npm - @nextera.one/axis-server-sdk - Versions diffs - 2.1.5 → 2.1.7 - Mend

@nextera.one/axis-server-sdk 2.1.5 → 2.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/dist/codec/axis1.encode.d.mts +10 -0
package/dist/codec/axis1.encode.d.ts +10 -0
package/dist/codec/axis1.encode.js +65 -0
package/dist/codec/axis1.encode.js.map +1 -0
package/dist/codec/axis1.encode.mjs +41 -0
package/dist/codec/axis1.encode.mjs.map +1 -0
package/dist/codec/axis1.signing.d.mts +8 -0
package/dist/codec/axis1.signing.d.ts +8 -0
package/dist/codec/axis1.signing.js +61 -0
package/dist/codec/axis1.signing.js.map +1 -0
package/dist/codec/axis1.signing.mjs +37 -0
package/dist/codec/axis1.signing.mjs.map +1 -0
package/dist/core/index.d.mts +2 -2
package/dist/core/index.d.ts +2 -2
package/dist/core/index.js +6 -267
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +8 -260
package/dist/core/index.mjs.map +1 -1
package/dist/index-VxXqZPuH.d.mts +51 -0
package/dist/index-VxXqZPuH.d.ts +51 -0
package/dist/index.d.mts +1406 -520
package/dist/index.d.ts +1406 -520
package/dist/index.js +3091 -433
package/dist/index.js.map +1 -1
package/dist/index.mjs +3100 -428
package/dist/index.mjs.map +1 -1
package/dist/types/frame.d.mts +11 -0
package/dist/types/frame.d.ts +11 -0
package/dist/types/frame.js +78 -0
package/dist/types/frame.js.map +1 -0
package/dist/types/frame.mjs +54 -0
package/dist/types/frame.mjs.map +1 -0
package/package.json +2 -1
package/dist/index-DXHfWxLG.d.mts +0 -133
package/dist/index-DXHfWxLG.d.ts +0 -133

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/decorators/chain.decorator.ts","../src/decorators/capsule-policy.decorator.ts","../src/decorators/intent-policy.decorator.ts","../src/decorators/handler.decorator.ts","../src/decorators/intent.decorator.ts","../src/decorators/intent-body.decorator.ts","../src/decorators/intent-sensors.decorator.ts","../src/decorators/observer.decorator.ts","../src/decorators/handler-sensors.decorator.ts","../src/decorators/sensor.decorator.ts","../src/decorators/tlv-field.decorator.ts","../src/core/tlv.ts","../src/decorators/dto-schema.util.ts","../src/base/axis-tlv.dto.ts","../src/base/axis-id.dto.ts","../src/base/axis-partial-type.ts","../src/base/axis-response.dto.ts","../src/core/constants.ts","../src/engine/axis-execution-context.ts","../src/engine/registry/observer.registry.ts","../src/engine/observer-dispatcher.service.ts","../src/cce/cce.types.ts","../src/cce/cce-derivation.service.ts","../src/cce/cce-crypto.ts","../src/cce/cce-response.service.ts","../src/cce/cce-witness.observer.ts","../src/sensor/axis-sensor.ts","../src/cce/cce-pipeline.ts","../src/core/axis-error.ts","../src/security/scopes.ts","../src/security/inline-capsule.ts","../src/engine/intent.router.ts","../src/engine/axis-chain.executor.ts","../src/engine/sensor-bands.ts","../src/engine/observation/stable-json.ts","../src/engine/observation/observation-queue.codec.ts","../src/engine/observation/observation-hash.ts","../src/engine/observation/response-observer.ts","../src/core/varint.ts","../src/core/axis-bin.ts","../src/core/signature.ts","../src/codec/ats1.constants.ts","../src/codec/ats1.ts","../src/codec/ats1.passkey.schemas.ts","../src/codec/tlv.encode.ts","../src/codec/axis1.encode.ts","../src/codec/axis1.signing.ts","../src/crypto/b64url.ts","../src/crypto/canonical-json.ts","../src/contract/execution-meter.ts","../src/contract/contract.interface.ts","../src/types/tlv.ts","../src/types/frame.ts","../src/types/packet.ts","../src/security/capabilities.ts","../src/risk/index.ts","../src/core/opcodes.ts","../src/core/receipt.ts","../src/core/intent-sensitivity.ts","../src/core/timeouts.ts","../src/core/frame-validator.ts","../src/upload/upload.tokens.ts","../src/upload/upload.types.ts","../src/upload/axis-files.handlers.ts","../src/upload/disk-upload-file.store.ts","../src/decorators/axis-request.decorator.ts","../src/engine/observer-discovery.service.ts","../src/engine/handler-discovery.service.ts","../src/engine/registry/sensor.registry.ts","../src/engine/sensor-discovery.service.ts","../src/engine/axis-observation.ts","../src/security/axis-sensor-chain.service.ts","../src/utils/axis-tlv-codec.ts","../src/loom/loom.types.ts","../src/cce/sensors/cce-envelope-validation.sensor.ts","../src/cce/sensors/cce-client-signature.sensor.ts","../src/cce/sensors/cce-capsule-verification.sensor.ts","../src/cce/sensors/cce-tps-window.sensor.ts","../src/cce/sensors/cce-audience-intent-binding.sensor.ts","../src/cce/sensors/cce-replay-protection.sensor.ts","../src/cce/sensors/cce-payload-decryption.sensor.ts","../src/cce/sensors/index.ts","../src/cce/index.ts","../src/core/index.ts","../src/crypto/types.ts","../src/crypto/proof-verification.service.ts","../src/crypto/index.ts","../src/decorators/index.ts","../src/engine/axis-decoded.ts","../src/engine/axis-chain.types.ts","../src/engine/axis-observer.interface.ts","../src/engine/observation/observation-queue.types.ts","../src/engine/observation/index.ts","../src/engine/index.ts","../src/loom/index.ts","../src/schemas/axis-schemas.ts","../src/schemas/body-profile.validator.ts","../src/schemas/index.ts","../src/security/index.ts","../src/sensors/access-profile-resolver.sensor.ts","../src/sensors/body-budget.sensor.ts","../src/sensors/capability-enforcement.sensor.ts","../src/sensors/chunk-hash.sensor.ts","../src/sensors/entropy.sensor.ts","../src/sensors/execution-timeout.sensor.ts","../src/sensors/frame-budget.sensor.ts","../src/sensors/frame-header-sanity.sensor.ts","../src/sensors/header-tlv-limit.sensor.ts","../src/sensors/intent-allowlist.sensor.ts","../src/sensors/intent-registry.sensor.ts","../src/sensors/proof-presence.sensor.ts","../src/sensors/protocol-strict.sensor.ts","../src/sensors/receipt-policy.sensor.ts","../src/sensors/schema-validation.sensor.ts","../src/sensors/stream-scope.sensor.ts","../src/sensors/tlv-parse.sensor.ts","../src/sensors/varint-hardening.sensor.ts","../src/sensors/index.ts","../src/utils/index.ts","../src/index.ts"],"sourcesContent":["import \"reflect-metadata\";\n\nimport type { ChainOptions, RegisteredChainConfig } from \"../engine/axis-chain.types\";\n\nexport const CHAIN_METADATA_KEY = \"axis:chain\";\n\nexport function Chain(options: ChainOptions = {}): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const value: RegisteredChainConfig = {\n enabled: true,\n ...options,\n };\n\n Reflect.defineMetadata(CHAIN_METADATA_KEY, value, target, propertyKey);\n };\n}","import \"reflect-metadata\";\n\nexport const CAPSULE_POLICY_METADATA_KEY = \"axis:capsule:policy\";\n\nexport type CapsuleScopeMode = \"all\" \| \"any\";\n\nexport interface CapsulePolicyOptions {\n required?: boolean;\n scopes?: string \| string[];\n scopeMode?: CapsuleScopeMode;\n intentBound?: boolean;\n allowCapsuleRef?: boolean;\n}\n\nexport function CapsulePolicy(\n options: CapsulePolicyOptions = {},\n): ClassDecorator & MethodDecorator {\n const normalized = normalizeCapsulePolicyOptions(options);\n\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n normalized,\n target,\n propertyKey,\n );\n return;\n }\n\n Reflect.defineMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n normalized,\n target as Function,\n );\n }) as ClassDecorator & MethodDecorator;\n}\n\nexport function normalizeCapsulePolicyOptions(\n options: CapsulePolicyOptions = {},\n): CapsulePolicyOptions {\n return {\n required: options.required ?? true,\n scopes: normalizeScopeValue(options.scopes),\n scopeMode: options.scopeMode ?? \"all\",\n intentBound: options.intentBound ?? true,\n allowCapsuleRef: options.allowCapsuleRef ?? false,\n };\n}\n\nexport function mergeCapsulePolicyOptions(\n base?: CapsulePolicyOptions,\n override?: CapsulePolicyOptions,\n): CapsulePolicyOptions \| undefined {\n if (!base && !override) {\n return undefined;\n }\n\n const normalizedBase = base ? normalizeCapsulePolicyOptions(base) : undefined;\n const normalizedOverride = override\n ? normalizeCapsulePolicyOptions(override)\n : undefined;\n\n const scopes = [\n ...toScopeList(normalizedBase?.scopes),\n ...toScopeList(normalizedOverride?.scopes),\n ];\n\n return {\n required: normalizedOverride?.required ?? normalizedBase?.required ?? true,\n scopes: normalizeScopeValue(scopes),\n scopeMode:\n normalizedOverride?.scopeMode ?? normalizedBase?.scopeMode ?? \"all\",\n intentBound:\n normalizedOverride?.intentBound ??\n normalizedBase?.intentBound ??\n true,\n allowCapsuleRef:\n normalizedOverride?.allowCapsuleRef ??\n normalizedBase?.allowCapsuleRef ??\n false,\n };\n}\n\nfunction normalizeScopeValue(\n value?: string \| string[],\n): string \| string[] \| undefined {\n const list = toScopeList(value);\n if (list.length === 0) {\n return undefined;\n }\n return list.length === 1 ? list[0] : list;\n}\n\nfunction toScopeList(value?: string \| string[]): string[] {\n if (!value) {\n return [];\n }\n\n return Array.from(new Set(Array.isArray(value) ? value : [value])).filter(\n (entry) => entry.trim().length > 0,\n );\n}","import \"reflect-metadata\";\n\nimport type { ExecutionContract } from \"../contract/contract.interface\";\nimport type { ProofKind, SensitivityLevel } from \"../schemas/axis-schemas\";\n\n// ─── Metadata Keys ────────────────────────────────────────────────────────────\n\nexport const SENSITIVITY_METADATA_KEY = \"axis:sensitivity\";\nexport const CONTRACT_METADATA_KEY = \"axis:contract\";\nexport const REQUIRED_PROOF_METADATA_KEY = \"axis:required_proof\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\n/*\n Extends ProofKind with WITNESS — requires a co-signer witness signature\n * in addition to the standard proof kinds (CAPSULE, PASSPORT, MTLS, JWT).\n /\nexport type RequiredProofKind = ProofKind \| \"WITNESS\";\n\n// ─── @Sensitivity ─────────────────────────────────────────────────────────────\n\n/\n Declares the sensitivity tier of an intent.\n \n Used by risk gates and audit trails to apply appropriate scrutiny.\n \n @example\n * ```ts\n * @Sensitivity('CRITICAL')\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function Sensitivity(\n level: SensitivityLevel,\n): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n SENSITIVITY_METADATA_KEY,\n level,\n target,\n propertyKey,\n );\n return;\n }\n Reflect.defineMetadata(SENSITIVITY_METADATA_KEY, level, target as Function);\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @Contract ────────────────────────────────────────────────────────────────\n\n/\n Declares the execution contract (resource ceiling) for an intent.\n \n The execution meter enforces these limits at runtime. Unspecified fields\n * fall back to handler-level or global defaults.\n \n @example\n * ```ts\n * @Contract({ maxDbWrites: 5, maxTimeMs: 300 })\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function Contract(\n options: Partial<ExecutionContract>,\n): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n CONTRACT_METADATA_KEY,\n options,\n target,\n propertyKey,\n );\n return;\n }\n Reflect.defineMetadata(CONTRACT_METADATA_KEY, options, target as Function);\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @RequiredProof ───────────────────────────────────────────────────────────\n\n/\n Specifies which proof kinds are accepted to satisfy this intent.\n * At least one of the listed kinds must be present in the request.\n \n Use `@Capsule()` or `@Witness()` as ergonomic shorthands for the\n * single-proof case.\n \n @example\n * ```ts\n * @RequiredProof(['CAPSULE', 'WITNESS'])\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function RequiredProof(\n proofs: [RequiredProofKind, ...RequiredProofKind[]],\n): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proofs,\n target,\n propertyKey,\n );\n return;\n }\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proofs,\n target as Function,\n );\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @Capsule ─────────────────────────────────────────────────────────────────\n\n/\n Shorthand for `@RequiredProof(['CAPSULE'])`.\n \n Merges with any proof kinds already declared on the target so that\n * combining `@Capsule()` with `@Witness()` behaves identically to\n * `@RequiredProof(['CAPSULE', 'WITNESS'])`.\n \n @example\n * ```ts\n * @Capsule()\n * @Intent('axis.actor_keys.get')\n * async get() { ... }\n * ```\n /\nexport function Capsule(): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n const existing: RequiredProofKind[] =\n propertyKey !== undefined\n ? (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target,\n propertyKey,\n ) ?? [])\n : (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target as Function,\n ) ?? []);\n\n const merged: RequiredProofKind[] = existing.includes(\"CAPSULE\")\n ? existing\n : [...existing, \"CAPSULE\"];\n\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target,\n propertyKey,\n );\n } else {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target as Function,\n );\n }\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @Witness ─────────────────────────────────────────────────────────────────\n\n/\n Shorthand for `@RequiredProof(['WITNESS'])`.\n \n Declares that the intent requires a co-signer witness signature\n * (maps to `ProofType.WITNESS_SIG` at the protocol layer).\n \n Merges with any proof kinds already declared on the target, so\n * `@Capsule()` + `@Witness()` is equivalent to\n * `@RequiredProof(['CAPSULE', 'WITNESS'])`.\n \n @example\n * ```ts\n * @Witness()\n * @Sensitivity('CRITICAL')\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function Witness(): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n const existing: RequiredProofKind[] =\n propertyKey !== undefined\n ? (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target,\n propertyKey,\n ) ?? [])\n : (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target as Function,\n ) ?? []);\n\n const merged: RequiredProofKind[] = existing.includes(\"WITNESS\")\n ? existing\n : [...existing, \"WITNESS\"];\n\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target,\n propertyKey,\n );\n } else {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target as Function,\n );\n }\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @AxisPublic ──────────────────────────────────────────────────────────────\n\n/\n Metadata key stamped on a class or method to mark it as public.\n * Read by HandlerDiscoveryService and injected into SensorInput.metadata.isPublic.\n /\nexport const AXIS_PUBLIC_KEY = \"axis:public\";\n\n/\n @AxisPublic — Marks a handler class or individual intent method as public.\n \n Public intents bypass signature verification and authentication sensors.\n * Use for discovery/catalog endpoints, health checks, and registration flows.\n \n Applied at class level → all intents in the handler are public.\n * Applied at method level → only that intent is public.\n \n @example\n * ```typescript\n * @AxisPublic()\n * @Handler('catalog')\n * export class CatalogHandler { ... }\n \n // Single public intent inside an authenticated handler:\n * @Handler('axis.auth')\n * export class AuthHandler {\n * @AxisPublic()\n * @Intent('axis.auth.register', { absolute: true, kind: 'action' })\n * async register(...) { ... }\n * }\n * ```\n /\nexport function AxisPublic(): ClassDecorator & MethodDecorator {\n return (\n target: any,\n propertyKey?: string \| symbol,\n descriptor?: PropertyDescriptor,\n ) => {\n if (descriptor) {\n Reflect.defineMetadata(AXIS_PUBLIC_KEY, true, target, propertyKey!);\n return descriptor;\n }\n Reflect.defineMetadata(AXIS_PUBLIC_KEY, true, target);\n return target;\n };\n}\n\n// ─── @AxisAnonymous ───────────────────────────────────────────────────────────\n\n/\n Metadata key stamped on a class or method to mark it as anonymous-accessible.\n * Anonymous intents can be called with an anonymous-session capsule.\n * Read by HandlerDiscoveryService and injected into SensorInput.metadata.isAnonymous.\n /\nexport const AXIS_ANONYMOUS_KEY = \"axis:anonymous\";\n\n/\n @AxisAnonymous — Marks a handler class or individual intent method as\n * accessible to anonymous sessions.\n \n Anonymous intents require an anonymous-session capsule (issued via\n * `public.session.anonymous`) but do NOT require full actor authentication.\n * A step above `@AxisPublic` (which needs no capsule at all).\n \n Applied at class level → all intents in the handler are anonymous-accessible.\n * Applied at method level → only that intent is anonymous-accessible.\n \n @example\n * ```typescript\n * @Handler('catalog')\n * export class CatalogHandler {\n * @AxisAnonymous()\n * @Intent('catalog.list', { absolute: true, kind: 'read' })\n * async list(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function AxisAnonymous(): ClassDecorator & MethodDecorator {\n return (\n target: any,\n propertyKey?: string \| symbol,\n descriptor?: PropertyDescriptor,\n ) => {\n if (descriptor) {\n Reflect.defineMetadata(AXIS_ANONYMOUS_KEY, true, target, propertyKey!);\n return descriptor;\n }\n Reflect.defineMetadata(AXIS_ANONYMOUS_KEY, true, target);\n return target;\n };\n}\n\n// ─── @AxisRateLimit ───────────────────────────────────────────────────────────\n\n/\n Metadata key for per-intent rate limit config.\n * Stamped on a method by @AxisRateLimit.\n * Read by HandlerDiscoveryService and consumed by RateLimitSensor at runtime.\n /\nexport const AXIS_RATE_LIMIT_KEY = \"axis:rateLimit\";\n\nexport interface AxisRateLimitConfig {\n /* Maximum requests allowed within the window. /\n max: number;\n /* Sliding window duration in seconds. /\n windowSec: number;\n /\n Key strategy or named bucket.\n * e.g. 'ip_fingerprint' \| 'actor_capsule' \| 'auth' \| 'qr-scan'\n /\n key?: string;\n}\n\n/\n @AxisRateLimit — Per-intent rate limit configuration.\n \n Overrides the handler-level or global default rate limit for a single intent.\n * The config is read by HandlerDiscoveryService and injected into\n * SensorInput.metadata.rateLimit, consumed by RateLimitSensor at runtime.\n \n @example\n * ```typescript\n * @AxisRateLimit({ max: 5, windowSec: 60, key: 'ip_fingerprint' })\n * @Intent('axis.auth.login', { absolute: true, kind: 'action' })\n * async login(body: Uint8Array) { ... }\n * ```\n /\nexport function AxisRateLimit(config: AxisRateLimitConfig): MethodDecorator {\n return (\n target: object,\n propertyKey: string \| symbol,\n descriptor: PropertyDescriptor,\n ) => {\n Reflect.defineMetadata(AXIS_RATE_LIMIT_KEY, config, target, propertyKey);\n return descriptor;\n };\n}\n","import { Injectable, SetMetadata } from '@nestjs/common';\n\nexport const HANDLER_METADATA_KEY = 'axis:handler';\n\n/\n Decorator to mark a class as an Axis Handler.\n * Handlers are responsible for processing intents or specific logic\n * for Axis modules.\n /\nexport function Handler(intent?: string): ClassDecorator {\n return (target: Function) => {\n SetMetadata(HANDLER_METADATA_KEY, { intent })(target);\n Injectable()(target as any);\n };\n}\n","import 'reflect-metadata';\n\nimport type { ChainOptions } from '../engine/axis-chain.types';\n\nexport const INTENT_METADATA_KEY = 'axis:intent';\nexport const INTENT_ROUTES_KEY = 'axis:intent_routes';\n\n/\n CRUD + action classification for an intent.\n /\nexport type IntentKind = 'create' \| 'read' \| 'update' \| 'delete' \| 'action';\n\n/\n Describes a single TLV field expected by an intent.\n * Used by SchemaValidationSensor to enforce field contracts.\n /\nexport interface IntentTlvField {\n /* Human-readable field name (used in error messages) /\n name: string;\n /* TLV tag number /\n tag: number;\n /* Value type for type-specific validation /\n kind: 'utf8' \| 'u64' \| 'bytes' \| 'bytes16' \| 'bool' \| 'obj' \| 'arr';\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\nexport interface IntentRoute {\n action: string;\n methodName: string \| symbol;\n absolute?: boolean;\n frame?: boolean;\n kind?: IntentKind;\n chain?: boolean \| ChainOptions;\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n tlv?: IntentTlvField[];\n dto?: Function;\n}\n\nexport interface IntentOptions {\n /* Operation classification for this intent /\n kind?: IntentKind;\n /* If true, the action is the full intent name (not prefixed with handler name) /\n absolute?: boolean;\n /* If true, register as { handle: fn } for frame-based handlers /\n frame?: boolean;\n /* Enables intent-chain semantics for this intent, optionally with chain defaults /\n chain?: boolean \| ChainOptions;\n /\n How the body is encoded. Drives TLVParseSensor behavior:\n * - `TLV_MAP` — flat TLV map (canonical ordering enforced)\n * - `RAW` — raw bytes, skip TLV body validation\n * - `TLV_OBJ` — nested TLV object\n * - `TLV_ARR` — TLV array container\n /\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n /* Inline TLV field definitions for schema validation /\n tlv?: IntentTlvField[];\n /* DTO class decorated with @TlvField for schema extraction /\n dto?: Function;\n}\n\n/\n Marks a method as an intent handler.\n \n Stores both per-method metadata (INTENT_METADATA_KEY) and\n * route-collection metadata (INTENT_ROUTES_KEY) for backward compatibility.\n \n @example\n * ```ts\n * @Handler('axis.actor_keys')\n * class MyHandler {\n * @Intent('create', { kind: 'create', dto: CreateDto })\n * async create(body: Uint8Array) { ... }\n \n @Intent('axis.auth.login', { absolute: true, kind: 'action', dto: LoginDto })\n * async login(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function Intent(\n action: string,\n options?: IntentOptions,\n): MethodDecorator {\n return (target, propertyKey) => {\n // Per-method metadata (backend-style)\n Reflect.defineMetadata(\n INTENT_METADATA_KEY,\n { intent: action, ...options },\n target,\n propertyKey,\n );\n\n // Route-collection metadata (SDK-style, backward compat)\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, target.constructor) \|\| [];\n routes.push({\n action,\n methodName: propertyKey,\n absolute: options?.absolute,\n frame: options?.frame,\n kind: options?.kind,\n chain: options?.chain,\n bodyProfile: options?.bodyProfile,\n tlv: options?.tlv,\n dto: options?.dto,\n });\n Reflect.defineMetadata(INTENT_ROUTES_KEY, routes, target.constructor);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_BODY_KEY = 'axis:intent:body';\n\n/\n @IntentBody — Auto-decode the raw Uint8Array body before the handler runs.\n \n The router reads this metadata and applies the decoder so handlers can\n * receive a parsed payload instead of raw bytes.\n /\nexport function IntentBody(decoder: (buf: Buffer) => any): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_BODY_KEY, decoder, target, propertyKey);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_SENSORS_KEY = 'axis:intent:sensors';\n\n/\n @IntentSensors — Attach additional sensors that must pass before the\n * annotated intent handler executes.\n /\nexport function IntentSensors(sensors: Function[]): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_SENSORS_KEY, sensors, target, propertyKey);\n };\n}\n","import \"reflect-metadata\";\n\nimport { Injectable } from \"@nestjs/common\";\n\nimport type { AxisObserverEvent } from \"../engine/axis-chain.types\";\n\nexport const OBSERVER_METADATA_KEY = \"axis:observer\";\nexport const OBSERVER_BINDINGS_KEY = \"axis:observer:bindings\";\n\nexport type AxisObserverRef = string \| Function;\n\nexport interface AxisObserverDefinition {\n name?: string;\n tags?: string[];\n events?: AxisObserverEvent[];\n intents?: string[];\n handlers?: string[];\n}\n\nexport interface AxisObserverBinding {\n refs: AxisObserverRef[];\n tags?: string[];\n events?: AxisObserverEvent[];\n}\n\nexport interface AxisObserverBindingOptions {\n use: AxisObserverRef \| AxisObserverRef[];\n tags?: string[];\n events?: AxisObserverEvent[];\n}\n\nfunction isBindingOptions(\n value: unknown,\n): value is AxisObserverBindingOptions {\n return !!value && typeof value === \"object\" && \"use\" in value;\n}\n\nfunction isDefinitionOptions(value: unknown): value is AxisObserverDefinition {\n return (\n !!value &&\n typeof value === \"object\" &&\n !Array.isArray(value) &&\n !isBindingOptions(value)\n );\n}\n\nfunction toBinding(\n input?:\n \| AxisObserverDefinition\n \| AxisObserverBindingOptions\n \| AxisObserverRef\n \| AxisObserverRef[],\n): AxisObserverBinding \| null {\n if (!input) return null;\n\n if (isBindingOptions(input)) {\n const refs = Array.isArray(input.use) ? input.use : [input.use];\n return { refs, tags: input.tags, events: input.events };\n }\n\n if (Array.isArray(input)) {\n return { refs: input };\n }\n\n if (typeof input === \"function\" \|\| typeof input === \"string\") {\n return { refs: [input] };\n }\n\n return null;\n}\n\nexport function Observer(\n input?:\n \| AxisObserverDefinition\n \| AxisObserverBindingOptions\n \| AxisObserverRef\n \| AxisObserverRef[],\n): ClassDecorator & MethodDecorator {\n return ((\n target: object \| Function,\n propertyKey?: string \| symbol,\n ) => {\n const binding = toBinding(input);\n if (binding) {\n if (propertyKey !== undefined) {\n const existing: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, target, propertyKey) \|\| [];\n existing.push(binding);\n Reflect.defineMetadata(\n OBSERVER_BINDINGS_KEY,\n existing,\n target,\n propertyKey,\n );\n return;\n }\n\n const existing: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, target as Function) \|\| [];\n existing.push(binding);\n Reflect.defineMetadata(OBSERVER_BINDINGS_KEY, existing, target as Function);\n return;\n }\n\n if (propertyKey !== undefined) {\n throw new Error(\n \"@Observer method usage must reference one or more observer classes or names\",\n );\n }\n\n const definition = isDefinitionOptions(input) ? input : {};\n Reflect.defineMetadata(OBSERVER_METADATA_KEY, definition, target as Function);\n Injectable()(target as any);\n }) as ClassDecorator & MethodDecorator;\n}","import \"reflect-metadata\";\n\nexport const HANDLER_SENSORS_KEY = \"axis:handler:sensors\";\n\n/\n @HandlerSensors — Attach sensors that must pass before ANY intent in this\n * handler class executes. Per-intent @IntentSensors still run after these.\n \n @example\n * ```ts\n * @Handler('axis.vault')\n * @HandlerSensors([RateLimitSensor, AuditSensor])\n * export class VaultHandler {\n * @Intent('create')\n * async create(body: Uint8Array) { ... }\n \n @Intent('delete')\n * @IntentSensors([MfaSensor]) // Runs AFTER handler-level sensors\n * async delete(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function HandlerSensors(sensors: Function[]): ClassDecorator {\n return (target: Function) => {\n Reflect.defineMetadata(HANDLER_SENSORS_KEY, sensors, target);\n };\n}\n","import { SetMetadata } from '@nestjs/common';\n\nexport const SENSOR_METADATA_KEY = 'axis:sensor';\n\nexport type SensorPhase = 'PRE_DECODE' \| 'POST_DECODE';\n\nexport interface SensorOptions {\n /* Explicit phase override. If omitted, auto-derived from order at bootstrap. /\n phase?: SensorPhase;\n}\n\n/\n Marks a class as an AXIS sensor for auto-registration.\n \n The SensorDiscoveryService finds all @Sensor() classes at bootstrap\n * and registers them with the SensorRegistry automatically.\n \n Sensors still declare `name`, `order`, `supports()`, and `run()` as\n * instance members. The decorator replaces manual `registry.register(this)`\n * in `onModuleInit()`.\n \n Phase can be set explicitly via options or auto-derived from order:\n * < PRE_DECODE_BOUNDARY (40) = PRE_DECODE, >= 40 = POST_DECODE.\n \n @example\n * ```typescript\n * @Sensor({ phase: 'PRE_DECODE' })\n * @Injectable()\n * export class WireSensor implements AxisSensor {\n * readonly name = 'WireSensor';\n * readonly order = BAND.WIRE + 10;\n * }\n \n @Sensor() // phase auto-derived as POST_DECODE\n * @Injectable()\n * export class PolicySensor implements AxisSensor {\n * readonly name = 'PolicySensor';\n * readonly order = BAND.POLICY + 10;\n * }\n * ```\n /\nexport function Sensor(options?: SensorOptions): ClassDecorator {\n return SetMetadata(SENSOR_METADATA_KEY, options ?? true);\n}\n","import 'reflect-metadata';\n\nexport const TLV_FIELDS_KEY = 'axis:tlv:fields';\nexport const TLV_VALIDATORS_KEY = 'axis:tlv:validators';\n\nexport type TlvFieldKind =\n \| 'utf8'\n \| 'u64'\n \| 'bytes'\n \| 'bytes16'\n \| 'bool'\n \| 'obj'\n \| 'arr';\n\nexport interface TlvFieldOptions {\n /* Value type for type-specific validation /\n kind: TlvFieldKind;\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\n/* Stored per-property metadata from @TlvField /\nexport interface TlvFieldMeta {\n /* Property name on the DTO class /\n property: string;\n /* TLV tag number /\n tag: number;\n /* Field options /\n options: TlvFieldOptions;\n}\n\n/\n Custom validation function applied via @TlvValidate.\n * Receives the raw TLV value bytes and the property name.\n * Return null/undefined to pass, or a string error message to deny.\n /\nexport type TlvValidatorFn = (\n value: Uint8Array,\n property: string,\n) => string \| null \| undefined;\n\n/* Stored per-property validator from @TlvValidate /\nexport interface TlvValidatorMeta {\n property: string;\n tag: number;\n validators: TlvValidatorFn[];\n}\n\n/\n @TlvField — Declare a TLV field contract on a DTO property.\n \n Applied to properties of a class passed to `@Intent({ dto: MyDto })`.\n * The schema is extracted at bootstrap and forwarded to SchemaValidationSensor.\n \n @example\n * ```typescript\n * class LoginDto {\n * @TlvField(100, { kind: 'utf8', required: true, maxLen: 256 })\n * email: string;\n \n @TlvField(105, { kind: 'bytes16', required: true })\n * deviceId: Buffer;\n \n @TlvField(103, { kind: 'bool' })\n * remember?: boolean;\n * }\n * ```\n /\nexport function TlvField(\n tag: number,\n options: TlvFieldOptions,\n): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, target.constructor) \|\| [];\n\n existing.push({\n property: String(propertyKey),\n tag,\n options,\n });\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, existing, target.constructor);\n };\n}\n\n/\n @TlvValidate — Attach custom validation logic to a TLV field.\n \n Runs after standard type/size checks. The validator receives raw bytes\n * and must return null (pass) or an error string (deny).\n \n Multiple @TlvValidate decorators can be stacked on the same property.\n /\nexport function TlvValidate(validator: TlvValidatorFn): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, target.constructor) \|\| [];\n\n const prop = String(propertyKey);\n let entry = existing.find((e) => e.property === prop);\n\n if (!entry) {\n entry = { property: prop, tag: 0, validators: [] };\n existing.push(entry);\n }\n\n entry.validators.push(validator);\n\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, existing, target.constructor);\n };\n}\n\n// ─── Built-in Validators (composable with @TlvValidate) ───\n\n/\n @TlvUtf8Pattern — Validate a UTF-8 field against a regex.\n /\nexport function TlvUtf8Pattern(\n pattern: RegExp,\n message?: string,\n): PropertyDecorator {\n return TlvValidate((val, prop) => {\n const str = new TextDecoder().decode(val);\n return pattern.test(str)\n ? null\n : message \|\| `${prop}: failed pattern check`;\n });\n}\n\n/\n @TlvMinLen — Minimum byte length for a field value.\n /\nexport function TlvMinLen(min: number, message?: string): PropertyDecorator {\n return TlvValidate((val, prop) => {\n return val.length >= min\n ? null\n : message \|\| `${prop}: too short (${val.length} < ${min})`;\n });\n}\n\n/\n @TlvEnum — UTF-8 field must be one of the listed values.\n /\nexport function TlvEnum(\n allowed: string[],\n message?: string,\n): PropertyDecorator {\n const set = new Set(allowed);\n return TlvValidate((val, prop) => {\n const str = new TextDecoder().decode(val);\n return set.has(str)\n ? null\n : message \|\| `${prop}: must be one of [${allowed.join(', ')}]`;\n });\n}\n\n/\n @TlvRange — Numeric u64 field must be within [min, max].\n /\nexport function TlvRange(\n min: bigint,\n max: bigint,\n message?: string,\n): PropertyDecorator {\n return TlvValidate((val, prop) => {\n if (val.length !== 8) return `${prop}: u64 must be 8 bytes`;\n let n = 0n;\n for (const b of val) n = (n << 8n) \| BigInt(b);\n if (n < min \|\| n > max) {\n return message \|\| `${prop}: value ${n} out of range [${min}, ${max}]`;\n }\n return null;\n });\n}\n","export {\n TLV, encodeTLVs, decodeTLVs, decodeTLVsList, decodeObject, decodeArray,\n} from '@nextera.one/axis-protocol';\n","import 'reflect-metadata';\n\nimport type { IntentTlvField } from './intent.decorator';\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from './tlv-field.decorator';\nimport { decodeTLVs } from '../core/tlv';\n\n/* Extracted schema from a DTO class — fields + optional validators /\nexport interface DtoSchema {\n fields: IntentTlvField[];\n validators: Map<number, TlvValidatorFn[]>;\n}\n\n/\n Extracts TLV field definitions and validators from a DTO class\n * decorated with @TlvField and @TlvValidate.\n /\nexport function extractDtoSchema(dto: Function): DtoSchema {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — nothing to validate`,\n );\n }\n\n const tagByProp = new Map<string, number>();\n const fields: IntentTlvField[] = fieldMetas.map((m) => {\n tagByProp.set(m.property, m.tag);\n return {\n name: m.property,\n tag: m.tag,\n kind: m.options.kind,\n required: m.options.required,\n maxLen: m.options.maxLen,\n max: m.options.max,\n scope: m.options.scope,\n };\n });\n\n const validatorMetas: TlvValidatorMeta[] =\n Reflect.getMetadata(TLV_VALIDATORS_KEY, dto) \|\| [];\n\n const validators = new Map<number, TlvValidatorFn[]>();\n for (const vm of validatorMetas) {\n const tag = tagByProp.get(vm.property);\n if (tag === undefined) {\n throw new Error(\n `@TlvValidate on ${dto.name}.${vm.property} but no @TlvField found for that property`,\n );\n }\n vm.tag = tag;\n validators.set(tag, vm.validators);\n }\n\n return { fields, validators };\n}\n\n/\n Builds a decoder function for a DTO class.\n \n The returned function takes raw TLV body bytes and returns a plain object\n * with property names as keys and decoded values matching the DTO shape.\n \n Value decoding by kind:\n * - utf8 → string\n * - u64 → bigint\n * - bytes / bytes16 → Uint8Array\n * - bool → boolean (0x00 = false, anything else = true)\n * - obj → JSON.parse of utf8\n * - arr → JSON.parse of utf8\n /\nexport function buildDtoDecoder(\n dto: Function,\n): (bodyBytes: Buffer) => Record<string, any> {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — cannot build decoder`,\n );\n }\n\n const tagMap = new Map<number, { property: string; kind: string }>();\n for (const m of fieldMetas) {\n tagMap.set(m.tag, { property: m.property, kind: m.options.kind });\n }\n\n return (bodyBytes: Buffer): Record<string, any> => {\n const tlvMap = decodeTLVs(new Uint8Array(bodyBytes));\n const result: Record<string, any> = {};\n\n for (const [tag, raw] of tlvMap) {\n const meta = tagMap.get(tag);\n if (!meta) continue;\n\n switch (meta.kind) {\n case 'utf8':\n result[meta.property] = new TextDecoder().decode(raw);\n break;\n case 'u64': {\n let n = 0n;\n for (let i = 0; i < raw.length; i++) {\n n = (n << 8n) \| BigInt(raw[i]);\n }\n result[meta.property] = n;\n break;\n }\n case 'bytes':\n case 'bytes16':\n result[meta.property] = raw;\n break;\n case 'bool':\n result[meta.property] = raw.length > 0 && raw[0] !== 0;\n break;\n case 'obj':\n case 'arr':\n result[meta.property] = JSON.parse(new TextDecoder().decode(raw));\n break;\n default:\n result[meta.property] = raw;\n }\n }\n\n return result;\n };\n}\n","/\n AxisTlvDto — Base class for all TLV-decoded DTO classes.\n \n Any DTO decorated with @TlvField that is passed to @Intent({ dto })\n * should extend this class. This gives the CRUD handler interface\n * a type-safe union: `Uint8Array \| AxisTlvDto`.\n \n The base is intentionally empty — it serves as a type marker.\n /\nexport abstract class AxisTlvDto {}\n","import { TlvField, TlvMinLen } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\nexport class AxisIdDto extends AxisTlvDto {\n @TlvField(1, { kind: 'utf8', required: true, maxLen: 128 })\n @TlvMinLen(1, 'id must not be empty')\n id!: string;\n}\n","import 'reflect-metadata';\n\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorMeta,\n} from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n AxisPartialType — Creates a DTO class where all TLV fields are optional.\n \n Copies TLV metadata (`axis:tlv:fields` + `axis:tlv:validators`)\n * and sets `required: false` on every field.\n \n TLV naturally supports partial payloads — only fields present in the\n * binary body get decoded. This utility makes the schema/sensor layer\n * aware that missing fields are acceptable for update operations.\n \n @example\n * ```typescript\n * export class UpdateBlocklistDto extends AxisPartialType(CreateBlocklistDto) {}\n * ```\n /\nexport function AxisPartialType<T extends new (...args: any[]) => AxisTlvDto>(\n BaseDto: T,\n): new (...args: any[]) => Partial<InstanceType<T>> & AxisTlvDto {\n class PartialDto extends (BaseDto as any) {}\n\n const fields: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, BaseDto) \|\| [];\n\n const partialFields: TlvFieldMeta[] = fields.map((f) => ({\n property: f.property,\n tag: f.tag,\n options: { ...f.options, required: false },\n }));\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, partialFields, PartialDto);\n\n const validators: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, BaseDto) \|\| [];\n\n if (validators.length > 0) {\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, [...validators], PartialDto);\n }\n\n Object.defineProperty(PartialDto, 'name', {\n value: `Partial${BaseDto.name}`,\n });\n\n return PartialDto as any;\n}\n","import { TlvField } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n Reserved TLV body tags for server-generated response fields.\n \n Tags 1–10 are reserved for system/audit fields in response bodies.\n * Entity-specific fields start at tag 100+.\n /\nexport const RESPONSE_TAG_ID = 1;\nexport const RESPONSE_TAG_CREATED_AT = 2;\nexport const RESPONSE_TAG_UPDATED_AT = 3;\nexport const RESPONSE_TAG_CREATED_BY = 4;\nexport const RESPONSE_TAG_UPDATED_BY = 5;\n\n/\n AxisResponseDto — Base class for outbound TLV response bodies.\n \n Server-generated audit fields that the backend appends to every\n * entity response. These are NEVER sent by the client — they flow\n * server → client only.\n \n Timestamps are u64 Unix milliseconds (same as TLV_TS in headers).\n /\nexport abstract class AxisResponseDto extends AxisTlvDto {\n @TlvField(RESPONSE_TAG_ID, { kind: 'utf8' })\n id?: string;\n\n @TlvField(RESPONSE_TAG_CREATED_AT, { kind: 'u64' })\n created_at?: bigint;\n\n @TlvField(RESPONSE_TAG_UPDATED_AT, { kind: 'u64' })\n updated_at?: bigint;\n\n @TlvField(RESPONSE_TAG_CREATED_BY, { kind: 'utf8' })\n created_by?: string;\n\n @TlvField(RESPONSE_TAG_UPDATED_BY, { kind: 'utf8' })\n updated_by?: string;\n}\n","export {\n AXIS_MAGIC,\n AXIS_VERSION,\n MAX_HDR_LEN,\n MAX_BODY_LEN,\n MAX_SIG_LEN,\n MAX_FRAME_LEN,\n FLAG_BODY_TLV,\n FLAG_CHAIN_REQ,\n FLAG_HAS_WITNESS,\n TLV_PID,\n TLV_TS,\n TLV_INTENT,\n TLV_ACTOR_ID,\n TLV_PROOF_TYPE,\n TLV_PROOF_REF,\n TLV_NONCE,\n TLV_AUD,\n TLV_REALM,\n TLV_NODE,\n TLV_TRACE_ID,\n TLV_KID,\n TLV_RID,\n TLV_OK,\n TLV_EFFECT,\n TLV_ERROR_CODE,\n TLV_ERROR_MSG,\n TLV_PREV_HASH,\n TLV_RECEIPT_HASH,\n TLV_NODE_KID,\n TLV_NODE_CERT_HASH,\n TLV_LOOM_PRESENCE_ID,\n TLV_LOOM_WRIT,\n TLV_LOOM_THREAD_HASH,\n TLV_UPLOAD_ID,\n TLV_INDEX,\n TLV_OFFSET,\n TLV_SHA256_CHUNK,\n TLV_CAPSULE,\n TLV_BODY_OBJ,\n TLV_BODY_ARR,\n NCERT_NODE_ID,\n NCERT_KID,\n NCERT_ALG,\n NCERT_PUB,\n NCERT_NBF,\n NCERT_EXP,\n NCERT_SCOPE,\n NCERT_ISSUER_KID,\n NCERT_PAYLOAD,\n NCERT_SIG,\n PROOF_NONE,\n PROOF_CAPSULE,\n PROOF_JWT,\n PROOF_MTLS,\n PROOF_LOOM,\n PROOF_WITNESS,\n ProofType,\n BodyProfile,\n ERR_INVALID_PACKET,\n ERR_BAD_SIGNATURE,\n ERR_REPLAY_DETECTED,\n ERR_CONTRACT_VIOLATION,\n} from '@nextera.one/axis-protocol';\n\nexport abstract class AxisMediaTypes {\n static readonly BINARY = 'application/axis-bin';\n static readonly OCTET_STREAM = 'application/octet-stream';\n static readonly LEGACY_BINARY = 'application/x-axis';\n\n static readonly VALID_AXIS_CONTENT_TYPES = [\n AxisMediaTypes.BINARY,\n AxisMediaTypes.OCTET_STREAM,\n AxisMediaTypes.LEGACY_BINARY,\n ] as const;\n\n static normalize(value?: string \| null): string \| undefined {\n if (!value) return undefined;\n return value.split(';', 1)[0].trim().toLowerCase();\n }\n\n static isAxisContentType(value?: string \| null): boolean {\n const normalized = AxisMediaTypes.normalize(value);\n return (\n !!normalized &&\n AxisMediaTypes.VALID_AXIS_CONTENT_TYPES.some(\n (contentType) => contentType === normalized,\n )\n );\n }\n}\n","import type { AxisFrame } from \"../core/axis-bin\";\n\nimport type { AxisCapsuleRef, AxisChainEnvelope, AxisChainStep } from \"./axis-chain.types\";\n\nexport const AXIS_EXECUTION_CONTEXT_KEY = Symbol.for(\"axis.executionContext\");\n\nexport interface AxisExecutionContext {\n metaIntent?: \"INTENT.EXEC\" \| \"CHAIN.EXEC\";\n actorId?: string;\n inlineCapsule?: Record<string, unknown>;\n capsuleRef?: AxisCapsuleRef;\n chainEnvelope?: AxisChainEnvelope;\n chainStep?: AxisChainStep;\n}\n\ntype FrameLike = Partial<AxisFrame> & {\n [AXIS_EXECUTION_CONTEXT_KEY]?: AxisExecutionContext;\n};\n\nexport function getAxisExecutionContext(\n frame?: Partial<AxisFrame>,\n): AxisExecutionContext \| undefined {\n return (frame as FrameLike \| undefined)?.[AXIS_EXECUTION_CONTEXT_KEY];\n}\n\nexport function withAxisExecutionContext<T extends object>(\n target: T,\n context: AxisExecutionContext,\n): T {\n Object.defineProperty(target, AXIS_EXECUTION_CONTEXT_KEY, {\n value: context,\n writable: true,\n configurable: true,\n enumerable: false,\n });\n\n return target;\n}\n\nexport function mergeAxisExecutionContext(\n base?: AxisExecutionContext,\n override?: AxisExecutionContext,\n): AxisExecutionContext \| undefined {\n if (!base && !override) {\n return undefined;\n }\n\n return {\n ...base,\n ...override,\n capsuleRef: {\n ...(base?.capsuleRef \|\| {}),\n ...(override?.capsuleRef \|\| {}),\n },\n };\n}","import { Injectable, Logger } from \"@nestjs/common\";\n\nimport type { AxisObserverDefinition, AxisObserverRef } from \"../../decorators/observer.decorator\";\nimport type {\n AxisIntentObserver,\n AxisObserverRegistration,\n} from \"../axis-observer.interface\";\n\n@Injectable()\nexport class ObserverRegistry {\n private readonly logger = new Logger(ObserverRegistry.name);\n private readonly byName = new Map<string, AxisObserverRegistration>();\n private readonly byType = new Map<Function, AxisObserverRegistration>();\n\n register(\n instance: AxisIntentObserver,\n meta: AxisObserverDefinition = {},\n ): void {\n const name = meta.name \|\| instance.name \|\| instance.constructor.name;\n const registration: AxisObserverRegistration = {\n name,\n instance,\n tags: meta.tags \|\| [],\n events: meta.events,\n intents: meta.intents,\n handlers: meta.handlers,\n };\n\n this.byName.set(name, registration);\n this.byType.set(instance.constructor, registration);\n this.logger.debug(`Registered observer: ${name}`);\n }\n\n resolve(ref: AxisObserverRef): AxisObserverRegistration \| undefined {\n if (typeof ref === \"string\") {\n return this.byName.get(ref);\n }\n\n return this.byType.get(ref) \|\| this.byName.get(ref.name);\n }\n\n list(): AxisObserverRegistration[] {\n return Array.from(this.byName.values()).sort((left, right) =>\n left.name.localeCompare(right.name),\n );\n }\n\n clear(): void {\n this.byName.clear();\n this.byType.clear();\n }\n}","import { Injectable, Logger } from \"@nestjs/common\";\n\nimport type { AxisObserverBinding } from \"../decorators/observer.decorator\";\nimport type { AxisObserverContext } from \"./axis-observer.interface\";\nimport { ObserverRegistry } from \"./registry/observer.registry\";\n\nfunction unique<T>(values: T[]): T[] {\n return Array.from(new Set(values));\n}\n\n@Injectable()\nexport class ObserverDispatcherService {\n private readonly logger = new Logger(ObserverDispatcherService.name);\n\n constructor(private readonly registry: ObserverRegistry) {}\n\n async dispatch(\n bindings: AxisObserverBinding[] \| undefined,\n context: AxisObserverContext,\n ): Promise<void> {\n if (!bindings \|\| bindings.length === 0) return;\n\n const invoked = new Set<string>();\n\n for (const binding of bindings) {\n if (\n binding.events &&\n binding.events.length > 0 &&\n !binding.events.includes(context.event)\n ) {\n continue;\n }\n\n for (const ref of binding.refs) {\n const registration = this.registry.resolve(ref);\n if (!registration) {\n this.logger.warn(`Observer ${String(ref)} could not be resolved`);\n continue;\n }\n\n if (invoked.has(registration.name)) continue;\n\n if (\n registration.events &&\n registration.events.length > 0 &&\n !registration.events.includes(context.event)\n ) {\n continue;\n }\n\n const observerContext: AxisObserverContext = {\n ...context,\n observerTags: unique([\n ...(registration.tags \|\| []),\n ...(binding.tags \|\| []),\n ...(context.observerTags \|\| []),\n ]),\n };\n\n if (\n registration.instance.supports &&\n !registration.instance.supports(observerContext)\n ) {\n continue;\n }\n\n try {\n invoked.add(registration.name);\n await registration.instance.observe(observerContext);\n } catch (error: any) {\n this.logger.warn(\n `Observer ${registration.name} failed during ${context.event}: ${error.message}`,\n );\n }\n }\n }\n }\n}","/\n Capsule-Carried Encryption (CCE) Types — v1\n \n Defines the core types for the CCE protocol where:\n * - TickAuth issues capsules (authority)\n * - AXIS verifies capsules, decrypts payloads, derives execution context\n * - Payload confidentiality uses hybrid encryption (AES-GCM + AXIS public key)\n /\n\n// ============================================================================\n// CCE Protocol Constants\n// ============================================================================\n\nexport const CCE_PROTOCOL_VERSION = \"cce-v1\" as const;\n\n/* Derivation context prefixes for HKDF /\nexport const CCE_DERIVATION = {\n /* Request execution context /\n REQUEST: \"axis:cce:req:v1\",\n /* Response execution context /\n RESPONSE: \"axis:cce:resp:v1\",\n /* Witness binding context /\n WITNESS: \"axis:cce:witness:v1\",\n} as const;\n\n/* Supported encryption algorithms /\nexport type CceAlgorithm = \"AES-256-GCM\";\n/* Supported key encapsulation algorithms /\nexport type CceKemAlgorithm = \"X25519\" \| \"RSA-OAEP-256\";\n/* Supported KDF algorithms /\nexport type CceKdfAlgorithm = \"HKDF-SHA256\";\n\nexport const CCE_AES_KEY_BYTES = 32; // 256-bit AES key\nexport const CCE_IV_BYTES = 12; // 96-bit GCM nonce\nexport const CCE_TAG_BYTES = 16; // 128-bit GCM auth tag\nexport const CCE_NONCE_BYTES = 32; // 256-bit request/response nonce\n\n// ============================================================================\n// CCE Capsule Claims (extends TickAuth capsule for AXIS binding)\n// ============================================================================\n\n/\n CCE-specific claims that extend the TickAuth capsule.\n * These claims bind the capsule to a specific AXIS audience and intent.\n /\nexport interface CceCapsuleClaims {\n /* Capsule identifier (content-addressed) /\n capsule_id: string;\n /* Protocol version /\n ver: typeof CCE_PROTOCOL_VERSION;\n /* Subject / actor identity /\n sub: string;\n /* Client key identifier /\n kid: string;\n /* Bound intent /\n intent: string;\n /* AXIS audience (service identity) /\n aud: string;\n /* TPS window start (Unix ms or TPS index) /\n tps_from: number;\n /* TPS window end (Unix ms or TPS index) /\n tps_to: number;\n /* Capsule nonce (hex, from challenge) /\n capsule_nonce: string;\n /* Reference to originating challenge /\n challenge_id: string;\n /* Content hash of the validated proof used to issue this capsule /\n proof_hash?: string;\n /* Policy hash (hex) — Digital Fabric Law binding /\n policy_hash?: string;\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expires-at timestamp (Unix seconds) /\n exp: number;\n /* Capsule usage mode /\n mode: \"SINGLE_USE\" \| \"SESSION\";\n /* Scope capabilities /\n scope?: string[];\n /* Constraints /\n constraints?: CceConstraints;\n /* TickAuth issuer signature over claims /\n issuer_sig: CceSignature;\n}\n\nexport interface CceConstraints {\n max_payload_bytes?: number;\n ip_allow?: string[];\n device_allow?: string[];\n country_allow?: string[];\n}\n\nexport interface CceSignature {\n alg: \"EdDSA\" \| \"ES256\";\n kid: string;\n value: string; // base64url or hex\n}\n\n// ============================================================================\n// CCE Request Envelope\n// ============================================================================\n\n/\n The encrypted request envelope sent from Client → AXIS.\n \n The client:\n * 1. Generates ephemeral AES-256 key\n * 2. Encrypts payload with AES-256-GCM\n * 3. Encrypts AES key with AXIS public key (X25519 or RSA-OAEP)\n * 4. Signs the envelope with client private key\n * 5. Attaches capsule\n /\nexport interface CceRequestEnvelope {\n /* Protocol version /\n ver: typeof CCE_PROTOCOL_VERSION;\n /* Unique request identifier /\n request_id: string;\n /* Correlation identifier (for request/response binding) /\n correlation_id: string;\n /* Client key identifier /\n client_kid: string;\n /* The capsule claims (signed by TickAuth) /\n capsule: CceCapsuleClaims;\n /* Encrypted transport key (AXIS public key encrypted) /\n encrypted_key: CceEncryptedKey;\n /* Encrypted payload /\n encrypted_payload: CceEncryptedPayload;\n /* Request nonce (hex, 32 bytes) /\n request_nonce: string;\n /* Client signature over canonical envelope /\n client_sig: CceSignature;\n /* Content type of the plaintext payload /\n content_type: string;\n /* Algorithm descriptors /\n algorithms: CceAlgorithmDescriptor;\n /* Additional authenticated data descriptor /\n aad_descriptor?: string;\n}\n\n/\n Encrypted symmetric key wrapped by AXIS public key.\n /\nexport interface CceEncryptedKey {\n /* Key encapsulation algorithm /\n alg: CceKemAlgorithm;\n /* AXIS key identifier used for encapsulation /\n axis_kid: string;\n /* Encrypted key bytes (base64url) /\n ciphertext: string;\n /* Ephemeral public key (for X25519 ECDH, base64url) /\n ephemeral_pk?: string;\n}\n\n/\n Encrypted payload with AEAD metadata.\n /\nexport interface CceEncryptedPayload {\n /* Encryption algorithm /\n alg: CceAlgorithm;\n /* Initialization vector / nonce (base64url, 12 bytes) /\n iv: string;\n /* Ciphertext (base64url) /\n ciphertext: string;\n /* Authentication tag (base64url, 16 bytes) /\n tag: string;\n}\n\n/\n Algorithm descriptor for the envelope.\n /\nexport interface CceAlgorithmDescriptor {\n /* Key encapsulation /\n kem: CceKemAlgorithm;\n /* Symmetric encryption /\n enc: CceAlgorithm;\n /* Key derivation (for execution context) /\n kdf: CceKdfAlgorithm;\n /* Signature algorithm /\n sig: \"EdDSA\" \| \"ES256\";\n}\n\n// ============================================================================\n// CCE Response Envelope\n// ============================================================================\n\n/\n The encrypted response envelope sent from AXIS → Client.\n /\nexport interface CceResponseEnvelope {\n /* Protocol version /\n ver: typeof CCE_PROTOCOL_VERSION;\n /* Response identifier /\n response_id: string;\n /* Request identifier (binding) /\n request_id: string;\n /* Correlation identifier /\n correlation_id: string;\n /* Capsule identifier of the originating request /\n capsule_id: string;\n /* Encrypted transport key (Client public key encrypted) /\n encrypted_key: CceEncryptedKey;\n /* Encrypted response payload /\n encrypted_payload: CceEncryptedPayload;\n /* Response nonce (hex, 32 bytes) /\n response_nonce: string;\n /* AXIS signature over canonical response /\n axis_sig: CceSignature;\n /* Witness reference /\n witness_ref?: string;\n /* Algorithm descriptors /\n algorithms: CceAlgorithmDescriptor;\n /* Response status (plaintext, allowed on error) /\n status: CceResponseStatus;\n}\n\nexport type CceResponseStatus =\n \| \"SUCCESS\"\n \| \"DENIED\"\n \| \"PARTIAL\"\n \| \"FAILED\"\n \| \"ERROR\";\n\n// ============================================================================\n// CCE Execution Context (derived inside AXIS)\n// ============================================================================\n\n/\n Execution context derived from capsule claims + AXIS local secret.\n * Proves that the request was not only decrypted but legally executable.\n /\nexport interface CceExecutionContext {\n /* Derived execution key (used for witness binding, never exposed) /\n execution_key_hash: string;\n /* Request identifier /\n request_id: string;\n /* Capsule identifier /\n capsule_id: string;\n /* Subject identity /\n sub: string;\n /* Client key identifier /\n kid: string;\n /* Intent /\n intent: string;\n /* Audience /\n aud: string;\n /* TPS window /\n tps_from: number;\n tps_to: number;\n /* Policy hash (if bound) /\n policy_hash?: string;\n /* Timestamp of context derivation /\n derived_at: number;\n /* Whether this context is valid /\n valid: boolean;\n}\n\n// ============================================================================\n// CCE Witness Record\n// ============================================================================\n\n/\n Witness record for the CCE request/response lifecycle.\n /\nexport interface CceWitnessRecord {\n /* Witness identifier /\n witness_id: string;\n /* Request identifier /\n request_id: string;\n /* Capsule identifier /\n capsule_id: string;\n /* Subject identity /\n sub: string;\n /* Intent /\n intent: string;\n /* Audience /\n aud: string;\n /* TPS window /\n tps_from: number;\n tps_to: number;\n /* Timestamp /\n timestamp: number;\n\n /* Verification results /\n verification: {\n client_sig: boolean;\n capsule_sig: boolean;\n tps_valid: boolean;\n audience_match: boolean;\n intent_match: boolean;\n replay_clean: boolean;\n nonce_unique: boolean;\n decryption_ok: boolean;\n };\n\n /* Handler execution result /\n execution: {\n status: CceResponseStatus;\n handler_duration_ms: number;\n effect?: string;\n };\n\n /* Response encryption result /\n response_encrypted: boolean;\n\n /* Execution context hash (proves legal execution) /\n execution_context_hash: string;\n\n /* Payload hash (redacted, never raw content) /\n request_payload_hash?: string;\n response_payload_hash?: string;\n}\n\n// ============================================================================\n// CCE Error Codes\n// ============================================================================\n\nexport const CCE_ERROR = {\n // Envelope errors\n INVALID_ENVELOPE: \"CCE_INVALID_ENVELOPE\",\n UNSUPPORTED_VERSION: \"CCE_UNSUPPORTED_VERSION\",\n MISSING_CAPSULE: \"CCE_MISSING_CAPSULE\",\n MISSING_ENCRYPTED_KEY: \"CCE_MISSING_ENCRYPTED_KEY\",\n\n // Signature errors\n CLIENT_SIG_INVALID: \"CCE_CLIENT_SIG_INVALID\",\n CLIENT_KEY_NOT_FOUND: \"CCE_CLIENT_KEY_NOT_FOUND\",\n\n // Capsule errors\n CAPSULE_SIG_INVALID: \"CCE_CAPSULE_SIG_INVALID\",\n CAPSULE_EXPIRED: \"CCE_CAPSULE_EXPIRED\",\n CAPSULE_NOT_YET_VALID: \"CCE_CAPSULE_NOT_YET_VALID\",\n CAPSULE_REVOKED: \"CCE_CAPSULE_REVOKED\",\n CAPSULE_CONSUMED: \"CCE_CAPSULE_CONSUMED\",\n\n // Binding errors\n AUDIENCE_MISMATCH: \"CCE_AUDIENCE_MISMATCH\",\n INTENT_MISMATCH: \"CCE_INTENT_MISMATCH\",\n TPS_WINDOW_EXPIRED: \"CCE_TPS_WINDOW_EXPIRED\",\n TPS_WINDOW_FUTURE: \"CCE_TPS_WINDOW_FUTURE\",\n\n // Replay / nonce errors\n REPLAY_DETECTED: \"CCE_REPLAY_DETECTED\",\n NONCE_REUSED: \"CCE_NONCE_REUSED\",\n\n // Decryption errors\n DECRYPTION_FAILED: \"CCE_DECRYPTION_FAILED\",\n KEY_UNWRAP_FAILED: \"CCE_KEY_UNWRAP_FAILED\",\n AEAD_TAG_MISMATCH: \"CCE_AEAD_TAG_MISMATCH\",\n PAYLOAD_TOO_LARGE: \"CCE_PAYLOAD_TOO_LARGE\",\n\n // Schema / validation errors\n PAYLOAD_SCHEMA_INVALID: \"CCE_PAYLOAD_SCHEMA_INVALID\",\n INTENT_SCHEMA_MISMATCH: \"CCE_INTENT_SCHEMA_MISMATCH\",\n\n // Policy errors\n POLICY_DENIED: \"CCE_POLICY_DENIED\",\n CONSTRAINT_VIOLATED: \"CCE_CONSTRAINT_VIOLATED\",\n\n // Handler errors\n HANDLER_NOT_FOUND: \"CCE_HANDLER_NOT_FOUND\",\n HANDLER_EXECUTION_FAILED: \"CCE_HANDLER_EXECUTION_FAILED\",\n HANDLER_TIMEOUT: \"CCE_HANDLER_TIMEOUT\",\n\n // Response errors\n RESPONSE_ENCRYPTION_FAILED: \"CCE_RESPONSE_ENCRYPTION_FAILED\",\n} as const;\n\nexport type CceErrorCode = (typeof CCE_ERROR)[keyof typeof CCE_ERROR];\n\n/\n Structured CCE error.\n /\nexport class CceError extends Error {\n constructor(\n public readonly code: CceErrorCode,\n message: string,\n public readonly metadata?: Record<string, unknown>,\n ) {\n super(`[${code}] ${message}`);\n this.name = \"CceError\";\n }\n\n /* Whether this error is safe to expose to the client /\n get clientSafe(): boolean {\n // Never expose internal decryption/handler details\n const internal: CceErrorCode[] = [\n CCE_ERROR.DECRYPTION_FAILED,\n CCE_ERROR.KEY_UNWRAP_FAILED,\n CCE_ERROR.AEAD_TAG_MISMATCH,\n CCE_ERROR.HANDLER_EXECUTION_FAILED,\n CCE_ERROR.RESPONSE_ENCRYPTION_FAILED,\n ];\n return !internal.includes(this.code);\n }\n\n /* Get client-safe representation /\n toClientError(): { code: CceErrorCode; message: string } {\n if (this.clientSafe) {\n return { code: this.code, message: this.message };\n }\n return {\n code: CCE_ERROR.DECRYPTION_FAILED,\n message: \"Request processing failed\",\n };\n }\n}\n","import { bytesToHex, hexToBytes } from \"@noble/hashes/utils.js\";\n/\n CCE Key Derivation Service\n \n Implements HKDF-based key derivation for the Capsule-Carried Encryption protocol.\n * Keys are never placed in capsules — they are derived from:\n * - AXIS local secret (IKM)\n * - Capsule claims (salt + info)\n * - Request/response nonce (direction binding)\n * - Protocol version (upgrade protection)\n \n Uses @noble/hashes HKDF (RFC 5869) with SHA-256.\n /\nimport { hkdf } from \"@noble/hashes/hkdf.js\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n\nimport { CCE_AES_KEY_BYTES, CCE_DERIVATION, CCE_NONCE_BYTES, type CceCapsuleClaims, type CceExecutionContext } from \"./cce.types\";\n\n/\n Input parameters for key derivation.\n /\nexport interface CceDerivationInput {\n /* AXIS local secret (hex, must be kept private) /\n axisLocalSecret: string;\n /* Capsule claims from the request /\n capsule: CceCapsuleClaims;\n /* Request nonce (hex) /\n requestNonce: string;\n /* Response nonce (hex, only for response derivation) /\n responseNonce?: string;\n}\n\n/\n Build the salt for HKDF from capsule + nonce.\n \n salt = SHA-256(capsule_id \|\| capsule_nonce \|\| request_nonce)\n /\nfunction buildSalt(\n capsuleId: string,\n capsuleNonce: string,\n requestNonce: string,\n): Uint8Array {\n const encoder = new TextEncoder();\n const data = encoder.encode(\n capsuleId + \"\|\" + capsuleNonce + \"\|\" + requestNonce,\n );\n return sha256(data);\n}\n\n/\n Build the info string for HKDF.\n * Binds the derived key to all authority dimensions.\n \n info = context_prefix \| sub \| kid \| intent \| aud \| tps_from \| tps_to \| policy_hash \| ver\n /\nfunction buildInfo(\n contextPrefix: string,\n capsule: CceCapsuleClaims,\n extraNonce?: string,\n): Uint8Array {\n const encoder = new TextEncoder();\n const parts = [\n contextPrefix,\n capsule.sub,\n capsule.kid,\n capsule.intent,\n capsule.aud,\n String(capsule.tps_from),\n String(capsule.tps_to),\n capsule.policy_hash ?? \"\",\n capsule.ver,\n ];\n if (extraNonce) {\n parts.push(extraNonce);\n }\n return encoder.encode(parts.join(\"\|\"));\n}\n\n/\n Derive the request execution key.\n \n This key is used internally by AXIS to prove that:\n * 1. The request arrived with a valid capsule\n * 2. The capsule was bound to this specific intent/audience/subject\n * 3. AXIS possessed the local secret at derivation time\n \n The key itself is NEVER exposed — only its hash appears in witness records.\n /\nexport function deriveRequestExecutionKey(\n input: CceDerivationInput,\n): Uint8Array {\n const ikm = hexToBytes(input.axisLocalSecret);\n const salt = buildSalt(\n input.capsule.capsule_id,\n input.capsule.capsule_nonce,\n input.requestNonce,\n );\n const info = buildInfo(CCE_DERIVATION.REQUEST, input.capsule);\n\n return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);\n}\n\n/\n Derive the response execution key.\n * Uses a different context prefix and includes the response nonce,\n * ensuring request and response keys are always distinct.\n /\nexport function deriveResponseExecutionKey(\n input: CceDerivationInput & { responseNonce: string },\n): Uint8Array {\n const ikm = hexToBytes(input.axisLocalSecret);\n\n // Response salt uses a different construction\n const encoder = new TextEncoder();\n const saltData = encoder.encode(\n input.capsule.capsule_id +\n \"\|\" +\n input.capsule.capsule_nonce +\n \"\|\" +\n input.requestNonce +\n \"\|\" +\n input.responseNonce,\n );\n const salt = sha256(saltData);\n\n const info = buildInfo(\n CCE_DERIVATION.RESPONSE,\n input.capsule,\n input.responseNonce,\n );\n\n return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);\n}\n\n/\n Derive the witness binding key.\n * Used to create tamper-evident witness records.\n /\nexport function deriveWitnessKey(input: CceDerivationInput): Uint8Array {\n const ikm = hexToBytes(input.axisLocalSecret);\n const salt = buildSalt(\n input.capsule.capsule_id,\n input.capsule.capsule_nonce,\n input.requestNonce,\n );\n const info = buildInfo(CCE_DERIVATION.WITNESS, input.capsule);\n\n return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);\n}\n\n/\n Build a complete execution context from capsule claims and derivation.\n * The execution key is derived but only its hash is stored.\n /\nexport function buildExecutionContext(\n input: CceDerivationInput,\n requestId: string,\n): CceExecutionContext {\n const executionKey = deriveRequestExecutionKey(input);\n const keyHash = bytesToHex(sha256(executionKey));\n\n // Clear the raw key from memory (best effort)\n executionKey.fill(0);\n\n return {\n execution_key_hash: keyHash,\n request_id: requestId,\n capsule_id: input.capsule.capsule_id,\n sub: input.capsule.sub,\n kid: input.capsule.kid,\n intent: input.capsule.intent,\n aud: input.capsule.aud,\n tps_from: input.capsule.tps_from,\n tps_to: input.capsule.tps_to,\n policy_hash: input.capsule.policy_hash,\n derived_at: Math.floor(Date.now() / 1000),\n valid: true,\n };\n}\n\n/\n Generate a cryptographically secure nonce for CCE requests/responses.\n /\nexport function generateCceNonce(): string {\n const bytes = new Uint8Array(CCE_NONCE_BYTES);\n crypto.getRandomValues(bytes);\n return bytesToHex(bytes);\n}\n","import { bytesToHex } from \"@noble/hashes/utils.js\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n/\n CCE Crypto Primitives\n \n AES-256-GCM encryption/decryption and X25519 key exchange\n * for the Capsule-Carried Encryption protocol.\n \n Uses Node.js native crypto for AES-GCM (performant and FIPS-capable).\n /\nimport { createCipheriv, createDecipheriv, randomBytes } from \"crypto\";\n\nimport { CCE_AES_KEY_BYTES, CCE_IV_BYTES, CCE_TAG_BYTES } from \"./cce.types\";\n\n// ============================================================================\n// AES-256-GCM\n// ============================================================================\n\n/\n Encrypt plaintext with AES-256-GCM.\n /\nexport function aesGcmEncrypt(\n key: Uint8Array,\n plaintext: Uint8Array,\n aad?: Uint8Array,\n): { iv: Uint8Array; ciphertext: Uint8Array; tag: Uint8Array } {\n if (key.length !== CCE_AES_KEY_BYTES) {\n throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);\n }\n\n const iv = randomBytes(CCE_IV_BYTES);\n const cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\n if (aad) {\n cipher.setAAD(aad);\n }\n\n const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);\n const tag = cipher.getAuthTag();\n\n return {\n iv: new Uint8Array(iv),\n ciphertext: new Uint8Array(encrypted),\n tag: new Uint8Array(tag),\n };\n}\n\n/\n Decrypt ciphertext with AES-256-GCM.\n * Returns null if AEAD tag verification fails.\n /\nexport function aesGcmDecrypt(\n key: Uint8Array,\n iv: Uint8Array,\n ciphertext: Uint8Array,\n tag: Uint8Array,\n aad?: Uint8Array,\n): Uint8Array \| null {\n if (key.length !== CCE_AES_KEY_BYTES) {\n throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);\n }\n if (iv.length !== CCE_IV_BYTES) {\n throw new Error(`IV must be ${CCE_IV_BYTES} bytes`);\n }\n if (tag.length !== CCE_TAG_BYTES) {\n throw new Error(`Tag must be ${CCE_TAG_BYTES} bytes`);\n }\n\n try {\n const decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n decipher.setAuthTag(tag);\n\n if (aad) {\n decipher.setAAD(aad);\n }\n\n const decrypted = Buffer.concat([\n decipher.update(ciphertext),\n decipher.final(),\n ]);\n return new Uint8Array(decrypted);\n } catch {\n // AEAD tag mismatch or other decryption failure\n return null;\n }\n}\n\n/\n Generate an ephemeral AES-256 key.\n /\nexport function generateAesKey(): Uint8Array {\n return new Uint8Array(randomBytes(CCE_AES_KEY_BYTES));\n}\n\n/\n Generate a random IV for AES-GCM.\n /\nexport function generateIv(): Uint8Array {\n return new Uint8Array(randomBytes(CCE_IV_BYTES));\n}\n\n// ============================================================================\n// Base64url helpers\n// ============================================================================\n\nexport function base64UrlEncode(bytes: Uint8Array): string {\n return Buffer.from(bytes)\n .toString(\"base64\")\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport function base64UrlDecode(input: string): Uint8Array {\n const base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padding = \"=\".repeat((4 - (base64.length % 4)) % 4);\n return new Uint8Array(Buffer.from(base64 + padding, \"base64\"));\n}\n\n// ============================================================================\n// Payload hashing (for witness records)\n// ============================================================================\n\n/\n Hash a payload for witness records (never store raw plaintext).\n /\nexport function hashPayload(payload: Uint8Array): string {\n return bytesToHex(sha256(payload));\n}\n\n// ============================================================================\n// Default AES-GCM Provider (for sensor injection)\n// ============================================================================\n\nimport type { CceAesGcmProvider } from \"./sensors/cce-payload-decryption.sensor\";\n\n/\n Node.js native AES-GCM provider.\n /\nexport const nodeAesGcmProvider: CceAesGcmProvider = {\n async decrypt(\n key: Uint8Array,\n iv: Uint8Array,\n ciphertext: Uint8Array,\n tag: Uint8Array,\n aad?: Uint8Array,\n ): Promise<Uint8Array \| null> {\n return aesGcmDecrypt(key, iv, ciphertext, tag, aad);\n },\n};\n","import { bytesToHex } from \"@noble/hashes/utils.js\";\n/\n CCE Response Encryption Service\n \n Encrypts AXIS response payloads back to the client.\n \n v1 model:\n * - Generate ephemeral AES-256 key\n * - Encrypt response body with AES-GCM\n * - Encrypt AES key with client public key\n * - Sign response envelope with AXIS private key\n /\nimport { randomBytes } from \"crypto\";\n\nimport { aesGcmEncrypt, base64UrlEncode, generateAesKey, hashPayload } from \"./cce-crypto\";\nimport { CCE_NONCE_BYTES, CCE_PROTOCOL_VERSION, type CceAlgorithmDescriptor, type CceCapsuleClaims, type CceEncryptedKey, type CceEncryptedPayload, type CceRequestEnvelope, type CceResponseEnvelope, type CceResponseStatus, type CceSignature } from \"./cce.types\";\n\n/\n Client public key encryptor — wraps AES key with client's public key.\n /\nexport interface CceClientKeyEncryptor {\n wrapKey(\n aesKey: Uint8Array,\n clientKid: string,\n clientPublicKeyHex: string,\n ): Promise<CceEncryptedKey>;\n}\n\n/\n AXIS signing provider — signs response envelopes.\n /\nexport interface CceAxisSigner {\n sign(payload: Uint8Array): Promise<CceSignature>;\n}\n\n/\n Options for building a CCE response.\n /\nexport interface CceResponseOptions {\n /* Original request envelope /\n request: CceRequestEnvelope;\n /* Verified capsule claims /\n capsule: CceCapsuleClaims;\n /* Response status /\n status: CceResponseStatus;\n /* Response body (plaintext) /\n body: Uint8Array;\n /* Client public key (hex) for response encryption /\n clientPublicKeyHex: string;\n /* Witness reference /\n witnessRef?: string;\n}\n\n/\n Build and encrypt a CCE response envelope.\n /\nexport async function buildCceResponse(\n options: CceResponseOptions,\n clientKeyEncryptor: CceClientKeyEncryptor,\n axisSigner: CceAxisSigner,\n): Promise<{ envelope: CceResponseEnvelope; responsePayloadHash: string }> {\n const { request, capsule, status, body, clientPublicKeyHex, witnessRef } =\n options;\n\n // Generate response nonce\n const responseNonce = bytesToHex(\n new Uint8Array(randomBytes(CCE_NONCE_BYTES)),\n );\n\n // Generate response ID\n const responseId = generateResponseId();\n\n // Generate ephemeral AES key for response\n const aesKey = generateAesKey();\n\n // Build AAD for response (binds ciphertext to response context)\n const aad = buildResponseAad(\n request.request_id,\n responseId,\n request.correlation_id,\n capsule.capsule_id,\n responseNonce,\n );\n\n // Encrypt response body\n const { iv, ciphertext, tag } = aesGcmEncrypt(aesKey, body, aad);\n\n // Wrap AES key with client public key\n const encryptedKey = await clientKeyEncryptor.wrapKey(\n aesKey,\n request.client_kid,\n clientPublicKeyHex,\n );\n\n // Clear the raw AES key\n aesKey.fill(0);\n\n const encryptedPayload: CceEncryptedPayload = {\n alg: \"AES-256-GCM\",\n iv: base64UrlEncode(iv),\n ciphertext: base64UrlEncode(ciphertext),\n tag: base64UrlEncode(tag),\n };\n\n const algorithms: CceAlgorithmDescriptor = {\n kem: encryptedKey.alg,\n enc: \"AES-256-GCM\",\n kdf: \"HKDF-SHA256\",\n sig: \"EdDSA\",\n };\n\n // Build unsigned response\n const unsignedResponse: Omit<CceResponseEnvelope, \"axis_sig\"> = {\n ver: CCE_PROTOCOL_VERSION,\n response_id: responseId,\n request_id: request.request_id,\n correlation_id: request.correlation_id,\n capsule_id: capsule.capsule_id,\n encrypted_key: encryptedKey,\n encrypted_payload: encryptedPayload,\n response_nonce: responseNonce,\n algorithms,\n status,\n ...(witnessRef ? { witness_ref: witnessRef } : {}),\n };\n\n // Sign the response\n const signPayload = new TextEncoder().encode(canonicalize(unsignedResponse));\n const axisSig = await axisSigner.sign(signPayload);\n\n const envelope: CceResponseEnvelope = {\n ...unsignedResponse,\n axis_sig: axisSig,\n };\n\n return {\n envelope,\n responsePayloadHash: hashPayload(body),\n };\n}\n\n/\n Build a plaintext (unencrypted) error response for cases where\n * encryption is impossible (e.g., before capsule verification).\n /\nexport function buildCceErrorResponse(\n requestId: string,\n correlationId: string,\n status: CceResponseStatus,\n errorCode: string,\n message: string,\n): {\n ver: string;\n request_id: string;\n correlation_id: string;\n status: CceResponseStatus;\n error: { code: string; message: string };\n} {\n return {\n ver: CCE_PROTOCOL_VERSION,\n request_id: requestId,\n correlation_id: correlationId,\n status,\n error: { code: errorCode, message },\n };\n}\n\n// ============================================================================\n// Helpers\n// ============================================================================\n\nfunction generateResponseId(): string {\n const bytes = randomBytes(16);\n return \"resp_\" + bytesToHex(new Uint8Array(bytes)).slice(0, 24);\n}\n\nfunction buildResponseAad(\n requestId: string,\n responseId: string,\n correlationId: string,\n capsuleId: string,\n responseNonce: string,\n): Uint8Array {\n const parts = [\n requestId,\n responseId,\n correlationId,\n capsuleId,\n responseNonce,\n ];\n return new TextEncoder().encode(parts.join(\"\|\"));\n}\n\nfunction canonicalize(obj: unknown): string {\n if (Array.isArray(obj)) {\n return \"[\" + obj.map(canonicalize).join(\",\") + \"]\";\n }\n if (obj !== null && typeof obj === \"object\") {\n const sorted = Object.keys(obj as object)\n .sort()\n .map(\n (k) =>\n JSON.stringify(k) +\n \":\" +\n canonicalize((obj as Record<string, unknown>)[k]),\n );\n return \"{\" + sorted.join(\",\") + \"}\";\n }\n return JSON.stringify(obj);\n}\n","import { bytesToHex } from \"@noble/hashes/utils.js\";\nimport { hkdf } from \"@noble/hashes/hkdf.js\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n/\n CCE Witness Observer\n \n Records tamper-evident witness logs for every CCE request/response lifecycle.\n \n Redaction rules:\n * - Never store raw plaintext payloads (only hashes)\n * - Never store raw encryption keys\n * - Store verification outcomes, not raw crypto material\n /\nimport { randomBytes } from \"crypto\";\n\nimport { hashPayload } from \"./cce-crypto\";\nimport { CCE_DERIVATION, type CceCapsuleClaims, type CceRequestEnvelope, type CceResponseStatus, type CceWitnessRecord } from \"./cce.types\";\n\n/\n Witness store interface — implementations persist witness records.\n /\nexport interface CceWitnessStore {\n record(witness: CceWitnessRecord): Promise<void>;\n}\n\n/\n In-memory witness store for development/testing.\n /\nexport class InMemoryCceWitnessStore implements CceWitnessStore {\n readonly records: CceWitnessRecord[] = [];\n\n async record(witness: CceWitnessRecord): Promise<void> {\n this.records.push(witness);\n }\n\n getByRequestId(requestId: string): CceWitnessRecord \| undefined {\n return this.records.find((w) => w.request_id === requestId);\n }\n\n getByCapsuleId(capsuleId: string): CceWitnessRecord[] {\n return this.records.filter((w) => w.capsule_id === capsuleId);\n }\n}\n\n/\n Verification state accumulated during sensor chain execution.\n /\nexport interface CceVerificationState {\n clientSigVerified: boolean;\n capsuleSigVerified: boolean;\n tpsValid: boolean;\n audienceMatch: boolean;\n intentMatch: boolean;\n replayClean: boolean;\n nonceUnique: boolean;\n decryptionOk: boolean;\n}\n\n/\n Build a witness record from verification state and execution result.\n /\nexport function buildWitnessRecord(\n envelope: CceRequestEnvelope,\n capsule: CceCapsuleClaims,\n verification: CceVerificationState,\n execution: {\n status: CceResponseStatus;\n handlerDurationMs: number;\n effect?: string;\n },\n options: {\n axisLocalSecret: string;\n requestPayload?: Uint8Array;\n responsePayload?: Uint8Array;\n responseEncrypted: boolean;\n },\n): CceWitnessRecord {\n // Generate witness ID\n const witnessId = generateWitnessId(envelope.request_id, capsule.capsule_id);\n\n // Compute execution context hash using HKDF witness derivation\n const executionContextHash = computeExecutionContextHash(\n options.axisLocalSecret,\n capsule,\n envelope.request_nonce,\n );\n\n return {\n witness_id: witnessId,\n request_id: envelope.request_id,\n capsule_id: capsule.capsule_id,\n sub: capsule.sub,\n intent: capsule.intent,\n aud: capsule.aud,\n tps_from: capsule.tps_from,\n tps_to: capsule.tps_to,\n timestamp: Math.floor(Date.now() / 1000),\n verification: {\n client_sig: verification.clientSigVerified,\n capsule_sig: verification.capsuleSigVerified,\n tps_valid: verification.tpsValid,\n audience_match: verification.audienceMatch,\n intent_match: verification.intentMatch,\n replay_clean: verification.replayClean,\n nonce_unique: verification.nonceUnique,\n decryption_ok: verification.decryptionOk,\n },\n execution: {\n status: execution.status,\n handler_duration_ms: execution.handlerDurationMs,\n ...(execution.effect ? { effect: execution.effect } : {}),\n },\n response_encrypted: options.responseEncrypted,\n execution_context_hash: executionContextHash,\n ...(options.requestPayload\n ? { request_payload_hash: hashPayload(options.requestPayload) }\n : {}),\n ...(options.responsePayload\n ? { response_payload_hash: hashPayload(options.responsePayload) }\n : {}),\n };\n}\n\n/\n Extract verification state from sensor chain metadata.\n /\nexport function extractVerificationState(\n metadata: Record<string, any>,\n): CceVerificationState {\n return {\n clientSigVerified: metadata.cceClientSigVerified === true,\n capsuleSigVerified: metadata.cceCapsuleVerified === true,\n tpsValid: metadata.cceTpsValid === true,\n audienceMatch: metadata.cceBindingVerified === true,\n intentMatch: metadata.cceBindingVerified === true,\n replayClean: metadata.cceReplayClean === true,\n nonceUnique: metadata.cceReplayClean === true,\n decryptionOk: metadata.cceDecryptionOk === true,\n };\n}\n\n// ============================================================================\n// Internal\n// ============================================================================\n\nfunction generateWitnessId(requestId: string, capsuleId: string): string {\n const input = `witness:${requestId}:${capsuleId}:${Date.now()}`;\n const hash = sha256(new TextEncoder().encode(input));\n return \"wit_\" + bytesToHex(hash).slice(0, 24);\n}\n\nfunction computeExecutionContextHash(\n axisLocalSecret: string,\n capsule: CceCapsuleClaims,\n requestNonce: string,\n): string {\n const encoder = new TextEncoder();\n\n // Use HKDF to derive witness key\n const ikm = hexToBytes(axisLocalSecret);\n const salt = sha256(\n encoder.encode(\n capsule.capsule_id + \"\|\" + capsule.capsule_nonce + \"\|\" + requestNonce,\n ),\n );\n const info = encoder.encode(\n [\n CCE_DERIVATION.WITNESS,\n capsule.sub,\n capsule.kid,\n capsule.intent,\n capsule.aud,\n String(capsule.tps_from),\n String(capsule.tps_to),\n capsule.policy_hash ?? \"\",\n capsule.ver,\n ].join(\"\|\"),\n );\n\n const witnessKey = hkdf(sha256, ikm, salt, info, 32);\n const hash = bytesToHex(sha256(witnessKey));\n\n // Clear sensitive material\n witnessKey.fill(0);\n\n return hash;\n}\n\nfunction hexToBytes(hex: string): Uint8Array {\n const bytes = new Uint8Array(hex.length / 2);\n for (let i = 0; i < bytes.length; i++) {\n bytes[i] = parseInt(hex.slice(i 2, i * 2 + 2), 16);\n }\n return bytes;\n}\n","import type { AxisObservedContext } from '../types/axis-frame.types';\n\n/*\n Sensor Phase Metadata\n \n Metadata describing which phase(s) a sensor executes in.\n * Used for validation and optimization.\n \n @interface SensorPhaseMetadata\n /\nexport interface SensorPhaseMetadata {\n /* Execution phase: pre-decode (middleware) or post-decode (controller) /\n phase: 'PRE_DECODE' \| 'POST_DECODE';\n\n /* Other sensors that must run before this one /\n dependencies?: string[];\n\n /* Whether this sensor can perform async I/O /\n asyncOk?: boolean;\n\n /* Whether this sensor can use cryptographic operations /\n cryptoOk?: boolean;\n\n /* Human-readable description of sensor purpose /\n description?: string;\n}\n\n/\n AXIS Sensor Interface\n \n Core interface for all security sensors in the AXIS pipeline.\n /\nexport interface AxisSensor {\n readonly name: string;\n readonly order?: number; // Lower runs first\n /* Execution phase hint /\n phase?: SensorPhaseMetadata \| 'PRE_DECODE' \| 'POST_DECODE';\n supports?(input: SensorInput): boolean;\n run(input: SensorInput): Promise<SensorDecision>;\n}\n\n// Optional lifecycle hook for frameworks that support module initialization.\nexport interface AxisSensorInit extends AxisSensor {\n onModuleInit?(): void \| Promise<void>;\n}\n\n/\n Sensors that run before frame decoding/deserialization.\n * They should be fast, avoid I/O, and fail fast on malformed traffic.\n /\nexport interface AxisPreSensor extends AxisSensor {\n phase: 'PRE_DECODE';\n}\n\n/\n Sensors that run after a frame is fully decoded and parsed.\n * They may use full context (intent, actor, proofs) and can perform I/O.\n /\nexport interface AxisPostSensor extends AxisSensor {\n phase: 'POST_DECODE';\n}\n\n/\n Sensor Input\n \n Represents the structured data passed to a security sensor for evaluation.\n * Depending on the execution phase, different fields may be populated.\n \n Flow:\n * - Phase 1 (Pre-decode): `rawBytes`, `ip`, `path`, and `peek` are typically available.\n * - Phase 2/3 (Post-decode): `intent`, `contentLength`, and `metadata` are populated after frame parsing.\n \n @interface SensorInput\n /\nexport interface SensorInput {\n /* The full raw binary frame from the wire (if available) /\n rawBytes?: Buffer \| Uint8Array;\n\n /* The AXIS intent string extracted from the frame header (e.g., 'system.info') /\n intent?: string;\n\n /* IPv4/IPv6 address of the edge client /\n ip?: string;\n\n /* The HTTP or transport path being accessed /\n path?: string;\n\n /* Total size of the frame body in bytes /\n contentLength?: number;\n\n /* A small slice of the beginning of the body for early pattern matching /\n peek?: Uint8Array;\n\n /* Geolocation country code (if resolved by upstream middleware) /\n country?: string;\n\n /* Client identifier from the transport layer (e.g., Capsule ID or Socket ID) /\n clientId?: string;\n\n /* Whether the request is coming via a WebSocket connection /\n isWs?: boolean;\n\n /* Extensible metadata for cross-sensor communication /\n metadata?: Record<string, any>;\n\n /* Actor ID from frame or request /\n actorId?: string;\n\n /* Operation code /\n opcode?: string;\n\n /* Audience field /\n aud?: string;\n\n /* Observed context from frame parsing /\n observed?: AxisObservedContext;\n\n /* Parsed frame body /\n frameBody?: any;\n\n /* Device identifier /\n deviceId?: string;\n\n /* Session identifier /\n sessionId?: string;\n\n /* Parsed packet data /\n packet?: Record<string, any>;\n\n /* Dynamic field access for sensor-specific data /\n [key: string]: any;\n}\n\nexport enum Decision {\n ALLOW = 'ALLOW',\n DENY = 'DENY',\n THROTTLE = 'THROTTLE',\n FLAG = 'FLAG',\n}\n/\n Sensor Decision\n \n Represents the outcome of an individual sensor's evaluation.\n * Supports two formats for backward compatibility:\n \n 1. Modern format (preferred): Uses decision/allow/riskScore/reasons\n * 2. Legacy format: Uses action/code/reason (deprecated, will be removed)\n /\nexport type SensorDecision =\n // Modern format (preferred)\n \| {\n /* Final decision outcome (optional for backward compatibility) /\n decision?: Decision;\n /* Whether the request may continue immediately /\n allow: boolean;\n /* Risk score from 0–100 (0 = safe, 100 = blocked) /\n riskScore: number;\n /* Human & machine traceable reasons /\n reasons: string[];\n /* Machine-readable error or control code /\n code?: string;\n /* Throttle hint (only relevant for THROTTLE) /\n retryAfterMs?: number;\n /* Optional delta applied to rolling risk/anomaly state /\n scoreDelta?: number;\n /* Extra signals for audit, observability, forensics /\n tags?: Record<string, any>;\n /* Optional capsule / verification metadata /\n meta?: any;\n /* Optional constraint tightening instructions /\n tighten?: {\n expSecondsMax?: number;\n constraintsPatch?: Record<string, any>;\n };\n }\n // Legacy action-based format (deprecated)\n \| { action: 'ALLOW'; meta?: any }\n \| {\n action: 'DENY';\n code: string;\n reason?: string;\n retryAfterMs?: number;\n meta?: any;\n }\n \| { action: 'THROTTLE'; retryAfterMs: number; meta?: any }\n \| { action: 'FLAG'; scoreDelta: number; reasons: string[]; meta?: any };\n\nexport type SensorMinifiedDecision = {\n allow: boolean;\n riskScore: number;\n reasons: string[];\n tags?: Record<string, any>;\n meta?: any;\n tighten?: { expSecondsMax?: number; constraintsPatch?: Record<string, any> };\n /* Legacy fields for compatibility /\n retryAfterMs?: number;\n};\n\n/\n Helper to normalize SensorDecision (handles both legacy and modern formats)\n /\nexport function normalizeSensorDecision(\n sensorDecision: SensorDecision,\n): SensorMinifiedDecision {\n // Check if it's a legacy action-based format\n if ('action' in sensorDecision) {\n // Convert legacy format to modern\n switch (sensorDecision.action) {\n case 'ALLOW':\n return {\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: sensorDecision.meta,\n };\n case 'DENY':\n return {\n allow: false,\n riskScore: 100,\n reasons: [sensorDecision.code, sensorDecision.reason].filter(\n Boolean,\n ) as string[],\n meta: sensorDecision.meta,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n case 'THROTTLE':\n return {\n allow: false,\n riskScore: 50,\n reasons: ['RATE_LIMIT'],\n retryAfterMs: sensorDecision.retryAfterMs,\n meta: sensorDecision.meta,\n };\n case 'FLAG':\n return {\n allow: true,\n riskScore: sensorDecision.scoreDelta,\n reasons: sensorDecision.reasons,\n meta: sensorDecision.meta,\n };\n }\n }\n\n // Modern format - already has the required fields\n return {\n allow: sensorDecision.allow,\n riskScore: sensorDecision.riskScore,\n reasons: sensorDecision.reasons,\n tags: sensorDecision.tags,\n meta: sensorDecision.meta,\n tighten: sensorDecision.tighten,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n}\n\n/\n Helper factories for creating SensorDecision objects\n /\nexport const SensorDecisions = {\n allow(meta?: any, tags?: Record<string, any>): SensorDecision {\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n tags,\n meta,\n };\n },\n\n deny(code: string, reason?: string, meta?: any): SensorDecision {\n return {\n decision: Decision.DENY,\n allow: false,\n riskScore: 100,\n code,\n reasons: [code, reason].filter(Boolean) as string[],\n meta,\n };\n },\n\n throttle(retryAfterMs: number, meta?: any): SensorDecision {\n return {\n decision: Decision.THROTTLE,\n allow: false,\n riskScore: 50,\n retryAfterMs,\n code: 'RATE_LIMIT',\n reasons: ['RATE_LIMIT'],\n meta,\n };\n },\n\n flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision {\n return {\n decision: Decision.FLAG,\n allow: true,\n riskScore: scoreDelta,\n scoreDelta,\n reasons,\n meta,\n };\n },\n};\n","import { buildExecutionContext, type CceDerivationInput } from \"./cce-derivation.service\";\nimport { buildCceErrorResponse, buildCceResponse, type CceAxisSigner, type CceClientKeyEncryptor } from \"./cce-response.service\";\nimport { buildWitnessRecord, type CceWitnessStore, extractVerificationState } from \"./cce-witness.observer\";\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../sensor/axis-sensor\";\nimport { normalizeSensorDecision } from \"../sensor/axis-sensor\";\n/\n CCE Pipeline Orchestrator\n \n Orchestrates the full CCE request/response lifecycle within AXIS:\n \n Request path:\n * 1. Parse envelope\n * 2. Run sensor chain (7 CCE sensors in order)\n * 3. Derive execution context\n * 4. Route to handler\n * 5. Execute handler\n \n Response path:\n * 6. Encrypt response\n * 7. Sign response\n * 8. Record witness\n * 9. Return response\n \n This orchestrator can be integrated into IntentRouter or used standalone.\n /\nimport { CCE_ERROR, CCE_PROTOCOL_VERSION, type CceCapsuleClaims, CceError, type CceExecutionContext, type CceRequestEnvelope, type CceResponseEnvelope, type CceResponseStatus } from \"./cce.types\";\n\n/\n CCE handler function — receives decrypted payload and execution context.\n /\nexport type CceHandler = (\n payload: Uint8Array,\n context: CceHandlerContext,\n) => Promise<CceHandlerResult>;\n\nexport interface CceHandlerContext {\n /* Verified capsule claims /\n capsule: CceCapsuleClaims;\n /* Derived execution context /\n executionContext: CceExecutionContext;\n /* Original request envelope /\n envelope: CceRequestEnvelope;\n /* Client's verified public key /\n clientPublicKeyHex: string;\n /* Request intent /\n intent: string;\n /* Actor identity /\n sub: string;\n}\n\nexport interface CceHandlerResult {\n status: CceResponseStatus;\n body: Uint8Array;\n effect?: string;\n}\n\nexport interface CcePolicyContext {\n envelope: CceRequestEnvelope;\n capsule: CceCapsuleClaims;\n executionContext: CceExecutionContext;\n decryptedPayload: Uint8Array;\n clientPublicKeyHex: string;\n}\n\nexport interface CcePolicyDecision {\n allow: boolean;\n code?: string;\n message?: string;\n}\n\nexport interface CcePolicyEvaluator {\n evaluate(context: CcePolicyContext): Promise<CcePolicyDecision>;\n}\n\n/\n CCE Pipeline Configuration\n /\nexport interface CcePipelineConfig {\n /* AXIS local secret for key derivation (hex) /\n axisLocalSecret: string;\n /* AXIS audience identifier /\n axisAudience: string;\n /* CCE sensors (will be sorted by order) /\n sensors: AxisSensor[];\n /* Intent → handler mapping /\n handlers: Map<string, CceHandler>;\n /* Witness store /\n witnessStore: CceWitnessStore;\n /* Client key encryptor (for response encryption) /\n clientKeyEncryptor: CceClientKeyEncryptor;\n /* AXIS response signer /\n axisSigner: CceAxisSigner;\n /* Optional policy/law evaluator run after decryption and before handler execution /\n policyEvaluator?: CcePolicyEvaluator;\n}\n\n/\n Result of CCE pipeline execution.\n /\nexport type CcePipelineResult =\n \| { ok: true; response: CceResponseEnvelope; witnessId: string }\n \| {\n ok: false;\n error: { code: string; message: string };\n status: CceResponseStatus;\n };\n\n/\n Execute the full CCE pipeline.\n /\nexport async function executeCcePipeline(\n envelope: CceRequestEnvelope,\n config: CcePipelineConfig,\n): Promise<CcePipelineResult> {\n const startTime = Date.now();\n\n // Validate protocol version\n if (envelope.ver !== CCE_PROTOCOL_VERSION) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.UNSUPPORTED_VERSION,\n message: `Unsupported version: ${envelope.ver}`,\n },\n status: \"ERROR\",\n };\n }\n\n // Build sensor input\n const sensorInput: SensorInput = {\n intent: envelope.capsule.intent,\n metadata: {\n cce: true,\n cceEnvelope: envelope,\n contentType: \"application/axis-cce\",\n },\n };\n\n // Run sensor chain in order\n const sortedSensors = [...config.sensors].sort(\n (a, b) => (a.order ?? 999) - (b.order ?? 999),\n );\n\n for (const sensor of sortedSensors) {\n if (sensor.supports && !sensor.supports(sensorInput)) {\n continue;\n }\n\n let decision: SensorDecision;\n try {\n decision = await sensor.run(sensorInput);\n } catch (err) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.DECRYPTION_FAILED,\n message: `Sensor ${sensor.name} failed`,\n },\n status: \"ERROR\",\n };\n }\n\n const normalized = normalizeSensorDecision(decision);\n if (!normalized.allow) {\n const code =\n normalized.reasons[0]?.split(\":\")[0] ?? CCE_ERROR.DECRYPTION_FAILED;\n return {\n ok: false,\n error: { code, message: normalized.reasons.join(\"; \") },\n status: \"DENIED\",\n };\n }\n }\n\n // Extract verified state\n const capsule = sensorInput.metadata?.cceCapsule as CceCapsuleClaims;\n const decryptedPayload = sensorInput.metadata\n ?.cceDecryptedPayload as Uint8Array;\n const clientKey = sensorInput.metadata?.cceClientKey as {\n publicKeyHex: string;\n };\n\n if (!capsule \|\| !decryptedPayload \|\| !clientKey) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.DECRYPTION_FAILED,\n message: \"Sensor chain did not produce required outputs\",\n },\n status: \"ERROR\",\n };\n }\n\n // Derive execution context\n const derivationInput: CceDerivationInput = {\n axisLocalSecret: config.axisLocalSecret,\n capsule,\n requestNonce: envelope.request_nonce,\n };\n const executionContext = buildExecutionContext(\n derivationInput,\n envelope.request_id,\n );\n\n if (config.policyEvaluator) {\n try {\n const policyDecision = await config.policyEvaluator.evaluate({\n envelope,\n capsule,\n executionContext,\n decryptedPayload,\n clientPublicKeyHex: clientKey.publicKeyHex,\n });\n if (!policyDecision.allow) {\n const verification = extractVerificationState(sensorInput.metadata ?? {});\n const witness = buildWitnessRecord(\n envelope,\n capsule,\n verification,\n {\n status: \"DENIED\",\n handlerDurationMs: 0,\n effect: \"policy_denied\",\n },\n {\n axisLocalSecret: config.axisLocalSecret,\n requestPayload: decryptedPayload,\n responseEncrypted: false,\n },\n );\n await config.witnessStore.record(witness);\n\n return {\n ok: false,\n error: {\n code: policyDecision.code ?? CCE_ERROR.POLICY_DENIED,\n message:\n policyDecision.message ?? \"Request denied by policy evaluator\",\n },\n status: \"DENIED\",\n };\n }\n } catch (err) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.POLICY_DENIED,\n message: \"Policy evaluator failed\",\n },\n status: \"ERROR\",\n };\n }\n }\n\n // Route to handler\n const handler = config.handlers.get(capsule.intent);\n if (!handler) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.HANDLER_NOT_FOUND,\n message: `No handler for intent: ${capsule.intent}`,\n },\n status: \"ERROR\",\n };\n }\n\n // Execute handler\n const handlerContext: CceHandlerContext = {\n capsule,\n executionContext,\n envelope,\n clientPublicKeyHex: clientKey.publicKeyHex,\n intent: capsule.intent,\n sub: capsule.sub,\n };\n\n let result: CceHandlerResult;\n const handlerStart = Date.now();\n try {\n result = await handler(decryptedPayload, handlerContext);\n } catch (err) {\n const handlerDuration = Date.now() - handlerStart;\n\n // Record failure witness\n const verification = extractVerificationState(sensorInput.metadata ?? {});\n const witness = buildWitnessRecord(\n envelope,\n capsule,\n verification,\n { status: \"FAILED\", handlerDurationMs: handlerDuration },\n {\n axisLocalSecret: config.axisLocalSecret,\n requestPayload: decryptedPayload,\n responseEncrypted: false,\n },\n );\n await config.witnessStore.record(witness);\n\n return {\n ok: false,\n error: {\n code: CCE_ERROR.HANDLER_EXECUTION_FAILED,\n message: \"Handler execution failed\",\n },\n status: \"FAILED\",\n };\n }\n const handlerDuration = Date.now() - handlerStart;\n\n // Encrypt response\n let responseEnvelope: CceResponseEnvelope;\n let responsePayloadHash: string;\n\n try {\n const responseResult = await buildCceResponse(\n {\n request: envelope,\n capsule,\n status: result.status,\n body: result.body,\n clientPublicKeyHex: clientKey.publicKeyHex,\n },\n config.clientKeyEncryptor,\n config.axisSigner,\n );\n responseEnvelope = responseResult.envelope;\n responsePayloadHash = responseResult.responsePayloadHash;\n } catch (err) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.RESPONSE_ENCRYPTION_FAILED,\n message: \"Response encryption failed\",\n },\n status: \"ERROR\",\n };\n }\n\n // Record witness\n const verification = extractVerificationState(sensorInput.metadata ?? {});\n const witness = buildWitnessRecord(\n envelope,\n capsule,\n verification,\n {\n status: result.status,\n handlerDurationMs: handlerDuration,\n effect: result.effect,\n },\n {\n axisLocalSecret: config.axisLocalSecret,\n requestPayload: decryptedPayload,\n responsePayload: result.body,\n responseEncrypted: true,\n },\n );\n await config.witnessStore.record(witness);\n\n return {\n ok: true,\n response: responseEnvelope,\n witnessId: witness.witness_id,\n };\n}\n","export class AxisError extends Error {\n constructor(\n public code: string,\n message: string,\n public httpStatus: number = 400,\n public details?: Record<string, any>,\n ) {\n super(message);\n this.name = 'AxisError';\n }\n}\n","/\n AXIS Scope Utilities\n * Validates capsule scopes against required resource access.\n * Prevents BOLA (Broken Object Level Authorization) attacks.\n /\n\n/\n Check if a capsule has the required scope.\n * Scopes use colon notation: resource:id or resource:\n \n * Examples:\n * - wallet:w_123\n * - merchant:m_456\n * - payment:\n /\nexport function hasScope(scopes: string[], required: string): boolean {\n if (!Array.isArray(scopes) \|\| scopes.length === 0) {\n return false;\n }\n\n // Exact match\n if (scopes.includes(required)) {\n return true;\n }\n\n // Wildcard match: resource:* matches resource:anything\n const [resource, id] = required.split(':');\n if (resource && id) {\n const wildcard = `${resource}:`;\n if (scopes.includes(wildcard)) {\n return true;\n }\n }\n\n return false;\n}\n\n/\n Extract resource type and ID from scope.\n /\nexport function parseScope(\n scope: string,\n): { resource: string; id: string } \| null {\n const parts = scope.split(':');\n if (parts.length !== 2) return null;\n return { resource: parts[0], id: parts[1] };\n}\n\n/\n Check if actor can access a specific resource based on capsule scopes.\n /\nexport function canAccessResource(\n scopes: string[],\n resourceType: string,\n resourceId: string,\n): boolean {\n const required = `${resourceType}:${resourceId}`;\n return hasScope(scopes, required);\n}\n","import { hasScope } from \"./scopes\";\n\nexport interface InlineCapsuleClaims {\n id?: string;\n actorId?: string;\n intents?: string[];\n issuedAt?: bigint;\n expiresAt?: bigint;\n realm?: string;\n node?: string;\n scopes?: string[];\n raw: Record<string, unknown>;\n}\n\nexport function normalizeInlineCapsule(\n input: unknown,\n): InlineCapsuleClaims \| null {\n if (!input \|\| typeof input !== \"object\" \|\| Array.isArray(input)) {\n return null;\n }\n\n const raw = input as Record<string, unknown>;\n const scopes = normalizeStringList(raw.scopes ?? raw.scope);\n\n return {\n id: normalizeScalar(raw.id),\n actorId: normalizeScalar(raw.actorId),\n intents: normalizeStringList(raw.intents),\n issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),\n expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),\n realm: normalizeScalar(raw.realm),\n node: normalizeScalar(raw.node),\n scopes,\n raw,\n };\n}\n\nexport function inlineCapsuleAllowsIntent(\n capsule: InlineCapsuleClaims,\n intent: string,\n): boolean {\n if (!capsule.intents \|\| capsule.intents.length === 0) {\n return false;\n }\n\n for (const pattern of capsule.intents) {\n if (pattern === \"\" \|\| pattern === intent) {\n return true;\n }\n\n if (pattern.endsWith(\".\")) {\n const prefix = pattern.slice(0, -1);\n if (intent.startsWith(prefix)) {\n return true;\n }\n }\n }\n\n return false;\n}\n\nexport function isInlineCapsuleExpired(\n capsule: InlineCapsuleClaims,\n clockSkewMs = 30000,\n): boolean {\n if (capsule.expiresAt === undefined) {\n return false;\n }\n\n return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);\n}\n\nexport function resolvePolicyScopes(\n scopes: string[],\n context: {\n body?: unknown;\n intent: string;\n actorId?: string;\n chainId?: string;\n stepId?: string;\n },\n): string[] {\n return scopes.map((scope) =>\n scope.replace(/\\$\\{([^}]+)\\}/g, (_match, expression: string) => {\n const resolved = resolveTemplateExpression(expression.trim(), context);\n if (resolved === undefined \|\| resolved === null \|\| resolved === \"\") {\n throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);\n }\n return String(resolved);\n }),\n );\n}\n\nexport function inlineCapsuleSatisfiesScopes(\n capsule: InlineCapsuleClaims,\n requiredScopes: string[],\n mode: \"all\" \| \"any\" = \"all\",\n): boolean {\n if (!capsule.scopes \|\| capsule.scopes.length === 0) {\n return false;\n }\n\n if (mode === \"any\") {\n return requiredScopes.some((scope) => hasScope(capsule.scopes!, scope));\n }\n\n return requiredScopes.every((scope) => hasScope(capsule.scopes!, scope));\n}\n\nfunction resolveTemplateExpression(\n expression: string,\n context: {\n body?: unknown;\n intent: string;\n actorId?: string;\n chainId?: string;\n stepId?: string;\n },\n): unknown {\n if (expression === \"intent\") {\n return context.intent;\n }\n\n if (expression === \"actorId\") {\n return context.actorId;\n }\n\n if (expression === \"chainId\") {\n return context.chainId;\n }\n\n if (expression === \"stepId\") {\n return context.stepId;\n }\n\n if (expression.startsWith(\"body.\")) {\n return getNestedValue(context.body, expression.slice(5));\n }\n\n return undefined;\n}\n\nfunction getNestedValue(value: unknown, path: string): unknown {\n if (!value \|\| typeof value !== \"object\") {\n return undefined;\n }\n\n return path.split(\".\").reduce<unknown>((current, segment) => {\n if (!current \|\| typeof current !== \"object\") {\n return undefined;\n }\n return (current as Record<string, unknown>)[segment];\n }, value);\n}\n\nfunction normalizeScalar(value: unknown): string \| undefined {\n if (typeof value === \"string\") {\n return value;\n }\n\n if (value instanceof Uint8Array) {\n return Buffer.from(value).toString(\"hex\");\n }\n\n return undefined;\n}\n\nfunction normalizeStringList(value: unknown): string[] \| undefined {\n if (!value) {\n return undefined;\n }\n\n const list = Array.isArray(value) ? value : [value];\n const normalized = list\n .map((entry) => (typeof entry === \"string\" ? entry : undefined))\n .filter((entry): entry is string => !!entry && entry.trim().length > 0);\n\n return normalized.length > 0 ? Array.from(new Set(normalized)) : undefined;\n}\n\nfunction normalizeTimestamp(value: unknown): bigint \| undefined {\n if (typeof value === \"bigint\") {\n return value;\n }\n\n if (typeof value === \"number\" && Number.isFinite(value)) {\n return BigInt(Math.trunc(value));\n }\n\n if (typeof value === \"string\" && value.trim().length > 0) {\n try {\n return BigInt(value);\n } catch {\n return undefined;\n }\n }\n\n return undefined;\n}","import { Injectable, Logger, Optional } from \"@nestjs/common\";\nimport { ModuleRef } from \"@nestjs/core\";\nimport {\n decodeChainEnvelope,\n decodeChainRequest,\n} from \"@nextera.one/axis-protocol\";\n\nimport {\n type CceHandler,\n type CcePipelineConfig,\n type CcePipelineResult,\n executeCcePipeline,\n} from \"../cce/cce-pipeline\";\nimport type { CceRequestEnvelope } from \"../cce/cce.types\";\nimport { AxisFrame } from \"../core/axis-bin\";\nimport { AxisError } from \"../core/axis-error\";\nimport {\n TLV_ACTOR_ID,\n TLV_CAPSULE,\n TLV_INTENT,\n TLV_NODE,\n TLV_PROOF_REF,\n TLV_REALM,\n} from \"../core/constants\";\nimport {\n CAPSULE_POLICY_METADATA_KEY,\n type CapsulePolicyOptions,\n mergeCapsulePolicyOptions,\n normalizeCapsulePolicyOptions,\n} from \"../decorators/capsule-policy.decorator\";\nimport { CHAIN_METADATA_KEY } from \"../decorators/chain.decorator\";\nimport {\n buildDtoDecoder,\n extractDtoSchema,\n} from \"../decorators/dto-schema.util\";\nimport { HANDLER_SENSORS_KEY } from \"../decorators/handler-sensors.decorator\";\nimport { HANDLER_METADATA_KEY } from \"../decorators/handler.decorator\";\nimport { INTENT_BODY_KEY } from \"../decorators/intent-body.decorator\";\nimport {\n AXIS_ANONYMOUS_KEY,\n AXIS_PUBLIC_KEY,\n AXIS_RATE_LIMIT_KEY,\n type AxisRateLimitConfig,\n CONTRACT_METADATA_KEY,\n type RequiredProofKind,\n REQUIRED_PROOF_METADATA_KEY,\n SENSITIVITY_METADATA_KEY,\n} from \"../decorators/intent-policy.decorator\";\nimport { INTENT_SENSORS_KEY } from \"../decorators/intent-sensors.decorator\";\nimport {\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentKind,\n IntentRoute,\n IntentTlvField,\n} from \"../decorators/intent.decorator\";\nimport {\n AxisObserverBinding,\n AxisObserverRef,\n OBSERVER_BINDINGS_KEY,\n} from \"../decorators/observer.decorator\";\nimport type { TlvValidatorFn } from \"../decorators/tlv-field.decorator\";\nimport {\n inlineCapsuleAllowsIntent,\n inlineCapsuleSatisfiesScopes,\n isInlineCapsuleExpired,\n normalizeInlineCapsule,\n resolvePolicyScopes,\n} from \"../security/inline-capsule\";\nimport {\n AxisSensor,\n normalizeSensorDecision,\n SensorInput,\n} from \"../sensor/axis-sensor\";\nimport {\n AxisChainEnvelope,\n AxisChainRequest,\n ChainOptions,\n RegisteredChainConfig,\n} from \"./axis-chain.types\";\nimport {\n getAxisExecutionContext,\n mergeAxisExecutionContext,\n withAxisExecutionContext,\n} from \"./axis-execution-context\";\nimport { ObserverDispatcherService } from \"./observer-dispatcher.service\";\n\nfunction observerRefKey(ref: AxisObserverRef): string {\n return typeof ref === \"string\" ? ref : ref.name;\n}\n\nfunction mergeObserverBindings(\n bindings: AxisObserverBinding[],\n): AxisObserverBinding[] {\n const merged = new Map<string, AxisObserverBinding>();\n\n for (const binding of bindings) {\n for (const ref of binding.refs) {\n const key = observerRefKey(ref);\n const existing = merged.get(key);\n if (!existing) {\n merged.set(key, {\n refs: [ref],\n tags: binding.tags ? [...new Set(binding.tags)] : undefined,\n events: binding.events ? [...new Set(binding.events)] : undefined,\n });\n continue;\n }\n\n existing.tags = Array.from(\n new Set([...(existing.tags \|\| []), ...(binding.tags \|\| [])]),\n );\n existing.events =\n existing.events === undefined \|\| binding.events === undefined\n ? undefined\n : Array.from(new Set([...existing.events, ...binding.events]));\n }\n }\n\n return Array.from(merged.values());\n}\n\nfunction normalizeChainConfig(\n decoratorConfig?: RegisteredChainConfig,\n intentConfig?: boolean \| ChainOptions,\n): RegisteredChainConfig \| undefined {\n if (decoratorConfig) {\n return decoratorConfig;\n }\n\n if (!intentConfig) {\n return undefined;\n }\n\n if (intentConfig === true) {\n return { enabled: true };\n }\n\n return {\n enabled: true,\n ...intentConfig,\n };\n}\n\nexport interface IntentSchema {\n intent: string;\n version: number;\n bodyProfile: \"TLV_MAP\" \| \"RAW\" \| \"TLV_OBJ\" \| \"TLV_ARR\";\n fields: Array<{\n name: string;\n tlv: number;\n kind: IntentTlvField[\"kind\"];\n required?: boolean;\n maxLen?: number;\n max?: string;\n scope?: \"header\" \| \"body\";\n }>;\n}\n\n/\n Represents the outcome of an AXIS intent execution.\n \n @interface AxisEffect\n /\nexport interface AxisEffect {\n /* Whether the intent was processed successfully at the application level /\n ok: boolean;\n /* A descriptive string classifier for the result (e.g., 'FILE_CREATED', 'PONG') /\n effect: string;\n /* Optional binary payload (body) to be returned to the requester /\n body?: Uint8Array;\n /* Optional custom TLV headers to be included in the response frame /\n headers?: Map<number, Uint8Array>;\n /* Optional metadata for internal logging or audit (not sent to client) /\n metadata?: any;\n}\n\n/\n IntentRouter\n \n The central dispatching mechanism of the AXIS backend.\n * Maps binary intents (identified by their name in the header) to specialized handlers.\n \n Features:\n * 1. Built-in Fast Path: Handles high-frequency system intents (ping, time, echo) directly.\n * 2. Dynamic Handler Registration: Allows modules to register handlers at runtime.\n * 3. Decorator-driven Registration: Uses {@link registerHandler} to auto-register `@Intent`-decorated methods.\n * 4. Polymorphic Handlers: Supports both raw function handlers and object-based `{ handle }` handlers.\n \n @class IntentRouter\n /\n@Injectable()\nexport class IntentRouter {\n private readonly logger = new Logger(IntentRouter.name);\n private readonly decoder = new TextDecoder();\n private readonly encoder = new TextEncoder();\n\n /* Intents handled inline in route() — not in `handlers` map /\n private static readonly BUILTIN_INTENTS = new Set([\n \"system.ping\",\n \"public.ping\",\n \"system.time\",\n \"system.echo\",\n \"CHAIN.EXEC\",\n \"axis.chain.exec\",\n \"INTENT.EXEC\",\n \"axis.intent.exec\",\n ]);\n\n /* Internal registry of dynamic intent handlers /\n private handlers = new Map<string, any>();\n\n /* Per-intent sensor classes (resolved at call time) /\n private intentSensors = new Map<string, Function[]>();\n\n /* Per-intent body decoders /\n private intentDecoders = new Map<string, (buf: Buffer) => any>();\n\n /* Per-intent TLV schemas /\n private intentSchemas = new Map<string, IntentSchema>();\n\n /* Per-intent custom validators /\n private intentValidators = new Map<string, Map<number, TlvValidatorFn[]>>();\n\n /* Per-intent operation kind /\n private intentKinds = new Map<string, IntentKind>();\n\n /* Per-intent chain configuration /\n private intentChains = new Map<string, RegisteredChainConfig>();\n\n /* Per-intent observer bindings /\n private intentObservers = new Map<string, AxisObserverBinding[]>();\n\n /* Per-intent capsule policies /\n private intentCapsulePolicies = new Map<string, CapsulePolicyOptions>();\n\n /* Per-intent sensitivity level /\n private intentSensitivity = new Map<string, string>();\n\n /* Per-intent execution contract overrides /\n private intentContracts = new Map<string, Record<string, any>>();\n\n /* Per-intent required proof kinds /\n private intentRequiredProof = new Map<string, RequiredProofKind[]>();\n\n /* Intents flagged as public (no auth required) /\n private publicIntents = new Set<string>();\n\n /* Intents flagged as anonymous-session accessible /\n private anonymousIntents = new Set<string>();\n\n /* Per-intent rate limit config /\n private intentRateLimits = new Map<string, AxisRateLimitConfig>();\n\n /* CCE handler registry /\n private cceHandlers = new Map<string, CceHandler>();\n\n /* CCE pipeline configuration (set via configureCce) /\n private ccePipelineConfig: Omit<CcePipelineConfig, \"handlers\"> \| null = null;\n\n constructor(\n @Optional() private readonly moduleRef?: ModuleRef,\n @Optional()\n private readonly observerDispatcher?: ObserverDispatcherService,\n ) {}\n\n getSchema(intent: string): IntentSchema \| undefined {\n return this.intentSchemas.get(intent);\n }\n\n getValidators(intent: string): Map<number, TlvValidatorFn[]> \| undefined {\n return this.intentValidators.get(intent);\n }\n\n has(intent: string): boolean {\n return (\n this.handlers.has(intent) \|\| IntentRouter.BUILTIN_INTENTS.has(intent)\n );\n }\n\n getRegisteredIntents(): string[] {\n return [...IntentRouter.BUILTIN_INTENTS, ...this.handlers.keys()];\n }\n\n getIntentEntry(intent: string): {\n schema?: IntentSchema;\n validators?: Map<number, TlvValidatorFn[]>;\n hasSensors: boolean;\n builtin: boolean;\n kind?: IntentKind;\n chain?: RegisteredChainConfig;\n capsulePolicy?: CapsulePolicyOptions;\n observerCount: number;\n } \| null {\n if (!this.has(intent)) return null;\n return {\n schema: this.intentSchemas.get(intent),\n validators: this.intentValidators.get(intent),\n hasSensors: this.intentSensors.has(intent),\n builtin: IntentRouter.BUILTIN_INTENTS.has(intent),\n kind: this.intentKinds.get(intent),\n chain: this.intentChains.get(intent),\n capsulePolicy: this.intentCapsulePolicies.get(intent),\n observerCount: this.getObservers(intent).length,\n };\n }\n\n getChainConfig(intent: string): RegisteredChainConfig \| undefined {\n return this.intentChains.get(intent);\n }\n\n getObservers(intent: string): AxisObserverBinding[] {\n return this.intentObservers.get(intent) \|\| [];\n }\n\n /\n Registers a handler for a specific intent.\n * Handlers can be functions: `(body, headers) => Promise<Uint8Array \| AxisEffect>`\n * Or objects with a method: `handle(frame: AxisFrame) => Promise<AxisEffect>`\n \n @param {string} intent - The unique intent identifier (e.g., 'axis.vault.create')\n * @param {any} handler - The handler function or object\n /\n register(intent: string, handler: any) {\n this.handlers.set(intent, handler);\n }\n\n /\n Automatically registers all `@Intent`-decorated methods from a handler instance.\n \n Reads the handler prefix from `@Handler` metadata (or falls back to `instance.name`),\n * then registers each `@Intent`-decorated method accordingly.\n \n @param {any} instance - The handler instance with `@Intent`-decorated methods\n /\n registerHandler(instance: any) {\n const handlerMeta = Reflect.getMetadata(\n HANDLER_METADATA_KEY,\n instance.constructor,\n );\n const prefix: string \| undefined = handlerMeta?.intent \|\| instance.name;\n\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, instance.constructor) \|\| [];\n const routedMethods = new Set(\n routes.map((route) => String(route.methodName)),\n );\n\n // Read @HandlerSensors from the class (if any)\n const handlerSensors: Function[] =\n Reflect.getMetadata(HANDLER_SENSORS_KEY, instance.constructor) \|\| [];\n const handlerObservers: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, instance.constructor) \|\| [];\n\n const proto = Object.getPrototypeOf(instance);\n\n for (const route of routes) {\n const intentName = route.absolute\n ? route.action\n : `${prefix}.${route.action}`;\n const fn = instance[route.methodName].bind(instance);\n\n if (route.frame) {\n this.register(intentName, { handle: fn });\n } else {\n this.register(intentName, fn);\n }\n\n this.registerIntentMeta(\n intentName,\n proto,\n String(route.methodName),\n handlerSensors,\n handlerObservers,\n );\n }\n\n for (const key of Object.getOwnPropertyNames(proto)) {\n if (routedMethods.has(key)) continue;\n\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, key);\n if (!meta?.intent) continue;\n\n const intentName = meta.absolute\n ? meta.intent\n : `${prefix}.${meta.intent}`;\n\n if (!this.handlers.has(intentName)) {\n this.register(intentName, (instance as any)[key].bind(instance));\n }\n\n this.registerIntentMeta(\n intentName,\n proto,\n key,\n handlerSensors,\n handlerObservers,\n );\n }\n }\n\n /\n Routes a decoded AXIS frame to the appropriate handler.\n \n Precedence:\n * 1. System Built-ins (`system.ping`, `public.ping`, `system.time`, `system.echo`)\n * 2. Meta-intent execution (`INTENT.EXEC` / `axis.intent.exec`)\n * 3. Dynamically registered handlers from modules.\n \n @param {AxisFrame} frame - The validated and decoded binary frame\n * @returns {Promise<AxisEffect>} The resulting effect of the execution\n * @throws {Error} If the intent header is missing or no handler is registered\n /\n async route(frame: AxisFrame): Promise<AxisEffect> {\n const start = process.hrtime();\n let intent = \"unknown\";\n\n try {\n const intentBytes = frame.headers.get(TLV_INTENT);\n if (!intentBytes) throw new Error(\"Missing intent\");\n intent = this.decoder.decode(intentBytes);\n const observerBindings = this.getObservers(intent);\n\n await this.emitIntentObservers(observerBindings, {\n event: \"intent.received\",\n timestamp: Date.now(),\n intent,\n frame,\n });\n\n let effect: AxisEffect;\n\n if (intent === \"system.ping\" \|\| intent === \"public.ping\") {\n this.logger.debug(\"PING received\");\n effect = {\n ok: true,\n effect: \"pong\",\n headers: new Map([\n [100, new TextEncoder().encode(\"AXIS_BACKEND_V1\")],\n ]),\n body: new TextEncoder().encode(\n JSON.stringify({\n status: \"ok\",\n timestamp: new Date().toISOString(),\n version: \"1.0.0\",\n }),\n ),\n };\n } else if (intent === \"system.time\") {\n const ts = Date.now().toString();\n effect = {\n ok: true,\n effect: \"time\",\n body: new TextEncoder().encode(\n JSON.stringify({\n ts,\n iso: new Date().toISOString(),\n }),\n ),\n };\n } else if (intent === \"system.echo\") {\n effect = {\n ok: true,\n effect: \"echo\",\n body: frame.body,\n };\n } else if (intent === \"CHAIN.EXEC\" \|\| intent === \"axis.chain.exec\") {\n const chainRequest = this.parseChainRequestBody(frame.body);\n effect = await this.executeChainRequest(frame, chainRequest);\n } else if (intent === \"INTENT.EXEC\" \|\| intent === \"axis.intent.exec\") {\n const execBody = this.parseIntentExecBody(frame.body);\n const innerIntent = execBody.intent;\n const innerArgs = execBody.args \|\| {};\n\n if (!innerIntent) {\n throw new Error(\"INTENT.EXEC missing inner intent\");\n }\n\n this.logger.debug(`EXEC: routing to inner intent '${innerIntent}'`);\n\n const innerHeaders = new Map(frame.headers);\n innerHeaders.set(TLV_INTENT, this.encoder.encode(innerIntent));\n\n const inlineCapsule = this.toInlineCapsuleRecord(execBody.capsule);\n const capsuleId = this.extractInlineCapsuleId(inlineCapsule);\n if (capsuleId) {\n innerHeaders.set(TLV_CAPSULE, this.encoder.encode(capsuleId));\n innerHeaders.set(TLV_PROOF_REF, this.encoder.encode(capsuleId));\n }\n\n const innerFrame = withAxisExecutionContext(\n {\n ...frame,\n headers: innerHeaders,\n body: this.encodeJson(innerArgs),\n },\n mergeAxisExecutionContext(getAxisExecutionContext(frame), {\n metaIntent: \"INTENT.EXEC\",\n actorId: this.getActorIdFromFrame(frame),\n inlineCapsule,\n }) \|\| {},\n );\n\n effect = await this.route(innerFrame);\n } else {\n const handler = this.handlers.get(intent);\n if (!handler) {\n throw new Error(`Intent not found: ${intent}`);\n }\n\n const sensorClasses = this.intentSensors.get(intent);\n if (sensorClasses && sensorClasses.length > 0) {\n await this.runIntentSensors(sensorClasses, intent, frame);\n }\n\n const decoder = this.intentDecoders.get(intent);\n let decodedBody: any = frame.body;\n if (decoder) {\n try {\n decodedBody = decoder(Buffer.from(frame.body));\n } catch (decodeErr: any) {\n throw new Error(\n `IntentBody decode failed for ${intent}: ${decodeErr.message}`,\n );\n }\n }\n\n this.enforceCapsulePolicy(\n intent,\n frame,\n decodedBody,\n this.getEffectiveCapsulePolicy(intent, frame),\n );\n\n if (typeof handler === \"function\") {\n const resultBody = decoder\n ? await handler(decodedBody, frame.headers)\n : await handler(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: \"complete\",\n body: resultBody,\n };\n } else {\n if (typeof (handler as any).handle === \"function\") {\n effect = await (handler as any).handle(frame);\n } else if (typeof (handler as any).execute === \"function\") {\n const bodyRes = decoder\n ? await (handler as any).execute(decodedBody, frame.headers)\n : await (handler as any).execute(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: \"complete\",\n body: bodyRes,\n };\n } else {\n throw new Error(\n `Handler for ${intent} does not implement handle or execute`,\n );\n }\n }\n }\n\n await this.emitIntentObservers(observerBindings, {\n event: \"intent.completed\",\n timestamp: Date.now(),\n intent,\n frame,\n effect,\n metadata: effect.metadata,\n });\n\n this.logIntent(intent, start, true);\n return effect;\n } catch (e: any) {\n await this.emitIntentObservers(this.getObservers(intent), {\n event: \"intent.failed\",\n timestamp: Date.now(),\n intent,\n frame,\n error: e.message,\n });\n this.logIntent(intent, start, false, e.message);\n throw e;\n }\n }\n\n private logIntent(\n intent: string,\n start: [number, number],\n ok: boolean,\n error?: string,\n ) {\n const diff = process.hrtime(start);\n const ms = (diff[0] 1e3 + diff[1] / 1e6).toFixed(2);\n if (ok) {\n this.logger.debug(`${intent} completed in ${ms}ms`);\n } else {\n this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);\n }\n }\n\n registerIntentMeta(\n intent: string,\n proto: object,\n methodName: string,\n handlerSensors?: Function[],\n handlerObservers?: AxisObserverBinding[],\n ): void {\n const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);\n if (decoder) {\n this.intentDecoders.set(intent, decoder);\n }\n\n const intentSensors = Reflect.getMetadata(\n INTENT_SENSORS_KEY,\n proto,\n methodName,\n );\n const combined = [\n ...(handlerSensors \|\| []),\n ...(Array.isArray(intentSensors) ? intentSensors : []),\n ];\n if (combined.length > 0) {\n this.intentSensors.set(intent, combined);\n }\n\n const methodObservers: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, proto, methodName) \|\| [];\n const observers = mergeObserverBindings([\n ...(handlerObservers \|\| []),\n ...methodObservers,\n ]);\n if (observers.length > 0) {\n this.intentObservers.set(intent, observers);\n }\n\n const handlerCapsulePolicy = Reflect.getMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n proto.constructor,\n ) as CapsulePolicyOptions \| undefined;\n const methodCapsulePolicy = Reflect.getMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n proto,\n methodName,\n ) as CapsulePolicyOptions \| undefined;\n const capsulePolicy = mergeCapsulePolicyOptions(\n handlerCapsulePolicy,\n methodCapsulePolicy,\n );\n if (capsulePolicy) {\n this.intentCapsulePolicies.set(intent, capsulePolicy);\n }\n\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);\n if (meta) {\n this.storeSchema({ ...meta, intent });\n if (meta.kind) {\n this.intentKinds.set(intent, meta.kind);\n }\n\n const chainMeta = Reflect.getMetadata(\n CHAIN_METADATA_KEY,\n proto,\n methodName,\n ) as RegisteredChainConfig \| undefined;\n const chainConfig = normalizeChainConfig(chainMeta, meta.chain);\n if (chainConfig) {\n this.intentChains.set(intent, chainConfig);\n }\n }\n\n // ── @Sensitivity ────────────────────────────────────────────────────────\n const methodSensitivity: string \| undefined = Reflect.getMetadata(\n SENSITIVITY_METADATA_KEY,\n proto,\n methodName,\n );\n const classSensitivity: string \| undefined = Reflect.getMetadata(\n SENSITIVITY_METADATA_KEY,\n proto.constructor,\n );\n const sensitivity = methodSensitivity ?? classSensitivity;\n if (sensitivity) {\n this.intentSensitivity.set(intent, sensitivity);\n }\n\n // ── @Contract ───────────────────────────────────────────────────────────\n const methodContract: Record<string, any> \| undefined = Reflect.getMetadata(\n CONTRACT_METADATA_KEY,\n proto,\n methodName,\n );\n const classContract: Record<string, any> \| undefined = Reflect.getMetadata(\n CONTRACT_METADATA_KEY,\n proto.constructor,\n );\n const contract = methodContract ?? classContract;\n if (contract) {\n this.intentContracts.set(intent, contract);\n }\n\n // ── @RequiredProof / @Capsule / @Witness ─────────────────────────────────\n const methodProof: RequiredProofKind[] \| undefined = Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proto,\n methodName,\n );\n const classProof: RequiredProofKind[] \| undefined = Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proto.constructor,\n );\n const requiredProof = methodProof ?? classProof;\n if (requiredProof && requiredProof.length > 0) {\n this.intentRequiredProof.set(intent, requiredProof);\n }\n\n // ── @AxisPublic ──────────────────────────────────────────────────────────\n const isPublicMethod: boolean \| undefined = Reflect.getMetadata(\n AXIS_PUBLIC_KEY,\n proto,\n methodName,\n );\n const isPublicClass: boolean \| undefined = Reflect.getMetadata(\n AXIS_PUBLIC_KEY,\n proto.constructor,\n );\n if (isPublicMethod \|\| isPublicClass) {\n this.publicIntents.add(intent);\n }\n\n // ── @AxisAnonymous ───────────────────────────────────────────────────────\n const isAnonMethod: boolean \| undefined = Reflect.getMetadata(\n AXIS_ANONYMOUS_KEY,\n proto,\n methodName,\n );\n const isAnonClass: boolean \| undefined = Reflect.getMetadata(\n AXIS_ANONYMOUS_KEY,\n proto.constructor,\n );\n if (isAnonMethod \|\| isAnonClass) {\n this.anonymousIntents.add(intent);\n }\n\n // ── @AxisRateLimit ───────────────────────────────────────────────────────\n const rateLimit: AxisRateLimitConfig \| undefined = Reflect.getMetadata(\n AXIS_RATE_LIMIT_KEY,\n proto,\n methodName,\n );\n if (rateLimit) {\n this.intentRateLimits.set(intent, rateLimit);\n }\n }\n\n // ─── Policy Getters ────────────────────────────────────────────────────────\n\n getSensitivity(intent: string): string \| undefined {\n return this.intentSensitivity.get(intent);\n }\n\n getContract(intent: string): Record<string, any> \| undefined {\n return this.intentContracts.get(intent);\n }\n\n getRequiredProof(intent: string): RequiredProofKind[] \| undefined {\n return this.intentRequiredProof.get(intent);\n }\n\n isPublic(intent: string): boolean {\n return this.publicIntents.has(intent);\n }\n\n isAnonymous(intent: string): boolean {\n return this.anonymousIntents.has(intent);\n }\n\n getRateLimit(intent: string): AxisRateLimitConfig \| undefined {\n return this.intentRateLimits.get(intent);\n }\n\n private async emitIntentObservers(\n bindings: AxisObserverBinding[],\n context: Parameters<ObserverDispatcherService[\"dispatch\"]>[1],\n ): Promise<void> {\n if (!this.observerDispatcher \|\| bindings.length === 0) return;\n await this.observerDispatcher.dispatch(bindings, context);\n }\n\n private async runIntentSensors(\n sensorClasses: Function[],\n intent: string,\n frame: AxisFrame,\n ): Promise<void> {\n if (!this.moduleRef) return;\n\n for (const SensorClass of sensorClasses) {\n let sensor: AxisSensor;\n try {\n sensor = this.moduleRef.get(SensorClass as any, { strict: false });\n } catch {\n this.logger.warn(\n `@IntentSensors: could not resolve ${SensorClass.name} for ${intent}`,\n );\n continue;\n }\n\n const sensorInput: SensorInput = {\n rawBytes: frame.body,\n intent,\n body: frame.body,\n headerTLVs: frame.headers as any,\n metadata: { phase: \"intent\", intent },\n };\n\n if (sensor.supports && !sensor.supports(sensorInput)) continue;\n\n const decision = normalizeSensorDecision(await sensor.run(sensorInput));\n if (!decision.allow) {\n const reason = decision.reasons[0] \|\| `${sensor.name}:DENIED`;\n this.logger.warn(\n `Intent sensor ${sensor.name} denied ${intent}: ${reason}`,\n );\n throw new Error(`SENSOR_DENY:${reason}`);\n }\n }\n }\n\n private getEffectiveCapsulePolicy(\n intent: string,\n frame: AxisFrame,\n ): CapsulePolicyOptions \| undefined {\n const registeredPolicy = this.intentCapsulePolicies.get(intent);\n const chainConfig = this.intentChains.get(intent);\n const executionContext = getAxisExecutionContext(frame);\n\n const derivedScopes = Array.from(\n new Set([\n ...this.toScopeList(chainConfig?.capsuleScope),\n ...this.toScopeList(executionContext?.capsuleRef?.scope),\n ...this.toScopeList(executionContext?.chainStep?.capsuleScope),\n ]),\n );\n\n const requiresCapsule =\n chainConfig?.proofRequired \|\|\n executionContext?.capsuleRef?.proofRequired \|\|\n executionContext?.chainStep?.proofRequired \|\|\n executionContext?.chainEnvelope?.capsule?.proofRequired \|\|\n derivedScopes.length > 0;\n\n const derivedPolicy = requiresCapsule\n ? normalizeCapsulePolicyOptions({\n required: true,\n scopes: derivedScopes.length > 0 ? derivedScopes : undefined,\n })\n : undefined;\n\n return mergeCapsulePolicyOptions(registeredPolicy, derivedPolicy);\n }\n\n private enforceCapsulePolicy(\n intent: string,\n frame: AxisFrame,\n body: unknown,\n policy?: CapsulePolicyOptions,\n ): void {\n const executionContext = getAxisExecutionContext(frame);\n const inlineCapsuleRecord = this.toInlineCapsuleRecord(\n executionContext?.inlineCapsule,\n );\n const inlineCapsule = normalizeInlineCapsule(inlineCapsuleRecord);\n const normalizedPolicy = policy\n ? normalizeCapsulePolicyOptions(policy)\n : undefined;\n\n if (!inlineCapsule) {\n if (normalizedPolicy?.required) {\n if (\n normalizedPolicy.allowCapsuleRef &&\n this.hasCapsuleReference(frame) &&\n this.toScopeList(normalizedPolicy.scopes).length === 0 &&\n normalizedPolicy.intentBound === false\n ) {\n return;\n }\n\n throw new AxisError(\n this.hasCapsuleReference(frame)\n ? \"CAPSULE_CLAIMS_REQUIRED\"\n : \"CAPSULE_REQUIRED\",\n `Intent ${intent} requires an inline capsule for policy enforcement`,\n 403,\n { intent },\n );\n }\n\n return;\n }\n\n if (isInlineCapsuleExpired(inlineCapsule)) {\n throw new AxisError(\n \"CAPSULE_EXPIRED\",\n `Capsule for ${intent} is expired`,\n 403,\n { intent, capsuleId: inlineCapsule.id },\n );\n }\n\n const actorId =\n this.getActorIdFromFrame(frame) \|\| executionContext?.actorId;\n if (\n actorId &&\n inlineCapsule.actorId &&\n !this.identifiersMatch(actorId, inlineCapsule.actorId)\n ) {\n throw new AxisError(\n \"CAPSULE_ACTOR_MISMATCH\",\n `Capsule actor does not match request actor for ${intent}`,\n 403,\n {\n intent,\n actorId,\n capsuleActorId: inlineCapsule.actorId,\n },\n );\n }\n\n const proofRef = this.getProofRefFromFrame(frame);\n if (\n proofRef &&\n inlineCapsule.id &&\n !this.identifiersMatch(proofRef, inlineCapsule.id)\n ) {\n throw new AxisError(\n \"CAPSULE_REF_MISMATCH\",\n `Capsule reference does not match request proof for ${intent}`,\n 403,\n {\n intent,\n proofRef,\n capsuleId: inlineCapsule.id,\n },\n );\n }\n\n const realm = this.getHeaderValue(frame, TLV_REALM);\n if (realm && inlineCapsule.realm && realm !== inlineCapsule.realm) {\n throw new AxisError(\n \"CAPSULE_REALM_MISMATCH\",\n `Capsule realm does not match request realm for ${intent}`,\n 403,\n { intent, realm, capsuleRealm: inlineCapsule.realm },\n );\n }\n\n const node = this.getHeaderValue(frame, TLV_NODE);\n if (node && inlineCapsule.node && node !== inlineCapsule.node) {\n throw new AxisError(\n \"CAPSULE_NODE_MISMATCH\",\n `Capsule node does not match request node for ${intent}`,\n 403,\n { intent, node, capsuleNode: inlineCapsule.node },\n );\n }\n\n const shouldCheckIntent = normalizedPolicy?.intentBound ?? true;\n if (\n shouldCheckIntent &&\n !inlineCapsuleAllowsIntent(inlineCapsule, intent)\n ) {\n throw new AxisError(\n \"CAPSULE_DENIED\",\n `Capsule does not authorize ${intent}`,\n 403,\n {\n intent,\n capsuleId: inlineCapsule.id,\n allowedIntents: inlineCapsule.intents,\n },\n );\n }\n\n const requiredScopes = this.toScopeList(normalizedPolicy?.scopes);\n if (requiredScopes.length === 0) {\n return;\n }\n\n let resolvedScopes: string[];\n try {\n resolvedScopes = resolvePolicyScopes(requiredScopes, {\n body,\n intent,\n actorId,\n chainId: executionContext?.chainEnvelope?.chainId,\n stepId: executionContext?.chainStep?.stepId,\n });\n } catch (error: any) {\n this.logger.error(`Scope template error for ${intent}: ${error.message}`);\n throw new AxisError(\n \"CAPSULE_SCOPE_TEMPLATE_UNRESOLVED\",\n \"Scope policy validation failed\",\n 400,\n { intent },\n );\n }\n\n if (\n !inlineCapsuleSatisfiesScopes(\n inlineCapsule,\n resolvedScopes,\n normalizedPolicy?.scopeMode ?? \"all\",\n )\n ) {\n throw new AxisError(\n \"SCOPE_MISMATCH\",\n `Capsule scopes do not satisfy ${intent}`,\n 403,\n {\n intent,\n requiredScopes: resolvedScopes,\n availableScopes: inlineCapsule.scopes \|\| [],\n },\n );\n }\n }\n\n private async executeChainRequest(\n frame: AxisFrame,\n request: AxisChainRequest<unknown, Record<string, unknown>>,\n ): Promise<AxisEffect> {\n const { AxisChainExecutor } = await import(\"./axis-chain.executor\");\n const headerActorId = this.getActorIdFromFrame(frame);\n if (\n request.actorId &&\n headerActorId &&\n !this.identifiersMatch(request.actorId, headerActorId)\n ) {\n throw new AxisError(\n \"ACTOR_MISMATCH\",\n \"CHAIN.EXEC actorId conflicts with authenticated frame identity\",\n 403,\n );\n }\n const actorId = headerActorId \|\| request.actorId;\n const inlineCapsule = this.toInlineCapsuleRecord(request.capsule);\n const capsuleId = this.extractInlineCapsuleId(inlineCapsule);\n const headers = new Map(frame.headers);\n\n if (capsuleId) {\n headers.set(TLV_CAPSULE, this.encoder.encode(capsuleId));\n headers.set(TLV_PROOF_REF, this.encoder.encode(capsuleId));\n }\n\n const baseFrame = withAxisExecutionContext(\n {\n ...frame,\n headers,\n },\n mergeAxisExecutionContext(getAxisExecutionContext(frame), {\n metaIntent: \"CHAIN.EXEC\",\n actorId,\n inlineCapsule,\n capsuleRef: request.envelope.capsule,\n chainEnvelope: request.envelope,\n }) \|\| {},\n );\n\n const executor = new AxisChainExecutor(this, this.observerDispatcher);\n const result = await executor.execute(request.envelope, {\n actorId,\n baseFrame,\n });\n\n return {\n ok: result.status !== \"FAILED\",\n effect: \"chain.complete\",\n body: this.encodeJson(result),\n metadata: {\n chainId: result.chainId,\n status: result.status,\n },\n };\n }\n\n private parseIntentExecBody(bytes: Uint8Array): {\n intent: string;\n args?: unknown;\n capsule?: Record<string, unknown>;\n execNonce?: string;\n } {\n try {\n return JSON.parse(this.decoder.decode(bytes));\n } catch (error: any) {\n throw new Error(`INTENT.EXEC unwrapping failed: ${error.message}`);\n }\n }\n\n private parseChainRequestBody(\n bytes: Uint8Array,\n ): AxisChainRequest<unknown, Record<string, unknown>> {\n let jsonError: Error \| undefined;\n\n try {\n const parsed = JSON.parse(this.decoder.decode(bytes));\n if (this.isChainRequestLike(parsed)) {\n return {\n envelope: parsed.envelope,\n capsule: this.toInlineCapsuleRecord(parsed.capsule),\n actorId:\n typeof parsed.actorId === \"string\" ? parsed.actorId : undefined,\n };\n }\n\n if (this.isChainEnvelopeLike(parsed)) {\n return { envelope: parsed };\n }\n } catch (error: any) {\n jsonError = error;\n }\n\n try {\n const decoded = decodeChainRequest<unknown, Record<string, unknown>>(\n bytes,\n );\n return {\n envelope: decoded.envelope,\n capsule: this.toInlineCapsuleRecord(decoded.capsule),\n actorId: decoded.actorId,\n };\n } catch (requestError: any) {\n try {\n return {\n envelope: decodeChainEnvelope(bytes) as AxisChainEnvelope,\n };\n } catch (envelopeError: any) {\n const reason = [\n jsonError?.message,\n requestError.message,\n envelopeError.message,\n ]\n .filter(Boolean)\n .join(\" \| \");\n throw new Error(`CHAIN.EXEC decode failed: ${reason}`);\n }\n }\n }\n\n private isChainRequestLike(\n value: unknown,\n ): value is AxisChainRequest<unknown, Record<string, unknown>> {\n return (\n !!value &&\n typeof value === \"object\" &&\n \"envelope\" in value &&\n this.isChainEnvelopeLike((value as Record<string, unknown>).envelope)\n );\n }\n\n private isChainEnvelopeLike(value: unknown): value is AxisChainEnvelope {\n return (\n !!value &&\n typeof value === \"object\" &&\n typeof (value as Record<string, unknown>).chainId === \"string\" &&\n Array.isArray((value as Record<string, unknown>).steps)\n );\n }\n\n private encodeJson(value: unknown): Uint8Array {\n return this.encoder.encode(JSON.stringify(value));\n }\n\n private getActorIdFromFrame(frame: AxisFrame): string \| undefined {\n return this.getHeaderValue(frame, TLV_ACTOR_ID);\n }\n\n private getProofRefFromFrame(frame: AxisFrame): string \| undefined {\n return (\n this.getHeaderValue(frame, TLV_PROOF_REF) \|\|\n this.getHeaderValue(frame, TLV_CAPSULE)\n );\n }\n\n private hasCapsuleReference(frame: AxisFrame): boolean {\n return !!this.getProofRefFromFrame(frame);\n }\n\n private getHeaderValue(frame: AxisFrame, tag: number): string \| undefined {\n const value = frame.headers.get(tag);\n if (!value \|\| value.length === 0) {\n return undefined;\n }\n\n const decoded = this.decoder.decode(value);\n if (/^[\\x20-\\x7e]+$/.test(decoded)) {\n return decoded;\n }\n\n return Buffer.from(value).toString(\"hex\");\n }\n\n private identifiersMatch(left: string, right: string): boolean {\n const normalize = (value: string) =>\n /^[0-9a-f]+$/i.test(value) ? value.toLowerCase() : value;\n return normalize(left) === normalize(right);\n }\n\n private extractInlineCapsuleId(\n capsule?: Record<string, unknown>,\n ): string \| undefined {\n const id = capsule?.id;\n return typeof id === \"string\" && id.length > 0 ? id : undefined;\n }\n\n private toInlineCapsuleRecord(\n value: unknown,\n ): Record<string, unknown> \| undefined {\n if (!value \|\| typeof value !== \"object\" \|\| Array.isArray(value)) {\n return undefined;\n }\n\n return value as Record<string, unknown>;\n }\n\n private toScopeList(value?: string \| string[]): string[] {\n if (!value) {\n return [];\n }\n\n return Array.isArray(value) ? value : [value];\n }\n\n // ===========================================================================\n // CCE — Capsule-Carried Encryption Support\n // ===========================================================================\n\n /*\n Configure the CCE pipeline.\n * Must be called before routeCce() can process encrypted requests.\n /\n configureCce(config: Omit<CcePipelineConfig, \"handlers\">): void {\n this.ccePipelineConfig = config;\n this.logger.log(\"CCE pipeline configured\");\n }\n\n /\n Register a CCE-encrypted intent handler.\n * CCE handlers receive decrypted payloads and execution context.\n /\n registerCceHandler(intent: string, handler: CceHandler): void {\n this.cceHandlers.set(intent, handler);\n this.logger.debug(`CCE handler registered: ${intent}`);\n }\n\n /\n Check if a CCE handler exists for the given intent.\n /\n hasCceHandler(intent: string): boolean {\n return this.cceHandlers.has(intent);\n }\n\n /\n Route a CCE-encrypted request through the full pipeline.\n \n Steps:\n * 1. Sensor chain (envelope validation → capsule verification → replay → decrypt)\n * 2. Execution context derivation\n * 3. Handler execution\n * 4. Response encryption\n * 5. Witness recording\n /\n async routeCce(envelope: CceRequestEnvelope): Promise<CcePipelineResult> {\n if (!this.ccePipelineConfig) {\n return {\n ok: false,\n error: {\n code: \"CCE_NOT_CONFIGURED\",\n message: \"CCE pipeline not configured. Call configureCce() first.\",\n },\n status: \"ERROR\",\n };\n }\n\n const config: CcePipelineConfig = {\n ...this.ccePipelineConfig,\n handlers: this.cceHandlers,\n };\n\n return executeCcePipeline(envelope, config);\n }\n\n private storeSchema(meta: {\n intent: string;\n tlv?: IntentTlvField[];\n dto?: Function;\n bodyProfile?: \"TLV_MAP\" \| \"RAW\" \| \"TLV_OBJ\" \| \"TLV_ARR\";\n kind?: IntentKind;\n }): void {\n if (meta.dto) {\n if (meta.tlv && meta.tlv.length > 0) {\n this.logger.warn(\n `${meta.intent}: both 'dto' and 'tlv' specified - using dto, ignoring tlv`,\n );\n }\n\n const extracted = extractDtoSchema(meta.dto);\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| \"TLV_MAP\",\n fields: extracted.fields.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n\n if (extracted.validators.size > 0) {\n this.intentValidators.set(meta.intent, extracted.validators);\n }\n\n if (!this.intentDecoders.has(meta.intent)) {\n this.intentDecoders.set(meta.intent, buildDtoDecoder(meta.dto));\n }\n\n return;\n }\n\n if (!meta.tlv \|\| meta.tlv.length === 0) return;\n\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| \"TLV_MAP\",\n fields: meta.tlv.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n }\n}\n","import { createHash } from \"crypto\";\n\nimport { Injectable, Logger, Optional } from \"@nestjs/common\";\n\nimport type { AxisFrame } from \"../core/axis-bin\";\nimport { FLAG_CHAIN_REQ, TLV_ACTOR_ID, TLV_CAPSULE, TLV_INTENT, TLV_TRACE_ID } from \"../core/constants\";\nimport type { AxisObserverBinding } from \"../decorators/observer.decorator\";\nimport type {\n AxisChainEnvelope,\n AxisChainResult,\n AxisChainStatus,\n AxisChainStep,\n AxisChainStepResult,\n AxisChainStepStatus,\n AxisExecutionMode,\n} from \"./axis-chain.types\";\nimport {\n getAxisExecutionContext,\n mergeAxisExecutionContext,\n withAxisExecutionContext,\n} from \"./axis-execution-context\";\nimport { ObserverDispatcherService } from \"./observer-dispatcher.service\";\nimport { AxisEffect, IntentRouter } from \"./intent.router\";\n\nexport interface AxisChainExecutionOptions {\n actorId?: string;\n baseFrame?: Partial<AxisFrame>;\n}\n\n@Injectable()\nexport class AxisChainExecutor {\n private readonly logger = new Logger(AxisChainExecutor.name);\n private readonly encoder = new TextEncoder();\n private readonly decoder = new TextDecoder();\n\n constructor(\n private readonly router: IntentRouter,\n @Optional()\n private readonly observerDispatcher?: ObserverDispatcherService,\n ) {}\n\n async execute(\n envelope: AxisChainEnvelope,\n options: AxisChainExecutionOptions = {},\n ): Promise<AxisChainResult> {\n this.validateEnvelope(envelope);\n\n const startedAt = Date.now();\n const results = new Map<string, AxisChainStepResult>();\n const bindings = this.collectChainBindings(envelope);\n\n await this.dispatch(bindings, {\n event: \"chain.received\",\n timestamp: startedAt,\n chainId: envelope.chainId,\n envelope,\n observerTags: envelope.observerTags,\n capsule: envelope.capsule,\n keyExchange: envelope.keyExchange,\n });\n\n await this.dispatch(bindings, {\n event: \"chain.admitted\",\n timestamp: Date.now(),\n chainId: envelope.chainId,\n envelope,\n observerTags: envelope.observerTags,\n capsule: envelope.capsule,\n keyExchange: envelope.keyExchange,\n });\n\n const stepsById = new Map(envelope.steps.map((step) => [step.stepId, step]));\n const pending = new Set(stepsById.keys());\n\n while (pending.size > 0) {\n const ready = Array.from(pending)\n .map((stepId) => stepsById.get(stepId)!)\n .filter((step) => this.canRun(step, results));\n\n if (ready.length === 0) {\n this.markUnresolvedSteps(\n pending,\n stepsById,\n results,\n \"BLOCKED\",\n \"UNRESOLVED_DEPENDENCIES\",\n );\n break;\n }\n\n if (envelope.mode === \"parallel\") {\n const waveResults = await Promise.all(\n ready.map((step) => this.executeStep(step, envelope, results, options)),\n );\n for (const result of waveResults) {\n results.set(result.stepId, result);\n pending.delete(result.stepId);\n }\n } else {\n for (const step of ready) {\n const result = await this.executeStep(step, envelope, results, options);\n results.set(result.stepId, result);\n pending.delete(result.stepId);\n\n if (\n result.status === \"FAILED\" &&\n (envelope.mode === \"strict\" \|\| envelope.mode === \"atomic\")\n ) {\n this.markUnresolvedSteps(\n pending,\n stepsById,\n results,\n \"SKIPPED\",\n \"CHAIN_HALTED\",\n );\n pending.clear();\n break;\n }\n }\n }\n\n this.blockStepsWithFailedDependencies(pending, stepsById, results);\n }\n\n const finishedAt = Date.now();\n const orderedResults = envelope.steps.map((step) => results.get(step.stepId)!);\n const summary = this.buildSummary(envelope.mode, orderedResults, startedAt, finishedAt, envelope.chainId);\n\n await this.dispatch(bindings, {\n event:\n summary.status === \"SUCCEEDED\"\n ? \"chain.completed\"\n : summary.status === \"PARTIAL\"\n ? \"chain.partial\"\n : \"chain.failed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n envelope,\n result: summary,\n observerTags: envelope.observerTags,\n capsule: envelope.capsule,\n keyExchange: envelope.keyExchange,\n });\n\n return summary;\n }\n\n private async executeStep(\n step: AxisChainStep,\n envelope: AxisChainEnvelope,\n results: Map<string, AxisChainStepResult>,\n options: AxisChainExecutionOptions,\n ): Promise<AxisChainStepResult> {\n const stepBindings = this.router.getObservers(step.intent);\n const startedAt = Date.now();\n const input = this.resolveStepInput(step.input, results);\n\n await this.dispatch(stepBindings, {\n event: \"step.started\",\n timestamp: startedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n envelope,\n step,\n observerTags: [...(envelope.observerTags \|\| []), ...(step.observerTags \|\| [])],\n capsule: step.capsuleScope\n ? {\n ...envelope.capsule,\n scope: step.capsuleScope,\n }\n : envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n try {\n const frame = this.buildFrame(step, envelope, input, options);\n const effect = await this.router.route(frame);\n const finishedAt = Date.now();\n const output = this.decodeOutput(effect.body);\n const proofHash = this.computeProofHash(envelope.chainId, step.stepId, effect, output);\n\n const result: AxisChainStepResult = {\n stepId: step.stepId,\n intent: step.intent,\n status: \"SUCCEEDED\",\n effect: effect.effect,\n output,\n dependsOn: step.dependsOn,\n startedAt,\n finishedAt,\n proofHash,\n observerTags: [...(envelope.observerTags \|\| []), ...(step.observerTags \|\| [])],\n metadata: effect.metadata,\n };\n\n await this.dispatch(stepBindings, {\n event: \"handler.completed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n effect,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n await this.dispatch(stepBindings, {\n event: \"proof.recorded\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n metadata: { proofHash },\n });\n\n await this.dispatch(stepBindings, {\n event: \"step.completed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n effect,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n return result;\n } catch (error: any) {\n const finishedAt = Date.now();\n const result: AxisChainStepResult = {\n stepId: step.stepId,\n intent: step.intent,\n status: \"FAILED\",\n error: error.message,\n dependsOn: step.dependsOn,\n startedAt,\n finishedAt,\n observerTags: [...(envelope.observerTags \|\| []), ...(step.observerTags \|\| [])],\n };\n\n this.logger.warn(\n `Chain ${envelope.chainId} step ${step.stepId} failed: ${error.message}`,\n );\n\n await this.dispatch(stepBindings, {\n event: \"step.failed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n error: error.message,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n return result;\n }\n }\n\n private buildFrame(\n step: AxisChainStep,\n envelope: AxisChainEnvelope,\n input: unknown,\n options: AxisChainExecutionOptions,\n ): AxisFrame {\n const baseContext = getAxisExecutionContext(options.baseFrame);\n const baseHeaders = new Map(options.baseFrame?.headers \|\| []);\n baseHeaders.set(TLV_INTENT, this.encoder.encode(step.intent));\n baseHeaders.set(TLV_TRACE_ID, this.encoder.encode(envelope.chainId));\n\n const capsuleId = envelope.capsule?.capsuleId;\n if (capsuleId) {\n baseHeaders.set(TLV_CAPSULE, this.encoder.encode(capsuleId));\n }\n\n if (options.actorId) {\n baseHeaders.set(TLV_ACTOR_ID, this.encoder.encode(options.actorId));\n }\n\n return withAxisExecutionContext(\n {\n flags: (options.baseFrame?.flags \|\| 0) \| FLAG_CHAIN_REQ,\n headers: baseHeaders,\n body: this.serializeInput(input),\n sig: options.baseFrame?.sig \|\| new Uint8Array(0),\n },\n mergeAxisExecutionContext(baseContext, {\n metaIntent: \"CHAIN.EXEC\",\n actorId: options.actorId \|\| baseContext?.actorId,\n capsuleRef: step.capsuleScope\n ? {\n ...(envelope.capsule \|\| {}),\n scope: step.capsuleScope,\n }\n : envelope.capsule,\n chainEnvelope: envelope,\n chainStep: step,\n }) \|\| {},\n );\n }\n\n private validateEnvelope(envelope: AxisChainEnvelope): void {\n if (!envelope.chainId) {\n throw new Error(\"CHAIN_ID_REQUIRED\");\n }\n\n if (!envelope.steps \|\| envelope.steps.length === 0) {\n throw new Error(\"CHAIN_STEPS_REQUIRED\");\n }\n\n const seen = new Set<string>();\n for (const step of envelope.steps) {\n if (!step.stepId) {\n throw new Error(\"CHAIN_STEP_ID_REQUIRED\");\n }\n\n if (!step.intent) {\n throw new Error(`CHAIN_STEP_INTENT_REQUIRED:${step.stepId}`);\n }\n\n if (seen.has(step.stepId)) {\n throw new Error(`CHAIN_STEP_DUPLICATE:${step.stepId}`);\n }\n seen.add(step.stepId);\n }\n\n for (const step of envelope.steps) {\n for (const dependency of step.dependsOn \|\| []) {\n if (!seen.has(dependency)) {\n throw new Error(\n `CHAIN_STEP_DEPENDENCY_UNKNOWN:${step.stepId}:${dependency}`,\n );\n }\n }\n }\n }\n\n private canRun(\n step: AxisChainStep,\n results: Map<string, AxisChainStepResult>,\n ): boolean {\n return (step.dependsOn \|\| []).every((dependency) => results.has(dependency));\n }\n\n private blockStepsWithFailedDependencies(\n pending: Set<string>,\n stepsById: Map<string, AxisChainStep>,\n results: Map<string, AxisChainStepResult>,\n ): void {\n for (const stepId of Array.from(pending)) {\n const step = stepsById.get(stepId);\n if (!step \|\| !step.dependsOn \|\| step.dependsOn.length === 0) continue;\n\n const dependencyResults = step.dependsOn\n .map((dependency) => results.get(dependency))\n .filter(Boolean) as AxisChainStepResult[];\n\n if (dependencyResults.length !== step.dependsOn.length) continue;\n\n const hasFailure = dependencyResults.some(\n (dependency) => dependency.status !== \"SUCCEEDED\",\n );\n if (!hasFailure) continue;\n\n results.set(step.stepId, {\n stepId: step.stepId,\n intent: step.intent,\n status: \"BLOCKED\",\n error: \"DEPENDENCY_FAILED\",\n dependsOn: step.dependsOn,\n startedAt: Date.now(),\n finishedAt: Date.now(),\n observerTags: step.observerTags,\n });\n pending.delete(step.stepId);\n }\n }\n\n private markUnresolvedSteps(\n pending: Set<string>,\n stepsById: Map<string, AxisChainStep>,\n results: Map<string, AxisChainStepResult>,\n status: AxisChainStepStatus,\n error: string,\n ): void {\n for (const stepId of pending) {\n const step = stepsById.get(stepId);\n if (!step) continue;\n results.set(stepId, {\n stepId,\n intent: step.intent,\n status,\n error,\n dependsOn: step.dependsOn,\n startedAt: Date.now(),\n finishedAt: Date.now(),\n observerTags: step.observerTags,\n });\n }\n }\n\n private buildSummary(\n mode: AxisExecutionMode,\n results: AxisChainStepResult[],\n startedAt: number,\n finishedAt: number,\n chainId: string,\n ): AxisChainResult {\n const completedSteps = results.filter((result) => result.status === \"SUCCEEDED\").length;\n const failedSteps = results.filter((result) => result.status === \"FAILED\").length;\n const blockedSteps = results.filter((result) => result.status === \"BLOCKED\").length;\n const skippedSteps = results.filter((result) => result.status === \"SKIPPED\").length;\n\n let status: AxisChainStatus = \"SUCCEEDED\";\n if (failedSteps > 0 \|\| blockedSteps > 0 \|\| skippedSteps > 0) {\n status =\n mode === \"best_effort\" \|\| mode === \"parallel\"\n ? completedSteps > 0\n ? \"PARTIAL\"\n : \"FAILED\"\n : \"FAILED\";\n }\n\n return {\n chainId,\n mode,\n status,\n completedSteps,\n failedSteps,\n blockedSteps,\n skippedSteps,\n startedAt,\n finishedAt,\n results,\n rollback:\n mode === \"atomic\"\n ? {\n supported: false,\n attempted: false,\n reason: \"AXIS handlers do not expose rollback semantics yet\",\n }\n : undefined,\n };\n }\n\n private resolveStepInput(\n value: unknown,\n results: Map<string, AxisChainStepResult>,\n ): unknown {\n if (typeof value === \"string\") {\n if (!value.startsWith(\"$\")) return value;\n return this.lookupReference(value.slice(1), results);\n }\n\n if (Array.isArray(value)) {\n return value.map((entry) => this.resolveStepInput(entry, results));\n }\n\n if (value && typeof value === \"object\") {\n return Object.fromEntries(\n Object.entries(value).map(([key, entry]) => [\n key,\n this.resolveStepInput(entry, results),\n ]),\n );\n }\n\n return value;\n }\n\n private lookupReference(\n path: string,\n results: Map<string, AxisChainStepResult>,\n ): unknown {\n const [stepId, ...segments] = path.split(\".\");\n const result = results.get(stepId);\n if (!result) return undefined;\n\n let current: unknown = result;\n for (const segment of segments) {\n if (current === undefined \|\| current === null) return undefined;\n if (typeof current !