n\n// Default contract for unknown intents\nexport const FALLBACK_CONTRACT: ExecutionContract = {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: [''], // Allow any effect\n};\n","/\n Decodes a variable-length integer (Varint) from a buffer.\n * Supports up to 64-bit integers.\n \n @param {Buffer} buf - The buffer to read from\n * @param {number} off - The offset to start reading from\n * @returns {Object} The decoded bigint value and the new offset\n * @throws {Error} If the varint is malformed or exceeds 64 bits\n /\nexport function decVarint(\n buf: Buffer,\n off: number,\n): { val: bigint; off: number } {\n let shift = 0n;\n let x = 0n;\n while (true) {\n if (off >= buf.length) throw new Error('varint overflow');\n const b = BigInt(buf[off++]);\n x \|= (b & 0x7fn) << shift;\n if ((b & 0x80n) === 0n) break;\n shift += 7n;\n if (shift > 63n) throw new Error('varint too large');\n }\n return { val: x, off };\n}\n\nimport type { TLV } from '../core/tlv';\n\n/\n Parses a buffer into an array of TLV objects.\n \n @param {Buffer} buf - The buffer containing TLV-encoded data\n * @param {number} [maxItems=512] - Security limit for the number of TLVs to parse\n * @returns {TLV[]} An array of parsed TLVs\n * @throws {Error} If TLV structure is invalid or limits are exceeded\n /\nexport function parseTLVs(buf: Buffer, maxItems: number = 512): TLV[] {\n const out: TLV[] = [];\n let off = 0;\n while (off < buf.length) {\n if (out.length >= maxItems) throw new Error('TLV_TOO_MANY_ITEMS');\n const t1 = decVarint(buf, off);\n off = t1.off;\n const t2 = decVarint(buf, off);\n off = t2.off;\n const type = Number(t1.val);\n const len = Number(t2.val);\n if (len < 0 \|\| off + len > buf.length) {\n throw new Error('TLV_LEN_INVALID');\n }\n const value = buf.subarray(off, off + len);\n off += len;\n out.push({ type, value });\n }\n return out;\n}\n\n/\n Parses TLVs and organizes them into a Map for efficient access.\n * Multiple values for the same type are preserved in an array.\n \n @param {Buffer} buf - The raw TLV-encoded buffer\n * @returns {Map<number, Buffer[]>} A map of Tag -> [Values]\n /\nexport function tlvMap(buf: Buffer): Map<number, Buffer[]> {\n const m = new Map<number, Buffer[]>();\n for (const it of parseTLVs(buf)) {\n const arr = m.get(it.type) ?? [];\n arr.push(it.value as Buffer);\n m.set(it.type, arr);\n }\n return m;\n}\n\nexport function asUtf8(b?: Buffer): string \| undefined {\n if (!b) return undefined;\n return b.toString('utf8');\n}\n\nexport function asBigintVarint(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n const { val, off } = decVarint(b, 0);\n if (off !== b.length) throw new Error('VARINT_TRAILING_BYTES');\n return val;\n}\n\n/\n Parses an 8-byte big-endian buffer as a BigInt.\n * Used for timestamps which are sent as fixed 8-byte u64.\n /\nexport function asBigint64BE(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n if (b.length !== 8) throw new Error('Expected 8 bytes for u64');\n return b.readBigUInt64BE(0);\n}\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('varint neg');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\nexport function buildTLVs(items: { type: number; value: Buffer }[]): Buffer {\n // Canonical: sort by type ascending\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n // Canonical: forbid duplicate tags by default\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n\nexport function u64be(x: bigint): Buffer {\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n","import { decVarint } from './tlv';\n\n/\n Axis1DecodedFrame\n \n Represents a parsed AXIS v1 binary frame.\n \n @typedef {Object} Axis1DecodedFrame\n /\nexport type Axis1DecodedFrame = {\n /* Protocol version (should be 1) /\n ver: number;\n /* Frame flags for protocol extensions /\n flags: number;\n /* Raw header bytes (containing primary TLVs) /\n hdr: Buffer;\n /* Raw body bytes (the main payload) /\n body: Buffer;\n /* Cryptographic signature bytes /\n sig: Buffer;\n /* Total original size of the frame in bytes /\n frameSize: number;\n};\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\n/\n Decodes a raw binary buffer into a structured Axis1DecodedFrame.\n * Implements the AXIS v1 wire format specification.\n \n Binary Structure (canonical):\n * 1. Magic: 'AXIS1' (5 bytes)\n * 2. Version: (1 byte)\n * 3. Flags: (1 byte)\n * 4. HDR_LEN: Varint\n * 5. BODY_LEN: Varint\n * 6. SIG_LEN: Varint\n * 7. HDR: (HDR_LEN bytes)\n * 8. BODY: (BODY_LEN bytes)\n * 9. SIG: (SIG_LEN bytes)\n \n @param {Buffer} buf - Raw bytes from the wire\n * @returns {Axis1DecodedFrame} Parsed frame object\n * @throws {Error} If magic is invalid, frame is truncated, or lengths are inconsistent\n /\nexport function decodeAxis1Frame(buf: Buffer): Axis1DecodedFrame {\n let off = 0;\n\n const magic = buf.subarray(off, off + 5);\n off += 5;\n if (magic.length !== 5 \|\| !magic.equals(MAGIC))\n throw new Error('AXIS1_BAD_MAGIC');\n\n if (off + 2 > buf.length) throw new Error('AXIS1_TRUNCATED');\n const ver = buf[off++];\n const flags = buf[off++];\n\n // Read all three lengths first (canonical order: hdrLen, bodyLen, sigLen)\n const h1 = decVarint(buf, off);\n off = h1.off;\n const b1 = decVarint(buf, off);\n off = b1.off;\n const s1 = decVarint(buf, off);\n off = s1.off;\n\n const hdrLen = Number(h1.val);\n const bodyLen = Number(b1.val);\n const sigLen = Number(s1.val);\n\n if (hdrLen < 0 \|\| bodyLen < 0 \|\| sigLen < 0) throw new Error('AXIS1_LEN_NEG');\n\n if (off + hdrLen + bodyLen + sigLen > buf.length)\n throw new Error('AXIS1_TRUNCATED_PAYLOAD');\n\n // Then read payloads in order: HDR, BODY, SIG\n const hdr = buf.subarray(off, off + hdrLen);\n off += hdrLen;\n const body = buf.subarray(off, off + bodyLen);\n off += bodyLen;\n const sig = buf.subarray(off, off + sigLen);\n off += sigLen;\n\n if (off !== buf.length) throw new Error('AXIS1_TRAILING_BYTES');\n\n return { ver, flags, hdr, body, sig, frameSize: buf.length };\n}\n","import {\n TLV_ACTOR_ID,\n TLV_INTENT,\n TLV_NONCE,\n TLV_PID,\n TLV_PROOF_REF,\n TLV_PROOF_TYPE,\n TLV_TS,\n} from '../core/constants';\nimport { asBigint64BE, asBigintVarint, asUtf8, tlvMap } from './tlv';\n\n/\n AXIS TLV Tag Definitions (as per specification)\n /\nexport const T = {\n /* The specific intent or action (e.g., 'vault.create') /\n INTENT: TLV_INTENT,\n /* Package identifier / ID /\n PID: TLV_PID,\n /* Versioning of the intent schema /\n INTENT_VERSION: 10, // Defaulting to TRACE_ID for now or a new tag if available\n /* Unique identifier for the requesting actor /\n ACTOR_ID: TLV_ACTOR_ID,\n /* Optional Capability Token identifier (16 bytes) /\n CAPSULE_ID: TLV_PROOF_REF,\n /* Unique session/request identifier (16 bytes) /\n NONCE: TLV_NONCE,\n /* High-precision Unix timestamp in milliseconds /\n TS_MS: TLV_TS,\n /* Proof type /\n PROOF_TYPE: TLV_PROOF_TYPE,\n /* Standard binary body tag /\n BODY: 100,\n /* Standard JSON-encoded body tag /\n JSON: 200,\n};\n\n/\n AxisPacket\n \n A high-level representation of an AXIS message after TLV decoding.\n * Combines header metadata with the raw body and signature.\n \n @typedef {Object} AxisPacket\n /\nexport type AxisPacket = {\n /* The intent string /\n intent: string;\n /* Intent schema version /\n intentVersion: number;\n /* Actor identifier /\n actorId: string;\n /* Optional binary Capsule ID /\n capsuleId?: Buffer;\n /* Packet identifier /\n pid: Buffer;\n /* Random nonce for replay protection /\n nonce: Buffer;\n /* Request timestamp /\n tsMs: bigint;\n /* Decoded header TLV map /\n headersMap: Map<number, Buffer[]>;\n /* Decoded body TLV map (if body contains TLVs) /\n bodyMap: Map<number, Buffer[]>;\n /* Original raw header bytes /\n hdrBytes: Buffer;\n /* Original raw body bytes /\n bodyBytes: Buffer;\n /* Cryptographic signature of the frame /\n sig: Buffer;\n};\n\n/\n Constructs a structured AxisPacket from raw header, body, and signature buffers.\n * Performs rigorous validation on mandatory AXIS fields.\n \n @param {Buffer} hdr - Raw header bytes containing the primary TLVs\n * @param {Buffer} body - Raw body bytes\n * @param {Buffer} sig - Signature bytes for the frame\n * @param {number} [flags=0] - Frame flags (bit 0 = BODY_IS_TLV)\n * @returns {AxisPacket} A fully validated AxisPacket object\n * @throws {Error} If mandatory fields (intent, version, actor, nonce, ts) are missing or malformed\n /\nexport function buildPacket(\n hdr: Buffer,\n body: Buffer,\n sig: Buffer,\n flags: number = 0,\n): AxisPacket {\n const hm = tlvMap(hdr);\n\n // Only parse body as TLV if BODY_IS_TLV flag is set (bit 0)\n const BODY_IS_TLV = 0x01;\n const bm = flags & BODY_IS_TLV ? tlvMap(body) : new Map<number, Buffer[]>();\n\n const intent = asUtf8(hm.get(T.INTENT)?.[0]);\n const intentVerRaw = hm.get(T.INTENT_VERSION)?.[0];\n const intentVer = intentVerRaw ? Number(asBigintVarint(intentVerRaw)) : 1;\n const actorIdRaw = hm.get(T.ACTOR_ID)?.[0];\n const actorId = actorIdRaw ? actorIdRaw.toString('hex') : undefined;\n const capsuleId = hm.get(T.CAPSULE_ID)?.[0];\n const pid = hm.get(T.PID)?.[0] \|\| hm.get(T.NONCE)?.[0]; // Fallback to nonce if pid missing\n const nonce = hm.get(T.NONCE)?.[0];\n const tsMs = asBigint64BE(hm.get(T.TS_MS)?.[0]);\n\n if (!intent) throw new Error('PACKET_MISSING_INTENT');\n if (!actorId) throw new Error('PACKET_MISSING_ACTOR_ID');\n if (!nonce \|\| nonce.length < 16 \|\| nonce.length > 32)\n throw new Error('PACKET_BAD_NONCE');\n if (!pid) throw new Error('PACKET_MISSING_PID');\n if (!tsMs) throw new Error('PACKET_MISSING_TS');\n\n return {\n intent,\n intentVersion: intentVer,\n actorId,\n capsuleId,\n pid,\n nonce,\n tsMs,\n headersMap: hm,\n bodyMap: bm,\n hdrBytes: hdr,\n bodyBytes: body,\n sig,\n };\n}\n","/\n AXIS Scope Utilities\n * Validates capsule scopes against required resource access.\n * Prevents BOLA (Broken Object Level Authorization) attacks.\n /\n\n/\n Check if a capsule has the required scope.\n * Scopes use colon notation: resource:id or resource:\n \n * Examples:\n * - wallet:w_123\n * - merchant:m_456\n * - payment:\n /\nexport function hasScope(scopes: string[], required: string): boolean {\n if (!Array.isArray(scopes) \|\| scopes.length === 0) {\n return false;\n }\n\n // Exact match\n if (scopes.includes(required)) {\n return true;\n }\n\n // Wildcard match: resource:* matches resource:anything\n const [resource, id] = required.split(':');\n if (resource && id) {\n const wildcard = `${resource}:`;\n if (scopes.includes(wildcard)) {\n return true;\n }\n }\n\n return false;\n}\n\n/\n Extract resource type and ID from scope.\n /\nexport function parseScope(\n scope: string,\n): { resource: string; id: string } \| null {\n const parts = scope.split(':');\n if (parts.length !== 2) return null;\n return { resource: parts[0], id: parts[1] };\n}\n\n/\n Check if actor can access a specific resource based on capsule scopes.\n /\nexport function canAccessResource(\n scopes: string[],\n resourceType: string,\n resourceId: string,\n): boolean {\n const required = `${resourceType}:${resourceId}`;\n return hasScope(scopes, required);\n}\n","/\n AXIS Capability Model\n * Maps proof types to capabilities and intents to requirements.\n /\nimport { PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS } from '../core/constants';\n\n/\n Available capabilities in the AXIS system.\n * Each represents a distinct permission level.\n /\nexport const CAPABILITIES = {\n read: 'read',\n write: 'write',\n execute: 'execute',\n admin: 'admin',\n sign: 'sign',\n witness: 'witness',\n} as const;\n\nexport type Capability = keyof typeof CAPABILITIES;\n\n/\n Maps proof type codes to granted capabilities.\n /\nexport const PROOF_CAPABILITIES: Record<number, Capability[]> = {\n [PROOF_NONE]: [],\n [PROOF_CAPSULE]: ['read', 'write', 'execute'],\n [PROOF_JWT]: ['read'],\n [PROOF_MTLS]: ['read', 'write', 'admin'],\n [PROOF_LOOM]: ['read', 'write', 'execute'],\n [PROOF_WITNESS]: ['read', 'write', 'execute', 'witness'],\n};\n\n/\n Maps intent patterns to required capabilities.\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_REQUIREMENTS: Record<string, Capability[]> = {\n 'public.': [],\n 'schema.': [],\n 'catalog.': [],\n 'health.': [],\n 'system.': [],\n\n 'file.upload': ['write'],\n 'file.download': ['read'],\n 'file.delete': ['write', 'admin'],\n\n 'passport.issue': ['write', 'execute'],\n 'passport.revoke': ['write', 'witness'],\n\n 'stream.publish': ['write'],\n 'stream.subscribe': ['read'],\n\n // NestFlow intents\n 'auth.web.login.': ['execute'],\n 'tickauth.challenge.': ['execute'],\n 'capsule.issue.': ['write', 'execute'],\n 'session.': ['execute'],\n 'device.list': ['read'],\n 'device.rename': ['write'],\n 'device.trust.': ['write', 'execute'],\n 'device.revoke': ['write', 'execute'],\n 'identity.': ['admin', 'execute'],\n 'primary.device.': ['admin', 'execute'],\n 'secret.rotate': ['admin'],\n 'org.security.': ['admin'],\n 'production.execution.': ['admin', 'execute'],\n\n 'admin.': ['admin'],\n};\n","/\n AXIS Risk Signal Types\n \n Protocol-level types for risk evaluation and signalling.\n * Used by sensors, risk gates, and anomaly detectors.\n /\n\n/\n A discrete risk signal emitted by a detector or sensor.\n * Signals are aggregated by the risk gate to produce a final RiskEvaluation.\n /\nexport interface RiskSignal {\n type: string;\n severity: 'low' \| 'medium' \| 'high' \| 'critical';\n value: any;\n message: string;\n}\n\n/\n Granular risk gate decision outcomes.\n * More expressive than a binary ALLOW/DENY — covers step-up and witness flows.\n /\nexport enum RiskDecision {\n ALLOW = 'ALLOW',\n THROTTLE = 'THROTTLE',\n STEP_UP = 'STEP_UP',\n WITNESS = 'WITNESS',\n DENY = 'DENY',\n}\n\n/\n The result of a risk gate evaluation over a set of signals.\n /\nexport interface RiskEvaluation {\n decision: RiskDecision;\n reason?: string;\n retryAfterMs?: number;\n /* Confidence score in range [0, 1]. /\n confidence: number;\n signals: RiskSignal[];\n}\n","/\n AXIS Opcode Registry\n * Central registry of all allowed opcodes.\n * Unknown opcodes are rejected by default (no shadow endpoints).\n /\n\nexport const AXIS_OPCODES = new Set([\n 'CAPSULE.ISSUE',\n 'CAPSULE.BATCH',\n 'CAPSULE.REVOKE',\n 'INTENT.EXEC',\n 'ACTOR.KEY.ROTATE',\n 'ACTOR.KEY.REVOKE',\n 'ISSUER.KEY.ROTATE',\n // NestFlow opcodes\n 'AUTH.WEB.LOGIN',\n 'AUTH.WEB.SCAN',\n 'TICKAUTH.CREATE',\n 'TICKAUTH.FULFILL',\n 'TICKAUTH.REJECT',\n 'SESSION.ACTIVATE',\n 'SESSION.REFRESH',\n 'SESSION.LOGOUT',\n 'DEVICE.TRUST',\n 'DEVICE.PROMOTE',\n 'DEVICE.REVOKE',\n 'DEVICE.LIST',\n 'DEVICE.RENAME',\n 'IDENTITY.RECOVERY',\n 'IDENTITY.LOCK',\n]);\n\nexport function isKnownOpcode(op: string): boolean {\n return AXIS_OPCODES.has(op);\n}\n\n/\n Returns true if the opcode requires elevated permissions.\n /\nexport function isAdminOpcode(op: string): boolean {\n return (\n op.startsWith('ACTOR.KEY.') \|\|\n op.startsWith('ISSUER.KEY.') \|\|\n op.startsWith('IDENTITY.')\n );\n}\n","/\n AXIS Receipt Hash Construction\n * Canonical receipt chain hash — protocol invariant.\n * Any compliant implementation must produce identical hashes.\n /\nimport { createHash } from 'crypto';\n\n/* Canonical receipt effect types /\nexport type ReceiptEffect = 'ALLOW' \| 'DENY' \| 'ERROR';\n\n/\n Builds the canonical SHA-256 hash for a receipt in the chain.\n \n Field order (protocol-defined):\n * prevHash? \| pid \| actorId (utf8) \| intent (utf8) \| effect (utf8) \| ts (utf8 string)\n \n @param prevHash Previous receipt hash (null for first receipt)\n * @param pid Process/packet ID (raw bytes)\n * @param actorId Actor identifier (string)\n * @param intent Intent name (string)\n * @param effect Execution effect ('ALLOW' \| 'DENY' \| 'ERROR')\n * @param ts Timestamp as bigint (milliseconds since epoch)\n * @returns 32-byte SHA-256 hash\n /\nexport function buildReceiptHash(\n prevHash: Buffer \| null,\n pid: Buffer,\n actorId: string,\n intent: string,\n effect: ReceiptEffect,\n ts: bigint,\n): Buffer {\n const h = createHash('sha256');\n if (prevHash) h.update(prevHash);\n h.update(pid);\n h.update(Buffer.from(actorId, 'utf8'));\n h.update(Buffer.from(intent, 'utf8'));\n h.update(Buffer.from(effect, 'utf8'));\n h.update(Buffer.from(ts.toString(), 'utf8'));\n return h.digest();\n}\n","/\n AXIS Intent Sensitivity Classification\n * Protocol-level risk classification for intents.\n /\n\nexport enum IntentSensitivity {\n LOW = 1,\n MEDIUM = 2,\n HIGH = 3,\n CRITICAL = 4,\n}\n\n/\n Maps known intents to their sensitivity level.\n /\nexport const INTENT_SENSITIVITY_MAP: Record<string, IntentSensitivity> = {\n // System intents\n 'system.ping': IntentSensitivity.LOW,\n\n // Catalog intents\n 'catalog.list': IntentSensitivity.LOW,\n 'catalog.search': IntentSensitivity.LOW,\n 'catalog.intent.describe': IntentSensitivity.LOW,\n 'catalog.intent.complete': IntentSensitivity.LOW,\n\n // Stream intents\n 'stream.publish': IntentSensitivity.MEDIUM,\n 'stream.read': IntentSensitivity.MEDIUM,\n 'stream.subscribe': IntentSensitivity.MEDIUM,\n\n // File intents\n 'file.init': IntentSensitivity.MEDIUM,\n 'file.chunk': IntentSensitivity.MEDIUM,\n 'file.finalize': IntentSensitivity.MEDIUM,\n 'file.status': IntentSensitivity.LOW,\n\n // Passport intents\n 'passport.issue': IntentSensitivity.HIGH,\n 'passport.verify': IntentSensitivity.MEDIUM,\n 'passport.revoke': IntentSensitivity.CRITICAL,\n\n // Mail intents\n 'mail.send': IntentSensitivity.HIGH,\n\n // Admin intents\n 'admin.create_capsule': IntentSensitivity.CRITICAL,\n 'admin.revoke_capsule': IntentSensitivity.CRITICAL,\n 'admin.issue_node_cert': IntentSensitivity.CRITICAL,\n\n // NestFlow: Auth\n 'auth.web.login.request': IntentSensitivity.MEDIUM,\n 'auth.web.login.scan': IntentSensitivity.HIGH,\n\n // NestFlow: TickAuth\n 'tickauth.challenge.create': IntentSensitivity.MEDIUM,\n 'tickauth.challenge.fulfill': IntentSensitivity.HIGH,\n 'tickauth.challenge.reject': IntentSensitivity.MEDIUM,\n\n // NestFlow: Capsule issuance\n 'capsule.issue.login': IntentSensitivity.HIGH,\n 'capsule.issue.device_registration': IntentSensitivity.HIGH,\n 'capsule.issue.step_up': IntentSensitivity.HIGH,\n 'capsule.issue.recovery': IntentSensitivity.CRITICAL,\n\n // NestFlow: Session\n 'session.activate': IntentSensitivity.HIGH,\n 'session.refresh': IntentSensitivity.MEDIUM,\n 'session.logout': IntentSensitivity.LOW,\n\n // NestFlow: Device trust\n 'device.trust.request': IntentSensitivity.HIGH,\n 'device.trust.promote': IntentSensitivity.CRITICAL,\n 'device.revoke': IntentSensitivity.CRITICAL,\n 'device.list': IntentSensitivity.LOW,\n 'device.rename': IntentSensitivity.LOW,\n\n // NestFlow: Protected operations\n 'flow.publish': IntentSensitivity.MEDIUM,\n 'flow.delete': IntentSensitivity.HIGH,\n 'node.delete': IntentSensitivity.CRITICAL,\n 'secret.rotate': IntentSensitivity.CRITICAL,\n 'org.security.update': IntentSensitivity.CRITICAL,\n 'production.execution.approve': IntentSensitivity.CRITICAL,\n\n // NestFlow: Recovery\n 'identity.recovery.start': IntentSensitivity.CRITICAL,\n 'identity.recovery.complete': IntentSensitivity.CRITICAL,\n 'primary.device.rotate': IntentSensitivity.CRITICAL,\n 'identity.lock': IntentSensitivity.CRITICAL,\n 'identity.unlock': IntentSensitivity.CRITICAL,\n};\n\n/\n Classifies an intent's sensitivity level.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix wildcard match (realm.)\n 3. Default to MEDIUM\n /\nexport function classifyIntent(intent: string): IntentSensitivity {\n if (INTENT_SENSITIVITY_MAP[intent]) {\n return INTENT_SENSITIVITY_MAP[intent];\n }\n\n const realm = intent.split('.')[0];\n const wildcardKey = `${realm}.`;\n if (INTENT_SENSITIVITY_MAP[wildcardKey]) {\n return INTENT_SENSITIVITY_MAP[wildcardKey];\n }\n\n return IntentSensitivity.MEDIUM;\n}\n\n/*\n Returns the string name for a sensitivity level.\n /\nexport function sensitivityName(level: IntentSensitivity): string {\n switch (level) {\n case IntentSensitivity.LOW:\n return 'LOW';\n case IntentSensitivity.MEDIUM:\n return 'MEDIUM';\n case IntentSensitivity.HIGH:\n return 'HIGH';\n case IntentSensitivity.CRITICAL:\n return 'CRITICAL';\n }\n}\n","/\n AXIS Intent Timeout Configuration\n * Protocol-level per-intent execution time limits.\n /\n\n/\n Per-intent timeout configuration (milliseconds).\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_TIMEOUTS: Record<string, number> = {\n 'public.': 5000,\n 'schema.': 5000,\n 'catalog.': 5000,\n 'health.': 2000,\n\n 'file.upload': 60000,\n 'file.download': 60000,\n 'file.chunk': 30000,\n 'file.finalize': 30000,\n\n 'stream.': 30000,\n\n 'passport.': 15000,\n\n 'admin.': 30000,\n};\n\n/* Default timeout for unspecified intents /\nexport const DEFAULT_TIMEOUT = 10000;\n\n/\n Resolves the timeout for a given intent.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix pattern match (e.g. 'file.')\n 3. DEFAULT_TIMEOUT\n /\nexport function resolveTimeout(intent: string): number {\n if (INTENT_TIMEOUTS[intent]) {\n return INTENT_TIMEOUTS[intent];\n }\n\n for (const [pattern, timeout] of Object.entries(INTENT_TIMEOUTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1);\n if (intent.startsWith(prefix)) {\n return timeout;\n }\n }\n }\n\n return DEFAULT_TIMEOUT;\n}\n","/*\n AXIS Frame Shape Validator\n * Validates structural integrity of AXIS frames before cryptographic verification.\n /\n\n/\n Validates that a value has the structural shape of an AXIS Frame.\n * Checks version, required string fields, timestamp, signature envelope, and body.\n \n Note: This validates the JSON-level frame shape (v1 packet format).\n * For binary frame validation, use decodeFrame() which throws on malformed input.\n /\nexport function validateFrameShape(frame: any): boolean {\n if (!frame \|\| typeof frame !== 'object') {\n return false;\n }\n\n if (frame.v !== 1) {\n return false;\n }\n\n const requiredStrings = ['pid', 'nonce', 'actorId', 'opcode'];\n for (const key of requiredStrings) {\n if (typeof frame[key] !== 'string' \|\| frame[key].length < 6) {\n return false;\n }\n }\n\n if (typeof frame.ts !== 'number' \|\| !Number.isFinite(frame.ts)) {\n return false;\n }\n\n if (\n frame.aud !== undefined &&\n (typeof frame.aud !== 'string' \|\| frame.aud.length === 0)\n ) {\n return false;\n }\n\n if (!frame.sig \|\| typeof frame.sig !== 'object') {\n return false;\n }\n\n if (frame.sig.alg !== 'EdDSA') {\n return false;\n }\n\n if (typeof frame.sig.kid !== 'string' \|\| frame.sig.kid.length < 8) {\n return false;\n }\n\n if (typeof frame.sig.value !== 'string' \|\| frame.sig.value.length < 32) {\n return false;\n }\n\n if (typeof frame.body !== 'object' \|\| frame.body === null) {\n return false;\n }\n\n return true;\n}\n\n/\n Validates timestamp is within acceptable skew window.\n /\nexport function isTimestampValid(\n ts: number,\n skewSeconds: number = 120,\n): boolean {\n const now = Math.floor(Date.now() / 1000);\n const diff = Math.abs(now - ts);\n return diff <= skewSeconds;\n}\n","import { Inject, Injectable, Logger, Optional } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame, getSignTarget } from '../core/axis-bin';\nimport { decodeVarint, encodeVarint } from '../core/varint';\nimport { Handler } from '../decorators/handler.decorator';\nimport { Intent } from '../decorators/intent.decorator';\nimport { AxisHandler } from '../interfaces/axis-handler.interface';\nimport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from './upload.tokens';\nimport {\n UploadFileStore,\n UploadReceiptSigner,\n UploadSessionStore,\n} from './upload.types';\n\n@Handler('axis.files.download')\n@Injectable()\nexport class AxisFilesDownloadHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesDownloadHandler.name);\n\n readonly name = 'axis.files.download';\n readonly open = true;\n readonly description = 'File download handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n ) {}\n\n @Intent('file.download', { absolute: true, kind: 'read' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const h = headers;\n if (!h) throw new Error('MISSING_HEADERS');\n\n const uploadIdBytes = h.get(20);\n if (!uploadIdBytes) throw new Error('MISSING_UPLOAD_ID');\n const uploadId = new TextDecoder().decode(uploadIdBytes);\n\n let rangeStart = 0;\n let rangeLen = -1;\n\n const startBytes = h.get(21);\n if (startBytes) {\n const { value } = decodeVarint(startBytes);\n rangeStart = value;\n }\n\n const lenBytes = h.get(22);\n if (lenBytes) {\n const { value } = decodeVarint(lenBytes);\n rangeLen = value;\n }\n\n const session = await this.sessions.findByFileId(uploadId);\n if (!session) {\n throw new Error(`SESSION_NOT_FOUND: ${uploadId}`);\n }\n\n if (session.status !== 'COMPLETE') {\n throw new Error(`FILE_NOT_READY: Status is ${session.status}`);\n }\n\n const stat = await this.files.statFinal(\n uploadId,\n session.filename,\n );\n const fileSize = stat.size;\n\n if (rangeStart < 0) rangeStart = 0;\n if (rangeStart >= fileSize) throw new Error('RANGE_OUT_OF_BOUNDS');\n\n let end = fileSize;\n if (rangeLen >= 0) {\n end = Math.min(rangeStart + rangeLen, fileSize);\n }\n\n const actualLen = end - rangeStart;\n const buffer = await this.files.readFinalRange(\n uploadId,\n session.filename,\n rangeStart,\n actualLen,\n );\n\n const responseHeaders = new Map<number, Uint8Array>();\n responseHeaders.set(30, encodeVarint(fileSize));\n responseHeaders.set(31, encodeVarint(rangeStart));\n responseHeaders.set(32, encodeVarint(actualLen));\n\n return {\n ok: true,\n effect: 'FILE_PART',\n body: buffer,\n headers: responseHeaders,\n };\n }\n}\n\n@Handler('axis.files.finalize')\n@Injectable()\nexport class AxisFilesFinalizeHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesFinalizeHandler.name);\n\n readonly name = 'axis.files.finalize';\n readonly open = false;\n readonly description = 'File upload finalization handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n @Optional()\n @Inject(AXIS_UPLOAD_RECEIPT_SIGNER)\n private readonly keyring?: UploadReceiptSigner,\n ) {}\n\n @Intent('file.finalize', { absolute: true, kind: 'action' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const bodyStr = new TextDecoder().decode(body);\n const req = JSON.parse(bodyStr);\n\n const { fileId, expectedHash } = req;\n if (!fileId) throw new Error('MISSING_FILE_ID');\n\n const session = await this.sessions.findByFileId(fileId);\n if (!session) throw new Error('SESSION_NOT_FOUND');\n\n if (!(await this.files.hasTemp(fileId))) {\n throw new Error('CHUNKS_NOT_FOUND');\n }\n\n const hash = crypto.createHash('sha256');\n const rs = this.files.createTempReadStream(fileId);\n for await (const chunk of rs) {\n hash.update(chunk as Buffer);\n }\n const finalHash = hash.digest('hex');\n\n if (expectedHash && finalHash !== expectedHash) {\n throw new Error('HASH_MISMATCH');\n }\n\n const finalPath = await this.files.moveTempToFinal(\n fileId,\n session.filename,\n );\n\n await this.sessions.updateStatus(fileId, 'COMPLETE', null);\n\n if (!this.keyring) {\n this.logger.warn('Receipt signer not configured; returning unsigned receipt');\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n body: new TextEncoder().encode(\n JSON.stringify({\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n path: finalPath,\n }),\n ),\n };\n }\n\n const receiptData = {\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n };\n\n const receiptJson = JSON.stringify(receiptData);\n const receiptBody = new TextEncoder().encode(receiptJson);\n\n const SIG_PRESENT = 0x01;\n const responseFrame: AxisFrame = {\n flags: SIG_PRESENT,\n headers: new Map(),\n body: receiptBody,\n sig: new Uint8Array(0),\n };\n\n const signTarget = getSignTarget(responseFrame);\n const { sig, kid } = this.keyring.signActive(signTarget);\n responseFrame.sig = sig;\n\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n data: encodeFrame(responseFrame),\n headers: new Map([[1, new TextEncoder().encode(kid)]]),\n };\n }\n}\n","export const AXIS_UPLOAD_SESSION_STORE = 'AXIS_UPLOAD_SESSION_STORE';\nexport const AXIS_UPLOAD_FILE_STORE = 'AXIS_UPLOAD_FILE_STORE';\nexport const AXIS_UPLOAD_RECEIPT_SIGNER = 'AXIS_UPLOAD_RECEIPT_SIGNER';\n","import * as fs from 'fs';\nimport * as path from 'path';\n\nimport { UploadFileStat, UploadFileStore } from './upload.types';\n\nexport interface DiskUploadFileStoreOptions {\n uploadDir: string;\n chunkDir: string;\n}\n\nexport class DiskUploadFileStore implements UploadFileStore {\n private readonly uploadDir: string;\n private readonly chunkDir: string;\n\n constructor(options: DiskUploadFileStoreOptions) {\n this.uploadDir = options.uploadDir;\n this.chunkDir = options.chunkDir;\n }\n\n getFinalPath(fileId: string, filename?: string): string {\n const safeFilename = filename ? path.basename(filename) : fileId;\n return path.join(this.uploadDir, safeFilename);\n }\n\n getTempPath(fileId: string): string {\n const safeId = path.basename(fileId);\n return path.join(this.chunkDir, safeId);\n }\n\n async statFinal(\n fileId: string,\n filename?: string,\n ): Promise<UploadFileStat> {\n const finalPath = this.getFinalPath(fileId, filename);\n if (!fs.existsSync(finalPath)) {\n throw new Error('FILE_MISSING_ON_DISK');\n }\n const stat = fs.statSync(finalPath);\n return { path: finalPath, size: stat.size };\n }\n\n async readFinalRange(\n fileId: string,\n filename: string \| undefined,\n start: number,\n length: number,\n ): Promise<Buffer> {\n const finalPath = this.getFinalPath(fileId, filename);\n const buffer = Buffer.alloc(length);\n const fd = fs.openSync(finalPath, 'r');\n try {\n fs.readSync(fd, buffer, 0, length, start);\n } finally {\n fs.closeSync(fd);\n }\n return buffer;\n }\n\n async hasTemp(fileId: string): Promise<boolean> {\n const tempPath = this.getTempPath(fileId);\n return fs.existsSync(tempPath);\n }\n\n async moveTempToFinal(\n fileId: string,\n filename?: string,\n ): Promise<string> {\n const tempPath = this.getTempPath(fileId);\n const finalPath = this.getFinalPath(fileId, filename);\n\n try {\n await fs.promises.rename(tempPath, finalPath);\n } catch {\n await fs.promises.copyFile(tempPath, finalPath);\n await fs.promises.unlink(tempPath);\n }\n\n return finalPath;\n }\n\n createTempReadStream(fileId: string): NodeJS.ReadableStream {\n const tempPath = this.getTempPath(fileId);\n return fs.createReadStream(tempPath);\n }\n}\n","export * from './constants';\nexport * from './varint';\nexport * from './tlv';\nexport * from './axis-bin';\nexport * from './signature';\nexport * from './axis-error';\n","export class AxisError extends Error {\n constructor(\n public code: string,\n message: string,\n public httpStatus: number = 400,\n public details?: Record<string, any>,\n ) {\n super(message);\n this.name = 'AxisError';\n }\n}\n","export * from './b64url';\nexport * from './canonical-json';\nexport * from './types';\nexport * from './proof-verification.service';\n","import { Injectable, Logger } from '@nestjs/common';\nimport * as crypto from 'crypto';\nimport * as nacl from 'tweetnacl';\n\n/*\n Proof Verification Service\n \n Verifies proof types according to AXIS spec:\n * - CAPSULE (1): Capability token verification\n * - JWT (2): JSON Web Token verification\n * - MTLS_ID (3): mTLS client certificate verification\n * - DEVICE_SE (4): Device Secure Element signature verification\n \n Related: AXIS spec - Proof Types\n /\n\nexport type ProofType = 1 \| 2 \| 3 \| 4; // CAPSULE, JWT, MTLS_ID, DEVICE_SE\n\nexport interface ProofVerificationResult {\n valid: boolean;\n actorId?: string;\n error?: string;\n metadata?: Record<string, any>;\n}\n\nexport interface MTLSContext {\n clientCertPem?: string;\n clientCertFingerprint?: string;\n clientCertSubject?: string;\n clientCertIssuer?: string;\n verified?: boolean;\n}\n\nexport interface DeviceSEContext {\n deviceId: string;\n signature: Uint8Array;\n publicKey: Uint8Array;\n challenge?: Uint8Array;\n}\n\n@Injectable()\nexport class ProofVerificationService {\n private readonly logger = new Logger(ProofVerificationService.name);\n\n // Cache of registered device public keys (deviceId -> pubKey)\n private readonly deviceKeys = new Map<string, Uint8Array>();\n\n // Cache of trusted mTLS certificate fingerprints\n private readonly trustedCerts = new Map<\n string,\n { actorId: string; issuedAt: number }\n >();\n\n /\n Verifies an authentication proof based on its type.