== \"object\") return undefined;\n current = (current as Record<string, unknown>)[segment];\n }\n return current;\n }\n\n private serializeInput(input: unknown): Uint8Array {\n if (input instanceof Uint8Array) return input;\n if (typeof input === \"string\") return this.encoder.encode(input);\n if (input === undefined) return new Uint8Array(0);\n return this.encoder.encode(JSON.stringify(input));\n }\n\n private decodeOutput(body?: Uint8Array): unknown {\n if (!body \|\| body.length === 0) return undefined;\n\n try {\n const text = this.decoder.decode(body);\n try {\n return JSON.parse(text);\n } catch {\n return /^[\\x20-\\x7E\\s]+$/.test(text) ? text : body;\n }\n } catch {\n return body;\n }\n }\n\n private computeProofHash(\n chainId: string,\n stepId: string,\n effect: AxisEffect,\n output: unknown,\n ): string {\n const hash = createHash(\"sha256\");\n hash.update(chainId);\n hash.update(\":\");\n hash.update(stepId);\n hash.update(\":\");\n hash.update(effect.effect);\n hash.update(\":\");\n hash.update(JSON.stringify(output ?? null));\n return hash.digest(\"hex\");\n }\n\n private collectChainBindings(\n envelope: AxisChainEnvelope,\n ): AxisObserverBinding[] {\n const uniqueBindings = new Map<string, AxisObserverBinding>();\n\n for (const step of envelope.steps) {\n for (const binding of this.router.getObservers(step.intent)) {\n const key = binding.refs.map((ref) => String(ref)).sort().join(\"\|\");\n if (!uniqueBindings.has(key)) {\n uniqueBindings.set(key, binding);\n }\n }\n }\n\n return Array.from(uniqueBindings.values());\n }\n\n private async dispatch(\n bindings: AxisObserverBinding[],\n context: Parameters<ObserverDispatcherService[\"dispatch\"]>[1],\n ): Promise<void> {\n if (!this.observerDispatcher) return;\n await this.observerDispatcher.dispatch(bindings, context);\n }\n}","/\n Sensor Execution Bands\n \n Semantic groupings for the AXIS sensor chain.\n * Each band has 50–100 slots for ordering sensors within it.\n \n WIRE (0–39): Raw bytes, no decode. PRE_DECODE phase.\n * IDENTITY (40–89): Who is this? IP, access, proof, capsule. POST_DECODE.\n * POLICY (90–139): Are they allowed? Sig, capability, rate limit. POST_DECODE.\n * CONTENT (140–199): What's in the frame? TLV, body, schema, files. POST_DECODE.\n * BUSINESS (200–299): Business context. Stream, WS, timeout. POST_DECODE.\n * AUDIT (900+): Finalization, logging. POST_DECODE.\n /\nexport const BAND = {\n /* Pre-decode: raw byte validation, geo, budget, magic /\n WIRE: 0,\n /* Post-decode: identity resolution, capsule, proof /\n IDENTITY: 40,\n /* Post-decode: authorization, signature, rate limiting /\n POLICY: 90,\n /* Post-decode: content validation, TLV, schema, files /\n CONTENT: 140,\n /* Post-decode: business logic sensors, streams, WS /\n BUSINESS: 200,\n /* Post-decode: audit, logging (always last) /\n AUDIT: 900,\n} as const;\n\nexport type SensorBand = keyof typeof BAND;\n\n/* Sensors with order below this boundary run in PRE_DECODE phase (middleware) /\nexport const PRE_DECODE_BOUNDARY = 40;\n","/\n Deterministic JSON serialization for observation hashing.\n \n Sorts object keys alphabetically and strips `undefined` values\n * so that two structurally equivalent observations always produce\n * the same string — required for reproducible SHA-256 hashing.\n /\n\nfunction normalize(value: unknown): unknown {\n if (Array.isArray(value)) {\n return value.map((item) => normalize(item));\n }\n\n if (value && typeof value === 'object') {\n const entries = Object.entries(value as Record<string, unknown>)\n .filter(([, nested]) => nested !== undefined)\n .sort(([left], [right]) => left.localeCompare(right));\n\n const normalized: Record<string, unknown> = {};\n for (const [key, nested] of entries) {\n normalized[key] = normalize(nested);\n }\n return normalized;\n }\n\n return value;\n}\n\nexport function stableJsonStringify(value: unknown): string {\n return JSON.stringify(normalize(value));\n}\n","import { AxisObservation } from '../axis-observation';\nimport { ObservationQueueMessage } from './observation-queue.types';\n\nexport interface ObservationStreamEntry {\n id: string;\n message: ObservationQueueMessage;\n}\n\nexport function buildQueueMessage(\n observation: AxisObservation,\n sourceNodeId: string,\n previous?: ObservationQueueMessage,\n lastError?: string,\n): ObservationQueueMessage {\n const now = Date.now();\n\n return {\n v: 1,\n observation,\n attempts: previous ? previous.attempts + 1 : 0,\n firstEnqueuedAt: previous?.firstEnqueuedAt ?? now,\n lastEnqueuedAt: now,\n sourceNodeId,\n lastError,\n };\n}\n\nexport function encodeQueueMessage(message: ObservationQueueMessage): string {\n return JSON.stringify(message);\n}\n\nexport function decodeQueueMessage(\n raw: string,\n): ObservationQueueMessage \| null {\n try {\n const parsed = JSON.parse(raw) as ObservationQueueMessage;\n if (!parsed \|\| parsed.v !== 1 \|\| !parsed.observation?.id) {\n return null;\n }\n return parsed;\n } catch {\n return null;\n }\n}\n\nexport function parseStreamEntries(raw: any): ObservationStreamEntry[] {\n if (!Array.isArray(raw)) {\n return [];\n }\n\n const entries: ObservationStreamEntry[] = [];\n for (const streamRow of raw) {\n if (!Array.isArray(streamRow) \|\| streamRow.length < 2) {\n continue;\n }\n\n const messageRows = streamRow[1];\n if (!Array.isArray(messageRows)) {\n continue;\n }\n\n for (const row of messageRows) {\n if (!Array.isArray(row) \|\| row.length < 2) {\n continue;\n }\n\n const id = String(row[0]);\n const fields = Array.isArray(row[1]) ? row[1] : [];\n const fieldMap = fieldsToMap(fields);\n const payload = fieldMap.get('payload');\n if (!payload) {\n continue;\n }\n\n const message = decodeQueueMessage(payload);\n if (!message) {\n continue;\n }\n\n entries.push({ id, message });\n }\n }\n\n return entries;\n}\n\nexport function parseAutoClaimEntries(raw: any): ObservationStreamEntry[] {\n if (!Array.isArray(raw) \|\| raw.length < 2) {\n return [];\n }\n\n const rows = Array.isArray(raw[1]) ? raw[1] : [];\n return parseStreamEntries([['stream', rows]]);\n}\n\nfunction fieldsToMap(fields: any[]): Map<string, string> {\n const map = new Map<string, string>();\n for (let i = 0; i < fields.length; i += 2) {\n const key = fields[i];\n const value = fields[i + 1];\n if (key !== undefined && value !== undefined) {\n map.set(String(key), String(value));\n }\n }\n return map;\n}\n","import { createHash } from 'crypto';\n\nimport { AxisObservation } from '../axis-observation';\nimport { stableJsonStringify } from './stable-json';\n\n/\n Witness summary — a compact proof-of-observation payload\n * signed by the node that observed the execution.\n /\nexport interface ObservationWitnessSummary {\n intent?: string;\n actorId?: string;\n decision?: string;\n statusCode?: number;\n durationMs?: number;\n sensorCount: number;\n stageCount: number;\n}\n\n/\n Unsigned witness artifact — everything except the signature.\n * The backend adds `kid`, `sig`, and `alg` using its keyring.\n /\nexport interface UnsignedObservationWitness {\n v: 1;\n observationId: string;\n payloadHash: string;\n sealedAt: number;\n summary: ObservationWitnessSummary;\n}\n\n/\n Build the canonical JSON representation of an observation.\n \n Only includes structurally meaningful fields (no transient state).\n * Keys are sorted deterministically via `stableJsonStringify` so that\n * the same observation always produces the same string.\n /\nexport function canonicalizeObservation(obs: AxisObservation): string {\n const obj: Record<string, unknown> = {\n id: obs.id,\n startMs: obs.startMs,\n endMs: obs.endMs,\n transport: obs.transport,\n ip: obs.ip,\n intent: obs.intent,\n actorId: obs.actorId,\n capsuleId: obs.capsuleId,\n decision: obs.decision,\n resultCode: obs.resultCode,\n statusCode: obs.statusCode,\n durationMs: obs.durationMs,\n stages: obs.stages.map((s) => ({\n name: s.name,\n status: s.status,\n startMs: s.startMs,\n endMs: s.endMs,\n durationMs: s.durationMs,\n reason: s.reason,\n code: s.code,\n })),\n sensors: obs.sensors.map((s) => ({\n name: s.name,\n allowed: s.allowed,\n riskScore: s.riskScore,\n durationMs: s.durationMs,\n reasons: s.reasons,\n code: s.code,\n })),\n };\n\n return stableJsonStringify(obj);\n}\n\n/\n SHA-256 hash of the canonical observation payload.\n /\nexport function hashObservation(obs: AxisObservation): string {\n const canonical = canonicalizeObservation(obs);\n return createHash('sha256').update(canonical).digest('hex');\n}\n\n/\n Build an unsigned witness from a finalized observation.\n \n Returns `null` if the observation has not been finalized\n * (no `decision` or `endMs`).\n \n The caller (backend WitnessBuilder) adds `kid`, `sig`, `alg`\n * using its keyring.\n /\nexport function buildUnsignedWitness(\n obs: AxisObservation,\n): UnsignedObservationWitness \| null {\n if (!obs.decision \|\| !obs.endMs) {\n return null;\n }\n\n return {\n v: 1,\n observationId: obs.id,\n payloadHash: hashObservation(obs),\n sealedAt: Date.now(),\n summary: {\n intent: obs.intent,\n actorId: obs.actorId,\n decision: obs.decision,\n statusCode: obs.statusCode,\n durationMs: obs.durationMs,\n sensorCount: obs.sensors.length,\n stageCount: obs.stages.length,\n },\n };\n}\n","import { MAX_BODY_LEN } from '../../core/constants';\n\n/\n Minimal request context needed by ResponseObserver.\n * Compatible with the full AxisContext from schemas.\n /\nexport interface ResponseObserverContext {\n actorId: string;\n intent: string;\n}\n\n/\n Response contract that the observer validates.\n /\nexport interface ResponseContract {\n /* Whether the handler reported success /\n ok: boolean;\n /* The effect label returned by the handler /\n effect: string;\n /* Response body bytes (may be undefined for error responses) /\n body?: Uint8Array;\n /* Response TLV headers /\n headers?: Map<number, Uint8Array>;\n}\n\n/\n Result of observer validation.\n /\nexport interface ObserverVerdict {\n /* true = response passes all checks /\n passed: boolean;\n /* Machine-readable code if rejected /\n code?: string;\n /* Human-readable reason if rejected /\n reason?: string;\n}\n\n/* TLV tags that must never appear in a response (ACTOR_ID, PROOF_TYPE, PROOF_REF). /\nconst SENSITIVE_RESPONSE_TAGS = [4, 5, 6];\n\n/\n ResponseObserver — post-execution policy gate (protocol layer).\n \n Validates that:\n * 1. Effect is a valid non-empty string.\n * 2. Mandatory response body exists for successful results.\n * 3. No sensitive data leaks in response headers.\n * 4. Response size is within protocol limits.\n * 5. Effect does not expose internal error details.\n \n This is a defense-in-depth layer — primary correctness comes from\n * deterministic execution, signature verification, and nonce/replay controls.\n \n On failure, the engine returns a safe error instead of the original response.\n /\nexport function verifyResponse(\n ctx: ResponseObserverContext,\n response: ResponseContract,\n): ObserverVerdict {\n // 1. Effect must be a non-empty string\n if (!response.effect \|\| typeof response.effect !== 'string') {\n return {\n passed: false,\n code: 'OBSERVER_INVALID_EFFECT',\n reason: 'Response effect is missing or invalid',\n };\n }\n\n // 2. Successful responses must have a body\n if (response.ok && (!response.body \|\| response.body.length === 0)) {\n return {\n passed: false,\n code: 'OBSERVER_EMPTY_BODY',\n reason: 'Successful response must contain a body',\n };\n }\n\n // 3. Response body must not exceed protocol limits\n if (response.body && response.body.length > MAX_BODY_LEN) {\n return {\n passed: false,\n code: 'OBSERVER_BODY_OVERFLOW',\n reason: `Response body exceeds ${MAX_BODY_LEN} bytes`,\n };\n }\n\n // 4. Verify no sensitive TLV tags leak in response headers\n if (response.headers) {\n for (const tag of SENSITIVE_RESPONSE_TAGS) {\n if (response.headers.has(tag)) {\n return {\n passed: false,\n code: 'OBSERVER_DATA_LEAK',\n reason: `Response must not contain sensitive TLV tag ${tag}`,\n };\n }\n }\n }\n\n // 5. Effect should not expose internal error details\n if (\n response.effect.includes('Error:') \|\|\n response.effect.includes('stack') \|\|\n response.effect.includes('at /')\n ) {\n return {\n passed: false,\n code: 'OBSERVER_INFO_LEAK',\n reason: 'Response effect may contain internal error details',\n };\n }\n\n return { passed: true };\n}\n\n/\n Function type and value alias for the response observer validator.\n /\nexport type ResponseObserver = (\n ctx: ResponseObserverContext,\n response: ResponseContract,\n) => ObserverVerdict;\n\nexport const ResponseObserver: ResponseObserver = verifyResponse;\n","export { encodeVarint, decodeVarint, varintLength } from '@nextera.one/axis-protocol';\n","import as z from 'zod';\n\n/*\n AxisFrame Schema\n \n Defines the logical structure of an AXIS frame using Zod for runtime validation.\n * This is used for internal processing after the low-level binary parsing is complete.\n /\nexport const AxisFrameZ = z.object({\n /* Flag bits for protocol control (e.g., encryption, compression) /\n flags: z.number().int().nonnegative(),\n /* A map of TLV headers where key=Tag and value=BinaryData /\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n /* The main payload of the frame /\n body: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n /* The cryptographic signature covering the frame (except the signature itself) /\n sig: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n});\n\n/\n Represents a structured AXIS frame.\n * @typedef {Object} AxisFrame\n /\nexport type AxisFrame = z.infer<typeof AxisFrameZ>;\nexport type AxisBinaryFrame = AxisFrame;\nimport {\n AXIS_MAGIC,\n AXIS_VERSION,\n MAX_BODY_LEN,\n MAX_FRAME_LEN,\n MAX_HDR_LEN,\n MAX_SIG_LEN,\n} from './constants';\nimport { decodeTLVs, encodeTLVs } from './tlv';\nimport { decodeVarint, encodeVarint } from './varint';\n\n/\n Encodes a structured AxisFrame into its binary wire representation.\n \n Encoding Steps:\n * 1. Encodes header TLV map into a single buffer.\n * 2. Validates lengths against MAX_* constants.\n * 3. Encodes lengths (HDR, BODY, SIG) as varints.\n * 4. Assembles the final byte array with magic, version, and flags.\n \n @param {AxisFrame} frame - The structured frame to encode\n * @returns {Uint8Array} The full binary frame\n * @throws {Error} If any section exceeds protocol limits\n /\nexport function encodeFrame(frame: AxisFrame): Uint8Array {\n const hdrBytes = encodeTLVs(\n Array.from(frame.headers.entries()).map(([t, v]) => ({\n type: t,\n value: v,\n })),\n );\n\n if (hdrBytes.length > MAX_HDR_LEN) throw new Error('Header too large');\n if (frame.body.length > MAX_BODY_LEN) throw new Error('Body too large');\n if (frame.sig.length > MAX_SIG_LEN) throw new Error('Signature too large');\n\n // Header Len, Body Len, Sig Len\n const hdrLenBytes = encodeVarint(hdrBytes.length);\n const bodyLenBytes = encodeVarint(frame.body.length);\n const sigLenBytes = encodeVarint(frame.sig.length);\n\n const totalLen =\n 5 + // Magic (AXIS1)\n 1 + // Version\n 1 + // Flags\n hdrLenBytes.length +\n bodyLenBytes.length +\n sigLenBytes.length +\n hdrBytes.length +\n frame.body.length +\n frame.sig.length;\n\n if (totalLen > MAX_FRAME_LEN) throw new Error('Total frame too large');\n\n const buf = new Uint8Array(totalLen);\n let offset = 0;\n\n // Magic (AXIS1 - 5 bytes)\n buf.set(AXIS_MAGIC, offset);\n offset += 5;\n\n // Version\n buf[offset++] = AXIS_VERSION;\n\n // Flags\n buf[offset++] = frame.flags;\n\n // Lengths\n buf.set(hdrLenBytes, offset);\n offset += hdrLenBytes.length;\n\n buf.set(bodyLenBytes, offset);\n offset += bodyLenBytes.length;\n\n buf.set(sigLenBytes, offset);\n offset += sigLenBytes.length;\n\n // Payloads\n buf.set(hdrBytes, offset);\n offset += hdrBytes.length;\n\n buf.set(frame.body, offset);\n offset += frame.body.length;\n\n buf.set(frame.sig, offset);\n offset += frame.sig.length;\n\n return buf;\n}\n\n/\n Decodes a binary buffer into a structured AxisFrame with strict validation.\n \n @param {Uint8Array} buf - Raw bytes from the wire\n * @returns {AxisFrame} The parsed and validated frame\n * @throws {Error} If magic, version, or lengths are invalid\n /\nexport function decodeFrame(buf: Uint8Array): AxisFrame {\n let offset = 0;\n\n // 1. Magic (AXIS1 - 5 bytes)\n if (offset + 5 > buf.length) throw new Error('Packet too short');\n for (let i = 0; i < 5; i++) {\n if (buf[offset + i] !== AXIS_MAGIC[i]) throw new Error('Invalid Magic');\n }\n offset += 5;\n\n // 2. Version\n const ver = buf[offset++];\n if (ver !== AXIS_VERSION) throw new Error(`Unsupported version: ${ver}`);\n\n // 3. Flags\n const flags = buf[offset++];\n\n // 4. Lengths\n const { value: hdrLen, length: hlLen } = decodeVarint(buf, offset);\n offset += hlLen;\n if (hdrLen > MAX_HDR_LEN) throw new Error('Header limit exceeded');\n\n const { value: bodyLen, length: blLen } = decodeVarint(buf, offset);\n offset += blLen;\n if (bodyLen > MAX_BODY_LEN) throw new Error('Body limit exceeded');\n\n const { value: sigLen, length: slLen } = decodeVarint(buf, offset);\n offset += slLen;\n if (sigLen > MAX_SIG_LEN) throw new Error('Signature limit exceeded');\n\n // 5. Extract Bytes\n if (offset + hdrLen + bodyLen + sigLen > buf.length) {\n throw new Error('Frame truncated');\n }\n\n const hdrBytes = buf.slice(offset, offset + hdrLen);\n offset += hdrLen;\n\n const bodyBytes = buf.slice(offset, offset + bodyLen);\n offset += bodyLen;\n\n const sigBytes = buf.slice(offset, offset + sigLen);\n offset += sigLen;\n\n // 6. Decode Header TLVs\n const headers = decodeTLVs(hdrBytes);\n\n return {\n flags,\n headers,\n body: bodyBytes,\n sig: sigBytes,\n };\n}\n\n/\n Helper to get canonical bytes for signing.\n * SigTarget = All bytes up to SigLen, with SigLen=0, and no SigBytes.\n /\nexport function getSignTarget(frame: AxisFrame): Uint8Array {\n // Re-encode frame but with empty signature\n // Note: This is efficient enough for v1 (tens of KB).\n return encodeFrame({\n ...frame,\n sig: new Uint8Array(0),\n });\n}\n","import as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame } from './axis-bin';\n\n/*\n Signature utilities for AXIS binary frames\n * Supports Ed25519 signature generation and verification\n /\n\n/\n Computes the canonical payload for signing an AXIS frame.\n * The signature covers all bytes of the encoded frame EXCEPT the signature field itself.\n \n @param {AxisFrame} frame - The frame to prepare for signing\n * @returns {Buffer} The serialized canonical bytes for the signature algorithm\n /\nexport function computeSignaturePayload(frame: AxisFrame): Buffer {\n // Re-encode frame with empty signature\n const frameWithoutSig: AxisFrame = {\n ...frame,\n sig: new Uint8Array(0),\n };\n\n const encoded = encodeFrame(frameWithoutSig);\n return Buffer.from(encoded);\n}\n\n/\n Signs an AXIS frame using the Ed25519 algorithm.\n * Automatically handles both raw 32-byte seeds and pkcs8 DER-encoded private keys.\n \n @param {AxisFrame} frame - The frame to sign\n * @param {Buffer} privateKey - Ed25519 private key (32-byte raw OR pkcs8 DER)\n * @returns {Buffer} The 64-byte Ed25519 signature\n * @throws {Error} If key format is invalid or signing fail\n /\nexport function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer {\n const payload = computeSignaturePayload(frame);\n\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte seed or DER-encoded\n if (privateKey.length === 32) {\n // Raw seed - wrap in pkcs8 DER format\n // pkcs8 prefix for Ed25519: 0x302e020100300506032b657004220420\n const pkcs8Prefix = Buffer.from([\n 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,\n 0x04, 0x22, 0x04, 0x20,\n ]);\n const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);\n\n keyObject = crypto.createPrivateKey({\n key: pkcs8Key,\n format: 'der',\n type: 'pkcs8',\n });\n } else {\n // Assume already DER-encoded pkcs8\n keyObject = crypto.createPrivateKey({\n key: privateKey,\n format: 'der',\n type: 'pkcs8',\n });\n }\n\n const signature = crypto.sign(null, payload, keyObject);\n\n if (signature.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n return signature;\n}\n\n/\n Verifies an Ed25519 signature on an AXIS frame.\n * Automatically handles both raw 32-byte public keys and spki DER-encoded public keys.\n \n @param {AxisFrame} frame - The frame containing the signature to verify\n * @param {Buffer} publicKey - Ed25519 public key (32-byte raw OR spki DER)\n * @returns {boolean} True if the signature is cryptographically valid\n * @throws {Error} If signature length is invalid\n /\nexport function verifyFrameSignature(\n frame: AxisFrame,\n publicKey: Buffer,\n): boolean {\n if (frame.sig.length === 0) {\n return false; // No signature\n }\n\n if (frame.sig.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n const payload = computeSignaturePayload(frame);\n\n try {\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte or DER-encoded\n if (publicKey.length === 32) {\n // Raw key - wrap in spki DER format\n // spki prefix for Ed25519: 0x302a300506032b6570032100\n const spkiPrefix = Buffer.from([\n 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,\n ]);\n const spkiKey = Buffer.concat([spkiPrefix, publicKey]);\n\n keyObject = crypto.createPublicKey({\n key: spkiKey,\n format: 'der',\n type: 'spki',\n });\n } else {\n // Assume already DER-encoded spki\n keyObject = crypto.createPublicKey({\n key: publicKey,\n format: 'der',\n type: 'spki',\n });\n }\n\n const valid = crypto.verify(\n null,\n payload,\n keyObject,\n Buffer.from(frame.sig),\n );\n return valid;\n } catch (error) {\n return false;\n }\n}\n\n/\n Generates a new Ed25519 key pair for use with the AXIS protocol.\n * Returns keys in canonical DER format (pkcs8 for private, spki for public).\n \n @returns {Object} An object containing the privateKey and publicKey as Buffers\n /\nexport function generateEd25519KeyPair(): {\n privateKey: Buffer;\n publicKey: Buffer;\n} {\n const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519');\n\n return {\n privateKey: privateKey.export({ type: 'pkcs8', format: 'der' }) as Buffer,\n publicKey: publicKey.export({ type: 'spki', format: 'der' }) as Buffer,\n };\n}\n\n/\n Computes a standard SHA-256 hash of the provided data.\n \n @param {Buffer \| Uint8Array} data - The input data to hash\n * @returns {Buffer} The 32-byte SHA-256 digest\n /\nexport function sha256(data: Buffer \| Uint8Array): Buffer {\n return crypto.createHash('sha256').update(data).digest();\n}\n\n/\n Computes a hash for an AXIS receipt, optionally chaining it to a previous hash.\n * This is used for generating an immutable transaction chain.\n \n @param {Buffer \| Uint8Array} receiptBytes - The canonical binary representation of the receipt\n * @param {Buffer \| Uint8Array} [prevHash] - The hash of the previous receipt in the chain\n * @returns {Buffer} The 32-byte SHA-256 hash of the receipt (and link)\n /\nexport function computeReceiptHash(\n receiptBytes: Buffer \| Uint8Array,\n prevHash?: Buffer \| Uint8Array,\n): Buffer {\n const hasher = crypto.createHash('sha256');\n hasher.update(receiptBytes);\n\n if (prevHash && prevHash.length > 0) {\n hasher.update(prevHash);\n }\n\n return hasher.digest();\n}\n","// ats1.constants.ts\n\n// Header TLV tags (hdr TLVs)\nexport const ATS1_HDR = {\n INTENT_ID: 1, // uvarint\n ACTOR_KEY_ID: 2, // bytes (key fingerprint / credentialId hash)\n CAPSULE_ID: 3, // bytes or varint\n NONCE: 4, // 16 bytes\n TS_MS: 5, // u64be (8)\n SCHEMA_ID: 6, // uvarint\n BODY_HASH: 7, // 32 bytes (sha256)\n TRACE_ID: 8, // 16 bytes\n} as const;\n\n// Schema IDs (body TLVs meaning depends on schema)\nexport const ATS1_SCHEMA = {\n PASSKEY_LOGIN_OPTIONS_REQ: 2001,\n PASSKEY_LOGIN_OPTIONS_RES: 2002,\n\n PASSKEY_LOGIN_VERIFY_REQ: 2011,\n PASSKEY_LOGIN_VERIFY_RES: 2012,\n\n PASSKEY_REGISTER_OPTIONS_REQ: 2021,\n PASSKEY_REGISTER_OPTIONS_RES: 2022,\n\n PASSKEY_REGISTER_VERIFY_REQ: 2031,\n PASSKEY_REGISTER_VERIFY_RES: 2032,\n} as const;\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n/\n ATS1 (AXIS-TLV Schema v1) — TypeScript Encoder/Decoder\n * - Canonical TLV: [TAG(uvarint)][LEN(uvarint)][VALUE(bytes)]\n * - Canonical ordering: ascending TAG\n * - Minimal varint encoding enforced in decoder\n * - Strict schema validation (unknown tags rejected by default)\n * - Nested TLV streams supported\n \n Node.js: uses crypto for SHA-256\n /\n\nimport { createHash, randomBytes } from 'crypto';\n\n// -----------------------------\n// Types\n// -----------------------------\n\nexport type Ats1FieldType = 'bytes' \| 'utf8' \| 'uvarint' \| 'u64be' \| 'nested';\n\nexport type Ats1FieldDescriptor = {\n tag: number;\n name: string;\n type: Ats1FieldType;\n required?: boolean;\n repeated?: boolean;\n nestedSchema?: Ats1SchemaDescriptor; // required if type === 'nested'\n maxLen?: number; // optional per-field limit (bytes length)\n};\n\nexport type Ats1SchemaDescriptor = {\n schemaId: number;\n name: string;\n strict: boolean; // if true: reject unknown tags\n maxNestingDepth: number; // e.g. 4\n maxBodyBytes?: number; // optional overall body limit\n fields: Ats1FieldDescriptor[];\n};\n\nexport type DecodedTlv = { tag: number; value: Buffer };\n\nexport type DecodedTlvMap = Map<number, Buffer[]>; // tag -> list of values\n\nexport type SensorInputLike = {\n hdrTLVs: DecodedTlvMap;\n bodyTLVs: DecodedTlvMap;\n schemaId: number;\n intentId: number;\n};\n\n// -----------------------------\n// Limits (sane defaults)\n// -----------------------------\n\nexport type Ats1Limits = {\n maxVarintBytes: number; // e.g. 10 for u64\n maxTlvCount: number; // e.g. 512\n maxValueBytes: number; // e.g. 1MB\n maxNestingDepth: number; // e.g. 4\n};\n\nexport const DEFAULT_LIMITS: Ats1Limits = {\n maxVarintBytes: 10,\n maxTlvCount: 512,\n maxValueBytes: 1_048_576, // 1 MiB\n maxNestingDepth: 4,\n};\n\n// -----------------------------\n// Varint (unsigned LEB128)\n// -----------------------------\n\nexport function encodeUVarint(n: number \| bigint): Buffer {\n let x = typeof n === 'bigint' ? n : BigInt(n);\n if (x < 0n) throw new Error('encodeUVarint: negative not allowed');\n\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function decodeUVarint(\n buf: Buffer,\n offset: number,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { value: bigint; offset: number; bytesRead: number } {\n let x = 0n;\n let shift = 0n;\n const start = offset;\n\n for (let i = 0; i < limits.maxVarintBytes; i++) {\n if (offset >= buf.length) throw new Error('decodeUVarint: truncated');\n const b = buf[offset++];\n x \|= BigInt(b & 0x7f) << shift;\n\n if ((b & 0x80) === 0) {\n const bytesRead = offset - start;\n\n // Minimal-encoding check:\n // Re-encode and compare exact bytes.\n const re = encodeUVarint(x);\n const original = buf.subarray(start, offset);\n if (!re.equals(original))\n throw new Error('decodeUVarint: non-minimal varint');\n\n return { value: x, offset, bytesRead };\n }\n\n shift += 7n;\n }\n\n throw new Error('decodeUVarint: too long');\n}\n\n// -----------------------------\n// Primitive encoders/decoders\n// -----------------------------\n\nexport function encodeU64BE(n: bigint): Buffer {\n if (n < 0n) throw new Error('encodeU64BE: negative not allowed');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(n, 0);\n return b;\n}\n\nexport function decodeU64BE(buf: Buffer): bigint {\n if (buf.length !== 8) throw new Error('decodeU64BE: length must be 8');\n return buf.readBigUInt64BE(0);\n}\n\nexport function sha256(data: Buffer): Buffer {\n return createHash('sha256').update(data).digest();\n}\n\n// -----------------------------\n// TLV encode/decode\n// -----------------------------\n\nexport function encodeTLV(tag: number, value: Buffer): Buffer {\n if (!Number.isInteger(tag) \|\| tag <= 0)\n throw new Error('encodeTLV: tag must be positive int');\n const t = encodeUVarint(tag);\n const l = encodeUVarint(value.length);\n return Buffer.concat([t, l, value]);\n}\n\nexport function encodeTLVStreamCanonical(entries: DecodedTlv[]): Buffer {\n // Canonical sort ascending tag\n const sorted = [...entries].sort((a, b) => a.tag - b.tag);\n\n // Duplicate tags are allowed only if the schema says repeated.\n // This function does not enforce schema; caller should.\n const parts: Buffer[] = [];\n for (const e of sorted) parts.push(encodeTLV(e.tag, e.value));\n return Buffer.concat(parts);\n}\n\nexport function decodeTLVStream(\n stream: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n const out: DecodedTlv[] = [];\n let off = 0;\n\n while (off < stream.length) {\n if (out.length >= limits.maxTlvCount)\n throw new Error('decodeTLVStream: too many TLVs');\n\n const tagRes = decodeUVarint(stream, off, limits);\n const tag = Number(tagRes.value);\n off = tagRes.offset;\n\n const lenRes = decodeUVarint(stream, off, limits);\n const len = Number(lenRes.value);\n off = lenRes.offset;\n\n if (len < 0) throw new Error('decodeTLVStream: negative length');\n if (len > limits.maxValueBytes)\n throw new Error('decodeTLVStream: value too large');\n if (off + len > stream.length)\n throw new Error('decodeTLVStream: truncated value');\n\n const value = stream.subarray(off, off + len);\n off += len;\n\n out.push({ tag, value: Buffer.from(value) });\n }\n\n // Canonical check: must be sorted ascending tag.\n for (let i = 1; i < out.length; i++) {\n if (out[i].tag < out[i - 1].tag)\n throw new Error('decodeTLVStream: non-canonical tag order');\n }\n\n return out;\n}\n\nexport function tlvsToMap(entries: DecodedTlv[]): DecodedTlvMap {\n const m: DecodedTlvMap = new Map();\n for (const e of entries) {\n const arr = m.get(e.tag) ?? [];\n arr.push(e.value);\n m.set(e.tag, arr);\n }\n return m;\n}\n\n// -----------------------------\n// Schema validation + object \\u2194 TLV mapping\n// -----------------------------\n\ntype LogicalBody = { schemaId: number; fields: Record<string, any> };\n\nexport function validateTLVsAgainstSchema(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n depth = 0,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): void {\n if (depth > Math.min(schema.maxNestingDepth, limits.maxNestingDepth)) {\n throw new Error('validateTLVsAgainstSchema: nesting depth exceeded');\n }\n\n if (schema.maxBodyBytes && tlvsBytes(tlvs) > schema.maxBodyBytes) {\n throw new Error('validateTLVsAgainstSchema: body too large');\n }\n\n const byTag = new Map<number, DecodedTlv[]>();\n for (const t of tlvs) {\n if (!byTag.has(t.tag)) byTag.set(t.tag, []);\n byTag.get(t.tag)!.push(t);\n }\n\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n // Unknown tags\n if (schema.strict) {\n for (const tag of byTag.keys()) {\n if (!fieldByTag.has(tag))\n throw new Error(`validateTLVsAgainstSchema: unknown tag ${tag}`);\n }\n }\n\n // Required fields & repetition rules\n for (const f of schema.fields) {\n const vals = byTag.get(f.tag) ?? [];\n if (f.required && vals.length === 0)\n throw new Error(`validateTLVsAgainstSchema: missing ${f.name}`);\n\n if (!f.repeated && vals.length > 1) {\n throw new Error(\n `validateTLVsAgainstSchema: duplicate tag not allowed for ${f.name}`,\n );\n }\n\n // Per-field max length\n if (typeof f.maxLen === 'number') {\n for (const v of vals) {\n if (v.value.length > f.maxLen)\n throw new Error(`validateTLVsAgainstSchema: ${f.name} too long`);\n }\n }\n\n // Type checks (lightweight)\n for (const v of vals) {\n switch (f.type) {\n case 'u64be':\n if (v.value.length !== 8)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} u64be must be 8 bytes`,\n );\n break;\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} missing nestedSchema`,\n );\n const nestedTlvs = decodeTLVStream(v.value, limits);\n validateTLVsAgainstSchema(\n f.nestedSchema,\n nestedTlvs,\n depth + 1,\n limits,\n );\n break;\n }\n default:\n // bytes/utf8/uvarint are accepted structurally; deeper validation can be added if you want.\n break;\n }\n }\n }\n}\n\nfunction tlvsBytes(tlvs: DecodedTlv[]): number {\n // approximate encoded size if re-encoded\n let n = 0;\n for (const t of tlvs) {\n n +=\n encodeUVarint(t.tag).length +\n encodeUVarint(t.value.length).length +\n t.value.length;\n }\n return n;\n}\n\nexport function logicalBodyToTLVs(\n schema: Ats1SchemaDescriptor,\n body: LogicalBody,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n if (body.schemaId !== schema.schemaId)\n throw new Error('logicalBodyToTLVs: schemaId mismatch');\n\n const fieldsByName = new Map(schema.fields.map((f) => [f.name, f] as const));\n const tlvs: DecodedTlv[] = [];\n\n for (const [name, val] of Object.entries(body.fields ?? {})) {\n const f = fieldsByName.get(name);\n if (!f) {\n if (schema.strict)\n throw new Error(`logicalBodyToTLVs: unknown field ${name}`);\n continue;\n }\n\n const pushOne = (v: any) => {\n const valueBuf = encodeFieldValue(f, v, limits);\n if (valueBuf.length > limits.maxValueBytes)\n throw new Error('logicalBodyToTLVs: value too large');\n tlvs.push({ tag: f.tag, value: valueBuf });\n };\n\n if (f.repeated) {\n if (!Array.isArray(val))\n throw new Error(\n `logicalBodyToTLVs: repeated field ${name} must be array`,\n );\n for (const item of val) pushOne(item);\n } else {\n pushOne(val);\n }\n }\n\n // Validate required + duplicates + nested schema correctness\n // Validation also enforces canonical ordering check only after encoding/decoding;\n // here we validate semantics.\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n // NOTE: canonical ordering will be applied in encodeTLVStreamCanonical()\n return tlvs;\n}\n\nfunction encodeFieldValue(\n f: Ats1FieldDescriptor,\n val: any,\n limits: Ats1Limits,\n): Buffer {\n switch (f.type) {\n case 'bytes':\n if (Buffer.isBuffer(val)) return Buffer.from(val);\n if (val instanceof Uint8Array) return Buffer.from(val);\n throw new Error(`encodeFieldValue: ${f.name} expects bytes`);\n case 'utf8':\n if (typeof val !== 'string')\n throw new Error(`encodeFieldValue: ${f.name} expects string`);\n return Buffer.from(val, 'utf8');\n case 'uvarint':\n if (typeof val !== 'number' && typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects number/bigint`);\n return encodeUVarint(val);\n case 'u64be':\n if (typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects bigint`);\n return encodeU64BE(val);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`encodeFieldValue: ${f.name} missing nestedSchema`);\n // Accept nested logical object in the form { fields: {...} } or direct record\n const nestedFields =\n val && typeof val === 'object' && 'fields' in val\n ? (val as any).fields\n : val;\n if (!nestedFields \|\| typeof nestedFields !== 'object')\n throw new Error(`encodeFieldValue: ${f.name} expects object`);\n const nestedBody: LogicalBody = {\n schemaId: f.nestedSchema.schemaId,\n fields: nestedFields,\n };\n const nestedTlvs = logicalBodyToTLVs(f.nestedSchema, nestedBody, limits);\n const nestedBytes = encodeTLVStreamCanonical(nestedTlvs);\n // Re-parse to ensure canonical encoding would pass, and validate\n const re = decodeTLVStream(nestedBytes, limits);\n validateTLVsAgainstSchema(f.nestedSchema, re, 1, limits);\n return nestedBytes;\n }\n default:\n throw new Error(`encodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\nexport function tlvsToLogicalBody(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): LogicalBody {\n // TLVs must already be decoded and canonical-checked\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n const fields: Record<string, any> = {};\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n for (const t of tlvs) {\n const f = fieldByTag.get(t.tag);\n if (!f) {\n if (schema.strict)\n throw new Error(`tlvsToLogicalBody: unknown tag ${t.tag}`);\n continue;\n }\n\n const decoded = decodeFieldValue(f, t.value, limits);\n\n if (f.repeated) {\n if (!Array.isArray(fields[f.name])) fields[f.name] = [];\n fields[f.name].push(decoded);\n } else {\n fields[f.name] = decoded;\n }\n }\n\n return { schemaId: schema.schemaId, fields };\n}\n\nfunction decodeFieldValue(\n f: Ats1FieldDescriptor,\n value: Buffer,\n limits: Ats1Limits,\n): any {\n switch (f.type) {\n case 'bytes':\n return Buffer.from(value);\n case 'utf8':\n return value.toString('utf8');\n case 'uvarint': {\n const r = decodeUVarint(value, 0, limits);\n if (r.offset !== value.length)\n throw new Error(\n `decodeFieldValue: ${f.name} uvarint has trailing bytes`,\n );\n // return as number when safe, else bigint\n const asNum = Number(r.value);\n return Number.isSafeInteger(asNum) ? asNum : r.value;\n }\n case 'u64be':\n return decodeU64BE(value);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`decodeFieldValue: ${f.name} missing nestedSchema`);\n const nestedTlvs = decodeTLVStream(value, limits);\n // nested schema validation is called by validateTLVsAgainstSchema already,\n // but we decode again safely here.\n const nestedBody = tlvsToLogicalBody(f.nestedSchema, nestedTlvs, limits);\n return nestedBody.fields; // return the record by default\n }\n default:\n throw new Error(`decodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\n// -----------------------------\n// AXIS HDR tags (ATS1 header TLVs)\n// -----------------------------\n\nexport const HDR_TAGS = {\n intent_id: 1,\n actor_key_id: 2,\n capsule_id: 3,\n nonce: 4,\n ts_ms: 5,\n schema_id: 6,\n body_hash: 7,\n trace_id: 8,\n} as const;\n\nexport type AxisHeaderLogical = {\n intentId: number;\n actorKeyId: Uint8Array;\n capsuleId?: Uint8Array;\n nonce: Uint8Array; // 16 bytes\n tsMs: bigint; // ms\n schemaId: number;\n bodyHash: Uint8Array; // 32 bytes\n traceId?: Uint8Array; // 16 bytes\n version?: number; // optional\n headerHash?: Uint8Array; // 32 bytes\n headerTlvs?: DecodedTlv[]; // optional\n bodyTlvs?: DecodedTlv[]; // optional\n};\n\nexport type AxisLogicalRequest = {\n hdr: AxisHeaderLogical;\n body: LogicalBody;\n};\n\nexport function encodeAxisHeaderToTLVs(hdr: AxisHeaderLogical): DecodedTlv[] {\n if (hdr.nonce.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: nonce must be 16 bytes');\n if (hdr.bodyHash.byteLength !== 32)\n throw new Error('encodeAxisHeaderToTLVs: bodyHash must be 32 bytes');\n if (hdr.traceId && hdr.traceId.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: traceId must be 16 bytes');\n\n const tlvs: DecodedTlv[] = [\n { tag: HDR_TAGS.intent_id, value: encodeUVarint(hdr.intentId) },\n { tag: HDR_TAGS.actor_key_id, value: Buffer.from(hdr.actorKeyId) },\n { tag: HDR_TAGS.nonce, value: Buffer.from(hdr.nonce) },\n { tag: HDR_TAGS.ts_ms, value: encodeU64BE(hdr.tsMs) },\n { tag: HDR_TAGS.schema_id, value: encodeUVarint(hdr.schemaId) },\n { tag: HDR_TAGS.body_hash, value: Buffer.from(hdr.bodyHash) },\n ];\n\n if (hdr.capsuleId)\n tlvs.push({ tag: HDR_TAGS.capsule_id, value: Buffer.from(hdr.capsuleId) });\n if (hdr.traceId)\n tlvs.push({ tag: HDR_TAGS.trace_id, value: Buffer.from(hdr.traceId) });\n\n return tlvs;\n}\n\nexport function decodeAxisHeaderFromTLVs(\n hdrTlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): AxisHeaderLogical {\n // hdr TLVs must be canonical-ordered (enforced by decodeTLVStream) and duplicates only if allowed.\n const m = tlvsToMap(hdrTlvs);\n\n const get1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr \|\| arr.length !== 1)\n throw new Error(\n `decodeAxisHeaderFromTLVs: missing/dup header tag ${tag}`,\n );\n return arr[0];\n };\n const getOpt1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr) return undefined;\n if (arr.length !== 1)\n throw new Error(`decodeAxisHeaderFromTLVs: dup header tag ${tag}`);\n return arr[0];\n };\n\n const intentIdVar = decodeUVarint(get1(HDR_TAGS.intent_id), 0, limits);\n if (intentIdVar.offset !== get1(HDR_TAGS.intent_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: intent_id trailing bytes');\n\n const schemaIdVar = decodeUVarint(get1(HDR_TAGS.schema_id), 0, limits);\n if (schemaIdVar.offset !== get1(HDR_TAGS.schema_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: schema_id trailing bytes');\n\n const ts = decodeU64BE(get1(HDR_TAGS.ts_ms));\n\n const nonce = get1(HDR_TAGS.nonce);\n if (nonce.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: nonce must be 16 bytes');\n\n const bodyHash = get1(HDR_TAGS.body_hash);\n if (bodyHash.length !== 32)\n throw new Error('decodeAxisHeaderFromTLVs: body_hash must be 32 bytes');\n\n const trace = getOpt1(HDR_TAGS.trace_id);\n if (trace && trace.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: trace_id must be 16 bytes');\n\n return {\n intentId: Number(intentIdVar.value),\n actorKeyId: Buffer.from(get1(HDR_TAGS.actor_key_id)),\n capsuleId: getOpt1(HDR_TAGS.capsule_id)\n ? Buffer.from(getOpt1(HDR_TAGS.capsule_id)!)\n : undefined,\n nonce: Buffer.from(nonce),\n tsMs: ts,\n schemaId: Number(schemaIdVar.value),\n bodyHash: Buffer.from(bodyHash),\n traceId: trace ? Buffer.from(trace) : undefined,\n };\n}\n\n// -----------------------------\n// Encode/Decode AXIS request body + hdr with body_hash binding\n// -----------------------------\n\nexport function encodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n req: Omit<AxisLogicalRequest, 'hdr'> & {\n hdr: Omit<AxisHeaderLogical, 'bodyHash'>;\n },\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdrBytes: Buffer; bodyBytes: Buffer; bodyHash: Buffer } {\n // 1) encode body TLVs\n const bodyTlvs = logicalBodyToTLVs(schema, req.body, limits);\n const bodyBytes = encodeTLVStreamCanonical(bodyTlvs);\n\n // 2) compute body hash\n const bodyHash = sha256(bodyBytes);\n\n // 3) encode hdr TLVs (with computed hash)\n const hdr: AxisHeaderLogical = {\n ...req.hdr,\n schemaId: schema.schemaId,\n bodyHash,\n };\n const hdrTlvs = encodeAxisHeaderToTLVs(hdr);\n const hdrBytes = encodeTLVStreamCanonical(hdrTlvs);\n\n return { hdrBytes, bodyBytes, bodyHash };\n}\n\nexport function decodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n hdrBytes: Buffer,\n bodyBytes: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdr: AxisHeaderLogical; body: LogicalBody; sensorInput: SensorInputLike } {\n const hdrTlvs = decodeTLVStream(hdrBytes, limits);\n const bodyTlvs = decodeTLVStream(bodyBytes, limits);\n\n const hdr = decodeAxisHeaderFromTLVs(hdrTlvs, limits);\n\n // Schema binding check\n if (hdr.schemaId !== schema.schemaId)\n throw new Error('decodeAxisRequestBinary: schemaId mismatch');\n\n // body_hash check\n const bh = sha256(bodyBytes);\n if (!Buffer.from(hdr.bodyHash).equals(bh))\n throw new Error('decodeAxisRequestBinary: body_hash mismatch');\n\n // validate + decode body\n const body = tlvsToLogicalBody(schema, bodyTlvs, limits);\n\n const sensorInput: SensorInputLike = {\n hdrTLVs: tlvsToMap(hdrTlvs),\n bodyTLVs: tlvsToMap(bodyTlvs),\n schemaId: hdr.schemaId,\n intentId: hdr.intentId,\n };\n\n return { hdr, body, sensorInput };\n}\n\n// -----------------------------\n// Example Schemas\n// -----------------------------\n\nexport const Schema3100_DeviceContext: Ats1SchemaDescriptor = {\n schemaId: 3100,\n name: 'device.context',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'deviceId', type: 'bytes', required: true, maxLen: 128 },\n { tag: 2, name: 'os', type: 'utf8', required: true, maxLen: 64 },\n { tag: 3, name: 'hw', type: 'utf8', required: true, maxLen: 64 },\n ],\n};\n\nexport const Schema2001_PasskeyLoginOptionsReq: Ats1SchemaDescriptor = {\n schemaId: 2001,\n name: 'axis.auth.passkey.login.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema4001_LoginWithDeviceReq: Ats1SchemaDescriptor = {\n schemaId: 4001,\n name: 'axis.auth.login.with_device.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'device',\n type: 'nested',\n required: true,\n nestedSchema: Schema3100_DeviceContext,\n },\n ],\n};\n","import { ATS1_HDR, ATS1_SCHEMA } from './ats1.constants';\nimport as ats1 from './ats1';\n\n/*\n Build canonical hdr for any request using ATS1 codec.\n /\nexport function buildAts1Hdr(params: {\n intentId: number;\n schemaId: number;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n tsMs?: bigint;\n nonce?: Buffer;\n bodyHash?: Buffer;\n}): Buffer {\n const hdr: ats1.AxisHeaderLogical = {\n intentId: params.intentId,\n schemaId: params.schemaId,\n actorKeyId: params.actorKeyId ?? Buffer.alloc(0),\n capsuleId: params.capsuleId,\n nonce: params.nonce ?? require('crypto').randomBytes(16),\n tsMs: params.tsMs ?? BigInt(Date.now()),\n bodyHash: params.bodyHash ?? Buffer.alloc(32),\n traceId: params.traceId,\n };\n\n const tlvs = ats1.encodeAxisHeaderToTLVs(hdr);\n return ats1.encodeTLVStreamCanonical(tlvs);\n}\n\n/\n PASSKEY: login.options.req\n * schema 2001 body:\n * - (1) username: utf8\n /\nexport function packPasskeyLoginOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n capsuleId: params.capsuleId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n Defined schemas for passkey operations\n /\nexport const Schema2021_PasskeyRegisterOptionsReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n name: 'axis.auth.passkey.register.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema2011_PasskeyLoginVerifyReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n name: 'axis.auth.passkey.login.verify.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'credentialId',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n {\n tag: 3,\n name: 'clientDataJSON',\n type: 'bytes',\n required: true,\n maxLen: 4096,\n },\n {\n tag: 4,\n name: 'authenticatorData',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n { tag: 5, name: 'signature', type: 'bytes', required: true, maxLen: 1024 },\n { tag: 6, name: 'userHandle', type: 'bytes', required: false, maxLen: 128 },\n ],\n};\n\n/\n PASSKEY: register.options.req\n /\nexport function packPasskeyRegisterOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n Schema2021_PasskeyRegisterOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyRegisterOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2021_PasskeyRegisterOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n PASSKEY: login.verify.req\n /\nexport function packPasskeyLoginVerifyReq(params: {\n intentId: number;\n username: string;\n credentialId: Buffer;\n clientDataJSON: Buffer;\n authenticatorData: Buffer;\n signature: Buffer;\n userHandle?: Buffer;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2011_PasskeyLoginVerifyReq, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n fields: {\n username: params.username,\n credentialId: params.credentialId,\n clientDataJSON: params.clientDataJSON,\n authenticatorData: params.authenticatorData,\n signature: params.signature,\n userHandle: params.userHandle,\n },\n });\n\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginVerifyReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2011_PasskeyLoginVerifyReq,\n tlvs,\n );\n const f = decoded.fields;\n\n return {\n username: f.username as string,\n credentialId: f.credentialId as Buffer,\n clientDataJSON: f.clientDataJSON as Buffer,\n authenticatorData: f.authenticatorData as Buffer,\n signature: f.signature as Buffer,\n userHandle: f.userHandle as Buffer \| undefined,\n };\n}\n\n// ========================================\n// Response Schemas\n// ========================================\n\n/\n Schema 2002: Passkey Login Options Response\n * - (1) challenge: bytes\n * - (2) timeout: uvarint (ms)\n * - (3) rpId: utf8\n * - (4) allowCredentials: bytes (nested TLV array, each item is id+type+transports)\n * - (5) userVerification: utf8\n /\nexport const Schema2002_PasskeyLoginOptionsRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n name: 'axis.auth.passkey.login.options.res',\n strict: false, // allow extra fields from WebAuthn library\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'challenge', type: 'utf8', required: true }, // base64url string\n { tag: 2, name: 'timeout', type: 'uvarint', required: false },\n { tag: 3, name: 'rpId', type: 'utf8', required: false },\n { tag: 4, name: 'userVerification', type: 'utf8', required: false },\n { tag: 5, name: 'allowCredentialsJson', type: 'utf8', required: false }, // JSON array for simplicity\n ],\n};\n\nexport function packPasskeyLoginOptionsRes(params: {\n challenge: string;\n timeout?: number;\n rpId?: string;\n userVerification?: string;\n allowCredentials?: { id: string; type: string; transports?: string[] }[];\n}): Buffer {\n const fields: Record<string, any> = {\n challenge: params.challenge,\n };\n if (params.timeout !== undefined) fields.timeout = params.timeout;\n if (params.rpId) fields.rpId = params.rpId;\n if (params.userVerification)\n fields.userVerification = params.userVerification;\n if (params.allowCredentials)\n fields.allowCredentialsJson = JSON.stringify(params.allowCredentials);\n\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2002_PasskeyLoginOptionsRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n fields,\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n\n/\n Schema 2012: Passkey Login Verify Response\n * - (1) actorId: utf8\n * - (2) keyId: utf8 (credentialId base64url)\n * - (3) capsule: bytes\n * - (4) expiresAt: u64be (ms)\n /\nexport const Schema2012_PasskeyLoginVerifyRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n name: 'axis.auth.passkey.login.verify.res',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'actorId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 2, name: 'keyId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 3, name: 'capsule', type: 'bytes', required: true, maxLen: 4096 },\n { tag: 4, name: 'expiresAt', type: 'u64be', required: true },\n ],\n};\n\nexport function packPasskeyLoginVerifyRes(params: {\n actorId: string;\n keyId: string;\n capsule: Buffer;\n expiresAt: bigint;\n}): Buffer {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2012_PasskeyLoginVerifyRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n fields: {\n actorId: params.actorId,\n keyId: params.keyId,\n capsule: params.capsule,\n expiresAt: params.expiresAt,\n },\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n","// tlv.encode.ts\nimport { randomBytes } from 'crypto';\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('VARINT_NEG');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n\nexport function u64be(x: bigint): Buffer {\n if (x < 0n) throw new Error('U64_NEG');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x, 0);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function bytes(b: Uint8Array \| Buffer): Buffer {\n return Buffer.isBuffer(b) ? b : Buffer.from(b);\n}\n\nexport function nonce16(): Buffer {\n return randomBytes(16);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n if (!Number.isSafeInteger(type) \|\| type < 0) throw new Error('TLV_BAD_TYPE');\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\n/\n Canonical TLV encoding:\n * - sorted by type ascending\n * - no duplicates by default\n /\nexport function buildTLVs(\n items: { type: number; value: Buffer }[],\n opts?: { allowDupTypes?: Set<number> },\n): Buffer {\n const allow = opts?.allowDupTypes ?? new Set<number>();\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n","// axis1.encode.ts\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\nexport type Axis1FrameToEncode = {\n ver: number; // 1\n flags: number; // bit flags\n hdr: Buffer; // TLVs\n body: Buffer; // TLVs or raw payload\n sig: Buffer; // signature bytes\n};\n\nexport function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer {\n if (\n !Buffer.isBuffer(f.hdr) \|\|\n !Buffer.isBuffer(f.body) \|\|\n !Buffer.isBuffer(f.sig)\n ) {\n throw new Error('AXIS1_BAD_BUFFERS');\n }\n if (f.ver !== 1) throw new Error('AXIS1_BAD_VER');\n\n const hdrLen = encVarint(BigInt(f.hdr.length));\n const bodyLen = encVarint(BigInt(f.body.length));\n const sigLen = encVarint(BigInt(f.sig.length));\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([f.ver & 0xff]),\n Buffer.from([f.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLen,\n f.hdr,\n f.body,\n f.sig,\n ]);\n}\n","// axis1.signing.ts\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\nexport function axis1SigningBytes(params: {\n ver: number;\n flags: number;\n hdr: Buffer;\n body: Buffer;\n}): Buffer {\n if (params.ver !== 1) throw new Error('AXIS1_BAD_VER');\n const hdrLen = encVarint(BigInt(params.hdr.length));\n const bodyLen = encVarint(BigInt(params.body.length));\n const sigLenZero = encVarint(0n); // IMPORTANT: sigLen=0 in signing bytes\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([params.ver & 0xff]),\n Buffer.from([params.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLenZero,\n params.hdr,\n params.body,\n ]);\n}\n","/\n Base64url encoding/decoding utilities\n * RFC 4648 base64url (URL-safe, no padding)\n /\n\n/\n Encode buffer to base64url string\n * @param buf - Buffer to encode\n * @returns Base64url string (no padding, URL-safe)\n /\nexport function b64urlEncode(buf: Buffer): string {\n return buf\n .toString('base64')\n .replace(/=/g, '')\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_');\n}\n\n/\n Decode base64url string to buffer\n * @param str - Base64url string\n * @returns Decoded buffer\n /\nexport function b64urlDecode(str: string): Buffer {\n // Add padding if needed\n const pad = str.length % 4 ? '='.repeat(4 - (str.length % 4)) : '';\n const base64 = (str + pad).replace(/-/g, '+').replace(/_/g, '/');\n return Buffer.from(base64, 'base64');\n}\n\n/\n Encode string to base64url\n * @param str - String to encode\n * @param encoding - String encoding (default: utf8)\n * @returns Base64url string\n /\nexport function b64urlEncodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlEncode(Buffer.from(str, encoding));\n}\n\n/\n Decode base64url string to string\n * @param str - Base64url string\n * @param encoding - String encoding (default: utf8)\n * @returns Decoded string\n /\nexport function b64urlDecodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlDecode(str).toString(encoding);\n}\n","/\n Canonical JSON serialization for stable cryptographic signing\n \n Rules:\n * - Recursively sort object keys lexicographically\n * - Remove undefined values\n * - Preserve array order\n * - No whitespace in output\n * - Stable number formatting\n /\n\n/\n Recursively sort object keys and remove undefined values\n /\nfunction sortRec(value: any): any {\n if (value === null) {\n return null;\n }\n\n if (value === undefined) {\n return undefined;\n }\n\n if (Array.isArray(value)) {\n return value.map(sortRec);\n }\n\n if (typeof value === 'object') {\n const sorted: Record<string, any> = {};\n const keys = Object.keys(value).sort();\n\n for (const key of keys) {\n const sortedValue = sortRec(value[key]);\n // Skip undefined values\n if (sortedValue !== undefined) {\n sorted[key] = sortedValue;\n }\n }\n\n return sorted;\n }\n\n // Primitive types (number, string, boolean)\n return value;\n}\n\n/\n Convert value to canonical JSON string for signing\n \n @param value - Value to canonicalize\n * @returns Canonical JSON string (no whitespace, sorted keys, no undefined)\n /\nexport function canonicalJson(value: any): string {\n return JSON.stringify(sortRec(value));\n}\n\n/\n Helper to create canonical JSON for signing (excluding specific fields)\n \n @param obj - Object to canonicalize\n * @param exclude - Fields to exclude (e.g., 'sig' when signing)\n * @returns Canonical JSON string\n /\nexport function canonicalJsonExcluding(\n obj: Record<string, any>,\n exclude: string[],\n): string {\n const filtered: Record<string, any> = {};\n\n for (const key in obj) {\n if (!exclude.includes(key) && obj[key] !== undefined) {\n filtered[key] = obj[key];\n }\n }\n\n return canonicalJson(filtered);\n}\n","export class ContractViolationError extends Error {\n constructor(\n public code: string,\n message: string,\n ) {\n super(message);\n this.name = 'ContractViolationError';\n }\n}\n\nexport interface ExecutionMetrics {\n dbWrites: number;\n dbReads: number;\n externalCalls: number;\n elapsedMs: number;\n}\n\nexport class ExecutionMeter {\n private dbWrites = 0;\n private dbReads = 0;\n private externalCalls = 0;\n private startTime: number;\n private contract: any; // ExecutionContract\n\n constructor(contract: any) {\n this.contract = contract;\n this.startTime = Date.now();\n }\n\n recordDbWrite(): void {\n this.dbWrites++;\n if (this.dbWrites > this.contract.maxDbWrites) {\n throw new ContractViolationError(\n 'MAX_DB_WRITES_EXCEEDED',\n `DB writes exceeded: ${this.dbWrites}/${this.contract.maxDbWrites}`,\n );\n }\n }\n\n recordDbRead(): void {\n this.dbReads++;\n if (this.contract.maxDbReads && this.dbReads > this.contract.maxDbReads) {\n throw new ContractViolationError(\n 'MAX_DB_READS_EXCEEDED',\n `DB reads exceeded: ${this.dbReads}/${this.contract.maxDbReads}`,\n );\n }\n }\n\n recordExternalCall(): void {\n this.externalCalls++;\n if (this.externalCalls > this.contract.maxExternalCalls) {\n throw new ContractViolationError(\n 'MAX_EXTERNAL_CALLS_EXCEEDED',\n `External calls exceeded: ${this.externalCalls}/${this.contract.maxExternalCalls}`,\n );\n }\n }\n\n checkTime(): void {\n const elapsed = Date.now() - this.startTime;\n if (elapsed > this.contract.maxTimeMs) {\n throw new ContractViolationError(\n 'MAX_TIME_EXCEEDED',\n `Execution time exceeded: ${elapsed}ms/${this.contract.maxTimeMs}ms`,\n );\n }\n }\n\n validateEffect(effect: string): void {\n // Wildcard allows any effect\n if (this.contract.allowedEffects.includes('')) {\n return;\n }\n\n if (!this.contract.allowedEffects.includes(effect)) {\n throw new ContractViolationError(\n 'INVALID_EFFECT',\n `Effect '${effect}' not allowed. Allowed: ${this.contract.allowedEffects.join(', ')}`,\n );\n }\n }\n\n getMetrics(): ExecutionMetrics {\n return {\n dbWrites: this.dbWrites,\n dbReads: this.dbReads,\n externalCalls: this.externalCalls,\n elapsedMs: Date.now() - this.startTime,\n };\n }\n\n getContract() {\n return this.contract;\n }\n}\n","export interface ExecutionContract {\n maxDbWrites: number;\n maxDbReads?: number;\n maxExternalCalls: number;\n maxTimeMs: number;\n allowedEffects: string[];\n maxMemoryMb?: number;\n}\n\nexport const DEFAULT_CONTRACTS: Record<string, ExecutionContract> = {\n // System intents\n 'system.ping': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 100,\n allowedEffects: ['system.pong'],\n },\n\n // Catalog intents\n 'catalog.list': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['catalog.listed'],\n },\n 'catalog.search': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['catalog.searched'],\n },\n\n // Passport intents\n 'passport.issue': {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['passport.issued', 'passport.rejected'],\n },\n 'passport.revoke': {\n maxDbWrites: 5,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['passport.revoked', 'passport.revoke_failed'],\n },\n\n // File intents\n 'file.init': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['file.initialized'],\n },\n 'file.chunk': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: ['file.chunk.stored'],\n },\n 'file.finalize': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['file.finalized'],\n },\n\n // Stream intents\n 'stream.publish': {\n maxDbWrites: 1,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['stream.published'],\n },\n 'stream.read': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['stream.data'],\n },\n\n // Mail intents\n 'mail.send': {\n maxDbWrites: 3,\n maxExternalCalls: 1, // Email service\n maxTimeMs: 2000,\n allowedEffects: ['mail.sent', 'mail.failed'],\n },\n};\n\n// Default contract for unknown intents\nexport const FALLBACK_CONTRACT: ExecutionContract = {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: [''], // Allow any effect\n};\n","/\n Decodes a variable-length integer (Varint) from a buffer.\n * Supports up to 64-bit integers.\n \n @param {Buffer} buf - The buffer to read from\n * @param {number} off - The offset to start reading from\n * @returns {Object} The decoded bigint value and the new offset\n * @throws {Error} If the varint is malformed or exceeds 64 bits\n /\nexport function decVarint(\n buf: Buffer,\n off: number,\n): { val: bigint; off: number } {\n let shift = 0n;\n let x = 0n;\n while (true) {\n if (off >= buf.length) throw new Error('varint overflow');\n const b = BigInt(buf[off++]);\n x \|= (b & 0x7fn) << shift;\n if ((b & 0x80n) === 0n) break;\n shift += 7n;\n if (shift > 63n) throw new Error('varint too large');\n }\n return { val: x, off };\n}\n\nimport type { TLV } from '../core/tlv';\n\n/\n Parses a buffer into an array of TLV objects.\n \n @param {Buffer} buf - The buffer containing TLV-encoded data\n * @param {number} [maxItems=512] - Security limit for the number of TLVs to parse\n * @returns {TLV[]} An array of parsed TLVs\n * @throws {Error} If TLV structure is invalid or limits are exceeded\n /\nexport function parseTLVs(buf: Buffer, maxItems: number = 512): TLV[] {\n const out: TLV[] = [];\n let off = 0;\n while (off < buf.length) {\n if (out.length >= maxItems) throw new Error('TLV_TOO_MANY_ITEMS');\n const t1 = decVarint(buf, off);\n off = t1.off;\n const t2 = decVarint(buf, off);\n off = t2.off;\n const type = Number(t1.val);\n const len = Number(t2.val);\n if (len < 0 \|\| off + len > buf.length) {\n throw new Error('TLV_LEN_INVALID');\n }\n const value = buf.subarray(off, off + len);\n off += len;\n out.push({ type, value });\n }\n return out;\n}\n\n/\n Parses TLVs and organizes them into a Map for efficient access.\n * Multiple values for the same type are preserved in an array.\n \n @param {Buffer} buf - The raw TLV-encoded buffer\n * @returns {Map<number, Buffer[]>} A map of Tag -> [Values]\n /\nexport function tlvMap(buf: Buffer): Map<number, Buffer[]> {\n const m = new Map<number, Buffer[]>();\n for (const it of parseTLVs(buf)) {\n const arr = m.get(it.type) ?? [];\n arr.push(it.value as Buffer);\n m.set(it.type, arr);\n }\n return m;\n}\n\nexport function asUtf8(b?: Buffer): string \| undefined {\n if (!b) return undefined;\n return b.toString('utf8');\n}\n\nexport function asBigintVarint(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n const { val, off } = decVarint(b, 0);\n if (off !== b.length) throw new Error('VARINT_TRAILING_BYTES');\n return val;\n}\n\n/\n Parses an 8-byte big-endian buffer as a BigInt.\n * Used for timestamps which are sent as fixed 8-byte u64.\n /\nexport function asBigint64BE(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n if (b.length !== 8) throw new Error('Expected 8 bytes for u64');\n return b.readBigUInt64BE(0);\n}\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('varint neg');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\nexport function buildTLVs(items: { type: number; value: Buffer }[]): Buffer {\n // Canonical: sort by type ascending\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n // Canonical: forbid duplicate tags by default\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n\nexport function u64be(x: bigint): Buffer {\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n","import { decVarint } from './tlv';\n\n/\n Axis1DecodedFrame\n \n Represents a parsed AXIS v1 binary frame.\n \n @typedef {Object} Axis1DecodedFrame\n /\nexport type Axis1DecodedFrame = {\n /* Protocol version (should be 1) /\n ver: number;\n /* Frame flags for protocol extensions /\n flags: number;\n /* Raw header bytes (containing primary TLVs) /\n hdr: Buffer;\n /* Raw body bytes (the main payload) /\n body: Buffer;\n /* Cryptographic signature bytes /\n sig: Buffer;\n /* Total original size of the frame in bytes /\n frameSize: number;\n};\n\nconst MAGIC = Buffer.from('AXIS1', 'ascii');\n\n/\n Decodes a raw binary buffer into a structured Axis1DecodedFrame.\n * Implements the AXIS v1 wire format specification.\n \n Binary Structure (canonical):\n * 1. Magic: 'AXIS1' (5 bytes)\n * 2. Version: (1 byte)\n * 3. Flags: (1 byte)\n * 4. HDR_LEN: Varint\n * 5. BODY_LEN: Varint\n * 6. SIG_LEN: Varint\n * 7. HDR: (HDR_LEN bytes)\n * 8. BODY: (BODY_LEN bytes)\n * 9. SIG: (SIG_LEN bytes)\n \n @param {Buffer} buf - Raw bytes from the wire\n * @returns {Axis1DecodedFrame} Parsed frame object\n * @throws {Error} If magic is invalid, frame is truncated, or lengths are inconsistent\n /\nexport function decodeAxis1Frame(buf: Buffer): Axis1DecodedFrame {\n let off = 0;\n\n const magic = buf.subarray(off, off + 5);\n off += 5;\n if (magic.length !== 5 \|\| !magic.equals(MAGIC))\n throw new Error('AXIS1_BAD_MAGIC');\n\n if (off + 2 > buf.length) throw new Error('AXIS1_TRUNCATED');\n const ver = buf[off++];\n const flags = buf[off++];\n\n // Read all three lengths first (canonical order: hdrLen, bodyLen, sigLen)\n const h1 = decVarint(buf, off);\n off = h1.off;\n const b1 = decVarint(buf, off);\n off = b1.off;\n const s1 = decVarint(buf, off);\n off = s1.off;\n\n const hdrLen = Number(h1.val);\n const bodyLen = Number(b1.val);\n const sigLen = Number(s1.val);\n\n if (hdrLen < 0 \|\| bodyLen < 0 \|\| sigLen < 0) throw new Error('AXIS1_LEN_NEG');\n\n if (off + hdrLen + bodyLen + sigLen > buf.length)\n throw new Error('AXIS1_TRUNCATED_PAYLOAD');\n\n // Then read payloads in order: HDR, BODY, SIG\n const hdr = buf.subarray(off, off + hdrLen);\n off += hdrLen;\n const body = buf.subarray(off, off + bodyLen);\n off += bodyLen;\n const sig = buf.subarray(off, off + sigLen);\n off += sigLen;\n\n if (off !== buf.length) throw new Error('AXIS1_TRAILING_BYTES');\n\n return { ver, flags, hdr, body, sig, frameSize: buf.length };\n}\n","import {\n TLV_ACTOR_ID,\n TLV_INTENT,\n TLV_NONCE,\n TLV_PID,\n TLV_PROOF_REF,\n TLV_PROOF_TYPE,\n TLV_TS,\n} from '../core/constants';\nimport { asBigint64BE, asBigintVarint, asUtf8, tlvMap } from './tlv';\n\n/\n AXIS TLV Tag Definitions (as per specification)\n /\nexport const T = {\n /* The specific intent or action (e.g., 'vault.create') /\n INTENT: TLV_INTENT,\n /* Package identifier / ID /\n PID: TLV_PID,\n /* Versioning of the intent schema /\n INTENT_VERSION: 10, // Defaulting to TRACE_ID for now or a new tag if available\n /* Unique identifier for the requesting actor /\n ACTOR_ID: TLV_ACTOR_ID,\n /* Optional Capability Token identifier (16 bytes) /\n CAPSULE_ID: TLV_PROOF_REF,\n /* Unique session/request identifier (16 bytes) /\n NONCE: TLV_NONCE,\n /* High-precision Unix timestamp in milliseconds /\n TS_MS: TLV_TS,\n /* Proof type /\n PROOF_TYPE: TLV_PROOF_TYPE,\n /* Standard binary body tag /\n BODY: 100,\n /* Standard JSON-encoded body tag /\n JSON: 200,\n};\n\n/\n AxisPacket\n \n A high-level representation of an AXIS message after TLV decoding.\n * Combines header metadata with the raw body and signature.\n \n @typedef {Object} AxisPacket\n /\nexport type AxisPacket = {\n /* The intent string /\n intent: string;\n /* Intent schema version /\n intentVersion: number;\n /* Actor identifier /\n actorId: string;\n /* Optional binary Capsule ID /\n capsuleId?: Buffer;\n /* Packet identifier /\n pid: Buffer;\n /* Random nonce for replay protection /\n nonce: Buffer;\n /* Request timestamp /\n tsMs: bigint;\n /* Decoded header TLV map /\n headersMap: Map<number, Buffer[]>;\n /* Decoded body TLV map (if body contains TLVs) /\n bodyMap: Map<number, Buffer[]>;\n /* Original raw header bytes /\n hdrBytes: Buffer;\n /* Original raw body bytes /\n bodyBytes: Buffer;\n /* Cryptographic signature of the frame /\n sig: Buffer;\n};\n\n/\n Constructs a structured AxisPacket from raw header, body, and signature buffers.\n * Performs rigorous validation on mandatory AXIS fields.\n \n @param {Buffer} hdr - Raw header bytes containing the primary TLVs\n * @param {Buffer} body - Raw body bytes\n * @param {Buffer} sig - Signature bytes for the frame\n * @param {number} [flags=0] - Frame flags (bit 0 = BODY_IS_TLV)\n * @returns {AxisPacket} A fully validated AxisPacket object\n * @throws {Error} If mandatory fields (intent, version, actor, nonce, ts) are missing or malformed\n /\nexport function buildPacket(\n hdr: Buffer,\n body: Buffer,\n sig: Buffer,\n flags: number = 0,\n): AxisPacket {\n const hm = tlvMap(hdr);\n\n // Only parse body as TLV if BODY_IS_TLV flag is set (bit 0)\n const BODY_IS_TLV = 0x01;\n const bm = flags & BODY_IS_TLV ? tlvMap(body) : new Map<number, Buffer[]>();\n\n const intent = asUtf8(hm.get(T.INTENT)?.[0]);\n const intentVerRaw = hm.get(T.INTENT_VERSION)?.[0];\n const intentVer = intentVerRaw ? Number(asBigintVarint(intentVerRaw)) : 1;\n const actorIdRaw = hm.get(T.ACTOR_ID)?.[0];\n const actorId = actorIdRaw ? actorIdRaw.toString('hex') : undefined;\n const capsuleId = hm.get(T.CAPSULE_ID)?.[0];\n const pid = hm.get(T.PID)?.[0] \|\| hm.get(T.NONCE)?.[0]; // Fallback to nonce if pid missing\n const nonce = hm.get(T.NONCE)?.[0];\n const tsMs = asBigint64BE(hm.get(T.TS_MS)?.[0]);\n\n if (!intent) throw new Error('PACKET_MISSING_INTENT');\n if (!actorId) throw new Error('PACKET_MISSING_ACTOR_ID');\n if (!nonce \|\| nonce.length < 16 \|\| nonce.length > 32)\n throw new Error('PACKET_BAD_NONCE');\n if (!pid) throw new Error('PACKET_MISSING_PID');\n if (!tsMs) throw new Error('PACKET_MISSING_TS');\n\n return {\n intent,\n intentVersion: intentVer,\n actorId,\n capsuleId,\n pid,\n nonce,\n tsMs,\n headersMap: hm,\n bodyMap: bm,\n hdrBytes: hdr,\n bodyBytes: body,\n sig,\n };\n}\n","/\n AXIS Capability Model\n * Maps proof types to capabilities and intents to requirements.\n /\nimport { PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS } from '../core/constants';\n\n/\n Available capabilities in the AXIS system.\n * Each represents a distinct permission level.\n /\nexport const CAPABILITIES = {\n read: 'read',\n write: 'write',\n execute: 'execute',\n admin: 'admin',\n sign: 'sign',\n witness: 'witness',\n} as const;\n\nexport type Capability = keyof typeof CAPABILITIES;\n\n/\n Maps proof type codes to granted capabilities.\n /\nexport const PROOF_CAPABILITIES: Record<number, Capability[]> = {\n [PROOF_NONE]: [],\n [PROOF_CAPSULE]: ['read', 'write', 'execute'],\n [PROOF_JWT]: ['read'],\n [PROOF_MTLS]: ['read', 'write', 'admin'],\n [PROOF_LOOM]: ['read', 'write', 'execute'],\n [PROOF_WITNESS]: ['read', 'write', 'execute', 'witness'],\n};\n\n/\n Maps intent patterns to required capabilities.\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_REQUIREMENTS: Record<string, Capability[]> = {\n 'public.': [],\n 'schema.': [],\n 'catalog.': [],\n 'health.': [],\n 'system.': [],\n\n 'file.upload': ['write'],\n 'file.download': ['read'],\n 'file.delete': ['write', 'admin'],\n\n 'passport.issue': ['write', 'execute'],\n 'passport.revoke': ['write', 'witness'],\n\n 'stream.publish': ['write'],\n 'stream.subscribe': ['read'],\n\n // NestFlow intents\n 'auth.web.login.': ['execute'],\n 'tickauth.challenge.': ['execute'],\n 'capsule.issue.': ['write', 'execute'],\n 'session.': ['execute'],\n 'device.list': ['read'],\n 'device.rename': ['write'],\n 'device.trust.': ['write', 'execute'],\n 'device.revoke': ['write', 'execute'],\n 'identity.': ['admin', 'execute'],\n 'primary.device.': ['admin', 'execute'],\n 'secret.rotate': ['admin'],\n 'org.security.': ['admin'],\n 'production.execution.': ['admin', 'execute'],\n\n 'admin.': ['admin'],\n};\n","/\n AXIS Risk Signal Types\n \n Protocol-level types for risk evaluation and signalling.\n * Used by sensors, risk gates, and anomaly detectors.\n /\n\n/\n A discrete risk signal emitted by a detector or sensor.\n * Signals are aggregated by the risk gate to produce a final RiskEvaluation.\n /\nexport interface RiskSignal {\n type: string;\n severity: 'low' \| 'medium' \| 'high' \| 'critical';\n value: any;\n message: string;\n}\n\n/\n Granular risk gate decision outcomes.\n * More expressive than a binary ALLOW/DENY — covers step-up and witness flows.\n /\nexport enum RiskDecision {\n ALLOW = 'ALLOW',\n THROTTLE = 'THROTTLE',\n STEP_UP = 'STEP_UP',\n WITNESS = 'WITNESS',\n DENY = 'DENY',\n}\n\n/\n The result of a risk gate evaluation over a set of signals.\n /\nexport interface RiskEvaluation {\n decision: RiskDecision;\n reason?: string;\n retryAfterMs?: number;\n /* Confidence score in range [0, 1]. /\n confidence: number;\n signals: RiskSignal[];\n}\n","/\n AXIS Opcode Registry\n * Central registry of all allowed opcodes.\n * Unknown opcodes are rejected by default (no shadow endpoints).\n /\n\nexport const AXIS_OPCODES = new Set([\n 'CAPSULE.ISSUE',\n 'CAPSULE.BATCH',\n 'CAPSULE.REVOKE',\n 'INTENT.EXEC',\n 'ACTOR.KEY.ROTATE',\n 'ACTOR.KEY.REVOKE',\n 'ISSUER.KEY.ROTATE',\n // NestFlow opcodes\n 'AUTH.WEB.LOGIN',\n 'AUTH.WEB.SCAN',\n 'TICKAUTH.CREATE',\n 'TICKAUTH.FULFILL',\n 'TICKAUTH.REJECT',\n 'SESSION.ACTIVATE',\n 'SESSION.REFRESH',\n 'SESSION.LOGOUT',\n 'DEVICE.TRUST',\n 'DEVICE.PROMOTE',\n 'DEVICE.REVOKE',\n 'DEVICE.LIST',\n 'DEVICE.RENAME',\n 'IDENTITY.RECOVERY',\n 'IDENTITY.LOCK',\n]);\n\nexport function isKnownOpcode(op: string): boolean {\n return AXIS_OPCODES.has(op);\n}\n\n/\n Returns true if the opcode requires elevated permissions.\n /\nexport function isAdminOpcode(op: string): boolean {\n return (\n op.startsWith('ACTOR.KEY.') \|\|\n op.startsWith('ISSUER.KEY.') \|\|\n op.startsWith('IDENTITY.')\n );\n}\n","/\n AXIS Receipt Hash Construction\n * Canonical receipt chain hash — protocol invariant.\n * Any compliant implementation must produce identical hashes.\n /\nimport { createHash } from 'crypto';\n\n/* Canonical receipt effect types /\nexport type ReceiptEffect = 'ALLOW' \| 'DENY' \| 'ERROR';\n\n/\n Builds the canonical SHA-256 hash for a receipt in the chain.\n \n Field order (protocol-defined):\n * prevHash? \| pid \| actorId (utf8) \| intent (utf8) \| effect (utf8) \| ts (utf8 string)\n \n @param prevHash Previous receipt hash (null for first receipt)\n * @param pid Process/packet ID (raw bytes)\n * @param actorId Actor identifier (string)\n * @param intent Intent name (string)\n * @param effect Execution effect ('ALLOW' \| 'DENY' \| 'ERROR')\n * @param ts Timestamp as bigint (milliseconds since epoch)\n * @returns 32-byte SHA-256 hash\n /\nexport function buildReceiptHash(\n prevHash: Buffer \| null,\n pid: Buffer,\n actorId: string,\n intent: string,\n effect: ReceiptEffect,\n ts: bigint,\n): Buffer {\n const h = createHash('sha256');\n if (prevHash) h.update(prevHash);\n h.update(pid);\n h.update(Buffer.from(actorId, 'utf8'));\n h.update(Buffer.from(intent, 'utf8'));\n h.update(Buffer.from(effect, 'utf8'));\n h.update(Buffer.from(ts.toString(), 'utf8'));\n return h.digest();\n}\n","/\n AXIS Intent Sensitivity Classification\n * Protocol-level risk classification for intents.\n /\n\nexport enum IntentSensitivity {\n LOW = 1,\n MEDIUM = 2,\n HIGH = 3,\n CRITICAL = 4,\n}\n\n/\n Maps known intents to their sensitivity level.\n /\nexport const INTENT_SENSITIVITY_MAP: Record<string, IntentSensitivity> = {\n // System intents\n 'system.ping': IntentSensitivity.LOW,\n\n // Catalog intents\n 'catalog.list': IntentSensitivity.LOW,\n 'catalog.search': IntentSensitivity.LOW,\n 'catalog.intent.describe': IntentSensitivity.LOW,\n 'catalog.intent.complete': IntentSensitivity.LOW,\n\n // Stream intents\n 'stream.publish': IntentSensitivity.MEDIUM,\n 'stream.read': IntentSensitivity.MEDIUM,\n 'stream.subscribe': IntentSensitivity.MEDIUM,\n\n // File intents\n 'file.init': IntentSensitivity.MEDIUM,\n 'file.chunk': IntentSensitivity.MEDIUM,\n 'file.finalize': IntentSensitivity.MEDIUM,\n 'file.status': IntentSensitivity.LOW,\n\n // Passport intents\n 'passport.issue': IntentSensitivity.HIGH,\n 'passport.verify': IntentSensitivity.MEDIUM,\n 'passport.revoke': IntentSensitivity.CRITICAL,\n\n // Mail intents\n 'mail.send': IntentSensitivity.HIGH,\n\n // Admin intents\n 'admin.create_capsule': IntentSensitivity.CRITICAL,\n 'admin.revoke_capsule': IntentSensitivity.CRITICAL,\n 'admin.issue_node_cert': IntentSensitivity.CRITICAL,\n\n // NestFlow: Auth\n 'auth.web.login.request': IntentSensitivity.MEDIUM,\n 'auth.web.login.scan': IntentSensitivity.HIGH,\n\n // NestFlow: TickAuth\n 'tickauth.challenge.create': IntentSensitivity.MEDIUM,\n 'tickauth.challenge.fulfill': IntentSensitivity.HIGH,\n 'tickauth.challenge.reject': IntentSensitivity.MEDIUM,\n\n // NestFlow: Capsule issuance\n 'capsule.issue.login': IntentSensitivity.HIGH,\n 'capsule.issue.device_registration': IntentSensitivity.HIGH,\n 'capsule.issue.step_up': IntentSensitivity.HIGH,\n 'capsule.issue.recovery': IntentSensitivity.CRITICAL,\n\n // NestFlow: Session\n 'session.activate': IntentSensitivity.HIGH,\n 'session.refresh': IntentSensitivity.MEDIUM,\n 'session.logout': IntentSensitivity.LOW,\n\n // NestFlow: Device trust\n 'device.trust.request': IntentSensitivity.HIGH,\n 'device.trust.promote': IntentSensitivity.CRITICAL,\n 'device.revoke': IntentSensitivity.CRITICAL,\n 'device.list': IntentSensitivity.LOW,\n 'device.rename': IntentSensitivity.LOW,\n\n // NestFlow: Protected operations\n 'flow.publish': IntentSensitivity.MEDIUM,\n 'flow.delete': IntentSensitivity.HIGH,\n 'node.delete': IntentSensitivity.CRITICAL,\n 'secret.rotate': IntentSensitivity.CRITICAL,\n 'org.security.update': IntentSensitivity.CRITICAL,\n 'production.execution.approve': IntentSensitivity.CRITICAL,\n\n // NestFlow: Recovery\n 'identity.recovery.start': IntentSensitivity.CRITICAL,\n 'identity.recovery.complete': IntentSensitivity.CRITICAL,\n 'primary.device.rotate': IntentSensitivity.CRITICAL,\n 'identity.lock': IntentSensitivity.CRITICAL,\n 'identity.unlock': IntentSensitivity.CRITICAL,\n};\n\n/\n Classifies an intent's sensitivity level.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix wildcard match (realm.)\n 3. Default to MEDIUM\n /\nexport function classifyIntent(intent: string): IntentSensitivity {\n if (INTENT_SENSITIVITY_MAP[intent]) {\n return INTENT_SENSITIVITY_MAP[intent];\n }\n\n const realm = intent.split('.')[0];\n const wildcardKey = `${realm}.`;\n if (INTENT_SENSITIVITY_MAP[wildcardKey]) {\n return INTENT_SENSITIVITY_MAP[wildcardKey];\n }\n\n return IntentSensitivity.MEDIUM;\n}\n\n/*\n Returns the string name for a sensitivity level.\n /\nexport function sensitivityName(level: IntentSensitivity): string {\n switch (level) {\n case IntentSensitivity.LOW:\n return 'LOW';\n case IntentSensitivity.MEDIUM:\n return 'MEDIUM';\n case IntentSensitivity.HIGH:\n return 'HIGH';\n case IntentSensitivity.CRITICAL:\n return 'CRITICAL';\n }\n}\n","/\n AXIS Intent Timeout Configuration\n * Protocol-level per-intent execution time limits.\n /\n\n/\n Per-intent timeout configuration (milliseconds).\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_TIMEOUTS: Record<string, number> = {\n 'public.': 5000,\n 'schema.': 5000,\n 'catalog.': 5000,\n 'health.': 2000,\n\n 'file.upload': 60000,\n 'file.download': 60000,\n 'file.chunk': 30000,\n 'file.finalize': 30000,\n\n 'stream.': 30000,\n\n 'passport.': 15000,\n\n 'admin.': 30000,\n};\n\n/* Default timeout for unspecified intents /\nexport const DEFAULT_TIMEOUT = 10000;\n\n/\n Resolves the timeout for a given intent.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix pattern match (e.g. 'file.')\n 3. DEFAULT_TIMEOUT\n /\nexport function resolveTimeout(intent: string): number {\n if (INTENT_TIMEOUTS[intent]) {\n return INTENT_TIMEOUTS[intent];\n }\n\n for (const [pattern, timeout] of Object.entries(INTENT_TIMEOUTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1);\n if (intent.startsWith(prefix)) {\n return timeout;\n }\n }\n }\n\n return DEFAULT_TIMEOUT;\n}\n","/*\n AXIS Frame Shape Validator\n * Validates structural integrity of AXIS frames before cryptographic verification.\n /\n\n/\n Validates that a value has the structural shape of an AXIS Frame.\n * Checks version, required string fields, timestamp, signature envelope, and body.\n \n Note: This validates the JSON-level frame shape (v1 packet format).\n * For binary frame validation, use decodeFrame() which throws on malformed input.\n /\nexport function validateFrameShape(frame: any): boolean {\n if (!frame \|\| typeof frame !== 'object') {\n return false;\n }\n\n if (frame.v !== 1) {\n return false;\n }\n\n const requiredStrings = ['pid', 'nonce', 'actorId', 'opcode'];\n for (const key of requiredStrings) {\n if (typeof frame[key] !== 'string' \|\| frame[key].length < 6) {\n return false;\n }\n }\n\n if (typeof frame.ts !== 'number' \|\| !Number.isFinite(frame.ts)) {\n return false;\n }\n\n if (\n frame.aud !== undefined &&\n (typeof frame.aud !== 'string' \|\| frame.aud.length === 0)\n ) {\n return false;\n }\n\n if (!frame.sig \|\| typeof frame.sig !== 'object') {\n return false;\n }\n\n if (frame.sig.alg !== 'EdDSA') {\n return false;\n }\n\n if (typeof frame.sig.kid !== 'string' \|\| frame.sig.kid.length < 8) {\n return false;\n }\n\n if (typeof frame.sig.value !== 'string' \|\| frame.sig.value.length < 32) {\n return false;\n }\n\n if (typeof frame.body !== 'object' \|\| frame.body === null) {\n return false;\n }\n\n return true;\n}\n\n/\n Validates timestamp is within acceptable skew window.\n /\nexport function isTimestampValid(\n ts: number,\n skewSeconds: number = 120,\n): boolean {\n const now = Math.floor(Date.now() / 1000);\n const diff = Math.abs(now - ts);\n return diff <= skewSeconds;\n}\n","export const AXIS_UPLOAD_SESSION_STORE = 'AXIS_UPLOAD_SESSION_STORE';\nexport const AXIS_UPLOAD_FILE_STORE = 'AXIS_UPLOAD_FILE_STORE';\nexport const AXIS_UPLOAD_RECEIPT_SIGNER = 'AXIS_UPLOAD_RECEIPT_SIGNER';\n","export type UploadSessionStatus =\n \| 'ACTIVE'\n \| 'FINALIZING'\n \| 'COMPLETE'\n \| 'ABORTED';\n\nexport interface UploadSessionRecord {\n id?: string;\n fileId: string;\n filename?: string;\n status: UploadSessionStatus \| string;\n totalSize?: number;\n chunkSize?: number;\n totalChunks?: number;\n receivedBitmap?: Uint8Array \| Buffer \| null;\n hashState?: Uint8Array \| Buffer \| null;\n mimeType?: string \| null;\n version?: number;\n}\n\nexport interface UploadSessionStore {\n findByFileId(fileId: string): Promise<UploadSessionRecord \| null>;\n updateStatus(\n fileId: string,\n status: UploadSessionStatus,\n hashState?: Uint8Array \| Buffer \| null,\n ): Promise<void>;\n}\n\nexport interface UploadReceiptSigner {\n signActive(message: Uint8Array): { kid: string; sig: Uint8Array };\n}\n\nexport interface UploadFileStat {\n path: string;\n size: number;\n}\n\nexport interface UploadFileStore {\n getFinalPath(fileId: string, filename?: string): string;\n getTempPath(fileId: string): string;\n statFinal(fileId: string, filename?: string): Promise<UploadFileStat>;\n readFinalRange(\n fileId: string,\n filename: string \| undefined,\n start: number,\n length: number,\n ): Promise<Buffer>;\n hasTemp(fileId: string): Promise<boolean>;\n moveTempToFinal(fileId: string, filename?: string): Promise<string>;\n createTempReadStream(fileId: string): NodeJS.ReadableStream;\n}\n","import { Inject, Injectable, Logger, Optional } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame, getSignTarget } from '../core/axis-bin';\nimport { decodeVarint, encodeVarint } from '../core/varint';\nimport { Handler } from '../decorators/handler.decorator';\nimport { Intent } from '../decorators/intent.decorator';\nimport { AxisHandler } from '../interfaces/axis-handler.interface';\nimport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from './upload.tokens';\nimport {\n UploadFileStore,\n UploadReceiptSigner,\n UploadSessionStore,\n} from './upload.types';\n\n@Handler('axis.files.download')\n@Injectable()\nexport class AxisFilesDownloadHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesDownloadHandler.name);\n\n readonly name = 'axis.files.download';\n readonly open = true;\n readonly description = 'File download handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n ) {}\n\n @Intent('file.download', { absolute: true, kind: 'read' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const h = headers;\n if (!h) throw new Error('MISSING_HEADERS');\n\n const uploadIdBytes = h.get(20);\n if (!uploadIdBytes) throw new Error('MISSING_UPLOAD_ID');\n const uploadId = new TextDecoder().decode(uploadIdBytes);\n\n let rangeStart = 0;\n let rangeLen = -1;\n\n const startBytes = h.get(21);\n if (startBytes) {\n const { value } = decodeVarint(startBytes);\n rangeStart = value;\n }\n\n const lenBytes = h.get(22);\n if (lenBytes) {\n const { value } = decodeVarint(lenBytes);\n rangeLen = value;\n }\n\n const session = await this.sessions.findByFileId(uploadId);\n if (!session) {\n throw new Error(`SESSION_NOT_FOUND: ${uploadId}`);\n }\n\n if (session.status !== 'COMPLETE') {\n throw new Error(`FILE_NOT_READY: Status is ${session.status}`);\n }\n\n const stat = await this.files.statFinal(\n uploadId,\n session.filename,\n );\n const fileSize = stat.size;\n\n if (rangeStart < 0) rangeStart = 0;\n if (rangeStart >= fileSize) throw new Error('RANGE_OUT_OF_BOUNDS');\n\n let end = fileSize;\n if (rangeLen >= 0) {\n end = Math.min(rangeStart + rangeLen, fileSize);\n }\n\n const actualLen = end - rangeStart;\n const buffer = await this.files.readFinalRange(\n uploadId,\n session.filename,\n rangeStart,\n actualLen,\n );\n\n const responseHeaders = new Map<number, Uint8Array>();\n responseHeaders.set(30, encodeVarint(fileSize));\n responseHeaders.set(31, encodeVarint(rangeStart));\n responseHeaders.set(32, encodeVarint(actualLen));\n\n return {\n ok: true,\n effect: 'FILE_PART',\n body: buffer,\n headers: responseHeaders,\n };\n }\n}\n\n@Handler('axis.files.finalize')\n@Injectable()\nexport class AxisFilesFinalizeHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesFinalizeHandler.name);\n\n readonly name = 'axis.files.finalize';\n readonly open = false;\n readonly description = 'File upload finalization handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n @Optional()\n @Inject(AXIS_UPLOAD_RECEIPT_SIGNER)\n private readonly keyring?: UploadReceiptSigner,\n ) {}\n\n @Intent('file.finalize', { absolute: true, kind: 'action' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const bodyStr = new TextDecoder().decode(body);\n const req = JSON.parse(bodyStr);\n\n const { fileId, expectedHash } = req;\n if (!fileId) throw new Error('MISSING_FILE_ID');\n\n const session = await this.sessions.findByFileId(fileId);\n if (!session) throw new Error('SESSION_NOT_FOUND');\n\n if (!(await this.files.hasTemp(fileId))) {\n throw new Error('CHUNKS_NOT_FOUND');\n }\n\n const hash = crypto.createHash('sha256');\n const rs = this.files.createTempReadStream(fileId);\n for await (const chunk of rs) {\n hash.update(chunk as Buffer);\n }\n const finalHash = hash.digest('hex');\n\n if (expectedHash && finalHash !== expectedHash) {\n throw new Error('HASH_MISMATCH');\n }\n\n const finalPath = await this.files.moveTempToFinal(\n fileId,\n session.filename,\n );\n\n await this.sessions.updateStatus(fileId, 'COMPLETE', null);\n\n if (!this.keyring) {\n this.logger.warn('Receipt signer not configured; returning unsigned receipt');\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n body: new TextEncoder().encode(\n JSON.stringify({\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n path: finalPath,\n }),\n ),\n };\n }\n\n const receiptData = {\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n };\n\n const receiptJson = JSON.stringify(receiptData);\n const receiptBody = new TextEncoder().encode(receiptJson);\n\n const SIG_PRESENT = 0x01;\n const responseFrame: AxisFrame = {\n flags: SIG_PRESENT,\n headers: new Map(),\n body: receiptBody,\n sig: new Uint8Array(0),\n };\n\n const signTarget = getSignTarget(responseFrame);\n const { sig, kid } = this.keyring.signActive(signTarget);\n responseFrame.sig = sig;\n\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n data: encodeFrame(responseFrame),\n headers: new Map([[1, new TextEncoder().encode(kid)]]),\n };\n }\n}\n","import * as fs from 'fs';\nimport * as path from 'path';\n\nimport { UploadFileStat, UploadFileStore } from './upload.types';\n\nexport interface DiskUploadFileStoreOptions {\n uploadDir: string;\n chunkDir: string;\n}\n\nexport class DiskUploadFileStore implements UploadFileStore {\n private readonly uploadDir: string;\n private readonly chunkDir: string;\n\n constructor(options: DiskUploadFileStoreOptions) {\n this.uploadDir = options.uploadDir;\n this.chunkDir = options.chunkDir;\n }\n\n getFinalPath(fileId: string, filename?: string): string {\n const safeFilename = filename ? path.basename(filename) : fileId;\n return path.join(this.uploadDir, safeFilename);\n }\n\n getTempPath(fileId: string): string {\n const safeId = path.basename(fileId);\n return path.join(this.chunkDir, safeId);\n }\n\n async statFinal(\n fileId: string,\n filename?: string,\n ): Promise<UploadFileStat> {\n const finalPath = this.getFinalPath(fileId, filename);\n if (!fs.existsSync(finalPath)) {\n throw new Error('FILE_MISSING_ON_DISK');\n }\n const stat = fs.statSync(finalPath);\n return { path: finalPath, size: stat.size };\n }\n\n async readFinalRange(\n fileId: string,\n filename: string \| undefined,\n start: number,\n length: number,\n ): Promise<Buffer> {\n const finalPath = this.getFinalPath(fileId, filename);\n const buffer = Buffer.alloc(length);\n const fd = fs.openSync(finalPath, 'r');\n try {\n fs.readSync(fd, buffer, 0, length, start);\n } finally {\n fs.closeSync(fd);\n }\n return buffer;\n }\n\n async hasTemp(fileId: string): Promise<boolean> {\n const tempPath = this.getTempPath(fileId);\n return fs.existsSync(tempPath);\n }\n\n async moveTempToFinal(\n fileId: string,\n filename?: string,\n ): Promise<string> {\n const tempPath = this.getTempPath(fileId);\n const finalPath = this.getFinalPath(fileId, filename);\n\n try {\n await fs.promises.rename(tempPath, finalPath);\n } catch {\n await fs.promises.copyFile(tempPath, finalPath);\n await fs.promises.unlink(tempPath);\n }\n\n return finalPath;\n }\n\n createTempReadStream(fileId: string): NodeJS.ReadableStream {\n const tempPath = this.getTempPath(fileId);\n return fs.createReadStream(tempPath);\n }\n}\n","import { createParamDecorator, ExecutionContext } from '@nestjs/common';\nimport { Request } from 'express';\nimport type { AxisDecoded } from '../engine/axis-decoded';\n\n/*\n Shape of the AXIS-specific data attached to the request by AxisSensorsMiddleware.\n /\nexport interface AxisRequestData {\n /* Raw binary frame body (full buffer after streaming) /\n raw: Buffer;\n /* Resolved client IP address /\n ip: string \| undefined;\n /* Pre-decode sensor context (risk score, metadata) /\n preDecodeInput: any;\n /* Total frame bytes received /\n frameBytesCount: number;\n}\n\n/\n Resolves the client IP from request headers, respecting common proxy headers.\n /\nfunction resolveIp(req: Request): string \| undefined {\n return (\n (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() \|\|\n (req.headers['x-real-ip'] as string) \|\|\n req.socket.remoteAddress \|\|\n undefined\n );\n}\n\n/\n @AxisRaw() — Extracts the raw binary Buffer from an AXIS request.\n \n Equivalent to NestJS `@Body()` but for the AXIS binary protocol.\n * The buffer has already passed streaming validation (magic bytes, size limits)\n * via AxisSensorsMiddleware before reaching the controller.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisRaw() raw: Buffer) {\n * return this.axis.process(raw, { ... });\n * }\n * ```\n /\nexport const AxisRaw = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): Buffer => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.body as Buffer;\n },\n);\n\n/\n @AxisIp() — Extracts the resolved client IP address.\n \n Checks `x-forwarded-for`, `x-real-ip`, and `socket.remoteAddress` in order.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisIp() ip: string \| undefined) { ... }\n * ```\n /\nexport const AxisIp = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return resolveIp(req);\n },\n);\n\n/\n @AxisContext() — Extracts the full AXIS request context.\n \n Returns the pre-decode sensor input and frame metadata attached by\n * AxisSensorsMiddleware. Useful when a controller needs risk scores or\n * other pre-decode metadata.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisContext() ctx: AxisRequestData) {\n * console.log(ctx.frameBytesCount, ctx.preDecodeInput.metadata.riskScore);\n * }\n * ```\n /\nexport const AxisContext = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisRequestData => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const axisData = (req as any).axis \|\| {};\n return {\n raw: req.body as Buffer,\n ip: resolveIp(req),\n preDecodeInput: axisData.preDecodeInput,\n frameBytesCount: axisData.frameBytesCount \|\| 0,\n };\n },\n);\n\n/\n @AxisDemoPubkey() — Extracts the demo public key header (development only).\n \n Returns `undefined` in non-development environments, blocking the header\n * at the decorator level.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisDemoPubkey() demoPubkeyHex: string \| undefined) { ... }\n * ```\n /\nexport const AxisDemoPubkey = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n if (process.env.NODE_ENV !== 'development') return undefined;\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.headers['x-demo-pubkey'] as string \| undefined;\n },\n);\n\n/\n @AxisFrame() — Extracts the decoded + validated AXIS frame from the request.\n \n Requires `AxisDecodeInterceptor` to be applied to the route/controller.\n * The interceptor calls `AxisService.decode()` and attaches the result to `req.axisDecoded`.\n \n Returns the full `AxisDecoded` object containing the decoded frame, packet,\n * AxisContext, sensor input, and correlation IDs.\n \n @example\n * ```typescript\n * @Post('v1/decoded')\n * @UseInterceptors(AxisDecodeInterceptor)\n * async handle(@AxisFrame() decoded: AxisDecoded) {\n * return this.axis.execute(decoded);\n * }\n * ```\n /\nexport const AxisFrame = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisDecoded => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const decoded = (req as any).axisDecoded as AxisDecoded \| undefined;\n if (!decoded) {\n throw new Error(\n '@AxisFrame() requires AxisDecodeInterceptor on the route. ' +\n 'Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator.',\n );\n }\n return decoded;\n },\n);\n","import { Injectable, Logger, OnApplicationBootstrap } from \"@nestjs/common\";\nimport { DiscoveryService, Reflector } from \"@nestjs/core\";\n\nimport {\n AxisObserverDefinition,\n OBSERVER_METADATA_KEY,\n} from \"../decorators/observer.decorator\";\nimport type { AxisIntentObserver } from \"./axis-observer.interface\";\nimport { ObserverRegistry } from \"./registry/observer.registry\";\n\n@Injectable()\nexport class ObserverDiscoveryService implements OnApplicationBootstrap {\n private readonly logger = new Logger(ObserverDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly reflector: Reflector,\n private readonly registry: ObserverRegistry,\n ) {}\n\n onApplicationBootstrap() {\n const providers = this.discovery.getProviders();\n let count = 0;\n\n for (const wrapper of providers) {\n const { instance } = wrapper;\n if (!instance \|\| !instance.constructor) continue;\n\n const meta = this.reflector.get<AxisObserverDefinition>(\n OBSERVER_METADATA_KEY,\n instance.constructor,\n );\n if (!meta) continue;\n\n const observer = instance as AxisIntentObserver;\n if (typeof observer.observe !== \"function\") {\n this.logger.warn(\n `@Observer on ${instance.constructor.name} is missing observe() and was skipped`,\n );\n continue;\n }\n\n this.registry.register(observer, meta);\n count++;\n }\n\n this.logger.log(`Auto-registered ${count} observers via @Observer()`);\n }\n}","import { Injectable, Logger, OnModuleInit } from \"@nestjs/common\";\nimport { DiscoveryService, MetadataScanner } from \"@nestjs/core\";\n\nimport { OBSERVER_BINDINGS_KEY, type AxisObserverBinding } from \"../decorators/observer.decorator\";\nimport { HANDLER_SENSORS_KEY } from \"../decorators/handler-sensors.decorator\";\nimport { HANDLER_METADATA_KEY } from \"../decorators/handler.decorator\";\nimport { INTENT_METADATA_KEY, INTENT_ROUTES_KEY, IntentRoute } from \"../decorators/intent.decorator\";\nimport { IntentRouter } from \"./intent.router\";\n\n/\n HandlerDiscoveryService\n \n Automatically discovers all `@Handler`-decorated classes at bootstrap\n * and registers their `@Intent`-decorated methods with the IntentRouter.\n \n This eliminates the need for every handler to inject IntentRouter and\n * manually call `router.register()` or `router.registerHandler()` in onModuleInit.\n \n Before (manual, per-handler boilerplate):\n * ```typescript\n * onModuleInit() {\n * this.router.register('axis.capsules.create', this.create.bind(this));\n * this.router.register('axis.capsules.list', this.findAll.bind(this));\n * // ... repeated for every intent in every handler\n * }\n * ```\n \n After (zero-config):\n * ```typescript\n * @Handler('axis.capsules')\n * export class AxisCapsulesHandler {\n * @Intent('axis.capsules.create', { absolute: true })\n * async create(body: Uint8Array) { ... }\n * }\n * // That's it — no onModuleInit, no router injection\n * ```\n /\n@Injectable()\nexport class HandlerDiscoveryService implements OnModuleInit {\n private readonly logger = new Logger(HandlerDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly scanner: MetadataScanner,\n private readonly router: IntentRouter,\n ) {}\n\n onModuleInit() {\n const providers = this.discovery.getProviders();\n let totalIntents = 0;\n\n for (const wrapper of providers) {\n const { instance, metatype } = wrapper;\n if (!instance \|\| !metatype) continue;\n\n // Check if the class has @Handler metadata\n const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);\n if (!handlerMeta) continue;\n\n const handlerName = handlerMeta.intent \|\| metatype.name;\n const prefix = handlerMeta.intent \|\| metatype.name;\n const proto = Object.getPrototypeOf(instance);\n const methods = this.scanner.getAllMethodNames(proto);\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, metatype) \|\| [];\n const routedMethods = new Set(routes.map((route) => String(route.methodName)));\n let registered = 0;\n\n // Read @HandlerSensors from the class (if any)\n const handlerSensors: Function[] =\n Reflect.getMetadata(HANDLER_SENSORS_KEY, metatype) \|\| [];\n const handlerObservers: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, metatype) \|\| [];\n\n for (const route of routes) {\n const intentName = route.absolute\n ? route.action\n : `${prefix}.${route.action}`;\n\n if (!this.router.has(intentName)) {\n this.router.register(intentName, (instance as any)[route.methodName].bind(instance));\n registered++;\n totalIntents++;\n }\n\n this.router.registerIntentMeta(\n intentName,\n proto,\n String(route.methodName),\n handlerSensors,\n handlerObservers,\n );\n }\n\n for (const methodName of methods) {\n if (routedMethods.has(methodName)) continue;\n\n const meta = Reflect.getMetadata(\n INTENT_METADATA_KEY,\n proto,\n methodName,\n );\n if (!meta?.intent) continue;\n\n const intentName = meta.absolute ? meta.intent : `${prefix}.${meta.intent}`;\n\n // Only auto-register if the router doesn't already have this intent\n // (allows manual registration in onModuleInit to take precedence)\n if (!this.router.has(intentName)) {\n this.router.register(\n intentName,\n (instance as any)[methodName].bind(instance),\n );\n registered++;\n totalIntents++;\n }\n\n // Always register metadata (@IntentBody, @IntentSensors) —\n // even for manually-registered intents\n this.router.registerIntentMeta(\n intentName,\n proto,\n methodName,\n handlerSensors,\n handlerObservers,\n );\n }\n\n if (registered > 0) {\n this.logger.log(\n `Auto-registered ${registered} intents from ${handlerName}`,\n );\n }\n }\n\n this.logger.log(\n `Handler discovery complete: ${totalIntents} intents auto-registered`,\n );\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport {\n AxisSensor,\n AxisPreSensor,\n AxisPostSensor,\n} from '../../sensor/axis-sensor';\n\n/\n AxisSensor Registry\n \n A central registry for all AXIS security sensors.\n * Sensors register themselves here during module initialization (onModuleInit).\n * The registry provides a list of sensors sorted by their execution priority (order).\n \n Supports phase-based filtering to separate pre-decode (middleware) from\n * post-decode (controller) sensors.\n \n PHASE SEPARATION:\n * - Pre-decode (order < 40): Run in middleware on raw bytes\n * - Post-decode (order >= 40): Run in controller on decoded frame\n \n @class SensorRegistry\n * @injectable\n /\n@Injectable()\nexport class SensorRegistry {\n private sensors: AxisSensor[] = [];\n private readonly logger = new Logger(SensorRegistry.name);\n\n constructor(private readonly configService: ConfigService) {}\n\n /\n Registers a new sensor in the registry.\n \n Validates that:\n * - AxisSensor has a unique name\n * - AxisSensor has an order field\n * - Pre-decode sensors have order < 40\n * - Post-decode sensors have order >= 40\n \n @param {AxisSensor} sensor - The sensor instance to register\n * @throws Error if validation fails\n /\n register(sensor: AxisSensor): void {\n // Validation\n if (!sensor.name) {\n throw new Error('AxisSensor must have a name');\n }\n\n // Check environment variables for filtering\n const enabledSensorsStr = this.configService.get<string>('ENABLED_SENSORS');\n const disabledSensorsStr =\n this.configService.get<string>('DISABLED_SENSORS');\n\n const enabledSensors = enabledSensorsStr\n ? enabledSensorsStr.split(',').map((s) => s.trim())\n : null;\n const disabledSensors = disabledSensorsStr\n ? disabledSensorsStr.split(',').map((s) => s.trim())\n : [];\n\n if (enabledSensors && !enabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (disabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (sensor.order === undefined) {\n throw new Error(`AxisSensor \"${sensor.name}\" must have an order field`);\n }\n\n // Check for phase consistency\n const isPreDecodeSensor = this.isPreDecodeSensor(sensor);\n const isPostDecodeSensor = this.isPostDecodeSensor(sensor);\n\n if (isPreDecodeSensor && sensor.order >= 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`,\n );\n }\n if (isPostDecodeSensor && sensor.order < 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`,\n );\n }\n\n this.sensors.push(sensor);\n const phaseLabel =\n typeof sensor.phase === 'string'\n ? sensor.phase\n : sensor.phase?.phase \|\| 'UNKNOWN';\n this.logger.debug(\n `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`,\n );\n }\n\n /\n Returns all registered sensors, sorted by their execution order.\n \n @returns {AxisSensor[]} A sorted array of sensors\n /\n list(): AxisSensor[] {\n return [...this.sensors].sort(\n (a, b) => (a.order ?? 999) - (b.order ?? 999),\n );\n }\n\n /\n Returns only pre-decode sensors (order < 40).\n * These sensors run in middleware on raw bytes before frame decoding.\n \n @returns {AxisPreSensor[]} Pre-decode sensors sorted by order\n /\n getPreDecodeSensors(): AxisPreSensor[] {\n return this.list().filter((s): s is AxisPreSensor => (s.order ?? 999) < 40);\n }\n\n /\n Returns only post-decode sensors (order >= 40).\n * These sensors run in the controller on fully decoded frames.\n \n @returns {AxisPostSensor[]} Post-decode sensors sorted by order\n /\n getPostDecodeSensors(): AxisPostSensor[] {\n return this.list().filter(\n (s): s is AxisPostSensor => (s.order ?? 999) >= 40,\n );\n }\n\n /\n Helper: Check if a sensor is a pre-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is pre-decode\n /\n private isPreDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'PRE_DECODE' \|\| (sensor.order ?? 999) < 40;\n }\n\n /\n Helper: Check if a sensor is a post-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is post-decode\n /\n private isPostDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'POST_DECODE' \|\| (sensor.order ?? 999) >= 40;\n }\n\n /\n Returns sensor count by phase.\n * Useful for diagnostics and monitoring.\n \n @returns {{preDecodeCount: number, postDecodeCount: number}}\n /\n getSensorCountByPhase(): { preDecodeCount: number; postDecodeCount: number } {\n return {\n preDecodeCount: this.getPreDecodeSensors().length,\n postDecodeCount: this.getPostDecodeSensors().length,\n };\n }\n\n /\n Clears all registered sensors.\n * Useful for testing.\n \n @internal\n /\n clear(): void {\n this.sensors = [];\n }\n}\n","import { Injectable, Logger, OnApplicationBootstrap } from '@nestjs/common';\nimport { DiscoveryService, Reflector } from '@nestjs/core';\n\nimport {\n SENSOR_METADATA_KEY,\n SensorOptions,\n} from '../decorators/sensor.decorator';\nimport { SensorRegistry } from './registry/sensor.registry';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { PRE_DECODE_BOUNDARY } from './sensor-bands';\n\n/\n Discovers all providers decorated with @Sensor() and registers them\n * in the SensorRegistry at application bootstrap.\n \n Runs after all onModuleInit() calls, so config-reading sensors\n * have their settings loaded before registration.\n /\n@Injectable()\nexport class SensorDiscoveryService implements OnApplicationBootstrap {\n private readonly logger = new Logger(SensorDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly reflector: Reflector,\n private readonly registry: SensorRegistry,\n ) {}\n\n onApplicationBootstrap() {\n const providers = this.discovery.getProviders();\n let count = 0;\n\n for (const wrapper of providers) {\n const { instance } = wrapper;\n if (!instance \|\| !instance.constructor) continue;\n\n const meta = this.reflector.get<SensorOptions \| true>(\n SENSOR_METADATA_KEY,\n instance.constructor,\n );\n if (!meta) continue;\n\n const sensor = instance as AxisSensor;\n\n if (!sensor.name \|\| sensor.order === undefined) {\n this.logger.warn(\n `@Sensor() on ${instance.constructor.name} missing name or order — skipped`,\n );\n continue;\n }\n\n // Phase priority: decorator option > instance property > auto-derive from order\n if (!sensor.phase) {\n const decoratorPhase = meta !== true ? meta.phase : undefined;\n (sensor as any).phase =\n decoratorPhase ??\n (sensor.order < PRE_DECODE_BOUNDARY ? 'PRE_DECODE' : 'POST_DECODE');\n }\n\n this.registry.register(sensor);\n count++;\n }\n\n this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);\n }\n}\n","import { randomBytes } from 'crypto';\n\n/ ─── Stage ─── /\n\nexport interface ObservationStage {\n name: string;\n status: 'ok' \| 'fail' \| 'skip';\n startMs: number;\n endMs?: number;\n durationMs?: number;\n reason?: string;\n code?: string;\n}\n\n/ ─── Sensor Record ─── /\n\nexport interface ObservationSensor {\n name: string;\n allowed: boolean;\n riskScore: number;\n durationMs: number;\n reasons: string[];\n code?: string;\n}\n\n/ ─── Observation (the execution witness) ─── /\n\nexport interface AxisObservation {\n /* Correlation ID (hex) /\n id: string;\n /* High-res start timestamp /\n startMs: number;\n /* Transport origin /\n transport: 'http' \| 'ws';\n /* Client IP /\n ip?: string;\n /* Resolved intent /\n intent?: string;\n /* Actor ID (hex) /\n actorId?: string;\n /* Capsule ID /\n capsuleId?: string;\n\n /* Pipeline stages with timing /\n stages: ObservationStage[];\n /* Individual sensor decisions /\n sensors: ObservationSensor[];\n\n /* Final decision /\n decision?: 'ALLOW' \| 'DENY';\n /* Machine-readable result code /\n resultCode?: string;\n /* HTTP status code /\n statusCode?: number;\n\n /* End timestamp /\n endMs?: number;\n /* Total duration /\n durationMs?: number;\n\n /* Extensible facts for downstream (receipt builder, audit, etc.) /\n facts: Record<string, unknown>;\n}\n\n/ ─── Factory ─── /\n\nexport function createObservation(\n transport: 'http' \| 'ws',\n ip?: string,\n): AxisObservation {\n return {\n id: randomBytes(16).toString('hex'),\n startMs: Date.now(),\n transport,\n ip,\n stages: [],\n sensors: [],\n facts: {},\n };\n}\n\n/ ─── Stage helpers ─── /\n\nexport function startStage(\n obs: AxisObservation,\n name: string,\n): ObservationStage {\n const stage: ObservationStage = { name, status: 'ok', startMs: Date.now() };\n obs.stages.push(stage);\n return stage;\n}\n\nexport function endStage(\n stage: ObservationStage,\n status: 'ok' \| 'fail' \| 'skip' = 'ok',\n reason?: string,\n code?: string,\n): void {\n stage.endMs = Date.now();\n stage.durationMs = stage.endMs - stage.startMs;\n stage.status = status;\n if (reason) stage.reason = reason;\n if (code) stage.code = code;\n}\n\n/ ─── Sensor recording (called by chain service) ─── /\n\nexport function recordSensor(\n obs: AxisObservation,\n name: string,\n allowed: boolean,\n riskScore: number,\n durationMs: number,\n reasons: string[],\n code?: string,\n): void {\n obs.sensors.push({ name, allowed, riskScore, durationMs, reasons, code });\n}\n\n/ ─── Finalize ─── /\n\nexport function finalizeObservation(\n obs: AxisObservation,\n decision: 'ALLOW' \| 'DENY',\n statusCode: number,\n resultCode?: string,\n): void {\n obs.endMs = Date.now();\n obs.durationMs = obs.endMs - obs.startMs;\n obs.decision = decision;\n obs.statusCode = statusCode;\n if (resultCode) obs.resultCode = resultCode;\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { SensorRegistry } from '../engine/registry/sensor.registry';\nimport {\n SensorDecision,\n SensorInput,\n normalizeSensorDecision,\n AxisSensor,\n} from '../sensor/axis-sensor';\nimport { recordSensor, AxisObservation } from '../engine/axis-observation';\n\nexport { SensorInput, SensorDecision }; // Re-export for convenience\n\n/\n The consolidated result of a sensor chain evaluation.\n \n @interface ChainResult\n /\nexport interface ChainResult {\n /* True if all compulsory sensors allowed the request /\n allowed: boolean;\n /* The total risk score delta accumulated across all sensors /\n scoreDelta: number;\n /* Suggested HTTP status code for the response /\n statusCode: number;\n /* Binary or text body describing the reason for denial or containing the response /\n body?: string \| Buffer \| Uint8Array;\n /* Optional headers (TLVs) to be returned to the client /\n headers?: Map<number, Uint8Array>;\n}\n\n/\n AxisSensorChain\n \n Orchestrates the execution of a series of security sensors against an AXIS request.\n * Sensors are retrieved from the SensorRegistry and executed in order.\n \n Decision Handling:\n * - `DENY`: Immediately stops execution and returns a failure result.\n * - `THROTTLE`: Immediately stops execution and requests client retry.\n * - `FLAG`: Accumulates a risk score delta and continues.\n * - `ALLOW`: Continues to the next sensor.\n \n @class AxisSensorChain\n * @injectable\n /\n@Injectable()\nexport class AxisSensorChainService {\n constructor(private readonly registry: SensorRegistry) {}\n\n /\n Evaluate all applicable sensors based on phase.\n /\n async evaluate(\n input: SensorInput,\n phase: 'PRE_DECODE' \| 'POST_DECODE' \| 'BOTH' = 'POST_DECODE',\n baseDecision?: SensorDecision,\n ): Promise<SensorDecision> {\n if (phase === 'PRE_DECODE') {\n return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);\n }\n\n if (phase === 'BOTH') {\n const rawPreResult = await this.evaluateSensors(\n this.registry.getPreDecodeSensors(),\n input,\n );\n const preResult = normalizeSensorDecision(rawPreResult);\n if (!preResult.allow) return rawPreResult;\n return this.evaluateSensors(\n this.registry.getPostDecodeSensors(),\n input,\n rawPreResult,\n );\n }\n\n // Default: POST_DECODE only\n return this.evaluateSensors(\n this.registry.getPostDecodeSensors(),\n input,\n baseDecision,\n );\n }\n\n /* Run only pre-decode sensors. /\n async evaluatePre(input: SensorInput): Promise<SensorDecision> {\n return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);\n }\n\n /* Run only post-decode sensors. /\n async evaluatePost(\n input: SensorInput,\n baseDecision?: SensorDecision,\n ): Promise<SensorDecision> {\n return this.evaluateSensors(\n this.registry.getPostDecodeSensors(),\n input,\n baseDecision,\n );\n }\n\n private async evaluateSensors(\n sensors: AxisSensor[],\n input: SensorInput,\n baseDecision?: SensorDecision,\n ): Promise<SensorDecision> {\n // Filter to relevant sensors\n const relevantSensors = sensors.filter(\n (s) => !s.supports \|\| s.supports(input),\n );\n\n // Normalize baseDecision if provided\n const normalizedBase = baseDecision\n ? normalizeSensorDecision(baseDecision)\n : undefined;\n\n let riskScore = normalizedBase?.riskScore ?? 0;\n const reasons: string[] = normalizedBase?.reasons\n ? [...normalizedBase.reasons]\n : [];\n const tags: Record<string, any> = normalizedBase?.tags\n ? { ...normalizedBase.tags }\n : {};\n let expSecondsMax = normalizedBase?.tighten?.expSecondsMax;\n let constraintsPatch: Record<string, any> = normalizedBase?.tighten\n ?.constraintsPatch\n ? { ...normalizedBase.tighten.constraintsPatch }\n : {};\n\n for (const sensor of relevantSensors) {\n try {\n const t0 = Date.now();\n const rawDecision = await sensor.run(input);\n const elapsed = Date.now() - t0;\n const decision = normalizeSensorDecision(rawDecision);\n\n // Record into observation if present\n const obs = input.metadata?.observation as AxisObservation \| undefined;\n if (obs) {\n recordSensor(\n obs,\n sensor.name,\n decision.allow,\n decision.riskScore,\n elapsed,\n decision.reasons,\n decision.allow ? undefined : (decision as any).code,\n );\n }\n\n // Hard block: any sensor can deny\n if (!decision.allow) {\n return {\n allow: false,\n riskScore: Math.min(100, riskScore + decision.riskScore),\n reasons: [...reasons, ...decision.reasons],\n tags,\n };\n }\n\n // Aggregate risk (cap at 100)\n riskScore = Math.min(100, riskScore + decision.riskScore);\n reasons.push(...decision.reasons);\n\n // Merge tags\n if (decision.tags) {\n Object.assign(tags, decision.tags);\n }\n\n // Tighten constraints (take most restrictive)\n if (decision.tighten?.expSecondsMax !== undefined) {\n expSecondsMax =\n expSecondsMax === undefined\n ? decision.tighten.expSecondsMax\n : Math.min(expSecondsMax, decision.tighten.expSecondsMax);\n }\n\n if (decision.tighten?.constraintsPatch) {\n constraintsPatch = {\n ...constraintsPatch,\n ...decision.tighten.constraintsPatch,\n };\n }\n } catch (error) {\n // Sensor failure = fail closed\n console.error(`[AXIS][SENSOR] ${sensor.name} failed:`, error);\n\n const obs = input.metadata?.observation as AxisObservation \| undefined;\n if (obs) {\n recordSensor(obs, sensor.name, false, 100, 0, [\n `sensor_error:${sensor.name}`,\n ]);\n }\n\n return {\n allow: false,\n riskScore: 100,\n reasons: [`sensor_error:${sensor.name}`],\n };\n }\n }\n\n const tightenPatch =\n Object.keys(constraintsPatch).length > 0 ? constraintsPatch : undefined;\n\n return {\n allow: true,\n riskScore,\n reasons,\n tags,\n tighten:\n expSecondsMax !== undefined \|\| tightenPatch\n ? {\n expSecondsMax,\n constraintsPatch: tightenPatch,\n }\n : undefined,\n };\n }\n}\n","import {\n buildTLVs,\n extractDtoSchema,\n} from '../index';\nimport type { IntentTlvField } from '../decorators/intent.decorator';\n\ntype AxisTlvDtoCtor<T = object> = new (...args: never[]) => T;\n\nexport function encodeAxisTlvDto<T extends object>(\n dtoClass: AxisTlvDtoCtor<T>,\n data: Partial<Record<keyof T, unknown>>,\n): Uint8Array {\n const schema = extractDtoSchema(dtoClass);\n const items = schema.fields.flatMap((field) => {\n const value = (data as Record<string, unknown>)[field.name];\n if (value === undefined \|\| value === null) {\n if (field.required) {\n throw new Error(`Missing required TLV response field: ${field.name}`);\n }\n return [];\n }\n\n return [{ type: field.tag, value: encodeField(field, value) }];\n });\n\n return buildTLVs(items);\n}\n\nfunction encodeField(field: IntentTlvField, value: unknown): Buffer {\n switch (field.kind) {\n case 'utf8':\n return Buffer.from(String(value), 'utf8');\n case 'u64':\n return encodeU64(value);\n case 'bytes':\n case 'bytes16':\n return toBuffer(value);\n case 'bool':\n return Buffer.from([value ? 1 : 0]);\n case 'obj':\n case 'arr':\n return Buffer.from(JSON.stringify(value), 'utf8');\n default:\n return toBuffer(value);\n }\n}\n\nfunction encodeU64(value: unknown): Buffer {\n const encoded = Buffer.alloc(8);\n encoded.writeBigUInt64BE(\n typeof value === 'bigint' ? value : BigInt(value as number \| string),\n );\n return encoded;\n}\n\nfunction toBuffer(value: unknown): Buffer {\n if (Buffer.isBuffer(value)) {\n return value;\n }\n if (value instanceof Uint8Array) {\n return Buffer.from(value);\n }\n if (typeof value === 'string') {\n return Buffer.from(value, 'utf8');\n }\n\n throw new Error(`Unsupported TLV bytes value: ${typeof value}`);\n}","/\n Loom Runtime - Lawful Execution Types\n \n Core type definitions for the Loom execution engine.\n * Loom replaces traditional auth with \"Lawful Execution\":\n * - Presence: Liveness proof (replaces login/sessions)\n * - Writ: Executable intent (replaces JWT)\n * - Grant: Standing permission (replaces RBAC)\n * - Receipt: Proof of execution (hash-chained)\n /\n\n// ============================================================================\n// Presence Types (Liveness State)\n// ============================================================================\n\nexport interface PresenceDeclaration {\n /* SoftID of the entity resuming presence (e.g., \"~ayesh#work\") /\n softid: string;\n /* Optional device metadata for scope binding /\n device_meta?: {\n fingerprint?: string;\n platform?: string;\n user_agent?: string;\n };\n}\n\nexport interface PresenceChallenge {\n /* Unique challenge identifier /\n challenge_id: string;\n /* High-entropy random nonce (32-byte hex) /\n nonce: string;\n /* Server's current Unix timestamp in milliseconds (temporal anchor) /\n temporal_anchor: number;\n /* Time-to-live for response in milliseconds (default 5000ms) /\n ttl_ms: number;\n /* Challenge expiry timestamp /\n expires_at: number;\n}\n\nexport interface PresenceProof {\n /* Challenge ID being answered /\n challenge_id: string;\n /* Ed25519 signature over canonical(nonce + temporal_anchor + device_meta) /\n signature: string;\n /* Public key corresponding to the SoftID /\n public_key: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface PresenceReceipt {\n /* Presence ID - hash of the completed handshake /\n presence_id: string;\n /* SoftID that established presence /\n softid: string;\n /* Anchor Reflection ID for logs (privacy-preserving) /\n anchor_reflection: string;\n /* Scope constraints for this presence /\n scope: {\n ip?: string;\n device_fingerprint?: string;\n };\n /* When presence was established (Unix timestamp ms) /\n issued_at: number;\n /* When presence expires (Unix timestamp ms) /\n expires_at: number;\n /* Last renewal timestamp (updated on successful Writ execution) /\n renewed_at?: number;\n}\n\nexport type PresenceStatus = 'active' \| 'expired' \| 'revoked';\n\n// ============================================================================\n// Writ Types (Executable Intent)\n// ============================================================================\n\nexport interface WritHead {\n /* Thread ID - derived from actor, groups related writs /\n tid: string;\n /* Sequence number within the thread /\n seq: number;\n}\n\nexport interface WritBody {\n /* SoftID of the actor (Anchor or Shadow) /\n who: string;\n /* Operation Execution Code (e.g., \"dns.write\", \"file.upload\") /\n act: string;\n /* Resource target (e.g., \"zone:example.com\", \"bucket:uploads\") /\n res: string;\n /* Grant reference - grant_id or \"self\" for sovereign actions /\n law: string;\n}\n\nexport interface WritMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Previous receipt hash (thread continuity) - empty string for first writ /\n prev: string;\n}\n\nexport interface WritSignature {\n /* Signature algorithm /\n alg: 'ed25519';\n /* Base64-encoded signature value /\n value: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface Writ {\n head: WritHead;\n body: WritBody;\n meta: WritMeta;\n sig: WritSignature;\n}\n\n// ============================================================================\n// Grant Types (Standing Permission / Law)\n// ============================================================================\n\nexport type GrantType = 'sovereign' \| 'delegated' \| 'system';\n\nexport interface GrantCapability {\n /* Operation Execution Code this grant allows /\n oec: string;\n /* Resource scope constraint (e.g., \"zone:.example.com\") /\n scope: string;\n /** Optional quantitative limits /\n limit?: {\n /* Rate limit (e.g., \"10/min\", \"100/day\") /\n rate?: string;\n /* Maximum amount/count /\n amount?: number;\n /* Depth constraint (e.g., \"subdomains_only\") /\n depth?: string;\n };\n}\n\nexport interface GrantMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Whether this grant can be revoked /\n revocable: boolean;\n /* Version number for updates /\n version: number;\n /* Optional Digital Fabric contract reference /\n contract_ref?: string;\n}\n\nexport interface Grant {\n /* Unique grant identifier /\n grant_id: string;\n /* SoftID of the authority who issued this grant /\n issuer: string;\n /* SoftID of the grantee /\n subject: string;\n /* Grant type /\n grant_type: GrantType;\n /* Array of capabilities this grant provides /\n caps: GrantCapability[];\n /* Grant metadata /\n meta: GrantMeta;\n /* Signature over the grant /\n sig: WritSignature;\n}\n\nexport type GrantStatus = 'active' \| 'revoked' \| 'expired';\n\n// ============================================================================\n// Receipt Types (Proof of Execution)\n// ============================================================================\n\nexport interface LoomReceipt {\n /* Receipt ID /\n receipt_id: string;\n /* Hash of the writ that was executed /\n writ_hash: string;\n /* Thread ID /\n thread_id: string;\n /* Sequence number /\n sequence: number;\n /* Execution effect (e.g., \"ALLOW\", \"DENY\") /\n effect: string;\n /* Current receipt hash (for chaining) /\n hash: string;\n /* Previous receipt hash /\n prev_hash: string \| null;\n /* Execution timestamp /\n executed_at: number;\n /* Additional metadata /\n metadata?: Record<string, unknown>;\n}\n\n// ============================================================================\n// Thread Types (Causal Continuity)\n// ============================================================================\n\nexport interface ThreadState {\n /* Thread ID /\n thread_id: string;\n /* SoftID that owns this thread /\n softid: string;\n /* Hash of the last receipt in this thread /\n last_receipt_hash: string;\n /* Current sequence number /\n sequence: number;\n /* Last update timestamp /\n updated_at: number;\n}\n\n// ============================================================================\n// Revocation Types (Null-Receipts)\n// ============================================================================\n\nexport type RevocationTargetType = 'grant' \| 'presence' \| 'softid';\n\nexport interface Revocation {\n /* Revocation ID /\n revocation_id: string;\n /* What type of entity is being revoked /\n target_type: RevocationTargetType;\n /* ID of the entity being revoked /\n target_id: string;\n /* SoftID of the issuer of this revocation /\n issuer_softid: string;\n /* Reason for revocation /\n reason?: string;\n /* When revocation takes effect (Unix timestamp) /\n effective_at: number;\n /* Signature over the revocation /\n sig_value: string;\n}\n\n// ============================================================================\n// Validation Result Types\n// ============================================================================\n\nexport interface LoomValidationResult {\n valid: boolean;\n error?: string;\n code?: string;\n}\n\nexport interface PresenceVerifyResult extends LoomValidationResult {\n presence?: PresenceReceipt;\n}\n\nexport interface WritValidationResult extends LoomValidationResult {\n writ?: Writ;\n gate_failed?: 'temporal' \| 'causal' \| 'legal' \| 'authentic';\n}\n\nexport interface GrantValidationResult extends LoomValidationResult {\n grant?: Grant;\n}\n\n// ============================================================================\n// TLV Constants (re-exported from core/constants.ts for convenience)\n// ============================================================================\n\nexport {\n TLV_LOOM_PRESENCE_ID as TLV_PRESENCE_ID,\n TLV_LOOM_WRIT as TLV_WRIT,\n TLV_LOOM_THREAD_HASH as TLV_THREAD_HASH,\n PROOF_LOOM,\n} from '../core/constants';\n\n// ============================================================================\n// Utility Functions\n// ============================================================================\n\n/\n Derive Anchor Reflection ID (ARID) for privacy-preserving logs.\n * ARID = hash(anchor_pubkey + context + scope)\n /\nexport function deriveAnchorReflection(\n softid: string,\n context: string = 'openlogs',\n scope: string = 'loom',\n): string {\n // Implementation will use crypto hash\n // Placeholder structure: ar:<context>:<scope>:<hash>\n return `ar:${context}:${scope}:${softid}`;\n}\n\n/\n Canonicalize a Writ for signing/verification.\n * Returns deterministic JSON string.\n /\nexport function canonicalizeWrit(writ: Omit<Writ, 'sig'>): string {\n const ordered = {\n head: { tid: writ.head.tid, seq: writ.head.seq },\n body: {\n who: writ.body.who,\n act: writ.body.act,\n res: writ.body.res,\n law: writ.body.law,\n },\n meta: { iat: writ.meta.iat, exp: writ.meta.exp, prev: writ.meta.prev },\n };\n return JSON.stringify(ordered);\n}\n\n/\n Canonicalize a Grant for signing/verification.\n /\nexport function canonicalizeGrant(grant: Omit<Grant, 'sig'>): string {\n const ordered = {\n grant_id: grant.grant_id,\n issuer: grant.issuer,\n subject: grant.subject,\n grant_type: grant.grant_type,\n caps: grant.caps,\n meta: grant.meta,\n };\n return JSON.stringify(ordered);\n}\n","/\n CCE Envelope Validation Sensor\n \n Band: WIRE (order: 5)\n * Phase: PRE_DECODE\n \n Step 1-2 from CCE verification order:\n * 1. Validate envelope schema\n * 2. Check protocol version\n \n Fast-fails malformed CCE requests before any crypto work.\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, CCE_NONCE_BYTES, CCE_PROTOCOL_VERSION, type CceRequestEnvelope } from \"../cce.types\";\n\nconst REQUIRED_FIELDS: (keyof CceRequestEnvelope)[] = [\n \"ver\",\n \"request_id\",\n \"correlation_id\",\n \"client_kid\",\n \"capsule\",\n \"encrypted_key\",\n \"encrypted_payload\",\n \"request_nonce\",\n \"client_sig\",\n \"content_type\",\n \"algorithms\",\n];\n\nexport class CceEnvelopeValidationSensor implements AxisSensor {\n readonly name = \"cce.envelope.validation\";\n readonly order = 5;\n readonly phase = \"PRE_DECODE\" as const;\n\n supports(input: SensorInput): boolean {\n // Only process CCE envelopes (detected by metadata flag or content type)\n return (\n input.metadata?.cce === true \|\|\n input.metadata?.contentType === \"application/axis-cce\"\n );\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.INVALID_ENVELOPE],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Check required fields\n for (const field of REQUIRED_FIELDS) {\n if (envelope[field] === undefined \|\| envelope[field] === null) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: missing ${field}`],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n }\n\n // Check protocol version\n if (envelope.ver !== CCE_PROTOCOL_VERSION) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.UNSUPPORTED_VERSION}: ${envelope.ver}`],\n code: CCE_ERROR.UNSUPPORTED_VERSION,\n };\n }\n\n // Validate request nonce format (must be hex, correct length)\n if (!/^[0-9a-f]+$/i.test(envelope.request_nonce)) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INVALID_ENVELOPE}: invalid request_nonce format`,\n ],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n if (envelope.request_nonce.length !== CCE_NONCE_BYTES 2) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: request_nonce wrong length`],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Validate capsule has required fields\n const capsule = envelope.capsule;\n if (\n !capsule.capsule_id \|\|\n !capsule.ver \|\|\n !capsule.sub \|\|\n !capsule.kid \|\|\n !capsule.intent \|\|\n !capsule.aud \|\|\n !capsule.issuer_sig\n ) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.MISSING_CAPSULE}: incomplete capsule claims`],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Validate encrypted key structure\n if (!envelope.encrypted_key.ciphertext \|\| !envelope.encrypted_key.alg) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.MISSING_ENCRYPTED_KEY}: incomplete encrypted_key`,\n ],\n code: CCE_ERROR.MISSING_ENCRYPTED_KEY,\n };\n }\n\n // Pass: store parsed envelope in metadata for downstream sensors\n input.metadata = input.metadata ?? {};\n input.metadata.cceEnvelopeValid = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/*\n CCE Client Signature Verification Sensor\n \n Band: IDENTITY (order: 45)\n * Phase: POST_DECODE\n \n Steps 4-5 from CCE verification order:\n * 4. Resolve client public key\n * 5. Verify client signature over canonical envelope\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceRequestEnvelope } from \"../cce.types\";\n\n/\n Key resolver interface — implementations can look up Redis, DB, or in-memory.\n /\nexport interface CceClientKeyResolver {\n resolve(kid: string): Promise<{ publicKeyHex: string; alg: string } \| null>;\n}\n\n/\n Signature verifier interface — pluggable for Ed25519, ES256, etc.\n /\nexport interface CceSignatureVerifier {\n verify(\n message: Uint8Array,\n signatureHex: string,\n publicKeyHex: string,\n alg: string,\n ): Promise<boolean>;\n}\n\nexport class CceClientSignatureSensor implements AxisSensor {\n readonly name = \"cce.client.signature\";\n readonly order = 45;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n private readonly keyResolver: CceClientKeyResolver,\n private readonly signatureVerifier: CceSignatureVerifier,\n ) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceEnvelopeValid === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const envelope = input.metadata?.cceEnvelope as CceRequestEnvelope;\n if (!envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.INVALID_ENVELOPE],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Step 4: Resolve client public key\n const keyRecord = await this.keyResolver.resolve(envelope.client_kid);\n if (!keyRecord) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.CLIENT_KEY_NOT_FOUND}: kid=${envelope.client_kid}`,\n ],\n code: CCE_ERROR.CLIENT_KEY_NOT_FOUND,\n };\n }\n\n // Step 5: Verify client signature\n // Canonical signing payload: everything except client_sig\n const { client_sig, ...signable } = envelope;\n const canonical = canonicalize(signable);\n const message = new TextEncoder().encode(canonical);\n\n const valid = await this.signatureVerifier.verify(\n message,\n client_sig.value,\n keyRecord.publicKeyHex,\n keyRecord.alg,\n );\n\n if (!valid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.CLIENT_SIG_INVALID],\n code: CCE_ERROR.CLIENT_SIG_INVALID,\n };\n }\n\n // Store resolved key for downstream\n input.metadata = input.metadata ?? {};\n input.metadata.cceClientKey = keyRecord;\n input.metadata.cceClientSigVerified = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: { kid: envelope.client_kid },\n };\n }\n}\n\n// Canonical JSON for deterministic signature verification\nfunction canonicalize(obj: unknown): string {\n if (Array.isArray(obj)) {\n return \"[\" + obj.map(canonicalize).join(\",\") + \"]\";\n }\n if (obj !== null && typeof obj === \"object\") {\n const sorted = Object.keys(obj as object)\n .sort()\n .map(\n (k) =>\n JSON.stringify(k) +\n \":\" +\n canonicalize((obj as Record<string, unknown>)[k]),\n );\n return \"{\" + sorted.join(\",\") + \"}\";\n }\n return JSON.stringify(obj);\n}\n","/\n CCE Capsule Verification Sensor\n \n Band: IDENTITY (order: 50)\n * Phase: POST_DECODE\n \n Step 6 from CCE verification order:\n * 6. Parse capsule, verify TickAuth signature, verify integrity\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, CCE_PROTOCOL_VERSION, type CceCapsuleClaims } from \"../cce.types\";\n\n/\n TickAuth issuer key resolver.\n /\nexport interface CceIssuerKeyResolver {\n resolve(kid: string): Promise<{ publicKeyHex: string } \| null>;\n}\n\n/\n Signature verifier for capsule issuer signatures.\n /\nexport interface CceCapsuleSignatureVerifier {\n verify(\n claims: Omit<CceCapsuleClaims, \"issuer_sig\">,\n signature: { alg: string; kid: string; value: string },\n publicKeyHex: string,\n ): Promise<boolean>;\n}\n\nexport class CceCapsuleVerificationSensor implements AxisSensor {\n readonly name = \"cce.capsule.verification\";\n readonly order = 50;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n private readonly issuerKeyResolver: CceIssuerKeyResolver,\n private readonly capsuleVerifier: CceCapsuleSignatureVerifier,\n ) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceEnvelopeValid === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceEnvelope?.capsule as\n \| CceCapsuleClaims\n \| undefined;\n\n if (!capsule) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Verify protocol version\n if (capsule.ver !== CCE_PROTOCOL_VERSION) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.CAPSULE_SIG_INVALID}: wrong version ${capsule.ver}`,\n ],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Verify content integrity (ID matches hash)\n const { capsule_id, issuer_sig, ...claimsBody } = capsule;\n const expectedId = computeCceCapsuleId(claimsBody);\n if (capsule_id !== expectedId) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: content hash mismatch`],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Resolve TickAuth issuer key\n const issuerKey = await this.issuerKeyResolver.resolve(\n capsule.issuer_sig.kid,\n );\n if (!issuerKey) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: issuer key not found`],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Verify issuer signature\n const { issuer_sig: sig, ...rest } = capsule;\n const sigValid = await this.capsuleVerifier.verify(\n rest,\n sig,\n issuerKey.publicKeyHex,\n );\n if (!sigValid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.CAPSULE_SIG_INVALID],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Check expiry\n const nowSeconds = Math.floor(Date.now() / 1000);\n if (capsule.exp < nowSeconds) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_EXPIRED}: exp=${capsule.exp}`],\n code: CCE_ERROR.CAPSULE_EXPIRED,\n };\n }\n\n // Check not-yet-valid (iat in future with tolerance)\n if (capsule.iat > nowSeconds + 5) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_NOT_YET_VALID}: iat=${capsule.iat}`],\n code: CCE_ERROR.CAPSULE_NOT_YET_VALID,\n };\n }\n\n // Store verified capsule for downstream\n input.metadata = input.metadata ?? {};\n input.metadata.cceCapsuleVerified = true;\n input.metadata.cceCapsule = capsule;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: { capsule_id: capsule.capsule_id },\n };\n }\n}\n\n// Content-addressed capsule ID computation\nimport { blake3 } from \"@noble/hashes/blake3.js\";\nimport { bytesToHex } from \"@noble/hashes/utils.js\";\n\nfunction canonicalize(obj: unknown): string {\n if (Array.isArray(obj)) {\n return \"[\" + obj.map(canonicalize).join(\",\") + \"]\";\n }\n if (obj !== null && typeof obj === \"object\") {\n const sorted = Object.keys(obj as object)\n .sort()\n .map(\n (k) =>\n JSON.stringify(k) +\n \":\" +\n canonicalize((obj as Record<string, unknown>)[k]),\n );\n return \"{\" + sorted.join(\",\") + \"}\";\n }\n return JSON.stringify(obj);\n}\n\nfunction computeCceCapsuleId(claims: Record<string, unknown>): string {\n const canonical = canonicalize(claims);\n const hash = blake3(new TextEncoder().encode(canonical));\n return \"cce_b3_\" + bytesToHex(hash).slice(0, 32);\n}\n","/\n CCE TPS Window Validation Sensor\n \n Band: POLICY (order: 92)\n * Phase: POST_DECODE\n \n Step 7 from CCE verification order:\n * 7. Verify TPS window is current (not expired, not future)\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceCapsuleClaims } from \"../cce.types\";\n\n/* Maximum acceptable clock skew in milliseconds /\nconst DEFAULT_SKEW_MS = 5000;\n\nexport class CceTpsWindowSensor implements AxisSensor {\n readonly name = \"cce.tps.window\";\n readonly order = 92;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(private readonly skewMs: number = DEFAULT_SKEW_MS) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceCapsuleVerified === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceCapsule as CceCapsuleClaims \| undefined;\n if (!capsule) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n const nowMs = Date.now();\n\n // Check if TPS window has expired (with skew tolerance)\n if (nowMs > capsule.tps_to + this.skewMs) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.TPS_WINDOW_EXPIRED}: window ended at ${capsule.tps_to}, now=${nowMs}`,\n ],\n code: CCE_ERROR.TPS_WINDOW_EXPIRED,\n };\n }\n\n // Check if TPS window is in the future (with skew tolerance)\n if (nowMs < capsule.tps_from - this.skewMs) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.TPS_WINDOW_FUTURE}: window starts at ${capsule.tps_from}, now=${nowMs}`,\n ],\n code: CCE_ERROR.TPS_WINDOW_FUTURE,\n };\n }\n\n input.metadata = input.metadata ?? {};\n input.metadata.cceTpsValid = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/\n CCE Audience & Intent Binding Sensor\n \n Band: POLICY (order: 95)\n * Phase: POST_DECODE\n \n Steps 8-9 from CCE verification order:\n * 8. Verify audience matches this AXIS instance\n * 9. Verify intent matches the capsule-bound intent\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceCapsuleClaims, type CceRequestEnvelope } from \"../cce.types\";\n\nexport class CceAudienceIntentBindingSensor implements AxisSensor {\n readonly name = \"cce.audience.intent.binding\";\n readonly order = 95;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n /* This AXIS instance's audience identifier /\n private readonly axisAudience: string,\n ) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceCapsuleVerified === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceCapsule as CceCapsuleClaims \| undefined;\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!capsule \|\| !envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Step 8: Verify audience\n if (capsule.aud !== this.axisAudience) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.AUDIENCE_MISMATCH}: capsule.aud=${capsule.aud}, expected=${this.axisAudience}`,\n ],\n code: CCE_ERROR.AUDIENCE_MISMATCH,\n };\n }\n\n // Step 9: Verify intent\n // The intent in the envelope should match the capsule-bound intent\n const requestIntent = input.intent ?? input.metadata?.cceRequestIntent;\n if (requestIntent && capsule.intent !== requestIntent) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INTENT_MISMATCH}: capsule.intent=${capsule.intent}, request=${requestIntent}`,\n ],\n code: CCE_ERROR.INTENT_MISMATCH,\n };\n }\n\n // Verify client_kid in envelope matches capsule kid\n if (envelope.client_kid !== capsule.kid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INTENT_MISMATCH}: envelope.kid=${envelope.client_kid}, capsule.kid=${capsule.kid}`,\n ],\n code: CCE_ERROR.INTENT_MISMATCH,\n };\n }\n\n input.metadata = input.metadata ?? {};\n input.metadata.cceBindingVerified = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/\n CCE Replay Protection Sensor\n \n Band: POLICY (order: 98)\n * Phase: POST_DECODE\n \n Steps 10-11 from CCE verification order:\n * 10. Verify capsule not replayed (capsule_id not consumed if SINGLE_USE)\n * 11. Verify request nonce uniqueness\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceCapsuleClaims, type CceRequestEnvelope } from \"../cce.types\";\n\n/\n Replay store interface — implementations can use Redis, in-memory, etc.\n * Must support O(1) lookups for performance in the hot path.\n /\nexport interface CceReplayStore {\n /\n Check and mark a nonce/id as used.\n * @returns true if this is the first time (valid), false if replay\n /\n checkAndMark(key: string, ttlMs: number): Promise<boolean>;\n\n /* Check if a capsule has been consumed /\n isCapsuleConsumed(capsuleId: string): Promise<boolean>;\n\n /* Mark a capsule as consumed /\n markCapsuleConsumed(capsuleId: string, ttlMs: number): Promise<void>;\n\n /* Check if a capsule has been revoked /\n isCapsuleRevoked(capsuleId: string): Promise<boolean>;\n}\n\n/\n In-memory replay store for development/testing.\n /\nexport class InMemoryCceReplayStore implements CceReplayStore {\n private nonces = new Map<string, number>();\n private consumed = new Set<string>();\n private revoked = new Set<string>();\n\n async checkAndMark(key: string, ttlMs: number): Promise<boolean> {\n this.cleanup();\n if (this.nonces.has(key)) return false;\n this.nonces.set(key, Date.now() + ttlMs);\n return true;\n }\n\n async isCapsuleConsumed(capsuleId: string): Promise<boolean> {\n return this.consumed.has(capsuleId);\n }\n\n async markCapsuleConsumed(capsuleId: string, _ttlMs: number): Promise<void> {\n this.consumed.add(capsuleId);\n }\n\n async isCapsuleRevoked(capsuleId: string): Promise<boolean> {\n return this.revoked.has(capsuleId);\n }\n\n /* Revoke a capsule (for testing/admin) /\n revoke(capsuleId: string): void {\n this.revoked.add(capsuleId);\n }\n\n private cleanup(): void {\n const now = Date.now();\n for (const [key, expiresAt] of this.nonces) {\n if (expiresAt < now) this.nonces.delete(key);\n }\n }\n}\n\nexport class CceReplayProtectionSensor implements AxisSensor {\n readonly name = \"cce.replay.protection\";\n readonly order = 98;\n readonly phase = \"POST_DECODE\" as const;\n\n /* Default nonce TTL: 5 minutes /\n private readonly nonceTtlMs: number;\n\n constructor(\n private readonly replayStore: CceReplayStore,\n options?: { nonceTtlMs?: number },\n ) {\n this.nonceTtlMs = options?.nonceTtlMs ?? 5 60 * 1000;\n }\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceCapsuleVerified === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceCapsule as CceCapsuleClaims \| undefined;\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!capsule \|\| !envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Check capsule revocation\n const revoked = await this.replayStore.isCapsuleRevoked(capsule.capsule_id);\n if (revoked) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_REVOKED}: ${capsule.capsule_id}`],\n code: CCE_ERROR.CAPSULE_REVOKED,\n };\n }\n\n // Check capsule consumption (SINGLE_USE mode)\n if (capsule.mode === \"SINGLE_USE\") {\n const consumed = await this.replayStore.isCapsuleConsumed(\n capsule.capsule_id,\n );\n if (consumed) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_CONSUMED}: ${capsule.capsule_id}`],\n code: CCE_ERROR.CAPSULE_CONSUMED,\n };\n }\n }\n\n // Check request nonce uniqueness\n // Namespace: sub + aud + intent to prevent cross-context collision\n const nonceKey = `cce:nonce:${capsule.sub}:${capsule.aud}:${capsule.intent}:${envelope.request_nonce}`;\n const nonceValid = await this.replayStore.checkAndMark(\n nonceKey,\n this.nonceTtlMs,\n );\n if (!nonceValid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.NONCE_REUSED}: ${envelope.request_nonce.slice(0, 16)}...`,\n ],\n code: CCE_ERROR.NONCE_REUSED,\n };\n }\n\n // Mark capsule consumed for SINGLE_USE\n if (capsule.mode === \"SINGLE_USE\") {\n const capsuleTtl = (capsule.exp - capsule.iat) * 1000 + 60_000; // TTL + 1 min buffer\n await this.replayStore.markCapsuleConsumed(\n capsule.capsule_id,\n capsuleTtl,\n );\n }\n\n input.metadata = input.metadata ?? {};\n input.metadata.cceReplayClean = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/*\n CCE Payload Decryption Sensor\n \n Band: CONTENT (order: 145)\n * Phase: POST_DECODE\n \n Steps 12-13 from CCE verification order:\n * 12. Decrypt transport key → decrypt payload\n * 13. Validate plaintext payload schema\n \n This sensor performs the actual cryptographic decryption of the request payload.\n * It unwraps the AES transport key using the AXIS private key, then decrypts\n * the payload with AES-256-GCM.\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceRequestEnvelope } from \"../cce.types\";\n\n/\n AXIS private key provider for decrypting the transport key.\n /\nexport interface CceAxisKeyProvider {\n /\n Decrypt a transport key using AXIS private key.\n * Supports X25519 (ECDH) and RSA-OAEP key unwrapping.\n /\n unwrapKey(\n encryptedKeyB64: string,\n algorithm: string,\n axisKid: string,\n ephemeralPkB64?: string,\n ): Promise<Uint8Array \| null>;\n}\n\n/\n AES-GCM decryption provider.\n /\nexport interface CceAesGcmProvider {\n /\n Decrypt ciphertext with AES-256-GCM.\n * @returns plaintext bytes, or null if AEAD tag verification failed\n /\n decrypt(\n key: Uint8Array,\n iv: Uint8Array,\n ciphertext: Uint8Array,\n tag: Uint8Array,\n aad?: Uint8Array,\n ): Promise<Uint8Array \| null>;\n}\n\nexport interface CcePayloadValidatorResult {\n ok: boolean;\n intent?: string;\n code?: string;\n reason?: string;\n}\n\n/\n Optional decrypted payload validator.\n * Use this hook to enforce intent-specific schema checks before handler execution.\n /\nexport interface CcePayloadValidator {\n validate(\n plaintext: Uint8Array,\n envelope: CceRequestEnvelope,\n ): Promise<CcePayloadValidatorResult>;\n}\n\nexport class CcePayloadDecryptionSensor implements AxisSensor {\n readonly name = \"cce.payload.decryption\";\n readonly order = 145;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n private readonly keyProvider: CceAxisKeyProvider,\n private readonly aesProvider: CceAesGcmProvider,\n private readonly maxPayloadBytes: number = 64 1024,\n private readonly payloadValidator?: CcePayloadValidator,\n ) {}\n\n supports(input: SensorInput): boolean {\n return (\n input.metadata?.cceEnvelopeValid === true &&\n input.metadata?.cceClientSigVerified === true &&\n input.metadata?.cceCapsuleVerified === true &&\n input.metadata?.cceReplayClean === true\n );\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.INVALID_ENVELOPE],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Step 11 (from spec): Decrypt transport key\n let aesKey: Uint8Array \| null;\n try {\n aesKey = await this.keyProvider.unwrapKey(\n envelope.encrypted_key.ciphertext,\n envelope.encrypted_key.alg,\n envelope.encrypted_key.axis_kid,\n envelope.encrypted_key.ephemeral_pk,\n );\n } catch {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],\n code: CCE_ERROR.KEY_UNWRAP_FAILED,\n };\n }\n\n if (!aesKey) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],\n code: CCE_ERROR.KEY_UNWRAP_FAILED,\n };\n }\n\n // Step 12: Decrypt payload with AES-GCM\n let iv: Uint8Array;\n let ciphertext: Uint8Array;\n let tag: Uint8Array;\n\n try {\n iv = base64UrlDecode(envelope.encrypted_payload.iv);\n ciphertext = base64UrlDecode(envelope.encrypted_payload.ciphertext);\n tag = base64UrlDecode(envelope.encrypted_payload.tag);\n } catch {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.DECRYPTION_FAILED}: invalid base64url encoding`],\n code: CCE_ERROR.DECRYPTION_FAILED,\n };\n }\n\n // Check payload size before decryption\n if (ciphertext.length > this.maxPayloadBytes) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.PAYLOAD_TOO_LARGE}: ${ciphertext.length} > ${this.maxPayloadBytes}`,\n ],\n code: CCE_ERROR.PAYLOAD_TOO_LARGE,\n };\n }\n\n // Build AAD from envelope metadata (binds ciphertext to context)\n const aad = buildAad(envelope);\n\n let plaintext: Uint8Array \| null;\n try {\n plaintext = await this.aesProvider.decrypt(\n aesKey,\n iv,\n ciphertext,\n tag,\n aad,\n );\n } catch {\n plaintext = null;\n } finally {\n // Clear AES key from memory (best effort)\n aesKey.fill(0);\n }\n\n if (!plaintext) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.AEAD_TAG_MISMATCH],\n code: CCE_ERROR.AEAD_TAG_MISMATCH,\n };\n }\n\n const capsule = input.metadata?.cceCapsule as\n \| { intent: string }\n \| undefined;\n\n // Built-in JSON intent binding check.\n if (capsule && isJsonContentType(envelope.content_type)) {\n const parsed = tryParseJsonObject(plaintext);\n if (parsed && typeof parsed.intent === \"string\") {\n if (parsed.intent !== capsule.intent) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INTENT_SCHEMA_MISMATCH}: payload.intent=${parsed.intent}, capsule.intent=${capsule.intent}`,\n ],\n code: CCE_ERROR.INTENT_SCHEMA_MISMATCH,\n };\n }\n input.metadata = input.metadata ?? {};\n input.metadata.cceRequestIntent = parsed.intent;\n }\n }\n\n if (this.payloadValidator) {\n const verdict = await this.payloadValidator.validate(plaintext, envelope);\n if (!verdict.ok) {\n const code = verdict.code ?? CCE_ERROR.PAYLOAD_SCHEMA_INVALID;\n return {\n allow: false,\n riskScore: 100,\n reasons: [verdict.reason ?? code],\n code,\n };\n }\n\n if (verdict.intent) {\n input.metadata = input.metadata ?? {};\n input.metadata.cceRequestIntent = verdict.intent;\n }\n }\n\n // Store decrypted payload for handler\n input.metadata = input.metadata ?? {};\n input.metadata.cceDecryptedPayload = plaintext;\n input.metadata.cceDecryptionOk = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n\n/*\n Build Additional Authenticated Data from envelope fields.\n * Binds the ciphertext to the request context and prevents\n * transplanting encrypted payloads between requests.