\n \n Supported Types:\n * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`\n * - 2 (JWT): Verified by `verifyJWTProof`\n * - 3 (MTLS_ID): Verified by `verifyMTLSProof`\n * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`\n \n @param {ProofType} proofType - The numeric AXIS proof type\n * @param {Uint8Array} proofRef - The binary reference or token for the proof\n * @param {Object} context - Additional metadata required for specific proof types\n * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)\n * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)\n * @param {MTLSContext} [context.mtls] - mTLS certificate data\n * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information\n * @returns {Promise<ProofVerificationResult>} The outcome of the verification\n /\n async verifyProof(\n proofType: ProofType,\n proofRef: Uint8Array,\n context: {\n signTarget?: Uint8Array;\n signature?: Uint8Array;\n mtls?: MTLSContext;\n deviceSE?: DeviceSEContext;\n },\n ): Promise<ProofVerificationResult> {\n switch (proofType) {\n case 1: // CAPSULE\n return this.verifyCapsuleProof(proofRef);\n case 2: // JWT\n return this.verifyJWTProof(proofRef);\n case 3: // MTLS_ID\n return this.verifyMTLSProof(context.mtls);\n case 4: // DEVICE_SE\n return this.verifyDeviceSEProof(\n context.signTarget,\n context.signature,\n context.deviceSE,\n );\n default:\n return { valid: false, error: `Unknown proof type: ${proofType}` };\n }\n }\n\n /\n Verify CAPSULE proof (delegated to CapsuleService)\n /\n private async verifyCapsuleProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n // Capsule verification is handled by CapsuleService\n // This is a pass-through that returns valid to signal capsule processing\n const capsuleId = new TextDecoder().decode(proofRef);\n return {\n valid: true,\n metadata: { capsuleId, requiresCapsuleValidation: true },\n };\n }\n\n /\n Verifies a JSON Web Token (JWT) proof.\n \n Validation Logic:\n * 1. Decodes the token string.\n * 2. Checks for valid 3-part JWT structure.\n * 3. Validates `exp` (expiration) and `nbf` (not before) claims.\n * 4. Extracts `actor_id` or `sub` as the identity.\n \n @param {Uint8Array} proofRef - Binary representation of the JWT string\n * @returns {Promise<ProofVerificationResult>} Result including the actor identifier\n /\n private async verifyJWTProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n try {\n const token = new TextDecoder().decode(proofRef);\n const parts = token.split('.');\n\n if (parts.length !== 3) {\n return { valid: false, error: 'Invalid JWT format' };\n }\n\n // Decode header and payload\n const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());\n const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());\n\n // Check expiration\n if (payload.exp && Date.now() / 1000 > payload.exp) {\n return { valid: false, error: 'JWT expired' };\n }\n\n // Check not before\n if (payload.nbf && Date.now() / 1000 < payload.nbf) {\n return { valid: false, error: 'JWT not yet valid' };\n }\n\n // For production: verify signature against known keys\n // For now, we trust the JWT if it has valid structure and timing\n return {\n valid: true,\n actorId: payload.sub \|\| payload.actor_id,\n metadata: { iss: payload.iss, scope: payload.scope },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return { valid: false, error: `JWT parse error: ${message}` };\n }\n }\n\n /\n Verify mTLS client certificate proof\n /\n private async verifyMTLSProof(\n mtls?: MTLSContext,\n ): Promise<ProofVerificationResult> {\n if (!mtls) {\n return { valid: false, error: 'No mTLS context provided' };\n }\n\n // Check if connection was verified by TLS layer\n if (!mtls.verified) {\n return { valid: false, error: 'mTLS not verified by TLS terminator' };\n }\n\n // Check certificate fingerprint against trusted list\n if (mtls.clientCertFingerprint) {\n const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);\n if (trusted) {\n return {\n valid: true,\n actorId: trusted.actorId,\n metadata: {\n fingerprint: mtls.clientCertFingerprint,\n subject: mtls.clientCertSubject,\n },\n };\n }\n }\n\n // Extract actor ID from certificate subject (CN field)\n if (mtls.clientCertSubject) {\n const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);\n if (cnMatch) {\n return {\n valid: true,\n actorId: cnMatch[1],\n metadata: {\n subject: mtls.clientCertSubject,\n issuer: mtls.clientCertIssuer,\n },\n };\n }\n }\n\n return { valid: false, error: 'Could not extract actor from certificate' };\n }\n\n /\n Verify Device Secure Element signature\n /\n private async verifyDeviceSEProof(\n signTarget?: Uint8Array,\n signature?: Uint8Array,\n deviceSE?: DeviceSEContext,\n ): Promise<ProofVerificationResult> {\n if (!deviceSE \|\| !signTarget \|\| !signature) {\n return { valid: false, error: 'Missing Device SE context' };\n }\n\n // Get registered public key for device\n let publicKey = deviceSE.publicKey;\n\n // If device is pre-registered, use registered key\n const registeredKey = this.deviceKeys.get(deviceSE.deviceId);\n if (registeredKey) {\n publicKey = registeredKey;\n }\n\n if (!publicKey \|\| publicKey.length !== 32) {\n return {\n valid: false,\n error: 'Invalid or unregistered device public key',\n };\n }\n\n // Verify Ed25519 signature\n try {\n const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);\n\n if (!valid) {\n return { valid: false, error: 'Device signature verification failed' };\n }\n\n return {\n valid: true,\n actorId: deviceSE.deviceId,\n metadata: { deviceId: deviceSE.deviceId, proofType: 'DEVICE_SE' },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return {\n valid: false,\n error: `Signature verification error: ${message}`,\n };\n }\n }\n\n /\n Registers a public key for a trusted device.\n * This key will be used for future `DEVICE_SE` proof verifications.\n \n @param {string} deviceId - Unique identifier for the device\n * @param {Uint8Array} publicKey - 32-byte Ed25519 public key\n * @throws {Error} If the public key is not 32 bytes\n /\n registerDeviceKey(deviceId: string, publicKey: Uint8Array): void {\n if (publicKey.length !== 32) {\n throw new Error('Device public key must be 32 bytes (Ed25519)');\n }\n this.deviceKeys.set(deviceId, publicKey);\n this.logger.log(`Registered device key for ${deviceId}`);\n }\n\n /\n Unregister a device\n /\n unregisterDevice(deviceId: string): boolean {\n return this.deviceKeys.delete(deviceId);\n }\n\n /\n Registers a trusted mTLS certificate fingerprint and associates it with an actor.\n \n @param {string} fingerprint - SHA-256 fingerprint of the client certificate\n * @param {string} actorId - The actor to associate with this certificate\n /\n registerMTLSCert(fingerprint: string, actorId: string): void {\n this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });\n this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);\n }\n\n /\n Revoke an mTLS certificate\n /\n revokeMTLSCert(fingerprint: string): boolean {\n return this.trustedCerts.delete(fingerprint);\n }\n\n /\n Calculate certificate fingerprint (SHA-256)\n /\n static calculateFingerprint(certPem: string): string {\n // Extract DER from PEM\n const der = Buffer.from(\n certPem\n .replace(/-----BEGIN CERTIFICATE-----/, '')\n .replace(/-----END CERTIFICATE-----/, '')\n .replace(/\\s/g, ''),\n 'base64',\n );\n return crypto.createHash('sha256').update(der).digest('hex');\n }\n}\n","export from './axis-request.decorator';\nexport * from './dto-schema.util';\nexport * from './handler.decorator';\nexport * from './intent-body.decorator';\nexport * from './intent-sensors.decorator';\nexport * from './intent.decorator';\nexport * from './sensor.decorator';\nexport * from './tlv-field.decorator';\n","import { createParamDecorator, ExecutionContext } from '@nestjs/common';\nimport { Request } from 'express';\nimport type { AxisDecoded } from '../engine/axis-decoded';\n\n/*\n Shape of the AXIS-specific data attached to the request by AxisSensorsMiddleware.\n /\nexport interface AxisRequestData {\n /* Raw binary frame body (full buffer after streaming) /\n raw: Buffer;\n /* Resolved client IP address /\n ip: string \| undefined;\n /* Pre-decode sensor context (risk score, metadata) /\n preDecodeInput: any;\n /* Total frame bytes received /\n frameBytesCount: number;\n}\n\n/\n Resolves the client IP from request headers, respecting common proxy headers.\n /\nfunction resolveIp(req: Request): string \| undefined {\n return (\n (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() \|\|\n (req.headers['x-real-ip'] as string) \|\|\n req.socket.remoteAddress \|\|\n undefined\n );\n}\n\n/\n @AxisRaw() — Extracts the raw binary Buffer from an AXIS request.\n \n Equivalent to NestJS `@Body()` but for the AXIS binary protocol.\n * The buffer has already passed streaming validation (magic bytes, size limits)\n * via AxisSensorsMiddleware before reaching the controller.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisRaw() raw: Buffer) {\n * return this.axis.process(raw, { ... });\n * }\n * ```\n /\nexport const AxisRaw = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): Buffer => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.body as Buffer;\n },\n);\n\n/\n @AxisIp() — Extracts the resolved client IP address.\n \n Checks `x-forwarded-for`, `x-real-ip`, and `socket.remoteAddress` in order.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisIp() ip: string \| undefined) { ... }\n * ```\n /\nexport const AxisIp = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return resolveIp(req);\n },\n);\n\n/\n @AxisContext() — Extracts the full AXIS request context.\n \n Returns the pre-decode sensor input and frame metadata attached by\n * AxisSensorsMiddleware. Useful when a controller needs risk scores or\n * other pre-decode metadata.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisContext() ctx: AxisRequestData) {\n * console.log(ctx.frameBytesCount, ctx.preDecodeInput.metadata.riskScore);\n * }\n * ```\n /\nexport const AxisContext = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisRequestData => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const axisData = (req as any).axis \|\| {};\n return {\n raw: req.body as Buffer,\n ip: resolveIp(req),\n preDecodeInput: axisData.preDecodeInput,\n frameBytesCount: axisData.frameBytesCount \|\| 0,\n };\n },\n);\n\n/\n @AxisDemoPubkey() — Extracts the demo public key header (development only).\n \n Returns `undefined` in non-development environments, blocking the header\n * at the decorator level.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisDemoPubkey() demoPubkeyHex: string \| undefined) { ... }\n * ```\n /\nexport const AxisDemoPubkey = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n if (process.env.NODE_ENV !== 'development') return undefined;\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.headers['x-demo-pubkey'] as string \| undefined;\n },\n);\n\n/\n @AxisFrame() — Extracts the decoded + validated AXIS frame from the request.\n \n Requires `AxisDecodeInterceptor` to be applied to the route/controller.\n * The interceptor calls `AxisService.decode()` and attaches the result to `req.axisDecoded`.\n \n Returns the full `AxisDecoded` object containing the decoded frame, packet,\n * AxisContext, sensor input, and correlation IDs.\n \n @example\n * ```typescript\n * @Post('v1/decoded')\n * @UseInterceptors(AxisDecodeInterceptor)\n * async handle(@AxisFrame() decoded: AxisDecoded) {\n * return this.axis.execute(decoded);\n * }\n * ```\n /\nexport const AxisFrame = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisDecoded => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const decoded = (req as any).axisDecoded as AxisDecoded \| undefined;\n if (!decoded) {\n throw new Error(\n '@AxisFrame() requires AxisDecodeInterceptor on the route. ' +\n 'Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator.',\n );\n }\n return decoded;\n },\n);\n","import { SetMetadata } from '@nestjs/common';\n\nexport const SENSOR_METADATA_KEY = 'axis:sensor';\n\nexport type SensorPhase = 'PRE_DECODE' \| 'POST_DECODE';\n\nexport interface SensorOptions {\n /* Explicit phase override. If omitted, auto-derived from order at bootstrap. /\n phase?: SensorPhase;\n}\n\n/\n Marks a class as an AXIS sensor for auto-registration.\n \n The SensorDiscoveryService finds all @Sensor() classes at bootstrap\n * and registers them with the SensorRegistry automatically.\n \n Sensors still declare `name`, `order`, `supports()`, and `run()` as\n * instance members. The decorator replaces manual `registry.register(this)`\n * in `onModuleInit()`.\n \n Phase can be set explicitly via options or auto-derived from order:\n * < PRE_DECODE_BOUNDARY (40) = PRE_DECODE, >= 40 = POST_DECODE.\n \n @example\n * ```typescript\n * @Sensor({ phase: 'PRE_DECODE' })\n * @Injectable()\n * export class WireSensor implements AxisSensor {\n * readonly name = 'WireSensor';\n * readonly order = BAND.WIRE + 10;\n * }\n \n @Sensor() // phase auto-derived as POST_DECODE\n * @Injectable()\n * export class PolicySensor implements AxisSensor {\n * readonly name = 'PolicySensor';\n * readonly order = BAND.POLICY + 10;\n * }\n * ```\n /\nexport function Sensor(options?: SensorOptions): ClassDecorator {\n return SetMetadata(SENSOR_METADATA_KEY, options ?? true);\n}\n","export from './axis-decoded';\nexport * from './axis-observation';\nexport * from './handler-discovery.service';\nexport * from './intent.router';\nexport * from './sensor-bands';\nexport * from './sensor-discovery.service';\nexport * from './registry/sensor.registry';\nexport * as observation from './observation';\n","import { randomBytes } from 'crypto';\n\n/* ─── Stage ─── /\n\nexport interface ObservationStage {\n name: string;\n status: 'ok' \| 'fail' \| 'skip';\n startMs: number;\n endMs?: number;\n durationMs?: number;\n reason?: string;\n code?: string;\n}\n\n/ ─── Sensor Record ─── /\n\nexport interface ObservationSensor {\n name: string;\n allowed: boolean;\n riskScore: number;\n durationMs: number;\n reasons: string[];\n code?: string;\n}\n\n/ ─── Observation (the execution witness) ─── /\n\nexport interface AxisObservation {\n /* Correlation ID (hex) /\n id: string;\n /* High-res start timestamp /\n startMs: number;\n /* Transport origin /\n transport: 'http' \| 'ws';\n /* Client IP /\n ip?: string;\n /* Resolved intent /\n intent?: string;\n /* Actor ID (hex) /\n actorId?: string;\n /* Capsule ID /\n capsuleId?: string;\n\n /* Pipeline stages with timing /\n stages: ObservationStage[];\n /* Individual sensor decisions /\n sensors: ObservationSensor[];\n\n /* Final decision /\n decision?: 'ALLOW' \| 'DENY';\n /* Machine-readable result code /\n resultCode?: string;\n /* HTTP status code /\n statusCode?: number;\n\n /* End timestamp /\n endMs?: number;\n /* Total duration /\n durationMs?: number;\n\n /* Extensible facts for downstream (receipt builder, audit, etc.) /\n facts: Record<string, unknown>;\n}\n\n/ ─── Factory ─── /\n\nexport function createObservation(\n transport: 'http' \| 'ws',\n ip?: string,\n): AxisObservation {\n return {\n id: randomBytes(16).toString('hex'),\n startMs: Date.now(),\n transport,\n ip,\n stages: [],\n sensors: [],\n facts: {},\n };\n}\n\n/ ─── Stage helpers ─── /\n\nexport function startStage(\n obs: AxisObservation,\n name: string,\n): ObservationStage {\n const stage: ObservationStage = { name, status: 'ok', startMs: Date.now() };\n obs.stages.push(stage);\n return stage;\n}\n\nexport function endStage(\n stage: ObservationStage,\n status: 'ok' \| 'fail' \| 'skip' = 'ok',\n reason?: string,\n code?: string,\n): void {\n stage.endMs = Date.now();\n stage.durationMs = stage.endMs - stage.startMs;\n stage.status = status;\n if (reason) stage.reason = reason;\n if (code) stage.code = code;\n}\n\n/ ─── Sensor recording (called by chain service) ─── /\n\nexport function recordSensor(\n obs: AxisObservation,\n name: string,\n allowed: boolean,\n riskScore: number,\n durationMs: number,\n reasons: string[],\n code?: string,\n): void {\n obs.sensors.push({ name, allowed, riskScore, durationMs, reasons, code });\n}\n\n/ ─── Finalize ─── /\n\nexport function finalizeObservation(\n obs: AxisObservation,\n decision: 'ALLOW' \| 'DENY',\n statusCode: number,\n resultCode?: string,\n): void {\n obs.endMs = Date.now();\n obs.durationMs = obs.endMs - obs.startMs;\n obs.decision = decision;\n obs.statusCode = statusCode;\n if (resultCode) obs.resultCode = resultCode;\n}\n","import { Injectable, Logger, OnModuleInit } from '@nestjs/common';\nimport { DiscoveryService, MetadataScanner } from '@nestjs/core';\n\nimport { HANDLER_METADATA_KEY } from '../decorators/handler.decorator';\nimport { INTENT_METADATA_KEY } from '../decorators/intent.decorator';\nimport { IntentRouter } from './intent.router';\n\n/\n HandlerDiscoveryService\n \n Automatically discovers all `@Handler`-decorated classes at bootstrap\n * and registers their `@Intent`-decorated methods with the IntentRouter.\n \n This eliminates the need for every handler to inject IntentRouter and\n * manually call `router.register()` or `router.registerHandler()` in onModuleInit.\n \n Before (manual, per-handler boilerplate):\n * ```typescript\n * onModuleInit() {\n * this.router.register('axis.capsules.create', this.create.bind(this));\n * this.router.register('axis.capsules.list', this.findAll.bind(this));\n * // ... repeated for every intent in every handler\n * }\n * ```\n \n After (zero-config):\n * ```typescript\n * @Handler('axis.capsules')\n * export class AxisCapsulesHandler {\n * @Intent('axis.capsules.create', { absolute: true })\n * async create(body: Uint8Array) { ... }\n * }\n * // That's it — no onModuleInit, no router injection\n * ```\n /\n@Injectable()\nexport class HandlerDiscoveryService implements OnModuleInit {\n private readonly logger = new Logger(HandlerDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly scanner: MetadataScanner,\n private readonly router: IntentRouter,\n ) {}\n\n onModuleInit() {\n const providers = this.discovery.getProviders();\n let totalIntents = 0;\n\n for (const wrapper of providers) {\n const { instance, metatype } = wrapper;\n if (!instance \|\| !metatype) continue;\n\n // Check if the class has @Handler metadata\n const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);\n if (!handlerMeta) continue;\n\n const handlerName = handlerMeta.intent \|\| metatype.name;\n const proto = Object.getPrototypeOf(instance);\n const methods = this.scanner.getAllMethodNames(proto);\n let registered = 0;\n\n for (const methodName of methods) {\n const meta = Reflect.getMetadata(\n INTENT_METADATA_KEY,\n proto,\n methodName,\n );\n if (!meta?.intent) continue;\n\n // Only auto-register if the router doesn't already have this intent\n // (allows manual registration in onModuleInit to take precedence)\n if (!this.router.has(meta.intent)) {\n this.router.register(\n meta.intent,\n (instance as any)[methodName].bind(instance),\n );\n registered++;\n totalIntents++;\n }\n\n // Always register metadata (@IntentBody, @IntentSensors) —\n // even for manually-registered intents\n this.router.registerIntentMeta(meta.intent, proto, methodName);\n }\n\n if (registered > 0) {\n this.logger.log(\n `Auto-registered ${registered} intents from ${handlerName}`,\n );\n }\n }\n\n this.logger.log(\n `Handler discovery complete: ${totalIntents} intents auto-registered`,\n );\n }\n}\n","/\n Sensor Execution Bands\n \n Semantic groupings for the AXIS sensor chain.\n * Each band has 50–100 slots for ordering sensors within it.\n \n WIRE (0–39): Raw bytes, no decode. PRE_DECODE phase.\n * IDENTITY (40–89): Who is this? IP, access, proof, capsule. POST_DECODE.\n * POLICY (90–139): Are they allowed? Sig, capability, rate limit. POST_DECODE.\n * CONTENT (140–199): What's in the frame? TLV, body, schema, files. POST_DECODE.\n * BUSINESS (200–299): Business context. Stream, WS, timeout. POST_DECODE.\n * AUDIT (900+): Finalization, logging. POST_DECODE.\n /\nexport const BAND = {\n /* Pre-decode: raw byte validation, geo, budget, magic /\n WIRE: 0,\n /* Post-decode: identity resolution, capsule, proof /\n IDENTITY: 40,\n /* Post-decode: authorization, signature, rate limiting /\n POLICY: 90,\n /* Post-decode: content validation, TLV, schema, files /\n CONTENT: 140,\n /* Post-decode: business logic sensors, streams, WS /\n BUSINESS: 200,\n /* Post-decode: audit, logging (always last) /\n AUDIT: 900,\n} as const;\n\nexport type SensorBand = keyof typeof BAND;\n\n/* Sensors with order below this boundary run in PRE_DECODE phase (middleware) /\nexport const PRE_DECODE_BOUNDARY = 40;\n","import { Injectable, Logger, OnApplicationBootstrap } from '@nestjs/common';\nimport { DiscoveryService, Reflector } from '@nestjs/core';\n\nimport {\n SENSOR_METADATA_KEY,\n SensorOptions,\n} from '../decorators/sensor.decorator';\nimport { SensorRegistry } from './registry/sensor.registry';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { PRE_DECODE_BOUNDARY } from './sensor-bands';\n\n/\n Discovers all providers decorated with @Sensor() and registers them\n * in the SensorRegistry at application bootstrap.\n \n Runs after all onModuleInit() calls, so config-reading sensors\n * have their settings loaded before registration.\n /\n@Injectable()\nexport class SensorDiscoveryService implements OnApplicationBootstrap {\n private readonly logger = new Logger(SensorDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly reflector: Reflector,\n private readonly registry: SensorRegistry,\n ) {}\n\n onApplicationBootstrap() {\n const providers = this.discovery.getProviders();\n let count = 0;\n\n for (const wrapper of providers) {\n const { instance } = wrapper;\n if (!instance \|\| !instance.constructor) continue;\n\n const meta = this.reflector.get<SensorOptions \| true>(\n SENSOR_METADATA_KEY,\n instance.constructor,\n );\n if (!meta) continue;\n\n const sensor = instance as AxisSensor;\n\n if (!sensor.name \|\| sensor.order === undefined) {\n this.logger.warn(\n `@Sensor() on ${instance.constructor.name} missing name or order — skipped`,\n );\n continue;\n }\n\n // Phase priority: decorator option > instance property > auto-derive from order\n if (!sensor.phase) {\n const decoratorPhase = meta !== true ? meta.phase : undefined;\n (sensor as any).phase =\n decoratorPhase ??\n (sensor.order < PRE_DECODE_BOUNDARY ? 'PRE_DECODE' : 'POST_DECODE');\n }\n\n this.registry.register(sensor);\n count++;\n }\n\n this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport {\n AxisSensor,\n AxisPreSensor,\n AxisPostSensor,\n} from '../../sensor/axis-sensor';\n\n/\n AxisSensor Registry\n \n A central registry for all AXIS security sensors.\n * Sensors register themselves here during module initialization (onModuleInit).\n * The registry provides a list of sensors sorted by their execution priority (order).\n \n Supports phase-based filtering to separate pre-decode (middleware) from\n * post-decode (controller) sensors.\n \n PHASE SEPARATION:\n * - Pre-decode (order < 40): Run in middleware on raw bytes\n * - Post-decode (order >= 40): Run in controller on decoded frame\n \n @class SensorRegistry\n * @injectable\n /\n@Injectable()\nexport class SensorRegistry {\n private sensors: AxisSensor[] = [];\n private readonly logger = new Logger(SensorRegistry.name);\n\n constructor(private readonly configService: ConfigService) {}\n\n /\n Registers a new sensor in the registry.\n \n Validates that:\n * - AxisSensor has a unique name\n * - AxisSensor has an order field\n * - Pre-decode sensors have order < 40\n * - Post-decode sensors have order >= 40\n \n @param {AxisSensor} sensor - The sensor instance to register\n * @throws Error if validation fails\n /\n register(sensor: AxisSensor): void {\n // Validation\n if (!sensor.name) {\n throw new Error('AxisSensor must have a name');\n }\n\n // Check environment variables for filtering\n const enabledSensorsStr = this.configService.get<string>('ENABLED_SENSORS');\n const disabledSensorsStr =\n this.configService.get<string>('DISABLED_SENSORS');\n\n const enabledSensors = enabledSensorsStr\n ? enabledSensorsStr.split(',').map((s) => s.trim())\n : null;\n const disabledSensors = disabledSensorsStr\n ? disabledSensorsStr.split(',').map((s) => s.trim())\n : [];\n\n if (enabledSensors && !enabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (disabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (sensor.order === undefined) {\n throw new Error(`AxisSensor \"${sensor.name}\" must have an order field`);\n }\n\n // Check for phase consistency\n const isPreDecodeSensor = this.isPreDecodeSensor(sensor);\n const isPostDecodeSensor = this.isPostDecodeSensor(sensor);\n\n if (isPreDecodeSensor && sensor.order >= 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`,\n );\n }\n if (isPostDecodeSensor && sensor.order < 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`,\n );\n }\n\n this.sensors.push(sensor);\n const phaseLabel =\n typeof sensor.phase === 'string'\n ? sensor.phase\n : sensor.phase?.phase \|\| 'UNKNOWN';\n this.logger.debug(\n `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`,\n );\n }\n\n /\n Returns all registered sensors, sorted by their execution order.\n \n @returns {AxisSensor[]} A sorted array of sensors\n /\n list(): AxisSensor[] {\n return [...this.sensors].sort(\n (a, b) => (a.order ?? 999) - (b.order ?? 999),\n );\n }\n\n /\n Returns only pre-decode sensors (order < 40).\n * These sensors run in middleware on raw bytes before frame decoding.\n \n @returns {AxisPreSensor[]} Pre-decode sensors sorted by order\n /\n getPreDecodeSensors(): AxisPreSensor[] {\n return this.list().filter((s): s is AxisPreSensor => (s.order ?? 999) < 40);\n }\n\n /\n Returns only post-decode sensors (order >= 40).\n * These sensors run in the controller on fully decoded frames.\n \n @returns {AxisPostSensor[]} Post-decode sensors sorted by order\n /\n getPostDecodeSensors(): AxisPostSensor[] {\n return this.list().filter(\n (s): s is AxisPostSensor => (s.order ?? 999) >= 40,\n );\n }\n\n /\n Helper: Check if a sensor is a pre-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is pre-decode\n /\n private isPreDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'PRE_DECODE' \|\| (sensor.order ?? 999) < 40;\n }\n\n /\n Helper: Check if a sensor is a post-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is post-decode\n /\n private isPostDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'POST_DECODE' \|\| (sensor.order ?? 999) >= 40;\n }\n\n /\n Returns sensor count by phase.\n * Useful for diagnostics and monitoring.\n \n @returns {{preDecodeCount: number, postDecodeCount: number}}\n /\n getSensorCountByPhase(): { preDecodeCount: number; postDecodeCount: number } {\n return {\n preDecodeCount: this.getPreDecodeSensors().length,\n postDecodeCount: this.getPostDecodeSensors().length,\n };\n }\n\n /\n Clears all registered sensors.\n * Useful for testing.\n \n @internal\n /\n clear(): void {\n this.sensors = [];\n }\n}\n","export from './stable-json';\nexport * from './observation-queue.types';\nexport * from './observation-queue.codec';\nexport * from './observation-hash';\nexport * from './response-observer';\n","export * from './loom.types';\n","/*\n Loom Runtime - Lawful Execution Types\n \n Core type definitions for the Loom execution engine.\n * Loom replaces traditional auth with \"Lawful Execution\":\n * - Presence: Liveness proof (replaces login/sessions)\n * - Writ: Executable intent (replaces JWT)\n * - Grant: Standing permission (replaces RBAC)\n * - Receipt: Proof of execution (hash-chained)\n /\n\n// ============================================================================\n// Presence Types (Liveness State)\n// ============================================================================\n\nexport interface PresenceDeclaration {\n /* SoftID of the entity resuming presence (e.g., \"~ayesh#work\") /\n softid: string;\n /* Optional device metadata for scope binding /\n device_meta?: {\n fingerprint?: string;\n platform?: string;\n user_agent?: string;\n };\n}\n\nexport interface PresenceChallenge {\n /* Unique challenge identifier /\n challenge_id: string;\n /* High-entropy random nonce (32-byte hex) /\n nonce: string;\n /* Server's current Unix timestamp in milliseconds (temporal anchor) /\n temporal_anchor: number;\n /* Time-to-live for response in milliseconds (default 5000ms) /\n ttl_ms: number;\n /* Challenge expiry timestamp /\n expires_at: number;\n}\n\nexport interface PresenceProof {\n /* Challenge ID being answered /\n challenge_id: string;\n /* Ed25519 signature over canonical(nonce + temporal_anchor + device_meta) /\n signature: string;\n /* Public key corresponding to the SoftID /\n public_key: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface PresenceReceipt {\n /* Presence ID - hash of the completed handshake /\n presence_id: string;\n /* SoftID that established presence /\n softid: string;\n /* Anchor Reflection ID for logs (privacy-preserving) /\n anchor_reflection: string;\n /* Scope constraints for this presence /\n scope: {\n ip?: string;\n device_fingerprint?: string;\n };\n /* When presence was established (Unix timestamp ms) /\n issued_at: number;\n /* When presence expires (Unix timestamp ms) /\n expires_at: number;\n /* Last renewal timestamp (updated on successful Writ execution) /\n renewed_at?: number;\n}\n\nexport type PresenceStatus = 'active' \| 'expired' \| 'revoked';\n\n// ============================================================================\n// Writ Types (Executable Intent)\n// ============================================================================\n\nexport interface WritHead {\n /* Thread ID - derived from actor, groups related writs /\n tid: string;\n /* Sequence number within the thread /\n seq: number;\n}\n\nexport interface WritBody {\n /* SoftID of the actor (Anchor or Shadow) /\n who: string;\n /* Operation Execution Code (e.g., \"dns.write\", \"file.upload\") /\n act: string;\n /* Resource target (e.g., \"zone:example.com\", \"bucket:uploads\") /\n res: string;\n /* Grant reference - grant_id or \"self\" for sovereign actions /\n law: string;\n}\n\nexport interface WritMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Previous receipt hash (thread continuity) - empty string for first writ /\n prev: string;\n}\n\nexport interface WritSignature {\n /* Signature algorithm /\n alg: 'ed25519';\n /* Base64-encoded signature value /\n value: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface Writ {\n head: WritHead;\n body: WritBody;\n meta: WritMeta;\n sig: WritSignature;\n}\n\n// ============================================================================\n// Grant Types (Standing Permission / Law)\n// ============================================================================\n\nexport type GrantType = 'sovereign' \| 'delegated' \| 'system';\n\nexport interface GrantCapability {\n /* Operation Execution Code this grant allows /\n oec: string;\n /* Resource scope constraint (e.g., \"zone:.example.com\") /\n scope: string;\n /** Optional quantitative limits /\n limit?: {\n /* Rate limit (e.g., \"10/min\", \"100/day\") /\n rate?: string;\n /* Maximum amount/count /\n amount?: number;\n /* Depth constraint (e.g., \"subdomains_only\") /\n depth?: string;\n };\n}\n\nexport interface GrantMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Whether this grant can be revoked /\n revocable: boolean;\n /* Version number for updates /\n version: number;\n /* Optional Digital Fabric contract reference /\n contract_ref?: string;\n}\n\nexport interface Grant {\n /* Unique grant identifier /\n grant_id: string;\n /* SoftID of the authority who issued this grant /\n issuer: string;\n /* SoftID of the grantee /\n subject: string;\n /* Grant type /\n grant_type: GrantType;\n /* Array of capabilities this grant provides /\n caps: GrantCapability[];\n /* Grant metadata /\n meta: GrantMeta;\n /* Signature over the grant /\n sig: WritSignature;\n}\n\nexport type GrantStatus = 'active' \| 'revoked' \| 'expired';\n\n// ============================================================================\n// Receipt Types (Proof of Execution)\n// ============================================================================\n\nexport interface LoomReceipt {\n /* Receipt ID /\n receipt_id: string;\n /* Hash of the writ that was executed /\n writ_hash: string;\n /* Thread ID /\n thread_id: string;\n /* Sequence number /\n sequence: number;\n /* Execution effect (e.g., \"ALLOW\", \"DENY\") /\n effect: string;\n /* Current receipt hash (for chaining) /\n hash: string;\n /* Previous receipt hash /\n prev_hash: string \| null;\n /* Execution timestamp /\n executed_at: number;\n /* Additional metadata /\n metadata?: Record<string, unknown>;\n}\n\n// ============================================================================\n// Thread Types (Causal Continuity)\n// ============================================================================\n\nexport interface ThreadState {\n /* Thread ID /\n thread_id: string;\n /* SoftID that owns this thread /\n softid: string;\n /* Hash of the last receipt in this thread /\n last_receipt_hash: string;\n /* Current sequence number /\n sequence: number;\n /* Last update timestamp /\n updated_at: number;\n}\n\n// ============================================================================\n// Revocation Types (Null-Receipts)\n// ============================================================================\n\nexport type RevocationTargetType = 'grant' \| 'presence' \| 'softid';\n\nexport interface Revocation {\n /* Revocation ID /\n revocation_id: string;\n /* What type of entity is being revoked /\n target_type: RevocationTargetType;\n /* ID of the entity being revoked /\n target_id: string;\n /* SoftID of the issuer of this revocation /\n issuer_softid: string;\n /* Reason for revocation /\n reason?: string;\n /* When revocation takes effect (Unix timestamp) /\n effective_at: number;\n /* Signature over the revocation /\n sig_value: string;\n}\n\n// ============================================================================\n// Validation Result Types\n// ============================================================================\n\nexport interface LoomValidationResult {\n valid: boolean;\n error?: string;\n code?: string;\n}\n\nexport interface PresenceVerifyResult extends LoomValidationResult {\n presence?: PresenceReceipt;\n}\n\nexport interface WritValidationResult extends LoomValidationResult {\n writ?: Writ;\n gate_failed?: 'temporal' \| 'causal' \| 'legal' \| 'authentic';\n}\n\nexport interface GrantValidationResult extends LoomValidationResult {\n grant?: Grant;\n}\n\n// ============================================================================\n// TLV Constants (re-exported from core/constants.ts for convenience)\n// ============================================================================\n\nexport {\n TLV_LOOM_PRESENCE_ID as TLV_PRESENCE_ID,\n TLV_LOOM_WRIT as TLV_WRIT,\n TLV_LOOM_THREAD_HASH as TLV_THREAD_HASH,\n PROOF_LOOM,\n} from '../core/constants';\n\n// ============================================================================\n// Utility Functions\n// ============================================================================\n\n/\n Derive Anchor Reflection ID (ARID) for privacy-preserving logs.\n * ARID = hash(anchor_pubkey + context + scope)\n /\nexport function deriveAnchorReflection(\n softid: string,\n context: string = 'openlogs',\n scope: string = 'loom',\n): string {\n // Implementation will use crypto hash\n // Placeholder structure: ar:<context>:<scope>:<hash>\n return `ar:${context}:${scope}:${softid}`;\n}\n\n/\n Canonicalize a Writ for signing/verification.\n * Returns deterministic JSON string.\n /\nexport function canonicalizeWrit(writ: Omit<Writ, 'sig'>): string {\n const ordered = {\n head: { tid: writ.head.tid, seq: writ.head.seq },\n body: {\n who: writ.body.who,\n act: writ.body.act,\n res: writ.body.res,\n law: writ.body.law,\n },\n meta: { iat: writ.meta.iat, exp: writ.meta.exp, prev: writ.meta.prev },\n };\n return JSON.stringify(ordered);\n}\n\n/\n Canonicalize a Grant for signing/verification.\n /\nexport function canonicalizeGrant(grant: Omit<Grant, 'sig'>): string {\n const ordered = {\n grant_id: grant.grant_id,\n issuer: grant.issuer,\n subject: grant.subject,\n grant_type: grant.grant_type,\n caps: grant.caps,\n meta: grant.meta,\n };\n return JSON.stringify(ordered);\n}\n","export from './axis-schemas';\nexport {\n BodyProfileValidator,\n BodyProfile,\n type BodyProfileValidation,\n} from './body-profile.validator';\n","import * as z from 'zod';\nimport { AxisFrameZ } from '../core/axis-bin';\n\n/*\n AXIS Sensor Input/Output Validation Schemas\n \n Centralized Zod schemas for all sensor input validation.\n * Ensures type-safe, runtime-validated data across the entire sensor chain.\n \n Usage:\n * const input = CountryBlockSensorInputZ.parse(data);\n * const input = CountryBlockSensorInputZ.safeParse(data);\n /\n\n// ============================================================================\n// COMMON TYPES & UTILITIES\n// ============================================================================\n\n/\n Sensor decision outcomes (Zod version for schema composition)\n /\nexport const SensorDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n meta: z.any().optional(),\n }),\n]);\n\nexport const SensorDecisionWithMetadataZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n retryAfterMs: z.number().int().positive().optional(),\n meta: z.any().optional(),\n }),\n]);\n\n// ============================================================================\n// COUNTRY BLOCK SENSOR\n// ============================================================================\n\nexport const CountryBlockSensorInputZ = z.object({\n ip: z.string().min(1),\n country: z.string().length(2).toUpperCase().optional(),\n});\nexport type CountryBlockSensorInput = z.infer<typeof CountryBlockSensorInputZ>;\n\nexport const CountryBlockDecisionZ = SensorDecisionZ;\nexport type CountryBlockDecision = z.infer<typeof CountryBlockDecisionZ>;\n\n// ============================================================================\n// SCAN BURST SENSOR\n// ============================================================================\n\nexport const ScanBurstSensorInputZ = z.object({\n ip: z.string().min(1),\n isFailure: z.boolean().optional(),\n});\nexport type ScanBurstSensorInput = z.infer<typeof ScanBurstSensorInputZ>;\n\nexport const ScanBurstDecisionZ = SensorDecisionWithMetadataZ;\nexport type ScanBurstDecision = z.infer<typeof ScanBurstDecisionZ>;\n\n// ============================================================================\n// PROOF PRESENCE SENSOR\n// ============================================================================\n\nexport const ProofKindZ = z.enum([\n 'NONE',\n 'CAPSULE',\n 'PASSPORT',\n 'MTLS',\n 'JWT',\n]);\nexport type ProofKind = z.infer<typeof ProofKindZ>;\n\nexport const AccessProfileZ = z.enum(['PUBLIC', 'PARTNER', 'INTERNAL', 'NODE']);\nexport type AccessProfile = z.infer<typeof AccessProfileZ>;\n\nexport const ProofPresenceInputZ = z.object({\n profile: AccessProfileZ,\n visibility: z.enum(['PUBLIC', 'GUARDED']),\n requiredProof: z.array(ProofKindZ).min(1),\n hasCapsule: z.boolean(),\n hasPassportSignature: z.boolean(),\n intent: z.string().min(1),\n});\nexport type ProofPresenceInput = z.infer<typeof ProofPresenceInputZ>;\n\n// ============================================================================\n// INTENT POLICY SENSOR\n// ============================================================================\n\nexport const SensitivityLevelZ = z.enum(['LOW', 'MEDIUM', 'HIGH', 'CRITICAL']);\nexport type SensitivityLevel = z.infer<typeof SensitivityLevelZ>;\n\nexport const IntentPolicyZ = z.object({\n intent: z.string().min(1),\n sensitivity: SensitivityLevelZ,\n maxFrameBytes: z.number().int().positive(),\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n maxSigBytes: z.number().int().positive().optional(),\n rateLimitPerMinute: z.number().int().positive().optional(),\n rateLimitPerHour: z.number().int().positive().optional(),\n requiresSignature: z.boolean(),\n requiresCapsule: z.boolean(),\n timeoutMs: z.number().int().positive(),\n});\nexport type IntentPolicy = z.infer<typeof IntentPolicyZ>;\n\nexport const IntentPolicySensorInputZ = z.object({\n frame: AxisFrameZ,\n intent: z.string().min(1),\n rawFrameSize: z.number().int().positive(),\n});\nexport type IntentPolicySensorInput = z.infer<typeof IntentPolicySensorInputZ>;\n\nexport const IntentPolicyDecisionZ = z.union([\n z.object({\n action: z.literal('ALLOW'),\n policy: IntentPolicyZ,\n }),\n z.object({\n action: z.literal('DENY'),\n reason: z.string(),\n }),\n]);\nexport type IntentPolicyDecision = z.infer<typeof IntentPolicyDecisionZ>;\n\n// ============================================================================\n// CAPSULE VERIFY SENSOR\n// ============================================================================\n\nexport const CapsuleClaimsZ = z.object({\n capsuleId: z.string().min(8),\n allowIntents: z.array(z.string()).min(1),\n limits: z\n .object({\n maxBodyBytes: z.number().int().positive().optional(),\n })\n .optional(),\n scopes: z.record(z.string(), z.any()).optional(),\n});\nexport type CapsuleClaims = z.infer<typeof CapsuleClaimsZ>;\n\nexport const CapsuleZ = z.object({\n id: z.string(),\n claims: CapsuleClaimsZ,\n issuedAt: z.number().int(),\n expiresAt: z.number().int(),\n tier: z.enum(['FREE', 'STANDARD', 'PREMIUM']),\n});\nexport type Capsule = z.infer<typeof CapsuleZ>;\n\nexport const CapsuleValidationResultZ = z.object({\n valid: z.boolean(),\n capsule: CapsuleZ.optional(),\n reason: z.string().optional(),\n requiresStepUp: z.boolean().optional(),\n});\nexport type CapsuleValidationResult = z.infer<typeof CapsuleValidationResultZ>;\n\nexport const CapsuleVerifySensorInputZ = z.object({\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n intent: z.string().min(1),\n ctx: z.any(), // AxisContext - avoid circular dependency\n});\nexport type CapsuleVerifySensorInput = z.infer<\n typeof CapsuleVerifySensorInputZ\n>;\n\nexport const CapsuleVerifyResultZ = z.object({\n ok: z.literal(true),\n capsule: CapsuleZ,\n});\nexport type CapsuleVerifyResult = z.infer<typeof CapsuleVerifyResultZ>;\n\n// ============================================================================\n// RATE LIMIT SENSOR\n// ============================================================================\n\nexport const RateLimitProfileZ = z.enum([\n 'PUBLIC',\n 'PARTNER',\n 'INTERNAL',\n 'NODE',\n]);\nexport type RateLimitProfile = z.infer<typeof RateLimitProfileZ>;\n\nexport const RateLimitInputZ = z.object({\n ip: z.string().min(1),\n userAgent: z.string().optional(),\n actorId: z.string().optional(),\n capsuleId: z.string().optional(),\n intent: z.string().min(1),\n profile: RateLimitProfileZ,\n});\nexport type RateLimitInput = z.infer<typeof RateLimitInputZ>;\n\nexport const RateLimitConfigZ = z.object({\n windowSec: z.number().int().positive(),\n max: z.number().int().positive(),\n key: z.enum(['ip_fingerprint', 'actor_capsule']),\n});\nexport type RateLimitConfig = z.infer<typeof RateLimitConfigZ>;\n\nexport const SensorResultZ = z.object({\n ok: z.literal(true),\n});\nexport type SensorResult = z.infer<typeof SensorResultZ>;\n\n// ============================================================================\n// SIGNATURE VERIFICATION SENSOR (Detailed)\n// ============================================================================\n\nexport const PassportZ = z.object({\n id: z.string(),\n public_key: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n status: z.enum(['ACTIVE', 'REVOKED', 'EXPIRED', 'PENDING']),\n issuedAt: z.number().int(),\n expiresAt: z.number().int().optional(),\n});\nexport const ExecutionMetricsZ = z.object({\n dbWrites: z.number().int(),\n dbReads: z.number().int(),\n externalCalls: z.number().int(),\n elapsedMs: z.number().int().optional(),\n});\n\nexport type Passport = z.infer<typeof PassportZ>;\n\n// ============================================================================\n// GENERAL SENSOR CHAIN INPUT\n// ============================================================================\n\nexport const SensorChainInputZ = z.object({\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n});\nexport type SensorChainInput = z.infer<typeof SensorChainInputZ>;\n\n// ============================================================================\n// ENTROPY SENSOR\n// ============================================================================\n\nexport const EntropySensorInputZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n ip: z.string().min(1),\n});\nexport type EntropySensorInput = z.infer<typeof EntropySensorInputZ>;\n\n// ============================================================================\n// PROTOCOL STRICT SENSOR\n// ============================================================================\n\nexport const ProtocolStrictInputZ = z.object({\n rawBytes: z\n .union([z.custom<Buffer>((v) => Buffer.isBuffer(v)), z.instanceof(Uint8Array)])\n .optional(),\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n contentType: z.string().optional(),\n});\nexport type ProtocolStrictInput = z.infer<typeof ProtocolStrictInputZ>;\n\n// ============================================================================\n// SCHEMA VALIDATION SENSOR\n// ============================================================================\n\nexport const SchemaFieldKindZ = z.enum([\n 'utf8',\n 'u64',\n 'bytes',\n 'bytes16',\n 'bool',\n 'obj',\n 'arr',\n]);\nexport type SchemaFieldKind = z.infer<typeof SchemaFieldKindZ>;\n\nexport const ScopeZ = z.enum(['header', 'body']);\nexport type Scope = z.infer<typeof ScopeZ>;\n\nexport const SchemaFieldZ = z.object({\n name: z.string().min(1),\n tlv: z.number().int().positive(),\n kind: SchemaFieldKindZ,\n required: z.boolean().optional(),\n maxLen: z.number().int().positive().optional(),\n max: z.string().optional(),\n scope: ScopeZ.optional(),\n});\nexport type SchemaField = z.infer<typeof SchemaFieldZ>;\n\nexport const BodyProfileZ = z.enum(['TLV_MAP', 'RAW', 'TLV_OBJ', 'TLV_ARR']);\nexport type BodyProfile = z.infer<typeof BodyProfileZ>;\n\nexport const IntentSchemaZ = z.object({\n intent: z.string().min(1),\n version: z.number().int().positive(),\n bodyProfile: BodyProfileZ,\n fields: z.array(SchemaFieldZ).min(1),\n});\nexport type IntentSchema = z.infer<typeof IntentSchemaZ>;\n\n// ============================================================================\n// WEBSOCKET HANDSHAKE SENSOR\n// ============================================================================\n\nexport const WsHandshakeInputZ = z.object({\n clientId: z.string().min(1),\n isWs: z.boolean(),\n ip: z.string().min(1),\n});\nexport type WsHandshakeInput = z.infer<typeof WsHandshakeInputZ>;\n\nexport const WsHandshakeDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW') }),\n z.object({ action: z.literal('DENY'), code: z.string() }),\n]);\nexport type WsHandshakeDecision = z.infer<typeof WsHandshakeDecisionZ>;\n\n// ============================================================================\n// IP REPUTATION SENSOR\n// ============================================================================\n\nexport const IPReputationInputZ = z.object({\n ip: z.string().min(1),\n});\nexport type IPReputationInput = z.infer<typeof IPReputationInputZ>;\n\nexport const IPReputationZ = z.object({\n score: z.number().min(-100).max(100),\n lastUpdated: z.number().int(),\n totalRequests: z.number().int().nonnegative(),\n failedRequests: z.number().int().nonnegative(),\n blockedRequests: z.number().int().nonnegative(),\n tags: z.array(z.string()),\n});\nexport type IPReputation = z.infer<typeof IPReputationZ>;\n\n// ============================================================================\n// FILE UPLOAD STATE SENSOR\n// ============================================================================\n\nexport const UploadStatusZ = z.enum([\n 'INIT',\n 'UPLOADING',\n 'FINALIZING',\n 'DONE',\n 'ABORTED',\n]);\nexport type UploadStatus = z.infer<typeof UploadStatusZ>;\n\nexport const UploadSessionZ = z.object({\n uploadIdHex: z.string().min(1),\n fileName: z.string().min(1),\n totalSize: z.number().int().positive(),\n chunkSize: z.number().int().positive(),\n totalChunks: z.number().int().positive(),\n receivedCount: z.number().int().nonnegative(),\n status: UploadStatusZ,\n});\nexport type UploadSession = z.infer<typeof UploadSessionZ>;\n\n// ============================================================================\n// BODY BUDGET SENSOR\n// ============================================================================\n\nexport const BodyBudgetInputZ = z.object({\n intent: z.string().min(1),\n headerLen: z.number().int().nonnegative(),\n bodyLen: z.number().int().nonnegative(),\n});\nexport type BodyBudgetInput = z.infer<typeof BodyBudgetInputZ>;\n\nexport const BodyBudgetPolicyZ = z.object({\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n});\nexport type BodyBudgetPolicy = z.infer<typeof BodyBudgetPolicyZ>;\n\n// ============================================================================\n// CHUNK HASH SENSOR\n// ============================================================================\n\nexport const ChunkHashInputZ = z.object({\n headerTLVs: z.any(), // Map<number, Uint8Array> - flexible validation for compatibility\n bodyBytes: z.any(), // Uint8Array - flexible validation for compatibility\n intent: z.string().min(1),\n});\nexport type ChunkHashInput = z.infer<typeof ChunkHashInputZ>;\n\n// ============================================================================\n// AXIS CONTEXT (Request Context across sensors)\n// ============================================================================\n\nexport enum ProofType {\n CAPSULE = 1,\n JWT = 2,\n MTLS_ID = 3,\n DEVICE_SE = 4,\n WITNESS_SIG = 5,\n}\n\nexport const AxisContextZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)), // Process ID\n ts: z.bigint(), // Timestamp\n intent: z.string().min(1),\n actorId: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n proofType: z.enum(ProofType),\n proofRef: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n ip: z.string().min(1),\n nodeCertHash: z.string().optional(),\n capsule: CapsuleZ.optional(),\n passport: PassportZ.optional(),\n meter: z.any().optional(), // ExecutionMeter instance - any to avoid circular dependency and allow class instance\n});\n\nexport type AxisContext = z.infer<typeof AxisContextZ>;\n\n// ============================================================================\n// ERROR HANDLING\n// ============================================================================\n\nexport const AxisErrorZ = z.object({\n code: z.string(),\n message: z.string(),\n httpStatus: z.number().int(),\n});\nexport type AxisError = z.infer<typeof AxisErrorZ>;\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { decodeTLVsList } from '../core/tlv';\n\n/\n Body Profile Types\n /\nexport enum BodyProfile {\n RAW = 0, // Raw binary (no structure)\n TLV_MAP = 1, // Flat TLV map (type -> value)\n OBJ = 2, // Nested object (OBJ TLVs)\n ARR = 3, // Array (ARR TLVs)\n}\n\nexport interface BodyProfileValidation {\n valid: boolean;\n error?: string;\n profile: BodyProfile;\n}\n\n/\n Validates AXIS frame body against declared body profile\n /\n@Injectable()\nexport class BodyProfileValidator {\n private readonly logger = new Logger(BodyProfileValidator.name);\n\n /\n Validate body matches declared profile\n /\n validate(body: Uint8Array, profile: BodyProfile): BodyProfileValidation {\n switch (profile) {\n case BodyProfile.RAW:\n return this.validateRaw(body);\n\n case BodyProfile.TLV_MAP:\n return this.validateTlvMap(body);\n\n case BodyProfile.OBJ:\n return this.validateObj(body);\n\n case BodyProfile.ARR:\n return this.validateArr(body);\n\n default:\n return {\n valid: false,\n error: `Unknown body profile: ${profile}`,\n profile,\n };\n }\n }\n\n /\n RAW profile - no validation, any bytes accepted\n /\n private validateRaw(body: Uint8Array): BodyProfileValidation {\n return {\n valid: true,\n profile: BodyProfile.RAW,\n };\n }\n\n /\n TLV_MAP profile - flat TLV list (no nested structures)\n /\n private validateTlvMap(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Check no nested structures (OBJ or ARR types)\n for (const tlv of tlvs) {\n if (tlv.type === 254 \|\| tlv.type === 255) {\n return {\n valid: false,\n error: 'TLV_MAP profile cannot contain nested OBJ/ARR types',\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n return {\n valid: true,\n profile: BodyProfile.TLV_MAP,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `TLV_MAP decode failed: ${message}`,\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n /\n OBJ profile - must be valid nested object\n /\n private validateObj(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one OBJ type (254)\n const hasObj = tlvs.some((t) => t.type === 254);\n if (!hasObj && tlvs.length > 0) {\n return {\n valid: false,\n error: 'OBJ profile must contain OBJ type (254)',\n profile: BodyProfile.OBJ,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.OBJ,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `OBJ decode failed: ${message}`,\n profile: BodyProfile.OBJ,\n };\n }\n }\n\n /\n ARR profile - must be valid array\n /\n private validateArr(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one ARR type (255)\n const hasArr = tlvs.some((t) => t.type === 255);\n if (!hasArr && tlvs.length > 0) {\n return {\n valid: false,\n error: 'ARR profile must contain ARR type (255)',\n profile: BodyProfile.ARR,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.ARR,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `ARR decode failed: ${message}`,\n profile: BodyProfile.ARR,\n };\n }\n }\n}\n","export from './scopes';\nexport * from './capabilities';\n","export * from './access-profile-resolver.sensor';\nexport * from './body-budget.sensor';\nexport * from './capability-enforcement.sensor';\nexport * from './chunk-hash.sensor';\nexport * from './entropy.sensor';\nexport * from './execution-timeout.sensor';\nexport * from './frame-budget.sensor';\nexport * from './frame-header-sanity.sensor';\nexport * from './header-tlv-limit.sensor';\nexport * from './intent-allowlist.sensor';\nexport * from './intent-registry.sensor';\nexport * from './proof-presence.sensor';\nexport * from './protocol-strict.sensor';\nexport * from './receipt-policy.sensor';\nexport * from './schema-validation.sensor';\nexport * from './stream-scope.sensor';\nexport * from './tlv-parse.sensor';\nexport * from './varint-hardening.sensor';\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Access Profile Resolver AxisSensor\n \n This sensor determines whether an AXIS request should be handled under the\n * 'PUBLIC' or 'GUARDED' access profile. It does this by checking for the presence\n * of authentication proofs in the request metadata.\n \n Execution Order: 50 (runs very early)\n \n Core Concept:\n * - If any structural proof is present (Capsule, Passport, or mTLS certificate),\n * the request is flagged as `GUARDED`.\n * - Otherwise, it is treated as `PUBLIC`.\n \n Impact:\n * This determination is stored in `input.metadata.profile` and is used by\n * downstream sensors like `CapabilityEnforcementSensor` to decide whether\n * to enforce strict authorization checks.\n \n @class AccessProfileResolverSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class AccessProfileResolverSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'AccessProfileResolverSensor';\n\n /\n Execution order - runs early to establish the access profile\n * for downstream sensors.\n /\n readonly order = BAND.IDENTITY + 10;\n\n supports(): boolean {\n return true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n // Resolve profile: presence of proof => GUARDED, else PUBLIC\n const hasCapsule = !!input.metadata?.capsuleId;\n const hasPassport = !!input.metadata?.passportSig;\n const hasMTLS = !!input.metadata?.mtlsId;\n\n const profile = hasCapsule \|\| hasPassport \|\| hasMTLS ? 'GUARDED' : 'PUBLIC';\n\n // Store in metadata for downstream sensors\n if (!input.metadata) input.metadata = {};\n input.metadata.profile = profile;\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { MAX_BODY_LEN, MAX_HDR_LEN } from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Body Budget AxisSensor - Section Size Limit Enforcement\n \n Validates that header and body sections of AXIS frames are within\n * configured size limits. This prevents memory exhaustion attacks and\n * ensures efficient processing.\n \n Execution Order: 150 (after auth, before schema validation)\n \n Core Concept:\n * AXIS frames have three main sections:\n * - Header (TLVs for routing, auth, etc.)\n * - Body (payload data)\n * - Signature\n \n Each section has a declared length in the frame header. This sensor\n * validates those lengths against configured maximums BEFORE reading\n * the full content.\n \n Frame Format Reference:\n * ```\n * Offset 0-4: Magic (AXIS1)\n * Offset 5: Version (0x01)\n * Offset 6: Flags\n * Offset 7+: HDR_LEN (varint)\n * Following: BODY_LEN (varint)\n * Following: SIG_LEN (varint)\n * Then: HDR bytes, BODY bytes, SIG bytes\n * ```\n \n Default Limits (from constants.ts):\n * - MAX_HDR_LEN: 2048 bytes (2KB)\n * - MAX_BODY_LEN: 65536 bytes (64KB)\n \n Security Model:\n * - Fail Open: Parse errors allow (other sensors catch)\n * - Early Rejection: Rejects before reading large payloads\n * - Defense in Depth: Works with FrameBudgetSensor\n \n Actions:\n * - `ALLOW` - Sizes within limits\n * - `DENY` - Header or body exceeds maximum\n \n Error Codes:\n * - `HEADER_TOO_LARGE` - Header exceeds MAX_HDR_LEN\n * - `BODY_TOO_LARGE` - Body exceeds MAX_BODY_LEN\n \n Performance:\n * - Parses first ~20 bytes (varint lengths)\n * - O(1) comparison\n * - Latency: <0.5ms\n \n @class BodyBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Within limits:\n * ```typescript\n * // HDR_LEN: 500 (< 2048), BODY_LEN: 10000 (< 65536)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Body too large:\n * ```typescript\n * // BODY_LEN: 100000 (> 65536)\n * {\n * action: 'DENY',\n * code: 'BODY_TOO_LARGE',\n * reason: 'Body size 100000 exceeds limit 65536'\n * }\n * ```\n \n @see {@link FrameBudgetSensor} - Content-Length based limiting\n * @see {@link MAX_BODY_LEN} - Configurable body limit\n /\n@Sensor()\n@Injectable()\nexport class BodyBudgetSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'BodyBudgetSensor';\n\n /\n Execution order - after authentication\n \n Order 150 ensures:\n * - Authentication complete\n * - Runs before full body read\n * - Before schema validation (170)\n /\n readonly order = BAND.CONTENT + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 8 bytes of peeked data to read headers.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data available\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 8;\n }\n\n /\n Validates header and body lengths against configured limits.\n \n Frame Parsing:\n * - Skip magic (5 bytes)\n * - Skip version (1 byte)\n * - Skip flags (1 byte)\n * - Read HDR_LEN varint\n * - Read BODY_LEN varint\n * - Compare against MAX_HDR_LEN and MAX_BODY_LEN\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size limits\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { peek } = input;\n\n // Should be caught by ProtocolStrict, but defensive check\n if (!peek \|\| peek.length < 8) {\n return { action: 'ALLOW' };\n }\n\n try {\n // Frame structure:\n // 0-4: Magic (AXIS1)\n // 5: Version\n // 6: Flags\n // 7+: Varints for HDR_LEN, BODY_LEN, SIG_LEN\n\n let offset = 5; // After magic\n offset += 1; // Skip version\n offset += 1; // Skip flags\n\n // Now at offset 7: read HDR_LEN varint\n const { value: hdrLen, length: hdrBytes } = decodeVarint(peek, offset);\n offset += hdrBytes;\n\n // Read BODY_LEN varint\n const { value: bodyLen } = decodeVarint(peek, offset);\n\n // === Check Header Limit ===\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds limit ${MAX_HDR_LEN}`,\n };\n }\n\n // === Check Body Limit ===\n if (bodyLen > MAX_BODY_LEN) {\n return {\n action: 'DENY',\n code: 'BODY_TOO_LARGE',\n reason: `Body size ${bodyLen} exceeds limit ${MAX_BODY_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n } catch (e) {\n // Parse errors are likely malformed frames\n // ProtocolStrict will handle them\n return { action: 'ALLOW' };\n }\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n Capability,\n INTENT_REQUIREMENTS,\n PROOF_CAPABILITIES,\n SensorDecision,\n SensorInput,\n} from '../index';\n\n/\n Capability Enforcement AxisSensor - Authorization Based on Proof Type\n \n Maps authentication proof types to capabilities and enforces capability\n * requirements per intent. This implements role-based access control (RBAC)\n * at the intent level.\n \n Execution Order: 100 (after capsule/signature verification)\n \n Core Concept:\n * Different authentication methods grant different capabilities:\n * - Stronger auth = more capabilities\n * - Weaker auth = fewer capabilities\n \n Each intent has required capabilities. The request's proof type must\n * grant ALL required capabilities for the intent to proceed.\n \n Capability Definitions:\n * - `read` - Can read/query data\n * - `write` - Can create/update data\n * - `execute` - Can trigger actions/operations\n * - `admin` - Administrative operations\n * - `sign` - Can create digital signatures\n * - `witness` - Can act as independent witness\n \n Proof Type Mappings:\n * \| Type \| Name \| Capabilities \|\n * \|------\|------\|--------------\|\n * \| 0 \| NONE \| (none) \|\n * \| 1 \| CAPSULE \| read, write, execute \|\n * \| 2 \| JWT \| read \|\n * \| 3 \| MTLS \| read, write, admin \|\n * \| 4 \| DEVICE_SE \| read, write, sign \|\n * \| 5 \| WITNESS_SIG \| read, write, execute, witness \|\n \n @class CapabilityEnforcementSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload (requires 'write'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'file.upload' (requires: write)\n * // write ∈ [read, write, execute] ✓\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Admin operation (requires 'admin'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'admin.users.delete' (requires: admin)\n * // admin ∉ [read, write, execute] ✗\n * {\n * action: 'DENY',\n * code: 'CAPABILITY_DENIED',\n * reason: 'Missing capabilities: admin'\n * }\n * ```\n /\n\n@Sensor()\n@Injectable()\nexport class CapabilityEnforcementSensor implements AxisSensor {\n private readonly logger = new Logger(CapabilityEnforcementSensor.name);\n\n /* AxisSensor identifier for logging and registry /\n readonly name = 'CapabilityEnforcementSensor';\n\n /\n Execution order - runs after authentication\n \n Order 100 ensures:\n * - Capsule is verified (CapsuleVerifySensor @ 80)\n * - Signature is verified (SigVerifySensor @ 90)\n * - We know the proof type for capability lookup\n /\n readonly order = BAND.POLICY + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when an intent is present.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Enforces capability requirements for the requested intent.\n \n Processing Flow:\n * 1. Extract proof type from packet (default: 0/NONE)\n * 2. Look up capabilities granted by this proof type\n * 3. Look up capabilities required by the intent\n * 4. If no requirements, ALLOW\n * 5. Check if all required capabilities are granted\n * 6. If missing capabilities, DENY with details\n * 7. Otherwise, ALLOW\n \n @param {SensorInput} input - Request with intent and packet\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on capabilities\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, packet } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n const proofType = packet?.proofType ?? 0;\n\n // === STEP 1: Get Granted Capabilities ===\n // Look up what this proof type allows\n const grantedCapabilities = PROOF_CAPABILITIES[proofType] \|\| [];\n\n // === STEP 2: Get Required Capabilities ===\n // Look up what this intent requires\n const requiredCapabilities = this.getRequiredCapabilities(intent);\n\n // === STEP 3: Check Public Intents ===\n // No capabilities required = public access\n if (requiredCapabilities.length === 0) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 4: Check Capability Match ===\n // Find any required capabilities not granted\n const missingCapabilities = requiredCapabilities.filter(\n (cap) => !grantedCapabilities.includes(cap),\n );\n\n if (missingCapabilities.length > 0) {\n // Capability mismatch - deny with details\n this.logger.warn(\n `Capability denied for ${intent}: missing ${missingCapabilities.join(', ')} (has: ${grantedCapabilities.join(', ')})`,\n );\n return {\n action: 'DENY',\n code: 'CAPABILITY_DENIED',\n reason: `Missing capabilities: ${missingCapabilities.join(', ')}`,\n };\n }\n\n // All required capabilities present\n return { action: 'ALLOW' };\n }\n\n /\n Gets required capabilities for an intent.\n \n Lookup Strategy:\n * 1. Check for exact intent match\n * 2. Check for prefix pattern match (.suffix)\n 3. Default to 'execute' for unknown intents\n \n @private\n * @param {string} intent - Intent name to look up\n * @returns {Capability[]} Array of required capabilities\n /\n private getRequiredCapabilities(intent: string): Capability[] {\n // Check exact match first\n if (INTENT_REQUIREMENTS[intent]) {\n return INTENT_REQUIREMENTS[intent];\n }\n\n // Check prefix patterns (e.g., 'admin.' matches 'admin.users.delete')\n for (const [pattern, caps] of Object.entries(INTENT_REQUIREMENTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1); // Remove ''\n if (intent.startsWith(prefix)) {\n return caps;\n }\n }\n }\n\n // Default: require execute for unknown intents (safe default)\n return ['execute'];\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { createHash } from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/*\n Chunk Hash Sensor - Data Integrity Verification\n \n Validates that uploaded file chunks match their declared SHA-256 hash.\n * This ensures data integrity during transfer and detects corruption or\n * tampering.