\n /\nfunction buildAad(envelope: CceRequestEnvelope): Uint8Array {\n const parts = [\n envelope.ver,\n envelope.request_id,\n envelope.correlation_id,\n envelope.client_kid,\n envelope.capsule.capsule_id,\n envelope.capsule.intent,\n envelope.capsule.aud,\n envelope.request_nonce,\n ];\n return new TextEncoder().encode(parts.join(\"\|\"));\n}\n\nfunction isJsonContentType(contentType: string \| undefined): boolean {\n return (\n typeof contentType === \"string\" &&\n contentType.toLowerCase().includes(\"application/json\")\n );\n}\n\nfunction tryParseJsonObject(\n payload: Uint8Array,\n): Record<string, unknown> \| null {\n try {\n const parsed = JSON.parse(new TextDecoder().decode(payload));\n if (parsed && typeof parsed === \"object\" && !Array.isArray(parsed)) {\n return parsed as Record<string, unknown>;\n }\n return null;\n } catch {\n return null;\n }\n}\n\n/* Base64url decode /\nfunction base64UrlDecode(input: string): Uint8Array {\n const base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padding = \"=\".repeat((4 - (base64.length % 4)) % 4);\n return new Uint8Array(Buffer.from(base64 + padding, \"base64\"));\n}\n","/\n CCE Sensors — Index\n \n All CCE security sensors in execution order:\n \n 1. CceEnvelopeValidationSensor (order: 5, WIRE) — Schema + version check\n * 2. CceClientSignatureSensor (order: 45, IDENTITY) — Client key resolve + sig verify\n * 3. CceCapsuleVerificationSensor (order: 50, IDENTITY) — Capsule parse + TickAuth sig verify\n * 4. CceTpsWindowSensor (order: 92, POLICY) — TPS window validation\n * 5. CceAudienceIntentBindingSensor (order: 95, POLICY) — Audience + intent binding\n * 6. CceReplayProtectionSensor (order: 98, POLICY) — Replay + nonce check\n * 7. CcePayloadDecryptionSensor (order: 145, CONTENT) — Key unwrap + AES-GCM decrypt\n /\n\nexport { CceEnvelopeValidationSensor } from \"./cce-envelope-validation.sensor\";\n\nexport {\n CceClientSignatureSensor,\n type CceClientKeyResolver,\n type CceSignatureVerifier,\n} from \"./cce-client-signature.sensor\";\n\nexport {\n CceCapsuleVerificationSensor,\n type CceIssuerKeyResolver,\n type CceCapsuleSignatureVerifier,\n} from \"./cce-capsule-verification.sensor\";\n\nexport { CceTpsWindowSensor } from \"./cce-tps-window.sensor\";\n\nexport { CceAudienceIntentBindingSensor } from \"./cce-audience-intent-binding.sensor\";\n\nexport {\n CceReplayProtectionSensor,\n InMemoryCceReplayStore,\n type CceReplayStore,\n} from \"./cce-replay-protection.sensor\";\n\nexport {\n CcePayloadDecryptionSensor,\n type CceAxisKeyProvider,\n type CceAesGcmProvider,\n type CcePayloadValidator,\n type CcePayloadValidatorResult,\n} from \"./cce-payload-decryption.sensor\";\n","/\n CCE Module — Index\n \n Capsule-Carried Encryption for AXIS Protocol (Server SDK)\n \n Architecture:\n * - cce.types: Core types, error codes, envelope definitions\n * - cce-derivation: HKDF key derivation and execution context\n * - cce-crypto: AES-GCM encryption/decryption primitives\n * - cce-response: Response encryption and signing\n * - cce-witness: Witness/OpenLogs observer\n * - cce-pipeline: Full request/response orchestrator\n * - sensors/: 7 CCE security sensors for the verification chain\n /\n\n// Types and Constants\nexport {\n CCE_PROTOCOL_VERSION,\n CCE_DERIVATION,\n CCE_AES_KEY_BYTES,\n CCE_IV_BYTES,\n CCE_TAG_BYTES,\n CCE_NONCE_BYTES,\n CCE_ERROR,\n CceError,\n type CceAlgorithm,\n type CceKemAlgorithm,\n type CceKdfAlgorithm,\n type CceCapsuleClaims,\n type CceConstraints,\n type CceSignature,\n type CceRequestEnvelope,\n type CceResponseEnvelope,\n type CceResponseStatus,\n type CceEncryptedKey,\n type CceEncryptedPayload,\n type CceAlgorithmDescriptor,\n type CceExecutionContext,\n type CceWitnessRecord,\n type CceErrorCode,\n} from \"./cce.types\";\n\n// Key Derivation\nexport {\n deriveRequestExecutionKey,\n deriveResponseExecutionKey,\n deriveWitnessKey,\n buildExecutionContext,\n generateCceNonce,\n type CceDerivationInput,\n} from \"./cce-derivation.service\";\n\n// Crypto Primitives\nexport {\n aesGcmEncrypt,\n aesGcmDecrypt,\n generateAesKey,\n generateIv,\n base64UrlEncode,\n base64UrlDecode,\n hashPayload,\n nodeAesGcmProvider,\n} from \"./cce-crypto\";\n\n// Response Encryption\nexport {\n buildCceResponse,\n buildCceErrorResponse,\n type CceClientKeyEncryptor,\n type CceAxisSigner,\n type CceResponseOptions,\n} from \"./cce-response.service\";\n\n// Witness Observer\nexport {\n buildWitnessRecord,\n extractVerificationState,\n InMemoryCceWitnessStore,\n type CceWitnessStore,\n type CceVerificationState,\n} from \"./cce-witness.observer\";\n\n// Pipeline Orchestrator\nexport {\n executeCcePipeline,\n type CceHandler,\n type CceHandlerContext,\n type CceHandlerResult,\n type CcePolicyContext,\n type CcePolicyDecision,\n type CcePolicyEvaluator,\n type CcePipelineConfig,\n type CcePipelineResult,\n} from \"./cce-pipeline\";\n\n// Sensors\nexport {\n CceEnvelopeValidationSensor,\n CceClientSignatureSensor,\n CceCapsuleVerificationSensor,\n CceTpsWindowSensor,\n CceAudienceIntentBindingSensor,\n CceReplayProtectionSensor,\n CcePayloadDecryptionSensor,\n InMemoryCceReplayStore,\n type CceClientKeyResolver,\n type CceSignatureVerifier,\n type CceIssuerKeyResolver,\n type CceCapsuleSignatureVerifier,\n type CceReplayStore,\n type CceAxisKeyProvider,\n type CceAesGcmProvider,\n type CcePayloadValidator,\n type CcePayloadValidatorResult,\n} from \"./sensors\";\n","export from './constants';\nexport * from './varint';\nexport * from './tlv';\nexport * from './axis-bin';\nexport * from './signature';\nexport * from './axis-error';\n","/*\n AXIS Cryptographic Types\n * Ed25519 signature system for packets and capsules\n /\n\nexport type AxisAlg = 'EdDSA' \| 'ES256' \| 'RS256';\n\nexport type CapsuleStatus = 'ACTIVE' \| 'CONSUMED' \| 'REVOKED' \| 'EXPIRED';\nexport type CapsuleMode = 'SINGLE_USE' \| 'MULTI_USE';\n\nexport type KeyStatus = 'ACTIVE' \| 'GRACE' \| 'REVOKED' \| 'RETIRED';\n\n/\n Signature envelope for packets and capsules\n /\nexport interface AxisSig {\n alg: AxisAlg;\n kid: string; // Key identifier\n value: string; // base64url signature\n}\n\n/\n AXIS packet structure (client → server)\n /\nexport interface AxisPacket<T = any> {\n v: 1;\n pid: string; // Packet ID for tracing\n nonce: string; // Anti-replay nonce\n ts: number; // Unix timestamp (seconds)\n actorId: string; // Actor identifier\n opcode: string; // Operation code (e.g., CAPSULE.ISSUE, INTENT.EXEC)\n body: T; // Opcode-specific payload\n sig: AxisSig; // Actor signature over packet (excluding sig itself)\n}\n\n/\n Capsule constraints for execution context\n /\nexport interface AxisCapsuleConstraints {\n // Hard limits\n maxAmount?: number;\n maxCount?: number;\n ttlSeconds?: number;\n\n // Context locks\n ipCidrAllow?: string[]; // [\"1.2.3.0/24\"]\n countryAllow?: string[]; // [\"JO\", \"SA\"]\n deviceIdAllow?: string[]; // Device fingerprints\n sessionIdLock?: string; // Bind to specific session\n nonceRequired?: boolean; // Require per-execution nonce\n}\n\n/\n TickAuth time window for temporal binding\n /\nexport interface TickWindow {\n start: number; // Unix timestamp\n end: number; // Unix timestamp\n}\n\n/\n Capsule payload (what gets signed by issuer)\n /\nexport interface AxisCapsulePayload {\n v: 1;\n\n // Identity binding\n capsuleId: string; // ULID or UUID\n actorId: string; // Who this capsule belongs to\n issuer: string; // Who issued it\n audience: string; // Who may accept it\n subject?: string; // Optional target entity\n\n // Intent binding\n intent: string; // Single intent (e.g., \"PAYMENT_CREATE\")\n scopes: string[]; // Fine-grained resources [\"wallet:123\", \"merchant:77\"]\n actions?: string[]; // Optional action verbs [\"create\", \"approve\"]\n\n // Time/window\n iat: number; // Issued at (unix seconds)\n nbf?: number; // Not before (unix seconds)\n exp: number; // Expires at (unix seconds)\n tickWindow?: TickWindow; // Optional TickAuth temporal window\n\n // Usage control\n mode: CapsuleMode;\n maxUses: number; // 1 for SINGLE_USE\n nonceSeed?: string; // Optional server nonce seed\n\n // Policy linkage\n policyRefs?: string[]; // [\"policy:transfer:v3\", \"risk:geo:v1\"]\n riskScore?: number; // Risk snapshot at issuance\n\n // Constraints\n constraints?: AxisCapsuleConstraints;\n\n // Optional metadata (never trusted for auth decisions)\n meta?: Record<string, unknown>;\n}\n\n/\n Complete capsule (payload + issuer signature)\n /\nexport interface AxisCapsule {\n payload: AxisCapsulePayload;\n sig: AxisSig; // Issuer signature over canonical payload\n}\n\n/\n Capsule issuance request body (CAPSULE.ISSUE opcode)\n /\nexport interface CapsuleIssueBody {\n intent: string;\n audience: string;\n scopes: string[];\n subject?: string;\n mode: CapsuleMode;\n maxUses?: number;\n expSeconds?: number; // Server will clamp (e.g., 30-120)\n constraints?: AxisCapsuleConstraints;\n hints?: {\n // Optional client hints (not trusted)\n ip?: string;\n ua?: string;\n deviceId?: string;\n geo?: string;\n };\n}\n\n/\n Batch capsule issuance request (CAPSULE.BATCH opcode)\n /\nexport interface CapsuleBatchBody extends Omit<\n CapsuleIssueBody,\n 'mode' \| 'maxUses'\n> {\n count: number; // Number of capsules to issue\n mode: 'SINGLE_USE'; // Batch typically single-use\n}\n\n/\n Intent execution request (INTENT.EXEC opcode)\n /\nexport interface IntentExecBody {\n intent: string;\n capsule: AxisCapsule; // Attached capsule\n execNonce?: string; // Required if capsule.constraints.nonceRequired\n args: Record<string, any>; // Intent-specific arguments\n}\n\n/\n Capsule revocation request (CAPSULE.REVOKE opcode)\n /\nexport interface CapsuleRevokeBody {\n capsuleId: string;\n reason: string;\n}\n\n/\n AXIS response envelope\n /\nexport interface AxisResponse<T = any> {\n ok: boolean;\n pid: string; // Echoes request pid\n decisionId: string; // AXIS decision trace id\n code: string; // AXIS error/success code\n message?: string;\n data?: T;\n meta?: Record<string, unknown>;\n}\n\n/\n Capsule issuance result\n /\nexport interface CapsuleIssueResult {\n capsule: AxisCapsule;\n}\n\n/\n Batch capsule issuance result\n /\nexport interface CapsuleBatchResult {\n capsules: AxisCapsule[];\n}\n\n/\n Actor key record (from DB)\n /\nexport interface ActorKeyRecord {\n id: Buffer;\n actor_id: string;\n key_id: string;\n algorithm: string;\n public_key: Buffer;\n purpose: string;\n status: KeyStatus;\n is_primary: boolean;\n not_before: Date \| null;\n expires_at: Date \| null;\n rotated_from_key_id: string \| null;\n revoked_at: Date \| null;\n revocation_reason: string \| null;\n metadata: any;\n created_at: Date;\n updated_at: Date;\n}\n\n/\n Issuer key record (from DB)\n /\nexport interface IssuerKeyRecord {\n id: Buffer;\n kid: string;\n issuer_id: string;\n alg: string;\n public_key_pem: string;\n status: KeyStatus;\n not_before: Date \| null;\n not_after: Date \| null;\n fingerprint: string \| null;\n metadata: any;\n created_at: Date;\n updated_at: Date;\n}\n\n/\n Capsule record (from DB)\n /\nexport interface CapsuleRecord {\n id: Buffer;\n capsule_id: string;\n actor_id: string;\n intent: string;\n audience: string;\n issuer: string;\n subject: string \| null;\n status: CapsuleStatus;\n mode: CapsuleMode;\n max_uses: number;\n used_count: number;\n iat: Date;\n nbf: Date \| null;\n exp: Date;\n scopes_json: any;\n constraints_json: any;\n policy_refs_json: any;\n risk_score: number \| null;\n payload_hash: Buffer;\n sig_alg: string;\n sig_kid: string;\n sig_value: Buffer;\n created_at: Date;\n updated_at: Date;\n last_used_at: Date \| null;\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport as crypto from 'crypto';\nimport * as nacl from 'tweetnacl';\n\n/*\n Proof Verification Service\n \n Verifies proof types according to AXIS spec:\n * - CAPSULE (1): Capability token verification\n * - JWT (2): JSON Web Token verification\n * - MTLS_ID (3): mTLS client certificate verification\n * - DEVICE_SE (4): Device Secure Element signature verification\n \n Related: AXIS spec - Proof Types\n /\n\nexport type ProofType = 1 \| 2 \| 3 \| 4; // CAPSULE, JWT, MTLS_ID, DEVICE_SE\n\nexport interface ProofVerificationResult {\n valid: boolean;\n actorId?: string;\n error?: string;\n metadata?: Record<string, any>;\n}\n\nexport interface MTLSContext {\n clientCertPem?: string;\n clientCertFingerprint?: string;\n clientCertSubject?: string;\n clientCertIssuer?: string;\n verified?: boolean;\n}\n\nexport interface DeviceSEContext {\n deviceId: string;\n signature: Uint8Array;\n publicKey: Uint8Array;\n challenge?: Uint8Array;\n}\n\n@Injectable()\nexport class ProofVerificationService {\n private readonly logger = new Logger(ProofVerificationService.name);\n\n // Cache of registered device public keys (deviceId -> pubKey)\n private readonly deviceKeys = new Map<string, Uint8Array>();\n\n // Cache of trusted mTLS certificate fingerprints\n private readonly trustedCerts = new Map<\n string,\n { actorId: string; issuedAt: number }\n >();\n\n /\n Verifies an authentication proof based on its type.\n \n Supported Types:\n * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`\n * - 2 (JWT): Verified by `verifyJWTProof`\n * - 3 (MTLS_ID): Verified by `verifyMTLSProof`\n * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`\n \n @param {ProofType} proofType - The numeric AXIS proof type\n * @param {Uint8Array} proofRef - The binary reference or token for the proof\n * @param {Object} context - Additional metadata required for specific proof types\n * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)\n * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)\n * @param {MTLSContext} [context.mtls] - mTLS certificate data\n * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information\n * @returns {Promise<ProofVerificationResult>} The outcome of the verification\n /\n async verifyProof(\n proofType: ProofType,\n proofRef: Uint8Array,\n context: {\n signTarget?: Uint8Array;\n signature?: Uint8Array;\n mtls?: MTLSContext;\n deviceSE?: DeviceSEContext;\n },\n ): Promise<ProofVerificationResult> {\n switch (proofType) {\n case 1: // CAPSULE\n return this.verifyCapsuleProof(proofRef);\n case 2: // JWT\n return this.verifyJWTProof(proofRef);\n case 3: // MTLS_ID\n return this.verifyMTLSProof(context.mtls);\n case 4: // DEVICE_SE\n return this.verifyDeviceSEProof(\n context.signTarget,\n context.signature,\n context.deviceSE,\n );\n default:\n return { valid: false, error: `Unknown proof type: ${proofType}` };\n }\n }\n\n /\n Verify CAPSULE proof (delegated to CapsuleService)\n /\n private async verifyCapsuleProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n // Capsule verification is handled by CapsuleService\n // This is a pass-through that returns valid to signal capsule processing\n const capsuleId = new TextDecoder().decode(proofRef);\n return {\n valid: true,\n metadata: { capsuleId, requiresCapsuleValidation: true },\n };\n }\n\n /\n Verifies a JSON Web Token (JWT) proof.\n \n Validation Logic:\n * 1. Decodes the token string.\n * 2. Checks for valid 3-part JWT structure.\n * 3. Validates `exp` (expiration) and `nbf` (not before) claims.\n * 4. Extracts `actor_id` or `sub` as the identity.\n \n @param {Uint8Array} proofRef - Binary representation of the JWT string\n * @returns {Promise<ProofVerificationResult>} Result including the actor identifier\n /\n private async verifyJWTProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n try {\n const token = new TextDecoder().decode(proofRef);\n const parts = token.split('.');\n\n if (parts.length !== 3) {\n return { valid: false, error: 'Invalid JWT format' };\n }\n\n // Decode header and payload\n const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());\n const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());\n\n // Check expiration\n if (payload.exp && Date.now() / 1000 > payload.exp) {\n return { valid: false, error: 'JWT expired' };\n }\n\n // Check not before\n if (payload.nbf && Date.now() / 1000 < payload.nbf) {\n return { valid: false, error: 'JWT not yet valid' };\n }\n\n // For production: verify signature against known keys\n // For now, we trust the JWT if it has valid structure and timing\n return {\n valid: true,\n actorId: payload.sub \|\| payload.actor_id,\n metadata: { iss: payload.iss, scope: payload.scope },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return { valid: false, error: `JWT parse error: ${message}` };\n }\n }\n\n /\n Verify mTLS client certificate proof\n /\n private async verifyMTLSProof(\n mtls?: MTLSContext,\n ): Promise<ProofVerificationResult> {\n if (!mtls) {\n return { valid: false, error: 'No mTLS context provided' };\n }\n\n // Check if connection was verified by TLS layer\n if (!mtls.verified) {\n return { valid: false, error: 'mTLS not verified by TLS terminator' };\n }\n\n // Check certificate fingerprint against trusted list\n if (mtls.clientCertFingerprint) {\n const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);\n if (trusted) {\n return {\n valid: true,\n actorId: trusted.actorId,\n metadata: {\n fingerprint: mtls.clientCertFingerprint,\n subject: mtls.clientCertSubject,\n },\n };\n }\n }\n\n // Extract actor ID from certificate subject (CN field)\n if (mtls.clientCertSubject) {\n const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);\n if (cnMatch) {\n return {\n valid: true,\n actorId: cnMatch[1],\n metadata: {\n subject: mtls.clientCertSubject,\n issuer: mtls.clientCertIssuer,\n },\n };\n }\n }\n\n return { valid: false, error: 'Could not extract actor from certificate' };\n }\n\n /\n Verify Device Secure Element signature\n /\n private async verifyDeviceSEProof(\n signTarget?: Uint8Array,\n signature?: Uint8Array,\n deviceSE?: DeviceSEContext,\n ): Promise<ProofVerificationResult> {\n if (!deviceSE \|\| !signTarget \|\| !signature) {\n return { valid: false, error: 'Missing Device SE context' };\n }\n\n // Get registered public key for device\n let publicKey = deviceSE.publicKey;\n\n // If device is pre-registered, use registered key\n const registeredKey = this.deviceKeys.get(deviceSE.deviceId);\n if (registeredKey) {\n publicKey = registeredKey;\n }\n\n if (!publicKey \|\| publicKey.length !== 32) {\n return {\n valid: false,\n error: 'Invalid or unregistered device public key',\n };\n }\n\n // Verify Ed25519 signature\n try {\n const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);\n\n if (!valid) {\n return { valid: false, error: 'Device signature verification failed' };\n }\n\n return {\n valid: true,\n actorId: deviceSE.deviceId,\n metadata: { deviceId: deviceSE.deviceId, proofType: 'DEVICE_SE' },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return {\n valid: false,\n error: `Signature verification error: ${message}`,\n };\n }\n }\n\n /\n Registers a public key for a trusted device.\n * This key will be used for future `DEVICE_SE` proof verifications.\n \n @param {string} deviceId - Unique identifier for the device\n * @param {Uint8Array} publicKey - 32-byte Ed25519 public key\n * @throws {Error} If the public key is not 32 bytes\n /\n registerDeviceKey(deviceId: string, publicKey: Uint8Array): void {\n if (publicKey.length !== 32) {\n throw new Error('Device public key must be 32 bytes (Ed25519)');\n }\n this.deviceKeys.set(deviceId, publicKey);\n this.logger.log(`Registered device key for ${deviceId}`);\n }\n\n /\n Unregister a device\n /\n unregisterDevice(deviceId: string): boolean {\n return this.deviceKeys.delete(deviceId);\n }\n\n /\n Registers a trusted mTLS certificate fingerprint and associates it with an actor.\n \n @param {string} fingerprint - SHA-256 fingerprint of the client certificate\n * @param {string} actorId - The actor to associate with this certificate\n /\n registerMTLSCert(fingerprint: string, actorId: string): void {\n this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });\n this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);\n }\n\n /\n Revoke an mTLS certificate\n /\n revokeMTLSCert(fingerprint: string): boolean {\n return this.trustedCerts.delete(fingerprint);\n }\n\n /\n Calculate certificate fingerprint (SHA-256)\n /\n static calculateFingerprint(certPem: string): string {\n // Extract DER from PEM\n const der = Buffer.from(\n certPem\n .replace(/-----BEGIN CERTIFICATE-----/, '')\n .replace(/-----END CERTIFICATE-----/, '')\n .replace(/\\s/g, ''),\n 'base64',\n );\n return crypto.createHash('sha256').update(der).digest('hex');\n }\n}\n","export from './b64url';\nexport * from './canonical-json';\nexport * from './types';\nexport * from './proof-verification.service';\n","export * from \"./axis-request.decorator\";\nexport * from \"./capsule-policy.decorator\";\nexport * from \"./intent-policy.decorator\";\nexport * from \"./chain.decorator\";\nexport * from \"./dto-schema.util\";\nexport * from \"./handler.decorator\";\nexport * from \"./intent-body.decorator\";\nexport * from \"./intent-sensors.decorator\";\nexport * from \"./intent.decorator\";\nexport * from \"./observer.decorator\";\nexport * from \"./sensor.decorator\";\nexport * from \"./tlv-field.decorator\";\n","import type { Axis1DecodedFrame } from '../types/frame';\nimport type { AxisPacket as AxisBinaryPacket } from '../types/packet';\nimport type { AxisContext } from '../schemas/axis-schemas';\nimport type { SensorInput } from '../sensor/axis-sensor';\nimport type { AxisObservation } from './axis-observation';\n\nexport interface AxisDecoded {\n frame: Axis1DecodedFrame;\n packet: AxisBinaryPacket;\n axisCtx: AxisContext;\n correlationId: Buffer;\n correlationIdHex: string;\n sensorInput: SensorInput;\n extra: { ip?: string; demoPubkeyHex?: string };\n observation: AxisObservation;\n}\n","export type AxisExecutionMode = 'strict' \| 'parallel' \| 'best_effort' \| 'atomic';\n\nexport type AxisObserverEvent =\n \| 'intent.received'\n \| 'intent.completed'\n \| 'intent.failed'\n \| 'chain.received'\n \| 'chain.admitted'\n \| 'chain.completed'\n \| 'chain.failed'\n \| 'chain.partial'\n \| 'step.started'\n \| 'step.completed'\n \| 'step.failed'\n \| 'step.blocked'\n \| 'step.skipped'\n \| 'signature.verified'\n \| 'decryption.succeeded'\n \| 'sensor.passed'\n \| 'sensor.failed'\n \| 'handler.completed'\n \| 'proof.recorded';\n\nexport interface AxisCapsuleRef {\n capsuleId?: string;\n scope?: string \| string[];\n scopeMode?: 'chain' \| 'step' \| 'chain+step';\n proofRequired?: boolean;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisKeyExchangeRef {\n profile?: string;\n sessionId?: string;\n clientKid?: string;\n serverKid?: string;\n algorithm?: string;\n derivedKeyRef?: string;\n required?: boolean;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisIntentEnvelope<TPayload = unknown> {\n intent: string;\n handler?: string;\n payload: TPayload;\n capsule?: AxisCapsuleRef;\n keyExchange?: AxisKeyExchangeRef;\n observerTags?: string[];\n proofRequired?: boolean;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisChainStep<TInput = unknown> {\n stepId: string;\n intent: string;\n handler?: string;\n input?: TInput;\n dependsOn?: string[];\n onSuccess?: string[];\n onFailure?: string[];\n capsuleScope?: string \| string[];\n observerTags?: string[];\n proofRequired?: boolean;\n keyExchange?: AxisKeyExchangeRef;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisChainEncryption {\n enabled?: boolean;\n profile?: string;\n keyExchange?: AxisKeyExchangeRef;\n}\n\nexport interface AxisChainEnvelope<TInput = unknown> {\n chainId: string;\n subject?: string;\n issuer?: string;\n issuedAtTps?: string \| number;\n expiresAtTps?: string \| number;\n mode: AxisExecutionMode;\n signature?: string;\n encryption?: AxisChainEncryption;\n capsule?: AxisCapsuleRef;\n keyExchange?: AxisKeyExchangeRef;\n observerTags?: string[];\n dynamic?: boolean;\n metadata?: Record<string, unknown>;\n steps: Array<AxisChainStep<TInput>>;\n}\n\nexport interface AxisChainRequest<\n TInput = unknown,\n TCapsule = Record<string, unknown>,\n> {\n envelope: AxisChainEnvelope<TInput>;\n capsule?: TCapsule;\n actorId?: string;\n}\n\nexport type AxisChainStepStatus =\n \| 'SUCCEEDED'\n \| 'FAILED'\n \| 'BLOCKED'\n \| 'SKIPPED';\n\nexport interface AxisChainStepResult<TOutput = unknown> {\n stepId: string;\n intent: string;\n status: AxisChainStepStatus;\n effect?: string;\n output?: TOutput;\n error?: string;\n dependsOn?: string[];\n startedAt: number;\n finishedAt: number;\n proofHash?: string;\n observerTags?: string[];\n metadata?: Record<string, unknown>;\n}\n\nexport type AxisChainStatus = 'SUCCEEDED' \| 'FAILED' \| 'PARTIAL';\n\nexport interface AxisChainResult<TOutput = unknown> {\n chainId: string;\n mode: AxisExecutionMode;\n status: AxisChainStatus;\n completedSteps: number;\n failedSteps: number;\n blockedSteps: number;\n skippedSteps: number;\n startedAt: number;\n finishedAt: number;\n results: Array<AxisChainStepResult<TOutput>>;\n rollback?: {\n supported: boolean;\n attempted: boolean;\n reason?: string;\n };\n metadata?: Record<string, unknown>;\n}\n\nexport interface ChainOptions {\n mode?: AxisExecutionMode;\n allowPartial?: boolean;\n dynamic?: boolean;\n proofRequired?: boolean;\n capsuleScope?: string \| string[];\n observerTags?: string[];\n keyExchangeRequired?: boolean;\n}\n\nexport interface RegisteredChainConfig extends ChainOptions {\n enabled: boolean;\n}","import type { AxisFrame } from \"../core/axis-bin\";\nimport type {\n AxisCapsuleRef,\n AxisChainEnvelope,\n AxisChainResult,\n AxisChainStep,\n AxisChainStepResult,\n AxisKeyExchangeRef,\n AxisObserverEvent,\n} from \"./axis-chain.types\";\nimport type { AxisEffect } from \"./intent.router\";\n\nexport interface AxisObserverContext {\n event: AxisObserverEvent;\n timestamp: number;\n intent?: string;\n chainId?: string;\n stepId?: string;\n handler?: string;\n frame?: AxisFrame;\n envelope?: AxisChainEnvelope;\n step?: AxisChainStep;\n effect?: AxisEffect;\n result?: AxisChainStepResult \| AxisChainResult;\n error?: string;\n observerTags?: string[];\n capsule?: AxisCapsuleRef;\n keyExchange?: AxisKeyExchangeRef;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisIntentObserver {\n readonly name: string;\n supports?(context: AxisObserverContext): boolean;\n observe(context: AxisObserverContext): Promise<void> \| void;\n}\n\nexport interface AxisObserverRegistration {\n name: string;\n instance: AxisIntentObserver;\n tags: string[];\n events?: AxisObserverEvent[];\n intents?: string[];\n handlers?: string[];\n}","import { AxisObservation } from '../axis-observation';\n\nexport interface ObservationQueueMessage {\n v: 1;\n observation: AxisObservation;\n attempts: number;\n firstEnqueuedAt: number;\n lastEnqueuedAt: number;\n sourceNodeId: string;\n lastError?: string;\n}\n\nexport interface ObservationQueueConfig {\n enabled: boolean;\n workerEnabled: boolean;\n streamKey: string;\n deadLetterStreamKey: string;\n groupName: string;\n consumerName: string;\n readBlockMs: number;\n readBatchSize: number;\n reclaimIdleMs: number;\n reclaimBatchSize: number;\n maxRetries: number;\n maxStreamLength: number;\n workerConcurrency: number;\n}\n","export * from './stable-json';\nexport * from './observation-queue.types';\nexport * from './observation-queue.codec';\nexport * from './observation-hash';\nexport * from './response-observer';\n","export * from './axis-decoded';\nexport * from './axis-chain.executor';\nexport * from './axis-chain.types';\nexport * from './axis-execution-context';\nexport * from './axis-observation';\nexport * from './axis-observer.interface';\nexport * from './handler-discovery.service';\nexport * from './intent.router';\nexport * from './observation';\nexport * from './observer-discovery.service';\nexport * from './observer-dispatcher.service';\nexport * from './sensor-bands';\nexport * from './sensor-discovery.service';\nexport * from './registry/observer.registry';\nexport * from './registry/sensor.registry';\nexport * as observation from './observation';\n","export * from './loom.types';\n","import * as z from 'zod';\nimport { AxisFrameZ } from '../core/axis-bin';\n\n/*\n AXIS Sensor Input/Output Validation Schemas\n \n Centralized Zod schemas for all sensor input validation.\n * Ensures type-safe, runtime-validated data across the entire sensor chain.\n \n Usage:\n * const input = CountryBlockSensorInputZ.parse(data);\n * const input = CountryBlockSensorInputZ.safeParse(data);\n /\n\n// ============================================================================\n// COMMON TYPES & UTILITIES\n// ============================================================================\n\n/\n Sensor decision outcomes (Zod version for schema composition)\n /\nexport const SensorDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n meta: z.any().optional(),\n }),\n]);\n\nexport const SensorDecisionWithMetadataZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n retryAfterMs: z.number().int().positive().optional(),\n meta: z.any().optional(),\n }),\n]);\n\n// ============================================================================\n// COUNTRY BLOCK SENSOR\n// ============================================================================\n\nexport const CountryBlockSensorInputZ = z.object({\n ip: z.string().min(1),\n country: z.string().length(2).toUpperCase().optional(),\n});\nexport type CountryBlockSensorInput = z.infer<typeof CountryBlockSensorInputZ>;\n\nexport const CountryBlockDecisionZ = SensorDecisionZ;\nexport type CountryBlockDecision = z.infer<typeof CountryBlockDecisionZ>;\n\n// ============================================================================\n// SCAN BURST SENSOR\n// ============================================================================\n\nexport const ScanBurstSensorInputZ = z.object({\n ip: z.string().min(1),\n isFailure: z.boolean().optional(),\n});\nexport type ScanBurstSensorInput = z.infer<typeof ScanBurstSensorInputZ>;\n\nexport const ScanBurstDecisionZ = SensorDecisionWithMetadataZ;\nexport type ScanBurstDecision = z.infer<typeof ScanBurstDecisionZ>;\n\n// ============================================================================\n// PROOF PRESENCE SENSOR\n// ============================================================================\n\nexport const ProofKindZ = z.enum([\n 'NONE',\n 'CAPSULE',\n 'PASSPORT',\n 'MTLS',\n 'JWT',\n]);\nexport type ProofKind = z.infer<typeof ProofKindZ>;\n\nexport const AccessProfileZ = z.enum(['PUBLIC', 'PARTNER', 'INTERNAL', 'NODE']);\nexport type AccessProfile = z.infer<typeof AccessProfileZ>;\n\nexport const ProofPresenceInputZ = z.object({\n profile: AccessProfileZ,\n visibility: z.enum(['PUBLIC', 'GUARDED']),\n requiredProof: z.array(ProofKindZ).min(1),\n hasCapsule: z.boolean(),\n hasPassportSignature: z.boolean(),\n intent: z.string().min(1),\n});\nexport type ProofPresenceInput = z.infer<typeof ProofPresenceInputZ>;\n\n// ============================================================================\n// INTENT POLICY SENSOR\n// ============================================================================\n\nexport const SensitivityLevelZ = z.enum(['LOW', 'MEDIUM', 'HIGH', 'CRITICAL']);\nexport type SensitivityLevel = z.infer<typeof SensitivityLevelZ>;\n\nexport const IntentPolicyZ = z.object({\n intent: z.string().min(1),\n sensitivity: SensitivityLevelZ,\n maxFrameBytes: z.number().int().positive(),\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n maxSigBytes: z.number().int().positive().optional(),\n rateLimitPerMinute: z.number().int().positive().optional(),\n rateLimitPerHour: z.number().int().positive().optional(),\n requiresSignature: z.boolean(),\n requiresCapsule: z.boolean(),\n timeoutMs: z.number().int().positive(),\n});\nexport type IntentPolicy = z.infer<typeof IntentPolicyZ>;\n\nexport const IntentPolicySensorInputZ = z.object({\n frame: AxisFrameZ,\n intent: z.string().min(1),\n rawFrameSize: z.number().int().positive(),\n});\nexport type IntentPolicySensorInput = z.infer<typeof IntentPolicySensorInputZ>;\n\nexport const IntentPolicyDecisionZ = z.union([\n z.object({\n action: z.literal('ALLOW'),\n policy: IntentPolicyZ,\n }),\n z.object({\n action: z.literal('DENY'),\n reason: z.string(),\n }),\n]);\nexport type IntentPolicyDecision = z.infer<typeof IntentPolicyDecisionZ>;\n\n// ============================================================================\n// CAPSULE VERIFY SENSOR\n// ============================================================================\n\nexport const CapsuleClaimsZ = z.object({\n capsuleId: z.string().min(8),\n allowIntents: z.array(z.string()).min(1),\n limits: z\n .object({\n maxBodyBytes: z.number().int().positive().optional(),\n })\n .optional(),\n scopes: z.record(z.string(), z.any()).optional(),\n});\nexport type CapsuleClaims = z.infer<typeof CapsuleClaimsZ>;\n\nexport const CapsuleZ = z.object({\n id: z.string(),\n claims: CapsuleClaimsZ,\n issuedAt: z.number().int(),\n expiresAt: z.number().int(),\n tier: z.enum(['FREE', 'STANDARD', 'PREMIUM']),\n});\nexport type Capsule = z.infer<typeof CapsuleZ>;\n\nexport const CapsuleValidationResultZ = z.object({\n valid: z.boolean(),\n capsule: CapsuleZ.optional(),\n reason: z.string().optional(),\n requiresStepUp: z.boolean().optional(),\n});\nexport type CapsuleValidationResult = z.infer<typeof CapsuleValidationResultZ>;\n\nexport const CapsuleVerifySensorInputZ = z.object({\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n intent: z.string().min(1),\n ctx: z.any(), // AxisContext - avoid circular dependency\n});\nexport type CapsuleVerifySensorInput = z.infer<\n typeof CapsuleVerifySensorInputZ\n>;\n\nexport const CapsuleVerifyResultZ = z.object({\n ok: z.literal(true),\n capsule: CapsuleZ,\n});\nexport type CapsuleVerifyResult = z.infer<typeof CapsuleVerifyResultZ>;\n\n// ============================================================================\n// RATE LIMIT SENSOR\n// ============================================================================\n\nexport const RateLimitProfileZ = z.enum([\n 'PUBLIC',\n 'PARTNER',\n 'INTERNAL',\n 'NODE',\n]);\nexport type RateLimitProfile = z.infer<typeof RateLimitProfileZ>;\n\nexport const RateLimitInputZ = z.object({\n ip: z.string().min(1),\n userAgent: z.string().optional(),\n actorId: z.string().optional(),\n capsuleId: z.string().optional(),\n intent: z.string().min(1),\n profile: RateLimitProfileZ,\n});\nexport type RateLimitInput = z.infer<typeof RateLimitInputZ>;\n\nexport const RateLimitConfigZ = z.object({\n windowSec: z.number().int().positive(),\n max: z.number().int().positive(),\n key: z.enum(['ip_fingerprint', 'actor_capsule']),\n});\nexport type RateLimitConfig = z.infer<typeof RateLimitConfigZ>;\n\nexport const SensorResultZ = z.object({\n ok: z.literal(true),\n});\nexport type SensorResult = z.infer<typeof SensorResultZ>;\n\n// ============================================================================\n// SIGNATURE VERIFICATION SENSOR (Detailed)\n// ============================================================================\n\nexport const PassportZ = z.object({\n id: z.string(),\n public_key: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n status: z.enum(['ACTIVE', 'REVOKED', 'EXPIRED', 'PENDING']),\n issuedAt: z.number().int(),\n expiresAt: z.number().int().optional(),\n});\nexport const ExecutionMetricsZ = z.object({\n dbWrites: z.number().int(),\n dbReads: z.number().int(),\n externalCalls: z.number().int(),\n elapsedMs: z.number().int().optional(),\n});\n\nexport type Passport = z.infer<typeof PassportZ>;\n\n// ============================================================================\n// GENERAL SENSOR CHAIN INPUT\n// ============================================================================\n\nexport const SensorChainInputZ = z.object({\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n});\nexport type SensorChainInput = z.infer<typeof SensorChainInputZ>;\n\n// ============================================================================\n// ENTROPY SENSOR\n// ============================================================================\n\nexport const EntropySensorInputZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n ip: z.string().min(1),\n});\nexport type EntropySensorInput = z.infer<typeof EntropySensorInputZ>;\n\n// ============================================================================\n// PROTOCOL STRICT SENSOR\n// ============================================================================\n\nexport const ProtocolStrictInputZ = z.object({\n rawBytes: z\n .union([z.custom<Buffer>((v) => Buffer.isBuffer(v)), z.instanceof(Uint8Array)])\n .optional(),\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n contentType: z.string().optional(),\n});\nexport type ProtocolStrictInput = z.infer<typeof ProtocolStrictInputZ>;\n\n// ============================================================================\n// SCHEMA VALIDATION SENSOR\n// ============================================================================\n\nexport const SchemaFieldKindZ = z.enum([\n 'utf8',\n 'u64',\n 'bytes',\n 'bytes16',\n 'bool',\n 'obj',\n 'arr',\n]);\nexport type SchemaFieldKind = z.infer<typeof SchemaFieldKindZ>;\n\nexport const ScopeZ = z.enum(['header', 'body']);\nexport type Scope = z.infer<typeof ScopeZ>;\n\nexport const SchemaFieldZ = z.object({\n name: z.string().min(1),\n tlv: z.number().int().positive(),\n kind: SchemaFieldKindZ,\n required: z.boolean().optional(),\n maxLen: z.number().int().positive().optional(),\n max: z.string().optional(),\n scope: ScopeZ.optional(),\n});\nexport type SchemaField = z.infer<typeof SchemaFieldZ>;\n\nexport const BodyProfileZ = z.enum(['TLV_MAP', 'RAW', 'TLV_OBJ', 'TLV_ARR']);\nexport type BodyProfile = z.infer<typeof BodyProfileZ>;\n\nexport const IntentSchemaZ = z.object({\n intent: z.string().min(1),\n version: z.number().int().positive(),\n bodyProfile: BodyProfileZ,\n fields: z.array(SchemaFieldZ).min(1),\n});\nexport type IntentSchema = z.infer<typeof IntentSchemaZ>;\n\n// ============================================================================\n// WEBSOCKET HANDSHAKE SENSOR\n// ============================================================================\n\nexport const WsHandshakeInputZ = z.object({\n clientId: z.string().min(1),\n isWs: z.boolean(),\n ip: z.string().min(1),\n});\nexport type WsHandshakeInput = z.infer<typeof WsHandshakeInputZ>;\n\nexport const WsHandshakeDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW') }),\n z.object({ action: z.literal('DENY'), code: z.string() }),\n]);\nexport type WsHandshakeDecision = z.infer<typeof WsHandshakeDecisionZ>;\n\n// ============================================================================\n// IP REPUTATION SENSOR\n// ============================================================================\n\nexport const IPReputationInputZ = z.object({\n ip: z.string().min(1),\n});\nexport type IPReputationInput = z.infer<typeof IPReputationInputZ>;\n\nexport const IPReputationZ = z.object({\n score: z.number().min(-100).max(100),\n lastUpdated: z.number().int(),\n totalRequests: z.number().int().nonnegative(),\n failedRequests: z.number().int().nonnegative(),\n blockedRequests: z.number().int().nonnegative(),\n tags: z.array(z.string()),\n});\nexport type IPReputation = z.infer<typeof IPReputationZ>;\n\n// ============================================================================\n// FILE UPLOAD STATE SENSOR\n// ============================================================================\n\nexport const UploadStatusZ = z.enum([\n 'INIT',\n 'UPLOADING',\n 'FINALIZING',\n 'DONE',\n 'ABORTED',\n]);\nexport type UploadStatus = z.infer<typeof UploadStatusZ>;\n\nexport const UploadSessionZ = z.object({\n uploadIdHex: z.string().min(1),\n fileName: z.string().min(1),\n totalSize: z.number().int().positive(),\n chunkSize: z.number().int().positive(),\n totalChunks: z.number().int().positive(),\n receivedCount: z.number().int().nonnegative(),\n status: UploadStatusZ,\n});\nexport type UploadSession = z.infer<typeof UploadSessionZ>;\n\n// ============================================================================\n// BODY BUDGET SENSOR\n// ============================================================================\n\nexport const BodyBudgetInputZ = z.object({\n intent: z.string().min(1),\n headerLen: z.number().int().nonnegative(),\n bodyLen: z.number().int().nonnegative(),\n});\nexport type BodyBudgetInput = z.infer<typeof BodyBudgetInputZ>;\n\nexport const BodyBudgetPolicyZ = z.object({\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n});\nexport type BodyBudgetPolicy = z.infer<typeof BodyBudgetPolicyZ>;\n\n// ============================================================================\n// CHUNK HASH SENSOR\n// ============================================================================\n\nexport const ChunkHashInputZ = z.object({\n headerTLVs: z.any(), // Map<number, Uint8Array> - flexible validation for compatibility\n bodyBytes: z.any(), // Uint8Array - flexible validation for compatibility\n intent: z.string().min(1),\n});\nexport type ChunkHashInput = z.infer<typeof ChunkHashInputZ>;\n\n// ============================================================================\n// AXIS CONTEXT (Request Context across sensors)\n// ============================================================================\n\nexport enum ProofType {\n CAPSULE = 1,\n JWT = 2,\n MTLS_ID = 3,\n DEVICE_SE = 4,\n WITNESS_SIG = 5,\n}\n\nexport const AxisContextZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)), // Process ID\n ts: z.bigint(), // Timestamp\n intent: z.string().min(1),\n actorId: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n proofType: z.enum(ProofType),\n proofRef: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n ip: z.string().min(1),\n nodeCertHash: z.string().optional(),\n capsule: CapsuleZ.optional(),\n passport: PassportZ.optional(),\n meter: z.any().optional(), // ExecutionMeter instance - any to avoid circular dependency and allow class instance\n});\n\nexport type AxisContext = z.infer<typeof AxisContextZ>;\n\n// ============================================================================\n// ERROR HANDLING\n// ============================================================================\n\nexport const AxisErrorZ = z.object({\n code: z.string(),\n message: z.string(),\n httpStatus: z.number().int(),\n});\nexport type AxisError = z.infer<typeof AxisErrorZ>;\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { decodeTLVsList } from '../core/tlv';\n\n/\n Body Profile Types\n /\nexport enum BodyProfile {\n RAW = 0, // Raw binary (no structure)\n TLV_MAP = 1, // Flat TLV map (type -> value)\n OBJ = 2, // Nested object (OBJ TLVs)\n ARR = 3, // Array (ARR TLVs)\n}\n\nexport interface BodyProfileValidation {\n valid: boolean;\n error?: string;\n profile: BodyProfile;\n}\n\n/\n Validates AXIS frame body against declared body profile\n /\n@Injectable()\nexport class BodyProfileValidator {\n private readonly logger = new Logger(BodyProfileValidator.name);\n\n /\n Validate body matches declared profile\n /\n validate(body: Uint8Array, profile: BodyProfile): BodyProfileValidation {\n switch (profile) {\n case BodyProfile.RAW:\n return this.validateRaw(body);\n\n case BodyProfile.TLV_MAP:\n return this.validateTlvMap(body);\n\n case BodyProfile.OBJ:\n return this.validateObj(body);\n\n case BodyProfile.ARR:\n return this.validateArr(body);\n\n default:\n return {\n valid: false,\n error: `Unknown body profile: ${profile}`,\n profile,\n };\n }\n }\n\n /\n RAW profile - no validation, any bytes accepted\n /\n private validateRaw(body: Uint8Array): BodyProfileValidation {\n return {\n valid: true,\n profile: BodyProfile.RAW,\n };\n }\n\n /\n TLV_MAP profile - flat TLV list (no nested structures)\n /\n private validateTlvMap(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Check no nested structures (OBJ or ARR types)\n for (const tlv of tlvs) {\n if (tlv.type === 254 \|\| tlv.type === 255) {\n return {\n valid: false,\n error: 'TLV_MAP profile cannot contain nested OBJ/ARR types',\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n return {\n valid: true,\n profile: BodyProfile.TLV_MAP,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `TLV_MAP decode failed: ${message}`,\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n /\n OBJ profile - must be valid nested object\n /\n private validateObj(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one OBJ type (254)\n const hasObj = tlvs.some((t) => t.type === 254);\n if (!hasObj && tlvs.length > 0) {\n return {\n valid: false,\n error: 'OBJ profile must contain OBJ type (254)',\n profile: BodyProfile.OBJ,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.OBJ,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `OBJ decode failed: ${message}`,\n profile: BodyProfile.OBJ,\n };\n }\n }\n\n /\n ARR profile - must be valid array\n /\n private validateArr(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one ARR type (255)\n const hasArr = tlvs.some((t) => t.type === 255);\n if (!hasArr && tlvs.length > 0) {\n return {\n valid: false,\n error: 'ARR profile must contain ARR type (255)',\n profile: BodyProfile.ARR,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.ARR,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `ARR decode failed: ${message}`,\n profile: BodyProfile.ARR,\n };\n }\n }\n}\n","export from './axis-schemas';\nexport {\n BodyProfileValidator,\n BodyProfile,\n type BodyProfileValidation,\n} from './body-profile.validator';\n","export * from './scopes';\nexport * from './capabilities';\nexport * from './axis-sensor-chain.service';\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Access Profile Resolver AxisSensor\n \n This sensor determines whether an AXIS request should be handled under the\n * 'PUBLIC' or 'GUARDED' access profile. It does this by checking for the presence\n * of authentication proofs in the request metadata.\n \n Execution Order: 50 (runs very early)\n \n Core Concept:\n * - If any structural proof is present (Capsule, Passport, or mTLS certificate),\n * the request is flagged as `GUARDED`.\n * - Otherwise, it is treated as `PUBLIC`.\n \n Impact:\n * This determination is stored in `input.metadata.profile` and is used by\n * downstream sensors like `CapabilityEnforcementSensor` to decide whether\n * to enforce strict authorization checks.\n \n @class AccessProfileResolverSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class AccessProfileResolverSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'AccessProfileResolverSensor';\n\n /\n Execution order - runs early to establish the access profile\n * for downstream sensors.\n /\n readonly order = BAND.IDENTITY + 10;\n\n supports(): boolean {\n return true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n // Resolve profile: presence of proof => GUARDED, else PUBLIC\n const hasCapsule = !!input.metadata?.capsuleId;\n const hasPassport = !!input.metadata?.passportSig;\n const hasMTLS = !!input.metadata?.mtlsId;\n\n const profile = hasCapsule \|\| hasPassport \|\| hasMTLS ? 'GUARDED' : 'PUBLIC';\n\n // Store in metadata for downstream sensors\n if (!input.metadata) input.metadata = {};\n input.metadata.profile = profile;\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { MAX_BODY_LEN, MAX_HDR_LEN } from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Body Budget AxisSensor - Section Size Limit Enforcement\n \n Validates that header and body sections of AXIS frames are within\n * configured size limits. This prevents memory exhaustion attacks and\n * ensures efficient processing.\n \n Execution Order: 150 (after auth, before schema validation)\n \n Core Concept:\n * AXIS frames have three main sections:\n * - Header (TLVs for routing, auth, etc.)\n * - Body (payload data)\n * - Signature\n \n Each section has a declared length in the frame header. This sensor\n * validates those lengths against configured maximums BEFORE reading\n * the full content.\n \n Frame Format Reference:\n * ```\n * Offset 0-4: Magic (AXIS1)\n * Offset 5: Version (0x01)\n * Offset 6: Flags\n * Offset 7+: HDR_LEN (varint)\n * Following: BODY_LEN (varint)\n * Following: SIG_LEN (varint)\n * Then: HDR bytes, BODY bytes, SIG bytes\n * ```\n \n Default Limits (from constants.ts):\n * - MAX_HDR_LEN: 2048 bytes (2KB)\n * - MAX_BODY_LEN: 65536 bytes (64KB)\n \n Security Model:\n * - Fail Open: Parse errors allow (other sensors catch)\n * - Early Rejection: Rejects before reading large payloads\n * - Defense in Depth: Works with FrameBudgetSensor\n \n Actions:\n * - `ALLOW` - Sizes within limits\n * - `DENY` - Header or body exceeds maximum\n \n Error Codes:\n * - `HEADER_TOO_LARGE` - Header exceeds MAX_HDR_LEN\n * - `BODY_TOO_LARGE` - Body exceeds MAX_BODY_LEN\n \n Performance:\n * - Parses first ~20 bytes (varint lengths)\n * - O(1) comparison\n * - Latency: <0.5ms\n \n @class BodyBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Within limits:\n * ```typescript\n * // HDR_LEN: 500 (< 2048), BODY_LEN: 10000 (< 65536)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Body too large:\n * ```typescript\n * // BODY_LEN: 100000 (> 65536)\n * {\n * action: 'DENY',\n * code: 'BODY_TOO_LARGE',\n * reason: 'Body size 100000 exceeds limit 65536'\n * }\n * ```\n \n @see {@link FrameBudgetSensor} - Content-Length based limiting\n * @see {@link MAX_BODY_LEN} - Configurable body limit\n /\n@Sensor()\n@Injectable()\nexport class BodyBudgetSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'BodyBudgetSensor';\n\n /\n Execution order - after authentication\n \n Order 150 ensures:\n * - Authentication complete\n * - Runs before full body read\n * - Before schema validation (170)\n /\n readonly order = BAND.CONTENT + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 8 bytes of peeked data to read headers.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data available\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 8;\n }\n\n /\n Validates header and body lengths against configured limits.\n \n Frame Parsing:\n * - Skip magic (5 bytes)\n * - Skip version (1 byte)\n * - Skip flags (1 byte)\n * - Read HDR_LEN varint\n * - Read BODY_LEN varint\n * - Compare against MAX_HDR_LEN and MAX_BODY_LEN\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size limits\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { peek } = input;\n\n // Should be caught by ProtocolStrict, but defensive check\n if (!peek \|\| peek.length < 8) {\n return { action: 'ALLOW' };\n }\n\n try {\n // Frame structure:\n // 0-4: Magic (AXIS1)\n // 5: Version\n // 6: Flags\n // 7+: Varints for HDR_LEN, BODY_LEN, SIG_LEN\n\n let offset = 5; // After magic\n offset += 1; // Skip version\n offset += 1; // Skip flags\n\n // Now at offset 7: read HDR_LEN varint\n const { value: hdrLen, length: hdrBytes } = decodeVarint(peek, offset);\n offset += hdrBytes;\n\n // Read BODY_LEN varint\n const { value: bodyLen } = decodeVarint(peek, offset);\n\n // === Check Header Limit ===\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds limit ${MAX_HDR_LEN}`,\n };\n }\n\n // === Check Body Limit ===\n if (bodyLen > MAX_BODY_LEN) {\n return {\n action: 'DENY',\n code: 'BODY_TOO_LARGE',\n reason: `Body size ${bodyLen} exceeds limit ${MAX_BODY_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n } catch (e) {\n // Parse errors are likely malformed frames\n // ProtocolStrict will handle them\n return { action: 'ALLOW' };\n }\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n Capability,\n INTENT_REQUIREMENTS,\n PROOF_CAPABILITIES,\n SensorDecision,\n SensorInput,\n} from '../index';\n\n/\n Capability Enforcement AxisSensor - Authorization Based on Proof Type\n \n Maps authentication proof types to capabilities and enforces capability\n * requirements per intent. This implements role-based access control (RBAC)\n * at the intent level.\n \n Execution Order: 100 (after capsule/signature verification)\n \n Core Concept:\n * Different authentication methods grant different capabilities:\n * - Stronger auth = more capabilities\n * - Weaker auth = fewer capabilities\n \n Each intent has required capabilities. The request's proof type must\n * grant ALL required capabilities for the intent to proceed.\n \n Capability Definitions:\n * - `read` - Can read/query data\n * - `write` - Can create/update data\n * - `execute` - Can trigger actions/operations\n * - `admin` - Administrative operations\n * - `sign` - Can create digital signatures\n * - `witness` - Can act as independent witness\n \n Proof Type Mappings:\n * \| Type \| Name \| Capabilities \|\n * \|------\|------\|--------------\|\n * \| 0 \| NONE \| (none) \|\n * \| 1 \| CAPSULE \| read, write, execute \|\n * \| 2 \| JWT \| read \|\n * \| 3 \| MTLS \| read, write, admin \|\n * \| 4 \| DEVICE_SE \| read, write, sign \|\n * \| 5 \| WITNESS_SIG \| read, write, execute, witness \|\n \n @class CapabilityEnforcementSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload (requires 'write'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'file.upload' (requires: write)\n * // write ∈ [read, write, execute] ✓\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Admin operation (requires 'admin'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'admin.users.delete' (requires: admin)\n * // admin ∉ [read, write, execute] ✗\n * {\n * action: 'DENY',\n * code: 'CAPABILITY_DENIED',\n * reason: 'Missing capabilities: admin'\n * }\n * ```\n /\n\n@Sensor()\n@Injectable()\nexport class CapabilityEnforcementSensor implements AxisSensor {\n private readonly logger = new Logger(CapabilityEnforcementSensor.name);\n\n /* AxisSensor identifier for logging and registry /\n readonly name = 'CapabilityEnforcementSensor';\n\n /\n Execution order - runs after authentication\n \n Order 100 ensures:\n * - Capsule is verified (CapsuleVerifySensor @ 80)\n * - Signature is verified (SigVerifySensor @ 90)\n * - We know the proof type for capability lookup\n /\n readonly order = BAND.POLICY + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when an intent is present.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Enforces capability requirements for the requested intent.\n \n Processing Flow:\n * 1. Extract proof type from packet (default: 0/NONE)\n * 2. Look up capabilities granted by this proof type\n * 3. Look up capabilities required by the intent\n * 4. If no requirements, ALLOW\n * 5. Check if all required capabilities are granted\n * 6. If missing capabilities, DENY with details\n * 7. Otherwise, ALLOW\n \n @param {SensorInput} input - Request with intent and packet\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on capabilities\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, packet } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n const proofType = packet?.proofType ?? 0;\n\n // === STEP 1: Get Granted Capabilities ===\n // Look up what this proof type allows\n const grantedCapabilities = PROOF_CAPABILITIES[proofType] \|\| [];\n\n // === STEP 2: Get Required Capabilities ===\n // Look up what this intent requires\n const requiredCapabilities = this.getRequiredCapabilities(intent);\n\n // === STEP 3: Check Public Intents ===\n // No capabilities required = public access\n if (requiredCapabilities.length === 0) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 4: Check Capability Match ===\n // Find any required capabilities not granted\n const missingCapabilities = requiredCapabilities.filter(\n (cap) => !grantedCapabilities.includes(cap),\n );\n\n if (missingCapabilities.length > 0) {\n // Capability mismatch - deny with details\n this.logger.warn(\n `Capability denied for ${intent}: missing ${missingCapabilities.join(', ')} (has: ${grantedCapabilities.join(', ')})`,\n );\n return {\n action: 'DENY',\n code: 'CAPABILITY_DENIED',\n reason: `Missing capabilities: ${missingCapabilities.join(', ')}`,\n };\n }\n\n // All required capabilities present\n return { action: 'ALLOW' };\n }\n\n /\n Gets required capabilities for an intent.\n \n Lookup Strategy:\n * 1. Check for exact intent match\n * 2. Check for prefix pattern match (.suffix)\n 3. Default to 'execute' for unknown intents\n \n @private\n * @param {string} intent - Intent name to look up\n * @returns {Capability[]} Array of required capabilities\n /\n private getRequiredCapabilities(intent: string): Capability[] {\n // Check exact match first\n if (INTENT_REQUIREMENTS[intent]) {\n return INTENT_REQUIREMENTS[intent];\n }\n\n // Check prefix patterns (e.g., 'admin.' matches 'admin.users.delete')\n for (const [pattern, caps] of Object.entries(INTENT_REQUIREMENTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1); // Remove ''\n if (intent.startsWith(prefix)) {\n return caps;\n }\n }\n }\n\n // Default: require execute for unknown intents (safe default)\n return ['execute'];\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { createHash } from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/*\n Chunk Hash Sensor - Data Integrity Verification\n \n Validates that uploaded file chunks match their declared SHA-256 hash.\n * This ensures data integrity during transfer and detects corruption or\n * tampering.\n \n Execution Order: 190 (after session validation, before handler)\n \n Core Concept:\n * Each file chunk includes a SHA-256 hash in the header. The sensor:\n * 1. Extracts the expected hash from header TLV\n * 2. Computes the actual hash of the body\n * 3. Compares them byte-by-byte\n * 4. Rejects if mismatch (data corruption)\n \n This provides end-to-end integrity verification, catching:\n * - Network corruption\n * - Storage errors\n * - Man-in-the-middle modifications\n * - Client-side bugs\n \n TLV Type:\n * - Type 73 (`TLV_SHA256_CHUNK`): 32-byte SHA-256 hash\n \n Hash Calculation:\n * ```typescript\n * const actual = createHash('sha256').update(bodyBytes).digest();\n * ```\n \n Security Model:\n * - Fail Closed: Hash mismatch = DENY\n * - Immutable Check: Hash computed server-side\n * - Early Rejection: Before storage writes\n \n Actions:\n * - `ALLOW` - Hash matches\n * - `DENY` - Hash mismatch or missing\n \n Error Codes:\n * - `FILE_CHUNK_HASH_MISSING` - TLV 73 not present or wrong size\n * - `FILE_CHUNK_HASH_MISMATCH` - Computed hash != expected hash\n \n Performance:\n * - SHA-256 computation: ~100MB/s on modern CPUs\n * - For 1MB chunk: ~10ms\n \n @class ChunkHashSensor\n * @implements {AxisSensor}\n \n @example\n * Hash matches:\n * ```typescript\n * // Header TLV 73: sha256(body) = expected\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Hash mismatch:\n * ```typescript\n * // Body was corrupted during transfer\n * {\n * action: 'DENY',\n * code: 'FILE_CHUNK_HASH_MISMATCH',\n * reason: 'Chunk hash mismatch - data corrupted'\n * }\n * ```\n \n @see {@link FileUploadStateSensor} - Session validation\n * @see {@link https://en.wikipedia.org/wiki/SHA-2 SHA-256}\n /\n@Sensor()\n@Injectable()\nexport class ChunkHashSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'ChunkHashSensor';\n\n /\n Execution order - after session validation\n \n Order 190 ensures:\n * - Session validated (180)\n * - Chunk parameters verified\n * - Hash check before storage\n /\n readonly order = BAND.CONTENT + 50;\n\n /\n Determines if this sensor should process the given input.\n \n Only processes file.chunk intents.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is 'file.chunk'\n /\n supports(input: SensorInput): boolean {\n return input.intent === 'file.chunk';\n }\n\n /\n Validates chunk data against declared SHA-256 hash.\n \n Processing Flow:\n * 1. Check for required headerTLVs and body\n * 2. Extract expected hash from TLV 73\n * 3. Verify hash is exactly 32 bytes\n * 4. Compute SHA-256 of body\n * 5. Compare bytes (timing-safe)\n * 6. DENY on mismatch\n \n @param {SensorInput} input - Request with chunk body\n * @returns {Promise<SensorDecision>} ALLOW if hash matches, DENY otherwise\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyBytes = input.body as Uint8Array;\n\n // Validate required inputs\n if (!headerTLVs \|\| !bodyBytes) {\n return {\n action: 'DENY',\n code: 'SENSOR_INVALID_INPUT',\n reason: 'Missing headerTLVs or body',\n };\n }\n\n // TLV type for chunk SHA-256 hash\n const TLV_SHA256_CHUNK = 73;\n\n // === STEP 1: Extract Expected Hash ===\n const expected = headerTLVs.get(TLV_SHA256_CHUNK);\n\n if (!expected \|\| expected.length !== 32) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISSING',\n reason: 'Missing sha256Chunk TLV in header',\n };\n }\n\n // === STEP 2: Compute Actual Hash ===\n const actual = createHash('sha256').update(bodyBytes).digest();\n\n // === STEP 3: Compare Hashes ===\n // Using Buffer.equals for comparison\n if (!Buffer.from(actual).equals(Buffer.from(expected))) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISMATCH',\n reason: 'Chunk hash mismatch - data corrupted',\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\n\nimport { TLV_NONCE, TLV_PID } from '../core/constants';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Entropy AxisSensor - Randomness Quality Analysis\n \n Validates that cryptographic identifiers (PIDs, nonces) have sufficient\n * randomness to prevent predictability attacks. Weak entropy in IDs can\n * lead to collision attacks and session hijacking.\n \n Execution Order: 130 (after replay protection, before policy checks)\n \n Core Concept:\n * Proper cryptographic security requires high-quality randomness. This sensor\n * detects patterns that suggest weak random number generation:\n * - Low Shannon entropy\n * - Sequential patterns (1,2,3,4...)\n * - Repeated patterns (0xAB,0xAB,0xAB...)\n \n How It Works:\n * ```\n * 1. Extract PID and nonce from headers\n * 2. Calculate Shannon entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. FLAG if issues found (doesn't DENY for availability)\n * ```\n \n Shannon Entropy Calculation:\n * ```\n * H = -Σ(p_i * log2(p_i))\n * ```\n * Where p_i is the probability of byte value i appearing.\n * - High entropy (7-8 bits/byte): Good randomness\n * - Low entropy (<3 bits/byte): Suspicious pattern\n \n Pattern Detection:\n * - Sequential: More than 50% of bytes are +1 or -1 from previous\n * - Repeated: 90%+ match with 2, 4, or 8 byte repeating pattern\n \n Security Model:\n * - Fail Open: Issues cause FLAG, not DENY\n * - Trust Score Impact: Each issue reduces trust score\n * - Detection Only: Logs suspicious patterns for investigation\n \n Actions:\n * - `ALLOW` - Sufficient entropy, no patterns detected\n * - `FLAG` - Issues detected (reduces trust score)\n \n Score Deltas:\n * \| Issue \| Delta \|\n * \|-------\|-------\|\n * \| Low entropy (<3 bits/byte) \| -3 \|\n * \| Sequential pattern \| -5 \|\n * \| Repeated pattern \| -5 \|\n \n Why Not DENY?\n * Legitimate clients with older RNG libraries might trigger false positives.\n * FLAG allows monitoring without breaking legitimate traffic.\n \n Performance:\n * - In-memory analysis\n * - O(n) where n = bytes analyzed\n * - Latency: <1ms\n \n @class EntropySensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * High-entropy nonce (good):\n * ```typescript\n * // Nonce from crypto.randomBytes(16)\n * // Entropy: 7.2 bits/byte\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Sequential pattern (suspicious):\n * ```typescript\n * // Nonce: [1,2,3,4,5,6,7,8,9,10,11,12]\n * {\n * action: 'FLAG',\n * scoreDelta: -5,\n * reasons: ['nonce_sequential']\n * }\n * ```\n \n @see {@link https://en.wikipedia.org/wiki/Entropy_(information_theory) Shannon Entropy}\n /\n@Sensor()\n@Injectable()\nexport class EntropySensor implements AxisSensor {\n private readonly logger = new Logger(EntropySensor.name);\n\n /\n Minimum acceptable entropy in bits per byte.\n \n 3.0 bits/byte is a conservative threshold:\n * - Random data: ~7.9 bits/byte\n * - English text: ~4.5 bits/byte\n * - Sequential data: ~0-2 bits/byte\n /\n private readonly MIN_ENTROPY_THRESHOLD = 3.0;\n\n /* AxisSensor identifier /\n readonly name = 'EntropySensor';\n\n /\n Execution order - anomaly detection phase\n \n Order 130 ensures:\n * - Replay protection done (120)\n * - Runs before expensive policy lookups\n /\n readonly order = BAND.POLICY + 35;\n\n /\n Calculates Shannon entropy of a byte array.\n \n Algorithm:\n * 1. Count frequency of each byte value (0-255)\n * 2. Calculate probability p = count / total\n * 3. Sum: -Σ(p * log2(p))\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {number} Entropy in bits per byte (0-8 scale)\n /\n private calculateEntropy(data: Uint8Array): number {\n if (data.length === 0) return 0;\n\n // Count byte frequencies\n const freq = new Map<number, number>();\n for (const byte of data) {\n freq.set(byte, (freq.get(byte) \|\| 0) + 1);\n }\n\n // Calculate Shannon entropy\n let entropy = 0;\n const len = data.length;\n for (const count of freq.values()) {\n const p = count / len;\n entropy -= p Math.log2(p);\n }\n\n return entropy;\n }\n\n /*\n Checks for sequential patterns in data.\n \n Detects sequences like [1,2,3,4...] or [10,9,8,7...].\n * More than 50% sequential is considered suspicious.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if sequential pattern detected\n /\n private hasSequentialPattern(data: Uint8Array): boolean {\n if (data.length < 4) return false;\n\n let ascending = 0;\n let descending = 0;\n\n for (let i = 1; i < data.length; i++) {\n if (data[i] === data[i - 1] + 1) ascending++;\n if (data[i] === data[i - 1] - 1) descending++;\n }\n\n // More than 50% sequential is suspicious\n return ascending > data.length / 2 \|\| descending > data.length / 2;\n }\n\n /\n Checks for repeated patterns in data.\n \n Detects patterns like [0xAB, 0xCD, 0xAB, 0xCD...].\n * Checks for 2, 4, and 8 byte repeating patterns.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if repeated pattern detected\n /\n private hasRepeatedPattern(data: Uint8Array): boolean {\n if (data.length < 8) return false;\n\n // Check for 2-byte, 4-byte, and 8-byte repeating patterns\n for (const patternLen of [2, 4, 8]) {\n if (data.length % patternLen !== 0) continue;\n\n let matches = 0;\n for (let i = patternLen; i < data.length; i++) {\n if (data[i] === data[i % patternLen]) matches++;\n }\n\n // 90%+ match = repeating pattern\n if (matches > (data.length - patternLen) 0.9) {\n return true;\n }\n }\n\n return false;\n }\n\n /*\n Analyzes entropy of PID and nonce in request headers.\n \n Processing Flow:\n * 1. Extract PID and nonce from header TLVs\n * 2. Calculate entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. Accumulate issues and score delta\n * 6. Return FLAG if issues found, ALLOW otherwise\n \n @param {SensorInput} input - Request with header TLVs\n * @returns {Promise<SensorDecision>} ALLOW or FLAG based on entropy analysis\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headers = input.headerTLVs as Map<number, Uint8Array>;\n\n // If no headers, allow (WebSocket handshake, etc.)\n if (!headers) {\n return { action: 'ALLOW' };\n }\n\n // Extract PID and nonce from headers\n const pid = headers.get(TLV_PID);\n const nonce = headers.get(TLV_NONCE);\n\n const issues: string[] = [];\n let totalDelta = 0;\n\n // === Analyze PID ===\n if (pid && pid.length > 0) {\n const pidEntropy = this.calculateEntropy(pid);\n\n // Check minimum entropy threshold\n if (pidEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`pid_low_entropy:${pidEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(pid)) {\n issues.push('pid_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(pid)) {\n issues.push('pid_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Analyze Nonce ===\n if (nonce && nonce.length > 0) {\n const nonceEntropy = this.calculateEntropy(nonce);\n\n // Check minimum entropy threshold\n if (nonceEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`nonce_low_entropy:${nonceEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(nonce)) {\n issues.push('nonce_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(nonce)) {\n issues.push('nonce_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Return Decision ===\n if (issues.length > 0) {\n this.logger.warn(`Entropy issues from ${input.ip}: ${issues.join(', ')}`);\n return {\n action: 'FLAG',\n scoreDelta: totalDelta,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Generates cryptographically secure random bytes.\n \n Utility method for SDK/client code to ensure proper entropy.\n * Uses Node.js crypto.randomBytes for secure PRNG.\n \n @static\n * @param {number} length - Number of random bytes\n * @returns {Uint8Array} Cryptographically secure random bytes\n /\n static generateSecureRandom(length: number): Uint8Array {\n return new Uint8Array(crypto.randomBytes(length));\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { resolveTimeout } from '../core/timeouts';\n\n/\n Execution Timeout AxisSensor - Intent-Based Deadline Enforcement\n \n Sets per-intent execution time limits and stores deadlines in the request\n * context. This prevents runaway handlers and ensures predictable response times.\n \n Execution Order: 210 (late, before handler execution)\n \n Core Concept:\n * Different intents have different acceptable latencies:\n * - Health checks: 2 seconds (must be fast)\n * - File uploads: 60 seconds (large transfers)\n * - Standard operations: 10 seconds (default)\n \n The sensor calculates a deadline timestamp and stores it in the context.\n * Handler code can check this deadline to abort if running too long.\n \n How It Works:\n * ```\n * 1. Look up timeout for intent (exact match or prefix pattern)\n * 2. Calculate deadline = now + timeout\n * 3. Store deadline in context\n * 4. Return ALLOW (enforcement happens in handler)\n * ```\n \n Timeout Lookup:\n * 1. Check exact intent match first\n * 2. Then check prefix patterns (e.g., 'file.')\n 3. Fall back to DEFAULT_TIMEOUT (10s)\n \n Context Properties Set:\n * - `deadline`: Absolute timestamp (ms since epoch)\n * - `timeoutMs`: Configured timeout duration\n \n Handler Usage:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new Error('Execution timeout exceeded');\n * }\n \n const remaining = ExecutionTimeoutSensor.getRemainingMs(ctx);\n * ```\n \n Security Model:\n * - Always Allow: This sensor only sets context, doesn't block\n * - Handler Responsibility: Actual enforcement in handler code\n * - Defense in Depth: Works with ExecutionContractSensor\n \n Actions:\n * - `ALLOW` - Always (only sets context)\n \n Performance:\n * - Map lookup: O(1) to O(n patterns)\n * - Latency: <0.1ms\n \n @class ExecutionTimeoutSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload:\n * ```typescript\n * // Intent: file.upload\n * // Timeout: 60000ms\n * // ctx.deadline = Date.now() + 60000\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Checking deadline in handler:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new TimeoutError('Handler exceeded deadline');\n * }\n * ```\n \n @see {@link ExecutionContractSensor} - Resource limit enforcement\n /\n@Sensor()\n@Injectable()\nexport class ExecutionTimeoutSensor implements AxisSensor {\n private readonly logger = new Logger(ExecutionTimeoutSensor.name);\n\n /* AxisSensor identifier /\n readonly name = 'ExecutionTimeoutSensor';\n\n /\n Execution order - late, near handler execution\n \n Order 210 ensures:\n * - All validation complete\n * - Deadline set just before handler\n /\n readonly order = BAND.BUSINESS + 10;\n\n /\n Determines if this sensor should process the given input.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Sets execution deadline in the request context.\n \n Processing Flow:\n * 1. Look up timeout for intent\n * 2. Calculate absolute deadline\n * 3. Store in context for handler use\n * 4. Return ALLOW\n \n @param {SensorInput} input - Request with intent\n * @returns {Promise<SensorDecision>} Always ALLOW\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, context } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n // Get timeout for this intent\n const timeout = resolveTimeout(intent);\n\n // Calculate absolute deadline\n const deadline = Date.now() + timeout;\n\n // Store deadline in context for downstream components\n if (context) {\n (context as any).deadline = deadline;\n (context as any).timeoutMs = timeout;\n }\n\n this.logger.debug(\n `Set ${timeout}ms timeout for ${intent} (deadline: ${new Date(deadline).toISOString()})`,\n );\n\n // Actual timeout enforcement happens in the intent router/executor\n // This sensor just sets the deadline\n return { action: 'ALLOW' };\n }\n\n /\n Checks if a deadline has been exceeded.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {boolean} True if deadline passed\n /\n static isExpired(ctx: { deadline?: number }): boolean {\n if (!ctx.deadline) return false;\n return Date.now() > ctx.deadline;\n }\n\n /\n Gets remaining time until deadline.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {number} Remaining milliseconds (0 if expired, Infinity if no deadline)\n /\n static getRemainingMs(ctx: { deadline?: number }): number {\n if (!ctx.deadline) return Infinity;\n return Math.max(0, ctx.deadline - Date.now());\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Frame Budget AxisSensor - Request Size Validation\n \n Validates that incoming frame sizes do not exceed configured limits.\n * This prevents memory exhaustion attacks and ensures fair resource allocation.\n \n Execution Order: 20 (after ProtocolStrictSensor, before security checks)\n \n Core Concept:\n * Large payloads can be used for denial-of-service attacks, buffer overflows,\n * or to exhaust server memory. This sensor enforces per-intent size limits\n * defined in the intent policy, rejecting oversized frames before they are\n * fully processed.\n \n How It Works:\n * 1. Extract Content-Length from request\n * 2. Look up maximum allowed size from intent policy\n * 3. If size exceeds limit, DENY the request\n * 4. Otherwise, ALLOW request to proceed\n \n Default Limits:\n * - Standard requests: 1MB (1,048,576 bytes)\n * - File uploads: 100MB (104,857,600 bytes)\n * - Streaming: No limit (handled by StreamScopeSensor)\n \n Security Model:\n * - Fail Open: If Content-Length is not available, ALLOW (other sensors handle)\n * - Early Rejection: Reject oversized frames before full download\n * - Per-Intent Limits: Different intents can have different size limits\n \n Configuration:\n * ```env\n * AXIS_MAX_FRAME_BYTES=1048576 # 1MB default\n * AXIS_MAX_UPLOAD_BYTES=104857600 # 100MB for uploads\n * ```\n \n Actions:\n * - `ALLOW` - Frame size within limits or unknown\n * - `DENY` - Frame exceeds configured maximum (code: FRAME_TOO_LARGE)\n \n Performance:\n * - Single comparison operation\n * - No I/O or external calls\n * - Latency: <0.1ms\n \n @class FrameBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Normal request (within limits):\n * ```typescript\n * // Content-Length: 50000 (50KB)\n * // Policy max: 1MB\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Oversized request:\n * ```typescript\n * // Content-Length: 10485760 (10MB)\n * // Policy max: 1MB\n * {\n * action: 'DENY',\n * code: 'FRAME_TOO_LARGE',\n * reason: 'Frame size 10485760 exceeds limit 1048576'\n * }\n * ```\n \n @todo Implement actual size checking against intent policy maxFrameBytes\n * @see {@link BodyBudgetSensor} - Body-specific size limiting\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class FrameBudgetSensor implements AxisSensor {\n /* AxisSensor identifier for logging and registry /\n readonly name = 'FrameBudgetSensor';\n\n /\n Execution order - runs after protocol validation\n \n Order 20 ensures:\n * - Protocol is valid (ProtocolStrictSensor @ 10)\n * - Size checked before expensive processing\n /\n readonly order = BAND.WIRE + 20;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when Content-Length header is available.\n * WebSocket frames may not have Content-Length; they use different size tracking.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if Content-Length is present\n /\n supports(input: SensorInput): boolean {\n return typeof input.contentLength === 'number';\n }\n\n /\n Validates frame size against configured limits.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Load intent policy for the request\n * 2. Get maxFrameBytes from policy\n * 3. Compare against contentLength\n * 4. DENY if exceeded\n \n @param {SensorInput} input - Request with contentLength\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const maxBytes =\n this.config.get<number>('AXIS_MAX_FRAME_SIZE') \|\| 50 1024 * 1024;\n const contentLength = input.contentLength;\n\n if (typeof contentLength !== 'number') {\n return { action: 'ALLOW' };\n }\n\n if (contentLength > maxBytes) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLength} exceeds limit ${maxBytes}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { AXIS_MAGIC, AXIS_VERSION, MAX_FRAME_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor({ phase: 'PRE_DECODE' })\nexport class FrameHeaderSanitySensor implements AxisSensor {\n readonly name = 'FrameHeaderSanitySensor';\n readonly order = BAND.WIRE + 30;\n\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const peek = input.peek!;\n const contentLen = input.contentLength \|\| 0;\n\n // Check magic (first 5 bytes: AXIS1)\n if (peek.length < 5 \|\| !this.bufferEqual(peek.slice(0, 5), AXIS_MAGIC)) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: 'Frame magic is not AXIS1',\n };\n }\n\n // Check version (byte 5)\n if (peek[5] !== AXIS_VERSION) {\n return {\n action: 'DENY',\n code: 'UNSUPPORTED_VERSION',\n reason: `Unsupported version: ${peek[5]}`,\n };\n }\n\n // Check frame length against hard limit\n if (contentLen > MAX_FRAME_LEN) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLen} exceeds max ${MAX_FRAME_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n private bufferEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { MAX_HDR_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class HeaderTLVLimitSensor implements AxisSensor {\n readonly name = 'HeaderTLVLimitSensor';\n readonly order = BAND.CONTENT + 0;\n private readonly MAX_TLVS = 64;\n\n supports(input: SensorInput): boolean {\n return !!input.headerTLVs \|\| !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n if (input.headerTLVs && input.headerTLVs.size > this.MAX_TLVS) {\n return {\n action: 'DENY',\n code: 'TOO_MANY_TLVS',\n reason: `Header TLVs (${input.headerTLVs.size}) exceed max (${this.MAX_TLVS})`,\n };\n }\n\n if (input.packet && input.packet.headerBytes) {\n const hdrLen = input.packet.headerBytes.length;\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds max ${MAX_HDR_LEN}`,\n };\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n// Public intent allowlist (exact or prefix)\nconst PUBLIC_INTENT_ALLOWLIST = [\n 'public.',\n 'schema.',\n 'catalog.',\n 'health.',\n 'system.',\n];\n\n@Injectable()\n@Sensor()\nexport class IntentAllowlistSensor implements AxisSensor {\n readonly name = 'IntentAllowlistSensor';\n readonly order = BAND.IDENTITY + 20;\n\n supports(input: SensorInput): boolean {\n // Only run in post-decode phase when intent is available\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const profile = input.metadata?.profile \|\| 'PUBLIC';\n const intent = input.intent \|\| '';\n\n // PUBLIC profile: only allow whitelisted intents\n if (profile === 'PUBLIC') {\n const isAllowed = PUBLIC_INTENT_ALLOWLIST.some((prefix) =>\n intent.startsWith(prefix),\n );\n if (!isAllowed) {\n return {\n action: 'DENY',\n code: 'INTENT_NOT_ALLOWED',\n reason: `Intent '${intent}' not in public allowlist`,\n };\n }\n }\n\n // GUARDED profile: allow all intents (capability enforcement comes later)\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { IntentRouter } from '../engine/intent.router';\nimport { BAND } from '../engine/sensor-bands';\n\n/*\n IntentRegistrySensor\n \n Runs early in POST_DECODE to reject intents that have no registered handler.\n * This prevents wasting resources on sensors, decoding, and routing for\n * intents that will inevitably fail with \"Intent not found\".\n \n Order: BAND.IDENTITY + 25 (65) — right after IntentAllowlistSensor (60).\n /\n@Injectable()\n@Sensor({ phase: 'POST_DECODE' })\nexport class IntentRegistrySensor implements AxisSensor {\n readonly name = 'IntentRegistrySensor';\n readonly order = BAND.IDENTITY + 25;\n\n constructor(private readonly router: IntentRouter) {}\n\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const intent = input.intent!;\n\n if (this.router.has(intent)) {\n return { action: 'ALLOW' };\n }\n\n return {\n action: 'DENY',\n code: 'INTENT_NOT_REGISTERED',\n reason: `Intent '${intent}' is not registered`,\n };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n ProofPresenceInput,\n ProofPresenceInputZ,\n} from '../schemas/axis-schemas';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Sensor()\n@Injectable()\nexport class ProofPresenceSensor implements AxisSensor {\n readonly name = 'ProofPresenceSensor';\n readonly order = BAND.IDENTITY + 30;\n\n supports(input: ProofPresenceInput): boolean {\n return !!input.profile && !!input.visibility;\n }\n\n async run(input: ProofPresenceInput): Promise<SensorDecision> {\n // Validate input with Zod\n const validatedInput = ProofPresenceInputZ.safeParse(input);\n if (!validatedInput.success) {\n throw new AxisError(\n 'SENSOR_INVALID_INPUT',\n `Input validation failed: ${validatedInput.error.message}`,\n 400,\n );\n }\n\n const {\n visibility,\n requiredProof,\n hasCapsule,\n hasPassportSignature,\n profile,\n intent,\n } = validatedInput.data;\n\n // Public intents don't require proof\n if (visibility === 'PUBLIC') {\n return { action: 'ALLOW' };\n }\n\n // If NONE is in required proofs, allow without proof\n if (requiredProof.includes('NONE')) {\n return { action: 'ALLOW' };\n }\n\n // Check if any required proof is satisfied\n const hasCapsuleProof = requiredProof.includes('CAPSULE') && hasCapsule;\n const hasPassportProof =\n requiredProof.includes('PASSPORT') && hasPassportSignature;\n const hasNodeProof = requiredProof.includes('MTLS') && profile === 'NODE';\n\n const satisfied = hasCapsuleProof \|\| hasPassportProof \|\| hasNodeProof;\n\n if (!satisfied) {\n throw new AxisError(\n 'SENSOR_PROOF_REQUIRED',\n `Proof required for guarded intent: ${intent}`,\n 403,\n );\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger, OnModuleInit } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { ProtocolStrictInputZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport {\n AXIS_MAGIC,\n AXIS_VERSION,\n AxisMediaTypes,\n FLAG_BODY_TLV,\n FLAG_CHAIN_REQ,\n FLAG_HAS_WITNESS,\n} from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/\n Valid flag combinations for AXIS frames.\n \n Flags can be combined using bitwise OR:\n * - 0x00: No flags (basic request)\n * - FLAG_BODY_TLV: Body section contains TLV-encoded data\n * - FLAG_CHAIN_REQ: Request requires receipt chaining\n * - FLAG_HAS_WITNESS: Frame includes witness signatures\n \n Any other flag combination is considered invalid.\n /\nconst VALID_FLAGS = [\n 0x00, // No flags\n FLAG_BODY_TLV, // Body contains TLVs\n FLAG_CHAIN_REQ, // Requires receipt chaining\n FLAG_HAS_WITNESS, // Has witness signatures\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ,\n FLAG_BODY_TLV \| FLAG_HAS_WITNESS,\n FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n];\n\n/\n Protocol Strict Sensor - Binary Protocol Validation Gateway\n \n CRITICAL SECURITY COMPONENT - FIRST LINE OF DEFENSE\n \n This sensor validates the raw binary structure of incoming AXIS frames before\n * any further processing occurs. It acts as the protocol gatekeeper, ensuring\n * only well-formed, spec-compliant frames are processed by the system.\n \n Execution Order: 10 (FIRST sensor in the chain)\n \n Core Concept:\n * AXIS uses a custom binary wire format for efficiency and security. This sensor\n * validates the frame structure at the byte level, catching malformed packets\n * before they can exploit parsing vulnerabilities deeper in the stack.\n \n Frame Structure Validated:\n * ```\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| MAGIC (5 bytes: \"AXIS1\") \| VER \| FLAGS \| HDR_LEN (varint)\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY_LEN (varint) \| SIG_LEN (varint) \| HDR TLVs... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY... \| SIGNATURE... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * ```\n \n Validations Performed:\n * 1. Content-Type - Must be `application/axis-bin` or similar\n * 2. Magic Bytes - Must be \"AXIS1\" (5 bytes)\n * 3. Version - Must match AXIS_VERSION constant\n * 4. Flags - Must be a valid combination\n * 5. Varint Encoding - Must be minimal (no unnecessary bytes)\n * 6. TLV Ordering - Must be canonical (sorted by type)\n * 7. Client Version - TLV 100 should be present\n \n Security Model:\n * - Fail Closed: Invalid magic/version = DENY\n * - Flag for Minor Issues: Non-critical violations decrease trust score\n * - Defense in Depth: First of multiple validation layers\n \n Actions:\n * - `ALLOW` - Frame is well-formed and spec-compliant\n * - `DENY` - Critical protocol violation (magic, version, frame too short)\n * - `FLAG` - Minor issues that decrease trust score\n \n Performance:\n * - Validates first 20 bytes of each frame\n * - No external dependencies (pure byte validation)\n * - Latency: <1ms for typical frames\n \n @class ProtocolStrictSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid AXIS frame:\n * ```typescript\n * // Frame starts with: \"AXIS1\" + version(1) + flags(0x01) + lengths...\n * // Sensor returns: { action: 'ALLOW' }\n * ```\n \n @example\n * Invalid magic bytes:\n * ```typescript\n * // Frame starts with: \"HTTP1\" (wrong protocol)\n * // Sensor returns: {\n * // action: 'DENY',\n * // code: 'INVALID_MAGIC',\n * // reason: 'Expected AXIS1 magic, got HTTP1'\n * // }\n * ```\n \n @see {@link https://axis-spec.example.com/wire-format AXIS Wire Format Spec}\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class ProtocolStrictSensor implements AxisSensor, OnModuleInit {\n private readonly logger = new Logger(ProtocolStrictSensor.name);\n\n /* Sensor identifier for logging and registry /\n readonly name = 'ProtocolStrictSensor';\n\n /\n Execution order - FIRST sensor in the chain\n \n Order 10 ensures:\n * - Runs before any other processing\n * - Invalid frames rejected immediately\n * - Protects all downstream sensors from malformed input\n /\n readonly order = BAND.WIRE + 10;\n\n private protocolMagic: Uint8Array = AXIS_MAGIC;\n private protocolVersion = AXIS_VERSION;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Static validation for streaming middleware (Fast Check)\n /\n public static validateMagic(\n chunk: Uint8Array,\n expected: Uint8Array,\n ): { valid: boolean; actual?: string } {\n if (chunk.length < expected.length) return { valid: true }; // Not enough data yet\n const actual = chunk.subarray(0, expected.length);\n const valid = Buffer.from(actual).equals(Buffer.from(expected));\n return {\n valid,\n actual: valid ? undefined : new TextDecoder().decode(actual),\n };\n }\n\n public static validateVersion(version: number, expected: number): boolean {\n return version === expected;\n }\n\n /\n Lifecycle hook: Registers this sensor in the chain on module initialization.\n /\n onModuleInit() {\n const magicStr = this.config.get<string>('AXIS_PROTOCOL_MAGIC');\n this.protocolMagic = magicStr ? Buffer.from(magicStr, 'ascii') : AXIS_MAGIC;\n this.protocolVersion =\n this.config.get<number>('AXIS_PROTOCOL_VERSION') \|\| AXIS_VERSION;\n }\n\n /\n Evaluate protocol strictness\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const validatedInput = ProtocolStrictInputZ.safeParse(input);\n if (!validatedInput.success) {\n this.logger.error(\n `Invalid input: ${validatedInput.error.message}`,\n validatedInput.error.issues,\n );\n return {\n action: 'DENY',\n code: 'INVALID_INPUT',\n reason: 'Protocol validation input failed',\n };\n }\n\n const { contentType, peek } = validatedInput.data;\n const issues: string[] = [];\n\n // Debug: Log first 10 bytes\n if (peek.length >= 8) {\n const hex = Buffer.from(peek.subarray(0, 10)).toString('hex');\n this.logger.debug(`Raw Frame Header (Hex): ${hex} (IP: ${input.ip})`);\n }\n\n // 1. Check Content-Type header (HTTP only)\n if (contentType !== undefined) {\n if (!this.isValidContentType(contentType)) {\n issues.push(`invalid_content_type:${contentType}`);\n }\n }\n\n // Need at least 9 bytes for basic frame header (Magic:5, Ver:1, Flags:1, HLen:1, BLen:1, SLen:1)\n if (peek.length < 9) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_SHORT',\n reason: 'Frame too short for protocol header',\n };\n }\n\n // 2. Check magic bytes\n const magicCheck = ProtocolStrictSensor.validateMagic(\n peek,\n this.protocolMagic,\n );\n if (!magicCheck.valid) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: `Expected ${new TextDecoder().decode(this.protocolMagic)} magic, got ${magicCheck.actual}`,\n };\n }\n\n // 3. Check version (Offset 5)\n const version = peek[5];\n if (!ProtocolStrictSensor.validateVersion(version, this.protocolVersion)) {\n issues.push(`unsupported_version:${version}`);\n }\n\n // 4. Check flags validity (Offset 6)\n const flags = peek[6];\n if (!this.isValidFlags(flags)) {\n issues.push(`invalid_flags:0x${flags.toString(16)}`);\n }\n\n // 5. Check length encoding (varints should be minimal) - Starts at Offset 7\n if (peek.length >= 10) {\n const lengthCheck = this.checkVarintEncoding(peek.subarray(7));\n if (!lengthCheck.valid) {\n issues.push(`non_minimal_varint:${lengthCheck.reason}`);\n }\n }\n\n // 6. Check TLV ordering if we have enough data\n if (peek.length >= 20) {\n const tlvCheck = this.checkTLVOrdering(peek);\n if (!tlvCheck.valid) {\n issues.push(`tlv_not_canonical:${tlvCheck.reason}`);\n }\n\n // 7. Check Client Version (TLV 100) presence\n const hasClientVersion = await this.checkForClientVersion(peek);\n if (!hasClientVersion) {\n // Warn for now (Phase 7 Soft Rollout)\n issues.push('missing_client_version');\n }\n }\n\n // Return FLAG for minor issues, DENY for critical\n if (issues.length > 0) {\n // Check for critical issues\n const critical = issues.some(\n (i) =>\n i.startsWith('invalid_magic') \|\| i.startsWith('unsupported_version'),\n );\n\n if (critical) {\n return {\n action: 'DENY',\n code: 'PROTOCOL_VIOLATION',\n reason: issues.join(', '),\n };\n }\n\n this.logger.warn(\n `Protocol issues from ${input.ip}: ${issues.join(', ')}`,\n );\n return {\n action: 'FLAG',\n scoreDelta: -issues.length 2,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /*\n Compare two buffers for equality\n /\n private buffersEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n\n /\n Check if Content-Type is valid for AXIS\n /\n private isValidContentType(contentType: string): boolean {\n return AxisMediaTypes.isAxisContentType(contentType);\n }\n\n /\n Check if flags are a valid combination\n /\n private isValidFlags(flags: number): boolean {\n return VALID_FLAGS.includes(flags);\n }\n\n /\n Check varint encoding is minimal (no leading zeros)\n /\n private checkVarintEncoding(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n try {\n const { value, length: bytesRead } = decodeVarint(data, 0);\n\n // Check for non-minimal encoding\n // A varint should use the minimum number of bytes\n if (value < 128 && bytesRead > 1) {\n return { valid: false, reason: 'non-minimal-small-value' };\n }\n if (value < 16384 && bytesRead > 2) {\n return { valid: false, reason: 'non-minimal-medium-value' };\n }\n\n return { valid: true };\n } catch {\n return { valid: false, reason: 'varint-decode-error' };\n }\n }\n\n /\n Check TLV ordering is canonical (sorted by type, no duplicates)\n /\n private checkTLVOrdering(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n // This is a simplified check - full check would require decoding the frame\n // For now, we do a heuristic check on the first few TLVs\n\n try {\n // Skip to length section (after magic, version, flags)\n let offset = 7;\n\n // Decode header length\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n\n // Decode body length\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n\n // Decode sig length\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n // Now at HDR TLVs\n const hdrStart = offset;\n const hdrEnd = hdrStart + Number(hdrLen);\n\n if (hdrEnd > data.length) {\n return { valid: true }; // Not enough data to check\n }\n\n // Check TLV types are ascending\n let lastType = -1;\n let pos = hdrStart;\n\n while (pos < hdrEnd && pos < data.length - 2) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n\n if (pos >= hdrEnd) break;\n\n const { value: len, length: lenBytes } = decodeVarint(data, pos);\n pos += lenBytes;\n\n // Check ordering\n if (Number(type) <= lastType) {\n return {\n valid: false,\n reason: `type-${type}-after-${lastType}`,\n };\n }\n\n lastType = Number(type);\n pos += Number(len);\n }\n\n return { valid: true };\n } catch {\n return { valid: true }; // On error, don't block\n }\n }\n\n /\n Check if TLV 100 (Client Version) exists in the headers\n /\n private async checkForClientVersion(data: Uint8Array): Promise<boolean> {\n try {\n let offset = 7;\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n const hdrEnd = offset + Number(hdrLen);\n\n let pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n const { length: lenBytes } = decodeVarint(data, pos); // value not needed\n pos += lenBytes;\n\n const { value: valLen, length: valLenBytes } = decodeVarint(\n data,\n pos - lenBytes,\n ); // reread legnth\n\n // Correct interaction: varint includes bytes read.\n // decodeVarint returns { value, length } -> length is how many bytes the varint took.\n // Wait, I need to read the length value to skip.\n\n // Re-do loop structure correctly:\n // 1. Read Type\n // 2. Read Length\n // 3. Skip Value\n }\n\n // Let's use a simpler heuristic scan for now as full parse is expensive here\n // and done elsewhere. But for correctness let's do it right.\n\n pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const t = decodeVarint(data, pos);\n pos += t.length;\n const l = decodeVarint(data, pos);\n pos += l.length;\n\n if (t.value === 100) return true;\n\n pos += Number(l.value);\n }\n\n return false;\n } catch {\n return false;\n }\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class ReceiptPolicySensor implements AxisSensor {\n readonly name = 'ReceiptPolicySensor';\n readonly order = BAND.BUSINESS + 20;\n\n supports(): boolean {\n return true;\n }\n\n async run(): Promise<SensorDecision> {\n // Stub: allow. Real impl defines which intents must yield signed receipts.\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { IntentSchema, IntentSchemaZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { AxisError } from '../core/axis-error';\nimport type { TlvValidatorFn } from '../decorators/tlv-field.decorator';\n\n/\n Reads a big-endian unsigned 64-bit integer from a byte array.\n \n @param {Uint8Array} b - 8-byte array\n * @returns {bigint} The decoded integer\n * @throws {AxisError} If array is not exactly 8 bytes\n /\nfunction readU64be(b: Uint8Array): bigint {\n if (b.length !== 8)\n throw new AxisError('SCHEMA_TYPE_MISMATCH', 'u64 must be 8 bytes', 400);\n let x = 0n;\n for (const by of b) x = (x << 8n) \| BigInt(by);\n return x;\n}\n\n/\n Schema Validation Sensor - TLV Field Contract Enforcement\n \n Validates that incoming request bodies conform to the defined intent schema.\n * This ensures type safety and data integrity before handler execution.\n \n Execution Order: 170 (late in pipeline, after all auth/policy checks)\n \n Core Concept:\n * Every AXIS intent can define a schema that specifies:\n * - Required fields and their TLV types\n * - Field types (utf8, bytes, u64, bool, etc.)\n * - Size limits per field\n * - Scope (header or body)\n \n The sensor validates each field against its schema definition, rejecting\n * requests that violate the contract.\n \n Supported Field Types:\n * \| Kind \| Description \| Validation \|\n * \|------\|-------------\|------------\|\n * \| `utf8` \| UTF-8 string \| Valid UTF-8 encoding \|\n * \| `bool` \| Boolean \| 1 byte: 0x00 or 0x01 \|\n * \| `u64` \| Unsigned 64-bit int \| Exactly 8 bytes, big-endian \|\n * \| `bytes16` \| Fixed 16 bytes \| Exactly 16 bytes (UUIDs) \|\n * \| `bytes` \| Variable bytes \| Any length up to maxLen \|\n * \| `obj` \| Nested object \| (Reserved for future) \|\n * \| `arr` \| Array \| (Reserved for future) \|\n \n How It Works:\n * ```\n * 1. Validate schema structure with Zod\n * 2. For each field in schema:\n * a. Look up TLV in headers or body (based on scope)\n * b. Check if field is required\n * c. Check size against maxLen\n * d. Validate type (utf8 encoding, bool values, etc.)\n * 3. Throw AxisError on any violation\n * ```\n \n Security Model:\n * - Fail Closed: Schema violations throw errors (no silent failures)\n * - Pre-Handler: All validation happens before handler execution\n * - Type-Safe: Handlers receive type-validated data\n \n Error Codes:\n * - `SCHEMA_INVALID` - Schema itself is malformed\n * - `SCHEMA_FIELD_MISSING` - Required field not present\n * - `SCHEMA_LIMIT_EXCEEDED` - Field exceeds maxLen or max value\n * - `SCHEMA_TYPE_MISMATCH` - Field type doesn't match expected\n \n Performance:\n * - In-memory validation (no I/O)\n * - O(n) where n = number of schema fields\n * - Latency: ~1-5ms for typical schemas\n \n @class SchemaValidationSensor\n * @implements {OnModuleInit}\n \n @example\n * Valid schema validation:\n * ```typescript\n * const schema = {\n * fields: [\n * { name: 'fullName', tlv: 100, kind: 'utf8', required: true, maxLen: 256 },\n * { name: 'age', tlv: 101, kind: 'u64', max: 150 }\n * ]\n * };\n * // Body TLVs contain valid data\n * { ok: true }\n * ```\n \n @example\n * Missing required field:\n * ```typescript\n * // TLV 100 (fullName) not present in body\n * throw AxisError('SCHEMA_FIELD_MISSING',\n * 'Missing required field: fullName (TLV 100)', 400);\n * ```\n \n @see {@link IntentSchema}\n /\n@Sensor()\n@Injectable()\nexport class SchemaValidationSensor implements AxisSensor {\n /* Sensor identifier for logging and registry /\n readonly name = 'SchemaValidationSensor';\n\n /\n Execution order - runs late in the pipeline\n \n Order 170 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Data validated before handler execution\n /\n readonly order = BAND.CONTENT + 35;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when a schema is provided for the intent (post-decode phase).\n \n @param {any} input - Sensor input\n * @returns {boolean} True if schema exists in metadata\n /\n supports(input: any): boolean {\n // Only run in post-decode phase when schema is provided\n return !!input.metadata?.schema;\n }\n\n /\n Validates TLV fields against the schema definition.\n \n Validation Steps:\n * 1. Validate the schema itself using Zod\n * 2. Iterate through each field definition\n * 3. Check required fields are present\n * 4. Validate size limits (maxLen)\n * 5. Validate type-specific rules\n \n @param {any} input - Standard SensorInput\n * @returns {{ action: 'ALLOW' } \| { action: 'DENY', code: string, reason: string }} Decision\n /\n async run(\n input: any,\n ): Promise<\n { action: 'ALLOW' } \| { action: 'DENY'; code: string; reason: string }\n > {\n const schema = input.metadata?.schema as IntentSchema;\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyTLVs = input.bodyTLVs as Map<number, Uint8Array> \| undefined;\n\n // If no schema, allow (no validation needed)\n if (!schema) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 1: Validate Schema Structure ===\n const validatedSchema = IntentSchemaZ.safeParse(schema);\n if (!validatedSchema.success) {\n return {\n action: 'DENY',\n code: 'SCHEMA_INVALID',\n reason: `Schema validation failed: ${validatedSchema.error.message}`,\n };\n }\n\n // === STEP 2: Validate Each Field ===\n try {\n for (const field of schema.fields) {\n // Determine which TLV map to use (header or body)\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n\n // Get the field value from the appropriate map\n const val = map?.get(field.tlv);\n\n // === Check Required Fields ===\n if (field.required && !val) {\n throw new AxisError(\n 'SCHEMA_FIELD_MISSING',\n `Missing required field: ${field.name} (TLV ${field.tlv})`,\n 400,\n );\n }\n\n // Skip validation if field not present (and not required)\n if (!val) continue;\n\n // === Check Size Limit ===\n if (typeof field.maxLen === 'number' && val.length > field.maxLen) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `Field ${field.name} too large (${val.length} > ${field.maxLen})`,\n 413, // Payload Too Large\n );\n }\n\n // === Type-Specific Validation ===\n switch (field.kind) {\n case 'utf8':\n // Validate UTF-8 encoding\n try {\n new TextDecoder('utf-8', { fatal: true }).decode(val);\n } catch {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid UTF-8 in ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bool':\n // Boolean must be exactly 1 byte: 0x00 or 0x01\n if (val.length !== 1 \|\| (val[0] !== 0 && val[0] !== 1)) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid bool: ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'u64': {\n // Unsigned 64-bit integer (big-endian)\n const x = readU64be(val);\n\n // Check max value if specified\n if (field.max) {\n const mx = BigInt(field.max);\n if (x > mx) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `u64 ${field.name} exceeds max (${x} > ${mx})`,\n 400,\n );\n }\n }\n break;\n }\n\n case 'bytes16':\n // Fixed 16-byte field (UUIDs, IDs)\n if (val.length !== 16) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `bytes16 required for ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bytes':\n // Variable-length bytes - any length within maxLen is allowed\n break;\n\n case 'obj':\n case 'arr':\n // Nested object/array validation (reserved for future)\n // TODO: Implement nested validation\n break;\n\n default:\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Unknown schema kind: ${field.kind}`,\n 500,\n );\n }\n }\n\n // === STEP 3: Run custom @TlvValidate validators ===\n const validators = input.metadata?.validators as\n \| Map<number, TlvValidatorFn[]>\n \| undefined;\n if (validators && validators.size > 0) {\n for (const field of schema.fields) {\n const fns = validators.get(field.tlv);\n if (!fns \|\| fns.length === 0) continue;\n\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n const val = map?.get(field.tlv);\n if (!val) continue; // missing fields already handled above\n\n for (const fn of fns) {\n const error = fn(val, field.name);\n if (error) {\n throw new AxisError(\n 'SCHEMA_VALIDATION_FAILED',\n `${field.name} (TLV ${field.tlv}): ${error}`,\n 400,\n );\n }\n }\n }\n }\n } catch (err: any) {\n // Convert AxisError to DENY decision\n if (err instanceof AxisError) {\n return {\n action: 'DENY',\n code: err.code,\n reason: err.message,\n };\n }\n throw err; // Re-throw unknown errors\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n/\n Stream Scope Sensor - Topic-Level Access Control\n \n Enforces read/write permissions on stream topics. Validates that\n * the actor has appropriate access to subscribe or publish to the\n * requested stream topic.\n \n Execution Order: 200 (near execution, after all validation)\n \n Core Concept:\n * AXIS supports real-time streaming via WebSocket. Streams are organized\n * by topics (e.g., 'citizen.123.timeline', 'hub.news.updates'). This\n * sensor enforces topic-level access control:\n * - Can the actor subscribe to this topic?\n * - Can the actor publish to this topic?\n \n Topic Patterns:\n * - `citizen.{id}.timeline` - Personal timeline (owner + admin)\n * - `hub.{name}.updates` - Hub updates (members)\n * - `public.` - Public topics (anyone)\n - `admin.` - Admin topics (admins only)\n \n * How It Would Work (Full Implementation):\n * ```\n * 1. Extract topic from stream intent body\n * 2. Parse topic pattern (e.g., citizen.123.timeline)\n * 3. Determine required access (read for subscribe, write for publish)\n * 4. Check actor's permissions against topic ACL\n * 5. DENY if unauthorized, ALLOW if permitted\n * ```\n \n Stream Operations:\n * - `stream.subscribe` - Requires READ access\n * - `stream.publish` - Requires WRITE access\n * - `stream.unsubscribe` - Always allowed (cleanup)\n \n Security Model:\n * - Stub Implementation: Currently allows all\n * - Topic Isolation: Each topic has independent ACL\n * - Inheritance: Pattern-based permissions (citizen.* = citizen owner)\n \n Actions (planned):\n * - `ALLOW` - Actor has permission\n * - `DENY` - Unauthorized topic access\n \n Error Codes (planned):\n * - `STREAM_UNAUTHORIZED` - No permission for topic\n * - `STREAM_TOPIC_NOT_FOUND` - Topic doesn't exist\n \n Performance:\n * - ACL lookup: O(1) with caching\n * - Pattern matching: O(patterns)\n \n @class StreamScopeSensor\n * @implements {Sensor}\n * @implements {OnModuleInit}\n \n @example\n * Authorized subscription:\n * ```typescript\n * // Actor: user123\n * // Topic: citizen.user123.timeline\n * // Permission: owner can read own timeline\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Unauthorized subscription (planned):\n * ```typescript\n * // Actor: user456\n * // Topic: citizen.user123.timeline\n * // Permission: NOT owner\n * {\n * action: 'DENY',\n * code: 'STREAM_UNAUTHORIZED',\n * reason: 'No read access to citizen.user123.timeline'\n * }\n * ```\n \n @todo Implement topic ACL lookup and permission checking\n * @see {@link CapabilityEnforcementSensor} - Request-level capabilities\n /\n@Sensor()\n@Injectable()\nexport class StreamScopeSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'StreamScopeSensor';\n\n /\n Execution order - near handler execution\n \n Order 200 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Stream-specific check right before subscription\n /\n readonly order = BAND.BUSINESS + 0;\n\n /\n Determines if this sensor should process the given input.\n \n Currently processes all inputs.\n \n @returns {boolean} Always true\n /\n supports(): boolean {\n return true;\n }\n\n /\n Validates stream topic access permissions.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Check if intent is stream.subscribe or stream.publish\n * 2. Extract topic from body TLVs\n * 3. Parse topic into owner/resource pattern\n * 4. Look up topic ACL from database/cache\n * 5. Check if actor has required permission (read/write)\n * 6. DENY if unauthorized\n \n @returns {Promise<SensorDecision>} ALLOW (stub implementation)\n /\n async run(): Promise<SensorDecision> {\n // TODO: Implement topic scope enforcement\n //\n // Full implementation would:\n // const { intent, packet, actorId } = input;\n //\n // if (!intent?.startsWith('stream.')) {\n // return { action: 'ALLOW' }; // Not a stream intent\n // }\n //\n // const topic = extractTopicFromBody(input.bodyTLVs);\n // const operation = intent === 'stream.publish' ? 'write' : 'read';\n //\n // const acl = await this.getTopicACL(topic);\n // if (!acl.allows(actorId, operation)) {\n // return {\n // action: 'DENY',\n // code: 'STREAM_UNAUTHORIZED',\n // reason: `No ${operation} access to ${topic}`\n // };\n // }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { decodeVarint } from '../core/varint';\n\n/\n TLV Parse AxisSensor - Type-Length-Value Parsing Verification\n \n Verifies that TLV data in packets is properly formed and follows\n * canonical ordering rules. Ensures binary payload integrity before\n * field extraction.\n \n Execution Order: 160 (after policy checks, before schema validation)\n \n Validates:\n * - TLV types are ascending (canonical ordering)\n * - No duplicate TLV types\n * - Length values are accurate (no buffer overrun)\n * - Varint encoding is minimal (no padding bytes)\n * - Tag values are > 0\n \n @class TLVParseSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class TLVParseSensor implements AxisSensor {\n readonly name = 'TLVParseSensor';\n readonly order = BAND.CONTENT + 20;\n\n supports(input: SensorInput): boolean {\n return !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const packet = input.packet;\n if (!packet) return { action: 'ALLOW' };\n\n // Validate header TLVs if raw header bytes are available\n const hdrBytes: Uint8Array \| Buffer \| undefined =\n packet.hdrBytes ?? packet.headerBytes;\n if (hdrBytes && hdrBytes.length > 0) {\n const result = this.validateCanonicalTLV(hdrBytes, 'header');\n if (result) return result;\n }\n\n // Validate body TLVs if body is flagged as TLV-encoded\n const bodyBytes: Uint8Array \| Buffer \| undefined =\n packet.bodyBytes ?? input.body;\n const bodyIsTlv =\n packet.flags !== undefined ? (packet.flags & 0x01) !== 0 : false;\n\n // @Intent({ bodyProfile: 'RAW' }) explicitly skips body TLV validation\n const bodyProfile = input.metadata?.schema?.bodyProfile;\n const skipBody = bodyProfile === 'RAW';\n\n if (!skipBody && bodyIsTlv && bodyBytes && bodyBytes.length > 0) {\n const result = this.validateCanonicalTLV(bodyBytes, 'body');\n if (result) return result;\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Validates a TLV buffer for canonical ordering, no duplicates,\n * valid bounds, and minimal varint encoding.\n /\n private validateCanonicalTLV(\n buf: Uint8Array,\n section: string,\n ): SensorDecision \| null {\n let offset = 0;\n let lastType = -1;\n let count = 0;\n const maxItems = 512;\n\n while (offset < buf.length) {\n if (count >= maxItems) {\n return {\n action: 'DENY',\n code: 'TLV_LIMIT',\n reason: `Too many TLVs in ${section}`,\n };\n }\n\n // Decode TYPE varint\n let type: number;\n let typeLen: number;\n try {\n const r = decodeVarint(buf, offset);\n type = r.value;\n typeLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed type varint in ${section} at offset ${offset}`,\n };\n }\n offset += typeLen;\n\n // Tag must be > 0\n if (type <= 0) {\n return {\n action: 'DENY',\n code: 'TLV_INVALID_TAG',\n reason: `Invalid tag ${type} in ${section}`,\n };\n }\n\n // Canonical order: strictly ascending\n if (type <= lastType) {\n return {\n action: 'DENY',\n code: 'TLV_NOT_CANONICAL',\n reason: `Non-canonical tag order in ${section}: ${type} after ${lastType}`,\n };\n }\n lastType = type;\n\n // Decode LEN varint\n let len: number;\n let lenLen: number;\n try {\n const r = decodeVarint(buf, offset);\n len = r.value;\n lenLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed length varint in ${section}`,\n };\n }\n offset += lenLen;\n\n // Bounds check\n if (offset + len > buf.length) {\n return {\n action: 'DENY',\n code: 'TLV_TRUNCATED',\n reason: `TLV value truncated in ${section}`,\n };\n }\n\n offset += len;\n count++;\n }\n\n return null; // Valid\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Varint Hardening Sensor - Variable-Length Integer Overflow Protection\n \n Detects and blocks malicious varint values that could cause integer overflow\n * or excessive memory allocation. Varints in AXIS frames encode lengths and types.\n \n Execution Order: 40 (early, before length-based parsing)\n \n Core Concept:\n * AXIS uses variable-length integers (varints) to encode:\n * - Header length\n * - Body length\n * - Signature length\n * - TLV types and lengths\n \n Varints use a continuation bit (MSB) to indicate more bytes follow.\n * An attacker could send an extremely long varint (many continuation bytes)\n * to cause:\n * - Integer overflow\n * - Excessive parsing time\n * - Memory exhaustion\n \n Varint Format:\n * ```\n * Each byte: [1-bit continuation][7-bit data]\n \n Examples:\n * 127 = 0x7F (1 byte)\n * 128 = 0x80 0x01 (2 bytes)\n * 16384 = 0x80 0x80 0x01 (3 bytes)\n * ```\n \n Limit: Maximum 5 bytes per varint\n * - 5 bytes = 35 bits of data = max value ~34 billion\n * - Sufficient for any legitimate length in AXIS\n \n How It Works:\n * ```\n * 1. Skip to varint start (offset 7: after magic+version+flags)\n * 2. Count consecutive bytes with MSB set (continuation bit)\n * 3. If count > 5, reject frame\n * ```\n \n Security Model:\n * - Fail Closed: Overflow = DENY\n * - Early Detection: Before full parsing\n * - Low Cost: Simple bit check\n \n Actions:\n * - `ALLOW` - Varint within bounds\n * - `DENY` - Varint exceeds 5 bytes\n \n Error Codes:\n * - `VARINT_OVERFLOW` - Varint exceeds maximum length\n \n Performance:\n * - Bit masking: O(1) per byte\n * - Maximum 15 bytes checked\n * - Latency: <0.1ms\n \n @class VarintHardeningSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid varint:\n * ```typescript\n * // Length 16384 encoded as 0x80 0x80 0x01 (3 bytes)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Overflow attack:\n * ```typescript\n * // 6 bytes with continuation bits set\n * {\n * action: 'DENY',\n * code: 'VARINT_OVERFLOW',\n * reason: 'Varint exceeds 5 bytes'\n * }\n * ```\n \n @see {@link BodyBudgetSensor} - Uses varints for length parsing\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class VarintHardeningSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'VarintHardeningSensor';\n\n /\n Execution order - early detection\n \n Order 40 ensures:\n * - After protocol magic check\n * - Before length-based parsing\n /\n readonly order = BAND.WIRE + 35;\n\n /* Maximum allowed bytes for a single varint /\n private readonly MAX_VARINT_BYTES = 5;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 7 bytes of peeked data.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n /\n Validates varint lengths in frame header.\n \n Processing Flow:\n * 1. Skip to varint section (offset 7)\n * 2. Scan for continuation bytes (MSB = 1)\n * 3. Count consecutive continuation bytes\n * 4. DENY if count exceeds MAX_VARINT_BYTES\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on varint length\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n // After magic(5) + version(1) + flags(1), varints follow for hdrLen, bodyLen, sigLen\n const peek = input.peek!;\n const offset = 7;\n const maxOffset = Math.min(offset + 15, peek.length);\n\n // Count consecutive bytes with continuation bit set (MSB = 1)\n let continuationCount = 0;\n for (let i = offset; i < maxOffset; i++) {\n if ((peek[i] & 0x80) !== 0) {\n continuationCount++;\n if (continuationCount > this.MAX_VARINT_BYTES) {\n return {\n action: 'DENY',\n code: 'VARINT_OVERFLOW',\n reason: `Varint exceeds ${this.MAX_VARINT_BYTES} bytes`,\n };\n }\n } else {\n // End of current varint - reset for next\n continuationCount = 0;\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","export from './access-profile-resolver.sensor';\nexport * from './body-budget.sensor';\nexport * from './capability-enforcement.sensor';\nexport * from './chunk-hash.sensor';\nexport * from './entropy.sensor';\nexport * from './execution-timeout.sensor';\nexport * from './frame-budget.sensor';\nexport * from './frame-header-sanity.sensor';\nexport * from './header-tlv-limit.sensor';\nexport * from './intent-allowlist.sensor';\nexport * from './intent-registry.sensor';\nexport * from './proof-presence.sensor';\nexport * from './protocol-strict.sensor';\nexport * from './receipt-policy.sensor';\nexport * from './schema-validation.sensor';\nexport * from './stream-scope.sensor';\nexport * from './tlv-parse.sensor';\nexport * from './varint-hardening.sensor';\n","export * from './axis-tlv-codec';\n","// Decorators\nexport { Chain, CHAIN_METADATA_KEY } from \"./decorators/chain.decorator\";\nexport {\n CapsulePolicy,\n CAPSULE_POLICY_METADATA_KEY,\n} from \"./decorators/capsule-policy.decorator\";\nexport {\n AxisPublic,\n AXIS_PUBLIC_KEY,\n AxisAnonymous,\n AXIS_ANONYMOUS_KEY,\n AxisRateLimit,\n AXIS_RATE_LIMIT_KEY,\n Sensitivity,\n SENSITIVITY_METADATA_KEY,\n Contract,\n CONTRACT_METADATA_KEY,\n RequiredProof,\n REQUIRED_PROOF_METADATA_KEY,\n Capsule,\n Witness,\n} from \"./decorators/intent-policy.decorator\";\nexport type {\n RequiredProofKind,\n AxisRateLimitConfig,\n} from \"./decorators/intent-policy.decorator\";\nexport { Handler, HANDLER_METADATA_KEY } from \"./decorators/handler.decorator\";\nexport {\n Intent,\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentRoute,\n IntentOptions,\n IntentTlvField,\n IntentKind,\n} from \"./decorators/intent.decorator\";\nexport {\n IntentBody,\n INTENT_BODY_KEY,\n} from \"./decorators/intent-body.decorator\";\nexport {\n IntentSensors,\n INTENT_SENSORS_KEY,\n} from \"./decorators/intent-sensors.decorator\";\nexport {\n Observer,\n OBSERVER_BINDINGS_KEY,\n OBSERVER_METADATA_KEY,\n} from \"./decorators/observer.decorator\";\nexport type {\n CapsulePolicyOptions,\n CapsuleScopeMode,\n} from \"./decorators/capsule-policy.decorator\";\nexport type {\n AxisObserverBinding,\n AxisObserverBindingOptions,\n AxisObserverDefinition,\n AxisObserverRef,\n} from \"./decorators/observer.decorator\";\nexport {\n HandlerSensors,\n HANDLER_SENSORS_KEY,\n} from \"./decorators/handler-sensors.decorator\";\nexport { Sensor, SENSOR_METADATA_KEY } from \"./decorators/sensor.decorator\";\nexport type { SensorOptions, SensorPhase } from \"./decorators/sensor.decorator\";\n\n// TLV Field Decorators\nexport {\n TlvField,\n TlvValidate,\n TlvUtf8Pattern,\n TlvMinLen,\n TlvEnum,\n TlvRange,\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n} from \"./decorators/tlv-field.decorator\";\nexport type {\n TlvFieldKind,\n TlvFieldOptions,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from \"./decorators/tlv-field.decorator\";\n\n// DTO Schema Utilities\nexport {\n extractDtoSchema,\n buildDtoDecoder,\n} from \"./decorators/dto-schema.util\";\nexport type { DtoSchema } from \"./decorators/dto-schema.util\";\n\n// Base DTO Classes\nexport { AxisTlvDto } from \"./base/axis-tlv.dto\";\nexport { AxisIdDto } from \"./base/axis-id.dto\";\nexport { AxisPartialType } from \"./base/axis-partial-type\";\nexport {\n AxisResponseDto,\n RESPONSE_TAG_ID,\n RESPONSE_TAG_CREATED_AT,\n RESPONSE_TAG_UPDATED_AT,\n RESPONSE_TAG_CREATED_BY,\n RESPONSE_TAG_UPDATED_BY,\n} from \"./base/axis-response.dto\";\n\n// Engine\nexport { AxisChainExecutor } from \"./engine/axis-chain.executor\";\nexport type {\n AxisCapsuleRef,\n AxisChainEnvelope,\n AxisChainEncryption,\n AxisChainRequest,\n AxisChainResult,\n AxisChainStatus,\n AxisChainStep,\n AxisChainStepResult,\n AxisChainStepStatus,\n AxisExecutionMode,\n AxisIntentEnvelope,\n AxisKeyExchangeRef,\n AxisObserverEvent,\n ChainOptions,\n RegisteredChainConfig,\n} from \"./engine/axis-chain.types\";\nexport type { AxisExecutionContext } from \"./engine/axis-execution-context\";\nexport {\n AXIS_EXECUTION_CONTEXT_KEY,\n getAxisExecutionContext,\n mergeAxisExecutionContext,\n withAxisExecutionContext,\n} from \"./engine/axis-execution-context\";\nexport type {\n AxisIntentObserver,\n AxisObserverContext,\n AxisObserverRegistration,\n} from \"./engine/axis-observer.interface\";\nexport { IntentRouter, AxisEffect } from \"./engine/intent.router\";\nexport { BAND, PRE_DECODE_BOUNDARY } from \"./engine/sensor-bands\";\nexport type { SensorBand } from \"./engine/sensor-bands\";\n\n// Observation (protocol-level observation pipeline)\nexport { stableJsonStringify } from \"./engine/observation/stable-json\";\nexport type {\n ObservationQueueMessage,\n ObservationQueueConfig,\n} from \"./engine/observation/observation-queue.types\";\nexport {\n buildQueueMessage,\n encodeQueueMessage,\n decodeQueueMessage,\n parseStreamEntries,\n parseAutoClaimEntries,\n} from \"./engine/observation/observation-queue.codec\";\nexport type { ObservationStreamEntry } from \"./engine/observation/observation-queue.codec\";\nexport {\n canonicalizeObservation,\n hashObservation,\n buildUnsignedWitness,\n} from \"./engine/observation/observation-hash\";\nexport type {\n ObservationWitnessSummary,\n UnsignedObservationWitness,\n} from \"./engine/observation/observation-hash\";\nexport {\n verifyResponse,\n ResponseObserver,\n} from \"./engine/observation/response-observer\";\nexport type {\n ResponseObserverContext,\n ResponseContract,\n ObserverVerdict,\n} from \"./engine/observation/response-observer\";\n\n// Core Protocol\nexport * from \"./core/constants\";\nexport * from \"./core/varint\";\nexport * from \"./core/tlv\";\nexport * from \"./core/signature\";\nexport {\n AxisFrameZ,\n decodeFrame,\n encodeFrame,\n getSignTarget,\n} from \"./core/axis-bin\";\nexport type { AxisFrame, AxisBinaryFrame } from \"./core/axis-bin\";\n\n// Codec\nexport * from \"./codec/ats1.constants\";\nexport * from \"./codec/ats1.passkey.schemas\";\nexport * as Ats1Codec from \"./codec/ats1\";\nexport * from \"./codec/axis1.encode\";\nexport * from \"./codec/axis1.signing\";\nexport * from \"./codec/tlv.encode\";\n\n// Crypto Utilities\nexport * from \"./crypto/b64url\";\nexport * from \"./crypto/canonical-json\";\nexport type {\n AxisAlg,\n AxisCapsule,\n CapsuleMode,\n KeyStatus,\n AxisSig,\n AxisPacket,\n AxisCapsuleConstraints,\n AxisCapsulePayload,\n} from \"./crypto/types\";\n\n// Contract Utilities\nexport * from \"./contract/execution-meter\";\nexport * from \"./contract/contract.interface\";\n\n// Packet and Sensor Types\nexport { Axis1DecodedFrame, decodeAxis1Frame } from \"./types/frame\";\nexport {\n AxisPacket as AxisBinaryPacket,\n T as AxisPacketTags,\n buildPacket,\n} from \"./types/packet\";\nexport type {\n AxisObservedContext,\n AxisRequestContext,\n} from \"./types/axis-frame.types\";\nexport type { TLV as AxisTlvType } from \"./core/tlv\";\nexport {\n Decision,\n normalizeSensorDecision,\n SensorDecisions,\n} from \"./sensor/axis-sensor\";\nexport type {\n AxisSensor,\n AxisSensorInit,\n AxisPreSensor,\n AxisPostSensor,\n SensorPhaseMetadata,\n SensorInput,\n SensorDecision,\n SensorMinifiedDecision,\n} from \"./sensor/axis-sensor\";\n\n// Interfaces\nexport {\n AxisHandler,\n AxisHandlerInit,\n} from \"./interfaces/axis-handler.interface\";\nexport { AxisCrudHandler } from \"./interfaces/axis-crud-handler.interface\";\n\n// Security\nexport * from \"./security/scopes\";\nexport * from \"./security/capabilities\";\n\n// Risk\nexport * from \"./risk/index\";\n\n// Core: Opcode Registry\nexport * from \"./core/opcodes\";\n\n// Core: Receipt Hash\nexport * from \"./core/receipt\";\n\n// Core: Intent Sensitivity\nexport * from \"./core/intent-sensitivity\";\n\n// Core: Timeouts\nexport * from \"./core/timeouts\";\n\n// Types: Intent Definitions\nexport type { IntentDefinition } from \"./types/intent-definition\";\n\n// Frame Validation\nexport { validateFrameShape, isTimestampValid } from \"./core/frame-validator\";\n\n// Types: JSON-level Frame Types\nexport type {\n AxisFrame as AxisJsonFrame,\n AxisResponse as AxisJsonResponse,\n AxisSig as AxisJsonSig,\n AxisAlg as AxisJsonAlg,\n} from \"./types/axis-frame.types\";\n\n// Upload handlers and stores\nexport {\n AxisFilesDownloadHandler,\n AxisFilesFinalizeHandler,\n} from \"./upload/axis-files.handlers\";\nexport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from \"./upload/upload.tokens\";\nexport type {\n UploadFileStore,\n UploadFileStat,\n UploadReceiptSigner,\n UploadSessionRecord,\n UploadSessionStatus,\n UploadSessionStore,\n} from \"./upload/upload.types\";\nexport { DiskUploadFileStore } from \"./upload/disk-upload-file.store\";\n\n// Types\n\n// Additional root exports for import ergonomics\nexport {\n AxisRaw,\n AxisIp,\n AxisContext,\n AxisDemoPubkey,\n} from \"./decorators/axis-request.decorator\";\nexport type { AxisRequestData } from \"./decorators/axis-request.decorator\";\nexport { AxisError } from \"./core/axis-error\";\nexport { ObserverDiscoveryService } from \"./engine/observer-discovery.service\";\nexport { ObserverDispatcherService } from \"./engine/observer-dispatcher.service\";\nexport { HandlerDiscoveryService } from \"./engine/handler-discovery.service\";\nexport { SensorDiscoveryService } from \"./engine/sensor-discovery.service\";\nexport { ObserverRegistry } from \"./engine/registry/observer.registry\";\nexport { SensorRegistry } from \"./engine/registry/sensor.registry\";\nexport type { AxisDecoded } from \"./engine/axis-decoded\";\nexport {\n createObservation,\n startStage,\n endStage,\n recordSensor,\n finalizeObservation,\n} from \"./engine/axis-observation\";\nexport type {\n AxisObservation,\n ObservationSensor,\n ObservationStage,\n} from \"./engine/axis-observation\";\nexport { AxisSensorChainService } from \"./security/axis-sensor-chain.service\";\nexport type { ChainResult } from \"./security/axis-sensor-chain.service\";\n\n// CCE — Capsule-Carried Encryption\nexport { executeCcePipeline } from \"./cce/cce-pipeline\";\nexport type {\n CceHandler,\n CceHandlerContext,\n CceHandlerResult,\n CcePolicyContext,\n CcePolicyDecision,\n CcePolicyEvaluator,\n CcePipelineConfig,\n CcePipelineResult,\n} from \"./cce/cce-pipeline\";\nexport { CCE_PROTOCOL_VERSION, CCE_ERROR, CceError } from \"./cce/cce.types\";\nexport type {\n CceCapsuleClaims as CceCapsuleClaimsType,\n CceRequestEnvelope as CceRequestEnvelopeType,\n CceResponseEnvelope as CceResponseEnvelopeType,\n CceExecutionContext as CceExecutionContextType,\n CceWitnessRecord as CceWitnessRecordType,\n} from \"./cce/cce.types\";\n\n// Utils\nexport { encodeAxisTlvDto } from \"./utils/axis-tlv-codec\";\n\n// Loom runtime helpers and types\nexport {\n TLV_PRESENCE_ID,\n TLV_WRIT,\n TLV_THREAD_HASH,\n deriveAnchorReflection,\n canonicalizeWrit,\n canonicalizeGrant,\n} from \"./loom/loom.types\";\nexport type {\n PresenceDeclaration,\n PresenceChallenge,\n PresenceProof,\n PresenceReceipt,\n PresenceStatus,\n WritHead,\n WritBody,\n WritMeta,\n WritSignature,\n Writ,\n GrantType,\n GrantCapability,\n GrantMeta,\n Grant,\n GrantStatus,\n LoomReceipt,\n ThreadState,\n RevocationTargetType,\n Revocation,\n LoomValidationResult,\n PresenceVerifyResult,\n WritValidationResult,\n GrantValidationResult,\n} from \"./loom/loom.types\";\n\n// Grouped namespaces for the backend package merge surface\nexport * as cce from \"./cce\";\nexport * as core from \"./core\";\nexport * as crypto from \"./crypto\";\nexport * as decorators from \"./decorators\";\nexport * as engine from \"./engine\";\nexport * as loom from \"./loom\";\nexport * as schemas from \"./schemas\";\nexport * as security from \"./security\";\nexport * as sensors from \"./sensors\";\nexport * as utils from \"./utils\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAMA,SAAS,MAAM,UAAwB,CAAC,GAAoB;AACjE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,QAA+B;AAAA,MACnC,SAAS;AAAA,MACT,GAAG;AAAA,IACL;AAEA,YAAQ,eAAe,oBAAoB,OAAO,QAAQ,WAAW;AAAA,EACvE;AACF;AAfA,IAIa;AAJb;AAAA;AAIO,IAAM,qBAAqB;AAAA;AAAA;;;ACJlC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAcA,SAAS,cACd,UAAgC,CAAC,GACC;AAClC,QAAM,aAAa,8BAA8B,OAAO;AAExD,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AAEA,YAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,8BACd,UAAgC,CAAC,GACX;AACtB,SAAO;AAAA,IACL,UAAU,QAAQ,YAAY;AAAA,IAC9B,QAAQ,oBAAoB,QAAQ,MAAM;AAAA,IAC1C,WAAW,QAAQ,aAAa;AAAA,IAChC,aAAa,QAAQ,eAAe;AAAA,IACpC,iBAAiB,QAAQ,mBAAmB;AAAA,EAC9C;AACF;AAEO,SAAS,0BACd,MACA,UACkC;AAClC,MAAI,CAAC,QAAQ,CAAC,UAAU;AACtB,WAAO;AAAA,EACT;AAEA,QAAM,iBAAiB,OAAO,8BAA8B,IAAI,IAAI;AACpE,QAAM,qBAAqB,WACvB,8BAA8B,QAAQ,IACtC;AAEJ,QAAM,SAAS;AAAA,IACb,GAAG,YAAY,gBAAgB,MAAM;AAAA,IACrC,GAAG,YAAY,oBAAoB,MAAM;AAAA,EAC3C;AAEA,SAAO;AAAA,IACL,UAAU,oBAAoB,YAAY,gBAAgB,YAAY;AAAA,IACtE,QAAQ,oBAAoB,MAAM;AAAA,IAClC,WACE,oBAAoB,aAAa,gBAAgB,aAAa;AAAA,IAChE,aACE,oBAAoB,eACpB,gBAAgB,eAChB;AAAA,IACF,iBACE,oBAAoB,mBACpB,gBAAgB,mBAChB;AAAA,EACJ;AACF;AAEA,SAAS,oBACP,OAC+B;AAC/B,QAAM,OAAO,YAAY,KAAK;AAC9B,MAAI,KAAK,WAAW,GAAG;AACrB,WAAO;AAAA,EACT;AACA,SAAO,KAAK,WAAW,IAAI,KAAK,CAAC,IAAI;AACvC;AAEA,SAAS,YAAY,OAAqC;AACxD,MAAI,CAAC,OAAO;AACV,WAAO,CAAC;AAAA,EACV;AAEA,SAAO,MAAM,KAAK,IAAI,IAAI,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE;AAAA,IACjE,CAAC,UAAU,MAAM,KAAK,EAAE,SAAS;AAAA,EACnC;AACF;AAtGA,IAEa;AAFb;AAAA;AAEO,IAAM,8BAA8B;AAAA;AAAA;;;ACF3C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAiCA,SAAS,YACd,OACkC;AAClC,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AACA,YAAQ,eAAe,0BAA0B,OAAO,MAAkB;AAAA,EAC5E;AACF;AAiBO,SAAS,SACd,SACkC;AAClC,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AACA,YAAQ,eAAe,uBAAuB,SAAS,MAAkB;AAAA,EAC3E;AACF;AAkBO,SAAS,cACd,QACkC;AAClC,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AACA,YAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAkBO,SAAS,UAA4C;AAC1D,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,UAAM,WACJ,gBAAgB,SACX,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,MACA;AAAA,IACF,KAAK,CAAC,IACL,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,IACF,KAAK,CAAC;AAEZ,UAAM,SAA8B,SAAS,SAAS,SAAS,IAC3D,WACA,CAAC,GAAG,UAAU,SAAS;AAE3B,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,OAAO;AACL,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAsBO,SAAS,UAA4C;AAC1D,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,UAAM,WACJ,gBAAgB,SACX,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,MACA;AAAA,IACF,KAAK,CAAC,IACL,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,IACF,KAAK,CAAC;AAEZ,UAAM,SAA8B,SAAS,SAAS,SAAS,IAC3D,WACA,CAAC,GAAG,UAAU,SAAS;AAE3B,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,OAAO;AACL,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAkCO,SAAS,aAA+C;AAC7D,SAAO,CACL,QACA,aACA,eACG;AACH,QAAI,YAAY;AACd,cAAQ,eAAe,iBAAiB,MAAM,QAAQ,WAAY;AAClE,aAAO;AAAA,IACT;AACA,YAAQ,eAAe,iBAAiB,MAAM,MAAM;AACpD,WAAO;AAAA,EACT;AACF;AAgCO,SAAS,gBAAkD;AAChE,SAAO,CACL,QACA,aACA,eACG;AACH,QAAI,YAAY;AACd,cAAQ,eAAe,oBAAoB,MAAM,QAAQ,WAAY;AACrE,aAAO;AAAA,IACT;AACA,YAAQ,eAAe,oBAAoB,MAAM,MAAM;AACvD,WAAO;AAAA,EACT;AACF;AAqCO,SAAS,cAAc,QAA8C;AAC1E,SAAO,CACL,QACA,aACA,eACG;AACH,YAAQ,eAAe,qBAAqB,QAAQ,QAAQ,WAAW;AACvE,WAAO;AAAA,EACT;AACF;AAzWA,IAOa,0BACA,uBACA,6BA8NA,iBAgDA,oBA6CA;AApUb;AAAA;AAOO,IAAM,2BAA2B;AACjC,IAAM,wBAAwB;AAC9B,IAAM,8BAA8B;AA8NpC,IAAM,kBAAkB;AAgDxB,IAAM,qBAAqB;AA6C3B,IAAM,sBAAsB;AAAA;AAAA;;;ACpUnC;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,YAAY,mBAAmB;AASjC,SAAS,QAAQ,QAAiC;AACvD,SAAO,CAAC,WAAqB;AAC3B,gBAAY,sBAAsB,EAAE,OAAO,CAAC,EAAE,MAAM;AACpD,eAAW,EAAE,MAAa;AAAA,EAC5B;AACF;AAdA,IAEa;AAFb;AAAA;AAEO,IAAM,uBAAuB;AAAA;AAAA;;;ACFpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAsFA,SAAS,OACd,QACA,SACiB;AACjB,SAAO,CAAC,QAAQ,gBAAgB;AAE9B,YAAQ;AAAA,MACN;AAAA,MACA,EAAE,QAAQ,QAAQ,GAAG,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAGA,UAAM,SACJ,QAAQ,YAAY,mBAAmB,OAAO,WAAW,KAAK,CAAC;AACjE,WAAO,KAAK;AAAA,MACV;AAAA,MACA,YAAY;AAAA,MACZ,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,MAChB,MAAM,SAAS;AAAA,MACf,OAAO,SAAS;AAAA,MAChB,aAAa,SAAS;AAAA,MACtB,KAAK,SAAS;AAAA,MACd,KAAK,SAAS;AAAA,IAChB,CAAC;AACD,YAAQ,eAAe,mBAAmB,QAAQ,OAAO,WAAW;AAAA,EACtE;AACF;AAnHA,IAIa,qBACA;AALb;AAAA;AAIO,IAAM,sBAAsB;AAC5B,IAAM,oBAAoB;AAAA;AAAA;;;ACLjC;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAUA,SAAS,WAAW,SAAgD;AACzE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,iBAAiB,SAAS,QAAQ,WAAW;AAAA,EACtE;AACF;AAdA,IAEa;AAFb;AAAA;AAEO,IAAM,kBAAkB;AAAA;AAAA;;;ACF/B;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAQA,SAAS,cAAc,SAAsC;AAClE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,oBAAoB,SAAS,QAAQ,WAAW;AAAA,EACzE;AACF;AAZA,IAEa;AAFb;AAAA;AAEO,IAAM,qBAAqB;AAAA;AAAA;;;ACFlC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAEP,SAAS,cAAAA,mBAAkB;AA6B3B,SAAS,iBACP,OACqC;AACrC,SAAO,CAAC,CAAC,SAAS,OAAO,UAAU,YAAY,SAAS;AAC1D;AAEA,SAAS,oBAAoB,OAAiD;AAC5E,SACE,CAAC,CAAC,SACF,OAAO,UAAU,YACjB,CAAC,MAAM,QAAQ,KAAK,KACpB,CAAC,iBAAiB,KAAK;AAE3B;AAEA,SAAS,UACP,OAK4B;AAC5B,MAAI,CAAC,MAAO,QAAO;AAEnB,MAAI,iBAAiB,KAAK,GAAG;AAC3B,UAAM,OAAO,MAAM,QAAQ,MAAM,GAAG,IAAI,MAAM,MAAM,CAAC,MAAM,GAAG;AAC9D,WAAO,EAAE,MAAM,MAAM,MAAM,MAAM,QAAQ,MAAM,OAAO;AAAA,EACxD;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,EAAE,MAAM,MAAM;AAAA,EACvB;AAEA,MAAI,OAAO,UAAU,cAAc,OAAO,UAAU,UAAU;AAC5D,WAAO,EAAE,MAAM,CAAC,KAAK,EAAE;AAAA,EACzB;AAEA,SAAO;AACT;AAEO,SAAS,SACd,OAKkC;AAClC,UAAQ,CACN,QACA,gBACG;AACH,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,SAAS;AACX,UAAI,gBAAgB,QAAW;AAC7B,cAAMC,YACJ,QAAQ,YAAY,uBAAuB,QAAQ,WAAW,KAAK,CAAC;AACtE,QAAAA,UAAS,KAAK,OAAO;AACrB,gBAAQ;AAAA,UACN;AAAA,UACAA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA;AAAA,MACF;AAEA,YAAM,WACJ,QAAQ,YAAY,uBAAuB,MAAkB,KAAK,CAAC;AACrE,eAAS,KAAK,OAAO;AACrB,cAAQ,eAAe,uBAAuB,UAAU,MAAkB;AAC1E;AAAA,IACF;AAEA,QAAI,gBAAgB,QAAW;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,oBAAoB,KAAK,IAAI,QAAQ,CAAC;AACzD,YAAQ,eAAe,uBAAuB,YAAY,MAAkB;AAC5E,IAAAD,YAAW,EAAE,MAAa;AAAA,EAC5B;AACF;AAlHA,IAMa,uBACA;AAPb;AAAA;AAMO,IAAM,wBAAwB;AAC9B,IAAM,wBAAwB;AAAA;AAAA;;;ACPrC;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAsBA,SAAS,eAAe,SAAqC;AAClE,SAAO,CAAC,WAAqB;AAC3B,YAAQ,eAAe,qBAAqB,SAAS,MAAM;AAAA,EAC7D;AACF;AA1BA,IAEa;AAFb;AAAA;AAEO,IAAM,sBAAsB;AAAA;AAAA;;;ACFnC;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,eAAAE,oBAAmB;AAyCrB,SAAS,OAAO,SAAyC;AAC9D,SAAOA,aAAY,qBAAqB,WAAW,IAAI;AACzD;AA3CA,IAEa;AAFb;AAAA;AAEO,IAAM,sBAAsB;AAAA;AAAA;;;ACFnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AA0EA,SAAS,SACd,KACA,SACmB;AACnB,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,WACJ,QAAQ,eAAe,gBAAgB,OAAO,WAAW,KAAK,CAAC;AAEjE,aAAS,KAAK;AAAA,MACZ,UAAU,OAAO,WAAW;AAAA,MAC5B;AAAA,MACA;AAAA,IACF,CAAC;AAED,YAAQ,eAAe,gBAAgB,UAAU,OAAO,WAAW;AAAA,EACrE;AACF;AAUO,SAAS,YAAY,WAA8C;AACxE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,WACJ,QAAQ,eAAe,oBAAoB,OAAO,WAAW,KAAK,CAAC;AAErE,UAAM,OAAO,OAAO,WAAW;AAC/B,QAAI,QAAQ,SAAS,KAAK,CAAC,MAAM,EAAE,aAAa,IAAI;AAEpD,QAAI,CAAC,OAAO;AACV,cAAQ,EAAE,UAAU,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE;AACjD,eAAS,KAAK,KAAK;AAAA,IACrB;AAEA,UAAM,WAAW,KAAK,SAAS;AAE/B,YAAQ,eAAe,oBAAoB,UAAU,OAAO,WAAW;AAAA,EACzE;AACF;AAOO,SAAS,eACd,SACA,SACmB;AACnB,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,UAAM,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG;AACxC,WAAO,QAAQ,KAAK,GAAG,IACnB,OACA,WAAW,GAAG,IAAI;AAAA,EACxB,CAAC;AACH;AAKO,SAAS,UAAU,KAAa,SAAqC;AAC1E,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,WAAO,IAAI,UAAU,MACjB,OACA,WAAW,GAAG,IAAI,gBAAgB,IAAI,MAAM,MAAM,GAAG;AAAA,EAC3D,CAAC;AACH;AAKO,SAAS,QACd,SACA,SACmB;AACnB,QAAM,MAAM,IAAI,IAAI,OAAO;AAC3B,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,UAAM,MAAM,IAAI,YAAY,EAAE,OAAO,GAAG;AACxC,WAAO,IAAI,IAAI,GAAG,IACd,OACA,WAAW,GAAG,IAAI,qBAAqB,QAAQ,KAAK,IAAI,CAAC;AAAA,EAC/D,CAAC;AACH;AAKO,SAAS,SACd,KACA,KACA,SACmB;AACnB,SAAO,YAAY,CAAC,KAAK,SAAS;AAChC,QAAI,IAAI,WAAW,EAAG,QAAO,GAAG,IAAI;AACpC,QAAI,IAAI;AACR,eAAW,KAAK,IAAK,KAAK,KAAK,KAAM,OAAO,CAAC;AAC7C,QAAI,IAAI,OAAO,IAAI,KAAK;AACtB,aAAO,WAAW,GAAG,IAAI,WAAW,CAAC,kBAAkB,GAAG,KAAK,GAAG;AAAA,IACpE;AACA,WAAO;AAAA,EACT,CAAC;AACH;AApLA,IAEa,gBACA;AAHb;AAAA;AAEO,IAAM,iBAAiB;AACvB,IAAM,qBAAqB;AAAA;AAAA;;;ACHlC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EACE;AAAA,EAAK;AAAA,EAAY;AAAA,EAAY;AAAA,EAAgB;AAAA,EAAc;AAAA,OACtD;AAFP;AAAA;AAAA;AAAA;;;;;;;ACsBA,YAAA,mBAAAC;AAwDA,YAAA,kBAAAC;AA9EA,cAAA,kBAAA;AAGA,QAAA,wBAAA;AAOA,QAAA,QAAA;AAYA,aAAgBD,kBAAiB,KAAa;AAC5C,YAAM,aACJ,QAAQ,YAAY,sBAAA,gBAAgB,GAAG,KAAK,CAAA;AAE9C,UAAI,WAAW,WAAW,GAAG;AAC3B,cAAM,IAAI,MACR,aAAa,IAAI,IAAI,yDAAoD;MAE7E;AAEA,YAAM,YAAY,oBAAI,IAAG;AACzB,YAAM,SAA2B,WAAW,IAAI,CAAC,MAAK;AACpD,kBAAU,IAAI,EAAE,UAAU,EAAE,GAAG;AAC/B,eAAO;UACL,MAAM,EAAE;UACR,KAAK,EAAE;UACP,MAAM,EAAE,QAAQ;UAChB,UAAU,EAAE,QAAQ;UACpB,QAAQ,EAAE,QAAQ;UAClB,KAAK,EAAE,QAAQ;UACf,OAAO,EAAE,QAAQ;;MAErB,CAAC;AAED,YAAM,iBACJ,QAAQ,YAAY,sBAAA,oBAAoB,GAAG,KAAK,CAAA;AAElD,YAAM,aAAa,oBAAI,IAAG;AAC1B,iBAAW,MAAM,gBAAgB;AAC/B,cAAM,MAAM,UAAU,IAAI,GAAG,QAAQ;AACrC,YAAI,QAAQ,QAAW;AACrB,gBAAM,IAAI,MACR,mBAAmB,IAAI,IAAI,IAAI,GAAG,QAAQ,2CAA2C;QAEzF;AACA,WAAG,MAAM;AACT,mBAAW,IAAI,KAAK,GAAG,UAAU;MACnC;AAEA,aAAO,EAAE,QAAQ,WAAU;IAC7B;AAgBA,aAAgBC,iBACd,KAAa;AAEb,YAAM,aACJ,QAAQ,YAAY,sBAAA,gBAAgB,GAAG,KAAK,CAAA;AAE9C,UAAI,WAAW,WAAW,GAAG;AAC3B,cAAM,IAAI,MACR,aAAa,IAAI,IAAI,0DAAqD;MAE9E;AAEA,YAAM,SAAS,oBAAI,IAAG;AACtB,iBAAW,KAAK,YAAY;AAC1B,eAAO,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,MAAM,EAAE,QAAQ,KAAI,CAAE;MAClE;AAEA,aAAO,CAAC,cAA0C;AAChD,cAAMC,WAAS,GAAA,MAAA,YAAW,IAAI,WAAW,SAAS,CAAC;AACnD,cAAM,SAA8B,CAAA;AAEpC,mBAAW,CAAC,KAAK,GAAG,KAAKA,SAAQ;AAC/B,gBAAM,OAAO,OAAO,IAAI,GAAG;AAC3B,cAAI,CAAC;AAAM;AAEX,kBAAQ,KAAK,MAAM;YACjB,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI,IAAI,YAAW,EAAG,OAAO,GAAG;AACpD;YACF,KAAK,OAAO;AACV,kBAAI,IAAI;AACR,uBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,oBAAK,KAAK,KAAM,OAAO,IAAI,CAAC,CAAC;cAC/B;AACA,qBAAO,KAAK,QAAQ,IAAI;AACxB;YACF;YACA,KAAK;YACL,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI;AACxB;YACF,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI,IAAI,SAAS,KAAK,IAAI,CAAC,MAAM;AACrD;YACF,KAAK;YACL,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI,KAAK,MAAM,IAAI,YAAW,EAAG,OAAO,GAAG,CAAC;AAChE;YACF;AACE,qBAAO,KAAK,QAAQ,IAAI;UAC5B;QACF;AAEA,eAAO;MACT;IACF;;;;;ACrIA;AAAA;AAAA;AAAA;AAAA,IASsB;AATtB;AAAA;AASO,IAAe,aAAf,MAA0B;AAAA,IAAC;AAAA;AAAA;;;;;;;;;;;;;;;;;ACTlC,QAAA,wBAAA;AACA,QAAA,iBAAA;AAEA,QAAaC,aAAb,cAA+B,eAAA,WAAU;;AAAzC,YAAA,YAAAA;AAGE,eAAA;OAFC,GAAA,sBAAA,UAAS,GAAG,EAAE,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAG,CAAE;OACzD,GAAA,sBAAA,WAAU,GAAG,sBAAsB;;;;;;;ACLtC,OAAO;AAyBA,SAAS,gBACd,SAC+D;AAAA,EAC/D,MAAM,mBAAoB,QAAgB;AAAA,EAAC;AAE3C,QAAM,SACJ,QAAQ,eAAe,gBAAgB,OAAO,KAAK,CAAC;AAEtD,QAAM,gBAAgC,OAAO,IAAI,CAAC,OAAO;AAAA,IACvD,UAAU,EAAE;AAAA,IACZ,KAAK,EAAE;AAAA,IACP,SAAS,EAAE,GAAG,EAAE,SAAS,UAAU,MAAM;AAAA,EAC3C,EAAE;AAEF,UAAQ,eAAe,gBAAgB,eAAe,UAAU;AAEhE,QAAM,aACJ,QAAQ,eAAe,oBAAoB,OAAO,KAAK,CAAC;AAE1D,MAAI,WAAW,SAAS,GAAG;AACzB,YAAQ,eAAe,oBAAoB,CAAC,GAAG,UAAU,GAAG,UAAU;AAAA,EACxE;AAEA,SAAO,eAAe,YAAY,QAAQ;AAAA,IACxC,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC/B,CAAC;AAED,SAAO;AACT;AArDA;AAAA;AAEA;AAAA;AAAA;;;;;;;;;;;;;;;;;ACFA,QAAA,wBAAA;AACA,QAAA,iBAAA;AAQa,YAAA,kBAAkB;AAClB,YAAA,0BAA0B;AAC1B,YAAA,0BAA0B;AAC1B,YAAA,0BAA0B;AAC1B,YAAA,0BAA0B;AAWvC,QAAsBC,mBAAtB,cAA8C,eAAA,WAAU;;AAAxD,YAAA,kBAAAA;AAEE,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,iBAAiB,EAAE,MAAM,OAAM,CAAE;;;AAI3C,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,MAAK,CAAE;;;AAIlD,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,MAAK,CAAE;;;AAIlD,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,OAAM,CAAE;;;AAInD,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,OAAM,CAAE;;;;;;;ACrCrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AA/DP,IAiEsB;AAjEtB;AAAA;AAiEO,IAAe,kBAAf,MAAe,gBAAe;AAAA,MAWnC,OAAO,UAAU,OAA2C;AAC1D,YAAI,CAAC,MAAO,QAAO;AACnB,eAAO,MAAM,MAAM,KAAK,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,YAAY;AAAA,MACnD;AAAA,MAEA,OAAO,kBAAkB,OAAgC;AACvD,cAAM,aAAa,gBAAe,UAAU,KAAK;AACjD,eACE,CAAC,CAAC,cACF,gBAAe,yBAAyB;AAAA,UACtC,CAAC,gBAAgB,gBAAgB;AAAA,QACnC;AAAA,MAEJ;AAAA,IACF;AAxBE,IADoB,gBACJ,SAAS;AACzB,IAFoB,gBAEJ,eAAe;AAC/B,IAHoB,gBAGJ,gBAAgB;AAEhC,IALoB,gBAKJ,2BAA2B;AAAA,MACzC,gBAAe;AAAA,MACf,gBAAe;AAAA,MACf,gBAAe;AAAA,IACjB;AATK,IAAe,iBAAf;AAAA;AAAA;;;ACjEP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAmBO,SAAS,wBACd,OACkC;AAClC,SAAQ,QAAkC,0BAA0B;AACtE;AAEO,SAAS,yBACd,QACA,SACG;AACH,SAAO,eAAe,QAAQ,4BAA4B;AAAA,IACxD,OAAO;AAAA,IACP,UAAU;AAAA,IACV,cAAc;AAAA,IACd,YAAY;AAAA,EACd,CAAC;AAED,SAAO;AACT;AAEO,SAAS,0BACd,MACA,UACkC;AAClC,MAAI,CAAC,QAAQ,CAAC,UAAU;AACtB,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,IACH,YAAY;AAAA,MACV,GAAI,MAAM,cAAc,CAAC;AAAA,MACzB,GAAI,UAAU,cAAc,CAAC;AAAA,IAC/B;AAAA,EACF;AACF;AAvDA,IAIa;AAJb;AAAA;AAIO,IAAM,6BAA6B,uBAAO,IAAI,uBAAuB;AAAA;AAAA;;;;;;;;;;;;;;;ACJ5E,QAAA,WAAA,UAAA,gBAAA;AASO,QAAMC,oBAAgB,qBAAtB,MAAM,iBAAgB;MAAtB,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,mBAAiB,IAAI;AACzC,aAAA,SAAS,oBAAI,IAAG;AAChB,aAAA,SAAS,oBAAI,IAAG;MAuCnC;MArCE,SACE,UACA,OAA+B,CAAA,GAAE;AAEjC,cAAM,OAAO,KAAK,QAAQ,SAAS,QAAQ,SAAS,YAAY;AAChE,cAAM,eAAyC;UAC7C;UACA;UACA,MAAM,KAAK,QAAQ,CAAA;UACnB,QAAQ,KAAK;UACb,SAAS,KAAK;UACd,UAAU,KAAK;;AAGjB,aAAK,OAAO,IAAI,MAAM,YAAY;AAClC,aAAK,OAAO,IAAI,SAAS,aAAa,YAAY;AAClD,aAAK,OAAO,MAAM,wBAAwB,IAAI,EAAE;MAClD;MAEA,QAAQ,KAAoB;AAC1B,YAAI,OAAO,QAAQ,UAAU;AAC3B,iBAAO,KAAK,OAAO,IAAI,GAAG;QAC5B;AAEA,eAAO,KAAK,OAAO,IAAI,GAAG,KAAK,KAAK,OAAO,IAAI,IAAI,IAAI;MACzD;MAEA,OAAI;AACF,eAAO,MAAM,KAAK,KAAK,OAAO,OAAM,CAAE,EAAE,KAAK,CAAC,MAAM,UAClD,KAAK,KAAK,cAAc,MAAM,IAAI,CAAC;MAEvC;MAEA,QAAK;AACH,aAAK,OAAO,MAAK;AACjB,aAAK,OAAO,MAAK;MACnB;;AAzCW,YAAA,mBAAAA;+BAAAA,oBAAgB,qBAAA,WAAA;OAD5B,GAAA,SAAA,YAAU;OACEA,iBAAgB;;;;;;;;;;;;;;;;;;;;;ACT7B,QAAA,WAAA,UAAA,gBAAA;AAIA,QAAA,sBAAA;AAEA,aAAS,OAAU,QAAW;AAC5B,aAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC;IACnC;AAGO,QAAMC,6BAAyB,8BAA/B,MAAM,0BAAyB;MAGpC,YAA6B,UAA0B;AAA1B,aAAA,WAAA;AAFZ,aAAA,SAAS,IAAI,SAAA,OAAO,4BAA0B,IAAI;MAET;MAE1D,MAAM,SACJ,UACA,SAA4B;AAE5B,YAAI,CAAC,YAAY,SAAS,WAAW;AAAG;AAExC,cAAM,UAAU,oBAAI,IAAG;AAEvB,mBAAW,WAAW,UAAU;AAC9B,cACE,QAAQ,UACR,QAAQ,OAAO,SAAS,KACxB,CAAC,QAAQ,OAAO,SAAS,QAAQ,KAAK,GACtC;AACA;UACF;AAEA,qBAAW,OAAO,QAAQ,MAAM;AAC9B,kBAAM,eAAe,KAAK,SAAS,QAAQ,GAAG;AAC9C,gBAAI,CAAC,cAAc;AACjB,mBAAK,OAAO,KAAK,YAAY,OAAO,GAAG,CAAC,wBAAwB;AAChE;YACF;AAEA,gBAAI,QAAQ,IAAI,aAAa,IAAI;AAAG;AAEpC,gBACE,aAAa,UACb,aAAa,OAAO,SAAS,KAC7B,CAAC,aAAa,OAAO,SAAS,QAAQ,KAAK,GAC3C;AACA;YACF;AAEA,kBAAM,kBAAuC;cAC3C,GAAG;cACH,cAAc,OAAO;gBACnB,GAAI,aAAa,QAAQ,CAAA;gBACzB,GAAI,QAAQ,QAAQ,CAAA;gBACpB,GAAI,QAAQ,gBAAgB,CAAA;eAC7B;;AAGH,gBACE,aAAa,SAAS,YACtB,CAAC,aAAa,SAAS,SAAS,eAAe,GAC/C;AACA;YACF;AAEA,gBAAI;AACF,sBAAQ,IAAI,aAAa,IAAI;AAC7B,oBAAM,aAAa,SAAS,QAAQ,eAAe;YACrD,SAAS,OAAY;AACnB,mBAAK,OAAO,KACV,YAAY,aAAa,IAAI,kBAAkB,QAAQ,KAAK,KAAK,MAAM,OAAO,EAAE;YAEpF;UACF;QACF;MACF;;AAjEW,YAAA,4BAAAA;wCAAAA,6BAAyB,8BAAA,WAAA;OADrC,GAAA,SAAA,YAAU;2DAI8B,oBAAA,qBAAgB,eAAhB,oBAAA,sBAAgB,aAAA,KAAA,MAAA,CAAA;OAH5CA,0BAAyB;;;;;ACXtC,IAaa,sBAGA,gBAgBA,mBACA,cACA,eACA,iBAwRA,WAwDA;AAnXb;AAAA;AAaO,IAAM,uBAAuB;AAG7B,IAAM,iBAAiB;AAAA;AAAA,MAE5B,SAAS;AAAA;AAAA,MAET,UAAU;AAAA;AAAA,MAEV,SAAS;AAAA,IACX;AASO,IAAM,oBAAoB;AAC1B,IAAM,eAAe;AACrB,IAAM,gBAAgB;AACtB,IAAM,kBAAkB;AAwRxB,IAAM,YAAY;AAAA;AAAA,MAEvB,kBAAkB;AAAA,MAClB,qBAAqB;AAAA,MACrB,iBAAiB;AAAA,MACjB,uBAAuB;AAAA;AAAA,MAGvB,oBAAoB;AAAA,MACpB,sBAAsB;AAAA;AAAA,MAGtB,qBAAqB;AAAA,MACrB,iBAAiB;AAAA,MACjB,uBAAuB;AAAA,MACvB,iBAAiB;AAAA,MACjB,kBAAkB;AAAA;AAAA,MAGlB,mBAAmB;AAAA,MACnB,iBAAiB;AAAA,MACjB,oBAAoB;AAAA,MACpB,mBAAmB;AAAA;AAAA,MAGnB,iBAAiB;AAAA,MACjB,cAAc;AAAA;AAAA,MAGd,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA;AAAA,MAGnB,wBAAwB;AAAA,MACxB,wBAAwB;AAAA;AAAA,MAGxB,eAAe;AAAA,MACf,qBAAqB;AAAA;AAAA,MAGrB,mBAAmB;AAAA,MACnB,0BAA0B;AAAA,MAC1B,iBAAiB;AAAA;AAAA,MAGjB,4BAA4B;AAAA,IAC9B;AAOO,IAAM,WAAN,cAAuB,MAAM;AAAA,MAClC,YACkB,MAChB,SACgB,UAChB;AACA,cAAM,IAAI,IAAI,KAAK,OAAO,EAAE;AAJZ;AAEA;AAGhB,aAAK,OAAO;AAAA,MACd;AAAA;AAAA,MAGA,IAAI,aAAsB;AAExB,cAAM,WAA2B;AAAA,UAC/B,UAAU;AAAA,UACV,UAAU;AAAA,UACV,UAAU;AAAA,UACV,UAAU;AAAA,UACV,UAAU;AAAA,QACZ;AACA,eAAO,CAAC,SAAS,SAAS,KAAK,IAAI;AAAA,MACrC;AAAA;AAAA,MAGA,gBAAyD;AACvD,YAAI,KAAK,YAAY;AACnB,iBAAO,EAAE,MAAM,KAAK,MAAM,SAAS,KAAK,QAAQ;AAAA,QAClD;AACA,eAAO;AAAA,UACL,MAAM,UAAU;AAAA,UAChB,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACpZA,SAAS,YAAY,kBAAkB;AAavC,SAAS,YAAY;AACrB,SAAS,cAAc;AAuBvB,SAAS,UACP,WACA,cACA,cACY;AACZ,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,OAAO,QAAQ;AAAA,IACnB,YAAY,MAAM,eAAe,MAAM;AAAA,EACzC;AACA,SAAO,OAAO,IAAI;AACpB;AAQA,SAAS,UACP,eACA,SACA,YACY;AACZ,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,OAAO,QAAQ,QAAQ;AAAA,IACvB,OAAO,QAAQ,MAAM;AAAA,IACrB,QAAQ,eAAe;AAAA,IACvB,QAAQ;AAAA,EACV;AACA,MAAI,YAAY;AACd,UAAM,KAAK,UAAU;AAAA,EACvB;AACA,SAAO,QAAQ,OAAO,MAAM,KAAK,GAAG,CAAC;AACvC;AAYO,SAAS,0BACd,OACY;AACZ,QAAM,MAAM,WAAW,MAAM,eAAe;AAC5C,QAAM,OAAO;AAAA,IACX,MAAM,QAAQ;AAAA,IACd,MAAM,QAAQ;AAAA,IACd,MAAM;AAAA,EACR;AACA,QAAM,OAAO,UAAU,eAAe,SAAS,MAAM,OAAO;AAE5D,SAAO,KAAK,QAAQ,KAAK,MAAM,MAAM,iBAAiB;AACxD;AAOO,SAAS,2BACd,OACY;AACZ,QAAM,MAAM,WAAW,MAAM,eAAe;AAG5C,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,WAAW,QAAQ;AAAA,IACvB,MAAM,QAAQ,aACZ,MACA,MAAM,QAAQ,gBACd,MACA,MAAM,eACN,MACA,MAAM;AAAA,EACV;AACA,QAAM,OAAO,OAAO,QAAQ;AAE5B,QAAM,OAAO;AAAA,IACX,eAAe;AAAA,IACf,MAAM;AAAA,IACN,MAAM;AAAA,EACR;AAEA,SAAO,KAAK,QAAQ,KAAK,MAAM,MAAM,iBAAiB;AACxD;AAMO,SAAS,iBAAiB,OAAuC;AACtE,QAAM,MAAM,WAAW,MAAM,eAAe;AAC5C,QAAM,OAAO;AAAA,IACX,MAAM,QAAQ;AAAA,IACd,MAAM,QAAQ;AAAA,IACd,MAAM;AAAA,EACR;AACA,QAAM,OAAO,UAAU,eAAe,SAAS,MAAM,OAAO;AAE5D,SAAO,KAAK,QAAQ,KAAK,MAAM,MAAM,iBAAiB;AACxD;AAMO,SAAS,sBACd,OACA,WACqB;AACrB,QAAM,eAAe,0BAA0B,KAAK;AACpD,QAAM,UAAU,WAAW,OAAO,YAAY,CAAC;AAG/C,eAAa,KAAK,CAAC;AAEnB,SAAO;AAAA,IACL,oBAAoB;AAAA,IACpB,YAAY;AAAA,IACZ,YAAY,MAAM,QAAQ;AAAA,IAC1B,KAAK,MAAM,QAAQ;AAAA,IACnB,KAAK,MAAM,QAAQ;AAAA,IACnB,QAAQ,MAAM,QAAQ;AAAA,IACtB,KAAK,MAAM,QAAQ;AAAA,IACnB,UAAU,MAAM,QAAQ;AAAA,IACxB,QAAQ,MAAM,QAAQ;AAAA,IACtB,aAAa,MAAM,QAAQ;AAAA,IAC3B,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAAA,IACxC,OAAO;AAAA,EACT;AACF;AAKO,SAAS,mBAA2B;AACzC,QAAMC,SAAQ,IAAI,WAAW,eAAe;AAC5C,SAAO,gBAAgBA,MAAK;AAC5B,SAAO,WAAWA,MAAK;AACzB;AA3LA;AAAA;AAgBA;AAAA;AAAA;;;AChBA,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,UAAAC,eAAc;AASvB,SAAS,gBAAgB,kBAAkB,mBAAmB;AAWvD,SAAS,cACd,KACA,WACA,KAC6D;AAC7D,MAAI,IAAI,WAAW,mBAAmB;AACpC,UAAM,IAAI,MAAM,mBAAmB,iBAAiB,QAAQ;AAAA,EAC9D;AAEA,QAAM,KAAK,YAAY,YAAY;AACnC,QAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAEpD,MAAI,KAAK;AACP,WAAO,OAAO,GAAG;AAAA,EACnB;AAEA,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,SAAS,GAAG,OAAO,MAAM,CAAC,CAAC;AAC1E,QAAM,MAAM,OAAO,WAAW;AAE9B,SAAO;AAAA,IACL,IAAI,IAAI,WAAW,EAAE;AAAA,IACrB,YAAY,IAAI,WAAW,SAAS;AAAA,IACpC,KAAK,IAAI,WAAW,GAAG;AAAA,EACzB;AACF;AAMO,SAAS,cACd,KACA,IACA,YACA,KACA,KACmB;AACnB,MAAI,IAAI,WAAW,mBAAmB;AACpC,UAAM,IAAI,MAAM,mBAAmB,iBAAiB,QAAQ;AAAA,EAC9D;AACA,MAAI,GAAG,WAAW,cAAc;AAC9B,UAAM,IAAI,MAAM,cAAc,YAAY,QAAQ;AAAA,EACpD;AACA,MAAI,IAAI,WAAW,eAAe;AAChC,UAAM,IAAI,MAAM,eAAe,aAAa,QAAQ;AAAA,EACtD;AAEA,MAAI;AACF,UAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AAEvB,QAAI,KAAK;AACP,eAAS,OAAO,GAAG;AAAA,IACrB;AAEA,UAAM,YAAY,OAAO,OAAO;AAAA,MAC9B,SAAS,OAAO,UAAU;AAAA,MAC1B,SAAS,MAAM;AAAA,IACjB,CAAC;AACD,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,QAAQ;AAEN,WAAO;AAAA,EACT;AACF;AAKO,SAAS,iBAA6B;AAC3C,SAAO,IAAI,WAAW,YAAY,iBAAiB,CAAC;AACtD;AAKO,SAAS,aAAyB;AACvC,SAAO,IAAI,WAAW,YAAY,YAAY,CAAC;AACjD;AAMO,SAAS,gBAAgBC,QAA2B;AACzD,SAAO,OAAO,KAAKA,MAAK,EACrB,SAAS,QAAQ,EACjB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACtB;AAEO,SAAS,gBAAgB,OAA2B;AACzD,QAAM,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACzD,QAAM,UAAU,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AACxD,SAAO,IAAI,WAAW,OAAO,KAAK,SAAS,SAAS,QAAQ,CAAC;AAC/D;AASO,SAAS,YAAY,SAA6B;AACvD,SAAOF,YAAWC,QAAO,OAAO,CAAC;AACnC;AAhIA,IA2Ia;AA3Ib;AAAA;AAYA;AA+HO,IAAM,qBAAwC;AAAA,MACnD,MAAM,QACJ,KACA,IACA,YACA,KACA,KAC4B;AAC5B,eAAO,cAAc,KAAK,IAAI,YAAY,KAAK,GAAG;AAAA,MACpD;AAAA,IACF;AAAA;AAAA;;;ACrJA,SAAS,cAAAE,mBAAkB;AAY3B,SAAS,eAAAC,oBAAmB;AA4C5B,eAAsB,iBACpB,SACA,oBACA,YACyE;AACzE,QAAM,EAAE,SAAS,SAAS,QAAQ,MAAM,oBAAoB,WAAW,IACrE;AAGF,QAAM,gBAAgBD;AAAA,IACpB,IAAI,WAAWC,aAAY,eAAe,CAAC;AAAA,EAC7C;AAGA,QAAM,aAAa,mBAAmB;AAGtC,QAAM,SAAS,eAAe;AAG9B,QAAM,MAAM;AAAA,IACV,QAAQ;AAAA,IACR;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR;AAAA,EACF;AAGA,QAAM,EAAE,IAAI,YAAY,IAAI,IAAI,cAAc,QAAQ,MAAM,GAAG;AAG/D,QAAM,eAAe,MAAM,mBAAmB;AAAA,IAC5C;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,EACF;AAGA,SAAO,KAAK,CAAC;AAEb,QAAM,mBAAwC;AAAA,IAC5C,KAAK;AAAA,IACL,IAAI,gBAAgB,EAAE;AAAA,IACtB,YAAY,gBAAgB,UAAU;AAAA,IACtC,KAAK,gBAAgB,GAAG;AAAA,EAC1B;AAEA,QAAM,aAAqC;AAAA,IACzC,KAAK,aAAa;AAAA,IAClB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EACP;AAGA,QAAM,mBAA0D;AAAA,IAC9D,KAAK;AAAA,IACL,aAAa;AAAA,IACb,YAAY,QAAQ;AAAA,IACpB,gBAAgB,QAAQ;AAAA,IACxB,YAAY,QAAQ;AAAA,IACpB,eAAe;AAAA,IACf,mBAAmB;AAAA,IACnB,gBAAgB;AAAA,IAChB;AAAA,IACA;AAAA,IACA,GAAI,aAAa,EAAE,aAAa,WAAW,IAAI,CAAC;AAAA,EAClD;AAGA,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,aAAa,gBAAgB,CAAC;AAC3E,QAAM,UAAU,MAAM,WAAW,KAAK,WAAW;AAEjD,QAAM,WAAgC;AAAA,IACpC,GAAG;AAAA,IACH,UAAU;AAAA,EACZ;AAEA,SAAO;AAAA,IACL;AAAA,IACA,qBAAqB,YAAY,IAAI;AAAA,EACvC;AACF;AAMO,SAAS,sBACd,WACA,eACA,QACA,WACA,SAOA;AACA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,YAAY;AAAA,IACZ,gBAAgB;AAAA,IAChB;AAAA,IACA,OAAO,EAAE,MAAM,WAAW,QAAQ;AAAA,EACpC;AACF;AAMA,SAAS,qBAA6B;AACpC,QAAMC,SAAQD,aAAY,EAAE;AAC5B,SAAO,UAAUD,YAAW,IAAI,WAAWE,MAAK,CAAC,EAAE,MAAM,GAAG,EAAE;AAChE;AAEA,SAAS,iBACP,WACA,YACA,eACA,WACA,eACY;AACZ,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO,IAAI,YAAY,EAAE,OAAO,MAAM,KAAK,GAAG,CAAC;AACjD;AAEA,SAAS,aAAa,KAAsB;AAC1C,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,MAAM,IAAI,IAAI,YAAY,EAAE,KAAK,GAAG,IAAI;AAAA,EACjD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAS,OAAO,KAAK,GAAa,EACrC,KAAK,EACL;AAAA,MACC,CAAC,MACC,KAAK,UAAU,CAAC,IAChB,MACA,aAAc,IAAgC,CAAC,CAAC;AAAA,IACpD;AACF,WAAO,MAAM,OAAO,KAAK,GAAG,IAAI;AAAA,EAClC;AACA,SAAO,KAAK,UAAU,GAAG;AAC3B;AAjNA;AAAA;AAcA;AACA;AAAA;AAAA;;;ACfA,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,QAAAC,aAAY;AACrB,SAAS,UAAAC,eAAc;AA2DhB,SAAS,mBACd,UACA,SACA,cACA,WAKA,SAMkB;AAElB,QAAM,YAAY,kBAAkB,SAAS,YAAY,QAAQ,UAAU;AAG3E,QAAM,uBAAuB;AAAA,IAC3B,QAAQ;AAAA,IACR;AAAA,IACA,SAAS;AAAA,EACX;AAEA,SAAO;AAAA,IACL,YAAY;AAAA,IACZ,YAAY,SAAS;AAAA,IACrB,YAAY,QAAQ;AAAA,IACpB,KAAK,QAAQ;AAAA,IACb,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB,QAAQ,QAAQ;AAAA,IAChB,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAAA,IACvC,cAAc;AAAA,MACZ,YAAY,aAAa;AAAA,MACzB,aAAa,aAAa;AAAA,MAC1B,WAAW,aAAa;AAAA,MACxB,gBAAgB,aAAa;AAAA,MAC7B,cAAc,aAAa;AAAA,MAC3B,cAAc,aAAa;AAAA,MAC3B,cAAc,aAAa;AAAA,MAC3B,eAAe,aAAa;AAAA,IAC9B;AAAA,IACA,WAAW;AAAA,MACT,QAAQ,UAAU;AAAA,MAClB,qBAAqB,UAAU;AAAA,MAC/B,GAAI,UAAU,SAAS,EAAE,QAAQ,UAAU,OAAO,IAAI,CAAC;AAAA,IACzD;AAAA,IACA,oBAAoB,QAAQ;AAAA,IAC5B,wBAAwB;AAAA,IACxB,GAAI,QAAQ,iBACR