\n \n Execution Order: 190 (after session validation, before handler)\n \n Core Concept:\n * Each file chunk includes a SHA-256 hash in the header. The sensor:\n * 1. Extracts the expected hash from header TLV\n * 2. Computes the actual hash of the body\n * 3. Compares them byte-by-byte\n * 4. Rejects if mismatch (data corruption)\n \n This provides end-to-end integrity verification, catching:\n * - Network corruption\n * - Storage errors\n * - Man-in-the-middle modifications\n * - Client-side bugs\n \n TLV Type:\n * - Type 73 (`TLV_SHA256_CHUNK`): 32-byte SHA-256 hash\n \n Hash Calculation:\n * ```typescript\n * const actual = createHash('sha256').update(bodyBytes).digest();\n * ```\n \n Security Model:\n * - Fail Closed: Hash mismatch = DENY\n * - Immutable Check: Hash computed server-side\n * - Early Rejection: Before storage writes\n \n Actions:\n * - `ALLOW` - Hash matches\n * - `DENY` - Hash mismatch or missing\n \n Error Codes:\n * - `FILE_CHUNK_HASH_MISSING` - TLV 73 not present or wrong size\n * - `FILE_CHUNK_HASH_MISMATCH` - Computed hash != expected hash\n \n Performance:\n * - SHA-256 computation: ~100MB/s on modern CPUs\n * - For 1MB chunk: ~10ms\n \n @class ChunkHashSensor\n * @implements {AxisSensor}\n \n @example\n * Hash matches:\n * ```typescript\n * // Header TLV 73: sha256(body) = expected\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Hash mismatch:\n * ```typescript\n * // Body was corrupted during transfer\n * {\n * action: 'DENY',\n * code: 'FILE_CHUNK_HASH_MISMATCH',\n * reason: 'Chunk hash mismatch - data corrupted'\n * }\n * ```\n \n @see {@link FileUploadStateSensor} - Session validation\n * @see {@link https://en.wikipedia.org/wiki/SHA-2 SHA-256}\n /\n@Sensor()\n@Injectable()\nexport class ChunkHashSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'ChunkHashSensor';\n\n /\n Execution order - after session validation\n \n Order 190 ensures:\n * - Session validated (180)\n * - Chunk parameters verified\n * - Hash check before storage\n /\n readonly order = BAND.CONTENT + 50;\n\n /\n Determines if this sensor should process the given input.\n \n Only processes file.chunk intents.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is 'file.chunk'\n /\n supports(input: SensorInput): boolean {\n return input.intent === 'file.chunk';\n }\n\n /\n Validates chunk data against declared SHA-256 hash.\n \n Processing Flow:\n * 1. Check for required headerTLVs and body\n * 2. Extract expected hash from TLV 73\n * 3. Verify hash is exactly 32 bytes\n * 4. Compute SHA-256 of body\n * 5. Compare bytes (timing-safe)\n * 6. DENY on mismatch\n \n @param {SensorInput} input - Request with chunk body\n * @returns {Promise<SensorDecision>} ALLOW if hash matches, DENY otherwise\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyBytes = input.body as Uint8Array;\n\n // Validate required inputs\n if (!headerTLVs \|\| !bodyBytes) {\n return {\n action: 'DENY',\n code: 'SENSOR_INVALID_INPUT',\n reason: 'Missing headerTLVs or body',\n };\n }\n\n // TLV type for chunk SHA-256 hash\n const TLV_SHA256_CHUNK = 73;\n\n // === STEP 1: Extract Expected Hash ===\n const expected = headerTLVs.get(TLV_SHA256_CHUNK);\n\n if (!expected \|\| expected.length !== 32) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISSING',\n reason: 'Missing sha256Chunk TLV in header',\n };\n }\n\n // === STEP 2: Compute Actual Hash ===\n const actual = createHash('sha256').update(bodyBytes).digest();\n\n // === STEP 3: Compare Hashes ===\n // Using Buffer.equals for comparison\n if (!Buffer.from(actual).equals(Buffer.from(expected))) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISMATCH',\n reason: 'Chunk hash mismatch - data corrupted',\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\n\nimport { TLV_NONCE, TLV_PID } from '../core/constants';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Entropy AxisSensor - Randomness Quality Analysis\n \n Validates that cryptographic identifiers (PIDs, nonces) have sufficient\n * randomness to prevent predictability attacks. Weak entropy in IDs can\n * lead to collision attacks and session hijacking.\n \n Execution Order: 130 (after replay protection, before policy checks)\n \n Core Concept:\n * Proper cryptographic security requires high-quality randomness. This sensor\n * detects patterns that suggest weak random number generation:\n * - Low Shannon entropy\n * - Sequential patterns (1,2,3,4...)\n * - Repeated patterns (0xAB,0xAB,0xAB...)\n \n How It Works:\n * ```\n * 1. Extract PID and nonce from headers\n * 2. Calculate Shannon entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. FLAG if issues found (doesn't DENY for availability)\n * ```\n \n Shannon Entropy Calculation:\n * ```\n * H = -Σ(p_i * log2(p_i))\n * ```\n * Where p_i is the probability of byte value i appearing.\n * - High entropy (7-8 bits/byte): Good randomness\n * - Low entropy (<3 bits/byte): Suspicious pattern\n \n Pattern Detection:\n * - Sequential: More than 50% of bytes are +1 or -1 from previous\n * - Repeated: 90%+ match with 2, 4, or 8 byte repeating pattern\n \n Security Model:\n * - Fail Open: Issues cause FLAG, not DENY\n * - Trust Score Impact: Each issue reduces trust score\n * - Detection Only: Logs suspicious patterns for investigation\n \n Actions:\n * - `ALLOW` - Sufficient entropy, no patterns detected\n * - `FLAG` - Issues detected (reduces trust score)\n \n Score Deltas:\n * \| Issue \| Delta \|\n * \|-------\|-------\|\n * \| Low entropy (<3 bits/byte) \| -3 \|\n * \| Sequential pattern \| -5 \|\n * \| Repeated pattern \| -5 \|\n \n Why Not DENY?\n * Legitimate clients with older RNG libraries might trigger false positives.\n * FLAG allows monitoring without breaking legitimate traffic.\n \n Performance:\n * - In-memory analysis\n * - O(n) where n = bytes analyzed\n * - Latency: <1ms\n \n @class EntropySensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * High-entropy nonce (good):\n * ```typescript\n * // Nonce from crypto.randomBytes(16)\n * // Entropy: 7.2 bits/byte\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Sequential pattern (suspicious):\n * ```typescript\n * // Nonce: [1,2,3,4,5,6,7,8,9,10,11,12]\n * {\n * action: 'FLAG',\n * scoreDelta: -5,\n * reasons: ['nonce_sequential']\n * }\n * ```\n \n @see {@link https://en.wikipedia.org/wiki/Entropy_(information_theory) Shannon Entropy}\n /\n@Sensor()\n@Injectable()\nexport class EntropySensor implements AxisSensor {\n private readonly logger = new Logger(EntropySensor.name);\n\n /\n Minimum acceptable entropy in bits per byte.\n \n 3.0 bits/byte is a conservative threshold:\n * - Random data: ~7.9 bits/byte\n * - English text: ~4.5 bits/byte\n * - Sequential data: ~0-2 bits/byte\n /\n private readonly MIN_ENTROPY_THRESHOLD = 3.0;\n\n /* AxisSensor identifier /\n readonly name = 'EntropySensor';\n\n /\n Execution order - anomaly detection phase\n \n Order 130 ensures:\n * - Replay protection done (120)\n * - Runs before expensive policy lookups\n /\n readonly order = BAND.POLICY + 35;\n\n /\n Calculates Shannon entropy of a byte array.\n \n Algorithm:\n * 1. Count frequency of each byte value (0-255)\n * 2. Calculate probability p = count / total\n * 3. Sum: -Σ(p * log2(p))\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {number} Entropy in bits per byte (0-8 scale)\n /\n private calculateEntropy(data: Uint8Array): number {\n if (data.length === 0) return 0;\n\n // Count byte frequencies\n const freq = new Map<number, number>();\n for (const byte of data) {\n freq.set(byte, (freq.get(byte) \|\| 0) + 1);\n }\n\n // Calculate Shannon entropy\n let entropy = 0;\n const len = data.length;\n for (const count of freq.values()) {\n const p = count / len;\n entropy -= p Math.log2(p);\n }\n\n return entropy;\n }\n\n /*\n Checks for sequential patterns in data.\n \n Detects sequences like [1,2,3,4...] or [10,9,8,7...].\n * More than 50% sequential is considered suspicious.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if sequential pattern detected\n /\n private hasSequentialPattern(data: Uint8Array): boolean {\n if (data.length < 4) return false;\n\n let ascending = 0;\n let descending = 0;\n\n for (let i = 1; i < data.length; i++) {\n if (data[i] === data[i - 1] + 1) ascending++;\n if (data[i] === data[i - 1] - 1) descending++;\n }\n\n // More than 50% sequential is suspicious\n return ascending > data.length / 2 \|\| descending > data.length / 2;\n }\n\n /\n Checks for repeated patterns in data.\n \n Detects patterns like [0xAB, 0xCD, 0xAB, 0xCD...].\n * Checks for 2, 4, and 8 byte repeating patterns.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if repeated pattern detected\n /\n private hasRepeatedPattern(data: Uint8Array): boolean {\n if (data.length < 8) return false;\n\n // Check for 2-byte, 4-byte, and 8-byte repeating patterns\n for (const patternLen of [2, 4, 8]) {\n if (data.length % patternLen !== 0) continue;\n\n let matches = 0;\n for (let i = patternLen; i < data.length; i++) {\n if (data[i] === data[i % patternLen]) matches++;\n }\n\n // 90%+ match = repeating pattern\n if (matches > (data.length - patternLen) 0.9) {\n return true;\n }\n }\n\n return false;\n }\n\n /*\n Analyzes entropy of PID and nonce in request headers.\n \n Processing Flow:\n * 1. Extract PID and nonce from header TLVs\n * 2. Calculate entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. Accumulate issues and score delta\n * 6. Return FLAG if issues found, ALLOW otherwise\n \n @param {SensorInput} input - Request with header TLVs\n * @returns {Promise<SensorDecision>} ALLOW or FLAG based on entropy analysis\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headers = input.headerTLVs as Map<number, Uint8Array>;\n\n // If no headers, allow (WebSocket handshake, etc.)\n if (!headers) {\n return { action: 'ALLOW' };\n }\n\n // Extract PID and nonce from headers\n const pid = headers.get(TLV_PID);\n const nonce = headers.get(TLV_NONCE);\n\n const issues: string[] = [];\n let totalDelta = 0;\n\n // === Analyze PID ===\n if (pid && pid.length > 0) {\n const pidEntropy = this.calculateEntropy(pid);\n\n // Check minimum entropy threshold\n if (pidEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`pid_low_entropy:${pidEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(pid)) {\n issues.push('pid_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(pid)) {\n issues.push('pid_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Analyze Nonce ===\n if (nonce && nonce.length > 0) {\n const nonceEntropy = this.calculateEntropy(nonce);\n\n // Check minimum entropy threshold\n if (nonceEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`nonce_low_entropy:${nonceEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(nonce)) {\n issues.push('nonce_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(nonce)) {\n issues.push('nonce_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Return Decision ===\n if (issues.length > 0) {\n this.logger.warn(`Entropy issues from ${input.ip}: ${issues.join(', ')}`);\n return {\n action: 'FLAG',\n scoreDelta: totalDelta,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Generates cryptographically secure random bytes.\n \n Utility method for SDK/client code to ensure proper entropy.\n * Uses Node.js crypto.randomBytes for secure PRNG.\n \n @static\n * @param {number} length - Number of random bytes\n * @returns {Uint8Array} Cryptographically secure random bytes\n /\n static generateSecureRandom(length: number): Uint8Array {\n return new Uint8Array(crypto.randomBytes(length));\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { resolveTimeout } from '../core/timeouts';\n\n/\n Execution Timeout AxisSensor - Intent-Based Deadline Enforcement\n \n Sets per-intent execution time limits and stores deadlines in the request\n * context. This prevents runaway handlers and ensures predictable response times.\n \n Execution Order: 210 (late, before handler execution)\n \n Core Concept:\n * Different intents have different acceptable latencies:\n * - Health checks: 2 seconds (must be fast)\n * - File uploads: 60 seconds (large transfers)\n * - Standard operations: 10 seconds (default)\n \n The sensor calculates a deadline timestamp and stores it in the context.\n * Handler code can check this deadline to abort if running too long.\n \n How It Works:\n * ```\n * 1. Look up timeout for intent (exact match or prefix pattern)\n * 2. Calculate deadline = now + timeout\n * 3. Store deadline in context\n * 4. Return ALLOW (enforcement happens in handler)\n * ```\n \n Timeout Lookup:\n * 1. Check exact intent match first\n * 2. Then check prefix patterns (e.g., 'file.')\n 3. Fall back to DEFAULT_TIMEOUT (10s)\n \n Context Properties Set:\n * - `deadline`: Absolute timestamp (ms since epoch)\n * - `timeoutMs`: Configured timeout duration\n \n Handler Usage:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new Error('Execution timeout exceeded');\n * }\n \n const remaining = ExecutionTimeoutSensor.getRemainingMs(ctx);\n * ```\n \n Security Model:\n * - Always Allow: This sensor only sets context, doesn't block\n * - Handler Responsibility: Actual enforcement in handler code\n * - Defense in Depth: Works with ExecutionContractSensor\n \n Actions:\n * - `ALLOW` - Always (only sets context)\n \n Performance:\n * - Map lookup: O(1) to O(n patterns)\n * - Latency: <0.1ms\n \n @class ExecutionTimeoutSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload:\n * ```typescript\n * // Intent: file.upload\n * // Timeout: 60000ms\n * // ctx.deadline = Date.now() + 60000\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Checking deadline in handler:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new TimeoutError('Handler exceeded deadline');\n * }\n * ```\n \n @see {@link ExecutionContractSensor} - Resource limit enforcement\n /\n@Sensor()\n@Injectable()\nexport class ExecutionTimeoutSensor implements AxisSensor {\n private readonly logger = new Logger(ExecutionTimeoutSensor.name);\n\n /* AxisSensor identifier /\n readonly name = 'ExecutionTimeoutSensor';\n\n /\n Execution order - late, near handler execution\n \n Order 210 ensures:\n * - All validation complete\n * - Deadline set just before handler\n /\n readonly order = BAND.BUSINESS + 10;\n\n /\n Determines if this sensor should process the given input.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Sets execution deadline in the request context.\n \n Processing Flow:\n * 1. Look up timeout for intent\n * 2. Calculate absolute deadline\n * 3. Store in context for handler use\n * 4. Return ALLOW\n \n @param {SensorInput} input - Request with intent\n * @returns {Promise<SensorDecision>} Always ALLOW\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, context } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n // Get timeout for this intent\n const timeout = resolveTimeout(intent);\n\n // Calculate absolute deadline\n const deadline = Date.now() + timeout;\n\n // Store deadline in context for downstream components\n if (context) {\n (context as any).deadline = deadline;\n (context as any).timeoutMs = timeout;\n }\n\n this.logger.debug(\n `Set ${timeout}ms timeout for ${intent} (deadline: ${new Date(deadline).toISOString()})`,\n );\n\n // Actual timeout enforcement happens in the intent router/executor\n // This sensor just sets the deadline\n return { action: 'ALLOW' };\n }\n\n /\n Checks if a deadline has been exceeded.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {boolean} True if deadline passed\n /\n static isExpired(ctx: { deadline?: number }): boolean {\n if (!ctx.deadline) return false;\n return Date.now() > ctx.deadline;\n }\n\n /\n Gets remaining time until deadline.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {number} Remaining milliseconds (0 if expired, Infinity if no deadline)\n /\n static getRemainingMs(ctx: { deadline?: number }): number {\n if (!ctx.deadline) return Infinity;\n return Math.max(0, ctx.deadline - Date.now());\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Frame Budget AxisSensor - Request Size Validation\n \n Validates that incoming frame sizes do not exceed configured limits.\n * This prevents memory exhaustion attacks and ensures fair resource allocation.\n \n Execution Order: 20 (after ProtocolStrictSensor, before security checks)\n \n Core Concept:\n * Large payloads can be used for denial-of-service attacks, buffer overflows,\n * or to exhaust server memory. This sensor enforces per-intent size limits\n * defined in the intent policy, rejecting oversized frames before they are\n * fully processed.\n \n How It Works:\n * 1. Extract Content-Length from request\n * 2. Look up maximum allowed size from intent policy\n * 3. If size exceeds limit, DENY the request\n * 4. Otherwise, ALLOW request to proceed\n \n Default Limits:\n * - Standard requests: 1MB (1,048,576 bytes)\n * - File uploads: 100MB (104,857,600 bytes)\n * - Streaming: No limit (handled by StreamScopeSensor)\n \n Security Model:\n * - Fail Open: If Content-Length is not available, ALLOW (other sensors handle)\n * - Early Rejection: Reject oversized frames before full download\n * - Per-Intent Limits: Different intents can have different size limits\n \n Configuration:\n * ```env\n * AXIS_MAX_FRAME_BYTES=1048576 # 1MB default\n * AXIS_MAX_UPLOAD_BYTES=104857600 # 100MB for uploads\n * ```\n \n Actions:\n * - `ALLOW` - Frame size within limits or unknown\n * - `DENY` - Frame exceeds configured maximum (code: FRAME_TOO_LARGE)\n \n Performance:\n * - Single comparison operation\n * - No I/O or external calls\n * - Latency: <0.1ms\n \n @class FrameBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Normal request (within limits):\n * ```typescript\n * // Content-Length: 50000 (50KB)\n * // Policy max: 1MB\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Oversized request:\n * ```typescript\n * // Content-Length: 10485760 (10MB)\n * // Policy max: 1MB\n * {\n * action: 'DENY',\n * code: 'FRAME_TOO_LARGE',\n * reason: 'Frame size 10485760 exceeds limit 1048576'\n * }\n * ```\n \n @todo Implement actual size checking against intent policy maxFrameBytes\n * @see {@link BodyBudgetSensor} - Body-specific size limiting\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class FrameBudgetSensor implements AxisSensor {\n /* AxisSensor identifier for logging and registry /\n readonly name = 'FrameBudgetSensor';\n\n /\n Execution order - runs after protocol validation\n \n Order 20 ensures:\n * - Protocol is valid (ProtocolStrictSensor @ 10)\n * - Size checked before expensive processing\n /\n readonly order = BAND.WIRE + 20;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when Content-Length header is available.\n * WebSocket frames may not have Content-Length; they use different size tracking.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if Content-Length is present\n /\n supports(input: SensorInput): boolean {\n return typeof input.contentLength === 'number';\n }\n\n /\n Validates frame size against configured limits.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Load intent policy for the request\n * 2. Get maxFrameBytes from policy\n * 3. Compare against contentLength\n * 4. DENY if exceeded\n \n @param {SensorInput} input - Request with contentLength\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const maxBytes =\n this.config.get<number>('AXIS_MAX_FRAME_SIZE') \|\| 50 1024 * 1024;\n const contentLength = input.contentLength;\n\n if (typeof contentLength !== 'number') {\n return { action: 'ALLOW' };\n }\n\n if (contentLength > maxBytes) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLength} exceeds limit ${maxBytes}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { AXIS_MAGIC, AXIS_VERSION, MAX_FRAME_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor({ phase: 'PRE_DECODE' })\nexport class FrameHeaderSanitySensor implements AxisSensor {\n readonly name = 'FrameHeaderSanitySensor';\n readonly order = BAND.WIRE + 30;\n\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const peek = input.peek!;\n const contentLen = input.contentLength \|\| 0;\n\n // Check magic (first 5 bytes: AXIS1)\n if (peek.length < 5 \|\| !this.bufferEqual(peek.slice(0, 5), AXIS_MAGIC)) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: 'Frame magic is not AXIS1',\n };\n }\n\n // Check version (byte 5)\n if (peek[5] !== AXIS_VERSION) {\n return {\n action: 'DENY',\n code: 'UNSUPPORTED_VERSION',\n reason: `Unsupported version: ${peek[5]}`,\n };\n }\n\n // Check frame length against hard limit\n if (contentLen > MAX_FRAME_LEN) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLen} exceeds max ${MAX_FRAME_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n private bufferEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { MAX_HDR_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class HeaderTLVLimitSensor implements AxisSensor {\n readonly name = 'HeaderTLVLimitSensor';\n readonly order = BAND.CONTENT + 0;\n private readonly MAX_TLVS = 64;\n\n supports(input: SensorInput): boolean {\n return !!input.headerTLVs \|\| !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n if (input.headerTLVs && input.headerTLVs.size > this.MAX_TLVS) {\n return {\n action: 'DENY',\n code: 'TOO_MANY_TLVS',\n reason: `Header TLVs (${input.headerTLVs.size}) exceed max (${this.MAX_TLVS})`,\n };\n }\n\n if (input.packet && input.packet.headerBytes) {\n const hdrLen = input.packet.headerBytes.length;\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds max ${MAX_HDR_LEN}`,\n };\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n// Public intent allowlist (exact or prefix)\nconst PUBLIC_INTENT_ALLOWLIST = [\n 'public.',\n 'schema.',\n 'catalog.',\n 'health.',\n 'system.',\n];\n\n@Injectable()\n@Sensor()\nexport class IntentAllowlistSensor implements AxisSensor {\n readonly name = 'IntentAllowlistSensor';\n readonly order = BAND.IDENTITY + 20;\n\n supports(input: SensorInput): boolean {\n // Only run in post-decode phase when intent is available\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const profile = input.metadata?.profile \|\| 'PUBLIC';\n const intent = input.intent \|\| '';\n\n // PUBLIC profile: only allow whitelisted intents\n if (profile === 'PUBLIC') {\n const isAllowed = PUBLIC_INTENT_ALLOWLIST.some((prefix) =>\n intent.startsWith(prefix),\n );\n if (!isAllowed) {\n return {\n action: 'DENY',\n code: 'INTENT_NOT_ALLOWED',\n reason: `Intent '${intent}' not in public allowlist`,\n };\n }\n }\n\n // GUARDED profile: allow all intents (capability enforcement comes later)\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { IntentRouter } from '../engine/intent.router';\nimport { BAND } from '../engine/sensor-bands';\n\n/*\n IntentRegistrySensor\n \n Runs early in POST_DECODE to reject intents that have no registered handler.\n * This prevents wasting resources on sensors, decoding, and routing for\n * intents that will inevitably fail with \"Intent not found\".\n \n Order: BAND.IDENTITY + 25 (65) — right after IntentAllowlistSensor (60).\n /\n@Injectable()\n@Sensor({ phase: 'POST_DECODE' })\nexport class IntentRegistrySensor implements AxisSensor {\n readonly name = 'IntentRegistrySensor';\n readonly order = BAND.IDENTITY + 25;\n\n constructor(private readonly router: IntentRouter) {}\n\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const intent = input.intent!;\n\n if (this.router.has(intent)) {\n return { action: 'ALLOW' };\n }\n\n return {\n action: 'DENY',\n code: 'INTENT_NOT_REGISTERED',\n reason: `Intent '${intent}' is not registered`,\n };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n ProofPresenceInput,\n ProofPresenceInputZ,\n} from '../schemas/axis-schemas';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Sensor()\n@Injectable()\nexport class ProofPresenceSensor implements AxisSensor {\n readonly name = 'ProofPresenceSensor';\n readonly order = BAND.IDENTITY + 30;\n\n supports(input: ProofPresenceInput): boolean {\n return !!input.profile && !!input.visibility;\n }\n\n async run(input: ProofPresenceInput): Promise<SensorDecision> {\n // Validate input with Zod\n const validatedInput = ProofPresenceInputZ.safeParse(input);\n if (!validatedInput.success) {\n throw new AxisError(\n 'SENSOR_INVALID_INPUT',\n `Input validation failed: ${validatedInput.error.message}`,\n 400,\n );\n }\n\n const {\n visibility,\n requiredProof,\n hasCapsule,\n hasPassportSignature,\n profile,\n intent,\n } = validatedInput.data;\n\n // Public intents don't require proof\n if (visibility === 'PUBLIC') {\n return { action: 'ALLOW' };\n }\n\n // If NONE is in required proofs, allow without proof\n if (requiredProof.includes('NONE')) {\n return { action: 'ALLOW' };\n }\n\n // Check if any required proof is satisfied\n const hasCapsuleProof = requiredProof.includes('CAPSULE') && hasCapsule;\n const hasPassportProof =\n requiredProof.includes('PASSPORT') && hasPassportSignature;\n const hasNodeProof = requiredProof.includes('MTLS') && profile === 'NODE';\n\n const satisfied = hasCapsuleProof \|\| hasPassportProof \|\| hasNodeProof;\n\n if (!satisfied) {\n throw new AxisError(\n 'SENSOR_PROOF_REQUIRED',\n `Proof required for guarded intent: ${intent}`,\n 403,\n );\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger, OnModuleInit } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { ProtocolStrictInputZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport {\n AXIS_MAGIC,\n AXIS_VERSION,\n FLAG_BODY_TLV,\n FLAG_CHAIN_REQ,\n FLAG_HAS_WITNESS,\n} from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/\n Valid flag combinations for AXIS frames.\n \n Flags can be combined using bitwise OR:\n * - 0x00: No flags (basic request)\n * - FLAG_BODY_TLV: Body section contains TLV-encoded data\n * - FLAG_CHAIN_REQ: Request requires receipt chaining\n * - FLAG_HAS_WITNESS: Frame includes witness signatures\n \n Any other flag combination is considered invalid.\n /\nconst VALID_FLAGS = [\n 0x00, // No flags\n FLAG_BODY_TLV, // Body contains TLVs\n FLAG_CHAIN_REQ, // Requires receipt chaining\n FLAG_HAS_WITNESS, // Has witness signatures\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ,\n FLAG_BODY_TLV \| FLAG_HAS_WITNESS,\n FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n];\n\n/\n Protocol Strict Sensor - Binary Protocol Validation Gateway\n \n CRITICAL SECURITY COMPONENT - FIRST LINE OF DEFENSE\n \n This sensor validates the raw binary structure of incoming AXIS frames before\n * any further processing occurs. It acts as the protocol gatekeeper, ensuring\n * only well-formed, spec-compliant frames are processed by the system.\n \n Execution Order: 10 (FIRST sensor in the chain)\n \n Core Concept:\n * AXIS uses a custom binary wire format for efficiency and security. This sensor\n * validates the frame structure at the byte level, catching malformed packets\n * before they can exploit parsing vulnerabilities deeper in the stack.\n \n Frame Structure Validated:\n * ```\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| MAGIC (5 bytes: \"AXIS1\") \| VER \| FLAGS \| HDR_LEN (varint)\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY_LEN (varint) \| SIG_LEN (varint) \| HDR TLVs... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY... \| SIGNATURE... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * ```\n \n Validations Performed:\n * 1. Content-Type - Must be `application/axis-bin` or similar\n * 2. Magic Bytes - Must be \"AXIS1\" (5 bytes)\n * 3. Version - Must match AXIS_VERSION constant\n * 4. Flags - Must be a valid combination\n * 5. Varint Encoding - Must be minimal (no unnecessary bytes)\n * 6. TLV Ordering - Must be canonical (sorted by type)\n * 7. Client Version - TLV 100 should be present\n \n Security Model:\n * - Fail Closed: Invalid magic/version = DENY\n * - Flag for Minor Issues: Non-critical violations decrease trust score\n * - Defense in Depth: First of multiple validation layers\n \n Actions:\n * - `ALLOW` - Frame is well-formed and spec-compliant\n * - `DENY` - Critical protocol violation (magic, version, frame too short)\n * - `FLAG` - Minor issues that decrease trust score\n \n Performance:\n * - Validates first 20 bytes of each frame\n * - No external dependencies (pure byte validation)\n * - Latency: <1ms for typical frames\n \n @class ProtocolStrictSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid AXIS frame:\n * ```typescript\n * // Frame starts with: \"AXIS1\" + version(1) + flags(0x01) + lengths...\n * // Sensor returns: { action: 'ALLOW' }\n * ```\n \n @example\n * Invalid magic bytes:\n * ```typescript\n * // Frame starts with: \"HTTP1\" (wrong protocol)\n * // Sensor returns: {\n * // action: 'DENY',\n * // code: 'INVALID_MAGIC',\n * // reason: 'Expected AXIS1 magic, got HTTP1'\n * // }\n * ```\n \n @see {@link https://axis-spec.example.com/wire-format AXIS Wire Format Spec}\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class ProtocolStrictSensor implements AxisSensor, OnModuleInit {\n private readonly logger = new Logger(ProtocolStrictSensor.name);\n\n /* Sensor identifier for logging and registry /\n readonly name = 'ProtocolStrictSensor';\n\n /\n Execution order - FIRST sensor in the chain\n \n Order 10 ensures:\n * - Runs before any other processing\n * - Invalid frames rejected immediately\n * - Protects all downstream sensors from malformed input\n /\n readonly order = BAND.WIRE + 10;\n\n private protocolMagic: Uint8Array = AXIS_MAGIC;\n private protocolVersion = AXIS_VERSION;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Static validation for streaming middleware (Fast Check)\n /\n public static validateMagic(\n chunk: Uint8Array,\n expected: Uint8Array,\n ): { valid: boolean; actual?: string } {\n if (chunk.length < expected.length) return { valid: true }; // Not enough data yet\n const actual = chunk.subarray(0, expected.length);\n const valid = Buffer.from(actual).equals(Buffer.from(expected));\n return {\n valid,\n actual: valid ? undefined : new TextDecoder().decode(actual),\n };\n }\n\n public static validateVersion(version: number, expected: number): boolean {\n return version === expected;\n }\n\n /\n Lifecycle hook: Registers this sensor in the chain on module initialization.\n /\n onModuleInit() {\n const magicStr = this.config.get<string>('AXIS_PROTOCOL_MAGIC');\n this.protocolMagic = magicStr ? Buffer.from(magicStr, 'ascii') : AXIS_MAGIC;\n this.protocolVersion =\n this.config.get<number>('AXIS_PROTOCOL_VERSION') \|\| AXIS_VERSION;\n }\n\n /\n Evaluate protocol strictness\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const validatedInput = ProtocolStrictInputZ.safeParse(input);\n if (!validatedInput.success) {\n this.logger.error(\n `Invalid input: ${validatedInput.error.message}`,\n validatedInput.error.issues,\n );\n return {\n action: 'DENY',\n code: 'INVALID_INPUT',\n reason: 'Protocol validation input failed',\n };\n }\n\n const { contentType, peek } = validatedInput.data;\n const issues: string[] = [];\n\n // Debug: Log first 10 bytes\n if (peek.length >= 8) {\n const hex = Buffer.from(peek.subarray(0, 10)).toString('hex');\n this.logger.debug(`Raw Frame Header (Hex): ${hex} (IP: ${input.ip})`);\n }\n\n // 1. Check Content-Type header (HTTP only)\n if (contentType !== undefined) {\n if (!this.isValidContentType(contentType)) {\n issues.push(`invalid_content_type:${contentType}`);\n }\n }\n\n // Need at least 9 bytes for basic frame header (Magic:5, Ver:1, Flags:1, HLen:1, BLen:1, SLen:1)\n if (peek.length < 9) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_SHORT',\n reason: 'Frame too short for protocol header',\n };\n }\n\n // 2. Check magic bytes\n const magicCheck = ProtocolStrictSensor.validateMagic(\n peek,\n this.protocolMagic,\n );\n if (!magicCheck.valid) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: `Expected ${new TextDecoder().decode(this.protocolMagic)} magic, got ${magicCheck.actual}`,\n };\n }\n\n // 3. Check version (Offset 5)\n const version = peek[5];\n if (!ProtocolStrictSensor.validateVersion(version, this.protocolVersion)) {\n issues.push(`unsupported_version:${version}`);\n }\n\n // 4. Check flags validity (Offset 6)\n const flags = peek[6];\n if (!this.isValidFlags(flags)) {\n issues.push(`invalid_flags:0x${flags.toString(16)}`);\n }\n\n // 5. Check length encoding (varints should be minimal) - Starts at Offset 7\n if (peek.length >= 10) {\n const lengthCheck = this.checkVarintEncoding(peek.subarray(7));\n if (!lengthCheck.valid) {\n issues.push(`non_minimal_varint:${lengthCheck.reason}`);\n }\n }\n\n // 6. Check TLV ordering if we have enough data\n if (peek.length >= 20) {\n const tlvCheck = this.checkTLVOrdering(peek);\n if (!tlvCheck.valid) {\n issues.push(`tlv_not_canonical:${tlvCheck.reason}`);\n }\n\n // 7. Check Client Version (TLV 100) presence\n const hasClientVersion = await this.checkForClientVersion(peek);\n if (!hasClientVersion) {\n // Warn for now (Phase 7 Soft Rollout)\n issues.push('missing_client_version');\n }\n }\n\n // Return FLAG for minor issues, DENY for critical\n if (issues.length > 0) {\n // Check for critical issues\n const critical = issues.some(\n (i) =>\n i.startsWith('invalid_magic') \|\| i.startsWith('unsupported_version'),\n );\n\n if (critical) {\n return {\n action: 'DENY',\n code: 'PROTOCOL_VIOLATION',\n reason: issues.join(', '),\n };\n }\n\n this.logger.warn(\n `Protocol issues from ${input.ip}: ${issues.join(', ')}`,\n );\n return {\n action: 'FLAG',\n scoreDelta: -issues.length 2,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /*\n Compare two buffers for equality\n /\n private buffersEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n\n /\n Check if Content-Type is valid for AXIS\n /\n private isValidContentType(contentType: string): boolean {\n const valid = [\n 'application/axis-bin',\n 'application/octet-stream',\n 'application/x-axis',\n ];\n return valid.some((v) => contentType.toLowerCase().includes(v));\n }\n\n /\n Check if flags are a valid combination\n /\n private isValidFlags(flags: number): boolean {\n return VALID_FLAGS.includes(flags);\n }\n\n /\n Check varint encoding is minimal (no leading zeros)\n /\n private checkVarintEncoding(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n try {\n const { value, length: bytesRead } = decodeVarint(data, 0);\n\n // Check for non-minimal encoding\n // A varint should use the minimum number of bytes\n if (value < 128 && bytesRead > 1) {\n return { valid: false, reason: 'non-minimal-small-value' };\n }\n if (value < 16384 && bytesRead > 2) {\n return { valid: false, reason: 'non-minimal-medium-value' };\n }\n\n return { valid: true };\n } catch {\n return { valid: false, reason: 'varint-decode-error' };\n }\n }\n\n /\n Check TLV ordering is canonical (sorted by type, no duplicates)\n /\n private checkTLVOrdering(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n // This is a simplified check - full check would require decoding the frame\n // For now, we do a heuristic check on the first few TLVs\n\n try {\n // Skip to length section (after magic, version, flags)\n let offset = 7;\n\n // Decode header length\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n\n // Decode body length\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n\n // Decode sig length\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n // Now at HDR TLVs\n const hdrStart = offset;\n const hdrEnd = hdrStart + Number(hdrLen);\n\n if (hdrEnd > data.length) {\n return { valid: true }; // Not enough data to check\n }\n\n // Check TLV types are ascending\n let lastType = -1;\n let pos = hdrStart;\n\n while (pos < hdrEnd && pos < data.length - 2) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n\n if (pos >= hdrEnd) break;\n\n const { value: len, length: lenBytes } = decodeVarint(data, pos);\n pos += lenBytes;\n\n // Check ordering\n if (Number(type) <= lastType) {\n return {\n valid: false,\n reason: `type-${type}-after-${lastType}`,\n };\n }\n\n lastType = Number(type);\n pos += Number(len);\n }\n\n return { valid: true };\n } catch {\n return { valid: true }; // On error, don't block\n }\n }\n\n /\n Check if TLV 100 (Client Version) exists in the headers\n /\n private async checkForClientVersion(data: Uint8Array): Promise<boolean> {\n try {\n let offset = 7;\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n const hdrEnd = offset + Number(hdrLen);\n\n let pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n const { length: lenBytes } = decodeVarint(data, pos); // value not needed\n pos += lenBytes;\n\n const { value: valLen, length: valLenBytes } = decodeVarint(\n data,\n pos - lenBytes,\n ); // reread legnth\n\n // Correct interaction: varint includes bytes read.\n // decodeVarint returns { value, length } -> length is how many bytes the varint took.\n // Wait, I need to read the length value to skip.\n\n // Re-do loop structure correctly:\n // 1. Read Type\n // 2. Read Length\n // 3. Skip Value\n }\n\n // Let's use a simpler heuristic scan for now as full parse is expensive here\n // and done elsewhere. But for correctness let's do it right.\n\n pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const t = decodeVarint(data, pos);\n pos += t.length;\n const l = decodeVarint(data, pos);\n pos += l.length;\n\n if (t.value === 100) return true;\n\n pos += Number(l.value);\n }\n\n return false;\n } catch {\n return false;\n }\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class ReceiptPolicySensor implements AxisSensor {\n readonly name = 'ReceiptPolicySensor';\n readonly order = BAND.BUSINESS + 20;\n\n supports(): boolean {\n return true;\n }\n\n async run(): Promise<SensorDecision> {\n // Stub: allow. Real impl defines which intents must yield signed receipts.\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { IntentSchema, IntentSchemaZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { AxisError } from '../core/axis-error';\nimport type { TlvValidatorFn } from '../decorators/tlv-field.decorator';\n\n/\n Reads a big-endian unsigned 64-bit integer from a byte array.\n \n @param {Uint8Array} b - 8-byte array\n * @returns {bigint} The decoded integer\n * @throws {AxisError} If array is not exactly 8 bytes\n /\nfunction readU64be(b: Uint8Array): bigint {\n if (b.length !== 8)\n throw new AxisError('SCHEMA_TYPE_MISMATCH', 'u64 must be 8 bytes', 400);\n let x = 0n;\n for (const by of b) x = (x << 8n) \| BigInt(by);\n return x;\n}\n\n/\n Schema Validation Sensor - TLV Field Contract Enforcement\n \n Validates that incoming request bodies conform to the defined intent schema.\n * This ensures type safety and data integrity before handler execution.\n \n Execution Order: 170 (late in pipeline, after all auth/policy checks)\n \n Core Concept:\n * Every AXIS intent can define a schema that specifies:\n * - Required fields and their TLV types\n * - Field types (utf8, bytes, u64, bool, etc.)\n * - Size limits per field\n * - Scope (header or body)\n \n The sensor validates each field against its schema definition, rejecting\n * requests that violate the contract.\n \n Supported Field Types:\n * \| Kind \| Description \| Validation \|\n * \|------\|-------------\|------------\|\n * \| `utf8` \| UTF-8 string \| Valid UTF-8 encoding \|\n * \| `bool` \| Boolean \| 1 byte: 0x00 or 0x01 \|\n * \| `u64` \| Unsigned 64-bit int \| Exactly 8 bytes, big-endian \|\n * \| `bytes16` \| Fixed 16 bytes \| Exactly 16 bytes (UUIDs) \|\n * \| `bytes` \| Variable bytes \| Any length up to maxLen \|\n * \| `obj` \| Nested object \| (Reserved for future) \|\n * \| `arr` \| Array \| (Reserved for future) \|\n \n How It Works:\n * ```\n * 1. Validate schema structure with Zod\n * 2. For each field in schema:\n * a. Look up TLV in headers or body (based on scope)\n * b. Check if field is required\n * c. Check size against maxLen\n * d. Validate type (utf8 encoding, bool values, etc.)\n * 3. Throw AxisError on any violation\n * ```\n \n Security Model:\n * - Fail Closed: Schema violations throw errors (no silent failures)\n * - Pre-Handler: All validation happens before handler execution\n * - Type-Safe: Handlers receive type-validated data\n \n Error Codes:\n * - `SCHEMA_INVALID` - Schema itself is malformed\n * - `SCHEMA_FIELD_MISSING` - Required field not present\n * - `SCHEMA_LIMIT_EXCEEDED` - Field exceeds maxLen or max value\n * - `SCHEMA_TYPE_MISMATCH` - Field type doesn't match expected\n \n Performance:\n * - In-memory validation (no I/O)\n * - O(n) where n = number of schema fields\n * - Latency: ~1-5ms for typical schemas\n \n @class SchemaValidationSensor\n * @implements {OnModuleInit}\n \n @example\n * Valid schema validation:\n * ```typescript\n * const schema = {\n * fields: [\n * { name: 'fullName', tlv: 100, kind: 'utf8', required: true, maxLen: 256 },\n * { name: 'age', tlv: 101, kind: 'u64', max: 150 }\n * ]\n * };\n * // Body TLVs contain valid data\n * { ok: true }\n * ```\n \n @example\n * Missing required field:\n * ```typescript\n * // TLV 100 (fullName) not present in body\n * throw AxisError('SCHEMA_FIELD_MISSING',\n * 'Missing required field: fullName (TLV 100)', 400);\n * ```\n \n @see {@link IntentSchema}\n /\n@Sensor()\n@Injectable()\nexport class SchemaValidationSensor implements AxisSensor {\n /* Sensor identifier for logging and registry /\n readonly name = 'SchemaValidationSensor';\n\n /\n Execution order - runs late in the pipeline\n \n Order 170 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Data validated before handler execution\n /\n readonly order = BAND.CONTENT + 35;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when a schema is provided for the intent (post-decode phase).\n \n @param {any} input - Sensor input\n * @returns {boolean} True if schema exists in metadata\n /\n supports(input: any): boolean {\n // Only run in post-decode phase when schema is provided\n return !!input.metadata?.schema;\n }\n\n /\n Validates TLV fields against the schema definition.\n \n Validation Steps:\n * 1. Validate the schema itself using Zod\n * 2. Iterate through each field definition\n * 3. Check required fields are present\n * 4. Validate size limits (maxLen)\n * 5. Validate type-specific rules\n \n @param {any} input - Standard SensorInput\n * @returns {{ action: 'ALLOW' } \| { action: 'DENY', code: string, reason: string }} Decision\n /\n async run(\n input: any,\n ): Promise<\n { action: 'ALLOW' } \| { action: 'DENY'; code: string; reason: string }\n > {\n const schema = input.metadata?.schema as IntentSchema;\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyTLVs = input.bodyTLVs as Map<number, Uint8Array> \| undefined;\n\n // If no schema, allow (no validation needed)\n if (!schema) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 1: Validate Schema Structure ===\n const validatedSchema = IntentSchemaZ.safeParse(schema);\n if (!validatedSchema.success) {\n return {\n action: 'DENY',\n code: 'SCHEMA_INVALID',\n reason: `Schema validation failed: ${validatedSchema.error.message}`,\n };\n }\n\n // === STEP 2: Validate Each Field ===\n try {\n for (const field of schema.fields) {\n // Determine which TLV map to use (header or body)\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n\n // Get the field value from the appropriate map\n const val = map?.get(field.tlv);\n\n // === Check Required Fields ===\n if (field.required && !val) {\n throw new AxisError(\n 'SCHEMA_FIELD_MISSING',\n `Missing required field: ${field.name} (TLV ${field.tlv})`,\n 400,\n );\n }\n\n // Skip validation if field not present (and not required)\n if (!val) continue;\n\n // === Check Size Limit ===\n if (typeof field.maxLen === 'number' && val.length > field.maxLen) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `Field ${field.name} too large (${val.length} > ${field.maxLen})`,\n 413, // Payload Too Large\n );\n }\n\n // === Type-Specific Validation ===\n switch (field.kind) {\n case 'utf8':\n // Validate UTF-8 encoding\n try {\n new TextDecoder('utf-8', { fatal: true }).decode(val);\n } catch {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid UTF-8 in ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bool':\n // Boolean must be exactly 1 byte: 0x00 or 0x01\n if (val.length !== 1 \|\| (val[0] !== 0 && val[0] !== 1)) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid bool: ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'u64': {\n // Unsigned 64-bit integer (big-endian)\n const x = readU64be(val);\n\n // Check max value if specified\n if (field.max) {\n const mx = BigInt(field.max);\n if (x > mx) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `u64 ${field.name} exceeds max (${x} > ${mx})`,\n 400,\n );\n }\n }\n break;\n }\n\n case 'bytes16':\n // Fixed 16-byte field (UUIDs, IDs)\n if (val.length !== 16) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `bytes16 required for ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bytes':\n // Variable-length bytes - any length within maxLen is allowed\n break;\n\n case 'obj':\n case 'arr':\n // Nested object/array validation (reserved for future)\n // TODO: Implement nested validation\n break;\n\n default:\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Unknown schema kind: ${field.kind}`,\n 500,\n );\n }\n }\n\n // === STEP 3: Run custom @TlvValidate validators ===\n const validators = input.metadata?.validators as\n \| Map<number, TlvValidatorFn[]>\n \| undefined;\n if (validators && validators.size > 0) {\n for (const field of schema.fields) {\n const fns = validators.get(field.tlv);\n if (!fns \|\| fns.length === 0) continue;\n\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n const val = map?.get(field.tlv);\n if (!val) continue; // missing fields already handled above\n\n for (const fn of fns) {\n const error = fn(val, field.name);\n if (error) {\n throw new AxisError(\n 'SCHEMA_VALIDATION_FAILED',\n `${field.name} (TLV ${field.tlv}): ${error}`,\n 400,\n );\n }\n }\n }\n }\n } catch (err: any) {\n // Convert AxisError to DENY decision\n if (err instanceof AxisError) {\n return {\n action: 'DENY',\n code: err.code,\n reason: err.message,\n };\n }\n throw err; // Re-throw unknown errors\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n/\n Stream Scope Sensor - Topic-Level Access Control\n \n Enforces read/write permissions on stream topics. Validates that\n * the actor has appropriate access to subscribe or publish to the\n * requested stream topic.\n \n Execution Order: 200 (near execution, after all validation)\n \n Core Concept:\n * AXIS supports real-time streaming via WebSocket. Streams are organized\n * by topics (e.g., 'citizen.123.timeline', 'hub.news.updates'). This\n * sensor enforces topic-level access control:\n * - Can the actor subscribe to this topic?\n * - Can the actor publish to this topic?\n \n Topic Patterns:\n * - `citizen.{id}.timeline` - Personal timeline (owner + admin)\n * - `hub.{name}.updates` - Hub updates (members)\n * - `public.` - Public topics (anyone)\n - `admin.` - Admin topics (admins only)\n \n * How It Would Work (Full Implementation):\n * ```\n * 1. Extract topic from stream intent body\n * 2. Parse topic pattern (e.g., citizen.123.timeline)\n * 3. Determine required access (read for subscribe, write for publish)\n * 4. Check actor's permissions against topic ACL\n * 5. DENY if unauthorized, ALLOW if permitted\n * ```\n \n Stream Operations:\n * - `stream.subscribe` - Requires READ access\n * - `stream.publish` - Requires WRITE access\n * - `stream.unsubscribe` - Always allowed (cleanup)\n \n Security Model:\n * - Stub Implementation: Currently allows all\n * - Topic Isolation: Each topic has independent ACL\n * - Inheritance: Pattern-based permissions (citizen.* = citizen owner)\n \n Actions (planned):\n * - `ALLOW` - Actor has permission\n * - `DENY` - Unauthorized topic access\n \n Error Codes (planned):\n * - `STREAM_UNAUTHORIZED` - No permission for topic\n * - `STREAM_TOPIC_NOT_FOUND` - Topic doesn't exist\n \n Performance:\n * - ACL lookup: O(1) with caching\n * - Pattern matching: O(patterns)\n \n @class StreamScopeSensor\n * @implements {Sensor}\n * @implements {OnModuleInit}\n \n @example\n * Authorized subscription:\n * ```typescript\n * // Actor: user123\n * // Topic: citizen.user123.timeline\n * // Permission: owner can read own timeline\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Unauthorized subscription (planned):\n * ```typescript\n * // Actor: user456\n * // Topic: citizen.user123.timeline\n * // Permission: NOT owner\n * {\n * action: 'DENY',\n * code: 'STREAM_UNAUTHORIZED',\n * reason: 'No read access to citizen.user123.timeline'\n * }\n * ```\n \n @todo Implement topic ACL lookup and permission checking\n * @see {@link CapabilityEnforcementSensor} - Request-level capabilities\n /\n@Sensor()\n@Injectable()\nexport class StreamScopeSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'StreamScopeSensor';\n\n /\n Execution order - near handler execution\n \n Order 200 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Stream-specific check right before subscription\n /\n readonly order = BAND.BUSINESS + 0;\n\n /\n Determines if this sensor should process the given input.\n \n Currently processes all inputs.\n \n @returns {boolean} Always true\n /\n supports(): boolean {\n return true;\n }\n\n /\n Validates stream topic access permissions.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Check if intent is stream.subscribe or stream.publish\n * 2. Extract topic from body TLVs\n * 3. Parse topic into owner/resource pattern\n * 4. Look up topic ACL from database/cache\n * 5. Check if actor has required permission (read/write)\n * 6. DENY if unauthorized\n \n @returns {Promise<SensorDecision>} ALLOW (stub implementation)\n /\n async run(): Promise<SensorDecision> {\n // TODO: Implement topic scope enforcement\n //\n // Full implementation would:\n // const { intent, packet, actorId } = input;\n //\n // if (!intent?.startsWith('stream.')) {\n // return { action: 'ALLOW' }; // Not a stream intent\n // }\n //\n // const topic = extractTopicFromBody(input.bodyTLVs);\n // const operation = intent === 'stream.publish' ? 'write' : 'read';\n //\n // const acl = await this.getTopicACL(topic);\n // if (!acl.allows(actorId, operation)) {\n // return {\n // action: 'DENY',\n // code: 'STREAM_UNAUTHORIZED',\n // reason: `No ${operation} access to ${topic}`\n // };\n // }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { decodeVarint } from '../core/varint';\n\n/\n TLV Parse AxisSensor - Type-Length-Value Parsing Verification\n \n Verifies that TLV data in packets is properly formed and follows\n * canonical ordering rules. Ensures binary payload integrity before\n * field extraction.\n \n Execution Order: 160 (after policy checks, before schema validation)\n \n Validates:\n * - TLV types are ascending (canonical ordering)\n * - No duplicate TLV types\n * - Length values are accurate (no buffer overrun)\n * - Varint encoding is minimal (no padding bytes)\n * - Tag values are > 0\n \n @class TLVParseSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class TLVParseSensor implements AxisSensor {\n readonly name = 'TLVParseSensor';\n readonly order = BAND.CONTENT + 20;\n\n supports(input: SensorInput): boolean {\n return !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const packet = input.packet;\n if (!packet) return { action: 'ALLOW' };\n\n // Validate header TLVs if raw header bytes are available\n const hdrBytes: Uint8Array \| Buffer \| undefined =\n packet.hdrBytes ?? packet.headerBytes;\n if (hdrBytes && hdrBytes.length > 0) {\n const result = this.validateCanonicalTLV(hdrBytes, 'header');\n if (result) return result;\n }\n\n // Validate body TLVs if body is flagged as TLV-encoded\n const bodyBytes: Uint8Array \| Buffer \| undefined =\n packet.bodyBytes ?? input.body;\n const bodyIsTlv =\n packet.flags !== undefined ? (packet.flags & 0x01) !== 0 : false;\n\n // @Intent({ bodyProfile: 'RAW' }) explicitly skips body TLV validation\n const bodyProfile = input.metadata?.schema?.bodyProfile;\n const skipBody = bodyProfile === 'RAW';\n\n if (!skipBody && bodyIsTlv && bodyBytes && bodyBytes.length > 0) {\n const result = this.validateCanonicalTLV(bodyBytes, 'body');\n if (result) return result;\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Validates a TLV buffer for canonical ordering, no duplicates,\n * valid bounds, and minimal varint encoding.\n /\n private validateCanonicalTLV(\n buf: Uint8Array,\n section: string,\n ): SensorDecision \| null {\n let offset = 0;\n let lastType = -1;\n let count = 0;\n const maxItems = 512;\n\n while (offset < buf.length) {\n if (count >= maxItems) {\n return {\n action: 'DENY',\n code: 'TLV_LIMIT',\n reason: `Too many TLVs in ${section}`,\n };\n }\n\n // Decode TYPE varint\n let type: number;\n let typeLen: number;\n try {\n const r = decodeVarint(buf, offset);\n type = r.value;\n typeLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed type varint in ${section} at offset ${offset}`,\n };\n }\n offset += typeLen;\n\n // Tag must be > 0\n if (type <= 0) {\n return {\n action: 'DENY',\n code: 'TLV_INVALID_TAG',\n reason: `Invalid tag ${type} in ${section}`,\n };\n }\n\n // Canonical order: strictly ascending\n if (type <= lastType) {\n return {\n action: 'DENY',\n code: 'TLV_NOT_CANONICAL',\n reason: `Non-canonical tag order in ${section}: ${type} after ${lastType}`,\n };\n }\n lastType = type;\n\n // Decode LEN varint\n let len: number;\n let lenLen: number;\n try {\n const r = decodeVarint(buf, offset);\n len = r.value;\n lenLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed length varint in ${section}`,\n };\n }\n offset += lenLen;\n\n // Bounds check\n if (offset + len > buf.length) {\n return {\n action: 'DENY',\n code: 'TLV_TRUNCATED',\n reason: `TLV value truncated in ${section}`,\n };\n }\n\n offset += len;\n count++;\n }\n\n return null; // Valid\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Varint Hardening Sensor - Variable-Length Integer Overflow Protection\n \n Detects and blocks malicious varint values that could cause integer overflow\n * or excessive memory allocation. Varints in AXIS frames encode lengths and types.\n \n Execution Order: 40 (early, before length-based parsing)\n \n Core Concept:\n * AXIS uses variable-length integers (varints) to encode:\n * - Header length\n * - Body length\n * - Signature length\n * - TLV types and lengths\n \n Varints use a continuation bit (MSB) to indicate more bytes follow.\n * An attacker could send an extremely long varint (many continuation bytes)\n * to cause:\n * - Integer overflow\n * - Excessive parsing time\n * - Memory exhaustion\n \n Varint Format:\n * ```\n * Each byte: [1-bit continuation][7-bit data]\n \n Examples:\n * 127 = 0x7F (1 byte)\n * 128 = 0x80 0x01 (2 bytes)\n * 16384 = 0x80 0x80 0x01 (3 bytes)\n * ```\n \n Limit: Maximum 5 bytes per varint\n * - 5 bytes = 35 bits of data = max value ~34 billion\n * - Sufficient for any legitimate length in AXIS\n \n How It Works:\n * ```\n * 1. Skip to varint start (offset 7: after magic+version+flags)\n * 2. Count consecutive bytes with MSB set (continuation bit)\n * 3. If count > 5, reject frame\n * ```\n \n Security Model:\n * - Fail Closed: Overflow = DENY\n * - Early Detection: Before full parsing\n * - Low Cost: Simple bit check\n \n Actions:\n * - `ALLOW` - Varint within bounds\n * - `DENY` - Varint exceeds 5 bytes\n \n Error Codes:\n * - `VARINT_OVERFLOW` - Varint exceeds maximum length\n \n Performance:\n * - Bit masking: O(1) per byte\n * - Maximum 15 bytes checked\n * - Latency: <0.1ms\n \n @class VarintHardeningSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid varint:\n * ```typescript\n * // Length 16384 encoded as 0x80 0x80 0x01 (3 bytes)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Overflow attack:\n * ```typescript\n * // 6 bytes with continuation bits set\n * {\n * action: 'DENY',\n * code: 'VARINT_OVERFLOW',\n * reason: 'Varint exceeds 5 bytes'\n * }\n * ```\n \n @see {@link BodyBudgetSensor} - Uses varints for length parsing\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class VarintHardeningSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'VarintHardeningSensor';\n\n /\n Execution order - early detection\n \n Order 40 ensures:\n * - After protocol magic check\n * - Before length-based parsing\n /\n readonly order = BAND.WIRE + 35;\n\n /* Maximum allowed bytes for a single varint /\n private readonly MAX_VARINT_BYTES = 5;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 7 bytes of peeked data.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n /\n Validates varint lengths in frame header.\n \n Processing Flow:\n * 1. Skip to varint section (offset 7)\n * 2. Scan for continuation bytes (MSB = 1)\n * 3. Count consecutive continuation bytes\n * 4. DENY if count exceeds MAX_VARINT_BYTES\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on varint length\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n // After magic(5) + version(1) + flags(1), varints follow for hdrLen, bodyLen, sigLen\n const peek = input.peek!;\n const offset = 7;\n const maxOffset = Math.min(offset + 15, peek.length);\n\n // Count consecutive bytes with continuation bit set (MSB = 1)\n let continuationCount = 0;\n for (let i = offset; i < maxOffset; i++) {\n if ((peek[i] & 0x80) !== 0) {\n continuationCount++;\n if (continuationCount > this.MAX_VARINT_BYTES) {\n return {\n action: 'DENY',\n code: 'VARINT_OVERFLOW',\n reason: `Varint exceeds ${this.MAX_VARINT_BYTES} bytes`,\n };\n }\n } else {\n // End of current varint - reset for next\n continuationCount = 0;\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","export from './axis-tlv-codec';\n","import {\n buildTLVs,\n extractDtoSchema,\n} from '../index';\nimport type { IntentTlvField } from '../decorators/intent.decorator';\n\ntype AxisTlvDtoCtor<T = object> = new (...args: never[]) => T;\n\nexport function encodeAxisTlvDto<T extends object>(\n dtoClass: AxisTlvDtoCtor<T>,\n data: Partial<Record<keyof T, unknown>>,\n): Uint8Array {\n const schema = extractDtoSchema(dtoClass);\n const items = schema.fields.flatMap((field) => {\n const value = (data as Record<string, unknown>)[field.name];\n if (value === undefined \|\| value === null) {\n if (field.required) {\n throw new Error(`Missing required TLV response field: ${field.name}`);\n }\n return [];\n }\n\n return [{ type: field.tag, value: encodeField(field, value) }];\n });\n\n return buildTLVs(items);\n}\n\nfunction encodeField(field: IntentTlvField, value: unknown): Buffer {\n switch (field.kind) {\n case 'utf8':\n return Buffer.from(String(value), 'utf8');\n case 'u64':\n return encodeU64(value);\n case 'bytes':\n case 'bytes16':\n return toBuffer(value);\n case 'bool':\n return Buffer.from([value ? 1 : 0]);\n case 'obj':\n case 'arr':\n return Buffer.from(JSON.stringify(value), 'utf8');\n default:\n return toBuffer(value);\n }\n}\n\nfunction encodeU64(value: unknown): Buffer {\n const encoded = Buffer.alloc(8);\n encoded.writeBigUInt64BE(\n typeof value === 'bigint' ? value : BigInt(value as number \| string),\n );\n return encoded;\n}\n\nfunction toBuffer(value: unknown): Buffer {\n if (Buffer.isBuffer(value)) {\n return value;\n }\n if (value instanceof Uint8Array) {\n return Buffer.from(value);\n }\n if (typeof value === 'string') {\n return Buffer.from(value, 'utf8');\n }\n\n throw new Error(`Unsupported TLV bytes value: ${typeof value}`);\n}"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,oBAAwC;AAEjC,IAAM,uBAAuB;AAO7B,SAAS,QAAQ,QAAiC;AACvD,SAAO,CAAC,WAAqB;AAC3B,mCAAY,sBAAsB,EAAE,OAAO,CAAC,EAAE,MAAM;AACpD,kCAAW,EAAE,MAAa;AAAA,EAC5B;AACF;;;ACdA,8BAAO;AAEA,IAAM,sBAAsB;AAC5B,IAAM,oBAAoB;AA8E1B,SAAS,OACd,QACA,SACiB;AACjB,SAAO,CAAC,QAAQ,gBAAgB;AAE9B,YAAQ;AAAA,MACN;AAAA,MACA,EAAE,QAAQ,QAAQ,GAAG,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAGA,UAAM,SACJ,QAAQ,YAAY,mBAAmB,OAAO,WAAW,KAAK,CAAC;AACjE,WAAO,KAAK;AAAA,MACV;AAAA,MACA,YAAY;AAAA,MACZ,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,MAChB,MAAM,SAAS;AAAA,MACf,aAAa,SAAS;AAAA,MACtB,KAAK,SAAS;AAAA,MACd,KAAK,SAAS;AAAA,IAChB,CAAC;AACD,YAAQ,eAAe,mBAAmB,QAAQ,OAAO,WAAW;AAAA,EACtE;AACF;;;AC7GA,IAAAA,2BAAO;AAEA,IAAM,kBAAkB;AAQxB,SAAS,WAAW,SAAgD;AACzE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,iBAAiB,SAAS,QAAQ,WAAW;AAAA,EACtE;AACF;;;ACdA,IAAAC,2BAAO;AAEA,IAAM,qBAAqB;AAM3B,SAAS,cAAc,SAAsC;AAClE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,oBAAoB,SAAS,QAAQ,WAAW;AAAA,EACzE;AACF;;;ACZA,IAAAC,2BAAO;AAEA,IAAM,iBAAiB;AACvB,IAAM,qBAAqB;AAuE3B,SAAS,SACd,KACA,SACmB;AACnB,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,WACJ,QAAQ,eAAe,gBAAgB,OAAO,WAAW,KAAK,CAAC;AAEjE,aAAS,KAAK;AAAA,MACZ,UAAU,OAAO,WAAW;AAAA,MAC5B;AAAA,MACA;AAAA,IACF,CAAC;AAED,YAAQ,eAAe,gBAAgB,UAAU,OAAO,WAAW;AAAA,EACrE;AACF;AAUO,SAAS,YAAY,WAA8C;AACxE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,WACJ,QAAQ,eAAe,oBAAoB,OAAO,WAAW,KAAK,CAAC;AAErE,UAAM,OAAO,OAAO,WAAW;AAC/B,QAAI,QAAQ,SAAS,KAAK,CAAC,MAAM,EAAE,aAAa,IAAI;AAEpD,QAAI,CAAC,OAAO;AACV,cAAQ,EAAE,UAAU,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE;AACjD,eAAS,KAAK,KAAK;AAAA,IACrB;AAEA,UAAM,WAAW,KAAK,SAAS;AAE/B,YAAQ,eAAe,oBAAoB,UAAU,OAAO,WAAW;AAAA,EACzE;AACF;AAOO,SAAS,eACd,SACA,SACmB;AACnB,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,UAAM,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG;AACxC,WAAO,QAAQ,KAAK,GAAG,IACnB,OACA,WAAW,GAAG,IAAI;AAAA,EACxB,CAAC;AACH;AAKO,SAAS,UAAU,KAAa,SAAqC;AAC1E,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,WAAO,IAAI,UAAU,MACjB,OACA,WAAW,GAAG,IAAI,gBAAgB,IAAI,MAAM,MAAM,GAAG;AAAA,EAC3D,CAAC;AACH;AAKO,SAAS,QACd,SACA,SACmB;AACnB,QAAM,MAAM,IAAI,IAAI,OAAO;AAC3B,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,UAAM,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG;AACxC,WAAO,IAAI,IAAI,GAAG,IACd,OACA,WAAW,GAAG,IAAI,qBAAqB,QAAQ,KAAK,IAAI,CAAC;AAAA,EAC/D,CAAC;AACH;AAKO,SAAS,SACd,KACA,KACA,SACmB;AACnB,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,QAAI,IAAI,WAAW,EAAG,QAAO,GAAG,IAAI;AACpC,QAAI,IAAI;AACR,eAAW,KAAK,IAAK,KAAK,KAAK,KAAM,OAAO,CAAC;AAC7C,QAAI,IAAI,OAAO,IAAI,KAAK;AACtB,aAAO,WAAW,GAAG,IAAI,WAAW,CAAC,kBAAkB,GAAG,KAAK,GAAG;AAAA,IACpE;AACA,WAAO;AAAA,EACT,CAAC;AACH;;;ACpLA,IAAAC,2BAAO;;;ACAP,2BAEO;;;ADoBA,SAAS,iBAAiB,KAA0B;AACzD,QAAM,aACJ,QAAQ,YAAY,gBAAgB,GAAG,KAAK,CAAC;AAE/C,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,aAAa,IAAI,IAAI;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,YAAY,oBAAI,IAAoB;AAC1C,QAAM,SAA2B,WAAW,IAAI,CAAC,MAAM;AACrD,cAAU,IAAI,EAAE,UAAU,EAAE,GAAG;AAC/B,WAAO;AAAA,MACL,MAAM,EAAE;AAAA,MACR,KAAK,EAAE;AAAA,MACP,MAAM,EAAE,QAAQ;AAAA,MAChB,UAAU,EAAE,QAAQ;AAAA,MACpB,QAAQ,EAAE,QAAQ;AAAA,MAClB,KAAK,EAAE,QAAQ;AAAA,MACf,OAAO,EAAE,QAAQ;AAAA,IACnB;AAAA,EACF,CAAC;AAED,QAAM,iBACJ,QAAQ,YAAY,oBAAoB,GAAG,KAAK,CAAC;AAEnD,QAAM,aAAa,oBAAI,IAA8B;AACrD,aAAW,MAAM,gBAAgB;AAC/B,UAAM,MAAM,UAAU,IAAI,GAAG,QAAQ;AACrC,QAAI,QAAQ,QAAW;AACrB,YAAM,IAAI;AAAA,QACR,mBAAmB,IAAI,IAAI,IAAI,GAAG,QAAQ;AAAA,MAC5C;AAAA,IACF;AACA,OAAG,MAAM;AACT,eAAW,IAAI,KAAK,GAAG,UAAU;AAAA,EACnC;AAEA,SAAO,EAAE,QAAQ,WAAW;AAC9B;AAgBO,SAAS,gBACd,KAC4C;AAC5C,QAAM,aACJ,QAAQ,YAAY,gBAAgB,GAAG,KAAK,CAAC;AAE/C,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,aAAa,IAAI,IAAI;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,SAAS,oBAAI,IAAgD;AACnE,aAAW,KAAK,YAAY;AAC1B,WAAO,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,MAAM,EAAE,QAAQ,KAAK,CAAC;AAAA,EAClE;AAEA,SAAO,CAAC,cAA2C;AACjD,UAAMC,cAAS,iCAAW,IAAI,WAAW,SAAS,CAAC;AACnD,UAAM,SAA8B,CAAC;AAErC,eAAW,CAAC,KAAK,GAAG,KAAKA,SAAQ;AAC/B,YAAM,OAAO,OAAO,IAAI,GAAG;AAC3B,UAAI,CAAC,KAAM;AAEX,cAAQ,KAAK,MAAM;AAAA,QACjB,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI,IAAI,YAAY,EAAE,OAAO,GAAG;AACpD;AAAA,QACF,KAAK,OAAO;AACV,cAAI,IAAI;AACR,mBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,gBAAK,KAAK,KAAM,OAAO,IAAI,CAAC,CAAC;AAAA,UAC/B;AACA,iBAAO,KAAK,QAAQ,IAAI;AACxB;AAAA,QACF;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI;AACxB;AAAA,QACF,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI,IAAI,SAAS,KAAK,IAAI,CAAC,MAAM;AACrD;AAAA,QACF,KAAK;AAAA,QACL,KAAK;AACH,iBAAO,KAAK,QAAQ,IAAI,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG,CAAC;AAChE;AAAA,QACF;AACE,iBAAO,KAAK,QAAQ,IAAI;AAAA,MAC5B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AE5HO,IAAe,aAAf,MAA0B;AAAC;;;ACN3B,IAAM,YAAN,cAAwB,WAAW;AAI1C;AADE;AAAA,EAFC,SAAS,GAAG,EAAE,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI,CAAC;AAAA,EACzD,UAAU,GAAG,sBAAsB;AAAA,GAFzB,UAGX;;;ACNF,IAAAC,2BAAO;AAyBA,SAAS,gBACd,SAC+D;AAAA,EAC/D,MAAM,mBAAoB,QAAgB;AAAA,EAAC;AAE3C,QAAM,SACJ,QAAQ,eAAe,gBAAgB,OAAO,KAAK,CAAC;AAEtD,QAAM,gBAAgC,OAAO,IAAI,CAAC,OAAO;AAAA,IACvD,UAAU,EAAE;AAAA,IACZ,KAAK,EAAE;AAAA,IACP,SAAS,EAAE,GAAG,EAAE,SAAS,UAAU,MAAM;AAAA,EAC3C,EAAE;AAEF,UAAQ,eAAe,gBAAgB,eAAe,UAAU;AAEhE,QAAM,aACJ,QAAQ,eAAe,oBAAoB,OAAO,KAAK,CAAC;AAE1D,MAAI,WAAW,SAAS,GAAG;AACzB,YAAQ,eAAe,oBAAoB,CAAC,GAAG,UAAU,GAAG,UAAU;AAAA,EACxE;AAEA,SAAO,eAAe,YAAY,QAAQ;AAAA,IACxC,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC/B,CAAC;AAED,SAAO;AACT;;;AC5CO,IAAM,kBAAkB;AACxB,IAAM,0BAA0B;AAChC,IAAM,0BAA0B;AAChC,IAAM,0BAA0B;AAChC,IAAM,0BAA0B;AAWhC,IAAe,kBAAf,cAAuC,WAAW;AAezD;AAbE;AAAA,EADC,SAAS,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAAA,GADvB,gBAEpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,MAAM,CAAC;AAAA,GAJ9B,gBAKpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,MAAM,CAAC;AAAA,GAP9B,gBAQpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,OAAO,CAAC;AAAA,GAV/B,gBAWpB;AAGA;AAAA,EADC,SAAS,yBAAyB,EAAE,MAAM,OAAO,CAAC;AAAA,GAb/B,gBAcpB;;;ACtCF,IAAAC,iBAA6C;;;ACqItC,IAAK,WAAL,kBAAKC,cAAL;AACL,EAAAA,UAAA,WAAQ;AACR,EAAAA,UAAA,UAAO;AACP,EAAAA,UAAA,cAAW;AACX,EAAAA,UAAA,UAAO;AAJG,SAAAA;AAAA,GAAA;AAoEL,SAAS,wBACd,gBACwB;AAExB,MAAI,YAAY,gBAAgB;AAE9B,YAAQ,eAAe,QAAQ;AAAA,MAC7B,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,eAAe,MAAM,eAAe,MAAM,EAAE;AAAA,YACpD;AAAA,UACF;AAAA,UACA,MAAM,eAAe;AAAA,UACrB,cAAc,eAAe;AAAA,QAC/B;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,YAAY;AAAA,UACtB,cAAc,eAAe;AAAA,UAC7B,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW,eAAe;AAAA,UAC1B,SAAS,eAAe;AAAA,UACxB,MAAM,eAAe;AAAA,QACvB;AAAA,IACJ;AAAA,EACF;AAGA,SAAO;AAAA,IACL,OAAO,eAAe;AAAA,IACtB,WAAW,eAAe;AAAA,IAC1B,SAAS,eAAe;AAAA,IACxB,MAAM,eAAe;AAAA,IACrB,MAAM,eAAe;AAAA,IACrB,SAAS,eAAe;AAAA,IACxB,cAAc,eAAe;AAAA,EAC/B;AACF;AAKO,IAAM,kBAAkB;AAAA,EAC7B,MAAM,MAAY,MAA4C;AAC5D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX,SAAS,CAAC;AAAA,MACV;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,KAAK,MAAc,QAAiB,MAA4B;AAC9D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX;AAAA,MACA,SAAS,CAAC,MAAM,MAAM,EAAE,OAAO,OAAO;AAAA,MACtC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,SAAS,cAAsB,MAA4B;AACzD,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX;AAAA,MACA,MAAM;AAAA,MACN,SAAS,CAAC,YAAY;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAAA,EAEA,KAAK,YAAoB,SAAmB,MAA4B;AACtE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,OAAO;AAAA,MACP,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;ADtOO,IAAM,eAAN,MAAmB;AAAA,EA+BxB,YAAyC,WAAuB;AAAvB;AA9BzC,SAAiB,SAAS,IAAI,sBAAO,aAAa,IAAI;AAatD;AAAA,SAAQ,WAAW,oBAAI,IAAiB;AAGxC;AAAA,SAAQ,gBAAgB,oBAAI,IAAwB;AAGpD;AAAA,SAAQ,iBAAiB,oBAAI,IAAkC;AAG/D;AAAA,SAAQ,gBAAgB,oBAAI,IAA0B;AAGtD;AAAA,SAAQ,mBAAmB,oBAAI,IAA2C;AAG1E;AAAA,SAAQ,cAAc,oBAAI,IAAwB;AAAA,EAEe;AAAA,EAEjE,UAAU,QAA0C;AAClD,WAAO,KAAK,cAAc,IAAI,MAAM;AAAA,EACtC;AAAA,EAEA,cAAc,QAA2D;AACvE,WAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,EACzC;AAAA,EAEA,IAAI,QAAyB;AAC3B,WACE,KAAK,SAAS,IAAI,MAAM,KAAK,aAAa,gBAAgB,IAAI,MAAM;AAAA,EAExE;AAAA,EAEA,uBAAiC;AAC/B,WAAO,CAAC,GAAG,aAAa,iBAAiB,GAAG,KAAK,SAAS,KAAK,CAAC;AAAA,EAClE;AAAA,EAEA,eAAe,QAMN;AACP,QAAI,CAAC,KAAK,IAAI,MAAM,EAAG,QAAO;AAC9B,WAAO;AAAA,MACL,QAAQ,KAAK,cAAc,IAAI,MAAM;AAAA,MACrC,YAAY,KAAK,iBAAiB,IAAI,MAAM;AAAA,MAC5C,YAAY,KAAK,cAAc,IAAI,MAAM;AAAA,MACzC,SAAS,aAAa,gBAAgB,IAAI,MAAM;AAAA,MAChD,MAAM,KAAK,YAAY,IAAI,MAAM;AAAA,IACnC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,SAAS,QAAgB,SAAc;AACrC,SAAK,SAAS,IAAI,QAAQ,OAAO;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,gBAAgB,UAAe;AAC7B,UAAM,cAAc,QAAQ;AAAA,MAC1B;AAAA,MACA,SAAS;AAAA,IACX;AACA,UAAM,SAA6B,aAAa,UAAU,SAAS;AAEnE,UAAM,SACJ,QAAQ,YAAY,mBAAmB,SAAS,WAAW,KAAK,CAAC;AAEnE,eAAW,SAAS,QAAQ;AAC1B,YAAM,aAAa,MAAM,WACrB,MAAM,SACN,GAAG,MAAM,IAAI,MAAM,MAAM;AAC7B,YAAM,KAAK,SAAS,MAAM,UAAU,EAAE,KAAK,QAAQ;AAEnD,UAAI,MAAM,OAAO;AACf,aAAK,SAAS,YAAY,EAAE,QAAQ,GAAG,CAAC;AAAA,MAC1C,OAAO;AACL,aAAK,SAAS,YAAY,EAAE;AAAA,MAC9B;AAEA,WAAK,mBAAmB,YAAY,OAAO,eAAe,QAAQ,GAAG,OAAO,MAAM,UAAU,CAAC;AAAA,IAC/F;AAEA,UAAM,QAAQ,OAAO,eAAe,QAAQ;AAC5C,eAAW,OAAO,OAAO,oBAAoB,KAAK,GAAG;AACnD,YAAM,OAAO,QAAQ,YAAY,qBAAqB,OAAO,GAAG;AAChE,UAAI,CAAC,MAAM,OAAQ;AAEnB,UAAI,CAAC,KAAK,SAAS,IAAI,KAAK,MAAM,GAAG;AACnC,aAAK,SAAS,KAAK,QAAS,SAAiB,GAAG,EAAE,KAAK,QAAQ,CAAC;AAAA,MAClE;AAEA,WAAK,mBAAmB,KAAK,QAAQ,OAAO,GAAG;AAAA,IACjD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,MAAM,OAAuC;AACjD,UAAM,QAAQ,QAAQ,OAAO;AAC7B,QAAI,SAAS;AAEb,QAAI;AAEF,YAAM,cAAc,MAAM,QAAQ,IAAI,CAAC;AACvC,UAAI,CAAC,YAAa,OAAM,IAAI,MAAM,gBAAgB;AAClD,eAAS,IAAI,YAAY,EAAE,OAAO,WAAW;AAE7C,UAAI;AAEJ,UAAI,WAAW,iBAAiB,WAAW,eAAe;AACxD,aAAK,OAAO,MAAM,eAAe;AACjC,iBAAS;AAAA,UACP,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,SAAS,oBAAI,IAAI;AAAA,YACf,CAAC,KAAK,IAAI,YAAY,EAAE,OAAO,iBAAiB,CAAC;AAAA,UACnD,CAAC;AAAA,UACD,MAAM,IAAI,YAAY,EAAE;AAAA,YACtB,KAAK,UAAU;AAAA,cACb,QAAQ;AAAA,cACR,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,cAClC,SAAS;AAAA,YACX,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF,WAAW,WAAW,eAAe;AACnC,cAAM,KAAK,KAAK,IAAI,EAAE,SAAS;AAC/B,iBAAS;AAAA,UACP,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,MAAM,IAAI,YAAY,EAAE;AAAA,YACtB,KAAK,UAAU;AAAA,cACb;AAAA,cACA,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,YAC9B,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF,WAAW,WAAW,eAAe;AACnC,iBAAS;AAAA,UACP,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,MAAM,MAAM;AAAA,QACd;AAAA,MACF,WAAW,WAAW,iBAAiB,WAAW,oBAAoB;AAEpE,YAAI;AACF,gBAAM,WAAW,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI,CAAC;AAChE,gBAAM,cAAc,SAAS;AAC7B,gBAAM,YAAY,SAAS,QAAQ,CAAC;AAEpC,cAAI,CAAC,aAAa;AAChB,kBAAM,IAAI,MAAM,kCAAkC;AAAA,UACpD;AAEA,eAAK,OAAO,MAAM,kCAAkC,WAAW,GAAG;AAElE,gBAAM,aAAwB;AAAA,YAC5B,GAAG;AAAA,YACH,SAAS,IAAI,IAAI,MAAM,OAAO;AAAA,YAC9B,MAAM,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,SAAS,CAAC;AAAA,UAC1D;AACA,qBAAW,QAAQ,IAAI,GAAG,IAAI,YAAY,EAAE,OAAO,WAAW,CAAC;AAE/D,iBAAO,MAAM,KAAK,MAAM,UAAU;AAAA,QACpC,SAAS,GAAQ;AACf,gBAAM,IAAI,MAAM,kCAAkC,EAAE,OAAO,EAAE;AAAA,QAC/D;AAAA,MACF,OAAO;AACL,cAAM,UAAU,KAAK,SAAS,IAAI,MAAM;AACxC,YAAI,CAAC,SAAS;AACZ,gBAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;AAAA,QAC/C;AAEA,cAAM,gBAAgB,KAAK,cAAc,IAAI,MAAM;AACnD,YAAI,iBAAiB,cAAc,SAAS,GAAG;AAC7C,gBAAM,KAAK,iBAAiB,eAAe,QAAQ,KAAK;AAAA,QAC1D;AAEA,cAAM,UAAU,KAAK,eAAe,IAAI,MAAM;AAC9C,YAAI,cAAmB,MAAM;AAC7B,YAAI,SAAS;AACX,cAAI;AACF,0BAAc,QAAQ,OAAO,KAAK,MAAM,IAAI,CAAC;AAAA,UAC/C,SAAS,WAAgB;AACvB,kBAAM,IAAI;AAAA,cACR,gCAAgC,MAAM,KAAK,UAAU,OAAO;AAAA,YAC9D;AAAA,UACF;AAAA,QACF;AAEA,YAAI,OAAO,YAAY,YAAY;AACjC,gBAAM,aAAa,UACf,MAAM,QAAQ,aAAa,MAAM,OAAO,IACxC,MAAM,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC3C,mBAAS;AAAA,YACP,IAAI;AAAA,YACJ,QAAQ;AAAA,YACR,MAAM;AAAA,UACR;AAAA,QACF,OAAO;AACL,cAAI,OAAQ,QAAgB,WAAW,YAAY;AACjD,qBAAS,MAAO,QAAgB,OAAO,KAAK;AAAA,UAC9C,WAAW,OAAQ,QAAgB,YAAY,YAAY;AACzD,kBAAM,UAAU,UACZ,MAAO,QAAgB,QAAQ,aAAa,MAAM,OAAO,IACzD,MAAO,QAAgB,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC5D,qBAAS;AAAA,cACP,IAAI;AAAA,cACJ,QAAQ;AAAA,cACR,MAAM;AAAA,YACR;AAAA,UACF,OAAO;AACL,kBAAM,IAAI;AAAA,cACR,eAAe,MAAM;AAAA,YACvB;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAEA,WAAK,UAAU,QAAQ,OAAO,IAAI;AAClC,aAAO;AAAA,IACT,SAAS,GAAQ;AACf,WAAK,UAAU,QAAQ,OAAO,OAAO,EAAE,OAAO;AAC9C,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEQ,UACN,QACA,OACA,IACA,OACA;AACA,UAAM,OAAO,QAAQ,OAAO,KAAK;AACjC,UAAM,MAAM,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC;AACpD,QAAI,IAAI;AACN,WAAK,OAAO,MAAM,GAAG,MAAM,iBAAiB,EAAE,IAAI;AAAA,IACpD,OAAO;AACL,WAAK,OAAO,KAAK,GAAG,MAAM,cAAc,EAAE,QAAQ,KAAK,EAAE;AAAA,IAC3D;AAAA,EACF;AAAA,EAEA,mBAAmB,QAAgB,OAAe,YAA0B;AAC1E,UAAM,UAAU,QAAQ,YAAY,iBAAiB,OAAO,UAAU;AACtE,QAAI,SAAS;AACX,WAAK,eAAe,IAAI,QAAQ,OAAO;AAAA,IACzC;AAEA,UAAM,UAAU,QAAQ,YAAY,oBAAoB,OAAO,UAAU;AACzE,QAAI,WAAW,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAC3D,WAAK,cAAc,IAAI,QAAQ,OAAO;AAAA,IACxC;AAEA,UAAM,OAAO,QAAQ,YAAY,qBAAqB,OAAO,UAAU;AACvE,QAAI,MAAM;AACR,WAAK,YAAY,IAAI;AACrB,UAAI,KAAK,MAAM;AACb,aAAK,YAAY,IAAI,QAAQ,KAAK,IAAI;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,iBACZ,eACA,QACA,OACe;AACf,QAAI,CAAC,KAAK,UAAW;AAErB,eAAW,eAAe,eAAe;AACvC,UAAI;AACJ,UAAI;AACF,iBAAS,KAAK,UAAU,IAAI,aAAoB,EAAE,QAAQ,MAAM,CAAC;AAAA,MACnE,QAAQ;AACN,aAAK,OAAO;AAAA,UACV,qCAAqC,YAAY,IAAI,QAAQ,MAAM;AAAA,QACrE;AACA;AAAA,MACF;AAEA,YAAM,cAA2B;AAAA,QAC/B,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,YAAY,MAAM;AAAA,QAClB,UAAU,EAAE,OAAO,UAAU,OAAO;AAAA,MACtC;AAEA,UAAI,OAAO,YAAY,CAAC,OAAO,SAAS,WAAW,EAAG;AAEtD,YAAM,WAAW,wBAAwB,MAAM,OAAO,IAAI,WAAW,CAAC;AACtE,UAAI,CAAC,SAAS,OAAO;AACnB,cAAM,SAAS,SAAS,QAAQ,CAAC,KAAK,GAAG,OAAO,IAAI;AACpD,aAAK,OAAO;AAAA,UACV,iBAAiB,OAAO,IAAI,WAAW,MAAM,KAAK,MAAM;AAAA,QAC1D;AACA,cAAM,IAAI,MAAM,eAAe,MAAM,EAAE;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,YAAY,MAMX;AACP,QAAI,KAAK,KAAK;AACZ,UAAI,KAAK,OAAO,KAAK,IAAI,SAAS,GAAG;AACnC,aAAK,OAAO;AAAA,UACV,GAAG,KAAK,MAAM;AAAA,QAChB;AAAA,MACF;AAEA,YAAM,YAAY,iBAAiB,KAAK,GAAG;AAC3C,YAAMC,UAAuB;AAAA,QAC3B,QAAQ,KAAK;AAAA,QACb,SAAS;AAAA,QACT,aAAa,KAAK,eAAe;AAAA,QACjC,QAAQ,UAAU,OAAO,IAAI,CAAC,OAAO;AAAA,UACnC,MAAM,EAAE;AAAA,UACR,KAAK,EAAE;AAAA,UACP,MAAM,EAAE;AAAA,UACR,UAAU,EAAE;AAAA,UACZ,QAAQ,EAAE;AAAA,UACV,KAAK,EAAE;AAAA,UACP,OAAO,EAAE;AAAA,QACX,EAAE;AAAA,MACJ;AAEA,WAAK,cAAc,IAAI,KAAK,QAAQA,OAAM;AAE1C,UAAI,UAAU,WAAW,OAAO,GAAG;AACjC,aAAK,iBAAiB,IAAI,KAAK,QAAQ,UAAU,UAAU;AAAA,MAC7D;AAEA,UAAI,CAAC,KAAK,eAAe,IAAI,KAAK,MAAM,GAAG;AACzC,aAAK,eAAe,IAAI,KAAK,QAAQ,gBAAgB,KAAK,GAAG,CAAC;AAAA,MAChE;AAEA;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,OAAO,KAAK,IAAI,WAAW,EAAG;AAExC,UAAM,SAAuB;AAAA,MAC3B,QAAQ,KAAK;AAAA,MACb,SAAS;AAAA,MACT,aAAa,KAAK,eAAe;AAAA,MACjC,QAAQ,KAAK,IAAI,IAAI,CAAC,OAAO;AAAA,QAC3B,MAAM,EAAE;AAAA,QACR,KAAK,EAAE;AAAA,QACP,MAAM,EAAE;AAAA,QACR,UAAU,EAAE;AAAA,QACZ,QAAQ,EAAE;AAAA,QACV,KAAK,EAAE;AAAA,QACP,OAAO,EAAE;AAAA,MACX,EAAE;AAAA,IACJ;AAEA,SAAK,cAAc,IAAI,KAAK,QAAQ,MAAM;AAAA,EAC5C;AACF;AAAA;AApZa,aAIa,kBAAkB,oBAAI,IAAI;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAXU,eAAN;AAAA,MADN,2BAAW;AAAA,EAgCG,gDAAS;AAAA,GA/BX;;;AEjEb,SAAS,UAAU,OAAyB;AAC1C,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAAA,EAC5C;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,UAAU,OAAO,QAAQ,KAAgC,EAC5D,OAAO,CAAC,CAAC,EAAE,MAAM,MAAM,WAAW,MAAS,EAC3C,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,MAAM,KAAK,cAAc,KAAK,CAAC;AAEtD,UAAM,aAAsC,CAAC;AAC7C,eAAW,CAAC,KAAK,MAAM,KAAK,SAAS;AACnC,iBAAW,GAAG,IAAI,UAAU,MAAM;AAAA,IACpC;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,oBAAoB,OAAwB;AAC1D,SAAO,KAAK,UAAU,UAAU,KAAK,CAAC;AACxC;;;ACtBO,SAAS,kBACd,aACA,cACA,UACA,WACyB;AACzB,QAAM,MAAM,KAAK,IAAI;AAErB,SAAO;AAAA,IACL,GAAG;AAAA,IACH;AAAA,IACA,UAAU,WAAW,SAAS,WAAW,IAAI;AAAA,IAC7C,iBAAiB,UAAU,mBAAmB;AAAA,IAC9C,gBAAgB;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,mBAAmB,SAA0C;AAC3E,SAAO,KAAK,UAAU,OAAO;AAC/B;AAEO,SAAS,mBACd,KACgC;AAChC,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,QAAI,CAAC,UAAU,OAAO,MAAM,KAAK,CAAC,OAAO,aAAa,IAAI;AACxD,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB,KAAoC;AACrE,MAAI,CAAC,MAAM,QAAQ,GAAG,GAAG;AACvB,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,UAAoC,CAAC;AAC3C,aAAW,aAAa,KAAK;AAC3B,QAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,UAAU,SAAS,GAAG;AACrD;AAAA,IACF;AAEA,UAAM,cAAc,UAAU,CAAC;AAC/B,QAAI,CAAC,MAAM,QAAQ,WAAW,GAAG;AAC/B;AAAA,IACF;AAEA,eAAW,OAAO,aAAa;AAC7B,UAAI,CAAC,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,GAAG;AACzC;AAAA,MACF;AAEA,YAAM,KAAK,OAAO,IAAI,CAAC,CAAC;AACxB,YAAM,SAAS,MAAM,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;AACjD,YAAM,WAAW,YAAY,MAAM;AACnC,YAAM,UAAU,SAAS,IAAI,SAAS;AACtC,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,YAAM,UAAU,mBAAmB,OAAO;AAC1C,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,cAAQ,KAAK,EAAE,IAAI,QAAQ,CAAC;AAAA,IAC9B;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,sBAAsB,KAAoC;AACxE,MAAI,CAAC,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,GAAG;AACzC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,OAAO,MAAM,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;AAC/C,SAAO,mBAAmB,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC;AAC9C;AAEA,SAAS,YAAY,QAAoC;AACvD,QAAMC,OAAM,oBAAI,IAAoB;AACpC,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK,GAAG;AACzC,UAAM,MAAM,OAAO,CAAC;AACpB,UAAM,QAAQ,OAAO,IAAI,CAAC;AAC1B,QAAI,QAAQ,UAAa,UAAU,QAAW;AAC5C,MAAAA,KAAI,IAAI,OAAO,GAAG,GAAG,OAAO,KAAK,CAAC;AAAA,IACpC;AAAA,EACF;AACA,SAAOA;AACT;;;ACzGA,oBAA2B;AAsCpB,SAAS,wBAAwB,KAA8B;AACpE,QAAM,MAA+B;AAAA,IACnC,IAAI,IAAI;AAAA,IACR,SAAS,IAAI;AAAA,IACb,OAAO,IAAI;AAAA,IACX,WAAW,IAAI;AAAA,IACf,IAAI,IAAI;AAAA,IACR,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;AAAA,IACb,WAAW,IAAI;AAAA,IACf,UAAU,IAAI;AAAA,IACd,YAAY,IAAI;AAAA,IAChB,YAAY,IAAI;AAAA,IAChB,YAAY,IAAI;AAAA,IAChB,QAAQ,IAAI,OAAO,IAAI,CAAC,OAAO;AAAA,MAC7B,MAAM,EAAE;AAAA,MACR,QAAQ,EAAE;AAAA,MACV,SAAS,EAAE;AAAA,MACX,OAAO,EAAE;AAAA,MACT,YAAY,EAAE;AAAA,MACd,QAAQ,EAAE;AAAA,MACV,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,IACF,SAAS,IAAI,QAAQ,IAAI,CAAC,OAAO;AAAA,MAC/B,MAAM,EAAE;AAAA,MACR,SAAS,EAAE;AAAA,MACX,WAAW,EAAE;AAAA,MACb,YAAY,EAAE;AAAA,MACd,SAAS,EAAE;AAAA,MACX,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,EACJ;AAEA,SAAO,oBAAoB,GAAG;AAChC;AAKO,SAAS,gBAAgB,KAA8B;AAC5D,QAAM,YAAY,wBAAwB,GAAG;AAC7C,aAAO,0BAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO,KAAK;AAC5D;AAWO,SAAS,qBACd,KACmC;AACnC,MAAI,CAAC,IAAI,YAAY,CAAC,IAAI,OAAO;AAC/B,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,eAAe,IAAI;AAAA,IACnB,aAAa,gBAAgB,GAAG;AAAA,IAChC,UAAU,KAAK,IAAI;AAAA,IACnB,SAAS;AAAA,MACP,QAAQ,IAAI;AAAA,MACZ,SAAS,IAAI;AAAA,MACb,UAAU,IAAI;AAAA,MACd,YAAY,IAAI;AAAA,MAChB,YAAY,IAAI;AAAA,MAChB,aAAa,IAAI,QAAQ;AAAA,MACzB,YAAY,IAAI,OAAO;AAAA,IACzB;AAAA,EACF;AACF;;;ACjHA,IAAAC,wBAiBO;;;ACqBP,IAAM,0BAA0B,CAAC,GAAG,GAAG,CAAC;AAiBjC,SAAS,eACd,KACA,UACiB;AAEjB,MAAI,CAAC,SAAS,UAAU,OAAO,SAAS,WAAW,UAAU;AAC3D,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,MAAI,SAAS,OAAO,CAAC,SAAS,QAAQ,SAAS,KAAK,WAAW,IAAI;AACjE,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,MAAI,SAAS,QAAQ,SAAS,KAAK,SAAS,oCAAc;AACxD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ,yBAAyB,kCAAY;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,SAAS,SAAS;AACpB,eAAW,OAAO,yBAAyB;AACzC,UAAI,SAAS,QAAQ,IAAI,GAAG,GAAG;AAC7B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,+CAA+C,GAAG;AAAA,QAC5D;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MACE,SAAS,OAAO,SAAS,QAAQ,KACjC,SAAS,OAAO,SAAS,OAAO,KAChC,SAAS,OAAO,SAAS,MAAM,GAC/B;AACA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,KAAK;AACxB;;;ACjHA,IAAAC,wBAAyD;;;ACAzD,aAAwB;;;ACAxB,QAAmB;AAQZ,IAAM,aAAe,SAAO;AAAA;AAAA,EAEjC,OAAS,SAAO,EAAE,IAAI,EAAE,YAAY;AAAA;AAAA,EAEpC,SAAW;AAAA,IACP,SAAO;AAAA,IACP,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,EACrD;AAAA;AAAA,EAEA,MAAQ,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA;AAAA,EAEzD,KAAO,SAAmB,CAAC,MAAM,aAAa,UAAU;AAC1D,CAAC;AAgCM,SAAS,YAAY,OAA8B;AACxD,QAAM,eAAW;AAAA,IACf,MAAM,KAAK,MAAM,QAAQ,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO;AAAA,MACnD,MAAM;AAAA,MACN,OAAO;AAAA,IACT,EAAE;AAAA,EACJ;AAEA,MAAI,SAAS,SAAS,kCAAa,OAAM,IAAI,MAAM,kBAAkB;AACrE,MAAI,MAAM,KAAK,SAAS,mCAAc,OAAM,IAAI,MAAM,gBAAgB;AACtE,MAAI,MAAM,IAAI,SAAS,kCAAa,OAAM,IAAI,MAAM,qBAAqB;AAGzE,QAAM,kBAAc,oCAAa,SAAS,MAAM;AAChD,QAAM,mBAAe,oCAAa,MAAM,KAAK,MAAM;AACnD,QAAM,kBAAc,oCAAa,MAAM,IAAI,MAAM;AAEjD,QAAM,WACJ;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAY,SACZ,aAAa,SACb,YAAY,SACZ,SAAS,SACT,MAAM,KAAK,SACX,MAAM,IAAI;AAEZ,MAAI,WAAW,oCAAe,OAAM,IAAI,MAAM,uBAAuB;AAErE,QAAM,MAAM,IAAI,WAAW,QAAQ;AACnC,MAAI,SAAS;AAGb,MAAI,IAAI,kCAAY,MAAM;AAC1B,YAAU;AAGV,MAAI,QAAQ,IAAI;AAGhB,MAAI,QAAQ,IAAI,MAAM;AAGtB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAEtB,MAAI,IAAI,cAAc,MAAM;AAC5B,YAAU,aAAa;AAEvB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAGtB,MAAI,IAAI,UAAU,MAAM;AACxB,YAAU,SAAS;AAEnB,MAAI,IAAI,MAAM,MAAM,MAAM;AAC1B,YAAU,MAAM,KAAK;AAErB,MAAI,IAAI,MAAM,KAAK,MAAM;AACzB,YAAU,MAAM,IAAI;AAEpB,SAAO;AACT;AASO,SAAS,YAAY,KAA4B;AACtD,MAAI,SAAS;AAGb,MAAI,SAAS,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAC/D,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAI,IAAI,SAAS,CAAC,MAAM,iCAAW,CAAC,EAAG,OAAM,IAAI,MAAM,eAAe;AAAA,EACxE;AACA,YAAU;AAGV,QAAM,MAAM,IAAI,QAAQ;AACxB,MAAI,QAAQ,mCAAc,OAAM,IAAI,MAAM,wBAAwB,GAAG,EAAE;AAGvE,QAAM,QAAQ,IAAI,QAAQ;AAG1B,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,kCAAa,OAAM,IAAI,MAAM,uBAAuB;AAEjE,QAAM,EAAE,OAAO,SAAS,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AAClE,YAAU;AACV,MAAI,UAAU,mCAAc,OAAM,IAAI,MAAM,qBAAqB;AAEjE,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,QAAI,oCAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,kCAAa,OAAM,IAAI,MAAM,0BAA0B;AAGpE,MAAI,SAAS,SAAS,UAAU,SAAS,IAAI,QAAQ;AACnD,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AAEA,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAEV,QAAM,YAAY,IAAI,MAAM,QAAQ,SAAS,OAAO;AACpD,YAAU;AAEV,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAGV,QAAM,cAAU,iCAAW,QAAQ;AAEnC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,KAAK;AAAA,EACP;AACF;AAMO,SAAS,cAAc,OAA8B;AAG1D,SAAO,YAAY;AAAA,IACjB,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB,CAAC;AACH;;;AD/KO,SAAS,wBAAwB,OAA0B;AAEhE,QAAM,kBAA6B;AAAA,IACjC,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB;AAEA,QAAM,UAAU,YAAY,eAAe;AAC3C,SAAO,OAAO,KAAK,OAAO;AAC5B;AAWO,SAAS,UAAU,OAAkB,YAA4B;AACtE,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AAGJ,MAAI,WAAW,WAAW,IAAI;AAG5B,UAAM,cAAc,OAAO,KAAK;AAAA,MAC9B;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAClE;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IACpB,CAAC;AACD,UAAM,WAAW,OAAO,OAAO,CAAC,aAAa,UAAU,CAAC;AAExD,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH,OAAO;AAEL,gBAAmB,wBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,YAAmB,YAAK,MAAM,SAAS,SAAS;AAEtD,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO;AACT;AAWO,SAAS,qBACd,OACA,WACS;AACT,MAAI,MAAM,IAAI,WAAW,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AACF,QAAI;AAGJ,QAAI,UAAU,WAAW,IAAI;AAG3B,YAAM,aAAa,OAAO,KAAK;AAAA,QAC7B;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,MACpE,CAAC;AACD,YAAM,UAAU,OAAO,OAAO,CAAC,YAAY,SAAS,CAAC;AAErD,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH,OAAO;AAEL,kBAAmB,uBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,QAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,KAAK,MAAM,GAAG;AAAA,IACvB;AACA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;AAQO,SAAS,yBAGd;AACA,QAAM,EAAE,YAAY,UAAU,IAAW,2BAAoB,SAAS;AAEtE,SAAO;AAAA,IACL,YAAY,WAAW,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC;AAAA,IAC9D,WAAW,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAAA,EAC7D;AACF;AAQO,SAAS,OAAO,MAAmC;AACxD,SAAc,kBAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AACzD;AAUO,SAAS,mBACd,cACA,UACQ;AACR,QAAM,SAAgB,kBAAW,QAAQ;AACzC,SAAO,OAAO,YAAY;AAE1B,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO,OAAO,OAAO;AACvB;;;AEpLO,IAAM,WAAW;AAAA,EACtB,WAAW;AAAA;AAAA,EACX,cAAc;AAAA;AAAA,EACd,YAAY;AAAA;AAAA,EACZ,OAAO;AAAA;AAAA,EACP,OAAO;AAAA;AAAA,EACP,WAAW;AAAA;AAAA,EACX,WAAW;AAAA;AAAA,EACX,UAAU;AAAA;AACZ;AAGO,IAAM,cAAc;AAAA,EACzB,2BAA2B;AAAA,EAC3B,2BAA2B;AAAA,EAE3B,0BAA0B;AAAA,EAC1B,0BAA0B;AAAA,EAE1B,8BAA8B;AAAA,EAC9B,8BAA8B;AAAA,EAE9B,6BAA6B;AAAA,EAC7B,6BAA6B;AAC/B;;;AC3BA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAYA,IAAAC,iBAAwC;AAiDjC,IAAM,iBAA6B;AAAA,EACxC,gBAAgB;AAAA,EAChB,aAAa;AAAA,EACb,eAAe;AAAA;AAAA,EACf,iBAAiB;AACnB;AAMO,SAAS,cAAc,GAA4B;AACxD,MAAI,IAAI,OAAO,MAAM,WAAW,IAAI,OAAO,CAAC;AAC5C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,qCAAqC;AAEjE,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,cACd,KACA,QACA,SAAqB,gBACiC;AACtD,MAAI,IAAI;AACR,MAAI,QAAQ;AACZ,QAAM,QAAQ;AAEd,WAAS,IAAI,GAAG,IAAI,OAAO,gBAAgB,KAAK;AAC9C,QAAI,UAAU,IAAI,OAAQ,OAAM,IAAI,MAAM,0BAA0B;AACpE,UAAM,IAAI,IAAI,QAAQ;AACtB,SAAK,OAAO,IAAI,GAAI,KAAK;AAEzB,SAAK,IAAI,SAAU,GAAG;AACpB,YAAM,YAAY,SAAS;AAI3B,YAAM,KAAK,cAAc,CAAC;AAC1B,YAAM,WAAW,IAAI,SAAS,OAAO,MAAM;AAC3C,UAAI,CAAC,GAAG,OAAO,QAAQ;AACrB,cAAM,IAAI,MAAM,mCAAmC;AAErD,aAAO,EAAE,OAAO,GAAG,QAAQ,UAAU;AAAA,IACvC;AAEA,aAAS;AAAA,EACX;AAEA,QAAM,IAAI,MAAM,yBAAyB;AAC3C;AAMO,SAAS,YAAY,GAAmB;AAC7C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,mCAAmC;AAC/D,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,YAAY,KAAqB;AAC/C,MAAI,IAAI,WAAW,EAAG,OAAM,IAAI,MAAM,+BAA+B;AACrE,SAAO,IAAI,gBAAgB,CAAC;AAC9B;AAEO,SAASD,QAAO,MAAsB;AAC3C,aAAO,2BAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AAClD;AAMO,SAAS,UAAU,KAAa,OAAuB;AAC5D,MAAI,CAAC,OAAO,UAAU,GAAG,KAAK,OAAO;AACnC,UAAM,IAAI,MAAM,qCAAqC;AACvD,QAAM,IAAI,cAAc,GAAG;AAC3B,QAAM,IAAI,cAAc,MAAM,MAAM;AACpC,SAAO,OAAO,OAAO,CAAC,GAAG,GAAG,KAAK,CAAC;AACpC;AAEO,SAAS,yBAAyB,SAA+B;AAEtE,QAAM,SAAS,CAAC,GAAG,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;AAIxD,QAAM,QAAkB,CAAC;AACzB,aAAW,KAAK,OAAQ,OAAM,KAAK,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC;AAC5D,SAAO,OAAO,OAAO,KAAK;AAC5B;AAEO,SAAS,gBACd,QACA,SAAqB,gBACP;AACd,QAAM,MAAoB,CAAC;AAC3B,MAAI,MAAM;AAEV,SAAO,MAAM,OAAO,QAAQ;AAC1B,QAAI,IAAI,UAAU,OAAO;AACvB,YAAM,IAAI,MAAM,gCAAgC;AAElD,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,QAAI,MAAM,EAAG,OAAM,IAAI,MAAM,kCAAkC;AAC/D,QAAI,MAAM,OAAO;AACf,YAAM,IAAI,MAAM,kCAAkC;AACpD,QAAI,MAAM,MAAM,OAAO;AACrB,YAAM,IAAI,MAAM,kCAAkC;AAEpD,UAAM,QAAQ,OAAO,SAAS,KAAK,MAAM,GAAG;AAC5C,WAAO;AAEP,QAAI,KAAK,EAAE,KAAK,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC;AAAA,EAC7C;AAGA,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,QAAI,IAAI,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC,EAAE;AAC1B,YAAM,IAAI,MAAM,0CAA0C;AAAA,EAC9D;AAEA,SAAO;AACT;AAEO,SAAS,UAAU,SAAsC;AAC9D,QAAM,IAAmB,oBAAI,IAAI;AACjC,aAAW,KAAK,SAAS;AACvB,UAAM,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC;AAC7B,QAAI,KAAK,EAAE,KAAK;AAChB,MAAE,IAAI,EAAE,KAAK,GAAG;AAAA,EAClB;AACA,SAAO;AACT;AAQO,SAAS,0BACd,QACA,MACA,QAAQ,GACR,SAAqB,gBACf;AACN,MAAI,QAAQ,KAAK,IAAI,OAAO,iBAAiB,OAAO,eAAe,GAAG;AACpE,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,OAAO,gBAAgB,UAAU,IAAI,IAAI,OAAO,cAAc;AAChE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,QAAQ,oBAAI,IAA0B;AAC5C,aAAW,KAAK,MAAM;AACpB,QAAI,CAAC,MAAM,IAAI,EAAE,GAAG,EAAG,OAAM,IAAI,EAAE,KAAK,CAAC,CAAC;AAC1C,UAAM,IAAI,EAAE,GAAG,EAAG,KAAK,CAAC;AAAA,EAC1B;AAEA,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAGxE,MAAI,OAAO,QAAQ;AACjB,eAAW,OAAO,MAAM,KAAK,GAAG;AAC9B,UAAI,CAAC,WAAW,IAAI,GAAG;AACrB,cAAM,IAAI,MAAM,0CAA0C,GAAG,EAAE;AAAA,IACnE;AAAA,EACF;AAGA,aAAW,KAAK,OAAO,QAAQ;AAC7B,UAAM,OAAO,MAAM,IAAI,EAAE,GAAG,KAAK,CAAC;AAClC,QAAI,EAAE,YAAY,KAAK,WAAW;AAChC,YAAM,IAAI,MAAM,sCAAsC,EAAE,IAAI,EAAE;AAEhE,QAAI,CAAC,EAAE,YAAY,KAAK,SAAS,GAAG;AAClC,YAAM,IAAI;AAAA,QACR,4DAA4D,EAAE,IAAI;AAAA,MACpE;AAAA,IACF;AAGA,QAAI,OAAO,EAAE,WAAW,UAAU;AAChC,iBAAW,KAAK,MAAM;AACpB,YAAI,EAAE,MAAM,SAAS,EAAE;AACrB,gBAAM,IAAI,MAAM,8BAA8B,EAAE,IAAI,WAAW;AAAA,MACnE;AAAA,IACF;AAGA,eAAW,KAAK,MAAM;AACpB,cAAQ,EAAE,MAAM;AAAA,QACd,KAAK;AACH,cAAI,EAAE,MAAM,WAAW;AACrB,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF;AAAA,QACF,KAAK,UAAU;AACb,cAAI,CAAC,EAAE;AACL,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF,gBAAM,aAAa,gBAAgB,EAAE,OAAO,MAAM;AAClD;AAAA,YACE,EAAE;AAAA,YACF;AAAA,YACA,QAAQ;AAAA,YACR;AAAA,UACF;AACA;AAAA,QACF;AAAA,QACA;AAEE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,UAAU,MAA4B;AAE7C,MAAI,IAAI;AACR,aAAW,KAAK,MAAM;AACpB,SACE,cAAc,EAAE,GAAG,EAAE,SACrB,cAAc,EAAE,MAAM,MAAM,EAAE,SAC9B,EAAE,MAAM;AAAA,EACZ;AACA,SAAO;AACT;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACP;AACd,MAAI,KAAK,aAAa,OAAO;AAC3B,UAAM,IAAI,MAAM,sCAAsC;AAExD,QAAM,eAAe,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAU,CAAC;AAC3E,QAAM,OAAqB,CAAC;AAE5B,aAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,GAAG;AAC3D,UAAM,IAAI,aAAa,IAAI,IAAI;AAC/B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,oCAAoC,IAAI,EAAE;AAC5D;AAAA,IACF;AAEA,UAAM,UAAU,CAAC,MAAW;AAC1B,YAAM,WAAW,iBAAiB,GAAG,GAAG,MAAM;AAC9C,UAAI,SAAS,SAAS,OAAO;AAC3B,cAAM,IAAI,MAAM,oCAAoC;AACtD,WAAK,KAAK,EAAE,KAAK,EAAE,KAAK,OAAO,SAAS,CAAC;AAAA,IAC3C;AAEA,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,GAAG;AACpB,cAAM,IAAI;AAAA,UACR,qCAAqC,IAAI;AAAA,QAC3C;AACF,iBAAW,QAAQ,IAAK,SAAQ,IAAI;AAAA,IACtC,OAAO;AACL,cAAQ,GAAG;AAAA,IACb;AAAA,EACF;AAKA,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAGjD,SAAO;AACT;AAEA,SAAS,iBACP,GACA,KACA,QACQ;AACR,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,UAAI,OAAO,SAAS,GAAG,EAAG,QAAO,OAAO,KAAK,GAAG;AAChD,UAAI,eAAe,WAAY,QAAO,OAAO,KAAK,GAAG;AACrD,YAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,gBAAgB;AAAA,IAC7D,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,OAAO,KAAK,KAAK,MAAM;AAAA,IAChC,KAAK;AACH,UAAI,OAAO,QAAQ,YAAY,OAAO,QAAQ;AAC5C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,wBAAwB;AACrE,aAAO,cAAc,GAAG;AAAA,IAC1B,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,YAAY,GAAG;AAAA,IACxB,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AAEpE,YAAM,eACJ,OAAO,OAAO,QAAQ,YAAY,YAAY,MACzC,IAAY,SACb;AACN,UAAI,CAAC,gBAAgB,OAAO,iBAAiB;AAC3C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,YAAM,aAA0B;AAAA,QAC9B,UAAU,EAAE,aAAa;AAAA,QACzB,QAAQ;AAAA,MACV;AACA,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,YAAM,cAAc,yBAAyB,UAAU;AAEvD,YAAM,KAAK,gBAAgB,aAAa,MAAM;AAC9C,gCAA0B,EAAE,cAAc,IAAI,GAAG,MAAM;AACvD,aAAO;AAAA,IACT;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACR;AAEb,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAEjD,QAAM,SAA8B,CAAC;AACrC,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAExE,aAAW,KAAK,MAAM;AACpB,UAAM,IAAI,WAAW,IAAI,EAAE,GAAG;AAC9B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,kCAAkC,EAAE,GAAG,EAAE;AAC3D;AAAA,IACF;AAEA,UAAM,UAAU,iBAAiB,GAAG,EAAE,OAAO,MAAM;AAEnD,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,OAAO,EAAE,IAAI,CAAC,EAAG,QAAO,EAAE,IAAI,IAAI,CAAC;AACtD,aAAO,EAAE,IAAI,EAAE,KAAK,OAAO;AAAA,IAC7B,OAAO;AACL,aAAO,EAAE,IAAI,IAAI;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,OAAO,UAAU,OAAO;AAC7C;AAEA,SAAS,iBACP,GACA,OACA,QACK;AACL,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,aAAO,OAAO,KAAK,KAAK;AAAA,IAC1B,KAAK;AACH,aAAO,MAAM,SAAS,MAAM;AAAA,IAC9B,KAAK,WAAW;AACd,YAAM,IAAI,cAAc,OAAO,GAAG,MAAM;AACxC,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,qBAAqB,EAAE,IAAI;AAAA,QAC7B;AAEF,YAAM,QAAQ,OAAO,EAAE,KAAK;AAC5B,aAAO,OAAO,cAAc,KAAK,IAAI,QAAQ,EAAE;AAAA,IACjD;AAAA,IACA,KAAK;AACH,aAAO,YAAY,KAAK;AAAA,IAC1B,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AACpE,YAAM,aAAa,gBAAgB,OAAO,MAAM;AAGhD,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,aAAO,WAAW;AAAA,IACpB;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAMO,IAAM,WAAW;AAAA,EACtB,WAAW;AAAA,EACX,cAAc;AAAA,EACd,YAAY;AAAA,EACZ,OAAO;AAAA,EACP,OAAO;AAAA,EACP,WAAW;AAAA,EACX,WAAW;AAAA,EACX,UAAU;AACZ;AAsBO,SAAS,uBAAuB,KAAsC;AAC3E,MAAI,IAAI,MAAM,eAAe;AAC3B,UAAM,IAAI,MAAM,gDAAgD;AAClE,MAAI,IAAI,SAAS,eAAe;AAC9B,UAAM,IAAI,MAAM,mDAAmD;AACrE,MAAI,IAAI,WAAW,IAAI,QAAQ,eAAe;AAC5C,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,OAAqB;AAAA,IACzB,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,cAAc,OAAO,OAAO,KAAK,IAAI,UAAU,EAAE;AAAA,IACjE,EAAE,KAAK,SAAS,OAAO,OAAO,OAAO,KAAK,IAAI,KAAK,EAAE;AAAA,IACrD,EAAE,KAAK,SAAS,OAAO,OAAO,YAAY,IAAI,IAAI,EAAE;AAAA,IACpD,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,WAAW,OAAO,OAAO,KAAK,IAAI,QAAQ,EAAE;AAAA,EAC9D;AAEA,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,YAAY,OAAO,OAAO,KAAK,IAAI,SAAS,EAAE,CAAC;AAC3E,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,UAAU,OAAO,OAAO,KAAK,IAAI,OAAO,EAAE,CAAC;AAEvE,SAAO;AACT;AAEO,SAAS,yBACd,SACA,SAAqB,gBACF;AAEnB,QAAM,IAAI,UAAU,OAAO;AAE3B,QAAM,OAAO,CAAC,QAAgB;AAC5B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,OAAO,IAAI,WAAW;AACzB,YAAM,IAAI;AAAA,QACR,oDAAoD,GAAG;AAAA,MACzD;AACF,WAAO,IAAI,CAAC;AAAA,EACd;AACA,QAAM,UAAU,CAAC,QAAgB;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,IAAI,WAAW;AACjB,YAAM,IAAI,MAAM,4CAA4C,GAAG,EAAE;AACnE,WAAO,IAAI,CAAC;AAAA,EACd;AAEA,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,KAAK,YAAY,KAAK,SAAS,KAAK,CAAC;AAE3C,QAAM,QAAQ,KAAK,SAAS,KAAK;AACjC,MAAI,MAAM,WAAW;AACnB,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,WAAW,KAAK,SAAS,SAAS;AACxC,MAAI,SAAS,WAAW;AACtB,UAAM,IAAI,MAAM,sDAAsD;AAExE,QAAM,QAAQ,QAAQ,SAAS,QAAQ;AACvC,MAAI,SAAS,MAAM,WAAW;AAC5B,UAAM,IAAI,MAAM,qDAAqD;AAEvE,SAAO;AAAA,IACL,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,YAAY,OAAO,KAAK,KAAK,SAAS,YAAY,CAAC;AAAA,IACnD,WAAW,QAAQ,SAAS,UAAU,IAClC,OAAO,KAAK,QAAQ,SAAS,UAAU,CAAE,IACzC;AAAA,IACJ,OAAO,OAAO,KAAK,KAAK;AAAA,IACxB,MAAM;AAAA,IACN,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,UAAU,OAAO,KAAK,QAAQ;AAAA,IAC9B,SAAS,QAAQ,OAAO,KAAK,KAAK,IAAI;AAAA,EACxC;AACF;AAMO,SAAS,wBACd,QACA,KAGA,SAAqB,gBACsC;AAE3D,QAAM,WAAW,kBAAkB,QAAQ,IAAI,MAAM,MAAM;AAC3D,QAAM,YAAY,yBAAyB,QAAQ;AAGnD,QAAM,WAAWA,QAAO,SAAS;AAGjC,QAAM,MAAyB;AAAA,IAC7B,GAAG,IAAI;AAAA,IACP,UAAU,OAAO;AAAA,IACjB;AAAA,EACF;AACA,QAAM,UAAU,uBAAuB,GAAG;AAC1C,QAAM,WAAW,yBAAyB,OAAO;AAEjD,SAAO,EAAE,UAAU,WAAW,SAAS;AACzC;AAEO,SAAS,wBACd,QACA,UACA,WACA,SAAqB,gBACwD;AAC7E,QAAM,UAAU,gBAAgB,UAAU,MAAM;AAChD,QAAM,WAAW,gBAAgB,WAAW,MAAM;AAElD,QAAM,MAAM,yBAAyB,SAAS,MAAM;AAGpD,MAAI,IAAI,aAAa,OAAO;AAC1B,UAAM,IAAI,MAAM,4CAA4C;AAG9D,QAAM,KAAKA,QAAO,SAAS;AAC3B,MAAI,CAAC,OAAO,KAAK,IAAI,QAAQ,EAAE,OAAO,EAAE;AACtC,UAAM,IAAI,MAAM,6CAA6C;AAG/D,QAAM,OAAO,kBAAkB,QAAQ,UAAU,MAAM;AAEvD,QAAM,cAA+B;AAAA,IACnC,SAAS,UAAU,OAAO;AAAA,IAC1B,UAAU,UAAU,QAAQ;AAAA,IAC5B,UAAU,IAAI;AAAA,IACd,UAAU,IAAI;AAAA,EAChB;AAEA,SAAO,EAAE,KAAK,MAAM,YAAY;AAClC;AAMO,IAAM,2BAAiD;AAAA,EAC5D,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,SAAS,UAAU,MAAM,QAAQ,IAAI;AAAA,IACvE,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,IAC/D,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,EACjE;AACF;AAEO,IAAM,oCAA0D;AAAA,EACrE,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,EACxE;AACF;AAEO,IAAM,gCAAsD;AAAA,EACjE,UAAU;AAAA,EACV,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACtE;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,cAAc;AAAA,IAChB;AAAA,EACF;AACF;;;ACjrBO,SAAS,aAAa,QASlB;AACT,QAAM,MAA8B;AAAA,IAClC,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO;AAAA,IACjB,YAAY,OAAO,cAAc,OAAO,MAAM,CAAC;AAAA,IAC/C,WAAW,OAAO;AAAA,IAClB,OAAO,OAAO,SAAS,QAAQ,QAAQ,EAAE,YAAY,EAAE;AAAA,IACvD,MAAM,OAAO,QAAQ,OAAO,KAAK,IAAI,CAAC;AAAA,IACtC,UAAU,OAAO,YAAY,OAAO,MAAM,EAAE;AAAA,IAC5C,SAAS,OAAO;AAAA,EAClB;AAEA,QAAM,OAAY,uBAAuB,GAAG;AAC5C,SAAY,yBAAyB,IAAI;AAC3C;AAOO,SAAS,2BAA2B,QAMxC;AACD,QAAM,WAAgB;AAAA,IACf;AAAA,IACL;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBE,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,WAAW,OAAO;AAAA,IAClB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,6BAA6B,MAAc;AACzD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACd;AAAA,IACL;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAKO,IAAM,uCAAkE;AAAA,EAC7E,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,EACxE;AACF;AAEO,IAAM,mCAA8D;AAAA,EACzE,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACtE;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,IACA,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,IACzE,EAAE,KAAK,GAAG,MAAM,cAAc,MAAM,SAAS,UAAU,OAAO,QAAQ,IAAI;AAAA,EAC5E;AACF;AAKO,SAAS,8BAA8B,QAK3C;AACD,QAAM,WAAgB;AAAA,IACpB;AAAA,IACA;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,gCAAgC,MAAc;AAC5D,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAKO,SAAS,0BAA0B,QAUvC;AACD,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,UAAU,OAAO;AAAA,MACjB,cAAc,OAAO;AAAA,MACrB,gBAAgB,OAAO;AAAA,MACvB,mBAAmB,OAAO;AAAA,MAC1B,WAAW,OAAO;AAAA,MAClB,YAAY,OAAO;AAAA,IACrB;AAAA,EACF,CAAC;AAED,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,4BAA4B,MAAc;AACxD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,QAAM,IAAI,QAAQ;AAElB,SAAO;AAAA,IACL,UAAU,EAAE;AAAA,IACZ,cAAc,EAAE;AAAA,IAChB,gBAAgB,EAAE;AAAA,IAClB,mBAAmB,EAAE;AAAA,IACrB,WAAW,EAAE;AAAA,IACb,YAAY,EAAE;AAAA,EAChB;AACF;AAcO,IAAM,oCAA+D;AAAA,EAC1E,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,QAAQ,UAAU,KAAK;AAAA;AAAA,IAC1D,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,WAAW,UAAU,MAAM;AAAA,IAC5D,EAAE,KAAK,GAAG,MAAM,QAAQ,MAAM,QAAQ,UAAU,MAAM;AAAA,IACtD,EAAE,KAAK,GAAG,MAAM,oBAAoB,MAAM,QAAQ,UAAU,MAAM;AAAA,IAClE,EAAE,KAAK,GAAG,MAAM,wBAAwB,MAAM,QAAQ,UAAU,MAAM;AAAA;AAAA,EACxE;AACF;AAEO,SAAS,2BAA2B,QAMhC;AACT,QAAM,SAA8B;AAAA,IAClC,WAAW,OAAO;AAAA,EACpB;AACA,MAAI,OAAO,YAAY,OAAW,QAAO,UAAU,OAAO;AAC1D,MAAI,OAAO,KAAM,QAAO,OAAO,OAAO;AACtC,MAAI,OAAO;AACT,WAAO,mBAAmB,OAAO;AACnC,MAAI,OAAO;AACT,WAAO,uBAAuB,KAAK,UAAU,OAAO,gBAAgB;AAEtE,QAAM,WAAgB,kBAAkB,mCAAmC;AAAA,IACzE,UAAU,YAAY;AAAA,IACtB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;AASO,IAAM,mCAA8D;AAAA,EACzE,UAAU,YAAY;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,iBAAiB;AAAA,EACjB,QAAQ;AAAA,IACN,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACrE,EAAE,KAAK,GAAG,MAAM,SAAS,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,IACnE,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,IACvE,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,KAAK;AAAA,EAC7D;AACF;AAEO,SAAS,0BAA0B,QAK/B;AACT,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,SAAS,OAAO;AAAA,MAChB,OAAO,OAAO;AAAA,MACd,SAAS,OAAO;AAAA,MAChB,WAAW,OAAO;AAAA,IACpB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;;;AC9SA,IAAAC,iBAA4B;AAErB,SAAS,UAAU,GAAmB;AAC3C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,YAAY;AACxC,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,QAAQ,GAA4B;AAClD,QAAM,IAAI,OAAO,MAAM,WAAW,OAAO,CAAC,IAAI;AAC9C,SAAO,UAAU,CAAC;AACpB;AAEO,SAAS,MAAM,GAAmB;AACvC,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,SAAS;AACrC,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,KAAK,GAAmB;AACtC,SAAO,OAAO,KAAK,GAAG,MAAM;AAC9B;AAEO,SAAS,MAAM,GAAgC;AACpD,SAAO,OAAO,SAAS,CAAC,IAAI,IAAI,OAAO,KAAK,CAAC;AAC/C;AAEO,SAAS,UAAkB;AAChC,aAAO,4BAAY,EAAE;AACvB;AAEO,SAAS,IAAI,MAAc,OAAuB;AACvD,MAAI,CAAC,OAAO,cAAc,IAAI,KAAK,OAAO,EAAG,OAAM,IAAI,MAAM,cAAc;AAC3E,SAAO,OAAO,OAAO;AAAA,IACnB,UAAU,OAAO,IAAI,CAAC;AAAA,IACtB,UAAU,OAAO,MAAM,MAAM,CAAC;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAOO,SAAS,UACd,OACA,MACQ;AACR,QAAM,QAAQ,MAAM,iBAAiB,oBAAI,IAAY;AACrD,QAAM,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,IAAI;AAExD,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,QAAI,OAAO,CAAC,EAAE,SAAS,OAAO,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG;AACvE,YAAM,IAAI,MAAM,gBAAgB,OAAO,CAAC,EAAE,IAAI,EAAE;AAAA,IAClD;AAAA,EACF;AAEA,SAAO,OAAO,OAAO,OAAO,IAAI,CAAC,OAAO,IAAI,GAAG,MAAM,GAAG,KAAK,CAAC,CAAC;AACjE;;;AC/DA,IAAM,QAAQ,OAAO,KAAK,SAAS,OAAO;AAUnC,SAAS,iBAAiB,GAA+B;AAC9D,MACE,CAAC,OAAO,SAAS,EAAE,GAAG,KACtB,CAAC,OAAO,SAAS,EAAE,IAAI,KACvB,CAAC,OAAO,SAAS,EAAE,GAAG,GACtB;AACA,UAAM,IAAI,MAAM,mBAAmB;AAAA,EACrC;AACA,MAAI,EAAE,QAAQ,EAAG,OAAM,IAAI,MAAM,eAAe;AAEhD,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAC7C,QAAM,UAAU,UAAU,OAAO,EAAE,KAAK,MAAM,CAAC;AAC/C,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAE7C,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,OAAO,KAAK,CAAC,EAAE,MAAM,GAAI,CAAC;AAAA,IAC1B,OAAO,KAAK,CAAC,EAAE,QAAQ,GAAI,CAAC;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,EACJ,CAAC;AACH;;;ACnCA,IAAMC,SAAQ,OAAO,KAAK,SAAS,OAAO;AAEnC,SAAS,kBAAkB,QAKvB;AACT,MAAI,OAAO,QAAQ,EAAG,OAAM,IAAI,MAAM,eAAe;AACrD,QAAM,SAAS,UAAU,OAAO,OAAO,IAAI,MAAM,CAAC;AAClD,QAAM,UAAU,UAAU,OAAO,OAAO,KAAK,MAAM,CAAC;AACpD,QAAM,aAAa,UAAU,EAAE;AAE/B,SAAO,OAAO,OAAO;AAAA,IACnBA;AAAA,IACA,OAAO,KAAK,CAAC,OAAO,MAAM,GAAI,CAAC;AAAA,IAC/B,OAAO,KAAK,CAAC,OAAO,QAAQ,GAAI,CAAC;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,EACT,CAAC;AACH;;;AChBO,SAAS,aAAa,KAAqB;AAChD,SAAO,IACJ,SAAS,QAAQ,EACjB,QAAQ,MAAM,EAAE,EAChB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG;AACvB;AAOO,SAAS,aAAa,KAAqB;AAEhD,QAAM,MAAM,IAAI,SAAS,IAAI,IAAI,OAAO,IAAK,IAAI,SAAS,CAAE,IAAI;AAChE,QAAM,UAAU,MAAM,KAAK,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAC/D,SAAO,OAAO,KAAK,QAAQ,QAAQ;AACrC;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,OAAO,KAAK,KAAK,QAAQ,CAAC;AAChD;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,GAAG,EAAE,SAAS,QAAQ;AAC5C;;;ACxCA,SAAS,QAAQ,OAAiB;AAChC,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,UAAU,QAAW;AACvB,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,OAAO;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,SAA8B,CAAC;AACrC,UAAM,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK;AAErC,eAAW,OAAO,MAAM;AACtB,YAAM,cAAc,QAAQ,MAAM,GAAG,CAAC;AAEtC,UAAI,gBAAgB,QAAW;AAC7B,eAAO,GAAG,IAAI;AAAA,MAChB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAQO,SAAS,cAAc,OAAoB;AAChD,SAAO,KAAK,UAAU,QAAQ,KAAK,CAAC;AACtC;AASO,SAAS,uBACd,KACA,SACQ;AACR,QAAM,WAAgC,CAAC;AAEvC,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,QAAQ,SAAS,GAAG,KAAK,IAAI,GAAG,MAAM,QAAW;AACpD,eAAS,GAAG,IAAI,IAAI,GAAG;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,cAAc,QAAQ;AAC/B;;;AC5EO,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YACS,MACP,SACA;AACA,UAAM,OAAO;AAHN;AAIP,SAAK,OAAO;AAAA,EACd;AACF;AASO,IAAM,iBAAN,MAAqB;AAAA;AAAA,EAO1B,YAAY,UAAe;AAN3B,SAAQ,WAAW;AACnB,SAAQ,UAAU;AAClB,SAAQ,gBAAgB;AAKtB,SAAK,WAAW;AAChB,SAAK,YAAY,KAAK,IAAI;AAAA,EAC5B;AAAA,EAEA,gBAAsB;AACpB,SAAK;AACL,QAAI,KAAK,WAAW,KAAK,SAAS,aAAa;AAC7C,YAAM,IAAI;AAAA,QACR;AAAA,QACA,uBAAuB,KAAK,QAAQ,IAAI,KAAK,SAAS,WAAW;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AAAA,EAEA,eAAqB;AACnB,SAAK;AACL,QAAI,KAAK,SAAS,cAAc,KAAK,UAAU,KAAK,SAAS,YAAY;AACvE,YAAM,IAAI;AAAA,QACR;AAAA,QACA,sBAAsB,KAAK,OAAO,IAAI,KAAK,SAAS,UAAU;AAAA,MAChE;AAAA,IACF;AAAA,EACF;AAAA,EAEA,qBAA2B;AACzB,SAAK;AACL,QAAI,KAAK,gBAAgB,KAAK,SAAS,kBAAkB;AACvD,YAAM,IAAI;AAAA,QACR;AAAA,QACA,4BAA4B,KAAK,aAAa,IAAI,KAAK,SAAS,gBAAgB;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,YAAkB;AAChB,UAAM,UAAU,KAAK,IAAI,IAAI,KAAK;AAClC,QAAI,UAAU,KAAK,SAAS,WAAW;AACrC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,4BAA4B,OAAO,MAAM,KAAK,SAAS,SAAS;AAAA,MAClE;AAAA,IACF;AAAA,EACF;AAAA,EAEA,eAAe,QAAsB;AAEnC,QAAI,KAAK,SAAS,eAAe,SAAS,GAAG,GAAG;AAC9C;AAAA,IACF;AAEA,QAAI,CAAC,KAAK,SAAS,eAAe,SAAS,MAAM,GAAG;AAClD,YAAM,IAAI;AAAA,QACR;AAAA,QACA,WAAW,MAAM,2BAA2B,KAAK,SAAS,eAAe,KAAK,IAAI,CAAC;AAAA,MACrF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,aAA+B;AAC7B,WAAO;AAAA,MACL,UAAU,KAAK;AAAA,MACf,SAAS,KAAK;AAAA,MACd,eAAe,KAAK;AAAA,MACpB,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,IAC/B;AAAA,EACF;AAAA,EAEA,cAAc;AACZ,WAAO,KAAK;AAAA,EACd;AACF;;;ACtFO,IAAM,oBAAuD;AAAA;AAAA,EAElE,eAAe;AAAA,IACb,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,aAAa;AAAA,EAChC;AAAA;AAAA,EAGA,gBAAgB;AAAA,IACd,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,gBAAgB;AAAA,EACnC;AAAA,EACA,kBAAkB;AAAA,IAChB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,kBAAkB;AAAA,EACrC;AAAA;AAAA,EAGA,kBAAkB;AAAA,IAChB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,mBAAmB,mBAAmB;AAAA,EACzD;AAAA,EACA,mBAAmB;AAAA,IACjB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,oBAAoB,wBAAwB;AAAA,EAC/D;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,kBAAkB;AAAA,EACrC;AAAA,EACA,cAAc;AAAA,IACZ,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,mBAAmB;AAAA,EACtC;AAAA,EACA,iBAAiB;AAAA,IACf,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,gBAAgB;AAAA,EACnC;AAAA;AAAA,EAGA,kBAAkB;AAAA,IAChB,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,kBAAkB;AAAA,EACrC;AAAA,EACA,eAAe;AAAA,IACb,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,aAAa;AAAA,EAChC;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,aAAa;AAAA,IACb,kBAAkB;AAAA;AAAA,IAClB,WAAW;AAAA,IACX,gBAAgB,CAAC,aAAa,aAAa;AAAA,EAC7C;AACF;AAGO,IAAM,oBAAuC;AAAA,EAClD,aAAa;AAAA,EACb,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,gBAAgB,CAAC,GAAG;AAAA;AACtB;;;ACtFO,SAAS,UACd,KACA,KAC8B;AAC9B,MAAI,QAAQ;AACZ,MAAI,IAAI;AACR,SAAO,MAAM;AACX,QAAI,OAAO,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AACxD,UAAM,IAAI,OAAO,IAAI,KAAK,CAAC;AAC3B,UAAM,IAAI,UAAU;AACpB,SAAK,IAAI,WAAW,GAAI;AACxB,aAAS;AACT,QAAI,QAAQ,IAAK,OAAM,IAAI,MAAM,kBAAkB;AAAA,EACrD;AACA,SAAO,EAAE,KAAK,GAAG,IAAI;AACvB;AAYO,SAAS,UAAU,KAAa,WAAmB,KAAY;AACpE,QAAM,MAAa,CAAC;AACpB,MAAI,MAAM;AACV,SAAO,MAAM,IAAI,QAAQ;AACvB,QAAI,IAAI,UAAU,SAAU,OAAM,IAAI,MAAM,oBAAoB;AAChE,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,OAAO,OAAO,GAAG,GAAG;AAC1B,UAAM,MAAM,OAAO,GAAG,GAAG;AACzB,QAAI,MAAM,KAAK,MAAM,MAAM,IAAI,QAAQ;AACrC,YAAM,IAAI,MAAM,iBAAiB;AAAA,IACnC;AACA,UAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,GAAG;AACzC,WAAO;AACP,QAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAAA,EAC1B;AACA,SAAO;AACT;AASO,SAAS,OAAO,KAAoC;AACzD,QAAM,IAAI,oBAAI,IAAsB;AACpC,aAAW,MAAM,UAAU,GAAG,GAAG;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG,IAAI,KAAK,CAAC;AAC/B,QAAI,KAAK,GAAG,KAAe;AAC3B,MAAE,IAAI,GAAG,MAAM,GAAG;AAAA,EACpB;AACA,SAAO;AACT;AAEO,SAAS,OAAO,GAAgC;AACrD,MAAI,CAAC,EAAG,QAAO;AACf,SAAO,EAAE,SAAS,MAAM;AAC1B;AAEO,SAAS,eAAe,GAAgC;AAC7D,MAAI,CAAC,EAAG,QAAO;AACf,QAAM,EAAE,KAAK,IAAI,IAAI,UAAU,GAAG,CAAC;AACnC,MAAI,QAAQ,EAAE,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AAC7D,SAAO;AACT;AAMO,SAAS,aAAa,GAAgC;AAC3D,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,EAAE,WAAW,EAAG,OAAM,IAAI,MAAM,0BAA0B;AAC9D,SAAO,EAAE,gBAAgB,CAAC;AAC5B;;;ACtEA,IAAMC,SAAQ,OAAO,KAAK,SAAS,OAAO;AAqBnC,SAAS,iBAAiB,KAAgC;AAC/D,MAAI,MAAM;AAEV,QAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,CAAC;AACvC,SAAO;AACP,MAAI,MAAM,WAAW,KAAK,CAAC,MAAM,OAAOA,MAAK;AAC3C,UAAM,IAAI,MAAM,iBAAiB;AAEnC,MAAI,MAAM,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AAC3D,QAAM,MAAM,IAAI,KAAK;AACrB,QAAM,QAAQ,IAAI,KAAK;AAGvB,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AAET,QAAM,SAAS,OAAO,GAAG,GAAG;AAC5B,QAAM,UAAU,OAAO,GAAG,GAAG;AAC7B,QAAM,SAAS,OAAO,GAAG,GAAG;AAE5B,MAAI,SAAS,KAAK,UAAU,KAAK,SAAS,EAAG,OAAM,IAAI,MAAM,eAAe;AAE5E,MAAI,MAAM,SAAS,UAAU,SAAS,IAAI;AACxC,UAAM,IAAI,MAAM,yBAAyB;AAG3C,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AACP,QAAM,OAAO,IAAI,SAAS,KAAK,MAAM,OAAO;AAC5C,SAAO;AACP,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AAEP,MAAI,QAAQ,IAAI,OAAQ,OAAM,IAAI,MAAM,sBAAsB;AAE9D,SAAO,EAAE,KAAK,OAAO,KAAK,MAAM,KAAK,WAAW,IAAI,OAAO;AAC7D;;;ACvEO,IAAM,IAAI;AAAA;AAAA,EAEf,QAAQ;AAAA;AAAA,EAER,KAAK;AAAA;AAAA,EAEL,gBAAgB;AAAA;AAAA;AAAA,EAEhB,UAAU;AAAA;AAAA,EAEV,YAAY;AAAA;AAAA,EAEZ,OAAO;AAAA;AAAA,EAEP,OAAO;AAAA;AAAA,EAEP,YAAY;AAAA;AAAA,EAEZ,MAAM;AAAA;AAAA,EAEN,MAAM;AACR;AAgDO,SAAS,YACd,KACA,MACA,KACA,QAAgB,GACJ;AACZ,QAAM,KAAK,OAAO,GAAG;AAGrB,QAAM,cAAc;AACpB,QAAM,KAAK,QAAQ,cAAc,OAAO,IAAI,IAAI,oBAAI,IAAsB;AAE1E,QAAM,SAAS,OAAO,GAAG,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC;AAC3C,QAAM,eAAe,GAAG,IAAI,EAAE,cAAc,IAAI,CAAC;AACjD,QAAM,YAAY,eAAe,OAAO,eAAe,YAAY,CAAC,IAAI;AACxE,QAAM,aAAa,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AACzC,QAAM,UAAU,aAAa,WAAW,SAAS,KAAK,IAAI;AAC1D,QAAM,YAAY,GAAG,IAAI,EAAE,UAAU,IAAI,CAAC;AAC1C,QAAM,MAAM,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACrD,QAAM,QAAQ,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACjC,QAAM,OAAO,aAAa,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC;AAE9C,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AACpD,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM,yBAAyB;AACvD,MAAI,CAAC,SAAS,MAAM,SAAS,MAAM,MAAM,SAAS;AAChD,UAAM,IAAI,MAAM,kBAAkB;AACpC,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,oBAAoB;AAC9C,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,mBAAmB;AAE9C,SAAO;AAAA,IACL;AAAA,IACA,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,IACZ,SAAS;AAAA,IACT,UAAU;AAAA,IACV,WAAW;AAAA,IACX;AAAA,EACF;AACF;;;AC/GO,SAAS,SAAS,QAAkB,UAA2B;AACpE,MAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,OAAO,WAAW,GAAG;AACjD,WAAO;AAAA,EACT;AAGA,MAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,WAAO;AAAA,EACT;AAGA,QAAM,CAAC,UAAU,EAAE,IAAI,SAAS,MAAM,GAAG;AACzC,MAAI,YAAY,IAAI;AAClB,UAAM,WAAW,GAAG,QAAQ;AAC5B,QAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,WACd,OACyC;AACzC,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,SAAO,EAAE,UAAU,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,EAAE;AAC5C;AAKO,SAAS,kBACd,QACA,cACA,YACS;AACT,QAAM,WAAW,GAAG,YAAY,IAAI,UAAU;AAC9C,SAAO,SAAS,QAAQ,QAAQ;AAClC;;;AChDO,IAAM,eAAe;AAAA,EAC1B,MAAM;AAAA,EACN,OAAO;AAAA,EACP,SAAS;AAAA,EACT,OAAO;AAAA,EACP,MAAM;AAAA,EACN,SAAS;AACX;AAOO,IAAM,qBAAmD;AAAA,EAC9D,CAAC,gCAAU,GAAG,CAAC;AAAA,EACf,CAAC,mCAAa,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,EAC5C,CAAC,+BAAS,GAAG,CAAC,MAAM;AAAA,EACpB,CAAC,gCAAU,GAAG,CAAC,QAAQ,SAAS,OAAO;AAAA,EACvC,CAAC,gCAAU,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,EACzC,CAAC,mCAAa,GAAG,CAAC,QAAQ,SAAS,WAAW,SAAS;AACzD;AAMO,IAAM,sBAAoD;AAAA,EAC/D,YAAY,CAAC;AAAA,EACb,YAAY,CAAC;AAAA,EACb,aAAa,CAAC;AAAA,EACd,YAAY,CAAC;AAAA,EACb,YAAY,CAAC;AAAA,EAEb,eAAe,CAAC,OAAO;AAAA,EACvB,iBAAiB,CAAC,MAAM;AAAA,EACxB,eAAe,CAAC,SAAS,OAAO;AAAA,EAEhC,kBAAkB,CAAC,SAAS,SAAS;AAAA,EACrC,mBAAmB,CAAC,SAAS,SAAS;AAAA,EAEtC,kBAAkB,CAAC,OAAO;AAAA,EAC1B,oBAAoB,CAAC,MAAM;AAAA;AAAA,EAG3B,oBAAoB,CAAC,SAAS;AAAA,EAC9B,wBAAwB,CAAC,SAAS;AAAA,EAClC,mBAAmB,CAAC,SAAS,SAAS;AAAA,EACtC,aAAa,CAAC,SAAS;AAAA,EACvB,eAAe,CAAC,MAAM;AAAA,EACtB,iBAAiB,CAAC,OAAO;AAAA,EACzB,kBAAkB,CAAC,SAAS,SAAS;AAAA,EACrC,iBAAiB,CAAC,SAAS,SAAS;AAAA,EACpC,cAAc,CAAC,SAAS,SAAS;AAAA,EACjC,oBAAoB,CAAC,SAAS,SAAS;AAAA,EACvC,iBAAiB,CAAC,OAAO;AAAA,EACzB,kBAAkB,CAAC,OAAO;AAAA,EAC1B,0BAA0B,CAAC,SAAS,SAAS;AAAA,EAE7C,WAAW,CAAC,OAAO;AACrB;;;AChDO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,WAAQ;AACR,EAAAA,cAAA,cAAW;AACX,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,UAAO;AALG,SAAAA;AAAA,GAAA;;;AChBL,IAAM,eAAe,oBAAI,IAAI;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,SAAS,cAAc,IAAqB;AACjD,SAAO,aAAa,IAAI,EAAE;AAC5B;AAKO,SAAS,cAAc,IAAqB;AACjD,SACE,GAAG,WAAW,YAAY,KAC1B,GAAG,WAAW,aAAa,KAC3B,GAAG,WAAW,WAAW;AAE7B;;;ACxCA,IAAAC,iBAA2B;AAmBpB,SAAS,iBACd,UACA,KACA,SACA,QACA,QACA,IACQ;AACR,QAAM,QAAI,2BAAW,QAAQ;AAC7B,MAAI,SAAU,GAAE,OAAO,QAAQ;AAC/B,IAAE,OAAO,GAAG;AACZ,IAAE,OAAO,OAAO,KAAK,SAAS,MAAM,CAAC;AACrC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,GAAG,SAAS,GAAG,MAAM,CAAC;AAC3C,SAAO,EAAE,OAAO;AAClB;;;ACnCO,IAAK,oBAAL,kBAAKC,uBAAL;AACL,EAAAA,sCAAA,SAAM,KAAN;AACA,EAAAA,sCAAA,YAAS,KAAT;AACA,EAAAA,sCAAA,UAAO,KAAP;AACA,EAAAA,sCAAA,cAAW,KAAX;AAJU,SAAAA;AAAA,GAAA;AAUL,IAAM,yBAA4D;AAAA;AAAA,EAEvE,eAAe;AAAA;AAAA,EAGf,gBAAgB;AAAA,EAChB,kBAAkB;AAAA,EAClB,2BAA2B;AAAA,EAC3B,2BAA2B;AAAA;AAAA,EAG3B,kBAAkB;AAAA,EAClB,eAAe;AAAA,EACf,oBAAoB;AAAA;AAAA,EAGpB,aAAa;AAAA,EACb,cAAc;AAAA,EACd,iBAAiB;AAAA,EACjB,eAAe;AAAA;AAAA,EAGf,kBAAkB;AAAA,EAClB,mBAAmB;AAAA,EACnB,mBAAmB;AAAA;AAAA,EAGnB,aAAa;AAAA;AAAA,EAGb,wBAAwB;AAAA,EACxB,wBAAwB;AAAA,EACxB,yBAAyB;AAAA;AAAA,EAGzB,0BAA0B;AAAA,EAC1B,uBAAuB;AAAA;AAAA,EAGvB,6BAA6B;AAAA,EAC7B,8BAA8B;AAAA,EAC9B,6BAA6B;AAAA;AAAA,EAG7B,uBAAuB;AAAA,EACvB,qCAAqC;AAAA,EACrC,yBAAyB;AAAA,EACzB,0BAA0B;AAAA;AAAA,EAG1B,oBAAoB;AAAA,EACpB,mBAAmB;AAAA,EACnB,kBAAkB;AAAA;AAAA,EAGlB,wBAAwB;AAAA,EACxB,wBAAwB;AAAA,EACxB,iBAAiB;AAAA,EACjB,eAAe;AAAA,EACf,iBAAiB;AAAA;AAAA,EAGjB,gBAAgB;AAAA,EAChB,eAAe;AAAA,EACf,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,uBAAuB;AAAA,EACvB,gCAAgC;AAAA;AAAA,EAGhC,2BAA2B;AAAA,EAC3B,8BAA8B;AAAA,EAC9B,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,mBAAmB;AACrB;AAUO,SAAS,eAAe,QAAmC;AAChE,MAAI,uBAAuB,MAAM,GAAG;AAClC,WAAO,uBAAuB,MAAM;AAAA,EACtC;AAEA,QAAM,QAAQ,OAAO,MAAM,GAAG,EAAE,CAAC;AACjC,QAAM,cAAc,GAAG,KAAK;AAC5B,MAAI,uBAAuB,WAAW,GAAG;AACvC,WAAO,uBAAuB,WAAW;AAAA,EAC3C;AAEA,SAAO;AACT;AAKO,SAAS,gBAAgB,OAAkC;AAChE,UAAQ,OAAO;AAAA,IACb,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;;;ACvHO,IAAM,kBAA0C;AAAA,EACrD,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,YAAY;AAAA,EAEZ,eAAe;AAAA,EACf,iBAAiB;AAAA,EACjB,cAAc;AAAA,EACd,iBAAiB;AAAA,EAEjB,YAAY;AAAA,EAEZ,cAAc;AAAA,EAEd,WAAW;AACb;AAGO,IAAM,kBAAkB;AAUxB,SAAS,eAAe,QAAwB;AACrD,MAAI,gBAAgB,MAAM,GAAG;AAC3B,WAAO,gBAAgB,MAAM;AAAA,EAC/B;AAEA,aAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,eAAe,GAAG;AAChE,QAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,YAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,UAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;;;ACzCO,SAAS,mBAAmB,OAAqB;AACtD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,MAAM,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,kBAAkB,CAAC,OAAO,SAAS,WAAW,QAAQ;AAC5D,aAAW,OAAO,iBAAiB;AACjC,QAAI,OAAO,MAAM,GAAG,MAAM,YAAY,MAAM,GAAG,EAAE,SAAS,GAAG;AAC3D,aAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,OAAO,MAAM,OAAO,YAAY,CAAC,OAAO,SAAS,MAAM,EAAE,GAAG;AAC9D,WAAO;AAAA,EACT;AAEA,MACE,MAAM,QAAQ,WACb,OAAO,MAAM,QAAQ,YAAY,MAAM,IAAI,WAAW,IACvD;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,MAAM,OAAO,OAAO,MAAM,QAAQ,UAAU;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,QAAQ,SAAS;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,QAAQ,YAAY,MAAM,IAAI,IAAI,SAAS,GAAG;AACjE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,UAAU,YAAY,MAAM,IAAI,MAAM,SAAS,IAAI;AACtE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,SAAS,YAAY,MAAM,SAAS,MAAM;AACzD,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAKO,SAAS,iBACd,IACA,cAAsB,KACb;AACT,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,OAAO,KAAK,IAAI,MAAM,EAAE;AAC9B,SAAO,QAAQ;AACjB;;;ACxEA,IAAAC,iBAAqD;AACrD,IAAAC,UAAwB;;;ACDjB,IAAM,4BAA4B;AAClC,IAAM,yBAAyB;AAC/B,IAAM,6BAA6B;;;ADmBnC,IAAM,2BAAN,MAAsD;AAAA,EAO3D,YAEmB,UAEA,OACjB;AAHiB;AAEA;AAVnB,SAAiB,SAAS,IAAI,sBAAO,yBAAyB,IAAI;AAElE,SAAS,OAAO;AAChB,SAAS,OAAO;AAChB,SAAS,cAAc;AAAA,EAOpB;AAAA,EAGH,MAAM,QACJ,MACA,SACc;AACd,UAAM,IAAI;AACV,QAAI,CAAC,EAAG,OAAM,IAAI,MAAM,iBAAiB;AAEzC,UAAM,gBAAgB,EAAE,IAAI,EAAE;AAC9B,QAAI,CAAC,cAAe,OAAM,IAAI,MAAM,mBAAmB;AACvD,UAAM,WAAW,IAAI,YAAY,EAAE,OAAO,aAAa;AAEvD,QAAI,aAAa;AACjB,QAAI,WAAW;AAEf,UAAM,aAAa,EAAE,IAAI,EAAE;AAC3B,QAAI,YAAY;AACd,YAAM,EAAE,MAAM,QAAI,oCAAa,UAAU;AACzC,mBAAa;AAAA,IACf;AAEA,UAAM,WAAW,EAAE,IAAI,EAAE;AACzB,QAAI,UAAU;AACZ,YAAM,EAAE,MAAM,QAAI,oCAAa,QAAQ;AACvC,iBAAW;AAAA,IACb;AAEA,UAAM,UAAU,MAAM,KAAK,SAAS,aAAa,QAAQ;AACzD,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,sBAAsB,QAAQ,EAAE;AAAA,IAClD;AAEA,QAAI,QAAQ,WAAW,YAAY;AACjC,YAAM,IAAI,MAAM,6BAA6B,QAAQ,MAAM,EAAE;AAAA,IAC/D;AAEA,UAAM,OAAO,MAAM,KAAK,MAAM;AAAA,MAC5B;AAAA,MACA,QAAQ;AAAA,IACV;AACA,UAAM,WAAW,KAAK;AAEtB,QAAI,aAAa,EAAG,cAAa;AACjC,QAAI,cAAc,SAAU,OAAM,IAAI,MAAM,qBAAqB;AAEjE,QAAI,MAAM;AACV,QAAI,YAAY,GAAG;AACjB,YAAM,KAAK,IAAI,aAAa,UAAU,QAAQ;AAAA,IAChD;AAEA,UAAM,YAAY,MAAM;AACxB,UAAM,SAAS,MAAM,KAAK,MAAM;AAAA,MAC9B;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAEA,UAAM,kBAAkB,oBAAI,IAAwB;AACpD,oBAAgB,IAAI,QAAI,oCAAa,QAAQ,CAAC;AAC9C,oBAAgB,IAAI,QAAI,oCAAa,UAAU,CAAC;AAChD,oBAAgB,IAAI,QAAI,oCAAa,SAAS,CAAC;AAE/C,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAAA,EACF;AACF;AArEQ;AAAA,EADL,OAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,OAAO,CAAC;AAAA,GAd9C,yBAeL;AAfK,2BAAN;AAAA,EAFN,QAAQ,qBAAqB;AAAA,MAC7B,2BAAW;AAAA,EASP,8CAAO,yBAAyB;AAAA,EAEhC,8CAAO,sBAAsB;AAAA,GAVrB;AAwFN,IAAM,2BAAN,MAAsD;AAAA,EAO3D,YAEmB,UAEA,OAGA,SACjB;AANiB;AAEA;AAGA;AAbnB,SAAiB,SAAS,IAAI,sBAAO,yBAAyB,IAAI;AAElE,SAAS,OAAO;AAChB,SAAS,OAAO;AAChB,SAAS,cAAc;AAAA,EAUpB;AAAA,EAGH,MAAM,QACJ,MACA,SACc;AACd,UAAM,UAAU,IAAI,YAAY,EAAE,OAAO,IAAI;AAC7C,UAAM,MAAM,KAAK,MAAM,OAAO;AAE9B,UAAM,EAAE,QAAQ,aAAa,IAAI;AACjC,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AAE9C,UAAM,UAAU,MAAM,KAAK,SAAS,aAAa,MAAM;AACvD,QAAI,CAAC,QAAS,OAAM,IAAI,MAAM,mBAAmB;AAEjD,QAAI,CAAE,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAI;AACvC,YAAM,IAAI,MAAM,kBAAkB;AAAA,IACpC;AAEA,UAAM,OAAc,mBAAW,QAAQ;AACvC,UAAM,KAAK,KAAK,MAAM,qBAAqB,MAAM;AACjD,qBAAiB,SAAS,IAAI;AAC5B,WAAK,OAAO,KAAe;AAAA,IAC7B;AACA,UAAM,YAAY,KAAK,OAAO,KAAK;AAEnC,QAAI,gBAAgB,cAAc,cAAc;AAC9C,YAAM,IAAI,MAAM,eAAe;AAAA,IACjC;AAEA,UAAM,YAAY,MAAM,KAAK,MAAM;AAAA,MACjC;AAAA,MACA,QAAQ;AAAA,IACV;AAEA,UAAM,KAAK,SAAS,aAAa,QAAQ,YAAY,IAAI;AAEzD,QAAI,CAAC,KAAK,SAAS;AACjB,WAAK,OAAO,KAAK,2DAA2D;AAC5E,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,QAAQ;AAAA,QACR,MAAM,IAAI,YAAY,EAAE;AAAA,UACtB,KAAK,UAAU;AAAA,YACb,UAAU;AAAA,YACV,cAAc;AAAA,YACd,WAAW,QAAQ;AAAA,YACnB,MAAM,KAAK,IAAI;AAAA,YACf,MAAM;AAAA,UACR,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,UAAM,cAAc;AAAA,MAClB,UAAU;AAAA,MACV,cAAc;AAAA,MACd,WAAW,QAAQ;AAAA,MACnB,MAAM,KAAK,IAAI;AAAA,IACjB;AAEA,UAAM,cAAc,KAAK,UAAU,WAAW;AAC9C,UAAM,cAAc,IAAI,YAAY,EAAE,OAAO,WAAW;AAExD,UAAM,cAAc;AACpB,UAAM,gBAA2B;AAAA,MAC/B,OAAO;AAAA,MACP,SAAS,oBAAI,IAAI;AAAA,MACjB,MAAM;AAAA,MACN,KAAK,IAAI,WAAW,CAAC;AAAA,IACvB;AAEA,UAAM,aAAa,cAAc,aAAa;AAC9C,UAAM,EAAE,KAAK,IAAI,IAAI,KAAK,QAAQ,WAAW,UAAU;AACvD,kBAAc,MAAM;AAEpB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM,YAAY,aAAa;AAAA,MAC/B,SAAS,oBAAI,IAAI,CAAC,CAAC,GAAG,IAAI,YAAY,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;AAAA,IACvD;AAAA,EACF;AACF;AAjFQ;AAAA,EADL,OAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,SAAS,CAAC;AAAA,GAjBhD,yBAkBL;AAlBK,2BAAN;AAAA,EAFN,QAAQ,qBAAqB;AAAA,MAC7B,2BAAW;AAAA,EASP,8CAAO,yBAAyB;AAAA,EAEhC,8CAAO,sBAAsB;AAAA,EAE7B,gDAAS;AAAA,EACT,8CAAO,0BAA0B;AAAA,GAbzB;;;AE7Gb,SAAoB;AACpB,WAAsB;AASf,IAAM,sBAAN,MAAqD;AAAA,EAI1D,YAAY,SAAqC;AAC/C,SAAK,YAAY,QAAQ;AACzB,SAAK,WAAW,QAAQ;AAAA,EAC1B;AAAA,EAEA,aAAa,QAAgB,UAA2B;AACtD,UAAM,eAAe,WAAgB,cAAS,QAAQ,IAAI;AAC1D,WAAY,UAAK,KAAK,WAAW,YAAY;AAAA,EAC/C;AAAA,EAEA,YAAY,QAAwB;AAClC,UAAM,SAAc,cAAS,MAAM;AACnC,WAAY,UAAK,KAAK,UAAU,MAAM;AAAA,EACxC;AAAA,EAEA,MAAM,UACJ,QACA,UACyB;AACzB,UAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,QAAI,CAAI,cAAW,SAAS,GAAG;AAC7B,YAAM,IAAI,MAAM,sBAAsB;AAAA,IACxC;AACA,UAAM,OAAU,YAAS,SAAS;AAClC,WAAO,EAAE,MAAM,WAAW,MAAM,KAAK,KAAK;AAAA,EAC5C;AAAA,EAEA,MAAM,eACJ,QACA,UACA,OACA,QACiB;AACjB,UAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,UAAM,SAAS,OAAO,MAAM,MAAM;AAClC,UAAM,KAAQ,YAAS,WAAW,GAAG;AACrC,QAAI;AACF,MAAG,YAAS,IAAI,QAAQ,GAAG,QAAQ,KAAK;AAAA,IAC1C,UAAE;AACA,MAAG,aAAU,EAAE;AAAA,IACjB;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,QAAkC;AAC9C,UAAM,WAAW,KAAK,YAAY,MAAM;AACxC,WAAU,cAAW,QAAQ;AAAA,EAC/B;AAAA,EAEA,MAAM,gBACJ,QACA,UACiB;AACjB,UAAM,WAAW,KAAK,YAAY,MAAM;AACxC,UAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AAEpD,QAAI;AACF,YAAS,YAAS,OAAO,UAAU,SAAS;AAAA,IAC9C,QAAQ;AACN,YAAS,YAAS,SAAS,UAAU,SAAS;AAC9C,YAAS,YAAS,OAAO,QAAQ;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,qBAAqB,QAAuC;AAC1D,UAAM,WAAW,KAAK,YAAY,MAAM;AACxC,WAAU,oBAAiB,QAAQ;AAAA,EACrC;AACF;;;ACpFA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACS,MACP,SACO,aAAqB,KACrB,SACP;AACA,UAAM,OAAO;AALN;AAEA;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;;;ACVA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,iBAAmC;AACnC,IAAAC,UAAwB;AACxB,WAAsB;AAuCf,IAAM,2BAAN,MAA+B;AAAA,EAA/B;AACL,SAAiB,SAAS,IAAI,sBAAO,yBAAyB,IAAI;AAGlE;AAAA,SAAiB,aAAa,oBAAI,IAAwB;AAG1D;AAAA,SAAiB,eAAe,oBAAI,IAGlC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBF,MAAM,YACJ,WACA,UACA,SAMkC;AAClC,YAAQ,WAAW;AAAA,MACjB,KAAK;AACH,eAAO,KAAK,mBAAmB,QAAQ;AAAA,MACzC,KAAK;AACH,eAAO,KAAK,eAAe,QAAQ;AAAA,MACrC,KAAK;AACH,eAAO,KAAK,gBAAgB,QAAQ,IAAI;AAAA,MAC1C,KAAK;AACH,eAAO,KAAK;AAAA,UACV,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV;AAAA,MACF;AACE,eAAO,EAAE,OAAO,OAAO,OAAO,uBAAuB,SAAS,GAAG;AAAA,IACrE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBACZ,UACkC;AAGlC,UAAM,YAAY,IAAI,YAAY,EAAE,OAAO,QAAQ;AACnD,WAAO;AAAA,MACL,OAAO;AAAA,MACP,UAAU,EAAE,WAAW,2BAA2B,KAAK;AAAA,IACzD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAc,eACZ,UACkC;AAClC,QAAI;AACF,YAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,QAAQ;AAC/C,YAAM,QAAQ,MAAM,MAAM,GAAG;AAE7B,UAAI,MAAM,WAAW,GAAG;AACtB,eAAO,EAAE,OAAO,OAAO,OAAO,qBAAqB;AAAA,MACrD;AAGA,YAAM,SAAS,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAS,CAAC;AACvE,YAAM,UAAU,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAS,CAAC;AAGxE,UAAI,QAAQ,OAAO,KAAK,IAAI,IAAI,MAAO,QAAQ,KAAK;AAClD,eAAO,EAAE,OAAO,OAAO,OAAO,cAAc;AAAA,MAC9C;AAGA,UAAI,QAAQ,OAAO,KAAK,IAAI,IAAI,MAAO,QAAQ,KAAK;AAClD,eAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB;AAAA,MACpD;AAIA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS,QAAQ,OAAO,QAAQ;AAAA,QAChC,UAAU,EAAE,KAAK,QAAQ,KAAK,OAAO,QAAQ,MAAM;AAAA,MACrD;AAAA,IACF,SAAS,GAAG;AACV,YAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,aAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,OAAO,GAAG;AAAA,IAC9D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBACZ,MACkC;AAClC,QAAI,CAAC,MAAM;AACT,aAAO,EAAE,OAAO,OAAO,OAAO,2BAA2B;AAAA,IAC3D;AAGA,QAAI,CAAC,KAAK,UAAU;AAClB,aAAO,EAAE,OAAO,OAAO,OAAO,sCAAsC;AAAA,IACtE;AAGA,QAAI,KAAK,uBAAuB;AAC9B,YAAM,UAAU,KAAK,aAAa,IAAI,KAAK,qBAAqB;AAChE,UAAI,SAAS;AACX,eAAO;AAAA,UACL,OAAO;AAAA,UACP,SAAS,QAAQ;AAAA,UACjB,UAAU;AAAA,YACR,aAAa,KAAK;AAAA,YAClB,SAAS,KAAK;AAAA,UAChB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,mBAAmB;AAC1B,YAAM,UAAU,KAAK,kBAAkB,MAAM,YAAY;AACzD,UAAI,SAAS;AACX,eAAO;AAAA,UACL,OAAO;AAAA,UACP,SAAS,QAAQ,CAAC;AAAA,UAClB,UAAU;AAAA,YACR,SAAS,KAAK;AAAA,YACd,QAAQ,KAAK;AAAA,UACf;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,OAAO,OAAO,2CAA2C;AAAA,EAC3E;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,oBACZ,YACA,WACA,UACkC;AAClC,QAAI,CAAC,YAAY,CAAC,cAAc,CAAC,WAAW;AAC1C,aAAO,EAAE,OAAO,OAAO,OAAO,4BAA4B;AAAA,IAC5D;AAGA,QAAI,YAAY,SAAS;AAGzB,UAAM,gBAAgB,KAAK,WAAW,IAAI,SAAS,QAAQ;AAC3D,QAAI,eAAe;AACjB,kBAAY;AAAA,IACd;AAEA,QAAI,CAAC,aAAa,UAAU,WAAW,IAAI;AACzC,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI;AACF,YAAM,QAAa,UAAK,SAAS,OAAO,YAAY,WAAW,SAAS;AAExE,UAAI,CAAC,OAAO;AACV,eAAO,EAAE,OAAO,OAAO,OAAO,uCAAuC;AAAA,MACvE;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS,SAAS;AAAA,QAClB,UAAU,EAAE,UAAU,SAAS,UAAU,WAAW,YAAY;AAAA,MAClE;AAAA,IACF,SAAS,GAAG;AACV,YAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,iCAAiC,OAAO;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,kBAAkB,UAAkB,WAA6B;AAC/D,QAAI,UAAU,WAAW,IAAI;AAC3B,YAAM,IAAI,MAAM,8CAA8C;AAAA,IAChE;AACA,SAAK,WAAW,IAAI,UAAU,SAAS;AACvC,SAAK,OAAO,IAAI,6BAA6B,QAAQ,EAAE;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,UAA2B;AAC1C,WAAO,KAAK,WAAW,OAAO,QAAQ;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,iBAAiB,aAAqB,SAAuB;AAC3D,SAAK,aAAa,IAAI,aAAa,EAAE,SAAS,UAAU,KAAK,IAAI,EAAE,CAAC;AACpE,SAAK,OAAO,IAAI,wBAAwB,WAAW,cAAc,OAAO,EAAE;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA,EAKA,eAAe,aAA8B;AAC3C,WAAO,KAAK,aAAa,OAAO,WAAW;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,qBAAqB,SAAyB;AAEnD,UAAM,MAAM,OAAO;AAAA,MACjB,QACG,QAAQ,+BAA+B,EAAE,EACzC,QAAQ,6BAA6B,EAAE,EACvC,QAAQ,OAAO,EAAE;AAAA,MACpB;AAAA,IACF;AACA,WAAc,mBAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;AAAA,EAC7D;AACF;AApRa,2BAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;ACzCb;AAAA;AAAA;AAAA;AAAA,mBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,iBAAuD;AAqBvD,SAAS,UAAU,KAAkC;AACnD,SACG,IAAI,QAAQ,iBAAiB,GAAc,MAAM,GAAG,EAAE,CAAC,GAAG,KAAK,KAC/D,IAAI,QAAQ,WAAW,KACxB,IAAI,OAAO,iBACX;AAEJ;AAiBO,IAAM,cAAU;AAAA,EACrB,CAAC,OAAgB,QAAkC;AACjD,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,WAAO,IAAI;AAAA,EACb;AACF;AAaO,IAAM,aAAS;AAAA,EACpB,CAAC,OAAgB,QAA8C;AAC7D,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,WAAO,UAAU,GAAG;AAAA,EACtB;AACF;AAiBO,IAAM,kBAAc;AAAA,EACzB,CAAC,OAAgB,QAA2C;AAC1D,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,UAAM,WAAY,IAAY,QAAQ,CAAC;AACvC,WAAO;AAAA,MACL,KAAK,IAAI;AAAA,MACT,IAAI,UAAU,GAAG;AAAA,MACjB,gBAAgB,SAAS;AAAA,MACzB,iBAAiB,SAAS,mBAAmB;AAAA,IAC/C;AAAA,EACF;AACF;AAcO,IAAM,qBAAiB;AAAA,EAC5B,CAAC,OAAgB,QAA8C;AAC7D,QAAI,QAAQ,IAAI,aAAa,cAAe,QAAO;AACnD,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,WAAO,IAAI,QAAQ,eAAe;AAAA,EACpC;AACF;AAoBO,IAAMC,iBAAY;AAAA,EACvB,CAAC,OAAgB,QAAuC;AACtD,UAAM,MAAM,IAAI,aAAa,EAAE,WAAoB;AACnD,UAAM,UAAW,IAAY;AAC7B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;;;ACpJA,IAAAC,iBAA4B;AAErB,IAAM,sBAAsB;AAuC5B,SAAS,OAAO,SAAyC;AAC9D,aAAO,4BAAY,qBAAqB,WAAW,IAAI;AACzD;;;AC3CA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,iBAA4B;AAkErB,SAAS,kBACd,WACA,IACiB;AACjB,SAAO;AAAA,IACL,QAAI,4BAAY,EAAE,EAAE,SAAS,KAAK;AAAA,IAClC,SAAS,KAAK,IAAI;AAAA,IAClB;AAAA,IACA;AAAA,IACA,QAAQ,CAAC;AAAA,IACT,SAAS,CAAC;AAAA,IACV,OAAO,CAAC;AAAA,EACV;AACF;AAIO,SAAS,WACd,KACA,MACkB;AAClB,QAAM,QAA0B,EAAE,MAAM,QAAQ,MAAM,SAAS,KAAK,IAAI,EAAE;AAC1E,MAAI,OAAO,KAAK,KAAK;AACrB,SAAO;AACT;AAEO,SAAS,SACd,OACA,SAAiC,MACjC,QACA,MACM;AACN,QAAM,QAAQ,KAAK,IAAI;AACvB,QAAM,aAAa,MAAM,QAAQ,MAAM;AACvC,QAAM,SAAS;AACf,MAAI,OAAQ,OAAM,SAAS;AAC3B,MAAI,KAAM,OAAM,OAAO;AACzB;AAIO,SAAS,aACd,KACA,MACA,SACA,WACA,YACA,SACA,MACM;AACN,MAAI,QAAQ,KAAK,EAAE,MAAM,SAAS,WAAW,YAAY,SAAS,KAAK,CAAC;AAC1E;AAIO,SAAS,oBACd,KACA,UACA,YACA,YACM;AACN,MAAI,QAAQ,KAAK,IAAI;AACrB,MAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,MAAI,WAAW;AACf,MAAI,aAAa;AACjB,MAAI,WAAY,KAAI,aAAa;AACnC;;;ACpIA,IAAAC,iBAAiD;AAoC1C,IAAM,0BAAN,MAAsD;AAAA,EAG3D,YACmB,WACA,SACA,QACjB;AAHiB;AACA;AACA;AALnB,SAAiB,SAAS,IAAI,sBAAO,wBAAwB,IAAI;AAAA,EAM9D;AAAA,EAEH,eAAe;AACb,UAAM,YAAY,KAAK,UAAU,aAAa;AAC9C,QAAI,eAAe;AAEnB,eAAW,WAAW,WAAW;AAC/B,YAAM,EAAE,UAAU,SAAS,IAAI;AAC/B,UAAI,CAAC,YAAY,CAAC,SAAU;AAG5B,YAAM,cAAc,QAAQ,YAAY,sBAAsB,QAAQ;AACtE,UAAI,CAAC,YAAa;AAElB,YAAM,cAAc,YAAY,UAAU,SAAS;AACnD,YAAM,QAAQ,OAAO,eAAe,QAAQ;AAC5C,YAAM,UAAU,KAAK,QAAQ,kBAAkB,KAAK;AACpD,UAAI,aAAa;AAEjB,iBAAW,cAAc,SAAS;AAChC,cAAM,OAAO,QAAQ;AAAA,UACnB;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,YAAI,CAAC,MAAM,OAAQ;AAInB,YAAI,CAAC,KAAK,OAAO,IAAI,KAAK,MAAM,GAAG;AACjC,eAAK,OAAO;AAAA,YACV,KAAK;AAAA,YACJ,SAAiB,UAAU,EAAE,KAAK,QAAQ;AAAA,UAC7C;AACA;AACA;AAAA,QACF;AAIA,aAAK,OAAO,mBAAmB,KAAK,QAAQ,OAAO,UAAU;AAAA,MAC/D;AAEA,UAAI,aAAa,GAAG;AAClB,aAAK,OAAO;AAAA,UACV,mBAAmB,UAAU,iBAAiB,WAAW;AAAA,QAC3D;AAAA,MACF;AAAA,IACF;AAEA,SAAK,OAAO;AAAA,MACV,+BAA+B,YAAY;AAAA,IAC7C;AAAA,EACF;AACF;AA7Da,0BAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;ACvBN,IAAM,OAAO;AAAA;AAAA,EAElB,MAAM;AAAA;AAAA,EAEN,UAAU;AAAA;AAAA,EAEV,QAAQ;AAAA;AAAA,EAER,SAAS;AAAA;AAAA,EAET,UAAU;AAAA;AAAA,EAEV,OAAO;AACT;AAKO,IAAM,sBAAsB;;;AC/BnC,IAAAC,iBAA2D;AAmBpD,IAAM,yBAAN,MAA+D;AAAA,EAGpE,YACmB,WACA,WACA,UACjB;AAHiB;AACA;AACA;AALnB,SAAiB,SAAS,IAAI,sBAAO,uBAAuB,IAAI;AAAA,EAM7D;AAAA,EAEH,yBAAyB;AACvB,UAAM,YAAY,KAAK,UAAU,aAAa;AAC9C,QAAI,QAAQ;AAEZ,eAAW,WAAW,WAAW;AAC/B,YAAM,EAAE,SAAS,IAAI;AACrB,UAAI,CAAC,YAAY,CAAC,SAAS,YAAa;AAExC,YAAM,OAAO,KAAK,UAAU;AAAA,QAC1B;AAAA,QACA,SAAS;AAAA,MACX;AACA,UAAI,CAAC,KAAM;AAEX,YAAM,SAAS;AAEf,UAAI,CAAC,OAAO,QAAQ,OAAO,UAAU,QAAW;AAC9C,aAAK,OAAO;AAAA,UACV,gBAAgB,SAAS,YAAY,IAAI;AAAA,QAC3C;AACA;AAAA,MACF;AAGA,UAAI,CAAC,OAAO,OAAO;AACjB,cAAM,iBAAiB,SAAS,OAAO,KAAK,QAAQ;AACpD,QAAC,OAAe,QACd,mBACC,OAAO,QAAQ,sBAAsB,eAAe;AAAA,MACzD;AAEA,WAAK,SAAS,SAAS,MAAM;AAC7B;AAAA,IACF;AAEA,SAAK,OAAO,IAAI,mBAAmB,KAAK,wBAAwB;AAAA,EAClE;AACF;AA9Ca,yBAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;ACnBb,IAAAC,iBAAmC;AA2B5B,IAAM,iBAAN,MAAqB;AAAA,EAI1B,YAA6B,eAA8B;AAA9B;AAH7B,SAAQ,UAAwB,CAAC;AACjC,SAAiB,SAAS,IAAI,sBAAO,eAAe,IAAI;AAAA,EAEI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAc5D,SAAS,QAA0B;AAEjC,QAAI,CAAC,OAAO,MAAM;AAChB,YAAM,IAAI,MAAM,6BAA6B;AAAA,IAC/C;AAGA,UAAM,oBAAoB,KAAK,cAAc,IAAY,iBAAiB;AAC1E,UAAM,qBACJ,KAAK,cAAc,IAAY,kBAAkB;AAEnD,UAAM,iBAAiB,oBACnB,kBAAkB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,IAChD;AACJ,UAAM,kBAAkB,qBACpB,mBAAmB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,IACjD,CAAC;AAEL,QAAI,kBAAkB,CAAC,eAAe,SAAS,OAAO,IAAI,GAAG;AAC3D,WAAK,OAAO,IAAI,sDAAsD,OAAO,IAAI,EAAE;AACnF;AAAA,IACF;AAEA,QAAI,gBAAgB,SAAS,OAAO,IAAI,GAAG;AACzC,WAAK,OAAO,IAAI,mDAAmD,OAAO,IAAI,EAAE;AAChF;AAAA,IACF;AAEA,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAM,IAAI,MAAM,eAAe,OAAO,IAAI,4BAA4B;AAAA,IACxE;AAGA,UAAM,oBAAoB,KAAK,kBAAkB,MAAM;AACvD,UAAM,qBAAqB,KAAK,mBAAmB,MAAM;AAEzD,QAAI,qBAAqB,OAAO,SAAS,IAAI;AAC3C,WAAK,OAAO;AAAA,QACV,eAAe,OAAO,IAAI,2CAA2C,OAAO,KAAK;AAAA,MACnF;AAAA,IACF;AACA,QAAI,sBAAsB,OAAO,QAAQ,IAAI;AAC3C,WAAK,OAAO;AAAA,QACV,eAAe,OAAO,IAAI,4CAA4C,OAAO,KAAK;AAAA,MACpF;AAAA,IACF;AAEA,SAAK,QAAQ,KAAK,MAAM;AACxB,UAAM,aACJ,OAAO,OAAO,UAAU,WACpB,OAAO,QACP,OAAO,OAAO,SAAS;AAC7B,SAAK,OAAO;AAAA,MACV,sBAAsB,OAAO,IAAI,YAAY,OAAO,KAAK,YAAY,UAAU;AAAA,IACjF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAqB;AACnB,WAAO,CAAC,GAAG,KAAK,OAAO,EAAE;AAAA,MACvB,CAAC,GAAG,OAAO,EAAE,SAAS,QAAQ,EAAE,SAAS;AAAA,IAC3C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,sBAAuC;AACrC,WAAO,KAAK,KAAK,EAAE,OAAO,CAAC,OAA2B,EAAE,SAAS,OAAO,EAAE;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,uBAAyC;AACvC,WAAO,KAAK,KAAK,EAAE;AAAA,MACjB,CAAC,OAA4B,EAAE,SAAS,QAAQ;AAAA,IAClD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,kBAAkB,QAA6B;AACrD,UAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,WAAO,UAAU,iBAAiB,OAAO,SAAS,OAAO;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,mBAAmB,QAA6B;AACtD,UAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,WAAO,UAAU,kBAAkB,OAAO,SAAS,QAAQ;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,wBAA6E;AAC3E,WAAO;AAAA,MACL,gBAAgB,KAAK,oBAAoB,EAAE;AAAA,MAC3C,iBAAiB,KAAK,qBAAqB,EAAE;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,QAAc;AACZ,SAAK,UAAU,CAAC;AAAA,EAClB;AACF;AA5Ja,iBAAN;AAAA,MADN,2BAAW;AAAA,GACC;;;AC3Bb;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACwRO,SAAS,uBACd,QACA,UAAkB,YAClB,QAAgB,QACR;AAGR,SAAO,MAAM,OAAO,IAAI,KAAK,IAAI,MAAM;AACzC;AAMO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU;AAAA,IACd,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI;AAAA,IAC/C,MAAM;AAAA,MACJ,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,IACjB;AAAA,IACA,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,MAAM,KAAK,KAAK,KAAK;AAAA,EACvE;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;AAKO,SAAS,kBAAkB,OAAmC;AACnE,QAAM,UAAU;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,QAAQ,MAAM;AAAA,IACd,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,IAClB,MAAM,MAAM;AAAA,IACZ,MAAM,MAAM;AAAA,EACd;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;;;ACjUA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,KAAmB;AAqBZ,IAAM,kBAAoB,SAAM;AAAA,EACnC,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,EAC/D,UAAO;AAAA,IACP,QAAU,WAAQ,MAAM;AAAA,IACxB,MAAQ,UAAO;AAAA,IACf,QAAU,UAAO,EAAE,SAAS;AAAA,IAC5B,MAAQ,OAAI,EAAE,SAAS;AAAA,EACzB,CAAC;AACH,CAAC;AAEM,IAAM,8BAAgC,SAAM;AAAA,EAC/C,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,EAC/D,UAAO;AAAA,IACP,QAAU,WAAQ,MAAM;AAAA,IACxB,MAAQ,UAAO;AAAA,IACf,QAAU,UAAO,EAAE,SAAS;AAAA,IAC5B,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,IACnD,MAAQ,OAAI,EAAE,SAAS;AAAA,EACzB,CAAC;AACH,CAAC;AAMM,IAAM,2BAA6B,UAAO;AAAA,EAC/C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,SAAW,UAAO,EAAE,OAAO,CAAC,EAAE,YAAY,EAAE,SAAS;AACvD,CAAC;AAGM,IAAM,wBAAwB;AAO9B,IAAM,wBAA0B,UAAO;AAAA,EAC5C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,WAAa,WAAQ,EAAE,SAAS;AAClC,CAAC;AAGM,IAAM,qBAAqB;AAO3B,IAAM,aAAe,QAAK;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,iBAAmB,QAAK,CAAC,UAAU,WAAW,YAAY,MAAM,CAAC;AAGvE,IAAM,sBAAwB,UAAO;AAAA,EAC1C,SAAS;AAAA,EACT,YAAc,QAAK,CAAC,UAAU,SAAS,CAAC;AAAA,EACxC,eAAiB,SAAM,UAAU,EAAE,IAAI,CAAC;AAAA,EACxC,YAAc,WAAQ;AAAA,EACtB,sBAAwB,WAAQ;AAAA,EAChC,QAAU,UAAO,EAAE,IAAI,CAAC;AAC1B,CAAC;AAOM,IAAM,oBAAsB,QAAK,CAAC,OAAO,UAAU,QAAQ,UAAU,CAAC;AAGtE,IAAM,gBAAkB,UAAO;AAAA,EACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,aAAa;AAAA,EACb,eAAiB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACzC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACxC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAClD,oBAAsB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EACzD,kBAAoB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EACvD,mBAAqB,WAAQ;AAAA,EAC7B,iBAAmB,WAAQ;AAAA,EAC3B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AACvC,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,EAC/C,OAAO;AAAA,EACP,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAC1C,CAAC;AAGM,IAAM,wBAA0B,SAAM;AAAA,EACzC,UAAO;AAAA,IACP,QAAU,WAAQ,OAAO;AAAA,IACzB,QAAQ;AAAA,EACV,CAAC;AAAA,EACC,UAAO;AAAA,IACP,QAAU,WAAQ,MAAM;AAAA,IACxB,QAAU,UAAO;AAAA,EACnB,CAAC;AACH,CAAC;AAOM,IAAM,iBAAmB,UAAO;AAAA,EACrC,WAAa,UAAO,EAAE,IAAI,CAAC;AAAA,EAC3B,cAAgB,SAAQ,UAAO,CAAC,EAAE,IAAI,CAAC;AAAA,EACvC,QACG,UAAO;AAAA,IACN,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EACrD,CAAC,EACA,SAAS;AAAA,EACZ,QAAU,UAAS,UAAO,GAAK,OAAI,CAAC,EAAE,SAAS;AACjD,CAAC;AAGM,IAAM,WAAa,UAAO;AAAA,EAC/B,IAAM,UAAO;AAAA,EACb,QAAQ;AAAA,EACR,UAAY,UAAO,EAAE,IAAI;AAAA,EACzB,WAAa,UAAO,EAAE,IAAI;AAAA,EAC1B,MAAQ,QAAK,CAAC,QAAQ,YAAY,SAAS,CAAC;AAC9C,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,EAC/C,OAAS,WAAQ;AAAA,EACjB,SAAS,SAAS,SAAS;AAAA,EAC3B,QAAU,UAAO,EAAE,SAAS;AAAA,EAC5B,gBAAkB,WAAQ,EAAE,SAAS;AACvC,CAAC;AAGM,IAAM,4BAA8B,UAAO;AAAA,EAChD,SAAW;AAAA,IACP,UAAO;AAAA,IACP,UAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,EACrD;AAAA,EACA,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,KAAO,OAAI;AAAA;AACb,CAAC;AAKM,IAAM,uBAAyB,UAAO;AAAA,EAC3C,IAAM,WAAQ,IAAI;AAAA,EAClB,SAAS;AACX,CAAC;AAOM,IAAM,oBAAsB,QAAK;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,kBAAoB,UAAO;AAAA,EACtC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,WAAa,UAAO,EAAE,SAAS;AAAA,EAC/B,SAAW,UAAO,EAAE,SAAS;AAAA,EAC7B,WAAa,UAAO,EAAE,SAAS;AAAA,EAC/B,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,SAAS;AACX,CAAC;AAGM,IAAM,mBAAqB,UAAO;AAAA,EACvC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACrC,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC/B,KAAO,QAAK,CAAC,kBAAkB,eAAe,CAAC;AACjD,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,EACpC,IAAM,WAAQ,IAAI;AACpB,CAAC;AAOM,IAAM,YAAc,UAAO;AAAA,EAChC,IAAM,UAAO;AAAA,EACb,YAAc,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACtD,QAAU,QAAK,CAAC,UAAU,WAAW,WAAW,SAAS,CAAC;AAAA,EAC1D,UAAY,UAAO,EAAE,IAAI;AAAA,EACzB,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AACvC,CAAC;AACM,IAAM,oBAAsB,UAAO;AAAA,EACxC,UAAY,UAAO,EAAE,IAAI;AAAA,EACzB,SAAW,UAAO,EAAE,IAAI;AAAA,EACxB,eAAiB,UAAO,EAAE,IAAI;AAAA,EAC9B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AACvC,CAAC;AAQM,IAAM,oBAAsB,UAAO;AAAA,EACxC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,EACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,MAAQ,cAAW,UAAU;AAAA,EAC7B,SAAW,UAAO,EAAE,SAAS;AAC/B,CAAC;AAOM,IAAM,sBAAwB,UAAO;AAAA,EAC1C,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,EAC1D,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,EAC5D,IAAM,UAAO,EAAE,IAAI,CAAC;AACtB,CAAC;AAOM,IAAM,uBAAyB,UAAO;AAAA,EAC3C,UACG,SAAM,CAAG,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,GAAK,cAAW,UAAU,CAAC,CAAC,EAC7E,SAAS;AAAA,EACZ,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,EACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,MAAQ,cAAW,UAAU;AAAA,EAC7B,SAAW,UAAO,EAAE,SAAS;AAAA,EAC7B,aAAe,UAAO,EAAE,SAAS;AACnC,CAAC;AAOM,IAAM,mBAAqB,QAAK;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,SAAW,QAAK,CAAC,UAAU,MAAM,CAAC;AAGxC,IAAM,eAAiB,UAAO;AAAA,EACnC,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,EACtB,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC/B,MAAM;AAAA,EACN,UAAY,WAAQ,EAAE,SAAS;AAAA,EAC/B,QAAU,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,KAAO,UAAO,EAAE,SAAS;AAAA,EACzB,OAAO,OAAO,SAAS;AACzB,CAAC;AAGM,IAAM,eAAiB,QAAK,CAAC,WAAW,OAAO,WAAW,SAAS,CAAC;AAGpE,IAAM,gBAAkB,UAAO;AAAA,EACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,SAAW,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACnC,aAAa;AAAA,EACb,QAAU,SAAM,YAAY,EAAE,IAAI,CAAC;AACrC,CAAC;AAOM,IAAM,oBAAsB,UAAO;AAAA,EACxC,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,MAAQ,WAAQ;AAAA,EAChB,IAAM,UAAO,EAAE,IAAI,CAAC;AACtB,CAAC;AAGM,IAAM,uBAAyB,SAAM;AAAA,EACxC,UAAO,EAAE,QAAU,WAAQ,OAAO,EAAE,CAAC;AAAA,EACrC,UAAO,EAAE,QAAU,WAAQ,MAAM,GAAG,MAAQ,UAAO,EAAE,CAAC;AAC1D,CAAC;AAOM,IAAM,qBAAuB,UAAO;AAAA,EACzC,IAAM,UAAO,EAAE,IAAI,CAAC;AACtB,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,EACpC,OAAS,UAAO,EAAE,IAAI,IAAI,EAAE,IAAI,GAAG;AAAA,EACnC,aAAe,UAAO,EAAE,IAAI;AAAA,EAC5B,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,gBAAkB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC7C,iBAAmB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC9C,MAAQ,SAAQ,UAAO,CAAC;AAC1B,CAAC;AAOM,IAAM,gBAAkB,QAAK;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,iBAAmB,UAAO;AAAA,EACrC,aAAe,UAAO,EAAE,IAAI,CAAC;AAAA,EAC7B,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACrC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACrC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACvC,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EAC5C,QAAQ;AACV,CAAC;AAOM,IAAM,mBAAqB,UAAO;AAAA,EACvC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,WAAa,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACxC,SAAW,UAAO,EAAE,IAAI,EAAE,YAAY;AACxC,CAAC;AAGM,IAAM,oBAAsB,UAAO;AAAA,EACxC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAC1C,CAAC;AAOM,IAAM,kBAAoB,UAAO;AAAA,EACtC,YAAc,OAAI;AAAA;AAAA,EAClB,WAAa,OAAI;AAAA;AAAA,EACjB,QAAU,UAAO,EAAE,IAAI,CAAC;AAC1B,CAAC;AAOM,IAAKC,aAAL,kBAAKA,eAAL;AACL,EAAAA,sBAAA,aAAU,KAAV;AACA,EAAAA,sBAAA,SAAM,KAAN;AACA,EAAAA,sBAAA,aAAU,KAAV;AACA,EAAAA,sBAAA,eAAY,KAAZ;AACA,EAAAA,sBAAA,iBAAc,KAAd;AALU,SAAAA;AAAA,iBAAA;AAQL,IAAM,eAAiB,UAAO;AAAA,EACnC,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA;AAAA,EAC/C,IAAM,UAAO;AAAA;AAAA,EACb,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,EACxB,SAAW,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACnD,WAAa,QAAKA,UAAS;AAAA,EAC3B,UAAY,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACpD,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,EACjD,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,EACpB,cAAgB,UAAO,EAAE,SAAS;AAAA,EAClC,SAAS,SAAS,SAAS;AAAA,EAC3B,UAAU,UAAU,SAAS;AAAA,EAC7B,OAAS,OAAI,EAAE,SAAS;AAAA;AAC1B,CAAC;AAQM,IAAM,aAAe,UAAO;AAAA,EACjC,MAAQ,UAAO;AAAA,EACf,SAAW,UAAO;AAAA,EAClB,YAAc,UAAO,EAAE,IAAI;AAC7B,CAAC;;;AC9bD,IAAAC,kBAAmC;AAO5B,IAAKC,eAAL,kBAAKA,iBAAL;AACL,EAAAA,0BAAA,SAAM,KAAN;AACA,EAAAA,0BAAA,aAAU,KAAV;AACA,EAAAA,0BAAA,SAAM,KAAN;AACA,EAAAA,0BAAA,SAAM,KAAN;AAJU,SAAAA;AAAA,mBAAA;AAiBL,IAAM,uBAAN,MAA2B;AAAA,EAA3B;AACL,SAAiB,SAAS,IAAI,uBAAO,qBAAqB,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA,EAK9D,SAAS,MAAkB,SAA6C;AACtE,YAAQ,SAAS;AAAA,MACf,KAAK;AACH,eAAO,KAAK,YAAY,IAAI;AAAA,MAE9B,KAAK;AACH,eAAO,KAAK,eAAe,IAAI;AAAA,MAEjC,KAAK;AACH,eAAO,KAAK,YAAY,IAAI;AAAA,MAE9B,KAAK;AACH,eAAO,KAAK,YAAY,IAAI;AAAA,MAE9B;AACE,eAAO;AAAA,UACL,OAAO;AAAA,UACP,OAAO,yBAAyB,OAAO;AAAA,UACvC;AAAA,QACF;AAAA,IACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAyC;AAC3D,WAAO;AAAA,MACL,OAAO;AAAA,MACP,SAAS;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,MAAyC;AAC9D,QAAI;AACF,YAAM,WAAO,qCAAe,IAAI;AAGhC,iBAAWC,QAAO,MAAM;AACtB,YAAIA,KAAI,SAAS,OAAOA,KAAI,SAAS,KAAK;AACxC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,OAAO;AAAA,YACP,SAAS;AAAA,UACX;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS;AAAA,MACX;AAAA,IACF,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,0BAA0B,OAAO;AAAA,QACxC,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAyC;AAC3D,QAAI;AACF,YAAM,WAAO,qCAAe,IAAI;AAGhC,YAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,UAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,eAAO;AAAA,UACL,OAAO;AAAA,UACP,OAAO;AAAA,UACP,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS;AAAA,MACX;AAAA,IACF,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,sBAAsB,OAAO;AAAA,QACpC,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAyC;AAC3D,QAAI;AACF,YAAM,WAAO,qCAAe,IAAI;AAGhC,YAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,UAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,eAAO;AAAA,UACL,OAAO;AAAA,UACP,OAAO;AAAA,UACP,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,OAAO;AAAA,QACP,SAAS;AAAA,MACX;AAAA,IACF,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,sBAAsB,OAAO;AAAA,QACpC,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AACF;AApIa,uBAAN;AAAA,MADN,4BAAW;AAAA,GACC;;;ACxBb;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,kBAA2B;AAmCpB,IAAM,8BAAN,MAAwD;AAAA,EAAxD;AAEL;AAAA,SAAS,OAAO;AAMhB;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,WAAoB;AAClB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,OAA6C;AAErD,UAAM,aAAa,CAAC,CAAC,MAAM,UAAU;AACrC,UAAM,cAAc,CAAC,CAAC,MAAM,UAAU;AACtC,UAAM,UAAU,CAAC,CAAC,MAAM,UAAU;AAElC,UAAM,UAAU,cAAc,eAAe,UAAU,YAAY;AAGnE,QAAI,CAAC,MAAM,SAAU,OAAM,WAAW,CAAC;AACvC,UAAM,SAAS,UAAU;AAEzB,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA5Ba,8BAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACnCb,IAAAC,kBAA2B;AA2FpB,IAAM,mBAAN,MAA6C;AAAA,EAA7C;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUhC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,EAAE,KAAK,IAAI;AAGjB,QAAI,CAAC,QAAQ,KAAK,SAAS,GAAG;AAC5B,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,QAAI;AAOF,UAAI,SAAS;AACb,gBAAU;AACV,gBAAU;AAGV,YAAM,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACrE,gBAAU;AAGV,YAAM,EAAE,OAAO,QAAQ,QAAI,oCAAa,MAAM,MAAM;AAGpD,UAAI,SAAS,mCAAa;AACxB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,eAAe,MAAM,kBAAkB,iCAAW;AAAA,QAC5D;AAAA,MACF;AAGA,UAAI,UAAU,oCAAc;AAC1B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,aAAa,OAAO,kBAAkB,kCAAY;AAAA,QAC5D;AAAA,MACF;AAEA,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B,SAAS,GAAG;AAGV,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAAA,EACF;AACF;AA3Fa,mBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC3Fb,IAAAC,kBAAmC;AA6E5B,IAAM,8BAAN,MAAwD;AAAA,EAAxD;AACL,SAAiB,SAAS,IAAI,uBAAO,4BAA4B,IAAI;AAGrE;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU/B,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,IAAI,OAA6C;AACrD,UAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,UAAM,YAAY,QAAQ,aAAa;AAIvC,UAAM,sBAAsB,mBAAmB,SAAS,KAAK,CAAC;AAI9D,UAAM,uBAAuB,KAAK,wBAAwB,MAAM;AAIhE,QAAI,qBAAqB,WAAW,GAAG;AACrC,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAIA,UAAM,sBAAsB,qBAAqB;AAAA,MAC/C,CAAC,QAAQ,CAAC,oBAAoB,SAAS,GAAG;AAAA,IAC5C;AAEA,QAAI,oBAAoB,SAAS,GAAG;AAElC,WAAK,OAAO;AAAA,QACV,yBAAyB,MAAM,aAAa,oBAAoB,KAAK,IAAI,CAAC,UAAU,oBAAoB,KAAK,IAAI,CAAC;AAAA,MACpH;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,yBAAyB,oBAAoB,KAAK,IAAI,CAAC;AAAA,MACjE;AAAA,IACF;AAGA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcQ,wBAAwB,QAA8B;AAE5D,QAAI,oBAAoB,MAAM,GAAG;AAC/B,aAAO,oBAAoB,MAAM;AAAA,IACnC;AAGA,eAAW,CAAC,SAAS,IAAI,KAAK,OAAO,QAAQ,mBAAmB,GAAG;AACjE,UAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,cAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,YAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,iBAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAGA,WAAO,CAAC,SAAS;AAAA,EACnB;AACF;AAtHa,8BAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC7Eb,IAAAC,kBAA2B;AAC3B,IAAAC,iBAA2B;AAgFpB,IAAM,kBAAN,MAA4C;AAAA,EAA5C;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUhC,SAAS,OAA6B;AACpC,WAAO,MAAM,WAAW;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,aAAa,MAAM;AACzB,UAAM,YAAY,MAAM;AAGxB,QAAI,CAAC,cAAc,CAAC,WAAW;AAC7B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,UAAMC,oBAAmB;AAGzB,UAAM,WAAW,WAAW,IAAIA,iBAAgB;AAEhD,QAAI,CAAC,YAAY,SAAS,WAAW,IAAI;AACvC,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,UAAM,aAAS,2BAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO;AAI7D,QAAI,CAAC,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC,GAAG;AACtD,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAlFa,kBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACjFb,IAAAC,kBAAmC;AACnC,IAAAC,UAAwB;AAqGjB,IAAM,gBAAN,MAA0C;AAAA,EAA1C;AACL,SAAiB,SAAS,IAAI,uBAAO,cAAc,IAAI;AAUvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAiB,wBAAwB;AAGzC;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcvB,iBAAiB,MAA0B;AACjD,QAAI,KAAK,WAAW,EAAG,QAAO;AAG9B,UAAM,OAAO,oBAAI,IAAoB;AACrC,eAAW,QAAQ,MAAM;AACvB,WAAK,IAAI,OAAO,KAAK,IAAI,IAAI,KAAK,KAAK,CAAC;AAAA,IAC1C;AAGA,QAAI,UAAU;AACd,UAAM,MAAM,KAAK;AACjB,eAAW,SAAS,KAAK,OAAO,GAAG;AACjC,YAAM,IAAI,QAAQ;AAClB,iBAAW,IAAI,KAAK,KAAK,CAAC;AAAA,IAC5B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYQ,qBAAqB,MAA2B;AACtD,QAAI,KAAK,SAAS,EAAG,QAAO;AAE5B,QAAI,YAAY;AAChB,QAAI,aAAa;AAEjB,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI,EAAG;AACjC,UAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI,EAAG;AAAA,IACnC;AAGA,WAAO,YAAY,KAAK,SAAS,KAAK,aAAa,KAAK,SAAS;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYQ,mBAAmB,MAA2B;AACpD,QAAI,KAAK,SAAS,EAAG,QAAO;AAG5B,eAAW,cAAc,CAAC,GAAG,GAAG,CAAC,GAAG;AAClC,UAAI,KAAK,SAAS,eAAe,EAAG;AAEpC,UAAI,UAAU;AACd,eAAS,IAAI,YAAY,IAAI,KAAK,QAAQ,KAAK;AAC7C,YAAI,KAAK,CAAC,MAAM,KAAK,IAAI,UAAU,EAAG;AAAA,MACxC;AAGA,UAAI,WAAW,KAAK,SAAS,cAAc,KAAK;AAC9C,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,UAAU,MAAM;AAGtB,QAAI,CAAC,SAAS;AACZ,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,MAAM,QAAQ,IAAI,6BAAO;AAC/B,UAAM,QAAQ,QAAQ,IAAI,+BAAS;AAEnC,UAAM,SAAmB,CAAC;AAC1B,QAAI,aAAa;AAGjB,QAAI,OAAO,IAAI,SAAS,GAAG;AACzB,YAAM,aAAa,KAAK,iBAAiB,GAAG;AAG5C,UAAI,aAAa,KAAK,uBAAuB;AAC3C,eAAO,KAAK,mBAAmB,WAAW,QAAQ,CAAC,CAAC,EAAE;AACtD,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,qBAAqB,GAAG,GAAG;AAClC,eAAO,KAAK,gBAAgB;AAC5B,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,mBAAmB,GAAG,GAAG;AAChC,eAAO,KAAK,cAAc;AAC1B,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,YAAM,eAAe,KAAK,iBAAiB,KAAK;AAGhD,UAAI,eAAe,KAAK,uBAAuB;AAC7C,eAAO,KAAK,qBAAqB,aAAa,QAAQ,CAAC,CAAC,EAAE;AAC1D,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,qBAAqB,KAAK,GAAG;AACpC,eAAO,KAAK,kBAAkB;AAC9B,sBAAc;AAAA,MAChB;AAGA,UAAI,KAAK,mBAAmB,KAAK,GAAG;AAClC,eAAO,KAAK,gBAAgB;AAC5B,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,GAAG;AACrB,WAAK,OAAO,KAAK,uBAAuB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC,EAAE;AACxE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,YAAY;AAAA,QACZ,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,OAAO,qBAAqB,QAA4B;AACtD,WAAO,IAAI,WAAkB,oBAAY,MAAM,CAAC;AAAA,EAClD;AACF;AAtNa,gBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACtGb,IAAAC,kBAAmC;AA2F5B,IAAM,yBAAN,MAAmD;AAAA,EAAnD;AACL,SAAiB,SAAS,IAAI,uBAAO,uBAAuB,IAAI;AAGhE;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQjC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,IAAI,OAA6C;AACrD,UAAM,EAAE,QAAQ,QAAQ,IAAI;AAC5B,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,UAAU,eAAe,MAAM;AAGrC,UAAM,WAAW,KAAK,IAAI,IAAI;AAG9B,QAAI,SAAS;AACX,MAAC,QAAgB,WAAW;AAC5B,MAAC,QAAgB,YAAY;AAAA,IAC/B;AAEA,SAAK,OAAO;AAAA,MACV,OAAO,OAAO,kBAAkB,MAAM,eAAe,IAAI,KAAK,QAAQ,EAAE,YAAY,CAAC;AAAA,IACvF;AAIA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,UAAU,KAAqC;AACpD,QAAI,CAAC,IAAI,SAAU,QAAO;AAC1B,WAAO,KAAK,IAAI,IAAI,IAAI;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,eAAe,KAAoC;AACxD,QAAI,CAAC,IAAI,SAAU,QAAO;AAC1B,WAAO,KAAK,IAAI,GAAG,IAAI,WAAW,KAAK,IAAI,CAAC;AAAA,EAC9C;AACF;AA3Fa,yBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC3Fb,IAAAC,kBAA2B;AAqFpB,IAAM,oBAAN,MAA8C;AAAA,EAanD,YAA6B,QAAuB;AAAvB;AAX7B;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,OAAO;AAAA,EAEwB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWrD,SAAS,OAA6B;AACpC,WAAO,OAAO,MAAM,kBAAkB;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,IAAI,OAA6C;AACrD,UAAM,WACJ,KAAK,OAAO,IAAY,qBAAqB,KAAK,KAAK,OAAO;AAChE,UAAM,gBAAgB,MAAM;AAE5B,QAAI,OAAO,kBAAkB,UAAU;AACrC,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,QAAI,gBAAgB,UAAU;AAC5B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,cAAc,aAAa,kBAAkB,QAAQ;AAAA,MAC/D;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA7Da,oBAAN;AAAA,EAFN,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,MAC9B,4BAAW;AAAA,GACC;;;ACrFb,IAAAC,kBAA2B;AASpB,IAAM,0BAAN,MAAoD;AAAA,EAApD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,OAAO;AAAA;AAAA,EAE7B,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;AAAA,EAC9C;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,OAAO,MAAM;AACnB,UAAM,aAAa,MAAM,iBAAiB;AAG1C,QAAI,KAAK,SAAS,KAAK,CAAC,KAAK,YAAY,KAAK,MAAM,GAAG,CAAC,GAAG,gCAAU,GAAG;AACtE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,QAAI,KAAK,CAAC,MAAM,oCAAc;AAC5B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,wBAAwB,KAAK,CAAC,CAAC;AAAA,MACzC;AAAA,IACF;AAGA,QAAI,aAAa,qCAAe;AAC9B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,cAAc,UAAU,gBAAgB,mCAAa;AAAA,MAC/D;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA,EAEQ,YAAY,GAAe,GAAwB;AACzD,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,aAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,UAAI,EAAE,CAAC,MAAM,EAAE,CAAC,EAAG,QAAO;AAAA,IAC5B;AACA,WAAO;AAAA,EACT;AACF;AAjDa,0BAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,GAClB;;;ACTb,IAAAC,kBAA2B;AASpB,IAAM,uBAAN,MAAiD;AAAA,EAAjD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,UAAU;AAChC,SAAiB,WAAW;AAAA;AAAA,EAE5B,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,cAAc,CAAC,CAAC,MAAM;AAAA,EACvC;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,QAAI,MAAM,cAAc,MAAM,WAAW,OAAO,KAAK,UAAU;AAC7D,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,gBAAgB,MAAM,WAAW,IAAI,iBAAiB,KAAK,QAAQ;AAAA,MAC7E;AAAA,IACF;AAEA,QAAI,MAAM,UAAU,MAAM,OAAO,aAAa;AAC5C,YAAM,SAAS,MAAM,OAAO,YAAY;AACxC,UAAI,SAAS,mCAAa;AACxB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,eAAe,MAAM,gBAAgB,iCAAW;AAAA,QAC1D;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA/Ba,uBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO;AAAA,GACK;;;ACTb,IAAAC,kBAA2B;AAO3B,IAAM,0BAA0B;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAIO,IAAM,wBAAN,MAAkD;AAAA,EAAlD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,SAAS,OAA6B;AAEpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,UAAU,MAAM,UAAU,WAAW;AAC3C,UAAM,SAAS,MAAM,UAAU;AAG/B,QAAI,YAAY,UAAU;AACxB,YAAM,YAAY,wBAAwB;AAAA,QAAK,CAAC,WAC9C,OAAO,WAAW,MAAM;AAAA,MAC1B;AACA,UAAI,CAAC,WAAW;AACd,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,WAAW,MAAM;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AAGA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AA9Ba,wBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO;AAAA,GACK;;;ACjBb,IAAAC,kBAA2B;AAsBpB,IAAM,uBAAN,MAAiD;AAAA,EAItD,YAA6B,QAAsB;AAAtB;AAH7B,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA,EAEmB;AAAA,EAEpD,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,SAAS,MAAM;AAErB,QAAI,KAAK,OAAO,IAAI,MAAM,GAAG;AAC3B,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ,WAAW,MAAM;AAAA,IAC3B;AAAA,EACF;AACF;AAvBa,uBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO,EAAE,OAAO,cAAc,CAAC;AAAA,GACnB;;;ACtBb,IAAAC,kBAA2B;AAapB,IAAM,sBAAN,MAAgD;AAAA,EAAhD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,SAAS,OAAoC;AAC3C,WAAO,CAAC,CAAC,MAAM,WAAW,CAAC,CAAC,MAAM;AAAA,EACpC;AAAA,EAEA,MAAM,IAAI,OAAoD;AAE5D,UAAM,iBAAiB,oBAAoB,UAAU,KAAK;AAC1D,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR;AAAA,QACA,4BAA4B,eAAe,MAAM,OAAO;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AAEA,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,IAAI,eAAe;AAGnB,QAAI,eAAe,UAAU;AAC3B,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,QAAI,cAAc,SAAS,MAAM,GAAG;AAClC,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,kBAAkB,cAAc,SAAS,SAAS,KAAK;AAC7D,UAAM,mBACJ,cAAc,SAAS,UAAU,KAAK;AACxC,UAAM,eAAe,cAAc,SAAS,MAAM,KAAK,YAAY;AAEnE,UAAM,YAAY,mBAAmB,oBAAoB;AAEzD,QAAI,CAAC,WAAW;AACd,YAAM,IAAI;AAAA,QACR;AAAA,QACA,sCAAsC,MAAM;AAAA,QAC5C;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAxDa,sBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACbb,IAAAC,kBAAiD;AA4BjD,IAAM,cAAc;AAAA,EAClB;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA,sCAAgB;AAAA,EAChB,sCAAgB;AAAA,EAChB,uCAAiB;AAAA,EACjB,sCAAgB,uCAAiB;AACnC;AA+EO,IAAM,uBAAN,MAA+D;AAAA,EAmBpE,YAA6B,QAAuB;AAAvB;AAlB7B,SAAiB,SAAS,IAAI,uBAAO,qBAAqB,IAAI;AAG9D;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,OAAO;AAE7B,SAAQ,gBAA4B;AACpC,SAAQ,kBAAkB;AAAA,EAE2B;AAAA;AAAA;AAAA;AAAA,EAKrD,OAAc,cACZ,OACA,UACqC;AACrC,QAAI,MAAM,SAAS,SAAS,OAAQ,QAAO,EAAE,OAAO,KAAK;AACzD,UAAM,SAAS,MAAM,SAAS,GAAG,SAAS,MAAM;AAChD,UAAM,QAAQ,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC;AAC9D,WAAO;AAAA,MACL;AAAA,MACA,QAAQ,QAAQ,SAAY,IAAI,YAAY,EAAE,OAAO,MAAM;AAAA,IAC7D;AAAA,EACF;AAAA,EAEA,OAAc,gBAAgB,SAAiB,UAA2B;AACxE,WAAO,YAAY;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,eAAe;AACb,UAAM,WAAW,KAAK,OAAO,IAAY,qBAAqB;AAC9D,SAAK,gBAAgB,WAAW,OAAO,KAAK,UAAU,OAAO,IAAI;AACjE,SAAK,kBACH,KAAK,OAAO,IAAY,uBAAuB,KAAK;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,OAA6C;AACrD,UAAM,iBAAiB,qBAAqB,UAAU,KAAK;AAC3D,QAAI,CAAC,eAAe,SAAS;AAC3B,WAAK,OAAO;AAAA,QACV,kBAAkB,eAAe,MAAM,OAAO;AAAA,QAC9C,eAAe,MAAM;AAAA,MACvB;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAEA,UAAM,EAAE,aAAa,KAAK,IAAI,eAAe;AAC7C,UAAM,SAAmB,CAAC;AAG1B,QAAI,KAAK,UAAU,GAAG;AACpB,YAAM,MAAM,OAAO,KAAK,KAAK,SAAS,GAAG,EAAE,CAAC,EAAE,SAAS,KAAK;AAC5D,WAAK,OAAO,MAAM,2BAA2B,GAAG,SAAS,MAAM,EAAE,GAAG;AAAA,IACtE;AAGA,QAAI,gBAAgB,QAAW;AAC7B,UAAI,CAAC,KAAK,mBAAmB,WAAW,GAAG;AACzC,eAAO,KAAK,wBAAwB,WAAW,EAAE;AAAA,MACnD;AAAA,IACF;AAGA,QAAI,KAAK,SAAS,GAAG;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,MACV;AAAA,IACF;AAGA,UAAM,aAAa,qBAAqB;AAAA,MACtC;AAAA,MACA,KAAK;AAAA,IACP;AACA,QAAI,CAAC,WAAW,OAAO;AACrB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,aAAa,CAAC,eAAe,WAAW,MAAM;AAAA,MAClG;AAAA,IACF;AAGA,UAAM,UAAU,KAAK,CAAC;AACtB,QAAI,CAAC,qBAAqB,gBAAgB,SAAS,KAAK,eAAe,GAAG;AACxE,aAAO,KAAK,uBAAuB,OAAO,EAAE;AAAA,IAC9C;AAGA,UAAM,QAAQ,KAAK,CAAC;AACpB,QAAI,CAAC,KAAK,aAAa,KAAK,GAAG;AAC7B,aAAO,KAAK,mBAAmB,MAAM,SAAS,EAAE,CAAC,EAAE;AAAA,IACrD;AAGA,QAAI,KAAK,UAAU,IAAI;AACrB,YAAM,cAAc,KAAK,oBAAoB,KAAK,SAAS,CAAC,CAAC;AAC7D,UAAI,CAAC,YAAY,OAAO;AACtB,eAAO,KAAK,sBAAsB,YAAY,MAAM,EAAE;AAAA,MACxD;AAAA,IACF;AAGA,QAAI,KAAK,UAAU,IAAI;AACrB,YAAM,WAAW,KAAK,iBAAiB,IAAI;AAC3C,UAAI,CAAC,SAAS,OAAO;AACnB,eAAO,KAAK,qBAAqB,SAAS,MAAM,EAAE;AAAA,MACpD;AAGA,YAAM,mBAAmB,MAAM,KAAK,sBAAsB,IAAI;AAC9D,UAAI,CAAC,kBAAkB;AAErB,eAAO,KAAK,wBAAwB;AAAA,MACtC;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,GAAG;AAErB,YAAM,WAAW,OAAO;AAAA,QACtB,CAAC,MACC,EAAE,WAAW,eAAe,KAAK,EAAE,WAAW,qBAAqB;AAAA,MACvE;AAEA,UAAI,UAAU;AACZ,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,OAAO,KAAK,IAAI;AAAA,QAC1B;AAAA,MACF;AAEA,WAAK,OAAO;AAAA,QACV,wBAAwB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC;AAAA,MACxD;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,YAAY,CAAC,OAAO,SAAS;AAAA,QAC7B,SAAS;AAAA,MACX;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,GAAe,GAAwB;AAC1D,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,aAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,UAAI,EAAE,CAAC,MAAM,EAAE,CAAC,EAAG,QAAO;AAAA,IAC5B;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAmB,aAA8B;AACvD,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO,MAAM,KAAK,CAAC,MAAM,YAAY,YAAY,EAAE,SAAS,CAAC,CAAC;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,OAAwB;AAC3C,WAAO,YAAY,SAAS,KAAK;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,MAG1B;AACA,QAAI;AACF,YAAM,EAAE,OAAO,QAAQ,UAAU,QAAI,oCAAa,MAAM,CAAC;AAIzD,UAAI,QAAQ,OAAO,YAAY,GAAG;AAChC,eAAO,EAAE,OAAO,OAAO,QAAQ,0BAA0B;AAAA,MAC3D;AACA,UAAI,QAAQ,SAAS,YAAY,GAAG;AAClC,eAAO,EAAE,OAAO,OAAO,QAAQ,2BAA2B;AAAA,MAC5D;AAEA,aAAO,EAAE,OAAO,KAAK;AAAA,IACvB,QAAQ;AACN,aAAO,EAAE,OAAO,OAAO,QAAQ,sBAAsB;AAAA,IACvD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAiB,MAGvB;AAIA,QAAI;AAEF,UAAI,SAAS;AAGb,YAAM,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACrE,gBAAU;AAGV,YAAM,EAAE,QAAQ,UAAU,QAAI,oCAAa,MAAM,MAAM;AACvD,gBAAU;AAGV,YAAM,EAAE,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACtD,gBAAU;AAGV,YAAM,WAAW;AACjB,YAAM,SAAS,WAAW,OAAO,MAAM;AAEvC,UAAI,SAAS,KAAK,QAAQ;AACxB,eAAO,EAAE,OAAO,KAAK;AAAA,MACvB;AAGA,UAAI,WAAW;AACf,UAAI,MAAM;AAEV,aAAO,MAAM,UAAU,MAAM,KAAK,SAAS,GAAG;AAC5C,cAAM,EAAE,OAAO,MAAM,QAAQ,UAAU,QAAI,oCAAa,MAAM,GAAG;AACjE,eAAO;AAEP,YAAI,OAAO,OAAQ;AAEnB,cAAM,EAAE,OAAO,KAAK,QAAQ,SAAS,QAAI,oCAAa,MAAM,GAAG;AAC/D,eAAO;AAGP,YAAI,OAAO,IAAI,KAAK,UAAU;AAC5B,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,QAAQ,QAAQ,IAAI,UAAU,QAAQ;AAAA,UACxC;AAAA,QACF;AAEA,mBAAW,OAAO,IAAI;AACtB,eAAO,OAAO,GAAG;AAAA,MACnB;AAEA,aAAO,EAAE,OAAO,KAAK;AAAA,IACvB,QAAQ;AACN,aAAO,EAAE,OAAO,KAAK;AAAA,IACvB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBAAsB,MAAoC;AACtE,QAAI;AACF,UAAI,SAAS;AACb,YAAM,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACrE,gBAAU;AACV,YAAM,EAAE,QAAQ,UAAU,QAAI,oCAAa,MAAM,MAAM;AACvD,gBAAU;AACV,YAAM,EAAE,QAAQ,SAAS,QAAI,oCAAa,MAAM,MAAM;AACtD,gBAAU;AAEV,YAAM,SAAS,SAAS,OAAO,MAAM;AAErC,UAAI,MAAM;AACV,aAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,cAAM,EAAE,OAAO,MAAM,QAAQ,UAAU,QAAI,oCAAa,MAAM,GAAG;AACjE,eAAO;AACP,cAAM,EAAE,QAAQ,SAAS,QAAI,oCAAa,MAAM,GAAG;AACnD,eAAO;AAEP,cAAM,EAAE,OAAO,QAAQ,QAAQ,YAAY,QAAI;AAAA,UAC7C;AAAA,UACA,MAAM;AAAA,QACR;AAAA,MAUF;AAKA,YAAM;AACN,aAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,cAAM,QAAI,oCAAa,MAAM,GAAG;AAChC,eAAO,EAAE;AACT,cAAM,QAAI,oCAAa,MAAM,GAAG;AAChC,eAAO,EAAE;AAET,YAAI,EAAE,UAAU,IAAK,QAAO;AAE5B,eAAO,OAAO,EAAE,KAAK;AAAA,MACvB;AAEA,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;AA3Va,uBAAN;AAAA,EAFN,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,MAC9B,4BAAW;AAAA,GACC;;;ACpHb,IAAAC,kBAA2B;AAQpB,IAAM,sBAAN,MAAgD;AAAA,EAAhD;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA,EAEjC,WAAoB;AAClB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,MAA+B;AAEnC,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAZa,sBAAN;AAAA,MAFN,4BAAW;AAAA,EACX,OAAO;AAAA,GACK;;;ACRb,IAAAC,kBAA2B;AAgB3B,SAAS,UAAU,GAAuB;AACxC,MAAI,EAAE,WAAW;AACf,UAAM,IAAI,UAAU,wBAAwB,uBAAuB,GAAG;AACxE,MAAI,IAAI;AACR,aAAW,MAAM,EAAG,KAAK,KAAK,KAAM,OAAO,EAAE;AAC7C,SAAO;AACT;AAsFO,IAAM,yBAAN,MAAmD;AAAA,EAAnD;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUhC,SAAS,OAAqB;AAE5B,WAAO,CAAC,CAAC,MAAM,UAAU;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,IACJ,OAGA;AACA,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,aAAa,MAAM;AACzB,UAAM,WAAW,MAAM;AAGvB,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,QAAQ,QAAQ;AAAA,IAC3B;AAGA,UAAM,kBAAkB,cAAc,UAAU,MAAM;AACtD,QAAI,CAAC,gBAAgB,SAAS;AAC5B,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ,6BAA6B,gBAAgB,MAAM,OAAO;AAAA,MACpE;AAAA,IACF;AAGA,QAAI;AACF,iBAAW,SAAS,OAAO,QAAQ;AAEjC,cAAM,QAAQ,MAAM,SAAS;AAC7B,cAAMC,OAAM,UAAU,WAAW,aAAa;AAG9C,cAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAG9B,YAAI,MAAM,YAAY,CAAC,KAAK;AAC1B,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,2BAA2B,MAAM,IAAI,SAAS,MAAM,GAAG;AAAA,YACvD;AAAA,UACF;AAAA,QACF;AAGA,YAAI,CAAC,IAAK;AAGV,YAAI,OAAO,MAAM,WAAW,YAAY,IAAI,SAAS,MAAM,QAAQ;AACjE,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,SAAS,MAAM,IAAI,eAAe,IAAI,MAAM,MAAM,MAAM,MAAM;AAAA,YAC9D;AAAA;AAAA,UACF;AAAA,QACF;AAGA,gBAAQ,MAAM,MAAM;AAAA,UAClB,KAAK;AAEH,gBAAI;AACF,kBAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,GAAG;AAAA,YACtD,QAAQ;AACN,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,oBAAoB,MAAM,IAAI;AAAA,gBAC9B;AAAA,cACF;AAAA,YACF;AACA;AAAA,UAEF,KAAK;AAEH,gBAAI,IAAI,WAAW,KAAM,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,GAAI;AACtD,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,iBAAiB,MAAM,IAAI;AAAA,gBAC3B;AAAA,cACF;AAAA,YACF;AACA;AAAA,UAEF,KAAK,OAAO;AAEV,kBAAM,IAAI,UAAU,GAAG;AAGvB,gBAAI,MAAM,KAAK;AACb,oBAAM,KAAK,OAAO,MAAM,GAAG;AAC3B,kBAAI,IAAI,IAAI;AACV,sBAAM,IAAI;AAAA,kBACR;AAAA,kBACA,OAAO,MAAM,IAAI,iBAAiB,CAAC,MAAM,EAAE;AAAA,kBAC3C;AAAA,gBACF;AAAA,cACF;AAAA,YACF;AACA;AAAA,UACF;AAAA,UAEA,KAAK;AAEH,gBAAI,IAAI,WAAW,IAAI;AACrB,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,wBAAwB,MAAM,IAAI;AAAA,gBAClC;AAAA,cACF;AAAA,YACF;AACA;AAAA,UAEF,KAAK;AAEH;AAAA,UAEF,KAAK;AAAA,UACL,KAAK;AAGH;AAAA,UAEF;AACE,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,wBAAwB,MAAM,IAAI;AAAA,cAClC;AAAA,YACF;AAAA,QACJ;AAAA,MACF;AAGA,YAAM,aAAa,MAAM,UAAU;AAGnC,UAAI,cAAc,WAAW,OAAO,GAAG;AACrC,mBAAW,SAAS,OAAO,QAAQ;AACjC,gBAAM,MAAM,WAAW,IAAI,MAAM,GAAG;AACpC,cAAI,CAAC,OAAO,IAAI,WAAW,EAAG;AAE9B,gBAAM,QAAQ,MAAM,SAAS;AAC7B,gBAAMA,OAAM,UAAU,WAAW,aAAa;AAC9C,gBAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAC9B,cAAI,CAAC,IAAK;AAEV,qBAAW,MAAM,KAAK;AACpB,kBAAM,QAAQ,GAAG,KAAK,MAAM,IAAI;AAChC,gBAAI,OAAO;AACT,oBAAM,IAAI;AAAA,gBACR;AAAA,gBACA,GAAG,MAAM,IAAI,SAAS,MAAM,GAAG,MAAM,KAAK;AAAA,gBAC1C;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,SAAS,KAAU;AAEjB,UAAI,eAAe,WAAW;AAC5B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM,IAAI;AAAA,UACV,QAAQ,IAAI;AAAA,QACd;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAjNa,yBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC5Gb,IAAAC,kBAA2B;AA0FpB,IAAM,oBAAN,MAA8C;AAAA,EAA9C;AAEL;AAAA,SAAS,OAAO;AAUhB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASjC,WAAoB;AAClB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,MAA+B;AAsBnC,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAhEa,oBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;AC1Fb,IAAAC,kBAA2B;AAiCpB,IAAM,iBAAN,MAA2C;AAAA,EAA3C;AACL,SAAS,OAAO;AAChB,SAAS,QAAQ,KAAK,UAAU;AAAA;AAAA,EAEhC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM;AAAA,EACjB;AAAA,EAEA,MAAM,IAAI,OAA6C;AACrD,UAAM,SAAS,MAAM;AACrB,QAAI,CAAC,OAAQ,QAAO,EAAE,QAAQ,QAAQ;AAGtC,UAAM,WACJ,OAAO,YAAY,OAAO;AAC5B,QAAI,YAAY,SAAS,SAAS,GAAG;AACnC,YAAM,SAAS,KAAK,qBAAqB,UAAU,QAAQ;AAC3D,UAAI,OAAQ,QAAO;AAAA,IACrB;AAGA,UAAM,YACJ,OAAO,aAAa,MAAM;AAC5B,UAAM,YACJ,OAAO,UAAU,UAAa,OAAO,QAAQ,OAAU,IAAI;AAG7D,UAAM,cAAc,MAAM,UAAU,QAAQ;AAC5C,UAAM,WAAW,gBAAgB;AAEjC,QAAI,CAAC,YAAY,aAAa,aAAa,UAAU,SAAS,GAAG;AAC/D,YAAM,SAAS,KAAK,qBAAqB,WAAW,MAAM;AAC1D,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,qBACN,KACA,SACuB;AACvB,QAAI,SAAS;AACb,QAAI,WAAW;AACf,QAAI,QAAQ;AACZ,UAAM,WAAW;AAEjB,WAAO,SAAS,IAAI,QAAQ;AAC1B,UAAI,SAAS,UAAU;AACrB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,oBAAoB,OAAO;AAAA,QACrC;AAAA,MACF;AAGA,UAAI;AACJ,UAAI;AACJ,UAAI;AACF,cAAM,QAAI,oCAAa,KAAK,MAAM;AAClC,eAAO,EAAE;AACT,kBAAU,EAAE;AAAA,MACd,QAAQ;AACN,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,4BAA4B,OAAO,cAAc,MAAM;AAAA,QACjE;AAAA,MACF;AACA,gBAAU;AAGV,UAAI,QAAQ,GAAG;AACb,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,eAAe,IAAI,OAAO,OAAO;AAAA,QAC3C;AAAA,MACF;AAGA,UAAI,QAAQ,UAAU;AACpB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,8BAA8B,OAAO,KAAK,IAAI,UAAU,QAAQ;AAAA,QAC1E;AAAA,MACF;AACA,iBAAW;AAGX,UAAI;AACJ,UAAI;AACJ,UAAI;AACF,cAAM,QAAI,oCAAa,KAAK,MAAM;AAClC,cAAM,EAAE;AACR,iBAAS,EAAE;AAAA,MACb,QAAQ;AACN,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,8BAA8B,OAAO;AAAA,QAC/C;AAAA,MACF;AACA,gBAAU;AAGV,UAAI,SAAS,MAAM,IAAI,QAAQ;AAC7B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,0BAA0B,OAAO;AAAA,QAC3C;AAAA,MACF;AAEA,gBAAU;AACV;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AA9Ha,iBAAN;AAAA,EAFN,OAAO;AAAA,MACP,4BAAW;AAAA,GACC;;;ACjCb,IAAAC,kBAA2B;AAgGpB,IAAM,wBAAN,MAAkD;AAAA,EAAlD;AAEL;AAAA,SAAS,OAAO;AAShB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,QAAQ,KAAK,OAAO;AAG7B;AAAA,SAAiB,mBAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUpC,SAAS,OAA6B;AACpC,WAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,IAAI,OAA6C;AAErD,UAAM,OAAO,MAAM;AACnB,UAAM,SAAS;AACf,UAAM,YAAY,KAAK,IAAI,SAAS,IAAI,KAAK,MAAM;AAGnD,QAAI,oBAAoB;AACxB,aAAS,IAAI,QAAQ,IAAI,WAAW,KAAK;AACvC,WAAK,KAAK,CAAC,IAAI,SAAU,GAAG;AAC1B;AACA,YAAI,oBAAoB,KAAK,kBAAkB;AAC7C,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,QAAQ,kBAAkB,KAAK,gBAAgB;AAAA,UACjD;AAAA,QACF;AAAA,MACF,OAAO;AAEL,4BAAoB;AAAA,MACtB;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,QAAQ;AAAA,EAC3B;AACF;AAlEa,wBAAN;AAAA,EAFN,OAAO,EAAE,OAAO,aAAa,CAAC;AAAA,MAC9B,4BAAW;AAAA,GACC;;;AChGb;AAAA;AAAA;AAAA;;;ACQO,SAAS,iBACd,UACA,MACY;AACZ,QAAM,SAAS,iBAAiB,QAAQ;AACxC,QAAM,QAAQ,OAAO,OAAO,QAAQ,CAAC,UAAU;AAC7C,UAAM,QAAS,KAAiC,MAAM,IAAI;AAC1D,QAAI,UAAU,UAAa,UAAU,MAAM;AACzC,UAAI,MAAM,UAAU;AAClB,cAAM,IAAI,MAAM,wCAAwC,MAAM,IAAI,EAAE;AAAA,MACtE;AACA,aAAO,CAAC;AAAA,IACV;AAEA,WAAO,CAAC,EAAE,MAAM,MAAM,KAAK,OAAO,YAAY,OAAO,KAAK,EAAE,CAAC;AAAA,EAC/D,CAAC;AAED,SAAO,UAAU,KAAK;AACxB;AAEA,SAAS,YAAY,OAAuB,OAAwB;AAClE,UAAQ,MAAM,MAAM;AAAA,IAClB,KAAK;AACH,aAAO,OAAO,KAAK,OAAO,KAAK,GAAG,MAAM;AAAA,IAC1C,KAAK;AACH,aAAO,UAAU,KAAK;AAAA,IACxB,KAAK;AAAA,IACL,KAAK;AACH,aAAO,SAAS,KAAK;AAAA,IACvB,KAAK;AACH,aAAO,OAAO,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;AAAA,IACpC,KAAK;AAAA,IACL,KAAK;AACH,aAAO,OAAO,KAAK,KAAK,UAAU,KAAK,GAAG,MAAM;AAAA,IAClD;AACE,aAAO,SAAS,KAAK;AAAA,EACzB;AACF;AAEA,SAAS,UAAU,OAAwB;AACzC,QAAM,UAAU,OAAO,MAAM,CAAC;AAC9B,UAAQ;AAAA,IACN,OAAO,UAAU,WAAW,QAAQ,OAAO,KAAwB;AAAA,EACrE;AACA,SAAO;AACT;AAEA,SAAS,SAAS,OAAwB;AACxC,MAAI,OAAO,SAAS,KAAK,GAAG;AAC1B,WAAO;AAAA,EACT;AACA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,OAAO,KAAK,KAAK;AAAA,EAC1B;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,OAAO,KAAK,OAAO,MAAM;AAAA,EAClC;AAEA,QAAM,IAAI,MAAM,gCAAgC,OAAO,KAAK,EAAE;AAChE;","names":["import_reflect_metadata","import_reflect_metadata","import_reflect_metadata","import_reflect_metadata","tlvMap","import_reflect_metadata","import_common","Decision","schema","map","import_axis_protocol","import_axis_protocol","sha256","import_crypto","sha256","import_crypto","MAGIC","MAGIC","RiskDecision","import_crypto","IntentSensitivity","import_common","crypto","import_common","crypto","AxisFrame","import_common","AxisFrame","import_common","import_crypto","import_common","import_common","import_common","BodyProfile","ProofType","z","ProofType","import_common","BodyProfile","tlv","import_common","import_common","import_common","import_common","import_crypto","TLV_SHA256_CHUNK","import_common","crypto","import_common","import_common","import_common","import_common","import_common","import_common","import_common","import_common","import_common","import_common","map","import_common","import_common","import_common"]}