,EAAE,sBAAsB,YAAY,QAAQ,cAAc,EAAE,IAC5D,CAAC;AAAA,IACL,GAAI,QAAQ,kBACR,EAAE,uBAAuB,YAAY,QAAQ,eAAe,EAAE,IAC9D,CAAC;AAAA,EACP;AACF;AAKO,SAAS,yBACd,UACsB;AACtB,SAAO;AAAA,IACL,mBAAmB,SAAS,yBAAyB;AAAA,IACrD,oBAAoB,SAAS,uBAAuB;AAAA,IACpD,UAAU,SAAS,gBAAgB;AAAA,IACnC,eAAe,SAAS,uBAAuB;AAAA,IAC/C,aAAa,SAAS,uBAAuB;AAAA,IAC7C,aAAa,SAAS,mBAAmB;AAAA,IACzC,aAAa,SAAS,mBAAmB;AAAA,IACzC,cAAc,SAAS,oBAAoB;AAAA,EAC7C;AACF;AAMA,SAAS,kBAAkB,WAAmB,WAA2B;AACvE,QAAM,QAAQ,WAAW,SAAS,IAAI,SAAS,IAAI,KAAK,IAAI,CAAC;AAC7D,QAAM,OAAOA,QAAO,IAAI,YAAY,EAAE,OAAO,KAAK,CAAC;AACnD,SAAO,SAASF,YAAW,IAAI,EAAE,MAAM,GAAG,EAAE;AAC9C;AAEA,SAAS,4BACP,iBACA,SACA,cACQ;AACR,QAAM,UAAU,IAAI,YAAY;AAGhC,QAAM,MAAMG,YAAW,eAAe;AACtC,QAAM,OAAOD;AAAA,IACX,QAAQ;AAAA,MACN,QAAQ,aAAa,MAAM,QAAQ,gBAAgB,MAAM;AAAA,IAC3D;AAAA,EACF;AACA,QAAM,OAAO,QAAQ;AAAA,IACnB;AAAA,MACE,eAAe;AAAA,MACf,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,OAAO,QAAQ,QAAQ;AAAA,MACvB,OAAO,QAAQ,MAAM;AAAA,MACrB,QAAQ,eAAe;AAAA,MACvB,QAAQ;AAAA,IACV,EAAE,KAAK,GAAG;AAAA,EACZ;AAEA,QAAM,aAAaD,MAAKC,SAAQ,KAAK,MAAM,MAAM,EAAE;AACnD,QAAM,OAAOF,YAAWE,QAAO,UAAU,CAAC;AAG1C,aAAW,KAAK,CAAC;AAEjB,SAAO;AACT;AAEA,SAASC,YAAW,KAAyB;AAC3C,QAAMC,SAAQ,IAAI,WAAW,IAAI,SAAS,CAAC;AAC3C,WAAS,IAAI,GAAG,IAAIA,OAAM,QAAQ,KAAK;AACrC,IAAAA,OAAM,CAAC,IAAI,SAAS,IAAI,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE;AAAA,EACrD;AACA,SAAOA;AACT;AAlMA,IA4Ba;AA5Bb;AAAA;AAeA;AACA;AAYO,IAAM,0BAAN,MAAyD;AAAA,MAAzD;AACL,aAAS,UAA8B,CAAC;AAAA;AAAA,MAExC,MAAM,OAAO,SAA0C;AACrD,aAAK,QAAQ,KAAK,OAAO;AAAA,MAC3B;AAAA,MAEA,eAAe,WAAiD;AAC9D,eAAO,KAAK,QAAQ,KAAK,CAAC,MAAM,EAAE,eAAe,SAAS;AAAA,MAC5D;AAAA,MAEA,eAAe,WAAuC;AACpD,eAAO,KAAK,QAAQ,OAAO,CAAC,MAAM,EAAE,eAAe,SAAS;AAAA,MAC9D;AAAA,IACF;AAAA;AAAA;;;AC1CA;AAAA;AAAA;AAAA;AAAA;AAAA;AAyMO,SAAS,wBACd,gBACwB;AAExB,MAAI,YAAY,gBAAgB;AAE9B,YAAQ,eAAe,QAAQ;AAAA,MAC7B,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,eAAe,MAAM,eAAe,MAAM,EAAE;AAAA,YACpD;AAAA,UACF;AAAA,UACA,MAAM,eAAe;AAAA,UACrB,cAAc,eAAe;AAAA,QAC/B;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,YAAY;AAAA,UACtB,cAAc,eAAe;AAAA,UAC7B,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW,eAAe;AAAA,UAC1B,SAAS,eAAe;AAAA,UACxB,MAAM,eAAe;AAAA,QACvB;AAAA,IACJ;AAAA,EACF;AAGA,SAAO;AAAA,IACL,OAAO,eAAe;AAAA,IACtB,WAAW,eAAe;AAAA,IAC1B,SAAS,eAAe;AAAA,IACxB,MAAM,eAAe;AAAA,IACrB,MAAM,eAAe;AAAA,IACrB,SAAS,eAAe;AAAA,IACxB,cAAc,eAAe;AAAA,EAC/B;AACF;AA7PA,IAqIY,UA6HC;AAlQb;AAAA;AAqIO,IAAK,WAAL,kBAAKC,cAAL;AACL,MAAAA,UAAA,WAAQ;AACR,MAAAA,UAAA,UAAO;AACP,MAAAA,UAAA,cAAW;AACX,MAAAA,UAAA,UAAO;AAJG,aAAAA;AAAA,OAAA;AA6HL,IAAM,kBAAkB;AAAA,MAC7B,MAAM,MAAY,MAA4C;AAC5D,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MAEA,KAAK,MAAc,QAAiB,MAA4B;AAC9D,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,SAAS,CAAC,MAAM,MAAM,EAAE,OAAO,OAAO;AAAA,UACtC;AAAA,QACF;AAAA,MACF;AAAA,MAEA,SAAS,cAAsB,MAA4B;AACzD,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,MAAM;AAAA,UACN,SAAS,CAAC,YAAY;AAAA,UACtB;AAAA,QACF;AAAA,MACF;AAAA,MAEA,KAAK,YAAoB,SAAmB,MAA4B;AACtE,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC/SA;AAAA;AAAA;AAAA;AA8GA,eAAsB,mBACpB,UACA,QAC4B;AAC5B,QAAM,YAAY,KAAK,IAAI;AAG3B,MAAI,SAAS,QAAQ,sBAAsB;AACzC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS,wBAAwB,SAAS,GAAG;AAAA,MAC/C;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,cAA2B;AAAA,IAC/B,QAAQ,SAAS,QAAQ;AAAA,IACzB,UAAU;AAAA,MACR,KAAK;AAAA,MACL,aAAa;AAAA,MACb,aAAa;AAAA,IACf;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,OAAO,OAAO,EAAE;AAAA,IACxC,CAAC,GAAG,OAAO,EAAE,SAAS,QAAQ,EAAE,SAAS;AAAA,EAC3C;AAEA,aAAW,UAAU,eAAe;AAClC,QAAI,OAAO,YAAY,CAAC,OAAO,SAAS,WAAW,GAAG;AACpD;AAAA,IACF;AAEA,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,OAAO,IAAI,WAAW;AAAA,IACzC,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO;AAAA,UACL,MAAM,UAAU;AAAA,UAChB,SAAS,UAAU,OAAO,IAAI;AAAA,QAChC;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,IACF;AAEA,UAAM,aAAa,wBAAwB,QAAQ;AACnD,QAAI,CAAC,WAAW,OAAO;AACrB,YAAM,OACJ,WAAW,QAAQ,CAAC,GAAG,MAAM,GAAG,EAAE,CAAC,KAAK,UAAU;AACpD,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO,EAAE,MAAM,SAAS,WAAW,QAAQ,KAAK,IAAI,EAAE;AAAA,QACtD,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,UAAU,YAAY,UAAU;AACtC,QAAM,mBAAmB,YAAY,UACjC;AACJ,QAAM,YAAY,YAAY,UAAU;AAIxC,MAAI,CAAC,WAAW,CAAC,oBAAoB,CAAC,WAAW;AAC/C,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,kBAAsC;AAAA,IAC1C,iBAAiB,OAAO;AAAA,IACxB;AAAA,IACA,cAAc,SAAS;AAAA,EACzB;AACA,QAAM,mBAAmB;AAAA,IACvB;AAAA,IACA,SAAS;AAAA,EACX;AAEA,MAAI,OAAO,iBAAiB;AAC1B,QAAI;AACF,YAAM,iBAAiB,MAAM,OAAO,gBAAgB,SAAS;AAAA,QAC3D;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,oBAAoB,UAAU;AAAA,MAChC,CAAC;AACD,UAAI,CAAC,eAAe,OAAO;AACzB,cAAMC,gBAAe,yBAAyB,YAAY,YAAY,CAAC,CAAC;AACxE,cAAMC,WAAU;AAAA,UACd;AAAA,UACA;AAAA,UACAD;AAAA,UACA;AAAA,YACE,QAAQ;AAAA,YACR,mBAAmB;AAAA,YACnB,QAAQ;AAAA,UACV;AAAA,UACA;AAAA,YACE,iBAAiB,OAAO;AAAA,YACxB,gBAAgB;AAAA,YAChB,mBAAmB;AAAA,UACrB;AAAA,QACF;AACA,cAAM,OAAO,aAAa,OAAOC,QAAO;AAExC,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO;AAAA,YACL,MAAM,eAAe,QAAQ,UAAU;AAAA,YACvC,SACE,eAAe,WAAW;AAAA,UAC9B;AAAA,UACA,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO;AAAA,UACL,MAAM,UAAU;AAAA,UAChB,SAAS;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,UAAU,OAAO,SAAS,IAAI,QAAQ,MAAM;AAClD,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS,0BAA0B,QAAQ,MAAM;AAAA,MACnD;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,iBAAoC;AAAA,IACxC;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAoB,UAAU;AAAA,IAC9B,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,EACf;AAEA,MAAI;AACJ,QAAM,eAAe,KAAK,IAAI;AAC9B,MAAI;AACF,aAAS,MAAM,QAAQ,kBAAkB,cAAc;AAAA,EACzD,SAAS,KAAK;AACZ,UAAMC,mBAAkB,KAAK,IAAI,IAAI;AAGrC,UAAMF,gBAAe,yBAAyB,YAAY,YAAY,CAAC,CAAC;AACxE,UAAMC,WAAU;AAAA,MACd;AAAA,MACA;AAAA,MACAD;AAAA,MACA,EAAE,QAAQ,UAAU,mBAAmBE,iBAAgB;AAAA,MACvD;AAAA,QACE,iBAAiB,OAAO;AAAA,QACxB,gBAAgB;AAAA,QAChB,mBAAmB;AAAA,MACrB;AAAA,IACF;AACA,UAAM,OAAO,aAAa,OAAOD,QAAO;AAExC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AACA,QAAM,kBAAkB,KAAK,IAAI,IAAI;AAGrC,MAAI;AACJ,MAAI;AAEJ,MAAI;AACF,UAAM,iBAAiB,MAAM;AAAA,MAC3B;AAAA,QACE,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,OAAO;AAAA,QACf,MAAM,OAAO;AAAA,QACb,oBAAoB,UAAU;AAAA,MAChC;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,uBAAmB,eAAe;AAClC,0BAAsB,eAAe;AAAA,EACvC,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,eAAe,yBAAyB,YAAY,YAAY,CAAC,CAAC;AACxE,QAAM,UAAU;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE,QAAQ,OAAO;AAAA,MACf,mBAAmB;AAAA,MACnB,QAAQ,OAAO;AAAA,IACjB;AAAA,IACA;AAAA,MACE,iBAAiB,OAAO;AAAA,MACxB,gBAAgB;AAAA,MAChB,iBAAiB,OAAO;AAAA,MACxB,mBAAmB;AAAA,IACrB;AAAA,EACF;AACA,QAAM,OAAO,aAAa,OAAO,OAAO;AAExC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,UAAU;AAAA,IACV,WAAW,QAAQ;AAAA,EACrB;AACF;AA5WA;AAAA;AAAA;AACA;AACA;AAEA;AAqBA;AAAA;AAAA;;;ACzBA;AAAA;AAAA;AAAA;AAAA,IAAa;AAAb;AAAA;AAAO,IAAM,YAAN,cAAwB,MAAM;AAAA,MACnC,YACS,MACP,SACO,aAAqB,KACrB,SACP;AACA,cAAM,OAAO;AALN;AAEA;AACA;AAGP,aAAK,OAAO;AAAA,MACd;AAAA,IACF;AAAA;AAAA;;;ACKO,SAAS,SAAS,QAAkB,UAA2B;AACpE,MAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,OAAO,WAAW,GAAG;AACjD,WAAO;AAAA,EACT;AAGA,MAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,WAAO;AAAA,EACT;AAGA,QAAM,CAAC,UAAU,EAAE,IAAI,SAAS,MAAM,GAAG;AACzC,MAAI,YAAY,IAAI;AAClB,UAAM,WAAW,GAAG,QAAQ;AAC5B,QAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,WACd,OACyC;AACzC,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,SAAO,EAAE,UAAU,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,EAAE;AAC5C;AAKO,SAAS,kBACd,QACA,cACA,YACS;AACT,QAAM,WAAW,GAAG,YAAY,IAAI,UAAU;AAC9C,SAAO,SAAS,QAAQ,QAAQ;AAClC;AA1DA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAcO,SAAS,uBACd,OAC4B;AAC5B,MAAI,CAAC,SAAS,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAAG;AAC/D,WAAO;AAAA,EACT;AAEA,QAAM,MAAM;AACZ,QAAM,SAAS,oBAAoB,IAAI,UAAU,IAAI,KAAK;AAE1D,SAAO;AAAA,IACL,IAAI,gBAAgB,IAAI,EAAE;AAAA,IAC1B,SAAS,gBAAgB,IAAI,OAAO;AAAA,IACpC,SAAS,oBAAoB,IAAI,OAAO;AAAA,IACxC,UAAU,mBAAmB,IAAI,YAAY,IAAI,GAAG;AAAA,IACpD,WAAW,mBAAmB,IAAI,aAAa,IAAI,GAAG;AAAA,IACtD,OAAO,gBAAgB,IAAI,KAAK;AAAA,IAChC,MAAM,gBAAgB,IAAI,IAAI;AAAA,IAC9B;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,0BACd,SACA,QACS;AACT,MAAI,CAAC,QAAQ,WAAW,QAAQ,QAAQ,WAAW,GAAG;AACpD,WAAO;AAAA,EACT;AAEA,aAAW,WAAW,QAAQ,SAAS;AACrC,QAAI,YAAY,OAAO,YAAY,QAAQ;AACzC,aAAO;AAAA,IACT;AAEA,QAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,YAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,UAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,uBACd,SACA,cAAc,KACL;AACT,MAAI,QAAQ,cAAc,QAAW;AACnC,WAAO;AAAA,EACT;AAEA,SAAO,OAAO,KAAK,IAAI,CAAC,IAAI,QAAQ,YAAY,OAAO,WAAW;AACpE;AAEO,SAAS,oBACd,QACA,SAOU;AACV,SAAO,OAAO;AAAA,IAAI,CAAC,UACjB,MAAM,QAAQ,kBAAkB,CAAC,QAAQ,eAAuB;AAC9D,YAAM,WAAW,0BAA0B,WAAW,KAAK,GAAG,OAAO;AACrE,UAAI,aAAa,UAAa,aAAa,QAAQ,aAAa,IAAI;AAClE,cAAM,IAAI,MAAM,qCAAqC,UAAU,EAAE;AAAA,MACnE;AACA,aAAO,OAAO,QAAQ;AAAA,IACxB,CAAC;AAAA,EACH;AACF;AAEO,SAAS,6BACd,SACA,gBACA,OAAsB,OACb;AACT,MAAI,CAAC,QAAQ,UAAU,QAAQ,OAAO,WAAW,GAAG;AAClD,WAAO;AAAA,EACT;AAEA,MAAI,SAAS,OAAO;AAClB,WAAO,eAAe,KAAK,CAAC,UAAU,SAAS,QAAQ,QAAS,KAAK,CAAC;AAAA,EACxE;AAEA,SAAO,eAAe,MAAM,CAAC,UAAU,SAAS,QAAQ,QAAS,KAAK,CAAC;AACzE;AAEA,SAAS,0BACP,YACA,SAOS;AACT,MAAI,eAAe,UAAU;AAC3B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,eAAe,WAAW;AAC5B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,eAAe,WAAW;AAC5B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,eAAe,UAAU;AAC3B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,WAAW,WAAW,OAAO,GAAG;AAClC,WAAO,eAAe,QAAQ,MAAM,WAAW,MAAM,CAAC,CAAC;AAAA,EACzD;AAEA,SAAO;AACT;AAEA,SAAS,eAAe,OAAgBE,OAAuB;AAC7D,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AAEA,SAAOA,MAAK,MAAM,GAAG,EAAE,OAAgB,CAAC,SAAS,YAAY;AAC3D,QAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,aAAO;AAAA,IACT;AACA,WAAQ,QAAoC,OAAO;AAAA,EACrD,GAAG,KAAK;AACV;AAEA,SAAS,gBAAgB,OAAoC;AAC3D,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,OAAO,KAAK,KAAK,EAAE,SAAS,KAAK;AAAA,EAC1C;AAEA,SAAO;AACT;AAEA,SAAS,oBAAoB,OAAsC;AACjE,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,EACT;AAEA,QAAM,OAAO,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK;AAClD,QAAM,aAAa,KAChB,IAAI,CAAC,UAAW,OAAO,UAAU,WAAW,QAAQ,MAAU,EAC9D,OAAO,CAAC,UAA2B,CAAC,CAAC,SAAS,MAAM,KAAK,EAAE,SAAS,CAAC;AAExE,SAAO,WAAW,SAAS,IAAI,MAAM,KAAK,IAAI,IAAI,UAAU,CAAC,IAAI;AACnE;AAEA,SAAS,mBAAmB,OAAoC;AAC9D,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,GAAG;AACvD,WAAO,OAAO,KAAK,MAAM,KAAK,CAAC;AAAA,EACjC;AAEA,MAAI,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,GAAG;AACxD,QAAI;AACF,aAAO,OAAO,KAAK;AAAA,IACrB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAtMA;AAAA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AACA,QAAA,kBAAA,UAAA,4BAAA;AAKA,QAAA,iBAAA;AAQA,QAAA,eAAA;AACA,QAAA,cAAA;AAQA,QAAA,6BAAA;AAMA,QAAA,oBAAA;AACA,QAAA,oBAAA;AAIA,QAAA,8BAAA;AACA,QAAA,sBAAA;AACA,QAAA,0BAAA;AACA,QAAA,4BAAA;AAUA,QAAA,6BAAA;AACA,QAAA,qBAAA;AAOA,QAAA,uBAAA;AAMA,QAAA,mBAAA;AAOA,QAAA,gBAAA;AAWA,QAAA,2BAAA;AAKA,QAAA,gCAAA;AAEA,aAAS,eAAe,KAAoB;AAC1C,aAAO,OAAO,QAAQ,WAAW,MAAM,IAAI;IAC7C;AAEA,aAAS,sBACP,UAA+B;AAE/B,YAAM,SAAS,oBAAI,IAAG;AAEtB,iBAAW,WAAW,UAAU;AAC9B,mBAAW,OAAO,QAAQ,MAAM;AAC9B,gBAAM,MAAM,eAAe,GAAG;AAC9B,gBAAM,WAAW,OAAO,IAAI,GAAG;AAC/B,cAAI,CAAC,UAAU;AACb,mBAAO,IAAI,KAAK;cACd,MAAM,CAAC,GAAG;cACV,MAAM,QAAQ,OAAO,CAAC,GAAG,IAAI,IAAI,QAAQ,IAAI,CAAC,IAAI;cAClD,QAAQ,QAAQ,SAAS,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,CAAC,IAAI;aACzD;AACD;UACF;AAEA,mBAAS,OAAO,MAAM,KACpB,oBAAI,IAAI,CAAC,GAAI,SAAS,QAAQ,CAAA,GAAK,GAAI,QAAQ,QAAQ,CAAA,CAAG,CAAC,CAAC;AAE9D,mBAAS,SACP,SAAS,WAAW,UAAa,QAAQ,WAAW,SAChD,SACA,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,SAAS,QAAQ,GAAG,QAAQ,MAAM,CAAC,CAAC;QACnE;MACF;AAEA,aAAO,MAAM,KAAK,OAAO,OAAM,CAAE;IACnC;AAEA,aAAS,qBACP,iBACA,cAAqC;AAErC,UAAI,iBAAiB;AACnB,eAAO;MACT;AAEA,UAAI,CAAC,cAAc;AACjB,eAAO;MACT;AAEA,UAAI,iBAAiB,MAAM;AACzB,eAAO,EAAE,SAAS,KAAI;MACxB;AAEA,aAAO;QACL,SAAS;QACT,GAAG;;IAEP;AAkDO,QAAMC,gBAAY,iBAAlB,MAAM,aAAY;MAoEvB,YACc,WAEZ,oBAA+D;AAFlC,aAAA,YAAA;AAEZ,aAAA,qBAAA;AAtEF,aAAA,SAAS,IAAI,SAAA,OAAO,eAAa,IAAI;AACrC,aAAA,UAAU,IAAI,YAAW;AACzB,aAAA,UAAU,IAAI,YAAW;AAelC,aAAA,WAAW,oBAAI,IAAG;AAGlB,aAAA,gBAAgB,oBAAI,IAAG;AAGvB,aAAA,iBAAiB,oBAAI,IAAG;AAGxB,aAAA,gBAAgB,oBAAI,IAAG;AAGvB,aAAA,mBAAmB,oBAAI,IAAG;AAG1B,aAAA,cAAc,oBAAI,IAAG;AAGrB,aAAA,eAAe,oBAAI,IAAG;AAGtB,aAAA,kBAAkB,oBAAI,IAAG;AAGzB,aAAA,wBAAwB,oBAAI,IAAG;AAG/B,aAAA,oBAAoB,oBAAI,IAAG;AAG3B,aAAA,kBAAkB,oBAAI,IAAG;AAGzB,aAAA,sBAAsB,oBAAI,IAAG;AAG7B,aAAA,gBAAgB,oBAAI,IAAG;AAGvB,aAAA,mBAAmB,oBAAI,IAAG;AAG1B,aAAA,mBAAmB,oBAAI,IAAG;AAG1B,aAAA,cAAc,oBAAI,IAAG;AAGrB,aAAA,oBAAgE;MAMrE;MAEH,UAAU,QAAc;AACtB,eAAO,KAAK,cAAc,IAAI,MAAM;MACtC;MAEA,cAAc,QAAc;AAC1B,eAAO,KAAK,iBAAiB,IAAI,MAAM;MACzC;MAEA,IAAI,QAAc;AAChB,eACE,KAAK,SAAS,IAAI,MAAM,KAAK,eAAa,gBAAgB,IAAI,MAAM;MAExE;MAEA,uBAAoB;AAClB,eAAO,CAAC,GAAG,eAAa,iBAAiB,GAAG,KAAK,SAAS,KAAI,CAAE;MAClE;MAEA,eAAe,QAAc;AAU3B,YAAI,CAAC,KAAK,IAAI,MAAM;AAAG,iBAAO;AAC9B,eAAO;UACL,QAAQ,KAAK,cAAc,IAAI,MAAM;UACrC,YAAY,KAAK,iBAAiB,IAAI,MAAM;UAC5C,YAAY,KAAK,cAAc,IAAI,MAAM;UACzC,SAAS,eAAa,gBAAgB,IAAI,MAAM;UAChD,MAAM,KAAK,YAAY,IAAI,MAAM;UACjC,OAAO,KAAK,aAAa,IAAI,MAAM;UACnC,eAAe,KAAK,sBAAsB,IAAI,MAAM;UACpD,eAAe,KAAK,aAAa,MAAM,EAAE;;MAE7C;MAEA,eAAe,QAAc;AAC3B,eAAO,KAAK,aAAa,IAAI,MAAM;MACrC;MAEA,aAAa,QAAc;AACzB,eAAO,KAAK,gBAAgB,IAAI,MAAM,KAAK,CAAA;MAC7C;MAUA,SAAS,QAAgB,SAAY;AACnC,aAAK,SAAS,IAAI,QAAQ,OAAO;MACnC;MAUA,gBAAgB,UAAa;AAC3B,cAAM,cAAc,QAAQ,YAC1B,oBAAA,sBACA,SAAS,WAAW;AAEtB,cAAM,SAA6B,aAAa,UAAU,SAAS;AAEnE,cAAM,SACJ,QAAQ,YAAY,mBAAA,mBAAmB,SAAS,WAAW,KAAK,CAAA;AAClE,cAAM,gBAAgB,IAAI,IACxB,OAAO,IAAI,CAAC,UAAU,OAAO,MAAM,UAAU,CAAC,CAAC;AAIjD,cAAM,iBACJ,QAAQ,YAAY,4BAAA,qBAAqB,SAAS,WAAW,KAAK,CAAA;AACpE,cAAM,mBACJ,QAAQ,YAAY,qBAAA,uBAAuB,SAAS,WAAW,KAAK,CAAA;AAEtE,cAAM,QAAQ,OAAO,eAAe,QAAQ;AAE5C,mBAAW,SAAS,QAAQ;AAC1B,gBAAM,aAAa,MAAM,WACrB,MAAM,SACN,GAAG,MAAM,IAAI,MAAM,MAAM;AAC7B,gBAAM,KAAK,SAAS,MAAM,UAAU,EAAE,KAAK,QAAQ;AAEnD,cAAI,MAAM,OAAO;AACf,iBAAK,SAAS,YAAY,EAAE,QAAQ,GAAE,CAAE;UAC1C,OAAO;AACL,iBAAK,SAAS,YAAY,EAAE;UAC9B;AAEA,eAAK,mBACH,YACA,OACA,OAAO,MAAM,UAAU,GACvB,gBACA,gBAAgB;QAEpB;AAEA,mBAAW,OAAO,OAAO,oBAAoB,KAAK,GAAG;AACnD,cAAI,cAAc,IAAI,GAAG;AAAG;AAE5B,gBAAM,OAAO,QAAQ,YAAY,mBAAA,qBAAqB,OAAO,GAAG;AAChE,cAAI,CAAC,MAAM;AAAQ;AAEnB,gBAAM,aAAa,KAAK,WACpB,KAAK,SACL,GAAG,MAAM,IAAI,KAAK,MAAM;AAE5B,cAAI,CAAC,KAAK,SAAS,IAAI,UAAU,GAAG;AAClC,iBAAK,SAAS,YAAa,SAAiB,GAAG,EAAE,KAAK,QAAQ,CAAC;UACjE;AAEA,eAAK,mBACH,YACA,OACA,KACA,gBACA,gBAAgB;QAEpB;MACF;MAcA,MAAM,MAAM,OAAgB;AAC1B,cAAM,QAAQ,QAAQ,OAAM;AAC5B,YAAI,SAAS;AAEb,YAAI;AACF,gBAAM,cAAc,MAAM,QAAQ,IAAI,YAAA,UAAU;AAChD,cAAI,CAAC;AAAa,kBAAM,IAAI,MAAM,gBAAgB;AAClD,mBAAS,KAAK,QAAQ,OAAO,WAAW;AACxC,gBAAM,mBAAmB,KAAK,aAAa,MAAM;AAEjD,gBAAM,KAAK,oBAAoB,kBAAkB;YAC/C,OAAO;YACP,WAAW,KAAK,IAAG;YACnB;YACA;WACD;AAED,cAAI;AAEJ,cAAI,WAAW,iBAAiB,WAAW,eAAe;AACxD,iBAAK,OAAO,MAAM,eAAe;AACjC,qBAAS;cACP,IAAI;cACJ,QAAQ;cACR,SAAS,oBAAI,IAAI;gBACf,CAAC,KAAK,IAAI,YAAW,EAAG,OAAO,iBAAiB,CAAC;eAClD;cACD,MAAM,IAAI,YAAW,EAAG,OACtB,KAAK,UAAU;gBACb,QAAQ;gBACR,YAAW,oBAAI,KAAI,GAAG,YAAW;gBACjC,SAAS;eACV,CAAC;;UAGR,WAAW,WAAW,eAAe;AACnC,kBAAM,KAAK,KAAK,IAAG,EAAG,SAAQ;AAC9B,qBAAS;cACP,IAAI;cACJ,QAAQ;cACR,MAAM,IAAI,YAAW,EAAG,OACtB,KAAK,UAAU;gBACb;gBACA,MAAK,oBAAI,KAAI,GAAG,YAAW;eAC5B,CAAC;;UAGR,WAAW,WAAW,eAAe;AACnC,qBAAS;cACP,IAAI;cACJ,QAAQ;cACR,MAAM,MAAM;;UAEhB,WAAW,WAAW,gBAAgB,WAAW,mBAAmB;AAClE,kBAAM,eAAe,KAAK,sBAAsB,MAAM,IAAI;AAC1D,qBAAS,MAAM,KAAK,oBAAoB,OAAO,YAAY;UAC7D,WAAW,WAAW,iBAAiB,WAAW,oBAAoB;AACpE,kBAAM,WAAW,KAAK,oBAAoB,MAAM,IAAI;AACpD,kBAAM,cAAc,SAAS;AAC7B,kBAAM,YAAY,SAAS,QAAQ,CAAA;AAEnC,gBAAI,CAAC,aAAa;AAChB,oBAAM,IAAI,MAAM,kCAAkC;YACpD;AAEA,iBAAK,OAAO,MAAM,kCAAkC,WAAW,GAAG;AAElE,kBAAM,eAAe,IAAI,IAAI,MAAM,OAAO;AAC1C,yBAAa,IAAI,YAAA,YAAY,KAAK,QAAQ,OAAO,WAAW,CAAC;AAE7D,kBAAM,gBAAgB,KAAK,sBAAsB,SAAS,OAAO;AACjE,kBAAM,YAAY,KAAK,uBAAuB,aAAa;AAC3D,gBAAI,WAAW;AACb,2BAAa,IAAI,YAAA,aAAa,KAAK,QAAQ,OAAO,SAAS,CAAC;AAC5D,2BAAa,IAAI,YAAA,eAAe,KAAK,QAAQ,OAAO,SAAS,CAAC;YAChE;AAEA,kBAAM,cAAa,GAAA,yBAAA,0BACjB;cACE,GAAG;cACH,SAAS;cACT,MAAM,KAAK,WAAW,SAAS;gBAEjC,GAAA,yBAAA,4BAA0B,GAAA,yBAAA,yBAAwB,KAAK,GAAG;cACxD,YAAY;cACZ,SAAS,KAAK,oBAAoB,KAAK;cACvC;aACD,KAAK,CAAA,CAAE;AAGV,qBAAS,MAAM,KAAK,MAAM,UAAU;UACtC,OAAO;AACL,kBAAM,UAAU,KAAK,SAAS,IAAI,MAAM;AACxC,gBAAI,CAAC,SAAS;AACZ,oBAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;YAC/C;AAEA,kBAAM,gBAAgB,KAAK,cAAc,IAAI,MAAM;AACnD,gBAAI,iBAAiB,cAAc,SAAS,GAAG;AAC7C,oBAAM,KAAK,iBAAiB,eAAe,QAAQ,KAAK;YAC1D;AAEA,kBAAM,UAAU,KAAK,eAAe,IAAI,MAAM;AAC9C,gBAAI,cAAmB,MAAM;AAC7B,gBAAI,SAAS;AACX,kBAAI;AACF,8BAAc,QAAQ,OAAO,KAAK,MAAM,IAAI,CAAC;cAC/C,SAAS,WAAgB;AACvB,sBAAM,IAAI,MACR,gCAAgC,MAAM,KAAK,UAAU,OAAO,EAAE;cAElE;YACF;AAEA,iBAAK,qBACH,QACA,OACA,aACA,KAAK,0BAA0B,QAAQ,KAAK,CAAC;AAG/C,gBAAI,OAAO,YAAY,YAAY;AACjC,oBAAM,aAAa,UACf,MAAM,QAAQ,aAAa,MAAM,OAAO,IACxC,MAAM,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC3C,uBAAS;gBACP,IAAI;gBACJ,QAAQ;gBACR,MAAM;;YAEV,OAAO;AACL,kBAAI,OAAQ,QAAgB,WAAW,YAAY;AACjD,yBAAS,MAAO,QAAgB,OAAO,KAAK;cAC9C,WAAW,OAAQ,QAAgB,YAAY,YAAY;AACzD,sBAAM,UAAU,UACZ,MAAO,QAAgB,QAAQ,aAAa,MAAM,OAAO,IACzD,MAAO,QAAgB,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC5D,yBAAS;kBACP,IAAI;kBACJ,QAAQ;kBACR,MAAM;;cAEV,OAAO;AACL,sBAAM,IAAI,MACR,eAAe,MAAM,uCAAuC;cAEhE;YACF;UACF;AAEA,gBAAM,KAAK,oBAAoB,kBAAkB;YAC/C,OAAO;YACP,WAAW,KAAK,IAAG;YACnB;YACA;YACA;YACA,UAAU,OAAO;WAClB;AAED,eAAK,UAAU,QAAQ,OAAO,IAAI;AAClC,iBAAO;QACT,SAAS,GAAQ;AACf,gBAAM,KAAK,oBAAoB,KAAK,aAAa,MAAM,GAAG;YACxD,OAAO;YACP,WAAW,KAAK,IAAG;YACnB;YACA;YACA,OAAO,EAAE;WACV;AACD,eAAK,UAAU,QAAQ,OAAO,OAAO,EAAE,OAAO;AAC9C,gBAAM;QACR;MACF;MAEQ,UACN,QACA,OACA,IACA,OAAc;AAEd,cAAM,OAAO,QAAQ,OAAO,KAAK;AACjC,cAAM,MAAM,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC;AACpD,YAAI,IAAI;AACN,eAAK,OAAO,MAAM,GAAG,MAAM,iBAAiB,EAAE,IAAI;QACpD,OAAO;AACL,eAAK,OAAO,KAAK,GAAG,MAAM,cAAc,EAAE,QAAQ,KAAK,EAAE;QAC3D;MACF;MAEA,mBACE,QACA,OACA,YACA,gBACA,kBAAwC;AAExC,cAAM,UAAU,QAAQ,YAAY,wBAAA,iBAAiB,OAAO,UAAU;AACtE,YAAI,SAAS;AACX,eAAK,eAAe,IAAI,QAAQ,OAAO;QACzC;AAEA,cAAM,gBAAgB,QAAQ,YAC5B,2BAAA,oBACA,OACA,UAAU;AAEZ,cAAM,WAAW;UACf,GAAI,kBAAkB,CAAA;UACtB,GAAI,MAAM,QAAQ,aAAa,IAAI,gBAAgB,CAAA;;AAErD,YAAI,SAAS,SAAS,GAAG;AACvB,eAAK,cAAc,IAAI,QAAQ,QAAQ;QACzC;AAEA,cAAM,kBACJ,QAAQ,YAAY,qBAAA,uBAAuB,OAAO,UAAU,KAAK,CAAA;AACnE,cAAM,YAAY,sBAAsB;UACtC,GAAI,oBAAoB,CAAA;UACxB,GAAG;SACJ;AACD,YAAI,UAAU,SAAS,GAAG;AACxB,eAAK,gBAAgB,IAAI,QAAQ,SAAS;QAC5C;AAEA,cAAM,uBAAuB,QAAQ,YACnC,2BAAA,6BACA,MAAM,WAAW;AAEnB,cAAM,sBAAsB,QAAQ,YAClC,2BAAA,6BACA,OACA,UAAU;AAEZ,cAAM,iBAAgB,GAAA,2BAAA,2BACpB,sBACA,mBAAmB;AAErB,YAAI,eAAe;AACjB,eAAK,sBAAsB,IAAI,QAAQ,aAAa;QACtD;AAEA,cAAM,OAAO,QAAQ,YAAY,mBAAA,qBAAqB,OAAO,UAAU;AACvE,YAAI,MAAM;AACR,eAAK,YAAY,EAAE,GAAG,MAAM,OAAM,CAAE;AACpC,cAAI,KAAK,MAAM;AACb,iBAAK,YAAY,IAAI,QAAQ,KAAK,IAAI;UACxC;AAEA,gBAAM,YAAY,QAAQ,YACxB,kBAAA,oBACA,OACA,UAAU;AAEZ,gBAAM,cAAc,qBAAqB,WAAW,KAAK,KAAK;AAC9D,cAAI,aAAa;AACf,iBAAK,aAAa,IAAI,QAAQ,WAAW;UAC3C;QACF;AAGA,cAAM,oBAAwC,QAAQ,YACpD,0BAAA,0BACA,OACA,UAAU;AAEZ,cAAM,mBAAuC,QAAQ,YACnD,0BAAA,0BACA,MAAM,WAAW;AAEnB,cAAM,cAAc,qBAAqB;AACzC,YAAI,aAAa;AACf,eAAK,kBAAkB,IAAI,QAAQ,WAAW;QAChD;AAGA,cAAM,iBAAkD,QAAQ,YAC9D,0BAAA,uBACA,OACA,UAAU;AAEZ,cAAM,gBAAiD,QAAQ,YAC7D,0BAAA,uBACA,MAAM,WAAW;AAEnB,cAAM,WAAW,kBAAkB;AACnC,YAAI,UAAU;AACZ,eAAK,gBAAgB,IAAI,QAAQ,QAAQ;QAC3C;AAGA,cAAM,cAA+C,QAAQ,YAC3D,0BAAA,6BACA,OACA,UAAU;AAEZ,cAAM,aAA8C,QAAQ,YAC1D,0BAAA,6BACA,MAAM,WAAW;AAEnB,cAAM,gBAAgB,eAAe;AACrC,YAAI,iBAAiB,cAAc,SAAS,GAAG;AAC7C,eAAK,oBAAoB,IAAI,QAAQ,aAAa;QACpD;AAGA,cAAM,iBAAsC,QAAQ,YAClD,0BAAA,iBACA,OACA,UAAU;AAEZ,cAAM,gBAAqC,QAAQ,YACjD,0BAAA,iBACA,MAAM,WAAW;AAEnB,YAAI,kBAAkB,eAAe;AACnC,eAAK,cAAc,IAAI,MAAM;QAC/B;AAGA,cAAM,eAAoC,QAAQ,YAChD,0BAAA,oBACA,OACA,UAAU;AAEZ,cAAM,cAAmC,QAAQ,YAC/C,0BAAA,oBACA,MAAM,WAAW;AAEnB,YAAI,gBAAgB,aAAa;AAC/B,eAAK,iBAAiB,IAAI,MAAM;QAClC;AAGA,cAAM,YAA6C,QAAQ,YACzD,0BAAA,qBACA,OACA,UAAU;AAEZ,YAAI,WAAW;AACb,eAAK,iBAAiB,IAAI,QAAQ,SAAS;QAC7C;MACF;MAIA,eAAe,QAAc;AAC3B,eAAO,KAAK,kBAAkB,IAAI,MAAM;MAC1C;MAEA,YAAY,QAAc;AACxB,eAAO,KAAK,gBAAgB,IAAI,MAAM;MACxC;MAEA,iBAAiB,QAAc;AAC7B,eAAO,KAAK,oBAAoB,IAAI,MAAM;MAC5C;MAEA,SAAS,QAAc;AACrB,eAAO,KAAK,cAAc,IAAI,MAAM;MACtC;MAEA,YAAY,QAAc;AACxB,eAAO,KAAK,iBAAiB,IAAI,MAAM;MACzC;MAEA,aAAa,QAAc;AACzB,eAAO,KAAK,iBAAiB,IAAI,MAAM;MACzC;MAEQ,MAAM,oBACZ,UACA,SAA6D;AAE7D,YAAI,CAAC,KAAK,sBAAsB,SAAS,WAAW;AAAG;AACvD,cAAM,KAAK,mBAAmB,SAAS,UAAU,OAAO;MAC1D;MAEQ,MAAM,iBACZ,eACA,QACA,OAAgB;AAEhB,YAAI,CAAC,KAAK;AAAW;AAErB,mBAAW,eAAe,eAAe;AACvC,cAAI;AACJ,cAAI;AACF,qBAAS,KAAK,UAAU,IAAI,aAAoB,EAAE,QAAQ,MAAK,CAAE;UACnE,QAAQ;AACN,iBAAK,OAAO,KACV,qCAAqC,YAAY,IAAI,QAAQ,MAAM,EAAE;AAEvE;UACF;AAEA,gBAAM,cAA2B;YAC/B,UAAU,MAAM;YAChB;YACA,MAAM,MAAM;YACZ,YAAY,MAAM;YAClB,UAAU,EAAE,OAAO,UAAU,OAAM;;AAGrC,cAAI,OAAO,YAAY,CAAC,OAAO,SAAS,WAAW;AAAG;AAEtD,gBAAM,YAAW,GAAA,cAAA,yBAAwB,MAAM,OAAO,IAAI,WAAW,CAAC;AACtE,cAAI,CAAC,SAAS,OAAO;AACnB,kBAAM,SAAS,SAAS,QAAQ,CAAC,KAAK,GAAG,OAAO,IAAI;AACpD,iBAAK,OAAO,KACV,iBAAiB,OAAO,IAAI,WAAW,MAAM,KAAK,MAAM,EAAE;AAE5D,kBAAM,IAAI,MAAM,eAAe,MAAM,EAAE;UACzC;QACF;MACF;MAEQ,0BACN,QACA,OAAgB;AAEhB,cAAM,mBAAmB,KAAK,sBAAsB,IAAI,MAAM;AAC9D,cAAM,cAAc,KAAK,aAAa,IAAI,MAAM;AAChD,cAAM,oBAAmB,GAAA,yBAAA,yBAAwB,KAAK;AAEtD,cAAM,gBAAgB,MAAM,KAC1B,oBAAI,IAAI;UACN,GAAG,KAAK,YAAY,aAAa,YAAY;UAC7C,GAAG,KAAK,YAAY,kBAAkB,YAAY,KAAK;UACvD,GAAG,KAAK,YAAY,kBAAkB,WAAW,YAAY;SAC9D,CAAC;AAGJ,cAAM,kBACJ,aAAa,iBACb,kBAAkB,YAAY,iBAC9B,kBAAkB,WAAW,iBAC7B,kBAAkB,eAAe,SAAS,iBAC1C,cAAc,SAAS;AAEzB,cAAM,gBAAgB,mBAClB,GAAA,2BAAA,+BAA8B;UAC5B,UAAU;UACV,QAAQ,cAAc,SAAS,IAAI,gBAAgB;SACpD,IACD;AAEJ,gBAAO,GAAA,2BAAA,2BAA0B,kBAAkB,aAAa;MAClE;MAEQ,qBACN,QACA,OACA,MACA,QAA6B;AAE7B,cAAM,oBAAmB,GAAA,yBAAA,yBAAwB,KAAK;AACtD,cAAM,sBAAsB,KAAK,sBAC/B,kBAAkB,aAAa;AAEjC,cAAM,iBAAgB,GAAA,iBAAA,wBAAuB,mBAAmB;AAChE,cAAM,mBAAmB,UACrB,GAAA,2BAAA,+BAA8B,MAAM,IACpC;AAEJ,YAAI,CAAC,eAAe;AAClB,cAAI,kBAAkB,UAAU;AAC9B,gBACE,iBAAiB,mBACjB,KAAK,oBAAoB,KAAK,KAC9B,KAAK,YAAY,iBAAiB,MAAM,EAAE,WAAW,KACrD,iBAAiB,gBAAgB,OACjC;AACA;YACF;AAEA,kBAAM,IAAI,aAAA,UACR,KAAK,oBAAoB,KAAK,IAC1B,4BACA,oBACJ,UAAU,MAAM,sDAChB,KACA,EAAE,OAAM,CAAE;UAEd;AAEA;QACF;AAEA,aAAI,GAAA,iBAAA,wBAAuB,aAAa,GAAG;AACzC,gBAAM,IAAI,aAAA,UACR,mBACA,eAAe,MAAM,eACrB,KACA,EAAE,QAAQ,WAAW,cAAc,GAAE,CAAE;QAE3C;AAEA,cAAM,UACJ,KAAK,oBAAoB,KAAK,KAAK,kBAAkB;AACvD,YACE,WACA,cAAc,WACd,CAAC,KAAK,iBAAiB,SAAS,cAAc,OAAO,GACrD;AACA,gBAAM,IAAI,aAAA,UACR,0BACA,kDAAkD,MAAM,IACxD,KACA;YACE;YACA;YACA,gBAAgB,cAAc;WAC/B;QAEL;AAEA,cAAM,WAAW,KAAK,qBAAqB,KAAK;AAChD,YACE,YACA,cAAc,MACd,CAAC,KAAK,iBAAiB,UAAU,cAAc,EAAE,GACjD;AACA,gBAAM,IAAI,aAAA,UACR,wBACA,sDAAsD,MAAM,IAC5D,KACA;YACE;YACA;YACA,WAAW,cAAc;WAC1B;QAEL;AAEA,cAAM,QAAQ,KAAK,eAAe,OAAO,YAAA,SAAS;AAClD,YAAI,SAAS,cAAc,SAAS,UAAU,cAAc,OAAO;AACjE,gBAAM,IAAI,aAAA,UACR,0BACA,kDAAkD,MAAM,IACxD,KACA,EAAE,QAAQ,OAAO,cAAc,cAAc,MAAK,CAAE;QAExD;AAEA,cAAM,OAAO,KAAK,eAAe,OAAO,YAAA,QAAQ;AAChD,YAAI,QAAQ,cAAc,QAAQ,SAAS,cAAc,MAAM;AAC7D,gBAAM,IAAI,aAAA,UACR,yBACA,gDAAgD,MAAM,IACtD,KACA,EAAE,QAAQ,MAAM,aAAa,cAAc,KAAI,CAAE;QAErD;AAEA,cAAM,oBAAoB,kBAAkB,eAAe;AAC3D,YACE,qBACA,EAAC,GAAA,iBAAA,2BAA0B,eAAe,MAAM,GAChD;AACA,gBAAM,IAAI,aAAA,UACR,kBACA,8BAA8B,MAAM,IACpC,KACA;YACE;YACA,WAAW,cAAc;YACzB,gBAAgB,cAAc;WAC/B;QAEL;AAEA,cAAM,iBAAiB,KAAK,YAAY,kBAAkB,MAAM;AAChE,YAAI,eAAe,WAAW,GAAG;AAC/B;QACF;AAEA,YAAI;AACJ,YAAI;AACF,4BAAiB,GAAA,iBAAA,qBAAoB,gBAAgB;YACnD;YACA;YACA;YACA,SAAS,kBAAkB,eAAe;YAC1C,QAAQ,kBAAkB,WAAW;WACtC;QACH,SAAS,OAAY;AACnB,eAAK,OAAO,MAAM,4BAA4B,MAAM,KAAK,MAAM,OAAO,EAAE;AACxE,gBAAM,IAAI,aAAA,UACR,qCACA,kCACA,KACA,EAAE,OAAM,CAAE;QAEd;AAEA,YACE,EAAC,GAAA,iBAAA,8BACC,eACA,gBACA,kBAAkB,aAAa,KAAK,GAEtC;AACA,gBAAM,IAAI,aAAA,UACR,kBACA,iCAAiC,MAAM,IACvC,KACA;YACE;YACA,gBAAgB;YAChB,iBAAiB,cAAc,UAAU,CAAA;WAC1C;QAEL;MACF;MAEQ,MAAM,oBACZ,OACA,SAA2D;AAE3D,cAAM,EAAE,mBAAAC,mBAAiB,IAAK,MAAA,QAAA,QAAA,EAAA,KAAA,MAAA,6BAAoC;AAClE,cAAM,gBAAgB,KAAK,oBAAoB,KAAK;AACpD,YACE,QAAQ,WACR,iBACA,CAAC,KAAK,iBAAiB,QAAQ,SAAS,aAAa,GACrD;AACA,gBAAM,IAAI,aAAA,UACR,kBACA,kEACA,GAAG;QAEP;AACA,cAAM,UAAU,iBAAiB,QAAQ;AACzC,cAAM,gBAAgB,KAAK,sBAAsB,QAAQ,OAAO;AAChE,cAAM,YAAY,KAAK,uBAAuB,aAAa;AAC3D,cAAM,UAAU,IAAI,IAAI,MAAM,OAAO;AAErC,YAAI,WAAW;AACb,kBAAQ,IAAI,YAAA,aAAa,KAAK,QAAQ,OAAO,SAAS,CAAC;AACvD,kBAAQ,IAAI,YAAA,eAAe,KAAK,QAAQ,OAAO,SAAS,CAAC;QAC3D;AAEA,cAAM,aAAY,GAAA,yBAAA,0BAChB;UACE,GAAG;UACH;YAEF,GAAA,yBAAA,4BAA0B,GAAA,yBAAA,yBAAwB,KAAK,GAAG;UACxD,YAAY;UACZ;UACA;UACA,YAAY,QAAQ,SAAS;UAC7B,eAAe,QAAQ;SACxB,KAAK,CAAA,CAAE;AAGV,cAAM,WAAW,IAAIA,mBAAkB,MAAM,KAAK,kBAAkB;AACpE,cAAM,SAAS,MAAM,SAAS,QAAQ,QAAQ,UAAU;UACtD;UACA;SACD;AAED,eAAO;UACL,IAAI,OAAO,WAAW;UACtB,QAAQ;UACR,MAAM,KAAK,WAAW,MAAM;UAC5B,UAAU;YACR,SAAS,OAAO;YAChB,QAAQ,OAAO;;;MAGrB;MAEQ,oBAAoBC,QAAiB;AAM3C,YAAI;AACF,iBAAO,KAAK,MAAM,KAAK,QAAQ,OAAOA,MAAK,CAAC;QAC9C,SAAS,OAAY;AACnB,gBAAM,IAAI,MAAM,kCAAkC,MAAM,OAAO,EAAE;QACnE;MACF;MAEQ,sBACNA,QAAiB;AAEjB,YAAI;AAEJ,YAAI;AACF,gBAAM,SAAS,KAAK,MAAM,KAAK,QAAQ,OAAOA,MAAK,CAAC;AACpD,cAAI,KAAK,mBAAmB,MAAM,GAAG;AACnC,mBAAO;cACL,UAAU,OAAO;cACjB,SAAS,KAAK,sBAAsB,OAAO,OAAO;cAClD,SACE,OAAO,OAAO,YAAY,WAAW,OAAO,UAAU;;UAE5D;AAEA,cAAI,KAAK,oBAAoB,MAAM,GAAG;AACpC,mBAAO,EAAE,UAAU,OAAM;UAC3B;QACF,SAAS,OAAY;AACnB,sBAAY;QACd;AAEA,YAAI;AACF,gBAAM,WAAU,GAAA,gBAAA,oBACdA,MAAK;AAEP,iBAAO;YACL,UAAU,QAAQ;YAClB,SAAS,KAAK,sBAAsB,QAAQ,OAAO;YACnD,SAAS,QAAQ;;QAErB,SAAS,cAAmB;AAC1B,cAAI;AACF,mBAAO;cACL,WAAU,GAAA,gBAAA,qBAAoBA,MAAK;;UAEvC,SAAS,eAAoB;AAC3B,kBAAM,SAAS;cACb,WAAW;cACX,aAAa;cACb,cAAc;cAEb,OAAO,OAAO,EACd,KAAK,KAAK;AACb,kBAAM,IAAI,MAAM,6BAA6B,MAAM,EAAE;UACvD;QACF;MACF;MAEQ,mBACN,OAAc;AAEd,eACE,CAAC,CAAC,SACF,OAAO,UAAU,YACjB,cAAc,SACd,KAAK,oBAAqB,MAAkC,QAAQ;MAExE;MAEQ,oBAAoB,OAAc;AACxC,eACE,CAAC,CAAC,SACF,OAAO,UAAU,YACjB,OAAQ,MAAkC,YAAY,YACtD,MAAM,QAAS,MAAkC,KAAK;MAE1D;MAEQ,WAAW,OAAc;AAC/B,eAAO,KAAK,QAAQ,OAAO,KAAK,UAAU,KAAK,CAAC;MAClD;MAEQ,oBAAoB,OAAgB;AAC1C,eAAO,KAAK,eAAe,OAAO,YAAA,YAAY;MAChD;MAEQ,qBAAqB,OAAgB;AAC3C,eACE,KAAK,eAAe,OAAO,YAAA,aAAa,KACxC,KAAK,eAAe,OAAO,YAAA,WAAW;MAE1C;MAEQ,oBAAoB,OAAgB;AAC1C,eAAO,CAAC,CAAC,KAAK,qBAAqB,KAAK;MAC1C;MAEQ,eAAe,OAAkB,KAAW;AAClD,cAAM,QAAQ,MAAM,QAAQ,IAAI,GAAG;AACnC,YAAI,CAAC,SAAS,MAAM,WAAW,GAAG;AAChC,iBAAO;QACT;AAEA,cAAM,UAAU,KAAK,QAAQ,OAAO,KAAK;AACzC,YAAI,iBAAiB,KAAK,OAAO,GAAG;AAClC,iBAAO;QACT;AAEA,eAAO,OAAO,KAAK,KAAK,EAAE,SAAS,KAAK;MAC1C;MAEQ,iBAAiB,MAAc,OAAa;AAClD,cAAMC,aAAY,CAAC,UACjB,eAAe,KAAK,KAAK,IAAI,MAAM,YAAW,IAAK;AACrD,eAAOA,WAAU,IAAI,MAAMA,WAAU,KAAK;MAC5C;MAEQ,uBACN,SAAiC;AAEjC,cAAM,KAAK,SAAS;AACpB,eAAO,OAAO,OAAO,YAAY,GAAG,SAAS,IAAI,KAAK;MACxD;MAEQ,sBACN,OAAc;AAEd,YAAI,CAAC,SAAS,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAAG;AAC/D,iBAAO;QACT;AAEA,eAAO;MACT;MAEQ,YAAY,OAAyB;AAC3C,YAAI,CAAC,OAAO;AACV,iBAAO,CAAA;QACT;AAEA,eAAO,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK;MAC9C;MAUA,aAAa,QAA2C;AACtD,aAAK,oBAAoB;AACzB,aAAK,OAAO,IAAI,yBAAyB;MAC3C;MAMA,mBAAmB,QAAgB,SAAmB;AACpD,aAAK,YAAY,IAAI,QAAQ,OAAO;AACpC,aAAK,OAAO,MAAM,2BAA2B,MAAM,EAAE;MACvD;MAKA,cAAc,QAAc;AAC1B,eAAO,KAAK,YAAY,IAAI,MAAM;MACpC;MAYA,MAAM,SAAS,UAA4B;AACzC,YAAI,CAAC,KAAK,mBAAmB;AAC3B,iBAAO;YACL,IAAI;YACJ,OAAO;cACL,MAAM;cACN,SAAS;;YAEX,QAAQ;;QAEZ;AAEA,cAAM,SAA4B;UAChC,GAAG,KAAK;UACR,UAAU,KAAK;;AAGjB,gBAAO,GAAA,eAAA,oBAAmB,UAAU,MAAM;MAC5C;MAEQ,YAAY,MAMnB;AACC,YAAI,KAAK,KAAK;AACZ,cAAI,KAAK,OAAO,KAAK,IAAI,SAAS,GAAG;AACnC,iBAAK,OAAO,KACV,GAAG,KAAK,MAAM,4DAA4D;UAE9E;AAEA,gBAAM,aAAY,GAAA,kBAAA,kBAAiB,KAAK,GAAG;AAC3C,gBAAMC,UAAuB;YAC3B,QAAQ,KAAK;YACb,SAAS;YACT,aAAa,KAAK,eAAe;YACjC,QAAQ,UAAU,OAAO,IAAI,CAAC,OAAO;cACnC,MAAM,EAAE;cACR,KAAK,EAAE;cACP,MAAM,EAAE;cACR,UAAU,EAAE;cACZ,QAAQ,EAAE;cACV,KAAK,EAAE;cACP,OAAO,EAAE;cACT;;AAGJ,eAAK,cAAc,IAAI,KAAK,QAAQA,OAAM;AAE1C,cAAI,UAAU,WAAW,OAAO,GAAG;AACjC,iBAAK,iBAAiB,IAAI,KAAK,QAAQ,UAAU,UAAU;UAC7D;AAEA,cAAI,CAAC,KAAK,eAAe,IAAI,KAAK,MAAM,GAAG;AACzC,iBAAK,eAAe,IAAI,KAAK,SAAQ,GAAA,kBAAA,iBAAgB,KAAK,GAAG,CAAC;UAChE;AAEA;QACF;AAEA,YAAI,CAAC,KAAK,OAAO,KAAK,IAAI,WAAW;AAAG;AAExC,cAAM,SAAuB;UAC3B,QAAQ,KAAK;UACb,SAAS;UACT,aAAa,KAAK,eAAe;UACjC,QAAQ,KAAK,IAAI,IAAI,CAAC,OAAO;YAC3B,MAAM,EAAE;YACR,KAAK,EAAE;YACP,MAAM,EAAE;YACR,UAAU,EAAE;YACZ,QAAQ,EAAE;YACV,KAAK,EAAE;YACP,OAAO,EAAE;YACT;;AAGJ,aAAK,cAAc,IAAI,KAAK,QAAQ,MAAM;MAC5C;;AAzoCW,YAAA,eAAAJ;AAMa,IAAAA,cAAA,kBAAkB,oBAAI,IAAI;MAChD;MACA;MACA;MACA;MACA;MACA;MACA;MACA;KACD;2BAfUA,gBAAY,iBAAA,WAAA;OADxB,GAAA,SAAA,YAAU;MAsEN,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;MACV,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;2DAD8B,OAAA,cAAS,eAAT,OAAA,eAAS,aAAA,KAAA,QAAA,QAAA,KAAA,OAEZ,8BAAA,8BAAyB,eAAzB,8BAAA,+BAAyB,aAAA,KAAA,MAAA,CAAA;OAvEtDA,aAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;AChMzB,QAAA,WAAA,UAAA,QAAA;AAEA,QAAA,WAAA,UAAA,gBAAA;AAGA,QAAA,cAAA;AAWA,QAAA,2BAAA;AAKA,QAAA,gCAAA;AACA,QAAA,kBAAA;AAQO,QAAMK,qBAAiB,sBAAvB,MAAM,kBAAiB;MAK5B,YACmB,QAEjB,oBAA+D;AAF9C,aAAA,SAAA;AAEA,aAAA,qBAAA;AAPF,aAAA,SAAS,IAAI,SAAA,OAAO,oBAAkB,IAAI;AAC1C,aAAA,UAAU,IAAI,YAAW;AACzB,aAAA,UAAU,IAAI,YAAW;MAMvC;MAEH,MAAM,QACJ,UACA,UAAqC,CAAA,GAAE;AAEvC,aAAK,iBAAiB,QAAQ;AAE9B,cAAM,YAAY,KAAK,IAAG;AAC1B,cAAM,UAAU,oBAAI,IAAG;AACvB,cAAM,WAAW,KAAK,qBAAqB,QAAQ;AAEnD,cAAM,KAAK,SAAS,UAAU;UAC5B,OAAO;UACP,WAAW;UACX,SAAS,SAAS;UAClB;UACA,cAAc,SAAS;UACvB,SAAS,SAAS;UAClB,aAAa,SAAS;SACvB;AAED,cAAM,KAAK,SAAS,UAAU;UAC5B,OAAO;UACP,WAAW,KAAK,IAAG;UACnB,SAAS,SAAS;UAClB;UACA,cAAc,SAAS;UACvB,SAAS,SAAS;UAClB,aAAa,SAAS;SACvB;AAED,cAAM,YAAY,IAAI,IAAI,SAAS,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC;AAC3E,cAAM,UAAU,IAAI,IAAI,UAAU,KAAI,CAAE;AAExC,eAAO,QAAQ,OAAO,GAAG;AACvB,gBAAM,QAAQ,MAAM,KAAK,OAAO,EAC7B,IAAI,CAAC,WAAW,UAAU,IAAI,MAAM,CAAE,EACtC,OAAO,CAAC,SAAS,KAAK,OAAO,MAAM,OAAO,CAAC;AAE9C,cAAI,MAAM,WAAW,GAAG;AACtB,iBAAK,oBACH,SACA,WACA,SACA,WACA,yBAAyB;AAE3B;UACF;AAEA,cAAI,SAAS,SAAS,YAAY;AAChC,kBAAM,cAAc,MAAM,QAAQ,IAChC,MAAM,IAAI,CAAC,SAAS,KAAK,YAAY,MAAM,UAAU,SAAS,OAAO,CAAC,CAAC;AAEzE,uBAAW,UAAU,aAAa;AAChC,sBAAQ,IAAI,OAAO,QAAQ,MAAM;AACjC,sBAAQ,OAAO,OAAO,MAAM;YAC9B;UACF,OAAO;AACL,uBAAW,QAAQ,OAAO;AACxB,oBAAM,SAAS,MAAM,KAAK,YAAY,MAAM,UAAU,SAAS,OAAO;AACtE,sBAAQ,IAAI,OAAO,QAAQ,MAAM;AACjC,sBAAQ,OAAO,OAAO,MAAM;AAE5B,kBACE,OAAO,WAAW,aACjB,SAAS,SAAS,YAAY,SAAS,SAAS,WACjD;AACA,qBAAK,oBACH,SACA,WACA,SACA,WACA,cAAc;AAEhB,wBAAQ,MAAK;AACb;cACF;YACF;UACF;AAEA,eAAK,iCAAiC,SAAS,WAAW,OAAO;QACnE;AAEA,cAAM,aAAa,KAAK,IAAG;AAC3B,cAAM,iBAAiB,SAAS,MAAM,IAAI,CAAC,SAAS,QAAQ,IAAI,KAAK,MAAM,CAAE;AAC7E,cAAM,UAAU,KAAK,aAAa,SAAS,MAAM,gBAAgB,WAAW,YAAY,SAAS,OAAO;AAExG,cAAM,KAAK,SAAS,UAAU;UAC5B,OACE,QAAQ,WAAW,cACf,oBACA,QAAQ,WAAW,YACjB,kBACA;UACR,WAAW;UACX,SAAS,SAAS;UAClB;UACA,QAAQ;UACR,cAAc,SAAS;UACvB,SAAS,SAAS;UAClB,aAAa,SAAS;SACvB;AAED,eAAO;MACT;MAEQ,MAAM,YACZ,MACA,UACA,SACA,SAAkC;AAElC,cAAM,eAAe,KAAK,OAAO,aAAa,KAAK,MAAM;AACzD,cAAM,YAAY,KAAK,IAAG;AAC1B,cAAM,QAAQ,KAAK,iBAAiB,KAAK,OAAO,OAAO;AAEvD,cAAM,KAAK,SAAS,cAAc;UAChC,OAAO;UACP,WAAW;UACX,SAAS,SAAS;UAClB,QAAQ,KAAK;UACb,QAAQ,KAAK;UACb;UACA;UACA,cAAc,CAAC,GAAI,SAAS,gBAAgB,CAAA,GAAK,GAAI,KAAK,gBAAgB,CAAA,CAAG;UAC7E,SAAS,KAAK,eACV;YACE,GAAG,SAAS;YACZ,OAAO,KAAK;cAEd,SAAS;UACb,aAAa,KAAK,eAAe,SAAS;SAC3C;AAED,YAAI;AACF,gBAAM,QAAQ,KAAK,WAAW,MAAM,UAAU,OAAO,OAAO;AAC5D,gBAAM,SAAS,MAAM,KAAK,OAAO,MAAM,KAAK;AAC5C,gBAAM,aAAa,KAAK,IAAG;AAC3B,gBAAM,SAAS,KAAK,aAAa,OAAO,IAAI;AAC5C,gBAAM,YAAY,KAAK,iBAAiB,SAAS,SAAS,KAAK,QAAQ,QAAQ,MAAM;AAErF,gBAAM,SAA8B;YAClC,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,QAAQ;YACR,QAAQ,OAAO;YACf;YACA,WAAW,KAAK;YAChB;YACA;YACA;YACA,cAAc,CAAC,GAAI,SAAS,gBAAgB,CAAA,GAAK,GAAI,KAAK,gBAAgB,CAAA,CAAG;YAC7E,UAAU,OAAO;;AAGnB,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb;YACA;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;WAC3C;AAED,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;YAC1C,UAAU,EAAE,UAAS;WACtB;AAED,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb;YACA;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;WAC3C;AAED,iBAAO;QACT,SAAS,OAAY;AACnB,gBAAM,aAAa,KAAK,IAAG;AAC3B,gBAAM,SAA8B;YAClC,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,QAAQ;YACR,OAAO,MAAM;YACb,WAAW,KAAK;YAChB;YACA;YACA,cAAc,CAAC,GAAI,SAAS,gBAAgB,CAAA,GAAK,GAAI,KAAK,gBAAgB,CAAA,CAAG;;AAG/E,eAAK,OAAO,KACV,SAAS,SAAS,OAAO,SAAS,KAAK,MAAM,YAAY,MAAM,OAAO,EAAE;AAG1E,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,OAAO,MAAM;YACb;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;WAC3C;AAED,iBAAO;QACT;MACF;MAEQ,WACN,MACA,UACA,OACA,SAAkC;AAElC,cAAM,eAAc,GAAA,yBAAA,yBAAwB,QAAQ,SAAS;AAC7D,cAAM,cAAc,IAAI,IAAI,QAAQ,WAAW,WAAW,CAAA,CAAE;AAC5D,oBAAY,IAAI,YAAA,YAAY,KAAK,QAAQ,OAAO,KAAK,MAAM,CAAC;AAC5D,oBAAY,IAAI,YAAA,cAAc,KAAK,QAAQ,OAAO,SAAS,OAAO,CAAC;AAEnE,cAAM,YAAY,SAAS,SAAS;AACpC,YAAI,WAAW;AACb,sBAAY,IAAI,YAAA,aAAa,KAAK,QAAQ,OAAO,SAAS,CAAC;QAC7D;AAEA,YAAI,QAAQ,SAAS;AACnB,sBAAY,IAAI,YAAA,cAAc,KAAK,QAAQ,OAAO,QAAQ,OAAO,CAAC;QACpE;AAEA,gBAAO,GAAA,yBAAA,0BACL;UACA,QAAQ,QAAQ,WAAW,SAAS,KAAK,YAAA;UACzC,SAAS;UACT,MAAM,KAAK,eAAe,KAAK;UAC/B,KAAK,QAAQ,WAAW,OAAO,IAAI,WAAW,CAAC;YAE/C,GAAA,yBAAA,2BAA0B,aAAa;UACrC,YAAY;UACZ,SAAS,QAAQ,WAAW,aAAa;UACzC,YAAY,KAAK,eACb;YACE,GAAI,SAAS,WAAW,CAAA;YACxB,OAAO,KAAK;cAEd,SAAS;UACb,eAAe;UACf,WAAW;SACZ,KAAK,CAAA,CAAE;MAEZ;MAEQ,iBAAiB,UAA2B;AAClD,YAAI,CAAC,SAAS,SAAS;AACrB,gBAAM,IAAI,MAAM,mBAAmB;QACrC;AAEA,YAAI,CAAC,SAAS,SAAS,SAAS,MAAM,WAAW,GAAG;AAClD,gBAAM,IAAI,MAAM,sBAAsB;QACxC;AAEA,cAAM,OAAO,oBAAI,IAAG;AACpB,mBAAW,QAAQ,SAAS,OAAO;AACjC,cAAI,CAAC,KAAK,QAAQ;AAChB,kBAAM,IAAI,MAAM,wBAAwB;UAC1C;AAEA,cAAI,CAAC,KAAK,QAAQ;AAChB,kBAAM,IAAI,MAAM,8BAA8B,KAAK,MAAM,EAAE;UAC7D;AAEA,cAAI,KAAK,IAAI,KAAK,MAAM,GAAG;AACzB,kBAAM,IAAI,MAAM,wBAAwB,KAAK,MAAM,EAAE;UACvD;AACA,eAAK,IAAI,KAAK,MAAM;QACtB;AAEA,mBAAW,QAAQ,SAAS,OAAO;AACjC,qBAAW,cAAc,KAAK,aAAa,CAAA,GAAI;AAC7C,gBAAI,CAAC,KAAK,IAAI,UAAU,GAAG;AACzB,oBAAM,IAAI,MACR,iCAAiC,KAAK,MAAM,IAAI,UAAU,EAAE;YAEhE;UACF;QACF;MACF;MAEQ,OACN,MACA,SAAyC;AAEzC,gBAAQ,KAAK,aAAa,CAAA,GAAI,MAAM,CAAC,eAAe,QAAQ,IAAI,UAAU,CAAC;MAC7E;MAEQ,iCACN,SACA,WACA,SAAyC;AAEzC,mBAAW,UAAU,MAAM,KAAK,OAAO,GAAG;AACxC,gBAAM,OAAO,UAAU,IAAI,MAAM;AACjC,cAAI,CAAC,QAAQ,CAAC,KAAK,aAAa,KAAK,UAAU,WAAW;AAAG;AAE7D,gBAAM,oBAAoB,KAAK,UAC5B,IAAI,CAAC,eAAe,QAAQ,IAAI,UAAU,CAAC,EAC3C,OAAO,OAAO;AAEjB,cAAI,kBAAkB,WAAW,KAAK,UAAU;AAAQ;AAExD,gBAAM,aAAa,kBAAkB,KACnC,CAAC,eAAe,WAAW,WAAW,WAAW;AAEnD,cAAI,CAAC;AAAY;AAEjB,kBAAQ,IAAI,KAAK,QAAQ;YACvB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,QAAQ;YACR,OAAO;YACP,WAAW,KAAK;YAChB,WAAW,KAAK,IAAG;YACnB,YAAY,KAAK,IAAG;YACpB,cAAc,KAAK;WACpB;AACD,kBAAQ,OAAO,KAAK,MAAM;QAC5B;MACF;MAEQ,oBACN,SACA,WACA,SACA,QACA,OAAa;AAEb,mBAAW,UAAU,SAAS;AAC5B,gBAAM,OAAO,UAAU,IAAI,MAAM;AACjC,cAAI,CAAC;AAAM;AACX,kBAAQ,IAAI,QAAQ;YAClB;YACA,QAAQ,KAAK;YACb;YACA;YACA,WAAW,KAAK;YAChB,WAAW,KAAK,IAAG;YACnB,YAAY,KAAK,IAAG;YACpB,cAAc,KAAK;WACpB;QACH;MACF;MAEQ,aACN,MACA,SACA,WACA,YACA,SAAe;AAEf,cAAM,iBAAiB,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,WAAW,EAAE;AACjF,cAAM,cAAc,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,QAAQ,EAAE;AAC3E,cAAM,eAAe,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,SAAS,EAAE;AAC7E,cAAM,eAAe,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,SAAS,EAAE;AAE7E,YAAI,SAA0B;AAC9B,YAAI,cAAc,KAAK,eAAe,KAAK,eAAe,GAAG;AAC3D,mBACE,SAAS,iBAAiB,SAAS,aAC/B,iBAAiB,IACf,YACA,WACF;QACR;AAEA,eAAO;UACL;UACA;UACA;UACA;UACA;UACA;UACA;UACA;UACA;UACA;UACA,UACE,SAAS,WACL;YACE,WAAW;YACX,WAAW;YACX,QAAQ;cAEV;;MAEV;MAEQ,iBACN,OACA,SAAyC;AAEzC,YAAI,OAAO,UAAU,UAAU;AAC7B,cAAI,CAAC,MAAM,WAAW,GAAG;AAAG,mBAAO;AACnC,iBAAO,KAAK,gBAAgB,MAAM,MAAM,CAAC,GAAG,OAAO;QACrD;AAEA,YAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,iBAAO,MAAM,IAAI,CAAC,UAAU,KAAK,iBAAiB,OAAO,OAAO,CAAC;QACnE;AAEA,YAAI,SAAS,OAAO,UAAU,UAAU;AACtC,iBAAO,OAAO,YACZ,OAAO,QAAQ,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM;YAC1C;YACA,KAAK,iBAAiB,OAAO,OAAO;WACrC,CAAC;QAEN;AAEA,eAAO;MACT;MAEQ,gBACNC,OACA,SAAyC;AAEzC,cAAM,CAAC,QAAQ,GAAG,QAAQ,IAAIA,MAAK,MAAM,GAAG;AAC5C,cAAM,SAAS,QAAQ,IAAI,MAAM;AACjC,YAAI,CAAC;AAAQ,iBAAO;AAEpB,YAAI,UAAmB;AACvB,mBAAW,WAAW,UAAU;AAC9B,cAAI,YAAY,UAAa,YAAY;AAAM,mBAAO;AACtD,cAAI,OAAO,YAAY;AAAU,mBAAO;AACxC,oBAAW,QAAoC,OAAO;QACxD;AACA,eAAO;MACT;MAEQ,eAAe,OAAc;AACnC,YAAI,iBAAiB;AAAY,iBAAO;AACxC,YAAI,OAAO,UAAU;AAAU,iBAAO,KAAK,QAAQ,OAAO,KAAK;AAC/D,YAAI,UAAU;AAAW,iBAAO,IAAI,WAAW,CAAC;AAChD,eAAO,KAAK,QAAQ,OAAO,KAAK,UAAU,KAAK,CAAC;MAClD;MAEQ,aAAa,MAAiB;AACpC,YAAI,CAAC,QAAQ,KAAK,WAAW;AAAG,iBAAO;AAEvC,YAAI;AACF,gBAAM,OAAO,KAAK,QAAQ,OAAO,IAAI;AACrC,cAAI;AACF,mBAAO,KAAK,MAAM,IAAI;UACxB,QAAQ;AACN,mBAAO,mBAAmB,KAAK,IAAI,IAAI,OAAO;UAChD;QACF,QAAQ;AACN,iBAAO;QACT;MACF;MAEQ,iBACN,SACA,QACA,QACA,QAAe;AAEf,cAAM,QAAO,GAAA,SAAA,YAAW,QAAQ;AAChC,aAAK,OAAO,OAAO;AACnB,aAAK,OAAO,GAAG;AACf,aAAK,OAAO,MAAM;AAClB,aAAK,OAAO,GAAG;AACf,aAAK,OAAO,OAAO,MAAM;AACzB,aAAK,OAAO,GAAG;AACf,aAAK,OAAO,KAAK,UAAU,UAAU,IAAI,CAAC;AAC1C,eAAO,KAAK,OAAO,KAAK;MAC1B;MAEQ,qBACN,UAA2B;AAE3B,cAAM,iBAAiB,oBAAI,IAAG;AAE9B,mBAAW,QAAQ,SAAS,OAAO;AACjC,qBAAW,WAAW,KAAK,OAAO,aAAa,KAAK,MAAM,GAAG;AAC3D,kBAAM,MAAM,QAAQ,KAAK,IAAI,CAAC,QAAQ,OAAO,GAAG,CAAC,EAAE,KAAI,EAAG,KAAK,GAAG;AAClE,gBAAI,CAAC,eAAe,IAAI,GAAG,GAAG;AAC5B,6BAAe,IAAI,KAAK,OAAO;YACjC;UACF;QACF;AAEA,eAAO,MAAM,KAAK,eAAe,OAAM,CAAE;MAC3C;MAEQ,MAAM,SACZ,UACA,SAA6D;AAE7D,YAAI,CAAC,KAAK;AAAoB;AAC9B,cAAM,KAAK,mBAAmB,SAAS,UAAU,OAAO;MAC1D;;AA1hBW,YAAA,oBAAAD;gCAAAA,qBAAiB,sBAAA,WAAA;OAD7B,GAAA,SAAA,YAAU;MAQN,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;2DADc,gBAAA,iBAAY,eAAZ,gBAAA,kBAAY,aAAA,KAAA,QAAA,QAAA,KAAA,OAEC,8BAAA,8BAAyB,eAAzB,8BAAA,+BAAyB,aAAA,KAAA,MAAA,CAAA;OARtDA,kBAAiB;;;;;AC9B9B;AAAA;AAAA;AAAA;AAAA;AAAA,IAaa,MAkBA;AA/Bb;AAAA;AAaO,IAAM,OAAO;AAAA;AAAA,MAElB,MAAM;AAAA;AAAA,MAEN,UAAU;AAAA;AAAA,MAEV,QAAQ;AAAA;AAAA,MAER,SAAS;AAAA;AAAA,MAET,UAAU;AAAA;AAAA,MAEV,OAAO;AAAA,IACT;AAKO,IAAM,sBAAsB;AAAA;AAAA;;;ACvBnC,SAAS,UAAU,OAAyB;AAC1C,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAAA,EAC5C;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,UAAU,OAAO,QAAQ,KAAgC,EAC5D,OAAO,CAAC,CAAC,EAAE,MAAM,MAAM,WAAW,MAAS,EAC3C,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,MAAM,KAAK,cAAc,KAAK,CAAC;AAEtD,UAAM,aAAsC,CAAC;AAC7C,eAAW,CAAC,KAAK,MAAM,KAAK,SAAS;AACnC,iBAAW,GAAG,IAAI,UAAU,MAAM;AAAA,IACpC;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,oBAAoB,OAAwB;AAC1D,SAAO,KAAK,UAAU,UAAU,KAAK,CAAC;AACxC;AA9BA;AAAA;AAAA;AAAA;;;ACQO,SAAS,kBACd,aACA,cACA,UACA,WACyB;AACzB,QAAM,MAAM,KAAK,IAAI;AAErB,SAAO;AAAA,IACL,GAAG;AAAA,IACH;AAAA,IACA,UAAU,WAAW,SAAS,WAAW,IAAI;AAAA,IAC7C,iBAAiB,UAAU,mBAAmB;AAAA,IAC9C,gBAAgB;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,mBAAmB,SAA0C;AAC3E,SAAO,KAAK,UAAU,OAAO;AAC/B;AAEO,SAAS,mBACd,KACgC;AAChC,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,QAAI,CAAC,UAAU,OAAO,MAAM,KAAK,CAAC,OAAO,aAAa,IAAI;AACxD,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB,KAAoC;AACrE,MAAI,CAAC,MAAM,QAAQ,GAAG,GAAG;AACvB,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,UAAoC,CAAC;AAC3C,aAAW,aAAa,KAAK;AAC3B,QAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,UAAU,SAAS,GAAG;AACrD;AAAA,IACF;AAEA,UAAM,cAAc,UAAU,CAAC;AAC/B,QAAI,CAAC,MAAM,QAAQ,WAAW,GAAG;AAC/B;AAAA,IACF;AAEA,eAAW,OAAO,aAAa;AAC7B,UAAI,CAAC,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,GAAG;AACzC;AAAA,MACF;AAEA,YAAM,KAAK,OAAO,IAAI,CAAC,CAAC;AACxB,YAAM,SAAS,MAAM,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;AACjD,YAAM,WAAW,YAAY,MAAM;AACnC,YAAM,UAAU,SAAS,IAAI,SAAS;AACtC,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,YAAM,UAAU,mBAAmB,OAAO;AAC1C,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,cAAQ,KAAK,EAAE,IAAI,QAAQ,CAAC;AAAA,IAC9B;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,sBAAsB,KAAoC;AACxE,MAAI,CAAC,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,GAAG;AACzC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,OAAO,MAAM,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;AAC/C,SAAO,mBAAmB,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC;AAC9C;AAEA,SAAS,YAAY,QAAoC;AACvD,QAAME,OAAM,oBAAI,IAAoB;AACpC,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK,GAAG;AACzC,UAAM,MAAM,OAAO,CAAC;AACpB,UAAM,QAAQ,OAAO,IAAI,CAAC;AAC1B,QAAI,QAAQ,UAAa,UAAU,QAAW;AAC5C,MAAAA,KAAI,IAAI,OAAO,GAAG,GAAG,OAAO,KAAK,CAAC;AAAA,IACpC;AAAA,EACF;AACA,SAAOA;AACT;AAzGA;AAAA;AAAA;AAAA;;;ACAA,SAAS,kBAAkB;AAsCpB,SAAS,wBAAwB,KAA8B;AACpE,QAAM,MAA+B;AAAA,IACnC,IAAI,IAAI;AAAA,IACR,SAAS,IAAI;AAAA,IACb,OAAO,IAAI;AAAA,IACX,WAAW,IAAI;AAAA,IACf,IAAI,IAAI;AAAA,IACR,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;AAAA,IACb,WAAW,IAAI;AAAA,IACf,UAAU,IAAI;AAAA,IACd,YAAY,IAAI;AAAA,IAChB,YAAY,IAAI;AAAA,IAChB,YAAY,IAAI;AAAA,IAChB,QAAQ,IAAI,OAAO,IAAI,CAAC,OAAO;AAAA,MAC7B,MAAM,EAAE;AAAA,MACR,QAAQ,EAAE;AAAA,MACV,SAAS,EAAE;AAAA,MACX,OAAO,EAAE;AAAA,MACT,YAAY,EAAE;AAAA,MACd,QAAQ,EAAE;AAAA,MACV,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,IACF,SAAS,IAAI,QAAQ,IAAI,CAAC,OAAO;AAAA,MAC/B,MAAM,EAAE;AAAA,MACR,SAAS,EAAE;AAAA,MACX,WAAW,EAAE;AAAA,MACb,YAAY,EAAE;AAAA,MACd,SAAS,EAAE;AAAA,MACX,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,EACJ;AAEA,SAAO,oBAAoB,GAAG;AAChC;AAKO,SAAS,gBAAgB,KAA8B;AAC5D,QAAM,YAAY,wBAAwB,GAAG;AAC7C,SAAO,WAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO,KAAK;AAC5D;AAWO,SAAS,qBACd,KACmC;AACnC,MAAI,CAAC,IAAI,YAAY,CAAC,IAAI,OAAO;AAC/B,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,eAAe,IAAI;AAAA,IACnB,aAAa,gBAAgB,GAAG;AAAA,IAChC,UAAU,KAAK,IAAI;AAAA,IACnB,SAAS;AAAA,MACP,QAAQ,IAAI;AAAA,MACZ,SAAS,IAAI;AAAA,MACb,UAAU,IAAI;AAAA,MACd,YAAY,IAAI;AAAA,MAChB,YAAY,IAAI;AAAA,MAChB,aAAa,IAAI,QAAQ;AAAA,MACzB,YAAY,IAAI,OAAO;AAAA,IACzB;AAAA,EACF;AACF;AAjHA;AAAA;AAGA;AAAA;AAAA;;;ACoDO,SAAS,eACd,KACA,UACiB;AAEjB,MAAI,CAAC,SAAS,UAAU,OAAO,SAAS,WAAW,UAAU;AAC3D,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,MAAI,SAAS,OAAO,CAAC,SAAS,QAAQ,SAAS,KAAK,WAAW,IAAI;AACjE,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,MAAI,SAAS,QAAQ,SAAS,KAAK,SAAS,cAAc;AACxD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ,yBAAyB,YAAY;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,SAAS,SAAS;AACpB,eAAW,OAAO,yBAAyB;AACzC,UAAI,SAAS,QAAQ,IAAI,GAAG,GAAG;AAC7B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,+CAA+C,GAAG;AAAA,QAC5D;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MACE,SAAS,OAAO,SAAS,QAAQ,KACjC,SAAS,OAAO,SAAS,OAAO,KAChC,SAAS,OAAO,SAAS,MAAM,GAC/B;AACA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,KAAK;AACxB;AAjHA,IAsCM,yBAqFO;AA3Hb;AAAA;AAAA;AAsCA,IAAM,0BAA0B,CAAC,GAAG,GAAG,CAAC;AAqFjC,IAAM,mBAAqC;AAAA;AAAA;;;AC3HlD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,cAAc,cAAc,oBAAoB;AAAzD;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,YAAY,OAAO;AAoDZ,SAAS,YAAY,OAA8B;AACxD,QAAM,WAAW;AAAA,IACf,MAAM,KAAK,MAAM,QAAQ,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO;AAAA,MACnD,MAAM;AAAA,MACN,OAAO;AAAA,IACT,EAAE;AAAA,EACJ;AAEA,MAAI,SAAS,SAAS,YAAa,OAAM,IAAI,MAAM,kBAAkB;AACrE,MAAI,MAAM,KAAK,SAAS,aAAc,OAAM,IAAI,MAAM,gBAAgB;AACtE,MAAI,MAAM,IAAI,SAAS,YAAa,OAAM,IAAI,MAAM,qBAAqB;AAGzE,QAAM,cAAc,aAAa,SAAS,MAAM;AAChD,QAAM,eAAe,aAAa,MAAM,KAAK,MAAM;AACnD,QAAM,cAAc,aAAa,MAAM,IAAI,MAAM;AAEjD,QAAM,WACJ;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAY,SACZ,aAAa,SACb,YAAY,SACZ,SAAS,SACT,MAAM,KAAK,SACX,MAAM,IAAI;AAEZ,MAAI,WAAW,cAAe,OAAM,IAAI,MAAM,uBAAuB;AAErE,QAAM,MAAM,IAAI,WAAW,QAAQ;AACnC,MAAI,SAAS;AAGb,MAAI,IAAI,YAAY,MAAM;AAC1B,YAAU;AAGV,MAAI,QAAQ,IAAI;AAGhB,MAAI,QAAQ,IAAI,MAAM;AAGtB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAEtB,MAAI,IAAI,cAAc,MAAM;AAC5B,YAAU,aAAa;AAEvB,MAAI,IAAI,aAAa,MAAM;AAC3B,YAAU,YAAY;AAGtB,MAAI,IAAI,UAAU,MAAM;AACxB,YAAU,SAAS;AAEnB,MAAI,IAAI,MAAM,MAAM,MAAM;AAC1B,YAAU,MAAM,KAAK;AAErB,MAAI,IAAI,MAAM,KAAK,MAAM;AACzB,YAAU,MAAM,IAAI;AAEpB,SAAO;AACT;AASO,SAAS,YAAY,KAA4B;AACtD,MAAI,SAAS;AAGb,MAAI,SAAS,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAC/D,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAI,IAAI,SAAS,CAAC,MAAM,WAAW,CAAC,EAAG,OAAM,IAAI,MAAM,eAAe;AAAA,EACxE;AACA,YAAU;AAGV,QAAM,MAAM,IAAI,QAAQ;AACxB,MAAI,QAAQ,aAAc,OAAM,IAAI,MAAM,wBAAwB,GAAG,EAAE;AAGvE,QAAM,QAAQ,IAAI,QAAQ;AAG1B,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,IAAI,aAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,YAAa,OAAM,IAAI,MAAM,uBAAuB;AAEjE,QAAM,EAAE,OAAO,SAAS,QAAQ,MAAM,IAAI,aAAa,KAAK,MAAM;AAClE,YAAU;AACV,MAAI,UAAU,aAAc,OAAM,IAAI,MAAM,qBAAqB;AAEjE,QAAM,EAAE,OAAO,QAAQ,QAAQ,MAAM,IAAI,aAAa,KAAK,MAAM;AACjE,YAAU;AACV,MAAI,SAAS,YAAa,OAAM,IAAI,MAAM,0BAA0B;AAGpE,MAAI,SAAS,SAAS,UAAU,SAAS,IAAI,QAAQ;AACnD,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AAEA,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAEV,QAAM,YAAY,IAAI,MAAM,QAAQ,SAAS,OAAO;AACpD,YAAU;AAEV,QAAM,WAAW,IAAI,MAAM,QAAQ,SAAS,MAAM;AAClD,YAAU;AAGV,QAAM,UAAU,WAAW,QAAQ;AAEnC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,KAAK;AAAA,EACP;AACF;AAMO,SAAS,cAAc,OAA8B;AAG1D,SAAO,YAAY;AAAA,IACjB,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB,CAAC;AACH;AA/LA,IAQa;AARb;AAAA;AA4BA;AAQA;AACA;AA7BO,IAAM,aAAe,SAAO;AAAA;AAAA,MAEjC,OAAS,SAAO,EAAE,IAAI,EAAE,YAAY;AAAA;AAAA,MAEpC,SAAW;AAAA,QACP,SAAO;AAAA,QACP,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,MACrD;AAAA;AAAA,MAEA,MAAQ,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA;AAAA,MAEzD,KAAO,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,IAC1D,CAAC;AAAA;AAAA;;;ACpBD,YAAYC,aAAY;AAgBjB,SAAS,wBAAwB,OAA0B;AAEhE,QAAM,kBAA6B;AAAA,IACjC,GAAG;AAAA,IACH,KAAK,IAAI,WAAW,CAAC;AAAA,EACvB;AAEA,QAAM,UAAU,YAAY,eAAe;AAC3C,SAAO,OAAO,KAAK,OAAO;AAC5B;AAWO,SAAS,UAAU,OAAkB,YAA4B;AACtE,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AAGJ,MAAI,WAAW,WAAW,IAAI;AAG5B,UAAM,cAAc,OAAO,KAAK;AAAA,MAC9B;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAClE;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IACpB,CAAC;AACD,UAAM,WAAW,OAAO,OAAO,CAAC,aAAa,UAAU,CAAC;AAExD,gBAAmB,yBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH,OAAO;AAEL,gBAAmB,yBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,YAAmB,aAAK,MAAM,SAAS,SAAS;AAEtD,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO;AACT;AAWO,SAAS,qBACd,OACA,WACS;AACT,MAAI,MAAM,IAAI,WAAW,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AACF,QAAI;AAGJ,QAAI,UAAU,WAAW,IAAI;AAG3B,YAAM,aAAa,OAAO,KAAK;AAAA,QAC7B;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,MACpE,CAAC;AACD,YAAM,UAAU,OAAO,OAAO,CAAC,YAAY,SAAS,CAAC;AAErD,kBAAmB,wBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH,OAAO;AAEL,kBAAmB,wBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,QAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,KAAK,MAAM,GAAG;AAAA,IACvB;AACA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;AAQO,SAAS,yBAGd;AACA,QAAM,EAAE,YAAY,UAAU,IAAW,4BAAoB,SAAS;AAEtE,SAAO;AAAA,IACL,YAAY,WAAW,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC;AAAA,IAC9D,WAAW,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAAA,EAC7D;AACF;AAQO,SAASC,QAAO,MAAmC;AACxD,SAAc,mBAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AACzD;AAUO,SAAS,mBACd,cACA,UACQ;AACR,QAAM,SAAgB,mBAAW,QAAQ;AACzC,SAAO,OAAO,YAAY;AAE1B,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO,OAAO,OAAO;AACvB;AAvLA;AAAA;AAEA;AAAA;AAAA;;;ACFA,IAGa,UAYA;AAfb;AAAA;AAGO,IAAM,WAAW;AAAA,MACtB,WAAW;AAAA;AAAA,MACX,cAAc;AAAA;AAAA,MACd,YAAY;AAAA;AAAA,MACZ,OAAO;AAAA;AAAA,MACP,OAAO;AAAA;AAAA,MACP,WAAW;AAAA;AAAA,MACX,WAAW;AAAA;AAAA,MACX,UAAU;AAAA;AAAA,IACZ;AAGO,IAAM,cAAc;AAAA,MACzB,2BAA2B;AAAA,MAC3B,2BAA2B;AAAA,MAE3B,0BAA0B;AAAA,MAC1B,0BAA0B;AAAA,MAE1B,8BAA8B;AAAA,MAC9B,8BAA8B;AAAA,MAE9B,6BAA6B;AAAA,MAC7B,6BAA6B;AAAA,IAC/B;AAAA;AAAA;;;AC3BA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAYA,SAAS,cAAAC,mBAA+B;AA4DjC,SAAS,cAAc,GAA4B;AACxD,MAAI,IAAI,OAAO,MAAM,WAAW,IAAI,OAAO,CAAC;AAC5C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,qCAAqC;AAEjE,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,cACd,KACA,QACA,SAAqB,gBACiC;AACtD,MAAI,IAAI;AACR,MAAI,QAAQ;AACZ,QAAM,QAAQ;AAEd,WAAS,IAAI,GAAG,IAAI,OAAO,gBAAgB,KAAK;AAC9C,QAAI,UAAU,IAAI,OAAQ,OAAM,IAAI,MAAM,0BAA0B;AACpE,UAAM,IAAI,IAAI,QAAQ;AACtB,SAAK,OAAO,IAAI,GAAI,KAAK;AAEzB,SAAK,IAAI,SAAU,GAAG;AACpB,YAAM,YAAY,SAAS;AAI3B,YAAM,KAAK,cAAc,CAAC;AAC1B,YAAM,WAAW,IAAI,SAAS,OAAO,MAAM;AAC3C,UAAI,CAAC,GAAG,OAAO,QAAQ;AACrB,cAAM,IAAI,MAAM,mCAAmC;AAErD,aAAO,EAAE,OAAO,GAAG,QAAQ,UAAU;AAAA,IACvC;AAEA,aAAS;AAAA,EACX;AAEA,QAAM,IAAI,MAAM,yBAAyB;AAC3C;AAMO,SAAS,YAAY,GAAmB;AAC7C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,mCAAmC;AAC/D,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,YAAY,KAAqB;AAC/C,MAAI,IAAI,WAAW,EAAG,OAAM,IAAI,MAAM,+BAA+B;AACrE,SAAO,IAAI,gBAAgB,CAAC;AAC9B;AAEO,SAASD,QAAO,MAAsB;AAC3C,SAAOC,YAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AAClD;AAMO,SAAS,UAAU,KAAa,OAAuB;AAC5D,MAAI,CAAC,OAAO,UAAU,GAAG,KAAK,OAAO;AACnC,UAAM,IAAI,MAAM,qCAAqC;AACvD,QAAM,IAAI,cAAc,GAAG;AAC3B,QAAM,IAAI,cAAc,MAAM,MAAM;AACpC,SAAO,OAAO,OAAO,CAAC,GAAG,GAAG,KAAK,CAAC;AACpC;AAEO,SAAS,yBAAyB,SAA+B;AAEtE,QAAM,SAAS,CAAC,GAAG,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;AAIxD,QAAM,QAAkB,CAAC;AACzB,aAAW,KAAK,OAAQ,OAAM,KAAK,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC;AAC5D,SAAO,OAAO,OAAO,KAAK;AAC5B;AAEO,SAAS,gBACd,QACA,SAAqB,gBACP;AACd,QAAM,MAAoB,CAAC;AAC3B,MAAI,MAAM;AAEV,SAAO,MAAM,OAAO,QAAQ;AAC1B,QAAI,IAAI,UAAU,OAAO;AACvB,YAAM,IAAI,MAAM,gCAAgC;AAElD,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,QAAI,MAAM,EAAG,OAAM,IAAI,MAAM,kCAAkC;AAC/D,QAAI,MAAM,OAAO;AACf,YAAM,IAAI,MAAM,kCAAkC;AACpD,QAAI,MAAM,MAAM,OAAO;AACrB,YAAM,IAAI,MAAM,kCAAkC;AAEpD,UAAM,QAAQ,OAAO,SAAS,KAAK,MAAM,GAAG;AAC5C,WAAO;AAEP,QAAI,KAAK,EAAE,KAAK,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC;AAAA,EAC7C;AAGA,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,QAAI,IAAI,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC,EAAE;AAC1B,YAAM,IAAI,MAAM,0CAA0C;AAAA,EAC9D;AAEA,SAAO;AACT;AAEO,SAAS,UAAU,SAAsC;AAC9D,QAAM,IAAmB,oBAAI,IAAI;AACjC,aAAW,KAAK,SAAS;AACvB,UAAM,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC;AAC7B,QAAI,KAAK,EAAE,KAAK;AAChB,MAAE,IAAI,EAAE,KAAK,GAAG;AAAA,EAClB;AACA,SAAO;AACT;AAQO,SAAS,0BACd,QACA,MACA,QAAQ,GACR,SAAqB,gBACf;AACN,MAAI,QAAQ,KAAK,IAAI,OAAO,iBAAiB,OAAO,eAAe,GAAG;AACpE,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,OAAO,gBAAgB,UAAU,IAAI,IAAI,OAAO,cAAc;AAChE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,QAAQ,oBAAI,IAA0B;AAC5C,aAAW,KAAK,MAAM;AACpB,QAAI,CAAC,MAAM,IAAI,EAAE,GAAG,EAAG,OAAM,IAAI,EAAE,KAAK,CAAC,CAAC;AAC1C,UAAM,IAAI,EAAE,GAAG,EAAG,KAAK,CAAC;AAAA,EAC1B;AAEA,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAGxE,MAAI,OAAO,QAAQ;AACjB,eAAW,OAAO,MAAM,KAAK,GAAG;AAC9B,UAAI,CAAC,WAAW,IAAI,GAAG;AACrB,cAAM,IAAI,MAAM,0CAA0C,GAAG,EAAE;AAAA,IACnE;AAAA,EACF;AAGA,aAAW,KAAK,OAAO,QAAQ;AAC7B,UAAM,OAAO,MAAM,IAAI,EAAE,GAAG,KAAK,CAAC;AAClC,QAAI,EAAE,YAAY,KAAK,WAAW;AAChC,YAAM,IAAI,MAAM,sCAAsC,EAAE,IAAI,EAAE;AAEhE,QAAI,CAAC,EAAE,YAAY,KAAK,SAAS,GAAG;AAClC,YAAM,IAAI;AAAA,QACR,4DAA4D,EAAE,IAAI;AAAA,MACpE;AAAA,IACF;AAGA,QAAI,OAAO,EAAE,WAAW,UAAU;AAChC,iBAAW,KAAK,MAAM;AACpB,YAAI,EAAE,MAAM,SAAS,EAAE;AACrB,gBAAM,IAAI,MAAM,8BAA8B,EAAE,IAAI,WAAW;AAAA,MACnE;AAAA,IACF;AAGA,eAAW,KAAK,MAAM;AACpB,cAAQ,EAAE,MAAM;AAAA,QACd,KAAK;AACH,cAAI,EAAE,MAAM,WAAW;AACrB,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF;AAAA,QACF,KAAK,UAAU;AACb,cAAI,CAAC,EAAE;AACL,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF,gBAAM,aAAa,gBAAgB,EAAE,OAAO,MAAM;AAClD;AAAA,YACE,EAAE;AAAA,YACF;AAAA,YACA,QAAQ;AAAA,YACR;AAAA,UACF;AACA;AAAA,QACF;AAAA,QACA;AAEE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,UAAU,MAA4B;AAE7C,MAAI,IAAI;AACR,aAAW,KAAK,MAAM;AACpB,SACE,cAAc,EAAE,GAAG,EAAE,SACrB,cAAc,EAAE,MAAM,MAAM,EAAE,SAC9B,EAAE,MAAM;AAAA,EACZ;AACA,SAAO;AACT;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACP;AACd,MAAI,KAAK,aAAa,OAAO;AAC3B,UAAM,IAAI,MAAM,sCAAsC;AAExD,QAAM,eAAe,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAU,CAAC;AAC3E,QAAM,OAAqB,CAAC;AAE5B,aAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,GAAG;AAC3D,UAAM,IAAI,aAAa,IAAI,IAAI;AAC/B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,oCAAoC,IAAI,EAAE;AAC5D;AAAA,IACF;AAEA,UAAM,UAAU,CAAC,MAAW;AAC1B,YAAM,WAAW,iBAAiB,GAAG,GAAG,MAAM;AAC9C,UAAI,SAAS,SAAS,OAAO;AAC3B,cAAM,IAAI,MAAM,oCAAoC;AACtD,WAAK,KAAK,EAAE,KAAK,EAAE,KAAK,OAAO,SAAS,CAAC;AAAA,IAC3C;AAEA,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,GAAG;AACpB,cAAM,IAAI;AAAA,UACR,qCAAqC,IAAI;AAAA,QAC3C;AACF,iBAAW,QAAQ,IAAK,SAAQ,IAAI;AAAA,IACtC,OAAO;AACL,cAAQ,GAAG;AAAA,IACb;AAAA,EACF;AAKA,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAGjD,SAAO;AACT;AAEA,SAAS,iBACP,GACA,KACA,QACQ;AACR,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,UAAI,OAAO,SAAS,GAAG,EAAG,QAAO,OAAO,KAAK,GAAG;AAChD,UAAI,eAAe,WAAY,QAAO,OAAO,KAAK,GAAG;AACrD,YAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,gBAAgB;AAAA,IAC7D,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,OAAO,KAAK,KAAK,MAAM;AAAA,IAChC,KAAK;AACH,UAAI,OAAO,QAAQ,YAAY,OAAO,QAAQ;AAC5C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,wBAAwB;AACrE,aAAO,cAAc,GAAG;AAAA,IAC1B,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,YAAY,GAAG;AAAA,IACxB,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AAEpE,YAAM,eACJ,OAAO,OAAO,QAAQ,YAAY,YAAY,MACzC,IAAY,SACb;AACN,UAAI,CAAC,gBAAgB,OAAO,iBAAiB;AAC3C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,YAAM,aAA0B;AAAA,QAC9B,UAAU,EAAE,aAAa;AAAA,QACzB,QAAQ;AAAA,MACV;AACA,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,YAAM,cAAc,yBAAyB,UAAU;AAEvD,YAAM,KAAK,gBAAgB,aAAa,MAAM;AAC9C,gCAA0B,EAAE,cAAc,IAAI,GAAG,MAAM;AACvD,aAAO;AAAA,IACT;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACR;AAEb,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAEjD,QAAM,SAA8B,CAAC;AACrC,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAExE,aAAW,KAAK,MAAM;AACpB,UAAM,IAAI,WAAW,IAAI,EAAE,GAAG;AAC9B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,kCAAkC,EAAE,GAAG,EAAE;AAC3D;AAAA,IACF;AAEA,UAAM,UAAU,iBAAiB,GAAG,EAAE,OAAO,MAAM;AAEnD,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,OAAO,EAAE,IAAI,CAAC,EAAG,QAAO,EAAE,IAAI,IAAI,CAAC;AACtD,aAAO,EAAE,IAAI,EAAE,KAAK,OAAO;AAAA,IAC7B,OAAO;AACL,aAAO,EAAE,IAAI,IAAI;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,OAAO,UAAU,OAAO;AAC7C;AAEA,SAAS,iBACP,GACA,OACA,QACK;AACL,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,aAAO,OAAO,KAAK,KAAK;AAAA,IAC1B,KAAK;AACH,aAAO,MAAM,SAAS,MAAM;AAAA,IAC9B,KAAK,WAAW;AACd,YAAM,IAAI,cAAc,OAAO,GAAG,MAAM;AACxC,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,qBAAqB,EAAE,IAAI;AAAA,QAC7B;AAEF,YAAM,QAAQ,OAAO,EAAE,KAAK;AAC5B,aAAO,OAAO,cAAc,KAAK,IAAI,QAAQ,EAAE;AAAA,IACjD;AAAA,IACA,KAAK;AACH,aAAO,YAAY,KAAK;AAAA,IAC1B,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AACpE,YAAM,aAAa,gBAAgB,OAAO,MAAM;AAGhD,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,aAAO,WAAW;AAAA,IACpB;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAqCO,SAAS,uBAAuB,KAAsC;AAC3E,MAAI,IAAI,MAAM,eAAe;AAC3B,UAAM,IAAI,MAAM,gDAAgD;AAClE,MAAI,IAAI,SAAS,eAAe;AAC9B,UAAM,IAAI,MAAM,mDAAmD;AACrE,MAAI,IAAI,WAAW,IAAI,QAAQ,eAAe;AAC5C,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,OAAqB;AAAA,IACzB,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,cAAc,OAAO,OAAO,KAAK,IAAI,UAAU,EAAE;AAAA,IACjE,EAAE,KAAK,SAAS,OAAO,OAAO,OAAO,KAAK,IAAI,KAAK,EAAE;AAAA,IACrD,EAAE,KAAK,SAAS,OAAO,OAAO,YAAY,IAAI,IAAI,EAAE;AAAA,IACpD,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,WAAW,OAAO,OAAO,KAAK,IAAI,QAAQ,EAAE;AAAA,EAC9D;AAEA,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,YAAY,OAAO,OAAO,KAAK,IAAI,SAAS,EAAE,CAAC;AAC3E,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,UAAU,OAAO,OAAO,KAAK,IAAI,OAAO,EAAE,CAAC;AAEvE,SAAO;AACT;AAEO,SAAS,yBACd,SACA,SAAqB,gBACF;AAEnB,QAAM,IAAI,UAAU,OAAO;AAE3B,QAAM,OAAO,CAAC,QAAgB;AAC5B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,OAAO,IAAI,WAAW;AACzB,YAAM,IAAI;AAAA,QACR,oDAAoD,GAAG;AAAA,MACzD;AACF,WAAO,IAAI,CAAC;AAAA,EACd;AACA,QAAM,UAAU,CAAC,QAAgB;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,IAAI,WAAW;AACjB,YAAM,IAAI,MAAM,4CAA4C,GAAG,EAAE;AACnE,WAAO,IAAI,CAAC;AAAA,EACd;AAEA,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,KAAK,YAAY,KAAK,SAAS,KAAK,CAAC;AAE3C,QAAM,QAAQ,KAAK,SAAS,KAAK;AACjC,MAAI,MAAM,WAAW;AACnB,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,WAAW,KAAK,SAAS,SAAS;AACxC,MAAI,SAAS,WAAW;AACtB,UAAM,IAAI,MAAM,sDAAsD;AAExE,QAAM,QAAQ,QAAQ,SAAS,QAAQ;AACvC,MAAI,SAAS,MAAM,WAAW;AAC5B,UAAM,IAAI,MAAM,qDAAqD;AAEvE,SAAO;AAAA,IACL,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,YAAY,OAAO,KAAK,KAAK,SAAS,YAAY,CAAC;AAAA,IACnD,WAAW,QAAQ,SAAS,UAAU,IAClC,OAAO,KAAK,QAAQ,SAAS,UAAU,CAAE,IACzC;AAAA,IACJ,OAAO,OAAO,KAAK,KAAK;AAAA,IACxB,MAAM;AAAA,IACN,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,UAAU,OAAO,KAAK,QAAQ;AAAA,IAC9B,SAAS,QAAQ,OAAO,KAAK,KAAK,IAAI;AAAA,EACxC;AACF;AAMO,SAAS,wBACd,QACA,KAGA,SAAqB,gBACsC;AAE3D,QAAM,WAAW,kBAAkB,QAAQ,IAAI,MAAM,MAAM;AAC3D,QAAM,YAAY,yBAAyB,QAAQ;AAGnD,QAAM,WAAWD,QAAO,SAAS;AAGjC,QAAM,MAAyB;AAAA,IAC7B,GAAG,IAAI;AAAA,IACP,UAAU,OAAO;AAAA,IACjB;AAAA,EACF;AACA,QAAM,UAAU,uBAAuB,GAAG;AAC1C,QAAM,WAAW,yBAAyB,OAAO;AAEjD,SAAO,EAAE,UAAU,WAAW,SAAS;AACzC;AAEO,SAAS,wBACd,QACA,UACA,WACA,SAAqB,gBACwD;AAC7E,QAAM,UAAU,gBAAgB,UAAU,MAAM;AAChD,QAAM,WAAW,gBAAgB,WAAW,MAAM;AAElD,QAAM,MAAM,yBAAyB,SAAS,MAAM;AAGpD,MAAI,IAAI,aAAa,OAAO;AAC1B,UAAM,IAAI,MAAM,4CAA4C;AAG9D,QAAM,KAAKA,QAAO,SAAS;AAC3B,MAAI,CAAC,OAAO,KAAK,IAAI,QAAQ,EAAE,OAAO,EAAE;AACtC,UAAM,IAAI,MAAM,6CAA6C;AAG/D,QAAM,OAAO,kBAAkB,QAAQ,UAAU,MAAM;AAEvD,QAAM,cAA+B;AAAA,IACnC,SAAS,UAAU,OAAO;AAAA,IAC1B,UAAU,UAAU,QAAQ;AAAA,IAC5B,UAAU,IAAI;AAAA,IACd,UAAU,IAAI;AAAA,EAChB;AAEA,SAAO,EAAE,KAAK,MAAM,YAAY;AAClC;AA5oBA,IA6Da,gBA+ZA,UAsLA,0BAYA,mCAUA;AAxqBb;AAAA;AA6DO,IAAM,iBAA6B;AAAA,MACxC,gBAAgB;AAAA,MAChB,aAAa;AAAA,MACb,eAAe;AAAA;AAAA,MACf,iBAAiB;AAAA,IACnB;AA0ZO,IAAM,WAAW;AAAA,MACtB,WAAW;AAAA,MACX,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,OAAO;AAAA,MACP,OAAO;AAAA,MACP,WAAW;AAAA,MACX,WAAW;AAAA,MACX,UAAU;AAAA,IACZ;AA6KO,IAAM,2BAAiD;AAAA,MAC5D,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,SAAS,UAAU,MAAM,QAAQ,IAAI;AAAA,QACvE,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,QAC/D,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,MACjE;AAAA,IACF;AAEO,IAAM,oCAA0D;AAAA,MACrE,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,MACxE;AAAA,IACF;AAEO,IAAM,gCAAsD;AAAA,MACjE,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACtE;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,cAAc;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACjrBO,SAAS,aAAa,QASlB;AACT,QAAM,MAA8B;AAAA,IAClC,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO;AAAA,IACjB,YAAY,OAAO,cAAc,OAAO,MAAM,CAAC;AAAA,IAC/C,WAAW,OAAO;AAAA,IAClB,OAAO,OAAO,SAAS,UAAQ,QAAQ,EAAE,YAAY,EAAE;AAAA,IACvD,MAAM,OAAO,QAAQ,OAAO,KAAK,IAAI,CAAC;AAAA,IACtC,UAAU,OAAO,YAAY,OAAO,MAAM,EAAE;AAAA,IAC5C,SAAS,OAAO;AAAA,EAClB;AAEA,QAAM,OAAY,uBAAuB,GAAG;AAC5C,SAAY,yBAAyB,IAAI;AAC3C;AAOO,SAAS,2BAA2B,QAMxC;AACD,QAAM,WAAgB;AAAA,IACf;AAAA,IACL;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBE,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,WAAW,OAAO;AAAA,IAClB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,6BAA6B,MAAc;AACzD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACd;AAAA,IACL;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAmDO,SAAS,8BAA8B,QAK3C;AACD,QAAM,WAAgB;AAAA,IACpB;AAAA,IACA;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,gCAAgC,MAAc;AAC5D,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAKO,SAAS,0BAA0B,QAUvC;AACD,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,UAAU,OAAO;AAAA,MACjB,cAAc,OAAO;AAAA,MACrB,gBAAgB,OAAO;AAAA,MACvB,mBAAmB,OAAO;AAAA,MAC1B,WAAW,OAAO;AAAA,MAClB,YAAY,OAAO;AAAA,IACrB;AAAA,EACF,CAAC;AAED,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,4BAA4B,MAAc;AACxD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,QAAM,IAAI,QAAQ;AAElB,SAAO;AAAA,IACL,UAAU,EAAE;AAAA,IACZ,cAAc,EAAE;AAAA,IAChB,gBAAgB,EAAE;AAAA,IAClB,mBAAmB,EAAE;AAAA,IACrB,WAAW,EAAE;AAAA,IACb,YAAY,EAAE;AAAA,EAChB;AACF;AA4BO,SAAS,2BAA2B,QAMhC;AACT,QAAM,SAA8B;AAAA,IAClC,WAAW,OAAO;AAAA,EACpB;AACA,MAAI,OAAO,YAAY,OAAW,QAAO,UAAU,OAAO;AAC1D,MAAI,OAAO,KAAM,QAAO,OAAO,OAAO;AACtC,MAAI,OAAO;AACT,WAAO,mBAAmB,OAAO;AACnC,MAAI,OAAO;AACT,WAAO,uBAAuB,KAAK,UAAU,OAAO,gBAAgB;AAEtE,QAAM,WAAgB,kBAAkB,mCAAmC;AAAA,IACzE,UAAU,YAAY;AAAA,IACtB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;AAsBO,SAAS,0BAA0B,QAK/B;AACT,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,SAAS,OAAO;AAAA,MAChB,OAAO,OAAO;AAAA,MACd,SAAS,OAAO;AAAA,MAChB,WAAW,OAAO;AAAA,IACpB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;AA/SA,IA6Ea,sCAUA,kCA8IA,mCA6CA;AAlRb;AAAA;AAAA;AACA;AA4EO,IAAM,uCAAkE;AAAA,MAC7E,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,MACxE;AAAA,IACF;AAEO,IAAM,mCAA8D;AAAA,MACzE,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACtE;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,QAAQ;AAAA,QACV;AAAA,QACA,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,QACzE,EAAE,KAAK,GAAG,MAAM,cAAc,MAAM,SAAS,UAAU,OAAO,QAAQ,IAAI;AAAA,MAC5E;AAAA,IACF;AA+GO,IAAM,oCAA+D;AAAA,MAC1E,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,QAAQ,UAAU,KAAK;AAAA;AAAA,QAC1D,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,WAAW,UAAU,MAAM;AAAA,QAC5D,EAAE,KAAK,GAAG,MAAM,QAAQ,MAAM,QAAQ,UAAU,MAAM;AAAA,QACtD,EAAE,KAAK,GAAG,MAAM,oBAAoB,MAAM,QAAQ,UAAU,MAAM;AAAA,QAClE,EAAE,KAAK,GAAG,MAAM,wBAAwB,MAAM,QAAQ,UAAU,MAAM;AAAA;AAAA,MACxE;AAAA,IACF;AAiCO,IAAM,mCAA8D;AAAA,MACzE,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACrE,EAAE,KAAK,GAAG,MAAM,SAAS,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACnE,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,QACvE,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,KAAK;AAAA,MAC7D;AAAA,IACF;AAAA;AAAA;;;AC5RA,SAAS,eAAAC,oBAAmB;AAErB,SAAS,UAAU,GAAmB;AAC3C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,YAAY;AACxC,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,QAAQ,GAA4B;AAClD,QAAM,IAAI,OAAO,MAAM,WAAW,OAAO,CAAC,IAAI;AAC9C,SAAO,UAAU,CAAC;AACpB;AAEO,SAAS,MAAM,GAAmB;AACvC,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,SAAS;AACrC,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,KAAK,GAAmB;AACtC,SAAO,OAAO,KAAK,GAAG,MAAM;AAC9B;AAEO,SAAS,MAAM,GAAgC;AACpD,SAAO,OAAO,SAAS,CAAC,IAAI,IAAI,OAAO,KAAK,CAAC;AAC/C;AAEO,SAAS,UAAkB;AAChC,SAAOA,aAAY,EAAE;AACvB;AAEO,SAAS,IAAI,MAAc,OAAuB;AACvD,MAAI,CAAC,OAAO,cAAc,IAAI,KAAK,OAAO,EAAG,OAAM,IAAI,MAAM,cAAc;AAC3E,SAAO,OAAO,OAAO;AAAA,IACnB,UAAU,OAAO,IAAI,CAAC;AAAA,IACtB,UAAU,OAAO,MAAM,MAAM,CAAC;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAOO,SAAS,UACd,OACA,MACQ;AACR,QAAM,QAAQ,MAAM,iBAAiB,oBAAI,IAAY;AACrD,QAAM,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,IAAI;AAExD,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,QAAI,OAAO,CAAC,EAAE,SAAS,OAAO,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG;AACvE,YAAM,IAAI,MAAM,gBAAgB,OAAO,CAAC,EAAE,IAAI,EAAE;AAAA,IAClD;AAAA,EACF;AAEA,SAAO,OAAO,OAAO,OAAO,IAAI,CAAC,OAAO,IAAI,GAAG,MAAM,GAAG,KAAK,CAAC,CAAC;AACjE;AAlEA;AAAA;AAAA;AAAA;;;ACaO,SAAS,iBAAiB,GAA+B;AAC9D,MACE,CAAC,OAAO,SAAS,EAAE,GAAG,KACtB,CAAC,OAAO,SAAS,EAAE,IAAI,KACvB,CAAC,OAAO,SAAS,EAAE,GAAG,GACtB;AACA,UAAM,IAAI,MAAM,mBAAmB;AAAA,EACrC;AACA,MAAI,EAAE,QAAQ,EAAG,OAAM,IAAI,MAAM,eAAe;AAEhD,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAC7C,QAAM,UAAU,UAAU,OAAO,EAAE,KAAK,MAAM,CAAC;AAC/C,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAE7C,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,OAAO,KAAK,CAAC,EAAE,MAAM,GAAI,CAAC;AAAA,IAC1B,OAAO,KAAK,CAAC,EAAE,QAAQ,GAAI,CAAC;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,EACJ,CAAC;AACH;AAtCA,IAGM;AAHN;AAAA;AACA;AAEA,IAAM,QAAQ,OAAO,KAAK,SAAS,OAAO;AAAA;AAAA;;;ACEnC,SAAS,kBAAkB,QAKvB;AACT,MAAI,OAAO,QAAQ,EAAG,OAAM,IAAI,MAAM,eAAe;AACrD,QAAM,SAAS,UAAU,OAAO,OAAO,IAAI,MAAM,CAAC;AAClD,QAAM,UAAU,UAAU,OAAO,OAAO,KAAK,MAAM,CAAC;AACpD,QAAM,aAAa,UAAU,EAAE;AAE/B,SAAO,OAAO,OAAO;AAAA,IACnBC;AAAA,IACA,OAAO,KAAK,CAAC,OAAO,MAAM,GAAI,CAAC;AAAA,IAC/B,OAAO,KAAK,CAAC,OAAO,QAAQ,GAAI,CAAC;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,EACT,CAAC;AACH;AA1BA,IAGMA;AAHN;AAAA;AACA;AAEA,IAAMA,SAAQ,OAAO,KAAK,SAAS,OAAO;AAAA;AAAA;;;ACOnC,SAAS,aAAa,KAAqB;AAChD,SAAO,IACJ,SAAS,QAAQ,EACjB,QAAQ,MAAM,EAAE,EAChB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG;AACvB;AAOO,SAAS,aAAa,KAAqB;AAEhD,QAAM,MAAM,IAAI,SAAS,IAAI,IAAI,OAAO,IAAK,IAAI,SAAS,CAAE,IAAI;AAChE,QAAM,UAAU,MAAM,KAAK,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAC/D,SAAO,OAAO,KAAK,QAAQ,QAAQ;AACrC;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,OAAO,KAAK,KAAK,QAAQ,CAAC;AAChD;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,GAAG,EAAE,SAAS,QAAQ;AAC5C;AAtDA;AAAA;AAAA;AAAA;;;ACcA,SAAS,QAAQ,OAAiB;AAChC,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,UAAU,QAAW;AACvB,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,OAAO;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,SAA8B,CAAC;AACrC,UAAM,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK;AAErC,eAAW,OAAO,MAAM;AACtB,YAAM,cAAc,QAAQ,MAAM,GAAG,CAAC;AAEtC,UAAI,gBAAgB,QAAW;AAC7B,eAAO,GAAG,IAAI;AAAA,MAChB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAQO,SAAS,cAAc,OAAoB;AAChD,SAAO,KAAK,UAAU,QAAQ,KAAK,CAAC;AACtC;AASO,SAAS,uBACd,KACA,SACQ;AACR,QAAM,WAAgC,CAAC;AAEvC,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,QAAQ,SAAS,GAAG,KAAK,IAAI,GAAG,MAAM,QAAW;AACpD,eAAS,GAAG,IAAI,IAAI,GAAG;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,cAAc,QAAQ;AAC/B;AA5EA;AAAA;AAAA;AAAA;;;ACAA,IAAa,wBAiBA;AAjBb;AAAA;AAAO,IAAM,yBAAN,cAAqC,MAAM;AAAA,MAChD,YACS,MACP,SACA;AACA,cAAM,OAAO;AAHN;AAIP,aAAK,OAAO;AAAA,MACd;AAAA,IACF;AASO,IAAM,iBAAN,MAAqB;AAAA;AAAA,MAO1B,YAAY,UAAe;AAN3B,aAAQ,WAAW;AACnB,aAAQ,UAAU;AAClB,aAAQ,gBAAgB;AAKtB,aAAK,WAAW;AAChB,aAAK,YAAY,KAAK,IAAI;AAAA,MAC5B;AAAA,MAEA,gBAAsB;AACpB,aAAK;AACL,YAAI,KAAK,WAAW,KAAK,SAAS,aAAa;AAC7C,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,uBAAuB,KAAK,QAAQ,IAAI,KAAK,SAAS,WAAW;AAAA,UACnE;AAAA,QACF;AAAA,MACF;AAAA,MAEA,eAAqB;AACnB,aAAK;AACL,YAAI,KAAK,SAAS,cAAc,KAAK,UAAU,KAAK,SAAS,YAAY;AACvE,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,sBAAsB,KAAK,OAAO,IAAI,KAAK,SAAS,UAAU;AAAA,UAChE;AAAA,QACF;AAAA,MACF;AAAA,MAEA,qBAA2B;AACzB,aAAK;AACL,YAAI,KAAK,gBAAgB,KAAK,SAAS,kBAAkB;AACvD,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,4BAA4B,KAAK,aAAa,IAAI,KAAK,SAAS,gBAAgB;AAAA,UAClF;AAAA,QACF;AAAA,MACF;AAAA,MAEA,YAAkB;AAChB,cAAM,UAAU,KAAK,IAAI,IAAI,KAAK;AAClC,YAAI,UAAU,KAAK,SAAS,WAAW;AACrC,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,4BAA4B,OAAO,MAAM,KAAK,SAAS,SAAS;AAAA,UAClE;AAAA,QACF;AAAA,MACF;AAAA,MAEA,eAAe,QAAsB;AAEnC,YAAI,KAAK,SAAS,eAAe,SAAS,GAAG,GAAG;AAC9C;AAAA,QACF;AAEA,YAAI,CAAC,KAAK,SAAS,eAAe,SAAS,MAAM,GAAG;AAClD,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,WAAW,MAAM,2BAA2B,KAAK,SAAS,eAAe,KAAK,IAAI,CAAC;AAAA,UACrF;AAAA,QACF;AAAA,MACF;AAAA,MAEA,aAA+B;AAC7B,eAAO;AAAA,UACL,UAAU,KAAK;AAAA,UACf,SAAS,KAAK;AAAA,UACd,eAAe,KAAK;AAAA,UACpB,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,QAC/B;AAAA,MACF;AAAA,MAEA,cAAc;AACZ,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAAA;AAAA;;;AC/FA,IASa,mBAiFA;AA1Fb;AAAA;AASO,IAAM,oBAAuD;AAAA;AAAA,MAElE,eAAe;AAAA,QACb,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,aAAa;AAAA,MAChC;AAAA;AAAA,MAGA,gBAAgB;AAAA,QACd,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,gBAAgB;AAAA,MACnC;AAAA,MACA,kBAAkB;AAAA,QAChB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,kBAAkB;AAAA,MACrC;AAAA;AAAA,MAGA,kBAAkB;AAAA,QAChB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,mBAAmB,mBAAmB;AAAA,MACzD;AAAA,MACA,mBAAmB;AAAA,QACjB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,oBAAoB,wBAAwB;AAAA,MAC/D;AAAA;AAAA,MAGA,aAAa;AAAA,QACX,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,kBAAkB;AAAA,MACrC;AAAA,MACA,cAAc;AAAA,QACZ,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,mBAAmB;AAAA,MACtC;AAAA,MACA,iBAAiB;AAAA,QACf,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,gBAAgB;AAAA,MACnC;AAAA;AAAA,MAGA,kBAAkB;AAAA,QAChB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,kBAAkB;AAAA,MACrC;AAAA,MACA,eAAe;AAAA,QACb,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,aAAa;AAAA,MAChC;AAAA;AAAA,MAGA,aAAa;AAAA,QACX,aAAa;AAAA,QACb,kBAAkB;AAAA;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,aAAa,aAAa;AAAA,MAC7C;AAAA,IACF;AAGO,IAAM,oBAAuC;AAAA,MAClD,aAAa;AAAA,MACb,kBAAkB;AAAA,MAClB,WAAW;AAAA,MACX,gBAAgB,CAAC,GAAG;AAAA;AAAA,IACtB;AAAA;AAAA;;;ACtFO,SAAS,UACd,KACA,KAC8B;AAC9B,MAAI,QAAQ;AACZ,MAAI,IAAI;AACR,SAAO,MAAM;AACX,QAAI,OAAO,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AACxD,UAAM,IAAI,OAAO,IAAI,KAAK,CAAC;AAC3B,UAAM,IAAI,UAAU;AACpB,SAAK,IAAI,WAAW,GAAI;AACxB,aAAS;AACT,QAAI,QAAQ,IAAK,OAAM,IAAI,MAAM,kBAAkB;AAAA,EACrD;AACA,SAAO,EAAE,KAAK,GAAG,IAAI;AACvB;AAYO,SAAS,UAAU,KAAa,WAAmB,KAAY;AACpE,QAAM,MAAa,CAAC;AACpB,MAAI,MAAM;AACV,SAAO,MAAM,IAAI,QAAQ;AACvB,QAAI,IAAI,UAAU,SAAU,OAAM,IAAI,MAAM,oBAAoB;AAChE,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,OAAO,OAAO,GAAG,GAAG;AAC1B,UAAM,MAAM,OAAO,GAAG,GAAG;AACzB,QAAI,MAAM,KAAK,MAAM,MAAM,IAAI,QAAQ;AACrC,YAAM,IAAI,MAAM,iBAAiB;AAAA,IACnC;AACA,UAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,GAAG;AACzC,WAAO;AACP,QAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAAA,EAC1B;AACA,SAAO;AACT;AASO,SAAS,OAAO,KAAoC;AACzD,QAAM,IAAI,oBAAI,IAAsB;AACpC,aAAW,MAAM,UAAU,GAAG,GAAG;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG,IAAI,KAAK,CAAC;AAC/B,QAAI,KAAK,GAAG,KAAe;AAC3B,MAAE,IAAI,GAAG,MAAM,GAAG;AAAA,EACpB;AACA,SAAO;AACT;AAEO,SAAS,OAAO,GAAgC;AACrD,MAAI,CAAC,EAAG,QAAO;AACf,SAAO,EAAE,SAAS,MAAM;AAC1B;AAEO,SAAS,eAAe,GAAgC;AAC7D,MAAI,CAAC,EAAG,QAAO;AACf,QAAM,EAAE,KAAK,IAAI,IAAI,UAAU,GAAG,CAAC;AACnC,MAAI,QAAQ,EAAE,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AAC7D,SAAO;AACT;AAMO,SAAS,aAAa,GAAgC;AAC3D,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,EAAE,WAAW,EAAG,OAAM,IAAI,MAAM,0BAA0B;AAC9D,SAAO,EAAE,gBAAgB,CAAC;AAC5B;AA9FA,IAAAC,YAAA;AAAA;AAAA;AAAA;;;AC6CO,SAAS,iBAAiB,KAAgC;AAC/D,MAAI,MAAM;AAEV,QAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,CAAC;AACvC,SAAO;AACP,MAAI,MAAM,WAAW,KAAK,CAAC,MAAM,OAAOC,MAAK;AAC3C,UAAM,IAAI,MAAM,iBAAiB;AAEnC,MAAI,MAAM,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AAC3D,QAAM,MAAM,IAAI,KAAK;AACrB,QAAM,QAAQ,IAAI,KAAK;AAGvB,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AAET,QAAM,SAAS,OAAO,GAAG,GAAG;AAC5B,QAAM,UAAU,OAAO,GAAG,GAAG;AAC7B,QAAM,SAAS,OAAO,GAAG,GAAG;AAE5B,MAAI,SAAS,KAAK,UAAU,KAAK,SAAS,EAAG,OAAM,IAAI,MAAM,eAAe;AAE5E,MAAI,MAAM,SAAS,UAAU,SAAS,IAAI;AACxC,UAAM,IAAI,MAAM,yBAAyB;AAG3C,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AACP,QAAM,OAAO,IAAI,SAAS,KAAK,MAAM,OAAO;AAC5C,SAAO;AACP,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AAEP,MAAI,QAAQ,IAAI,OAAQ,OAAM,IAAI,MAAM,sBAAsB;AAE9D,SAAO,EAAE,KAAK,OAAO,KAAK,MAAM,KAAK,WAAW,IAAI,OAAO;AAC7D;AArFA,IAwBMA;AAxBN;AAAA;AAAA,IAAAC;AAwBA,IAAMD,SAAQ,OAAO,KAAK,SAAS,OAAO;AAAA;AAAA;;;AC2DnC,SAAS,YACd,KACA,MACA,KACA,QAAgB,GACJ;AACZ,QAAM,KAAK,OAAO,GAAG;AAGrB,QAAM,cAAc;AACpB,QAAM,KAAK,QAAQ,cAAc,OAAO,IAAI,IAAI,oBAAI,IAAsB;AAE1E,QAAM,SAAS,OAAO,GAAG,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC;AAC3C,QAAM,eAAe,GAAG,IAAI,EAAE,cAAc,IAAI,CAAC;AACjD,QAAM,YAAY,eAAe,OAAO,eAAe,YAAY,CAAC,IAAI;AACxE,QAAM,aAAa,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AACzC,QAAM,UAAU,aAAa,WAAW,SAAS,KAAK,IAAI;AAC1D,QAAM,YAAY,GAAG,IAAI,EAAE,UAAU,IAAI,CAAC;AAC1C,QAAM,MAAM,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACrD,QAAM,QAAQ,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACjC,QAAM,OAAO,aAAa,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC;AAE9C,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AACpD,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM,yBAAyB;AACvD,MAAI,CAAC,SAAS,MAAM,SAAS,MAAM,MAAM,SAAS;AAChD,UAAM,IAAI,MAAM,kBAAkB;AACpC,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,oBAAoB;AAC9C,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,mBAAmB;AAE9C,SAAO;AAAA,IACL;AAAA,IACA,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,IACZ,SAAS;AAAA,IACT,UAAU;AAAA,IACV,WAAW;AAAA,IACX;AAAA,EACF;AACF;AA9HA,IAca;AAdb;AAAA;AAAA;AASA,IAAAE;AAKO,IAAM,IAAI;AAAA;AAAA,MAEf,QAAQ;AAAA;AAAA,MAER,KAAK;AAAA;AAAA,MAEL,gBAAgB;AAAA;AAAA;AAAA,MAEhB,UAAU;AAAA;AAAA,MAEV,YAAY;AAAA;AAAA,MAEZ,OAAO;AAAA;AAAA,MAEP,OAAO;AAAA;AAAA,MAEP,YAAY;AAAA;AAAA,MAEZ,MAAM;AAAA;AAAA,MAEN,MAAM;AAAA,IACR;AAAA;AAAA;;;ACnCA,IAUa,cAcA,oBAaA;AArCb;AAAA;AAIA;AAMO,IAAM,eAAe;AAAA,MAC1B,MAAM;AAAA,MACN,OAAO;AAAA,MACP,SAAS;AAAA,MACT,OAAO;AAAA,MACP,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAOO,IAAM,qBAAmD;AAAA,MAC9D,CAAC,UAAU,GAAG,CAAC;AAAA,MACf,CAAC,aAAa,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,MAC5C,CAAC,SAAS,GAAG,CAAC,MAAM;AAAA,MACpB,CAAC,UAAU,GAAG,CAAC,QAAQ,SAAS,OAAO;AAAA,MACvC,CAAC,UAAU,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,MACzC,CAAC,aAAa,GAAG,CAAC,QAAQ,SAAS,WAAW,SAAS;AAAA,IACzD;AAMO,IAAM,sBAAoD;AAAA,MAC/D,YAAY,CAAC;AAAA,MACb,YAAY,CAAC;AAAA,MACb,aAAa,CAAC;AAAA,MACd,YAAY,CAAC;AAAA,MACb,YAAY,CAAC;AAAA,MAEb,eAAe,CAAC,OAAO;AAAA,MACvB,iBAAiB,CAAC,MAAM;AAAA,MACxB,eAAe,CAAC,SAAS,OAAO;AAAA,MAEhC,kBAAkB,CAAC,SAAS,SAAS;AAAA,MACrC,mBAAmB,CAAC,SAAS,SAAS;AAAA,MAEtC,kBAAkB,CAAC,OAAO;AAAA,MAC1B,oBAAoB,CAAC,MAAM;AAAA;AAAA,MAG3B,oBAAoB,CAAC,SAAS;AAAA,MAC9B,wBAAwB,CAAC,SAAS;AAAA,MAClC,mBAAmB,CAAC,SAAS,SAAS;AAAA,MACtC,aAAa,CAAC,SAAS;AAAA,MACvB,eAAe,CAAC,MAAM;AAAA,MACtB,iBAAiB,CAAC,OAAO;AAAA,MACzB,kBAAkB,CAAC,SAAS,SAAS;AAAA,MACrC,iBAAiB,CAAC,SAAS,SAAS;AAAA,MACpC,cAAc,CAAC,SAAS,SAAS;AAAA,MACjC,oBAAoB,CAAC,SAAS,SAAS;AAAA,MACvC,iBAAiB,CAAC,OAAO;AAAA,MACzB,kBAAkB,CAAC,OAAO;AAAA,MAC1B,0BAA0B,CAAC,SAAS,SAAS;AAAA,MAE7C,WAAW,CAAC,OAAO;AAAA,IACrB;AAAA;AAAA;;;ACtEA,IAsBY;AAtBZ;AAAA;AAsBO,IAAK,eAAL,kBAAKC,kBAAL;AACL,MAAAA,cAAA,WAAQ;AACR,MAAAA,cAAA,cAAW;AACX,MAAAA,cAAA,aAAU;AACV,MAAAA,cAAA,aAAU;AACV,MAAAA,cAAA,UAAO;AALG,aAAAA;AAAA,OAAA;AAAA;AAAA;;;ACUL,SAAS,cAAc,IAAqB;AACjD,SAAO,aAAa,IAAI,EAAE;AAC5B;AAKO,SAAS,cAAc,IAAqB;AACjD,SACE,GAAG,WAAW,YAAY,KAC1B,GAAG,WAAW,aAAa,KAC3B,GAAG,WAAW,WAAW;AAE7B;AA7CA,IAMa;AANb;AAAA;AAMO,IAAM,eAAe,oBAAI,IAAI;AAAA,MAClC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAEA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA;AAAA;;;ACzBD,SAAS,cAAAC,mBAAkB;AAmBpB,SAAS,iBACd,UACA,KACA,SACA,QACA,QACA,IACQ;AACR,QAAM,IAAIA,YAAW,QAAQ;AAC7B,MAAI,SAAU,GAAE,OAAO,QAAQ;AAC/B,IAAE,OAAO,GAAG;AACZ,IAAE,OAAO,OAAO,KAAK,SAAS,MAAM,CAAC;AACrC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,GAAG,SAAS,GAAG,MAAM,CAAC;AAC3C,SAAO,EAAE,OAAO;AAClB;AAxCA;AAAA;AAAA;AAAA;;;ACoGO,SAAS,eAAe,QAAmC;AAChE,MAAI,uBAAuB,MAAM,GAAG;AAClC,WAAO,uBAAuB,MAAM;AAAA,EACtC;AAEA,QAAM,QAAQ,OAAO,MAAM,GAAG,EAAE,CAAC;AACjC,QAAM,cAAc,GAAG,KAAK;AAC5B,MAAI,uBAAuB,WAAW,GAAG;AACvC,WAAO,uBAAuB,WAAW;AAAA,EAC3C;AAEA,SAAO;AACT;AAKO,SAAS,gBAAgB,OAAkC;AAChE,UAAQ,OAAO;AAAA,IACb,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAhIA,IAKY,mBAUC;AAfb;AAAA;AAKO,IAAK,oBAAL,kBAAKC,uBAAL;AACL,MAAAA,sCAAA,SAAM,KAAN;AACA,MAAAA,sCAAA,YAAS,KAAT;AACA,MAAAA,sCAAA,UAAO,KAAP;AACA,MAAAA,sCAAA,cAAW,KAAX;AAJU,aAAAA;AAAA,OAAA;AAUL,IAAM,yBAA4D;AAAA;AAAA,MAEvE,eAAe;AAAA;AAAA,MAGf,gBAAgB;AAAA,MAChB,kBAAkB;AAAA,MAClB,2BAA2B;AAAA,MAC3B,2BAA2B;AAAA;AAAA,MAG3B,kBAAkB;AAAA,MAClB,eAAe;AAAA,MACf,oBAAoB;AAAA;AAAA,MAGpB,aAAa;AAAA,MACb,cAAc;AAAA,MACd,iBAAiB;AAAA,MACjB,eAAe;AAAA;AAAA,MAGf,kBAAkB;AAAA,MAClB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA;AAAA,MAGnB,aAAa;AAAA;AAAA,MAGb,wBAAwB;AAAA,MACxB,wBAAwB;AAAA,MACxB,yBAAyB;AAAA;AAAA,MAGzB,0BAA0B;AAAA,MAC1B,uBAAuB;AAAA;AAAA,MAGvB,6BAA6B;AAAA,MAC7B,8BAA8B;AAAA,MAC9B,6BAA6B;AAAA;AAAA,MAG7B,uBAAuB;AAAA,MACvB,qCAAqC;AAAA,MACrC,yBAAyB;AAAA,MACzB,0BAA0B;AAAA;AAAA,MAG1B,oBAAoB;AAAA,MACpB,mBAAmB;AAAA,MACnB,kBAAkB;AAAA;AAAA,MAGlB,wBAAwB;AAAA,MACxB,wBAAwB;AAAA,MACxB,iBAAiB;AAAA,MACjB,eAAe;AAAA,MACf,iBAAiB;AAAA;AAAA,MAGjB,gBAAgB;AAAA,MAChB,eAAe;AAAA,MACf,eAAe;AAAA,MACf,iBAAiB;AAAA,MACjB,uBAAuB;AAAA,MACvB,gCAAgC;AAAA;AAAA,MAGhC,2BAA2B;AAAA,MAC3B,8BAA8B;AAAA,MAC9B,yBAAyB;AAAA,MACzB,iBAAiB;AAAA,MACjB,mBAAmB;AAAA,IACrB;AAAA;AAAA;;;AC1FA;AAAA;AAAA;AAAA;AAAA;AAAA;AAsCO,SAAS,eAAe,QAAwB;AACrD,MAAI,gBAAgB,MAAM,GAAG;AAC3B,WAAO,gBAAgB,MAAM;AAAA,EAC/B;AAEA,aAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,eAAe,GAAG;AAChE,QAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,YAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,UAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AArDA,IASa,iBAmBA;AA5Bb;AAAA;AASO,IAAM,kBAA0C;AAAA,MACrD,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,aAAa;AAAA,MACb,YAAY;AAAA,MAEZ,eAAe;AAAA,MACf,iBAAiB;AAAA,MACjB,cAAc;AAAA,MACd,iBAAiB;AAAA,MAEjB,YAAY;AAAA,MAEZ,cAAc;AAAA,MAEd,WAAW;AAAA,IACb;AAGO,IAAM,kBAAkB;AAAA;AAAA;;;AChBxB,SAAS,mBAAmB,OAAqB;AACtD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,MAAM,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,kBAAkB,CAAC,OAAO,SAAS,WAAW,QAAQ;AAC5D,aAAW,OAAO,iBAAiB;AACjC,QAAI,OAAO,MAAM,GAAG,MAAM,YAAY,MAAM,GAAG,EAAE,SAAS,GAAG;AAC3D,aAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,OAAO,MAAM,OAAO,YAAY,CAAC,OAAO,SAAS,MAAM,EAAE,GAAG;AAC9D,WAAO;AAAA,EACT;AAEA,MACE,MAAM,QAAQ,WACb,OAAO,MAAM,QAAQ,YAAY,MAAM,IAAI,WAAW,IACvD;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,MAAM,OAAO,OAAO,MAAM,QAAQ,UAAU;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,QAAQ,SAAS;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,QAAQ,YAAY,MAAM,IAAI,IAAI,SAAS,GAAG;AACjE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,UAAU,YAAY,MAAM,IAAI,MAAM,SAAS,IAAI;AACtE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,SAAS,YAAY,MAAM,SAAS,MAAM;AACzD,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAKO,SAAS,iBACd,IACA,cAAsB,KACb;AACT,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,OAAO,KAAK,IAAI,MAAM,EAAE;AAC9B,SAAO,QAAQ;AACjB;AAxEA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAa,2BACA,wBACA;AAFb;AAAA;AAAO,IAAM,4BAA4B;AAClC,IAAM,yBAAyB;AAC/B,IAAM,6BAA6B;AAAA;AAAA;;;ACF1C;AAAA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AACA,QAAAC,UAAA,UAAA,QAAA;AAEA,QAAA,aAAA;AACA,QAAA,WAAA;AACA,QAAA,sBAAA;AACA,QAAA,qBAAA;AAEA,QAAA,kBAAA;AAKA,QAAA,iBAAA;AAQO,QAAMC,4BAAwB,6BAA9B,MAAM,yBAAwB;MAOnC,YAEE,UAEA,OAAuC;AAFtB,aAAA,WAAA;AAEA,aAAA,QAAA;AAVF,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;AAEzD,aAAA,OAAO;AACP,aAAA,OAAO;AACP,aAAA,cAAc;MAOpB;MAGH,MAAM,QACJ,MACA,SAAiC;AAEjC,cAAM,IAAI;AACV,YAAI,CAAC;AAAG,gBAAM,IAAI,MAAM,iBAAiB;AAEzC,cAAM,gBAAgB,EAAE,IAAI,EAAE;AAC9B,YAAI,CAAC;AAAe,gBAAM,IAAI,MAAM,mBAAmB;AACvD,cAAM,WAAW,IAAI,YAAW,EAAG,OAAO,aAAa;AAEvD,YAAI,aAAa;AACjB,YAAI,WAAW;AAEf,cAAM,aAAa,EAAE,IAAI,EAAE;AAC3B,YAAI,YAAY;AACd,gBAAM,EAAE,MAAK,KAAK,GAAA,SAAA,cAAa,UAAU;AACzC,uBAAa;QACf;AAEA,cAAM,WAAW,EAAE,IAAI,EAAE;AACzB,YAAI,UAAU;AACZ,gBAAM,EAAE,MAAK,KAAK,GAAA,SAAA,cAAa,QAAQ;AACvC,qBAAW;QACb;AAEA,cAAM,UAAU,MAAM,KAAK,SAAS,aAAa,QAAQ;AACzD,YAAI,CAAC,SAAS;AACZ,gBAAM,IAAI,MAAM,sBAAsB,QAAQ,EAAE;QAClD;AAEA,YAAI,QAAQ,WAAW,YAAY;AACjC,gBAAM,IAAI,MAAM,6BAA6B,QAAQ,MAAM,EAAE;QAC/D;AAEA,cAAM,OAAO,MAAM,KAAK,MAAM,UAC5B,UACA,QAAQ,QAAQ;AAElB,cAAM,WAAW,KAAK;AAEtB,YAAI,aAAa;AAAG,uBAAa;AACjC,YAAI,cAAc;AAAU,gBAAM,IAAI,MAAM,qBAAqB;AAEjE,YAAI,MAAM;AACV,YAAI,YAAY,GAAG;AACjB,gBAAM,KAAK,IAAI,aAAa,UAAU,QAAQ;QAChD;AAEA,cAAM,YAAY,MAAM;AACxB,cAAM,SAAS,MAAM,KAAK,MAAM,eAC9B,UACA,QAAQ,UACR,YACA,SAAS;AAGX,cAAM,kBAAkB,oBAAI,IAAG;AAC/B,wBAAgB,IAAI,KAAI,GAAA,SAAA,cAAa,QAAQ,CAAC;AAC9C,wBAAgB,IAAI,KAAI,GAAA,SAAA,cAAa,UAAU,CAAC;AAChD,wBAAgB,IAAI,KAAI,GAAA,SAAA,cAAa,SAAS,CAAC;AAE/C,eAAO;UACL,IAAI;UACJ,QAAQ;UACR,MAAM;UACN,SAAS;;MAEb;;AAnFW,YAAA,2BAAAA;AAeL,eAAA;OADL,GAAA,mBAAA,QAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,OAAM,CAAE;;2DAEjD,eAAU,eAAV,gBAAU,aAAA,KAAA,QAAA,QAAA,KAAA,OACN,QAAG,eAAH,SAAG,aAAA,KAAA,MAAA,CAAA;0DACZ,YAAO,eAAP,aAAO,aAAA,KAAA,MAAA;;uCAlBCA,4BAAwB,6BAAA,WAAA;OAFpC,GAAA,oBAAA,SAAQ,qBAAqB;OAC7B,GAAA,SAAA,YAAU;MASN,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,yBAAyB,CAAC;MAEjC,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,sBAAsB,CAAC;2DADJ,eAAA,uBAAkB,eAAlB,eAAA,wBAAkB,aAAA,KAAA,QAAA,QAAA,KAAA,OAErB,eAAA,oBAAe,eAAf,eAAA,qBAAe,aAAA,KAAA,MAAA,CAAA;OAX9BA,yBAAwB;AAwF9B,QAAMC,4BAAwB,6BAA9B,MAAM,yBAAwB;MAOnC,YAEE,UAEA,OAGA,SAA8C;AAL7B,aAAA,WAAA;AAEA,aAAA,QAAA;AAGA,aAAA,UAAA;AAbF,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;AAEzD,aAAA,OAAO;AACP,aAAA,OAAO;AACP,aAAA,cAAc;MAUpB;MAGH,MAAM,QACJ,MACA,SAAiC;AAEjC,cAAM,UAAU,IAAI,YAAW,EAAG,OAAO,IAAI;AAC7C,cAAM,MAAM,KAAK,MAAM,OAAO;AAE9B,cAAM,EAAE,QAAQ,aAAY,IAAK;AACjC,YAAI,CAAC;AAAQ,gBAAM,IAAI,MAAM,iBAAiB;AAE9C,cAAM,UAAU,MAAM,KAAK,SAAS,aAAa,MAAM;AACvD,YAAI,CAAC;AAAS,gBAAM,IAAI,MAAM,mBAAmB;AAEjD,YAAI,CAAE,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAI;AACvC,gBAAM,IAAI,MAAM,kBAAkB;QACpC;AAEA,cAAM,OAAOF,QAAO,WAAW,QAAQ;AACvC,cAAM,KAAK,KAAK,MAAM,qBAAqB,MAAM;AACjD,yBAAiB,SAAS,IAAI;AAC5B,eAAK,OAAO,KAAe;QAC7B;AACA,cAAM,YAAY,KAAK,OAAO,KAAK;AAEnC,YAAI,gBAAgB,cAAc,cAAc;AAC9C,gBAAM,IAAI,MAAM,eAAe;QACjC;AAEA,cAAM,YAAY,MAAM,KAAK,MAAM,gBACjC,QACA,QAAQ,QAAQ;AAGlB,cAAM,KAAK,SAAS,aAAa,QAAQ,YAAY,IAAI;AAEzD,YAAI,CAAC,KAAK,SAAS;AACjB,eAAK,OAAO,KAAK,2DAA2D;AAC5E,iBAAO;YACL,IAAI;YACJ,QAAQ;YACR,MAAM,IAAI,YAAW,EAAG,OACtB,KAAK,UAAU;cACb,UAAU;cACV,cAAc;cACd,WAAW,QAAQ;cACnB,MAAM,KAAK,IAAG;cACd,MAAM;aACP,CAAC;;QAGR;AAEA,cAAM,cAAc;UAClB,UAAU;UACV,cAAc;UACd,WAAW,QAAQ;UACnB,MAAM,KAAK,IAAG;;AAGhB,cAAM,cAAc,KAAK,UAAU,WAAW;AAC9C,cAAM,cAAc,IAAI,YAAW,EAAG,OAAO,WAAW;AAExD,cAAM,cAAc;AACpB,cAAM,gBAA2B;UAC/B,OAAO;UACP,SAAS,oBAAI,IAAG;UAChB,MAAM;UACN,KAAK,IAAI,WAAW,CAAC;;AAGvB,cAAM,cAAa,GAAA,WAAA,eAAc,aAAa;AAC9C,cAAM,EAAE,KAAK,IAAG,IAAK,KAAK,QAAQ,WAAW,UAAU;AACvD,sBAAc,MAAM;AAEpB,eAAO;UACL,IAAI;UACJ,QAAQ;UACR,OAAM,GAAA,WAAA,aAAY,aAAa;UAC/B,SAAS,oBAAI,IAAI,CAAC,CAAC,GAAG,IAAI,YAAW,EAAG,OAAO,GAAG,CAAC,CAAC,CAAC;;MAEzD;;AAlGW,YAAA,2BAAAE;AAkBL,eAAA;OADL,GAAA,mBAAA,QAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,SAAQ,CAAE;;2DAEnD,eAAU,eAAV,gBAAU,aAAA,KAAA,QAAA,QAAA,KAAA,OACN,QAAG,eAAH,SAAG,aAAA,KAAA,MAAA,CAAA;0DACZ,YAAO,eAAP,aAAO,aAAA,KAAA,MAAA;;uCArBCA,4BAAwB,6BAAA,WAAA;OAFpC,GAAA,oBAAA,SAAQ,qBAAqB;OAC7B,GAAA,SAAA,YAAU;MASN,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,yBAAyB,CAAC;MAEjC,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,sBAAsB,CAAC;MAE9B,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;MACV,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,0BAA0B,CAAC;2DAJR,eAAA,uBAAkB,eAAlB,eAAA,wBAAkB,aAAA,KAAA,QAAA,QAAA,KAAA,OAErB,eAAA,oBAAe,eAAf,eAAA,qBAAe,aAAA,KAAA,QAAA,QAAA,KAAA,OAGZ,eAAA,wBAAmB,eAAnB,eAAA,yBAAmB,aAAA,KAAA,MAAA,CAAA;OAdrCA,yBAAwB;;;;;AC7GrC,YAAY,QAAQ;AACpB,YAAY,UAAU;AADtB,IAUa;AAVb;AAAA;AAUO,IAAM,sBAAN,MAAqD;AAAA,MAI1D,YAAY,SAAqC;AAC/C,aAAK,YAAY,QAAQ;AACzB,aAAK,WAAW,QAAQ;AAAA,MAC1B;AAAA,MAEA,aAAa,QAAgB,UAA2B;AACtD,cAAM,eAAe,WAAgB,cAAS,QAAQ,IAAI;AAC1D,eAAY,UAAK,KAAK,WAAW,YAAY;AAAA,MAC/C;AAAA,MAEA,YAAY,QAAwB;AAClC,cAAM,SAAc,cAAS,MAAM;AACnC,eAAY,UAAK,KAAK,UAAU,MAAM;AAAA,MACxC;AAAA,MAEA,MAAM,UACJ,QACA,UACyB;AACzB,cAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,YAAI,CAAI,cAAW,SAAS,GAAG;AAC7B,gBAAM,IAAI,MAAM,sBAAsB;AAAA,QACxC;AACA,cAAM,OAAU,YAAS,SAAS;AAClC,eAAO,EAAE,MAAM,WAAW,MAAM,KAAK,KAAK;AAAA,MAC5C;AAAA,MAEA,MAAM,eACJ,QACA,UACA,OACA,QACiB;AACjB,cAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,cAAM,SAAS,OAAO,MAAM,MAAM;AAClC,cAAM,KAAQ,YAAS,WAAW,GAAG;AACrC,YAAI;AACF,UAAG,YAAS,IAAI,QAAQ,GAAG,QAAQ,KAAK;AAAA,QAC1C,UAAE;AACA,UAAG,aAAU,EAAE;AAAA,QACjB;AACA,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,QAAQ,QAAkC;AAC9C,cAAM,WAAW,KAAK,YAAY,MAAM;AACxC,eAAU,cAAW,QAAQ;AAAA,MAC/B;AAAA,MAEA,MAAM,gBACJ,QACA,UACiB;AACjB,cAAM,WAAW,KAAK,YAAY,MAAM;AACxC,cAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AAEpD,YAAI;AACF,gBAAS,YAAS,OAAO,UAAU,SAAS;AAAA,QAC9C,QAAQ;AACN,gBAAS,YAAS,SAAS,UAAU,SAAS;AAC9C,gBAAS,YAAS,OAAO,QAAQ;AAAA,QACnC;AAEA,eAAO;AAAA,MACT;AAAA,MAEA,qBAAqB,QAAuC;AAC1D,cAAM,WAAW,KAAK,YAAY,MAAM;AACxC,eAAU,oBAAiB,QAAQ;AAAA,MACrC;AAAA,IACF;AAAA;AAAA;;;;;;;;ACpFA,QAAA,WAAA,UAAA,gBAAA;AAqBA,aAAS,UAAU,KAAY;AAC7B,aACG,IAAI,QAAQ,iBAAiB,GAAc,MAAM,GAAG,EAAE,CAAC,GAAG,KAAI,KAC9D,IAAI,QAAQ,WAAW,KACxB,IAAI,OAAO,iBACX;IAEJ;AAiBa,YAAA,WAAU,GAAA,SAAA,sBACrB,CAAC,OAAgB,QAAiC;AAChD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,aAAO,IAAI;IACb,CAAC;AAcU,YAAA,UAAS,GAAA,SAAA,sBACpB,CAAC,OAAgB,QAA6C;AAC5D,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,aAAO,UAAU,GAAG;IACtB,CAAC;AAkBU,YAAA,eAAc,GAAA,SAAA,sBACzB,CAAC,OAAgB,QAA0C;AACzD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,YAAM,WAAY,IAAY,QAAQ,CAAA;AACtC,aAAO;QACL,KAAK,IAAI;QACT,IAAI,UAAU,GAAG;QACjB,gBAAgB,SAAS;QACzB,iBAAiB,SAAS,mBAAmB;;IAEjD,CAAC;AAeU,YAAA,kBAAiB,GAAA,SAAA,sBAC5B,CAAC,OAAgB,QAA6C;AAC5D,UAAI,QAAQ,IAAI,aAAa;AAAe,eAAO;AACnD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,aAAO,IAAI,QAAQ,eAAe;IACpC,CAAC;AAqBU,YAAA,aAAY,GAAA,SAAA,sBACvB,CAAC,OAAgB,QAAsC;AACrD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,YAAM,UAAW,IAAY;AAC7B,UAAI,CAAC,SAAS;AACZ,cAAM,IAAI,MACR,8HACsE;MAE1E;AACA,aAAO;IACT,CAAC;;;;;;;;;;;;;;;;;;;;;;;ACnJH,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AAEA,QAAA,uBAAA;AAKA,QAAA,sBAAA;AAGO,QAAMC,4BAAwB,6BAA9B,MAAM,yBAAwB;MAGnC,YACmB,WACA,WACA,UAA0B;AAF1B,aAAA,YAAA;AACA,aAAA,YAAA;AACA,aAAA,WAAA;AALF,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;MAM/D;MAEH,yBAAsB;AACpB,cAAM,YAAY,KAAK,UAAU,aAAY;AAC7C,YAAI,QAAQ;AAEZ,mBAAW,WAAW,WAAW;AAC/B,gBAAM,EAAE,SAAQ,IAAK;AACrB,cAAI,CAAC,YAAY,CAAC,SAAS;AAAa;AAExC,gBAAM,OAAO,KAAK,UAAU,IAC1B,qBAAA,uBACA,SAAS,WAAW;AAEtB,cAAI,CAAC;AAAM;AAEX,gBAAM,WAAW;AACjB,cAAI,OAAO,SAAS,YAAY,YAAY;AAC1C,iBAAK,OAAO,KACV,gBAAgB,SAAS,YAAY,IAAI,uCAAuC;AAElF;UACF;AAEA,eAAK,SAAS,SAAS,UAAU,IAAI;AACrC;QACF;AAEA,aAAK,OAAO,IAAI,mBAAmB,KAAK,4BAA4B;MACtE;;AApCW,YAAA,2BAAAA;uCAAAA,4BAAwB,6BAAA,WAAA;OADpC,GAAA,SAAA,YAAU;2DAKqB,OAAA,qBAAgB,eAAhB,OAAA,sBAAgB,aAAA,KAAA,QAAA,QAAA,KAAA,OAChB,OAAA,cAAS,eAAT,OAAA,eAAS,aAAA,KAAA,QAAA,QAAA,KAAA,OACV,oBAAA,qBAAgB,eAAhB,oBAAA,sBAAgB,aAAA,KAAA,MAAA,CAAA;OANlCA,yBAAwB;;;;;;;;;;;;;;;;;;;;;;;ACXrC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AAEA,QAAA,uBAAA;AACA,QAAA,8BAAA;AACA,QAAA,sBAAA;AACA,QAAA,qBAAA;AACA,QAAA,kBAAA;AA+BO,QAAMC,2BAAuB,4BAA7B,MAAM,wBAAuB;MAGlC,YACmB,WACA,SACA,QAAoB;AAFpB,aAAA,YAAA;AACA,aAAA,UAAA;AACA,aAAA,SAAA;AALF,aAAA,SAAS,IAAI,SAAA,OAAO,0BAAwB,IAAI;MAM9D;MAEH,eAAY;AACV,cAAM,YAAY,KAAK,UAAU,aAAY;AAC7C,YAAI,eAAe;AAEnB,mBAAW,WAAW,WAAW;AAC/B,gBAAM,EAAE,UAAU,SAAQ,IAAK;AAC/B,cAAI,CAAC,YAAY,CAAC;AAAU;AAG5B,gBAAM,cAAc,QAAQ,YAAY,oBAAA,sBAAsB,QAAQ;AACtE,cAAI,CAAC;AAAa;AAElB,gBAAM,cAAc,YAAY,UAAU,SAAS;AACnD,gBAAM,SAAS,YAAY,UAAU,SAAS;AAC9C,gBAAM,QAAQ,OAAO,eAAe,QAAQ;AAC5C,gBAAM,UAAU,KAAK,QAAQ,kBAAkB,KAAK;AACpD,gBAAM,SACJ,QAAQ,YAAY,mBAAA,mBAAmB,QAAQ,KAAK,CAAA;AACtD,gBAAM,gBAAgB,IAAI,IAAI,OAAO,IAAI,CAAC,UAAU,OAAO,MAAM,UAAU,CAAC,CAAC;AAC7E,cAAI,aAAa;AAGjB,gBAAM,iBACJ,QAAQ,YAAY,4BAAA,qBAAqB,QAAQ,KAAK,CAAA;AACxD,gBAAM,mBACJ,QAAQ,YAAY,qBAAA,uBAAuB,QAAQ,KAAK,CAAA;AAE1D,qBAAW,SAAS,QAAQ;AAC1B,kBAAM,aAAa,MAAM,WACrB,MAAM,SACN,GAAG,MAAM,IAAI,MAAM,MAAM;AAE7B,gBAAI,CAAC,KAAK,OAAO,IAAI,UAAU,GAAG;AAChC,mBAAK,OAAO,SAAS,YAAa,SAAiB,MAAM,UAAU,EAAE,KAAK,QAAQ,CAAC;AACnF;AACA;YACF;AAEA,iBAAK,OAAO,mBACV,YACA,OACA,OAAO,MAAM,UAAU,GACvB,gBACA,gBAAgB;UAEpB;AAEA,qBAAW,cAAc,SAAS;AAChC,gBAAI,cAAc,IAAI,UAAU;AAAG;AAEnC,kBAAM,OAAO,QAAQ,YACnB,mBAAA,qBACA,OACA,UAAU;AAEZ,gBAAI,CAAC,MAAM;AAAQ;AAEnB,kBAAM,aAAa,KAAK,WAAW,KAAK,SAAS,GAAG,MAAM,IAAI,KAAK,MAAM;AAIzE,gBAAI,CAAC,KAAK,OAAO,IAAI,UAAU,GAAG;AAChC,mBAAK,OAAO,SACV,YACC,SAAiB,UAAU,EAAE,KAAK,QAAQ,CAAC;AAE9C;AACA;YACF;AAIA,iBAAK,OAAO,mBACV,YACA,OACA,YACA,gBACA,gBAAgB;UAEpB;AAEA,cAAI,aAAa,GAAG;AAClB,iBAAK,OAAO,IACV,mBAAmB,UAAU,iBAAiB,WAAW,EAAE;UAE/D;QACF;AAEA,aAAK,OAAO,IACV,+BAA+B,YAAY,0BAA0B;MAEzE;;AApGW,YAAA,0BAAAA;sCAAAA,2BAAuB,4BAAA,WAAA;OADnC,GAAA,SAAA,YAAU;2DAKqB,OAAA,qBAAgB,eAAhB,OAAA,sBAAgB,aAAA,KAAA,QAAA,QAAA,KAAA,OAClB,OAAA,oBAAe,eAAf,OAAA,qBAAe,aAAA,KAAA,QAAA,QAAA,KAAA,OAChB,gBAAA,iBAAY,eAAZ,gBAAA,kBAAY,aAAA,KAAA,MAAA,CAAA;OAN5BA,wBAAuB;;;;;;;;;;;;;;;;;;;;;ACtCpC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,gBAAA;AA0BO,QAAMC,kBAAc,mBAApB,MAAM,eAAc;MAIzB,YAA6B,eAA4B;AAA5B,aAAA,gBAAA;AAHrB,aAAA,UAAwB,CAAA;AACf,aAAA,SAAS,IAAI,SAAA,OAAO,iBAAe,IAAI;MAEI;MAc5D,SAAS,QAAkB;AAEzB,YAAI,CAAC,OAAO,MAAM;AAChB,gBAAM,IAAI,MAAM,6BAA6B;QAC/C;AAGA,cAAM,oBAAoB,KAAK,cAAc,IAAY,iBAAiB;AAC1E,cAAM,qBACJ,KAAK,cAAc,IAAY,kBAAkB;AAEnD,cAAM,iBAAiB,oBACnB,kBAAkB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAI,CAAE,IAChD;AACJ,cAAM,kBAAkB,qBACpB,mBAAmB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAI,CAAE,IACjD,CAAA;AAEJ,YAAI,kBAAkB,CAAC,eAAe,SAAS,OAAO,IAAI,GAAG;AAC3D,eAAK,OAAO,IAAI,sDAAsD,OAAO,IAAI,EAAE;AACnF;QACF;AAEA,YAAI,gBAAgB,SAAS,OAAO,IAAI,GAAG;AACzC,eAAK,OAAO,IAAI,mDAAmD,OAAO,IAAI,EAAE;AAChF;QACF;AAEA,YAAI,OAAO,UAAU,QAAW;AAC9B,gBAAM,IAAI,MAAM,eAAe,OAAO,IAAI,4BAA4B;QACxE;AAGA,cAAM,oBAAoB,KAAK,kBAAkB,MAAM;AACvD,cAAM,qBAAqB,KAAK,mBAAmB,MAAM;AAEzD,YAAI,qBAAqB,OAAO,SAAS,IAAI;AAC3C,eAAK,OAAO,KACV,eAAe,OAAO,IAAI,2CAA2C,OAAO,KAAK,mBAAmB;QAExG;AACA,YAAI,sBAAsB,OAAO,QAAQ,IAAI;AAC3C,eAAK,OAAO,KACV,eAAe,OAAO,IAAI,4CAA4C,OAAO,KAAK,oBAAoB;QAE1G;AAEA,aAAK,QAAQ,KAAK,MAAM;AACxB,cAAM,aACJ,OAAO,OAAO,UAAU,WACpB,OAAO,QACP,OAAO,OAAO,SAAS;AAC7B,aAAK,OAAO,MACV,sBAAsB,OAAO,IAAI,YAAY,OAAO,KAAK,YAAY,UAAU,GAAG;MAEtF;MAOA,OAAI;AACF,eAAO,CAAC,GAAG,KAAK,OAAO,EAAE,KACvB,CAAC,GAAG,OAAO,EAAE,SAAS,QAAQ,EAAE,SAAS,IAAI;MAEjD;MAQA,sBAAmB;AACjB,eAAO,KAAK,KAAI,EAAG,OAAO,CAAC,OAA2B,EAAE,SAAS,OAAO,EAAE;MAC5E;MAQA,uBAAoB;AAClB,eAAO,KAAK,KAAI,EAAG,OACjB,CAAC,OAA4B,EAAE,SAAS,QAAQ,EAAE;MAEtD;MASQ,kBAAkB,QAAkB;AAC1C,cAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,eAAO,UAAU,iBAAiB,OAAO,SAAS,OAAO;MAC3D;MASQ,mBAAmB,QAAkB;AAC3C,cAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,eAAO,UAAU,kBAAkB,OAAO,SAAS,QAAQ;MAC7D;MAQA,wBAAqB;AACnB,eAAO;UACL,gBAAgB,KAAK,oBAAmB,EAAG;UAC3C,iBAAiB,KAAK,qBAAoB,EAAG;;MAEjD;MAQA,QAAK;AACH,aAAK,UAAU,CAAA;MACjB;;AA3JW,YAAA,iBAAAA;6BAAAA,kBAAc,mBAAA,WAAA;OAD1B,GAAA,SAAA,YAAU;2DAKmC,SAAA,kBAAa,eAAb,SAAA,mBAAa,aAAA,KAAA,MAAA,CAAA;OAJ9CA,eAAc;;;;;;;;;;;;;;;;;;;;;;;AC3B3B,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AAEA,QAAA,qBAAA;AAIA,QAAA,oBAAA;AAEA,QAAA,iBAAA;AAUO,QAAMC,0BAAsB,2BAA5B,MAAM,uBAAsB;MAGjC,YACmB,WACA,WACA,UAAwB;AAFxB,aAAA,YAAA;AACA,aAAA,YAAA;AACA,aAAA,WAAA;AALF,aAAA,SAAS,IAAI,SAAA,OAAO,yBAAuB,IAAI;MAM7D;MAEH,yBAAsB;AACpB,cAAM,YAAY,KAAK,UAAU,aAAY;AAC7C,YAAI,QAAQ;AAEZ,mBAAW,WAAW,WAAW;AAC/B,gBAAM,EAAE,SAAQ,IAAK;AACrB,cAAI,CAAC,YAAY,CAAC,SAAS;AAAa;AAExC,gBAAM,OAAO,KAAK,UAAU,IAC1B,mBAAA,qBACA,SAAS,WAAW;AAEtB,cAAI,CAAC;AAAM;AAEX,gBAAM,SAAS;AAEf,cAAI,CAAC,OAAO,QAAQ,OAAO,UAAU,QAAW;AAC9C,iBAAK,OAAO,KACV,gBAAgB,SAAS,YAAY,IAAI,uCAAkC;AAE7E;UACF;AAGA,cAAI,CAAC,OAAO,OAAO;AACjB,kBAAM,iBAAiB,SAAS,OAAO,KAAK,QAAQ;AACnD,mBAAe,QACd,mBACC,OAAO,QAAQ,eAAA,sBAAsB,eAAe;UACzD;AAEA,eAAK,SAAS,SAAS,MAAM;AAC7B;QACF;AAEA,aAAK,OAAO,IAAI,mBAAmB,KAAK,wBAAwB;MAClE;;AA7CW,YAAA,yBAAAA;qCAAAA,0BAAsB,2BAAA,WAAA;OADlC,GAAA,SAAA,YAAU;2DAKqB,OAAA,qBAAgB,eAAhB,OAAA,sBAAgB,aAAA,KAAA,QAAA,QAAA,KAAA,OAChB,OAAA,cAAS,eAAT,OAAA,eAAS,aAAA,KAAA,QAAA,QAAA,KAAA,OACV,kBAAA,mBAAc,eAAd,kBAAA,oBAAc,aAAA,KAAA,MAAA,CAAA;OANhCA,uBAAsB;;;;;ACnBnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,eAAAC,oBAAmB;AAkErB,SAAS,kBACd,WACA,IACiB;AACjB,SAAO;AAAA,IACL,IAAIA,aAAY,EAAE,EAAE,SAAS,KAAK;AAAA,IAClC,SAAS,KAAK,IAAI;AAAA,IAClB;AAAA,IACA;AAAA,IACA,QAAQ,CAAC;AAAA,IACT,SAAS,CAAC;AAAA,IACV,OAAO,CAAC;AAAA,EACV;AACF;AAIO,SAAS,WACd,KACA,MACkB;AAClB,QAAM,QAA0B,EAAE,MAAM,QAAQ,MAAM,SAAS,KAAK,IAAI,EAAE;AAC1E,MAAI,OAAO,KAAK,KAAK;AACrB,SAAO;AACT;AAEO,SAAS,SACd,OACA,SAAiC,MACjC,QACA,MACM;AACN,QAAM,QAAQ,KAAK,IAAI;AACvB,QAAM,aAAa,MAAM,QAAQ,MAAM;AACvC,QAAM,SAAS;AACf,MAAI,OAAQ,OAAM,SAAS;AAC3B,MAAI,KAAM,OAAM,OAAO;AACzB;AAIO,SAAS,aACd,KACA,MACA,SACA,WACA,YACA,SACA,MACM;AACN,MAAI,QAAQ,KAAK,EAAE,MAAM,SAAS,WAAW,YAAY,SAAS,KAAK,CAAC;AAC1E;AAIO,SAAS,oBACd,KACA,UACA,YACA,YACM;AACN,MAAI,QAAQ,KAAK,IAAI;AACrB,MAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,MAAI,WAAW;AACf,MAAI,aAAa;AACjB,MAAI,WAAY,KAAI,aAAa;AACnC;AApIA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,oBAAA;AACA,QAAA,gBAAA;AAQsB,WAAA,eAAA,SAAA,kBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAPpB,cAAA;IAAc,EAAA,CAAA;AAOP,WAAA,eAAA,SAAA,eAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aANP,cAAA;IAAW,EAAA,CAAA;AAIb,QAAA,qBAAA;AAsCO,QAAMC,0BAAN,MAAM,uBAAsB;MACjC,YAA6B,UAAwB;AAAxB,aAAA,WAAA;MAA2B;MAKxD,MAAM,SACJ,OACA,QAA+C,eAC/C,cAA6B;AAE7B,YAAI,UAAU,cAAc;AAC1B,iBAAO,KAAK,gBAAgB,KAAK,SAAS,oBAAmB,GAAI,KAAK;QACxE;AAEA,YAAI,UAAU,QAAQ;AACpB,gBAAM,eAAe,MAAM,KAAK,gBAC9B,KAAK,SAAS,oBAAmB,GACjC,KAAK;AAEP,gBAAM,aAAY,GAAA,cAAA,yBAAwB,YAAY;AACtD,cAAI,CAAC,UAAU;AAAO,mBAAO;AAC7B,iBAAO,KAAK,gBACV,KAAK,SAAS,qBAAoB,GAClC,OACA,YAAY;QAEhB;AAGA,eAAO,KAAK,gBACV,KAAK,SAAS,qBAAoB,GAClC,OACA,YAAY;MAEhB;MAGA,MAAM,YAAY,OAAkB;AAClC,eAAO,KAAK,gBAAgB,KAAK,SAAS,oBAAmB,GAAI,KAAK;MACxE;MAGA,MAAM,aACJ,OACA,cAA6B;AAE7B,eAAO,KAAK,gBACV,KAAK,SAAS,qBAAoB,GAClC,OACA,YAAY;MAEhB;MAEQ,MAAM,gBACZ,SACA,OACA,cAA6B;AAG7B,cAAM,kBAAkB,QAAQ,OAC9B,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,SAAS,KAAK,CAAC;AAIzC,cAAM,iBAAiB,gBACnB,GAAA,cAAA,yBAAwB,YAAY,IACpC;AAEJ,YAAI,YAAY,gBAAgB,aAAa;AAC7C,cAAM,UAAoB,gBAAgB,UACtC,CAAC,GAAG,eAAe,OAAO,IAC1B,CAAA;AACJ,cAAM,OAA4B,gBAAgB,OAC9C,EAAE,GAAG,eAAe,KAAI,IACxB,CAAA;AACJ,YAAI,gBAAgB,gBAAgB,SAAS;AAC7C,YAAI,mBAAwC,gBAAgB,SACxD,mBACA,EAAE,GAAG,eAAe,QAAQ,iBAAgB,IAC5C,CAAA;AAEJ,mBAAW,UAAU,iBAAiB;AACpC,cAAI;AACF,kBAAM,KAAK,KAAK,IAAG;AACnB,kBAAM,cAAc,MAAM,OAAO,IAAI,KAAK;AAC1C,kBAAM,UAAU,KAAK,IAAG,IAAK;AAC7B,kBAAM,YAAW,GAAA,cAAA,yBAAwB,WAAW;AAGpD,kBAAM,MAAM,MAAM,UAAU;AAC5B,gBAAI,KAAK;AACP,eAAA,GAAA,mBAAA,cACE,KACA,OAAO,MACP,SAAS,OACT,SAAS,WACT,SACA,SAAS,SACT,SAAS,QAAQ,SAAa,SAAiB,IAAI;YAEvD;AAGA,gBAAI,CAAC,SAAS,OAAO;AACnB,qBAAO;gBACL,OAAO;gBACP,WAAW,KAAK,IAAI,KAAK,YAAY,SAAS,SAAS;gBACvD,SAAS,CAAC,GAAG,SAAS,GAAG,SAAS,OAAO;gBACzC;;YAEJ;AAGA,wBAAY,KAAK,IAAI,KAAK,YAAY,SAAS,SAAS;AACxD,oBAAQ,KAAK,GAAG,SAAS,OAAO;AAGhC,gBAAI,SAAS,MAAM;AACjB,qBAAO,OAAO,MAAM,SAAS,IAAI;YACnC;AAGA,gBAAI,SAAS,SAAS,kBAAkB,QAAW;AACjD,8BACE,kBAAkB,SACd,SAAS,QAAQ,gBACjB,KAAK,IAAI,eAAe,SAAS,QAAQ,aAAa;YAC9D;AAEA,gBAAI,SAAS,SAAS,kBAAkB;AACtC,iCAAmB;gBACjB,GAAG;gBACH,GAAG,SAAS,QAAQ;;YAExB;UACF,SAAS,OAAO;AAEd,oBAAQ,MAAM,kBAAkB,OAAO,IAAI,YAAY,KAAK;AAE5D,kBAAM,MAAM,MAAM,UAAU;AAC5B,gBAAI,KAAK;AACP,eAAA,GAAA,mBAAA,cAAa,KAAK,OAAO,MAAM,OAAO,KAAK,GAAG;gBAC5C,gBAAgB,OAAO,IAAI;eAC5B;YACH;AAEA,mBAAO;cACL,OAAO;cACP,WAAW;cACX,SAAS,CAAC,gBAAgB,OAAO,IAAI,EAAE;;UAE3C;QACF;AAEA,cAAM,eACJ,OAAO,KAAK,gBAAgB,EAAE,SAAS,IAAI,mBAAmB;AAEhE,eAAO;UACL,OAAO;UACP;UACA;UACA;UACA,SACE,kBAAkB,UAAa,eAC3B;YACE;YACA,kBAAkB;cAEpB;;MAEV;;AA3KW,YAAA,yBAAAA;qCAAAA,0BAAsB,WAAA;OADlC,GAAA,SAAA,YAAU;2DAE8B,kBAAA,mBAAc,eAAd,kBAAA,oBAAc,aAAA,KAAA,MAAA,CAAA;OAD1CA,uBAAsB;;;;;ACvC5B,SAAS,iBACd,UACA,MACY;AACZ,QAAM,aAAS,oCAAiB,QAAQ;AACxC,QAAM,QAAQ,OAAO,OAAO,QAAQ,CAAC,UAAU;AAC7C,UAAM,QAAS,KAAiC,MAAM,IAAI;AAC1D,QAAI,UAAU,UAAa,UAAU,MAAM;AACzC,UAAI,MAAM,UAAU;AAClB,cAAM,IAAI,MAAM,wCAAwC,MAAM,IAAI,EAAE;AAAA,MACtE;AACA,aAAO,CAAC;AAAA,IACV;AAEA,WAAO,CAAC,EAAE,MAAM,MAAM,KAAK,OAAO,YAAY,OAAO,KAAK,EAAE,CAAC;AAAA,EAC/D,CAAC;AAED,SAAO,UAAU,KAAK;AACxB;AAEA,SAAS,YAAY,OAAuB,OAAwB;AAClE,UAAQ,MAAM,MAAM;AAAA,IAClB,KAAK;AACH,aAAO,OAAO,KAAK,OAAO,KAAK,GAAG,MAAM;AAAA,IAC1C,KAAK;AACH,aAAO,UAAU,KAAK;AAAA,IACxB,KAAK;AAAA,IACL,KAAK;AACH,aAAO,SAAS,KAAK;AAAA,IACvB,KAAK;AACH,aAAO,OAAO,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;AAAA,IACpC,KAAK;AAAA,IACL,KAAK;AACH,aAAO,OAAO,KAAK,KAAK,UAAU,KAAK,GAAG,MAAM;AAAA,IAClD;AACE,aAAO,SAAS,KAAK;AAAA,EACzB;AACF;AAEA,SAAS,UAAU,OAAwB;AACzC,QAAM,UAAU,OAAO,MAAM,CAAC;AAC9B,UAAQ;AAAA,IACN,OAAO,UAAU,WAAW,QAAQ,OAAO,KAAwB;AAAA,EACrE;AACA,SAAO;AACT;AAEA,SAAS,SAAS,OAAwB;AACxC,MAAI,OAAO,SAAS,KAAK,GAAG;AAC1B,WAAO;AAAA,EACT;AACA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,OAAO,KAAK,KAAK;AAAA,EAC1B;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,OAAO,KAAK,OAAO,MAAM;AAAA,EAClC;AAEA,QAAM,IAAI,MAAM,gCAAgC,OAAO,KAAK,EAAE;AAChE;AAnEA;AAAA;AAAA;AAAA;AAAA;;;ACwRO,SAAS,uBACd,QACA,UAAkB,YAClB,QAAgB,QACR;AAGR,SAAO,MAAM,OAAO,IAAI,KAAK,IAAI,MAAM;AACzC;AAMO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU;AAAA,IACd,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI;AAAA,IAC/C,MAAM;AAAA,MACJ,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,IACjB;AAAA,IACA,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,MAAM,KAAK,KAAK,KAAK;AAAA,EACvE;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;AAKO,SAAS,kBAAkB,OAAmC;AACnE,QAAM,UAAU;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,QAAQ,MAAM;AAAA,IACd,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,IAClB,MAAM,MAAM;AAAA,IACZ,MAAM,MAAM;AAAA,EACd;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;AAjUA;AAAA;AAyQA;AAAA;AAAA;;;ACzQA,IAgBM,iBAcO;AA9Bb;AAAA;AAaA;AACA;AAEA,IAAM,kBAAgD;AAAA,MACpD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEO,IAAM,8BAAN,MAAwD;AAAA,MAAxD;AACL,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA;AAAA,MAEjB,SAAS,OAA6B;AAEpC,eACE,MAAM,UAAU,QAAQ,QACxB,MAAM,UAAU,gBAAgB;AAAA,MAEpC;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,gBAAgB;AAAA,YACpC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,mBAAW,SAAS,iBAAiB;AACnC,cAAI,SAAS,KAAK,MAAM,UAAa,SAAS,KAAK,MAAM,MAAM;AAC7D,mBAAO;AAAA,cACL,OAAO;AAAA,cACP,WAAW;AAAA,cACX,SAAS,CAAC,GAAG,UAAU,gBAAgB,aAAa,KAAK,EAAE;AAAA,cAC3D,MAAM,UAAU;AAAA,YAClB;AAAA,UACF;AAAA,QACF;AAGA,YAAI,SAAS,QAAQ,sBAAsB;AACzC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,mBAAmB,KAAK,SAAS,GAAG,EAAE;AAAA,YAC7D,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,CAAC,eAAe,KAAK,SAAS,aAAa,GAAG;AAChD,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,gBAAgB;AAAA,YAC/B;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,YAAI,SAAS,cAAc,WAAW,kBAAkB,GAAG;AACzD,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,gBAAgB,8BAA8B;AAAA,YACrE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,UAAU,SAAS;AACzB,YACE,CAAC,QAAQ,cACT,CAAC,QAAQ,OACT,CAAC,QAAQ,OACT,CAAC,QAAQ,OACT,CAAC,QAAQ,UACT,CAAC,QAAQ,OACT,CAAC,QAAQ,YACT;AACA,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,eAAe,6BAA6B;AAAA,YACnE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,CAAC,SAAS,cAAc,cAAc,CAAC,SAAS,cAAc,KAAK;AACrE,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,qBAAqB;AAAA,YACpC;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,mBAAmB;AAElC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACjCA,SAASC,cAAa,KAAsB;AAC1C,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,MAAM,IAAI,IAAIA,aAAY,EAAE,KAAK,GAAG,IAAI;AAAA,EACjD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAS,OAAO,KAAK,GAAa,EACrC,KAAK,EACL;AAAA,MACC,CAAC,MACC,KAAK,UAAU,CAAC,IAChB,MACAA,cAAc,IAAgC,CAAC,CAAC;AAAA,IACpD;AACF,WAAO,MAAM,OAAO,KAAK,GAAG,IAAI;AAAA,EAClC;AACA,SAAO,KAAK,UAAU,GAAG;AAC3B;AA7HA,IAiCa;AAjCb;AAAA;AAWA;AACA;AAqBO,IAAM,2BAAN,MAAqD;AAAA,MAK1D,YACmB,aACA,mBACjB;AAFiB;AACA;AANnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAKd;AAAA,MAEH,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,qBAAqB;AAAA,MAC9C;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,WAAW,MAAM,UAAU;AACjC,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,gBAAgB;AAAA,YACpC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,YAAY,MAAM,KAAK,YAAY,QAAQ,SAAS,UAAU;AACpE,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,oBAAoB,SAAS,SAAS,UAAU;AAAA,YAC/D;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAIA,cAAM,EAAE,YAAY,GAAG,SAAS,IAAI;AACpC,cAAM,YAAYA,cAAa,QAAQ;AACvC,cAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAElD,cAAM,QAAQ,MAAM,KAAK,kBAAkB;AAAA,UACzC;AAAA,UACA,WAAW;AAAA,UACX,UAAU;AAAA,UACV,UAAU;AAAA,QACZ;AAEA,YAAI,CAAC,OAAO;AACV,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,kBAAkB;AAAA,YACtC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,eAAe;AAC9B,cAAM,SAAS,uBAAuB;AAEtC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,EAAE,KAAK,SAAS,WAAW;AAAA,QACnC;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC2CA,SAAS,cAAc;AACvB,SAAS,cAAAC,mBAAkB;AAE3B,SAASC,cAAa,KAAsB;AAC1C,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,MAAM,IAAI,IAAIA,aAAY,EAAE,KAAK,GAAG,IAAI;AAAA,EACjD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAS,OAAO,KAAK,GAAa,EACrC,KAAK,EACL;AAAA,MACC,CAAC,MACC,KAAK,UAAU,CAAC,IAChB,MACAA,cAAc,IAAgC,CAAC,CAAC;AAAA,IACpD;AACF,WAAO,MAAM,OAAO,KAAK,GAAG,IAAI;AAAA,EAClC;AACA,SAAO,KAAK,UAAU,GAAG;AAC3B;AAEA,SAAS,oBAAoB,QAAyC;AACpE,QAAM,YAAYA,cAAa,MAAM;AACrC,QAAM,OAAO,OAAO,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AACvD,SAAO,YAAYD,YAAW,IAAI,EAAE,MAAM,GAAG,EAAE;AACjD;AA9KA,IA+Ba;AA/Bb;AAAA;AAUA;AACA;AAoBO,IAAM,+BAAN,MAAyD;AAAA,MAK9D,YACmB,mBACA,iBACjB;AAFiB;AACA;AANnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAKd;AAAA,MAEH,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,qBAAqB;AAAA,MAC9C;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU,aAAa;AAI7C,YAAI,CAAC,SAAS;AACZ,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,QAAQ,sBAAsB;AACxC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,mBAAmB,mBAAmB,QAAQ,GAAG;AAAA,YAChE;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,EAAE,YAAY,YAAY,GAAG,WAAW,IAAI;AAClD,cAAM,aAAa,oBAAoB,UAAU;AACjD,YAAI,eAAe,YAAY;AAC7B,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,mBAAmB,yBAAyB;AAAA,YACnE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,YAAY,MAAM,KAAK,kBAAkB;AAAA,UAC7C,QAAQ,WAAW;AAAA,QACrB;AACA,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,mBAAmB,wBAAwB;AAAA,YAClE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,EAAE,YAAY,KAAK,GAAG,KAAK,IAAI;AACrC,cAAM,WAAW,MAAM,KAAK,gBAAgB;AAAA,UAC1C;AAAA,UACA;AAAA,UACA,UAAU;AAAA,QACZ;AACA,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,mBAAmB;AAAA,YACvC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC/C,YAAI,QAAQ,MAAM,YAAY;AAC5B,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,eAAe,SAAS,QAAQ,GAAG,EAAE;AAAA,YAC5D,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,MAAM,aAAa,GAAG;AAChC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,qBAAqB,SAAS,QAAQ,GAAG,EAAE;AAAA,YAClE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,qBAAqB;AACpC,cAAM,SAAS,aAAa;AAE5B,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,EAAE,YAAY,QAAQ,WAAW;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AClJA,IAcM,iBAEO;AAhBb;AAAA;AAUA;AACA;AAGA,IAAM,kBAAkB;AAEjB,IAAM,qBAAN,MAA+C;AAAA,MAKpD,YAA6B,SAAiB,iBAAiB;AAAlC;AAJ7B,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAE+C;AAAA,MAEhE,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,uBAAuB;AAAA,MAChD;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU;AAChC,YAAI,CAAC,SAAS;AACZ,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,QAAQ,KAAK,IAAI;AAGvB,YAAI,QAAQ,QAAQ,SAAS,KAAK,QAAQ;AACxC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,kBAAkB,qBAAqB,QAAQ,MAAM,SAAS,KAAK;AAAA,YAClF;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,QAAQ,WAAW,KAAK,QAAQ;AAC1C,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,iBAAiB,sBAAsB,QAAQ,QAAQ,SAAS,KAAK;AAAA,YACpF;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,cAAc;AAE7B,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC1EA,IAca;AAdb;AAAA;AAWA;AACA;AAEO,IAAM,iCAAN,MAA2D;AAAA,MAKhE,YAEmB,cACjB;AADiB;AANnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAKd;AAAA,MAEH,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,uBAAuB;AAAA,MAChD;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU;AAChC,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,WAAW,CAAC,UAAU;AACzB,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,QAAQ,KAAK,cAAc;AACrC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,iBAAiB,iBAAiB,QAAQ,GAAG,cAAc,KAAK,YAAY;AAAA,YAC3F;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAIA,cAAM,gBAAgB,MAAM,UAAU,MAAM,UAAU;AACtD,YAAI,iBAAiB,QAAQ,WAAW,eAAe;AACrD,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,eAAe,oBAAoB,QAAQ,MAAM,aAAa,aAAa;AAAA,YAC1F;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,SAAS,eAAe,QAAQ,KAAK;AACvC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,eAAe,kBAAkB,SAAS,UAAU,iBAAiB,QAAQ,GAAG;AAAA,YAC/F;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,qBAAqB;AAEpC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC3FA,IAsCa,wBAqCA;AA3Eb;AAAA;AAWA;AACA;AA0BO,IAAM,yBAAN,MAAuD;AAAA,MAAvD;AACL,aAAQ,SAAS,oBAAI,IAAoB;AACzC,aAAQ,WAAW,oBAAI,IAAY;AACnC,aAAQ,UAAU,oBAAI,IAAY;AAAA;AAAA,MAElC,MAAM,aAAa,KAAa,OAAiC;AAC/D,aAAK,QAAQ;AACb,YAAI,KAAK,OAAO,IAAI,GAAG,EAAG,QAAO;AACjC,aAAK,OAAO,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK;AACvC,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,kBAAkB,WAAqC;AAC3D,eAAO,KAAK,SAAS,IAAI,SAAS;AAAA,MACpC;AAAA,MAEA,MAAM,oBAAoB,WAAmB,QAA+B;AAC1E,aAAK,SAAS,IAAI,SAAS;AAAA,MAC7B;AAAA,MAEA,MAAM,iBAAiB,WAAqC;AAC1D,eAAO,KAAK,QAAQ,IAAI,SAAS;AAAA,MACnC;AAAA;AAAA,MAGA,OAAO,WAAyB;AAC9B,aAAK,QAAQ,IAAI,SAAS;AAAA,MAC5B;AAAA,MAEQ,UAAgB;AACtB,cAAM,MAAM,KAAK,IAAI;AACrB,mBAAW,CAAC,KAAK,SAAS,KAAK,KAAK,QAAQ;AAC1C,cAAI,YAAY,IAAK,MAAK,OAAO,OAAO,GAAG;AAAA,QAC7C;AAAA,MACF;AAAA,IACF;AAEO,IAAM,4BAAN,MAAsD;AAAA,MAQ3D,YACmB,aACjB,SACA;AAFiB;AARnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AASf,aAAK,aAAa,SAAS,cAAc,IAAI,KAAK;AAAA,MACpD;AAAA,MAEA,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,uBAAuB;AAAA,MAChD;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU;AAChC,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,WAAW,CAAC,UAAU;AACzB,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,UAAU,MAAM,KAAK,YAAY,iBAAiB,QAAQ,UAAU;AAC1E,YAAI,SAAS;AACX,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,eAAe,KAAK,QAAQ,UAAU,EAAE;AAAA,YAC/D,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,SAAS,cAAc;AACjC,gBAAM,WAAW,MAAM,KAAK,YAAY;AAAA,YACtC,QAAQ;AAAA,UACV;AACA,cAAI,UAAU;AACZ,mBAAO;AAAA,cACL,OAAO;AAAA,cACP,WAAW;AAAA,cACX,SAAS,CAAC,GAAG,UAAU,gBAAgB,KAAK,QAAQ,UAAU,EAAE;AAAA,cAChE,MAAM,UAAU;AAAA,YAClB;AAAA,UACF;AAAA,QACF;AAIA,cAAM,WAAW,aAAa,QAAQ,GAAG,IAAI,QAAQ,GAAG,IAAI,QAAQ,MAAM,IAAI,SAAS,aAAa;AACpG,cAAM,aAAa,MAAM,KAAK,YAAY;AAAA,UACxC;AAAA,UACA,KAAK;AAAA,QACP;AACA,YAAI,CAAC,YAAY;AACf,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,YAAY,KAAK,SAAS,cAAc,MAAM,GAAG,EAAE,CAAC;AAAA,YACnE;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,SAAS,cAAc;AACjC,gBAAM,cAAc,QAAQ,MAAM,QAAQ,OAAO,MAAO;AACxD,gBAAM,KAAK,YAAY;AAAA,YACrB,QAAQ;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAEA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,iBAAiB;AAEhC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC6EA,SAAS,SAAS,UAA0C;AAC1D,QAAM,QAAQ;AAAA,IACZ,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS,QAAQ;AAAA,IACjB,SAAS,QAAQ;AAAA,IACjB,SAAS,QAAQ;AAAA,IACjB,SAAS;AAAA,EACX;AACA,SAAO,IAAI,YAAY,EAAE,OAAO,MAAM,KAAK,GAAG,CAAC;AACjD;AAEA,SAAS,kBAAkB,aAA0C;AACnE,SACE,OAAO,gBAAgB,YACvB,YAAY,YAAY,EAAE,SAAS,kBAAkB;AAEzD;AAEA,SAAS,mBACP,SACgC;AAChC,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,OAAO,CAAC;AAC3D,QAAI,UAAU,OAAO,WAAW,YAAY,CAAC,MAAM,QAAQ,MAAM,GAAG;AAClE,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,SAASE,iBAAgB,OAA2B;AAClD,QAAM,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACzD,QAAM,UAAU,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AACxD,SAAO,IAAI,WAAW,OAAO,KAAK,SAAS,SAAS,QAAQ,CAAC;AAC/D;AAjSA,IAqEa;AArEb;AAAA;AAeA;AACA;AAqDO,IAAM,6BAAN,MAAuD;AAAA,MAK5D,YACmB,aACA,aACA,kBAA0B,KAAK,MAC/B,kBACjB;AAJiB;AACA;AACA;AACA;AARnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAOd;AAAA,MAEH,SAAS,OAA6B;AACpC,eACE,MAAM,UAAU,qBAAqB,QACrC,MAAM,UAAU,yBAAyB,QACzC,MAAM,UAAU,uBAAuB,QACvC,MAAM,UAAU,mBAAmB;AAAA,MAEvC;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,gBAAgB;AAAA,YACpC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI;AACJ,YAAI;AACF,mBAAS,MAAM,KAAK,YAAY;AAAA,YAC9B,SAAS,cAAc;AAAA,YACvB,SAAS,cAAc;AAAA,YACvB,SAAS,cAAc;AAAA,YACvB,SAAS,cAAc;AAAA,UACzB;AAAA,QACF,QAAQ;AACN,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,iBAAiB;AAAA,YACrC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,YAAI,CAAC,QAAQ;AACX,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,iBAAiB;AAAA,YACrC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI;AACJ,YAAI;AACJ,YAAI;AAEJ,YAAI;AACF,eAAKA,iBAAgB,SAAS,kBAAkB,EAAE;AAClD,uBAAaA,iBAAgB,SAAS,kBAAkB,UAAU;AAClE,gBAAMA,iBAAgB,SAAS,kBAAkB,GAAG;AAAA,QACtD,QAAQ;AACN,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,iBAAiB,8BAA8B;AAAA,YACtE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,WAAW,SAAS,KAAK,iBAAiB;AAC5C,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,iBAAiB,KAAK,WAAW,MAAM,MAAM,KAAK,eAAe;AAAA,YAChF;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,MAAM,SAAS,QAAQ;AAE7B,YAAI;AACJ,YAAI;AACF,sBAAY,MAAM,KAAK,YAAY;AAAA,YACjC;AAAA,YACA;AAAA,YACA;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF,QAAQ;AACN,sBAAY;AAAA,QACd,UAAE;AAEA,iBAAO,KAAK,CAAC;AAAA,QACf;AAEA,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,iBAAiB;AAAA,YACrC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,UAAU,MAAM,UAAU;AAKhC,YAAI,WAAW,kBAAkB,SAAS,YAAY,GAAG;AACvD,gBAAM,SAAS,mBAAmB,SAAS;AAC3C,cAAI,UAAU,OAAO,OAAO,WAAW,UAAU;AAC/C,gBAAI,OAAO,WAAW,QAAQ,QAAQ;AACpC,qBAAO;AAAA,gBACL,OAAO;AAAA,gBACP,WAAW;AAAA,gBACX,SAAS;AAAA,kBACP,GAAG,UAAU,sBAAsB,oBAAoB,OAAO,MAAM,oBAAoB,QAAQ,MAAM;AAAA,gBACxG;AAAA,gBACA,MAAM,UAAU;AAAA,cAClB;AAAA,YACF;AACA,kBAAM,WAAW,MAAM,YAAY,CAAC;AACpC,kBAAM,SAAS,mBAAmB,OAAO;AAAA,UAC3C;AAAA,QACF;AAEA,YAAI,KAAK,kBAAkB;AACzB,gBAAM,UAAU,MAAM,KAAK,iBAAiB,SAAS,WAAW,QAAQ;AACxE,cAAI,CAAC,QAAQ,IAAI;AACf,kBAAM,OAAO,QAAQ,QAAQ,UAAU;AACvC,mBAAO;AAAA,cACL,OAAO;AAAA,cACP,WAAW;AAAA,cACX,SAAS,CAAC,QAAQ,UAAU,IAAI;AAAA,cAChC;AAAA,YACF;AAAA,UACF;AAEA,cAAI,QAAQ,QAAQ;AAClB,kBAAM,WAAW,MAAM,YAAY,CAAC;AACpC,kBAAM,SAAS,mBAAmB,QAAQ;AAAA,UAC5C;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,sBAAsB;AACrC,cAAM,SAAS,kBAAkB;AAEjC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AClPA;AAAA;AAcA;AAEA;AAMA;AAMA;AAEA;AAEA;AAMA;AAAA;AAAA;;;ACtCA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAgBA;AA2BA;AAUA;AAYA;AASA;AASA;AAaA;AAAA;AAAA;;;AChGA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACLA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AACA,QAAAC,UAAA,UAAA,QAAA;AACA,QAAA,OAAA,UAAA,WAAA;AAuCO,QAAM,2BAAwB,6BAA9B,MAAM,yBAAwB;MAA9B,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;AAGjD,aAAA,aAAa,oBAAI,IAAG;AAGpB,aAAA,eAAe,oBAAI,IAAG;MA6QzC;MAtPE,MAAM,YACJ,WACA,UACA,SAKC;AAED,gBAAQ,WAAW;UACjB,KAAK;AACH,mBAAO,KAAK,mBAAmB,QAAQ;UACzC,KAAK;AACH,mBAAO,KAAK,eAAe,QAAQ;UACrC,KAAK;AACH,mBAAO,KAAK,gBAAgB,QAAQ,IAAI;UAC1C,KAAK;AACH,mBAAO,KAAK,oBACV,QAAQ,YACR,QAAQ,WACR,QAAQ,QAAQ;UAEpB;AACE,mBAAO,EAAE,OAAO,OAAO,OAAO,uBAAuB,SAAS,GAAE;QACpE;MACF;MAKQ,MAAM,mBACZ,UAAoB;AAIpB,cAAM,YAAY,IAAI,YAAW,EAAG,OAAO,QAAQ;AACnD,eAAO;UACL,OAAO;UACP,UAAU,EAAE,WAAW,2BAA2B,KAAI;;MAE1D;MAcQ,MAAM,eACZ,UAAoB;AAEpB,YAAI;AACF,gBAAM,QAAQ,IAAI,YAAW,EAAG,OAAO,QAAQ;AAC/C,gBAAM,QAAQ,MAAM,MAAM,GAAG;AAE7B,cAAI,MAAM,WAAW,GAAG;AACtB,mBAAO,EAAE,OAAO,OAAO,OAAO,qBAAoB;UACpD;AAGA,gBAAM,SAAS,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAQ,CAAE;AACvE,gBAAM,UAAU,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAQ,CAAE;AAGxE,cAAI,QAAQ,OAAO,KAAK,IAAG,IAAK,MAAO,QAAQ,KAAK;AAClD,mBAAO,EAAE,OAAO,OAAO,OAAO,cAAa;UAC7C;AAGA,cAAI,QAAQ,OAAO,KAAK,IAAG,IAAK,MAAO,QAAQ,KAAK;AAClD,mBAAO,EAAE,OAAO,OAAO,OAAO,oBAAmB;UACnD;AAIA,iBAAO;YACL,OAAO;YACP,SAAS,QAAQ,OAAO,QAAQ;YAChC,UAAU,EAAE,KAAK,QAAQ,KAAK,OAAO,QAAQ,MAAK;;QAEtD,SAAS,GAAG;AACV,gBAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,iBAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,OAAO,GAAE;QAC7D;MACF;MAKQ,MAAM,gBACZ,MAAkB;AAElB,YAAI,CAAC,MAAM;AACT,iBAAO,EAAE,OAAO,OAAO,OAAO,2BAA0B;QAC1D;AAGA,YAAI,CAAC,KAAK,UAAU;AAClB,iBAAO,EAAE,OAAO,OAAO,OAAO,sCAAqC;QACrE;AAGA,YAAI,KAAK,uBAAuB;AAC9B,gBAAM,UAAU,KAAK,aAAa,IAAI,KAAK,qBAAqB;AAChE,cAAI,SAAS;AACX,mBAAO;cACL,OAAO;cACP,SAAS,QAAQ;cACjB,UAAU;gBACR,aAAa,KAAK;gBAClB,SAAS,KAAK;;;UAGpB;QACF;AAGA,YAAI,KAAK,mBAAmB;AAC1B,gBAAM,UAAU,KAAK,kBAAkB,MAAM,YAAY;AACzD,cAAI,SAAS;AACX,mBAAO;cACL,OAAO;cACP,SAAS,QAAQ,CAAC;cAClB,UAAU;gBACR,SAAS,KAAK;gBACd,QAAQ,KAAK;;;UAGnB;QACF;AAEA,eAAO,EAAE,OAAO,OAAO,OAAO,2CAA0C;MAC1E;MAKQ,MAAM,oBACZ,YACA,WACA,UAA0B;AAE1B,YAAI,CAAC,YAAY,CAAC,cAAc,CAAC,WAAW;AAC1C,iBAAO,EAAE,OAAO,OAAO,OAAO,4BAA2B;QAC3D;AAGA,YAAI,YAAY,SAAS;AAGzB,cAAM,gBAAgB,KAAK,WAAW,IAAI,SAAS,QAAQ;AAC3D,YAAI,eAAe;AACjB,sBAAY;QACd;AAEA,YAAI,CAAC,aAAa,UAAU,WAAW,IAAI;AACzC,iBAAO;YACL,OAAO;YACP,OAAO;;QAEX;AAGA,YAAI;AACF,gBAAM,QAAQ,KAAK,KAAK,SAAS,OAAO,YAAY,WAAW,SAAS;AAExE,cAAI,CAAC,OAAO;AACV,mBAAO,EAAE,OAAO,OAAO,OAAO,uCAAsC;UACtE;AAEA,iBAAO;YACL,OAAO;YACP,SAAS,SAAS;YAClB,UAAU,EAAE,UAAU,SAAS,UAAU,WAAW,YAAW;;QAEnE,SAAS,GAAG;AACV,gBAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,iBAAO;YACL,OAAO;YACP,OAAO,iCAAiC,OAAO;;QAEnD;MACF;MAUA,kBAAkB,UAAkB,WAAqB;AACvD,YAAI,UAAU,WAAW,IAAI;AAC3B,gBAAM,IAAI,MAAM,8CAA8C;QAChE;AACA,aAAK,WAAW,IAAI,UAAU,SAAS;AACvC,aAAK,OAAO,IAAI,6BAA6B,QAAQ,EAAE;MACzD;MAKA,iBAAiB,UAAgB;AAC/B,eAAO,KAAK,WAAW,OAAO,QAAQ;MACxC;MAQA,iBAAiB,aAAqB,SAAe;AACnD,aAAK,aAAa,IAAI,aAAa,EAAE,SAAS,UAAU,KAAK,IAAG,EAAE,CAAE;AACpE,aAAK,OAAO,IAAI,wBAAwB,WAAW,cAAc,OAAO,EAAE;MAC5E;MAKA,eAAe,aAAmB;AAChC,eAAO,KAAK,aAAa,OAAO,WAAW;MAC7C;MAKA,OAAO,qBAAqB,SAAe;AAEzC,cAAM,MAAM,OAAO,KACjB,QACG,QAAQ,+BAA+B,EAAE,EACzC,QAAQ,6BAA6B,EAAE,EACvC,QAAQ,OAAO,EAAE,GACpB,QAAQ;AAEV,eAAOA,QAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;MAC7D;;AAnRW,YAAA,2BAAA;uCAAA,2BAAwB,6BAAA,WAAA;OADpC,GAAA,SAAA,YAAU;OACE,wBAAwB;;;;;ACzCrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA;AACA,+BAAc;AAAA;AAAA;;;ACHd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mCAAc;AACd;AACA;AACA;AACA,mCAAc;AACd;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACXA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACJA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,+BAAc;AACd;AACA;AACA;AACA;AACA,+BAAc;AACd,+BAAc;AACd;AACA,+BAAc;AACd,+BAAc;AACd;AACA,+BAAc;AACd,+BAAc;AACd,+BAAc;AACd;AAAA;AAAA;;;ACfA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,YAAYC,QAAO;AAAnB,IAqBa,iBAUA,6BAeA,0BAMA,uBAOA,uBAMA,oBAOA,YASA,gBAGA,qBAcA,mBAGA,eAeA,0BAOA,uBAgBA,gBAYA,UASA,0BAQA,2BAYA,sBAUA,mBAQA,iBAUA,kBAOA,eASA,WAOA,mBAaA,mBAaA,qBAWA,sBAiBA,kBAWA,QAGA,cAWA,cAGA,eAYA,mBAOA,sBAUA,oBAKA,eAcA,eASA,gBAeA,kBAOA,mBAUA,iBAWDD,YAQC,cAqBA;AA1bb;AAAA;AACA;AAoBO,IAAM,kBAAoB,SAAM;AAAA,MACnC,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,MAC/D,UAAO;AAAA,QACP,QAAU,WAAQ,MAAM;AAAA,QACxB,MAAQ,UAAO;AAAA,QACf,QAAU,UAAO,EAAE,SAAS;AAAA,QAC5B,MAAQ,OAAI,EAAE,SAAS;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAEM,IAAM,8BAAgC,SAAM;AAAA,MAC/C,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,MAC/D,UAAO;AAAA,QACP,QAAU,WAAQ,MAAM;AAAA,QACxB,MAAQ,UAAO;AAAA,QACf,QAAU,UAAO,EAAE,SAAS;AAAA,QAC5B,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,QACnD,MAAQ,OAAI,EAAE,SAAS;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAMM,IAAM,2BAA6B,UAAO;AAAA,MAC/C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,SAAW,UAAO,EAAE,OAAO,CAAC,EAAE,YAAY,EAAE,SAAS;AAAA,IACvD,CAAC;AAGM,IAAM,wBAAwB;AAO9B,IAAM,wBAA0B,UAAO;AAAA,MAC5C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,WAAa,WAAQ,EAAE,SAAS;AAAA,IAClC,CAAC;AAGM,IAAM,qBAAqB;AAO3B,IAAM,aAAe,QAAK;AAAA,MAC/B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,iBAAmB,QAAK,CAAC,UAAU,WAAW,YAAY,MAAM,CAAC;AAGvE,IAAM,sBAAwB,UAAO;AAAA,MAC1C,SAAS;AAAA,MACT,YAAc,QAAK,CAAC,UAAU,SAAS,CAAC;AAAA,MACxC,eAAiB,SAAM,UAAU,EAAE,IAAI,CAAC;AAAA,MACxC,YAAc,WAAQ;AAAA,MACtB,sBAAwB,WAAQ;AAAA,MAChC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,IAC1B,CAAC;AAOM,IAAM,oBAAsB,QAAK,CAAC,OAAO,UAAU,QAAQ,UAAU,CAAC;AAGtE,IAAM,gBAAkB,UAAO;AAAA,MACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,aAAa;AAAA,MACb,eAAiB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACzC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACxC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MAClD,oBAAsB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MACzD,kBAAoB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MACvD,mBAAqB,WAAQ;AAAA,MAC7B,iBAAmB,WAAQ;AAAA,MAC3B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IACvC,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,MAC/C,OAAO;AAAA,MACP,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IAC1C,CAAC;AAGM,IAAM,wBAA0B,SAAM;AAAA,MACzC,UAAO;AAAA,QACP,QAAU,WAAQ,OAAO;AAAA,QACzB,QAAQ;AAAA,MACV,CAAC;AAAA,MACC,UAAO;AAAA,QACP,QAAU,WAAQ,MAAM;AAAA,QACxB,QAAU,UAAO;AAAA,MACnB,CAAC;AAAA,IACH,CAAC;AAOM,IAAM,iBAAmB,UAAO;AAAA,MACrC,WAAa,UAAO,EAAE,IAAI,CAAC;AAAA,MAC3B,cAAgB,SAAQ,UAAO,CAAC,EAAE,IAAI,CAAC;AAAA,MACvC,QACG,UAAO;AAAA,QACN,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MACrD,CAAC,EACA,SAAS;AAAA,MACZ,QAAU,UAAS,UAAO,GAAK,OAAI,CAAC,EAAE,SAAS;AAAA,IACjD,CAAC;AAGM,IAAM,WAAa,UAAO;AAAA,MAC/B,IAAM,UAAO;AAAA,MACb,QAAQ;AAAA,MACR,UAAY,UAAO,EAAE,IAAI;AAAA,MACzB,WAAa,UAAO,EAAE,IAAI;AAAA,MAC1B,MAAQ,QAAK,CAAC,QAAQ,YAAY,SAAS,CAAC;AAAA,IAC9C,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,MAC/C,OAAS,WAAQ;AAAA,MACjB,SAAS,SAAS,SAAS;AAAA,MAC3B,QAAU,UAAO,EAAE,SAAS;AAAA,MAC5B,gBAAkB,WAAQ,EAAE,SAAS;AAAA,IACvC,CAAC;AAGM,IAAM,4BAA8B,UAAO;AAAA,MAChD,SAAW;AAAA,QACP,UAAO;AAAA,QACP,UAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,MACrD;AAAA,MACA,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,KAAO,OAAI;AAAA;AAAA,IACb,CAAC;AAKM,IAAM,uBAAyB,UAAO;AAAA,MAC3C,IAAM,WAAQ,IAAI;AAAA,MAClB,SAAS;AAAA,IACX,CAAC;AAOM,IAAM,oBAAsB,QAAK;AAAA,MACtC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,kBAAoB,UAAO;AAAA,MACtC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,WAAa,UAAO,EAAE,SAAS;AAAA,MAC/B,SAAW,UAAO,EAAE,SAAS;AAAA,MAC7B,WAAa,UAAO,EAAE,SAAS;AAAA,MAC/B,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,SAAS;AAAA,IACX,CAAC;AAGM,IAAM,mBAAqB,UAAO;AAAA,MACvC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACrC,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC/B,KAAO,QAAK,CAAC,kBAAkB,eAAe,CAAC;AAAA,IACjD,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,MACpC,IAAM,WAAQ,IAAI;AAAA,IACpB,CAAC;AAOM,IAAM,YAAc,UAAO;AAAA,MAChC,IAAM,UAAO;AAAA,MACb,YAAc,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACtD,QAAU,QAAK,CAAC,UAAU,WAAW,WAAW,SAAS,CAAC;AAAA,MAC1D,UAAY,UAAO,EAAE,IAAI;AAAA,MACzB,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IACvC,CAAC;AACM,IAAM,oBAAsB,UAAO;AAAA,MACxC,UAAY,UAAO,EAAE,IAAI;AAAA,MACzB,SAAW,UAAO,EAAE,IAAI;AAAA,MACxB,eAAiB,UAAO,EAAE,IAAI;AAAA,MAC9B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IACvC,CAAC;AAQM,IAAM,oBAAsB,UAAO;AAAA,MACxC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,MACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,MAAQ,cAAW,UAAU;AAAA,MAC7B,SAAW,UAAO,EAAE,SAAS;AAAA,IAC/B,CAAC;AAOM,IAAM,sBAAwB,UAAO;AAAA,MAC1C,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,MAC1D,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,MAC5D,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,IACtB,CAAC;AAOM,IAAM,uBAAyB,UAAO;AAAA,MAC3C,UACG,SAAM,CAAG,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,GAAK,cAAW,UAAU,CAAC,CAAC,EAC7E,SAAS;AAAA,MACZ,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,MACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,MAAQ,cAAW,UAAU;AAAA,MAC7B,SAAW,UAAO,EAAE,SAAS;AAAA,MAC7B,aAAe,UAAO,EAAE,SAAS;AAAA,IACnC,CAAC;AAOM,IAAM,mBAAqB,QAAK;AAAA,MACrC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,SAAW,QAAK,CAAC,UAAU,MAAM,CAAC;AAGxC,IAAM,eAAiB,UAAO;AAAA,MACnC,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,MACtB,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC/B,MAAM;AAAA,MACN,UAAY,WAAQ,EAAE,SAAS;AAAA,MAC/B,QAAU,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MAC7C,KAAO,UAAO,EAAE,SAAS;AAAA,MACzB,OAAO,OAAO,SAAS;AAAA,IACzB,CAAC;AAGM,IAAM,eAAiB,QAAK,CAAC,WAAW,OAAO,WAAW,SAAS,CAAC;AAGpE,IAAM,gBAAkB,UAAO;AAAA,MACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,SAAW,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACnC,aAAa;AAAA,MACb,QAAU,SAAM,YAAY,EAAE,IAAI,CAAC;AAAA,IACrC,CAAC;AAOM,IAAM,oBAAsB,UAAO;AAAA,MACxC,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,MAC1B,MAAQ,WAAQ;AAAA,MAChB,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,IACtB,CAAC;AAGM,IAAM,uBAAyB,SAAM;AAAA,MACxC,UAAO,EAAE,QAAU,WAAQ,OAAO,EAAE,CAAC;AAAA,MACrC,UAAO,EAAE,QAAU,WAAQ,MAAM,GAAG,MAAQ,UAAO,EAAE,CAAC;AAAA,IAC1D,CAAC;AAOM,IAAM,qBAAuB,UAAO;AAAA,MACzC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,IACtB,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,MACpC,OAAS,UAAO,EAAE,IAAI,IAAI,EAAE,IAAI,GAAG;AAAA,MACnC,aAAe,UAAO,EAAE,IAAI;AAAA,MAC5B,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,gBAAkB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC7C,iBAAmB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC9C,MAAQ,SAAQ,UAAO,CAAC;AAAA,IAC1B,CAAC;AAOM,IAAM,gBAAkB,QAAK;AAAA,MAClC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,iBAAmB,UAAO;AAAA,MACrC,aAAe,UAAO,EAAE,IAAI,CAAC;AAAA,MAC7B,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,MAC1B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACrC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACrC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACvC,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,QAAQ;AAAA,IACV,CAAC;AAOM,IAAM,mBAAqB,UAAO;AAAA,MACvC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,WAAa,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MACxC,SAAW,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,IACxC,CAAC;AAGM,IAAM,oBAAsB,UAAO;AAAA,MACxC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IAC1C,CAAC;AAOM,IAAM,kBAAoB,UAAO;AAAA,MACtC,YAAc,OAAI;AAAA;AAAA,MAClB,WAAa,OAAI;AAAA;AAAA,MACjB,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,IAC1B,CAAC;AAOM,IAAKA,aAAL,kBAAKA,eAAL;AACL,MAAAA,sBAAA,aAAU,KAAV;AACA,MAAAA,sBAAA,SAAM,KAAN;AACA,MAAAA,sBAAA,aAAU,KAAV;AACA,MAAAA,sBAAA,eAAY,KAAZ;AACA,MAAAA,sBAAA,iBAAc,KAAd;AALU,aAAAA;AAAA,qBAAA;AAQL,IAAM,eAAiB,UAAO;AAAA,MACnC,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA;AAAA,MAC/C,IAAM,UAAO;AAAA;AAAA,MACb,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,SAAW,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACnD,WAAa,QAAKA,UAAS;AAAA,MAC3B,UAAY,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACpD,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACjD,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,cAAgB,UAAO,EAAE,SAAS;AAAA,MAClC,SAAS,SAAS,SAAS;AAAA,MAC3B,UAAU,UAAU,SAAS;AAAA,MAC7B,OAAS,OAAI,EAAE,SAAS;AAAA;AAAA,IAC1B,CAAC;AAQM,IAAM,aAAe,UAAO;AAAA,MACjC,MAAQ,UAAO;AAAA,MACf,SAAW,UAAO;AAAA,MAClB,YAAc,UAAO,EAAE,IAAI;AAAA,IAC7B,CAAC;AAAA;AAAA;;;;;;;;;;;;;;;AC9bD,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,QAAA;AAKA,QAAYE;AAAZ,KAAA,SAAYA,cAAW;AACrB,MAAAA,aAAAA,aAAA,KAAA,IAAA,CAAA,IAAA;AACA,MAAAA,aAAAA,aAAA,SAAA,IAAA,CAAA,IAAA;AACA,MAAAA,aAAAA,aAAA,KAAA,IAAA,CAAA,IAAA;AACA,MAAAA,aAAAA,aAAA,KAAA,IAAA,CAAA,IAAA;IACF,GALYA,iBAAW,QAAA,cAAXA,eAAW,CAAA,EAAA;AAiBhB,QAAMC,wBAAoB,yBAA1B,MAAM,qBAAoB;MAA1B,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,uBAAqB,IAAI;MAmIhE;MA9HE,SAAS,MAAkB,SAAoB;AAC7C,gBAAQ,SAAS;UACf,KAAKD,aAAY;AACf,mBAAO,KAAK,YAAY,IAAI;UAE9B,KAAKA,aAAY;AACf,mBAAO,KAAK,eAAe,IAAI;UAEjC,KAAKA,aAAY;AACf,mBAAO,KAAK,YAAY,IAAI;UAE9B,KAAKA,aAAY;AACf,mBAAO,KAAK,YAAY,IAAI;UAE9B;AACE,mBAAO;cACL,OAAO;cACP,OAAO,yBAAyB,OAAO;cACvC;;QAEN;MACF;MAKQ,YAAY,MAAgB;AAClC,eAAO;UACL,OAAO;UACP,SAASA,aAAY;;MAEzB;MAKQ,eAAe,MAAgB;AACrC,YAAI;AACF,gBAAM,QAAO,GAAA,MAAA,gBAAe,IAAI;AAGhC,qBAAWE,QAAO,MAAM;AACtB,gBAAIA,KAAI,SAAS,OAAOA,KAAI,SAAS,KAAK;AACxC,qBAAO;gBACL,OAAO;gBACP,OAAO;gBACP,SAASF,aAAY;;YAEzB;UACF;AAEA,iBAAO;YACL,OAAO;YACP,SAASA,aAAY;;QAEzB,SAAS,OAAO;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,iBAAO;YACL,OAAO;YACP,OAAO,0BAA0B,OAAO;YACxC,SAASA,aAAY;;QAEzB;MACF;MAKQ,YAAY,MAAgB;AAClC,YAAI;AACF,gBAAM,QAAO,GAAA,MAAA,gBAAe,IAAI;AAGhC,gBAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,cAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,mBAAO;cACL,OAAO;cACP,OAAO;cACP,SAASA,aAAY;;UAEzB;AAEA,iBAAO;YACL,OAAO;YACP,SAASA,aAAY;;QAEzB,SAAS,OAAO;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,iBAAO;YACL,OAAO;YACP,OAAO,sBAAsB,OAAO;YACpC,SAASA,aAAY;;QAEzB;MACF;MAKQ,YAAY,MAAgB;AAClC,YAAI;AACF,gBAAM,QAAO,GAAA,MAAA,gBAAe,IAAI;AAGhC,gBAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,cAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,mBAAO;cACL,OAAO;cACP,OAAO;cACP,SAASA,aAAY;;UAEzB;AAEA,iBAAO;YACL,OAAO;YACP,SAASA,aAAY;;QAEzB,SAAS,OAAO;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,iBAAO;YACL,OAAO;YACP,OAAO,sBAAsB,OAAO;YACpC,SAASA,aAAY;;QAEzB;MACF;;AAnIW,YAAA,uBAAAC;mCAAAA,wBAAoB,yBAAA,WAAA;OADhC,GAAA,SAAA,YAAU;OACEA,qBAAoB;;;;;ACxBjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAAE;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IACA;AADA;AAAA;AAAA;AACA,0BAIO;AAAA;AAAA;;;ACLP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA,iCAAc;AAAA;AAAA;;;;;;;;;;;;;;ACFd,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAgCO,QAAM,8BAAN,MAAM,4BAA2B;MAAjC,cAAA;AAEI,aAAA,OAAO;AAMP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAoBnC;MAlBE,WAAQ;AACN,eAAO;MACT;MAEA,MAAM,IAAI,OAAkB;AAE1B,cAAM,aAAa,CAAC,CAAC,MAAM,UAAU;AACrC,cAAM,cAAc,CAAC,CAAC,MAAM,UAAU;AACtC,cAAM,UAAU,CAAC,CAAC,MAAM,UAAU;AAElC,cAAM,UAAU,cAAc,eAAe,UAAU,YAAY;AAGnE,YAAI,CAAC,MAAM;AAAU,gBAAM,WAAW,CAAA;AACtC,cAAM,SAAS,UAAU;AAEzB,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA3BW,YAAA,8BAAA;0CAAA,8BAA2B,WAAA;OAFvC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,2BAA2B;;;;;;;;;;;;;;;;ACnCxC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,cAAA;AACA,QAAA,WAAA;AACA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAsFO,QAAM,mBAAN,MAAM,iBAAgB;MAAtB,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,UAAU;MA+ElC;MArEE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;MAC9C;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,EAAE,KAAI,IAAK;AAGjB,YAAI,CAAC,QAAQ,KAAK,SAAS,GAAG;AAC5B,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,YAAI;AAOF,cAAI,SAAS;AACb,oBAAU;AACV,oBAAU;AAGV,gBAAM,EAAE,OAAO,QAAQ,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACrE,oBAAU;AAGV,gBAAM,EAAE,OAAO,QAAO,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AAGpD,cAAI,SAAS,YAAA,aAAa;AACxB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,eAAe,MAAM,kBAAkB,YAAA,WAAW;;UAE9D;AAGA,cAAI,UAAU,YAAA,cAAc;AAC1B,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,aAAa,OAAO,kBAAkB,YAAA,YAAY;;UAE9D;AAEA,iBAAO,EAAE,QAAQ,QAAO;QAC1B,SAAS,GAAG;AAGV,iBAAO,EAAE,QAAQ,QAAO;QAC1B;MACF;;AA1FW,YAAA,mBAAA;+BAAA,mBAAgB,WAAA;OAF5B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,gBAAgB;;;;;;;;;;;;;;;;;AC3F7B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,UAAA;AAyEO,QAAM,8BAA2B,gCAAjC,MAAM,4BAA2B;MAAjC,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,8BAA4B,IAAI;AAG5D,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,SAAS;MAwGjC;MA9FE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAiBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,EAAE,QAAQ,OAAM,IAAK;AAC3B,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,cAAM,YAAY,QAAQ,aAAa;AAIvC,cAAM,sBAAsB,QAAA,mBAAmB,SAAS,KAAK,CAAA;AAI7D,cAAM,uBAAuB,KAAK,wBAAwB,MAAM;AAIhE,YAAI,qBAAqB,WAAW,GAAG;AACrC,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAIA,cAAM,sBAAsB,qBAAqB,OAC/C,CAAC,QAAQ,CAAC,oBAAoB,SAAS,GAAG,CAAC;AAG7C,YAAI,oBAAoB,SAAS,GAAG;AAElC,eAAK,OAAO,KACV,yBAAyB,MAAM,aAAa,oBAAoB,KAAK,IAAI,CAAC,UAAU,oBAAoB,KAAK,IAAI,CAAC,GAAG;AAEvH,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,yBAAyB,oBAAoB,KAAK,IAAI,CAAC;;QAEnE;AAGA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAcQ,wBAAwB,QAAc;AAE5C,YAAI,QAAA,oBAAoB,MAAM,GAAG;AAC/B,iBAAO,QAAA,oBAAoB,MAAM;QACnC;AAGA,mBAAW,CAAC,SAAS,IAAI,KAAK,OAAO,QAAQ,QAAA,mBAAmB,GAAG;AACjE,cAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,kBAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,gBAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,qBAAO;YACT;UACF;QACF;AAGA,eAAO,CAAC,SAAS;MACnB;;AArHW,YAAA,8BAAA;0CAAA,8BAA2B,gCAAA,WAAA;OAFvC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,2BAA2B;;;;;;;;;;;;;;;;AC7ExC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,QAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AA6EO,QAAM,kBAAN,MAAM,gBAAe;MAArB,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,UAAU;MAsElC;MA5DE,SAAS,OAAkB;AACzB,eAAO,MAAM,WAAW;MAC1B;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,aAAa,MAAM;AACzB,cAAM,YAAY,MAAM;AAGxB,YAAI,CAAC,cAAc,CAAC,WAAW;AAC7B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,cAAMC,oBAAmB;AAGzB,cAAM,WAAW,WAAW,IAAIA,iBAAgB;AAEhD,YAAI,CAAC,YAAY,SAAS,WAAW,IAAI;AACvC,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,cAAM,UAAS,GAAA,SAAA,YAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAM;AAI5D,YAAI,CAAC,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC,GAAG;AACtD,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAjFW,YAAA,kBAAA;8BAAA,kBAAe,WAAA;OAF3B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,eAAe;;;;;;;;;;;;;;;;;ACjF5B,QAAA,WAAA,UAAA,gBAAA;AACA,QAAAC,UAAA,UAAA,QAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAEA,QAAA,cAAA;AAgGO,QAAM,gBAAa,kBAAnB,MAAM,cAAa;MAAnB,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,gBAAc,IAAI;AAUtC,aAAA,wBAAwB;AAGhC,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,SAAS;MA+LjC;MAjLU,iBAAiB,MAAgB;AACvC,YAAI,KAAK,WAAW;AAAG,iBAAO;AAG9B,cAAM,OAAO,oBAAI,IAAG;AACpB,mBAAW,QAAQ,MAAM;AACvB,eAAK,IAAI,OAAO,KAAK,IAAI,IAAI,KAAK,KAAK,CAAC;QAC1C;AAGA,YAAI,UAAU;AACd,cAAM,MAAM,KAAK;AACjB,mBAAW,SAAS,KAAK,OAAM,GAAI;AACjC,gBAAM,IAAI,QAAQ;AAClB,qBAAW,IAAI,KAAK,KAAK,CAAC;QAC5B;AAEA,eAAO;MACT;MAYQ,qBAAqB,MAAgB;AAC3C,YAAI,KAAK,SAAS;AAAG,iBAAO;AAE5B,YAAI,YAAY;AAChB,YAAI,aAAa;AAEjB,iBAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,cAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI;AAAG;AACjC,cAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI;AAAG;QACnC;AAGA,eAAO,YAAY,KAAK,SAAS,KAAK,aAAa,KAAK,SAAS;MACnE;MAYQ,mBAAmB,MAAgB;AACzC,YAAI,KAAK,SAAS;AAAG,iBAAO;AAG5B,mBAAW,cAAc,CAAC,GAAG,GAAG,CAAC,GAAG;AAClC,cAAI,KAAK,SAAS,eAAe;AAAG;AAEpC,cAAI,UAAU;AACd,mBAAS,IAAI,YAAY,IAAI,KAAK,QAAQ,KAAK;AAC7C,gBAAI,KAAK,CAAC,MAAM,KAAK,IAAI,UAAU;AAAG;UACxC;AAGA,cAAI,WAAW,KAAK,SAAS,cAAc,KAAK;AAC9C,mBAAO;UACT;QACF;AAEA,eAAO;MACT;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,UAAU,MAAM;AAGtB,YAAI,CAAC,SAAS;AACZ,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,MAAM,QAAQ,IAAI,YAAA,OAAO;AAC/B,cAAM,QAAQ,QAAQ,IAAI,YAAA,SAAS;AAEnC,cAAM,SAAmB,CAAA;AACzB,YAAI,aAAa;AAGjB,YAAI,OAAO,IAAI,SAAS,GAAG;AACzB,gBAAM,aAAa,KAAK,iBAAiB,GAAG;AAG5C,cAAI,aAAa,KAAK,uBAAuB;AAC3C,mBAAO,KAAK,mBAAmB,WAAW,QAAQ,CAAC,CAAC,EAAE;AACtD,0BAAc;UAChB;AAGA,cAAI,KAAK,qBAAqB,GAAG,GAAG;AAClC,mBAAO,KAAK,gBAAgB;AAC5B,0BAAc;UAChB;AAGA,cAAI,KAAK,mBAAmB,GAAG,GAAG;AAChC,mBAAO,KAAK,cAAc;AAC1B,0BAAc;UAChB;QACF;AAGA,YAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,gBAAM,eAAe,KAAK,iBAAiB,KAAK;AAGhD,cAAI,eAAe,KAAK,uBAAuB;AAC7C,mBAAO,KAAK,qBAAqB,aAAa,QAAQ,CAAC,CAAC,EAAE;AAC1D,0BAAc;UAChB;AAGA,cAAI,KAAK,qBAAqB,KAAK,GAAG;AACpC,mBAAO,KAAK,kBAAkB;AAC9B,0BAAc;UAChB;AAGA,cAAI,KAAK,mBAAmB,KAAK,GAAG;AAClC,mBAAO,KAAK,gBAAgB;AAC5B,0BAAc;UAChB;QACF;AAGA,YAAI,OAAO,SAAS,GAAG;AACrB,eAAK,OAAO,KAAK,uBAAuB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC,EAAE;AACxE,iBAAO;YACL,QAAQ;YACR,YAAY;YACZ,SAAS;;QAEb;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAYA,OAAO,qBAAqB,QAAc;AACxC,eAAO,IAAI,WAAWA,QAAO,YAAY,MAAM,CAAC;MAClD;;AArNW,YAAA,gBAAA;4BAAA,gBAAa,kBAAA,WAAA;OAFzB,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,aAAa;;;;;;;;;;;;;;;;;ACtG1B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAMA,QAAA,aAAA;AAkFO,QAAM,yBAAsB,2BAA5B,MAAM,uBAAsB;MAA5B,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,yBAAuB,IAAI;AAGvD,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,WAAW;MA8EnC;MAtEE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAcA,MAAM,IAAI,OAAkB;AAC1B,cAAM,EAAE,QAAQ,QAAO,IAAK;AAC5B,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,WAAU,GAAA,WAAA,gBAAe,MAAM;AAGrC,cAAM,WAAW,KAAK,IAAG,IAAK;AAG9B,YAAI,SAAS;AACV,kBAAgB,WAAW;AAC3B,kBAAgB,YAAY;QAC/B;AAEA,aAAK,OAAO,MACV,OAAO,OAAO,kBAAkB,MAAM,eAAe,IAAI,KAAK,QAAQ,EAAE,YAAW,CAAE,GAAG;AAK1F,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAWA,OAAO,UAAU,KAA0B;AACzC,YAAI,CAAC,IAAI;AAAU,iBAAO;AAC1B,eAAO,KAAK,IAAG,IAAK,IAAI;MAC1B;MAWA,OAAO,eAAe,KAA0B;AAC9C,YAAI,CAAC,IAAI;AAAU,iBAAO;AAC1B,eAAO,KAAK,IAAI,GAAG,IAAI,WAAW,KAAK,IAAG,CAAE;MAC9C;;AA1FW,YAAA,yBAAA;qCAAA,yBAAsB,2BAAA,WAAA;OAFlC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,sBAAsB;;;;;;;;;;;;;;;;;;;;AC3FnC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAiFO,QAAM,oBAAN,MAAM,kBAAiB;MAa5B,YAA6B,QAAqB;AAArB,aAAA,SAAA;AAXpB,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,OAAO;MAEwB;MAWrD,SAAS,OAAkB;AACzB,eAAO,OAAO,MAAM,kBAAkB;MACxC;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,WACJ,KAAK,OAAO,IAAY,qBAAqB,KAAK,KAAK,OAAO;AAChE,cAAM,gBAAgB,MAAM;AAE5B,YAAI,OAAO,kBAAkB,UAAU;AACrC,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,YAAI,gBAAgB,UAAU;AAC5B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,cAAc,aAAa,kBAAkB,QAAQ;;QAEjE;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA5DW,YAAA,oBAAA;gCAAA,oBAAiB,WAAA;OAF7B,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAC9B,GAAA,SAAA,YAAU;2DAc4B,SAAA,kBAAa,eAAb,SAAA,mBAAa,aAAA,KAAA,MAAA,CAAA;OAbvC,iBAAiB;;;;;;;;;;;;;;;;ACrF9B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,cAAA;AACA,QAAA,iBAAA;AAKO,QAAM,0BAAN,MAAM,wBAAuB;MAA7B,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,OAAO;MA+C/B;MA7CE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;MAC9C;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,OAAO,MAAM;AACnB,cAAM,aAAa,MAAM,iBAAiB;AAG1C,YAAI,KAAK,SAAS,KAAK,CAAC,KAAK,YAAY,KAAK,MAAM,GAAG,CAAC,GAAG,YAAA,UAAU,GAAG;AACtE,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,YAAI,KAAK,CAAC,MAAM,YAAA,cAAc;AAC5B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,wBAAwB,KAAK,CAAC,CAAC;;QAE3C;AAGA,YAAI,aAAa,YAAA,eAAe;AAC9B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,cAAc,UAAU,gBAAgB,YAAA,aAAa;;QAEjE;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAEQ,YAAY,GAAe,GAAa;AAC9C,YAAI,EAAE,WAAW,EAAE;AAAQ,iBAAO;AAClC,iBAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,cAAI,EAAE,CAAC,MAAM,EAAE,CAAC;AAAG,mBAAO;QAC5B;AACA,eAAO;MACT;;AAhDW,YAAA,0BAAA;sCAAA,0BAAuB,WAAA;OAFnC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAClB,uBAAuB;;;;;;;;;;;;;;;;ACTpC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,cAAA;AACA,QAAA,iBAAA;AAKO,QAAM,uBAAN,MAAM,qBAAoB;MAA1B,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,UAAU;AACf,aAAA,WAAW;MA4B9B;MA1BE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,cAAc,CAAC,CAAC,MAAM;MACvC;MAEA,MAAM,IAAI,OAAkB;AAC1B,YAAI,MAAM,cAAc,MAAM,WAAW,OAAO,KAAK,UAAU;AAC7D,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,gBAAgB,MAAM,WAAW,IAAI,iBAAiB,KAAK,QAAQ;;QAE/E;AAEA,YAAI,MAAM,UAAU,MAAM,OAAO,aAAa;AAC5C,gBAAM,SAAS,MAAM,OAAO,YAAY;AACxC,cAAI,SAAS,YAAA,aAAa;AACxB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,eAAe,MAAM,gBAAgB,YAAA,WAAW;;UAE5D;QACF;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA9BW,YAAA,uBAAA;mCAAA,uBAAoB,WAAA;OAFhC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAM;OACM,oBAAoB;;;;;;;;;;;;;;;;ACTjC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAIA,QAAM,0BAA0B;MAC9B;MACA;MACA;MACA;MACA;;AAKK,QAAM,wBAAN,MAAM,sBAAqB;MAA3B,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MA4BnC;MA1BE,SAAS,OAAkB;AAEzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,UAAU,MAAM,UAAU,WAAW;AAC3C,cAAM,SAAS,MAAM,UAAU;AAG/B,YAAI,YAAY,UAAU;AACxB,gBAAM,YAAY,wBAAwB,KAAK,CAAC,WAC9C,OAAO,WAAW,MAAM,CAAC;AAE3B,cAAI,CAAC,WAAW;AACd,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,WAAW,MAAM;;UAE7B;QACF;AAGA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA7BW,YAAA,wBAAA;oCAAA,wBAAqB,WAAA;OAFjC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAM;OACM,qBAAqB;;;;;;;;;;;;;;;;;;;;ACjBlC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AAMA,QAAA,kBAAA;AACA,QAAA,iBAAA;AAaO,QAAM,uBAAN,MAAM,qBAAoB;MAI/B,YAA6B,QAAoB;AAApB,aAAA,SAAA;AAHpB,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAEmB;MAEpD,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,SAAS,MAAM;AAErB,YAAI,KAAK,OAAO,IAAI,MAAM,GAAG;AAC3B,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,eAAO;UACL,QAAQ;UACR,MAAM;UACN,QAAQ,WAAW,MAAM;;MAE7B;;AAtBW,YAAA,uBAAA;mCAAA,uBAAoB,WAAA;OAFhC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAO,EAAE,OAAO,cAAa,CAAE;2DAKO,gBAAA,iBAAY,eAAZ,gBAAA,kBAAY,aAAA,KAAA,MAAA,CAAA;OAJtC,oBAAoB;;;;;;;;;;;;;;;;ACtBjC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,iBAAA;AAIA,QAAA,eAAA;AAKO,QAAM,sBAAN,MAAM,oBAAmB;MAAzB,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAsDnC;MApDE,SAAS,OAAyB;AAChC,eAAO,CAAC,CAAC,MAAM,WAAW,CAAC,CAAC,MAAM;MACpC;MAEA,MAAM,IAAI,OAAyB;AAEjC,cAAM,iBAAiB,eAAA,oBAAoB,UAAU,KAAK;AAC1D,YAAI,CAAC,eAAe,SAAS;AAC3B,gBAAM,IAAI,aAAA,UACR,wBACA,4BAA4B,eAAe,MAAM,OAAO,IACxD,GAAG;QAEP;AAEA,cAAM,EACJ,YACA,eACA,YACA,sBACA,SACA,OAAM,IACJ,eAAe;AAGnB,YAAI,eAAe,UAAU;AAC3B,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,YAAI,cAAc,SAAS,MAAM,GAAG;AAClC,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,kBAAkB,cAAc,SAAS,SAAS,KAAK;AAC7D,cAAM,mBACJ,cAAc,SAAS,UAAU,KAAK;AACxC,cAAM,eAAe,cAAc,SAAS,MAAM,KAAK,YAAY;AAEnE,cAAM,YAAY,mBAAmB,oBAAoB;AAEzD,YAAI,CAAC,WAAW;AACd,gBAAM,IAAI,aAAA,UACR,yBACA,sCAAsC,MAAM,IAC5C,GAAG;QAEP;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAvDW,YAAA,sBAAA;kCAAA,sBAAmB,WAAA;OAF/B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,mBAAmB;;;;;;;;;;;;;;;;;;;;;ACbhC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,iBAAA;AAEA,QAAA,cAAA;AAQA,QAAA,WAAA;AAcA,QAAM,cAAc;MAClB;MACA,YAAA;MACA,YAAA;MACA,YAAA;MACA,YAAA,gBAAgB,YAAA;MAChB,YAAA,gBAAgB,YAAA;MAChB,YAAA,iBAAiB,YAAA;MACjB,YAAA,gBAAgB,YAAA,iBAAiB,YAAA;;AAgF5B,QAAM,uBAAoB,yBAA1B,MAAM,qBAAoB;MAmB/B,YAA6B,QAAqB;AAArB,aAAA,SAAA;AAlBZ,aAAA,SAAS,IAAI,SAAA,OAAO,uBAAqB,IAAI;AAGrD,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,OAAO;AAErB,aAAA,gBAA4B,YAAA;AAC5B,aAAA,kBAAkB,YAAA;MAE2B;MAK9C,OAAO,cACZ,OACA,UAAoB;AAEpB,YAAI,MAAM,SAAS,SAAS;AAAQ,iBAAO,EAAE,OAAO,KAAI;AACxD,cAAM,SAAS,MAAM,SAAS,GAAG,SAAS,MAAM;AAChD,cAAM,QAAQ,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC;AAC9D,eAAO;UACL;UACA,QAAQ,QAAQ,SAAY,IAAI,YAAW,EAAG,OAAO,MAAM;;MAE/D;MAEO,OAAO,gBAAgB,SAAiB,UAAgB;AAC7D,eAAO,YAAY;MACrB;MAKA,eAAY;AACV,cAAM,WAAW,KAAK,OAAO,IAAY,qBAAqB;AAC9D,aAAK,gBAAgB,WAAW,OAAO,KAAK,UAAU,OAAO,IAAI,YAAA;AACjE,aAAK,kBACH,KAAK,OAAO,IAAY,uBAAuB,KAAK,YAAA;MACxD;MAKA,MAAM,IAAI,OAAkB;AAC1B,cAAM,iBAAiB,eAAA,qBAAqB,UAAU,KAAK;AAC3D,YAAI,CAAC,eAAe,SAAS;AAC3B,eAAK,OAAO,MACV,kBAAkB,eAAe,MAAM,OAAO,IAC9C,eAAe,MAAM,MAAM;AAE7B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAEA,cAAM,EAAE,aAAa,KAAI,IAAK,eAAe;AAC7C,cAAM,SAAmB,CAAA;AAGzB,YAAI,KAAK,UAAU,GAAG;AACpB,gBAAM,MAAM,OAAO,KAAK,KAAK,SAAS,GAAG,EAAE,CAAC,EAAE,SAAS,KAAK;AAC5D,eAAK,OAAO,MAAM,2BAA2B,GAAG,SAAS,MAAM,EAAE,GAAG;QACtE;AAGA,YAAI,gBAAgB,QAAW;AAC7B,cAAI,CAAC,KAAK,mBAAmB,WAAW,GAAG;AACzC,mBAAO,KAAK,wBAAwB,WAAW,EAAE;UACnD;QACF;AAGA,YAAI,KAAK,SAAS,GAAG;AACnB,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,cAAM,aAAa,uBAAqB,cACtC,MACA,KAAK,aAAa;AAEpB,YAAI,CAAC,WAAW,OAAO;AACrB,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,YAAY,IAAI,YAAW,EAAG,OAAO,KAAK,aAAa,CAAC,eAAe,WAAW,MAAM;;QAEpG;AAGA,cAAM,UAAU,KAAK,CAAC;AACtB,YAAI,CAAC,uBAAqB,gBAAgB,SAAS,KAAK,eAAe,GAAG;AACxE,iBAAO,KAAK,uBAAuB,OAAO,EAAE;QAC9C;AAGA,cAAM,QAAQ,KAAK,CAAC;AACpB,YAAI,CAAC,KAAK,aAAa,KAAK,GAAG;AAC7B,iBAAO,KAAK,mBAAmB,MAAM,SAAS,EAAE,CAAC,EAAE;QACrD;AAGA,YAAI,KAAK,UAAU,IAAI;AACrB,gBAAM,cAAc,KAAK,oBAAoB,KAAK,SAAS,CAAC,CAAC;AAC7D,cAAI,CAAC,YAAY,OAAO;AACtB,mBAAO,KAAK,sBAAsB,YAAY,MAAM,EAAE;UACxD;QACF;AAGA,YAAI,KAAK,UAAU,IAAI;AACrB,gBAAM,WAAW,KAAK,iBAAiB,IAAI;AAC3C,cAAI,CAAC,SAAS,OAAO;AACnB,mBAAO,KAAK,qBAAqB,SAAS,MAAM,EAAE;UACpD;AAGA,gBAAM,mBAAmB,MAAM,KAAK,sBAAsB,IAAI;AAC9D,cAAI,CAAC,kBAAkB;AAErB,mBAAO,KAAK,wBAAwB;UACtC;QACF;AAGA,YAAI,OAAO,SAAS,GAAG;AAErB,gBAAM,WAAW,OAAO,KACtB,CAAC,MACC,EAAE,WAAW,eAAe,KAAK,EAAE,WAAW,qBAAqB,CAAC;AAGxE,cAAI,UAAU;AACZ,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,OAAO,KAAK,IAAI;;UAE5B;AAEA,eAAK,OAAO,KACV,wBAAwB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC,EAAE;AAE1D,iBAAO;YACL,QAAQ;YACR,YAAY,CAAC,OAAO,SAAS;YAC7B,SAAS;;QAEb;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAKQ,aAAa,GAAe,GAAa;AAC/C,YAAI,EAAE,WAAW,EAAE;AAAQ,iBAAO;AAClC,iBAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,cAAI,EAAE,CAAC,MAAM,EAAE,CAAC;AAAG,mBAAO;QAC5B;AACA,eAAO;MACT;MAKQ,mBAAmB,aAAmB;AAC5C,eAAO,YAAA,eAAe,kBAAkB,WAAW;MACrD;MAKQ,aAAa,OAAa;AAChC,eAAO,YAAY,SAAS,KAAK;MACnC;MAKQ,oBAAoB,MAAgB;AAI1C,YAAI;AACF,gBAAM,EAAE,OAAO,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,CAAC;AAIzD,cAAI,QAAQ,OAAO,YAAY,GAAG;AAChC,mBAAO,EAAE,OAAO,OAAO,QAAQ,0BAAyB;UAC1D;AACA,cAAI,QAAQ,SAAS,YAAY,GAAG;AAClC,mBAAO,EAAE,OAAO,OAAO,QAAQ,2BAA0B;UAC3D;AAEA,iBAAO,EAAE,OAAO,KAAI;QACtB,QAAQ;AACN,iBAAO,EAAE,OAAO,OAAO,QAAQ,sBAAqB;QACtD;MACF;MAKQ,iBAAiB,MAAgB;AAOvC,YAAI;AAEF,cAAI,SAAS;AAGb,gBAAM,EAAE,OAAO,QAAQ,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACrE,oBAAU;AAGV,gBAAM,EAAE,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACvD,oBAAU;AAGV,gBAAM,EAAE,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACtD,oBAAU;AAGV,gBAAM,WAAW;AACjB,gBAAM,SAAS,WAAW,OAAO,MAAM;AAEvC,cAAI,SAAS,KAAK,QAAQ;AACxB,mBAAO,EAAE,OAAO,KAAI;UACtB;AAGA,cAAI,WAAW;AACf,cAAI,MAAM;AAEV,iBAAO,MAAM,UAAU,MAAM,KAAK,SAAS,GAAG;AAC5C,kBAAM,EAAE,OAAO,MAAM,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AACjE,mBAAO;AAEP,gBAAI,OAAO;AAAQ;AAEnB,kBAAM,EAAE,OAAO,KAAK,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AAC/D,mBAAO;AAGP,gBAAI,OAAO,IAAI,KAAK,UAAU;AAC5B,qBAAO;gBACL,OAAO;gBACP,QAAQ,QAAQ,IAAI,UAAU,QAAQ;;YAE1C;AAEA,uBAAW,OAAO,IAAI;AACtB,mBAAO,OAAO,GAAG;UACnB;AAEA,iBAAO,EAAE,OAAO,KAAI;QACtB,QAAQ;AACN,iBAAO,EAAE,OAAO,KAAI;QACtB;MACF;MAKQ,MAAM,sBAAsB,MAAgB;AAClD,YAAI;AACF,cAAI,SAAS;AACb,gBAAM,EAAE,OAAO,QAAQ,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACrE,oBAAU;AACV,gBAAM,EAAE,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACvD,oBAAU;AACV,gBAAM,EAAE,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACtD,oBAAU;AAEV,gBAAM,SAAS,SAAS,OAAO,MAAM;AAErC,cAAI,MAAM;AACV,iBAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,kBAAM,EAAE,OAAO,MAAM,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AACjE,mBAAO;AACP,kBAAM,EAAE,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AACnD,mBAAO;AAEP,kBAAM,EAAE,OAAO,QAAQ,QAAQ,YAAW,KAAK,GAAA,SAAA,cAC7C,MACA,MAAM,QAAQ;UAWlB;AAKA,gBAAM;AACN,iBAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,kBAAM,KAAI,GAAA,SAAA,cAAa,MAAM,GAAG;AAChC,mBAAO,EAAE;AACT,kBAAM,KAAI,GAAA,SAAA,cAAa,MAAM,GAAG;AAChC,mBAAO,EAAE;AAET,gBAAI,EAAE,UAAU;AAAK,qBAAO;AAE5B,mBAAO,OAAO,EAAE,KAAK;UACvB;AAEA,iBAAO;QACT,QAAQ;AACN,iBAAO;QACT;MACF;;AArVW,YAAA,uBAAA;mCAAA,uBAAoB,yBAAA,WAAA;OAFhC,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAC9B,GAAA,SAAA,YAAU;2DAoB4B,SAAA,kBAAa,eAAb,SAAA,mBAAa,aAAA,KAAA,MAAA,CAAA;OAnBvC,oBAAoB;;;;;;;;;;;;;;;;ACrHjC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAKO,QAAM,sBAAN,MAAM,oBAAmB;MAAzB,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAUnC;MARE,WAAQ;AACN,eAAO;MACT;MAEA,MAAM,MAAG;AAEP,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAXW,YAAA,sBAAA;kCAAA,sBAAmB,WAAA;OAF/B,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAM;OACM,mBAAmB;;;;;;;;;;;;;;;;ACRhC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,iBAAA;AAEA,QAAA,eAAA;AAUA,aAAS,UAAU,GAAa;AAC9B,UAAI,EAAE,WAAW;AACf,cAAM,IAAI,aAAA,UAAU,wBAAwB,uBAAuB,GAAG;AACxE,UAAI,IAAI;AACR,iBAAW,MAAM;AAAG,YAAK,KAAK,KAAM,OAAO,EAAE;AAC7C,aAAO;IACT;AAsFO,QAAM,yBAAN,MAAM,uBAAsB;MAA5B,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,UAAU;MAqMlC;MA3LE,SAAS,OAAU;AAEjB,eAAO,CAAC,CAAC,MAAM,UAAU;MAC3B;MAeA,MAAM,IACJ,OAAU;AAIV,cAAM,SAAS,MAAM,UAAU;AAC/B,cAAM,aAAa,MAAM;AACzB,cAAM,WAAW,MAAM;AAGvB,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,kBAAkB,eAAA,cAAc,UAAU,MAAM;AACtD,YAAI,CAAC,gBAAgB,SAAS;AAC5B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,6BAA6B,gBAAgB,MAAM,OAAO;;QAEtE;AAGA,YAAI;AACF,qBAAW,SAAS,OAAO,QAAQ;AAEjC,kBAAM,QAAQ,MAAM,SAAS;AAC7B,kBAAMC,OAAM,UAAU,WAAW,aAAa;AAG9C,kBAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAG9B,gBAAI,MAAM,YAAY,CAAC,KAAK;AAC1B,oBAAM,IAAI,aAAA,UACR,wBACA,2BAA2B,MAAM,IAAI,SAAS,MAAM,GAAG,KACvD,GAAG;YAEP;AAGA,gBAAI,CAAC;AAAK;AAGV,gBAAI,OAAO,MAAM,WAAW,YAAY,IAAI,SAAS,MAAM,QAAQ;AACjE,oBAAM,IAAI,aAAA,UACR,yBACA,SAAS,MAAM,IAAI,eAAe,IAAI,MAAM,MAAM,MAAM,MAAM,KAC9D,GAAG;YAEP;AAGA,oBAAQ,MAAM,MAAM;cAClB,KAAK;AAEH,oBAAI;AACF,sBAAI,YAAY,SAAS,EAAE,OAAO,KAAI,CAAE,EAAE,OAAO,GAAG;gBACtD,QAAQ;AACN,wBAAM,IAAI,aAAA,UACR,wBACA,oBAAoB,MAAM,IAAI,IAC9B,GAAG;gBAEP;AACA;cAEF,KAAK;AAEH,oBAAI,IAAI,WAAW,KAAM,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,GAAI;AACtD,wBAAM,IAAI,aAAA,UACR,wBACA,iBAAiB,MAAM,IAAI,IAC3B,GAAG;gBAEP;AACA;cAEF,KAAK,OAAO;AAEV,sBAAM,IAAI,UAAU,GAAG;AAGvB,oBAAI,MAAM,KAAK;AACb,wBAAM,KAAK,OAAO,MAAM,GAAG;AAC3B,sBAAI,IAAI,IAAI;AACV,0BAAM,IAAI,aAAA,UACR,yBACA,OAAO,MAAM,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAC3C,GAAG;kBAEP;gBACF;AACA;cACF;cAEA,KAAK;AAEH,oBAAI,IAAI,WAAW,IAAI;AACrB,wBAAM,IAAI,aAAA,UACR,wBACA,wBAAwB,MAAM,IAAI,IAClC,GAAG;gBAEP;AACA;cAEF,KAAK;AAEH;cAEF,KAAK;cACL,KAAK;AAGH;cAEF;AACE,sBAAM,IAAI,aAAA,UACR,wBACA,wBAAwB,MAAM,IAAI,IAClC,GAAG;YAET;UACF;AAGA,gBAAM,aAAa,MAAM,UAAU;AAGnC,cAAI,cAAc,WAAW,OAAO,GAAG;AACrC,uBAAW,SAAS,OAAO,QAAQ;AACjC,oBAAM,MAAM,WAAW,IAAI,MAAM,GAAG;AACpC,kBAAI,CAAC,OAAO,IAAI,WAAW;AAAG;AAE9B,oBAAM,QAAQ,MAAM,SAAS;AAC7B,oBAAMA,OAAM,UAAU,WAAW,aAAa;AAC9C,oBAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAC9B,kBAAI,CAAC;AAAK;AAEV,yBAAW,MAAM,KAAK;AACpB,sBAAM,QAAQ,GAAG,KAAK,MAAM,IAAI;AAChC,oBAAI,OAAO;AACT,wBAAM,IAAI,aAAA,UACR,4BACA,GAAG,MAAM,IAAI,SAAS,MAAM,GAAG,MAAM,KAAK,IAC1C,GAAG;gBAEP;cACF;YACF;UACF;QACF,SAAS,KAAU;AAEjB,cAAI,eAAe,aAAA,WAAW;AAC5B,mBAAO;cACL,QAAQ;cACR,MAAM,IAAI;cACV,QAAQ,IAAI;;UAEhB;AACA,gBAAM;QACR;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAhNW,YAAA,yBAAA;qCAAA,yBAAsB,WAAA;OAFlC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,sBAAsB;;;;;;;;;;;;;;;;AC5GnC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAuFO,QAAM,oBAAN,MAAM,kBAAiB;MAAvB,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAoDnC;MA3CE,WAAQ;AACN,eAAO;MACT;MAiBA,MAAM,MAAG;AAsBP,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA/DW,YAAA,oBAAA;gCAAA,oBAAiB,WAAA;OAF7B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,iBAAiB;;;;;;;;;;;;;;;;AC1F9B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAMA,QAAA,WAAA;AAwBO,QAAM,iBAAN,MAAM,eAAc;MAApB,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,UAAU;MA4HlC;MA1HE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,SAAS,MAAM;AACrB,YAAI,CAAC;AAAQ,iBAAO,EAAE,QAAQ,QAAO;AAGrC,cAAM,WACJ,OAAO,YAAY,OAAO;AAC5B,YAAI,YAAY,SAAS,SAAS,GAAG;AACnC,gBAAM,SAAS,KAAK,qBAAqB,UAAU,QAAQ;AAC3D,cAAI;AAAQ,mBAAO;QACrB;AAGA,cAAM,YACJ,OAAO,aAAa,MAAM;AAC5B,cAAM,YACJ,OAAO,UAAU,UAAa,OAAO,QAAQ,OAAU,IAAI;AAG7D,cAAM,cAAc,MAAM,UAAU,QAAQ;AAC5C,cAAM,WAAW,gBAAgB;AAEjC,YAAI,CAAC,YAAY,aAAa,aAAa,UAAU,SAAS,GAAG;AAC/D,gBAAM,SAAS,KAAK,qBAAqB,WAAW,MAAM;AAC1D,cAAI;AAAQ,mBAAO;QACrB;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAMQ,qBACN,KACA,SAAe;AAEf,YAAI,SAAS;AACb,YAAI,WAAW;AACf,YAAI,QAAQ;AACZ,cAAM,WAAW;AAEjB,eAAO,SAAS,IAAI,QAAQ;AAC1B,cAAI,SAAS,UAAU;AACrB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,oBAAoB,OAAO;;UAEvC;AAGA,cAAI;AACJ,cAAI;AACJ,cAAI;AACF,kBAAM,KAAI,GAAA,SAAA,cAAa,KAAK,MAAM;AAClC,mBAAO,EAAE;AACT,sBAAU,EAAE;UACd,QAAQ;AACN,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,4BAA4B,OAAO,cAAc,MAAM;;UAEnE;AACA,oBAAU;AAGV,cAAI,QAAQ,GAAG;AACb,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,eAAe,IAAI,OAAO,OAAO;;UAE7C;AAGA,cAAI,QAAQ,UAAU;AACpB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,8BAA8B,OAAO,KAAK,IAAI,UAAU,QAAQ;;UAE5E;AACA,qBAAW;AAGX,cAAI;AACJ,cAAI;AACJ,cAAI;AACF,kBAAM,KAAI,GAAA,SAAA,cAAa,KAAK,MAAM;AAClC,kBAAM,EAAE;AACR,qBAAS,EAAE;UACb,QAAQ;AACN,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,8BAA8B,OAAO;;UAEjD;AACA,oBAAU;AAGV,cAAI,SAAS,MAAM,IAAI,QAAQ;AAC7B,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,0BAA0B,OAAO;;UAE7C;AAEA,oBAAU;AACV;QACF;AAEA,eAAO;MACT;;AA7HW,YAAA,iBAAA;6BAAA,iBAAc,WAAA;OAF1B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,cAAc;;;;;;;;;;;;;;;;ACjC3B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AA6FO,QAAM,wBAAN,MAAM,sBAAqB;MAA3B,cAAA;AAEI,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,OAAO;AAGZ,aAAA,mBAAmB;MAoDtC;MA1CE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;MAC9C;MAcA,MAAM,IAAI,OAAkB;AAE1B,cAAM,OAAO,MAAM;AACnB,cAAM,SAAS;AACf,cAAM,YAAY,KAAK,IAAI,SAAS,IAAI,KAAK,MAAM;AAGnD,YAAI,oBAAoB;AACxB,iBAAS,IAAI,QAAQ,IAAI,WAAW,KAAK;AACvC,eAAK,KAAK,CAAC,IAAI,SAAU,GAAG;AAC1B;AACA,gBAAI,oBAAoB,KAAK,kBAAkB;AAC7C,qBAAO;gBACL,QAAQ;gBACR,MAAM;gBACN,QAAQ,kBAAkB,KAAK,gBAAgB;;YAEnD;UACF,OAAO;AAEL,gCAAoB;UACtB;QACF;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAjEW,YAAA,wBAAA;oCAAA,wBAAqB,WAAA;OAFjC,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAC9B,GAAA,SAAA,YAAU;OACE,qBAAqB;;;;;AChGlC;AAAA,IAAAC,gBAAA;AAAA;AAAA,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AAAA;AAAA;;;ACjBd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAsFA,mBAQA,gBAEA,sBAUA,mBA8BAC,gBAiJA,mBAsBA,qBAQA,2BACA,4BACA,0BACA,yBACAC,kBACAC,gBAcA;AA1UA;AAAA;AACA;AACA;AAIA;AAoBA;AACA;AASA;AAIA;AAIA;AAeA;AAIA;AAIA;AAmBA,wBAGO;AAIP;AACA,qBAA0B;AAC1B;AACA,2BAOO;AAGP,wBAAkC;AAmBlC;AAWA,IAAAF,iBAAyC;AACzC;AAIA;AAKA;AAQA;AASA;AAWA;AACA;AACA;AACA;AACA;AASA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAaA;AACA;AAGA;AACA;AAUA;AAwBA;AACA;AAGA;AAGA;AAGA;AAGA;AAGA;AAMA;AAWA,wBAGO;AACP;AAaA;AAKA,0BAKO;AAEP;AACA,gCAAyC;AACzC,iCAA0C;AAC1C,+BAAwC;AACxC,8BAAuC;AACvC,IAAAC,mBAAiC;AACjC,IAAAC,iBAA+B;AAE/B;AAYA,+BAAuC;AAIvC;AAWA;AAUA;AAGA;AAmCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAAC;AACA;AAAA;AAAA;","names":["Injectable","existing","SetMetadata","extractDtoSchema","buildDtoDecoder","tlvMap","AxisIdDto","AxisResponseDto","ObserverRegistry","ObserverDispatcherService","bytes","bytesToHex","sha256","bytes","bytesToHex","randomBytes","bytes","bytesToHex","hkdf","sha256","hexToBytes","bytes","Decision","verification","witness","handlerDuration","path","IntentRouter","AxisChainExecutor","bytes","normalize","schema","AxisChainExecutor","path","map","crypto","sha256","sha256","createHash","sha256","randomBytes","MAGIC","init_tlv","MAGIC","init_tlv","init_tlv","RiskDecision","createHash","IntentSensitivity","crypto","AxisFilesDownloadHandler","AxisFilesFinalizeHandler","ObserverDiscoveryService","HandlerDiscoveryService","SensorRegistry","SensorDiscoveryService","randomBytes","AxisSensorChainService","canonicalize","bytesToHex","canonicalize","base64UrlDecode","sha256","crypto","ProofType","z","BodyProfile","BodyProfileValidator","tlv","ProofType","TLV_SHA256_CHUNK","crypto","map","init_sensors","sha256","import_intent","import_observer","import_sensor","init_sensors"]}
1	+ {"version":3,"sources":["../src/decorators/chain.decorator.ts","../src/decorators/capsule-policy.decorator.ts","../src/decorators/intent-policy.decorator.ts","../src/decorators/handler.decorator.ts","../src/decorators/intent.decorator.ts","../src/decorators/intent-body.decorator.ts","../src/decorators/intent-sensors.decorator.ts","../src/decorators/observer.decorator.ts","../src/decorators/handler-sensors.decorator.ts","../src/decorators/sensor.decorator.ts","../src/decorators/tlv-field.decorator.ts","../src/core/tlv.ts","../src/decorators/dto-schema.util.ts","../src/base/axis-tlv.dto.ts","../src/base/axis-id.dto.ts","../src/base/axis-partial-type.ts","../src/base/axis-response.dto.ts","../src/core/constants.ts","../src/engine/axis-execution-context.ts","../src/engine/registry/observer.registry.ts","../src/engine/observer-dispatcher.service.ts","../src/cce/cce.types.ts","../src/cce/cce-derivation.service.ts","../src/cce/cce-crypto.ts","../src/cce/cce-response.service.ts","../src/cce/cce-witness.observer.ts","../src/sensor/axis-sensor.ts","../src/cce/cce-pipeline.ts","../src/core/axis-error.ts","../src/security/scopes.ts","../src/security/inline-capsule.ts","../src/engine/registry/sensor.registry.ts","../src/engine/intent.router.ts","../src/engine/axis-chain.executor.ts","../src/engine/sensor-bands.ts","../src/engine/observation/stable-json.ts","../src/engine/observation/observation-queue.codec.ts","../src/engine/observation/observation-hash.ts","../src/engine/observation/truth-scoring.ts","../src/engine/observation/response-observer.ts","../src/core/varint.ts","../src/core/axis-bin.ts","../src/core/signature.ts","../src/codec/ats1.constants.ts","../src/codec/ats1.ts","../src/codec/ats1.passkey.schemas.ts","../src/codec/tlv.encode.ts","../src/codec/axis1.encode.ts","../src/codec/axis1.signing.ts","../src/crypto/b64url.ts","../src/crypto/canonical-json.ts","../src/contract/execution-meter.ts","../src/contract/contract.interface.ts","../src/types/tlv.ts","../src/types/frame.ts","../src/types/packet.ts","../src/security/capabilities.ts","../src/law/law.types.ts","../src/law/index.ts","../src/risk/index.ts","../src/core/opcodes.ts","../src/core/receipt.ts","../src/core/intent-sensitivity.ts","../src/core/timeouts.ts","../src/core/frame-validator.ts","../src/upload/upload.tokens.ts","../src/upload/upload.types.ts","../src/upload/axis-files.handlers.ts","../src/upload/disk-upload-file.store.ts","../src/decorators/axis-request.decorator.ts","../src/engine/observer-discovery.service.ts","../src/engine/handler-discovery.service.ts","../src/engine/sensor-discovery.service.ts","../src/engine/axis-observation.ts","../src/security/axis-sensor-chain.service.ts","../src/timeline/timeline.engine.ts","../src/timeline/timeline.store.ts","../src/utils/axis-tlv-codec.ts","../src/loom/loom.types.ts","../src/loom/loom.engine.ts","../src/idel/idel.compiler.ts","../src/needle/needle.engine.ts","../src/needle/knot.engine.ts","../src/needle/fabric.engine.ts","../src/needle/pattern.engine.ts","../src/sensors/tps.sensor.ts","../src/sensors/risk-gate.sensor.ts","../src/sensors/tickauth.sensor.ts","../src/cce/sensors/cce-envelope-validation.sensor.ts","../src/cce/sensors/cce-client-signature.sensor.ts","../src/cce/sensors/cce-capsule-verification.sensor.ts","../src/cce/sensors/cce-tps-window.sensor.ts","../src/cce/sensors/cce-audience-intent-binding.sensor.ts","../src/cce/sensors/cce-replay-protection.sensor.ts","../src/cce/sensors/cce-payload-decryption.sensor.ts","../src/cce/sensors/index.ts","../src/cce/index.ts","../src/core/index.ts","../src/crypto/types.ts","../src/crypto/proof-verification.service.ts","../src/crypto/index.ts","../src/decorators/index.ts","../src/engine/axis-decoded.ts","../src/engine/axis-chain.types.ts","../src/engine/axis-observer.interface.ts","../src/engine/observation/observation-queue.types.ts","../src/engine/observation/index.ts","../src/engine/index.ts","../src/idel/idel.types.ts","../src/idel/index.ts","../src/loom/index.ts","../src/needle/needle.types.ts","../src/needle/knot.types.ts","../src/needle/fabric.types.ts","../src/needle/pattern.types.ts","../src/needle/index.ts","../src/schemas/axis-schemas.ts","../src/schemas/body-profile.validator.ts","../src/schemas/index.ts","../src/security/index.ts","../src/sensors/access-profile-resolver.sensor.ts","../src/sensors/body-budget.sensor.ts","../src/sensors/capability-enforcement.sensor.ts","../src/sensors/chunk-hash.sensor.ts","../src/sensors/entropy.sensor.ts","../src/sensors/execution-timeout.sensor.ts","../src/sensors/frame-budget.sensor.ts","../src/sensors/frame-header-sanity.sensor.ts","../src/sensors/header-tlv-limit.sensor.ts","../src/sensors/intent-allowlist.sensor.ts","../src/sensors/intent-registry.sensor.ts","../src/sensors/law-evaluation.sensor.ts","../src/sensors/proof-presence.sensor.ts","../src/sensors/protocol-strict.sensor.ts","../src/sensors/receipt-policy.sensor.ts","../src/sensors/schema-validation.sensor.ts","../src/sensors/stream-scope.sensor.ts","../src/sensors/tlv-parse.sensor.ts","../src/sensors/varint-hardening.sensor.ts","../src/sensors/index.ts","../src/timeline/timeline.types.ts","../src/timeline/index.ts","../src/utils/index.ts","../src/index.ts"],"sourcesContent":["import \"reflect-metadata\";\n\nimport type { ChainOptions, RegisteredChainConfig } from \"../engine/axis-chain.types\";\n\nexport const CHAIN_METADATA_KEY = \"axis:chain\";\n\nexport function Chain(options: ChainOptions = {}): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const value: RegisteredChainConfig = {\n enabled: true,\n ...options,\n };\n\n Reflect.defineMetadata(CHAIN_METADATA_KEY, value, target, propertyKey);\n };\n}","import \"reflect-metadata\";\n\nexport const CAPSULE_POLICY_METADATA_KEY = \"axis:capsule:policy\";\n\nexport type CapsuleScopeMode = \"all\" \| \"any\";\n\nexport interface CapsulePolicyOptions {\n required?: boolean;\n scopes?: string \| string[];\n scopeMode?: CapsuleScopeMode;\n intentBound?: boolean;\n allowCapsuleRef?: boolean;\n}\n\nexport function CapsulePolicy(\n options: CapsulePolicyOptions = {},\n): ClassDecorator & MethodDecorator {\n const normalized = normalizeCapsulePolicyOptions(options);\n\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n normalized,\n target,\n propertyKey,\n );\n return;\n }\n\n Reflect.defineMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n normalized,\n target as Function,\n );\n }) as ClassDecorator & MethodDecorator;\n}\n\nexport function normalizeCapsulePolicyOptions(\n options: CapsulePolicyOptions = {},\n): CapsulePolicyOptions {\n return {\n required: options.required ?? true,\n scopes: normalizeScopeValue(options.scopes),\n scopeMode: options.scopeMode ?? \"all\",\n intentBound: options.intentBound ?? true,\n allowCapsuleRef: options.allowCapsuleRef ?? false,\n };\n}\n\nexport function mergeCapsulePolicyOptions(\n base?: CapsulePolicyOptions,\n override?: CapsulePolicyOptions,\n): CapsulePolicyOptions \| undefined {\n if (!base && !override) {\n return undefined;\n }\n\n const normalizedBase = base ? normalizeCapsulePolicyOptions(base) : undefined;\n const normalizedOverride = override\n ? normalizeCapsulePolicyOptions(override)\n : undefined;\n\n const scopes = [\n ...toScopeList(normalizedBase?.scopes),\n ...toScopeList(normalizedOverride?.scopes),\n ];\n\n return {\n required: normalizedOverride?.required ?? normalizedBase?.required ?? true,\n scopes: normalizeScopeValue(scopes),\n scopeMode:\n normalizedOverride?.scopeMode ?? normalizedBase?.scopeMode ?? \"all\",\n intentBound:\n normalizedOverride?.intentBound ??\n normalizedBase?.intentBound ??\n true,\n allowCapsuleRef:\n normalizedOverride?.allowCapsuleRef ??\n normalizedBase?.allowCapsuleRef ??\n false,\n };\n}\n\nfunction normalizeScopeValue(\n value?: string \| string[],\n): string \| string[] \| undefined {\n const list = toScopeList(value);\n if (list.length === 0) {\n return undefined;\n }\n return list.length === 1 ? list[0] : list;\n}\n\nfunction toScopeList(value?: string \| string[]): string[] {\n if (!value) {\n return [];\n }\n\n return Array.from(new Set(Array.isArray(value) ? value : [value])).filter(\n (entry) => entry.trim().length > 0,\n );\n}","import \"reflect-metadata\";\n\nimport type { ExecutionContract } from \"../contract/contract.interface\";\nimport type { ProofKind, SensitivityLevel } from \"../schemas/axis-schemas\";\n\n// ─── Metadata Keys ────────────────────────────────────────────────────────────\n\n/** Metadata key stamped by @Axis on the protocol entry class. /\nexport const AXIS_META_KEY = \"axis:axis\";\n\nexport const SENSITIVITY_METADATA_KEY = \"axis:sensitivity\";\nexport const CONTRACT_METADATA_KEY = \"axis:contract\";\nexport const REQUIRED_PROOF_METADATA_KEY = \"axis:required_proof\";\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\n/\n Extends ProofKind with WITNESS — requires a co-signer witness signature\n * in addition to the standard proof kinds (CAPSULE, PASSPORT, MTLS, JWT).\n /\nexport type RequiredProofKind = ProofKind \| \"WITNESS\";\n\n// ─── @Sensitivity ─────────────────────────────────────────────────────────────\n\n/\n Declares the sensitivity tier of an intent.\n \n Used by risk gates and audit trails to apply appropriate scrutiny.\n \n @example\n * ```ts\n * @Sensitivity('CRITICAL')\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function Sensitivity(\n level: SensitivityLevel,\n): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n SENSITIVITY_METADATA_KEY,\n level,\n target,\n propertyKey,\n );\n return;\n }\n Reflect.defineMetadata(SENSITIVITY_METADATA_KEY, level, target as Function);\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @Contract ────────────────────────────────────────────────────────────────\n\n/\n Declares the execution contract (resource ceiling) for an intent.\n \n The execution meter enforces these limits at runtime. Unspecified fields\n * fall back to handler-level or global defaults.\n \n @example\n * ```ts\n * @Contract({ maxDbWrites: 5, maxTimeMs: 300 })\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function Contract(\n options: Partial<ExecutionContract>,\n): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n CONTRACT_METADATA_KEY,\n options,\n target,\n propertyKey,\n );\n return;\n }\n Reflect.defineMetadata(CONTRACT_METADATA_KEY, options, target as Function);\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @RequiredProof ───────────────────────────────────────────────────────────\n\n/\n Specifies which proof kinds are accepted to satisfy this intent.\n * At least one of the listed kinds must be present in the request.\n \n Use `@Capsule()` or `@Witness()` as ergonomic shorthands for the\n * single-proof case.\n \n @example\n * ```ts\n * @RequiredProof(['CAPSULE', 'WITNESS'])\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function RequiredProof(\n proofs: [RequiredProofKind, ...RequiredProofKind[]],\n): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proofs,\n target,\n propertyKey,\n );\n return;\n }\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proofs,\n target as Function,\n );\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @Capsule ─────────────────────────────────────────────────────────────────\n\n/\n Shorthand for `@RequiredProof(['CAPSULE'])`.\n \n Merges with any proof kinds already declared on the target so that\n * combining `@Capsule()` with `@Witness()` behaves identically to\n * `@RequiredProof(['CAPSULE', 'WITNESS'])`.\n \n @example\n * ```ts\n * @Capsule()\n * @Intent('axis.actor_keys.get')\n * async get() { ... }\n * ```\n /\nexport function Capsule(): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n const existing: RequiredProofKind[] =\n propertyKey !== undefined\n ? (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target,\n propertyKey,\n ) ?? [])\n : (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target as Function,\n ) ?? []);\n\n const merged: RequiredProofKind[] = existing.includes(\"CAPSULE\")\n ? existing\n : [...existing, \"CAPSULE\"];\n\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target,\n propertyKey,\n );\n } else {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target as Function,\n );\n }\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @Witness ─────────────────────────────────────────────────────────────────\n\n/\n Shorthand for `@RequiredProof(['WITNESS'])`.\n \n Declares that the intent requires a co-signer witness signature\n * (maps to `ProofType.WITNESS_SIG` at the protocol layer).\n \n Merges with any proof kinds already declared on the target, so\n * `@Capsule()` + `@Witness()` is equivalent to\n * `@RequiredProof(['CAPSULE', 'WITNESS'])`.\n \n @example\n * ```ts\n * @Witness()\n * @Sensitivity('CRITICAL')\n * @Intent('axis.actor_keys.list')\n * async list() { ... }\n * ```\n /\nexport function Witness(): ClassDecorator & MethodDecorator {\n return ((target: object \| Function, propertyKey?: string \| symbol) => {\n const existing: RequiredProofKind[] =\n propertyKey !== undefined\n ? (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target,\n propertyKey,\n ) ?? [])\n : (Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n target as Function,\n ) ?? []);\n\n const merged: RequiredProofKind[] = existing.includes(\"WITNESS\")\n ? existing\n : [...existing, \"WITNESS\"];\n\n if (propertyKey !== undefined) {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target,\n propertyKey,\n );\n } else {\n Reflect.defineMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n merged,\n target as Function,\n );\n }\n }) as ClassDecorator & MethodDecorator;\n}\n\n// ─── @Axis ───────────────────────────────────────────────────────────────────\n\n/\n @Axis — AXIS protocol entry point decorator.\n \n Marks a class as the single binary pipeline entry. The decorated class\n * is auto-discovered by `AxisEngineModule` and wired to `POST /axis`.\n * There must be exactly ONE `@Axis()` class in the application.\n \n @example\n * ```typescript\n * @Axis()\n * @Injectable()\n * export class AxisEntry implements NestMiddleware { ... }\n * ```\n /\nexport function Axis(): ClassDecorator {\n return (target: Function) => {\n Reflect.defineMetadata(AXIS_META_KEY, { entry: true }, target);\n };\n}\n\n// ─── @AxisPublic ──────────────────────────────────────────────────────────────\n\n/\n Metadata key stamped on a class or method to mark it as public.\n * Read by HandlerDiscoveryService and injected into SensorInput.metadata.isPublic.\n /\nexport const AXIS_PUBLIC_KEY = \"axis:public\";\n\n/\n @AxisPublic — Marks a handler class or individual intent method as public.\n \n Public intents bypass signature verification and authentication sensors.\n * Use for discovery/catalog endpoints, health checks, and registration flows.\n \n Applied at class level → all intents in the handler are public.\n * Applied at method level → only that intent is public.\n \n @example\n * ```typescript\n * @AxisPublic()\n * @Handler('catalog')\n * export class CatalogHandler { ... }\n \n // Single public intent inside an authenticated handler:\n * @Handler('axis.auth')\n * export class AuthHandler {\n * @AxisPublic()\n * @Intent('axis.auth.register', { absolute: true, kind: 'action' })\n * async register(...) { ... }\n * }\n * ```\n /\nexport function AxisPublic(): ClassDecorator & MethodDecorator {\n return (\n target: any,\n propertyKey?: string \| symbol,\n descriptor?: PropertyDescriptor,\n ) => {\n if (descriptor) {\n Reflect.defineMetadata(AXIS_PUBLIC_KEY, true, target, propertyKey!);\n return descriptor;\n }\n Reflect.defineMetadata(AXIS_PUBLIC_KEY, true, target);\n return target;\n };\n}\n\n// ─── @AxisAnonymous ───────────────────────────────────────────────────────────\n\n/\n Metadata key stamped on a class or method to mark it as anonymous-accessible.\n * Anonymous intents can be called with an anonymous-session capsule.\n * Read by HandlerDiscoveryService and injected into SensorInput.metadata.isAnonymous.\n /\nexport const AXIS_ANONYMOUS_KEY = \"axis:anonymous\";\n\n/\n @AxisAnonymous — Marks a handler class or individual intent method as\n * accessible to anonymous sessions.\n \n Anonymous intents require an anonymous-session capsule (issued via\n * `public.session.anonymous`) but do NOT require full actor authentication.\n * A step above `@AxisPublic` (which needs no capsule at all).\n \n Applied at class level → all intents in the handler are anonymous-accessible.\n * Applied at method level → only that intent is anonymous-accessible.\n \n @example\n * ```typescript\n * @Handler('catalog')\n * export class CatalogHandler {\n * @AxisAnonymous()\n * @Intent('catalog.list', { absolute: true, kind: 'read' })\n * async list(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function AxisAnonymous(): ClassDecorator & MethodDecorator {\n return (\n target: any,\n propertyKey?: string \| symbol,\n descriptor?: PropertyDescriptor,\n ) => {\n if (descriptor) {\n Reflect.defineMetadata(AXIS_ANONYMOUS_KEY, true, target, propertyKey!);\n return descriptor;\n }\n Reflect.defineMetadata(AXIS_ANONYMOUS_KEY, true, target);\n return target;\n };\n}\n\n// ─── @AxisRateLimit ───────────────────────────────────────────────────────────\n\n/\n Metadata key for per-intent rate limit config.\n * Stamped on a method by @AxisRateLimit.\n * Read by HandlerDiscoveryService and consumed by RateLimitSensor at runtime.\n /\nexport const AXIS_RATE_LIMIT_KEY = \"axis:rateLimit\";\n\nexport interface AxisRateLimitConfig {\n /* Maximum requests allowed within the window. /\n max: number;\n /* Sliding window duration in seconds. /\n windowSec: number;\n /\n Key strategy or named bucket.\n * e.g. 'ip_fingerprint' \| 'actor_capsule' \| 'auth' \| 'qr-scan'\n /\n key?: string;\n}\n\n/\n @AxisRateLimit — Per-intent rate limit configuration.\n \n Overrides the handler-level or global default rate limit for a single intent.\n * The config is read by HandlerDiscoveryService and injected into\n * SensorInput.metadata.rateLimit, consumed by RateLimitSensor at runtime.\n \n @example\n * ```typescript\n * @AxisRateLimit({ max: 5, windowSec: 60, key: 'ip_fingerprint' })\n * @Intent('axis.auth.login', { absolute: true, kind: 'action' })\n * async login(body: Uint8Array) { ... }\n * ```\n /\nexport function AxisRateLimit(config: AxisRateLimitConfig): MethodDecorator {\n return (\n target: object,\n propertyKey: string \| symbol,\n descriptor: PropertyDescriptor,\n ) => {\n Reflect.defineMetadata(AXIS_RATE_LIMIT_KEY, config, target, propertyKey);\n return descriptor;\n };\n}\n","import { Injectable, SetMetadata } from '@nestjs/common';\n\nexport const HANDLER_METADATA_KEY = 'axis:handler';\n\n/\n Decorator to mark a class as an Axis Handler.\n * Handlers are responsible for processing intents or specific logic\n * for Axis modules.\n /\nexport function Handler(intent?: string): ClassDecorator {\n return (target: Function) => {\n SetMetadata(HANDLER_METADATA_KEY, { intent })(target);\n Injectable()(target as any);\n };\n}\n","import 'reflect-metadata';\n\nimport type { ChainOptions } from '../engine/axis-chain.types';\n\nexport const INTENT_METADATA_KEY = 'axis:intent';\nexport const INTENT_ROUTES_KEY = 'axis:intent_routes';\n\n/\n CRUD + action classification for an intent.\n /\nexport type IntentKind = 'create' \| 'read' \| 'update' \| 'delete' \| 'action';\n\n/\n A sensor reference declared on an intent.\n * - `string`: resolved from SensorRegistry by sensor name\n * - `Function`: resolved from SensorRegistry by provider class, with DI fallback\n /\nexport type AxisIntentSensorRef = string \| Function;\n\n/\n Shared options for attaching intent-specific sensors.\n * Kept separate so other decorators / route metadata can extend it cleanly.\n /\nexport interface AxisIntentSensorOptions {\n /* Intent-specific sensors resolved before the handler executes /\n is?: AxisIntentSensorRef[];\n}\n\n/\n Describes a single TLV field expected by an intent.\n * Used by SchemaValidationSensor to enforce field contracts.\n /\nexport interface IntentTlvField {\n /* Human-readable field name (used in error messages) /\n name: string;\n /* TLV tag number /\n tag: number;\n /* Value type for type-specific validation /\n kind: 'utf8' \| 'u64' \| 'bytes' \| 'bytes16' \| 'bool' \| 'obj' \| 'arr';\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\nexport interface IntentRoute extends AxisIntentSensorOptions {\n action: string;\n methodName: string \| symbol;\n absolute?: boolean;\n frame?: boolean;\n kind?: IntentKind;\n chain?: boolean \| ChainOptions;\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n tlv?: IntentTlvField[];\n dto?: Function;\n}\n\nexport interface IntentOptions extends AxisIntentSensorOptions {\n /* Operation classification for this intent /\n kind?: IntentKind;\n /* If true, the action is the full intent name (not prefixed with handler name) /\n absolute?: boolean;\n /* If true, register as { handle: fn } for frame-based handlers /\n frame?: boolean;\n /* Enables intent-chain semantics for this intent, optionally with chain defaults /\n chain?: boolean \| ChainOptions;\n /\n How the body is encoded. Drives TLVParseSensor behavior:\n * - `TLV_MAP` — flat TLV map (canonical ordering enforced)\n * - `RAW` — raw bytes, skip TLV body validation\n * - `TLV_OBJ` — nested TLV object\n * - `TLV_ARR` — TLV array container\n /\n bodyProfile?: 'TLV_MAP' \| 'RAW' \| 'TLV_OBJ' \| 'TLV_ARR';\n /* Inline TLV field definitions for schema validation /\n tlv?: IntentTlvField[];\n /* DTO class decorated with @TlvField for schema extraction /\n dto?: Function;\n}\n\n/\n Marks a method as an intent handler.\n \n Stores both per-method metadata (INTENT_METADATA_KEY) and\n * route-collection metadata (INTENT_ROUTES_KEY) for backward compatibility.\n \n @example\n * ```ts\n * @Handler('axis.actor_keys')\n * class MyHandler {\n * @Intent('create', { kind: 'create', dto: CreateDto })\n * async create(body: Uint8Array) { ... }\n \n @Intent('axis.auth.login', { absolute: true, kind: 'action', dto: LoginDto })\n * async login(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function Intent(\n action: string,\n options?: IntentOptions,\n): MethodDecorator {\n return (target, propertyKey) => {\n // Per-method metadata (backend-style)\n Reflect.defineMetadata(\n INTENT_METADATA_KEY,\n { intent: action, ...options },\n target,\n propertyKey,\n );\n\n // Route-collection metadata (SDK-style, backward compat)\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, target.constructor) \|\| [];\n routes.push({\n action,\n methodName: propertyKey,\n absolute: options?.absolute,\n frame: options?.frame,\n kind: options?.kind,\n chain: options?.chain,\n bodyProfile: options?.bodyProfile,\n tlv: options?.tlv,\n dto: options?.dto,\n is: options?.is,\n });\n Reflect.defineMetadata(INTENT_ROUTES_KEY, routes, target.constructor);\n };\n}\n","import 'reflect-metadata';\n\nexport const INTENT_BODY_KEY = 'axis:intent:body';\n\n/\n @IntentBody — Auto-decode the raw Uint8Array body before the handler runs.\n \n The router reads this metadata and applies the decoder so handlers can\n * receive a parsed payload instead of raw bytes.\n /\nexport function IntentBody(decoder: (buf: Buffer) => any): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_BODY_KEY, decoder, target, propertyKey);\n };\n}\n","import 'reflect-metadata';\n\nimport type { AxisIntentSensorRef } from './intent.decorator';\n\nexport const INTENT_SENSORS_KEY = 'axis:intent:sensors';\n\n/\n @IntentSensors — Attach additional sensors that must pass before the\n * annotated intent handler executes.\n /\nexport function IntentSensors(sensors: AxisIntentSensorRef[]): MethodDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n Reflect.defineMetadata(INTENT_SENSORS_KEY, sensors, target, propertyKey);\n };\n}\n","import \"reflect-metadata\";\n\nimport { Injectable } from \"@nestjs/common\";\n\nimport type { AxisObserverEvent } from \"../engine/axis-chain.types\";\n\nexport const OBSERVER_METADATA_KEY = \"axis:observer\";\nexport const OBSERVER_BINDINGS_KEY = \"axis:observer:bindings\";\n\nexport type AxisObserverRef = string \| Function;\n\nexport interface AxisObserverDefinition {\n name?: string;\n tags?: string[];\n events?: AxisObserverEvent[];\n intents?: string[];\n handlers?: string[];\n}\n\nexport interface AxisObserverBinding {\n refs: AxisObserverRef[];\n tags?: string[];\n events?: AxisObserverEvent[];\n}\n\nexport interface AxisObserverBindingOptions {\n use: AxisObserverRef \| AxisObserverRef[];\n tags?: string[];\n events?: AxisObserverEvent[];\n}\n\nfunction isBindingOptions(\n value: unknown,\n): value is AxisObserverBindingOptions {\n return !!value && typeof value === \"object\" && \"use\" in value;\n}\n\nfunction isDefinitionOptions(value: unknown): value is AxisObserverDefinition {\n return (\n !!value &&\n typeof value === \"object\" &&\n !Array.isArray(value) &&\n !isBindingOptions(value)\n );\n}\n\nfunction toBinding(\n input?:\n \| AxisObserverDefinition\n \| AxisObserverBindingOptions\n \| AxisObserverRef\n \| AxisObserverRef[],\n): AxisObserverBinding \| null {\n if (!input) return null;\n\n if (isBindingOptions(input)) {\n const refs = Array.isArray(input.use) ? input.use : [input.use];\n return { refs, tags: input.tags, events: input.events };\n }\n\n if (Array.isArray(input)) {\n return { refs: input };\n }\n\n if (typeof input === \"function\" \|\| typeof input === \"string\") {\n return { refs: [input] };\n }\n\n return null;\n}\n\nexport function Observer(\n input?:\n \| AxisObserverDefinition\n \| AxisObserverBindingOptions\n \| AxisObserverRef\n \| AxisObserverRef[],\n): ClassDecorator & MethodDecorator {\n return ((\n target: object \| Function,\n propertyKey?: string \| symbol,\n ) => {\n const binding = toBinding(input);\n if (binding) {\n if (propertyKey !== undefined) {\n const existing: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, target, propertyKey) \|\| [];\n existing.push(binding);\n Reflect.defineMetadata(\n OBSERVER_BINDINGS_KEY,\n existing,\n target,\n propertyKey,\n );\n return;\n }\n\n const existing: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, target as Function) \|\| [];\n existing.push(binding);\n Reflect.defineMetadata(OBSERVER_BINDINGS_KEY, existing, target as Function);\n return;\n }\n\n if (propertyKey !== undefined) {\n throw new Error(\n \"@Observer method usage must reference one or more observer classes or names\",\n );\n }\n\n const definition = isDefinitionOptions(input) ? input : {};\n Reflect.defineMetadata(OBSERVER_METADATA_KEY, definition, target as Function);\n Injectable()(target as any);\n }) as ClassDecorator & MethodDecorator;\n}","import \"reflect-metadata\";\n\nimport type { AxisIntentSensorRef } from \"./intent.decorator\";\n\nexport const HANDLER_SENSORS_KEY = \"axis:handler:sensors\";\n\n/\n @HandlerSensors — Attach sensors that must pass before ANY intent in this\n * handler class executes. Per-intent @IntentSensors still run after these.\n \n @example\n * ```ts\n * @Handler('axis.vault')\n * @HandlerSensors([RateLimitSensor, AuditSensor])\n * export class VaultHandler {\n * @Intent('create')\n * async create(body: Uint8Array) { ... }\n \n @Intent('delete')\n * @IntentSensors([MfaSensor]) // Runs AFTER handler-level sensors\n * async delete(body: Uint8Array) { ... }\n * }\n * ```\n /\nexport function HandlerSensors(sensors: AxisIntentSensorRef[]): ClassDecorator {\n return (target: Function) => {\n Reflect.defineMetadata(HANDLER_SENSORS_KEY, sensors, target);\n };\n}\n","import { SetMetadata } from '@nestjs/common';\n\nexport const SENSOR_METADATA_KEY = 'axis:sensor';\n\nexport type SensorPhase = 'PRE_DECODE' \| 'POST_DECODE';\n\nexport interface SensorOptions {\n /* Explicit phase override. If omitted, auto-derived from order at bootstrap. /\n phase?: SensorPhase;\n}\n\n/\n Marks a class as an AXIS sensor for auto-registration.\n \n The SensorDiscoveryService finds all @Sensor() classes at bootstrap\n * and registers them with the SensorRegistry automatically.\n \n Sensors still declare `name`, `order`, `supports()`, and `run()` as\n * instance members. The decorator replaces manual `registry.register(this)`\n * in `onModuleInit()`.\n \n Phase can be set explicitly via options or auto-derived from order:\n * < PRE_DECODE_BOUNDARY (40) = PRE_DECODE, >= 40 = POST_DECODE.\n \n @example\n * ```typescript\n * @Sensor({ phase: 'PRE_DECODE' })\n * @Injectable()\n * export class WireSensor implements AxisSensor {\n * readonly name = 'WireSensor';\n * readonly order = BAND.WIRE + 10;\n * }\n \n @Sensor() // phase auto-derived as POST_DECODE\n * @Injectable()\n * export class PolicySensor implements AxisSensor {\n * readonly name = 'PolicySensor';\n * readonly order = BAND.POLICY + 10;\n * }\n * ```\n /\nexport function Sensor(options?: SensorOptions): ClassDecorator {\n return SetMetadata(SENSOR_METADATA_KEY, options ?? true);\n}\n","import 'reflect-metadata';\n\nexport const TLV_FIELDS_KEY = 'axis:tlv:fields';\nexport const TLV_VALIDATORS_KEY = 'axis:tlv:validators';\nconst textDecoder = new TextDecoder();\n\nexport type TlvFieldKind =\n \| 'utf8'\n \| 'u64'\n \| 'bytes'\n \| 'bytes16'\n \| 'bool'\n \| 'obj'\n \| 'arr';\n\nexport interface TlvFieldOptions {\n /* Value type for type-specific validation /\n kind: TlvFieldKind;\n /* If true, sensor denies when this tag is missing /\n required?: boolean;\n /* Maximum byte length of the value /\n maxLen?: number;\n /* Maximum numeric value (string for bigint-safe limits) /\n max?: string;\n /* Which frame section contains this field (default: 'body') /\n scope?: 'header' \| 'body';\n}\n\n/* Stored per-property metadata from @TlvField /\nexport interface TlvFieldMeta {\n /* Property name on the DTO class /\n property: string;\n /* TLV tag number /\n tag: number;\n /* Field options /\n options: TlvFieldOptions;\n}\n\n/\n Custom validation function applied via @TlvValidate.\n * Receives the raw TLV value bytes and the property name.\n * Return null/undefined to pass, or a string error message to deny.\n /\nexport type TlvValidatorFn = (\n value: Uint8Array,\n property: string,\n) => string \| null \| undefined;\n\n/* Stored per-property validator from @TlvValidate /\nexport interface TlvValidatorMeta {\n property: string;\n tag: number;\n validators: TlvValidatorFn[];\n}\n\nfunction assertUniqueFieldMetadata(\n existing: TlvFieldMeta[],\n property: string,\n tag: number,\n): void {\n const duplicateProperty = existing.find((item) => item.property === property);\n if (duplicateProperty) {\n throw new Error(`Duplicate @TlvField for property ${property}`);\n }\n\n const duplicateTag = existing.find((item) => item.tag === tag);\n if (duplicateTag) {\n throw new Error(\n `Duplicate @TlvField tag ${tag} for ${property}; already used by ${duplicateTag.property}`,\n );\n }\n}\n\n/\n @TlvField — Declare a TLV field contract on a DTO property.\n \n Applied to properties of a class passed to `@Intent({ dto: MyDto })`.\n * The schema is extracted at bootstrap and forwarded to SchemaValidationSensor.\n \n @example\n * ```typescript\n * class LoginDto {\n * @TlvField(100, { kind: 'utf8', required: true, maxLen: 256 })\n * email: string;\n \n @TlvField(105, { kind: 'bytes16', required: true })\n * deviceId: Buffer;\n \n @TlvField(103, { kind: 'bool' })\n * remember?: boolean;\n * }\n * ```\n /\nexport function TlvField(\n tag: number,\n options: TlvFieldOptions,\n): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, target.constructor) \|\| [];\n\n const property = String(propertyKey);\n assertUniqueFieldMetadata(existing, property, tag);\n\n existing.push({\n property,\n tag,\n options,\n });\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, existing, target.constructor);\n };\n}\n\n/\n @TlvValidate — Attach custom validation logic to a TLV field.\n \n Runs after standard type/size checks. The validator receives raw bytes\n * and must return null (pass) or an error string (deny).\n \n Multiple @TlvValidate decorators can be stacked on the same property.\n /\nexport function TlvValidate(validator: TlvValidatorFn): PropertyDecorator {\n return (target: object, propertyKey: string \| symbol) => {\n const existing: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, target.constructor) \|\| [];\n\n const prop = String(propertyKey);\n let entry = existing.find((e) => e.property === prop);\n\n if (!entry) {\n entry = { property: prop, tag: 0, validators: [] };\n existing.push(entry);\n }\n\n entry.validators.push(validator);\n\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, existing, target.constructor);\n };\n}\n\n// ─── Built-in Validators (composable with @TlvValidate) ───\n\n/\n @TlvUtf8Pattern — Validate a UTF-8 field against a regex.\n /\nexport function TlvUtf8Pattern(\n pattern: RegExp,\n message?: string,\n): PropertyDecorator {\n const matcher = new RegExp(pattern.source, pattern.flags);\n return TlvValidate((val, prop) => {\n const str = textDecoder.decode(val);\n matcher.lastIndex = 0;\n return matcher.test(str)\n ? null\n : message \|\| `${prop}: failed pattern check`;\n });\n}\n\n/\n @TlvMinLen — Minimum byte length for a field value.\n /\nexport function TlvMinLen(min: number, message?: string): PropertyDecorator {\n return TlvValidate((val, prop) => {\n return val.length >= min\n ? null\n : message \|\| `${prop}: too short (${val.length} < ${min})`;\n });\n}\n\n/\n @TlvEnum — UTF-8 field must be one of the listed values.\n /\nexport function TlvEnum(\n allowed: string[],\n message?: string,\n): PropertyDecorator {\n const set = new Set(allowed);\n return TlvValidate((val, prop) => {\n const str = textDecoder.decode(val);\n return set.has(str)\n ? null\n : message \|\| `${prop}: must be one of [${allowed.join(', ')}]`;\n });\n}\n\n/\n @TlvRange — Numeric u64 field must be within [min, max].\n /\nexport function TlvRange(\n min: bigint,\n max: bigint,\n message?: string,\n): PropertyDecorator {\n return TlvValidate((val, prop) => {\n if (val.length !== 8) return `${prop}: u64 must be 8 bytes`;\n let n = 0n;\n for (const b of val) n = (n << 8n) \| BigInt(b);\n if (n < min \|\| n > max) {\n return message \|\| `${prop}: value ${n} out of range [${min}, ${max}]`;\n }\n return null;\n });\n}\n","export {\n TLV, encodeTLVs, decodeTLVs, decodeTLVsList, decodeObject, decodeArray,\n} from '@nextera.one/axis-protocol';\n","import 'reflect-metadata';\n\nimport type { IntentTlvField } from './intent.decorator';\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from './tlv-field.decorator';\nimport { decodeTLVs } from '../core/tlv';\n\n/* Extracted schema from a DTO class — fields + optional validators /\nexport interface DtoSchema {\n fields: IntentTlvField[];\n validators: Map<number, TlvValidatorFn[]>;\n}\n\n/\n Extracts TLV field definitions and validators from a DTO class\n * decorated with @TlvField and @TlvValidate.\n /\nexport function extractDtoSchema(dto: Function): DtoSchema {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — nothing to validate`,\n );\n }\n\n const tagByProp = new Map<string, number>();\n const fields: IntentTlvField[] = fieldMetas.map((m) => {\n tagByProp.set(m.property, m.tag);\n return {\n name: m.property,\n tag: m.tag,\n kind: m.options.kind,\n required: m.options.required,\n maxLen: m.options.maxLen,\n max: m.options.max,\n scope: m.options.scope,\n };\n });\n\n const validatorMetas: TlvValidatorMeta[] =\n Reflect.getMetadata(TLV_VALIDATORS_KEY, dto) \|\| [];\n\n const validators = new Map<number, TlvValidatorFn[]>();\n for (const vm of validatorMetas) {\n const tag = tagByProp.get(vm.property);\n if (tag === undefined) {\n throw new Error(\n `@TlvValidate on ${dto.name}.${vm.property} but no @TlvField found for that property`,\n );\n }\n vm.tag = tag;\n validators.set(tag, vm.validators);\n }\n\n return { fields, validators };\n}\n\n/\n Builds a decoder function for a DTO class.\n \n The returned function takes raw TLV body bytes and returns a plain object\n * with property names as keys and decoded values matching the DTO shape.\n \n Value decoding by kind:\n * - utf8 → string\n * - u64 → bigint\n * - bytes / bytes16 → Uint8Array\n * - bool → boolean (0x00 = false, anything else = true)\n * - obj → JSON.parse of utf8\n * - arr → JSON.parse of utf8\n /\nexport function buildDtoDecoder(\n dto: Function,\n): (bodyBytes: Buffer) => Record<string, any> {\n const fieldMetas: TlvFieldMeta[] =\n Reflect.getMetadata(TLV_FIELDS_KEY, dto) \|\| [];\n\n if (fieldMetas.length === 0) {\n throw new Error(\n `DTO class ${dto.name} has no @TlvField decorators — cannot build decoder`,\n );\n }\n\n const tagMap = new Map<number, { property: string; kind: string }>();\n for (const m of fieldMetas) {\n tagMap.set(m.tag, { property: m.property, kind: m.options.kind });\n }\n\n return (bodyBytes: Buffer): Record<string, any> => {\n const tlvMap = decodeTLVs(new Uint8Array(bodyBytes));\n const result: Record<string, any> = {};\n\n for (const [tag, raw] of tlvMap) {\n const meta = tagMap.get(tag);\n if (!meta) continue;\n\n switch (meta.kind) {\n case 'utf8':\n result[meta.property] = new TextDecoder().decode(raw);\n break;\n case 'u64': {\n let n = 0n;\n for (let i = 0; i < raw.length; i++) {\n n = (n << 8n) \| BigInt(raw[i]);\n }\n result[meta.property] = n;\n break;\n }\n case 'bytes':\n case 'bytes16':\n result[meta.property] = raw;\n break;\n case 'bool':\n result[meta.property] = raw.length > 0 && raw[0] !== 0;\n break;\n case 'obj':\n case 'arr':\n result[meta.property] = JSON.parse(new TextDecoder().decode(raw));\n break;\n default:\n result[meta.property] = raw;\n }\n }\n\n return result;\n };\n}\n","/\n AxisTlvDto — Base class for all TLV-decoded DTO classes.\n \n Any DTO decorated with @TlvField that is passed to @Intent({ dto })\n * should extend this class. This gives the CRUD handler interface\n * a type-safe union: `Uint8Array \| AxisTlvDto`.\n \n The base is intentionally empty — it serves as a type marker.\n /\nexport abstract class AxisTlvDto {}\n","import { TlvField, TlvMinLen } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\nexport class AxisIdDto extends AxisTlvDto {\n @TlvField(1, { kind: 'utf8', required: true, maxLen: 128 })\n @TlvMinLen(1, 'id must not be empty')\n id!: string;\n}\n","import 'reflect-metadata';\n\nimport {\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n TlvFieldMeta,\n TlvValidatorMeta,\n} from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n AxisPartialType — Creates a DTO class where all TLV fields are optional.\n \n Copies TLV metadata (`axis:tlv:fields` + `axis:tlv:validators`)\n * and sets `required: false` on every field.\n \n TLV naturally supports partial payloads — only fields present in the\n * binary body get decoded. This utility makes the schema/sensor layer\n * aware that missing fields are acceptable for update operations.\n \n @example\n * ```typescript\n * export class UpdateBlocklistDto extends AxisPartialType(CreateBlocklistDto) {}\n * ```\n /\nexport function AxisPartialType<T extends new (...args: any[]) => AxisTlvDto>(\n BaseDto: T,\n): new (...args: any[]) => Partial<InstanceType<T>> & AxisTlvDto {\n class PartialDto extends (BaseDto as any) {}\n\n const fields: TlvFieldMeta[] =\n Reflect.getOwnMetadata(TLV_FIELDS_KEY, BaseDto) \|\| [];\n\n const partialFields: TlvFieldMeta[] = fields.map((f) => ({\n property: f.property,\n tag: f.tag,\n options: { ...f.options, required: false },\n }));\n\n Reflect.defineMetadata(TLV_FIELDS_KEY, partialFields, PartialDto);\n\n const validators: TlvValidatorMeta[] =\n Reflect.getOwnMetadata(TLV_VALIDATORS_KEY, BaseDto) \|\| [];\n\n if (validators.length > 0) {\n Reflect.defineMetadata(TLV_VALIDATORS_KEY, [...validators], PartialDto);\n }\n\n Object.defineProperty(PartialDto, 'name', {\n value: `Partial${BaseDto.name}`,\n });\n\n return PartialDto as any;\n}\n","import { TlvField } from '../decorators/tlv-field.decorator';\nimport { AxisTlvDto } from './axis-tlv.dto';\n\n/\n Reserved TLV body tags for server-generated response fields.\n \n Tags 1–10 are reserved for system/audit fields in response bodies.\n * Entity-specific fields start at tag 100+.\n /\nexport const RESPONSE_TAG_ID = 1;\nexport const RESPONSE_TAG_CREATED_AT = 2;\nexport const RESPONSE_TAG_UPDATED_AT = 3;\nexport const RESPONSE_TAG_CREATED_BY = 4;\nexport const RESPONSE_TAG_UPDATED_BY = 5;\n\n/\n AxisResponseDto — Base class for outbound TLV response bodies.\n \n Server-generated audit fields that the backend appends to every\n * entity response. These are NEVER sent by the client — they flow\n * server → client only.\n \n Timestamps are u64 Unix milliseconds (same as TLV_TS in headers).\n /\nexport abstract class AxisResponseDto extends AxisTlvDto {\n @TlvField(RESPONSE_TAG_ID, { kind: 'utf8' })\n id?: string;\n\n @TlvField(RESPONSE_TAG_CREATED_AT, { kind: 'u64' })\n created_at?: bigint;\n\n @TlvField(RESPONSE_TAG_UPDATED_AT, { kind: 'u64' })\n updated_at?: bigint;\n\n @TlvField(RESPONSE_TAG_CREATED_BY, { kind: 'utf8' })\n created_by?: string;\n\n @TlvField(RESPONSE_TAG_UPDATED_BY, { kind: 'utf8' })\n updated_by?: string;\n}\n","export {\n AXIS_MAGIC,\n AXIS_VERSION,\n MAX_HDR_LEN,\n MAX_BODY_LEN,\n MAX_SIG_LEN,\n MAX_FRAME_LEN,\n FLAG_BODY_TLV,\n FLAG_CHAIN_REQ,\n FLAG_HAS_WITNESS,\n TLV_PID,\n TLV_TS,\n TLV_INTENT,\n TLV_ACTOR_ID,\n TLV_PROOF_TYPE,\n TLV_PROOF_REF,\n TLV_NONCE,\n TLV_AUD,\n TLV_REALM,\n TLV_NODE,\n TLV_TRACE_ID,\n TLV_KID,\n TLV_RID,\n TLV_OK,\n TLV_EFFECT,\n TLV_ERROR_CODE,\n TLV_ERROR_MSG,\n TLV_PREV_HASH,\n TLV_RECEIPT_HASH,\n TLV_NODE_KID,\n TLV_NODE_CERT_HASH,\n TLV_LOOM_PRESENCE_ID,\n TLV_LOOM_WRIT,\n TLV_LOOM_THREAD_HASH,\n TLV_UPLOAD_ID,\n TLV_INDEX,\n TLV_OFFSET,\n TLV_SHA256_CHUNK,\n TLV_CAPSULE,\n TLV_BODY_OBJ,\n TLV_BODY_ARR,\n NCERT_NODE_ID,\n NCERT_KID,\n NCERT_ALG,\n NCERT_PUB,\n NCERT_NBF,\n NCERT_EXP,\n NCERT_SCOPE,\n NCERT_ISSUER_KID,\n NCERT_PAYLOAD,\n NCERT_SIG,\n PROOF_NONE,\n PROOF_CAPSULE,\n PROOF_JWT,\n PROOF_MTLS,\n PROOF_LOOM,\n PROOF_WITNESS,\n ProofType,\n BodyProfile,\n ERR_INVALID_PACKET,\n ERR_BAD_SIGNATURE,\n ERR_REPLAY_DETECTED,\n ERR_CONTRACT_VIOLATION,\n} from '@nextera.one/axis-protocol';\n\nexport abstract class AxisMediaTypes {\n static readonly BINARY = 'application/axis-bin';\n static readonly OCTET_STREAM = 'application/octet-stream';\n static readonly LEGACY_BINARY = 'application/x-axis';\n\n static readonly VALID_AXIS_CONTENT_TYPES = [\n AxisMediaTypes.BINARY,\n AxisMediaTypes.OCTET_STREAM,\n AxisMediaTypes.LEGACY_BINARY,\n ] as const;\n\n static normalize(value?: string \| null): string \| undefined {\n if (!value) return undefined;\n return value.split(';', 1)[0].trim().toLowerCase();\n }\n\n static isAxisContentType(value?: string \| null): boolean {\n const normalized = AxisMediaTypes.normalize(value);\n return (\n !!normalized &&\n AxisMediaTypes.VALID_AXIS_CONTENT_TYPES.some(\n (contentType) => contentType === normalized,\n )\n );\n }\n}\n","import type { AxisFrame } from \"../core/axis-bin\";\n\nimport type { AxisCapsuleRef, AxisChainEnvelope, AxisChainStep } from \"./axis-chain.types\";\n\nexport const AXIS_EXECUTION_CONTEXT_KEY = Symbol.for(\"axis.executionContext\");\n\nexport interface AxisExecutionContext {\n metaIntent?: \"INTENT.EXEC\" \| \"CHAIN.EXEC\";\n actorId?: string;\n inlineCapsule?: Record<string, unknown>;\n capsuleRef?: AxisCapsuleRef;\n chainEnvelope?: AxisChainEnvelope;\n chainStep?: AxisChainStep;\n}\n\ntype FrameLike = Partial<AxisFrame> & {\n [AXIS_EXECUTION_CONTEXT_KEY]?: AxisExecutionContext;\n};\n\nexport function getAxisExecutionContext(\n frame?: Partial<AxisFrame>,\n): AxisExecutionContext \| undefined {\n return (frame as FrameLike \| undefined)?.[AXIS_EXECUTION_CONTEXT_KEY];\n}\n\nexport function withAxisExecutionContext<T extends object>(\n target: T,\n context: AxisExecutionContext,\n): T {\n Object.defineProperty(target, AXIS_EXECUTION_CONTEXT_KEY, {\n value: context,\n writable: true,\n configurable: true,\n enumerable: false,\n });\n\n return target;\n}\n\nexport function mergeAxisExecutionContext(\n base?: AxisExecutionContext,\n override?: AxisExecutionContext,\n): AxisExecutionContext \| undefined {\n if (!base && !override) {\n return undefined;\n }\n\n return {\n ...base,\n ...override,\n capsuleRef: {\n ...(base?.capsuleRef \|\| {}),\n ...(override?.capsuleRef \|\| {}),\n },\n };\n}","import { Injectable, Logger } from \"@nestjs/common\";\n\nimport type { AxisObserverDefinition, AxisObserverRef } from \"../../decorators/observer.decorator\";\nimport type {\n AxisIntentObserver,\n AxisObserverRegistration,\n} from \"../axis-observer.interface\";\n\n@Injectable()\nexport class ObserverRegistry {\n private readonly logger = new Logger(ObserverRegistry.name);\n private readonly byName = new Map<string, AxisObserverRegistration>();\n private readonly byType = new Map<Function, AxisObserverRegistration>();\n\n register(\n instance: AxisIntentObserver,\n meta: AxisObserverDefinition = {},\n ): void {\n const name = meta.name \|\| instance.name \|\| instance.constructor.name;\n const registration: AxisObserverRegistration = {\n name,\n instance,\n tags: meta.tags \|\| [],\n events: meta.events,\n intents: meta.intents,\n handlers: meta.handlers,\n };\n\n this.byName.set(name, registration);\n this.byType.set(instance.constructor, registration);\n this.logger.debug(`Registered observer: ${name}`);\n }\n\n resolve(ref: AxisObserverRef): AxisObserverRegistration \| undefined {\n if (typeof ref === \"string\") {\n return this.byName.get(ref);\n }\n\n return this.byType.get(ref) \|\| this.byName.get(ref.name);\n }\n\n list(): AxisObserverRegistration[] {\n return Array.from(this.byName.values()).sort((left, right) =>\n left.name.localeCompare(right.name),\n );\n }\n\n clear(): void {\n this.byName.clear();\n this.byType.clear();\n }\n}","import { Injectable, Logger } from \"@nestjs/common\";\n\nimport type { AxisObserverBinding } from \"../decorators/observer.decorator\";\nimport type { AxisObserverContext } from \"./axis-observer.interface\";\nimport { ObserverRegistry } from \"./registry/observer.registry\";\n\nfunction unique<T>(values: T[]): T[] {\n return Array.from(new Set(values));\n}\n\n@Injectable()\nexport class ObserverDispatcherService {\n private readonly logger = new Logger(ObserverDispatcherService.name);\n\n constructor(private readonly registry: ObserverRegistry) {}\n\n async dispatch(\n bindings: AxisObserverBinding[] \| undefined,\n context: AxisObserverContext,\n ): Promise<void> {\n if (!bindings \|\| bindings.length === 0) return;\n\n const invoked = new Set<string>();\n\n for (const binding of bindings) {\n if (\n binding.events &&\n binding.events.length > 0 &&\n !binding.events.includes(context.event)\n ) {\n continue;\n }\n\n for (const ref of binding.refs) {\n const registration = this.registry.resolve(ref);\n if (!registration) {\n this.logger.warn(`Observer ${String(ref)} could not be resolved`);\n continue;\n }\n\n if (invoked.has(registration.name)) continue;\n\n if (\n registration.events &&\n registration.events.length > 0 &&\n !registration.events.includes(context.event)\n ) {\n continue;\n }\n\n const observerContext: AxisObserverContext = {\n ...context,\n observerTags: unique([\n ...(registration.tags \|\| []),\n ...(binding.tags \|\| []),\n ...(context.observerTags \|\| []),\n ]),\n };\n\n if (\n registration.instance.supports &&\n !registration.instance.supports(observerContext)\n ) {\n continue;\n }\n\n try {\n invoked.add(registration.name);\n await registration.instance.observe(observerContext);\n } catch (error: any) {\n this.logger.warn(\n `Observer ${registration.name} failed during ${context.event}: ${error.message}`,\n );\n }\n }\n }\n }\n}","/\n Capsule-Carried Encryption (CCE) Types — v1\n \n Defines the core types for the CCE protocol where:\n * - TickAuth issues capsules (authority)\n * - AXIS verifies capsules, decrypts payloads, derives execution context\n * - Payload confidentiality uses hybrid encryption (AES-GCM + AXIS public key)\n /\n\n// ============================================================================\n// CCE Protocol Constants\n// ============================================================================\n\nexport const CCE_PROTOCOL_VERSION = \"cce-v1\" as const;\n\n/* Derivation context prefixes for HKDF /\nexport const CCE_DERIVATION = {\n /* Request execution context /\n REQUEST: \"axis:cce:req:v1\",\n /* Response execution context /\n RESPONSE: \"axis:cce:resp:v1\",\n /* Witness binding context /\n WITNESS: \"axis:cce:witness:v1\",\n} as const;\n\n/* Supported encryption algorithms /\nexport type CceAlgorithm = \"AES-256-GCM\";\n/* Supported key encapsulation algorithms /\nexport type CceKemAlgorithm = \"X25519\" \| \"RSA-OAEP-256\";\n/* Supported KDF algorithms /\nexport type CceKdfAlgorithm = \"HKDF-SHA256\";\n\nexport const CCE_AES_KEY_BYTES = 32; // 256-bit AES key\nexport const CCE_IV_BYTES = 12; // 96-bit GCM nonce\nexport const CCE_TAG_BYTES = 16; // 128-bit GCM auth tag\nexport const CCE_NONCE_BYTES = 32; // 256-bit request/response nonce\n\n// ============================================================================\n// CCE Capsule Claims (extends TickAuth capsule for AXIS binding)\n// ============================================================================\n\n/\n CCE-specific claims that extend the TickAuth capsule.\n * These claims bind the capsule to a specific AXIS audience and intent.\n /\nexport interface CceCapsuleClaims {\n /* Capsule identifier (content-addressed) /\n capsule_id: string;\n /* Protocol version /\n ver: typeof CCE_PROTOCOL_VERSION;\n /* Subject / actor identity /\n sub: string;\n /* Client key identifier /\n kid: string;\n /* Bound intent /\n intent: string;\n /* AXIS audience (service identity) /\n aud: string;\n /* TPS window start (Unix ms or TPS index) /\n tps_from: number;\n /* TPS window end (Unix ms or TPS index) /\n tps_to: number;\n /* Capsule nonce (hex, from challenge) /\n capsule_nonce: string;\n /* Reference to originating challenge /\n challenge_id: string;\n /* Content hash of the validated proof used to issue this capsule /\n proof_hash?: string;\n /* Policy hash (hex) — Digital Fabric Law binding /\n policy_hash?: string;\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expires-at timestamp (Unix seconds) /\n exp: number;\n /* Capsule usage mode /\n mode: \"SINGLE_USE\" \| \"SESSION\";\n /* Scope capabilities /\n scope?: string[];\n /* Constraints /\n constraints?: CceConstraints;\n /* TickAuth issuer signature over claims /\n issuer_sig: CceSignature;\n}\n\nexport interface CceConstraints {\n max_payload_bytes?: number;\n ip_allow?: string[];\n device_allow?: string[];\n country_allow?: string[];\n}\n\nexport interface CceSignature {\n alg: \"EdDSA\" \| \"ES256\";\n kid: string;\n value: string; // base64url or hex\n}\n\n// ============================================================================\n// CCE Request Envelope\n// ============================================================================\n\n/\n The encrypted request envelope sent from Client → AXIS.\n \n The client:\n * 1. Generates ephemeral AES-256 key\n * 2. Encrypts payload with AES-256-GCM\n * 3. Encrypts AES key with AXIS public key (X25519 or RSA-OAEP)\n * 4. Signs the envelope with client private key\n * 5. Attaches capsule\n /\nexport interface CceRequestEnvelope {\n /* Protocol version /\n ver: typeof CCE_PROTOCOL_VERSION;\n /* Unique request identifier /\n request_id: string;\n /* Correlation identifier (for request/response binding) /\n correlation_id: string;\n /* Client key identifier /\n client_kid: string;\n /* The capsule claims (signed by TickAuth) /\n capsule: CceCapsuleClaims;\n /* Encrypted transport key (AXIS public key encrypted) /\n encrypted_key: CceEncryptedKey;\n /* Encrypted payload /\n encrypted_payload: CceEncryptedPayload;\n /* Request nonce (hex, 32 bytes) /\n request_nonce: string;\n /* Client signature over canonical envelope /\n client_sig: CceSignature;\n /* Content type of the plaintext payload /\n content_type: string;\n /* Algorithm descriptors /\n algorithms: CceAlgorithmDescriptor;\n /* Additional authenticated data descriptor /\n aad_descriptor?: string;\n}\n\n/\n Encrypted symmetric key wrapped by AXIS public key.\n /\nexport interface CceEncryptedKey {\n /* Key encapsulation algorithm /\n alg: CceKemAlgorithm;\n /* AXIS key identifier used for encapsulation /\n axis_kid: string;\n /* Encrypted key bytes (base64url) /\n ciphertext: string;\n /* Ephemeral public key (for X25519 ECDH, base64url) /\n ephemeral_pk?: string;\n}\n\n/\n Encrypted payload with AEAD metadata.\n /\nexport interface CceEncryptedPayload {\n /* Encryption algorithm /\n alg: CceAlgorithm;\n /* Initialization vector / nonce (base64url, 12 bytes) /\n iv: string;\n /* Ciphertext (base64url) /\n ciphertext: string;\n /* Authentication tag (base64url, 16 bytes) /\n tag: string;\n}\n\n/\n Algorithm descriptor for the envelope.\n /\nexport interface CceAlgorithmDescriptor {\n /* Key encapsulation /\n kem: CceKemAlgorithm;\n /* Symmetric encryption /\n enc: CceAlgorithm;\n /* Key derivation (for execution context) /\n kdf: CceKdfAlgorithm;\n /* Signature algorithm /\n sig: \"EdDSA\" \| \"ES256\";\n}\n\n// ============================================================================\n// CCE Response Envelope\n// ============================================================================\n\n/\n The encrypted response envelope sent from AXIS → Client.\n /\nexport interface CceResponseEnvelope {\n /* Protocol version /\n ver: typeof CCE_PROTOCOL_VERSION;\n /* Response identifier /\n response_id: string;\n /* Request identifier (binding) /\n request_id: string;\n /* Correlation identifier /\n correlation_id: string;\n /* Capsule identifier of the originating request /\n capsule_id: string;\n /* Encrypted transport key (Client public key encrypted) /\n encrypted_key: CceEncryptedKey;\n /* Encrypted response payload /\n encrypted_payload: CceEncryptedPayload;\n /* Response nonce (hex, 32 bytes) /\n response_nonce: string;\n /* AXIS signature over canonical response /\n axis_sig: CceSignature;\n /* Witness reference /\n witness_ref?: string;\n /* Algorithm descriptors /\n algorithms: CceAlgorithmDescriptor;\n /* Response status (plaintext, allowed on error) /\n status: CceResponseStatus;\n}\n\nexport type CceResponseStatus =\n \| \"SUCCESS\"\n \| \"DENIED\"\n \| \"PARTIAL\"\n \| \"FAILED\"\n \| \"ERROR\";\n\n// ============================================================================\n// CCE Execution Context (derived inside AXIS)\n// ============================================================================\n\n/\n Execution context derived from capsule claims + AXIS local secret.\n * Proves that the request was not only decrypted but legally executable.\n /\nexport interface CceExecutionContext {\n /* Derived execution key (used for witness binding, never exposed) /\n execution_key_hash: string;\n /* Request identifier /\n request_id: string;\n /* Capsule identifier /\n capsule_id: string;\n /* Subject identity /\n sub: string;\n /* Client key identifier /\n kid: string;\n /* Intent /\n intent: string;\n /* Audience /\n aud: string;\n /* TPS window /\n tps_from: number;\n tps_to: number;\n /* Policy hash (if bound) /\n policy_hash?: string;\n /* Timestamp of context derivation /\n derived_at: number;\n /* Whether this context is valid /\n valid: boolean;\n}\n\n// ============================================================================\n// CCE Witness Record\n// ============================================================================\n\n/\n Witness record for the CCE request/response lifecycle.\n /\nexport interface CceWitnessRecord {\n /* Witness identifier /\n witness_id: string;\n /* Request identifier /\n request_id: string;\n /* Capsule identifier /\n capsule_id: string;\n /* Subject identity /\n sub: string;\n /* Intent /\n intent: string;\n /* Audience /\n aud: string;\n /* TPS window /\n tps_from: number;\n tps_to: number;\n /* Timestamp /\n timestamp: number;\n\n /* Verification results /\n verification: {\n client_sig: boolean;\n capsule_sig: boolean;\n tps_valid: boolean;\n audience_match: boolean;\n intent_match: boolean;\n replay_clean: boolean;\n nonce_unique: boolean;\n decryption_ok: boolean;\n };\n\n /* Handler execution result /\n execution: {\n status: CceResponseStatus;\n handler_duration_ms: number;\n effect?: string;\n };\n\n /* Response encryption result /\n response_encrypted: boolean;\n\n /* Execution context hash (proves legal execution) /\n execution_context_hash: string;\n\n /* Payload hash (redacted, never raw content) /\n request_payload_hash?: string;\n response_payload_hash?: string;\n}\n\n// ============================================================================\n// CCE Error Codes\n// ============================================================================\n\nexport const CCE_ERROR = {\n // Envelope errors\n INVALID_ENVELOPE: \"CCE_INVALID_ENVELOPE\",\n UNSUPPORTED_VERSION: \"CCE_UNSUPPORTED_VERSION\",\n MISSING_CAPSULE: \"CCE_MISSING_CAPSULE\",\n MISSING_ENCRYPTED_KEY: \"CCE_MISSING_ENCRYPTED_KEY\",\n\n // Signature errors\n CLIENT_SIG_INVALID: \"CCE_CLIENT_SIG_INVALID\",\n CLIENT_KEY_NOT_FOUND: \"CCE_CLIENT_KEY_NOT_FOUND\",\n\n // Capsule errors\n CAPSULE_SIG_INVALID: \"CCE_CAPSULE_SIG_INVALID\",\n CAPSULE_EXPIRED: \"CCE_CAPSULE_EXPIRED\",\n CAPSULE_NOT_YET_VALID: \"CCE_CAPSULE_NOT_YET_VALID\",\n CAPSULE_REVOKED: \"CCE_CAPSULE_REVOKED\",\n CAPSULE_CONSUMED: \"CCE_CAPSULE_CONSUMED\",\n\n // Binding errors\n AUDIENCE_MISMATCH: \"CCE_AUDIENCE_MISMATCH\",\n INTENT_MISMATCH: \"CCE_INTENT_MISMATCH\",\n TPS_WINDOW_EXPIRED: \"CCE_TPS_WINDOW_EXPIRED\",\n TPS_WINDOW_FUTURE: \"CCE_TPS_WINDOW_FUTURE\",\n\n // Replay / nonce errors\n REPLAY_DETECTED: \"CCE_REPLAY_DETECTED\",\n NONCE_REUSED: \"CCE_NONCE_REUSED\",\n\n // Decryption errors\n DECRYPTION_FAILED: \"CCE_DECRYPTION_FAILED\",\n KEY_UNWRAP_FAILED: \"CCE_KEY_UNWRAP_FAILED\",\n AEAD_TAG_MISMATCH: \"CCE_AEAD_TAG_MISMATCH\",\n PAYLOAD_TOO_LARGE: \"CCE_PAYLOAD_TOO_LARGE\",\n\n // Schema / validation errors\n PAYLOAD_SCHEMA_INVALID: \"CCE_PAYLOAD_SCHEMA_INVALID\",\n INTENT_SCHEMA_MISMATCH: \"CCE_INTENT_SCHEMA_MISMATCH\",\n\n // Policy errors\n POLICY_DENIED: \"CCE_POLICY_DENIED\",\n CONSTRAINT_VIOLATED: \"CCE_CONSTRAINT_VIOLATED\",\n\n // Handler errors\n HANDLER_NOT_FOUND: \"CCE_HANDLER_NOT_FOUND\",\n HANDLER_EXECUTION_FAILED: \"CCE_HANDLER_EXECUTION_FAILED\",\n HANDLER_TIMEOUT: \"CCE_HANDLER_TIMEOUT\",\n\n // Response errors\n RESPONSE_ENCRYPTION_FAILED: \"CCE_RESPONSE_ENCRYPTION_FAILED\",\n} as const;\n\nexport type CceErrorCode = (typeof CCE_ERROR)[keyof typeof CCE_ERROR];\n\n/\n Structured CCE error.\n /\nexport class CceError extends Error {\n constructor(\n public readonly code: CceErrorCode,\n message: string,\n public readonly metadata?: Record<string, unknown>,\n ) {\n super(`[${code}] ${message}`);\n this.name = \"CceError\";\n }\n\n /* Whether this error is safe to expose to the client /\n get clientSafe(): boolean {\n // Never expose internal decryption/handler details\n const internal: CceErrorCode[] = [\n CCE_ERROR.DECRYPTION_FAILED,\n CCE_ERROR.KEY_UNWRAP_FAILED,\n CCE_ERROR.AEAD_TAG_MISMATCH,\n CCE_ERROR.HANDLER_EXECUTION_FAILED,\n CCE_ERROR.RESPONSE_ENCRYPTION_FAILED,\n ];\n return !internal.includes(this.code);\n }\n\n /* Get client-safe representation /\n toClientError(): { code: CceErrorCode; message: string } {\n if (this.clientSafe) {\n return { code: this.code, message: this.message };\n }\n return {\n code: CCE_ERROR.DECRYPTION_FAILED,\n message: \"Request processing failed\",\n };\n }\n}\n","import { bytesToHex, hexToBytes } from \"@noble/hashes/utils.js\";\n/\n CCE Key Derivation Service\n \n Implements HKDF-based key derivation for the Capsule-Carried Encryption protocol.\n * Keys are never placed in capsules — they are derived from:\n * - AXIS local secret (IKM)\n * - Capsule claims (salt + info)\n * - Request/response nonce (direction binding)\n * - Protocol version (upgrade protection)\n \n Uses @noble/hashes HKDF (RFC 5869) with SHA-256.\n /\nimport { hkdf } from \"@noble/hashes/hkdf.js\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n\nimport { CCE_AES_KEY_BYTES, CCE_DERIVATION, CCE_NONCE_BYTES, type CceCapsuleClaims, type CceExecutionContext } from \"./cce.types\";\n\n/\n Input parameters for key derivation.\n /\nexport interface CceDerivationInput {\n /* AXIS local secret (hex, must be kept private) /\n axisLocalSecret: string;\n /* Capsule claims from the request /\n capsule: CceCapsuleClaims;\n /* Request nonce (hex) /\n requestNonce: string;\n /* Response nonce (hex, only for response derivation) /\n responseNonce?: string;\n}\n\n/\n Build the salt for HKDF from capsule + nonce.\n \n salt = SHA-256(capsule_id \|\| capsule_nonce \|\| request_nonce)\n /\nfunction buildSalt(\n capsuleId: string,\n capsuleNonce: string,\n requestNonce: string,\n): Uint8Array {\n const encoder = new TextEncoder();\n const data = encoder.encode(\n capsuleId + \"\|\" + capsuleNonce + \"\|\" + requestNonce,\n );\n return sha256(data);\n}\n\n/\n Build the info string for HKDF.\n * Binds the derived key to all authority dimensions.\n \n info = context_prefix \| sub \| kid \| intent \| aud \| tps_from \| tps_to \| policy_hash \| ver\n /\nfunction buildInfo(\n contextPrefix: string,\n capsule: CceCapsuleClaims,\n extraNonce?: string,\n): Uint8Array {\n const encoder = new TextEncoder();\n const parts = [\n contextPrefix,\n capsule.sub,\n capsule.kid,\n capsule.intent,\n capsule.aud,\n String(capsule.tps_from),\n String(capsule.tps_to),\n capsule.policy_hash ?? \"\",\n capsule.ver,\n ];\n if (extraNonce) {\n parts.push(extraNonce);\n }\n return encoder.encode(parts.join(\"\|\"));\n}\n\n/\n Derive the request execution key.\n \n This key is used internally by AXIS to prove that:\n * 1. The request arrived with a valid capsule\n * 2. The capsule was bound to this specific intent/audience/subject\n * 3. AXIS possessed the local secret at derivation time\n \n The key itself is NEVER exposed — only its hash appears in witness records.\n /\nexport function deriveRequestExecutionKey(\n input: CceDerivationInput,\n): Uint8Array {\n const ikm = hexToBytes(input.axisLocalSecret);\n const salt = buildSalt(\n input.capsule.capsule_id,\n input.capsule.capsule_nonce,\n input.requestNonce,\n );\n const info = buildInfo(CCE_DERIVATION.REQUEST, input.capsule);\n\n return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);\n}\n\n/\n Derive the response execution key.\n * Uses a different context prefix and includes the response nonce,\n * ensuring request and response keys are always distinct.\n /\nexport function deriveResponseExecutionKey(\n input: CceDerivationInput & { responseNonce: string },\n): Uint8Array {\n const ikm = hexToBytes(input.axisLocalSecret);\n\n // Response salt uses a different construction\n const encoder = new TextEncoder();\n const saltData = encoder.encode(\n input.capsule.capsule_id +\n \"\|\" +\n input.capsule.capsule_nonce +\n \"\|\" +\n input.requestNonce +\n \"\|\" +\n input.responseNonce,\n );\n const salt = sha256(saltData);\n\n const info = buildInfo(\n CCE_DERIVATION.RESPONSE,\n input.capsule,\n input.responseNonce,\n );\n\n return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);\n}\n\n/\n Derive the witness binding key.\n * Used to create tamper-evident witness records.\n /\nexport function deriveWitnessKey(input: CceDerivationInput): Uint8Array {\n const ikm = hexToBytes(input.axisLocalSecret);\n const salt = buildSalt(\n input.capsule.capsule_id,\n input.capsule.capsule_nonce,\n input.requestNonce,\n );\n const info = buildInfo(CCE_DERIVATION.WITNESS, input.capsule);\n\n return hkdf(sha256, ikm, salt, info, CCE_AES_KEY_BYTES);\n}\n\n/\n Build a complete execution context from capsule claims and derivation.\n * The execution key is derived but only its hash is stored.\n /\nexport function buildExecutionContext(\n input: CceDerivationInput,\n requestId: string,\n): CceExecutionContext {\n const executionKey = deriveRequestExecutionKey(input);\n const keyHash = bytesToHex(sha256(executionKey));\n\n // Clear the raw key from memory (best effort)\n executionKey.fill(0);\n\n return {\n execution_key_hash: keyHash,\n request_id: requestId,\n capsule_id: input.capsule.capsule_id,\n sub: input.capsule.sub,\n kid: input.capsule.kid,\n intent: input.capsule.intent,\n aud: input.capsule.aud,\n tps_from: input.capsule.tps_from,\n tps_to: input.capsule.tps_to,\n policy_hash: input.capsule.policy_hash,\n derived_at: Math.floor(Date.now() / 1000),\n valid: true,\n };\n}\n\n/\n Generate a cryptographically secure nonce for CCE requests/responses.\n /\nexport function generateCceNonce(): string {\n const bytes = new Uint8Array(CCE_NONCE_BYTES);\n crypto.getRandomValues(bytes);\n return bytesToHex(bytes);\n}\n","import { bytesToHex } from \"@noble/hashes/utils.js\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n/\n CCE Crypto Primitives\n \n AES-256-GCM encryption/decryption and X25519 key exchange\n * for the Capsule-Carried Encryption protocol.\n \n Uses Node.js native crypto for AES-GCM (performant and FIPS-capable).\n /\nimport { createCipheriv, createDecipheriv, randomBytes } from \"crypto\";\n\nimport { CCE_AES_KEY_BYTES, CCE_IV_BYTES, CCE_TAG_BYTES } from \"./cce.types\";\n\n// ============================================================================\n// AES-256-GCM\n// ============================================================================\n\n/\n Encrypt plaintext with AES-256-GCM.\n /\nexport function aesGcmEncrypt(\n key: Uint8Array,\n plaintext: Uint8Array,\n aad?: Uint8Array,\n): { iv: Uint8Array; ciphertext: Uint8Array; tag: Uint8Array } {\n if (key.length !== CCE_AES_KEY_BYTES) {\n throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);\n }\n\n const iv = randomBytes(CCE_IV_BYTES);\n const cipher = createCipheriv(\"aes-256-gcm\", key, iv);\n\n if (aad) {\n cipher.setAAD(aad);\n }\n\n const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);\n const tag = cipher.getAuthTag();\n\n return {\n iv: new Uint8Array(iv),\n ciphertext: new Uint8Array(encrypted),\n tag: new Uint8Array(tag),\n };\n}\n\n/\n Decrypt ciphertext with AES-256-GCM.\n * Returns null if AEAD tag verification fails.\n /\nexport function aesGcmDecrypt(\n key: Uint8Array,\n iv: Uint8Array,\n ciphertext: Uint8Array,\n tag: Uint8Array,\n aad?: Uint8Array,\n): Uint8Array \| null {\n if (key.length !== CCE_AES_KEY_BYTES) {\n throw new Error(`AES key must be ${CCE_AES_KEY_BYTES} bytes`);\n }\n if (iv.length !== CCE_IV_BYTES) {\n throw new Error(`IV must be ${CCE_IV_BYTES} bytes`);\n }\n if (tag.length !== CCE_TAG_BYTES) {\n throw new Error(`Tag must be ${CCE_TAG_BYTES} bytes`);\n }\n\n try {\n const decipher = createDecipheriv(\"aes-256-gcm\", key, iv);\n decipher.setAuthTag(tag);\n\n if (aad) {\n decipher.setAAD(aad);\n }\n\n const decrypted = Buffer.concat([\n decipher.update(ciphertext),\n decipher.final(),\n ]);\n return new Uint8Array(decrypted);\n } catch {\n // AEAD tag mismatch or other decryption failure\n return null;\n }\n}\n\n/\n Generate an ephemeral AES-256 key.\n /\nexport function generateAesKey(): Uint8Array {\n return new Uint8Array(randomBytes(CCE_AES_KEY_BYTES));\n}\n\n/\n Generate a random IV for AES-GCM.\n /\nexport function generateIv(): Uint8Array {\n return new Uint8Array(randomBytes(CCE_IV_BYTES));\n}\n\n// ============================================================================\n// Base64url helpers\n// ============================================================================\n\nexport function base64UrlEncode(bytes: Uint8Array): string {\n return Buffer.from(bytes)\n .toString(\"base64\")\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport function base64UrlDecode(input: string): Uint8Array {\n const base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padding = \"=\".repeat((4 - (base64.length % 4)) % 4);\n return new Uint8Array(Buffer.from(base64 + padding, \"base64\"));\n}\n\n// ============================================================================\n// Payload hashing (for witness records)\n// ============================================================================\n\n/\n Hash a payload for witness records (never store raw plaintext).\n /\nexport function hashPayload(payload: Uint8Array): string {\n return bytesToHex(sha256(payload));\n}\n\n// ============================================================================\n// Default AES-GCM Provider (for sensor injection)\n// ============================================================================\n\nimport type { CceAesGcmProvider } from \"./sensors/cce-payload-decryption.sensor\";\n\n/\n Node.js native AES-GCM provider.\n /\nexport const nodeAesGcmProvider: CceAesGcmProvider = {\n async decrypt(\n key: Uint8Array,\n iv: Uint8Array,\n ciphertext: Uint8Array,\n tag: Uint8Array,\n aad?: Uint8Array,\n ): Promise<Uint8Array \| null> {\n return aesGcmDecrypt(key, iv, ciphertext, tag, aad);\n },\n};\n","import { bytesToHex } from \"@noble/hashes/utils.js\";\n/\n CCE Response Encryption Service\n \n Encrypts AXIS response payloads back to the client.\n \n v1 model:\n * - Generate ephemeral AES-256 key\n * - Encrypt response body with AES-GCM\n * - Encrypt AES key with client public key\n * - Sign response envelope with AXIS private key\n /\nimport { randomBytes } from \"crypto\";\n\nimport { aesGcmEncrypt, base64UrlEncode, generateAesKey, hashPayload } from \"./cce-crypto\";\nimport { CCE_NONCE_BYTES, CCE_PROTOCOL_VERSION, type CceAlgorithmDescriptor, type CceCapsuleClaims, type CceEncryptedKey, type CceEncryptedPayload, type CceRequestEnvelope, type CceResponseEnvelope, type CceResponseStatus, type CceSignature } from \"./cce.types\";\n\n/\n Client public key encryptor — wraps AES key with client's public key.\n /\nexport interface CceClientKeyEncryptor {\n wrapKey(\n aesKey: Uint8Array,\n clientKid: string,\n clientPublicKeyHex: string,\n ): Promise<CceEncryptedKey>;\n}\n\n/\n AXIS signing provider — signs response envelopes.\n /\nexport interface CceAxisSigner {\n sign(payload: Uint8Array): Promise<CceSignature>;\n}\n\n/\n Options for building a CCE response.\n /\nexport interface CceResponseOptions {\n /* Original request envelope /\n request: CceRequestEnvelope;\n /* Verified capsule claims /\n capsule: CceCapsuleClaims;\n /* Response status /\n status: CceResponseStatus;\n /* Response body (plaintext) /\n body: Uint8Array;\n /* Client public key (hex) for response encryption /\n clientPublicKeyHex: string;\n /* Witness reference /\n witnessRef?: string;\n}\n\n/\n Build and encrypt a CCE response envelope.\n /\nexport async function buildCceResponse(\n options: CceResponseOptions,\n clientKeyEncryptor: CceClientKeyEncryptor,\n axisSigner: CceAxisSigner,\n): Promise<{ envelope: CceResponseEnvelope; responsePayloadHash: string }> {\n const { request, capsule, status, body, clientPublicKeyHex, witnessRef } =\n options;\n\n // Generate response nonce\n const responseNonce = bytesToHex(\n new Uint8Array(randomBytes(CCE_NONCE_BYTES)),\n );\n\n // Generate response ID\n const responseId = generateResponseId();\n\n // Generate ephemeral AES key for response\n const aesKey = generateAesKey();\n\n // Build AAD for response (binds ciphertext to response context)\n const aad = buildResponseAad(\n request.request_id,\n responseId,\n request.correlation_id,\n capsule.capsule_id,\n responseNonce,\n );\n\n // Encrypt response body\n const { iv, ciphertext, tag } = aesGcmEncrypt(aesKey, body, aad);\n\n // Wrap AES key with client public key\n const encryptedKey = await clientKeyEncryptor.wrapKey(\n aesKey,\n request.client_kid,\n clientPublicKeyHex,\n );\n\n // Clear the raw AES key\n aesKey.fill(0);\n\n const encryptedPayload: CceEncryptedPayload = {\n alg: \"AES-256-GCM\",\n iv: base64UrlEncode(iv),\n ciphertext: base64UrlEncode(ciphertext),\n tag: base64UrlEncode(tag),\n };\n\n const algorithms: CceAlgorithmDescriptor = {\n kem: encryptedKey.alg,\n enc: \"AES-256-GCM\",\n kdf: \"HKDF-SHA256\",\n sig: \"EdDSA\",\n };\n\n // Build unsigned response\n const unsignedResponse: Omit<CceResponseEnvelope, \"axis_sig\"> = {\n ver: CCE_PROTOCOL_VERSION,\n response_id: responseId,\n request_id: request.request_id,\n correlation_id: request.correlation_id,\n capsule_id: capsule.capsule_id,\n encrypted_key: encryptedKey,\n encrypted_payload: encryptedPayload,\n response_nonce: responseNonce,\n algorithms,\n status,\n ...(witnessRef ? { witness_ref: witnessRef } : {}),\n };\n\n // Sign the response\n const signPayload = new TextEncoder().encode(canonicalize(unsignedResponse));\n const axisSig = await axisSigner.sign(signPayload);\n\n const envelope: CceResponseEnvelope = {\n ...unsignedResponse,\n axis_sig: axisSig,\n };\n\n return {\n envelope,\n responsePayloadHash: hashPayload(body),\n };\n}\n\n/\n Build a plaintext (unencrypted) error response for cases where\n * encryption is impossible (e.g., before capsule verification).\n /\nexport function buildCceErrorResponse(\n requestId: string,\n correlationId: string,\n status: CceResponseStatus,\n errorCode: string,\n message: string,\n): {\n ver: string;\n request_id: string;\n correlation_id: string;\n status: CceResponseStatus;\n error: { code: string; message: string };\n} {\n return {\n ver: CCE_PROTOCOL_VERSION,\n request_id: requestId,\n correlation_id: correlationId,\n status,\n error: { code: errorCode, message },\n };\n}\n\n// ============================================================================\n// Helpers\n// ============================================================================\n\nfunction generateResponseId(): string {\n const bytes = randomBytes(16);\n return \"resp_\" + bytesToHex(new Uint8Array(bytes)).slice(0, 24);\n}\n\nfunction buildResponseAad(\n requestId: string,\n responseId: string,\n correlationId: string,\n capsuleId: string,\n responseNonce: string,\n): Uint8Array {\n const parts = [\n requestId,\n responseId,\n correlationId,\n capsuleId,\n responseNonce,\n ];\n return new TextEncoder().encode(parts.join(\"\|\"));\n}\n\nfunction canonicalize(obj: unknown): string {\n if (Array.isArray(obj)) {\n return \"[\" + obj.map(canonicalize).join(\",\") + \"]\";\n }\n if (obj !== null && typeof obj === \"object\") {\n const sorted = Object.keys(obj as object)\n .sort()\n .map(\n (k) =>\n JSON.stringify(k) +\n \":\" +\n canonicalize((obj as Record<string, unknown>)[k]),\n );\n return \"{\" + sorted.join(\",\") + \"}\";\n }\n return JSON.stringify(obj);\n}\n","import { bytesToHex } from \"@noble/hashes/utils.js\";\nimport { hkdf } from \"@noble/hashes/hkdf.js\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n/\n CCE Witness Observer\n \n Records tamper-evident witness logs for every CCE request/response lifecycle.\n \n Redaction rules:\n * - Never store raw plaintext payloads (only hashes)\n * - Never store raw encryption keys\n * - Store verification outcomes, not raw crypto material\n /\nimport { randomBytes } from \"crypto\";\n\nimport { hashPayload } from \"./cce-crypto\";\nimport { CCE_DERIVATION, type CceCapsuleClaims, type CceRequestEnvelope, type CceResponseStatus, type CceWitnessRecord } from \"./cce.types\";\n\n/\n Witness store interface — implementations persist witness records.\n /\nexport interface CceWitnessStore {\n record(witness: CceWitnessRecord): Promise<void>;\n}\n\n/\n In-memory witness store for development/testing.\n /\nexport class InMemoryCceWitnessStore implements CceWitnessStore {\n readonly records: CceWitnessRecord[] = [];\n\n async record(witness: CceWitnessRecord): Promise<void> {\n this.records.push(witness);\n }\n\n getByRequestId(requestId: string): CceWitnessRecord \| undefined {\n return this.records.find((w) => w.request_id === requestId);\n }\n\n getByCapsuleId(capsuleId: string): CceWitnessRecord[] {\n return this.records.filter((w) => w.capsule_id === capsuleId);\n }\n}\n\n/\n Verification state accumulated during sensor chain execution.\n /\nexport interface CceVerificationState {\n clientSigVerified: boolean;\n capsuleSigVerified: boolean;\n tpsValid: boolean;\n audienceMatch: boolean;\n intentMatch: boolean;\n replayClean: boolean;\n nonceUnique: boolean;\n decryptionOk: boolean;\n}\n\n/\n Build a witness record from verification state and execution result.\n /\nexport function buildWitnessRecord(\n envelope: CceRequestEnvelope,\n capsule: CceCapsuleClaims,\n verification: CceVerificationState,\n execution: {\n status: CceResponseStatus;\n handlerDurationMs: number;\n effect?: string;\n },\n options: {\n axisLocalSecret: string;\n requestPayload?: Uint8Array;\n responsePayload?: Uint8Array;\n responseEncrypted: boolean;\n },\n): CceWitnessRecord {\n // Generate witness ID\n const witnessId = generateWitnessId(envelope.request_id, capsule.capsule_id);\n\n // Compute execution context hash using HKDF witness derivation\n const executionContextHash = computeExecutionContextHash(\n options.axisLocalSecret,\n capsule,\n envelope.request_nonce,\n );\n\n return {\n witness_id: witnessId,\n request_id: envelope.request_id,\n capsule_id: capsule.capsule_id,\n sub: capsule.sub,\n intent: capsule.intent,\n aud: capsule.aud,\n tps_from: capsule.tps_from,\n tps_to: capsule.tps_to,\n timestamp: Math.floor(Date.now() / 1000),\n verification: {\n client_sig: verification.clientSigVerified,\n capsule_sig: verification.capsuleSigVerified,\n tps_valid: verification.tpsValid,\n audience_match: verification.audienceMatch,\n intent_match: verification.intentMatch,\n replay_clean: verification.replayClean,\n nonce_unique: verification.nonceUnique,\n decryption_ok: verification.decryptionOk,\n },\n execution: {\n status: execution.status,\n handler_duration_ms: execution.handlerDurationMs,\n ...(execution.effect ? { effect: execution.effect } : {}),\n },\n response_encrypted: options.responseEncrypted,\n execution_context_hash: executionContextHash,\n ...(options.requestPayload\n ? { request_payload_hash: hashPayload(options.requestPayload) }\n : {}),\n ...(options.responsePayload\n ? { response_payload_hash: hashPayload(options.responsePayload) }\n : {}),\n };\n}\n\n/\n Extract verification state from sensor chain metadata.\n /\nexport function extractVerificationState(\n metadata: Record<string, any>,\n): CceVerificationState {\n return {\n clientSigVerified: metadata.cceClientSigVerified === true,\n capsuleSigVerified: metadata.cceCapsuleVerified === true,\n tpsValid: metadata.cceTpsValid === true,\n audienceMatch: metadata.cceBindingVerified === true,\n intentMatch: metadata.cceBindingVerified === true,\n replayClean: metadata.cceReplayClean === true,\n nonceUnique: metadata.cceReplayClean === true,\n decryptionOk: metadata.cceDecryptionOk === true,\n };\n}\n\n// ============================================================================\n// Internal\n// ============================================================================\n\nfunction generateWitnessId(requestId: string, capsuleId: string): string {\n const input = `witness:${requestId}:${capsuleId}:${Date.now()}`;\n const hash = sha256(new TextEncoder().encode(input));\n return \"wit_\" + bytesToHex(hash).slice(0, 24);\n}\n\nfunction computeExecutionContextHash(\n axisLocalSecret: string,\n capsule: CceCapsuleClaims,\n requestNonce: string,\n): string {\n const encoder = new TextEncoder();\n\n // Use HKDF to derive witness key\n const ikm = hexToBytes(axisLocalSecret);\n const salt = sha256(\n encoder.encode(\n capsule.capsule_id + \"\|\" + capsule.capsule_nonce + \"\|\" + requestNonce,\n ),\n );\n const info = encoder.encode(\n [\n CCE_DERIVATION.WITNESS,\n capsule.sub,\n capsule.kid,\n capsule.intent,\n capsule.aud,\n String(capsule.tps_from),\n String(capsule.tps_to),\n capsule.policy_hash ?? \"\",\n capsule.ver,\n ].join(\"\|\"),\n );\n\n const witnessKey = hkdf(sha256, ikm, salt, info, 32);\n const hash = bytesToHex(sha256(witnessKey));\n\n // Clear sensitive material\n witnessKey.fill(0);\n\n return hash;\n}\n\nfunction hexToBytes(hex: string): Uint8Array {\n const bytes = new Uint8Array(hex.length / 2);\n for (let i = 0; i < bytes.length; i++) {\n bytes[i] = parseInt(hex.slice(i 2, i * 2 + 2), 16);\n }\n return bytes;\n}\n","import type { AxisObservedContext } from '../types/axis-frame.types';\n\n/*\n Sensor Phase Metadata\n \n Metadata describing which phase(s) a sensor executes in.\n * Used for validation and optimization.\n \n @interface SensorPhaseMetadata\n /\nexport interface SensorPhaseMetadata {\n /* Execution phase: pre-decode (middleware) or post-decode (controller) /\n phase: 'PRE_DECODE' \| 'POST_DECODE';\n\n /* Other sensors that must run before this one /\n dependencies?: string[];\n\n /* Whether this sensor can perform async I/O /\n asyncOk?: boolean;\n\n /* Whether this sensor can use cryptographic operations /\n cryptoOk?: boolean;\n\n /* Human-readable description of sensor purpose /\n description?: string;\n}\n\n/\n AXIS Sensor Interface\n \n Core interface for all security sensors in the AXIS pipeline.\n /\nexport interface AxisSensor {\n readonly name: string;\n readonly order?: number; // Lower runs first\n /* Execution phase hint /\n phase?: SensorPhaseMetadata \| 'PRE_DECODE' \| 'POST_DECODE';\n supports?(input: SensorInput): boolean;\n run(input: SensorInput): Promise<SensorDecision>;\n}\n\n// Optional lifecycle hook for frameworks that support module initialization.\nexport interface AxisSensorInit extends AxisSensor {\n onModuleInit?(): void \| Promise<void>;\n}\n\n/\n Sensors that run before frame decoding/deserialization.\n * They should be fast, avoid I/O, and fail fast on malformed traffic.\n /\nexport interface AxisPreSensor extends AxisSensor {\n phase: 'PRE_DECODE';\n}\n\n/\n Sensors that run after a frame is fully decoded and parsed.\n * They may use full context (intent, actor, proofs) and can perform I/O.\n /\nexport interface AxisPostSensor extends AxisSensor {\n phase: 'POST_DECODE';\n}\n\n/\n Sensor Input\n \n Represents the structured data passed to a security sensor for evaluation.\n * Depending on the execution phase, different fields may be populated.\n \n Flow:\n * - Phase 1 (Pre-decode): `rawBytes`, `ip`, `path`, and `peek` are typically available.\n * - Phase 2/3 (Post-decode): `intent`, `contentLength`, and `metadata` are populated after frame parsing.\n \n @interface SensorInput\n /\nexport interface SensorInput {\n /* The full raw binary frame from the wire (if available) /\n rawBytes?: Buffer \| Uint8Array;\n\n /* The AXIS intent string extracted from the frame header (e.g., 'system.info') /\n intent?: string;\n\n /* IPv4/IPv6 address of the edge client /\n ip?: string;\n\n /* The HTTP or transport path being accessed /\n path?: string;\n\n /* Total size of the frame body in bytes /\n contentLength?: number;\n\n /* A small slice of the beginning of the body for early pattern matching /\n peek?: Uint8Array;\n\n /* Geolocation country code (if resolved by upstream middleware) /\n country?: string;\n\n /* Client identifier from the transport layer (e.g., Capsule ID or Socket ID) /\n clientId?: string;\n\n /* Whether the request is coming via a WebSocket connection /\n isWs?: boolean;\n\n /* Extensible metadata for cross-sensor communication /\n metadata?: Record<string, any>;\n\n /* Actor ID from frame or request /\n actorId?: string;\n\n /* Operation code /\n opcode?: string;\n\n /* Audience field /\n aud?: string;\n\n /* Observed context from frame parsing /\n observed?: AxisObservedContext;\n\n /* Parsed frame body /\n frameBody?: any;\n\n /* Device identifier /\n deviceId?: string;\n\n /* Session identifier /\n sessionId?: string;\n\n /* Parsed packet data /\n packet?: Record<string, any>;\n\n /* Dynamic field access for sensor-specific data /\n [key: string]: any;\n}\n\nexport enum Decision {\n ALLOW = 'ALLOW',\n DENY = 'DENY',\n THROTTLE = 'THROTTLE',\n FLAG = 'FLAG',\n}\n/\n Sensor Decision\n \n Represents the outcome of an individual sensor's evaluation.\n * Supports two formats for backward compatibility:\n \n 1. Modern format (preferred): Uses decision/allow/riskScore/reasons\n * 2. Legacy format: Uses action/code/reason (deprecated, will be removed)\n /\nexport type SensorDecision =\n // Modern format (preferred)\n \| {\n /* Final decision outcome (optional for backward compatibility) /\n decision?: Decision;\n /* Whether the request may continue immediately /\n allow: boolean;\n /* Risk score from 0–100 (0 = safe, 100 = blocked) /\n riskScore: number;\n /* Human & machine traceable reasons /\n reasons: string[];\n /* Machine-readable error or control code /\n code?: string;\n /* Throttle hint (only relevant for THROTTLE) /\n retryAfterMs?: number;\n /* Optional delta applied to rolling risk/anomaly state /\n scoreDelta?: number;\n /* Extra signals for audit, observability, forensics /\n tags?: Record<string, any>;\n /* Optional capsule / verification metadata /\n meta?: any;\n /* Optional constraint tightening instructions /\n tighten?: {\n expSecondsMax?: number;\n constraintsPatch?: Record<string, any>;\n };\n }\n // Legacy action-based format (deprecated)\n \| { action: 'ALLOW'; meta?: any }\n \| {\n action: 'DENY';\n code: string;\n reason?: string;\n retryAfterMs?: number;\n meta?: any;\n }\n \| { action: 'THROTTLE'; retryAfterMs: number; meta?: any }\n \| { action: 'FLAG'; scoreDelta: number; reasons: string[]; meta?: any };\n\nexport type SensorMinifiedDecision = {\n allow: boolean;\n riskScore: number;\n reasons: string[];\n tags?: Record<string, any>;\n meta?: any;\n tighten?: { expSecondsMax?: number; constraintsPatch?: Record<string, any> };\n /* Legacy fields for compatibility /\n retryAfterMs?: number;\n};\n\n/\n Helper to normalize SensorDecision (handles both legacy and modern formats)\n /\nexport function normalizeSensorDecision(\n sensorDecision: SensorDecision,\n): SensorMinifiedDecision {\n // Check if it's a legacy action-based format\n if ('action' in sensorDecision) {\n // Convert legacy format to modern\n switch (sensorDecision.action) {\n case 'ALLOW':\n return {\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: sensorDecision.meta,\n };\n case 'DENY':\n return {\n allow: false,\n riskScore: 100,\n reasons: [sensorDecision.code, sensorDecision.reason].filter(\n Boolean,\n ) as string[],\n meta: sensorDecision.meta,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n case 'THROTTLE':\n return {\n allow: false,\n riskScore: 50,\n reasons: ['RATE_LIMIT'],\n retryAfterMs: sensorDecision.retryAfterMs,\n meta: sensorDecision.meta,\n };\n case 'FLAG':\n return {\n allow: true,\n riskScore: sensorDecision.scoreDelta,\n reasons: sensorDecision.reasons,\n meta: sensorDecision.meta,\n };\n }\n }\n\n // Modern format - already has the required fields\n return {\n allow: sensorDecision.allow,\n riskScore: sensorDecision.riskScore,\n reasons: sensorDecision.reasons,\n tags: sensorDecision.tags,\n meta: sensorDecision.meta,\n tighten: sensorDecision.tighten,\n retryAfterMs: sensorDecision.retryAfterMs,\n };\n}\n\n/\n Helper factories for creating SensorDecision objects\n /\nexport const SensorDecisions = {\n allow(meta?: any, tags?: Record<string, any>): SensorDecision {\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n tags,\n meta,\n };\n },\n\n deny(code: string, reason?: string, meta?: any): SensorDecision {\n return {\n decision: Decision.DENY,\n allow: false,\n riskScore: 100,\n code,\n reasons: [code, reason].filter(Boolean) as string[],\n meta,\n };\n },\n\n throttle(retryAfterMs: number, meta?: any): SensorDecision {\n return {\n decision: Decision.THROTTLE,\n allow: false,\n riskScore: 50,\n retryAfterMs,\n code: 'RATE_LIMIT',\n reasons: ['RATE_LIMIT'],\n meta,\n };\n },\n\n flag(scoreDelta: number, reasons: string[], meta?: any): SensorDecision {\n return {\n decision: Decision.FLAG,\n allow: true,\n riskScore: scoreDelta,\n scoreDelta,\n reasons,\n meta,\n };\n },\n};\n","import { buildExecutionContext, type CceDerivationInput } from \"./cce-derivation.service\";\nimport { buildCceErrorResponse, buildCceResponse, type CceAxisSigner, type CceClientKeyEncryptor } from \"./cce-response.service\";\nimport { buildWitnessRecord, type CceWitnessStore, extractVerificationState } from \"./cce-witness.observer\";\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../sensor/axis-sensor\";\nimport { normalizeSensorDecision } from \"../sensor/axis-sensor\";\n/\n CCE Pipeline Orchestrator\n \n Orchestrates the full CCE request/response lifecycle within AXIS:\n \n Request path:\n * 1. Parse envelope\n * 2. Run sensor chain (7 CCE sensors in order)\n * 3. Derive execution context\n * 4. Route to handler\n * 5. Execute handler\n \n Response path:\n * 6. Encrypt response\n * 7. Sign response\n * 8. Record witness\n * 9. Return response\n \n This orchestrator can be integrated into IntentRouter or used standalone.\n /\nimport { CCE_ERROR, CCE_PROTOCOL_VERSION, type CceCapsuleClaims, CceError, type CceExecutionContext, type CceRequestEnvelope, type CceResponseEnvelope, type CceResponseStatus } from \"./cce.types\";\n\n/\n CCE handler function — receives decrypted payload and execution context.\n /\nexport type CceHandler = (\n payload: Uint8Array,\n context: CceHandlerContext,\n) => Promise<CceHandlerResult>;\n\nexport interface CceHandlerContext {\n /* Verified capsule claims /\n capsule: CceCapsuleClaims;\n /* Derived execution context /\n executionContext: CceExecutionContext;\n /* Original request envelope /\n envelope: CceRequestEnvelope;\n /* Client's verified public key /\n clientPublicKeyHex: string;\n /* Request intent /\n intent: string;\n /* Actor identity /\n sub: string;\n}\n\nexport interface CceHandlerResult {\n status: CceResponseStatus;\n body: Uint8Array;\n effect?: string;\n}\n\nexport interface CcePolicyContext {\n envelope: CceRequestEnvelope;\n capsule: CceCapsuleClaims;\n executionContext: CceExecutionContext;\n decryptedPayload: Uint8Array;\n clientPublicKeyHex: string;\n}\n\nexport interface CcePolicyDecision {\n allow: boolean;\n code?: string;\n message?: string;\n}\n\nexport interface CcePolicyEvaluator {\n evaluate(context: CcePolicyContext): Promise<CcePolicyDecision>;\n}\n\n/\n CCE Pipeline Configuration\n /\nexport interface CcePipelineConfig {\n /* AXIS local secret for key derivation (hex) /\n axisLocalSecret: string;\n /* AXIS audience identifier /\n axisAudience: string;\n /* CCE sensors (will be sorted by order) /\n sensors: AxisSensor[];\n /* Intent → handler mapping /\n handlers: Map<string, CceHandler>;\n /* Witness store /\n witnessStore: CceWitnessStore;\n /* Client key encryptor (for response encryption) /\n clientKeyEncryptor: CceClientKeyEncryptor;\n /* AXIS response signer /\n axisSigner: CceAxisSigner;\n /* Optional policy/law evaluator run after decryption and before handler execution /\n policyEvaluator?: CcePolicyEvaluator;\n}\n\n/\n Result of CCE pipeline execution.\n /\nexport type CcePipelineResult =\n \| { ok: true; response: CceResponseEnvelope; witnessId: string }\n \| {\n ok: false;\n error: { code: string; message: string };\n status: CceResponseStatus;\n };\n\n/\n Execute the full CCE pipeline.\n /\nexport async function executeCcePipeline(\n envelope: CceRequestEnvelope,\n config: CcePipelineConfig,\n): Promise<CcePipelineResult> {\n const startTime = Date.now();\n\n // Validate protocol version\n if (envelope.ver !== CCE_PROTOCOL_VERSION) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.UNSUPPORTED_VERSION,\n message: `Unsupported version: ${envelope.ver}`,\n },\n status: \"ERROR\",\n };\n }\n\n // Build sensor input\n const sensorInput: SensorInput = {\n intent: envelope.capsule.intent,\n metadata: {\n cce: true,\n cceEnvelope: envelope,\n contentType: \"application/axis-cce\",\n },\n };\n\n // Run sensor chain in order\n const sortedSensors = [...config.sensors].sort(\n (a, b) => (a.order ?? 999) - (b.order ?? 999),\n );\n\n for (const sensor of sortedSensors) {\n if (sensor.supports && !sensor.supports(sensorInput)) {\n continue;\n }\n\n let decision: SensorDecision;\n try {\n decision = await sensor.run(sensorInput);\n } catch (err) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.DECRYPTION_FAILED,\n message: `Sensor ${sensor.name} failed`,\n },\n status: \"ERROR\",\n };\n }\n\n const normalized = normalizeSensorDecision(decision);\n if (!normalized.allow) {\n const code =\n normalized.reasons[0]?.split(\":\")[0] ?? CCE_ERROR.DECRYPTION_FAILED;\n return {\n ok: false,\n error: { code, message: normalized.reasons.join(\"; \") },\n status: \"DENIED\",\n };\n }\n }\n\n // Extract verified state\n const capsule = sensorInput.metadata?.cceCapsule as CceCapsuleClaims;\n const decryptedPayload = sensorInput.metadata\n ?.cceDecryptedPayload as Uint8Array;\n const clientKey = sensorInput.metadata?.cceClientKey as {\n publicKeyHex: string;\n };\n\n if (!capsule \|\| !decryptedPayload \|\| !clientKey) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.DECRYPTION_FAILED,\n message: \"Sensor chain did not produce required outputs\",\n },\n status: \"ERROR\",\n };\n }\n\n // Derive execution context\n const derivationInput: CceDerivationInput = {\n axisLocalSecret: config.axisLocalSecret,\n capsule,\n requestNonce: envelope.request_nonce,\n };\n const executionContext = buildExecutionContext(\n derivationInput,\n envelope.request_id,\n );\n\n if (config.policyEvaluator) {\n try {\n const policyDecision = await config.policyEvaluator.evaluate({\n envelope,\n capsule,\n executionContext,\n decryptedPayload,\n clientPublicKeyHex: clientKey.publicKeyHex,\n });\n if (!policyDecision.allow) {\n const verification = extractVerificationState(sensorInput.metadata ?? {});\n const witness = buildWitnessRecord(\n envelope,\n capsule,\n verification,\n {\n status: \"DENIED\",\n handlerDurationMs: 0,\n effect: \"policy_denied\",\n },\n {\n axisLocalSecret: config.axisLocalSecret,\n requestPayload: decryptedPayload,\n responseEncrypted: false,\n },\n );\n await config.witnessStore.record(witness);\n\n return {\n ok: false,\n error: {\n code: policyDecision.code ?? CCE_ERROR.POLICY_DENIED,\n message:\n policyDecision.message ?? \"Request denied by policy evaluator\",\n },\n status: \"DENIED\",\n };\n }\n } catch (err) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.POLICY_DENIED,\n message: \"Policy evaluator failed\",\n },\n status: \"ERROR\",\n };\n }\n }\n\n // Route to handler\n const handler = config.handlers.get(capsule.intent);\n if (!handler) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.HANDLER_NOT_FOUND,\n message: `No handler for intent: ${capsule.intent}`,\n },\n status: \"ERROR\",\n };\n }\n\n // Execute handler\n const handlerContext: CceHandlerContext = {\n capsule,\n executionContext,\n envelope,\n clientPublicKeyHex: clientKey.publicKeyHex,\n intent: capsule.intent,\n sub: capsule.sub,\n };\n\n let result: CceHandlerResult;\n const handlerStart = Date.now();\n try {\n result = await handler(decryptedPayload, handlerContext);\n } catch (err) {\n const handlerDuration = Date.now() - handlerStart;\n\n // Record failure witness\n const verification = extractVerificationState(sensorInput.metadata ?? {});\n const witness = buildWitnessRecord(\n envelope,\n capsule,\n verification,\n { status: \"FAILED\", handlerDurationMs: handlerDuration },\n {\n axisLocalSecret: config.axisLocalSecret,\n requestPayload: decryptedPayload,\n responseEncrypted: false,\n },\n );\n await config.witnessStore.record(witness);\n\n return {\n ok: false,\n error: {\n code: CCE_ERROR.HANDLER_EXECUTION_FAILED,\n message: \"Handler execution failed\",\n },\n status: \"FAILED\",\n };\n }\n const handlerDuration = Date.now() - handlerStart;\n\n // Encrypt response\n let responseEnvelope: CceResponseEnvelope;\n let responsePayloadHash: string;\n\n try {\n const responseResult = await buildCceResponse(\n {\n request: envelope,\n capsule,\n status: result.status,\n body: result.body,\n clientPublicKeyHex: clientKey.publicKeyHex,\n },\n config.clientKeyEncryptor,\n config.axisSigner,\n );\n responseEnvelope = responseResult.envelope;\n responsePayloadHash = responseResult.responsePayloadHash;\n } catch (err) {\n return {\n ok: false,\n error: {\n code: CCE_ERROR.RESPONSE_ENCRYPTION_FAILED,\n message: \"Response encryption failed\",\n },\n status: \"ERROR\",\n };\n }\n\n // Record witness\n const verification = extractVerificationState(sensorInput.metadata ?? {});\n const witness = buildWitnessRecord(\n envelope,\n capsule,\n verification,\n {\n status: result.status,\n handlerDurationMs: handlerDuration,\n effect: result.effect,\n },\n {\n axisLocalSecret: config.axisLocalSecret,\n requestPayload: decryptedPayload,\n responsePayload: result.body,\n responseEncrypted: true,\n },\n );\n await config.witnessStore.record(witness);\n\n return {\n ok: true,\n response: responseEnvelope,\n witnessId: witness.witness_id,\n };\n}\n","export class AxisError extends Error {\n constructor(\n public code: string,\n message: string,\n public httpStatus: number = 400,\n public details?: Record<string, any>,\n ) {\n super(message);\n this.name = 'AxisError';\n }\n}\n","/\n AXIS Scope Utilities\n * Validates capsule scopes against required resource access.\n * Prevents BOLA (Broken Object Level Authorization) attacks.\n /\n\n/\n Check if a capsule has the required scope.\n * Scopes use colon notation: resource:id or resource:\n \n * Examples:\n * - wallet:w_123\n * - merchant:m_456\n * - payment:\n /\nexport function hasScope(scopes: string[], required: string): boolean {\n if (!Array.isArray(scopes) \|\| scopes.length === 0) {\n return false;\n }\n\n // Exact match\n if (scopes.includes(required)) {\n return true;\n }\n\n // Wildcard match: resource:* matches resource:anything\n const [resource, id] = required.split(':');\n if (resource && id) {\n const wildcard = `${resource}:`;\n if (scopes.includes(wildcard)) {\n return true;\n }\n }\n\n return false;\n}\n\n/\n Extract resource type and ID from scope.\n /\nexport function parseScope(\n scope: string,\n): { resource: string; id: string } \| null {\n const parts = scope.split(':');\n if (parts.length !== 2) return null;\n return { resource: parts[0], id: parts[1] };\n}\n\n/\n Check if actor can access a specific resource based on capsule scopes.\n /\nexport function canAccessResource(\n scopes: string[],\n resourceType: string,\n resourceId: string,\n): boolean {\n const required = `${resourceType}:${resourceId}`;\n return hasScope(scopes, required);\n}\n","import { hasScope } from \"./scopes\";\n\nexport interface InlineCapsuleClaims {\n id?: string;\n actorId?: string;\n intents?: string[];\n issuedAt?: bigint;\n expiresAt?: bigint;\n realm?: string;\n node?: string;\n scopes?: string[];\n raw: Record<string, unknown>;\n}\n\nexport function normalizeInlineCapsule(\n input: unknown,\n): InlineCapsuleClaims \| null {\n if (!input \|\| typeof input !== \"object\" \|\| Array.isArray(input)) {\n return null;\n }\n\n const raw = input as Record<string, unknown>;\n const scopes = normalizeStringList(raw.scopes ?? raw.scope);\n\n return {\n id: normalizeScalar(raw.id),\n actorId: normalizeScalar(raw.actorId),\n intents: normalizeStringList(raw.intents),\n issuedAt: normalizeTimestamp(raw.issuedAt ?? raw.iat),\n expiresAt: normalizeTimestamp(raw.expiresAt ?? raw.exp),\n realm: normalizeScalar(raw.realm),\n node: normalizeScalar(raw.node),\n scopes,\n raw,\n };\n}\n\nexport function inlineCapsuleAllowsIntent(\n capsule: InlineCapsuleClaims,\n intent: string,\n): boolean {\n if (!capsule.intents \|\| capsule.intents.length === 0) {\n return false;\n }\n\n for (const pattern of capsule.intents) {\n if (pattern === \"\" \|\| pattern === intent) {\n return true;\n }\n\n if (pattern.endsWith(\".\")) {\n const prefix = pattern.slice(0, -1);\n if (intent.startsWith(prefix)) {\n return true;\n }\n }\n }\n\n return false;\n}\n\nexport function isInlineCapsuleExpired(\n capsule: InlineCapsuleClaims,\n clockSkewMs = 30000,\n): boolean {\n if (capsule.expiresAt === undefined) {\n return false;\n }\n\n return BigInt(Date.now()) > capsule.expiresAt + BigInt(clockSkewMs);\n}\n\nexport function resolvePolicyScopes(\n scopes: string[],\n context: {\n body?: unknown;\n intent: string;\n actorId?: string;\n chainId?: string;\n stepId?: string;\n },\n): string[] {\n return scopes.map((scope) =>\n scope.replace(/\\$\\{([^}]+)\\}/g, (_match, expression: string) => {\n const resolved = resolveTemplateExpression(expression.trim(), context);\n if (resolved === undefined \|\| resolved === null \|\| resolved === \"\") {\n throw new Error(`CAPSULE_SCOPE_TEMPLATE_UNRESOLVED:${expression}`);\n }\n return String(resolved);\n }),\n );\n}\n\nexport function inlineCapsuleSatisfiesScopes(\n capsule: InlineCapsuleClaims,\n requiredScopes: string[],\n mode: \"all\" \| \"any\" = \"all\",\n): boolean {\n if (!capsule.scopes \|\| capsule.scopes.length === 0) {\n return false;\n }\n\n if (mode === \"any\") {\n return requiredScopes.some((scope) => hasScope(capsule.scopes!, scope));\n }\n\n return requiredScopes.every((scope) => hasScope(capsule.scopes!, scope));\n}\n\nfunction resolveTemplateExpression(\n expression: string,\n context: {\n body?: unknown;\n intent: string;\n actorId?: string;\n chainId?: string;\n stepId?: string;\n },\n): unknown {\n if (expression === \"intent\") {\n return context.intent;\n }\n\n if (expression === \"actorId\") {\n return context.actorId;\n }\n\n if (expression === \"chainId\") {\n return context.chainId;\n }\n\n if (expression === \"stepId\") {\n return context.stepId;\n }\n\n if (expression.startsWith(\"body.\")) {\n return getNestedValue(context.body, expression.slice(5));\n }\n\n return undefined;\n}\n\nfunction getNestedValue(value: unknown, path: string): unknown {\n if (!value \|\| typeof value !== \"object\") {\n return undefined;\n }\n\n return path.split(\".\").reduce<unknown>((current, segment) => {\n if (!current \|\| typeof current !== \"object\") {\n return undefined;\n }\n return (current as Record<string, unknown>)[segment];\n }, value);\n}\n\nfunction normalizeScalar(value: unknown): string \| undefined {\n if (typeof value === \"string\") {\n return value;\n }\n\n if (value instanceof Uint8Array) {\n return Buffer.from(value).toString(\"hex\");\n }\n\n return undefined;\n}\n\nfunction normalizeStringList(value: unknown): string[] \| undefined {\n if (!value) {\n return undefined;\n }\n\n const list = Array.isArray(value) ? value : [value];\n const normalized = list\n .map((entry) => (typeof entry === \"string\" ? entry : undefined))\n .filter((entry): entry is string => !!entry && entry.trim().length > 0);\n\n return normalized.length > 0 ? Array.from(new Set(normalized)) : undefined;\n}\n\nfunction normalizeTimestamp(value: unknown): bigint \| undefined {\n if (typeof value === \"bigint\") {\n return value;\n }\n\n if (typeof value === \"number\" && Number.isFinite(value)) {\n return BigInt(Math.trunc(value));\n }\n\n if (typeof value === \"string\" && value.trim().length > 0) {\n try {\n return BigInt(value);\n } catch {\n return undefined;\n }\n }\n\n return undefined;\n}","import { Injectable, Logger } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport {\n AxisSensor,\n AxisPreSensor,\n AxisPostSensor,\n} from '../../sensor/axis-sensor';\nimport type { AxisIntentSensorRef } from '../../decorators/intent.decorator';\n\n/\n AxisSensor Registry\n \n A central registry for all AXIS security sensors.\n * Sensors register themselves here during module initialization (onModuleInit).\n * The registry provides a list of sensors sorted by their execution priority (order).\n \n Supports phase-based filtering to separate pre-decode (middleware) from\n * post-decode (controller) sensors.\n \n PHASE SEPARATION:\n * - Pre-decode (order < 40): Run in middleware on raw bytes\n * - Post-decode (order >= 40): Run in controller on decoded frame\n \n @class SensorRegistry\n * @injectable\n /\n@Injectable()\nexport class SensorRegistry {\n private sensors: AxisSensor[] = [];\n private sensorsByName = new Map<string, AxisSensor>();\n private sensorsByType = new Map<Function, AxisSensor>();\n private readonly logger = new Logger(SensorRegistry.name);\n\n constructor(private readonly configService: ConfigService) {}\n\n /\n Registers a new sensor in the registry.\n \n Validates that:\n * - AxisSensor has a unique name\n * - AxisSensor has an order field\n * - Pre-decode sensors have order < 40\n * - Post-decode sensors have order >= 40\n \n @param {AxisSensor} sensor - The sensor instance to register\n * @throws Error if validation fails\n /\n register(sensor: AxisSensor): void {\n // Validation\n if (!sensor.name) {\n throw new Error('AxisSensor must have a name');\n }\n\n // Check environment variables for filtering\n const enabledSensorsStr = this.configService.get<string>('ENABLED_SENSORS');\n const disabledSensorsStr =\n this.configService.get<string>('DISABLED_SENSORS');\n\n const enabledSensors = enabledSensorsStr\n ? enabledSensorsStr.split(',').map((s) => s.trim())\n : null;\n const disabledSensors = disabledSensorsStr\n ? disabledSensorsStr.split(',').map((s) => s.trim())\n : [];\n\n if (enabledSensors && !enabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (not in ENABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (disabledSensors.includes(sensor.name)) {\n this.logger.log(`Skipping disabled sensor (in DISABLED_SENSORS): ${sensor.name}`);\n return;\n }\n\n if (sensor.order === undefined) {\n throw new Error(`AxisSensor \"${sensor.name}\" must have an order field`);\n }\n\n // Check for phase consistency\n const isPreDecodeSensor = this.isPreDecodeSensor(sensor);\n const isPostDecodeSensor = this.isPostDecodeSensor(sensor);\n\n if (isPreDecodeSensor && sensor.order >= 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as PRE_DECODE but has order ${sensor.order} (should be < 40)`,\n );\n }\n if (isPostDecodeSensor && sensor.order < 40) {\n this.logger.warn(\n `AxisSensor \"${sensor.name}\" is marked as POST_DECODE but has order ${sensor.order} (should be >= 40)`,\n );\n }\n\n this.sensors.push(sensor);\n this.indexSensor(sensor);\n const phaseLabel =\n typeof sensor.phase === 'string'\n ? sensor.phase\n : sensor.phase?.phase \|\| 'UNKNOWN';\n this.logger.debug(\n `Registered sensor: ${sensor.name} (order: ${sensor.order}, phase: ${phaseLabel})`,\n );\n }\n\n /\n Returns all registered sensors, sorted by their execution order.\n \n @returns {AxisSensor[]} A sorted array of sensors\n /\n list(): AxisSensor[] {\n return [...this.sensors].sort(\n (a, b) => (a.order ?? 999) - (b.order ?? 999),\n );\n }\n\n /\n Resolves a sensor by registry name or provider class.\n /\n resolve(ref: AxisIntentSensorRef): AxisSensor \| undefined {\n if (typeof ref === 'string') {\n return this.sensorsByName.get(ref);\n }\n\n return this.sensorsByType.get(ref) ?? this.sensorsByName.get(ref.name);\n }\n\n /\n Resolves a sensor by its declared registry name.\n /\n getByName(name: string): AxisSensor \| undefined {\n return this.sensorsByName.get(name);\n }\n\n /\n Returns only pre-decode sensors (order < 40).\n * These sensors run in middleware on raw bytes before frame decoding.\n \n @returns {AxisPreSensor[]} Pre-decode sensors sorted by order\n /\n getPreDecodeSensors(): AxisPreSensor[] {\n return this.list().filter((s): s is AxisPreSensor => (s.order ?? 999) < 40);\n }\n\n /\n Returns only post-decode sensors (order >= 40).\n * These sensors run in the controller on fully decoded frames.\n \n @returns {AxisPostSensor[]} Post-decode sensors sorted by order\n /\n getPostDecodeSensors(): AxisPostSensor[] {\n return this.list().filter(\n (s): s is AxisPostSensor => (s.order ?? 999) >= 40,\n );\n }\n\n /\n Helper: Check if a sensor is a pre-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is pre-decode\n /\n private isPreDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'PRE_DECODE' \|\| (sensor.order ?? 999) < 40;\n }\n\n /\n Helper: Check if a sensor is a post-decode sensor.\n \n @private\n * @param {AxisSensor} sensor - The sensor to check\n * @returns {boolean} True if sensor is post-decode\n /\n private isPostDecodeSensor(sensor: AxisSensor): boolean {\n const phase =\n typeof sensor.phase === 'string' ? sensor.phase : sensor.phase?.phase;\n return phase === 'POST_DECODE' \|\| (sensor.order ?? 999) >= 40;\n }\n\n /\n Returns sensor count by phase.\n * Useful for diagnostics and monitoring.\n \n @returns {{preDecodeCount: number, postDecodeCount: number}}\n /\n getSensorCountByPhase(): { preDecodeCount: number; postDecodeCount: number } {\n return {\n preDecodeCount: this.getPreDecodeSensors().length,\n postDecodeCount: this.getPostDecodeSensors().length,\n };\n }\n\n /\n Clears all registered sensors.\n * Useful for testing.\n \n @internal\n /\n clear(): void {\n this.sensors = [];\n this.sensorsByName.clear();\n this.sensorsByType.clear();\n }\n\n private indexSensor(sensor: AxisSensor): void {\n this.sensorsByName.set(sensor.name, sensor);\n\n const sensorType = sensor.constructor as Function \| undefined;\n if (!sensorType) return;\n\n this.sensorsByType.set(sensorType, sensor);\n\n // Allow lookup by class name when it differs from the declared sensor.name.\n if (!this.sensorsByName.has(sensorType.name)) {\n this.sensorsByName.set(sensorType.name, sensor);\n }\n }\n}\n","import { Injectable, Logger, Optional } from \"@nestjs/common\";\nimport { ModuleRef } from \"@nestjs/core\";\nimport {\n decodeChainEnvelope,\n decodeChainRequest,\n} from \"@nextera.one/axis-protocol\";\n\nimport {\n type CceHandler,\n type CcePipelineConfig,\n type CcePipelineResult,\n executeCcePipeline,\n} from \"../cce/cce-pipeline\";\nimport type { CceRequestEnvelope } from \"../cce/cce.types\";\nimport { AxisFrame } from \"../core/axis-bin\";\nimport { AxisError } from \"../core/axis-error\";\nimport {\n TLV_ACTOR_ID,\n TLV_CAPSULE,\n TLV_INTENT,\n TLV_NODE,\n TLV_PROOF_REF,\n TLV_REALM,\n} from \"../core/constants\";\nimport {\n CAPSULE_POLICY_METADATA_KEY,\n type CapsulePolicyOptions,\n mergeCapsulePolicyOptions,\n normalizeCapsulePolicyOptions,\n} from \"../decorators/capsule-policy.decorator\";\nimport { CHAIN_METADATA_KEY } from \"../decorators/chain.decorator\";\nimport {\n buildDtoDecoder,\n extractDtoSchema,\n} from \"../decorators/dto-schema.util\";\nimport { HANDLER_SENSORS_KEY } from \"../decorators/handler-sensors.decorator\";\nimport { HANDLER_METADATA_KEY } from \"../decorators/handler.decorator\";\nimport { INTENT_BODY_KEY } from \"../decorators/intent-body.decorator\";\nimport {\n AXIS_ANONYMOUS_KEY,\n AXIS_PUBLIC_KEY,\n AXIS_RATE_LIMIT_KEY,\n type AxisRateLimitConfig,\n CONTRACT_METADATA_KEY,\n type RequiredProofKind,\n REQUIRED_PROOF_METADATA_KEY,\n SENSITIVITY_METADATA_KEY,\n} from \"../decorators/intent-policy.decorator\";\nimport { INTENT_SENSORS_KEY } from \"../decorators/intent-sensors.decorator\";\nimport {\n type AxisIntentSensorRef,\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentKind,\n IntentRoute,\n IntentTlvField,\n} from \"../decorators/intent.decorator\";\nimport {\n AxisObserverBinding,\n AxisObserverRef,\n OBSERVER_BINDINGS_KEY,\n} from \"../decorators/observer.decorator\";\nimport type { TlvValidatorFn } from \"../decorators/tlv-field.decorator\";\nimport {\n inlineCapsuleAllowsIntent,\n inlineCapsuleSatisfiesScopes,\n isInlineCapsuleExpired,\n normalizeInlineCapsule,\n resolvePolicyScopes,\n} from \"../security/inline-capsule\";\nimport {\n AxisSensor,\n normalizeSensorDecision,\n SensorInput,\n} from \"../sensor/axis-sensor\";\nimport { SensorRegistry } from \"./registry/sensor.registry\";\nimport {\n AxisChainEnvelope,\n AxisChainRequest,\n ChainOptions,\n RegisteredChainConfig,\n} from \"./axis-chain.types\";\nimport {\n getAxisExecutionContext,\n mergeAxisExecutionContext,\n withAxisExecutionContext,\n} from \"./axis-execution-context\";\nimport { ObserverDispatcherService } from \"./observer-dispatcher.service\";\n\nfunction observerRefKey(ref: AxisObserverRef): string {\n return typeof ref === \"string\" ? ref : ref.name;\n}\n\nfunction sensorRefKey(ref: AxisIntentSensorRef): string {\n return typeof ref === \"string\" ? ref : ref.name;\n}\n\nfunction mergeIntentSensorRefs(\n ...sensorGroups: Array<AxisIntentSensorRef[] \| undefined>\n): AxisIntentSensorRef[] {\n const merged = new Map<string, AxisIntentSensorRef>();\n\n for (const group of sensorGroups) {\n if (!Array.isArray(group)) continue;\n\n for (const ref of group) {\n const key = sensorRefKey(ref);\n const existing = merged.get(key);\n\n if (!existing \|\| (typeof existing === \"string\" && typeof ref !== \"string\")) {\n merged.set(key, ref);\n }\n }\n }\n\n return Array.from(merged.values());\n}\n\nfunction isAxisSensorInstance(value: unknown): value is AxisSensor {\n return (\n !!value &&\n typeof (value as AxisSensor).name === \"string\" &&\n typeof (value as AxisSensor).run === \"function\"\n );\n}\n\nfunction mergeObserverBindings(\n bindings: AxisObserverBinding[],\n): AxisObserverBinding[] {\n const merged = new Map<string, AxisObserverBinding>();\n\n for (const binding of bindings) {\n for (const ref of binding.refs) {\n const key = observerRefKey(ref);\n const existing = merged.get(key);\n if (!existing) {\n merged.set(key, {\n refs: [ref],\n tags: binding.tags ? [...new Set(binding.tags)] : undefined,\n events: binding.events ? [...new Set(binding.events)] : undefined,\n });\n continue;\n }\n\n existing.tags = Array.from(\n new Set([...(existing.tags \|\| []), ...(binding.tags \|\| [])]),\n );\n existing.events =\n existing.events === undefined \|\| binding.events === undefined\n ? undefined\n : Array.from(new Set([...existing.events, ...binding.events]));\n }\n }\n\n return Array.from(merged.values());\n}\n\nfunction normalizeChainConfig(\n decoratorConfig?: RegisteredChainConfig,\n intentConfig?: boolean \| ChainOptions,\n): RegisteredChainConfig \| undefined {\n if (decoratorConfig) {\n return decoratorConfig;\n }\n\n if (!intentConfig) {\n return undefined;\n }\n\n if (intentConfig === true) {\n return { enabled: true };\n }\n\n return {\n enabled: true,\n ...intentConfig,\n };\n}\n\nexport interface IntentSchema {\n intent: string;\n version: number;\n bodyProfile: \"TLV_MAP\" \| \"RAW\" \| \"TLV_OBJ\" \| \"TLV_ARR\";\n fields: Array<{\n name: string;\n tlv: number;\n kind: IntentTlvField[\"kind\"];\n required?: boolean;\n maxLen?: number;\n max?: string;\n scope?: \"header\" \| \"body\";\n }>;\n}\n\n/\n Represents the outcome of an AXIS intent execution.\n \n @interface AxisEffect\n /\nexport interface AxisEffect {\n /* Whether the intent was processed successfully at the application level /\n ok: boolean;\n /* A descriptive string classifier for the result (e.g., 'FILE_CREATED', 'PONG') /\n effect: string;\n /* Optional binary payload (body) to be returned to the requester /\n body?: Uint8Array;\n /* Optional custom TLV headers to be included in the response frame /\n headers?: Map<number, Uint8Array>;\n /* Optional metadata for internal logging or audit (not sent to client) /\n metadata?: any;\n}\n\n/\n IntentRouter\n \n The central dispatching mechanism of the AXIS backend.\n * Maps binary intents (identified by their name in the header) to specialized handlers.\n \n Features:\n * 1. Built-in Fast Path: Handles high-frequency system intents (ping, time, echo) directly.\n * 2. Dynamic Handler Registration: Allows modules to register handlers at runtime.\n * 3. Decorator-driven Registration: Uses {@link registerHandler} to auto-register `@Intent`-decorated methods.\n * 4. Polymorphic Handlers: Supports both raw function handlers and object-based `{ handle }` handlers.\n \n @class IntentRouter\n /\n@Injectable()\nexport class IntentRouter {\n private readonly logger = new Logger(IntentRouter.name);\n private readonly decoder = new TextDecoder();\n private readonly encoder = new TextEncoder();\n\n /* Intents handled inline in route() — not in `handlers` map /\n private static readonly BUILTIN_INTENTS = new Set([\n \"system.ping\",\n \"public.ping\",\n \"system.time\",\n \"system.echo\",\n \"CHAIN.EXEC\",\n \"axis.chain.exec\",\n \"INTENT.EXEC\",\n \"axis.intent.exec\",\n ]);\n\n /* Internal registry of dynamic intent handlers /\n private handlers = new Map<string, any>();\n\n /* Per-intent sensor refs (resolved through SensorRegistry at call time) /\n private intentSensors = new Map<string, AxisIntentSensorRef[]>();\n\n /* Per-intent body decoders /\n private intentDecoders = new Map<string, (buf: Buffer) => any>();\n\n /* Per-intent TLV schemas /\n private intentSchemas = new Map<string, IntentSchema>();\n\n /* Per-intent custom validators /\n private intentValidators = new Map<string, Map<number, TlvValidatorFn[]>>();\n\n /* Per-intent operation kind /\n private intentKinds = new Map<string, IntentKind>();\n\n /* Per-intent chain configuration /\n private intentChains = new Map<string, RegisteredChainConfig>();\n\n /* Per-intent observer bindings /\n private intentObservers = new Map<string, AxisObserverBinding[]>();\n\n /* Per-intent capsule policies /\n private intentCapsulePolicies = new Map<string, CapsulePolicyOptions>();\n\n /* Per-intent sensitivity level /\n private intentSensitivity = new Map<string, string>();\n\n /* Per-intent execution contract overrides /\n private intentContracts = new Map<string, Record<string, any>>();\n\n /* Per-intent required proof kinds /\n private intentRequiredProof = new Map<string, RequiredProofKind[]>();\n\n /* Intents flagged as public (no auth required) /\n private publicIntents = new Set<string>();\n\n /* Intents flagged as anonymous-session accessible /\n private anonymousIntents = new Set<string>();\n\n /* Per-intent rate limit config /\n private intentRateLimits = new Map<string, AxisRateLimitConfig>();\n\n /* CCE handler registry /\n private cceHandlers = new Map<string, CceHandler>();\n\n /* CCE pipeline configuration (set via configureCce) /\n private ccePipelineConfig: Omit<CcePipelineConfig, \"handlers\"> \| null = null;\n\n constructor(\n @Optional() private readonly moduleRef?: ModuleRef,\n @Optional()\n private readonly observerDispatcher?: ObserverDispatcherService,\n @Optional()\n private readonly sensorRegistry?: SensorRegistry,\n ) {}\n\n getSchema(intent: string): IntentSchema \| undefined {\n return this.intentSchemas.get(intent);\n }\n\n getValidators(intent: string): Map<number, TlvValidatorFn[]> \| undefined {\n return this.intentValidators.get(intent);\n }\n\n has(intent: string): boolean {\n return (\n this.handlers.has(intent) \|\| IntentRouter.BUILTIN_INTENTS.has(intent)\n );\n }\n\n getRegisteredIntents(): string[] {\n return [...IntentRouter.BUILTIN_INTENTS, ...this.handlers.keys()];\n }\n\n getIntentEntry(intent: string): {\n schema?: IntentSchema;\n validators?: Map<number, TlvValidatorFn[]>;\n hasSensors: boolean;\n builtin: boolean;\n kind?: IntentKind;\n chain?: RegisteredChainConfig;\n capsulePolicy?: CapsulePolicyOptions;\n observerCount: number;\n } \| null {\n if (!this.has(intent)) return null;\n return {\n schema: this.intentSchemas.get(intent),\n validators: this.intentValidators.get(intent),\n hasSensors: this.intentSensors.has(intent),\n builtin: IntentRouter.BUILTIN_INTENTS.has(intent),\n kind: this.intentKinds.get(intent),\n chain: this.intentChains.get(intent),\n capsulePolicy: this.intentCapsulePolicies.get(intent),\n observerCount: this.getObservers(intent).length,\n };\n }\n\n getChainConfig(intent: string): RegisteredChainConfig \| undefined {\n return this.intentChains.get(intent);\n }\n\n getObservers(intent: string): AxisObserverBinding[] {\n return this.intentObservers.get(intent) \|\| [];\n }\n\n /\n Registers a handler for a specific intent.\n * Handlers can be functions: `(body, headers) => Promise<Uint8Array \| AxisEffect>`\n * Or objects with a method: `handle(frame: AxisFrame) => Promise<AxisEffect>`\n \n @param {string} intent - The unique intent identifier (e.g., 'axis.vault.create')\n * @param {any} handler - The handler function or object\n /\n register(intent: string, handler: any) {\n this.handlers.set(intent, handler);\n }\n\n /\n Automatically registers all `@Intent`-decorated methods from a handler instance.\n \n Reads the handler prefix from `@Handler` metadata (or falls back to `instance.name`),\n * then registers each `@Intent`-decorated method accordingly.\n \n @param {any} instance - The handler instance with `@Intent`-decorated methods\n /\n registerHandler(instance: any) {\n const handlerMeta = Reflect.getMetadata(\n HANDLER_METADATA_KEY,\n instance.constructor,\n );\n const prefix: string \| undefined = handlerMeta?.intent \|\| instance.name;\n\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, instance.constructor) \|\| [];\n const routedMethods = new Set(\n routes.map((route) => String(route.methodName)),\n );\n\n // Read @HandlerSensors from the class (if any)\n const handlerSensors: AxisIntentSensorRef[] =\n Reflect.getMetadata(HANDLER_SENSORS_KEY, instance.constructor) \|\| [];\n const handlerObservers: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, instance.constructor) \|\| [];\n\n const proto = Object.getPrototypeOf(instance);\n\n for (const route of routes) {\n const intentName = route.absolute\n ? route.action\n : `${prefix}.${route.action}`;\n const fn = instance[route.methodName].bind(instance);\n\n if (route.frame) {\n this.register(intentName, { handle: fn });\n } else {\n this.register(intentName, fn);\n }\n\n this.registerIntentMeta(\n intentName,\n proto,\n String(route.methodName),\n handlerSensors,\n handlerObservers,\n );\n }\n\n for (const key of Object.getOwnPropertyNames(proto)) {\n if (routedMethods.has(key)) continue;\n\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, key);\n if (!meta?.intent) continue;\n\n const intentName = meta.absolute\n ? meta.intent\n : `${prefix}.${meta.intent}`;\n\n if (!this.handlers.has(intentName)) {\n this.register(intentName, (instance as any)[key].bind(instance));\n }\n\n this.registerIntentMeta(\n intentName,\n proto,\n key,\n handlerSensors,\n handlerObservers,\n );\n }\n }\n\n /\n Routes a decoded AXIS frame to the appropriate handler.\n \n Precedence:\n * 1. System Built-ins (`system.ping`, `public.ping`, `system.time`, `system.echo`)\n * 2. Meta-intent execution (`INTENT.EXEC` / `axis.intent.exec`)\n * 3. Dynamically registered handlers from modules.\n \n @param {AxisFrame} frame - The validated and decoded binary frame\n * @returns {Promise<AxisEffect>} The resulting effect of the execution\n * @throws {Error} If the intent header is missing or no handler is registered\n /\n async route(frame: AxisFrame): Promise<AxisEffect> {\n const start = process.hrtime();\n let intent = \"unknown\";\n\n try {\n const intentBytes = frame.headers.get(TLV_INTENT);\n if (!intentBytes) throw new Error(\"Missing intent\");\n intent = this.decoder.decode(intentBytes);\n const observerBindings = this.getObservers(intent);\n\n await this.emitIntentObservers(observerBindings, {\n event: \"intent.received\",\n timestamp: Date.now(),\n intent,\n frame,\n });\n\n let effect: AxisEffect;\n\n if (intent === \"system.ping\" \|\| intent === \"public.ping\") {\n this.logger.debug(\"PING received\");\n effect = {\n ok: true,\n effect: \"pong\",\n headers: new Map([\n [100, new TextEncoder().encode(\"AXIS_BACKEND_V1\")],\n ]),\n body: new TextEncoder().encode(\n JSON.stringify({\n status: \"ok\",\n timestamp: new Date().toISOString(),\n version: \"1.0.0\",\n }),\n ),\n };\n } else if (intent === \"system.time\") {\n const ts = Date.now().toString();\n effect = {\n ok: true,\n effect: \"time\",\n body: new TextEncoder().encode(\n JSON.stringify({\n ts,\n iso: new Date().toISOString(),\n }),\n ),\n };\n } else if (intent === \"system.echo\") {\n effect = {\n ok: true,\n effect: \"echo\",\n body: frame.body,\n };\n } else if (intent === \"CHAIN.EXEC\" \|\| intent === \"axis.chain.exec\") {\n const chainRequest = this.parseChainRequestBody(frame.body);\n effect = await this.executeChainRequest(frame, chainRequest);\n } else if (intent === \"INTENT.EXEC\" \|\| intent === \"axis.intent.exec\") {\n const execBody = this.parseIntentExecBody(frame.body);\n const innerIntent = execBody.intent;\n const innerArgs = execBody.args \|\| {};\n\n if (!innerIntent) {\n throw new Error(\"INTENT.EXEC missing inner intent\");\n }\n\n this.logger.debug(`EXEC: routing to inner intent '${innerIntent}'`);\n\n const innerHeaders = new Map(frame.headers);\n innerHeaders.set(TLV_INTENT, this.encoder.encode(innerIntent));\n\n const inlineCapsule = this.toInlineCapsuleRecord(execBody.capsule);\n const capsuleId = this.extractInlineCapsuleId(inlineCapsule);\n if (capsuleId) {\n innerHeaders.set(TLV_CAPSULE, this.encoder.encode(capsuleId));\n innerHeaders.set(TLV_PROOF_REF, this.encoder.encode(capsuleId));\n }\n\n const innerFrame = withAxisExecutionContext(\n {\n ...frame,\n headers: innerHeaders,\n body: this.encodeJson(innerArgs),\n },\n mergeAxisExecutionContext(getAxisExecutionContext(frame), {\n metaIntent: \"INTENT.EXEC\",\n actorId: this.getActorIdFromFrame(frame),\n inlineCapsule,\n }) \|\| {},\n );\n\n effect = await this.route(innerFrame);\n } else {\n const handler = this.handlers.get(intent);\n if (!handler) {\n throw new Error(`Intent not found: ${intent}`);\n }\n\n const sensorRefs = this.intentSensors.get(intent);\n if (sensorRefs && sensorRefs.length > 0) {\n await this.runIntentSensors(sensorRefs, intent, frame);\n }\n\n const decoder = this.intentDecoders.get(intent);\n let decodedBody: any = frame.body;\n if (decoder) {\n try {\n decodedBody = decoder(Buffer.from(frame.body));\n } catch (decodeErr: any) {\n throw new Error(\n `IntentBody decode failed for ${intent}: ${decodeErr.message}`,\n );\n }\n }\n\n this.enforceCapsulePolicy(\n intent,\n frame,\n decodedBody,\n this.getEffectiveCapsulePolicy(intent, frame),\n );\n\n if (typeof handler === \"function\") {\n const resultBody = decoder\n ? await handler(decodedBody, frame.headers)\n : await handler(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: \"complete\",\n body: resultBody,\n };\n } else {\n if (typeof (handler as any).handle === \"function\") {\n effect = await (handler as any).handle(frame);\n } else if (typeof (handler as any).execute === \"function\") {\n const bodyRes = decoder\n ? await (handler as any).execute(decodedBody, frame.headers)\n : await (handler as any).execute(frame.body, frame.headers);\n effect = {\n ok: true,\n effect: \"complete\",\n body: bodyRes,\n };\n } else {\n throw new Error(\n `Handler for ${intent} does not implement handle or execute`,\n );\n }\n }\n }\n\n await this.emitIntentObservers(observerBindings, {\n event: \"intent.completed\",\n timestamp: Date.now(),\n intent,\n frame,\n effect,\n metadata: effect.metadata,\n });\n\n this.logIntent(intent, start, true);\n return effect;\n } catch (e: any) {\n await this.emitIntentObservers(this.getObservers(intent), {\n event: \"intent.failed\",\n timestamp: Date.now(),\n intent,\n frame,\n error: e.message,\n });\n this.logIntent(intent, start, false, e.message);\n throw e;\n }\n }\n\n private logIntent(\n intent: string,\n start: [number, number],\n ok: boolean,\n error?: string,\n ) {\n const diff = process.hrtime(start);\n const ms = (diff[0] 1e3 + diff[1] / 1e6).toFixed(2);\n if (ok) {\n this.logger.debug(`${intent} completed in ${ms}ms`);\n } else {\n this.logger.warn(`${intent} failed in ${ms}ms - ${error}`);\n }\n }\n\n registerIntentMeta(\n intent: string,\n proto: object,\n methodName: string,\n handlerSensors?: AxisIntentSensorRef[],\n handlerObservers?: AxisObserverBinding[],\n ): void {\n const decoder = Reflect.getMetadata(INTENT_BODY_KEY, proto, methodName);\n if (decoder) {\n this.intentDecoders.set(intent, decoder);\n }\n\n const intentSensors = Reflect.getMetadata(\n INTENT_SENSORS_KEY,\n proto,\n methodName,\n );\n const meta = Reflect.getMetadata(INTENT_METADATA_KEY, proto, methodName);\n const combined = mergeIntentSensorRefs(\n handlerSensors,\n Array.isArray(intentSensors) ? intentSensors : undefined,\n Array.isArray(meta?.is) ? meta.is : undefined,\n );\n if (combined.length > 0) {\n this.intentSensors.set(intent, combined);\n }\n\n const methodObservers: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, proto, methodName) \|\| [];\n const observers = mergeObserverBindings([\n ...(handlerObservers \|\| []),\n ...methodObservers,\n ]);\n if (observers.length > 0) {\n this.intentObservers.set(intent, observers);\n }\n\n const handlerCapsulePolicy = Reflect.getMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n proto.constructor,\n ) as CapsulePolicyOptions \| undefined;\n const methodCapsulePolicy = Reflect.getMetadata(\n CAPSULE_POLICY_METADATA_KEY,\n proto,\n methodName,\n ) as CapsulePolicyOptions \| undefined;\n const capsulePolicy = mergeCapsulePolicyOptions(\n handlerCapsulePolicy,\n methodCapsulePolicy,\n );\n if (capsulePolicy) {\n this.intentCapsulePolicies.set(intent, capsulePolicy);\n }\n\n if (meta) {\n this.storeSchema({ ...meta, intent });\n if (meta.kind) {\n this.intentKinds.set(intent, meta.kind);\n }\n\n const chainMeta = Reflect.getMetadata(\n CHAIN_METADATA_KEY,\n proto,\n methodName,\n ) as RegisteredChainConfig \| undefined;\n const chainConfig = normalizeChainConfig(chainMeta, meta.chain);\n if (chainConfig) {\n this.intentChains.set(intent, chainConfig);\n }\n }\n\n // ── @Sensitivity ────────────────────────────────────────────────────────\n const methodSensitivity: string \| undefined = Reflect.getMetadata(\n SENSITIVITY_METADATA_KEY,\n proto,\n methodName,\n );\n const classSensitivity: string \| undefined = Reflect.getMetadata(\n SENSITIVITY_METADATA_KEY,\n proto.constructor,\n );\n const sensitivity = methodSensitivity ?? classSensitivity;\n if (sensitivity) {\n this.intentSensitivity.set(intent, sensitivity);\n }\n\n // ── @Contract ───────────────────────────────────────────────────────────\n const methodContract: Record<string, any> \| undefined = Reflect.getMetadata(\n CONTRACT_METADATA_KEY,\n proto,\n methodName,\n );\n const classContract: Record<string, any> \| undefined = Reflect.getMetadata(\n CONTRACT_METADATA_KEY,\n proto.constructor,\n );\n const contract = methodContract ?? classContract;\n if (contract) {\n this.intentContracts.set(intent, contract);\n }\n\n // ── @RequiredProof / @Capsule / @Witness ─────────────────────────────────\n const methodProof: RequiredProofKind[] \| undefined = Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proto,\n methodName,\n );\n const classProof: RequiredProofKind[] \| undefined = Reflect.getMetadata(\n REQUIRED_PROOF_METADATA_KEY,\n proto.constructor,\n );\n const requiredProof = methodProof ?? classProof;\n if (requiredProof && requiredProof.length > 0) {\n this.intentRequiredProof.set(intent, requiredProof);\n }\n\n // ── @AxisPublic ──────────────────────────────────────────────────────────\n const isPublicMethod: boolean \| undefined = Reflect.getMetadata(\n AXIS_PUBLIC_KEY,\n proto,\n methodName,\n );\n const isPublicClass: boolean \| undefined = Reflect.getMetadata(\n AXIS_PUBLIC_KEY,\n proto.constructor,\n );\n if (isPublicMethod \|\| isPublicClass) {\n this.publicIntents.add(intent);\n }\n\n // ── @AxisAnonymous ───────────────────────────────────────────────────────\n const isAnonMethod: boolean \| undefined = Reflect.getMetadata(\n AXIS_ANONYMOUS_KEY,\n proto,\n methodName,\n );\n const isAnonClass: boolean \| undefined = Reflect.getMetadata(\n AXIS_ANONYMOUS_KEY,\n proto.constructor,\n );\n if (isAnonMethod \|\| isAnonClass) {\n this.anonymousIntents.add(intent);\n }\n\n // ── @AxisRateLimit ───────────────────────────────────────────────────────\n const rateLimit: AxisRateLimitConfig \| undefined = Reflect.getMetadata(\n AXIS_RATE_LIMIT_KEY,\n proto,\n methodName,\n );\n if (rateLimit) {\n this.intentRateLimits.set(intent, rateLimit);\n }\n }\n\n // ─── Policy Getters ────────────────────────────────────────────────────────\n\n getSensitivity(intent: string): string \| undefined {\n return this.intentSensitivity.get(intent);\n }\n\n getContract(intent: string): Record<string, any> \| undefined {\n return this.intentContracts.get(intent);\n }\n\n getRequiredProof(intent: string): RequiredProofKind[] \| undefined {\n return this.intentRequiredProof.get(intent);\n }\n\n isPublic(intent: string): boolean {\n return this.publicIntents.has(intent);\n }\n\n isAnonymous(intent: string): boolean {\n return this.anonymousIntents.has(intent);\n }\n\n getRateLimit(intent: string): AxisRateLimitConfig \| undefined {\n return this.intentRateLimits.get(intent);\n }\n\n private async emitIntentObservers(\n bindings: AxisObserverBinding[],\n context: Parameters<ObserverDispatcherService[\"dispatch\"]>[1],\n ): Promise<void> {\n if (!this.observerDispatcher \|\| bindings.length === 0) return;\n await this.observerDispatcher.dispatch(bindings, context);\n }\n\n private async runIntentSensors(\n sensorRefs: AxisIntentSensorRef[],\n intent: string,\n frame: AxisFrame,\n ): Promise<void> {\n for (const sensorRef of sensorRefs) {\n const sensor = this.resolveIntentSensor(sensorRef);\n const sensorName = sensorRefKey(sensorRef);\n\n if (!sensor) {\n this.logger.error(\n `Intent sensor ${sensorName} is not registered for ${intent}`,\n );\n throw new Error(`SENSOR_MISSING:${sensorName}`);\n }\n\n const sensorInput: SensorInput = {\n rawBytes: frame.body,\n intent,\n body: frame.body,\n headerTLVs: frame.headers as any,\n frameBody: frame.body,\n metadata: {\n phase: \"intent\",\n intent,\n schema: this.getSchema(intent),\n validators: this.getValidators(intent),\n },\n };\n\n if (sensor.supports && !sensor.supports(sensorInput)) continue;\n\n const decision = normalizeSensorDecision(await sensor.run(sensorInput));\n if (!decision.allow) {\n const reason = decision.reasons[0] \|\| `${sensor.name}:DENIED`;\n this.logger.warn(\n `Intent sensor ${sensor.name} denied ${intent}: ${reason}`,\n );\n throw new Error(`SENSOR_DENY:${reason}`);\n }\n }\n }\n\n private resolveIntentSensor(ref: AxisIntentSensorRef): AxisSensor \| undefined {\n const registered = this.sensorRegistry?.resolve(ref);\n if (registered) {\n return registered;\n }\n\n if (!this.moduleRef \|\| typeof ref === \"string\") {\n return undefined;\n }\n\n try {\n const resolved = this.moduleRef.get(ref as any, { strict: false });\n return isAxisSensorInstance(resolved) ? resolved : undefined;\n } catch {\n return undefined;\n }\n }\n\n private getEffectiveCapsulePolicy(\n intent: string,\n frame: AxisFrame,\n ): CapsulePolicyOptions \| undefined {\n const registeredPolicy = this.intentCapsulePolicies.get(intent);\n const chainConfig = this.intentChains.get(intent);\n const executionContext = getAxisExecutionContext(frame);\n\n const derivedScopes = Array.from(\n new Set([\n ...this.toScopeList(chainConfig?.capsuleScope),\n ...this.toScopeList(executionContext?.capsuleRef?.scope),\n ...this.toScopeList(executionContext?.chainStep?.capsuleScope),\n ]),\n );\n\n const requiresCapsule =\n chainConfig?.proofRequired \|\|\n executionContext?.capsuleRef?.proofRequired \|\|\n executionContext?.chainStep?.proofRequired \|\|\n executionContext?.chainEnvelope?.capsule?.proofRequired \|\|\n derivedScopes.length > 0;\n\n const derivedPolicy = requiresCapsule\n ? normalizeCapsulePolicyOptions({\n required: true,\n scopes: derivedScopes.length > 0 ? derivedScopes : undefined,\n })\n : undefined;\n\n return mergeCapsulePolicyOptions(registeredPolicy, derivedPolicy);\n }\n\n private enforceCapsulePolicy(\n intent: string,\n frame: AxisFrame,\n body: unknown,\n policy?: CapsulePolicyOptions,\n ): void {\n const executionContext = getAxisExecutionContext(frame);\n const inlineCapsuleRecord = this.toInlineCapsuleRecord(\n executionContext?.inlineCapsule,\n );\n const inlineCapsule = normalizeInlineCapsule(inlineCapsuleRecord);\n const normalizedPolicy = policy\n ? normalizeCapsulePolicyOptions(policy)\n : undefined;\n\n if (!inlineCapsule) {\n if (normalizedPolicy?.required) {\n if (\n normalizedPolicy.allowCapsuleRef &&\n this.hasCapsuleReference(frame) &&\n this.toScopeList(normalizedPolicy.scopes).length === 0 &&\n normalizedPolicy.intentBound === false\n ) {\n return;\n }\n\n throw new AxisError(\n this.hasCapsuleReference(frame)\n ? \"CAPSULE_CLAIMS_REQUIRED\"\n : \"CAPSULE_REQUIRED\",\n `Intent ${intent} requires an inline capsule for policy enforcement`,\n 403,\n { intent },\n );\n }\n\n return;\n }\n\n if (isInlineCapsuleExpired(inlineCapsule)) {\n throw new AxisError(\n \"CAPSULE_EXPIRED\",\n `Capsule for ${intent} is expired`,\n 403,\n { intent, capsuleId: inlineCapsule.id },\n );\n }\n\n const actorId =\n this.getActorIdFromFrame(frame) \|\| executionContext?.actorId;\n if (\n actorId &&\n inlineCapsule.actorId &&\n !this.identifiersMatch(actorId, inlineCapsule.actorId)\n ) {\n throw new AxisError(\n \"CAPSULE_ACTOR_MISMATCH\",\n `Capsule actor does not match request actor for ${intent}`,\n 403,\n {\n intent,\n actorId,\n capsuleActorId: inlineCapsule.actorId,\n },\n );\n }\n\n const proofRef = this.getProofRefFromFrame(frame);\n if (\n proofRef &&\n inlineCapsule.id &&\n !this.identifiersMatch(proofRef, inlineCapsule.id)\n ) {\n throw new AxisError(\n \"CAPSULE_REF_MISMATCH\",\n `Capsule reference does not match request proof for ${intent}`,\n 403,\n {\n intent,\n proofRef,\n capsuleId: inlineCapsule.id,\n },\n );\n }\n\n const realm = this.getHeaderValue(frame, TLV_REALM);\n if (realm && inlineCapsule.realm && realm !== inlineCapsule.realm) {\n throw new AxisError(\n \"CAPSULE_REALM_MISMATCH\",\n `Capsule realm does not match request realm for ${intent}`,\n 403,\n { intent, realm, capsuleRealm: inlineCapsule.realm },\n );\n }\n\n const node = this.getHeaderValue(frame, TLV_NODE);\n if (node && inlineCapsule.node && node !== inlineCapsule.node) {\n throw new AxisError(\n \"CAPSULE_NODE_MISMATCH\",\n `Capsule node does not match request node for ${intent}`,\n 403,\n { intent, node, capsuleNode: inlineCapsule.node },\n );\n }\n\n const shouldCheckIntent = normalizedPolicy?.intentBound ?? true;\n if (\n shouldCheckIntent &&\n !inlineCapsuleAllowsIntent(inlineCapsule, intent)\n ) {\n throw new AxisError(\n \"CAPSULE_DENIED\",\n `Capsule does not authorize ${intent}`,\n 403,\n {\n intent,\n capsuleId: inlineCapsule.id,\n allowedIntents: inlineCapsule.intents,\n },\n );\n }\n\n const requiredScopes = this.toScopeList(normalizedPolicy?.scopes);\n if (requiredScopes.length === 0) {\n return;\n }\n\n let resolvedScopes: string[];\n try {\n resolvedScopes = resolvePolicyScopes(requiredScopes, {\n body,\n intent,\n actorId,\n chainId: executionContext?.chainEnvelope?.chainId,\n stepId: executionContext?.chainStep?.stepId,\n });\n } catch (error: any) {\n this.logger.error(`Scope template error for ${intent}: ${error.message}`);\n throw new AxisError(\n \"CAPSULE_SCOPE_TEMPLATE_UNRESOLVED\",\n \"Scope policy validation failed\",\n 400,\n { intent },\n );\n }\n\n if (\n !inlineCapsuleSatisfiesScopes(\n inlineCapsule,\n resolvedScopes,\n normalizedPolicy?.scopeMode ?? \"all\",\n )\n ) {\n throw new AxisError(\n \"SCOPE_MISMATCH\",\n `Capsule scopes do not satisfy ${intent}`,\n 403,\n {\n intent,\n requiredScopes: resolvedScopes,\n availableScopes: inlineCapsule.scopes \|\| [],\n },\n );\n }\n }\n\n private async executeChainRequest(\n frame: AxisFrame,\n request: AxisChainRequest<unknown, Record<string, unknown>>,\n ): Promise<AxisEffect> {\n const { AxisChainExecutor } = await import(\"./axis-chain.executor\");\n const headerActorId = this.getActorIdFromFrame(frame);\n if (\n request.actorId &&\n headerActorId &&\n !this.identifiersMatch(request.actorId, headerActorId)\n ) {\n throw new AxisError(\n \"ACTOR_MISMATCH\",\n \"CHAIN.EXEC actorId conflicts with authenticated frame identity\",\n 403,\n );\n }\n const actorId = headerActorId \|\| request.actorId;\n const inlineCapsule = this.toInlineCapsuleRecord(request.capsule);\n const capsuleId = this.extractInlineCapsuleId(inlineCapsule);\n const headers = new Map(frame.headers);\n\n if (capsuleId) {\n headers.set(TLV_CAPSULE, this.encoder.encode(capsuleId));\n headers.set(TLV_PROOF_REF, this.encoder.encode(capsuleId));\n }\n\n const baseFrame = withAxisExecutionContext(\n {\n ...frame,\n headers,\n },\n mergeAxisExecutionContext(getAxisExecutionContext(frame), {\n metaIntent: \"CHAIN.EXEC\",\n actorId,\n inlineCapsule,\n capsuleRef: request.envelope.capsule,\n chainEnvelope: request.envelope,\n }) \|\| {},\n );\n\n const executor = new AxisChainExecutor(this, this.observerDispatcher);\n const result = await executor.execute(request.envelope, {\n actorId,\n baseFrame,\n });\n\n return {\n ok: result.status !== \"FAILED\",\n effect: \"chain.complete\",\n body: this.encodeJson(result),\n metadata: {\n chainId: result.chainId,\n status: result.status,\n },\n };\n }\n\n private parseIntentExecBody(bytes: Uint8Array): {\n intent: string;\n args?: unknown;\n capsule?: Record<string, unknown>;\n execNonce?: string;\n } {\n try {\n return JSON.parse(this.decoder.decode(bytes));\n } catch (error: any) {\n throw new Error(`INTENT.EXEC unwrapping failed: ${error.message}`);\n }\n }\n\n private parseChainRequestBody(\n bytes: Uint8Array,\n ): AxisChainRequest<unknown, Record<string, unknown>> {\n let jsonError: Error \| undefined;\n\n try {\n const parsed = JSON.parse(this.decoder.decode(bytes));\n if (this.isChainRequestLike(parsed)) {\n return {\n envelope: parsed.envelope,\n capsule: this.toInlineCapsuleRecord(parsed.capsule),\n actorId:\n typeof parsed.actorId === \"string\" ? parsed.actorId : undefined,\n };\n }\n\n if (this.isChainEnvelopeLike(parsed)) {\n return { envelope: parsed };\n }\n } catch (error: any) {\n jsonError = error;\n }\n\n try {\n const decoded = decodeChainRequest<unknown, Record<string, unknown>>(\n bytes,\n );\n return {\n envelope: decoded.envelope,\n capsule: this.toInlineCapsuleRecord(decoded.capsule),\n actorId: decoded.actorId,\n };\n } catch (requestError: any) {\n try {\n return {\n envelope: decodeChainEnvelope(bytes) as AxisChainEnvelope,\n };\n } catch (envelopeError: any) {\n const reason = [\n jsonError?.message,\n requestError.message,\n envelopeError.message,\n ]\n .filter(Boolean)\n .join(\" \| \");\n throw new Error(`CHAIN.EXEC decode failed: ${reason}`);\n }\n }\n }\n\n private isChainRequestLike(\n value: unknown,\n ): value is AxisChainRequest<unknown, Record<string, unknown>> {\n return (\n !!value &&\n typeof value === \"object\" &&\n \"envelope\" in value &&\n this.isChainEnvelopeLike((value as Record<string, unknown>).envelope)\n );\n }\n\n private isChainEnvelopeLike(value: unknown): value is AxisChainEnvelope {\n return (\n !!value &&\n typeof value === \"object\" &&\n typeof (value as Record<string, unknown>).chainId === \"string\" &&\n Array.isArray((value as Record<string, unknown>).steps)\n );\n }\n\n private encodeJson(value: unknown): Uint8Array {\n return this.encoder.encode(JSON.stringify(value));\n }\n\n private getActorIdFromFrame(frame: AxisFrame): string \| undefined {\n return this.getHeaderValue(frame, TLV_ACTOR_ID);\n }\n\n private getProofRefFromFrame(frame: AxisFrame): string \| undefined {\n return (\n this.getHeaderValue(frame, TLV_PROOF_REF) \|\|\n this.getHeaderValue(frame, TLV_CAPSULE)\n );\n }\n\n private hasCapsuleReference(frame: AxisFrame): boolean {\n return !!this.getProofRefFromFrame(frame);\n }\n\n private getHeaderValue(frame: AxisFrame, tag: number): string \| undefined {\n const value = frame.headers.get(tag);\n if (!value \|\| value.length === 0) {\n return undefined;\n }\n\n const decoded = this.decoder.decode(value);\n if (/^[\\x20-\\x7e]+$/.test(decoded)) {\n return decoded;\n }\n\n return Buffer.from(value).toString(\"hex\");\n }\n\n private identifiersMatch(left: string, right: string): boolean {\n const normalize = (value: string) =>\n /^[0-9a-f]+$/i.test(value) ? value.toLowerCase() : value;\n return normalize(left) === normalize(right);\n }\n\n private extractInlineCapsuleId(\n capsule?: Record<string, unknown>,\n ): string \| undefined {\n const id = capsule?.id;\n return typeof id === \"string\" && id.length > 0 ? id : undefined;\n }\n\n private toInlineCapsuleRecord(\n value: unknown,\n ): Record<string, unknown> \| undefined {\n if (!value \|\| typeof value !== \"object\" \|\| Array.isArray(value)) {\n return undefined;\n }\n\n return value as Record<string, unknown>;\n }\n\n private toScopeList(value?: string \| string[]): string[] {\n if (!value) {\n return [];\n }\n\n return Array.isArray(value) ? value : [value];\n }\n\n // ===========================================================================\n // CCE — Capsule-Carried Encryption Support\n // ===========================================================================\n\n /*\n Configure the CCE pipeline.\n * Must be called before routeCce() can process encrypted requests.\n /\n configureCce(config: Omit<CcePipelineConfig, \"handlers\">): void {\n this.ccePipelineConfig = config;\n this.logger.log(\"CCE pipeline configured\");\n }\n\n /\n Register a CCE-encrypted intent handler.\n * CCE handlers receive decrypted payloads and execution context.\n /\n registerCceHandler(intent: string, handler: CceHandler): void {\n this.cceHandlers.set(intent, handler);\n this.logger.debug(`CCE handler registered: ${intent}`);\n }\n\n /\n Check if a CCE handler exists for the given intent.\n /\n hasCceHandler(intent: string): boolean {\n return this.cceHandlers.has(intent);\n }\n\n /\n Route a CCE-encrypted request through the full pipeline.\n \n Steps:\n * 1. Sensor chain (envelope validation → capsule verification → replay → decrypt)\n * 2. Execution context derivation\n * 3. Handler execution\n * 4. Response encryption\n * 5. Witness recording\n /\n async routeCce(envelope: CceRequestEnvelope): Promise<CcePipelineResult> {\n if (!this.ccePipelineConfig) {\n return {\n ok: false,\n error: {\n code: \"CCE_NOT_CONFIGURED\",\n message: \"CCE pipeline not configured. Call configureCce() first.\",\n },\n status: \"ERROR\",\n };\n }\n\n const config: CcePipelineConfig = {\n ...this.ccePipelineConfig,\n handlers: this.cceHandlers,\n };\n\n return executeCcePipeline(envelope, config);\n }\n\n private storeSchema(meta: {\n intent: string;\n tlv?: IntentTlvField[];\n dto?: Function;\n bodyProfile?: \"TLV_MAP\" \| \"RAW\" \| \"TLV_OBJ\" \| \"TLV_ARR\";\n kind?: IntentKind;\n }): void {\n if (meta.dto) {\n if (meta.tlv && meta.tlv.length > 0) {\n this.logger.warn(\n `${meta.intent}: both 'dto' and 'tlv' specified - using dto, ignoring tlv`,\n );\n }\n\n const extracted = extractDtoSchema(meta.dto);\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| \"TLV_MAP\",\n fields: extracted.fields.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n\n if (extracted.validators.size > 0) {\n this.intentValidators.set(meta.intent, extracted.validators);\n }\n\n if (!this.intentDecoders.has(meta.intent)) {\n this.intentDecoders.set(meta.intent, buildDtoDecoder(meta.dto));\n }\n\n return;\n }\n\n if (!meta.tlv \|\| meta.tlv.length === 0) return;\n\n const schema: IntentSchema = {\n intent: meta.intent,\n version: 1,\n bodyProfile: meta.bodyProfile \|\| \"TLV_MAP\",\n fields: meta.tlv.map((f) => ({\n name: f.name,\n tlv: f.tag,\n kind: f.kind,\n required: f.required,\n maxLen: f.maxLen,\n max: f.max,\n scope: f.scope,\n })),\n };\n\n this.intentSchemas.set(meta.intent, schema);\n }\n}\n","import { createHash } from \"crypto\";\n\nimport { Injectable, Logger, Optional } from \"@nestjs/common\";\n\nimport type { AxisFrame } from \"../core/axis-bin\";\nimport { FLAG_CHAIN_REQ, TLV_ACTOR_ID, TLV_CAPSULE, TLV_INTENT, TLV_TRACE_ID } from \"../core/constants\";\nimport type { AxisObserverBinding } from \"../decorators/observer.decorator\";\nimport type {\n AxisChainEnvelope,\n AxisChainResult,\n AxisChainStatus,\n AxisChainStep,\n AxisChainStepResult,\n AxisChainStepStatus,\n AxisExecutionMode,\n} from \"./axis-chain.types\";\nimport {\n getAxisExecutionContext,\n mergeAxisExecutionContext,\n withAxisExecutionContext,\n} from \"./axis-execution-context\";\nimport { ObserverDispatcherService } from \"./observer-dispatcher.service\";\nimport { AxisEffect, IntentRouter } from \"./intent.router\";\n\nexport interface AxisChainExecutionOptions {\n actorId?: string;\n baseFrame?: Partial<AxisFrame>;\n}\n\n@Injectable()\nexport class AxisChainExecutor {\n private readonly logger = new Logger(AxisChainExecutor.name);\n private readonly encoder = new TextEncoder();\n private readonly decoder = new TextDecoder();\n\n constructor(\n private readonly router: IntentRouter,\n @Optional()\n private readonly observerDispatcher?: ObserverDispatcherService,\n ) {}\n\n async execute(\n envelope: AxisChainEnvelope,\n options: AxisChainExecutionOptions = {},\n ): Promise<AxisChainResult> {\n this.validateEnvelope(envelope);\n\n const startedAt = Date.now();\n const results = new Map<string, AxisChainStepResult>();\n const bindings = this.collectChainBindings(envelope);\n\n await this.dispatch(bindings, {\n event: \"chain.received\",\n timestamp: startedAt,\n chainId: envelope.chainId,\n envelope,\n observerTags: envelope.observerTags,\n capsule: envelope.capsule,\n keyExchange: envelope.keyExchange,\n });\n\n await this.dispatch(bindings, {\n event: \"chain.admitted\",\n timestamp: Date.now(),\n chainId: envelope.chainId,\n envelope,\n observerTags: envelope.observerTags,\n capsule: envelope.capsule,\n keyExchange: envelope.keyExchange,\n });\n\n const stepsById = new Map(envelope.steps.map((step) => [step.stepId, step]));\n const pending = new Set(stepsById.keys());\n\n while (pending.size > 0) {\n const ready = Array.from(pending)\n .map((stepId) => stepsById.get(stepId)!)\n .filter((step) => this.canRun(step, results));\n\n if (ready.length === 0) {\n this.markUnresolvedSteps(\n pending,\n stepsById,\n results,\n \"BLOCKED\",\n \"UNRESOLVED_DEPENDENCIES\",\n );\n break;\n }\n\n if (envelope.mode === \"parallel\") {\n const waveResults = await Promise.all(\n ready.map((step) => this.executeStep(step, envelope, results, options)),\n );\n for (const result of waveResults) {\n results.set(result.stepId, result);\n pending.delete(result.stepId);\n }\n } else {\n for (const step of ready) {\n const result = await this.executeStep(step, envelope, results, options);\n results.set(result.stepId, result);\n pending.delete(result.stepId);\n\n if (\n result.status === \"FAILED\" &&\n (envelope.mode === \"strict\" \|\| envelope.mode === \"atomic\")\n ) {\n this.markUnresolvedSteps(\n pending,\n stepsById,\n results,\n \"SKIPPED\",\n \"CHAIN_HALTED\",\n );\n pending.clear();\n break;\n }\n }\n }\n\n this.blockStepsWithFailedDependencies(pending, stepsById, results);\n }\n\n const finishedAt = Date.now();\n const orderedResults = envelope.steps.map((step) => results.get(step.stepId)!);\n const summary = this.buildSummary(envelope.mode, orderedResults, startedAt, finishedAt, envelope.chainId);\n\n await this.dispatch(bindings, {\n event:\n summary.status === \"SUCCEEDED\"\n ? \"chain.completed\"\n : summary.status === \"PARTIAL\"\n ? \"chain.partial\"\n : \"chain.failed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n envelope,\n result: summary,\n observerTags: envelope.observerTags,\n capsule: envelope.capsule,\n keyExchange: envelope.keyExchange,\n });\n\n return summary;\n }\n\n private async executeStep(\n step: AxisChainStep,\n envelope: AxisChainEnvelope,\n results: Map<string, AxisChainStepResult>,\n options: AxisChainExecutionOptions,\n ): Promise<AxisChainStepResult> {\n const stepBindings = this.router.getObservers(step.intent);\n const startedAt = Date.now();\n const input = this.resolveStepInput(step.input, results);\n\n await this.dispatch(stepBindings, {\n event: \"step.started\",\n timestamp: startedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n envelope,\n step,\n observerTags: [...(envelope.observerTags \|\| []), ...(step.observerTags \|\| [])],\n capsule: step.capsuleScope\n ? {\n ...envelope.capsule,\n scope: step.capsuleScope,\n }\n : envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n try {\n const frame = this.buildFrame(step, envelope, input, options);\n const effect = await this.router.route(frame);\n const finishedAt = Date.now();\n const output = this.decodeOutput(effect.body);\n const proofHash = this.computeProofHash(envelope.chainId, step.stepId, effect, output);\n\n const result: AxisChainStepResult = {\n stepId: step.stepId,\n intent: step.intent,\n status: \"SUCCEEDED\",\n effect: effect.effect,\n output,\n dependsOn: step.dependsOn,\n startedAt,\n finishedAt,\n proofHash,\n observerTags: [...(envelope.observerTags \|\| []), ...(step.observerTags \|\| [])],\n metadata: effect.metadata,\n };\n\n await this.dispatch(stepBindings, {\n event: \"handler.completed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n effect,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n await this.dispatch(stepBindings, {\n event: \"proof.recorded\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n metadata: { proofHash },\n });\n\n await this.dispatch(stepBindings, {\n event: \"step.completed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n effect,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n return result;\n } catch (error: any) {\n const finishedAt = Date.now();\n const result: AxisChainStepResult = {\n stepId: step.stepId,\n intent: step.intent,\n status: \"FAILED\",\n error: error.message,\n dependsOn: step.dependsOn,\n startedAt,\n finishedAt,\n observerTags: [...(envelope.observerTags \|\| []), ...(step.observerTags \|\| [])],\n };\n\n this.logger.warn(\n `Chain ${envelope.chainId} step ${step.stepId} failed: ${error.message}`,\n );\n\n await this.dispatch(stepBindings, {\n event: \"step.failed\",\n timestamp: finishedAt,\n chainId: envelope.chainId,\n stepId: step.stepId,\n intent: step.intent,\n error: error.message,\n envelope,\n step,\n result,\n observerTags: result.observerTags,\n capsule: envelope.capsule,\n keyExchange: step.keyExchange \|\| envelope.keyExchange,\n });\n\n return result;\n }\n }\n\n private buildFrame(\n step: AxisChainStep,\n envelope: AxisChainEnvelope,\n input: unknown,\n options: AxisChainExecutionOptions,\n ): AxisFrame {\n const baseContext = getAxisExecutionContext(options.baseFrame);\n const baseHeaders = new Map(options.baseFrame?.headers \|\| []);\n baseHeaders.set(TLV_INTENT, this.encoder.encode(step.intent));\n baseHeaders.set(TLV_TRACE_ID, this.encoder.encode(envelope.chainId));\n\n const capsuleId = envelope.capsule?.capsuleId;\n if (capsuleId) {\n baseHeaders.set(TLV_CAPSULE, this.encoder.encode(capsuleId));\n }\n\n if (options.actorId) {\n baseHeaders.set(TLV_ACTOR_ID, this.encoder.encode(options.actorId));\n }\n\n return withAxisExecutionContext(\n {\n flags: (options.baseFrame?.flags \|\| 0) \| FLAG_CHAIN_REQ,\n headers: baseHeaders,\n body: this.serializeInput(input),\n sig: options.baseFrame?.sig \|\| new Uint8Array(0),\n },\n mergeAxisExecutionContext(baseContext, {\n metaIntent: \"CHAIN.EXEC\",\n actorId: options.actorId \|\| baseContext?.actorId,\n capsuleRef: step.capsuleScope\n ? {\n ...(envelope.capsule \|\| {}),\n scope: step.capsuleScope,\n }\n : envelope.capsule,\n chainEnvelope: envelope,\n chainStep: step,\n }) \|\| {},\n );\n }\n\n private validateEnvelope(envelope: AxisChainEnvelope): void {\n if (!envelope.chainId) {\n throw new Error(\"CHAIN_ID_REQUIRED\");\n }\n\n if (!envelope.steps \|\| envelope.steps.length === 0) {\n throw new Error(\"CHAIN_STEPS_REQUIRED\");\n }\n\n const seen = new Set<string>();\n for (const step of envelope.steps) {\n if (!step.stepId) {\n throw new Error(\"CHAIN_STEP_ID_REQUIRED\");\n }\n\n if (!step.intent) {\n throw new Error(`CHAIN_STEP_INTENT_REQUIRED:${step.stepId}`);\n }\n\n if (seen.has(step.stepId)) {\n throw new Error(`CHAIN_STEP_DUPLICATE:${step.stepId}`);\n }\n seen.add(step.stepId);\n }\n\n for (const step of envelope.steps) {\n for (const dependency of step.dependsOn \|\| []) {\n if (!seen.has(dependency)) {\n throw new Error(\n `CHAIN_STEP_DEPENDENCY_UNKNOWN:${step.stepId}:${dependency}`,\n );\n }\n }\n }\n }\n\n private canRun(\n step: AxisChainStep,\n results: Map<string, AxisChainStepResult>,\n ): boolean {\n return (step.dependsOn \|\| []).every((dependency) => results.has(dependency));\n }\n\n private blockStepsWithFailedDependencies(\n pending: Set<string>,\n stepsById: Map<string, AxisChainStep>,\n results: Map<string, AxisChainStepResult>,\n ): void {\n for (const stepId of Array.from(pending)) {\n const step = stepsById.get(stepId);\n if (!step \|\| !step.dependsOn \|\| step.dependsOn.length === 0) continue;\n\n const dependencyResults = step.dependsOn\n .map((dependency) => results.get(dependency))\n .filter(Boolean) as AxisChainStepResult[];\n\n if (dependencyResults.length !== step.dependsOn.length) continue;\n\n const hasFailure = dependencyResults.some(\n (dependency) => dependency.status !== \"SUCCEEDED\",\n );\n if (!hasFailure) continue;\n\n results.set(step.stepId, {\n stepId: step.stepId,\n intent: step.intent,\n status: \"BLOCKED\",\n error: \"DEPENDENCY_FAILED\",\n dependsOn: step.dependsOn,\n startedAt: Date.now(),\n finishedAt: Date.now(),\n observerTags: step.observerTags,\n });\n pending.delete(step.stepId);\n }\n }\n\n private markUnresolvedSteps(\n pending: Set<string>,\n stepsById: Map<string, AxisChainStep>,\n results: Map<string, AxisChainStepResult>,\n status: AxisChainStepStatus,\n error: string,\n ): void {\n for (const stepId of pending) {\n const step = stepsById.get(stepId);\n if (!step) continue;\n results.set(stepId, {\n stepId,\n intent: step.intent,\n status,\n error,\n dependsOn: step.dependsOn,\n startedAt: Date.now(),\n finishedAt: Date.now(),\n observerTags: step.observerTags,\n });\n }\n }\n\n private buildSummary(\n mode: AxisExecutionMode,\n results: AxisChainStepResult[],\n startedAt: number,\n finishedAt: number,\n chainId: string,\n ): AxisChainResult {\n const completedSteps = results.filter((result) => result.status === \"SUCCEEDED\").length;\n const failedSteps = results.filter((result) => result.status === \"FAILED\").length;\n const blockedSteps = results.filter((result) => result.status === \"BLOCKED\").length;\n const skippedSteps = results.filter((result) => result.status === \"SKIPPED\").length;\n\n let status: AxisChainStatus = \"SUCCEEDED\";\n if (failedSteps > 0 \|\| blockedSteps > 0 \|\| skippedSteps > 0) {\n status =\n mode === \"best_effort\" \|\| mode === \"parallel\"\n ? completedSteps > 0\n ? \"PARTIAL\"\n : \"FAILED\"\n : \"FAILED\";\n }\n\n return {\n chainId,\n mode,\n status,\n completedSteps,\n failedSteps,\n blockedSteps,\n skippedSteps,\n startedAt,\n finishedAt,\n results,\n rollback:\n mode === \"atomic\"\n ? {\n supported: false,\n attempted: false,\n reason: \"AXIS handlers do not expose rollback semantics yet\",\n }\n : undefined,\n };\n }\n\n private resolveStepInput(\n value: unknown,\n results: Map<string, AxisChainStepResult>,\n ): unknown {\n if (typeof value === \"string\") {\n if (!value.startsWith(\"$\")) return value;\n return this.lookupReference(value.slice(1), results);\n }\n\n if (Array.isArray(value)) {\n return value.map((entry) => this.resolveStepInput(entry, results));\n }\n\n if (value && typeof value === \"object\") {\n return Object.fromEntries(\n Object.entries(value).map(([key, entry]) => [\n key,\n this.resolveStepInput(entry, results),\n ]),\n );\n }\n\n return value;\n }\n\n private lookupReference(\n path: string,\n results: Map<string, AxisChainStepResult>,\n ): unknown {\n const [stepId, ...segments] = path.split(\".\");\n const result = results.get(stepId);\n if (!result) return undefined;\n\n let current: unknown = result;\n for (const segment of segments) {\n if (current === undefined \|\| current === null) return undefined;\n if (typeof current !== \"object\") return undefined;\n current = (current as Record<string, unknown>)[segment];\n }\n return current;\n }\n\n private serializeInput(input: unknown): Uint8Array {\n if (input instanceof Uint8Array) return input;\n if (typeof input === \"string\") return this.encoder.encode(input);\n if (input === undefined) return new Uint8Array(0);\n return this.encoder.encode(JSON.stringify(input));\n }\n\n private decodeOutput(body?: Uint8Array): unknown {\n if (!body \|\| body.length === 0) return undefined;\n\n try {\n const text = this.decoder.decode(body);\n try {\n return JSON.parse(text);\n } catch {\n return /^[\\x20-\\x7E\\s]+$/.test(text) ? text : body;\n }\n } catch {\n return body;\n }\n }\n\n private computeProofHash(\n chainId: string,\n stepId: string,\n effect: AxisEffect,\n output: unknown,\n ): string {\n const hash = createHash(\"sha256\");\n hash.update(chainId);\n hash.update(\":\");\n hash.update(stepId);\n hash.update(\":\");\n hash.update(effect.effect);\n hash.update(\":\");\n hash.update(JSON.stringify(output ?? null));\n return hash.digest(\"hex\");\n }\n\n private collectChainBindings(\n envelope: AxisChainEnvelope,\n ): AxisObserverBinding[] {\n const uniqueBindings = new Map<string, AxisObserverBinding>();\n\n for (const step of envelope.steps) {\n for (const binding of this.router.getObservers(step.intent)) {\n const key = binding.refs.map((ref) => String(ref)).sort().join(\"\|\");\n if (!uniqueBindings.has(key)) {\n uniqueBindings.set(key, binding);\n }\n }\n }\n\n return Array.from(uniqueBindings.values());\n }\n\n private async dispatch(\n bindings: AxisObserverBinding[],\n context: Parameters<ObserverDispatcherService[\"dispatch\"]>[1],\n ): Promise<void> {\n if (!this.observerDispatcher) return;\n await this.observerDispatcher.dispatch(bindings, context);\n }\n}","/\n Sensor Execution Bands\n \n Semantic groupings for the AXIS sensor chain.\n * Each band has 50–100 slots for ordering sensors within it.\n \n WIRE (0–39): Raw bytes, no decode. PRE_DECODE phase.\n * IDENTITY (40–89): Who is this? IP, access, proof, capsule. POST_DECODE.\n * POLICY (90–139): Are they allowed? Sig, capability, rate limit. POST_DECODE.\n * CONTENT (140–199): What's in the frame? TLV, body, schema, files. POST_DECODE.\n * BUSINESS (200–299): Business context. Stream, WS, timeout. POST_DECODE.\n * AUDIT (900+): Finalization, logging. POST_DECODE.\n /\nexport const BAND = {\n /* Pre-decode: raw byte validation, geo, budget, magic /\n WIRE: 0,\n /* Post-decode: identity resolution, capsule, proof /\n IDENTITY: 40,\n /* Post-decode: authorization, signature, rate limiting /\n POLICY: 90,\n /* Post-decode: content validation, TLV, schema, files /\n CONTENT: 140,\n /* Post-decode: business logic sensors, streams, WS /\n BUSINESS: 200,\n /* Post-decode: audit, logging (always last) /\n AUDIT: 900,\n} as const;\n\nexport type SensorBand = keyof typeof BAND;\n\n/* Sensors with order below this boundary run in PRE_DECODE phase (middleware) /\nexport const PRE_DECODE_BOUNDARY = 40;\n","/\n Deterministic JSON serialization for observation hashing.\n \n Sorts object keys alphabetically and strips `undefined` values\n * so that two structurally equivalent observations always produce\n * the same string — required for reproducible SHA-256 hashing.\n /\n\nfunction normalize(value: unknown): unknown {\n if (Array.isArray(value)) {\n return value.map((item) => normalize(item));\n }\n\n if (value && typeof value === 'object') {\n const entries = Object.entries(value as Record<string, unknown>)\n .filter(([, nested]) => nested !== undefined)\n .sort(([left], [right]) => left.localeCompare(right));\n\n const normalized: Record<string, unknown> = {};\n for (const [key, nested] of entries) {\n normalized[key] = normalize(nested);\n }\n return normalized;\n }\n\n return value;\n}\n\nexport function stableJsonStringify(value: unknown): string {\n return JSON.stringify(normalize(value));\n}\n","import { AxisObservation } from '../axis-observation';\nimport { ObservationQueueMessage } from './observation-queue.types';\n\nexport interface ObservationStreamEntry {\n id: string;\n message: ObservationQueueMessage;\n}\n\nexport function buildQueueMessage(\n observation: AxisObservation,\n sourceNodeId: string,\n previous?: ObservationQueueMessage,\n lastError?: string,\n): ObservationQueueMessage {\n const now = Date.now();\n\n return {\n v: 1,\n observation,\n attempts: previous ? previous.attempts + 1 : 0,\n firstEnqueuedAt: previous?.firstEnqueuedAt ?? now,\n lastEnqueuedAt: now,\n sourceNodeId,\n lastError,\n };\n}\n\nexport function encodeQueueMessage(message: ObservationQueueMessage): string {\n return JSON.stringify(message);\n}\n\nexport function decodeQueueMessage(\n raw: string,\n): ObservationQueueMessage \| null {\n try {\n const parsed = JSON.parse(raw) as ObservationQueueMessage;\n if (!parsed \|\| parsed.v !== 1 \|\| !parsed.observation?.id) {\n return null;\n }\n return parsed;\n } catch {\n return null;\n }\n}\n\nexport function parseStreamEntries(raw: any): ObservationStreamEntry[] {\n if (!Array.isArray(raw)) {\n return [];\n }\n\n const entries: ObservationStreamEntry[] = [];\n for (const streamRow of raw) {\n if (!Array.isArray(streamRow) \|\| streamRow.length < 2) {\n continue;\n }\n\n const messageRows = streamRow[1];\n if (!Array.isArray(messageRows)) {\n continue;\n }\n\n for (const row of messageRows) {\n if (!Array.isArray(row) \|\| row.length < 2) {\n continue;\n }\n\n const id = String(row[0]);\n const fields = Array.isArray(row[1]) ? row[1] : [];\n const fieldMap = fieldsToMap(fields);\n const payload = fieldMap.get('payload');\n if (!payload) {\n continue;\n }\n\n const message = decodeQueueMessage(payload);\n if (!message) {\n continue;\n }\n\n entries.push({ id, message });\n }\n }\n\n return entries;\n}\n\nexport function parseAutoClaimEntries(raw: any): ObservationStreamEntry[] {\n if (!Array.isArray(raw) \|\| raw.length < 2) {\n return [];\n }\n\n const rows = Array.isArray(raw[1]) ? raw[1] : [];\n return parseStreamEntries([['stream', rows]]);\n}\n\nfunction fieldsToMap(fields: any[]): Map<string, string> {\n const map = new Map<string, string>();\n for (let i = 0; i < fields.length; i += 2) {\n const key = fields[i];\n const value = fields[i + 1];\n if (key !== undefined && value !== undefined) {\n map.set(String(key), String(value));\n }\n }\n return map;\n}\n","import { createHash } from 'crypto';\n\nimport { AxisObservation } from '../axis-observation';\nimport { stableJsonStringify } from './stable-json';\n\n/\n Witness summary — a compact proof-of-observation payload\n * signed by the node that observed the execution.\n /\nexport interface ObservationWitnessSummary {\n intent?: string;\n actorId?: string;\n decision?: string;\n statusCode?: number;\n durationMs?: number;\n sensorCount: number;\n stageCount: number;\n}\n\n/\n Unsigned witness artifact — everything except the signature.\n * The backend adds `kid`, `sig`, and `alg` using its keyring.\n /\nexport interface UnsignedObservationWitness {\n v: 1;\n observationId: string;\n payloadHash: string;\n sealedAt: number;\n summary: ObservationWitnessSummary;\n}\n\n/\n Build the canonical JSON representation of an observation.\n \n Only includes structurally meaningful fields (no transient state).\n * Keys are sorted deterministically via `stableJsonStringify` so that\n * the same observation always produces the same string.\n /\nexport function canonicalizeObservation(obs: AxisObservation): string {\n const obj: Record<string, unknown> = {\n id: obs.id,\n startMs: obs.startMs,\n endMs: obs.endMs,\n transport: obs.transport,\n ip: obs.ip,\n intent: obs.intent,\n actorId: obs.actorId,\n capsuleId: obs.capsuleId,\n decision: obs.decision,\n resultCode: obs.resultCode,\n statusCode: obs.statusCode,\n durationMs: obs.durationMs,\n stages: obs.stages.map((s) => ({\n name: s.name,\n status: s.status,\n startMs: s.startMs,\n endMs: s.endMs,\n durationMs: s.durationMs,\n reason: s.reason,\n code: s.code,\n })),\n sensors: obs.sensors.map((s) => ({\n name: s.name,\n allowed: s.allowed,\n riskScore: s.riskScore,\n durationMs: s.durationMs,\n reasons: s.reasons,\n code: s.code,\n })),\n };\n\n return stableJsonStringify(obj);\n}\n\n/\n SHA-256 hash of the canonical observation payload.\n /\nexport function hashObservation(obs: AxisObservation): string {\n const canonical = canonicalizeObservation(obs);\n return createHash('sha256').update(canonical).digest('hex');\n}\n\n/\n Build an unsigned witness from a finalized observation.\n \n Returns `null` if the observation has not been finalized\n * (no `decision` or `endMs`).\n \n The caller (backend WitnessBuilder) adds `kid`, `sig`, `alg`\n * using its keyring.\n /\nexport function buildUnsignedWitness(\n obs: AxisObservation,\n): UnsignedObservationWitness \| null {\n if (!obs.decision \|\| !obs.endMs) {\n return null;\n }\n\n return {\n v: 1,\n observationId: obs.id,\n payloadHash: hashObservation(obs),\n sealedAt: Date.now(),\n summary: {\n intent: obs.intent,\n actorId: obs.actorId,\n decision: obs.decision,\n statusCode: obs.statusCode,\n durationMs: obs.durationMs,\n sensorCount: obs.sensors.length,\n stageCount: obs.stages.length,\n },\n };\n}\n","/\n Observer Truth Scoring\n \n Extends the AxisObservation model with truth verification:\n * - Expected vs actual outcome comparison\n * - Truth status classification\n * - Anomaly detection\n * - Deed confirmation\n \n This transforms the Observer from a \"logger\" into a \"verifier\" —\n * the moment where execution becomes witnessed truth.\n /\n\nimport type { AxisObservation, ObservationStage } from '../axis-observation';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Truth Status\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type TruthStatus =\n \| 'confirmed' // Execution matched expected outcome exactly\n \| 'partial' // Some expectations met, some could not be verified\n \| 'uncertain' // Unable to determine correctness\n \| 'failed' // Execution produced wrong or error result\n \| 'disputed'; // Result contradicts expected state\n\n// ────────────────────────────────────────────────────────────────────────────\n// Expected Outcome\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface ExpectedOutcome {\n /* Expected final decision /\n decision?: 'ALLOW' \| 'DENY';\n /* Expected effect label from handler /\n effect?: string;\n /* Expected status code /\n statusCode?: number;\n /* Whether the handler should succeed /\n ok?: boolean;\n /* Expected state changes (key-value) /\n stateChanges?: Record<string, unknown>;\n /* Maximum acceptable duration in ms /\n maxDurationMs?: number;\n /* Minimum required sensor count /\n minSensorsPassed?: number;\n /* custom assertions: field path → expected value /\n assertions?: Record<string, unknown>;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Anomaly\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type AnomalyLevel = 'info' \| 'warning' \| 'critical';\n\nexport interface Anomaly {\n code: string;\n level: AnomalyLevel;\n message: string;\n field?: string;\n expected?: unknown;\n actual?: unknown;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Truth Verdict\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface TruthVerdict {\n /* Overall truth status /\n status: TruthStatus;\n /* Confidence score 0.0 – 1.0 /\n confidence: number;\n /* Detected anomalies /\n anomalies: Anomaly[];\n /* Number of checks that passed /\n passedChecks: number;\n /* Total number of checks performed /\n totalChecks: number;\n /* Timestamp of verdict /\n verifiedAt: number;\n /* Whether this observation constitutes a confirmed deed /\n isDeed: boolean;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Scoring Logic\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Score an observation against an expected outcome.\n * If no expectedOutcome is provided, performs structural verification only.\n /\nexport function scoreTruth(\n obs: AxisObservation,\n expected?: ExpectedOutcome,\n): TruthVerdict {\n const anomalies: Anomaly[] = [];\n let passedChecks = 0;\n let totalChecks = 0;\n\n // ── Structural checks (always run) ──\n\n // 1. Observation must be finalized\n totalChecks++;\n if (obs.endMs && obs.decision) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'OBS_NOT_FINALIZED',\n level: 'critical',\n message: 'Observation was not finalized',\n });\n }\n\n // 2. Must have at least one stage\n totalChecks++;\n if (obs.stages.length > 0) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'OBS_NO_STAGES',\n level: 'warning',\n message: 'Observation has no execution stages',\n });\n }\n\n // 3. No failed stages (unless decision is DENY)\n totalChecks++;\n const failedStages = obs.stages.filter((s) => s.status === 'fail');\n if (failedStages.length === 0 \|\| obs.decision === 'DENY') {\n passedChecks++;\n } else {\n for (const stage of failedStages) {\n anomalies.push({\n code: 'STAGE_FAILED',\n level: 'warning',\n message: `Stage '${stage.name}' failed: ${stage.reason ?? 'unknown'}`,\n field: `stages.${stage.name}`,\n });\n }\n }\n\n // 4. All sensors should have valid timing\n totalChecks++;\n const invalidSensors = obs.sensors.filter((s) => s.durationMs < 0);\n if (invalidSensors.length === 0) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'SENSOR_INVALID_TIMING',\n level: 'warning',\n message: `${invalidSensors.length} sensor(s) have negative duration`,\n });\n }\n\n // 5. Duration sanity\n totalChecks++;\n if (obs.durationMs !== undefined && obs.durationMs >= 0 && obs.durationMs < 300_000) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'OBS_DURATION_ANOMALY',\n level: 'warning',\n message: `Observation duration ${obs.durationMs}ms is suspicious`,\n actual: obs.durationMs,\n });\n }\n\n // ── Expected outcome checks (if provided) ──\n\n if (expected) {\n // Decision match\n if (expected.decision !== undefined) {\n totalChecks++;\n if (obs.decision === expected.decision) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'DECISION_MISMATCH',\n level: 'critical',\n message: `Expected decision '${expected.decision}', got '${obs.decision}'`,\n field: 'decision',\n expected: expected.decision,\n actual: obs.decision,\n });\n }\n }\n\n // Status code match\n if (expected.statusCode !== undefined) {\n totalChecks++;\n if (obs.statusCode === expected.statusCode) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'STATUS_MISMATCH',\n level: 'warning',\n message: `Expected status ${expected.statusCode}, got ${obs.statusCode}`,\n field: 'statusCode',\n expected: expected.statusCode,\n actual: obs.statusCode,\n });\n }\n }\n\n // Effect match\n if (expected.effect !== undefined) {\n totalChecks++;\n if (obs.resultCode === expected.effect \|\| obs.facts?.effect === expected.effect) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'EFFECT_MISMATCH',\n level: 'warning',\n message: `Expected effect '${expected.effect}', got '${obs.resultCode}'`,\n field: 'resultCode',\n expected: expected.effect,\n actual: obs.resultCode,\n });\n }\n }\n\n // Max duration\n if (expected.maxDurationMs !== undefined) {\n totalChecks++;\n if (obs.durationMs !== undefined && obs.durationMs <= expected.maxDurationMs) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'DURATION_EXCEEDED',\n level: 'warning',\n message: `Execution took ${obs.durationMs}ms, max allowed ${expected.maxDurationMs}ms`,\n field: 'durationMs',\n expected: expected.maxDurationMs,\n actual: obs.durationMs,\n });\n }\n }\n\n // Min sensors passed\n if (expected.minSensorsPassed !== undefined) {\n totalChecks++;\n const passed = obs.sensors.filter((s) => s.allowed).length;\n if (passed >= expected.minSensorsPassed) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'INSUFFICIENT_SENSORS',\n level: 'warning',\n message: `Only ${passed} sensors passed, minimum required ${expected.minSensorsPassed}`,\n field: 'sensors',\n expected: expected.minSensorsPassed,\n actual: passed,\n });\n }\n }\n\n // Custom assertions against facts\n if (expected.assertions) {\n for (const [key, expectedValue] of Object.entries(expected.assertions)) {\n totalChecks++;\n const actualValue = obs.facts[key];\n if (deepEqual(actualValue, expectedValue)) {\n passedChecks++;\n } else {\n anomalies.push({\n code: 'ASSERTION_FAILED',\n level: 'warning',\n message: `Assertion failed for facts.${key}`,\n field: `facts.${key}`,\n expected: expectedValue,\n actual: actualValue,\n });\n }\n }\n }\n }\n\n // ── Compute verdict ──\n\n const confidence = totalChecks > 0 ? passedChecks / totalChecks : 0;\n const hasCritical = anomalies.some((a) => a.level === 'critical');\n const status = computeTruthStatus(confidence, hasCritical, anomalies.length);\n const isDeed = status === 'confirmed' \|\| (status === 'partial' && !hasCritical);\n\n return {\n status,\n confidence,\n anomalies,\n passedChecks,\n totalChecks,\n verifiedAt: Date.now(),\n isDeed,\n };\n}\n\nfunction computeTruthStatus(\n confidence: number,\n hasCritical: boolean,\n anomalyCount: number,\n): TruthStatus {\n if (hasCritical) return 'failed';\n if (confidence === 1.0) return 'confirmed';\n if (confidence >= 0.8) return 'partial';\n if (confidence >= 0.5) return 'uncertain';\n return 'disputed';\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Attach truth to observation\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface ObservedDeed {\n observation: AxisObservation;\n verdict: TruthVerdict;\n}\n\n/\n Verify an observation and produce an ObservedDeed.\n * This is the moment where execution becomes accountable reality.\n /\nexport function verifyObservation(\n obs: AxisObservation,\n expected?: ExpectedOutcome,\n): ObservedDeed {\n const verdict = scoreTruth(obs, expected);\n return { observation: obs, verdict };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Helpers\n// ────────────────────────────────────────────────────────────────────────────\n\nfunction deepEqual(a: unknown, b: unknown): boolean {\n if (a === b) return true;\n if (a === null \|\| b === null) return false;\n if (typeof a !== typeof b) return false;\n if (typeof a !== 'object') return String(a) === String(b);\n\n if (Array.isArray(a) && Array.isArray(b)) {\n if (a.length !== b.length) return false;\n return a.every((v, i) => deepEqual(v, b[i]));\n }\n\n if (Array.isArray(a) !== Array.isArray(b)) return false;\n\n const aKeys = Object.keys(a as Record<string, unknown>);\n const bKeys = Object.keys(b as Record<string, unknown>);\n if (aKeys.length !== bKeys.length) return false;\n\n return aKeys.every((key) =>\n deepEqual(\n (a as Record<string, unknown>)[key],\n (b as Record<string, unknown>)[key],\n ),\n );\n}\n","import { MAX_BODY_LEN } from '../../core/constants';\n\n/\n Minimal request context needed by ResponseObserver.\n * Compatible with the full AxisContext from schemas.\n /\nexport interface ResponseObserverContext {\n actorId: string;\n intent: string;\n}\n\n/\n Response contract that the observer validates.\n /\nexport interface ResponseContract {\n /* Whether the handler reported success /\n ok: boolean;\n /* The effect label returned by the handler /\n effect: string;\n /* Response body bytes (may be undefined for error responses) /\n body?: Uint8Array;\n /* Response TLV headers /\n headers?: Map<number, Uint8Array>;\n}\n\n/\n Result of observer validation.\n /\nexport interface ObserverVerdict {\n /* true = response passes all checks /\n passed: boolean;\n /* Machine-readable code if rejected /\n code?: string;\n /* Human-readable reason if rejected /\n reason?: string;\n}\n\n/* TLV tags that must never appear in a response (ACTOR_ID, PROOF_TYPE, PROOF_REF). /\nconst SENSITIVE_RESPONSE_TAGS = [4, 5, 6];\n\n/\n ResponseObserver — post-execution policy gate (protocol layer).\n \n Validates that:\n * 1. Effect is a valid non-empty string.\n * 2. Mandatory response body exists for successful results.\n * 3. No sensitive data leaks in response headers.\n * 4. Response size is within protocol limits.\n * 5. Effect does not expose internal error details.\n \n This is a defense-in-depth layer — primary correctness comes from\n * deterministic execution, signature verification, and nonce/replay controls.\n \n On failure, the engine returns a safe error instead of the original response.\n /\nexport function verifyResponse(\n ctx: ResponseObserverContext,\n response: ResponseContract,\n): ObserverVerdict {\n // 1. Effect must be a non-empty string\n if (!response.effect \|\| typeof response.effect !== 'string') {\n return {\n passed: false,\n code: 'OBSERVER_INVALID_EFFECT',\n reason: 'Response effect is missing or invalid',\n };\n }\n\n // 2. Successful responses must have a body\n if (response.ok && (!response.body \|\| response.body.length === 0)) {\n return {\n passed: false,\n code: 'OBSERVER_EMPTY_BODY',\n reason: 'Successful response must contain a body',\n };\n }\n\n // 3. Response body must not exceed protocol limits\n if (response.body && response.body.length > MAX_BODY_LEN) {\n return {\n passed: false,\n code: 'OBSERVER_BODY_OVERFLOW',\n reason: `Response body exceeds ${MAX_BODY_LEN} bytes`,\n };\n }\n\n // 4. Verify no sensitive TLV tags leak in response headers\n if (response.headers) {\n for (const tag of SENSITIVE_RESPONSE_TAGS) {\n if (response.headers.has(tag)) {\n return {\n passed: false,\n code: 'OBSERVER_DATA_LEAK',\n reason: `Response must not contain sensitive TLV tag ${tag}`,\n };\n }\n }\n }\n\n // 5. Effect should not expose internal error details\n if (\n response.effect.includes('Error:') \|\|\n response.effect.includes('stack') \|\|\n response.effect.includes('at /')\n ) {\n return {\n passed: false,\n code: 'OBSERVER_INFO_LEAK',\n reason: 'Response effect may contain internal error details',\n };\n }\n\n return { passed: true };\n}\n\n/\n Function type and value alias for the response observer validator.\n /\nexport type ResponseObserver = (\n ctx: ResponseObserverContext,\n response: ResponseContract,\n) => ObserverVerdict;\n\nexport const ResponseObserver: ResponseObserver = verifyResponse;\n","export { encodeVarint, decodeVarint, varintLength } from '@nextera.one/axis-protocol';\n","import as z from 'zod';\nimport type { AxisFrame as ProtocolAxisFrame } from '@nextera.one/axis-protocol';\n\nexport {\n decodeFrame,\n encodeFrame,\n getSignTarget,\n} from '@nextera.one/axis-protocol';\nexport type { AxisFrame, AxisBinaryFrame } from '@nextera.one/axis-protocol';\n\n/*\n AxisFrame Schema\n \n Defines the logical structure of an AXIS frame using Zod for runtime validation.\n * This is used for internal processing after the low-level binary parsing is complete.\n /\nexport const AxisFrameZ: z.ZodType<ProtocolAxisFrame> = z.object({\n /* Flag bits for protocol control (e.g., encryption, compression) /\n flags: z.number().int().nonnegative(),\n /* A map of TLV headers where key=Tag and value=BinaryData /\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n /* The main payload of the frame /\n body: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n /* The cryptographic signature covering the frame (except the signature itself) /\n sig: z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n});\n","import as crypto from 'crypto';\n\nimport { AxisFrame, getSignTarget } from './axis-bin';\n\n/*\n Signature utilities for AXIS binary frames\n * Supports Ed25519 signature generation and verification\n /\n\n/\n Computes the canonical payload for signing an AXIS frame.\n * The signature covers all bytes of the encoded frame EXCEPT the signature field itself.\n \n @param {AxisFrame} frame - The frame to prepare for signing\n * @returns {Buffer} The serialized canonical bytes for the signature algorithm\n /\nexport function computeSignaturePayload(frame: AxisFrame): Buffer {\n return Buffer.from(getSignTarget(frame));\n}\n\n/\n Signs an AXIS frame using the Ed25519 algorithm.\n * Automatically handles both raw 32-byte seeds and pkcs8 DER-encoded private keys.\n \n @param {AxisFrame} frame - The frame to sign\n * @param {Buffer} privateKey - Ed25519 private key (32-byte raw OR pkcs8 DER)\n * @returns {Buffer} The 64-byte Ed25519 signature\n * @throws {Error} If key format is invalid or signing fail\n /\nexport function signFrame(frame: AxisFrame, privateKey: Buffer): Buffer {\n const payload = computeSignaturePayload(frame);\n\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte seed or DER-encoded\n if (privateKey.length === 32) {\n // Raw seed - wrap in pkcs8 DER format\n // pkcs8 prefix for Ed25519: 0x302e020100300506032b657004220420\n const pkcs8Prefix = Buffer.from([\n 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,\n 0x04, 0x22, 0x04, 0x20,\n ]);\n const pkcs8Key = Buffer.concat([pkcs8Prefix, privateKey]);\n\n keyObject = crypto.createPrivateKey({\n key: pkcs8Key,\n format: 'der',\n type: 'pkcs8',\n });\n } else {\n // Assume already DER-encoded pkcs8\n keyObject = crypto.createPrivateKey({\n key: privateKey,\n format: 'der',\n type: 'pkcs8',\n });\n }\n\n const signature = crypto.sign(null, payload, keyObject);\n\n if (signature.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n return signature;\n}\n\n/\n Verifies an Ed25519 signature on an AXIS frame.\n * Automatically handles both raw 32-byte public keys and spki DER-encoded public keys.\n \n @param {AxisFrame} frame - The frame containing the signature to verify\n * @param {Buffer} publicKey - Ed25519 public key (32-byte raw OR spki DER)\n * @returns {boolean} True if the signature is cryptographically valid\n * @throws {Error} If signature length is invalid\n /\nexport function verifyFrameSignature(\n frame: AxisFrame,\n publicKey: Buffer,\n): boolean {\n if (frame.sig.length === 0) {\n return false; // No signature\n }\n\n if (frame.sig.length !== 64) {\n throw new Error('Ed25519 signature must be 64 bytes');\n }\n\n const payload = computeSignaturePayload(frame);\n\n try {\n let keyObject: crypto.KeyObject;\n\n // Check if key is raw 32-byte or DER-encoded\n if (publicKey.length === 32) {\n // Raw key - wrap in spki DER format\n // spki prefix for Ed25519: 0x302a300506032b6570032100\n const spkiPrefix = Buffer.from([\n 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,\n ]);\n const spkiKey = Buffer.concat([spkiPrefix, publicKey]);\n\n keyObject = crypto.createPublicKey({\n key: spkiKey,\n format: 'der',\n type: 'spki',\n });\n } else {\n // Assume already DER-encoded spki\n keyObject = crypto.createPublicKey({\n key: publicKey,\n format: 'der',\n type: 'spki',\n });\n }\n\n const valid = crypto.verify(\n null,\n payload,\n keyObject,\n Buffer.from(frame.sig),\n );\n return valid;\n } catch (error) {\n return false;\n }\n}\n\n/\n Generates a new Ed25519 key pair for use with the AXIS protocol.\n * Returns keys in canonical DER format (pkcs8 for private, spki for public).\n \n @returns {Object} An object containing the privateKey and publicKey as Buffers\n /\nexport function generateEd25519KeyPair(): {\n privateKey: Buffer;\n publicKey: Buffer;\n} {\n const { privateKey, publicKey } = crypto.generateKeyPairSync('ed25519');\n\n return {\n privateKey: privateKey.export({ type: 'pkcs8', format: 'der' }) as Buffer,\n publicKey: publicKey.export({ type: 'spki', format: 'der' }) as Buffer,\n };\n}\n\n/\n Computes a standard SHA-256 hash of the provided data.\n \n @param {Buffer \| Uint8Array} data - The input data to hash\n * @returns {Buffer} The 32-byte SHA-256 digest\n /\nexport function sha256(data: Buffer \| Uint8Array): Buffer {\n return crypto.createHash('sha256').update(data).digest();\n}\n\n/\n Computes a hash for an AXIS receipt, optionally chaining it to a previous hash.\n * This is used for generating an immutable transaction chain.\n \n @param {Buffer \| Uint8Array} receiptBytes - The canonical binary representation of the receipt\n * @param {Buffer \| Uint8Array} [prevHash] - The hash of the previous receipt in the chain\n * @returns {Buffer} The 32-byte SHA-256 hash of the receipt (and link)\n /\nexport function computeReceiptHash(\n receiptBytes: Buffer \| Uint8Array,\n prevHash?: Buffer \| Uint8Array,\n): Buffer {\n const hasher = crypto.createHash('sha256');\n hasher.update(receiptBytes);\n\n if (prevHash && prevHash.length > 0) {\n hasher.update(prevHash);\n }\n\n return hasher.digest();\n}\n","// ats1.constants.ts\n\n// Header TLV tags (hdr TLVs)\nexport const ATS1_HDR = {\n INTENT_ID: 1, // uvarint\n ACTOR_KEY_ID: 2, // bytes (key fingerprint / credentialId hash)\n CAPSULE_ID: 3, // bytes or varint\n NONCE: 4, // 16 bytes\n TS_MS: 5, // u64be (8)\n SCHEMA_ID: 6, // uvarint\n BODY_HASH: 7, // 32 bytes (sha256)\n TRACE_ID: 8, // 16 bytes\n} as const;\n\n// Schema IDs (body TLVs meaning depends on schema)\nexport const ATS1_SCHEMA = {\n PASSKEY_LOGIN_OPTIONS_REQ: 2001,\n PASSKEY_LOGIN_OPTIONS_RES: 2002,\n\n PASSKEY_LOGIN_VERIFY_REQ: 2011,\n PASSKEY_LOGIN_VERIFY_RES: 2012,\n\n PASSKEY_REGISTER_OPTIONS_REQ: 2021,\n PASSKEY_REGISTER_OPTIONS_RES: 2022,\n\n PASSKEY_REGISTER_VERIFY_REQ: 2031,\n PASSKEY_REGISTER_VERIFY_RES: 2032,\n} as const;\n","/ eslint-disable @typescript-eslint/no-explicit-any /\n/\n ATS1 (AXIS-TLV Schema v1) — TypeScript Encoder/Decoder\n * - Canonical TLV: [TAG(uvarint)][LEN(uvarint)][VALUE(bytes)]\n * - Canonical ordering: ascending TAG\n * - Minimal varint encoding enforced in decoder\n * - Strict schema validation (unknown tags rejected by default)\n * - Nested TLV streams supported\n \n Node.js: uses crypto for SHA-256\n /\n\nimport { createHash, randomBytes } from 'crypto';\n\n// -----------------------------\n// Types\n// -----------------------------\n\nexport type Ats1FieldType = 'bytes' \| 'utf8' \| 'uvarint' \| 'u64be' \| 'nested';\n\nexport type Ats1FieldDescriptor = {\n tag: number;\n name: string;\n type: Ats1FieldType;\n required?: boolean;\n repeated?: boolean;\n nestedSchema?: Ats1SchemaDescriptor; // required if type === 'nested'\n maxLen?: number; // optional per-field limit (bytes length)\n};\n\nexport type Ats1SchemaDescriptor = {\n schemaId: number;\n name: string;\n strict: boolean; // if true: reject unknown tags\n maxNestingDepth: number; // e.g. 4\n maxBodyBytes?: number; // optional overall body limit\n fields: Ats1FieldDescriptor[];\n};\n\nexport type DecodedTlv = { tag: number; value: Buffer };\n\nexport type DecodedTlvMap = Map<number, Buffer[]>; // tag -> list of values\n\nexport type SensorInputLike = {\n hdrTLVs: DecodedTlvMap;\n bodyTLVs: DecodedTlvMap;\n schemaId: number;\n intentId: number;\n};\n\n// -----------------------------\n// Limits (sane defaults)\n// -----------------------------\n\nexport type Ats1Limits = {\n maxVarintBytes: number; // e.g. 10 for u64\n maxTlvCount: number; // e.g. 512\n maxValueBytes: number; // e.g. 1MB\n maxNestingDepth: number; // e.g. 4\n};\n\nexport const DEFAULT_LIMITS: Ats1Limits = {\n maxVarintBytes: 10,\n maxTlvCount: 512,\n maxValueBytes: 1_048_576, // 1 MiB\n maxNestingDepth: 4,\n};\n\n// -----------------------------\n// Varint (unsigned LEB128)\n// -----------------------------\n\nexport function encodeUVarint(n: number \| bigint): Buffer {\n let x = typeof n === 'bigint' ? n : BigInt(n);\n if (x < 0n) throw new Error('encodeUVarint: negative not allowed');\n\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function decodeUVarint(\n buf: Buffer,\n offset: number,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { value: bigint; offset: number; bytesRead: number } {\n let x = 0n;\n let shift = 0n;\n const start = offset;\n\n for (let i = 0; i < limits.maxVarintBytes; i++) {\n if (offset >= buf.length) throw new Error('decodeUVarint: truncated');\n const b = buf[offset++];\n x \|= BigInt(b & 0x7f) << shift;\n\n if ((b & 0x80) === 0) {\n const bytesRead = offset - start;\n\n // Minimal-encoding check:\n // Re-encode and compare exact bytes.\n const re = encodeUVarint(x);\n const original = buf.subarray(start, offset);\n if (!re.equals(original))\n throw new Error('decodeUVarint: non-minimal varint');\n\n return { value: x, offset, bytesRead };\n }\n\n shift += 7n;\n }\n\n throw new Error('decodeUVarint: too long');\n}\n\n// -----------------------------\n// Primitive encoders/decoders\n// -----------------------------\n\nexport function encodeU64BE(n: bigint): Buffer {\n if (n < 0n) throw new Error('encodeU64BE: negative not allowed');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(n, 0);\n return b;\n}\n\nexport function decodeU64BE(buf: Buffer): bigint {\n if (buf.length !== 8) throw new Error('decodeU64BE: length must be 8');\n return buf.readBigUInt64BE(0);\n}\n\nexport function sha256(data: Buffer): Buffer {\n return createHash('sha256').update(data).digest();\n}\n\n// -----------------------------\n// TLV encode/decode\n// -----------------------------\n\nexport function encodeTLV(tag: number, value: Buffer): Buffer {\n if (!Number.isInteger(tag) \|\| tag <= 0)\n throw new Error('encodeTLV: tag must be positive int');\n const t = encodeUVarint(tag);\n const l = encodeUVarint(value.length);\n return Buffer.concat([t, l, value]);\n}\n\nexport function encodeTLVStreamCanonical(entries: DecodedTlv[]): Buffer {\n // Canonical sort ascending tag\n const sorted = [...entries].sort((a, b) => a.tag - b.tag);\n\n // Duplicate tags are allowed only if the schema says repeated.\n // This function does not enforce schema; caller should.\n const parts: Buffer[] = [];\n for (const e of sorted) parts.push(encodeTLV(e.tag, e.value));\n return Buffer.concat(parts);\n}\n\nexport function decodeTLVStream(\n stream: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n const out: DecodedTlv[] = [];\n let off = 0;\n\n while (off < stream.length) {\n if (out.length >= limits.maxTlvCount)\n throw new Error('decodeTLVStream: too many TLVs');\n\n const tagRes = decodeUVarint(stream, off, limits);\n const tag = Number(tagRes.value);\n off = tagRes.offset;\n\n const lenRes = decodeUVarint(stream, off, limits);\n const len = Number(lenRes.value);\n off = lenRes.offset;\n\n if (len < 0) throw new Error('decodeTLVStream: negative length');\n if (len > limits.maxValueBytes)\n throw new Error('decodeTLVStream: value too large');\n if (off + len > stream.length)\n throw new Error('decodeTLVStream: truncated value');\n\n const value = stream.subarray(off, off + len);\n off += len;\n\n out.push({ tag, value: Buffer.from(value) });\n }\n\n // Canonical check: must be sorted ascending tag.\n for (let i = 1; i < out.length; i++) {\n if (out[i].tag < out[i - 1].tag)\n throw new Error('decodeTLVStream: non-canonical tag order');\n }\n\n return out;\n}\n\nexport function tlvsToMap(entries: DecodedTlv[]): DecodedTlvMap {\n const m: DecodedTlvMap = new Map();\n for (const e of entries) {\n const arr = m.get(e.tag) ?? [];\n arr.push(e.value);\n m.set(e.tag, arr);\n }\n return m;\n}\n\n// -----------------------------\n// Schema validation + object \\u2194 TLV mapping\n// -----------------------------\n\ntype LogicalBody = { schemaId: number; fields: Record<string, any> };\n\nexport function validateTLVsAgainstSchema(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n depth = 0,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): void {\n if (depth > Math.min(schema.maxNestingDepth, limits.maxNestingDepth)) {\n throw new Error('validateTLVsAgainstSchema: nesting depth exceeded');\n }\n\n if (schema.maxBodyBytes && tlvsBytes(tlvs) > schema.maxBodyBytes) {\n throw new Error('validateTLVsAgainstSchema: body too large');\n }\n\n const byTag = new Map<number, DecodedTlv[]>();\n for (const t of tlvs) {\n if (!byTag.has(t.tag)) byTag.set(t.tag, []);\n byTag.get(t.tag)!.push(t);\n }\n\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n // Unknown tags\n if (schema.strict) {\n for (const tag of byTag.keys()) {\n if (!fieldByTag.has(tag))\n throw new Error(`validateTLVsAgainstSchema: unknown tag ${tag}`);\n }\n }\n\n // Required fields & repetition rules\n for (const f of schema.fields) {\n const vals = byTag.get(f.tag) ?? [];\n if (f.required && vals.length === 0)\n throw new Error(`validateTLVsAgainstSchema: missing ${f.name}`);\n\n if (!f.repeated && vals.length > 1) {\n throw new Error(\n `validateTLVsAgainstSchema: duplicate tag not allowed for ${f.name}`,\n );\n }\n\n // Per-field max length\n if (typeof f.maxLen === 'number') {\n for (const v of vals) {\n if (v.value.length > f.maxLen)\n throw new Error(`validateTLVsAgainstSchema: ${f.name} too long`);\n }\n }\n\n // Type checks (lightweight)\n for (const v of vals) {\n switch (f.type) {\n case 'u64be':\n if (v.value.length !== 8)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} u64be must be 8 bytes`,\n );\n break;\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(\n `validateTLVsAgainstSchema: ${f.name} missing nestedSchema`,\n );\n const nestedTlvs = decodeTLVStream(v.value, limits);\n validateTLVsAgainstSchema(\n f.nestedSchema,\n nestedTlvs,\n depth + 1,\n limits,\n );\n break;\n }\n default:\n // bytes/utf8/uvarint are accepted structurally; deeper validation can be added if you want.\n break;\n }\n }\n }\n}\n\nfunction tlvsBytes(tlvs: DecodedTlv[]): number {\n // approximate encoded size if re-encoded\n let n = 0;\n for (const t of tlvs) {\n n +=\n encodeUVarint(t.tag).length +\n encodeUVarint(t.value.length).length +\n t.value.length;\n }\n return n;\n}\n\nexport function logicalBodyToTLVs(\n schema: Ats1SchemaDescriptor,\n body: LogicalBody,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): DecodedTlv[] {\n if (body.schemaId !== schema.schemaId)\n throw new Error('logicalBodyToTLVs: schemaId mismatch');\n\n const fieldsByName = new Map(schema.fields.map((f) => [f.name, f] as const));\n const tlvs: DecodedTlv[] = [];\n\n for (const [name, val] of Object.entries(body.fields ?? {})) {\n const f = fieldsByName.get(name);\n if (!f) {\n if (schema.strict)\n throw new Error(`logicalBodyToTLVs: unknown field ${name}`);\n continue;\n }\n\n const pushOne = (v: any) => {\n const valueBuf = encodeFieldValue(f, v, limits);\n if (valueBuf.length > limits.maxValueBytes)\n throw new Error('logicalBodyToTLVs: value too large');\n tlvs.push({ tag: f.tag, value: valueBuf });\n };\n\n if (f.repeated) {\n if (!Array.isArray(val))\n throw new Error(\n `logicalBodyToTLVs: repeated field ${name} must be array`,\n );\n for (const item of val) pushOne(item);\n } else {\n pushOne(val);\n }\n }\n\n // Validate required + duplicates + nested schema correctness\n // Validation also enforces canonical ordering check only after encoding/decoding;\n // here we validate semantics.\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n // NOTE: canonical ordering will be applied in encodeTLVStreamCanonical()\n return tlvs;\n}\n\nfunction encodeFieldValue(\n f: Ats1FieldDescriptor,\n val: any,\n limits: Ats1Limits,\n): Buffer {\n switch (f.type) {\n case 'bytes':\n if (Buffer.isBuffer(val)) return Buffer.from(val);\n if (val instanceof Uint8Array) return Buffer.from(val);\n throw new Error(`encodeFieldValue: ${f.name} expects bytes`);\n case 'utf8':\n if (typeof val !== 'string')\n throw new Error(`encodeFieldValue: ${f.name} expects string`);\n return Buffer.from(val, 'utf8');\n case 'uvarint':\n if (typeof val !== 'number' && typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects number/bigint`);\n return encodeUVarint(val);\n case 'u64be':\n if (typeof val !== 'bigint')\n throw new Error(`encodeFieldValue: ${f.name} expects bigint`);\n return encodeU64BE(val);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`encodeFieldValue: ${f.name} missing nestedSchema`);\n // Accept nested logical object in the form { fields: {...} } or direct record\n const nestedFields =\n val && typeof val === 'object' && 'fields' in val\n ? (val as any).fields\n : val;\n if (!nestedFields \|\| typeof nestedFields !== 'object')\n throw new Error(`encodeFieldValue: ${f.name} expects object`);\n const nestedBody: LogicalBody = {\n schemaId: f.nestedSchema.schemaId,\n fields: nestedFields,\n };\n const nestedTlvs = logicalBodyToTLVs(f.nestedSchema, nestedBody, limits);\n const nestedBytes = encodeTLVStreamCanonical(nestedTlvs);\n // Re-parse to ensure canonical encoding would pass, and validate\n const re = decodeTLVStream(nestedBytes, limits);\n validateTLVsAgainstSchema(f.nestedSchema, re, 1, limits);\n return nestedBytes;\n }\n default:\n throw new Error(`encodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\nexport function tlvsToLogicalBody(\n schema: Ats1SchemaDescriptor,\n tlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): LogicalBody {\n // TLVs must already be decoded and canonical-checked\n validateTLVsAgainstSchema(schema, tlvs, 0, limits);\n\n const fields: Record<string, any> = {};\n const fieldByTag = new Map(schema.fields.map((f) => [f.tag, f] as const));\n\n for (const t of tlvs) {\n const f = fieldByTag.get(t.tag);\n if (!f) {\n if (schema.strict)\n throw new Error(`tlvsToLogicalBody: unknown tag ${t.tag}`);\n continue;\n }\n\n const decoded = decodeFieldValue(f, t.value, limits);\n\n if (f.repeated) {\n if (!Array.isArray(fields[f.name])) fields[f.name] = [];\n fields[f.name].push(decoded);\n } else {\n fields[f.name] = decoded;\n }\n }\n\n return { schemaId: schema.schemaId, fields };\n}\n\nfunction decodeFieldValue(\n f: Ats1FieldDescriptor,\n value: Buffer,\n limits: Ats1Limits,\n): any {\n switch (f.type) {\n case 'bytes':\n return Buffer.from(value);\n case 'utf8':\n return value.toString('utf8');\n case 'uvarint': {\n const r = decodeUVarint(value, 0, limits);\n if (r.offset !== value.length)\n throw new Error(\n `decodeFieldValue: ${f.name} uvarint has trailing bytes`,\n );\n // return as number when safe, else bigint\n const asNum = Number(r.value);\n return Number.isSafeInteger(asNum) ? asNum : r.value;\n }\n case 'u64be':\n return decodeU64BE(value);\n case 'nested': {\n if (!f.nestedSchema)\n throw new Error(`decodeFieldValue: ${f.name} missing nestedSchema`);\n const nestedTlvs = decodeTLVStream(value, limits);\n // nested schema validation is called by validateTLVsAgainstSchema already,\n // but we decode again safely here.\n const nestedBody = tlvsToLogicalBody(f.nestedSchema, nestedTlvs, limits);\n return nestedBody.fields; // return the record by default\n }\n default:\n throw new Error(`decodeFieldValue: unsupported type ${(f as any).type}`);\n }\n}\n\n// -----------------------------\n// AXIS HDR tags (ATS1 header TLVs)\n// -----------------------------\n\nexport const HDR_TAGS = {\n intent_id: 1,\n actor_key_id: 2,\n capsule_id: 3,\n nonce: 4,\n ts_ms: 5,\n schema_id: 6,\n body_hash: 7,\n trace_id: 8,\n} as const;\n\nexport type AxisHeaderLogical = {\n intentId: number;\n actorKeyId: Uint8Array;\n capsuleId?: Uint8Array;\n nonce: Uint8Array; // 16 bytes\n tsMs: bigint; // ms\n schemaId: number;\n bodyHash: Uint8Array; // 32 bytes\n traceId?: Uint8Array; // 16 bytes\n version?: number; // optional\n headerHash?: Uint8Array; // 32 bytes\n headerTlvs?: DecodedTlv[]; // optional\n bodyTlvs?: DecodedTlv[]; // optional\n};\n\nexport type AxisLogicalRequest = {\n hdr: AxisHeaderLogical;\n body: LogicalBody;\n};\n\nexport function encodeAxisHeaderToTLVs(hdr: AxisHeaderLogical): DecodedTlv[] {\n if (hdr.nonce.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: nonce must be 16 bytes');\n if (hdr.bodyHash.byteLength !== 32)\n throw new Error('encodeAxisHeaderToTLVs: bodyHash must be 32 bytes');\n if (hdr.traceId && hdr.traceId.byteLength !== 16)\n throw new Error('encodeAxisHeaderToTLVs: traceId must be 16 bytes');\n\n const tlvs: DecodedTlv[] = [\n { tag: HDR_TAGS.intent_id, value: encodeUVarint(hdr.intentId) },\n { tag: HDR_TAGS.actor_key_id, value: Buffer.from(hdr.actorKeyId) },\n { tag: HDR_TAGS.nonce, value: Buffer.from(hdr.nonce) },\n { tag: HDR_TAGS.ts_ms, value: encodeU64BE(hdr.tsMs) },\n { tag: HDR_TAGS.schema_id, value: encodeUVarint(hdr.schemaId) },\n { tag: HDR_TAGS.body_hash, value: Buffer.from(hdr.bodyHash) },\n ];\n\n if (hdr.capsuleId)\n tlvs.push({ tag: HDR_TAGS.capsule_id, value: Buffer.from(hdr.capsuleId) });\n if (hdr.traceId)\n tlvs.push({ tag: HDR_TAGS.trace_id, value: Buffer.from(hdr.traceId) });\n\n return tlvs;\n}\n\nexport function decodeAxisHeaderFromTLVs(\n hdrTlvs: DecodedTlv[],\n limits: Ats1Limits = DEFAULT_LIMITS,\n): AxisHeaderLogical {\n // hdr TLVs must be canonical-ordered (enforced by decodeTLVStream) and duplicates only if allowed.\n const m = tlvsToMap(hdrTlvs);\n\n const get1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr \|\| arr.length !== 1)\n throw new Error(\n `decodeAxisHeaderFromTLVs: missing/dup header tag ${tag}`,\n );\n return arr[0];\n };\n const getOpt1 = (tag: number) => {\n const arr = m.get(tag);\n if (!arr) return undefined;\n if (arr.length !== 1)\n throw new Error(`decodeAxisHeaderFromTLVs: dup header tag ${tag}`);\n return arr[0];\n };\n\n const intentIdVar = decodeUVarint(get1(HDR_TAGS.intent_id), 0, limits);\n if (intentIdVar.offset !== get1(HDR_TAGS.intent_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: intent_id trailing bytes');\n\n const schemaIdVar = decodeUVarint(get1(HDR_TAGS.schema_id), 0, limits);\n if (schemaIdVar.offset !== get1(HDR_TAGS.schema_id).length)\n throw new Error('decodeAxisHeaderFromTLVs: schema_id trailing bytes');\n\n const ts = decodeU64BE(get1(HDR_TAGS.ts_ms));\n\n const nonce = get1(HDR_TAGS.nonce);\n if (nonce.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: nonce must be 16 bytes');\n\n const bodyHash = get1(HDR_TAGS.body_hash);\n if (bodyHash.length !== 32)\n throw new Error('decodeAxisHeaderFromTLVs: body_hash must be 32 bytes');\n\n const trace = getOpt1(HDR_TAGS.trace_id);\n if (trace && trace.length !== 16)\n throw new Error('decodeAxisHeaderFromTLVs: trace_id must be 16 bytes');\n\n return {\n intentId: Number(intentIdVar.value),\n actorKeyId: Buffer.from(get1(HDR_TAGS.actor_key_id)),\n capsuleId: getOpt1(HDR_TAGS.capsule_id)\n ? Buffer.from(getOpt1(HDR_TAGS.capsule_id)!)\n : undefined,\n nonce: Buffer.from(nonce),\n tsMs: ts,\n schemaId: Number(schemaIdVar.value),\n bodyHash: Buffer.from(bodyHash),\n traceId: trace ? Buffer.from(trace) : undefined,\n };\n}\n\n// -----------------------------\n// Encode/Decode AXIS request body + hdr with body_hash binding\n// -----------------------------\n\nexport function encodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n req: Omit<AxisLogicalRequest, 'hdr'> & {\n hdr: Omit<AxisHeaderLogical, 'bodyHash'>;\n },\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdrBytes: Buffer; bodyBytes: Buffer; bodyHash: Buffer } {\n // 1) encode body TLVs\n const bodyTlvs = logicalBodyToTLVs(schema, req.body, limits);\n const bodyBytes = encodeTLVStreamCanonical(bodyTlvs);\n\n // 2) compute body hash\n const bodyHash = sha256(bodyBytes);\n\n // 3) encode hdr TLVs (with computed hash)\n const hdr: AxisHeaderLogical = {\n ...req.hdr,\n schemaId: schema.schemaId,\n bodyHash,\n };\n const hdrTlvs = encodeAxisHeaderToTLVs(hdr);\n const hdrBytes = encodeTLVStreamCanonical(hdrTlvs);\n\n return { hdrBytes, bodyBytes, bodyHash };\n}\n\nexport function decodeAxisRequestBinary(\n schema: Ats1SchemaDescriptor,\n hdrBytes: Buffer,\n bodyBytes: Buffer,\n limits: Ats1Limits = DEFAULT_LIMITS,\n): { hdr: AxisHeaderLogical; body: LogicalBody; sensorInput: SensorInputLike } {\n const hdrTlvs = decodeTLVStream(hdrBytes, limits);\n const bodyTlvs = decodeTLVStream(bodyBytes, limits);\n\n const hdr = decodeAxisHeaderFromTLVs(hdrTlvs, limits);\n\n // Schema binding check\n if (hdr.schemaId !== schema.schemaId)\n throw new Error('decodeAxisRequestBinary: schemaId mismatch');\n\n // body_hash check\n const bh = sha256(bodyBytes);\n if (!Buffer.from(hdr.bodyHash).equals(bh))\n throw new Error('decodeAxisRequestBinary: body_hash mismatch');\n\n // validate + decode body\n const body = tlvsToLogicalBody(schema, bodyTlvs, limits);\n\n const sensorInput: SensorInputLike = {\n hdrTLVs: tlvsToMap(hdrTlvs),\n bodyTLVs: tlvsToMap(bodyTlvs),\n schemaId: hdr.schemaId,\n intentId: hdr.intentId,\n };\n\n return { hdr, body, sensorInput };\n}\n\n// -----------------------------\n// Example Schemas\n// -----------------------------\n\nexport const Schema3100_DeviceContext: Ats1SchemaDescriptor = {\n schemaId: 3100,\n name: 'device.context',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'deviceId', type: 'bytes', required: true, maxLen: 128 },\n { tag: 2, name: 'os', type: 'utf8', required: true, maxLen: 64 },\n { tag: 3, name: 'hw', type: 'utf8', required: true, maxLen: 64 },\n ],\n};\n\nexport const Schema2001_PasskeyLoginOptionsReq: Ats1SchemaDescriptor = {\n schemaId: 2001,\n name: 'axis.auth.passkey.login.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema4001_LoginWithDeviceReq: Ats1SchemaDescriptor = {\n schemaId: 4001,\n name: 'axis.auth.login.with_device.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'device',\n type: 'nested',\n required: true,\n nestedSchema: Schema3100_DeviceContext,\n },\n ],\n};\n","import { ATS1_HDR, ATS1_SCHEMA } from './ats1.constants';\nimport as ats1 from './ats1';\n\n/*\n Build canonical hdr for any request using ATS1 codec.\n /\nexport function buildAts1Hdr(params: {\n intentId: number;\n schemaId: number;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n tsMs?: bigint;\n nonce?: Buffer;\n bodyHash?: Buffer;\n}): Buffer {\n const hdr: ats1.AxisHeaderLogical = {\n intentId: params.intentId,\n schemaId: params.schemaId,\n actorKeyId: params.actorKeyId ?? Buffer.alloc(0),\n capsuleId: params.capsuleId,\n nonce: params.nonce ?? require('crypto').randomBytes(16),\n tsMs: params.tsMs ?? BigInt(Date.now()),\n bodyHash: params.bodyHash ?? Buffer.alloc(32),\n traceId: params.traceId,\n };\n\n const tlvs = ats1.encodeAxisHeaderToTLVs(hdr);\n return ats1.encodeTLVStreamCanonical(tlvs);\n}\n\n/\n PASSKEY: login.options.req\n * schema 2001 body:\n * - (1) username: utf8\n /\nexport function packPasskeyLoginOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n capsuleId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n capsuleId: params.capsuleId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n ats1.Schema2001_PasskeyLoginOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n Defined schemas for passkey operations\n /\nexport const Schema2021_PasskeyRegisterOptionsReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n name: 'axis.auth.passkey.register.options.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n ],\n};\n\nexport const Schema2011_PasskeyLoginVerifyReq: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n name: 'axis.auth.passkey.login.verify.req',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'username', type: 'utf8', required: true, maxLen: 128 },\n {\n tag: 2,\n name: 'credentialId',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n {\n tag: 3,\n name: 'clientDataJSON',\n type: 'bytes',\n required: true,\n maxLen: 4096,\n },\n {\n tag: 4,\n name: 'authenticatorData',\n type: 'bytes',\n required: true,\n maxLen: 1024,\n },\n { tag: 5, name: 'signature', type: 'bytes', required: true, maxLen: 1024 },\n { tag: 6, name: 'userHandle', type: 'bytes', required: false, maxLen: 128 },\n ],\n};\n\n/\n PASSKEY: register.options.req\n /\nexport function packPasskeyRegisterOptionsReq(params: {\n intentId: number;\n username: string;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(\n Schema2021_PasskeyRegisterOptionsReq,\n {\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n fields: { username: params.username },\n },\n );\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_REGISTER_OPTIONS_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyRegisterOptionsReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2021_PasskeyRegisterOptionsReq,\n tlvs,\n );\n return { username: decoded.fields.username as string };\n}\n\n/\n PASSKEY: login.verify.req\n /\nexport function packPasskeyLoginVerifyReq(params: {\n intentId: number;\n username: string;\n credentialId: Buffer;\n clientDataJSON: Buffer;\n authenticatorData: Buffer;\n signature: Buffer;\n userHandle?: Buffer;\n actorKeyId?: Buffer;\n traceId?: Buffer;\n}) {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2011_PasskeyLoginVerifyReq, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n fields: {\n username: params.username,\n credentialId: params.credentialId,\n clientDataJSON: params.clientDataJSON,\n authenticatorData: params.authenticatorData,\n signature: params.signature,\n userHandle: params.userHandle,\n },\n });\n\n const body = ats1.encodeTLVStreamCanonical(bodyTlvs);\n const bodyHash = ats1.sha256(body);\n\n const hdr = buildAts1Hdr({\n intentId: params.intentId,\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_REQ,\n actorKeyId: params.actorKeyId,\n traceId: params.traceId,\n bodyHash,\n });\n\n return { hdr, body };\n}\n\nexport function unpackPasskeyLoginVerifyReq(body: Buffer) {\n const tlvs = ats1.decodeTLVStream(body);\n const decoded = ats1.tlvsToLogicalBody(\n Schema2011_PasskeyLoginVerifyReq,\n tlvs,\n );\n const f = decoded.fields;\n\n return {\n username: f.username as string,\n credentialId: f.credentialId as Buffer,\n clientDataJSON: f.clientDataJSON as Buffer,\n authenticatorData: f.authenticatorData as Buffer,\n signature: f.signature as Buffer,\n userHandle: f.userHandle as Buffer \| undefined,\n };\n}\n\n// ========================================\n// Response Schemas\n// ========================================\n\n/\n Schema 2002: Passkey Login Options Response\n * - (1) challenge: bytes\n * - (2) timeout: uvarint (ms)\n * - (3) rpId: utf8\n * - (4) allowCredentials: bytes (nested TLV array, each item is id+type+transports)\n * - (5) userVerification: utf8\n /\nexport const Schema2002_PasskeyLoginOptionsRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n name: 'axis.auth.passkey.login.options.res',\n strict: false, // allow extra fields from WebAuthn library\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'challenge', type: 'utf8', required: true }, // base64url string\n { tag: 2, name: 'timeout', type: 'uvarint', required: false },\n { tag: 3, name: 'rpId', type: 'utf8', required: false },\n { tag: 4, name: 'userVerification', type: 'utf8', required: false },\n { tag: 5, name: 'allowCredentialsJson', type: 'utf8', required: false }, // JSON array for simplicity\n ],\n};\n\nexport function packPasskeyLoginOptionsRes(params: {\n challenge: string;\n timeout?: number;\n rpId?: string;\n userVerification?: string;\n allowCredentials?: { id: string; type: string; transports?: string[] }[];\n}): Buffer {\n const fields: Record<string, any> = {\n challenge: params.challenge,\n };\n if (params.timeout !== undefined) fields.timeout = params.timeout;\n if (params.rpId) fields.rpId = params.rpId;\n if (params.userVerification)\n fields.userVerification = params.userVerification;\n if (params.allowCredentials)\n fields.allowCredentialsJson = JSON.stringify(params.allowCredentials);\n\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2002_PasskeyLoginOptionsRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_OPTIONS_RES,\n fields,\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n\n/\n Schema 2012: Passkey Login Verify Response\n * - (1) actorId: utf8\n * - (2) keyId: utf8 (credentialId base64url)\n * - (3) capsule: bytes\n * - (4) expiresAt: u64be (ms)\n /\nexport const Schema2012_PasskeyLoginVerifyRes: ats1.Ats1SchemaDescriptor = {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n name: 'axis.auth.passkey.login.verify.res',\n strict: true,\n maxNestingDepth: 4,\n fields: [\n { tag: 1, name: 'actorId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 2, name: 'keyId', type: 'utf8', required: true, maxLen: 256 },\n { tag: 3, name: 'capsule', type: 'bytes', required: true, maxLen: 4096 },\n { tag: 4, name: 'expiresAt', type: 'u64be', required: true },\n ],\n};\n\nexport function packPasskeyLoginVerifyRes(params: {\n actorId: string;\n keyId: string;\n capsule: Buffer;\n expiresAt: bigint;\n}): Buffer {\n const bodyTlvs = ats1.logicalBodyToTLVs(Schema2012_PasskeyLoginVerifyRes, {\n schemaId: ATS1_SCHEMA.PASSKEY_LOGIN_VERIFY_RES,\n fields: {\n actorId: params.actorId,\n keyId: params.keyId,\n capsule: params.capsule,\n expiresAt: params.expiresAt,\n },\n });\n return ats1.encodeTLVStreamCanonical(bodyTlvs);\n}\n","// tlv.encode.ts\nimport { randomBytes } from 'crypto';\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('VARINT_NEG');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n\nexport function u64be(x: bigint): Buffer {\n if (x < 0n) throw new Error('U64_NEG');\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x, 0);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function bytes(b: Uint8Array \| Buffer): Buffer {\n return Buffer.isBuffer(b) ? b : Buffer.from(b);\n}\n\nexport function nonce16(): Buffer {\n return randomBytes(16);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n if (!Number.isSafeInteger(type) \|\| type < 0) throw new Error('TLV_BAD_TYPE');\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\n/\n Canonical TLV encoding:\n * - sorted by type ascending\n * - no duplicates by default\n /\nexport function buildTLVs(\n items: { type: number; value: Buffer }[],\n opts?: { allowDupTypes?: Set<number> },\n): Buffer {\n const allow = opts?.allowDupTypes ?? new Set<number>();\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type && !allow.has(sorted[i].type)) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n","// axis1.encode.ts\nimport { AXIS_MAGIC, AXIS_VERSION } from '@nextera.one/axis-protocol';\n\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from(AXIS_MAGIC);\n\nexport type Axis1FrameToEncode = {\n ver: number; // 1\n flags: number; // bit flags\n hdr: Buffer; // TLVs\n body: Buffer; // TLVs or raw payload\n sig: Buffer; // signature bytes\n};\n\nexport function encodeAxis1Frame(f: Axis1FrameToEncode): Buffer {\n if (\n !Buffer.isBuffer(f.hdr) \|\|\n !Buffer.isBuffer(f.body) \|\|\n !Buffer.isBuffer(f.sig)\n ) {\n throw new Error('AXIS1_BAD_BUFFERS');\n }\n if (f.ver !== AXIS_VERSION) throw new Error('AXIS1_BAD_VER');\n\n const hdrLen = encVarint(BigInt(f.hdr.length));\n const bodyLen = encVarint(BigInt(f.body.length));\n const sigLen = encVarint(BigInt(f.sig.length));\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([f.ver & 0xff]),\n Buffer.from([f.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLen,\n f.hdr,\n f.body,\n f.sig,\n ]);\n}\n","// axis1.signing.ts\nimport { AXIS_MAGIC, AXIS_VERSION } from '@nextera.one/axis-protocol';\n\nimport { encVarint } from './tlv.encode';\n\nconst MAGIC = Buffer.from(AXIS_MAGIC);\n\nexport function axis1SigningBytes(params: {\n ver: number;\n flags: number;\n hdr: Buffer;\n body: Buffer;\n}): Buffer {\n if (params.ver !== AXIS_VERSION) throw new Error('AXIS1_BAD_VER');\n const hdrLen = encVarint(BigInt(params.hdr.length));\n const bodyLen = encVarint(BigInt(params.body.length));\n const sigLenZero = encVarint(0n); // IMPORTANT: sigLen=0 in signing bytes\n\n return Buffer.concat([\n MAGIC,\n Buffer.from([params.ver & 0xff]),\n Buffer.from([params.flags & 0xff]),\n hdrLen,\n bodyLen,\n sigLenZero,\n params.hdr,\n params.body,\n ]);\n}\n","/\n Base64url encoding/decoding utilities\n * RFC 4648 base64url (URL-safe, no padding)\n /\n\n/\n Encode buffer to base64url string\n * @param buf - Buffer to encode\n * @returns Base64url string (no padding, URL-safe)\n /\nexport function b64urlEncode(buf: Buffer): string {\n return buf\n .toString('base64')\n .replace(/=/g, '')\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_');\n}\n\n/\n Decode base64url string to buffer\n * @param str - Base64url string\n * @returns Decoded buffer\n /\nexport function b64urlDecode(str: string): Buffer {\n // Add padding if needed\n const pad = str.length % 4 ? '='.repeat(4 - (str.length % 4)) : '';\n const base64 = (str + pad).replace(/-/g, '+').replace(/_/g, '/');\n return Buffer.from(base64, 'base64');\n}\n\n/\n Encode string to base64url\n * @param str - String to encode\n * @param encoding - String encoding (default: utf8)\n * @returns Base64url string\n /\nexport function b64urlEncodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlEncode(Buffer.from(str, encoding));\n}\n\n/\n Decode base64url string to string\n * @param str - Base64url string\n * @param encoding - String encoding (default: utf8)\n * @returns Decoded string\n /\nexport function b64urlDecodeString(\n str: string,\n encoding: BufferEncoding = 'utf8',\n): string {\n return b64urlDecode(str).toString(encoding);\n}\n","/\n Canonical JSON serialization for stable cryptographic signing\n \n Rules:\n * - Recursively sort object keys lexicographically\n * - Remove undefined values\n * - Preserve array order\n * - No whitespace in output\n * - Stable number formatting\n /\n\n/\n Recursively sort object keys and remove undefined values\n /\nfunction sortRec(value: any): any {\n if (value === null) {\n return null;\n }\n\n if (value === undefined) {\n return undefined;\n }\n\n if (Array.isArray(value)) {\n return value.map(sortRec);\n }\n\n if (typeof value === 'object') {\n const sorted: Record<string, any> = {};\n const keys = Object.keys(value).sort();\n\n for (const key of keys) {\n const sortedValue = sortRec(value[key]);\n // Skip undefined values\n if (sortedValue !== undefined) {\n sorted[key] = sortedValue;\n }\n }\n\n return sorted;\n }\n\n // Primitive types (number, string, boolean)\n return value;\n}\n\n/\n Convert value to canonical JSON string for signing\n \n @param value - Value to canonicalize\n * @returns Canonical JSON string (no whitespace, sorted keys, no undefined)\n /\nexport function canonicalJson(value: any): string {\n return JSON.stringify(sortRec(value));\n}\n\n/\n Helper to create canonical JSON for signing (excluding specific fields)\n \n @param obj - Object to canonicalize\n * @param exclude - Fields to exclude (e.g., 'sig' when signing)\n * @returns Canonical JSON string\n /\nexport function canonicalJsonExcluding(\n obj: Record<string, any>,\n exclude: string[],\n): string {\n const filtered: Record<string, any> = {};\n\n for (const key in obj) {\n if (!exclude.includes(key) && obj[key] !== undefined) {\n filtered[key] = obj[key];\n }\n }\n\n return canonicalJson(filtered);\n}\n","export class ContractViolationError extends Error {\n constructor(\n public code: string,\n message: string,\n ) {\n super(message);\n this.name = 'ContractViolationError';\n }\n}\n\nexport interface ExecutionMetrics {\n dbWrites: number;\n dbReads: number;\n externalCalls: number;\n elapsedMs: number;\n}\n\nexport class ExecutionMeter {\n private dbWrites = 0;\n private dbReads = 0;\n private externalCalls = 0;\n private startTime: number;\n private contract: any; // ExecutionContract\n\n constructor(contract: any) {\n this.contract = contract;\n this.startTime = Date.now();\n }\n\n recordDbWrite(): void {\n this.dbWrites++;\n if (this.dbWrites > this.contract.maxDbWrites) {\n throw new ContractViolationError(\n 'MAX_DB_WRITES_EXCEEDED',\n `DB writes exceeded: ${this.dbWrites}/${this.contract.maxDbWrites}`,\n );\n }\n }\n\n recordDbRead(): void {\n this.dbReads++;\n if (this.contract.maxDbReads && this.dbReads > this.contract.maxDbReads) {\n throw new ContractViolationError(\n 'MAX_DB_READS_EXCEEDED',\n `DB reads exceeded: ${this.dbReads}/${this.contract.maxDbReads}`,\n );\n }\n }\n\n recordExternalCall(): void {\n this.externalCalls++;\n if (this.externalCalls > this.contract.maxExternalCalls) {\n throw new ContractViolationError(\n 'MAX_EXTERNAL_CALLS_EXCEEDED',\n `External calls exceeded: ${this.externalCalls}/${this.contract.maxExternalCalls}`,\n );\n }\n }\n\n checkTime(): void {\n const elapsed = Date.now() - this.startTime;\n if (elapsed > this.contract.maxTimeMs) {\n throw new ContractViolationError(\n 'MAX_TIME_EXCEEDED',\n `Execution time exceeded: ${elapsed}ms/${this.contract.maxTimeMs}ms`,\n );\n }\n }\n\n validateEffect(effect: string): void {\n // Wildcard allows any effect\n if (this.contract.allowedEffects.includes('')) {\n return;\n }\n\n if (!this.contract.allowedEffects.includes(effect)) {\n throw new ContractViolationError(\n 'INVALID_EFFECT',\n `Effect '${effect}' not allowed. Allowed: ${this.contract.allowedEffects.join(', ')}`,\n );\n }\n }\n\n getMetrics(): ExecutionMetrics {\n return {\n dbWrites: this.dbWrites,\n dbReads: this.dbReads,\n externalCalls: this.externalCalls,\n elapsedMs: Date.now() - this.startTime,\n };\n }\n\n getContract() {\n return this.contract;\n }\n}\n","export interface ExecutionContract {\n maxDbWrites: number;\n maxDbReads?: number;\n maxExternalCalls: number;\n maxTimeMs: number;\n allowedEffects: string[];\n maxMemoryMb?: number;\n}\n\nexport const DEFAULT_CONTRACTS: Record<string, ExecutionContract> = {\n // System intents\n 'system.ping': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 100,\n allowedEffects: ['system.pong'],\n },\n\n // Catalog intents\n 'catalog.list': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['catalog.listed'],\n },\n 'catalog.search': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['catalog.searched'],\n },\n\n // Passport intents\n 'passport.issue': {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['passport.issued', 'passport.rejected'],\n },\n 'passport.revoke': {\n maxDbWrites: 5,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['passport.revoked', 'passport.revoke_failed'],\n },\n\n // File intents\n 'file.init': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['file.initialized'],\n },\n 'file.chunk': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: ['file.chunk.stored'],\n },\n 'file.finalize': {\n maxDbWrites: 2,\n maxExternalCalls: 0,\n maxTimeMs: 500,\n allowedEffects: ['file.finalized'],\n },\n\n // Stream intents\n 'stream.publish': {\n maxDbWrites: 1,\n maxExternalCalls: 0,\n maxTimeMs: 200,\n allowedEffects: ['stream.published'],\n },\n 'stream.read': {\n maxDbWrites: 0,\n maxExternalCalls: 0,\n maxTimeMs: 300,\n allowedEffects: ['stream.data'],\n },\n\n // Mail intents\n 'mail.send': {\n maxDbWrites: 3,\n maxExternalCalls: 1, // Email service\n maxTimeMs: 2000,\n allowedEffects: ['mail.sent', 'mail.failed'],\n },\n};\n\n// Default contract for unknown intents\nexport const FALLBACK_CONTRACT: ExecutionContract = {\n maxDbWrites: 10,\n maxExternalCalls: 0,\n maxTimeMs: 1000,\n allowedEffects: [''], // Allow any effect\n};\n","/\n Decodes a variable-length integer (Varint) from a buffer.\n * Supports up to 64-bit integers.\n \n @param {Buffer} buf - The buffer to read from\n * @param {number} off - The offset to start reading from\n * @returns {Object} The decoded bigint value and the new offset\n * @throws {Error} If the varint is malformed or exceeds 64 bits\n /\nexport function decVarint(\n buf: Buffer,\n off: number,\n): { val: bigint; off: number } {\n let shift = 0n;\n let x = 0n;\n while (true) {\n if (off >= buf.length) throw new Error('varint overflow');\n const b = BigInt(buf[off++]);\n x \|= (b & 0x7fn) << shift;\n if ((b & 0x80n) === 0n) break;\n shift += 7n;\n if (shift > 63n) throw new Error('varint too large');\n }\n return { val: x, off };\n}\n\nimport type { TLV } from '../core/tlv';\n\n/\n Parses a buffer into an array of TLV objects.\n \n @param {Buffer} buf - The buffer containing TLV-encoded data\n * @param {number} [maxItems=512] - Security limit for the number of TLVs to parse\n * @returns {TLV[]} An array of parsed TLVs\n * @throws {Error} If TLV structure is invalid or limits are exceeded\n /\nexport function parseTLVs(buf: Buffer, maxItems: number = 512): TLV[] {\n const out: TLV[] = [];\n let off = 0;\n while (off < buf.length) {\n if (out.length >= maxItems) throw new Error('TLV_TOO_MANY_ITEMS');\n const t1 = decVarint(buf, off);\n off = t1.off;\n const t2 = decVarint(buf, off);\n off = t2.off;\n const type = Number(t1.val);\n const len = Number(t2.val);\n if (len < 0 \|\| off + len > buf.length) {\n throw new Error('TLV_LEN_INVALID');\n }\n const value = buf.subarray(off, off + len);\n off += len;\n out.push({ type, value });\n }\n return out;\n}\n\n/\n Parses TLVs and organizes them into a Map for efficient access.\n * Multiple values for the same type are preserved in an array.\n \n @param {Buffer} buf - The raw TLV-encoded buffer\n * @returns {Map<number, Buffer[]>} A map of Tag -> [Values]\n /\nexport function tlvMap(buf: Buffer): Map<number, Buffer[]> {\n const m = new Map<number, Buffer[]>();\n for (const it of parseTLVs(buf)) {\n const arr = m.get(it.type) ?? [];\n arr.push(it.value as Buffer);\n m.set(it.type, arr);\n }\n return m;\n}\n\nexport function asUtf8(b?: Buffer): string \| undefined {\n if (!b) return undefined;\n return b.toString('utf8');\n}\n\nexport function asBigintVarint(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n const { val, off } = decVarint(b, 0);\n if (off !== b.length) throw new Error('VARINT_TRAILING_BYTES');\n return val;\n}\n\n/\n Parses an 8-byte big-endian buffer as a BigInt.\n * Used for timestamps which are sent as fixed 8-byte u64.\n /\nexport function asBigint64BE(b?: Buffer): bigint \| undefined {\n if (!b) return undefined;\n if (b.length !== 8) throw new Error('Expected 8 bytes for u64');\n return b.readBigUInt64BE(0);\n}\n\nexport function encVarint(x: bigint): Buffer {\n if (x < 0n) throw new Error('varint neg');\n const out: number[] = [];\n while (x >= 0x80n) {\n out.push(Number((x & 0x7fn) \| 0x80n));\n x >>= 7n;\n }\n out.push(Number(x));\n return Buffer.from(out);\n}\n\nexport function tlv(type: number, value: Buffer): Buffer {\n return Buffer.concat([\n encVarint(BigInt(type)),\n encVarint(BigInt(value.length)),\n value,\n ]);\n}\n\nexport function buildTLVs(items: { type: number; value: Buffer }[]): Buffer {\n // Canonical: sort by type ascending\n const sorted = [...items].sort((a, b) => a.type - b.type);\n\n // Canonical: forbid duplicate tags by default\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].type === sorted[i - 1].type) {\n throw new Error(`TLV_DUP_TYPE_${sorted[i].type}`);\n }\n }\n\n return Buffer.concat(sorted.map((it) => tlv(it.type, it.value)));\n}\n\nexport function u64be(x: bigint): Buffer {\n const b = Buffer.alloc(8);\n b.writeBigUInt64BE(x);\n return b;\n}\n\nexport function utf8(s: string): Buffer {\n return Buffer.from(s, 'utf8');\n}\n\nexport function varintU(x: number \| bigint): Buffer {\n const v = typeof x === 'number' ? BigInt(x) : x;\n return encVarint(v);\n}\n","import { AXIS_MAGIC } from '@nextera.one/axis-protocol';\n\nimport { decVarint } from './tlv';\n\n/\n Axis1DecodedFrame\n \n Represents a parsed AXIS v1 binary frame.\n \n @typedef {Object} Axis1DecodedFrame\n /\nexport type Axis1DecodedFrame = {\n /* Protocol version (should be 1) /\n ver: number;\n /* Frame flags for protocol extensions /\n flags: number;\n /* Raw header bytes (containing primary TLVs) /\n hdr: Buffer;\n /* Raw body bytes (the main payload) /\n body: Buffer;\n /* Cryptographic signature bytes /\n sig: Buffer;\n /* Total original size of the frame in bytes /\n frameSize: number;\n};\n\nconst MAGIC = Buffer.from(AXIS_MAGIC);\n\n/\n Decodes a raw binary buffer into a structured Axis1DecodedFrame.\n * Implements the AXIS v1 wire format specification.\n \n Binary Structure (canonical):\n * 1. Magic: 'AXIS1' (5 bytes)\n * 2. Version: (1 byte)\n * 3. Flags: (1 byte)\n * 4. HDR_LEN: Varint\n * 5. BODY_LEN: Varint\n * 6. SIG_LEN: Varint\n * 7. HDR: (HDR_LEN bytes)\n * 8. BODY: (BODY_LEN bytes)\n * 9. SIG: (SIG_LEN bytes)\n \n @param {Buffer} buf - Raw bytes from the wire\n * @returns {Axis1DecodedFrame} Parsed frame object\n * @throws {Error} If magic is invalid, frame is truncated, or lengths are inconsistent\n /\nexport function decodeAxis1Frame(buf: Buffer): Axis1DecodedFrame {\n let off = 0;\n\n const magic = buf.subarray(off, off + 5);\n off += 5;\n if (magic.length !== 5 \|\| !magic.equals(MAGIC))\n throw new Error('AXIS1_BAD_MAGIC');\n\n if (off + 2 > buf.length) throw new Error('AXIS1_TRUNCATED');\n const ver = buf[off++];\n const flags = buf[off++];\n\n // Read all three lengths first (canonical order: hdrLen, bodyLen, sigLen)\n const h1 = decVarint(buf, off);\n off = h1.off;\n const b1 = decVarint(buf, off);\n off = b1.off;\n const s1 = decVarint(buf, off);\n off = s1.off;\n\n const hdrLen = Number(h1.val);\n const bodyLen = Number(b1.val);\n const sigLen = Number(s1.val);\n\n if (hdrLen < 0 \|\| bodyLen < 0 \|\| sigLen < 0) throw new Error('AXIS1_LEN_NEG');\n\n if (off + hdrLen + bodyLen + sigLen > buf.length)\n throw new Error('AXIS1_TRUNCATED_PAYLOAD');\n\n // Then read payloads in order: HDR, BODY, SIG\n const hdr = buf.subarray(off, off + hdrLen);\n off += hdrLen;\n const body = buf.subarray(off, off + bodyLen);\n off += bodyLen;\n const sig = buf.subarray(off, off + sigLen);\n off += sigLen;\n\n if (off !== buf.length) throw new Error('AXIS1_TRAILING_BYTES');\n\n return { ver, flags, hdr, body, sig, frameSize: buf.length };\n}\n","import {\n TLV_ACTOR_ID,\n TLV_INTENT,\n TLV_NONCE,\n TLV_PID,\n TLV_PROOF_REF,\n TLV_PROOF_TYPE,\n TLV_TS,\n} from '../core/constants';\nimport { asBigint64BE, asBigintVarint, asUtf8, tlvMap } from './tlv';\n\n/\n AXIS TLV Tag Definitions (as per specification)\n /\nexport const T = {\n /* The specific intent or action (e.g., 'vault.create') /\n INTENT: TLV_INTENT,\n /* Package identifier / ID /\n PID: TLV_PID,\n /* Versioning of the intent schema /\n INTENT_VERSION: 10, // Defaulting to TRACE_ID for now or a new tag if available\n /* Unique identifier for the requesting actor /\n ACTOR_ID: TLV_ACTOR_ID,\n /* Optional Capability Token identifier (16 bytes) /\n CAPSULE_ID: TLV_PROOF_REF,\n /* Unique session/request identifier (16 bytes) /\n NONCE: TLV_NONCE,\n /* High-precision Unix timestamp in milliseconds /\n TS_MS: TLV_TS,\n /* Proof type /\n PROOF_TYPE: TLV_PROOF_TYPE,\n /* Standard binary body tag /\n BODY: 100,\n /* Standard JSON-encoded body tag /\n JSON: 200,\n};\n\n/\n AxisPacket\n \n A high-level representation of an AXIS message after TLV decoding.\n * Combines header metadata with the raw body and signature.\n \n @typedef {Object} AxisPacket\n /\nexport type AxisPacket = {\n /* The intent string /\n intent: string;\n /* Intent schema version /\n intentVersion: number;\n /* Actor identifier /\n actorId: string;\n /* Optional binary Capsule ID /\n capsuleId?: Buffer;\n /* Packet identifier /\n pid: Buffer;\n /* Random nonce for replay protection /\n nonce: Buffer;\n /* Request timestamp /\n tsMs: bigint;\n /* Decoded header TLV map /\n headersMap: Map<number, Buffer[]>;\n /* Decoded body TLV map (if body contains TLVs) /\n bodyMap: Map<number, Buffer[]>;\n /* Original raw header bytes /\n hdrBytes: Buffer;\n /* Original raw body bytes /\n bodyBytes: Buffer;\n /* Cryptographic signature of the frame /\n sig: Buffer;\n};\n\n/\n Constructs a structured AxisPacket from raw header, body, and signature buffers.\n * Performs rigorous validation on mandatory AXIS fields.\n \n @param {Buffer} hdr - Raw header bytes containing the primary TLVs\n * @param {Buffer} body - Raw body bytes\n * @param {Buffer} sig - Signature bytes for the frame\n * @param {number} [flags=0] - Frame flags (bit 0 = BODY_IS_TLV)\n * @returns {AxisPacket} A fully validated AxisPacket object\n * @throws {Error} If mandatory fields (intent, version, actor, nonce, ts) are missing or malformed\n /\nexport function buildPacket(\n hdr: Buffer,\n body: Buffer,\n sig: Buffer,\n flags: number = 0,\n): AxisPacket {\n const hm = tlvMap(hdr);\n\n // Only parse body as TLV if BODY_IS_TLV flag is set (bit 0)\n const BODY_IS_TLV = 0x01;\n const bm = flags & BODY_IS_TLV ? tlvMap(body) : new Map<number, Buffer[]>();\n\n const intent = asUtf8(hm.get(T.INTENT)?.[0]);\n const intentVerRaw = hm.get(T.INTENT_VERSION)?.[0];\n const intentVer = intentVerRaw ? Number(asBigintVarint(intentVerRaw)) : 1;\n const actorIdRaw = hm.get(T.ACTOR_ID)?.[0];\n const actorId = actorIdRaw ? actorIdRaw.toString('hex') : undefined;\n const capsuleId = hm.get(T.CAPSULE_ID)?.[0];\n const pid = hm.get(T.PID)?.[0] \|\| hm.get(T.NONCE)?.[0]; // Fallback to nonce if pid missing\n const nonce = hm.get(T.NONCE)?.[0];\n const tsMs = asBigint64BE(hm.get(T.TS_MS)?.[0]);\n\n if (!intent) throw new Error('PACKET_MISSING_INTENT');\n if (!actorId) throw new Error('PACKET_MISSING_ACTOR_ID');\n if (!nonce \|\| nonce.length < 16 \|\| nonce.length > 32)\n throw new Error('PACKET_BAD_NONCE');\n if (!pid) throw new Error('PACKET_MISSING_PID');\n if (!tsMs) throw new Error('PACKET_MISSING_TS');\n\n return {\n intent,\n intentVersion: intentVer,\n actorId,\n capsuleId,\n pid,\n nonce,\n tsMs,\n headersMap: hm,\n bodyMap: bm,\n hdrBytes: hdr,\n bodyBytes: body,\n sig,\n };\n}\n","/\n AXIS Capability Model\n * Maps proof types to capabilities and intents to requirements.\n /\nimport { PROOF_CAPSULE, PROOF_JWT, PROOF_LOOM, PROOF_MTLS, PROOF_NONE, PROOF_WITNESS } from '../core/constants';\n\n/\n Available capabilities in the AXIS system.\n * Each represents a distinct permission level.\n /\nexport const CAPABILITIES = {\n read: 'read',\n write: 'write',\n execute: 'execute',\n admin: 'admin',\n sign: 'sign',\n witness: 'witness',\n} as const;\n\nexport type Capability = keyof typeof CAPABILITIES;\n\n/\n Maps proof type codes to granted capabilities.\n /\nexport const PROOF_CAPABILITIES: Record<number, Capability[]> = {\n [PROOF_NONE]: [],\n [PROOF_CAPSULE]: ['read', 'write', 'execute'],\n [PROOF_JWT]: ['read'],\n [PROOF_MTLS]: ['read', 'write', 'admin'],\n [PROOF_LOOM]: ['read', 'write', 'execute'],\n [PROOF_WITNESS]: ['read', 'write', 'execute', 'witness'],\n};\n\n/\n Maps intent patterns to required capabilities.\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_REQUIREMENTS: Record<string, Capability[]> = {\n 'public.': [],\n 'schema.': [],\n 'catalog.': [],\n 'health.': [],\n 'system.': [],\n\n 'file.upload': ['write'],\n 'file.download': ['read'],\n 'file.delete': ['write', 'admin'],\n\n 'passport.issue': ['write', 'execute'],\n 'passport.revoke': ['write', 'witness'],\n\n 'stream.publish': ['write'],\n 'stream.subscribe': ['read'],\n\n // NestFlow intents\n 'auth.web.login.': ['execute'],\n 'tickauth.challenge.': ['execute'],\n 'capsule.issue.': ['write', 'execute'],\n 'session.': ['execute'],\n 'device.list': ['read'],\n 'device.rename': ['write'],\n 'device.trust.': ['write', 'execute'],\n 'device.revoke': ['write', 'execute'],\n 'identity.': ['admin', 'execute'],\n 'primary.device.': ['admin', 'execute'],\n 'secret.rotate': ['admin'],\n 'org.security.': ['admin'],\n 'production.execution.': ['admin', 'execute'],\n\n 'admin.': ['admin'],\n};\n","import type { SensorInput } from \"../sensor/axis-sensor\";\n\nexport type AxisLawDecision = \"allow\" \| \"deny\" \| \"conditional\";\n\nexport interface AxisLawArticleSummary {\n article_id: string;\n article_type?: string;\n decision?: string;\n reason?: string;\n}\n\nexport interface AxisLawEvaluationContext {\n actorId?: string;\n intent?: string;\n audience?: string;\n tps?: string \| number;\n country?: string;\n ip?: string;\n path?: string;\n clientId?: string;\n deviceId?: string;\n sessionId?: string;\n capsuleId?: string;\n metadata: Record<string, unknown>;\n packet?: Record<string, unknown>;\n frameBody?: unknown;\n}\n\nexport interface AxisLawEvaluationResult {\n decision: AxisLawDecision;\n reason: string;\n explanation?: string;\n denied?: AxisLawArticleSummary[];\n permitted?: AxisLawArticleSummary[];\n required?: AxisLawArticleSummary[];\n applicable?: AxisLawArticleSummary[];\n metadata?: Record<string, unknown>;\n}\n\nexport type AxisLawEvaluator =\n \| ((\n context: AxisLawEvaluationContext,\n ) => AxisLawEvaluationResult \| Promise<AxisLawEvaluationResult>);\n\nexport interface LawEvaluationSensorOptions {\n evaluator?: AxisLawEvaluator;\n conditionalDecision?: \"deny\" \| \"flag\" \| \"allow\";\n}\n\nexport function buildAxisLawEvaluationContext(\n input: SensorInput,\n): AxisLawEvaluationContext {\n const metadata = (input.metadata ?? {}) as Record<string, unknown>;\n const packet = input.packet as Record<string, unknown> \| undefined;\n const packetBody =\n input.frameBody ??\n (packet?.body as unknown) ??\n (packet?.args as unknown) ??\n undefined;\n const capsuleId =\n (metadata.capsule_id as string \| undefined) ??\n (metadata.capsuleId as string \| undefined) ??\n (packet?.capsuleId as string \| undefined) ??\n (input.clientId as string \| undefined);\n const audience =\n (input.aud as string \| undefined) ??\n (metadata.audience as string \| undefined) ??\n (packet?.aud as string \| undefined);\n const tps =\n (metadata.tps as string \| number \| undefined) ??\n (packet?.tps as string \| number \| undefined) ??\n (packet?.tickTps as string \| number \| undefined);\n\n return {\n actorId: input.actorId,\n intent: input.intent,\n audience,\n tps,\n country: input.country,\n ip: input.ip,\n path: input.path,\n clientId: input.clientId,\n deviceId: input.deviceId,\n sessionId: input.sessionId,\n capsuleId,\n metadata,\n packet,\n frameBody: packetBody,\n };\n}\n","export from \"./law.types\";\n","/*\n AXIS Risk Signal Types\n \n Protocol-level types for risk evaluation and signalling.\n * Used by sensors, risk gates, and anomaly detectors.\n /\n\n/\n A discrete risk signal emitted by a detector or sensor.\n * Signals are aggregated by the risk gate to produce a final RiskEvaluation.\n /\nexport interface RiskSignal {\n type: string;\n severity: 'low' \| 'medium' \| 'high' \| 'critical';\n value: any;\n message: string;\n}\n\n/\n Granular risk gate decision outcomes.\n * More expressive than a binary ALLOW/DENY — covers step-up and witness flows.\n /\nexport enum RiskDecision {\n ALLOW = 'ALLOW',\n THROTTLE = 'THROTTLE',\n STEP_UP = 'STEP_UP',\n WITNESS = 'WITNESS',\n DENY = 'DENY',\n}\n\n/\n The result of a risk gate evaluation over a set of signals.\n /\nexport interface RiskEvaluation {\n decision: RiskDecision;\n reason?: string;\n retryAfterMs?: number;\n /* Confidence score in range [0, 1]. /\n confidence: number;\n signals: RiskSignal[];\n}\n","/\n AXIS Opcode Registry\n * Central registry of all allowed opcodes.\n * Unknown opcodes are rejected by default (no shadow endpoints).\n /\n\nexport const AXIS_OPCODES = new Set([\n 'CAPSULE.ISSUE',\n 'CAPSULE.BATCH',\n 'CAPSULE.REVOKE',\n 'INTENT.EXEC',\n 'ACTOR.KEY.ROTATE',\n 'ACTOR.KEY.REVOKE',\n 'ISSUER.KEY.ROTATE',\n // NestFlow opcodes\n 'AUTH.WEB.LOGIN',\n 'AUTH.WEB.SCAN',\n 'TICKAUTH.CREATE',\n 'TICKAUTH.FULFILL',\n 'TICKAUTH.REJECT',\n 'SESSION.ACTIVATE',\n 'SESSION.REFRESH',\n 'SESSION.LOGOUT',\n 'DEVICE.TRUST',\n 'DEVICE.PROMOTE',\n 'DEVICE.REVOKE',\n 'DEVICE.LIST',\n 'DEVICE.RENAME',\n 'IDENTITY.RECOVERY',\n 'IDENTITY.LOCK',\n]);\n\nexport function isKnownOpcode(op: string): boolean {\n return AXIS_OPCODES.has(op);\n}\n\n/\n Returns true if the opcode requires elevated permissions.\n /\nexport function isAdminOpcode(op: string): boolean {\n return (\n op.startsWith('ACTOR.KEY.') \|\|\n op.startsWith('ISSUER.KEY.') \|\|\n op.startsWith('IDENTITY.')\n );\n}\n","/\n AXIS Receipt Hash Construction\n * Canonical receipt chain hash — protocol invariant.\n * Any compliant implementation must produce identical hashes.\n /\nimport { createHash } from 'crypto';\n\n/* Canonical receipt effect types /\nexport type ReceiptEffect = 'ALLOW' \| 'DENY' \| 'ERROR';\n\n/\n Builds the canonical SHA-256 hash for a receipt in the chain.\n \n Field order (protocol-defined):\n * prevHash? \| pid \| actorId (utf8) \| intent (utf8) \| effect (utf8) \| ts (utf8 string)\n \n @param prevHash Previous receipt hash (null for first receipt)\n * @param pid Process/packet ID (raw bytes)\n * @param actorId Actor identifier (string)\n * @param intent Intent name (string)\n * @param effect Execution effect ('ALLOW' \| 'DENY' \| 'ERROR')\n * @param ts Timestamp as bigint (milliseconds since epoch)\n * @returns 32-byte SHA-256 hash\n /\nexport function buildReceiptHash(\n prevHash: Buffer \| null,\n pid: Buffer,\n actorId: string,\n intent: string,\n effect: ReceiptEffect,\n ts: bigint,\n): Buffer {\n const h = createHash('sha256');\n if (prevHash) h.update(prevHash);\n h.update(pid);\n h.update(Buffer.from(actorId, 'utf8'));\n h.update(Buffer.from(intent, 'utf8'));\n h.update(Buffer.from(effect, 'utf8'));\n h.update(Buffer.from(ts.toString(), 'utf8'));\n return h.digest();\n}\n","/\n AXIS Intent Sensitivity Classification\n * Protocol-level risk classification for intents.\n /\n\nexport enum IntentSensitivity {\n LOW = 1,\n MEDIUM = 2,\n HIGH = 3,\n CRITICAL = 4,\n}\n\n/\n Maps known intents to their sensitivity level.\n /\nexport const INTENT_SENSITIVITY_MAP: Record<string, IntentSensitivity> = {\n // System intents\n 'system.ping': IntentSensitivity.LOW,\n\n // Catalog intents\n 'catalog.list': IntentSensitivity.LOW,\n 'catalog.search': IntentSensitivity.LOW,\n 'catalog.intent.describe': IntentSensitivity.LOW,\n 'catalog.intent.complete': IntentSensitivity.LOW,\n\n // Stream intents\n 'stream.publish': IntentSensitivity.MEDIUM,\n 'stream.read': IntentSensitivity.MEDIUM,\n 'stream.subscribe': IntentSensitivity.MEDIUM,\n\n // File intents\n 'file.init': IntentSensitivity.MEDIUM,\n 'file.chunk': IntentSensitivity.MEDIUM,\n 'file.finalize': IntentSensitivity.MEDIUM,\n 'file.status': IntentSensitivity.LOW,\n\n // Passport intents\n 'passport.issue': IntentSensitivity.HIGH,\n 'passport.verify': IntentSensitivity.MEDIUM,\n 'passport.revoke': IntentSensitivity.CRITICAL,\n\n // Mail intents\n 'mail.send': IntentSensitivity.HIGH,\n\n // Admin intents\n 'admin.create_capsule': IntentSensitivity.CRITICAL,\n 'admin.revoke_capsule': IntentSensitivity.CRITICAL,\n 'admin.issue_node_cert': IntentSensitivity.CRITICAL,\n\n // NestFlow: Auth\n 'auth.web.login.request': IntentSensitivity.MEDIUM,\n 'auth.web.login.scan': IntentSensitivity.HIGH,\n\n // NestFlow: TickAuth\n 'tickauth.challenge.create': IntentSensitivity.MEDIUM,\n 'tickauth.challenge.fulfill': IntentSensitivity.HIGH,\n 'tickauth.challenge.reject': IntentSensitivity.MEDIUM,\n\n // NestFlow: Capsule issuance\n 'capsule.issue.login': IntentSensitivity.HIGH,\n 'capsule.issue.device_registration': IntentSensitivity.HIGH,\n 'capsule.issue.step_up': IntentSensitivity.HIGH,\n 'capsule.issue.recovery': IntentSensitivity.CRITICAL,\n\n // NestFlow: Session\n 'session.activate': IntentSensitivity.HIGH,\n 'session.refresh': IntentSensitivity.MEDIUM,\n 'session.logout': IntentSensitivity.LOW,\n\n // NestFlow: Device trust\n 'device.trust.request': IntentSensitivity.HIGH,\n 'device.trust.promote': IntentSensitivity.CRITICAL,\n 'device.revoke': IntentSensitivity.CRITICAL,\n 'device.list': IntentSensitivity.LOW,\n 'device.rename': IntentSensitivity.LOW,\n\n // NestFlow: Protected operations\n 'flow.publish': IntentSensitivity.MEDIUM,\n 'flow.delete': IntentSensitivity.HIGH,\n 'node.delete': IntentSensitivity.CRITICAL,\n 'secret.rotate': IntentSensitivity.CRITICAL,\n 'org.security.update': IntentSensitivity.CRITICAL,\n 'production.execution.approve': IntentSensitivity.CRITICAL,\n\n // NestFlow: Recovery\n 'identity.recovery.start': IntentSensitivity.CRITICAL,\n 'identity.recovery.complete': IntentSensitivity.CRITICAL,\n 'primary.device.rotate': IntentSensitivity.CRITICAL,\n 'identity.lock': IntentSensitivity.CRITICAL,\n 'identity.unlock': IntentSensitivity.CRITICAL,\n};\n\n/\n Classifies an intent's sensitivity level.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix wildcard match (realm.)\n 3. Default to MEDIUM\n /\nexport function classifyIntent(intent: string): IntentSensitivity {\n if (INTENT_SENSITIVITY_MAP[intent]) {\n return INTENT_SENSITIVITY_MAP[intent];\n }\n\n const realm = intent.split('.')[0];\n const wildcardKey = `${realm}.`;\n if (INTENT_SENSITIVITY_MAP[wildcardKey]) {\n return INTENT_SENSITIVITY_MAP[wildcardKey];\n }\n\n return IntentSensitivity.MEDIUM;\n}\n\n/*\n Returns the string name for a sensitivity level.\n /\nexport function sensitivityName(level: IntentSensitivity): string {\n switch (level) {\n case IntentSensitivity.LOW:\n return 'LOW';\n case IntentSensitivity.MEDIUM:\n return 'MEDIUM';\n case IntentSensitivity.HIGH:\n return 'HIGH';\n case IntentSensitivity.CRITICAL:\n return 'CRITICAL';\n }\n}\n","/\n AXIS Intent Timeout Configuration\n * Protocol-level per-intent execution time limits.\n /\n\n/\n Per-intent timeout configuration (milliseconds).\n * Patterns ending with '.' match any intent with that prefix.\n /\nexport const INTENT_TIMEOUTS: Record<string, number> = {\n 'public.': 5000,\n 'schema.': 5000,\n 'catalog.': 5000,\n 'health.': 2000,\n\n 'file.upload': 60000,\n 'file.download': 60000,\n 'file.chunk': 30000,\n 'file.finalize': 30000,\n\n 'stream.': 30000,\n\n 'passport.': 15000,\n\n 'admin.': 30000,\n};\n\n/* Default timeout for unspecified intents /\nexport const DEFAULT_TIMEOUT = 10000;\n\n/\n Resolves the timeout for a given intent.\n \n Lookup strategy:\n * 1. Exact intent match\n * 2. Prefix pattern match (e.g. 'file.')\n 3. DEFAULT_TIMEOUT\n /\nexport function resolveTimeout(intent: string): number {\n if (INTENT_TIMEOUTS[intent]) {\n return INTENT_TIMEOUTS[intent];\n }\n\n for (const [pattern, timeout] of Object.entries(INTENT_TIMEOUTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1);\n if (intent.startsWith(prefix)) {\n return timeout;\n }\n }\n }\n\n return DEFAULT_TIMEOUT;\n}\n","/*\n AXIS Frame Shape Validator\n * Validates structural integrity of AXIS frames before cryptographic verification.\n /\n\n/\n Validates that a value has the structural shape of an AXIS Frame.\n * Checks version, required string fields, timestamp, signature envelope, and body.\n \n Note: This validates the JSON-level frame shape (v1 packet format).\n * For binary frame validation, use decodeFrame() which throws on malformed input.\n /\nexport function validateFrameShape(frame: any): boolean {\n if (!frame \|\| typeof frame !== 'object') {\n return false;\n }\n\n if (frame.v !== 1) {\n return false;\n }\n\n const requiredStrings = ['pid', 'nonce', 'actorId', 'opcode'];\n for (const key of requiredStrings) {\n if (typeof frame[key] !== 'string' \|\| frame[key].length < 6) {\n return false;\n }\n }\n\n if (typeof frame.ts !== 'number' \|\| !Number.isFinite(frame.ts)) {\n return false;\n }\n\n if (\n frame.aud !== undefined &&\n (typeof frame.aud !== 'string' \|\| frame.aud.length === 0)\n ) {\n return false;\n }\n\n if (!frame.sig \|\| typeof frame.sig !== 'object') {\n return false;\n }\n\n if (frame.sig.alg !== 'EdDSA') {\n return false;\n }\n\n if (typeof frame.sig.kid !== 'string' \|\| frame.sig.kid.length < 8) {\n return false;\n }\n\n if (typeof frame.sig.value !== 'string' \|\| frame.sig.value.length < 32) {\n return false;\n }\n\n if (typeof frame.body !== 'object' \|\| frame.body === null) {\n return false;\n }\n\n return true;\n}\n\n/\n Validates timestamp is within acceptable skew window.\n /\nexport function isTimestampValid(\n ts: number,\n skewSeconds: number = 120,\n): boolean {\n const now = Math.floor(Date.now() / 1000);\n const diff = Math.abs(now - ts);\n return diff <= skewSeconds;\n}\n","export const AXIS_UPLOAD_SESSION_STORE = 'AXIS_UPLOAD_SESSION_STORE';\nexport const AXIS_UPLOAD_FILE_STORE = 'AXIS_UPLOAD_FILE_STORE';\nexport const AXIS_UPLOAD_RECEIPT_SIGNER = 'AXIS_UPLOAD_RECEIPT_SIGNER';\n","export type UploadSessionStatus =\n \| 'ACTIVE'\n \| 'FINALIZING'\n \| 'COMPLETE'\n \| 'ABORTED';\n\nexport interface UploadSessionRecord {\n id?: string;\n fileId: string;\n filename?: string;\n status: UploadSessionStatus \| string;\n totalSize?: number;\n chunkSize?: number;\n totalChunks?: number;\n receivedBitmap?: Uint8Array \| Buffer \| null;\n hashState?: Uint8Array \| Buffer \| null;\n mimeType?: string \| null;\n version?: number;\n}\n\nexport interface UploadSessionStore {\n findByFileId(fileId: string): Promise<UploadSessionRecord \| null>;\n updateStatus(\n fileId: string,\n status: UploadSessionStatus,\n hashState?: Uint8Array \| Buffer \| null,\n ): Promise<void>;\n}\n\nexport interface UploadReceiptSigner {\n signActive(message: Uint8Array): { kid: string; sig: Uint8Array };\n}\n\nexport interface UploadFileStat {\n path: string;\n size: number;\n}\n\nexport interface UploadFileStore {\n getFinalPath(fileId: string, filename?: string): string;\n getTempPath(fileId: string): string;\n statFinal(fileId: string, filename?: string): Promise<UploadFileStat>;\n readFinalRange(\n fileId: string,\n filename: string \| undefined,\n start: number,\n length: number,\n ): Promise<Buffer>;\n hasTemp(fileId: string): Promise<boolean>;\n moveTempToFinal(fileId: string, filename?: string): Promise<string>;\n createTempReadStream(fileId: string): NodeJS.ReadableStream;\n}\n","import { Inject, Injectable, Logger, Optional } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { AxisFrame, encodeFrame, getSignTarget } from '../core/axis-bin';\nimport { decodeVarint, encodeVarint } from '../core/varint';\nimport { Handler } from '../decorators/handler.decorator';\nimport { Intent } from '../decorators/intent.decorator';\nimport { AxisHandler } from '../interfaces/axis-handler.interface';\nimport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from './upload.tokens';\nimport {\n UploadFileStore,\n UploadReceiptSigner,\n UploadSessionStore,\n} from './upload.types';\n\n@Handler('axis.files.download')\n@Injectable()\nexport class AxisFilesDownloadHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesDownloadHandler.name);\n\n readonly name = 'axis.files.download';\n readonly open = true;\n readonly description = 'File download handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n ) {}\n\n @Intent('file.download', { absolute: true, kind: 'read' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const h = headers;\n if (!h) throw new Error('MISSING_HEADERS');\n\n const uploadIdBytes = h.get(20);\n if (!uploadIdBytes) throw new Error('MISSING_UPLOAD_ID');\n const uploadId = new TextDecoder().decode(uploadIdBytes);\n\n let rangeStart = 0;\n let rangeLen = -1;\n\n const startBytes = h.get(21);\n if (startBytes) {\n const { value } = decodeVarint(startBytes);\n rangeStart = value;\n }\n\n const lenBytes = h.get(22);\n if (lenBytes) {\n const { value } = decodeVarint(lenBytes);\n rangeLen = value;\n }\n\n const session = await this.sessions.findByFileId(uploadId);\n if (!session) {\n throw new Error(`SESSION_NOT_FOUND: ${uploadId}`);\n }\n\n if (session.status !== 'COMPLETE') {\n throw new Error(`FILE_NOT_READY: Status is ${session.status}`);\n }\n\n const stat = await this.files.statFinal(\n uploadId,\n session.filename,\n );\n const fileSize = stat.size;\n\n if (rangeStart < 0) rangeStart = 0;\n if (rangeStart >= fileSize) throw new Error('RANGE_OUT_OF_BOUNDS');\n\n let end = fileSize;\n if (rangeLen >= 0) {\n end = Math.min(rangeStart + rangeLen, fileSize);\n }\n\n const actualLen = end - rangeStart;\n const buffer = await this.files.readFinalRange(\n uploadId,\n session.filename,\n rangeStart,\n actualLen,\n );\n\n const responseHeaders = new Map<number, Uint8Array>();\n responseHeaders.set(30, encodeVarint(fileSize));\n responseHeaders.set(31, encodeVarint(rangeStart));\n responseHeaders.set(32, encodeVarint(actualLen));\n\n return {\n ok: true,\n effect: 'FILE_PART',\n body: buffer,\n headers: responseHeaders,\n };\n }\n}\n\n@Handler('axis.files.finalize')\n@Injectable()\nexport class AxisFilesFinalizeHandler implements AxisHandler {\n private readonly logger = new Logger(AxisFilesFinalizeHandler.name);\n\n readonly name = 'axis.files.finalize';\n readonly open = false;\n readonly description = 'File upload finalization handler';\n\n constructor(\n @Inject(AXIS_UPLOAD_SESSION_STORE)\n private readonly sessions: UploadSessionStore,\n @Inject(AXIS_UPLOAD_FILE_STORE)\n private readonly files: UploadFileStore,\n @Optional()\n @Inject(AXIS_UPLOAD_RECEIPT_SIGNER)\n private readonly keyring?: UploadReceiptSigner,\n ) {}\n\n @Intent('file.finalize', { absolute: true, kind: 'action' })\n async execute(\n body: Uint8Array,\n headers?: Map<number, Uint8Array>,\n ): Promise<any> {\n const bodyStr = new TextDecoder().decode(body);\n const req = JSON.parse(bodyStr);\n\n const { fileId, expectedHash } = req;\n if (!fileId) throw new Error('MISSING_FILE_ID');\n\n const session = await this.sessions.findByFileId(fileId);\n if (!session) throw new Error('SESSION_NOT_FOUND');\n\n if (!(await this.files.hasTemp(fileId))) {\n throw new Error('CHUNKS_NOT_FOUND');\n }\n\n const hash = crypto.createHash('sha256');\n const rs = this.files.createTempReadStream(fileId);\n for await (const chunk of rs) {\n hash.update(chunk as Buffer);\n }\n const finalHash = hash.digest('hex');\n\n if (expectedHash && finalHash !== expectedHash) {\n throw new Error('HASH_MISMATCH');\n }\n\n const finalPath = await this.files.moveTempToFinal(\n fileId,\n session.filename,\n );\n\n await this.sessions.updateStatus(fileId, 'COMPLETE', null);\n\n if (!this.keyring) {\n this.logger.warn('Receipt signer not configured; returning unsigned receipt');\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n body: new TextEncoder().encode(\n JSON.stringify({\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n path: finalPath,\n }),\n ),\n };\n }\n\n const receiptData = {\n uploadId: fileId,\n sha256_final: finalHash,\n totalSize: session.totalSize,\n tsMs: Date.now(),\n };\n\n const receiptJson = JSON.stringify(receiptData);\n const receiptBody = new TextEncoder().encode(receiptJson);\n\n const SIG_PRESENT = 0x01;\n const responseFrame: AxisFrame = {\n flags: SIG_PRESENT,\n headers: new Map(),\n body: receiptBody,\n sig: new Uint8Array(0),\n };\n\n const signTarget = getSignTarget(responseFrame);\n const { sig, kid } = this.keyring.signActive(signTarget);\n responseFrame.sig = sig;\n\n return {\n ok: true,\n effect: 'FILE_FINALIZED',\n data: encodeFrame(responseFrame),\n headers: new Map([[1, new TextEncoder().encode(kid)]]),\n };\n }\n}\n","import * as fs from 'fs';\nimport * as path from 'path';\n\nimport { UploadFileStat, UploadFileStore } from './upload.types';\n\nexport interface DiskUploadFileStoreOptions {\n uploadDir: string;\n chunkDir: string;\n}\n\nexport class DiskUploadFileStore implements UploadFileStore {\n private readonly uploadDir: string;\n private readonly chunkDir: string;\n\n constructor(options: DiskUploadFileStoreOptions) {\n this.uploadDir = options.uploadDir;\n this.chunkDir = options.chunkDir;\n }\n\n getFinalPath(fileId: string, filename?: string): string {\n const safeFilename = filename ? path.basename(filename) : fileId;\n return path.join(this.uploadDir, safeFilename);\n }\n\n getTempPath(fileId: string): string {\n const safeId = path.basename(fileId);\n return path.join(this.chunkDir, safeId);\n }\n\n async statFinal(\n fileId: string,\n filename?: string,\n ): Promise<UploadFileStat> {\n const finalPath = this.getFinalPath(fileId, filename);\n if (!fs.existsSync(finalPath)) {\n throw new Error('FILE_MISSING_ON_DISK');\n }\n const stat = fs.statSync(finalPath);\n return { path: finalPath, size: stat.size };\n }\n\n async readFinalRange(\n fileId: string,\n filename: string \| undefined,\n start: number,\n length: number,\n ): Promise<Buffer> {\n const finalPath = this.getFinalPath(fileId, filename);\n const buffer = Buffer.alloc(length);\n const fd = fs.openSync(finalPath, 'r');\n try {\n fs.readSync(fd, buffer, 0, length, start);\n } finally {\n fs.closeSync(fd);\n }\n return buffer;\n }\n\n async hasTemp(fileId: string): Promise<boolean> {\n const tempPath = this.getTempPath(fileId);\n return fs.existsSync(tempPath);\n }\n\n async moveTempToFinal(\n fileId: string,\n filename?: string,\n ): Promise<string> {\n const tempPath = this.getTempPath(fileId);\n const finalPath = this.getFinalPath(fileId, filename);\n\n try {\n await fs.promises.rename(tempPath, finalPath);\n } catch {\n await fs.promises.copyFile(tempPath, finalPath);\n await fs.promises.unlink(tempPath);\n }\n\n return finalPath;\n }\n\n createTempReadStream(fileId: string): NodeJS.ReadableStream {\n const tempPath = this.getTempPath(fileId);\n return fs.createReadStream(tempPath);\n }\n}\n","import { createParamDecorator, ExecutionContext } from '@nestjs/common';\nimport { Request } from 'express';\nimport type { AxisDecoded } from '../engine/axis-decoded';\n\n/*\n Shape of the AXIS-specific data attached to the request by AxisSensorsMiddleware.\n /\nexport interface AxisRequestData {\n /* Raw binary frame body (full buffer after streaming) /\n raw: Buffer;\n /* Resolved client IP address /\n ip: string \| undefined;\n /* Pre-decode sensor context (risk score, metadata) /\n preDecodeInput: any;\n /* Total frame bytes received /\n frameBytesCount: number;\n}\n\n/\n Resolves the client IP from request headers, respecting common proxy headers.\n /\nfunction resolveIp(req: Request): string \| undefined {\n return (\n (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() \|\|\n (req.headers['x-real-ip'] as string) \|\|\n req.socket.remoteAddress \|\|\n undefined\n );\n}\n\n/\n @AxisRaw() — Extracts the raw binary Buffer from an AXIS request.\n \n Equivalent to NestJS `@Body()` but for the AXIS binary protocol.\n * The buffer has already passed streaming validation (magic bytes, size limits)\n * via AxisSensorsMiddleware before reaching the controller.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisRaw() raw: Buffer) {\n * return this.axis.process(raw, { ... });\n * }\n * ```\n /\nexport const AxisRaw = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): Buffer => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.body as Buffer;\n },\n);\n\n/\n @AxisIp() — Extracts the resolved client IP address.\n \n Checks `x-forwarded-for`, `x-real-ip`, and `socket.remoteAddress` in order.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisIp() ip: string \| undefined) { ... }\n * ```\n /\nexport const AxisIp = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n const req = ctx.switchToHttp().getRequest<Request>();\n return resolveIp(req);\n },\n);\n\n/\n @AxisContext() — Extracts the full AXIS request context.\n \n Returns the pre-decode sensor input and frame metadata attached by\n * AxisSensorsMiddleware. Useful when a controller needs risk scores or\n * other pre-decode metadata.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisContext() ctx: AxisRequestData) {\n * console.log(ctx.frameBytesCount, ctx.preDecodeInput.metadata.riskScore);\n * }\n * ```\n /\nexport const AxisContext = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisRequestData => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const axisData = (req as any).axis \|\| {};\n return {\n raw: req.body as Buffer,\n ip: resolveIp(req),\n preDecodeInput: axisData.preDecodeInput,\n frameBytesCount: axisData.frameBytesCount \|\| 0,\n };\n },\n);\n\n/\n @AxisDemoPubkey() — Extracts the demo public key header (development only).\n \n Returns `undefined` in non-development environments, blocking the header\n * at the decorator level.\n \n @example\n * ```typescript\n * @Post()\n * async handle(@AxisDemoPubkey() demoPubkeyHex: string \| undefined) { ... }\n * ```\n /\nexport const AxisDemoPubkey = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): string \| undefined => {\n if (process.env.NODE_ENV !== 'development') return undefined;\n const req = ctx.switchToHttp().getRequest<Request>();\n return req.headers['x-demo-pubkey'] as string \| undefined;\n },\n);\n\n/\n @AxisFrame() — Extracts the decoded + validated AXIS frame from the request.\n \n Requires `AxisDecodeInterceptor` to be applied to the route/controller.\n * The interceptor calls `AxisService.decode()` and attaches the result to `req.axisDecoded`.\n \n Returns the full `AxisDecoded` object containing the decoded frame, packet,\n * AxisContext, sensor input, and correlation IDs.\n \n @example\n * ```typescript\n * @Post('v1/decoded')\n * @UseInterceptors(AxisDecodeInterceptor)\n * async handle(@AxisFrame() decoded: AxisDecoded) {\n * return this.axis.execute(decoded);\n * }\n * ```\n /\nexport const AxisFrame = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AxisDecoded => {\n const req = ctx.switchToHttp().getRequest<Request>();\n const decoded = (req as any).axisDecoded as AxisDecoded \| undefined;\n if (!decoded) {\n throw new Error(\n '@AxisFrame() requires AxisDecodeInterceptor on the route. ' +\n 'Add @UseInterceptors(AxisDecodeInterceptor) to use this decorator.',\n );\n }\n return decoded;\n },\n);\n","import { Injectable, Logger, OnApplicationBootstrap } from \"@nestjs/common\";\nimport { DiscoveryService, Reflector } from \"@nestjs/core\";\n\nimport {\n AxisObserverDefinition,\n OBSERVER_METADATA_KEY,\n} from \"../decorators/observer.decorator\";\nimport type { AxisIntentObserver } from \"./axis-observer.interface\";\nimport { ObserverRegistry } from \"./registry/observer.registry\";\n\n@Injectable()\nexport class ObserverDiscoveryService implements OnApplicationBootstrap {\n private readonly logger = new Logger(ObserverDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly reflector: Reflector,\n private readonly registry: ObserverRegistry,\n ) {}\n\n onApplicationBootstrap() {\n const providers = this.discovery.getProviders();\n let count = 0;\n\n for (const wrapper of providers) {\n const { instance } = wrapper;\n if (!instance \|\| !instance.constructor) continue;\n\n const meta = this.reflector.get<AxisObserverDefinition>(\n OBSERVER_METADATA_KEY,\n instance.constructor,\n );\n if (!meta) continue;\n\n const observer = instance as AxisIntentObserver;\n if (typeof observer.observe !== \"function\") {\n this.logger.warn(\n `@Observer on ${instance.constructor.name} is missing observe() and was skipped`,\n );\n continue;\n }\n\n this.registry.register(observer, meta);\n count++;\n }\n\n this.logger.log(`Auto-registered ${count} observers via @Observer()`);\n }\n}","import { Injectable, Logger, OnModuleInit } from \"@nestjs/common\";\nimport { DiscoveryService, MetadataScanner } from \"@nestjs/core\";\n\nimport { OBSERVER_BINDINGS_KEY, type AxisObserverBinding } from \"../decorators/observer.decorator\";\nimport { HANDLER_SENSORS_KEY } from \"../decorators/handler-sensors.decorator\";\nimport { HANDLER_METADATA_KEY } from \"../decorators/handler.decorator\";\nimport {\n type AxisIntentSensorRef,\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n IntentRoute,\n} from \"../decorators/intent.decorator\";\nimport { IntentRouter } from \"./intent.router\";\n\n/\n HandlerDiscoveryService\n \n Automatically discovers all `@Handler`-decorated classes at bootstrap\n * and registers their `@Intent`-decorated methods with the IntentRouter.\n \n This eliminates the need for every handler to inject IntentRouter and\n * manually call `router.register()` or `router.registerHandler()` in onModuleInit.\n \n Before (manual, per-handler boilerplate):\n * ```typescript\n * onModuleInit() {\n * this.router.register('axis.capsules.create', this.create.bind(this));\n * this.router.register('axis.capsules.list', this.findAll.bind(this));\n * // ... repeated for every intent in every handler\n * }\n * ```\n \n After (zero-config):\n * ```typescript\n * @Handler('axis.capsules')\n * export class AxisCapsulesHandler {\n * @Intent('axis.capsules.create', { absolute: true })\n * async create(body: Uint8Array) { ... }\n * }\n * // That's it — no onModuleInit, no router injection\n * ```\n /\n@Injectable()\nexport class HandlerDiscoveryService implements OnModuleInit {\n private readonly logger = new Logger(HandlerDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly scanner: MetadataScanner,\n private readonly router: IntentRouter,\n ) {}\n\n onModuleInit() {\n const providers = this.discovery.getProviders();\n let totalIntents = 0;\n\n for (const wrapper of providers) {\n const { instance, metatype } = wrapper;\n if (!instance \|\| !metatype) continue;\n\n // Check if the class has @Handler metadata\n const handlerMeta = Reflect.getMetadata(HANDLER_METADATA_KEY, metatype);\n if (!handlerMeta) continue;\n\n const handlerName = handlerMeta.intent \|\| metatype.name;\n const prefix = handlerMeta.intent \|\| metatype.name;\n const proto = Object.getPrototypeOf(instance);\n const methods = this.scanner.getAllMethodNames(proto);\n const routes: IntentRoute[] =\n Reflect.getMetadata(INTENT_ROUTES_KEY, metatype) \|\| [];\n const routedMethods = new Set(routes.map((route) => String(route.methodName)));\n let registered = 0;\n\n // Read @HandlerSensors from the class (if any)\n const handlerSensors: AxisIntentSensorRef[] =\n Reflect.getMetadata(HANDLER_SENSORS_KEY, metatype) \|\| [];\n const handlerObservers: AxisObserverBinding[] =\n Reflect.getMetadata(OBSERVER_BINDINGS_KEY, metatype) \|\| [];\n\n for (const route of routes) {\n const intentName = route.absolute\n ? route.action\n : `${prefix}.${route.action}`;\n\n if (!this.router.has(intentName)) {\n this.router.register(intentName, (instance as any)[route.methodName].bind(instance));\n registered++;\n totalIntents++;\n }\n\n this.router.registerIntentMeta(\n intentName,\n proto,\n String(route.methodName),\n handlerSensors,\n handlerObservers,\n );\n }\n\n for (const methodName of methods) {\n if (routedMethods.has(methodName)) continue;\n\n const meta = Reflect.getMetadata(\n INTENT_METADATA_KEY,\n proto,\n methodName,\n );\n if (!meta?.intent) continue;\n\n const intentName = meta.absolute ? meta.intent : `${prefix}.${meta.intent}`;\n\n // Only auto-register if the router doesn't already have this intent\n // (allows manual registration in onModuleInit to take precedence)\n if (!this.router.has(intentName)) {\n this.router.register(\n intentName,\n (instance as any)[methodName].bind(instance),\n );\n registered++;\n totalIntents++;\n }\n\n // Always register metadata (@IntentBody, @IntentSensors) —\n // even for manually-registered intents\n this.router.registerIntentMeta(\n intentName,\n proto,\n methodName,\n handlerSensors,\n handlerObservers,\n );\n }\n\n if (registered > 0) {\n this.logger.log(\n `Auto-registered ${registered} intents from ${handlerName}`,\n );\n }\n }\n\n this.logger.log(\n `Handler discovery complete: ${totalIntents} intents auto-registered`,\n );\n }\n}\n","import { Injectable, Logger, OnApplicationBootstrap } from '@nestjs/common';\nimport { DiscoveryService, Reflector } from '@nestjs/core';\n\nimport {\n SENSOR_METADATA_KEY,\n SensorOptions,\n} from '../decorators/sensor.decorator';\nimport { SensorRegistry } from './registry/sensor.registry';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { PRE_DECODE_BOUNDARY } from './sensor-bands';\n\n/\n Discovers all providers decorated with @Sensor() and registers them\n * in the SensorRegistry at application bootstrap.\n \n Runs after all onModuleInit() calls, so config-reading sensors\n * have their settings loaded before registration.\n /\n@Injectable()\nexport class SensorDiscoveryService implements OnApplicationBootstrap {\n private readonly logger = new Logger(SensorDiscoveryService.name);\n\n constructor(\n private readonly discovery: DiscoveryService,\n private readonly reflector: Reflector,\n private readonly registry: SensorRegistry,\n ) {}\n\n onApplicationBootstrap() {\n const providers = this.discovery.getProviders();\n let count = 0;\n\n for (const wrapper of providers) {\n const { instance } = wrapper;\n if (!instance \|\| !instance.constructor) continue;\n\n const meta = this.reflector.get<SensorOptions \| true>(\n SENSOR_METADATA_KEY,\n instance.constructor,\n );\n if (!meta) continue;\n\n const sensor = instance as AxisSensor;\n\n if (!sensor.name \|\| sensor.order === undefined) {\n this.logger.warn(\n `@Sensor() on ${instance.constructor.name} missing name or order — skipped`,\n );\n continue;\n }\n\n // Phase priority: decorator option > instance property > auto-derive from order\n if (!sensor.phase) {\n const decoratorPhase = meta !== true ? meta.phase : undefined;\n (sensor as any).phase =\n decoratorPhase ??\n (sensor.order < PRE_DECODE_BOUNDARY ? 'PRE_DECODE' : 'POST_DECODE');\n }\n\n this.registry.register(sensor);\n count++;\n }\n\n this.logger.log(`Auto-registered ${count} sensors via @Sensor()`);\n }\n}\n","import { randomBytes } from 'crypto';\n\n/ ─── Stage ─── /\n\nexport interface ObservationStage {\n name: string;\n status: 'ok' \| 'fail' \| 'skip';\n startMs: number;\n endMs?: number;\n durationMs?: number;\n reason?: string;\n code?: string;\n}\n\n/ ─── Sensor Record ─── /\n\nexport interface ObservationSensor {\n name: string;\n allowed: boolean;\n riskScore: number;\n durationMs: number;\n reasons: string[];\n code?: string;\n}\n\n/ ─── Observation (the execution witness) ─── /\n\nexport interface AxisObservation {\n /* Correlation ID (hex) /\n id: string;\n /* High-res start timestamp /\n startMs: number;\n /* Transport origin /\n transport: 'http' \| 'ws';\n /* Client IP /\n ip?: string;\n /* Resolved intent /\n intent?: string;\n /* Actor ID (hex) /\n actorId?: string;\n /* Capsule ID /\n capsuleId?: string;\n\n /* Pipeline stages with timing /\n stages: ObservationStage[];\n /* Individual sensor decisions /\n sensors: ObservationSensor[];\n\n /* Final decision /\n decision?: 'ALLOW' \| 'DENY';\n /* Machine-readable result code /\n resultCode?: string;\n /* HTTP status code /\n statusCode?: number;\n\n /* End timestamp /\n endMs?: number;\n /* Total duration /\n durationMs?: number;\n\n /* Extensible facts for downstream (receipt builder, audit, etc.) /\n facts: Record<string, unknown>;\n}\n\n/ ─── Factory ─── /\n\nexport function createObservation(\n transport: 'http' \| 'ws',\n ip?: string,\n): AxisObservation {\n return {\n id: randomBytes(16).toString('hex'),\n startMs: Date.now(),\n transport,\n ip,\n stages: [],\n sensors: [],\n facts: {},\n };\n}\n\n/ ─── Stage helpers ─── /\n\nexport function startStage(\n obs: AxisObservation,\n name: string,\n): ObservationStage {\n const stage: ObservationStage = { name, status: 'ok', startMs: Date.now() };\n obs.stages.push(stage);\n return stage;\n}\n\nexport function endStage(\n stage: ObservationStage,\n status: 'ok' \| 'fail' \| 'skip' = 'ok',\n reason?: string,\n code?: string,\n): void {\n stage.endMs = Date.now();\n stage.durationMs = stage.endMs - stage.startMs;\n stage.status = status;\n if (reason) stage.reason = reason;\n if (code) stage.code = code;\n}\n\n/ ─── Sensor recording (called by chain service) ─── /\n\nexport function recordSensor(\n obs: AxisObservation,\n name: string,\n allowed: boolean,\n riskScore: number,\n durationMs: number,\n reasons: string[],\n code?: string,\n): void {\n obs.sensors.push({ name, allowed, riskScore, durationMs, reasons, code });\n}\n\n/ ─── Finalize ─── /\n\nexport function finalizeObservation(\n obs: AxisObservation,\n decision: 'ALLOW' \| 'DENY',\n statusCode: number,\n resultCode?: string,\n): void {\n obs.endMs = Date.now();\n obs.durationMs = obs.endMs - obs.startMs;\n obs.decision = decision;\n obs.statusCode = statusCode;\n if (resultCode) obs.resultCode = resultCode;\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { SensorRegistry } from '../engine/registry/sensor.registry';\nimport {\n SensorDecision,\n SensorInput,\n normalizeSensorDecision,\n AxisSensor,\n} from '../sensor/axis-sensor';\nimport { recordSensor, AxisObservation } from '../engine/axis-observation';\n\nexport { SensorInput, SensorDecision }; // Re-export for convenience\n\n/\n The consolidated result of a sensor chain evaluation.\n \n @interface ChainResult\n /\nexport interface ChainResult {\n /* True if all compulsory sensors allowed the request /\n allowed: boolean;\n /* The total risk score delta accumulated across all sensors /\n scoreDelta: number;\n /* Suggested HTTP status code for the response /\n statusCode: number;\n /* Binary or text body describing the reason for denial or containing the response /\n body?: string \| Buffer \| Uint8Array;\n /* Optional headers (TLVs) to be returned to the client /\n headers?: Map<number, Uint8Array>;\n}\n\n/\n AxisSensorChain\n \n Orchestrates the execution of a series of security sensors against an AXIS request.\n * Sensors are retrieved from the SensorRegistry and executed in order.\n \n Decision Handling:\n * - `DENY`: Immediately stops execution and returns a failure result.\n * - `THROTTLE`: Immediately stops execution and requests client retry.\n * - `FLAG`: Accumulates a risk score delta and continues.\n * - `ALLOW`: Continues to the next sensor.\n \n @class AxisSensorChain\n * @injectable\n /\n@Injectable()\nexport class AxisSensorChainService {\n constructor(private readonly registry: SensorRegistry) {}\n\n /\n Evaluate all applicable sensors based on phase.\n /\n async evaluate(\n input: SensorInput,\n phase: 'PRE_DECODE' \| 'POST_DECODE' \| 'BOTH' = 'POST_DECODE',\n baseDecision?: SensorDecision,\n ): Promise<SensorDecision> {\n if (phase === 'PRE_DECODE') {\n return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);\n }\n\n if (phase === 'BOTH') {\n const rawPreResult = await this.evaluateSensors(\n this.registry.getPreDecodeSensors(),\n input,\n );\n const preResult = normalizeSensorDecision(rawPreResult);\n if (!preResult.allow) return rawPreResult;\n return this.evaluateSensors(\n this.registry.getPostDecodeSensors(),\n input,\n rawPreResult,\n );\n }\n\n // Default: POST_DECODE only\n return this.evaluateSensors(\n this.registry.getPostDecodeSensors(),\n input,\n baseDecision,\n );\n }\n\n /* Run only pre-decode sensors. /\n async evaluatePre(input: SensorInput): Promise<SensorDecision> {\n return this.evaluateSensors(this.registry.getPreDecodeSensors(), input);\n }\n\n /* Run only post-decode sensors. /\n async evaluatePost(\n input: SensorInput,\n baseDecision?: SensorDecision,\n ): Promise<SensorDecision> {\n return this.evaluateSensors(\n this.registry.getPostDecodeSensors(),\n input,\n baseDecision,\n );\n }\n\n private async evaluateSensors(\n sensors: AxisSensor[],\n input: SensorInput,\n baseDecision?: SensorDecision,\n ): Promise<SensorDecision> {\n // Filter to relevant sensors\n const relevantSensors = sensors.filter(\n (s) => !s.supports \|\| s.supports(input),\n );\n\n // Normalize baseDecision if provided\n const normalizedBase = baseDecision\n ? normalizeSensorDecision(baseDecision)\n : undefined;\n\n let riskScore = normalizedBase?.riskScore ?? 0;\n const reasons: string[] = normalizedBase?.reasons\n ? [...normalizedBase.reasons]\n : [];\n const tags: Record<string, any> = normalizedBase?.tags\n ? { ...normalizedBase.tags }\n : {};\n let expSecondsMax = normalizedBase?.tighten?.expSecondsMax;\n let constraintsPatch: Record<string, any> = normalizedBase?.tighten\n ?.constraintsPatch\n ? { ...normalizedBase.tighten.constraintsPatch }\n : {};\n\n for (const sensor of relevantSensors) {\n try {\n const t0 = Date.now();\n const rawDecision = await sensor.run(input);\n const elapsed = Date.now() - t0;\n const decision = normalizeSensorDecision(rawDecision);\n\n // Record into observation if present\n const obs = input.metadata?.observation as AxisObservation \| undefined;\n if (obs) {\n recordSensor(\n obs,\n sensor.name,\n decision.allow,\n decision.riskScore,\n elapsed,\n decision.reasons,\n decision.allow ? undefined : (decision as any).code,\n );\n }\n\n // Hard block: any sensor can deny\n if (!decision.allow) {\n return {\n allow: false,\n riskScore: Math.min(100, riskScore + decision.riskScore),\n reasons: [...reasons, ...decision.reasons],\n tags,\n };\n }\n\n // Aggregate risk (cap at 100)\n riskScore = Math.min(100, riskScore + decision.riskScore);\n reasons.push(...decision.reasons);\n\n // Merge tags\n if (decision.tags) {\n Object.assign(tags, decision.tags);\n }\n\n // Tighten constraints (take most restrictive)\n if (decision.tighten?.expSecondsMax !== undefined) {\n expSecondsMax =\n expSecondsMax === undefined\n ? decision.tighten.expSecondsMax\n : Math.min(expSecondsMax, decision.tighten.expSecondsMax);\n }\n\n if (decision.tighten?.constraintsPatch) {\n constraintsPatch = {\n ...constraintsPatch,\n ...decision.tighten.constraintsPatch,\n };\n }\n } catch (error) {\n // Sensor failure = fail closed\n console.error(`[AXIS][SENSOR] ${sensor.name} failed:`, error);\n\n const obs = input.metadata?.observation as AxisObservation \| undefined;\n if (obs) {\n recordSensor(obs, sensor.name, false, 100, 0, [\n `sensor_error:${sensor.name}`,\n ]);\n }\n\n return {\n allow: false,\n riskScore: 100,\n reasons: [`sensor_error:${sensor.name}`],\n };\n }\n }\n\n const tightenPatch =\n Object.keys(constraintsPatch).length > 0 ? constraintsPatch : undefined;\n\n return {\n allow: true,\n riskScore,\n reasons,\n tags,\n tighten:\n expSecondsMax !== undefined \|\| tightenPatch\n ? {\n expSecondsMax,\n constraintsPatch: tightenPatch,\n }\n : undefined,\n };\n }\n}\n","/\n Timeline Engine\n \n Implements the three timeline operations:\n * - Replay: reconstruct and re-execute past events deterministically\n * - Fork: branch from a prior state with changed conditions\n * - Simulate: run scenarios in a shadow domain with no real effect\n \n Rules enforced:\n * 1. No past overwrite — original timeline is never modified\n * 2. Replay is not rewrite — original witness remains intact\n * 3. Forks are explicit — named branches with lineage\n * 4. Reality and shadow are separated — simulation never escapes\n * 5. Determinism is declared — each handler states its determinism class\n * 6. Witness is immutable — records are never altered\n /\n\nimport { createHash, randomBytes } from 'crypto';\n\nimport type {\n ForkRequest,\n ForkResult,\n ReplayDifference,\n ReplayRequest,\n ReplayResult,\n SimulatedSideEffect,\n SimulationRequest,\n SimulationResult,\n StateSnapshot,\n TimelineBranch,\n TimelineComparison,\n TimelineDomain,\n TimelineEvent,\n TimelineHandler,\n TimelineHandlerContext,\n TimelineHandlerResult,\n} from './timeline.types';\nimport type { TimelineStore } from './timeline.store';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Helpers\n// ────────────────────────────────────────────────────────────────────────────\n\nfunction generateId(prefix: string): string {\n return `${prefix}_${randomBytes(16).toString('hex')}`;\n}\n\nfunction sha256(data: string): string {\n return createHash('sha256').update(data).digest('hex');\n}\n\nfunction hashPayload(payload: Record<string, unknown>): string {\n return sha256(JSON.stringify(payload));\n}\n\nfunction diffObjects(\n a: Record<string, unknown>,\n b: Record<string, unknown>,\n): ReplayDifference[] {\n const diffs: ReplayDifference[] = [];\n const allKeys = new Set([...Object.keys(a), ...Object.keys(b)]);\n\n for (const key of allKeys) {\n const va = a[key];\n const vb = b[key];\n if (JSON.stringify(va) !== JSON.stringify(vb)) {\n diffs.push({ field: key, original: va, replayed: vb });\n }\n }\n\n return diffs;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Timeline Engine\n// ────────────────────────────────────────────────────────────────────────────\n\nexport class TimelineEngine {\n private handlers = new Map<string, TimelineHandler>();\n\n constructor(private readonly store: TimelineStore) {}\n\n /* Register an intent handler for timeline execution /\n registerHandler(handler: TimelineHandler): void {\n this.handlers.set(handler.intent, handler);\n }\n\n // ──────────────────────────────────────────────────────────────────────\n // Record (store a real execution as a timeline event)\n // ──────────────────────────────────────────────────────────────────────\n\n async recordEvent(\n intent: string,\n actorId: string,\n payload: Record<string, unknown>,\n result: Record<string, unknown>,\n options: {\n timelineId?: string;\n branchId?: string;\n capsuleId?: string;\n tpsCoordinate?: string;\n witnessId?: string;\n determinism?: TimelineEvent['determinism'];\n parentEventId?: string;\n } = {},\n ): Promise<TimelineEvent> {\n const event: TimelineEvent = {\n event_id: generateId('evt'),\n timeline_id: options.timelineId ?? 'prime',\n branch_id: options.branchId ?? 'main',\n parent_event_id: options.parentEventId ?? null,\n intent,\n actor_id: actorId,\n capsule_id: options.capsuleId,\n tps_coordinate: options.tpsCoordinate,\n payload_hash: hashPayload(payload),\n result_hash: hashPayload(result),\n status: 'executed',\n domain: 'prime',\n determinism: options.determinism ?? 'deterministic',\n witness_id: options.witnessId,\n created_at: Date.now(),\n metadata: { payload, result },\n };\n\n await this.store.saveEvent(event);\n return event;\n }\n\n // ──────────────────────────────────────────────────────────────────────\n // Replay\n // ──────────────────────────────────────────────────────────────────────\n\n async replay(request: ReplayRequest): Promise<ReplayResult> {\n const originalEvent = await this.store.getEvent(request.source_event_id);\n if (!originalEvent) {\n throw new Error(`Event ${request.source_event_id} not found`);\n }\n\n const handler = this.handlers.get(originalEvent.intent);\n if (!handler) {\n throw new Error(`No handler registered for intent '${originalEvent.intent}'`);\n }\n\n // Get original payload from metadata\n const originalPayload =\n (originalEvent.metadata?.payload as Record<string, unknown>) ?? {};\n const replayPayload =\n request.mode === 'analytical' && request.override_payload\n ? request.override_payload\n : originalPayload;\n\n // Load snapshot if available\n const snapshot = await this.store.getSnapshotByEvent(originalEvent.event_id);\n\n const context: TimelineHandlerContext = {\n event_id: generateId('evt'),\n timeline_id: originalEvent.timeline_id,\n branch_id: `replay_${originalEvent.branch_id}`,\n domain: 'audit',\n actor_id: originalEvent.actor_id,\n tps_coordinate: originalEvent.tps_coordinate,\n snapshot: snapshot ?? undefined,\n is_replay: true,\n is_simulation: false,\n };\n\n const startMs = Date.now();\n const handlerResult = await handler.execute(replayPayload, context);\n const durationMs = Date.now() - startMs;\n\n const replayedEvent: TimelineEvent = {\n event_id: context.event_id,\n timeline_id: originalEvent.timeline_id,\n branch_id: context.branch_id,\n parent_event_id: originalEvent.event_id,\n intent: originalEvent.intent,\n actor_id: originalEvent.actor_id,\n capsule_id: originalEvent.capsule_id,\n tps_coordinate: originalEvent.tps_coordinate,\n payload_hash: hashPayload(replayPayload),\n result_hash: hashPayload(handlerResult.result_data),\n status: 'replayed',\n domain: 'audit',\n determinism: originalEvent.determinism,\n created_at: Date.now(),\n metadata: { payload: replayPayload, result: handlerResult.result_data },\n };\n\n await this.store.saveEvent(replayedEvent);\n\n // Compare results\n const originalResult =\n (originalEvent.metadata?.result as Record<string, unknown>) ?? {};\n const differences = diffObjects(originalResult, handlerResult.result_data);\n const deterministicMatch =\n originalEvent.result_hash === replayedEvent.result_hash;\n\n return {\n original_event: originalEvent,\n replayed_event: replayedEvent,\n mode: request.mode,\n deterministic_match: deterministicMatch,\n differences,\n duration_ms: durationMs,\n };\n }\n\n // ──────────────────────────────────────────────────────────────────────\n // Fork\n // ──────────────────────────────────────────────────────────────────────\n\n async fork(request: ForkRequest): Promise<ForkResult> {\n const sourceEvent = await this.store.getEvent(request.source_event_id);\n if (!sourceEvent) {\n throw new Error(`Event ${request.source_event_id} not found`);\n }\n\n const handler = this.handlers.get(sourceEvent.intent);\n if (!handler) {\n throw new Error(`No handler registered for intent '${sourceEvent.intent}'`);\n }\n\n // Create branch\n const branch: TimelineBranch = {\n branch_id: generateId('branch'),\n timeline_id: generateId('timeline'),\n origin_timeline_id: sourceEvent.timeline_id,\n origin_event_id: sourceEvent.event_id,\n branch_type: 'fork',\n creator_subject_id: request.actor_id,\n purpose: request.purpose,\n status: 'active',\n };\n\n await this.store.saveBranch(branch);\n\n // Take snapshot of source state\n const snapshot: StateSnapshot = {\n snapshot_id: generateId('snap'),\n timeline_id: sourceEvent.timeline_id,\n event_id: sourceEvent.event_id,\n tps_coordinate: sourceEvent.tps_coordinate,\n state_hash: hashPayload(\n (sourceEvent.metadata?.result as Record<string, unknown>) ?? {},\n ),\n state_data:\n (sourceEvent.metadata?.result as Record<string, unknown>) ?? {},\n created_at: Date.now(),\n };\n\n await this.store.saveSnapshot(snapshot);\n\n // Execute with new payload\n const context: TimelineHandlerContext = {\n event_id: generateId('evt'),\n timeline_id: branch.timeline_id,\n branch_id: branch.branch_id,\n domain: 'fork',\n actor_id: request.actor_id,\n tps_coordinate: sourceEvent.tps_coordinate,\n snapshot,\n is_replay: false,\n is_simulation: false,\n };\n\n const handlerResult = await handler.execute(request.new_payload, context);\n\n const forkedEvent: TimelineEvent = {\n event_id: context.event_id,\n timeline_id: branch.timeline_id,\n branch_id: branch.branch_id,\n parent_event_id: sourceEvent.event_id,\n intent: sourceEvent.intent,\n actor_id: request.actor_id,\n tps_coordinate: sourceEvent.tps_coordinate,\n payload_hash: hashPayload(request.new_payload),\n result_hash: hashPayload(handlerResult.result_data),\n status: 'forked',\n domain: 'fork',\n determinism: sourceEvent.determinism,\n created_at: Date.now(),\n metadata: {\n payload: request.new_payload,\n result: handlerResult.result_data,\n },\n };\n\n await this.store.saveEvent(forkedEvent);\n\n return { branch, forked_event: forkedEvent, snapshot };\n }\n\n // ──────────────────────────────────────────────────────────────────────\n // Simulate\n // ──────────────────────────────────────────────────────────────────────\n\n async simulate(request: SimulationRequest): Promise<SimulationResult> {\n const handler = this.handlers.get(request.intent);\n if (!handler) {\n throw new Error(`No handler registered for intent '${request.intent}'`);\n }\n\n // Load source snapshot if specified\n let snapshot: StateSnapshot \| undefined;\n if (request.from_snapshot_id) {\n const loaded = await this.store.getSnapshot(request.from_snapshot_id);\n if (!loaded) {\n throw new Error(`Snapshot ${request.from_snapshot_id} not found`);\n }\n snapshot = loaded;\n }\n\n // Create shadow branch\n const branch: TimelineBranch = {\n branch_id: generateId('branch'),\n timeline_id: generateId('timeline'),\n origin_timeline_id: 'prime',\n origin_event_id: 'simulation_origin',\n branch_type: 'simulation',\n created_at_tps: request.at_tps,\n creator_subject_id: request.actor_id,\n purpose: request.purpose,\n status: 'active',\n };\n\n await this.store.saveBranch(branch);\n\n const context: TimelineHandlerContext = {\n event_id: generateId('evt'),\n timeline_id: branch.timeline_id,\n branch_id: branch.branch_id,\n domain: 'shadow',\n actor_id: request.actor_id,\n tps_coordinate: request.at_tps,\n snapshot,\n is_replay: false,\n is_simulation: true,\n };\n\n const startMs = Date.now();\n const handlerResult = await handler.execute(request.payload, context);\n const durationMs = Date.now() - startMs;\n\n const simulatedEvent: TimelineEvent = {\n event_id: context.event_id,\n timeline_id: branch.timeline_id,\n branch_id: branch.branch_id,\n parent_event_id: null,\n intent: request.intent,\n actor_id: request.actor_id,\n tps_coordinate: request.at_tps,\n payload_hash: hashPayload(request.payload),\n result_hash: hashPayload(handlerResult.result_data),\n status: 'simulated',\n domain: 'shadow',\n determinism: 'bounded_nondeterministic',\n created_at: Date.now(),\n metadata: { payload: request.payload, result: handlerResult.result_data },\n };\n\n await this.store.saveEvent(simulatedEvent);\n\n // Mark branch as completed\n branch.status = 'completed';\n await this.store.saveBranch(branch);\n\n return {\n branch,\n simulated_event: simulatedEvent,\n predicted_outcome: handlerResult.result_data,\n side_effects: handlerResult.side_effects ?? [],\n duration_ms: durationMs,\n };\n }\n\n // ──────────────────────────────────────────────────────────────────────\n // Compare timelines\n // ──────────────────────────────────────────────────────────────────────\n\n async compare(\n timelineIdA: string,\n timelineIdB: string,\n ): Promise<TimelineComparison> {\n const eventsA = await this.store.getEventsByTimeline(timelineIdA);\n const eventsB = await this.store.getEventsByTimeline(timelineIdB);\n\n // Sort by creation time\n eventsA.sort((a, b) => a.created_at - b.created_at);\n eventsB.sort((a, b) => a.created_at - b.created_at);\n\n const maxLen = Math.max(eventsA.length, eventsB.length);\n const eventPairs: TimelineComparison['event_pairs'] = [];\n let divergencePoint: string \| undefined;\n\n for (let i = 0; i < maxLen; i++) {\n const a = eventsA[i];\n const b = eventsB[i];\n\n if (!a \|\| !b) {\n if (!divergencePoint) {\n divergencePoint = a?.event_id ?? b?.event_id;\n }\n continue;\n }\n\n const match = a.result_hash === b.result_hash;\n const resultA =\n (a.metadata?.result as Record<string, unknown>) ?? {};\n const resultB =\n (b.metadata?.result as Record<string, unknown>) ?? {};\n const differences = match ? [] : diffObjects(resultA, resultB);\n\n if (!match && !divergencePoint) {\n divergencePoint = a.event_id;\n }\n\n eventPairs.push({ event_a: a, event_b: b, match, differences });\n }\n\n return {\n timeline_a: timelineIdA,\n timeline_b: timelineIdB,\n event_pairs: eventPairs,\n divergence_point: divergencePoint,\n };\n }\n\n // ──────────────────────────────────────────────────────────────────────\n // State snapshot management\n // ──────────────────────────────────────────────────────────────────────\n\n async createSnapshot(\n eventId: string,\n stateData: Record<string, unknown>,\n ): Promise<StateSnapshot> {\n const event = await this.store.getEvent(eventId);\n if (!event) {\n throw new Error(`Event ${eventId} not found`);\n }\n\n const snapshot: StateSnapshot = {\n snapshot_id: generateId('snap'),\n timeline_id: event.timeline_id,\n event_id: eventId,\n tps_coordinate: event.tps_coordinate,\n state_hash: hashPayload(stateData),\n state_data: stateData,\n created_at: Date.now(),\n };\n\n await this.store.saveSnapshot(snapshot);\n return snapshot;\n }\n\n async restoreSnapshot(snapshotId: string): Promise<StateSnapshot> {\n const snapshot = await this.store.getSnapshot(snapshotId);\n if (!snapshot) {\n throw new Error(`Snapshot ${snapshotId} not found`);\n }\n return snapshot;\n }\n}\n","/\n Timeline Store Interface\n \n Pluggable storage interface for timeline events, branches, and snapshots.\n * Implementations can use in-memory, database, or any persistence layer.\n /\n\nimport type {\n TimelineEvent,\n TimelineBranch,\n StateSnapshot,\n} from './timeline.types';\n\nexport interface TimelineStore {\n // Events\n saveEvent(event: TimelineEvent): Promise<void>;\n getEvent(eventId: string): Promise<TimelineEvent \| null>;\n getEventsByTimeline(timelineId: string): Promise<TimelineEvent[]>;\n getEventsByBranch(branchId: string): Promise<TimelineEvent[]>;\n\n // Branches\n saveBranch(branch: TimelineBranch): Promise<void>;\n getBranch(branchId: string): Promise<TimelineBranch \| null>;\n getBranchesByTimeline(timelineId: string): Promise<TimelineBranch[]>;\n\n // Snapshots\n saveSnapshot(snapshot: StateSnapshot): Promise<void>;\n getSnapshot(snapshotId: string): Promise<StateSnapshot \| null>;\n getSnapshotByEvent(eventId: string): Promise<StateSnapshot \| null>;\n}\n\n/\n In-memory timeline store for development and testing.\n /\nexport class InMemoryTimelineStore implements TimelineStore {\n private events = new Map<string, TimelineEvent>();\n private branches = new Map<string, TimelineBranch>();\n private snapshots = new Map<string, StateSnapshot>();\n\n async saveEvent(event: TimelineEvent): Promise<void> {\n this.events.set(event.event_id, event);\n }\n\n async getEvent(eventId: string): Promise<TimelineEvent \| null> {\n return this.events.get(eventId) ?? null;\n }\n\n async getEventsByTimeline(timelineId: string): Promise<TimelineEvent[]> {\n return [...this.events.values()].filter((e) => e.timeline_id === timelineId);\n }\n\n async getEventsByBranch(branchId: string): Promise<TimelineEvent[]> {\n return [...this.events.values()].filter((e) => e.branch_id === branchId);\n }\n\n async saveBranch(branch: TimelineBranch): Promise<void> {\n this.branches.set(branch.branch_id, branch);\n }\n\n async getBranch(branchId: string): Promise<TimelineBranch \| null> {\n return this.branches.get(branchId) ?? null;\n }\n\n async getBranchesByTimeline(timelineId: string): Promise<TimelineBranch[]> {\n return [...this.branches.values()].filter((b) => b.timeline_id === timelineId);\n }\n\n async saveSnapshot(snapshot: StateSnapshot): Promise<void> {\n this.snapshots.set(snapshot.snapshot_id, snapshot);\n }\n\n async getSnapshot(snapshotId: string): Promise<StateSnapshot \| null> {\n return this.snapshots.get(snapshotId) ?? null;\n }\n\n async getSnapshotByEvent(eventId: string): Promise<StateSnapshot \| null> {\n return (\n [...this.snapshots.values()].find((s) => s.event_id === eventId) ?? null\n );\n }\n}\n","import {\n buildTLVs,\n extractDtoSchema,\n} from '../index';\nimport type { IntentTlvField } from '../decorators/intent.decorator';\n\ntype AxisTlvDtoCtor<T = object> = new (...args: never[]) => T;\n\nexport function encodeAxisTlvDto<T extends object>(\n dtoClass: AxisTlvDtoCtor<T>,\n data: Partial<Record<keyof T, unknown>>,\n): Uint8Array {\n const schema = extractDtoSchema(dtoClass);\n const items = schema.fields.flatMap((field) => {\n const value = (data as Record<string, unknown>)[field.name];\n if (value === undefined \|\| value === null) {\n if (field.required) {\n throw new Error(`Missing required TLV response field: ${field.name}`);\n }\n return [];\n }\n\n return [{ type: field.tag, value: encodeField(field, value) }];\n });\n\n return buildTLVs(items);\n}\n\nfunction encodeField(field: IntentTlvField, value: unknown): Buffer {\n switch (field.kind) {\n case 'utf8':\n return Buffer.from(String(value), 'utf8');\n case 'u64':\n return encodeU64(value);\n case 'bytes':\n case 'bytes16':\n return toBuffer(value);\n case 'bool':\n return Buffer.from([value ? 1 : 0]);\n case 'obj':\n case 'arr':\n return Buffer.from(JSON.stringify(value), 'utf8');\n default:\n return toBuffer(value);\n }\n}\n\nfunction encodeU64(value: unknown): Buffer {\n const encoded = Buffer.alloc(8);\n encoded.writeBigUInt64BE(\n typeof value === 'bigint' ? value : BigInt(value as number \| string),\n );\n return encoded;\n}\n\nfunction toBuffer(value: unknown): Buffer {\n if (Buffer.isBuffer(value)) {\n return value;\n }\n if (value instanceof Uint8Array) {\n return Buffer.from(value);\n }\n if (typeof value === 'string') {\n return Buffer.from(value, 'utf8');\n }\n\n throw new Error(`Unsupported TLV bytes value: ${typeof value}`);\n}","/\n Loom Runtime - Lawful Execution Types\n \n Core type definitions for the Loom execution engine.\n * Loom replaces traditional auth with \"Lawful Execution\":\n * - Presence: Liveness proof (replaces login/sessions)\n * - Writ: Executable intent (replaces JWT)\n * - Grant: Standing permission (replaces RBAC)\n * - Receipt: Proof of execution (hash-chained)\n /\n\n// ============================================================================\n// Presence Types (Liveness State)\n// ============================================================================\n\nexport interface PresenceDeclaration {\n /* SoftID of the entity resuming presence (e.g., \"~ayesh#work\") /\n softid: string;\n /* Optional device metadata for scope binding /\n device_meta?: {\n fingerprint?: string;\n platform?: string;\n user_agent?: string;\n };\n}\n\nexport interface PresenceChallenge {\n /* Unique challenge identifier /\n challenge_id: string;\n /* High-entropy random nonce (32-byte hex) /\n nonce: string;\n /* Server's current Unix timestamp in milliseconds (temporal anchor) /\n temporal_anchor: number;\n /* Time-to-live for response in milliseconds (default 5000ms) /\n ttl_ms: number;\n /* Challenge expiry timestamp /\n expires_at: number;\n}\n\nexport interface PresenceProof {\n /* Challenge ID being answered /\n challenge_id: string;\n /* Ed25519 signature over canonical(nonce + temporal_anchor + device_meta) /\n signature: string;\n /* Public key corresponding to the SoftID /\n public_key: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface PresenceReceipt {\n /* Presence ID - hash of the completed handshake /\n presence_id: string;\n /* SoftID that established presence /\n softid: string;\n /* Anchor Reflection ID for logs (privacy-preserving) /\n anchor_reflection: string;\n /* Scope constraints for this presence /\n scope: {\n ip?: string;\n device_fingerprint?: string;\n };\n /* When presence was established (Unix timestamp ms) /\n issued_at: number;\n /* When presence expires (Unix timestamp ms) /\n expires_at: number;\n /* Last renewal timestamp (updated on successful Writ execution) /\n renewed_at?: number;\n}\n\nexport type PresenceStatus = 'active' \| 'expired' \| 'revoked';\n\n// ============================================================================\n// Writ Types (Executable Intent)\n// ============================================================================\n\nexport interface WritHead {\n /* Thread ID - derived from actor, groups related writs /\n tid: string;\n /* Sequence number within the thread /\n seq: number;\n}\n\nexport interface WritBody {\n /* SoftID of the actor (Anchor or Shadow) /\n who: string;\n /* Operation Execution Code (e.g., \"dns.write\", \"file.upload\") /\n act: string;\n /* Resource target (e.g., \"zone:example.com\", \"bucket:uploads\") /\n res: string;\n /* Grant reference - grant_id or \"self\" for sovereign actions /\n law: string;\n}\n\nexport interface WritMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Previous receipt hash (thread continuity) - empty string for first writ /\n prev: string;\n}\n\nexport interface WritSignature {\n /* Signature algorithm /\n alg: 'ed25519';\n /* Base64-encoded signature value /\n value: string;\n /* Optional key identifier /\n kid?: string;\n}\n\nexport interface Writ {\n head: WritHead;\n body: WritBody;\n meta: WritMeta;\n sig: WritSignature;\n}\n\n// ============================================================================\n// Grant Types (Standing Permission / Law)\n// ============================================================================\n\nexport type GrantType = 'sovereign' \| 'delegated' \| 'system';\n\nexport interface GrantCapability {\n /* Operation Execution Code this grant allows /\n oec: string;\n /* Resource scope constraint (e.g., \"zone:.example.com\") /\n scope: string;\n /** Optional quantitative limits /\n limit?: {\n /* Rate limit (e.g., \"10/min\", \"100/day\") /\n rate?: string;\n /* Maximum amount/count /\n amount?: number;\n /* Depth constraint (e.g., \"subdomains_only\") /\n depth?: string;\n };\n}\n\nexport interface GrantMeta {\n /* Issued-at timestamp (Unix seconds) /\n iat: number;\n /* Expiry timestamp (Unix seconds) /\n exp: number;\n /* Whether this grant can be revoked /\n revocable: boolean;\n /* Version number for updates /\n version: number;\n /* Optional Digital Fabric contract reference /\n contract_ref?: string;\n}\n\nexport interface Grant {\n /* Unique grant identifier /\n grant_id: string;\n /* SoftID of the authority who issued this grant /\n issuer: string;\n /* SoftID of the grantee /\n subject: string;\n /* Grant type /\n grant_type: GrantType;\n /* Array of capabilities this grant provides /\n caps: GrantCapability[];\n /* Grant metadata /\n meta: GrantMeta;\n /* Signature over the grant /\n sig: WritSignature;\n}\n\nexport type GrantStatus = 'active' \| 'revoked' \| 'expired';\n\n// ============================================================================\n// Receipt Types (Proof of Execution)\n// ============================================================================\n\nexport interface LoomReceipt {\n /* Receipt ID /\n receipt_id: string;\n /* Hash of the writ that was executed /\n writ_hash: string;\n /* Thread ID /\n thread_id: string;\n /* Sequence number /\n sequence: number;\n /* Execution effect (e.g., \"ALLOW\", \"DENY\") /\n effect: string;\n /* Current receipt hash (for chaining) /\n hash: string;\n /* Previous receipt hash /\n prev_hash: string \| null;\n /* Execution timestamp /\n executed_at: number;\n /* Additional metadata /\n metadata?: Record<string, unknown>;\n}\n\n// ============================================================================\n// Thread Types (Causal Continuity)\n// ============================================================================\n\nexport interface ThreadState {\n /* Thread ID /\n thread_id: string;\n /* SoftID that owns this thread /\n softid: string;\n /* Hash of the last receipt in this thread /\n last_receipt_hash: string;\n /* Current sequence number /\n sequence: number;\n /* Last update timestamp /\n updated_at: number;\n}\n\n// ============================================================================\n// Revocation Types (Null-Receipts)\n// ============================================================================\n\nexport type RevocationTargetType = 'grant' \| 'presence' \| 'softid';\n\nexport interface Revocation {\n /* Revocation ID /\n revocation_id: string;\n /* What type of entity is being revoked /\n target_type: RevocationTargetType;\n /* ID of the entity being revoked /\n target_id: string;\n /* SoftID of the issuer of this revocation /\n issuer_softid: string;\n /* Reason for revocation /\n reason?: string;\n /* When revocation takes effect (Unix timestamp) /\n effective_at: number;\n /* Signature over the revocation /\n sig_value: string;\n}\n\n// ============================================================================\n// Validation Result Types\n// ============================================================================\n\nexport interface LoomValidationResult {\n valid: boolean;\n error?: string;\n code?: string;\n}\n\nexport interface PresenceVerifyResult extends LoomValidationResult {\n presence?: PresenceReceipt;\n}\n\nexport interface WritValidationResult extends LoomValidationResult {\n writ?: Writ;\n gate_failed?: 'temporal' \| 'causal' \| 'legal' \| 'authentic';\n}\n\nexport interface GrantValidationResult extends LoomValidationResult {\n grant?: Grant;\n}\n\n// ============================================================================\n// TLV Constants (re-exported from core/constants.ts for convenience)\n// ============================================================================\n\nexport {\n TLV_LOOM_PRESENCE_ID as TLV_PRESENCE_ID,\n TLV_LOOM_WRIT as TLV_WRIT,\n TLV_LOOM_THREAD_HASH as TLV_THREAD_HASH,\n PROOF_LOOM,\n} from '../core/constants';\n\n// ============================================================================\n// Utility Functions\n// ============================================================================\n\n/\n Derive Anchor Reflection ID (ARID) for privacy-preserving logs.\n * ARID = hash(anchor_pubkey + context + scope)\n /\nexport function deriveAnchorReflection(\n softid: string,\n context: string = 'openlogs',\n scope: string = 'loom',\n): string {\n // Implementation will use crypto hash\n // Placeholder structure: ar:<context>:<scope>:<hash>\n return `ar:${context}:${scope}:${softid}`;\n}\n\n/\n Canonicalize a Writ for signing/verification.\n * Returns deterministic JSON string.\n /\nexport function canonicalizeWrit(writ: Omit<Writ, 'sig'>): string {\n const ordered = {\n head: { tid: writ.head.tid, seq: writ.head.seq },\n body: {\n who: writ.body.who,\n act: writ.body.act,\n res: writ.body.res,\n law: writ.body.law,\n },\n meta: { iat: writ.meta.iat, exp: writ.meta.exp, prev: writ.meta.prev },\n };\n return JSON.stringify(ordered);\n}\n\n/\n Canonicalize a Grant for signing/verification.\n /\nexport function canonicalizeGrant(grant: Omit<Grant, 'sig'>): string {\n const ordered = {\n grant_id: grant.grant_id,\n issuer: grant.issuer,\n subject: grant.subject,\n grant_type: grant.grant_type,\n caps: grant.caps,\n meta: grant.meta,\n };\n return JSON.stringify(ordered);\n}\n","/\n Loom Runtime Engine\n \n Implements the full Loom execution lifecycle:\n * - Presence: challenge → proof → receipt (replaces login/sessions)\n * - Writ: creation → validation → execution (replaces JWT)\n * - Grant: resolution → capability matching (replaces RBAC)\n * - Receipt: hash-chained proof of execution\n * - Revocation: null-receipt revocation of grants/presence\n /\n\nimport { createHash, randomBytes } from 'crypto';\nimport { sign, verify } from 'tweetnacl';\n\nimport type {\n Grant,\n GrantCapability,\n GrantStatus,\n GrantValidationResult,\n LoomReceipt,\n PresenceChallenge,\n PresenceDeclaration,\n PresenceProof,\n PresenceReceipt,\n PresenceStatus,\n PresenceVerifyResult,\n Revocation,\n ThreadState,\n Writ,\n WritBody,\n WritHead,\n WritMeta,\n WritSignature,\n WritValidationResult,\n} from './loom.types';\nimport { canonicalizeGrant, canonicalizeWrit } from './loom.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Crypto helpers\n// ────────────────────────────────────────────────────────────────────────────\n\nfunction sha256(data: string): string {\n return createHash('sha256').update(data).digest('hex');\n}\n\nfunction hexToUint8(hex: string): Uint8Array {\n const bytes = new Uint8Array(hex.length / 2);\n for (let i = 0; i < hex.length; i += 2) {\n bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);\n }\n return bytes;\n}\n\nfunction uint8ToHex(bytes: Uint8Array): string {\n return Array.from(bytes)\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('');\n}\n\nfunction b64ToUint8(b64: string): Uint8Array {\n const bin = Buffer.from(b64, 'base64');\n return new Uint8Array(bin.buffer, bin.byteOffset, bin.byteLength);\n}\n\nfunction uint8ToB64(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString('base64');\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Presence Engine\n// ────────────────────────────────────────────────────────────────────────────\n\nconst DEFAULT_PRESENCE_TTL_MS = 5_000;\nconst DEFAULT_PRESENCE_DURATION_MS = 30 60 * 1000; // 30 minutes\n\n/*\n Create a challenge for a presence declaration.\n /\nexport function createPresenceChallenge(\n declaration: PresenceDeclaration,\n ttlMs: number = DEFAULT_PRESENCE_TTL_MS,\n): PresenceChallenge {\n const now = Date.now();\n const nonce = randomBytes(32).toString('hex');\n const challengeId = sha256(`${declaration.softid}:${nonce}:${now}`);\n\n return {\n challenge_id: challengeId,\n nonce,\n temporal_anchor: now,\n ttl_ms: ttlMs,\n expires_at: now + ttlMs,\n };\n}\n\n/\n Canonical data for presence challenge signing.\n /\nfunction presenceSigningData(\n challenge: PresenceChallenge,\n deviceMeta?: PresenceDeclaration['device_meta'],\n): string {\n return JSON.stringify({\n nonce: challenge.nonce,\n temporal_anchor: challenge.temporal_anchor,\n device_meta: deviceMeta ?? null,\n });\n}\n\n/\n Sign a presence challenge with a private key.\n /\nexport function signPresenceChallenge(\n challenge: PresenceChallenge,\n privateKeyHex: string,\n publicKeyHex: string,\n declaration: PresenceDeclaration,\n kid?: string,\n): PresenceProof {\n const data = presenceSigningData(challenge, declaration.device_meta);\n const msgBytes = new TextEncoder().encode(data);\n const secretKey = hexToUint8(privateKeyHex);\n const signature = sign.detached(msgBytes, secretKey);\n\n return {\n challenge_id: challenge.challenge_id,\n signature: uint8ToHex(signature),\n public_key: publicKeyHex,\n kid,\n };\n}\n\n/\n Verify a presence proof and issue a receipt.\n /\nexport function verifyPresenceProof(\n challenge: PresenceChallenge,\n proof: PresenceProof,\n declaration: PresenceDeclaration,\n durationMs: number = DEFAULT_PRESENCE_DURATION_MS,\n): PresenceVerifyResult {\n // 1. Challenge expiry\n if (Date.now() > challenge.expires_at) {\n return { valid: false, error: 'Challenge expired', code: 'CHALLENGE_EXPIRED' };\n }\n\n // 2. Challenge ID match\n if (proof.challenge_id !== challenge.challenge_id) {\n return { valid: false, error: 'Challenge ID mismatch', code: 'CHALLENGE_MISMATCH' };\n }\n\n // 3. Verify signature\n const data = presenceSigningData(challenge, declaration.device_meta);\n const msgBytes = new TextEncoder().encode(data);\n const sigBytes = hexToUint8(proof.signature);\n const pubBytes = hexToUint8(proof.public_key);\n\n let isValid: boolean;\n try {\n isValid = sign.detached.verify(msgBytes, sigBytes, pubBytes);\n } catch {\n return { valid: false, error: 'Signature verification failed', code: 'SIG_INVALID' };\n }\n\n if (!isValid) {\n return { valid: false, error: 'Invalid signature', code: 'SIG_INVALID' };\n }\n\n // 4. Build presence receipt\n const now = Date.now();\n const presenceId = sha256(\n `${proof.public_key}:${challenge.nonce}:${challenge.temporal_anchor}`,\n );\n const anchorReflection = sha256(\n `ar:openlogs:loom:${proof.public_key}`,\n );\n\n const receipt: PresenceReceipt = {\n presence_id: presenceId,\n softid: declaration.softid,\n anchor_reflection: anchorReflection,\n scope: {\n device_fingerprint: declaration.device_meta?.fingerprint,\n },\n issued_at: now,\n expires_at: now + durationMs,\n };\n\n return { valid: true, presence: receipt };\n}\n\n/\n Check if a presence receipt is currently active.\n /\nexport function getPresenceStatus(receipt: PresenceReceipt): PresenceStatus {\n const now = Date.now();\n if (now > receipt.expires_at) return 'expired';\n return 'active';\n}\n\n/\n Renew presence (extend expiry).\n /\nexport function renewPresence(\n receipt: PresenceReceipt,\n extensionMs: number = DEFAULT_PRESENCE_DURATION_MS,\n): PresenceReceipt {\n const now = Date.now();\n return {\n ...receipt,\n renewed_at: now,\n expires_at: now + extensionMs,\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Writ Engine\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Create a new Writ (executable intent).\n /\nexport function createWrit(\n body: WritBody,\n meta: Omit<WritMeta, 'prev'>,\n thread: { tid: string; seq: number; prevHash: string },\n privateKeyHex: string,\n kid?: string,\n): Writ {\n const head: WritHead = { tid: thread.tid, seq: thread.seq };\n const writMeta: WritMeta = { ...meta, prev: thread.prevHash };\n\n const unsigned: Omit<Writ, 'sig'> = { head, body, meta: writMeta };\n const canonical = canonicalizeWrit(unsigned);\n const msgBytes = new TextEncoder().encode(canonical);\n const secretKey = hexToUint8(privateKeyHex);\n const signature = sign.detached(msgBytes, secretKey);\n\n const sig: WritSignature = {\n alg: 'ed25519',\n value: uint8ToB64(signature),\n kid,\n };\n\n return { head, body, meta: writMeta, sig };\n}\n\n/\n Validate a Writ through all four gates:\n * 1. Temporal: is the writ within its time window?\n * 2. Causal: does the prev hash match the thread state?\n * 3. Legal: does a valid grant allow this operation?\n * 4. Authentic: is the signature valid?\n /\nexport function validateWrit(\n writ: Writ,\n publicKeyHex: string,\n threadState: ThreadState \| null,\n grants: Grant[],\n): WritValidationResult {\n const now = Math.floor(Date.now() / 1000);\n\n // Gate 1: Temporal\n if (now < writ.meta.iat) {\n return {\n valid: false,\n error: 'Writ not yet valid (iat in future)',\n code: 'TEMPORAL_NOT_YET',\n gate_failed: 'temporal',\n };\n }\n if (now > writ.meta.exp) {\n return {\n valid: false,\n error: 'Writ expired',\n code: 'TEMPORAL_EXPIRED',\n gate_failed: 'temporal',\n };\n }\n\n // Gate 2: Causal (thread continuity)\n if (threadState) {\n if (writ.head.tid !== threadState.thread_id) {\n return {\n valid: false,\n error: 'Thread ID mismatch',\n code: 'CAUSAL_TID',\n gate_failed: 'causal',\n };\n }\n if (writ.head.seq !== threadState.sequence + 1) {\n return {\n valid: false,\n error: `Expected seq ${threadState.sequence + 1}, got ${writ.head.seq}`,\n code: 'CAUSAL_SEQ',\n gate_failed: 'causal',\n };\n }\n if (writ.meta.prev !== threadState.last_receipt_hash) {\n return {\n valid: false,\n error: 'Previous receipt hash mismatch',\n code: 'CAUSAL_PREV',\n gate_failed: 'causal',\n };\n }\n } else {\n // First writ in thread\n if (writ.head.seq !== 1) {\n return {\n valid: false,\n error: 'First writ in thread must have seq=1',\n code: 'CAUSAL_FIRST_SEQ',\n gate_failed: 'causal',\n };\n }\n if (writ.meta.prev !== '') {\n return {\n valid: false,\n error: 'First writ must have empty prev hash',\n code: 'CAUSAL_FIRST_PREV',\n gate_failed: 'causal',\n };\n }\n }\n\n // Gate 3: Legal (grant matching)\n if (writ.body.law !== 'self') {\n const matchingGrant = grants.find((g) =>\n g.grant_id === writ.body.law &&\n g.subject === writ.body.who &&\n grantCoversAction(g, writ.body.act, writ.body.res, now),\n );\n if (!matchingGrant) {\n return {\n valid: false,\n error: `No valid grant found for law=${writ.body.law}`,\n code: 'LEGAL_NO_GRANT',\n gate_failed: 'legal',\n };\n }\n }\n\n // Gate 4: Authentic (signature verification)\n const unsigned: Omit<Writ, 'sig'> = {\n head: writ.head,\n body: writ.body,\n meta: writ.meta,\n };\n const canonical = canonicalizeWrit(unsigned);\n const msgBytes = new TextEncoder().encode(canonical);\n const sigBytes = b64ToUint8(writ.sig.value);\n const pubBytes = hexToUint8(publicKeyHex);\n\n let sigValid: boolean;\n try {\n sigValid = sign.detached.verify(msgBytes, sigBytes, pubBytes);\n } catch {\n return {\n valid: false,\n error: 'Signature verification failed',\n code: 'AUTH_SIG_FAIL',\n gate_failed: 'authentic',\n };\n }\n\n if (!sigValid) {\n return {\n valid: false,\n error: 'Invalid signature',\n code: 'AUTH_SIG_INVALID',\n gate_failed: 'authentic',\n };\n }\n\n return { valid: true, writ };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Grant Engine\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Check if a grant covers a specific action on a specific resource.\n /\nexport function grantCoversAction(\n grant: Grant,\n action: string,\n resource: string,\n nowUnix: number,\n): boolean {\n // Check temporal validity\n if (nowUnix < grant.meta.iat \|\| nowUnix > grant.meta.exp) {\n return false;\n }\n\n // Check capabilities\n return grant.caps.some((cap) =>\n matchOec(cap.oec, action) && matchScope(cap.scope, resource),\n );\n}\n\n/\n Match an Operation Execution Code pattern against an action.\n * Supports wildcards: \"dns.\" matches \"dns.write\", \"dns.read\", etc.\n /\nfunction matchOec(pattern: string, action: string): boolean {\n if (pattern === '') return true;\n if (pattern === action) return true;\n\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -2);\n return action.startsWith(prefix + '.');\n }\n\n return false;\n}\n\n/*\n Match a scope pattern against a resource.\n * Supports wildcards: \"zone:.example.com\" matches \"zone:sub.example.com\"\n /\nfunction matchScope(pattern: string, resource: string): boolean {\n if (pattern === '') return true;\n if (pattern === resource) return true;\n\n // Simple wildcard matching\n if (pattern.includes('')) {\n const regex = new RegExp(\n '^' + pattern.replace(/\\./g, '\\\\.').replace(/\\/g, '[^:]') + '$',\n );\n return regex.test(resource);\n }\n\n return false;\n}\n\n/*\n Get grant status based on current time and revocation state.\n /\nexport function getGrantStatus(\n grant: Grant,\n revocations: Revocation[],\n): GrantStatus {\n const now = Math.floor(Date.now() / 1000);\n\n // Check revocation\n const revoked = revocations.find(\n (r) => r.target_type === 'grant' && r.target_id === grant.grant_id,\n );\n if (revoked && revoked.effective_at <= now 1000) {\n return 'revoked';\n }\n\n // Check expiry\n if (now > grant.meta.exp) return 'expired';\n\n return 'active';\n}\n\n/*\n Validate a grant's signature.\n /\nexport function validateGrant(\n grant: Grant,\n issuerPublicKeyHex: string,\n): GrantValidationResult {\n const unsigned: Omit<Grant, 'sig'> = {\n grant_id: grant.grant_id,\n issuer: grant.issuer,\n subject: grant.subject,\n grant_type: grant.grant_type,\n caps: grant.caps,\n meta: grant.meta,\n };\n const canonical = canonicalizeGrant(unsigned);\n const msgBytes = new TextEncoder().encode(canonical);\n const sigBytes = b64ToUint8(grant.sig.value);\n const pubBytes = hexToUint8(issuerPublicKeyHex);\n\n let valid: boolean;\n try {\n valid = sign.detached.verify(msgBytes, sigBytes, pubBytes);\n } catch {\n return { valid: false, error: 'Grant signature verification failed', code: 'GRANT_SIG_FAIL' };\n }\n\n if (!valid) {\n return { valid: false, error: 'Invalid grant signature', code: 'GRANT_SIG_INVALID' };\n }\n\n return { valid: true, grant };\n}\n\n/\n Create and sign a new Grant.\n /\nexport function createGrant(\n grantId: string,\n issuer: string,\n subject: string,\n grantType: Grant['grant_type'],\n caps: GrantCapability[],\n meta: Grant['meta'],\n privateKeyHex: string,\n kid?: string,\n): Grant {\n const unsigned: Omit<Grant, 'sig'> = {\n grant_id: grantId,\n issuer,\n subject,\n grant_type: grantType,\n caps,\n meta,\n };\n\n const canonical = canonicalizeGrant(unsigned);\n const msgBytes = new TextEncoder().encode(canonical);\n const secretKey = hexToUint8(privateKeyHex);\n const signature = sign.detached(msgBytes, secretKey);\n\n return {\n ...unsigned,\n sig: {\n alg: 'ed25519',\n value: uint8ToB64(signature),\n kid,\n },\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Receipt Engine (hash-chained proof of execution)\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Create a hash-chained receipt for a writ execution.\n /\nexport function createReceipt(\n writ: Writ,\n effect: string,\n prevReceipt: LoomReceipt \| null,\n metadata?: Record<string, unknown>,\n): LoomReceipt {\n const now = Date.now();\n const sequence = prevReceipt ? prevReceipt.sequence + 1 : 1;\n const prevHash = prevReceipt?.hash ?? null;\n\n // Hash the writ\n const writHash = sha256(canonicalizeWrit({\n head: writ.head,\n body: writ.body,\n meta: writ.meta,\n }));\n\n // Build receipt hash (chain integrity)\n const hashInput = [\n prevHash ?? '',\n writHash,\n writ.head.tid,\n String(sequence),\n effect,\n String(now),\n ].join(':');\n\n const receiptHash = sha256(hashInput);\n const receiptId = sha256(`receipt:${receiptHash}:${now}`);\n\n return {\n receipt_id: receiptId,\n writ_hash: writHash,\n thread_id: writ.head.tid,\n sequence,\n effect,\n hash: receiptHash,\n prev_hash: prevHash,\n executed_at: now,\n metadata,\n };\n}\n\n/\n Verify receipt chain integrity.\n /\nexport function verifyReceiptChain(receipts: LoomReceipt[]): {\n valid: boolean;\n brokenAt?: number;\n error?: string;\n} {\n if (receipts.length === 0) return { valid: true };\n\n // Sort by sequence\n const sorted = [...receipts].sort((a, b) => a.sequence - b.sequence);\n\n // First receipt must have null prev_hash\n if (sorted[0].prev_hash !== null) {\n return {\n valid: false,\n brokenAt: 0,\n error: 'First receipt must have null prev_hash',\n };\n }\n\n // Verify chain continuity\n for (let i = 1; i < sorted.length; i++) {\n if (sorted[i].prev_hash !== sorted[i - 1].hash) {\n return {\n valid: false,\n brokenAt: i,\n error: `Receipt ${i} prev_hash does not match receipt ${i - 1} hash`,\n };\n }\n }\n\n return { valid: true };\n}\n\n/\n Update thread state after receipt creation.\n /\nexport function updateThreadState(\n receipt: LoomReceipt,\n softid: string,\n): ThreadState {\n return {\n thread_id: receipt.thread_id,\n softid,\n last_receipt_hash: receipt.hash,\n sequence: receipt.sequence,\n updated_at: receipt.executed_at,\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Revocation Engine\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Create a revocation record.\n /\nexport function createRevocation(\n targetType: Revocation['target_type'],\n targetId: string,\n issuerSoftid: string,\n privateKeyHex: string,\n reason?: string,\n): Revocation {\n const now = Date.now();\n const revocationId = sha256(`revoke:${targetType}:${targetId}:${now}`);\n\n const payload = JSON.stringify({\n revocation_id: revocationId,\n target_type: targetType,\n target_id: targetId,\n issuer_softid: issuerSoftid,\n effective_at: now,\n reason: reason ?? null,\n });\n\n const msgBytes = new TextEncoder().encode(payload);\n const secretKey = hexToUint8(privateKeyHex);\n const signature = sign.detached(msgBytes, secretKey);\n\n return {\n revocation_id: revocationId,\n target_type: targetType,\n target_id: targetId,\n issuer_softid: issuerSoftid,\n reason,\n effective_at: now,\n sig_value: uint8ToHex(signature),\n };\n}\n\n/\n Check if a target has been revoked.\n /\nexport function isRevoked(\n targetType: Revocation['target_type'],\n targetId: string,\n revocations: Revocation[],\n): boolean {\n const now = Date.now();\n return revocations.some(\n (r) =>\n r.target_type === targetType &&\n r.target_id === targetId &&\n r.effective_at <= now,\n );\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Full Loom Pipeline\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface LoomExecutionResult {\n receipt: LoomReceipt;\n threadState: ThreadState;\n writValidation: WritValidationResult;\n}\n\n/\n Execute a full Loom pipeline:\n * 1. Validate presence\n * 2. Validate writ (4 gates)\n * 3. Create receipt\n * 4. Update thread state\n /\nexport function executeLoomPipeline(\n writ: Writ,\n publicKeyHex: string,\n presence: PresenceReceipt,\n threadState: ThreadState \| null,\n grants: Grant[],\n revocations: Revocation[],\n prevReceipt: LoomReceipt \| null,\n): LoomExecutionResult \| { valid: false; error: string; code: string } {\n // 1. Check presence\n const presenceStatus = getPresenceStatus(presence);\n if (presenceStatus !== 'active') {\n return { valid: false, error: 'Presence not active', code: 'PRESENCE_INACTIVE' };\n }\n\n // 2. Check presence revocation\n if (isRevoked('presence', presence.presence_id, revocations)) {\n return { valid: false, error: 'Presence revoked', code: 'PRESENCE_REVOKED' };\n }\n\n // 3. Filter out revoked grants\n const activeGrants = grants.filter(\n (g) => getGrantStatus(g, revocations) === 'active',\n );\n\n // 4. Validate writ\n const writResult = validateWrit(writ, publicKeyHex, threadState, activeGrants);\n if (!writResult.valid) {\n return { valid: false, error: writResult.error!, code: writResult.code! };\n }\n\n // 5. Create receipt\n const receipt = createReceipt(writ, 'ALLOW', prevReceipt);\n\n // 6. Update thread state\n const newThreadState = updateThreadState(receipt, writ.body.who);\n\n return {\n receipt,\n threadState: newThreadState,\n writValidation: writResult,\n };\n}\n","/\n IDEL Compiler — Intent Description & Execution Language\n \n Compiles raw intent proposals into validated, executable structures.\n \n Pipeline:\n * 1. Resolve: match raw input to a known intent schema\n * 2. Validate: check all required params and constraints\n * 3. Assess risk: evaluate intent risk level\n * 4. Generate clarifications: if ambiguous or incomplete\n * 5. Output: CompiledIntent ready for AXIS execution\n /\n\nimport type {\n AlternativeIntent,\n ClarificationQuestion,\n CompilationError,\n CompilationResult,\n CompiledIntent,\n IntentConstraint,\n IntentParamSchema,\n IntentProposal,\n IntentRisk,\n IntentSchema,\n RiskLevel,\n} from './idel.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Schema Registry\n// ────────────────────────────────────────────────────────────────────────────\n\nexport class IdelSchemaRegistry {\n private schemas = new Map<string, IntentSchema>();\n private aliases = new Map<string, string>();\n\n register(schema: IntentSchema): void {\n this.schemas.set(schema.intent, schema);\n }\n\n registerAlias(alias: string, intent: string): void {\n this.aliases.set(alias.toLowerCase(), intent);\n }\n\n get(intent: string): IntentSchema \| undefined {\n return this.schemas.get(intent);\n }\n\n resolve(raw: string): IntentSchema \| undefined {\n // Exact match\n const exact = this.schemas.get(raw);\n if (exact) return exact;\n\n // Alias match\n const aliased = this.aliases.get(raw.toLowerCase());\n if (aliased) return this.schemas.get(aliased);\n\n // Prefix match (e.g., \"payment\" → \"payment.create\")\n const candidates = [...this.schemas.keys()].filter(\n (k) => k.startsWith(raw + '.') \|\| k.toLowerCase().includes(raw.toLowerCase()),\n );\n if (candidates.length === 1) {\n return this.schemas.get(candidates[0]);\n }\n\n return undefined;\n }\n\n /\n Find all schemas that partially match the raw input.\n * Returns scored candidates for ambiguity resolution.\n /\n findCandidates(raw: string): Array<{ schema: IntentSchema; score: number }> {\n const normalized = raw.toLowerCase().trim();\n const results: Array<{ schema: IntentSchema; score: number }> = [];\n\n for (const [key, schema] of this.schemas) {\n let score = 0;\n\n // Exact match\n if (key === raw) {\n score = 1.0;\n }\n // Case-insensitive exact\n else if (key.toLowerCase() === normalized) {\n score = 0.95;\n }\n // Alias match\n else if (this.aliases.get(normalized) === key) {\n score = 0.9;\n }\n // Prefix match\n else if (key.toLowerCase().startsWith(normalized)) {\n score = 0.7;\n }\n // Contains match\n else if (key.toLowerCase().includes(normalized)) {\n score = 0.5;\n }\n // Tag match\n else if (schema.tags?.some((t) => t.toLowerCase().includes(normalized))) {\n score = 0.4;\n }\n // Description match\n else if (schema.description.toLowerCase().includes(normalized)) {\n score = 0.3;\n }\n\n if (score > 0) {\n results.push({ schema, score });\n }\n }\n\n return results.sort((a, b) => b.score - a.score);\n }\n\n list(): IntentSchema[] {\n return [...this.schemas.values()];\n }\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// IDEL Compiler\n// ────────────────────────────────────────────────────────────────────────────\n\nexport class IdelCompiler {\n constructor(private readonly registry: IdelSchemaRegistry) {}\n\n /\n Compile a raw intent proposal into a validated, executable structure.\n /\n compile(proposal: IntentProposal): CompilationResult {\n const errors: CompilationError[] = [];\n\n // 1. Resolve intent\n const candidates = this.registry.findCandidates(proposal.raw);\n if (candidates.length === 0) {\n return {\n ok: false,\n errors: [{\n code: 'IDEL_UNKNOWN_INTENT',\n message: `No intent found matching '${proposal.raw}'`,\n }],\n };\n }\n\n const best = candidates[0];\n const schema = best.schema;\n\n // 2. Build alternatives\n const alternatives: AlternativeIntent[] = candidates\n .slice(1, 4)\n .filter((c) => c.score >= 0.3)\n .map((c) => ({\n intent: c.schema.intent,\n confidence: c.score,\n reason: c.schema.description,\n }));\n\n // 3. Validate parameters\n const constraints: IntentConstraint[] = [];\n const clarifications: ClarificationQuestion[] = [];\n const params = { ...proposal.params };\n\n for (const paramSchema of schema.params) {\n const value = params[paramSchema.name];\n\n // Required check\n if (paramSchema.required && value === undefined) {\n if (paramSchema.default !== undefined) {\n params[paramSchema.name] = paramSchema.default;\n constraints.push({\n kind: 'required_param',\n field: paramSchema.name,\n description: `Defaulted to ${JSON.stringify(paramSchema.default)}`,\n satisfied: true,\n value: paramSchema.default,\n });\n } else {\n constraints.push({\n kind: 'required_param',\n field: paramSchema.name,\n description: `Required parameter '${paramSchema.name}' is missing`,\n satisfied: false,\n });\n clarifications.push({\n id: `clarify_${paramSchema.name}`,\n question: paramSchema.description ?? `What is the ${paramSchema.name}?`,\n field: paramSchema.name,\n options: paramSchema.enum?.map(String),\n required: true,\n });\n }\n continue;\n }\n\n if (value === undefined) continue;\n\n // Type check\n const typeValid = validateType(value, paramSchema.type);\n constraints.push({\n kind: 'type_check',\n field: paramSchema.name,\n description: `Must be ${paramSchema.type}`,\n satisfied: typeValid,\n value,\n expected: paramSchema.type,\n });\n if (!typeValid) {\n errors.push({\n code: 'IDEL_TYPE_ERROR',\n message: `Parameter '${paramSchema.name}' must be ${paramSchema.type}, got ${typeof value}`,\n field: paramSchema.name,\n });\n }\n\n // Range check\n if (paramSchema.min !== undefined \|\| paramSchema.max !== undefined) {\n const numVal = typeof value === 'number' ? value : Number(value);\n const inRange =\n (paramSchema.min === undefined \|\| numVal >= paramSchema.min) &&\n (paramSchema.max === undefined \|\| numVal <= paramSchema.max);\n constraints.push({\n kind: 'range',\n field: paramSchema.name,\n description: `Must be between ${paramSchema.min ?? '-∞'} and ${paramSchema.max ?? '∞'}`,\n satisfied: inRange,\n value: numVal,\n });\n }\n\n // Pattern check\n if (paramSchema.pattern) {\n const matches = new RegExp(paramSchema.pattern).test(String(value));\n constraints.push({\n kind: 'pattern',\n field: paramSchema.name,\n description: `Must match ${paramSchema.pattern}`,\n satisfied: matches,\n value,\n expected: paramSchema.pattern,\n });\n }\n\n // Enum check\n if (paramSchema.enum) {\n const inEnum = paramSchema.enum.some(\n (e) => JSON.stringify(e) === JSON.stringify(value),\n );\n constraints.push({\n kind: 'custom',\n field: paramSchema.name,\n description: `Must be one of: ${paramSchema.enum.join(', ')}`,\n satisfied: inEnum,\n value,\n expected: paramSchema.enum,\n });\n }\n }\n\n // 4. Assess risk\n const risk = assessRisk(schema, proposal, constraints);\n\n // 5. Compute confidence\n const unsatisfied = constraints.filter((c) => !c.satisfied);\n const needsClarification = clarifications.length > 0;\n let confidence = best.score;\n if (unsatisfied.length > 0) {\n confidence = 1 - (unsatisfied.length / Math.max(constraints.length, 1)) * 0.5;\n }\n if (errors.length > 0) {\n confidence = 0.5;\n }\n\n const compiled: CompiledIntent = {\n intent: schema.intent,\n actor_id: proposal.actor_id,\n target: proposal.target,\n params,\n constraints,\n confidence,\n alternatives,\n needs_clarification: needsClarification,\n clarifications,\n expected_outcome: schema.description,\n fallback: schema.related?.[0],\n risk,\n metadata: {\n schema_intent: schema.intent,\n resolved_from: proposal.raw,\n has_side_effects: schema.has_side_effects,\n reversible: schema.reversible,\n },\n };\n\n return {\n ok: errors.length === 0 && !needsClarification,\n compiled,\n errors,\n };\n }\n\n /\n Apply clarification answers and re-compile.\n /\n applyClarifications(\n compiled: CompiledIntent,\n answers: Record<string, unknown>,\n ): CompilationResult {\n const proposal: IntentProposal = {\n raw: compiled.intent,\n actor_id: compiled.actor_id,\n target: compiled.target,\n params: { ...compiled.params, ...answers },\n };\n return this.compile(proposal);\n }\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Helpers\n// ────────────────────────────────────────────────────────────────────────────\n\nfunction validateType(value: unknown, expectedType: IntentParamSchema['type']): boolean {\n switch (expectedType) {\n case 'string':\n return typeof value === 'string';\n case 'number':\n return typeof value === 'number' && Number.isFinite(value);\n case 'boolean':\n return typeof value === 'boolean';\n case 'object':\n return typeof value === 'object' && value !== null && !Array.isArray(value);\n case 'array':\n return Array.isArray(value);\n default:\n return true;\n }\n}\n\nfunction assessRisk(\n schema: IntentSchema,\n proposal: IntentProposal,\n constraints: IntentConstraint[],\n): IntentRisk {\n const factors: string[] = [];\n let score = 0;\n\n // Base risk from schema\n const baseRiskMap: Record<RiskLevel, number> = {\n none: 0,\n low: 0.1,\n medium: 0.3,\n high: 0.6,\n critical: 0.9,\n };\n score = baseRiskMap[schema.risk_level] ?? 0;\n if (schema.risk_level !== 'none') {\n factors.push(`Base risk: ${schema.risk_level}`);\n }\n\n // Side effects increase risk\n if (schema.has_side_effects) {\n score += 0.1;\n factors.push('Has side effects');\n }\n\n // Irreversible actions increase risk\n if (!schema.reversible) {\n score += 0.1;\n factors.push('Not reversible');\n }\n\n // Failed constraints increase risk\n const failed = constraints.filter((c) => !c.satisfied);\n if (failed.length > 0) {\n score += 0.05 failed.length;\n factors.push(`${failed.length} unsatisfied constraint(s)`);\n }\n\n // Clamp\n score = Math.min(score, 1.0);\n\n let level: RiskLevel;\n if (score <= 0) level = 'none';\n else if (score <= 0.2) level = 'low';\n else if (score <= 0.5) level = 'medium';\n else if (score <= 0.8) level = 'high';\n else level = 'critical';\n\n return { level, score, factors };\n}\n","/*\n Needle Engine — The unified execution pipeline\n \n Runs the full formula:\n * Intent → Needle enters (AXIS) → Action happens →\n * Observer verifies → Stitch is formed → Thread grows\n \n Each phase maps to a concrete operation:\n * created → assembleNeedle()\n * validated → executeLoomPipeline() gates\n * executing → handler runs\n * observed → verifyObservation()\n * stitched → formStitch() + updateThreadState()\n /\n\nimport { createHash, randomBytes } from 'crypto';\nimport {\n createObservation,\n startStage,\n endStage,\n finalizeObservation,\n recordSensor,\n} from '../engine/axis-observation';\nimport type { AxisObservation, ObservationStage } from '../engine/axis-observation';\nimport { scoreTruth } from '../engine/observation/truth-scoring';\nimport type { ExpectedOutcome, TruthVerdict } from '../engine/observation/truth-scoring';\nimport {\n validateWrit,\n createReceipt,\n updateThreadState,\n} from '../loom/loom.engine';\nimport type { LoomReceipt, ThreadState } from '../loom/loom.types';\nimport type { CompiledIntent } from '../idel/idel.types';\nimport type {\n Needle,\n NeedleError,\n NeedleHandler,\n NeedleHandlerContext,\n NeedleHandlerResult,\n NeedlePipelineConfig,\n NeedlePipelineResult,\n Stitch,\n StitchKind,\n NeedlePhase,\n} from './needle.types';\nimport type { Grant, PresenceReceipt, Writ } from '../loom/loom.types';\nimport type { AxisSensor, SensorInput } from '../sensor/axis-sensor';\nimport { normalizeSensorDecision } from '../sensor/axis-sensor';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Needle Assembly\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Assemble a Needle — the execution carrier.\n * This combines intent + presence + writ + grants into a single context.\n /\nexport function assembleNeedle(params: {\n intent: CompiledIntent;\n presence: PresenceReceipt;\n writ: Writ;\n grants: Grant[];\n tps_coordinate?: string;\n}): Needle {\n return {\n needle_id: randomBytes(16).toString('hex'),\n phase: 'created',\n tps_coordinate: params.tps_coordinate,\n intent: params.intent,\n presence: params.presence,\n writ: params.writ,\n grants: params.grants,\n created_at: Date.now(),\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Stitch Formation\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Determine stitch kind from observation and verdict.\n /\nfunction classifyStitch(\n observation: AxisObservation,\n verdict: TruthVerdict,\n): StitchKind {\n // Failed or disputed → torn\n if (verdict.status === 'failed' \|\| verdict.status === 'disputed') {\n return 'torn';\n }\n\n // DENY or no visible effect → silent stitch\n if (observation.decision === 'DENY') {\n return 'silent';\n }\n\n // Confirmed or partial deed → deed\n if (verdict.isDeed) {\n return 'deed';\n }\n\n // Uncertain but not failed → silent\n return 'silent';\n}\n\n/\n Form a Stitch from a completed Needle.\n * A Stitch = Needle (execution) + Observer (verification)\n /\nexport function formStitch(\n needle: Needle,\n observation: AxisObservation,\n verdict: TruthVerdict,\n receipt: LoomReceipt,\n): Stitch {\n return {\n stitch_id: needle.needle_id,\n kind: classifyStitch(observation, verdict),\n intent: needle.intent.intent,\n actor_id: needle.intent.actor_id,\n tps_coordinate: needle.tps_coordinate,\n observation,\n verdict,\n receipt,\n thread_id: receipt.thread_id,\n sequence: receipt.sequence,\n stitched_at: Date.now(),\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Needle Pipeline\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Run the full Needle pipeline:\n \n 1. Validate (Loom gates: temporal, causal, legal, authentic)\n * 2. Execute (handler runs the action)\n * 3. Observe (create observation + score truth)\n * 4. Stitch (form stitch, create receipt, grow thread)\n /\nexport async function runNeedlePipeline(\n needle: Needle,\n config: NeedlePipelineConfig,\n threadState: ThreadState \| null,\n prevReceipt: LoomReceipt \| null,\n expectedOutcome?: ExpectedOutcome,\n): Promise<NeedlePipelineResult> {\n const obs = createObservation('http');\n obs.intent = needle.intent.intent;\n obs.actorId = needle.intent.actor_id;\n\n // ── Phase 1: Validate (Loom gates) ──\n needle.phase = 'validated';\n let stage: ObservationStage = startStage(obs, 'loom.validate');\n\n const validation = validateWrit(\n needle.writ,\n config.public_key,\n threadState,\n needle.grants,\n );\n\n if (!validation.valid) {\n endStage(stage, 'fail', validation.error);\n return failNeedle(needle, obs, 'validated', 'LOOM_VALIDATION_FAILED', validation.error ?? 'Writ validation failed');\n }\n\n endStage(stage, 'ok');\n\n // ── Phase 1.5: Sensors (reality gates) ──\n if (config.sensors && config.sensors.length > 0) {\n stage = startStage(obs, 'sensors.evaluate');\n\n const sensorInput: SensorInput = {\n intent: needle.intent.intent,\n actorId: needle.intent.actor_id,\n metadata: {\n observation: obs,\n needle_id: needle.needle_id,\n tps_coordinate: needle.tps_coordinate,\n writ: needle.writ,\n grants: needle.grants,\n params: needle.intent.params,\n },\n };\n\n for (const sensor of config.sensors) {\n if (sensor.supports && !sensor.supports(sensorInput)) continue;\n\n const t0 = Date.now();\n let decision;\n try {\n const rawDecision = await sensor.run(sensorInput);\n decision = normalizeSensorDecision(rawDecision);\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n recordSensor(obs, sensor.name, false, 100, Date.now() - t0, [`sensor_error:${msg}`]);\n endStage(stage, 'fail', `Sensor ${sensor.name} threw: ${msg}`);\n return failNeedle(needle, obs, 'validated', 'SENSOR_ERROR', `Sensor ${sensor.name} failed: ${msg}`);\n }\n\n recordSensor(obs, sensor.name, decision.allow, decision.riskScore, Date.now() - t0, decision.reasons);\n\n if (!decision.allow) {\n endStage(stage, 'fail', `Sensor ${sensor.name} denied`);\n return failNeedle(needle, obs, 'validated', 'SENSOR_DENY', decision.reasons[0] ?? `Denied by ${sensor.name}`);\n }\n }\n\n endStage(stage, 'ok');\n }\n\n // ── Phase 2: Execute (handler) ──\n needle.phase = 'executing';\n stage = startStage(obs, 'handler.execute');\n\n const handler = config.handlers.get(needle.intent.intent);\n if (!handler) {\n endStage(stage, 'fail', `No handler for intent '${needle.intent.intent}'`);\n return failNeedle(needle, obs, 'executing', 'NO_HANDLER', `No handler registered for intent '${needle.intent.intent}'`);\n }\n\n const handlerCtx: NeedleHandlerContext = {\n needle_id: needle.needle_id,\n actor_id: needle.intent.actor_id,\n presence_id: needle.presence.presence_id,\n writ: needle.writ,\n grants: needle.grants,\n tps_coordinate: needle.tps_coordinate,\n };\n\n let handlerResult: NeedleHandlerResult;\n try {\n handlerResult = await handler(needle.intent, handlerCtx);\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n endStage(stage, 'fail', msg);\n return failNeedle(needle, obs, 'executing', 'HANDLER_ERROR', msg);\n }\n\n if (!handlerResult.ok) {\n endStage(stage, 'fail', handlerResult.effect);\n obs.decision = 'DENY';\n obs.resultCode = handlerResult.effect;\n obs.statusCode = handlerResult.status_code ?? 400;\n } else {\n endStage(stage, 'ok');\n obs.decision = 'ALLOW';\n obs.resultCode = handlerResult.effect;\n obs.statusCode = handlerResult.status_code ?? 200;\n }\n\n if (handlerResult.data) {\n obs.facts = { ...obs.facts, ...handlerResult.data };\n }\n\n // ── Phase 3: Observe ──\n needle.phase = 'observed';\n finalizeObservation(obs, obs.decision ?? 'DENY', obs.statusCode ?? 500, obs.resultCode);\n needle.observation = obs;\n\n const verdict = scoreTruth(obs, expectedOutcome);\n needle.verdict = verdict;\n\n // ── Phase 4: Stitch ──\n needle.phase = 'stitched';\n stage = startStage(obs, 'stitch.form');\n\n const receipt = createReceipt(\n needle.writ,\n obs.decision ?? 'DENY',\n prevReceipt,\n );\n needle.receipt = receipt;\n\n const newThreadState = updateThreadState(\n receipt,\n needle.intent.actor_id,\n );\n\n const stitch = formStitch(needle, obs, verdict, receipt);\n needle.completed_at = Date.now();\n\n endStage(stage, 'ok');\n\n return {\n ok: handlerResult.ok,\n needle,\n stitch,\n thread_state: newThreadState,\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Helpers\n// ────────────────────────────────────────────────────────────────────────────\n\nfunction failNeedle(\n needle: Needle,\n obs: AxisObservation,\n phase: NeedlePhase,\n code: string,\n message: string,\n): NeedlePipelineResult {\n needle.phase = 'failed';\n needle.error = { phase, code, message };\n needle.completed_at = Date.now();\n\n obs.decision = obs.decision ?? 'DENY';\n obs.statusCode = obs.statusCode ?? 500;\n finalizeObservation(obs, obs.decision, obs.statusCode, obs.resultCode);\n needle.observation = obs;\n\n const verdict = scoreTruth(obs);\n needle.verdict = verdict;\n\n return {\n ok: false,\n needle,\n };\n}\n","/\n Knot Engine — Critical binding points in the Thread\n \n Operations:\n * openKnot() → start a knot (begin grouping stitches)\n * addStitch() → add a stitch to an open knot\n * validateKnot() → check if all stitches are valid and complete\n * tieKnot() → seal the knot (immutable from here)\n * breakKnot() → break a knot (requires authority for law/irreversible)\n * forkFromKnot() → create a new branch from a decision knot\n /\n\nimport { createHash, randomBytes } from 'crypto';\nimport type {\n Knot,\n KnotBreakRequest,\n KnotError,\n KnotStatus,\n KnotType,\n KnotValidationResult,\n} from './knot.types';\nimport type { Stitch } from './needle.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Open a Knot\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface OpenKnotParams {\n type: KnotType;\n thread_id: string;\n actor_id: string;\n tps_anchor?: string;\n capsule_id?: string;\n law_ref?: string;\n required_count?: number;\n all_or_nothing?: boolean;\n}\n\n/\n Open a new knot — begin grouping stitches into a critical binding point.\n /\nexport function openKnot(params: OpenKnotParams): Knot {\n const isIrreversible = params.type === 'irreversible';\n\n return {\n knot_id: `knot_${randomBytes(16).toString('hex')}`,\n type: params.type,\n status: 'open',\n stitch_ids: [],\n thread_id: params.thread_id,\n tps_anchor: params.tps_anchor,\n irreversible: isIrreversible,\n capsule_id: params.capsule_id,\n law_ref: params.law_ref,\n branch_ids: [],\n required_count: params.required_count,\n all_or_nothing: params.all_or_nothing ?? (params.type === 'authority' \|\| isIrreversible),\n actor_id: params.actor_id,\n created_at: Date.now(),\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Add Stitch to Knot\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Add a stitch to an open knot.\n * Returns an error string if the stitch cannot be added.\n /\nexport function addStitchToKnot(\n knot: Knot,\n stitch: Stitch,\n): string \| null {\n if (knot.status !== 'open') {\n return `Knot ${knot.knot_id} is ${knot.status}, cannot add stitches`;\n }\n\n if (stitch.thread_id !== knot.thread_id) {\n return `Stitch thread ${stitch.thread_id} does not match knot thread ${knot.thread_id}`;\n }\n\n if (knot.stitch_ids.includes(stitch.stitch_id)) {\n return `Stitch ${stitch.stitch_id} already in knot`;\n }\n\n // Authority knots: verify capsule matches\n if (knot.type === 'authority' && knot.capsule_id) {\n if (stitch.observation.capsuleId && stitch.observation.capsuleId !== knot.capsule_id) {\n return `Stitch capsule ${stitch.observation.capsuleId} does not match knot capsule ${knot.capsule_id}`;\n }\n }\n\n knot.stitch_ids.push(stitch.stitch_id);\n return null;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Validate Knot\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Validate a knot — check if all stitches are valid and the knot can be tied.\n /\nexport function validateKnot(\n knot: Knot,\n stitches: Stitch[],\n): KnotValidationResult {\n const errors: KnotError[] = [];\n const passedIds: string[] = [];\n const failedIds: string[] = [];\n\n // Rule 2: Knot must be fully witnessed — all stitches must exist\n const stitchMap = new Map(stitches.map((s) => [s.stitch_id, s]));\n\n for (const sid of knot.stitch_ids) {\n const stitch = stitchMap.get(sid);\n if (!stitch) {\n failedIds.push(sid);\n errors.push({\n code: 'KNOT_MISSING_STITCH',\n message: `Stitch ${sid} not found`,\n stitch_id: sid,\n });\n continue;\n }\n\n // Torn stitches fail validation\n if (stitch.kind === 'torn') {\n failedIds.push(sid);\n errors.push({\n code: 'KNOT_TORN_STITCH',\n message: `Stitch ${sid} is torn (failed/disputed)`,\n stitch_id: sid,\n });\n continue;\n }\n\n // Rule 3: Irreversible knots require deed-level stitches (not silent)\n if (knot.type === 'irreversible' && stitch.kind !== 'deed') {\n failedIds.push(sid);\n errors.push({\n code: 'KNOT_REQUIRES_DEED',\n message: `Irreversible knot requires deed stitch, got '${stitch.kind}'`,\n stitch_id: sid,\n });\n continue;\n }\n\n passedIds.push(sid);\n }\n\n // Check minimum required count\n if (knot.required_count !== undefined && knot.stitch_ids.length < knot.required_count) {\n errors.push({\n code: 'KNOT_INSUFFICIENT_STITCHES',\n message: `Knot requires ${knot.required_count} stitches, has ${knot.stitch_ids.length}`,\n });\n }\n\n // all_or_nothing: if any failed, knot cannot be tied\n const allPassed = failedIds.length === 0;\n const canTie = knot.all_or_nothing\n ? allPassed && (knot.required_count === undefined \|\| knot.stitch_ids.length >= knot.required_count)\n : passedIds.length > 0 && (knot.required_count === undefined \|\| passedIds.length >= knot.required_count);\n\n return {\n valid: allPassed && errors.length === 0,\n passed_stitch_ids: passedIds,\n failed_stitch_ids: failedIds,\n can_tie: canTie,\n errors,\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Tie Knot (seal it)\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Tie (seal) a knot — makes it immutable.\n * Computes a witness hash over all stitch receipt hashes.\n /\nexport function tieKnot(\n knot: Knot,\n stitches: Stitch[],\n): KnotValidationResult & { knot: Knot } {\n const validation = validateKnot(knot, stitches);\n\n if (!validation.can_tie) {\n return { ...validation, knot };\n }\n\n // Compute witness hash: H(stitch_receipt_hash_1 : stitch_receipt_hash_2 : ...)\n const receiptHashes = validation.passed_stitch_ids\n .map((sid) => stitches.find((s) => s.stitch_id === sid)!)\n .sort((a, b) => a.sequence - b.sequence)\n .map((s) => s.receipt.hash);\n\n const witnessPayload = receiptHashes.join(':');\n knot.witness_hash = createHash('sha256')\n .update(witnessPayload)\n .digest('hex');\n\n knot.status = 'tied';\n knot.tied_at = Date.now();\n\n return { ...validation, knot };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Break Knot\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Break a knot — requires authority for law/irreversible knots.\n \n Rule 1: Knot cannot be silently broken — must have reason + actor.\n * Rule 3: Irreversible knots require override_grant_id.\n /\nexport function breakKnot(\n knot: Knot,\n request: KnotBreakRequest,\n): { ok: boolean; error?: string } {\n if (knot.status === 'broken') {\n return { ok: false, error: 'Knot is already broken' };\n }\n\n if (knot.status === 'open') {\n // Open knots can be broken by the creator\n knot.status = 'broken';\n knot.broken_at = Date.now();\n knot.break_reason = request.reason;\n return { ok: true };\n }\n\n // Tied knots require stronger authority\n if (knot.status === 'tied') {\n // Rule 1: Must have a reason\n if (!request.reason) {\n return { ok: false, error: 'Breaking a tied knot requires a reason' };\n }\n\n // Rule 3: Irreversible + law knots need override authority\n if ((knot.irreversible \|\| knot.type === 'law') && !request.override_grant_id) {\n return {\n ok: false,\n error: `Breaking ${knot.type} knot requires override_grant_id from higher authority`,\n };\n }\n\n knot.status = 'broken';\n knot.broken_at = Date.now();\n knot.break_reason = request.reason;\n return { ok: true };\n }\n\n return { ok: false, error: `Cannot break knot in status '${knot.status}'` };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Fork from Knot\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Mark a knot as a decision/fork point and register a new branch.\n \n Rule 4: Forking from knot creates new branch.\n /\nexport function forkFromKnot(\n knot: Knot,\n branchId: string,\n decisionStitchId?: string,\n): { ok: boolean; error?: string } {\n if (knot.status !== 'tied' && knot.status !== 'open') {\n return { ok: false, error: `Cannot fork from knot in status '${knot.status}'` };\n }\n\n if (decisionStitchId) {\n if (!knot.stitch_ids.includes(decisionStitchId)) {\n return { ok: false, error: `Decision stitch ${decisionStitchId} is not part of this knot` };\n }\n knot.decision_stitch_id = decisionStitchId;\n }\n\n knot.branch_ids.push(branchId);\n knot.status = 'forked';\n return { ok: true };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Query Helpers\n// ────────────────────────────────────────────────────────────────────────────\n\n/* Check if a knot is still open and accepting stitches /\nexport function isKnotOpen(knot: Knot): boolean {\n return knot.status === 'open';\n}\n\n/* Check if a knot represents a point of no return /\nexport function isPointOfNoReturn(knot: Knot): boolean {\n return knot.irreversible && knot.status === 'tied';\n}\n\n/* Check if a stitch is part of any knot in a set /\nexport function findKnotsForStitch(\n stitchId: string,\n knots: Knot[],\n): Knot[] {\n return knots.filter((k) => k.stitch_ids.includes(stitchId));\n}\n\n/* Get all irreversible knots in a thread /\nexport function getIrreversibleKnots(knots: Knot[]): Knot[] {\n return knots.filter((k) => k.irreversible && k.status === 'tied');\n}\n\n/* Get decision points (fork knots) in a thread /\nexport function getDecisionPoints(knots: Knot[]): Knot[] {\n return knots.filter((k) => k.type === 'decision' \|\| k.status === 'forked');\n}\n","/\n Fabric Engine — State projection from stitches\n \n Weaves stitches into a unified state (Fabric).\n \n Operations:\n * createFabric() → empty fabric\n * applyStitch() → apply one stitch's effect to the fabric\n * weave() → project fabric from a sequence of stitches\n * projectAt() → compute fabric state at a specific TPS coordinate\n * queryFabric() → search fabric cells\n * diffFabrics() → compare two fabric states\n * lockCells() → mark cells as locked by an irreversible knot\n /\n\nimport { createHash, randomBytes } from 'crypto';\nimport type {\n Fabric,\n FabricCell,\n FabricDiff,\n FabricDiffEntry,\n FabricEffect,\n FabricEffectResolver,\n FabricQuery,\n} from './fabric.types';\nimport type { Knot } from './knot.types';\nimport type { Stitch } from './needle.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Create\n// ────────────────────────────────────────────────────────────────────────────\n\n/* Create an empty Fabric. /\nexport function createFabric(): Fabric {\n return {\n fabric_id: `fab_${randomBytes(16).toString('hex')}`,\n state_hash: hashState(new Map()),\n cells: new Map(),\n thread_ids: [],\n stitch_count: 0,\n knot_count: 0,\n computed_at: Date.now(),\n version: 0,\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Apply single stitch\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Apply a single stitch's effect to the fabric.\n * Mutates the fabric in place and increments version.\n /\nexport function applyStitch(\n fabric: Fabric,\n stitch: Stitch,\n effect: FabricEffect,\n): void {\n // Apply mutations\n for (const [key, value] of Object.entries(effect.mutations)) {\n if (value === null) {\n // Delete\n fabric.cells.delete(key);\n } else {\n const existing = fabric.cells.get(key);\n\n // Cannot write to locked cells\n if (existing?.locked) {\n continue;\n }\n\n fabric.cells.set(key, {\n key,\n value,\n last_stitch_id: stitch.stitch_id,\n last_tps: stitch.tps_coordinate,\n write_count: (existing?.write_count ?? 0) + 1,\n locked: false,\n });\n }\n }\n\n // Track thread\n if (!fabric.thread_ids.includes(stitch.thread_id)) {\n fabric.thread_ids.push(stitch.thread_id);\n }\n\n fabric.stitch_count++;\n fabric.version++;\n fabric.projected_at_tps = stitch.tps_coordinate ?? fabric.projected_at_tps;\n fabric.computed_at = Date.now();\n fabric.state_hash = hashState(fabric.cells);\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Weave (batch projection)\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Weave a sequence of stitches into a fabric.\n * Stitches must be in chronological order (by sequence).\n * The resolver extracts the FabricEffect from each stitch.\n /\nexport function weave(\n stitches: Stitch[],\n resolver: FabricEffectResolver,\n knots?: Knot[],\n): Fabric {\n const fabric = createFabric();\n\n // Sort by sequence to ensure deterministic ordering\n const sorted = [...stitches].sort((a, b) => a.sequence - b.sequence);\n\n for (const stitch of sorted) {\n // Skip torn stitches — they don't affect reality\n if (stitch.kind === 'torn') continue;\n\n const effect = resolver(stitch);\n applyStitch(fabric, stitch, effect);\n }\n\n // Apply knot locks\n if (knots) {\n for (const knot of knots) {\n if (knot.irreversible && knot.status === 'tied') {\n lockCellsByKnot(fabric, knot, stitches, resolver);\n fabric.knot_count++;\n }\n }\n }\n\n return fabric;\n}\n\n/\n Project fabric state at a specific TPS coordinate.\n * Only applies stitches up to (and including) the given TPS.\n /\nexport function projectAt(\n stitches: Stitch[],\n resolver: FabricEffectResolver,\n tpsFilter: (tps: string \| undefined) => boolean,\n knots?: Knot[],\n): Fabric {\n const filtered = stitches.filter((s) => tpsFilter(s.tps_coordinate));\n return weave(filtered, resolver, knots);\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Lock cells (irreversible knots)\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Lock all cells touched by stitches in an irreversible knot.\n * Locked cells cannot be overwritten by future stitches.\n /\nfunction lockCellsByKnot(\n fabric: Fabric,\n knot: Knot,\n stitches: Stitch[],\n resolver: FabricEffectResolver,\n): void {\n const knotStitchIds = new Set(knot.stitch_ids);\n const knotStitches = stitches.filter((s) => knotStitchIds.has(s.stitch_id));\n\n for (const stitch of knotStitches) {\n const effect = resolver(stitch);\n for (const key of Object.keys(effect.mutations)) {\n const cell = fabric.cells.get(key);\n if (cell) {\n cell.locked = true;\n cell.locked_by_knot = knot.knot_id;\n }\n }\n }\n}\n\n/* Manually lock specific cells by an irreversible knot. /\nexport function lockCells(\n fabric: Fabric,\n keys: string[],\n knotId: string,\n): void {\n for (const key of keys) {\n const cell = fabric.cells.get(key);\n if (cell) {\n cell.locked = true;\n cell.locked_by_knot = knotId;\n }\n }\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Query\n// ────────────────────────────────────────────────────────────────────────────\n\n/* Query the fabric for cells matching criteria. /\nexport function queryFabric(\n fabric: Fabric,\n query: FabricQuery,\n): FabricCell[] {\n let results = [...fabric.cells.values()];\n\n if (query.keys) {\n const keySet = new Set(query.keys);\n results = results.filter((c) => keySet.has(c.key));\n }\n\n if (query.prefix) {\n const prefix = query.prefix;\n results = results.filter((c) => c.key.startsWith(prefix));\n }\n\n if (query.locked_only) {\n results = results.filter((c) => c.locked);\n }\n\n return results;\n}\n\n/* Get a single cell value. /\nexport function getFabricValue(\n fabric: Fabric,\n key: string,\n): unknown \| undefined {\n return fabric.cells.get(key)?.value;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Diff\n// ────────────────────────────────────────────────────────────────────────────\n\n/* Compute the diff between two fabric states. /\nexport function diffFabrics(a: Fabric, b: Fabric): FabricDiff {\n const entries: FabricDiffEntry[] = [];\n let added = 0;\n let modified = 0;\n let deleted = 0;\n\n // Check all keys in B\n for (const [key, cellB] of b.cells) {\n const cellA = a.cells.get(key);\n if (!cellA) {\n entries.push({\n key,\n kind: 'added',\n after: cellB.value,\n caused_by_stitch: cellB.last_stitch_id,\n });\n added++;\n } else if (JSON.stringify(cellA.value) !== JSON.stringify(cellB.value)) {\n entries.push({\n key,\n kind: 'modified',\n before: cellA.value,\n after: cellB.value,\n caused_by_stitch: cellB.last_stitch_id,\n });\n modified++;\n }\n }\n\n // Check keys in A but not in B (deleted)\n for (const [key, cellA] of a.cells) {\n if (!b.cells.has(key)) {\n entries.push({\n key,\n kind: 'deleted',\n before: cellA.value,\n });\n deleted++;\n }\n }\n\n return {\n from_fabric_id: a.fabric_id,\n to_fabric_id: b.fabric_id,\n entries,\n added_count: added,\n modified_count: modified,\n deleted_count: deleted,\n };\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Hash\n// ────────────────────────────────────────────────────────────────────────────\n\nfunction hashState(cells: Map<string, FabricCell>): string {\n const keys = [...cells.keys()].sort();\n const payload = keys\n .map((k) => `${k}=${JSON.stringify(cells.get(k)!.value)}`)\n .join('\\n');\n return createHash('sha256').update(payload).digest('hex');\n}\n","/\n Pattern Engine — Detect, record, and predict from recurring structures\n \n Operations:\n * InMemoryPatternStore → simple pattern storage\n * detectSequencePattern() → find recurring intent sequences in stitches\n * detectKnotPattern() → find recurring knot formations\n * matchPatterns() → check stitches against known patterns\n * recordOccurrence() → update a pattern when it's seen again\n /\n\nimport { randomBytes } from 'crypto';\nimport type {\n Pattern,\n PatternKind,\n PatternMatch,\n PatternSignature,\n PatternStore,\n} from './pattern.types';\nimport type { Knot } from './knot.types';\nimport type { Stitch } from './needle.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// In-Memory Pattern Store\n// ────────────────────────────────────────────────────────────────────────────\n\nexport class InMemoryPatternStore implements PatternStore {\n private patterns = new Map<string, Pattern>();\n\n save(pattern: Pattern): void {\n this.patterns.set(pattern.pattern_id, pattern);\n }\n\n get(patternId: string): Pattern \| undefined {\n return this.patterns.get(patternId);\n }\n\n findByKind(kind: PatternKind): Pattern[] {\n return [...this.patterns.values()].filter((p) => p.kind === kind);\n }\n\n findByIntent(intent: string): Pattern[] {\n return [...this.patterns.values()].filter(\n (p) => p.signature.intent_sequence?.includes(intent),\n );\n }\n\n all(): Pattern[] {\n return [...this.patterns.values()];\n }\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Sequence Pattern Detection\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Detect recurring intent sequences within a set of stitches.\n * Uses a sliding window to find sequences that appear at least `minOccurrences` times.\n /\nexport function detectSequencePatterns(\n stitches: Stitch[],\n windowSize: number,\n minOccurrences: number,\n): Pattern[] {\n if (stitches.length < windowSize \|\| windowSize < 2) return [];\n\n const sorted = [...stitches].sort((a, b) => a.sequence - b.sequence);\n const sequenceCounts = new Map<string, { count: number; stitch_ids: string[][] }>();\n\n // Slide window across stitches\n for (let i = 0; i <= sorted.length - windowSize; i++) {\n const window = sorted.slice(i, i + windowSize);\n const key = window.map((s) => s.intent).join('→');\n const ids = window.map((s) => s.stitch_id);\n\n const existing = sequenceCounts.get(key);\n if (existing) {\n existing.count++;\n existing.stitch_ids.push(ids);\n } else {\n sequenceCounts.set(key, { count: 1, stitch_ids: [ids] });\n }\n }\n\n // Filter by minimum occurrences\n const patterns: Pattern[] = [];\n const now = Date.now();\n\n for (const [key, data] of sequenceCounts) {\n if (data.count < minOccurrences) continue;\n\n const intents = key.split('→');\n const confidence = Math.min(data.count / (minOccurrences 2), 1.0);\n\n patterns.push({\n pattern_id: `pat_seq_${randomBytes(8).toString('hex')}`,\n kind: 'sequence',\n name: `Sequence: ${intents.join(' → ')}`,\n signature: {\n intent_sequence: intents,\n min_length: windowSize,\n max_length: windowSize,\n },\n confidence,\n occurrence_count: data.count,\n first_seen_at: now,\n last_seen_at: now,\n seen_in_threads: [...new Set(\n data.stitch_ids.flatMap((ids) =>\n ids.map((id) => sorted.find((s) => s.stitch_id === id)?.thread_id).filter(Boolean) as string[],\n ),\n )],\n classification: 'unclassified',\n });\n }\n\n return patterns;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Knot Pattern Detection\n// ────────────────────────────────────────────────────────────────────────────\n\n/*\n Detect recurring knot formations (same type + similar size).\n /\nexport function detectKnotPatterns(\n knots: Knot[],\n minOccurrences: number,\n): Pattern[] {\n const groups = new Map<string, Knot[]>();\n\n for (const knot of knots) {\n if (knot.status !== 'tied') continue;\n const key = `${knot.type}:${knot.stitch_ids.length}`;\n const group = groups.get(key) ?? [];\n group.push(knot);\n groups.set(key, group);\n }\n\n const patterns: Pattern[] = [];\n const now = Date.now();\n\n for (const [key, group] of groups) {\n if (group.length < minOccurrences) continue;\n\n const [type, sizeStr] = key.split(':');\n const size = parseInt(sizeStr, 10);\n const confidence = Math.min(group.length / (minOccurrences 2), 1.0);\n\n patterns.push({\n pattern_id: `pat_knot_${randomBytes(8).toString('hex')}`,\n kind: 'knot',\n name: `Knot: ${type} (${size} stitches)`,\n signature: {\n knot_type: type as Pattern['signature']['knot_type'],\n knot_size: size,\n },\n confidence,\n occurrence_count: group.length,\n first_seen_at: now,\n last_seen_at: now,\n seen_in_threads: [...new Set(group.map((k) => k.thread_id))],\n classification: 'unclassified',\n });\n }\n\n return patterns;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Pattern Matching\n// ────────────────────────────────────────────────────────────────────────────\n\n/*\n Match a set of stitches against known patterns.\n * Returns all matches with their scores.\n /\nexport function matchPatterns(\n stitches: Stitch[],\n patterns: Pattern[],\n): PatternMatch[] {\n const sorted = [...stitches].sort((a, b) => a.sequence - b.sequence);\n const matches: PatternMatch[] = [];\n const now = Date.now();\n\n for (const pattern of patterns) {\n if (pattern.kind === 'sequence' && pattern.signature.intent_sequence) {\n const seq = pattern.signature.intent_sequence;\n const seqLen = seq.length;\n\n // Slide window\n for (let i = 0; i <= sorted.length - seqLen; i++) {\n const window = sorted.slice(i, i + seqLen);\n const windowIntents = window.map((s) => s.intent);\n\n if (windowIntents.every((intent, idx) => intent === seq[idx])) {\n matches.push({\n pattern_id: pattern.pattern_id,\n matched_stitch_ids: window.map((s) => s.stitch_id),\n match_score: 1.0,\n thread_id: window[0].thread_id,\n detected_at: now,\n });\n }\n }\n }\n }\n\n return matches;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Record Occurrence\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Record that a pattern was observed again.\n * Updates occurrence count, last_seen_at, confidence, and thread tracking.\n /\nexport function recordOccurrence(\n pattern: Pattern,\n threadId: string,\n): void {\n pattern.occurrence_count++;\n pattern.last_seen_at = Date.now();\n\n // Confidence grows with occurrences (asymptotic to 1.0)\n pattern.confidence = 1 - 1 / (1 + pattern.occurrence_count 0.5);\n\n if (!pattern.seen_in_threads.includes(threadId)) {\n pattern.seen_in_threads.push(threadId);\n }\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Anomaly Detection\n// ────────────────────────────────────────────────────────────────────────────\n\n/*\n Check if recent stitches deviate from established patterns.\n * Returns anomaly patterns for sequences that should match but don't.\n /\nexport function detectAnomalies(\n recentStitches: Stitch[],\n knownPatterns: Pattern[],\n threshold: number = 0.7,\n): Pattern[] {\n const anomalies: Pattern[] = [];\n const sorted = [...recentStitches].sort((a, b) => a.sequence - b.sequence);\n const now = Date.now();\n\n for (const pattern of knownPatterns) {\n if (pattern.kind !== 'sequence' \|\| !pattern.signature.intent_sequence) continue;\n if (pattern.confidence < threshold) continue;\n\n const seq = pattern.signature.intent_sequence;\n // Check if the sequence started but didn't complete\n if (sorted.length >= 1 && sorted.length < seq.length) {\n const partialMatch = sorted.every(\n (s, i) => i < seq.length && s.intent === seq[i],\n );\n\n if (partialMatch) {\n // Started the pattern but didn't finish — might be anomaly\n const expectedNext = seq[sorted.length];\n const lastStitch = sorted[sorted.length - 1];\n\n // Only flag if the pattern is well-established\n if (pattern.occurrence_count >= 3) {\n anomalies.push({\n pattern_id: `pat_anom_${randomBytes(8).toString('hex')}`,\n kind: 'anomaly',\n name: `Incomplete: ${pattern.name}`,\n description: `Expected '${expectedNext}' after '${lastStitch.intent}' based on pattern '${pattern.name}'`,\n signature: pattern.signature,\n confidence: pattern.confidence 0.8,\n occurrence_count: 1,\n first_seen_at: now,\n last_seen_at: now,\n seen_in_threads: [lastStitch.thread_id],\n classification: 'anomalous',\n });\n }\n }\n }\n }\n\n return anomalies;\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport type { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/*\n Configuration for the TPS Sensor.\n /\nexport interface TpsSensorOptions {\n /\n Maximum allowed clock drift in milliseconds between\n * the TPS coordinate timestamp and server time.\n * Defaults to 30_000 (30 seconds).\n /\n maxDriftMs?: number;\n\n /\n Optional function to resolve a TPS coordinate string\n * into a UTC epoch milliseconds value.\n * If not provided, the sensor parses i-notation directly.\n /\n resolver?: (tps: string) => number \| null;\n}\n\n/* TPS epoch: 1999-08-11T07:00:00Z in milliseconds /\nconst TPS_EPOCH_MS = 934354800000;\n\n/\n Parse a TPS i-notation coordinate (e.g. 'i858993459200.000')\n * into a UTC epoch milliseconds value.\n /\nfunction parseINotation(tps: string): number \| null {\n if (!tps.startsWith('i')) return null;\n const num = Number(tps.slice(1));\n if (!Number.isFinite(num)) return null;\n // i-notation is milliseconds since TPS epoch\n return TPS_EPOCH_MS + num;\n}\n\n/\n TPS Sensor — Temporal Positioning System time gate.\n \n Validates that the TPS coordinate attached to a request\n * is structurally valid and not excessively drifted from\n * the server's current time (guards against replay and\n * future-dated requests).\n \n Sensor rules:\n * - If no TPS coordinate is present, the sensor allows (other sensors gate identity).\n * - If the TPS coordinate is structurally invalid, DENY.\n * - If the resolved timestamp drifts beyond maxDriftMs, DENY.\n /\n@Sensor()\n@Injectable()\nexport class TpsSensor implements AxisSensor {\n readonly name = 'TpsSensor';\n readonly order = BAND.POLICY + 2; // runs early in POLICY band, before Law\n\n private readonly maxDriftMs: number;\n private readonly resolver: (tps: string) => number \| null;\n\n constructor(options: TpsSensorOptions = {}) {\n this.maxDriftMs = options.maxDriftMs ?? 30_000;\n this.resolver = options.resolver ?? parseINotation;\n }\n\n supports(input: SensorInput): boolean {\n // Only run when a TPS coordinate is present\n const tps =\n input.metadata?.tps_coordinate ??\n input.metadata?.tps ??\n input.packet?.tps;\n return typeof tps === 'string' && tps.length > 0;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const tps: string =\n input.metadata?.tps_coordinate ??\n input.metadata?.tps ??\n input.packet?.tps;\n\n // Resolve to UTC ms\n const resolved = this.resolver(tps);\n\n if (resolved === null) {\n return {\n allow: false,\n riskScore: 80,\n reasons: [`TPS coordinate '${tps}' is structurally invalid`],\n code: 'TPS_INVALID_FORMAT',\n };\n }\n\n // Check drift\n const now = Date.now();\n const drift = Math.abs(now - resolved);\n\n if (drift > this.maxDriftMs) {\n const direction = resolved > now ? 'future' : 'past';\n return {\n allow: false,\n riskScore: 70,\n reasons: [\n `TPS drift ${drift}ms exceeds max ${this.maxDriftMs}ms (${direction})`,\n ],\n code: 'TPS_DRIFT_EXCEEDED',\n tags: { tpsDriftMs: drift, tpsDirection: direction },\n };\n }\n\n return {\n allow: true,\n riskScore: 0,\n reasons: [],\n tags: {\n tpsResolved: resolved,\n tpsDriftMs: drift,\n },\n };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport type { RiskSignal, RiskEvaluation } from '../risk';\nimport { RiskDecision } from '../risk';\nimport type { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/\n Risk signal collector function.\n * Implementations gather signals from the request context\n * (anomaly scores, geo risk, velocity checks, device fingerprint, etc.)\n /\nexport type RiskSignalCollector = (\n input: SensorInput,\n) => Promise<RiskSignal[]> \| RiskSignal[];\n\n/\n Configuration for the Risk Gate Sensor.\n /\nexport interface RiskGateSensorOptions {\n /\n One or more collectors that produce RiskSignals.\n * All collectors run and their signals are aggregated.\n /\n collectors: RiskSignalCollector[];\n\n /\n Risk score threshold at which the sensor denies (0–100).\n * Defaults to 75.\n /\n denyThreshold?: number;\n\n /\n Risk score threshold at which the sensor flags but allows (0–100).\n * Defaults to 40.\n /\n flagThreshold?: number;\n}\n\n/* Map severity to a numeric weight /\nconst SEVERITY_WEIGHT: Record<RiskSignal['severity'], number> = {\n low: 10,\n medium: 25,\n high: 50,\n critical: 100,\n};\n\n/\n Risk Gate Sensor — Aggregates risk signals into a gate decision.\n \n Collects signals from pluggable collectors, computes a weighted\n * aggregate risk score, and translates RiskDecision into a\n * SensorDecision the chain can enforce.\n \n Runs in the BUSINESS band so all identity, policy, and content\n * sensors have already contributed their metadata.\n /\n@Sensor()\n@Injectable()\nexport class RiskGateSensor implements AxisSensor {\n readonly name = 'RiskGateSensor';\n readonly order = BAND.BUSINESS + 10;\n\n private readonly collectors: RiskSignalCollector[];\n private readonly denyThreshold: number;\n private readonly flagThreshold: number;\n\n constructor(options: RiskGateSensorOptions) {\n this.collectors = options.collectors;\n this.denyThreshold = options.denyThreshold ?? 75;\n this.flagThreshold = options.flagThreshold ?? 40;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n // Collect all signals in parallel\n const results = await Promise.all(\n this.collectors.map((c) => c(input)),\n );\n const signals: RiskSignal[] = results.flat();\n\n // Aggregate: weighted mean of severity scores, capped at 100\n let totalWeight = 0;\n let weightedSum = 0;\n for (const signal of signals) {\n const w = SEVERITY_WEIGHT[signal.severity];\n totalWeight += 1;\n weightedSum += w;\n }\n const aggregateScore =\n totalWeight > 0 ? Math.min(100, Math.round(weightedSum / totalWeight)) : 0;\n\n // Evaluate\n const evaluation = this.evaluate(aggregateScore, signals);\n\n // Store evaluation in metadata for downstream consumers\n input.metadata = {\n ...(input.metadata ?? {}),\n riskEvaluation: evaluation,\n };\n\n if (evaluation.decision === RiskDecision.DENY) {\n return {\n allow: false,\n riskScore: aggregateScore,\n reasons: signals.map((s) => s.message),\n code: 'RISK_GATE_DENY',\n tags: { riskDecision: evaluation.decision, signalCount: signals.length },\n };\n }\n\n if (evaluation.decision === RiskDecision.THROTTLE) {\n return {\n allow: false,\n riskScore: aggregateScore,\n reasons: signals.map((s) => s.message),\n code: 'RISK_GATE_THROTTLE',\n retryAfterMs: evaluation.retryAfterMs,\n tags: { riskDecision: evaluation.decision, signalCount: signals.length },\n };\n }\n\n // ALLOW, STEP_UP, WITNESS, FLAG — allow but propagate score\n return {\n allow: true,\n riskScore: aggregateScore,\n reasons: signals\n .filter((s) => s.severity === 'medium' \|\| s.severity === 'high')\n .map((s) => s.message),\n tags: {\n riskDecision: evaluation.decision,\n signalCount: signals.length,\n },\n };\n }\n\n private evaluate(\n score: number,\n signals: RiskSignal[],\n ): RiskEvaluation {\n // Any critical signal → immediate DENY\n const hasCritical = signals.some((s) => s.severity === 'critical');\n if (hasCritical) {\n return {\n decision: RiskDecision.DENY,\n reason: 'Critical risk signal detected',\n confidence: 1,\n signals,\n };\n }\n\n if (score >= this.denyThreshold) {\n return {\n decision: RiskDecision.DENY,\n reason: `Aggregate risk score ${score} exceeds deny threshold ${this.denyThreshold}`,\n confidence: score / 100,\n signals,\n };\n }\n\n if (score >= this.flagThreshold) {\n return {\n decision: RiskDecision.STEP_UP,\n reason: `Aggregate risk score ${score} exceeds flag threshold ${this.flagThreshold}`,\n confidence: score / 100,\n signals,\n };\n }\n\n return {\n decision: RiskDecision.ALLOW,\n confidence: 1 - score / 100,\n signals,\n };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport type { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/\n A TickAuth capsule as provided by the transport layer\n * or extracted by an earlier sensor.\n /\nexport interface TickAuthCapsuleRef {\n capsule_id: string;\n capsule_type?: string;\n intent?: string;\n mode?: string;\n verification?: {\n status: 'approved' \| 'denied' \| 'expired' \| 'replay_rejected' \| 'consumed' \| 'revoked';\n reason?: string;\n };\n scope?: string[];\n single_use?: boolean;\n tick_index?: number;\n}\n\n/\n Pluggable TickAuth verifier.\n * Returns `null` if verification succeeds, or an error string if it fails.\n /\nexport type TickAuthVerifier = (\n capsule: TickAuthCapsuleRef,\n input: SensorInput,\n) => Promise<string \| null> \| (string \| null);\n\n/\n Configuration for the TickAuth Sensor.\n /\nexport interface TickAuthSensorOptions {\n /\n Optional external verifier that performs full TickAuth handshake\n * validation (signature, window, replay).\n * If not provided the sensor performs structural checks only.\n /\n verifier?: TickAuthVerifier;\n\n /\n Whether to require the capsule intent to match the AXIS intent.\n * Defaults to true.\n /\n matchIntent?: boolean;\n\n /\n Accept these capsule types. If empty, all types are accepted.\n /\n acceptTypes?: string[];\n}\n\n/\n TickAuth Sensor — Validates TickAuth capsule handshake.\n \n Goes beyond `ProofPresenceSensor` (which only checks capsule presence)\n * to verify the capsule's structural integrity:\n \n 1. Capsule exists and has a valid ID\n * 2. Capsule status is 'approved'\n * 3. Capsule type is in the accept list (if configured)\n * 4. Capsule intent matches the AXIS intent (if matchIntent)\n * 5. External verifier (signature + replay + window) passes\n \n Runs in the IDENTITY band after proof-presence.\n /\n@Sensor()\n@Injectable()\nexport class TickAuthSensor implements AxisSensor {\n readonly name = 'TickAuthSensor';\n readonly order = BAND.IDENTITY + 40; // after ProofPresenceSensor (30)\n\n private readonly verifier?: TickAuthVerifier;\n private readonly matchIntent: boolean;\n private readonly acceptTypes: Set<string> \| null;\n\n constructor(options: TickAuthSensorOptions = {}) {\n this.verifier = options.verifier;\n this.matchIntent = options.matchIntent ?? true;\n this.acceptTypes = options.acceptTypes?.length\n ? new Set(options.acceptTypes)\n : null;\n }\n\n supports(input: SensorInput): boolean {\n // Only engage when a capsule reference is present\n return !!(\n input.metadata?.capsule \|\|\n input.metadata?.tickauthCapsule \|\|\n input.metadata?.cceEnvelope?.capsule\n );\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule: TickAuthCapsuleRef \| undefined =\n input.metadata?.capsule ??\n input.metadata?.tickauthCapsule ??\n input.metadata?.cceEnvelope?.capsule;\n\n if (!capsule) {\n return {\n allow: false,\n riskScore: 90,\n reasons: ['TickAuth capsule not found'],\n code: 'TICKAUTH_MISSING',\n };\n }\n\n // 1. Structural: capsule_id must be present\n if (!capsule.capsule_id \|\| typeof capsule.capsule_id !== 'string') {\n return {\n allow: false,\n riskScore: 100,\n reasons: ['TickAuth capsule has no valid capsule_id'],\n code: 'TICKAUTH_INVALID_ID',\n };\n }\n\n // 2. Status check\n const status = capsule.verification?.status;\n if (status && status !== 'approved') {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `TickAuth capsule status is '${status}'${capsule.verification?.reason ? `: ${capsule.verification.reason}` : ''}`,\n ],\n code: `TICKAUTH_STATUS_${status.toUpperCase()}`,\n };\n }\n\n // 3. Type filter\n if (this.acceptTypes && capsule.capsule_type) {\n if (!this.acceptTypes.has(capsule.capsule_type)) {\n return {\n allow: false,\n riskScore: 80,\n reasons: [\n `TickAuth capsule type '${capsule.capsule_type}' is not in accept list`,\n ],\n code: 'TICKAUTH_TYPE_REJECTED',\n };\n }\n }\n\n // 4. Intent match\n if (this.matchIntent && input.intent && capsule.intent) {\n if (capsule.intent !== input.intent) {\n return {\n allow: false,\n riskScore: 80,\n reasons: [\n `TickAuth capsule intent '${capsule.intent}' does not match AXIS intent '${input.intent}'`,\n ],\n code: 'TICKAUTH_INTENT_MISMATCH',\n };\n }\n }\n\n // 5. External verifier (full handshake: sig, window, replay)\n if (this.verifier) {\n const error = await this.verifier(capsule, input);\n if (error) {\n return {\n allow: false,\n riskScore: 90,\n reasons: [`TickAuth verification failed: ${error}`],\n code: 'TICKAUTH_VERIFY_FAILED',\n };\n }\n }\n\n return {\n allow: true,\n riskScore: 0,\n reasons: [],\n tags: {\n tickauthCapsuleId: capsule.capsule_id,\n tickauthMode: capsule.mode,\n tickauthSingleUse: capsule.single_use,\n },\n };\n }\n}\n","/\n CCE Envelope Validation Sensor\n \n Band: WIRE (order: 5)\n * Phase: PRE_DECODE\n \n Step 1-2 from CCE verification order:\n * 1. Validate envelope schema\n * 2. Check protocol version\n \n Fast-fails malformed CCE requests before any crypto work.\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, CCE_NONCE_BYTES, CCE_PROTOCOL_VERSION, type CceRequestEnvelope } from \"../cce.types\";\n\nconst REQUIRED_FIELDS: (keyof CceRequestEnvelope)[] = [\n \"ver\",\n \"request_id\",\n \"correlation_id\",\n \"client_kid\",\n \"capsule\",\n \"encrypted_key\",\n \"encrypted_payload\",\n \"request_nonce\",\n \"client_sig\",\n \"content_type\",\n \"algorithms\",\n];\n\nexport class CceEnvelopeValidationSensor implements AxisSensor {\n readonly name = \"cce.envelope.validation\";\n readonly order = 5;\n readonly phase = \"PRE_DECODE\" as const;\n\n supports(input: SensorInput): boolean {\n // Only process CCE envelopes (detected by metadata flag or content type)\n return (\n input.metadata?.cce === true \|\|\n input.metadata?.contentType === \"application/axis-cce\"\n );\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.INVALID_ENVELOPE],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Check required fields\n for (const field of REQUIRED_FIELDS) {\n if (envelope[field] === undefined \|\| envelope[field] === null) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: missing ${field}`],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n }\n\n // Check protocol version\n if (envelope.ver !== CCE_PROTOCOL_VERSION) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.UNSUPPORTED_VERSION}: ${envelope.ver}`],\n code: CCE_ERROR.UNSUPPORTED_VERSION,\n };\n }\n\n // Validate request nonce format (must be hex, correct length)\n if (!/^[0-9a-f]+$/i.test(envelope.request_nonce)) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INVALID_ENVELOPE}: invalid request_nonce format`,\n ],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n if (envelope.request_nonce.length !== CCE_NONCE_BYTES 2) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.INVALID_ENVELOPE}: request_nonce wrong length`],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Validate capsule has required fields\n const capsule = envelope.capsule;\n if (\n !capsule.capsule_id \|\|\n !capsule.ver \|\|\n !capsule.sub \|\|\n !capsule.kid \|\|\n !capsule.intent \|\|\n !capsule.aud \|\|\n !capsule.issuer_sig\n ) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.MISSING_CAPSULE}: incomplete capsule claims`],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Validate encrypted key structure\n if (!envelope.encrypted_key.ciphertext \|\| !envelope.encrypted_key.alg) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.MISSING_ENCRYPTED_KEY}: incomplete encrypted_key`,\n ],\n code: CCE_ERROR.MISSING_ENCRYPTED_KEY,\n };\n }\n\n // Pass: store parsed envelope in metadata for downstream sensors\n input.metadata = input.metadata ?? {};\n input.metadata.cceEnvelopeValid = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/*\n CCE Client Signature Verification Sensor\n \n Band: IDENTITY (order: 45)\n * Phase: POST_DECODE\n \n Steps 4-5 from CCE verification order:\n * 4. Resolve client public key\n * 5. Verify client signature over canonical envelope\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceRequestEnvelope } from \"../cce.types\";\n\n/\n Key resolver interface — implementations can look up Redis, DB, or in-memory.\n /\nexport interface CceClientKeyResolver {\n resolve(kid: string): Promise<{ publicKeyHex: string; alg: string } \| null>;\n}\n\n/\n Signature verifier interface — pluggable for Ed25519, ES256, etc.\n /\nexport interface CceSignatureVerifier {\n verify(\n message: Uint8Array,\n signatureHex: string,\n publicKeyHex: string,\n alg: string,\n ): Promise<boolean>;\n}\n\nexport class CceClientSignatureSensor implements AxisSensor {\n readonly name = \"cce.client.signature\";\n readonly order = 45;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n private readonly keyResolver: CceClientKeyResolver,\n private readonly signatureVerifier: CceSignatureVerifier,\n ) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceEnvelopeValid === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const envelope = input.metadata?.cceEnvelope as CceRequestEnvelope;\n if (!envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.INVALID_ENVELOPE],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Step 4: Resolve client public key\n const keyRecord = await this.keyResolver.resolve(envelope.client_kid);\n if (!keyRecord) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.CLIENT_KEY_NOT_FOUND}: kid=${envelope.client_kid}`,\n ],\n code: CCE_ERROR.CLIENT_KEY_NOT_FOUND,\n };\n }\n\n // Step 5: Verify client signature\n // Canonical signing payload: everything except client_sig\n const { client_sig, ...signable } = envelope;\n const canonical = canonicalize(signable);\n const message = new TextEncoder().encode(canonical);\n\n const valid = await this.signatureVerifier.verify(\n message,\n client_sig.value,\n keyRecord.publicKeyHex,\n keyRecord.alg,\n );\n\n if (!valid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.CLIENT_SIG_INVALID],\n code: CCE_ERROR.CLIENT_SIG_INVALID,\n };\n }\n\n // Store resolved key for downstream\n input.metadata = input.metadata ?? {};\n input.metadata.cceClientKey = keyRecord;\n input.metadata.cceClientSigVerified = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: { kid: envelope.client_kid },\n };\n }\n}\n\n// Canonical JSON for deterministic signature verification\nfunction canonicalize(obj: unknown): string {\n if (Array.isArray(obj)) {\n return \"[\" + obj.map(canonicalize).join(\",\") + \"]\";\n }\n if (obj !== null && typeof obj === \"object\") {\n const sorted = Object.keys(obj as object)\n .sort()\n .map(\n (k) =>\n JSON.stringify(k) +\n \":\" +\n canonicalize((obj as Record<string, unknown>)[k]),\n );\n return \"{\" + sorted.join(\",\") + \"}\";\n }\n return JSON.stringify(obj);\n}\n","/\n CCE Capsule Verification Sensor\n \n Band: IDENTITY (order: 50)\n * Phase: POST_DECODE\n \n Step 6 from CCE verification order:\n * 6. Parse capsule, verify TickAuth signature, verify integrity\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, CCE_PROTOCOL_VERSION, type CceCapsuleClaims } from \"../cce.types\";\n\n/\n TickAuth issuer key resolver.\n /\nexport interface CceIssuerKeyResolver {\n resolve(kid: string): Promise<{ publicKeyHex: string } \| null>;\n}\n\n/\n Signature verifier for capsule issuer signatures.\n /\nexport interface CceCapsuleSignatureVerifier {\n verify(\n claims: Omit<CceCapsuleClaims, \"issuer_sig\">,\n signature: { alg: string; kid: string; value: string },\n publicKeyHex: string,\n ): Promise<boolean>;\n}\n\nexport class CceCapsuleVerificationSensor implements AxisSensor {\n readonly name = \"cce.capsule.verification\";\n readonly order = 50;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n private readonly issuerKeyResolver: CceIssuerKeyResolver,\n private readonly capsuleVerifier: CceCapsuleSignatureVerifier,\n ) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceEnvelopeValid === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceEnvelope?.capsule as\n \| CceCapsuleClaims\n \| undefined;\n\n if (!capsule) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Verify protocol version\n if (capsule.ver !== CCE_PROTOCOL_VERSION) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.CAPSULE_SIG_INVALID}: wrong version ${capsule.ver}`,\n ],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Verify content integrity (ID matches hash)\n const { capsule_id, issuer_sig, ...claimsBody } = capsule;\n const expectedId = computeCceCapsuleId(claimsBody);\n if (capsule_id !== expectedId) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: content hash mismatch`],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Resolve TickAuth issuer key\n const issuerKey = await this.issuerKeyResolver.resolve(\n capsule.issuer_sig.kid,\n );\n if (!issuerKey) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_SIG_INVALID}: issuer key not found`],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Verify issuer signature\n const { issuer_sig: sig, ...rest } = capsule;\n const sigValid = await this.capsuleVerifier.verify(\n rest,\n sig,\n issuerKey.publicKeyHex,\n );\n if (!sigValid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.CAPSULE_SIG_INVALID],\n code: CCE_ERROR.CAPSULE_SIG_INVALID,\n };\n }\n\n // Check expiry\n const nowSeconds = Math.floor(Date.now() / 1000);\n if (capsule.exp < nowSeconds) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_EXPIRED}: exp=${capsule.exp}`],\n code: CCE_ERROR.CAPSULE_EXPIRED,\n };\n }\n\n // Check not-yet-valid (iat in future with tolerance)\n if (capsule.iat > nowSeconds + 5) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_NOT_YET_VALID}: iat=${capsule.iat}`],\n code: CCE_ERROR.CAPSULE_NOT_YET_VALID,\n };\n }\n\n // Store verified capsule for downstream\n input.metadata = input.metadata ?? {};\n input.metadata.cceCapsuleVerified = true;\n input.metadata.cceCapsule = capsule;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n meta: { capsule_id: capsule.capsule_id },\n };\n }\n}\n\n// Content-addressed capsule ID computation\nimport { blake3 } from \"@noble/hashes/blake3.js\";\nimport { bytesToHex } from \"@noble/hashes/utils.js\";\n\nfunction canonicalize(obj: unknown): string {\n if (Array.isArray(obj)) {\n return \"[\" + obj.map(canonicalize).join(\",\") + \"]\";\n }\n if (obj !== null && typeof obj === \"object\") {\n const sorted = Object.keys(obj as object)\n .sort()\n .map(\n (k) =>\n JSON.stringify(k) +\n \":\" +\n canonicalize((obj as Record<string, unknown>)[k]),\n );\n return \"{\" + sorted.join(\",\") + \"}\";\n }\n return JSON.stringify(obj);\n}\n\nfunction computeCceCapsuleId(claims: Record<string, unknown>): string {\n const canonical = canonicalize(claims);\n const hash = blake3(new TextEncoder().encode(canonical));\n return \"cce_b3_\" + bytesToHex(hash).slice(0, 32);\n}\n","/\n CCE TPS Window Validation Sensor\n \n Band: POLICY (order: 92)\n * Phase: POST_DECODE\n \n Step 7 from CCE verification order:\n * 7. Verify TPS window is current (not expired, not future)\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceCapsuleClaims } from \"../cce.types\";\n\n/* Maximum acceptable clock skew in milliseconds /\nconst DEFAULT_SKEW_MS = 5000;\n\nexport class CceTpsWindowSensor implements AxisSensor {\n readonly name = \"cce.tps.window\";\n readonly order = 92;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(private readonly skewMs: number = DEFAULT_SKEW_MS) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceCapsuleVerified === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceCapsule as CceCapsuleClaims \| undefined;\n if (!capsule) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n const nowMs = Date.now();\n\n // Check if TPS window has expired (with skew tolerance)\n if (nowMs > capsule.tps_to + this.skewMs) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.TPS_WINDOW_EXPIRED}: window ended at ${capsule.tps_to}, now=${nowMs}`,\n ],\n code: CCE_ERROR.TPS_WINDOW_EXPIRED,\n };\n }\n\n // Check if TPS window is in the future (with skew tolerance)\n if (nowMs < capsule.tps_from - this.skewMs) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.TPS_WINDOW_FUTURE}: window starts at ${capsule.tps_from}, now=${nowMs}`,\n ],\n code: CCE_ERROR.TPS_WINDOW_FUTURE,\n };\n }\n\n input.metadata = input.metadata ?? {};\n input.metadata.cceTpsValid = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/\n CCE Audience & Intent Binding Sensor\n \n Band: POLICY (order: 95)\n * Phase: POST_DECODE\n \n Steps 8-9 from CCE verification order:\n * 8. Verify audience matches this AXIS instance\n * 9. Verify intent matches the capsule-bound intent\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceCapsuleClaims, type CceRequestEnvelope } from \"../cce.types\";\n\nexport class CceAudienceIntentBindingSensor implements AxisSensor {\n readonly name = \"cce.audience.intent.binding\";\n readonly order = 95;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n /* This AXIS instance's audience identifier /\n private readonly axisAudience: string,\n ) {}\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceCapsuleVerified === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceCapsule as CceCapsuleClaims \| undefined;\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!capsule \|\| !envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Step 8: Verify audience\n if (capsule.aud !== this.axisAudience) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.AUDIENCE_MISMATCH}: capsule.aud=${capsule.aud}, expected=${this.axisAudience}`,\n ],\n code: CCE_ERROR.AUDIENCE_MISMATCH,\n };\n }\n\n // Step 9: Verify intent\n // The intent in the envelope should match the capsule-bound intent\n const requestIntent = input.intent ?? input.metadata?.cceRequestIntent;\n if (requestIntent && capsule.intent !== requestIntent) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INTENT_MISMATCH}: capsule.intent=${capsule.intent}, request=${requestIntent}`,\n ],\n code: CCE_ERROR.INTENT_MISMATCH,\n };\n }\n\n // Verify client_kid in envelope matches capsule kid\n if (envelope.client_kid !== capsule.kid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INTENT_MISMATCH}: envelope.kid=${envelope.client_kid}, capsule.kid=${capsule.kid}`,\n ],\n code: CCE_ERROR.INTENT_MISMATCH,\n };\n }\n\n input.metadata = input.metadata ?? {};\n input.metadata.cceBindingVerified = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/\n CCE Replay Protection Sensor\n \n Band: POLICY (order: 98)\n * Phase: POST_DECODE\n \n Steps 10-11 from CCE verification order:\n * 10. Verify capsule not replayed (capsule_id not consumed if SINGLE_USE)\n * 11. Verify request nonce uniqueness\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceCapsuleClaims, type CceRequestEnvelope } from \"../cce.types\";\n\n/\n Replay store interface — implementations can use Redis, in-memory, etc.\n * Must support O(1) lookups for performance in the hot path.\n /\nexport interface CceReplayStore {\n /\n Check and mark a nonce/id as used.\n * @returns true if this is the first time (valid), false if replay\n /\n checkAndMark(key: string, ttlMs: number): Promise<boolean>;\n\n /* Check if a capsule has been consumed /\n isCapsuleConsumed(capsuleId: string): Promise<boolean>;\n\n /* Mark a capsule as consumed /\n markCapsuleConsumed(capsuleId: string, ttlMs: number): Promise<void>;\n\n /* Check if a capsule has been revoked /\n isCapsuleRevoked(capsuleId: string): Promise<boolean>;\n}\n\n/\n In-memory replay store for development/testing.\n /\nexport class InMemoryCceReplayStore implements CceReplayStore {\n private nonces = new Map<string, number>();\n private consumed = new Set<string>();\n private revoked = new Set<string>();\n\n async checkAndMark(key: string, ttlMs: number): Promise<boolean> {\n this.cleanup();\n if (this.nonces.has(key)) return false;\n this.nonces.set(key, Date.now() + ttlMs);\n return true;\n }\n\n async isCapsuleConsumed(capsuleId: string): Promise<boolean> {\n return this.consumed.has(capsuleId);\n }\n\n async markCapsuleConsumed(capsuleId: string, _ttlMs: number): Promise<void> {\n this.consumed.add(capsuleId);\n }\n\n async isCapsuleRevoked(capsuleId: string): Promise<boolean> {\n return this.revoked.has(capsuleId);\n }\n\n /* Revoke a capsule (for testing/admin) /\n revoke(capsuleId: string): void {\n this.revoked.add(capsuleId);\n }\n\n private cleanup(): void {\n const now = Date.now();\n for (const [key, expiresAt] of this.nonces) {\n if (expiresAt < now) this.nonces.delete(key);\n }\n }\n}\n\nexport class CceReplayProtectionSensor implements AxisSensor {\n readonly name = \"cce.replay.protection\";\n readonly order = 98;\n readonly phase = \"POST_DECODE\" as const;\n\n /* Default nonce TTL: 5 minutes /\n private readonly nonceTtlMs: number;\n\n constructor(\n private readonly replayStore: CceReplayStore,\n options?: { nonceTtlMs?: number },\n ) {\n this.nonceTtlMs = options?.nonceTtlMs ?? 5 60 * 1000;\n }\n\n supports(input: SensorInput): boolean {\n return input.metadata?.cceCapsuleVerified === true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const capsule = input.metadata?.cceCapsule as CceCapsuleClaims \| undefined;\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!capsule \|\| !envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.MISSING_CAPSULE],\n code: CCE_ERROR.MISSING_CAPSULE,\n };\n }\n\n // Check capsule revocation\n const revoked = await this.replayStore.isCapsuleRevoked(capsule.capsule_id);\n if (revoked) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_REVOKED}: ${capsule.capsule_id}`],\n code: CCE_ERROR.CAPSULE_REVOKED,\n };\n }\n\n // Check capsule consumption (SINGLE_USE mode)\n if (capsule.mode === \"SINGLE_USE\") {\n const consumed = await this.replayStore.isCapsuleConsumed(\n capsule.capsule_id,\n );\n if (consumed) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.CAPSULE_CONSUMED}: ${capsule.capsule_id}`],\n code: CCE_ERROR.CAPSULE_CONSUMED,\n };\n }\n }\n\n // Check request nonce uniqueness\n // Namespace: sub + aud + intent to prevent cross-context collision\n const nonceKey = `cce:nonce:${capsule.sub}:${capsule.aud}:${capsule.intent}:${envelope.request_nonce}`;\n const nonceValid = await this.replayStore.checkAndMark(\n nonceKey,\n this.nonceTtlMs,\n );\n if (!nonceValid) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.NONCE_REUSED}: ${envelope.request_nonce.slice(0, 16)}...`,\n ],\n code: CCE_ERROR.NONCE_REUSED,\n };\n }\n\n // Mark capsule consumed for SINGLE_USE\n if (capsule.mode === \"SINGLE_USE\") {\n const capsuleTtl = (capsule.exp - capsule.iat) * 1000 + 60_000; // TTL + 1 min buffer\n await this.replayStore.markCapsuleConsumed(\n capsule.capsule_id,\n capsuleTtl,\n );\n }\n\n input.metadata = input.metadata ?? {};\n input.metadata.cceReplayClean = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n","/*\n CCE Payload Decryption Sensor\n \n Band: CONTENT (order: 145)\n * Phase: POST_DECODE\n \n Steps 12-13 from CCE verification order:\n * 12. Decrypt transport key → decrypt payload\n * 13. Validate plaintext payload schema\n \n This sensor performs the actual cryptographic decryption of the request payload.\n * It unwraps the AES transport key using the AXIS private key, then decrypts\n * the payload with AES-256-GCM.\n /\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../../sensor/axis-sensor\";\nimport { Decision } from \"../../sensor/axis-sensor\";\nimport { CCE_ERROR, type CceRequestEnvelope } from \"../cce.types\";\n\n/\n AXIS private key provider for decrypting the transport key.\n /\nexport interface CceAxisKeyProvider {\n /\n Decrypt a transport key using AXIS private key.\n * Supports X25519 (ECDH) and RSA-OAEP key unwrapping.\n /\n unwrapKey(\n encryptedKeyB64: string,\n algorithm: string,\n axisKid: string,\n ephemeralPkB64?: string,\n ): Promise<Uint8Array \| null>;\n}\n\n/\n AES-GCM decryption provider.\n /\nexport interface CceAesGcmProvider {\n /\n Decrypt ciphertext with AES-256-GCM.\n * @returns plaintext bytes, or null if AEAD tag verification failed\n /\n decrypt(\n key: Uint8Array,\n iv: Uint8Array,\n ciphertext: Uint8Array,\n tag: Uint8Array,\n aad?: Uint8Array,\n ): Promise<Uint8Array \| null>;\n}\n\nexport interface CcePayloadValidatorResult {\n ok: boolean;\n intent?: string;\n code?: string;\n reason?: string;\n}\n\n/\n Optional decrypted payload validator.\n * Use this hook to enforce intent-specific schema checks before handler execution.\n /\nexport interface CcePayloadValidator {\n validate(\n plaintext: Uint8Array,\n envelope: CceRequestEnvelope,\n ): Promise<CcePayloadValidatorResult>;\n}\n\nexport class CcePayloadDecryptionSensor implements AxisSensor {\n readonly name = \"cce.payload.decryption\";\n readonly order = 145;\n readonly phase = \"POST_DECODE\" as const;\n\n constructor(\n private readonly keyProvider: CceAxisKeyProvider,\n private readonly aesProvider: CceAesGcmProvider,\n private readonly maxPayloadBytes: number = 64 1024,\n private readonly payloadValidator?: CcePayloadValidator,\n ) {}\n\n supports(input: SensorInput): boolean {\n return (\n input.metadata?.cceEnvelopeValid === true &&\n input.metadata?.cceClientSigVerified === true &&\n input.metadata?.cceCapsuleVerified === true &&\n input.metadata?.cceReplayClean === true\n );\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const envelope = input.metadata?.cceEnvelope as\n \| CceRequestEnvelope\n \| undefined;\n\n if (!envelope) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.INVALID_ENVELOPE],\n code: CCE_ERROR.INVALID_ENVELOPE,\n };\n }\n\n // Step 11 (from spec): Decrypt transport key\n let aesKey: Uint8Array \| null;\n try {\n aesKey = await this.keyProvider.unwrapKey(\n envelope.encrypted_key.ciphertext,\n envelope.encrypted_key.alg,\n envelope.encrypted_key.axis_kid,\n envelope.encrypted_key.ephemeral_pk,\n );\n } catch {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],\n code: CCE_ERROR.KEY_UNWRAP_FAILED,\n };\n }\n\n if (!aesKey) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.KEY_UNWRAP_FAILED],\n code: CCE_ERROR.KEY_UNWRAP_FAILED,\n };\n }\n\n // Step 12: Decrypt payload with AES-GCM\n let iv: Uint8Array;\n let ciphertext: Uint8Array;\n let tag: Uint8Array;\n\n try {\n iv = base64UrlDecode(envelope.encrypted_payload.iv);\n ciphertext = base64UrlDecode(envelope.encrypted_payload.ciphertext);\n tag = base64UrlDecode(envelope.encrypted_payload.tag);\n } catch {\n return {\n allow: false,\n riskScore: 100,\n reasons: [`${CCE_ERROR.DECRYPTION_FAILED}: invalid base64url encoding`],\n code: CCE_ERROR.DECRYPTION_FAILED,\n };\n }\n\n // Check payload size before decryption\n if (ciphertext.length > this.maxPayloadBytes) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.PAYLOAD_TOO_LARGE}: ${ciphertext.length} > ${this.maxPayloadBytes}`,\n ],\n code: CCE_ERROR.PAYLOAD_TOO_LARGE,\n };\n }\n\n // Build AAD from envelope metadata (binds ciphertext to context)\n const aad = buildAad(envelope);\n\n let plaintext: Uint8Array \| null;\n try {\n plaintext = await this.aesProvider.decrypt(\n aesKey,\n iv,\n ciphertext,\n tag,\n aad,\n );\n } catch {\n plaintext = null;\n } finally {\n // Clear AES key from memory (best effort)\n aesKey.fill(0);\n }\n\n if (!plaintext) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [CCE_ERROR.AEAD_TAG_MISMATCH],\n code: CCE_ERROR.AEAD_TAG_MISMATCH,\n };\n }\n\n const capsule = input.metadata?.cceCapsule as\n \| { intent: string }\n \| undefined;\n\n // Built-in JSON intent binding check.\n if (capsule && isJsonContentType(envelope.content_type)) {\n const parsed = tryParseJsonObject(plaintext);\n if (parsed && typeof parsed.intent === \"string\") {\n if (parsed.intent !== capsule.intent) {\n return {\n allow: false,\n riskScore: 100,\n reasons: [\n `${CCE_ERROR.INTENT_SCHEMA_MISMATCH}: payload.intent=${parsed.intent}, capsule.intent=${capsule.intent}`,\n ],\n code: CCE_ERROR.INTENT_SCHEMA_MISMATCH,\n };\n }\n input.metadata = input.metadata ?? {};\n input.metadata.cceRequestIntent = parsed.intent;\n }\n }\n\n if (this.payloadValidator) {\n const verdict = await this.payloadValidator.validate(plaintext, envelope);\n if (!verdict.ok) {\n const code = verdict.code ?? CCE_ERROR.PAYLOAD_SCHEMA_INVALID;\n return {\n allow: false,\n riskScore: 100,\n reasons: [verdict.reason ?? code],\n code,\n };\n }\n\n if (verdict.intent) {\n input.metadata = input.metadata ?? {};\n input.metadata.cceRequestIntent = verdict.intent;\n }\n }\n\n // Store decrypted payload for handler\n input.metadata = input.metadata ?? {};\n input.metadata.cceDecryptedPayload = plaintext;\n input.metadata.cceDecryptionOk = true;\n\n return {\n decision: Decision.ALLOW,\n allow: true,\n riskScore: 0,\n reasons: [],\n };\n }\n}\n\n/*\n Build Additional Authenticated Data from envelope fields.\n * Binds the ciphertext to the request context and prevents\n * transplanting encrypted payloads between requests.\n /\nfunction buildAad(envelope: CceRequestEnvelope): Uint8Array {\n const parts = [\n envelope.ver,\n envelope.request_id,\n envelope.correlation_id,\n envelope.client_kid,\n envelope.capsule.capsule_id,\n envelope.capsule.intent,\n envelope.capsule.aud,\n envelope.request_nonce,\n ];\n return new TextEncoder().encode(parts.join(\"\|\"));\n}\n\nfunction isJsonContentType(contentType: string \| undefined): boolean {\n return (\n typeof contentType === \"string\" &&\n contentType.toLowerCase().includes(\"application/json\")\n );\n}\n\nfunction tryParseJsonObject(\n payload: Uint8Array,\n): Record<string, unknown> \| null {\n try {\n const parsed = JSON.parse(new TextDecoder().decode(payload));\n if (parsed && typeof parsed === \"object\" && !Array.isArray(parsed)) {\n return parsed as Record<string, unknown>;\n }\n return null;\n } catch {\n return null;\n }\n}\n\n/* Base64url decode /\nfunction base64UrlDecode(input: string): Uint8Array {\n const base64 = input.replace(/-/g, \"+\").replace(/_/g, \"/\");\n const padding = \"=\".repeat((4 - (base64.length % 4)) % 4);\n return new Uint8Array(Buffer.from(base64 + padding, \"base64\"));\n}\n","/\n CCE Sensors — Index\n \n All CCE security sensors in execution order:\n \n 1. CceEnvelopeValidationSensor (order: 5, WIRE) — Schema + version check\n * 2. CceClientSignatureSensor (order: 45, IDENTITY) — Client key resolve + sig verify\n * 3. CceCapsuleVerificationSensor (order: 50, IDENTITY) — Capsule parse + TickAuth sig verify\n * 4. CceTpsWindowSensor (order: 92, POLICY) — TPS window validation\n * 5. CceAudienceIntentBindingSensor (order: 95, POLICY) — Audience + intent binding\n * 6. CceReplayProtectionSensor (order: 98, POLICY) — Replay + nonce check\n * 7. CcePayloadDecryptionSensor (order: 145, CONTENT) — Key unwrap + AES-GCM decrypt\n /\n\nexport { CceEnvelopeValidationSensor } from \"./cce-envelope-validation.sensor\";\n\nexport {\n CceClientSignatureSensor,\n type CceClientKeyResolver,\n type CceSignatureVerifier,\n} from \"./cce-client-signature.sensor\";\n\nexport {\n CceCapsuleVerificationSensor,\n type CceIssuerKeyResolver,\n type CceCapsuleSignatureVerifier,\n} from \"./cce-capsule-verification.sensor\";\n\nexport { CceTpsWindowSensor } from \"./cce-tps-window.sensor\";\n\nexport { CceAudienceIntentBindingSensor } from \"./cce-audience-intent-binding.sensor\";\n\nexport {\n CceReplayProtectionSensor,\n InMemoryCceReplayStore,\n type CceReplayStore,\n} from \"./cce-replay-protection.sensor\";\n\nexport {\n CcePayloadDecryptionSensor,\n type CceAxisKeyProvider,\n type CceAesGcmProvider,\n type CcePayloadValidator,\n type CcePayloadValidatorResult,\n} from \"./cce-payload-decryption.sensor\";\n","/\n CCE Module — Index\n \n Capsule-Carried Encryption for AXIS Protocol (Server SDK)\n \n Architecture:\n * - cce.types: Core types, error codes, envelope definitions\n * - cce-derivation: HKDF key derivation and execution context\n * - cce-crypto: AES-GCM encryption/decryption primitives\n * - cce-response: Response encryption and signing\n * - cce-witness: Witness/OpenLogs observer\n * - cce-pipeline: Full request/response orchestrator\n * - sensors/: 7 CCE security sensors for the verification chain\n /\n\n// Types and Constants\nexport {\n CCE_PROTOCOL_VERSION,\n CCE_DERIVATION,\n CCE_AES_KEY_BYTES,\n CCE_IV_BYTES,\n CCE_TAG_BYTES,\n CCE_NONCE_BYTES,\n CCE_ERROR,\n CceError,\n type CceAlgorithm,\n type CceKemAlgorithm,\n type CceKdfAlgorithm,\n type CceCapsuleClaims,\n type CceConstraints,\n type CceSignature,\n type CceRequestEnvelope,\n type CceResponseEnvelope,\n type CceResponseStatus,\n type CceEncryptedKey,\n type CceEncryptedPayload,\n type CceAlgorithmDescriptor,\n type CceExecutionContext,\n type CceWitnessRecord,\n type CceErrorCode,\n} from \"./cce.types\";\n\n// Key Derivation\nexport {\n deriveRequestExecutionKey,\n deriveResponseExecutionKey,\n deriveWitnessKey,\n buildExecutionContext,\n generateCceNonce,\n type CceDerivationInput,\n} from \"./cce-derivation.service\";\n\n// Crypto Primitives\nexport {\n aesGcmEncrypt,\n aesGcmDecrypt,\n generateAesKey,\n generateIv,\n base64UrlEncode,\n base64UrlDecode,\n hashPayload,\n nodeAesGcmProvider,\n} from \"./cce-crypto\";\n\n// Response Encryption\nexport {\n buildCceResponse,\n buildCceErrorResponse,\n type CceClientKeyEncryptor,\n type CceAxisSigner,\n type CceResponseOptions,\n} from \"./cce-response.service\";\n\n// Witness Observer\nexport {\n buildWitnessRecord,\n extractVerificationState,\n InMemoryCceWitnessStore,\n type CceWitnessStore,\n type CceVerificationState,\n} from \"./cce-witness.observer\";\n\n// Pipeline Orchestrator\nexport {\n executeCcePipeline,\n type CceHandler,\n type CceHandlerContext,\n type CceHandlerResult,\n type CcePolicyContext,\n type CcePolicyDecision,\n type CcePolicyEvaluator,\n type CcePipelineConfig,\n type CcePipelineResult,\n} from \"./cce-pipeline\";\n\n// Sensors\nexport {\n CceEnvelopeValidationSensor,\n CceClientSignatureSensor,\n CceCapsuleVerificationSensor,\n CceTpsWindowSensor,\n CceAudienceIntentBindingSensor,\n CceReplayProtectionSensor,\n CcePayloadDecryptionSensor,\n InMemoryCceReplayStore,\n type CceClientKeyResolver,\n type CceSignatureVerifier,\n type CceIssuerKeyResolver,\n type CceCapsuleSignatureVerifier,\n type CceReplayStore,\n type CceAxisKeyProvider,\n type CceAesGcmProvider,\n type CcePayloadValidator,\n type CcePayloadValidatorResult,\n} from \"./sensors\";\n","export from '@nextera.one/axis-protocol';\nexport { AxisFrameZ } from './axis-bin';\nexport * from './signature';\nexport * from './axis-error';\n","/*\n AXIS Cryptographic Types\n * Ed25519 signature system for packets and capsules\n /\n\nexport type AxisAlg = 'EdDSA' \| 'ES256' \| 'RS256';\n\nexport type CapsuleStatus = 'ACTIVE' \| 'CONSUMED' \| 'REVOKED' \| 'EXPIRED';\nexport type CapsuleMode = 'SINGLE_USE' \| 'MULTI_USE';\n\nexport type KeyStatus = 'ACTIVE' \| 'GRACE' \| 'REVOKED' \| 'RETIRED';\n\n/\n Signature envelope for packets and capsules\n /\nexport interface AxisSig {\n alg: AxisAlg;\n kid: string; // Key identifier\n value: string; // base64url signature\n}\n\n/\n AXIS packet structure (client → server)\n /\nexport interface AxisPacket<T = any> {\n v: 1;\n pid: string; // Packet ID for tracing\n nonce: string; // Anti-replay nonce\n ts: number; // Unix timestamp (seconds)\n actorId: string; // Actor identifier\n opcode: string; // Operation code (e.g., CAPSULE.ISSUE, INTENT.EXEC)\n body: T; // Opcode-specific payload\n sig: AxisSig; // Actor signature over packet (excluding sig itself)\n}\n\n/\n Capsule constraints for execution context\n /\nexport interface AxisCapsuleConstraints {\n // Hard limits\n maxAmount?: number;\n maxCount?: number;\n ttlSeconds?: number;\n\n // Context locks\n ipCidrAllow?: string[]; // [\"1.2.3.0/24\"]\n countryAllow?: string[]; // [\"JO\", \"SA\"]\n deviceIdAllow?: string[]; // Device fingerprints\n sessionIdLock?: string; // Bind to specific session\n nonceRequired?: boolean; // Require per-execution nonce\n}\n\n/\n TickAuth time window for temporal binding\n /\nexport interface TickWindow {\n start: number; // Unix timestamp\n end: number; // Unix timestamp\n}\n\n/\n Capsule payload (what gets signed by issuer)\n /\nexport interface AxisCapsulePayload {\n v: 1;\n\n // Identity binding\n capsuleId: string; // ULID or UUID\n actorId: string; // Who this capsule belongs to\n issuer: string; // Who issued it\n audience: string; // Who may accept it\n subject?: string; // Optional target entity\n\n // Intent binding\n intent: string; // Single intent (e.g., \"PAYMENT_CREATE\")\n scopes: string[]; // Fine-grained resources [\"wallet:123\", \"merchant:77\"]\n actions?: string[]; // Optional action verbs [\"create\", \"approve\"]\n\n // Time/window\n iat: number; // Issued at (unix seconds)\n nbf?: number; // Not before (unix seconds)\n exp: number; // Expires at (unix seconds)\n tickWindow?: TickWindow; // Optional TickAuth temporal window\n\n // Usage control\n mode: CapsuleMode;\n maxUses: number; // 1 for SINGLE_USE\n nonceSeed?: string; // Optional server nonce seed\n\n // Policy linkage\n policyRefs?: string[]; // [\"policy:transfer:v3\", \"risk:geo:v1\"]\n riskScore?: number; // Risk snapshot at issuance\n\n // Constraints\n constraints?: AxisCapsuleConstraints;\n\n // Optional metadata (never trusted for auth decisions)\n meta?: Record<string, unknown>;\n}\n\n/\n Complete capsule (payload + issuer signature)\n /\nexport interface AxisCapsule {\n payload: AxisCapsulePayload;\n sig: AxisSig; // Issuer signature over canonical payload\n}\n\n/\n Capsule issuance request body (CAPSULE.ISSUE opcode)\n /\nexport interface CapsuleIssueBody {\n intent: string;\n audience: string;\n scopes: string[];\n subject?: string;\n mode: CapsuleMode;\n maxUses?: number;\n expSeconds?: number; // Server will clamp (e.g., 30-120)\n constraints?: AxisCapsuleConstraints;\n hints?: {\n // Optional client hints (not trusted)\n ip?: string;\n ua?: string;\n deviceId?: string;\n geo?: string;\n };\n}\n\n/\n Batch capsule issuance request (CAPSULE.BATCH opcode)\n /\nexport interface CapsuleBatchBody extends Omit<\n CapsuleIssueBody,\n 'mode' \| 'maxUses'\n> {\n count: number; // Number of capsules to issue\n mode: 'SINGLE_USE'; // Batch typically single-use\n}\n\n/\n Intent execution request (INTENT.EXEC opcode)\n /\nexport interface IntentExecBody {\n intent: string;\n capsule: AxisCapsule; // Attached capsule\n execNonce?: string; // Required if capsule.constraints.nonceRequired\n args: Record<string, any>; // Intent-specific arguments\n}\n\n/\n Capsule revocation request (CAPSULE.REVOKE opcode)\n /\nexport interface CapsuleRevokeBody {\n capsuleId: string;\n reason: string;\n}\n\n/\n AXIS response envelope\n /\nexport interface AxisResponse<T = any> {\n ok: boolean;\n pid: string; // Echoes request pid\n decisionId: string; // AXIS decision trace id\n code: string; // AXIS error/success code\n message?: string;\n data?: T;\n meta?: Record<string, unknown>;\n}\n\n/\n Capsule issuance result\n /\nexport interface CapsuleIssueResult {\n capsule: AxisCapsule;\n}\n\n/\n Batch capsule issuance result\n /\nexport interface CapsuleBatchResult {\n capsules: AxisCapsule[];\n}\n\n/\n Actor key record (from DB)\n /\nexport interface ActorKeyRecord {\n id: Buffer;\n actor_id: string;\n key_id: string;\n algorithm: string;\n public_key: Buffer;\n purpose: string;\n status: KeyStatus;\n is_primary: boolean;\n not_before: Date \| null;\n expires_at: Date \| null;\n rotated_from_key_id: string \| null;\n revoked_at: Date \| null;\n revocation_reason: string \| null;\n metadata: any;\n created_at: Date;\n updated_at: Date;\n}\n\n/\n Issuer key record (from DB)\n /\nexport interface IssuerKeyRecord {\n id: Buffer;\n kid: string;\n issuer_id: string;\n alg: string;\n public_key_pem: string;\n status: KeyStatus;\n not_before: Date \| null;\n not_after: Date \| null;\n fingerprint: string \| null;\n metadata: any;\n created_at: Date;\n updated_at: Date;\n}\n\n/\n Capsule record (from DB)\n /\nexport interface CapsuleRecord {\n id: Buffer;\n capsule_id: string;\n actor_id: string;\n intent: string;\n audience: string;\n issuer: string;\n subject: string \| null;\n status: CapsuleStatus;\n mode: CapsuleMode;\n max_uses: number;\n used_count: number;\n iat: Date;\n nbf: Date \| null;\n exp: Date;\n scopes_json: any;\n constraints_json: any;\n policy_refs_json: any;\n risk_score: number \| null;\n payload_hash: Buffer;\n sig_alg: string;\n sig_kid: string;\n sig_value: Buffer;\n created_at: Date;\n updated_at: Date;\n last_used_at: Date \| null;\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport as crypto from 'crypto';\nimport * as nacl from 'tweetnacl';\n\n/*\n Proof Verification Service\n \n Verifies proof types according to AXIS spec:\n * - CAPSULE (1): Capability token verification\n * - JWT (2): JSON Web Token verification\n * - MTLS_ID (3): mTLS client certificate verification\n * - DEVICE_SE (4): Device Secure Element signature verification\n \n Related: AXIS spec - Proof Types\n /\n\nexport type ProofType = 1 \| 2 \| 3 \| 4; // CAPSULE, JWT, MTLS_ID, DEVICE_SE\n\nexport interface ProofVerificationResult {\n valid: boolean;\n actorId?: string;\n error?: string;\n metadata?: Record<string, any>;\n}\n\nexport interface MTLSContext {\n clientCertPem?: string;\n clientCertFingerprint?: string;\n clientCertSubject?: string;\n clientCertIssuer?: string;\n verified?: boolean;\n}\n\nexport interface DeviceSEContext {\n deviceId: string;\n signature: Uint8Array;\n publicKey: Uint8Array;\n challenge?: Uint8Array;\n}\n\n@Injectable()\nexport class ProofVerificationService {\n private readonly logger = new Logger(ProofVerificationService.name);\n\n // Cache of registered device public keys (deviceId -> pubKey)\n private readonly deviceKeys = new Map<string, Uint8Array>();\n\n // Cache of trusted mTLS certificate fingerprints\n private readonly trustedCerts = new Map<\n string,\n { actorId: string; issuedAt: number }\n >();\n\n /\n Verifies an authentication proof based on its type.\n \n Supported Types:\n * - 1 (CAPSULE): Delegated to `verifyCapsuleProof`\n * - 2 (JWT): Verified by `verifyJWTProof`\n * - 3 (MTLS_ID): Verified by `verifyMTLSProof`\n * - 4 (DEVICE_SE): Verified by `verifyDeviceSEProof`\n \n @param {ProofType} proofType - The numeric AXIS proof type\n * @param {Uint8Array} proofRef - The binary reference or token for the proof\n * @param {Object} context - Additional metadata required for specific proof types\n * @param {Uint8Array} [context.signTarget] - The canonical bytes that were signed (for Ed25519)\n * @param {Uint8Array} [context.signature] - The signature to verify (for Ed25519)\n * @param {MTLSContext} [context.mtls] - mTLS certificate data\n * @param {DeviceSEContext} [context.deviceSE] - Device Secure Element information\n * @returns {Promise<ProofVerificationResult>} The outcome of the verification\n /\n async verifyProof(\n proofType: ProofType,\n proofRef: Uint8Array,\n context: {\n signTarget?: Uint8Array;\n signature?: Uint8Array;\n mtls?: MTLSContext;\n deviceSE?: DeviceSEContext;\n },\n ): Promise<ProofVerificationResult> {\n switch (proofType) {\n case 1: // CAPSULE\n return this.verifyCapsuleProof(proofRef);\n case 2: // JWT\n return this.verifyJWTProof(proofRef);\n case 3: // MTLS_ID\n return this.verifyMTLSProof(context.mtls);\n case 4: // DEVICE_SE\n return this.verifyDeviceSEProof(\n context.signTarget,\n context.signature,\n context.deviceSE,\n );\n default:\n return { valid: false, error: `Unknown proof type: ${proofType}` };\n }\n }\n\n /\n Verify CAPSULE proof (delegated to CapsuleService)\n /\n private async verifyCapsuleProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n // Capsule verification is handled by CapsuleService\n // This is a pass-through that returns valid to signal capsule processing\n const capsuleId = new TextDecoder().decode(proofRef);\n return {\n valid: true,\n metadata: { capsuleId, requiresCapsuleValidation: true },\n };\n }\n\n /\n Verifies a JSON Web Token (JWT) proof.\n \n Validation Logic:\n * 1. Decodes the token string.\n * 2. Checks for valid 3-part JWT structure.\n * 3. Validates `exp` (expiration) and `nbf` (not before) claims.\n * 4. Extracts `actor_id` or `sub` as the identity.\n \n @param {Uint8Array} proofRef - Binary representation of the JWT string\n * @returns {Promise<ProofVerificationResult>} Result including the actor identifier\n /\n private async verifyJWTProof(\n proofRef: Uint8Array,\n ): Promise<ProofVerificationResult> {\n try {\n const token = new TextDecoder().decode(proofRef);\n const parts = token.split('.');\n\n if (parts.length !== 3) {\n return { valid: false, error: 'Invalid JWT format' };\n }\n\n // Decode header and payload\n const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());\n const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());\n\n // Check expiration\n if (payload.exp && Date.now() / 1000 > payload.exp) {\n return { valid: false, error: 'JWT expired' };\n }\n\n // Check not before\n if (payload.nbf && Date.now() / 1000 < payload.nbf) {\n return { valid: false, error: 'JWT not yet valid' };\n }\n\n // For production: verify signature against known keys\n // For now, we trust the JWT if it has valid structure and timing\n return {\n valid: true,\n actorId: payload.sub \|\| payload.actor_id,\n metadata: { iss: payload.iss, scope: payload.scope },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return { valid: false, error: `JWT parse error: ${message}` };\n }\n }\n\n /\n Verify mTLS client certificate proof\n /\n private async verifyMTLSProof(\n mtls?: MTLSContext,\n ): Promise<ProofVerificationResult> {\n if (!mtls) {\n return { valid: false, error: 'No mTLS context provided' };\n }\n\n // Check if connection was verified by TLS layer\n if (!mtls.verified) {\n return { valid: false, error: 'mTLS not verified by TLS terminator' };\n }\n\n // Check certificate fingerprint against trusted list\n if (mtls.clientCertFingerprint) {\n const trusted = this.trustedCerts.get(mtls.clientCertFingerprint);\n if (trusted) {\n return {\n valid: true,\n actorId: trusted.actorId,\n metadata: {\n fingerprint: mtls.clientCertFingerprint,\n subject: mtls.clientCertSubject,\n },\n };\n }\n }\n\n // Extract actor ID from certificate subject (CN field)\n if (mtls.clientCertSubject) {\n const cnMatch = mtls.clientCertSubject.match(/CN=([^,]+)/);\n if (cnMatch) {\n return {\n valid: true,\n actorId: cnMatch[1],\n metadata: {\n subject: mtls.clientCertSubject,\n issuer: mtls.clientCertIssuer,\n },\n };\n }\n }\n\n return { valid: false, error: 'Could not extract actor from certificate' };\n }\n\n /\n Verify Device Secure Element signature\n /\n private async verifyDeviceSEProof(\n signTarget?: Uint8Array,\n signature?: Uint8Array,\n deviceSE?: DeviceSEContext,\n ): Promise<ProofVerificationResult> {\n if (!deviceSE \|\| !signTarget \|\| !signature) {\n return { valid: false, error: 'Missing Device SE context' };\n }\n\n // Get registered public key for device\n let publicKey = deviceSE.publicKey;\n\n // If device is pre-registered, use registered key\n const registeredKey = this.deviceKeys.get(deviceSE.deviceId);\n if (registeredKey) {\n publicKey = registeredKey;\n }\n\n if (!publicKey \|\| publicKey.length !== 32) {\n return {\n valid: false,\n error: 'Invalid or unregistered device public key',\n };\n }\n\n // Verify Ed25519 signature\n try {\n const valid = nacl.sign.detached.verify(signTarget, signature, publicKey);\n\n if (!valid) {\n return { valid: false, error: 'Device signature verification failed' };\n }\n\n return {\n valid: true,\n actorId: deviceSE.deviceId,\n metadata: { deviceId: deviceSE.deviceId, proofType: 'DEVICE_SE' },\n };\n } catch (e) {\n const message = e instanceof Error ? e.message : 'Unknown error';\n return {\n valid: false,\n error: `Signature verification error: ${message}`,\n };\n }\n }\n\n /\n Registers a public key for a trusted device.\n * This key will be used for future `DEVICE_SE` proof verifications.\n \n @param {string} deviceId - Unique identifier for the device\n * @param {Uint8Array} publicKey - 32-byte Ed25519 public key\n * @throws {Error} If the public key is not 32 bytes\n /\n registerDeviceKey(deviceId: string, publicKey: Uint8Array): void {\n if (publicKey.length !== 32) {\n throw new Error('Device public key must be 32 bytes (Ed25519)');\n }\n this.deviceKeys.set(deviceId, publicKey);\n this.logger.log(`Registered device key for ${deviceId}`);\n }\n\n /\n Unregister a device\n /\n unregisterDevice(deviceId: string): boolean {\n return this.deviceKeys.delete(deviceId);\n }\n\n /\n Registers a trusted mTLS certificate fingerprint and associates it with an actor.\n \n @param {string} fingerprint - SHA-256 fingerprint of the client certificate\n * @param {string} actorId - The actor to associate with this certificate\n /\n registerMTLSCert(fingerprint: string, actorId: string): void {\n this.trustedCerts.set(fingerprint, { actorId, issuedAt: Date.now() });\n this.logger.log(`Registered mTLS cert ${fingerprint} for actor ${actorId}`);\n }\n\n /\n Revoke an mTLS certificate\n /\n revokeMTLSCert(fingerprint: string): boolean {\n return this.trustedCerts.delete(fingerprint);\n }\n\n /\n Calculate certificate fingerprint (SHA-256)\n /\n static calculateFingerprint(certPem: string): string {\n // Extract DER from PEM\n const der = Buffer.from(\n certPem\n .replace(/-----BEGIN CERTIFICATE-----/, '')\n .replace(/-----END CERTIFICATE-----/, '')\n .replace(/\\s/g, ''),\n 'base64',\n );\n return crypto.createHash('sha256').update(der).digest('hex');\n }\n}\n","export from './b64url';\nexport * from './canonical-json';\nexport * from './types';\nexport * from './proof-verification.service';\n","export * from \"./axis-request.decorator\";\nexport * from \"./capsule-policy.decorator\";\nexport * from \"./intent-policy.decorator\";\nexport * from \"./chain.decorator\";\nexport * from \"./dto-schema.util\";\nexport * from \"./handler.decorator\";\nexport * from \"./intent-body.decorator\";\nexport * from \"./intent-sensors.decorator\";\nexport * from \"./intent.decorator\";\nexport * from \"./observer.decorator\";\nexport * from \"./sensor.decorator\";\nexport * from \"./tlv-field.decorator\";\n","import type { Axis1DecodedFrame } from '../types/frame';\nimport type { AxisPacket as AxisBinaryPacket } from '../types/packet';\nimport type { AxisContext } from '../schemas/axis-schemas';\nimport type { SensorInput } from '../sensor/axis-sensor';\nimport type { AxisObservation } from './axis-observation';\n\nexport interface AxisDecoded {\n frame: Axis1DecodedFrame;\n packet: AxisBinaryPacket;\n axisCtx: AxisContext;\n correlationId: Buffer;\n correlationIdHex: string;\n sensorInput: SensorInput;\n extra: { ip?: string; demoPubkeyHex?: string };\n observation: AxisObservation;\n}\n","export type AxisExecutionMode = 'strict' \| 'parallel' \| 'best_effort' \| 'atomic';\n\nexport type AxisObserverEvent =\n \| 'intent.received'\n \| 'intent.completed'\n \| 'intent.failed'\n \| 'chain.received'\n \| 'chain.admitted'\n \| 'chain.completed'\n \| 'chain.failed'\n \| 'chain.partial'\n \| 'step.started'\n \| 'step.completed'\n \| 'step.failed'\n \| 'step.blocked'\n \| 'step.skipped'\n \| 'signature.verified'\n \| 'decryption.succeeded'\n \| 'sensor.passed'\n \| 'sensor.failed'\n \| 'handler.completed'\n \| 'proof.recorded';\n\nexport interface AxisCapsuleRef {\n capsuleId?: string;\n scope?: string \| string[];\n scopeMode?: 'chain' \| 'step' \| 'chain+step';\n proofRequired?: boolean;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisKeyExchangeRef {\n profile?: string;\n sessionId?: string;\n clientKid?: string;\n serverKid?: string;\n algorithm?: string;\n derivedKeyRef?: string;\n required?: boolean;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisIntentEnvelope<TPayload = unknown> {\n intent: string;\n handler?: string;\n payload: TPayload;\n capsule?: AxisCapsuleRef;\n keyExchange?: AxisKeyExchangeRef;\n observerTags?: string[];\n proofRequired?: boolean;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisChainStep<TInput = unknown> {\n stepId: string;\n intent: string;\n handler?: string;\n input?: TInput;\n dependsOn?: string[];\n onSuccess?: string[];\n onFailure?: string[];\n capsuleScope?: string \| string[];\n observerTags?: string[];\n proofRequired?: boolean;\n keyExchange?: AxisKeyExchangeRef;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisChainEncryption {\n enabled?: boolean;\n profile?: string;\n keyExchange?: AxisKeyExchangeRef;\n}\n\nexport interface AxisChainEnvelope<TInput = unknown> {\n chainId: string;\n subject?: string;\n issuer?: string;\n issuedAtTps?: string \| number;\n expiresAtTps?: string \| number;\n mode: AxisExecutionMode;\n signature?: string;\n encryption?: AxisChainEncryption;\n capsule?: AxisCapsuleRef;\n keyExchange?: AxisKeyExchangeRef;\n observerTags?: string[];\n dynamic?: boolean;\n metadata?: Record<string, unknown>;\n steps: Array<AxisChainStep<TInput>>;\n}\n\nexport interface AxisChainRequest<\n TInput = unknown,\n TCapsule = Record<string, unknown>,\n> {\n envelope: AxisChainEnvelope<TInput>;\n capsule?: TCapsule;\n actorId?: string;\n}\n\nexport type AxisChainStepStatus =\n \| 'SUCCEEDED'\n \| 'FAILED'\n \| 'BLOCKED'\n \| 'SKIPPED';\n\nexport interface AxisChainStepResult<TOutput = unknown> {\n stepId: string;\n intent: string;\n status: AxisChainStepStatus;\n effect?: string;\n output?: TOutput;\n error?: string;\n dependsOn?: string[];\n startedAt: number;\n finishedAt: number;\n proofHash?: string;\n observerTags?: string[];\n metadata?: Record<string, unknown>;\n}\n\nexport type AxisChainStatus = 'SUCCEEDED' \| 'FAILED' \| 'PARTIAL';\n\nexport interface AxisChainResult<TOutput = unknown> {\n chainId: string;\n mode: AxisExecutionMode;\n status: AxisChainStatus;\n completedSteps: number;\n failedSteps: number;\n blockedSteps: number;\n skippedSteps: number;\n startedAt: number;\n finishedAt: number;\n results: Array<AxisChainStepResult<TOutput>>;\n rollback?: {\n supported: boolean;\n attempted: boolean;\n reason?: string;\n };\n metadata?: Record<string, unknown>;\n}\n\nexport interface ChainOptions {\n mode?: AxisExecutionMode;\n allowPartial?: boolean;\n dynamic?: boolean;\n proofRequired?: boolean;\n capsuleScope?: string \| string[];\n observerTags?: string[];\n keyExchangeRequired?: boolean;\n}\n\nexport interface RegisteredChainConfig extends ChainOptions {\n enabled: boolean;\n}","import type { AxisFrame } from \"../core/axis-bin\";\nimport type {\n AxisCapsuleRef,\n AxisChainEnvelope,\n AxisChainResult,\n AxisChainStep,\n AxisChainStepResult,\n AxisKeyExchangeRef,\n AxisObserverEvent,\n} from \"./axis-chain.types\";\nimport type { AxisEffect } from \"./intent.router\";\n\nexport interface AxisObserverContext {\n event: AxisObserverEvent;\n timestamp: number;\n intent?: string;\n chainId?: string;\n stepId?: string;\n handler?: string;\n frame?: AxisFrame;\n envelope?: AxisChainEnvelope;\n step?: AxisChainStep;\n effect?: AxisEffect;\n result?: AxisChainStepResult \| AxisChainResult;\n error?: string;\n observerTags?: string[];\n capsule?: AxisCapsuleRef;\n keyExchange?: AxisKeyExchangeRef;\n metadata?: Record<string, unknown>;\n}\n\nexport interface AxisIntentObserver {\n readonly name: string;\n supports?(context: AxisObserverContext): boolean;\n observe(context: AxisObserverContext): Promise<void> \| void;\n}\n\nexport interface AxisObserverRegistration {\n name: string;\n instance: AxisIntentObserver;\n tags: string[];\n events?: AxisObserverEvent[];\n intents?: string[];\n handlers?: string[];\n}","import { AxisObservation } from '../axis-observation';\n\nexport interface ObservationQueueMessage {\n v: 1;\n observation: AxisObservation;\n attempts: number;\n firstEnqueuedAt: number;\n lastEnqueuedAt: number;\n sourceNodeId: string;\n lastError?: string;\n}\n\nexport interface ObservationQueueConfig {\n enabled: boolean;\n workerEnabled: boolean;\n streamKey: string;\n deadLetterStreamKey: string;\n groupName: string;\n consumerName: string;\n readBlockMs: number;\n readBatchSize: number;\n reclaimIdleMs: number;\n reclaimBatchSize: number;\n maxRetries: number;\n maxStreamLength: number;\n workerConcurrency: number;\n}\n","export * from './stable-json';\nexport * from './observation-queue.types';\nexport * from './observation-queue.codec';\nexport * from './observation-hash';\nexport * from './response-observer';\n","export * from './axis-decoded';\nexport * from './axis-chain.executor';\nexport * from './axis-chain.types';\nexport * from './axis-execution-context';\nexport * from './axis-observation';\nexport * from './axis-observer.interface';\nexport * from './handler-discovery.service';\nexport * from './intent.router';\nexport * from './observation';\nexport * from './observer-discovery.service';\nexport * from './observer-dispatcher.service';\nexport * from './sensor-bands';\nexport * from './sensor-discovery.service';\nexport * from './registry/observer.registry';\nexport * from './registry/sensor.registry';\nexport * as observation from './observation';\n","/*\n IDEL Types — Intent Description & Execution Language\n \n IDEL is the structured cognition layer that sits above AXIS execution.\n * It transforms intent proposals into validated, executable structures.\n \n IDEL answers: \"What does the actor want to do, and is it well-formed?\"\n * AXIS answers: \"Execute it.\"\n * TickAuth answers: \"Is it allowed?\"\n /\n\n// ────────────────────────────────────────────────────────────────────────────\n// Intent Proposal (raw input before compilation)\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface IntentProposal {\n /* Raw intent name or free-text description /\n raw: string;\n /* Actor proposing the intent /\n actor_id: string;\n /* Optional explicit target /\n target?: string;\n /* Optional raw parameters /\n params?: Record<string, unknown>;\n /* Optional context (environment, device, location) /\n context?: Record<string, unknown>;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Compiled Intent (output of IDEL compilation)\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface CompiledIntent {\n /* Resolved intent name (dot notation) /\n intent: string;\n /* Actor /\n actor_id: string;\n /* Target resource or entity /\n target?: string;\n /* Validated and normalized parameters /\n params: Record<string, unknown>;\n /* Extracted constraints /\n constraints: IntentConstraint[];\n /* Confidence that the compilation is correct (0.0 – 1.0) /\n confidence: number;\n /* Alternative interpretations (if ambiguous) /\n alternatives: AlternativeIntent[];\n /* Whether the intent requires clarification before execution /\n needs_clarification: boolean;\n /* Clarification questions (if needs_clarification is true) /\n clarifications: ClarificationQuestion[];\n /* Expected outcome description /\n expected_outcome?: string;\n /* Fallback intent if this one fails /\n fallback?: string;\n /* Risk assessment /\n risk: IntentRisk;\n /* Metadata from compilation /\n metadata: Record<string, unknown>;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Constraints\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type ConstraintKind =\n \| 'required_param'\n \| 'type_check'\n \| 'range'\n \| 'pattern'\n \| 'temporal'\n \| 'spatial'\n \| 'authority'\n \| 'safety'\n \| 'custom';\n\nexport interface IntentConstraint {\n kind: ConstraintKind;\n field: string;\n description: string;\n satisfied: boolean;\n value?: unknown;\n expected?: unknown;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Alternatives and Clarification\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface AlternativeIntent {\n intent: string;\n confidence: number;\n reason: string;\n}\n\nexport interface ClarificationQuestion {\n id: string;\n question: string;\n field: string;\n options?: string[];\n required: boolean;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Risk\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type RiskLevel = 'none' \| 'low' \| 'medium' \| 'high' \| 'critical';\n\nexport interface IntentRisk {\n level: RiskLevel;\n score: number; // 0.0 – 1.0\n factors: string[];\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Intent Schema (definition of what intents exist and their requirements)\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface IntentParamSchema {\n name: string;\n type: 'string' \| 'number' \| 'boolean' \| 'object' \| 'array';\n required: boolean;\n description?: string;\n default?: unknown;\n pattern?: string;\n min?: number;\n max?: number;\n enum?: unknown[];\n}\n\nexport interface IntentSchema {\n intent: string;\n description: string;\n params: IntentParamSchema[];\n /* Required authority / scope /\n required_scopes?: string[];\n /* Risk level of this intent /\n risk_level: RiskLevel;\n /* Whether the intent has side effects /\n has_side_effects: boolean;\n /* Whether this intent is reversible /\n reversible: boolean;\n /* Related intents /\n related?: string[];\n /* Tags for categorization /\n tags?: string[];\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Compilation Result\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface CompilationResult {\n ok: boolean;\n compiled?: CompiledIntent;\n errors: CompilationError[];\n}\n\nexport interface CompilationError {\n code: string;\n message: string;\n field?: string;\n}\n","export from './idel.types';\nexport * from './idel.compiler';\n","export * from './loom.types';\nexport * from './loom.engine';\n","/*\n Needle & Thread — Core Metaphor Types\n \n Needle: The execution carrier that penetrates reality at a specific\n * TPS moment to perform an intent. It is the live action.\n \n Thread: The continuous chain of witnessed events that preserves\n * the history of actions across time. It is the memory.\n \n Stitch: A completed, observed, and verified action (deed).\n * Needle (execution) + Observer (verification) = Stitch.\n \n Fabric: Reality / state space — what stitches are woven into.\n \n Formula:\n * Intent → Needle enters (AXIS) → Action happens →\n * Observer verifies → Stitch is formed → Thread grows\n /\n\nimport type { CompiledIntent } from '../idel/idel.types';\nimport type {\n Grant,\n LoomReceipt,\n PresenceReceipt,\n ThreadState,\n Writ,\n} from '../loom/loom.types';\nimport type { AxisObservation } from '../engine/axis-observation';\nimport type { TruthVerdict } from '../engine/observation/truth-scoring';\nimport type { TimelineEvent } from '../timeline/timeline.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Needle — The execution carrier (live action)\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type NeedlePhase =\n \| 'created' // Needle assembled, not yet entered\n \| 'validated' // Passed through Loom gates\n \| 'executing' // Inside AXIS handler\n \| 'observed' // Observer has witnessed result\n \| 'stitched' // Stitch formed, thread updated\n \| 'failed'; // Broke during any phase\n\n/\n The Needle is the unified execution context that carries an intent\n * through the full AXIS pipeline: IDEL → Loom → Execution → Observation → Stitch\n /\nexport interface Needle {\n /* Unique needle identifier /\n needle_id: string;\n\n /* Current lifecycle phase /\n phase: NeedlePhase;\n\n /* TPS coordinate at which this needle enters reality /\n tps_coordinate?: string;\n\n // ── What the needle carries ──\n\n /* Compiled intent (from IDEL) /\n intent: CompiledIntent;\n\n /* Loom presence proof for the actor /\n presence: PresenceReceipt;\n\n /* Writ — the executable intent in Loom form /\n writ: Writ;\n\n /* Active grants that authorize this action /\n grants: Grant[];\n\n // ── What the needle produces ──\n\n /* Observation — filled after execution /\n observation?: AxisObservation;\n\n /* Loom receipt — filled after stitch /\n receipt?: LoomReceipt;\n\n /* Truth verdict — filled after observation scoring /\n verdict?: TruthVerdict;\n\n // ── Metadata ──\n\n /* Timestamp when needle was created /\n created_at: number;\n\n /* Timestamp when needle completed (stitched or failed) /\n completed_at?: number;\n\n /* Error if needle failed /\n error?: NeedleError;\n}\n\nexport interface NeedleError {\n phase: NeedlePhase;\n code: string;\n message: string;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Stitch — Completed, observed, verified action (deed)\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type StitchKind =\n \| 'deed' // Confirmed action with real effect\n \| 'silent' // Recorded but no visible external effect (deny, internal, simulation)\n \| 'torn'; // Failed or disputed — still recorded, but not trusted\n\n/\n A Stitch is a completed Needle that has been observed and verified.\n * Stitches are the atomic units that form a Thread.\n \n Needle (execution) + Observer (verification) = Stitch\n /\nexport interface Stitch {\n /* Stitch identifier (same as needle_id that produced it) /\n stitch_id: string;\n\n /* What kind of stitch /\n kind: StitchKind;\n\n /* The intent that was executed /\n intent: string;\n\n /* Actor who performed the action /\n actor_id: string;\n\n /* TPS coordinate of execution /\n tps_coordinate?: string;\n\n /* The observation record /\n observation: AxisObservation;\n\n /* Truth verification result /\n verdict: TruthVerdict;\n\n /* Loom receipt anchoring this stitch to the thread /\n receipt: LoomReceipt;\n\n /* Thread this stitch belongs to /\n thread_id: string;\n\n /* Position in the thread /\n sequence: number;\n\n /* Timeline event reference (if recorded in timeline) /\n timeline_event_id?: string;\n\n /* When the stitch was formed /\n stitched_at: number;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Thread — The continuous witness chain (memory of reality)\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n A Thread is a continuous, immutable chain of stitches that preserves\n * the history of actions across time. Built from OpenLogs + Witness + TPS.\n \n Thread rules:\n * 1. Immutable — past stitches cannot be modified\n * 2. Ordered — by TPS coordinate and sequence number\n * 3. Branchable — can fork into alternate timelines\n * 4. Replayable — can re-execute past stitches\n * 5. Provable — backed by witness records\n /\nexport interface Thread {\n /* Thread state (from Loom) /\n state: ThreadState;\n\n /* Total stitch count /\n length: number;\n\n /* TPS coordinate of first stitch /\n started_at_tps?: string;\n\n /* TPS coordinate of most recent stitch /\n last_stitch_tps?: string;\n\n /* Whether this thread has forked branches /\n has_branches: boolean;\n\n /* Branch IDs if any /\n branch_ids: string[];\n}\n\nimport type { AxisSensor } from '../sensor/axis-sensor';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Needle Pipeline Configuration\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Handler function that the Needle pipeline invokes to execute the intent.\n * This is the \"action happens\" step.\n /\nexport type NeedleHandler = (\n intent: CompiledIntent,\n context: NeedleHandlerContext,\n) => Promise<NeedleHandlerResult>;\n\nexport interface NeedleHandlerContext {\n needle_id: string;\n actor_id: string;\n presence_id: string;\n writ: Writ;\n grants: Grant[];\n tps_coordinate?: string;\n}\n\nexport interface NeedleHandlerResult {\n ok: boolean;\n effect: string;\n data?: Record<string, unknown>;\n status_code?: number;\n}\n\n/\n Configuration for the Needle pipeline.\n /\nexport interface NeedlePipelineConfig {\n /* Handler registry: intent name → handler function /\n handlers: Map<string, NeedleHandler>;\n\n /* Private key for Loom signing (hex string) /\n private_key: string;\n\n /* Public key for verification (hex string) /\n public_key: string;\n\n /* Sensors to run as reality gates before handler execution /\n sensors?: AxisSensor[];\n\n /* Whether to record stitches into the Timeline engine /\n record_timeline?: boolean;\n\n /* Default TPS coordinate generator (if not provided per-needle) /\n tps_provider?: () => string;\n}\n\n/\n The result of running a full Needle pipeline.\n /\nexport interface NeedlePipelineResult {\n /* Whether the full pipeline succeeded /\n ok: boolean;\n\n /* The completed needle /\n needle: Needle;\n\n /* The stitch produced (if successful) /\n stitch?: Stitch;\n\n /* Updated thread state /\n thread_state?: ThreadState;\n\n /* Timeline event (if timeline recording enabled) /\n timeline_event?: TimelineEvent;\n}\n","/\n Knot — Critical binding points in the Thread\n \n A Knot is where multiple stitches converge and become inseparable\n * due to dependency, authority, or consequence.\n \n Stitch = one action\n * Thread = sequence of actions\n * Knot = critical point that ties multiple actions together\n \n Thread shows what happened.\n * Knot shows what mattered.\n \n Rules:\n * 1. Knot cannot be silently broken\n * 2. Knot must be fully witnessed\n * 3. Irreversible knots require strict validation\n * 4. Forking from a knot creates a new branch\n /\n\nimport type { Stitch } from './needle.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Knot Types\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Authority: Multiple actions bound under one capsule / approval\n * Law: Actions tied by legal consequence\n * Causal: Actions that depend on each other sequentially\n * Decision: Fork point where different futures emerge\n * Irreversible: Point of no return — cannot be undone\n /\nexport type KnotType =\n \| 'authority'\n \| 'law'\n \| 'causal'\n \| 'decision'\n \| 'irreversible';\n\nexport type KnotStatus =\n \| 'open' // Knot is still forming (accepting stitches)\n \| 'tied' // Knot is complete and sealed\n \| 'broken' // Knot was broken (override, failure, revocation)\n \| 'forked'; // Knot became a branch point\n\n// ────────────────────────────────────────────────────────────────────────────\n// Knot\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface Knot {\n /* Unique knot identifier /\n knot_id: string;\n\n /* What kind of binding this knot represents /\n type: KnotType;\n\n /* Current state /\n status: KnotStatus;\n\n /* Stitch IDs that form this knot /\n stitch_ids: string[];\n\n /* Thread this knot belongs to /\n thread_id: string;\n\n /* TPS coordinate that anchors this knot in time /\n tps_anchor?: string;\n\n /* Whether this knot represents a point of no return /\n irreversible: boolean;\n\n // ── Binding context ──\n\n /* Capsule that authorizes this group (authority knots) /\n capsule_id?: string;\n\n /* DFL law coordinate that governs this knot (law knots) /\n law_ref?: string;\n\n /* The stitch that is the decision point (decision knots) /\n decision_stitch_id?: string;\n\n /* Branch IDs spawned from this knot (decision/fork knots) /\n branch_ids: string[];\n\n // ── Constraints ──\n\n /* Minimum stitches required to tie this knot /\n required_count?: number;\n\n /* Whether all stitches must succeed for the knot to hold /\n all_or_nothing: boolean;\n\n // ── Metadata ──\n\n /* Actor who initiated this knot /\n actor_id: string;\n\n /* When the knot was created (opened) /\n created_at: number;\n\n /* When the knot was tied (sealed) /\n tied_at?: number;\n\n /* When the knot was broken (if broken) /\n broken_at?: number;\n\n /* Reason for breaking, if applicable /\n break_reason?: string;\n\n /* Witness hash covering all stitch receipts in this knot /\n witness_hash?: string;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Knot Validation\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface KnotValidationResult {\n valid: boolean;\n /* Which stitches passed /\n passed_stitch_ids: string[];\n /* Which stitches failed or are missing /\n failed_stitch_ids: string[];\n /* Whether the knot can be tied given current stitches /\n can_tie: boolean;\n /* Errors /\n errors: KnotError[];\n}\n\nexport interface KnotError {\n code: string;\n message: string;\n stitch_id?: string;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Knot Break Request\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface KnotBreakRequest {\n /* Knot to break /\n knot_id: string;\n /* Who is breaking it /\n actor_id: string;\n /* Why it's being broken /\n reason: string;\n /* Authority override (required for law/irreversible knots) /\n override_grant_id?: string;\n /* Signature proving authority /\n signature?: string;\n}\n","/\n Fabric — The resulting reality after stitches are woven\n \n Fabric is the state space — the unified projection of all threads,\n * stitches, and knots into \"what is true right now.\"\n \n Thread records what happened.\n * Knot records what mattered.\n * Fabric records what IS.\n \n A Fabric is built by replaying all stitches in order,\n * applying their effects to produce the current world state.\n \n Properties:\n * 1. Deterministic — same stitches produce same fabric\n * 2. Projectable — can compute fabric at any TPS coordinate\n * 3. Verifiable — fabric hash proves state integrity\n * 4. Multi-thread — weaves all threads into one reality\n * 5. Knot-aware — knots create structural boundaries in fabric\n /\n\nimport type { Knot } from './knot.types';\nimport type { Stitch, Thread } from './needle.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Fabric State\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n A single cell of state within the fabric.\n * Each cell tracks what produced it and when.\n /\nexport interface FabricCell {\n /* State key (e.g., \"account:alice:balance\", \"zone:example.com:records\") /\n key: string;\n /* Current value /\n value: unknown;\n /* Stitch that last wrote this cell /\n last_stitch_id: string;\n /* TPS coordinate of last write /\n last_tps?: string;\n /* How many stitches have touched this cell /\n write_count: number;\n /* Whether this cell is inside an irreversible knot /\n locked: boolean;\n /* Knot ID that locked this cell (if locked) /\n locked_by_knot?: string;\n}\n\n/\n The Fabric — the current state of reality.\n * Produced by weaving all stitches across all threads.\n /\nexport interface Fabric {\n /* Unique fabric snapshot identifier /\n fabric_id: string;\n\n /* SHA-256 hash of the entire fabric state (for integrity verification) /\n state_hash: string;\n\n /* All state cells /\n cells: Map<string, FabricCell>;\n\n /* Thread IDs woven into this fabric /\n thread_ids: string[];\n\n /* Total stitches applied /\n stitch_count: number;\n\n /* Total knots present /\n knot_count: number;\n\n /* TPS coordinate this fabric was projected at (latest stitch) /\n projected_at_tps?: string;\n\n /* Timestamp of fabric computation /\n computed_at: number;\n\n /* Sequence: monotonically increasing fabric version /\n version: number;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Fabric Projection\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n A FabricEffect describes the state changes a stitch produces.\n * Handlers return this to tell the Fabric what changed.\n /\nexport interface FabricEffect {\n /* State mutations: key → new value (null = delete) /\n mutations: Record<string, unknown \| null>;\n /* Keys this stitch read but didn't write (dependency tracking) /\n reads?: string[];\n}\n\n/\n Resolver function: given a stitch, return the effect it has on the fabric.\n * Used during fabric projection to convert stitches into state changes.\n /\nexport type FabricEffectResolver = (stitch: Stitch) => FabricEffect;\n\n// ────────────────────────────────────────────────────────────────────────────\n// Fabric Diff\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type FabricDiffKind = 'added' \| 'modified' \| 'deleted';\n\nexport interface FabricDiffEntry {\n key: string;\n kind: FabricDiffKind;\n before?: unknown;\n after?: unknown;\n caused_by_stitch?: string;\n}\n\n/\n Diff between two fabric states.\n /\nexport interface FabricDiff {\n from_fabric_id: string;\n to_fabric_id: string;\n entries: FabricDiffEntry[];\n added_count: number;\n modified_count: number;\n deleted_count: number;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Fabric Query\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface FabricQuery {\n /* Key prefix to match (e.g., \"account:alice:\" returns all alice's state) /\n prefix?: string;\n /* Exact keys to retrieve /\n keys?: string[];\n /* Only return cells touched by this actor /\n actor_id?: string;\n /* Only return cells within this thread /\n thread_id?: string;\n /* Only return locked cells /\n locked_only?: boolean;\n}\n","/\n Pattern — Recurring structure in the Fabric\n \n A Pattern is a recognized shape of stitches, knots, or state changes\n * that repeats across threads or timelines. Patterns are the learning\n * layer — they answer: \"I've seen this shape before.\"\n \n Hierarchy:\n * Stitches form Threads\n * Important stitches form Knots\n * Knots define Reality Structure\n * Recurring structures form Patterns\n * Patterns reveal the nature of the Fabric\n \n Pattern detection enables AXIS Being to:\n * - Predict outcomes before execution\n * - Suggest alternatives based on history\n * - Identify anomalies (deviation from known patterns)\n * - Learn from past executions\n /\n\nimport type { Knot, KnotType } from './knot.types';\nimport type { Stitch, StitchKind } from './needle.types';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Pattern Types\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Sequence: Ordered chain of intents that recur (A → B → C)\n * Knot: Recurring knot formation (same knot type + shape)\n * State: Recurring state mutation pattern in the Fabric\n * Decision: Recurring decision path at fork points\n * Anomaly: Deviation from an established pattern\n /\nexport type PatternKind =\n \| 'sequence'\n \| 'knot'\n \| 'state'\n \| 'decision'\n \| 'anomaly';\n\nexport type PatternConfidence = number; // 0.0 – 1.0\n\n// ────────────────────────────────────────────────────────────────────────────\n// Pattern Definition\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n A Pattern is a recognized recurring structure in the Fabric.\n /\nexport interface Pattern {\n /* Unique pattern identifier /\n pattern_id: string;\n\n /* What kind of pattern /\n kind: PatternKind;\n\n /* Human-readable name /\n name: string;\n\n /* Description of what this pattern represents /\n description?: string;\n\n /* The signature that defines this pattern (what to look for) /\n signature: PatternSignature;\n\n /* How confident the system is that this is a real pattern /\n confidence: PatternConfidence;\n\n /* How many times this pattern has been observed /\n occurrence_count: number;\n\n /* When this pattern was first detected /\n first_seen_at: number;\n\n /* When this pattern was last matched /\n last_seen_at: number;\n\n /* Thread IDs where this pattern has appeared /\n seen_in_threads: string[];\n\n /* Whether this pattern is considered normal or anomalous /\n classification: 'normal' \| 'anomalous' \| 'unclassified';\n\n /* What typically follows this pattern (predicted next step) /\n predicted_next?: PatternPrediction;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Pattern Signature — What defines a pattern\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface PatternSignature {\n /* Ordered list of intent names (for sequence patterns) /\n intent_sequence?: string[];\n\n /* Stitch kinds in order (for stitch-level patterns) /\n stitch_kinds?: StitchKind[];\n\n /* Knot type (for knot patterns) /\n knot_type?: KnotType;\n\n /* Number of stitches in the knot (for knot patterns) /\n knot_size?: number;\n\n /* State key prefixes affected (for state patterns) /\n state_keys?: string[];\n\n /* State mutation shape: key → 'created' \| 'updated' \| 'deleted' /\n state_mutations?: Record<string, 'created' \| 'updated' \| 'deleted'>;\n\n /* Decision outcome that recurs (for decision patterns) /\n decision_outcome?: string;\n\n /* Actor pattern: specific actor or '' for any /\n actor?: string;\n\n /** Minimum stitches in the sequence /\n min_length?: number;\n\n /* Maximum stitches in the sequence /\n max_length?: number;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Pattern Match\n// ────────────────────────────────────────────────────────────────────────────\n\n/* A match of a pattern against actual stitches. /\nexport interface PatternMatch {\n /* Pattern that was matched /\n pattern_id: string;\n\n /* Stitch IDs that form this match /\n matched_stitch_ids: string[];\n\n /* Knot IDs involved (if knot pattern) /\n matched_knot_ids?: string[];\n\n /* How well the match fits (0.0 – 1.0) /\n match_score: number;\n\n /* Thread where the match was found /\n thread_id: string;\n\n /* When the match was detected /\n detected_at: number;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Pattern Prediction\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n What the system predicts will happen next based on a pattern.\n * Used by AXIS Being for pre-execution intelligence.\n /\nexport interface PatternPrediction {\n /* Most likely next intent /\n next_intent: string;\n\n /* Confidence that this prediction is correct /\n confidence: PatternConfidence;\n\n /* Alternative possible next intents /\n alternatives: Array<{\n intent: string;\n confidence: PatternConfidence;\n }>;\n\n /* Predicted outcome if the pattern completes /\n predicted_outcome?: string;\n\n /* Risk level if the pattern continues /\n risk_note?: string;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Pattern Registry\n// ────────────────────────────────────────────────────────────────────────────\n\n/\n Store interface for patterns.\n * Implementations can use in-memory, database, or ML model.\n /\nexport interface PatternStore {\n save(pattern: Pattern): void;\n get(patternId: string): Pattern \| undefined;\n findByKind(kind: PatternKind): Pattern[];\n findByIntent(intent: string): Pattern[];\n all(): Pattern[];\n}\n","export from './needle.types';\nexport * from './needle.engine';\nexport * from './knot.types';\nexport * from './knot.engine';\nexport * from './fabric.types';\nexport * from './fabric.engine';\nexport * from './pattern.types';\nexport * from './pattern.engine';\n","import * as z from 'zod';\nimport { AxisFrameZ } from '../core/axis-bin';\n\n/*\n AXIS Sensor Input/Output Validation Schemas\n \n Centralized Zod schemas for all sensor input validation.\n * Ensures type-safe, runtime-validated data across the entire sensor chain.\n \n Usage:\n * const input = CountryBlockSensorInputZ.parse(data);\n * const input = CountryBlockSensorInputZ.safeParse(data);\n /\n\n// ============================================================================\n// COMMON TYPES & UTILITIES\n// ============================================================================\n\n/\n Sensor decision outcomes (Zod version for schema composition)\n /\nexport const SensorDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n meta: z.any().optional(),\n }),\n]);\n\nexport const SensorDecisionWithMetadataZ = z.union([\n z.object({ action: z.literal('ALLOW'), meta: z.any().optional() }),\n z.object({\n action: z.literal('DENY'),\n code: z.string(),\n reason: z.string().optional(),\n retryAfterMs: z.number().int().positive().optional(),\n meta: z.any().optional(),\n }),\n]);\n\n// ============================================================================\n// COUNTRY BLOCK SENSOR\n// ============================================================================\n\nexport const CountryBlockSensorInputZ = z.object({\n ip: z.string().min(1),\n country: z.string().length(2).toUpperCase().optional(),\n});\nexport type CountryBlockSensorInput = z.infer<typeof CountryBlockSensorInputZ>;\n\nexport const CountryBlockDecisionZ = SensorDecisionZ;\nexport type CountryBlockDecision = z.infer<typeof CountryBlockDecisionZ>;\n\n// ============================================================================\n// SCAN BURST SENSOR\n// ============================================================================\n\nexport const ScanBurstSensorInputZ = z.object({\n ip: z.string().min(1),\n isFailure: z.boolean().optional(),\n});\nexport type ScanBurstSensorInput = z.infer<typeof ScanBurstSensorInputZ>;\n\nexport const ScanBurstDecisionZ = SensorDecisionWithMetadataZ;\nexport type ScanBurstDecision = z.infer<typeof ScanBurstDecisionZ>;\n\n// ============================================================================\n// PROOF PRESENCE SENSOR\n// ============================================================================\n\nexport const ProofKindZ = z.enum([\n 'NONE',\n 'CAPSULE',\n 'PASSPORT',\n 'MTLS',\n 'JWT',\n]);\nexport type ProofKind = z.infer<typeof ProofKindZ>;\n\nexport const AccessProfileZ = z.enum(['PUBLIC', 'PARTNER', 'INTERNAL', 'NODE']);\nexport type AccessProfile = z.infer<typeof AccessProfileZ>;\n\nexport const ProofPresenceInputZ = z.object({\n profile: AccessProfileZ,\n visibility: z.enum(['PUBLIC', 'GUARDED']),\n requiredProof: z.array(ProofKindZ).min(1),\n hasCapsule: z.boolean(),\n hasPassportSignature: z.boolean(),\n intent: z.string().min(1),\n});\nexport type ProofPresenceInput = z.infer<typeof ProofPresenceInputZ>;\n\n// ============================================================================\n// INTENT POLICY SENSOR\n// ============================================================================\n\nexport const SensitivityLevelZ = z.enum(['LOW', 'MEDIUM', 'HIGH', 'CRITICAL']);\nexport type SensitivityLevel = z.infer<typeof SensitivityLevelZ>;\n\nexport const IntentPolicyZ = z.object({\n intent: z.string().min(1),\n sensitivity: SensitivityLevelZ,\n maxFrameBytes: z.number().int().positive(),\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n maxSigBytes: z.number().int().positive().optional(),\n rateLimitPerMinute: z.number().int().positive().optional(),\n rateLimitPerHour: z.number().int().positive().optional(),\n requiresSignature: z.boolean(),\n requiresCapsule: z.boolean(),\n timeoutMs: z.number().int().positive(),\n});\nexport type IntentPolicy = z.infer<typeof IntentPolicyZ>;\n\nexport const IntentPolicySensorInputZ = z.object({\n frame: AxisFrameZ,\n intent: z.string().min(1),\n rawFrameSize: z.number().int().positive(),\n});\nexport type IntentPolicySensorInput = z.infer<typeof IntentPolicySensorInputZ>;\n\nexport const IntentPolicyDecisionZ = z.union([\n z.object({\n action: z.literal('ALLOW'),\n policy: IntentPolicyZ,\n }),\n z.object({\n action: z.literal('DENY'),\n reason: z.string(),\n }),\n]);\nexport type IntentPolicyDecision = z.infer<typeof IntentPolicyDecisionZ>;\n\n// ============================================================================\n// CAPSULE VERIFY SENSOR\n// ============================================================================\n\nexport const CapsuleClaimsZ = z.object({\n capsuleId: z.string().min(8),\n allowIntents: z.array(z.string()).min(1),\n limits: z\n .object({\n maxBodyBytes: z.number().int().positive().optional(),\n })\n .optional(),\n scopes: z.record(z.string(), z.any()).optional(),\n});\nexport type CapsuleClaims = z.infer<typeof CapsuleClaimsZ>;\n\nexport const CapsuleZ = z.object({\n id: z.string(),\n claims: CapsuleClaimsZ,\n issuedAt: z.number().int(),\n expiresAt: z.number().int(),\n tier: z.enum(['FREE', 'STANDARD', 'PREMIUM']),\n});\nexport type Capsule = z.infer<typeof CapsuleZ>;\n\nexport const CapsuleValidationResultZ = z.object({\n valid: z.boolean(),\n capsule: CapsuleZ.optional(),\n reason: z.string().optional(),\n requiresStepUp: z.boolean().optional(),\n});\nexport type CapsuleValidationResult = z.infer<typeof CapsuleValidationResultZ>;\n\nexport const CapsuleVerifySensorInputZ = z.object({\n headers: z.map(\n z.number(),\n z.custom<Uint8Array>((v) => v instanceof Uint8Array),\n ),\n intent: z.string().min(1),\n ctx: z.any(), // AxisContext - avoid circular dependency\n});\nexport type CapsuleVerifySensorInput = z.infer<\n typeof CapsuleVerifySensorInputZ\n>;\n\nexport const CapsuleVerifyResultZ = z.object({\n ok: z.literal(true),\n capsule: CapsuleZ,\n});\nexport type CapsuleVerifyResult = z.infer<typeof CapsuleVerifyResultZ>;\n\n// ============================================================================\n// RATE LIMIT SENSOR\n// ============================================================================\n\nexport const RateLimitProfileZ = z.enum([\n 'PUBLIC',\n 'PARTNER',\n 'INTERNAL',\n 'NODE',\n]);\nexport type RateLimitProfile = z.infer<typeof RateLimitProfileZ>;\n\nexport const RateLimitInputZ = z.object({\n ip: z.string().min(1),\n userAgent: z.string().optional(),\n actorId: z.string().optional(),\n capsuleId: z.string().optional(),\n intent: z.string().min(1),\n profile: RateLimitProfileZ,\n});\nexport type RateLimitInput = z.infer<typeof RateLimitInputZ>;\n\nexport const RateLimitConfigZ = z.object({\n windowSec: z.number().int().positive(),\n max: z.number().int().positive(),\n key: z.enum(['ip_fingerprint', 'actor_capsule']),\n});\nexport type RateLimitConfig = z.infer<typeof RateLimitConfigZ>;\n\nexport const SensorResultZ = z.object({\n ok: z.literal(true),\n});\nexport type SensorResult = z.infer<typeof SensorResultZ>;\n\n// ============================================================================\n// SIGNATURE VERIFICATION SENSOR (Detailed)\n// ============================================================================\n\nexport const PassportZ = z.object({\n id: z.string(),\n public_key: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n status: z.enum(['ACTIVE', 'REVOKED', 'EXPIRED', 'PENDING']),\n issuedAt: z.number().int(),\n expiresAt: z.number().int().optional(),\n});\nexport const ExecutionMetricsZ = z.object({\n dbWrites: z.number().int(),\n dbReads: z.number().int(),\n externalCalls: z.number().int(),\n elapsedMs: z.number().int().optional(),\n});\n\nexport type Passport = z.infer<typeof PassportZ>;\n\n// ============================================================================\n// GENERAL SENSOR CHAIN INPUT\n// ============================================================================\n\nexport const SensorChainInputZ = z.object({\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n});\nexport type SensorChainInput = z.infer<typeof SensorChainInputZ>;\n\n// ============================================================================\n// ENTROPY SENSOR\n// ============================================================================\n\nexport const EntropySensorInputZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)).optional(),\n ip: z.string().min(1),\n});\nexport type EntropySensorInput = z.infer<typeof EntropySensorInputZ>;\n\n// ============================================================================\n// PROTOCOL STRICT SENSOR\n// ============================================================================\n\nexport const ProtocolStrictInputZ = z.object({\n rawBytes: z\n .union([z.custom<Buffer>((v) => Buffer.isBuffer(v)), z.instanceof(Uint8Array)])\n .optional(),\n ip: z.string().min(1),\n path: z.string().min(1),\n contentLength: z.number().int().nonnegative(),\n peek: z.instanceof(Uint8Array),\n country: z.string().optional(),\n contentType: z.string().optional(),\n});\nexport type ProtocolStrictInput = z.infer<typeof ProtocolStrictInputZ>;\n\n// ============================================================================\n// SCHEMA VALIDATION SENSOR\n// ============================================================================\n\nexport const SchemaFieldKindZ = z.enum([\n 'utf8',\n 'u64',\n 'bytes',\n 'bytes16',\n 'bool',\n 'obj',\n 'arr',\n]);\nexport type SchemaFieldKind = z.infer<typeof SchemaFieldKindZ>;\n\nexport const ScopeZ = z.enum(['header', 'body']);\nexport type Scope = z.infer<typeof ScopeZ>;\n\nexport const SchemaFieldZ = z.object({\n name: z.string().min(1),\n tlv: z.number().int().positive(),\n kind: SchemaFieldKindZ,\n required: z.boolean().optional(),\n maxLen: z.number().int().positive().optional(),\n max: z.string().optional(),\n scope: ScopeZ.optional(),\n});\nexport type SchemaField = z.infer<typeof SchemaFieldZ>;\n\nexport const BodyProfileZ = z.enum(['TLV_MAP', 'RAW', 'TLV_OBJ', 'TLV_ARR']);\nexport type BodyProfile = z.infer<typeof BodyProfileZ>;\n\nexport const IntentSchemaZ = z.object({\n intent: z.string().min(1),\n version: z.number().int().positive(),\n bodyProfile: BodyProfileZ,\n fields: z.array(SchemaFieldZ).min(1),\n});\nexport type IntentSchema = z.infer<typeof IntentSchemaZ>;\n\n// ============================================================================\n// WEBSOCKET HANDSHAKE SENSOR\n// ============================================================================\n\nexport const WsHandshakeInputZ = z.object({\n clientId: z.string().min(1),\n isWs: z.boolean(),\n ip: z.string().min(1),\n});\nexport type WsHandshakeInput = z.infer<typeof WsHandshakeInputZ>;\n\nexport const WsHandshakeDecisionZ = z.union([\n z.object({ action: z.literal('ALLOW') }),\n z.object({ action: z.literal('DENY'), code: z.string() }),\n]);\nexport type WsHandshakeDecision = z.infer<typeof WsHandshakeDecisionZ>;\n\n// ============================================================================\n// IP REPUTATION SENSOR\n// ============================================================================\n\nexport const IPReputationInputZ = z.object({\n ip: z.string().min(1),\n});\nexport type IPReputationInput = z.infer<typeof IPReputationInputZ>;\n\nexport const IPReputationZ = z.object({\n score: z.number().min(-100).max(100),\n lastUpdated: z.number().int(),\n totalRequests: z.number().int().nonnegative(),\n failedRequests: z.number().int().nonnegative(),\n blockedRequests: z.number().int().nonnegative(),\n tags: z.array(z.string()),\n});\nexport type IPReputation = z.infer<typeof IPReputationZ>;\n\n// ============================================================================\n// FILE UPLOAD STATE SENSOR\n// ============================================================================\n\nexport const UploadStatusZ = z.enum([\n 'INIT',\n 'UPLOADING',\n 'FINALIZING',\n 'DONE',\n 'ABORTED',\n]);\nexport type UploadStatus = z.infer<typeof UploadStatusZ>;\n\nexport const UploadSessionZ = z.object({\n uploadIdHex: z.string().min(1),\n fileName: z.string().min(1),\n totalSize: z.number().int().positive(),\n chunkSize: z.number().int().positive(),\n totalChunks: z.number().int().positive(),\n receivedCount: z.number().int().nonnegative(),\n status: UploadStatusZ,\n});\nexport type UploadSession = z.infer<typeof UploadSessionZ>;\n\n// ============================================================================\n// BODY BUDGET SENSOR\n// ============================================================================\n\nexport const BodyBudgetInputZ = z.object({\n intent: z.string().min(1),\n headerLen: z.number().int().nonnegative(),\n bodyLen: z.number().int().nonnegative(),\n});\nexport type BodyBudgetInput = z.infer<typeof BodyBudgetInputZ>;\n\nexport const BodyBudgetPolicyZ = z.object({\n maxHeaderBytes: z.number().int().positive(),\n maxBodyBytes: z.number().int().positive(),\n});\nexport type BodyBudgetPolicy = z.infer<typeof BodyBudgetPolicyZ>;\n\n// ============================================================================\n// CHUNK HASH SENSOR\n// ============================================================================\n\nexport const ChunkHashInputZ = z.object({\n headerTLVs: z.any(), // Map<number, Uint8Array> - flexible validation for compatibility\n bodyBytes: z.any(), // Uint8Array - flexible validation for compatibility\n intent: z.string().min(1),\n});\nexport type ChunkHashInput = z.infer<typeof ChunkHashInputZ>;\n\n// ============================================================================\n// AXIS CONTEXT (Request Context across sensors)\n// ============================================================================\n\nexport enum ProofType {\n CAPSULE = 1,\n JWT = 2,\n MTLS_ID = 3,\n DEVICE_SE = 4,\n WITNESS_SIG = 5,\n}\n\nexport const AxisContextZ = z.object({\n pid: z.custom<Buffer>((v) => Buffer.isBuffer(v)), // Process ID\n ts: z.bigint(), // Timestamp\n intent: z.string().min(1),\n actorId: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n proofType: z.enum(ProofType),\n proofRef: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n nonce: z.custom<Buffer>((v) => Buffer.isBuffer(v)),\n ip: z.string().min(1),\n nodeCertHash: z.string().optional(),\n capsule: CapsuleZ.optional(),\n passport: PassportZ.optional(),\n meter: z.any().optional(), // ExecutionMeter instance - any to avoid circular dependency and allow class instance\n});\n\nexport type AxisContext = z.infer<typeof AxisContextZ>;\n\n// ============================================================================\n// ERROR HANDLING\n// ============================================================================\n\nexport const AxisErrorZ = z.object({\n code: z.string(),\n message: z.string(),\n httpStatus: z.number().int(),\n});\nexport type AxisError = z.infer<typeof AxisErrorZ>;\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { decodeTLVsList } from '../core/tlv';\n\n/\n Body Profile Types\n /\nexport enum BodyProfile {\n RAW = 0, // Raw binary (no structure)\n TLV_MAP = 1, // Flat TLV map (type -> value)\n OBJ = 2, // Nested object (OBJ TLVs)\n ARR = 3, // Array (ARR TLVs)\n}\n\nexport interface BodyProfileValidation {\n valid: boolean;\n error?: string;\n profile: BodyProfile;\n}\n\n/\n Validates AXIS frame body against declared body profile\n /\n@Injectable()\nexport class BodyProfileValidator {\n private readonly logger = new Logger(BodyProfileValidator.name);\n\n /\n Validate body matches declared profile\n /\n validate(body: Uint8Array, profile: BodyProfile): BodyProfileValidation {\n switch (profile) {\n case BodyProfile.RAW:\n return this.validateRaw(body);\n\n case BodyProfile.TLV_MAP:\n return this.validateTlvMap(body);\n\n case BodyProfile.OBJ:\n return this.validateObj(body);\n\n case BodyProfile.ARR:\n return this.validateArr(body);\n\n default:\n return {\n valid: false,\n error: `Unknown body profile: ${profile}`,\n profile,\n };\n }\n }\n\n /\n RAW profile - no validation, any bytes accepted\n /\n private validateRaw(body: Uint8Array): BodyProfileValidation {\n return {\n valid: true,\n profile: BodyProfile.RAW,\n };\n }\n\n /\n TLV_MAP profile - flat TLV list (no nested structures)\n /\n private validateTlvMap(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Check no nested structures (OBJ or ARR types)\n for (const tlv of tlvs) {\n if (tlv.type === 254 \|\| tlv.type === 255) {\n return {\n valid: false,\n error: 'TLV_MAP profile cannot contain nested OBJ/ARR types',\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n return {\n valid: true,\n profile: BodyProfile.TLV_MAP,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `TLV_MAP decode failed: ${message}`,\n profile: BodyProfile.TLV_MAP,\n };\n }\n }\n\n /\n OBJ profile - must be valid nested object\n /\n private validateObj(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one OBJ type (254)\n const hasObj = tlvs.some((t) => t.type === 254);\n if (!hasObj && tlvs.length > 0) {\n return {\n valid: false,\n error: 'OBJ profile must contain OBJ type (254)',\n profile: BodyProfile.OBJ,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.OBJ,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `OBJ decode failed: ${message}`,\n profile: BodyProfile.OBJ,\n };\n }\n }\n\n /\n ARR profile - must be valid array\n /\n private validateArr(body: Uint8Array): BodyProfileValidation {\n try {\n const tlvs = decodeTLVsList(body);\n\n // Must contain at least one ARR type (255)\n const hasArr = tlvs.some((t) => t.type === 255);\n if (!hasArr && tlvs.length > 0) {\n return {\n valid: false,\n error: 'ARR profile must contain ARR type (255)',\n profile: BodyProfile.ARR,\n };\n }\n\n return {\n valid: true,\n profile: BodyProfile.ARR,\n };\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n valid: false,\n error: `ARR decode failed: ${message}`,\n profile: BodyProfile.ARR,\n };\n }\n }\n}\n","export from './axis-schemas';\nexport {\n BodyProfileValidator,\n BodyProfile,\n type BodyProfileValidation,\n} from './body-profile.validator';\n","export * from './scopes';\nexport * from './capabilities';\nexport * from './axis-sensor-chain.service';\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Access Profile Resolver AxisSensor\n \n This sensor determines whether an AXIS request should be handled under the\n * 'PUBLIC' or 'GUARDED' access profile. It does this by checking for the presence\n * of authentication proofs in the request metadata.\n \n Execution Order: 50 (runs very early)\n \n Core Concept:\n * - If any structural proof is present (Capsule, Passport, or mTLS certificate),\n * the request is flagged as `GUARDED`.\n * - Otherwise, it is treated as `PUBLIC`.\n \n Impact:\n * This determination is stored in `input.metadata.profile` and is used by\n * downstream sensors like `CapabilityEnforcementSensor` to decide whether\n * to enforce strict authorization checks.\n \n @class AccessProfileResolverSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class AccessProfileResolverSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'AccessProfileResolverSensor';\n\n /\n Execution order - runs early to establish the access profile\n * for downstream sensors.\n /\n readonly order = BAND.IDENTITY + 10;\n\n supports(): boolean {\n return true;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n // Resolve profile: presence of proof => GUARDED, else PUBLIC\n const hasCapsule = !!input.metadata?.capsuleId;\n const hasPassport = !!input.metadata?.passportSig;\n const hasMTLS = !!input.metadata?.mtlsId;\n\n const profile = hasCapsule \|\| hasPassport \|\| hasMTLS ? 'GUARDED' : 'PUBLIC';\n\n // Store in metadata for downstream sensors\n if (!input.metadata) input.metadata = {};\n input.metadata.profile = profile;\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { MAX_BODY_LEN, MAX_HDR_LEN } from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Body Budget AxisSensor - Section Size Limit Enforcement\n \n Validates that header and body sections of AXIS frames are within\n * configured size limits. This prevents memory exhaustion attacks and\n * ensures efficient processing.\n \n Execution Order: 150 (after auth, before schema validation)\n \n Core Concept:\n * AXIS frames have three main sections:\n * - Header (TLVs for routing, auth, etc.)\n * - Body (payload data)\n * - Signature\n \n Each section has a declared length in the frame header. This sensor\n * validates those lengths against configured maximums BEFORE reading\n * the full content.\n \n Frame Format Reference:\n * ```\n * Offset 0-4: Magic (AXIS1)\n * Offset 5: Version (0x01)\n * Offset 6: Flags\n * Offset 7+: HDR_LEN (varint)\n * Following: BODY_LEN (varint)\n * Following: SIG_LEN (varint)\n * Then: HDR bytes, BODY bytes, SIG bytes\n * ```\n \n Default Limits (from constants.ts):\n * - MAX_HDR_LEN: 2048 bytes (2KB)\n * - MAX_BODY_LEN: 65536 bytes (64KB)\n \n Security Model:\n * - Fail Open: Parse errors allow (other sensors catch)\n * - Early Rejection: Rejects before reading large payloads\n * - Defense in Depth: Works with FrameBudgetSensor\n \n Actions:\n * - `ALLOW` - Sizes within limits\n * - `DENY` - Header or body exceeds maximum\n \n Error Codes:\n * - `HEADER_TOO_LARGE` - Header exceeds MAX_HDR_LEN\n * - `BODY_TOO_LARGE` - Body exceeds MAX_BODY_LEN\n \n Performance:\n * - Parses first ~20 bytes (varint lengths)\n * - O(1) comparison\n * - Latency: <0.5ms\n \n @class BodyBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Within limits:\n * ```typescript\n * // HDR_LEN: 500 (< 2048), BODY_LEN: 10000 (< 65536)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Body too large:\n * ```typescript\n * // BODY_LEN: 100000 (> 65536)\n * {\n * action: 'DENY',\n * code: 'BODY_TOO_LARGE',\n * reason: 'Body size 100000 exceeds limit 65536'\n * }\n * ```\n \n @see {@link FrameBudgetSensor} - Content-Length based limiting\n * @see {@link MAX_BODY_LEN} - Configurable body limit\n /\n@Sensor()\n@Injectable()\nexport class BodyBudgetSensor implements AxisSensor {\n /* AxisSensor identifier /\n readonly name = 'BodyBudgetSensor';\n\n /\n Execution order - after authentication\n \n Order 150 ensures:\n * - Authentication complete\n * - Runs before full body read\n * - Before schema validation (170)\n /\n readonly order = BAND.CONTENT + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 8 bytes of peeked data to read headers.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data available\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 8;\n }\n\n /\n Validates header and body lengths against configured limits.\n \n Frame Parsing:\n * - Skip magic (5 bytes)\n * - Skip version (1 byte)\n * - Skip flags (1 byte)\n * - Read HDR_LEN varint\n * - Read BODY_LEN varint\n * - Compare against MAX_HDR_LEN and MAX_BODY_LEN\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size limits\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { peek } = input;\n\n // Should be caught by ProtocolStrict, but defensive check\n if (!peek \|\| peek.length < 8) {\n return { action: 'ALLOW' };\n }\n\n try {\n // Frame structure:\n // 0-4: Magic (AXIS1)\n // 5: Version\n // 6: Flags\n // 7+: Varints for HDR_LEN, BODY_LEN, SIG_LEN\n\n let offset = 5; // After magic\n offset += 1; // Skip version\n offset += 1; // Skip flags\n\n // Now at offset 7: read HDR_LEN varint\n const { value: hdrLen, length: hdrBytes } = decodeVarint(peek, offset);\n offset += hdrBytes;\n\n // Read BODY_LEN varint\n const { value: bodyLen } = decodeVarint(peek, offset);\n\n // === Check Header Limit ===\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds limit ${MAX_HDR_LEN}`,\n };\n }\n\n // === Check Body Limit ===\n if (bodyLen > MAX_BODY_LEN) {\n return {\n action: 'DENY',\n code: 'BODY_TOO_LARGE',\n reason: `Body size ${bodyLen} exceeds limit ${MAX_BODY_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n } catch (e) {\n // Parse errors are likely malformed frames\n // ProtocolStrict will handle them\n return { action: 'ALLOW' };\n }\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n Capability,\n INTENT_REQUIREMENTS,\n PROOF_CAPABILITIES,\n SensorDecision,\n SensorInput,\n} from '../index';\n\n/\n Capability Enforcement AxisSensor - Authorization Based on Proof Type\n \n Maps authentication proof types to capabilities and enforces capability\n * requirements per intent. This implements role-based access control (RBAC)\n * at the intent level.\n \n Execution Order: 100 (after capsule/signature verification)\n \n Core Concept:\n * Different authentication methods grant different capabilities:\n * - Stronger auth = more capabilities\n * - Weaker auth = fewer capabilities\n \n Each intent has required capabilities. The request's proof type must\n * grant ALL required capabilities for the intent to proceed.\n \n Capability Definitions:\n * - `read` - Can read/query data\n * - `write` - Can create/update data\n * - `execute` - Can trigger actions/operations\n * - `admin` - Administrative operations\n * - `sign` - Can create digital signatures\n * - `witness` - Can act as independent witness\n \n Proof Type Mappings:\n * \| Type \| Name \| Capabilities \|\n * \|------\|------\|--------------\|\n * \| 0 \| NONE \| (none) \|\n * \| 1 \| CAPSULE \| read, write, execute \|\n * \| 2 \| JWT \| read \|\n * \| 3 \| MTLS \| read, write, admin \|\n * \| 4 \| DEVICE_SE \| read, write, sign \|\n * \| 5 \| WITNESS_SIG \| read, write, execute, witness \|\n \n @class CapabilityEnforcementSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload (requires 'write'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'file.upload' (requires: write)\n * // write ∈ [read, write, execute] ✓\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Admin operation (requires 'admin'):\n * ```typescript\n * // Proof type: CAPSULE (grants: read, write, execute)\n * // Intent: 'admin.users.delete' (requires: admin)\n * // admin ∉ [read, write, execute] ✗\n * {\n * action: 'DENY',\n * code: 'CAPABILITY_DENIED',\n * reason: 'Missing capabilities: admin'\n * }\n * ```\n /\n\n@Sensor()\n@Injectable()\nexport class CapabilityEnforcementSensor implements AxisSensor {\n private readonly logger = new Logger(CapabilityEnforcementSensor.name);\n\n /* AxisSensor identifier for logging and registry /\n readonly name = 'CapabilityEnforcementSensor';\n\n /\n Execution order - runs after authentication\n \n Order 100 ensures:\n * - Capsule is verified (CapsuleVerifySensor @ 80)\n * - Signature is verified (SigVerifySensor @ 90)\n * - We know the proof type for capability lookup\n /\n readonly order = BAND.POLICY + 10;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when an intent is present.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Enforces capability requirements for the requested intent.\n \n Processing Flow:\n * 1. Extract proof type from packet (default: 0/NONE)\n * 2. Look up capabilities granted by this proof type\n * 3. Look up capabilities required by the intent\n * 4. If no requirements, ALLOW\n * 5. Check if all required capabilities are granted\n * 6. If missing capabilities, DENY with details\n * 7. Otherwise, ALLOW\n \n @param {SensorInput} input - Request with intent and packet\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on capabilities\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, packet } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n const proofType = packet?.proofType ?? 0;\n\n // === STEP 1: Get Granted Capabilities ===\n // Look up what this proof type allows\n const grantedCapabilities = PROOF_CAPABILITIES[proofType] \|\| [];\n\n // === STEP 2: Get Required Capabilities ===\n // Look up what this intent requires\n const requiredCapabilities = this.getRequiredCapabilities(intent);\n\n // === STEP 3: Check Public Intents ===\n // No capabilities required = public access\n if (requiredCapabilities.length === 0) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 4: Check Capability Match ===\n // Find any required capabilities not granted\n const missingCapabilities = requiredCapabilities.filter(\n (cap) => !grantedCapabilities.includes(cap),\n );\n\n if (missingCapabilities.length > 0) {\n // Capability mismatch - deny with details\n this.logger.warn(\n `Capability denied for ${intent}: missing ${missingCapabilities.join(', ')} (has: ${grantedCapabilities.join(', ')})`,\n );\n return {\n action: 'DENY',\n code: 'CAPABILITY_DENIED',\n reason: `Missing capabilities: ${missingCapabilities.join(', ')}`,\n };\n }\n\n // All required capabilities present\n return { action: 'ALLOW' };\n }\n\n /\n Gets required capabilities for an intent.\n \n Lookup Strategy:\n * 1. Check for exact intent match\n * 2. Check for prefix pattern match (.suffix)\n 3. Default to 'execute' for unknown intents\n \n @private\n * @param {string} intent - Intent name to look up\n * @returns {Capability[]} Array of required capabilities\n /\n private getRequiredCapabilities(intent: string): Capability[] {\n // Check exact match first\n if (INTENT_REQUIREMENTS[intent]) {\n return INTENT_REQUIREMENTS[intent];\n }\n\n // Check prefix patterns (e.g., 'admin.' matches 'admin.users.delete')\n for (const [pattern, caps] of Object.entries(INTENT_REQUIREMENTS)) {\n if (pattern.endsWith('.')) {\n const prefix = pattern.slice(0, -1); // Remove ''\n if (intent.startsWith(prefix)) {\n return caps;\n }\n }\n }\n\n // Default: require execute for unknown intents (safe default)\n return ['execute'];\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { createHash } from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/*\n Chunk Hash Sensor - Data Integrity Verification\n \n Validates that uploaded file chunks match their declared SHA-256 hash.\n * This ensures data integrity during transfer and detects corruption or\n * tampering.\n \n Execution Order: 190 (after session validation, before handler)\n \n Core Concept:\n * Each file chunk includes a SHA-256 hash in the header. The sensor:\n * 1. Extracts the expected hash from header TLV\n * 2. Computes the actual hash of the body\n * 3. Compares them byte-by-byte\n * 4. Rejects if mismatch (data corruption)\n \n This provides end-to-end integrity verification, catching:\n * - Network corruption\n * - Storage errors\n * - Man-in-the-middle modifications\n * - Client-side bugs\n \n TLV Type:\n * - Type 73 (`TLV_SHA256_CHUNK`): 32-byte SHA-256 hash\n \n Hash Calculation:\n * ```typescript\n * const actual = createHash('sha256').update(bodyBytes).digest();\n * ```\n \n Security Model:\n * - Fail Closed: Hash mismatch = DENY\n * - Immutable Check: Hash computed server-side\n * - Early Rejection: Before storage writes\n \n Actions:\n * - `ALLOW` - Hash matches\n * - `DENY` - Hash mismatch or missing\n \n Error Codes:\n * - `FILE_CHUNK_HASH_MISSING` - TLV 73 not present or wrong size\n * - `FILE_CHUNK_HASH_MISMATCH` - Computed hash != expected hash\n \n Performance:\n * - SHA-256 computation: ~100MB/s on modern CPUs\n * - For 1MB chunk: ~10ms\n \n @class ChunkHashSensor\n * @implements {AxisSensor}\n \n @example\n * Hash matches:\n * ```typescript\n * // Header TLV 73: sha256(body) = expected\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Hash mismatch:\n * ```typescript\n * // Body was corrupted during transfer\n * {\n * action: 'DENY',\n * code: 'FILE_CHUNK_HASH_MISMATCH',\n * reason: 'Chunk hash mismatch - data corrupted'\n * }\n * ```\n \n @see {@link FileUploadStateSensor} - Session validation\n * @see {@link https://en.wikipedia.org/wiki/SHA-2 SHA-256}\n /\n@Sensor()\n@Injectable()\nexport class ChunkHashSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'ChunkHashSensor';\n\n /\n Execution order - after session validation\n \n Order 190 ensures:\n * - Session validated (180)\n * - Chunk parameters verified\n * - Hash check before storage\n /\n readonly order = BAND.CONTENT + 50;\n\n /\n Determines if this sensor should process the given input.\n \n Only processes file.chunk intents.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is 'file.chunk'\n /\n supports(input: SensorInput): boolean {\n return input.intent === 'file.chunk';\n }\n\n /\n Validates chunk data against declared SHA-256 hash.\n \n Processing Flow:\n * 1. Check for required headerTLVs and body\n * 2. Extract expected hash from TLV 73\n * 3. Verify hash is exactly 32 bytes\n * 4. Compute SHA-256 of body\n * 5. Compare bytes (timing-safe)\n * 6. DENY on mismatch\n \n @param {SensorInput} input - Request with chunk body\n * @returns {Promise<SensorDecision>} ALLOW if hash matches, DENY otherwise\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyBytes = input.body as Uint8Array;\n\n // Validate required inputs\n if (!headerTLVs \|\| !bodyBytes) {\n return {\n action: 'DENY',\n code: 'SENSOR_INVALID_INPUT',\n reason: 'Missing headerTLVs or body',\n };\n }\n\n // TLV type for chunk SHA-256 hash\n const TLV_SHA256_CHUNK = 73;\n\n // === STEP 1: Extract Expected Hash ===\n const expected = headerTLVs.get(TLV_SHA256_CHUNK);\n\n if (!expected \|\| expected.length !== 32) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISSING',\n reason: 'Missing sha256Chunk TLV in header',\n };\n }\n\n // === STEP 2: Compute Actual Hash ===\n const actual = createHash('sha256').update(bodyBytes).digest();\n\n // === STEP 3: Compare Hashes ===\n // Using Buffer.equals for comparison\n if (!Buffer.from(actual).equals(Buffer.from(expected))) {\n return {\n action: 'DENY',\n code: 'FILE_CHUNK_HASH_MISMATCH',\n reason: 'Chunk hash mismatch - data corrupted',\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\nimport as crypto from 'crypto';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\n\nimport { TLV_NONCE, TLV_PID } from '../core/constants';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/*\n Entropy AxisSensor - Randomness Quality Analysis\n \n Validates that cryptographic identifiers (PIDs, nonces) have sufficient\n * randomness to prevent predictability attacks. Weak entropy in IDs can\n * lead to collision attacks and session hijacking.\n \n Execution Order: 130 (after replay protection, before policy checks)\n \n Core Concept:\n * Proper cryptographic security requires high-quality randomness. This sensor\n * detects patterns that suggest weak random number generation:\n * - Low Shannon entropy\n * - Sequential patterns (1,2,3,4...)\n * - Repeated patterns (0xAB,0xAB,0xAB...)\n \n How It Works:\n * ```\n * 1. Extract PID and nonce from headers\n * 2. Calculate Shannon entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. FLAG if issues found (doesn't DENY for availability)\n * ```\n \n Shannon Entropy Calculation:\n * ```\n * H = -Σ(p_i * log2(p_i))\n * ```\n * Where p_i is the probability of byte value i appearing.\n * - High entropy (7-8 bits/byte): Good randomness\n * - Low entropy (<3 bits/byte): Suspicious pattern\n \n Pattern Detection:\n * - Sequential: More than 50% of bytes are +1 or -1 from previous\n * - Repeated: 90%+ match with 2, 4, or 8 byte repeating pattern\n \n Security Model:\n * - Fail Open: Issues cause FLAG, not DENY\n * - Trust Score Impact: Each issue reduces trust score\n * - Detection Only: Logs suspicious patterns for investigation\n \n Actions:\n * - `ALLOW` - Sufficient entropy, no patterns detected\n * - `FLAG` - Issues detected (reduces trust score)\n \n Score Deltas:\n * \| Issue \| Delta \|\n * \|-------\|-------\|\n * \| Low entropy (<3 bits/byte) \| -3 \|\n * \| Sequential pattern \| -5 \|\n * \| Repeated pattern \| -5 \|\n \n Why Not DENY?\n * Legitimate clients with older RNG libraries might trigger false positives.\n * FLAG allows monitoring without breaking legitimate traffic.\n \n Performance:\n * - In-memory analysis\n * - O(n) where n = bytes analyzed\n * - Latency: <1ms\n \n @class EntropySensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * High-entropy nonce (good):\n * ```typescript\n * // Nonce from crypto.randomBytes(16)\n * // Entropy: 7.2 bits/byte\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Sequential pattern (suspicious):\n * ```typescript\n * // Nonce: [1,2,3,4,5,6,7,8,9,10,11,12]\n * {\n * action: 'FLAG',\n * scoreDelta: -5,\n * reasons: ['nonce_sequential']\n * }\n * ```\n \n @see {@link https://en.wikipedia.org/wiki/Entropy_(information_theory) Shannon Entropy}\n /\n@Sensor()\n@Injectable()\nexport class EntropySensor implements AxisSensor {\n private readonly logger = new Logger(EntropySensor.name);\n\n /\n Minimum acceptable entropy in bits per byte.\n \n 3.0 bits/byte is a conservative threshold:\n * - Random data: ~7.9 bits/byte\n * - English text: ~4.5 bits/byte\n * - Sequential data: ~0-2 bits/byte\n /\n private readonly MIN_ENTROPY_THRESHOLD = 3.0;\n\n /* AxisSensor identifier /\n readonly name = 'EntropySensor';\n\n /\n Execution order - anomaly detection phase\n \n Order 130 ensures:\n * - Replay protection done (120)\n * - Runs before expensive policy lookups\n /\n readonly order = BAND.POLICY + 35;\n\n /\n Calculates Shannon entropy of a byte array.\n \n Algorithm:\n * 1. Count frequency of each byte value (0-255)\n * 2. Calculate probability p = count / total\n * 3. Sum: -Σ(p * log2(p))\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {number} Entropy in bits per byte (0-8 scale)\n /\n private calculateEntropy(data: Uint8Array): number {\n if (data.length === 0) return 0;\n\n // Count byte frequencies\n const freq = new Map<number, number>();\n for (const byte of data) {\n freq.set(byte, (freq.get(byte) \|\| 0) + 1);\n }\n\n // Calculate Shannon entropy\n let entropy = 0;\n const len = data.length;\n for (const count of freq.values()) {\n const p = count / len;\n entropy -= p Math.log2(p);\n }\n\n return entropy;\n }\n\n /*\n Checks for sequential patterns in data.\n \n Detects sequences like [1,2,3,4...] or [10,9,8,7...].\n * More than 50% sequential is considered suspicious.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if sequential pattern detected\n /\n private hasSequentialPattern(data: Uint8Array): boolean {\n if (data.length < 4) return false;\n\n let ascending = 0;\n let descending = 0;\n\n for (let i = 1; i < data.length; i++) {\n if (data[i] === data[i - 1] + 1) ascending++;\n if (data[i] === data[i - 1] - 1) descending++;\n }\n\n // More than 50% sequential is suspicious\n return ascending > data.length / 2 \|\| descending > data.length / 2;\n }\n\n /\n Checks for repeated patterns in data.\n \n Detects patterns like [0xAB, 0xCD, 0xAB, 0xCD...].\n * Checks for 2, 4, and 8 byte repeating patterns.\n \n @private\n * @param {Uint8Array} data - Bytes to analyze\n * @returns {boolean} True if repeated pattern detected\n /\n private hasRepeatedPattern(data: Uint8Array): boolean {\n if (data.length < 8) return false;\n\n // Check for 2-byte, 4-byte, and 8-byte repeating patterns\n for (const patternLen of [2, 4, 8]) {\n if (data.length % patternLen !== 0) continue;\n\n let matches = 0;\n for (let i = patternLen; i < data.length; i++) {\n if (data[i] === data[i % patternLen]) matches++;\n }\n\n // 90%+ match = repeating pattern\n if (matches > (data.length - patternLen) 0.9) {\n return true;\n }\n }\n\n return false;\n }\n\n /*\n Analyzes entropy of PID and nonce in request headers.\n \n Processing Flow:\n * 1. Extract PID and nonce from header TLVs\n * 2. Calculate entropy for each\n * 3. Check for sequential patterns\n * 4. Check for repeated patterns\n * 5. Accumulate issues and score delta\n * 6. Return FLAG if issues found, ALLOW otherwise\n \n @param {SensorInput} input - Request with header TLVs\n * @returns {Promise<SensorDecision>} ALLOW or FLAG based on entropy analysis\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const headers = input.headerTLVs as Map<number, Uint8Array>;\n\n // If no headers, allow (WebSocket handshake, etc.)\n if (!headers) {\n return { action: 'ALLOW' };\n }\n\n // Extract PID and nonce from headers\n const pid = headers.get(TLV_PID);\n const nonce = headers.get(TLV_NONCE);\n\n const issues: string[] = [];\n let totalDelta = 0;\n\n // === Analyze PID ===\n if (pid && pid.length > 0) {\n const pidEntropy = this.calculateEntropy(pid);\n\n // Check minimum entropy threshold\n if (pidEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`pid_low_entropy:${pidEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(pid)) {\n issues.push('pid_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(pid)) {\n issues.push('pid_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Analyze Nonce ===\n if (nonce && nonce.length > 0) {\n const nonceEntropy = this.calculateEntropy(nonce);\n\n // Check minimum entropy threshold\n if (nonceEntropy < this.MIN_ENTROPY_THRESHOLD) {\n issues.push(`nonce_low_entropy:${nonceEntropy.toFixed(2)}`);\n totalDelta -= 3;\n }\n\n // Check for sequential pattern\n if (this.hasSequentialPattern(nonce)) {\n issues.push('nonce_sequential');\n totalDelta -= 5;\n }\n\n // Check for repeated pattern\n if (this.hasRepeatedPattern(nonce)) {\n issues.push('nonce_repeated');\n totalDelta -= 5;\n }\n }\n\n // === Return Decision ===\n if (issues.length > 0) {\n this.logger.warn(`Entropy issues from ${input.ip}: ${issues.join(', ')}`);\n return {\n action: 'FLAG',\n scoreDelta: totalDelta,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Generates cryptographically secure random bytes.\n \n Utility method for SDK/client code to ensure proper entropy.\n * Uses Node.js crypto.randomBytes for secure PRNG.\n \n @static\n * @param {number} length - Number of random bytes\n * @returns {Uint8Array} Cryptographically secure random bytes\n /\n static generateSecureRandom(length: number): Uint8Array {\n return new Uint8Array(crypto.randomBytes(length));\n }\n}\n","import { Injectable, Logger } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { resolveTimeout } from '../core/timeouts';\n\n/\n Execution Timeout AxisSensor - Intent-Based Deadline Enforcement\n \n Sets per-intent execution time limits and stores deadlines in the request\n * context. This prevents runaway handlers and ensures predictable response times.\n \n Execution Order: 210 (late, before handler execution)\n \n Core Concept:\n * Different intents have different acceptable latencies:\n * - Health checks: 2 seconds (must be fast)\n * - File uploads: 60 seconds (large transfers)\n * - Standard operations: 10 seconds (default)\n \n The sensor calculates a deadline timestamp and stores it in the context.\n * Handler code can check this deadline to abort if running too long.\n \n How It Works:\n * ```\n * 1. Look up timeout for intent (exact match or prefix pattern)\n * 2. Calculate deadline = now + timeout\n * 3. Store deadline in context\n * 4. Return ALLOW (enforcement happens in handler)\n * ```\n \n Timeout Lookup:\n * 1. Check exact intent match first\n * 2. Then check prefix patterns (e.g., 'file.')\n 3. Fall back to DEFAULT_TIMEOUT (10s)\n \n Context Properties Set:\n * - `deadline`: Absolute timestamp (ms since epoch)\n * - `timeoutMs`: Configured timeout duration\n \n Handler Usage:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new Error('Execution timeout exceeded');\n * }\n \n const remaining = ExecutionTimeoutSensor.getRemainingMs(ctx);\n * ```\n \n Security Model:\n * - Always Allow: This sensor only sets context, doesn't block\n * - Handler Responsibility: Actual enforcement in handler code\n * - Defense in Depth: Works with ExecutionContractSensor\n \n Actions:\n * - `ALLOW` - Always (only sets context)\n \n Performance:\n * - Map lookup: O(1) to O(n patterns)\n * - Latency: <0.1ms\n \n @class ExecutionTimeoutSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * File upload:\n * ```typescript\n * // Intent: file.upload\n * // Timeout: 60000ms\n * // ctx.deadline = Date.now() + 60000\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Checking deadline in handler:\n * ```typescript\n * if (ExecutionTimeoutSensor.isExpired(ctx)) {\n * throw new TimeoutError('Handler exceeded deadline');\n * }\n * ```\n \n @see {@link ExecutionContractSensor} - Resource limit enforcement\n /\n@Sensor()\n@Injectable()\nexport class ExecutionTimeoutSensor implements AxisSensor {\n private readonly logger = new Logger(ExecutionTimeoutSensor.name);\n\n /* AxisSensor identifier /\n readonly name = 'ExecutionTimeoutSensor';\n\n /\n Execution order - late, near handler execution\n \n Order 210 ensures:\n * - All validation complete\n * - Deadline set just before handler\n /\n readonly order = BAND.BUSINESS + 10;\n\n /\n Determines if this sensor should process the given input.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if intent is present\n /\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n /\n Sets execution deadline in the request context.\n \n Processing Flow:\n * 1. Look up timeout for intent\n * 2. Calculate absolute deadline\n * 3. Store in context for handler use\n * 4. Return ALLOW\n \n @param {SensorInput} input - Request with intent\n * @returns {Promise<SensorDecision>} Always ALLOW\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const { intent, context } = input;\n if (!intent) {\n return { action: 'ALLOW' };\n }\n\n // Get timeout for this intent\n const timeout = resolveTimeout(intent);\n\n // Calculate absolute deadline\n const deadline = Date.now() + timeout;\n\n // Store deadline in context for downstream components\n if (context) {\n (context as any).deadline = deadline;\n (context as any).timeoutMs = timeout;\n }\n\n this.logger.debug(\n `Set ${timeout}ms timeout for ${intent} (deadline: ${new Date(deadline).toISOString()})`,\n );\n\n // Actual timeout enforcement happens in the intent router/executor\n // This sensor just sets the deadline\n return { action: 'ALLOW' };\n }\n\n /\n Checks if a deadline has been exceeded.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {boolean} True if deadline passed\n /\n static isExpired(ctx: { deadline?: number }): boolean {\n if (!ctx.deadline) return false;\n return Date.now() > ctx.deadline;\n }\n\n /\n Gets remaining time until deadline.\n \n Utility method for handler code.\n \n @static\n * @param {object} ctx - Context with deadline\n * @returns {number} Remaining milliseconds (0 if expired, Infinity if no deadline)\n /\n static getRemainingMs(ctx: { deadline?: number }): number {\n if (!ctx.deadline) return Infinity;\n return Math.max(0, ctx.deadline - Date.now());\n }\n}\n","import { Injectable } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Frame Budget AxisSensor - Request Size Validation\n \n Validates that incoming frame sizes do not exceed configured limits.\n * This prevents memory exhaustion attacks and ensures fair resource allocation.\n \n Execution Order: 20 (after ProtocolStrictSensor, before security checks)\n \n Core Concept:\n * Large payloads can be used for denial-of-service attacks, buffer overflows,\n * or to exhaust server memory. This sensor enforces per-intent size limits\n * defined in the intent policy, rejecting oversized frames before they are\n * fully processed.\n \n How It Works:\n * 1. Extract Content-Length from request\n * 2. Look up maximum allowed size from intent policy\n * 3. If size exceeds limit, DENY the request\n * 4. Otherwise, ALLOW request to proceed\n \n Default Limits:\n * - Standard requests: 1MB (1,048,576 bytes)\n * - File uploads: 100MB (104,857,600 bytes)\n * - Streaming: No limit (handled by StreamScopeSensor)\n \n Security Model:\n * - Fail Open: If Content-Length is not available, ALLOW (other sensors handle)\n * - Early Rejection: Reject oversized frames before full download\n * - Per-Intent Limits: Different intents can have different size limits\n \n Configuration:\n * ```env\n * AXIS_MAX_FRAME_BYTES=1048576 # 1MB default\n * AXIS_MAX_UPLOAD_BYTES=104857600 # 100MB for uploads\n * ```\n \n Actions:\n * - `ALLOW` - Frame size within limits or unknown\n * - `DENY` - Frame exceeds configured maximum (code: FRAME_TOO_LARGE)\n \n Performance:\n * - Single comparison operation\n * - No I/O or external calls\n * - Latency: <0.1ms\n \n @class FrameBudgetSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Normal request (within limits):\n * ```typescript\n * // Content-Length: 50000 (50KB)\n * // Policy max: 1MB\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Oversized request:\n * ```typescript\n * // Content-Length: 10485760 (10MB)\n * // Policy max: 1MB\n * {\n * action: 'DENY',\n * code: 'FRAME_TOO_LARGE',\n * reason: 'Frame size 10485760 exceeds limit 1048576'\n * }\n * ```\n \n @todo Implement actual size checking against intent policy maxFrameBytes\n * @see {@link BodyBudgetSensor} - Body-specific size limiting\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class FrameBudgetSensor implements AxisSensor {\n /* AxisSensor identifier for logging and registry /\n readonly name = 'FrameBudgetSensor';\n\n /\n Execution order - runs after protocol validation\n \n Order 20 ensures:\n * - Protocol is valid (ProtocolStrictSensor @ 10)\n * - Size checked before expensive processing\n /\n readonly order = BAND.WIRE + 20;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when Content-Length header is available.\n * WebSocket frames may not have Content-Length; they use different size tracking.\n \n @param {SensorInput} input - Incoming AXIS request\n * @returns {boolean} True if Content-Length is present\n /\n supports(input: SensorInput): boolean {\n return typeof input.contentLength === 'number';\n }\n\n /\n Validates frame size against configured limits.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Load intent policy for the request\n * 2. Get maxFrameBytes from policy\n * 3. Compare against contentLength\n * 4. DENY if exceeded\n \n @param {SensorInput} input - Request with contentLength\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on size\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const maxBytes =\n this.config.get<number>('AXIS_MAX_FRAME_SIZE') \|\| 50 1024 * 1024;\n const contentLength = input.contentLength;\n\n if (typeof contentLength !== 'number') {\n return { action: 'ALLOW' };\n }\n\n if (contentLength > maxBytes) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLength} exceeds limit ${maxBytes}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { AXIS_MAGIC, AXIS_VERSION, MAX_FRAME_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor({ phase: 'PRE_DECODE' })\nexport class FrameHeaderSanitySensor implements AxisSensor {\n readonly name = 'FrameHeaderSanitySensor';\n readonly order = BAND.WIRE + 30;\n\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const peek = input.peek!;\n const contentLen = input.contentLength \|\| 0;\n\n // Check magic (first 5 bytes: AXIS1)\n if (peek.length < 5 \|\| !this.bufferEqual(peek.slice(0, 5), AXIS_MAGIC)) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: 'Frame magic is not AXIS1',\n };\n }\n\n // Check version (byte 5)\n if (peek[5] !== AXIS_VERSION) {\n return {\n action: 'DENY',\n code: 'UNSUPPORTED_VERSION',\n reason: `Unsupported version: ${peek[5]}`,\n };\n }\n\n // Check frame length against hard limit\n if (contentLen > MAX_FRAME_LEN) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_LARGE',\n reason: `Frame size ${contentLen} exceeds max ${MAX_FRAME_LEN}`,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n private bufferEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { MAX_HDR_LEN } from '../core/constants';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class HeaderTLVLimitSensor implements AxisSensor {\n readonly name = 'HeaderTLVLimitSensor';\n readonly order = BAND.CONTENT + 0;\n private readonly MAX_TLVS = 64;\n\n supports(input: SensorInput): boolean {\n return !!input.headerTLVs \|\| !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n if (input.headerTLVs && input.headerTLVs.size > this.MAX_TLVS) {\n return {\n action: 'DENY',\n code: 'TOO_MANY_TLVS',\n reason: `Header TLVs (${input.headerTLVs.size}) exceed max (${this.MAX_TLVS})`,\n };\n }\n\n if (input.packet && input.packet.headerBytes) {\n const hdrLen = input.packet.headerBytes.length;\n if (hdrLen > MAX_HDR_LEN) {\n return {\n action: 'DENY',\n code: 'HEADER_TOO_LARGE',\n reason: `Header size ${hdrLen} exceeds max ${MAX_HDR_LEN}`,\n };\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n// Public intent allowlist (exact or prefix)\nconst PUBLIC_INTENT_ALLOWLIST = [\n 'public.',\n 'schema.',\n 'catalog.',\n 'health.',\n 'system.',\n];\n\n@Injectable()\n@Sensor()\nexport class IntentAllowlistSensor implements AxisSensor {\n readonly name = 'IntentAllowlistSensor';\n readonly order = BAND.IDENTITY + 20;\n\n supports(input: SensorInput): boolean {\n // Only run in post-decode phase when intent is available\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const profile = input.metadata?.profile \|\| 'PUBLIC';\n const intent = input.intent \|\| '';\n\n // PUBLIC profile: only allow whitelisted intents\n if (profile === 'PUBLIC') {\n const isAllowed = PUBLIC_INTENT_ALLOWLIST.some((prefix) =>\n intent.startsWith(prefix),\n );\n if (!isAllowed) {\n return {\n action: 'DENY',\n code: 'INTENT_NOT_ALLOWED',\n reason: `Intent '${intent}' not in public allowlist`,\n };\n }\n }\n\n // GUARDED profile: allow all intents (capability enforcement comes later)\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { IntentRouter } from '../engine/intent.router';\nimport { BAND } from '../engine/sensor-bands';\n\n/*\n IntentRegistrySensor\n \n Runs early in POST_DECODE to reject intents that have no registered handler.\n * This prevents wasting resources on sensors, decoding, and routing for\n * intents that will inevitably fail with \"Intent not found\".\n \n Order: BAND.IDENTITY + 25 (65) — right after IntentAllowlistSensor (60).\n /\n@Injectable()\n@Sensor({ phase: 'POST_DECODE' })\nexport class IntentRegistrySensor implements AxisSensor {\n readonly name = 'IntentRegistrySensor';\n readonly order = BAND.IDENTITY + 25;\n\n constructor(private readonly router: IntentRouter) {}\n\n supports(input: SensorInput): boolean {\n return !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const intent = input.intent!;\n\n if (this.router.has(intent)) {\n return { action: 'ALLOW' };\n }\n\n return {\n action: 'DENY',\n code: 'INTENT_NOT_REGISTERED',\n reason: `Intent '${intent}' is not registered`,\n };\n }\n}\n","import { Injectable, Logger } from \"@nestjs/common\";\n\nimport { Sensor } from \"../decorators/sensor.decorator\";\nimport { BAND } from \"../engine/sensor-bands\";\nimport type {\n AxisLawEvaluationContext,\n AxisLawEvaluationResult,\n LawEvaluationSensorOptions,\n} from \"../law\";\nimport { buildAxisLawEvaluationContext } from \"../law\";\nimport type { AxisSensor, SensorDecision, SensorInput } from \"../sensor/axis-sensor\";\n\n@Sensor()\n@Injectable()\nexport class LawEvaluationSensor implements AxisSensor {\n private readonly logger = new Logger(LawEvaluationSensor.name);\n\n readonly name = \"LawEvaluationSensor\";\n readonly order = BAND.POLICY + 5;\n\n constructor(\n private readonly options: LawEvaluationSensorOptions = {},\n ) {}\n\n supports(input: SensorInput): boolean {\n return !!this.options.evaluator && !!input.intent;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const evaluator = this.options.evaluator;\n if (!evaluator) {\n return { action: \"ALLOW\" };\n }\n\n const context = buildAxisLawEvaluationContext(input);\n\n let result: AxisLawEvaluationResult;\n try {\n result = await evaluator(context);\n } catch (error) {\n const message =\n error instanceof Error ? error.message : \"Unknown law evaluation error\";\n this.logger.error(`Law evaluation failed for ${input.intent}: ${message}`);\n input.metadata = {\n ...(input.metadata ?? {}),\n lawEvaluation: {\n decision: \"deny\",\n reason: \"Law evaluation failed\",\n explanation: message,\n },\n };\n return {\n action: \"DENY\",\n code: \"LAW_EVALUATION_ERROR\",\n reason: message,\n meta: { lawDecision: \"deny\" },\n };\n }\n\n input.metadata = {\n ...(input.metadata ?? {}),\n lawEvaluation: {\n ...result,\n context: sanitizeLawContext(context),\n },\n };\n\n if (result.decision === \"allow\") {\n return {\n allow: true,\n riskScore: 0,\n reasons: result.reason ? [result.reason] : [],\n tags: {\n lawDecision: \"allow\",\n ...(result.applicable ? { lawApplicableArticles: result.applicable.length } : {}),\n },\n meta: result,\n };\n }\n\n if (result.decision === \"conditional\") {\n const mode = this.options.conditionalDecision ?? \"deny\";\n const reasons = [result.reason, result.explanation].filter(Boolean) as string[];\n\n if (mode === \"allow\") {\n return {\n allow: true,\n riskScore: 0,\n reasons,\n tags: {\n lawDecision: \"conditional\",\n },\n meta: result,\n };\n }\n\n if (mode === \"flag\") {\n return {\n action: \"FLAG\",\n scoreDelta: 25,\n reasons:\n reasons.length > 0\n ? reasons\n : [\"Execution is conditionally permitted pending additional requirements\"],\n meta: result,\n };\n }\n\n return {\n action: \"DENY\",\n code: \"LAW_CONDITIONAL\",\n reason:\n reasons.join(\" \| \") \|\|\n \"Execution is conditionally permitted pending additional requirements\",\n meta: { lawDecision: \"conditional\", evaluation: result },\n };\n }\n\n return {\n action: \"DENY\",\n code: \"LAW_DENIED\",\n reason:\n [result.reason, result.explanation].filter(Boolean).join(\" \| \") \|\|\n \"Execution denied by law evaluation\",\n meta: { lawDecision: \"deny\", evaluation: result },\n };\n }\n}\n\nfunction sanitizeLawContext(\n context: AxisLawEvaluationContext,\n): Record<string, unknown> {\n return {\n actorId: context.actorId,\n intent: context.intent,\n audience: context.audience,\n tps: context.tps,\n country: context.country,\n ip: context.ip,\n path: context.path,\n clientId: context.clientId,\n deviceId: context.deviceId,\n sessionId: context.sessionId,\n capsuleId: context.capsuleId,\n };\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n ProofPresenceInput,\n ProofPresenceInputZ,\n} from '../schemas/axis-schemas';\nimport { AxisError } from '../core/axis-error';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Sensor()\n@Injectable()\nexport class ProofPresenceSensor implements AxisSensor {\n readonly name = 'ProofPresenceSensor';\n readonly order = BAND.IDENTITY + 30;\n\n supports(input: ProofPresenceInput): boolean {\n return !!input.profile && !!input.visibility;\n }\n\n async run(input: ProofPresenceInput): Promise<SensorDecision> {\n // Validate input with Zod\n const validatedInput = ProofPresenceInputZ.safeParse(input);\n if (!validatedInput.success) {\n throw new AxisError(\n 'SENSOR_INVALID_INPUT',\n `Input validation failed: ${validatedInput.error.message}`,\n 400,\n );\n }\n\n const {\n visibility,\n requiredProof,\n hasCapsule,\n hasPassportSignature,\n profile,\n intent,\n } = validatedInput.data;\n\n // Public intents don't require proof\n if (visibility === 'PUBLIC') {\n return { action: 'ALLOW' };\n }\n\n // If NONE is in required proofs, allow without proof\n if (requiredProof.includes('NONE')) {\n return { action: 'ALLOW' };\n }\n\n // Check if any required proof is satisfied\n const hasCapsuleProof = requiredProof.includes('CAPSULE') && hasCapsule;\n const hasPassportProof =\n requiredProof.includes('PASSPORT') && hasPassportSignature;\n const hasNodeProof = requiredProof.includes('MTLS') && profile === 'NODE';\n\n const satisfied = hasCapsuleProof \|\| hasPassportProof \|\| hasNodeProof;\n\n if (!satisfied) {\n throw new AxisError(\n 'SENSOR_PROOF_REQUIRED',\n `Proof required for guarded intent: ${intent}`,\n 403,\n );\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable, Logger, OnModuleInit } from '@nestjs/common';\nimport { ConfigService } from '@nestjs/config';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { ProtocolStrictInputZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport {\n AXIS_MAGIC,\n AXIS_VERSION,\n AxisMediaTypes,\n FLAG_BODY_TLV,\n FLAG_CHAIN_REQ,\n FLAG_HAS_WITNESS,\n} from '../core/constants';\nimport { decodeVarint } from '../core/varint';\nimport { SensorDecision, SensorInput } from '../sensor/axis-sensor';\n\n/\n Valid flag combinations for AXIS frames.\n \n Flags can be combined using bitwise OR:\n * - 0x00: No flags (basic request)\n * - FLAG_BODY_TLV: Body section contains TLV-encoded data\n * - FLAG_CHAIN_REQ: Request requires receipt chaining\n * - FLAG_HAS_WITNESS: Frame includes witness signatures\n \n Any other flag combination is considered invalid.\n /\nconst VALID_FLAGS = [\n 0x00, // No flags\n FLAG_BODY_TLV, // Body contains TLVs\n FLAG_CHAIN_REQ, // Requires receipt chaining\n FLAG_HAS_WITNESS, // Has witness signatures\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ,\n FLAG_BODY_TLV \| FLAG_HAS_WITNESS,\n FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n FLAG_BODY_TLV \| FLAG_CHAIN_REQ \| FLAG_HAS_WITNESS,\n];\n\n/\n Protocol Strict Sensor - Binary Protocol Validation Gateway\n \n CRITICAL SECURITY COMPONENT - FIRST LINE OF DEFENSE\n \n This sensor validates the raw binary structure of incoming AXIS frames before\n * any further processing occurs. It acts as the protocol gatekeeper, ensuring\n * only well-formed, spec-compliant frames are processed by the system.\n \n Execution Order: 10 (FIRST sensor in the chain)\n \n Core Concept:\n * AXIS uses a custom binary wire format for efficiency and security. This sensor\n * validates the frame structure at the byte level, catching malformed packets\n * before they can exploit parsing vulnerabilities deeper in the stack.\n \n Frame Structure Validated:\n * ```\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| MAGIC (5 bytes: \"AXIS1\") \| VER \| FLAGS \| HDR_LEN (varint)\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY_LEN (varint) \| SIG_LEN (varint) \| HDR TLVs... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * \| BODY... \| SIGNATURE... \|\n * +-------+-------+-------+-------+-------+-------+-------+...\n * ```\n \n Validations Performed:\n * 1. Content-Type - Must be `application/axis-bin` or similar\n * 2. Magic Bytes - Must be \"AXIS1\" (5 bytes)\n * 3. Version - Must match AXIS_VERSION constant\n * 4. Flags - Must be a valid combination\n * 5. Varint Encoding - Must be minimal (no unnecessary bytes)\n * 6. TLV Ordering - Must be canonical (sorted by type)\n * 7. Client Version - TLV 100 should be present\n \n Security Model:\n * - Fail Closed: Invalid magic/version = DENY\n * - Flag for Minor Issues: Non-critical violations decrease trust score\n * - Defense in Depth: First of multiple validation layers\n \n Actions:\n * - `ALLOW` - Frame is well-formed and spec-compliant\n * - `DENY` - Critical protocol violation (magic, version, frame too short)\n * - `FLAG` - Minor issues that decrease trust score\n \n Performance:\n * - Validates first 20 bytes of each frame\n * - No external dependencies (pure byte validation)\n * - Latency: <1ms for typical frames\n \n @class ProtocolStrictSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid AXIS frame:\n * ```typescript\n * // Frame starts with: \"AXIS1\" + version(1) + flags(0x01) + lengths...\n * // Sensor returns: { action: 'ALLOW' }\n * ```\n \n @example\n * Invalid magic bytes:\n * ```typescript\n * // Frame starts with: \"HTTP1\" (wrong protocol)\n * // Sensor returns: {\n * // action: 'DENY',\n * // code: 'INVALID_MAGIC',\n * // reason: 'Expected AXIS1 magic, got HTTP1'\n * // }\n * ```\n \n @see {@link https://axis-spec.example.com/wire-format AXIS Wire Format Spec}\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class ProtocolStrictSensor implements AxisSensor, OnModuleInit {\n private readonly logger = new Logger(ProtocolStrictSensor.name);\n\n /* Sensor identifier for logging and registry /\n readonly name = 'ProtocolStrictSensor';\n\n /\n Execution order - FIRST sensor in the chain\n \n Order 10 ensures:\n * - Runs before any other processing\n * - Invalid frames rejected immediately\n * - Protects all downstream sensors from malformed input\n /\n readonly order = BAND.WIRE + 10;\n\n private protocolMagic: Uint8Array = AXIS_MAGIC;\n private protocolVersion = AXIS_VERSION;\n\n constructor(private readonly config: ConfigService) {}\n\n /\n Static validation for streaming middleware (Fast Check)\n /\n public static validateMagic(\n chunk: Uint8Array,\n expected: Uint8Array,\n ): { valid: boolean; actual?: string } {\n if (chunk.length < expected.length) return { valid: true }; // Not enough data yet\n const actual = chunk.subarray(0, expected.length);\n const valid = Buffer.from(actual).equals(Buffer.from(expected));\n return {\n valid,\n actual: valid ? undefined : new TextDecoder().decode(actual),\n };\n }\n\n public static validateVersion(version: number, expected: number): boolean {\n return version === expected;\n }\n\n /\n Lifecycle hook: Registers this sensor in the chain on module initialization.\n /\n onModuleInit() {\n const magicStr = this.config.get<string>('AXIS_PROTOCOL_MAGIC');\n this.protocolMagic = magicStr ? Buffer.from(magicStr, 'ascii') : AXIS_MAGIC;\n this.protocolVersion =\n this.config.get<number>('AXIS_PROTOCOL_VERSION') \|\| AXIS_VERSION;\n }\n\n /\n Evaluate protocol strictness\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n const validatedInput = ProtocolStrictInputZ.safeParse(input);\n if (!validatedInput.success) {\n this.logger.error(\n `Invalid input: ${validatedInput.error.message}`,\n validatedInput.error.issues,\n );\n return {\n action: 'DENY',\n code: 'INVALID_INPUT',\n reason: 'Protocol validation input failed',\n };\n }\n\n const { contentType, peek } = validatedInput.data;\n const issues: string[] = [];\n\n // Debug: Log first 10 bytes\n if (peek.length >= 8) {\n const hex = Buffer.from(peek.subarray(0, 10)).toString('hex');\n this.logger.debug(`Raw Frame Header (Hex): ${hex} (IP: ${input.ip})`);\n }\n\n // 1. Check Content-Type header (HTTP only)\n if (contentType !== undefined) {\n if (!this.isValidContentType(contentType)) {\n issues.push(`invalid_content_type:${contentType}`);\n }\n }\n\n // Need at least 9 bytes for basic frame header (Magic:5, Ver:1, Flags:1, HLen:1, BLen:1, SLen:1)\n if (peek.length < 9) {\n return {\n action: 'DENY',\n code: 'FRAME_TOO_SHORT',\n reason: 'Frame too short for protocol header',\n };\n }\n\n // 2. Check magic bytes\n const magicCheck = ProtocolStrictSensor.validateMagic(\n peek,\n this.protocolMagic,\n );\n if (!magicCheck.valid) {\n return {\n action: 'DENY',\n code: 'INVALID_MAGIC',\n reason: `Expected ${new TextDecoder().decode(this.protocolMagic)} magic, got ${magicCheck.actual}`,\n };\n }\n\n // 3. Check version (Offset 5)\n const version = peek[5];\n if (!ProtocolStrictSensor.validateVersion(version, this.protocolVersion)) {\n issues.push(`unsupported_version:${version}`);\n }\n\n // 4. Check flags validity (Offset 6)\n const flags = peek[6];\n if (!this.isValidFlags(flags)) {\n issues.push(`invalid_flags:0x${flags.toString(16)}`);\n }\n\n // 5. Check length encoding (varints should be minimal) - Starts at Offset 7\n if (peek.length >= 10) {\n const lengthCheck = this.checkVarintEncoding(peek.subarray(7));\n if (!lengthCheck.valid) {\n issues.push(`non_minimal_varint:${lengthCheck.reason}`);\n }\n }\n\n // 6. Check TLV ordering if we have enough data\n if (peek.length >= 20) {\n const tlvCheck = this.checkTLVOrdering(peek);\n if (!tlvCheck.valid) {\n issues.push(`tlv_not_canonical:${tlvCheck.reason}`);\n }\n\n // 7. Check Client Version (TLV 100) presence\n const hasClientVersion = await this.checkForClientVersion(peek);\n if (!hasClientVersion) {\n // Warn for now (Phase 7 Soft Rollout)\n issues.push('missing_client_version');\n }\n }\n\n // Return FLAG for minor issues, DENY for critical\n if (issues.length > 0) {\n // Check for critical issues\n const critical = issues.some(\n (i) =>\n i.startsWith('invalid_magic') \|\| i.startsWith('unsupported_version'),\n );\n\n if (critical) {\n return {\n action: 'DENY',\n code: 'PROTOCOL_VIOLATION',\n reason: issues.join(', '),\n };\n }\n\n this.logger.warn(\n `Protocol issues from ${input.ip}: ${issues.join(', ')}`,\n );\n return {\n action: 'FLAG',\n scoreDelta: -issues.length 2,\n reasons: issues,\n };\n }\n\n return { action: 'ALLOW' };\n }\n\n /*\n Compare two buffers for equality\n /\n private buffersEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n for (let i = 0; i < a.length; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n }\n\n /\n Check if Content-Type is valid for AXIS\n /\n private isValidContentType(contentType: string): boolean {\n return AxisMediaTypes.isAxisContentType(contentType);\n }\n\n /\n Check if flags are a valid combination\n /\n private isValidFlags(flags: number): boolean {\n return VALID_FLAGS.includes(flags);\n }\n\n /\n Check varint encoding is minimal (no leading zeros)\n /\n private checkVarintEncoding(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n try {\n const { value, length: bytesRead } = decodeVarint(data, 0);\n\n // Check for non-minimal encoding\n // A varint should use the minimum number of bytes\n if (value < 128 && bytesRead > 1) {\n return { valid: false, reason: 'non-minimal-small-value' };\n }\n if (value < 16384 && bytesRead > 2) {\n return { valid: false, reason: 'non-minimal-medium-value' };\n }\n\n return { valid: true };\n } catch {\n return { valid: false, reason: 'varint-decode-error' };\n }\n }\n\n /\n Check TLV ordering is canonical (sorted by type, no duplicates)\n /\n private checkTLVOrdering(data: Uint8Array): {\n valid: boolean;\n reason?: string;\n } {\n // This is a simplified check - full check would require decoding the frame\n // For now, we do a heuristic check on the first few TLVs\n\n try {\n // Skip to length section (after magic, version, flags)\n let offset = 7;\n\n // Decode header length\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n\n // Decode body length\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n\n // Decode sig length\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n // Now at HDR TLVs\n const hdrStart = offset;\n const hdrEnd = hdrStart + Number(hdrLen);\n\n if (hdrEnd > data.length) {\n return { valid: true }; // Not enough data to check\n }\n\n // Check TLV types are ascending\n let lastType = -1;\n let pos = hdrStart;\n\n while (pos < hdrEnd && pos < data.length - 2) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n\n if (pos >= hdrEnd) break;\n\n const { value: len, length: lenBytes } = decodeVarint(data, pos);\n pos += lenBytes;\n\n // Check ordering\n if (Number(type) <= lastType) {\n return {\n valid: false,\n reason: `type-${type}-after-${lastType}`,\n };\n }\n\n lastType = Number(type);\n pos += Number(len);\n }\n\n return { valid: true };\n } catch {\n return { valid: true }; // On error, don't block\n }\n }\n\n /\n Check if TLV 100 (Client Version) exists in the headers\n /\n private async checkForClientVersion(data: Uint8Array): Promise<boolean> {\n try {\n let offset = 7;\n const { value: hdrLen, length: hdrBytes } = decodeVarint(data, offset);\n offset += hdrBytes;\n const { length: bodyBytes } = decodeVarint(data, offset);\n offset += bodyBytes;\n const { length: sigBytes } = decodeVarint(data, offset);\n offset += sigBytes;\n\n const hdrEnd = offset + Number(hdrLen);\n\n let pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const { value: type, length: typeBytes } = decodeVarint(data, pos);\n pos += typeBytes;\n const { length: lenBytes } = decodeVarint(data, pos); // value not needed\n pos += lenBytes;\n\n const { value: valLen, length: valLenBytes } = decodeVarint(\n data,\n pos - lenBytes,\n ); // reread legnth\n\n // Correct interaction: varint includes bytes read.\n // decodeVarint returns { value, length } -> length is how many bytes the varint took.\n // Wait, I need to read the length value to skip.\n\n // Re-do loop structure correctly:\n // 1. Read Type\n // 2. Read Length\n // 3. Skip Value\n }\n\n // Let's use a simpler heuristic scan for now as full parse is expensive here\n // and done elsewhere. But for correctness let's do it right.\n\n pos = offset;\n while (pos < hdrEnd && pos < data.length) {\n const t = decodeVarint(data, pos);\n pos += t.length;\n const l = decodeVarint(data, pos);\n pos += l.length;\n\n if (t.value === 100) return true;\n\n pos += Number(l.value);\n }\n\n return false;\n } catch {\n return false;\n }\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n@Injectable()\n@Sensor()\nexport class ReceiptPolicySensor implements AxisSensor {\n readonly name = 'ReceiptPolicySensor';\n readonly order = BAND.BUSINESS + 20;\n\n supports(): boolean {\n return true;\n }\n\n async run(): Promise<SensorDecision> {\n // Stub: allow. Real impl defines which intents must yield signed receipts.\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { IntentSchema, IntentSchemaZ } from '../schemas/axis-schemas';\nimport { AxisSensor } from '../sensor/axis-sensor';\nimport { AxisError } from '../core/axis-error';\nimport type { TlvValidatorFn } from '../decorators/tlv-field.decorator';\n\n/\n Reads a big-endian unsigned 64-bit integer from a byte array.\n \n @param {Uint8Array} b - 8-byte array\n * @returns {bigint} The decoded integer\n * @throws {AxisError} If array is not exactly 8 bytes\n /\nfunction readU64be(b: Uint8Array): bigint {\n if (b.length !== 8)\n throw new AxisError('SCHEMA_TYPE_MISMATCH', 'u64 must be 8 bytes', 400);\n let x = 0n;\n for (const by of b) x = (x << 8n) \| BigInt(by);\n return x;\n}\n\n/\n Schema Validation Sensor - TLV Field Contract Enforcement\n \n Validates that incoming request bodies conform to the defined intent schema.\n * This ensures type safety and data integrity before handler execution.\n \n Execution Order: 170 (late in pipeline, after all auth/policy checks)\n \n Core Concept:\n * Every AXIS intent can define a schema that specifies:\n * - Required fields and their TLV types\n * - Field types (utf8, bytes, u64, bool, etc.)\n * - Size limits per field\n * - Scope (header or body)\n \n The sensor validates each field against its schema definition, rejecting\n * requests that violate the contract.\n \n Supported Field Types:\n * \| Kind \| Description \| Validation \|\n * \|------\|-------------\|------------\|\n * \| `utf8` \| UTF-8 string \| Valid UTF-8 encoding \|\n * \| `bool` \| Boolean \| 1 byte: 0x00 or 0x01 \|\n * \| `u64` \| Unsigned 64-bit int \| Exactly 8 bytes, big-endian \|\n * \| `bytes16` \| Fixed 16 bytes \| Exactly 16 bytes (UUIDs) \|\n * \| `bytes` \| Variable bytes \| Any length up to maxLen \|\n * \| `obj` \| Nested object \| (Reserved for future) \|\n * \| `arr` \| Array \| (Reserved for future) \|\n \n How It Works:\n * ```\n * 1. Validate schema structure with Zod\n * 2. For each field in schema:\n * a. Look up TLV in headers or body (based on scope)\n * b. Check if field is required\n * c. Check size against maxLen\n * d. Validate type (utf8 encoding, bool values, etc.)\n * 3. Throw AxisError on any violation\n * ```\n \n Security Model:\n * - Fail Closed: Schema violations throw errors (no silent failures)\n * - Pre-Handler: All validation happens before handler execution\n * - Type-Safe: Handlers receive type-validated data\n \n Error Codes:\n * - `SCHEMA_INVALID` - Schema itself is malformed\n * - `SCHEMA_FIELD_MISSING` - Required field not present\n * - `SCHEMA_LIMIT_EXCEEDED` - Field exceeds maxLen or max value\n * - `SCHEMA_TYPE_MISMATCH` - Field type doesn't match expected\n \n Performance:\n * - In-memory validation (no I/O)\n * - O(n) where n = number of schema fields\n * - Latency: ~1-5ms for typical schemas\n \n @class SchemaValidationSensor\n * @implements {OnModuleInit}\n \n @example\n * Valid schema validation:\n * ```typescript\n * const schema = {\n * fields: [\n * { name: 'fullName', tlv: 100, kind: 'utf8', required: true, maxLen: 256 },\n * { name: 'age', tlv: 101, kind: 'u64', max: 150 }\n * ]\n * };\n * // Body TLVs contain valid data\n * { ok: true }\n * ```\n \n @example\n * Missing required field:\n * ```typescript\n * // TLV 100 (fullName) not present in body\n * throw AxisError('SCHEMA_FIELD_MISSING',\n * 'Missing required field: fullName (TLV 100)', 400);\n * ```\n \n @see {@link IntentSchema}\n /\n@Sensor()\n@Injectable()\nexport class SchemaValidationSensor implements AxisSensor {\n /* Sensor identifier for logging and registry /\n readonly name = 'SchemaValidationSensor';\n\n /\n Execution order - runs late in the pipeline\n \n Order 170 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Data validated before handler execution\n /\n readonly order = BAND.CONTENT + 35;\n\n /\n Determines if this sensor should process the given input.\n \n Only activates when a schema is provided for the intent (post-decode phase).\n \n @param {any} input - Sensor input\n * @returns {boolean} True if schema exists in metadata\n /\n supports(input: any): boolean {\n // Only run in post-decode phase when schema is provided\n return !!input.metadata?.schema;\n }\n\n /\n Validates TLV fields against the schema definition.\n \n Validation Steps:\n * 1. Validate the schema itself using Zod\n * 2. Iterate through each field definition\n * 3. Check required fields are present\n * 4. Validate size limits (maxLen)\n * 5. Validate type-specific rules\n \n @param {any} input - Standard SensorInput\n * @returns {{ action: 'ALLOW' } \| { action: 'DENY', code: string, reason: string }} Decision\n /\n async run(\n input: any,\n ): Promise<\n { action: 'ALLOW' } \| { action: 'DENY'; code: string; reason: string }\n > {\n const schema = input.metadata?.schema as IntentSchema;\n const headerTLVs = input.headerTLVs as Map<number, Uint8Array>;\n const bodyTLVs = input.bodyTLVs as Map<number, Uint8Array> \| undefined;\n\n // If no schema, allow (no validation needed)\n if (!schema) {\n return { action: 'ALLOW' };\n }\n\n // === STEP 1: Validate Schema Structure ===\n const validatedSchema = IntentSchemaZ.safeParse(schema);\n if (!validatedSchema.success) {\n return {\n action: 'DENY',\n code: 'SCHEMA_INVALID',\n reason: `Schema validation failed: ${validatedSchema.error.message}`,\n };\n }\n\n // === STEP 2: Validate Each Field ===\n try {\n for (const field of schema.fields) {\n // Determine which TLV map to use (header or body)\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n\n // Get the field value from the appropriate map\n const val = map?.get(field.tlv);\n\n // === Check Required Fields ===\n if (field.required && !val) {\n throw new AxisError(\n 'SCHEMA_FIELD_MISSING',\n `Missing required field: ${field.name} (TLV ${field.tlv})`,\n 400,\n );\n }\n\n // Skip validation if field not present (and not required)\n if (!val) continue;\n\n // === Check Size Limit ===\n if (typeof field.maxLen === 'number' && val.length > field.maxLen) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `Field ${field.name} too large (${val.length} > ${field.maxLen})`,\n 413, // Payload Too Large\n );\n }\n\n // === Type-Specific Validation ===\n switch (field.kind) {\n case 'utf8':\n // Validate UTF-8 encoding\n try {\n new TextDecoder('utf-8', { fatal: true }).decode(val);\n } catch {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid UTF-8 in ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bool':\n // Boolean must be exactly 1 byte: 0x00 or 0x01\n if (val.length !== 1 \|\| (val[0] !== 0 && val[0] !== 1)) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Invalid bool: ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'u64': {\n // Unsigned 64-bit integer (big-endian)\n const x = readU64be(val);\n\n // Check max value if specified\n if (field.max) {\n const mx = BigInt(field.max);\n if (x > mx) {\n throw new AxisError(\n 'SCHEMA_LIMIT_EXCEEDED',\n `u64 ${field.name} exceeds max (${x} > ${mx})`,\n 400,\n );\n }\n }\n break;\n }\n\n case 'bytes16':\n // Fixed 16-byte field (UUIDs, IDs)\n if (val.length !== 16) {\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `bytes16 required for ${field.name}`,\n 400,\n );\n }\n break;\n\n case 'bytes':\n // Variable-length bytes - any length within maxLen is allowed\n break;\n\n case 'obj':\n case 'arr':\n // Nested object/array validation (reserved for future)\n // TODO: Implement nested validation\n break;\n\n default:\n throw new AxisError(\n 'SCHEMA_TYPE_MISMATCH',\n `Unknown schema kind: ${field.kind}`,\n 500,\n );\n }\n }\n\n // === STEP 3: Run custom @TlvValidate validators ===\n const validators = input.metadata?.validators as\n \| Map<number, TlvValidatorFn[]>\n \| undefined;\n if (validators && validators.size > 0) {\n for (const field of schema.fields) {\n const fns = validators.get(field.tlv);\n if (!fns \|\| fns.length === 0) continue;\n\n const scope = field.scope ?? 'body';\n const map = scope === 'header' ? headerTLVs : bodyTLVs;\n const val = map?.get(field.tlv);\n if (!val) continue; // missing fields already handled above\n\n for (const fn of fns) {\n const error = fn(val, field.name);\n if (error) {\n throw new AxisError(\n 'SCHEMA_VALIDATION_FAILED',\n `${field.name} (TLV ${field.tlv}): ${error}`,\n 400,\n );\n }\n }\n }\n }\n } catch (err: any) {\n // Convert AxisError to DENY decision\n if (err instanceof AxisError) {\n return {\n action: 'DENY',\n code: err.code,\n reason: err.message,\n };\n }\n throw err; // Re-throw unknown errors\n }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport { AxisSensor, SensorDecision } from '../sensor/axis-sensor';\n\n/\n Stream Scope Sensor - Topic-Level Access Control\n \n Enforces read/write permissions on stream topics. Validates that\n * the actor has appropriate access to subscribe or publish to the\n * requested stream topic.\n \n Execution Order: 200 (near execution, after all validation)\n \n Core Concept:\n * AXIS supports real-time streaming via WebSocket. Streams are organized\n * by topics (e.g., 'citizen.123.timeline', 'hub.news.updates'). This\n * sensor enforces topic-level access control:\n * - Can the actor subscribe to this topic?\n * - Can the actor publish to this topic?\n \n Topic Patterns:\n * - `citizen.{id}.timeline` - Personal timeline (owner + admin)\n * - `hub.{name}.updates` - Hub updates (members)\n * - `public.` - Public topics (anyone)\n - `admin.` - Admin topics (admins only)\n \n * How It Would Work (Full Implementation):\n * ```\n * 1. Extract topic from stream intent body\n * 2. Parse topic pattern (e.g., citizen.123.timeline)\n * 3. Determine required access (read for subscribe, write for publish)\n * 4. Check actor's permissions against topic ACL\n * 5. DENY if unauthorized, ALLOW if permitted\n * ```\n \n Stream Operations:\n * - `stream.subscribe` - Requires READ access\n * - `stream.publish` - Requires WRITE access\n * - `stream.unsubscribe` - Always allowed (cleanup)\n \n Security Model:\n * - Stub Implementation: Currently allows all\n * - Topic Isolation: Each topic has independent ACL\n * - Inheritance: Pattern-based permissions (citizen.* = citizen owner)\n \n Actions (planned):\n * - `ALLOW` - Actor has permission\n * - `DENY` - Unauthorized topic access\n \n Error Codes (planned):\n * - `STREAM_UNAUTHORIZED` - No permission for topic\n * - `STREAM_TOPIC_NOT_FOUND` - Topic doesn't exist\n \n Performance:\n * - ACL lookup: O(1) with caching\n * - Pattern matching: O(patterns)\n \n @class StreamScopeSensor\n * @implements {Sensor}\n * @implements {OnModuleInit}\n \n @example\n * Authorized subscription:\n * ```typescript\n * // Actor: user123\n * // Topic: citizen.user123.timeline\n * // Permission: owner can read own timeline\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Unauthorized subscription (planned):\n * ```typescript\n * // Actor: user456\n * // Topic: citizen.user123.timeline\n * // Permission: NOT owner\n * {\n * action: 'DENY',\n * code: 'STREAM_UNAUTHORIZED',\n * reason: 'No read access to citizen.user123.timeline'\n * }\n * ```\n \n @todo Implement topic ACL lookup and permission checking\n * @see {@link CapabilityEnforcementSensor} - Request-level capabilities\n /\n@Sensor()\n@Injectable()\nexport class StreamScopeSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'StreamScopeSensor';\n\n /\n Execution order - near handler execution\n \n Order 200 ensures:\n * - All authentication complete\n * - All policy checks complete\n * - Stream-specific check right before subscription\n /\n readonly order = BAND.BUSINESS + 0;\n\n /\n Determines if this sensor should process the given input.\n \n Currently processes all inputs.\n \n @returns {boolean} Always true\n /\n supports(): boolean {\n return true;\n }\n\n /\n Validates stream topic access permissions.\n \n Current Implementation: Stub that always allows.\n \n TODO: Full implementation should:\n * 1. Check if intent is stream.subscribe or stream.publish\n * 2. Extract topic from body TLVs\n * 3. Parse topic into owner/resource pattern\n * 4. Look up topic ACL from database/cache\n * 5. Check if actor has required permission (read/write)\n * 6. DENY if unauthorized\n \n @returns {Promise<SensorDecision>} ALLOW (stub implementation)\n /\n async run(): Promise<SensorDecision> {\n // TODO: Implement topic scope enforcement\n //\n // Full implementation would:\n // const { intent, packet, actorId } = input;\n //\n // if (!intent?.startsWith('stream.')) {\n // return { action: 'ALLOW' }; // Not a stream intent\n // }\n //\n // const topic = extractTopicFromBody(input.bodyTLVs);\n // const operation = intent === 'stream.publish' ? 'write' : 'read';\n //\n // const acl = await this.getTopicACL(topic);\n // if (!acl.allows(actorId, operation)) {\n // return {\n // action: 'DENY',\n // code: 'STREAM_UNAUTHORIZED',\n // reason: `No ${operation} access to ${topic}`\n // };\n // }\n\n return { action: 'ALLOW' };\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\nimport { decodeVarint } from '../core/varint';\n\n/\n TLV Parse AxisSensor - Type-Length-Value Parsing Verification\n \n Verifies that TLV data in packets is properly formed and follows\n * canonical ordering rules. Ensures binary payload integrity before\n * field extraction.\n \n Execution Order: 160 (after policy checks, before schema validation)\n \n Validates:\n * - TLV types are ascending (canonical ordering)\n * - No duplicate TLV types\n * - Length values are accurate (no buffer overrun)\n * - Varint encoding is minimal (no padding bytes)\n * - Tag values are > 0\n \n @class TLVParseSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n /\n@Sensor()\n@Injectable()\nexport class TLVParseSensor implements AxisSensor {\n readonly name = 'TLVParseSensor';\n readonly order = BAND.CONTENT + 20;\n\n supports(input: SensorInput): boolean {\n return !!input.packet;\n }\n\n async run(input: SensorInput): Promise<SensorDecision> {\n const packet = input.packet;\n if (!packet) return { action: 'ALLOW' };\n\n // Validate header TLVs if raw header bytes are available\n const hdrBytes: Uint8Array \| Buffer \| undefined =\n packet.hdrBytes ?? packet.headerBytes;\n if (hdrBytes && hdrBytes.length > 0) {\n const result = this.validateCanonicalTLV(hdrBytes, 'header');\n if (result) return result;\n }\n\n // Validate body TLVs if body is flagged as TLV-encoded\n const bodyBytes: Uint8Array \| Buffer \| undefined =\n packet.bodyBytes ?? input.body;\n const bodyIsTlv =\n packet.flags !== undefined ? (packet.flags & 0x01) !== 0 : false;\n\n // @Intent({ bodyProfile: 'RAW' }) explicitly skips body TLV validation\n const bodyProfile = input.metadata?.schema?.bodyProfile;\n const skipBody = bodyProfile === 'RAW';\n\n if (!skipBody && bodyIsTlv && bodyBytes && bodyBytes.length > 0) {\n const result = this.validateCanonicalTLV(bodyBytes, 'body');\n if (result) return result;\n }\n\n return { action: 'ALLOW' };\n }\n\n /\n Validates a TLV buffer for canonical ordering, no duplicates,\n * valid bounds, and minimal varint encoding.\n /\n private validateCanonicalTLV(\n buf: Uint8Array,\n section: string,\n ): SensorDecision \| null {\n let offset = 0;\n let lastType = -1;\n let count = 0;\n const maxItems = 512;\n\n while (offset < buf.length) {\n if (count >= maxItems) {\n return {\n action: 'DENY',\n code: 'TLV_LIMIT',\n reason: `Too many TLVs in ${section}`,\n };\n }\n\n // Decode TYPE varint\n let type: number;\n let typeLen: number;\n try {\n const r = decodeVarint(buf, offset);\n type = r.value;\n typeLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed type varint in ${section} at offset ${offset}`,\n };\n }\n offset += typeLen;\n\n // Tag must be > 0\n if (type <= 0) {\n return {\n action: 'DENY',\n code: 'TLV_INVALID_TAG',\n reason: `Invalid tag ${type} in ${section}`,\n };\n }\n\n // Canonical order: strictly ascending\n if (type <= lastType) {\n return {\n action: 'DENY',\n code: 'TLV_NOT_CANONICAL',\n reason: `Non-canonical tag order in ${section}: ${type} after ${lastType}`,\n };\n }\n lastType = type;\n\n // Decode LEN varint\n let len: number;\n let lenLen: number;\n try {\n const r = decodeVarint(buf, offset);\n len = r.value;\n lenLen = r.length;\n } catch {\n return {\n action: 'DENY',\n code: 'TLV_PARSE_ERROR',\n reason: `Malformed length varint in ${section}`,\n };\n }\n offset += lenLen;\n\n // Bounds check\n if (offset + len > buf.length) {\n return {\n action: 'DENY',\n code: 'TLV_TRUNCATED',\n reason: `TLV value truncated in ${section}`,\n };\n }\n\n offset += len;\n count++;\n }\n\n return null; // Valid\n }\n}\n","import { Injectable } from '@nestjs/common';\n\nimport { Sensor } from '../decorators/sensor.decorator';\nimport { BAND } from '../engine/sensor-bands';\nimport {\n AxisSensor,\n SensorDecision,\n SensorInput,\n} from '../sensor/axis-sensor';\n\n/\n Varint Hardening Sensor - Variable-Length Integer Overflow Protection\n \n Detects and blocks malicious varint values that could cause integer overflow\n * or excessive memory allocation. Varints in AXIS frames encode lengths and types.\n \n Execution Order: 40 (early, before length-based parsing)\n \n Core Concept:\n * AXIS uses variable-length integers (varints) to encode:\n * - Header length\n * - Body length\n * - Signature length\n * - TLV types and lengths\n \n Varints use a continuation bit (MSB) to indicate more bytes follow.\n * An attacker could send an extremely long varint (many continuation bytes)\n * to cause:\n * - Integer overflow\n * - Excessive parsing time\n * - Memory exhaustion\n \n Varint Format:\n * ```\n * Each byte: [1-bit continuation][7-bit data]\n \n Examples:\n * 127 = 0x7F (1 byte)\n * 128 = 0x80 0x01 (2 bytes)\n * 16384 = 0x80 0x80 0x01 (3 bytes)\n * ```\n \n Limit: Maximum 5 bytes per varint\n * - 5 bytes = 35 bits of data = max value ~34 billion\n * - Sufficient for any legitimate length in AXIS\n \n How It Works:\n * ```\n * 1. Skip to varint start (offset 7: after magic+version+flags)\n * 2. Count consecutive bytes with MSB set (continuation bit)\n * 3. If count > 5, reject frame\n * ```\n \n Security Model:\n * - Fail Closed: Overflow = DENY\n * - Early Detection: Before full parsing\n * - Low Cost: Simple bit check\n \n Actions:\n * - `ALLOW` - Varint within bounds\n * - `DENY` - Varint exceeds 5 bytes\n \n Error Codes:\n * - `VARINT_OVERFLOW` - Varint exceeds maximum length\n \n Performance:\n * - Bit masking: O(1) per byte\n * - Maximum 15 bytes checked\n * - Latency: <0.1ms\n \n @class VarintHardeningSensor\n * @implements {AxisSensor}\n * @implements {OnModuleInit}\n \n @example\n * Valid varint:\n * ```typescript\n * // Length 16384 encoded as 0x80 0x80 0x01 (3 bytes)\n * { action: 'ALLOW' }\n * ```\n \n @example\n * Overflow attack:\n * ```typescript\n * // 6 bytes with continuation bits set\n * {\n * action: 'DENY',\n * code: 'VARINT_OVERFLOW',\n * reason: 'Varint exceeds 5 bytes'\n * }\n * ```\n \n @see {@link BodyBudgetSensor} - Uses varints for length parsing\n /\n@Sensor({ phase: 'PRE_DECODE' })\n@Injectable()\nexport class VarintHardeningSensor implements AxisSensor {\n /* Sensor identifier /\n readonly name = 'VarintHardeningSensor';\n\n /\n Execution order - early detection\n \n Order 40 ensures:\n * - After protocol magic check\n * - Before length-based parsing\n /\n readonly order = BAND.WIRE + 35;\n\n /* Maximum allowed bytes for a single varint /\n private readonly MAX_VARINT_BYTES = 5;\n\n /\n Determines if this sensor should process the given input.\n \n Requires at least 7 bytes of peeked data.\n \n @param {SensorInput} input - Incoming request\n * @returns {boolean} True if sufficient peek data\n /\n supports(input: SensorInput): boolean {\n return !!input.peek && input.peek.length >= 7;\n }\n\n /\n Validates varint lengths in frame header.\n \n Processing Flow:\n * 1. Skip to varint section (offset 7)\n * 2. Scan for continuation bytes (MSB = 1)\n * 3. Count consecutive continuation bytes\n * 4. DENY if count exceeds MAX_VARINT_BYTES\n \n @param {SensorInput} input - Request with peek data\n * @returns {Promise<SensorDecision>} ALLOW or DENY based on varint length\n /\n async run(input: SensorInput): Promise<SensorDecision> {\n // After magic(5) + version(1) + flags(1), varints follow for hdrLen, bodyLen, sigLen\n const peek = input.peek!;\n const offset = 7;\n const maxOffset = Math.min(offset + 15, peek.length);\n\n // Count consecutive bytes with continuation bit set (MSB = 1)\n let continuationCount = 0;\n for (let i = offset; i < maxOffset; i++) {\n if ((peek[i] & 0x80) !== 0) {\n continuationCount++;\n if (continuationCount > this.MAX_VARINT_BYTES) {\n return {\n action: 'DENY',\n code: 'VARINT_OVERFLOW',\n reason: `Varint exceeds ${this.MAX_VARINT_BYTES} bytes`,\n };\n }\n } else {\n // End of current varint - reset for next\n continuationCount = 0;\n }\n }\n\n return { action: 'ALLOW' };\n }\n}\n","export from './access-profile-resolver.sensor';\nexport * from './body-budget.sensor';\nexport * from './capability-enforcement.sensor';\nexport * from './chunk-hash.sensor';\nexport * from './entropy.sensor';\nexport * from './execution-timeout.sensor';\nexport * from './frame-budget.sensor';\nexport * from './frame-header-sanity.sensor';\nexport * from './header-tlv-limit.sensor';\nexport * from './intent-allowlist.sensor';\nexport * from './intent-registry.sensor';\nexport * from './law-evaluation.sensor';\nexport * from './proof-presence.sensor';\nexport * from './protocol-strict.sensor';\nexport * from './receipt-policy.sensor';\nexport * from './risk-gate.sensor';\nexport * from './schema-validation.sensor';\nexport * from './stream-scope.sensor';\nexport * from './tickauth.sensor';\nexport * from './tlv-parse.sensor';\nexport * from './tps.sensor';\nexport * from './varint-hardening.sensor';\n","/*\n Timeline Engine Types\n \n Core type definitions for the AXIS Timeline system:\n * - Replay: re-execute past events under deterministic rules\n * - Fork: create branch from prior state with changed conditions\n * - Simulate: run events in shadow domain with no real effect\n /\n\n// ────────────────────────────────────────────────────────────────────────────\n// Timeline Domain\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type TimelineDomain =\n \| 'prime' // Main authoritative timeline\n \| 'fork' // Branch derived from earlier coordinate\n \| 'shadow' // Simulation with no real effect\n \| 'training' // Learning and rehearsal\n \| 'audit'; // Replay-focused for diagnostics\n\nexport type TimelineEventStatus =\n \| 'executed'\n \| 'replayed'\n \| 'forked'\n \| 'simulated'\n \| 'failed';\n\n// ────────────────────────────────────────────────────────────────────────────\n// Timeline Event\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface TimelineEvent {\n event_id: string;\n timeline_id: string;\n branch_id: string;\n parent_event_id: string \| null;\n intent: string;\n actor_id: string;\n capsule_id?: string;\n tps_coordinate?: string;\n payload_hash: string;\n result_hash?: string;\n status: TimelineEventStatus;\n domain: TimelineDomain;\n /* Determinism classification /\n determinism: 'deterministic' \| 'bounded_nondeterministic' \| 'open_nondeterministic';\n /* Witness reference /\n witness_id?: string;\n created_at: number;\n metadata?: Record<string, unknown>;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Timeline Branch\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface TimelineBranch {\n branch_id: string;\n timeline_id: string;\n origin_timeline_id: string;\n origin_event_id: string;\n branch_type: 'fork' \| 'simulation' \| 'replay' \| 'training';\n created_at_tps?: string;\n creator_subject_id: string;\n purpose: string;\n status: 'active' \| 'completed' \| 'abandoned';\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// State Snapshot\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface StateSnapshot {\n snapshot_id: string;\n timeline_id: string;\n event_id: string;\n tps_coordinate?: string;\n state_hash: string;\n state_data: Record<string, unknown>;\n created_at: number;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Replay\n// ────────────────────────────────────────────────────────────────────────────\n\nexport type ReplayMode = 'strict' \| 'analytical';\n\nexport interface ReplayRequest {\n /* Event to replay /\n source_event_id: string;\n /* Mode: strict = expect same output; analytical = compare /\n mode: ReplayMode;\n /* Optional override payload for analytical mode /\n override_payload?: Record<string, unknown>;\n}\n\nexport interface ReplayResult {\n original_event: TimelineEvent;\n replayed_event: TimelineEvent;\n mode: ReplayMode;\n /* Whether the replay produced the same result /\n deterministic_match: boolean;\n /* Differences between original and replayed result /\n differences: ReplayDifference[];\n duration_ms: number;\n}\n\nexport interface ReplayDifference {\n field: string;\n original: unknown;\n replayed: unknown;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Fork\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface ForkRequest {\n /* Event to fork from /\n source_event_id: string;\n /* New payload to use in the forked branch /\n new_payload: Record<string, unknown>;\n /* Purpose description /\n purpose: string;\n /* Actor creating the fork /\n actor_id: string;\n}\n\nexport interface ForkResult {\n branch: TimelineBranch;\n forked_event: TimelineEvent;\n snapshot?: StateSnapshot;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Simulation\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface SimulationRequest {\n /* Intent to simulate /\n intent: string;\n /* Simulated payload /\n payload: Record<string, unknown>;\n /* Actor identity for simulation context /\n actor_id: string;\n /* Optional TPS coordinate for temporal context /\n at_tps?: string;\n /* Optional state snapshot to start from /\n from_snapshot_id?: string;\n /* Purpose description /\n purpose: string;\n}\n\nexport interface SimulationResult {\n branch: TimelineBranch;\n simulated_event: TimelineEvent;\n predicted_outcome: Record<string, unknown>;\n side_effects: SimulatedSideEffect[];\n duration_ms: number;\n}\n\nexport interface SimulatedSideEffect {\n type: string;\n target: string;\n action: string;\n predicted_result: unknown;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Comparison\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface TimelineComparison {\n timeline_a: string;\n timeline_b: string;\n event_pairs: Array<{\n event_a: TimelineEvent;\n event_b: TimelineEvent;\n match: boolean;\n differences: ReplayDifference[];\n }>;\n divergence_point?: string;\n}\n\n// ────────────────────────────────────────────────────────────────────────────\n// Handler interface\n// ────────────────────────────────────────────────────────────────────────────\n\nexport interface TimelineHandler {\n intent: string;\n execute(payload: Record<string, unknown>, context: TimelineHandlerContext): Promise<TimelineHandlerResult>;\n}\n\nexport interface TimelineHandlerContext {\n event_id: string;\n timeline_id: string;\n branch_id: string;\n domain: TimelineDomain;\n actor_id: string;\n tps_coordinate?: string;\n snapshot?: StateSnapshot;\n is_replay: boolean;\n is_simulation: boolean;\n}\n\nexport interface TimelineHandlerResult {\n ok: boolean;\n effect: string;\n result_data: Record<string, unknown>;\n side_effects?: SimulatedSideEffect[];\n}\n","export from './timeline.types';\nexport * from './timeline.store';\nexport * from './timeline.engine';\n","export * from './axis-tlv-codec';\n","// Decorators\nexport { Chain, CHAIN_METADATA_KEY } from \"./decorators/chain.decorator\";\nexport {\n CapsulePolicy,\n CAPSULE_POLICY_METADATA_KEY,\n} from \"./decorators/capsule-policy.decorator\";\nexport {\n Axis,\n AXIS_META_KEY,\n AxisPublic,\n AXIS_PUBLIC_KEY,\n AxisAnonymous,\n AXIS_ANONYMOUS_KEY,\n AxisRateLimit,\n AXIS_RATE_LIMIT_KEY,\n Sensitivity,\n SENSITIVITY_METADATA_KEY,\n Contract,\n CONTRACT_METADATA_KEY,\n RequiredProof,\n REQUIRED_PROOF_METADATA_KEY,\n Capsule,\n Witness,\n} from \"./decorators/intent-policy.decorator\";\nexport type {\n RequiredProofKind,\n AxisRateLimitConfig,\n} from \"./decorators/intent-policy.decorator\";\nexport { Handler, HANDLER_METADATA_KEY } from \"./decorators/handler.decorator\";\nexport {\n Intent,\n INTENT_METADATA_KEY,\n INTENT_ROUTES_KEY,\n AxisIntentSensorOptions,\n AxisIntentSensorRef,\n IntentRoute,\n IntentOptions,\n IntentTlvField,\n IntentKind,\n} from \"./decorators/intent.decorator\";\nexport {\n IntentBody,\n INTENT_BODY_KEY,\n} from \"./decorators/intent-body.decorator\";\nexport {\n IntentSensors,\n INTENT_SENSORS_KEY,\n} from \"./decorators/intent-sensors.decorator\";\nexport {\n Observer,\n OBSERVER_BINDINGS_KEY,\n OBSERVER_METADATA_KEY,\n} from \"./decorators/observer.decorator\";\nexport type {\n CapsulePolicyOptions,\n CapsuleScopeMode,\n} from \"./decorators/capsule-policy.decorator\";\nexport type {\n AxisObserverBinding,\n AxisObserverBindingOptions,\n AxisObserverDefinition,\n AxisObserverRef,\n} from \"./decorators/observer.decorator\";\nexport {\n HandlerSensors,\n HANDLER_SENSORS_KEY,\n} from \"./decorators/handler-sensors.decorator\";\nexport { Sensor, SENSOR_METADATA_KEY } from \"./decorators/sensor.decorator\";\nexport type { SensorOptions, SensorPhase } from \"./decorators/sensor.decorator\";\n\n// TLV Field Decorators\nexport {\n TlvField,\n TlvValidate,\n TlvUtf8Pattern,\n TlvMinLen,\n TlvEnum,\n TlvRange,\n TLV_FIELDS_KEY,\n TLV_VALIDATORS_KEY,\n} from \"./decorators/tlv-field.decorator\";\nexport type {\n TlvFieldKind,\n TlvFieldOptions,\n TlvFieldMeta,\n TlvValidatorFn,\n TlvValidatorMeta,\n} from \"./decorators/tlv-field.decorator\";\n\n// DTO Schema Utilities\nexport {\n extractDtoSchema,\n buildDtoDecoder,\n} from \"./decorators/dto-schema.util\";\nexport type { DtoSchema } from \"./decorators/dto-schema.util\";\n\n// Base DTO Classes\nexport { AxisTlvDto } from \"./base/axis-tlv.dto\";\nexport { AxisIdDto } from \"./base/axis-id.dto\";\nexport { AxisPartialType } from \"./base/axis-partial-type\";\nexport {\n AxisResponseDto,\n RESPONSE_TAG_ID,\n RESPONSE_TAG_CREATED_AT,\n RESPONSE_TAG_UPDATED_AT,\n RESPONSE_TAG_CREATED_BY,\n RESPONSE_TAG_UPDATED_BY,\n} from \"./base/axis-response.dto\";\n\n// Engine\nexport { AxisChainExecutor } from \"./engine/axis-chain.executor\";\nexport type {\n AxisCapsuleRef,\n AxisChainEnvelope,\n AxisChainEncryption,\n AxisChainRequest,\n AxisChainResult,\n AxisChainStatus,\n AxisChainStep,\n AxisChainStepResult,\n AxisChainStepStatus,\n AxisExecutionMode,\n AxisIntentEnvelope,\n AxisKeyExchangeRef,\n AxisObserverEvent,\n ChainOptions,\n RegisteredChainConfig,\n} from \"./engine/axis-chain.types\";\nexport type { AxisExecutionContext } from \"./engine/axis-execution-context\";\nexport {\n AXIS_EXECUTION_CONTEXT_KEY,\n getAxisExecutionContext,\n mergeAxisExecutionContext,\n withAxisExecutionContext,\n} from \"./engine/axis-execution-context\";\nexport type {\n AxisIntentObserver,\n AxisObserverContext,\n AxisObserverRegistration,\n} from \"./engine/axis-observer.interface\";\nexport { IntentRouter, AxisEffect } from \"./engine/intent.router\";\nexport { BAND, PRE_DECODE_BOUNDARY } from \"./engine/sensor-bands\";\nexport type { SensorBand } from \"./engine/sensor-bands\";\n\n// Observation (protocol-level observation pipeline)\nexport { stableJsonStringify } from \"./engine/observation/stable-json\";\nexport type {\n ObservationQueueMessage,\n ObservationQueueConfig,\n} from \"./engine/observation/observation-queue.types\";\nexport {\n buildQueueMessage,\n encodeQueueMessage,\n decodeQueueMessage,\n parseStreamEntries,\n parseAutoClaimEntries,\n} from \"./engine/observation/observation-queue.codec\";\nexport type { ObservationStreamEntry } from \"./engine/observation/observation-queue.codec\";\nexport {\n canonicalizeObservation,\n hashObservation,\n buildUnsignedWitness,\n} from \"./engine/observation/observation-hash\";\nexport type {\n ObservationWitnessSummary,\n UnsignedObservationWitness,\n} from \"./engine/observation/observation-hash\";\nexport {\n scoreTruth,\n verifyObservation,\n} from \"./engine/observation/truth-scoring\";\nexport type {\n TruthStatus,\n TruthVerdict,\n ExpectedOutcome,\n Anomaly,\n AnomalyLevel,\n ObservedDeed,\n} from \"./engine/observation/truth-scoring\";\nexport {\n verifyResponse,\n ResponseObserver,\n} from \"./engine/observation/response-observer\";\nexport type {\n ResponseObserverContext,\n ResponseContract,\n ObserverVerdict,\n} from \"./engine/observation/response-observer\";\n\n// Core Protocol\nexport * from \"./core/constants\";\nexport * from \"./core/varint\";\nexport * from \"./core/tlv\";\nexport * from \"./core/signature\";\nexport {\n AxisFrameZ,\n decodeFrame,\n encodeFrame,\n getSignTarget,\n} from \"./core/axis-bin\";\nexport type { AxisFrame, AxisBinaryFrame } from \"./core/axis-bin\";\n\n// Codec\nexport * from \"./codec/ats1.constants\";\nexport * from \"./codec/ats1.passkey.schemas\";\nexport * as Ats1Codec from \"./codec/ats1\";\nexport * from \"./codec/axis1.encode\";\nexport * from \"./codec/axis1.signing\";\nexport * from \"./codec/tlv.encode\";\n\n// Crypto Utilities\nexport * from \"./crypto/b64url\";\nexport * from \"./crypto/canonical-json\";\nexport type {\n AxisAlg,\n AxisCapsule,\n CapsuleMode,\n KeyStatus,\n AxisSig,\n AxisPacket,\n AxisCapsuleConstraints,\n AxisCapsulePayload,\n} from \"./crypto/types\";\n\n// Contract Utilities\nexport * from \"./contract/execution-meter\";\nexport * from \"./contract/contract.interface\";\n\n// Packet and Sensor Types\nexport { Axis1DecodedFrame, decodeAxis1Frame } from \"./types/frame\";\nexport {\n AxisPacket as AxisBinaryPacket,\n T as AxisPacketTags,\n buildPacket,\n} from \"./types/packet\";\nexport type {\n AxisObservedContext,\n AxisRequestContext,\n} from \"./types/axis-frame.types\";\nexport type { TLV as AxisTlvType } from \"./core/tlv\";\nexport {\n Decision,\n normalizeSensorDecision,\n SensorDecisions,\n} from \"./sensor/axis-sensor\";\nexport type {\n AxisSensor,\n AxisSensorInit,\n AxisPreSensor,\n AxisPostSensor,\n SensorPhaseMetadata,\n SensorInput,\n SensorDecision,\n SensorMinifiedDecision,\n} from \"./sensor/axis-sensor\";\n\n// Interfaces\nexport {\n AxisHandler,\n AxisHandlerInit,\n} from \"./interfaces/axis-handler.interface\";\nexport { AxisCrudHandler } from \"./interfaces/axis-crud-handler.interface\";\n\n// Security\nexport * from \"./security/scopes\";\nexport * from \"./security/capabilities\";\n\n// Law\nexport * from \"./law\";\n\n// Risk\nexport * from \"./risk/index\";\n\n// Core: Opcode Registry\nexport * from \"./core/opcodes\";\n\n// Core: Receipt Hash\nexport * from \"./core/receipt\";\n\n// Core: Intent Sensitivity\nexport * from \"./core/intent-sensitivity\";\n\n// Core: Timeouts\nexport * from \"./core/timeouts\";\n\n// Types: Intent Definitions\nexport type { IntentDefinition } from \"./types/intent-definition\";\n\n// Frame Validation\nexport { validateFrameShape, isTimestampValid } from \"./core/frame-validator\";\n\n// Types: JSON-level Frame Types\nexport type {\n AxisFrame as AxisJsonFrame,\n AxisResponse as AxisJsonResponse,\n AxisSig as AxisJsonSig,\n AxisAlg as AxisJsonAlg,\n} from \"./types/axis-frame.types\";\n\n// Upload handlers and stores\nexport {\n AxisFilesDownloadHandler,\n AxisFilesFinalizeHandler,\n} from \"./upload/axis-files.handlers\";\nexport {\n AXIS_UPLOAD_FILE_STORE,\n AXIS_UPLOAD_RECEIPT_SIGNER,\n AXIS_UPLOAD_SESSION_STORE,\n} from \"./upload/upload.tokens\";\nexport type {\n UploadFileStore,\n UploadFileStat,\n UploadReceiptSigner,\n UploadSessionRecord,\n UploadSessionStatus,\n UploadSessionStore,\n} from \"./upload/upload.types\";\nexport { DiskUploadFileStore } from \"./upload/disk-upload-file.store\";\n\n// Types\n\n// Additional root exports for import ergonomics\nexport {\n AxisRaw,\n AxisIp,\n AxisContext,\n AxisDemoPubkey,\n} from \"./decorators/axis-request.decorator\";\nexport type { AxisRequestData } from \"./decorators/axis-request.decorator\";\nexport { AxisError } from \"./core/axis-error\";\nexport { ObserverDiscoveryService } from \"./engine/observer-discovery.service\";\nexport { ObserverDispatcherService } from \"./engine/observer-dispatcher.service\";\nexport { HandlerDiscoveryService } from \"./engine/handler-discovery.service\";\nexport { SensorDiscoveryService } from \"./engine/sensor-discovery.service\";\nexport { ObserverRegistry } from \"./engine/registry/observer.registry\";\nexport { SensorRegistry } from \"./engine/registry/sensor.registry\";\nexport type { AxisDecoded } from \"./engine/axis-decoded\";\nexport {\n createObservation,\n startStage,\n endStage,\n recordSensor,\n finalizeObservation,\n} from \"./engine/axis-observation\";\nexport type {\n AxisObservation,\n ObservationSensor,\n ObservationStage,\n} from \"./engine/axis-observation\";\nexport { AxisSensorChainService } from \"./security/axis-sensor-chain.service\";\nexport type { ChainResult } from \"./security/axis-sensor-chain.service\";\n\n// Timeline Engine\nexport { TimelineEngine } from \"./timeline/timeline.engine\";\nexport { InMemoryTimelineStore } from \"./timeline/timeline.store\";\nexport type { TimelineStore } from \"./timeline/timeline.store\";\nexport type {\n TimelineEvent,\n TimelineBranch,\n TimelineDomain,\n TimelineEventStatus,\n StateSnapshot,\n ReplayRequest,\n ReplayResult,\n ReplayDifference,\n ForkRequest,\n ForkResult,\n SimulationRequest,\n SimulationResult,\n SimulatedSideEffect,\n TimelineComparison,\n TimelineHandler,\n TimelineHandlerContext,\n TimelineHandlerResult,\n} from \"./timeline/timeline.types\";\n\n// CCE — Capsule-Carried Encryption\nexport { executeCcePipeline } from \"./cce/cce-pipeline\";\nexport type {\n CceHandler,\n CceHandlerContext,\n CceHandlerResult,\n CcePolicyContext,\n CcePolicyDecision,\n CcePolicyEvaluator,\n CcePipelineConfig,\n CcePipelineResult,\n} from \"./cce/cce-pipeline\";\nexport { CCE_PROTOCOL_VERSION, CCE_ERROR, CceError } from \"./cce/cce.types\";\nexport type {\n CceCapsuleClaims as CceCapsuleClaimsType,\n CceRequestEnvelope as CceRequestEnvelopeType,\n CceResponseEnvelope as CceResponseEnvelopeType,\n CceExecutionContext as CceExecutionContextType,\n CceWitnessRecord as CceWitnessRecordType,\n} from \"./cce/cce.types\";\n\n// Utils\nexport { encodeAxisTlvDto } from \"./utils/axis-tlv-codec\";\n\n// Loom runtime helpers and types\nexport {\n TLV_PRESENCE_ID,\n TLV_WRIT,\n TLV_THREAD_HASH,\n deriveAnchorReflection,\n canonicalizeWrit,\n canonicalizeGrant,\n} from \"./loom/loom.types\";\nexport {\n createPresenceChallenge,\n signPresenceChallenge,\n verifyPresenceProof,\n getPresenceStatus,\n renewPresence,\n createWrit,\n validateWrit,\n grantCoversAction,\n getGrantStatus,\n validateGrant,\n createGrant,\n createReceipt,\n verifyReceiptChain,\n updateThreadState,\n createRevocation,\n isRevoked,\n executeLoomPipeline,\n} from \"./loom/loom.engine\";\nexport type {\n LoomExecutionResult,\n} from \"./loom/loom.engine\";\nexport type {\n PresenceDeclaration,\n PresenceChallenge,\n PresenceProof,\n PresenceReceipt,\n PresenceStatus,\n WritHead,\n WritBody,\n WritMeta,\n WritSignature,\n Writ,\n GrantType,\n GrantCapability,\n GrantMeta,\n Grant,\n GrantStatus,\n LoomReceipt,\n ThreadState,\n RevocationTargetType,\n Revocation,\n LoomValidationResult,\n PresenceVerifyResult,\n WritValidationResult,\n GrantValidationResult,\n} from \"./loom/loom.types\";\n\n// IDEL — Intent Description & Execution Language\nexport { IdelSchemaRegistry, IdelCompiler } from \"./idel/idel.compiler\";\nexport type {\n IntentProposal,\n CompiledIntent,\n IntentConstraint,\n ConstraintKind,\n AlternativeIntent,\n ClarificationQuestion,\n IntentRisk,\n RiskLevel,\n IntentSchema,\n IntentParamSchema,\n CompilationResult,\n CompilationError,\n} from \"./idel/idel.types\";\n\n// Needle & Thread — Unified execution pipeline\nexport { assembleNeedle, formStitch, runNeedlePipeline } from \"./needle/needle.engine\";\nexport type {\n Needle,\n NeedlePhase,\n NeedleError,\n NeedleHandler,\n NeedleHandlerContext,\n NeedleHandlerResult,\n NeedlePipelineConfig,\n NeedlePipelineResult,\n Stitch,\n StitchKind,\n Thread,\n} from \"./needle/needle.types\";\n\n// Knot — Critical binding points in the Thread\nexport {\n openKnot,\n addStitchToKnot,\n validateKnot,\n tieKnot,\n breakKnot,\n forkFromKnot,\n isKnotOpen,\n isPointOfNoReturn,\n findKnotsForStitch,\n getIrreversibleKnots,\n getDecisionPoints,\n} from \"./needle/knot.engine\";\nexport type {\n KnotType,\n KnotStatus,\n Knot,\n KnotValidationResult,\n KnotError,\n KnotBreakRequest,\n} from \"./needle/knot.types\";\n\n// Fabric — State-space projection from woven Stitches\nexport {\n createFabric,\n applyStitch,\n weave,\n projectAt,\n lockCells,\n queryFabric,\n getFabricValue,\n diffFabrics,\n} from \"./needle/fabric.engine\";\nexport type {\n FabricCell,\n Fabric,\n FabricEffect,\n FabricEffectResolver,\n FabricDiff,\n FabricDiffEntry,\n FabricDiffKind,\n FabricQuery,\n} from \"./needle/fabric.types\";\n\n// Pattern — Recurring structure detection\nexport {\n InMemoryPatternStore,\n detectSequencePatterns,\n detectKnotPatterns,\n matchPatterns,\n recordOccurrence,\n detectAnomalies,\n} from \"./needle/pattern.engine\";\nexport type {\n PatternKind,\n Pattern,\n PatternSignature,\n PatternMatch,\n PatternPrediction,\n PatternStore,\n PatternConfidence,\n} from \"./needle/pattern.types\";\n\n// Sensors — Reality gates\nexport { TpsSensor } from \"./sensors/tps.sensor\";\nexport type { TpsSensorOptions } from \"./sensors/tps.sensor\";\nexport { RiskGateSensor } from \"./sensors/risk-gate.sensor\";\nexport type { RiskGateSensorOptions, RiskSignalCollector } from \"./sensors/risk-gate.sensor\";\nexport { TickAuthSensor } from \"./sensors/tickauth.sensor\";\nexport type { TickAuthSensorOptions, TickAuthVerifier, TickAuthCapsuleRef } from \"./sensors/tickauth.sensor\";\n\n// Grouped namespaces for the backend package merge surface\nexport * as cce from \"./cce\";\nexport * as core from \"./core\";\nexport * as crypto from \"./crypto\";\nexport * as decorators from \"./decorators\";\nexport * as engine from \"./engine\";\nexport * as idel from \"./idel\";\nexport * as loom from \"./loom\";\nexport * as needle from \"./needle\";\nexport * as schemas from \"./schemas\";\nexport * as security from \"./security\";\nexport * as sensors from \"./sensors\";\nexport * as timeline from \"./timeline\";\nexport * as utils from \"./utils\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAMA,SAAS,MAAM,UAAwB,CAAC,GAAoB;AACjE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,UAAM,QAA+B;AAAA,MACnC,SAAS;AAAA,MACT,GAAG;AAAA,IACL;AAEA,YAAQ,eAAe,oBAAoB,OAAO,QAAQ,WAAW;AAAA,EACvE;AACF;AAfA,IAIa;AAJb;AAAA;AAIO,IAAM,qBAAqB;AAAA;AAAA;;;ACJlC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAcA,SAAS,cACd,UAAgC,CAAC,GACC;AAClC,QAAM,aAAa,8BAA8B,OAAO;AAExD,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AAEA,YAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,8BACd,UAAgC,CAAC,GACX;AACtB,SAAO;AAAA,IACL,UAAU,QAAQ,YAAY;AAAA,IAC9B,QAAQ,oBAAoB,QAAQ,MAAM;AAAA,IAC1C,WAAW,QAAQ,aAAa;AAAA,IAChC,aAAa,QAAQ,eAAe;AAAA,IACpC,iBAAiB,QAAQ,mBAAmB;AAAA,EAC9C;AACF;AAEO,SAAS,0BACd,MACA,UACkC;AAClC,MAAI,CAAC,QAAQ,CAAC,UAAU;AACtB,WAAO;AAAA,EACT;AAEA,QAAM,iBAAiB,OAAO,8BAA8B,IAAI,IAAI;AACpE,QAAM,qBAAqB,WACvB,8BAA8B,QAAQ,IACtC;AAEJ,QAAM,SAAS;AAAA,IACb,GAAG,YAAY,gBAAgB,MAAM;AAAA,IACrC,GAAG,YAAY,oBAAoB,MAAM;AAAA,EAC3C;AAEA,SAAO;AAAA,IACL,UAAU,oBAAoB,YAAY,gBAAgB,YAAY;AAAA,IACtE,QAAQ,oBAAoB,MAAM;AAAA,IAClC,WACE,oBAAoB,aAAa,gBAAgB,aAAa;AAAA,IAChE,aACE,oBAAoB,eACpB,gBAAgB,eAChB;AAAA,IACF,iBACE,oBAAoB,mBACpB,gBAAgB,mBAChB;AAAA,EACJ;AACF;AAEA,SAAS,oBACP,OAC+B;AAC/B,QAAM,OAAO,YAAY,KAAK;AAC9B,MAAI,KAAK,WAAW,GAAG;AACrB,WAAO;AAAA,EACT;AACA,SAAO,KAAK,WAAW,IAAI,KAAK,CAAC,IAAI;AACvC;AAEA,SAAS,YAAY,OAAqC;AACxD,MAAI,CAAC,OAAO;AACV,WAAO,CAAC;AAAA,EACV;AAEA,SAAO,MAAM,KAAK,IAAI,IAAI,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE;AAAA,IACjE,CAAC,UAAU,MAAM,KAAK,EAAE,SAAS;AAAA,EACnC;AACF;AAtGA,IAEa;AAFb;AAAA;AAEO,IAAM,8BAA8B;AAAA;AAAA;;;ACF3C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAoCA,SAAS,YACd,OACkC;AAClC,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AACA,YAAQ,eAAe,0BAA0B,OAAO,MAAkB;AAAA,EAC5E;AACF;AAiBO,SAAS,SACd,SACkC;AAClC,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AACA,YAAQ,eAAe,uBAAuB,SAAS,MAAkB;AAAA,EAC3E;AACF;AAkBO,SAAS,cACd,QACkC;AAClC,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA;AAAA,IACF;AACA,YAAQ;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAkBO,SAAS,UAA4C;AAC1D,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,UAAM,WACJ,gBAAgB,SACX,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,MACA;AAAA,IACF,KAAK,CAAC,IACL,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,IACF,KAAK,CAAC;AAEZ,UAAM,SAA8B,SAAS,SAAS,SAAS,IAC3D,WACA,CAAC,GAAG,UAAU,SAAS;AAE3B,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,OAAO;AACL,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAsBO,SAAS,UAA4C;AAC1D,UAAQ,CAAC,QAA2B,gBAAkC;AACpE,UAAM,WACJ,gBAAgB,SACX,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,MACA;AAAA,IACF,KAAK,CAAC,IACL,QAAQ;AAAA,MACP;AAAA,MACA;AAAA,IACF,KAAK,CAAC;AAEZ,UAAM,SAA8B,SAAS,SAAS,SAAS,IAC3D,WACA,CAAC,GAAG,UAAU,SAAS;AAE3B,QAAI,gBAAgB,QAAW;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,OAAO;AACL,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAkBO,SAAS,OAAuB;AACrC,SAAO,CAAC,WAAqB;AAC3B,YAAQ,eAAe,eAAe,EAAE,OAAO,KAAK,GAAG,MAAM;AAAA,EAC/D;AACF;AAkCO,SAAS,aAA+C;AAC7D,SAAO,CACL,QACA,aACA,eACG;AACH,QAAI,YAAY;AACd,cAAQ,eAAe,iBAAiB,MAAM,QAAQ,WAAY;AAClE,aAAO;AAAA,IACT;AACA,YAAQ,eAAe,iBAAiB,MAAM,MAAM;AACpD,WAAO;AAAA,EACT;AACF;AAgCO,SAAS,gBAAkD;AAChE,SAAO,CACL,QACA,aACA,eACG;AACH,QAAI,YAAY;AACd,cAAQ,eAAe,oBAAoB,MAAM,QAAQ,WAAY;AACrE,aAAO;AAAA,IACT;AACA,YAAQ,eAAe,oBAAoB,MAAM,MAAM;AACvD,WAAO;AAAA,EACT;AACF;AAqCO,SAAS,cAAc,QAA8C;AAC1E,SAAO,CACL,QACA,aACA,eACG;AACH,YAAQ,eAAe,qBAAqB,QAAQ,QAAQ,WAAW;AACvE,WAAO;AAAA,EACT;AACF;AAlYA,IAQa,eAEA,0BACA,uBACA,6BAoPA,iBAgDA,oBA6CA;AA7Vb;AAAA;AAQO,IAAM,gBAAgB;AAEtB,IAAM,2BAA2B;AACjC,IAAM,wBAAwB;AAC9B,IAAM,8BAA8B;AAoPpC,IAAM,kBAAkB;AAgDxB,IAAM,qBAAqB;AA6C3B,IAAM,sBAAsB;AAAA;AAAA;;;AC7VnC;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,YAAY,mBAAmB;AASjC,SAAS,QAAQ,QAAiC;AACvD,SAAO,CAAC,WAAqB;AAC3B,gBAAY,sBAAsB,EAAE,OAAO,CAAC,EAAE,MAAM;AACpD,eAAW,EAAE,MAAa;AAAA,EAC5B;AACF;AAdA,IAEa;AAFb;AAAA;AAEO,IAAM,uBAAuB;AAAA;AAAA;;;ACFpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAsGA,SAAS,OACd,QACA,SACiB;AACjB,SAAO,CAAC,QAAQ,gBAAgB;AAE9B,YAAQ;AAAA,MACN;AAAA,MACA,EAAE,QAAQ,QAAQ,GAAG,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAGA,UAAM,SACJ,QAAQ,YAAY,mBAAmB,OAAO,WAAW,KAAK,CAAC;AACjE,WAAO,KAAK;AAAA,MACV;AAAA,MACA,YAAY;AAAA,MACZ,UAAU,SAAS;AAAA,MACnB,OAAO,SAAS;AAAA,MAChB,MAAM,SAAS;AAAA,MACf,OAAO,SAAS;AAAA,MAChB,aAAa,SAAS;AAAA,MACtB,KAAK,SAAS;AAAA,MACd,KAAK,SAAS;AAAA,MACd,IAAI,SAAS;AAAA,IACf,CAAC;AACD,YAAQ,eAAe,mBAAmB,QAAQ,OAAO,WAAW;AAAA,EACtE;AACF;AApIA,IAIa,qBACA;AALb;AAAA;AAIO,IAAM,sBAAsB;AAC5B,IAAM,oBAAoB;AAAA;AAAA;;;ACLjC;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAUA,SAAS,WAAW,SAAgD;AACzE,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,iBAAiB,SAAS,QAAQ,WAAW;AAAA,EACtE;AACF;AAdA,IAEa;AAFb;AAAA;AAEO,IAAM,kBAAkB;AAAA;AAAA;;;ACF/B;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAUA,SAAS,cAAc,SAAiD;AAC7E,SAAO,CAAC,QAAgB,gBAAiC;AACvD,YAAQ,eAAe,oBAAoB,SAAS,QAAQ,WAAW;AAAA,EACzE;AACF;AAdA,IAIa;AAJb;AAAA;AAIO,IAAM,qBAAqB;AAAA;AAAA;;;ACJlC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAEP,SAAS,cAAAA,mBAAkB;AA6B3B,SAAS,iBACP,OACqC;AACrC,SAAO,CAAC,CAAC,SAAS,OAAO,UAAU,YAAY,SAAS;AAC1D;AAEA,SAAS,oBAAoB,OAAiD;AAC5E,SACE,CAAC,CAAC,SACF,OAAO,UAAU,YACjB,CAAC,MAAM,QAAQ,KAAK,KACpB,CAAC,iBAAiB,KAAK;AAE3B;AAEA,SAAS,UACP,OAK4B;AAC5B,MAAI,CAAC,MAAO,QAAO;AAEnB,MAAI,iBAAiB,KAAK,GAAG;AAC3B,UAAM,OAAO,MAAM,QAAQ,MAAM,GAAG,IAAI,MAAM,MAAM,CAAC,MAAM,GAAG;AAC9D,WAAO,EAAE,MAAM,MAAM,MAAM,MAAM,QAAQ,MAAM,OAAO;AAAA,EACxD;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,EAAE,MAAM,MAAM;AAAA,EACvB;AAEA,MAAI,OAAO,UAAU,cAAc,OAAO,UAAU,UAAU;AAC5D,WAAO,EAAE,MAAM,CAAC,KAAK,EAAE;AAAA,EACzB;AAEA,SAAO;AACT;AAEO,SAAS,SACd,OAKkC;AAClC,UAAQ,CACN,QACA,gBACG;AACH,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,SAAS;AACX,UAAI,gBAAgB,QAAW;AAC7B,cAAMC,YACJ,QAAQ,YAAY,uBAAuB,QAAQ,WAAW,KAAK,CAAC;AACtE,QAAAA,UAAS,KAAK,OAAO;AACrB,gBAAQ;AAAA,UACN;AAAA,UACAA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA;AAAA,MACF;AAEA,YAAM,WACJ,QAAQ,YAAY,uBAAuB,MAAkB,KAAK,CAAC;AACrE,eAAS,KAAK,OAAO;AACrB,cAAQ,eAAe,uBAAuB,UAAU,MAAkB;AAC1E;AAAA,IACF;AAEA,QAAI,gBAAgB,QAAW;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,oBAAoB,KAAK,IAAI,QAAQ,CAAC;AACzD,YAAQ,eAAe,uBAAuB,YAAY,MAAkB;AAC5E,IAAAD,YAAW,EAAE,MAAa;AAAA,EAC5B;AACF;AAlHA,IAMa,uBACA;AAPb;AAAA;AAMO,IAAM,wBAAwB;AAC9B,IAAM,wBAAwB;AAAA;AAAA;;;ACPrC;AAAA;AAAA;AAAA;AAAA;AAAA,OAAO;AAwBA,SAAS,eAAe,SAAgD;AAC7E,SAAO,CAAC,WAAqB;AAC3B,YAAQ,eAAe,qBAAqB,SAAS,MAAM;AAAA,EAC7D;AACF;AA5BA,IAIa;AAJb;AAAA;AAIO,IAAM,sBAAsB;AAAA;AAAA;;;ACJnC;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,eAAAE,oBAAmB;AAyCrB,SAAS,OAAO,SAAyC;AAC9D,SAAOA,aAAY,qBAAqB,WAAW,IAAI;AACzD;AA3CA,IAEa;AAFb;AAAA;AAEO,IAAM,sBAAsB;AAAA;AAAA;;;;;;;;AC2FnC,YAAA,WAAAC;AA6BA,YAAA,cAAAC;AAwBA,YAAA,iBAAAC;AAiBA,YAAA,YAAAC;AAWA,YAAA,UAAAC;AAgBA,YAAA,WAAAC;AA9LA,cAAA,kBAAA;AAEa,YAAA,iBAAiB;AACjB,YAAA,qBAAqB;AAClC,QAAM,cAAc,IAAI,YAAW;AAmDnC,aAAS,0BACP,UACA,UACA,KAAW;AAEX,YAAM,oBAAoB,SAAS,KAAK,CAAC,SAAS,KAAK,aAAa,QAAQ;AAC5E,UAAI,mBAAmB;AACrB,cAAM,IAAI,MAAM,oCAAoC,QAAQ,EAAE;MAChE;AAEA,YAAM,eAAe,SAAS,KAAK,CAAC,SAAS,KAAK,QAAQ,GAAG;AAC7D,UAAI,cAAc;AAChB,cAAM,IAAI,MACR,2BAA2B,GAAG,QAAQ,QAAQ,qBAAqB,aAAa,QAAQ,EAAE;MAE9F;IACF;AAsBA,aAAgBL,UACd,KACA,SAAwB;AAExB,aAAO,CAAC,QAAgB,gBAAgC;AACtD,cAAM,WACJ,QAAQ,eAAe,QAAA,gBAAgB,OAAO,WAAW,KAAK,CAAA;AAEhE,cAAM,WAAW,OAAO,WAAW;AACnC,kCAA0B,UAAU,UAAU,GAAG;AAEjD,iBAAS,KAAK;UACZ;UACA;UACA;SACD;AAED,gBAAQ,eAAe,QAAA,gBAAgB,UAAU,OAAO,WAAW;MACrE;IACF;AAUA,aAAgBC,aAAY,WAAyB;AACnD,aAAO,CAAC,QAAgB,gBAAgC;AACtD,cAAM,WACJ,QAAQ,eAAe,QAAA,oBAAoB,OAAO,WAAW,KAAK,CAAA;AAEpE,cAAM,OAAO,OAAO,WAAW;AAC/B,YAAI,QAAQ,SAAS,KAAK,CAAC,MAAM,EAAE,aAAa,IAAI;AAEpD,YAAI,CAAC,OAAO;AACV,kBAAQ,EAAE,UAAU,MAAM,KAAK,GAAG,YAAY,CAAA,EAAE;AAChD,mBAAS,KAAK,KAAK;QACrB;AAEA,cAAM,WAAW,KAAK,SAAS;AAE/B,gBAAQ,eAAe,QAAA,oBAAoB,UAAU,OAAO,WAAW;MACzE;IACF;AAOA,aAAgBC,gBACd,SACA,SAAgB;AAEhB,YAAM,UAAU,IAAI,OAAO,QAAQ,QAAQ,QAAQ,KAAK;AACxD,aAAOD,aAAY,CAAC,KAAK,SAAQ;AAC/B,cAAM,MAAM,YAAY,OAAO,GAAG;AAClC,gBAAQ,YAAY;AACpB,eAAO,QAAQ,KAAK,GAAG,IACnB,OACA,WAAW,GAAG,IAAI;MACxB,CAAC;IACH;AAKA,aAAgBE,WAAU,KAAa,SAAgB;AACrD,aAAOF,aAAY,CAAC,KAAK,SAAQ;AAC/B,eAAO,IAAI,UAAU,MACjB,OACA,WAAW,GAAG,IAAI,gBAAgB,IAAI,MAAM,MAAM,GAAG;MAC3D,CAAC;IACH;AAKA,aAAgBG,SACd,SACA,SAAgB;AAEhB,YAAM,MAAM,IAAI,IAAI,OAAO;AAC3B,aAAOH,aAAY,CAAC,KAAK,SAAQ;AAC/B,cAAM,MAAM,YAAY,OAAO,GAAG;AAClC,eAAO,IAAI,IAAI,GAAG,IACd,OACA,WAAW,GAAG,IAAI,qBAAqB,QAAQ,KAAK,IAAI,CAAC;MAC/D,CAAC;IACH;AAKA,aAAgBI,UACd,KACA,KACA,SAAgB;AAEhB,aAAOJ,aAAY,CAAC,KAAK,SAAQ;AAC/B,YAAI,IAAI,WAAW;AAAG,iBAAO,GAAG,IAAI;AACpC,YAAI,IAAI;AACR,mBAAW,KAAK;AAAK,cAAK,KAAK,KAAM,OAAO,CAAC;AAC7C,YAAI,IAAI,OAAO,IAAI,KAAK;AACtB,iBAAO,WAAW,GAAG,IAAI,WAAW,CAAC,kBAAkB,GAAG,KAAK,GAAG;QACpE;AACA,eAAO;MACT,CAAC;IACH;;;;;AC5MA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EACE;AAAA,EAAK;AAAA,EAAY;AAAA,EAAY;AAAA,EAAgB;AAAA,EAAc;AAAA,OACtD;AAFP;AAAA;AAAA;AAAA;;;;;;;ACsBA,YAAA,mBAAAK;AAwDA,YAAA,kBAAAC;AA9EA,cAAA,kBAAA;AAGA,QAAA,wBAAA;AAOA,QAAA,QAAA;AAYA,aAAgBD,kBAAiB,KAAa;AAC5C,YAAM,aACJ,QAAQ,YAAY,sBAAA,gBAAgB,GAAG,KAAK,CAAA;AAE9C,UAAI,WAAW,WAAW,GAAG;AAC3B,cAAM,IAAI,MACR,aAAa,IAAI,IAAI,yDAAoD;MAE7E;AAEA,YAAM,YAAY,oBAAI,IAAG;AACzB,YAAM,SAA2B,WAAW,IAAI,CAAC,MAAK;AACpD,kBAAU,IAAI,EAAE,UAAU,EAAE,GAAG;AAC/B,eAAO;UACL,MAAM,EAAE;UACR,KAAK,EAAE;UACP,MAAM,EAAE,QAAQ;UAChB,UAAU,EAAE,QAAQ;UACpB,QAAQ,EAAE,QAAQ;UAClB,KAAK,EAAE,QAAQ;UACf,OAAO,EAAE,QAAQ;;MAErB,CAAC;AAED,YAAM,iBACJ,QAAQ,YAAY,sBAAA,oBAAoB,GAAG,KAAK,CAAA;AAElD,YAAM,aAAa,oBAAI,IAAG;AAC1B,iBAAW,MAAM,gBAAgB;AAC/B,cAAM,MAAM,UAAU,IAAI,GAAG,QAAQ;AACrC,YAAI,QAAQ,QAAW;AACrB,gBAAM,IAAI,MACR,mBAAmB,IAAI,IAAI,IAAI,GAAG,QAAQ,2CAA2C;QAEzF;AACA,WAAG,MAAM;AACT,mBAAW,IAAI,KAAK,GAAG,UAAU;MACnC;AAEA,aAAO,EAAE,QAAQ,WAAU;IAC7B;AAgBA,aAAgBC,iBACd,KAAa;AAEb,YAAM,aACJ,QAAQ,YAAY,sBAAA,gBAAgB,GAAG,KAAK,CAAA;AAE9C,UAAI,WAAW,WAAW,GAAG;AAC3B,cAAM,IAAI,MACR,aAAa,IAAI,IAAI,0DAAqD;MAE9E;AAEA,YAAM,SAAS,oBAAI,IAAG;AACtB,iBAAW,KAAK,YAAY;AAC1B,eAAO,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,MAAM,EAAE,QAAQ,KAAI,CAAE;MAClE;AAEA,aAAO,CAAC,cAA0C;AAChD,cAAMC,WAAS,GAAA,MAAA,YAAW,IAAI,WAAW,SAAS,CAAC;AACnD,cAAM,SAA8B,CAAA;AAEpC,mBAAW,CAAC,KAAK,GAAG,KAAKA,SAAQ;AAC/B,gBAAM,OAAO,OAAO,IAAI,GAAG;AAC3B,cAAI,CAAC;AAAM;AAEX,kBAAQ,KAAK,MAAM;YACjB,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI,IAAI,YAAW,EAAG,OAAO,GAAG;AACpD;YACF,KAAK,OAAO;AACV,kBAAI,IAAI;AACR,uBAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,oBAAK,KAAK,KAAM,OAAO,IAAI,CAAC,CAAC;cAC/B;AACA,qBAAO,KAAK,QAAQ,IAAI;AACxB;YACF;YACA,KAAK;YACL,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI;AACxB;YACF,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI,IAAI,SAAS,KAAK,IAAI,CAAC,MAAM;AACrD;YACF,KAAK;YACL,KAAK;AACH,qBAAO,KAAK,QAAQ,IAAI,KAAK,MAAM,IAAI,YAAW,EAAG,OAAO,GAAG,CAAC;AAChE;YACF;AACE,qBAAO,KAAK,QAAQ,IAAI;UAC5B;QACF;AAEA,eAAO;MACT;IACF;;;;;ACrIA;AAAA;AAAA;AAAA;AAAA,IASsB;AATtB;AAAA;AASO,IAAe,aAAf,MAA0B;AAAA,IAAC;AAAA;AAAA;;;;;;;;;;;;;;;;;ACTlC,QAAA,wBAAA;AACA,QAAA,iBAAA;AAEA,QAAaC,aAAb,cAA+B,eAAA,WAAU;;AAAzC,YAAA,YAAAA;AAGE,eAAA;OAFC,GAAA,sBAAA,UAAS,GAAG,EAAE,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAG,CAAE;OACzD,GAAA,sBAAA,WAAU,GAAG,sBAAsB;;;;;;;ACLtC,OAAO;AAyBA,SAAS,gBACd,SAC+D;AAAA,EAC/D,MAAM,mBAAoB,QAAgB;AAAA,EAAC;AAE3C,QAAM,SACJ,QAAQ,eAAe,iCAAgB,OAAO,KAAK,CAAC;AAEtD,QAAM,gBAAgC,OAAO,IAAI,CAAC,OAAO;AAAA,IACvD,UAAU,EAAE;AAAA,IACZ,KAAK,EAAE;AAAA,IACP,SAAS,EAAE,GAAG,EAAE,SAAS,UAAU,MAAM;AAAA,EAC3C,EAAE;AAEF,UAAQ,eAAe,iCAAgB,eAAe,UAAU;AAEhE,QAAM,aACJ,QAAQ,eAAe,qCAAoB,OAAO,KAAK,CAAC;AAE1D,MAAI,WAAW,SAAS,GAAG;AACzB,YAAQ,eAAe,qCAAoB,CAAC,GAAG,UAAU,GAAG,UAAU;AAAA,EACxE;AAEA,SAAO,eAAe,YAAY,QAAQ;AAAA,IACxC,OAAO,UAAU,QAAQ,IAAI;AAAA,EAC/B,CAAC;AAED,SAAO;AACT;AArDA,IAEA;AAFA;AAAA;AAEA,uBAKO;AAAA;AAAA;;;;;;;;;;;;;;;;;ACPP,QAAA,wBAAA;AACA,QAAA,iBAAA;AAQa,YAAA,kBAAkB;AAClB,YAAA,0BAA0B;AAC1B,YAAA,0BAA0B;AAC1B,YAAA,0BAA0B;AAC1B,YAAA,0BAA0B;AAWvC,QAAsBC,mBAAtB,cAA8C,eAAA,WAAU;;AAAxD,YAAA,kBAAAA;AAEE,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,iBAAiB,EAAE,MAAM,OAAM,CAAE;;;AAI3C,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,MAAK,CAAE;;;AAIlD,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,MAAK,CAAE;;;AAIlD,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,OAAM,CAAE;;;AAInD,eAAA;OADC,GAAA,sBAAA,UAAS,QAAA,yBAAyB,EAAE,MAAM,OAAM,CAAE;;;;;;;ACrCrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AA/DP,IAiEsB;AAjEtB;AAAA;AAiEO,IAAe,kBAAf,MAAe,gBAAe;AAAA,MAWnC,OAAO,UAAU,OAA2C;AAC1D,YAAI,CAAC,MAAO,QAAO;AACnB,eAAO,MAAM,MAAM,KAAK,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,YAAY;AAAA,MACnD;AAAA,MAEA,OAAO,kBAAkB,OAAgC;AACvD,cAAM,aAAa,gBAAe,UAAU,KAAK;AACjD,eACE,CAAC,CAAC,cACF,gBAAe,yBAAyB;AAAA,UACtC,CAAC,gBAAgB,gBAAgB;AAAA,QACnC;AAAA,MAEJ;AAAA,IACF;AAxBE,IADoB,gBACJ,SAAS;AACzB,IAFoB,gBAEJ,eAAe;AAC/B,IAHoB,gBAGJ,gBAAgB;AAEhC,IALoB,gBAKJ,2BAA2B;AAAA,MACzC,gBAAe;AAAA,MACf,gBAAe;AAAA,MACf,gBAAe;AAAA,IACjB;AATK,IAAe,iBAAf;AAAA;AAAA;;;ACjEP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAmBO,SAAS,wBACd,OACkC;AAClC,SAAQ,QAAkC,0BAA0B;AACtE;AAEO,SAAS,yBACd,QACA,SACG;AACH,SAAO,eAAe,QAAQ,4BAA4B;AAAA,IACxD,OAAO;AAAA,IACP,UAAU;AAAA,IACV,cAAc;AAAA,IACd,YAAY;AAAA,EACd,CAAC;AAED,SAAO;AACT;AAEO,SAAS,0BACd,MACA,UACkC;AAClC,MAAI,CAAC,QAAQ,CAAC,UAAU;AACtB,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAG;AAAA,IACH,YAAY;AAAA,MACV,GAAI,MAAM,cAAc,CAAC;AAAA,MACzB,GAAI,UAAU,cAAc,CAAC;AAAA,IAC/B;AAAA,EACF;AACF;AAvDA,IAIa;AAJb;AAAA;AAIO,IAAM,6BAA6B,uBAAO,IAAI,uBAAuB;AAAA;AAAA;;;;;;;;;;;;;;;ACJ5E,QAAA,WAAA,UAAA,gBAAA;AASO,QAAMC,oBAAgB,qBAAtB,MAAM,iBAAgB;MAAtB,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,mBAAiB,IAAI;AACzC,aAAA,SAAS,oBAAI,IAAG;AAChB,aAAA,SAAS,oBAAI,IAAG;MAuCnC;MArCE,SACE,UACA,OAA+B,CAAA,GAAE;AAEjC,cAAM,OAAO,KAAK,QAAQ,SAAS,QAAQ,SAAS,YAAY;AAChE,cAAM,eAAyC;UAC7C;UACA;UACA,MAAM,KAAK,QAAQ,CAAA;UACnB,QAAQ,KAAK;UACb,SAAS,KAAK;UACd,UAAU,KAAK;;AAGjB,aAAK,OAAO,IAAI,MAAM,YAAY;AAClC,aAAK,OAAO,IAAI,SAAS,aAAa,YAAY;AAClD,aAAK,OAAO,MAAM,wBAAwB,IAAI,EAAE;MAClD;MAEA,QAAQ,KAAoB;AAC1B,YAAI,OAAO,QAAQ,UAAU;AAC3B,iBAAO,KAAK,OAAO,IAAI,GAAG;QAC5B;AAEA,eAAO,KAAK,OAAO,IAAI,GAAG,KAAK,KAAK,OAAO,IAAI,IAAI,IAAI;MACzD;MAEA,OAAI;AACF,eAAO,MAAM,KAAK,KAAK,OAAO,OAAM,CAAE,EAAE,KAAK,CAAC,MAAM,UAClD,KAAK,KAAK,cAAc,MAAM,IAAI,CAAC;MAEvC;MAEA,QAAK;AACH,aAAK,OAAO,MAAK;AACjB,aAAK,OAAO,MAAK;MACnB;;AAzCW,YAAA,mBAAAA;+BAAAA,oBAAgB,qBAAA,WAAA;OAD5B,GAAA,SAAA,YAAU;OACEA,iBAAgB;;;;;;;;;;;;;;;;;;;;;ACT7B,QAAA,WAAA,UAAA,gBAAA;AAIA,QAAA,sBAAA;AAEA,aAAS,OAAU,QAAW;AAC5B,aAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC;IACnC;AAGO,QAAMC,6BAAyB,8BAA/B,MAAM,0BAAyB;MAGpC,YAA6B,UAA0B;AAA1B,aAAA,WAAA;AAFZ,aAAA,SAAS,IAAI,SAAA,OAAO,4BAA0B,IAAI;MAET;MAE1D,MAAM,SACJ,UACA,SAA4B;AAE5B,YAAI,CAAC,YAAY,SAAS,WAAW;AAAG;AAExC,cAAM,UAAU,oBAAI,IAAG;AAEvB,mBAAW,WAAW,UAAU;AAC9B,cACE,QAAQ,UACR,QAAQ,OAAO,SAAS,KACxB,CAAC,QAAQ,OAAO,SAAS,QAAQ,KAAK,GACtC;AACA;UACF;AAEA,qBAAW,OAAO,QAAQ,MAAM;AAC9B,kBAAM,eAAe,KAAK,SAAS,QAAQ,GAAG;AAC9C,gBAAI,CAAC,cAAc;AACjB,mBAAK,OAAO,KAAK,YAAY,OAAO,GAAG,CAAC,wBAAwB;AAChE;YACF;AAEA,gBAAI,QAAQ,IAAI,aAAa,IAAI;AAAG;AAEpC,gBACE,aAAa,UACb,aAAa,OAAO,SAAS,KAC7B,CAAC,aAAa,OAAO,SAAS,QAAQ,KAAK,GAC3C;AACA;YACF;AAEA,kBAAM,kBAAuC;cAC3C,GAAG;cACH,cAAc,OAAO;gBACnB,GAAI,aAAa,QAAQ,CAAA;gBACzB,GAAI,QAAQ,QAAQ,CAAA;gBACpB,GAAI,QAAQ,gBAAgB,CAAA;eAC7B;;AAGH,gBACE,aAAa,SAAS,YACtB,CAAC,aAAa,SAAS,SAAS,eAAe,GAC/C;AACA;YACF;AAEA,gBAAI;AACF,sBAAQ,IAAI,aAAa,IAAI;AAC7B,oBAAM,aAAa,SAAS,QAAQ,eAAe;YACrD,SAAS,OAAY;AACnB,mBAAK,OAAO,KACV,YAAY,aAAa,IAAI,kBAAkB,QAAQ,KAAK,KAAK,MAAM,OAAO,EAAE;YAEpF;UACF;QACF;MACF;;AAjEW,YAAA,4BAAAA;wCAAAA,6BAAyB,8BAAA,WAAA;OADrC,GAAA,SAAA,YAAU;2DAI8B,oBAAA,qBAAgB,eAAhB,oBAAA,sBAAgB,aAAA,KAAA,MAAA,CAAA;OAH5CA,0BAAyB;;;;;ACXtC,IAaa,sBAGA,gBAgBA,mBACA,cACA,eACA,iBAwRA,WAwDA;AAnXb;AAAA;AAaO,IAAM,uBAAuB;AAG7B,IAAM,iBAAiB;AAAA;AAAA,MAE5B,SAAS;AAAA;AAAA,MAET,UAAU;AAAA;AAAA,MAEV,SAAS;AAAA,IACX;AASO,IAAM,oBAAoB;AAC1B,IAAM,eAAe;AACrB,IAAM,gBAAgB;AACtB,IAAM,kBAAkB;AAwRxB,IAAM,YAAY;AAAA;AAAA,MAEvB,kBAAkB;AAAA,MAClB,qBAAqB;AAAA,MACrB,iBAAiB;AAAA,MACjB,uBAAuB;AAAA;AAAA,MAGvB,oBAAoB;AAAA,MACpB,sBAAsB;AAAA;AAAA,MAGtB,qBAAqB;AAAA,MACrB,iBAAiB;AAAA,MACjB,uBAAuB;AAAA,MACvB,iBAAiB;AAAA,MACjB,kBAAkB;AAAA;AAAA,MAGlB,mBAAmB;AAAA,MACnB,iBAAiB;AAAA,MACjB,oBAAoB;AAAA,MACpB,mBAAmB;AAAA;AAAA,MAGnB,iBAAiB;AAAA,MACjB,cAAc;AAAA;AAAA,MAGd,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA;AAAA,MAGnB,wBAAwB;AAAA,MACxB,wBAAwB;AAAA;AAAA,MAGxB,eAAe;AAAA,MACf,qBAAqB;AAAA;AAAA,MAGrB,mBAAmB;AAAA,MACnB,0BAA0B;AAAA,MAC1B,iBAAiB;AAAA;AAAA,MAGjB,4BAA4B;AAAA,IAC9B;AAOO,IAAM,WAAN,cAAuB,MAAM;AAAA,MAClC,YACkB,MAChB,SACgB,UAChB;AACA,cAAM,IAAI,IAAI,KAAK,OAAO,EAAE;AAJZ;AAEA;AAGhB,aAAK,OAAO;AAAA,MACd;AAAA;AAAA,MAGA,IAAI,aAAsB;AAExB,cAAM,WAA2B;AAAA,UAC/B,UAAU;AAAA,UACV,UAAU;AAAA,UACV,UAAU;AAAA,UACV,UAAU;AAAA,UACV,UAAU;AAAA,QACZ;AACA,eAAO,CAAC,SAAS,SAAS,KAAK,IAAI;AAAA,MACrC;AAAA;AAAA,MAGA,gBAAyD;AACvD,YAAI,KAAK,YAAY;AACnB,iBAAO,EAAE,MAAM,KAAK,MAAM,SAAS,KAAK,QAAQ;AAAA,QAClD;AACA,eAAO;AAAA,UACL,MAAM,UAAU;AAAA,UAChB,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACpZA,SAAS,YAAY,kBAAkB;AAavC,SAAS,YAAY;AACrB,SAAS,cAAc;AAuBvB,SAAS,UACP,WACA,cACA,cACY;AACZ,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,OAAO,QAAQ;AAAA,IACnB,YAAY,MAAM,eAAe,MAAM;AAAA,EACzC;AACA,SAAO,OAAO,IAAI;AACpB;AAQA,SAAS,UACP,eACA,SACA,YACY;AACZ,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,OAAO,QAAQ,QAAQ;AAAA,IACvB,OAAO,QAAQ,MAAM;AAAA,IACrB,QAAQ,eAAe;AAAA,IACvB,QAAQ;AAAA,EACV;AACA,MAAI,YAAY;AACd,UAAM,KAAK,UAAU;AAAA,EACvB;AACA,SAAO,QAAQ,OAAO,MAAM,KAAK,GAAG,CAAC;AACvC;AAYO,SAAS,0BACd,OACY;AACZ,QAAM,MAAM,WAAW,MAAM,eAAe;AAC5C,QAAM,OAAO;AAAA,IACX,MAAM,QAAQ;AAAA,IACd,MAAM,QAAQ;AAAA,IACd,MAAM;AAAA,EACR;AACA,QAAM,OAAO,UAAU,eAAe,SAAS,MAAM,OAAO;AAE5D,SAAO,KAAK,QAAQ,KAAK,MAAM,MAAM,iBAAiB;AACxD;AAOO,SAAS,2BACd,OACY;AACZ,QAAM,MAAM,WAAW,MAAM,eAAe;AAG5C,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,WAAW,QAAQ;AAAA,IACvB,MAAM,QAAQ,aACZ,MACA,MAAM,QAAQ,gBACd,MACA,MAAM,eACN,MACA,MAAM;AAAA,EACV;AACA,QAAM,OAAO,OAAO,QAAQ;AAE5B,QAAM,OAAO;AAAA,IACX,eAAe;AAAA,IACf,MAAM;AAAA,IACN,MAAM;AAAA,EACR;AAEA,SAAO,KAAK,QAAQ,KAAK,MAAM,MAAM,iBAAiB;AACxD;AAMO,SAAS,iBAAiB,OAAuC;AACtE,QAAM,MAAM,WAAW,MAAM,eAAe;AAC5C,QAAM,OAAO;AAAA,IACX,MAAM,QAAQ;AAAA,IACd,MAAM,QAAQ;AAAA,IACd,MAAM;AAAA,EACR;AACA,QAAM,OAAO,UAAU,eAAe,SAAS,MAAM,OAAO;AAE5D,SAAO,KAAK,QAAQ,KAAK,MAAM,MAAM,iBAAiB;AACxD;AAMO,SAAS,sBACd,OACA,WACqB;AACrB,QAAM,eAAe,0BAA0B,KAAK;AACpD,QAAM,UAAU,WAAW,OAAO,YAAY,CAAC;AAG/C,eAAa,KAAK,CAAC;AAEnB,SAAO;AAAA,IACL,oBAAoB;AAAA,IACpB,YAAY;AAAA,IACZ,YAAY,MAAM,QAAQ;AAAA,IAC1B,KAAK,MAAM,QAAQ;AAAA,IACnB,KAAK,MAAM,QAAQ;AAAA,IACnB,QAAQ,MAAM,QAAQ;AAAA,IACtB,KAAK,MAAM,QAAQ;AAAA,IACnB,UAAU,MAAM,QAAQ;AAAA,IACxB,QAAQ,MAAM,QAAQ;AAAA,IACtB,aAAa,MAAM,QAAQ;AAAA,IAC3B,YAAY,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAAA,IACxC,OAAO;AAAA,EACT;AACF;AAKO,SAAS,mBAA2B;AACzC,QAAMC,SAAQ,IAAI,WAAW,eAAe;AAC5C,SAAO,gBAAgBA,MAAK;AAC5B,SAAO,WAAWA,MAAK;AACzB;AA3LA;AAAA;AAgBA;AAAA;AAAA;;;AChBA,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,UAAAC,eAAc;AASvB,SAAS,gBAAgB,kBAAkB,mBAAmB;AAWvD,SAAS,cACd,KACA,WACA,KAC6D;AAC7D,MAAI,IAAI,WAAW,mBAAmB;AACpC,UAAM,IAAI,MAAM,mBAAmB,iBAAiB,QAAQ;AAAA,EAC9D;AAEA,QAAM,KAAK,YAAY,YAAY;AACnC,QAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AAEpD,MAAI,KAAK;AACP,WAAO,OAAO,GAAG;AAAA,EACnB;AAEA,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,SAAS,GAAG,OAAO,MAAM,CAAC,CAAC;AAC1E,QAAM,MAAM,OAAO,WAAW;AAE9B,SAAO;AAAA,IACL,IAAI,IAAI,WAAW,EAAE;AAAA,IACrB,YAAY,IAAI,WAAW,SAAS;AAAA,IACpC,KAAK,IAAI,WAAW,GAAG;AAAA,EACzB;AACF;AAMO,SAAS,cACd,KACA,IACA,YACA,KACA,KACmB;AACnB,MAAI,IAAI,WAAW,mBAAmB;AACpC,UAAM,IAAI,MAAM,mBAAmB,iBAAiB,QAAQ;AAAA,EAC9D;AACA,MAAI,GAAG,WAAW,cAAc;AAC9B,UAAM,IAAI,MAAM,cAAc,YAAY,QAAQ;AAAA,EACpD;AACA,MAAI,IAAI,WAAW,eAAe;AAChC,UAAM,IAAI,MAAM,eAAe,aAAa,QAAQ;AAAA,EACtD;AAEA,MAAI;AACF,UAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AAEvB,QAAI,KAAK;AACP,eAAS,OAAO,GAAG;AAAA,IACrB;AAEA,UAAM,YAAY,OAAO,OAAO;AAAA,MAC9B,SAAS,OAAO,UAAU;AAAA,MAC1B,SAAS,MAAM;AAAA,IACjB,CAAC;AACD,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,QAAQ;AAEN,WAAO;AAAA,EACT;AACF;AAKO,SAAS,iBAA6B;AAC3C,SAAO,IAAI,WAAW,YAAY,iBAAiB,CAAC;AACtD;AAKO,SAAS,aAAyB;AACvC,SAAO,IAAI,WAAW,YAAY,YAAY,CAAC;AACjD;AAMO,SAAS,gBAAgBC,QAA2B;AACzD,SAAO,OAAO,KAAKA,MAAK,EACrB,SAAS,QAAQ,EACjB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACtB;AAEO,SAAS,gBAAgB,OAA2B;AACzD,QAAM,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACzD,QAAM,UAAU,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AACxD,SAAO,IAAI,WAAW,OAAO,KAAK,SAAS,SAAS,QAAQ,CAAC;AAC/D;AASO,SAAS,YAAY,SAA6B;AACvD,SAAOF,YAAWC,QAAO,OAAO,CAAC;AACnC;AAhIA,IA2Ia;AA3Ib;AAAA;AAYA;AA+HO,IAAM,qBAAwC;AAAA,MACnD,MAAM,QACJ,KACA,IACA,YACA,KACA,KAC4B;AAC5B,eAAO,cAAc,KAAK,IAAI,YAAY,KAAK,GAAG;AAAA,MACpD;AAAA,IACF;AAAA;AAAA;;;ACrJA,SAAS,cAAAE,mBAAkB;AAY3B,SAAS,eAAAC,oBAAmB;AA4C5B,eAAsB,iBACpB,SACA,oBACA,YACyE;AACzE,QAAM,EAAE,SAAS,SAAS,QAAQ,MAAM,oBAAoB,WAAW,IACrE;AAGF,QAAM,gBAAgBD;AAAA,IACpB,IAAI,WAAWC,aAAY,eAAe,CAAC;AAAA,EAC7C;AAGA,QAAM,aAAa,mBAAmB;AAGtC,QAAM,SAAS,eAAe;AAG9B,QAAM,MAAM;AAAA,IACV,QAAQ;AAAA,IACR;AAAA,IACA,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR;AAAA,EACF;AAGA,QAAM,EAAE,IAAI,YAAY,IAAI,IAAI,cAAc,QAAQ,MAAM,GAAG;AAG/D,QAAM,eAAe,MAAM,mBAAmB;AAAA,IAC5C;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,EACF;AAGA,SAAO,KAAK,CAAC;AAEb,QAAM,mBAAwC;AAAA,IAC5C,KAAK;AAAA,IACL,IAAI,gBAAgB,EAAE;AAAA,IACtB,YAAY,gBAAgB,UAAU;AAAA,IACtC,KAAK,gBAAgB,GAAG;AAAA,EAC1B;AAEA,QAAM,aAAqC;AAAA,IACzC,KAAK,aAAa;AAAA,IAClB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EACP;AAGA,QAAM,mBAA0D;AAAA,IAC9D,KAAK;AAAA,IACL,aAAa;AAAA,IACb,YAAY,QAAQ;AAAA,IACpB,gBAAgB,QAAQ;AAAA,IACxB,YAAY,QAAQ;AAAA,IACpB,eAAe;AAAA,IACf,mBAAmB;AAAA,IACnB,gBAAgB;AAAA,IAChB;AAAA,IACA;AAAA,IACA,GAAI,aAAa,EAAE,aAAa,WAAW,IAAI,CAAC;AAAA,EAClD;AAGA,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,aAAa,gBAAgB,CAAC;AAC3E,QAAM,UAAU,MAAM,WAAW,KAAK,WAAW;AAEjD,QAAM,WAAgC;AAAA,IACpC,GAAG;AAAA,IACH,UAAU;AAAA,EACZ;AAEA,SAAO;AAAA,IACL;AAAA,IACA,qBAAqB,YAAY,IAAI;AAAA,EACvC;AACF;AAMO,SAAS,sBACd,WACA,eACA,QACA,WACA,SAOA;AACA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,YAAY;AAAA,IACZ,gBAAgB;AAAA,IAChB;AAAA,IACA,OAAO,EAAE,MAAM,WAAW,QAAQ;AAAA,EACpC;AACF;AAMA,SAAS,qBAA6B;AACpC,QAAMC,SAAQD,aAAY,EAAE;AAC5B,SAAO,UAAUD,YAAW,IAAI,WAAWE,MAAK,CAAC,EAAE,MAAM,GAAG,EAAE;AAChE;AAEA,SAAS,iBACP,WACA,YACA,eACA,WACA,eACY;AACZ,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO,IAAI,YAAY,EAAE,OAAO,MAAM,KAAK,GAAG,CAAC;AACjD;AAEA,SAAS,aAAa,KAAsB;AAC1C,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,MAAM,IAAI,IAAI,YAAY,EAAE,KAAK,GAAG,IAAI;AAAA,EACjD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAS,OAAO,KAAK,GAAa,EACrC,KAAK,EACL;AAAA,MACC,CAAC,MACC,KAAK,UAAU,CAAC,IAChB,MACA,aAAc,IAAgC,CAAC,CAAC;AAAA,IACpD;AACF,WAAO,MAAM,OAAO,KAAK,GAAG,IAAI;AAAA,EAClC;AACA,SAAO,KAAK,UAAU,GAAG;AAC3B;AAjNA;AAAA;AAcA;AACA;AAAA;AAAA;;;ACfA,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,QAAAC,aAAY;AACrB,SAAS,UAAAC,eAAc;AA2DhB,SAAS,mBACd,UACA,SACA,cACA,WAKA,SAMkB;AAElB,QAAM,YAAY,kBAAkB,SAAS,YAAY,QAAQ,UAAU;AAG3E,QAAM,uBAAuB;AAAA,IAC3B,QAAQ;AAAA,IACR;AAAA,IACA,SAAS;AAAA,EACX;AAEA,SAAO;AAAA,IACL,YAAY;AAAA,IACZ,YAAY,SAAS;AAAA,IACrB,YAAY,QAAQ;AAAA,IACpB,KAAK,QAAQ;AAAA,IACb,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB,QAAQ,QAAQ;AAAA,IAChB,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAAA,IACvC,cAAc;AAAA,MACZ,YAAY,aAAa;AAAA,MACzB,aAAa,aAAa;AAAA,MAC1B,WAAW,aAAa;AAAA,MACxB,gBAAgB,aAAa;AAAA,MAC7B,cAAc,aAAa;AAAA,MAC3B,cAAc,aAAa;AAAA,MAC3B,cAAc,aAAa;AAAA,MAC3B,eAAe,aAAa;AAAA,IAC9B;AAAA,IACA,WAAW;AAAA,MACT,QAAQ,UAAU;AAAA,MAClB,qBAAqB,UAAU;AAAA,MAC/B,GAAI,UAAU,SAAS,EAAE,QAAQ,UAAU,OAAO,IAAI,CAAC;AAAA,IACzD;AAAA,IACA,oBAAoB,QAAQ;AAAA,IAC5B,wBAAwB;AAAA,IACxB,GAAI,QAAQ,iBACR,EAAE,sBAAsB,YAAY,QAAQ,cAAc,EAAE,IAC5D,CAAC;AAAA,IACL,GAAI,QAAQ,kBACR,EAAE,uBAAuB,YAAY,QAAQ,eAAe,EAAE,IAC9D,CAAC;AAAA,EACP;AACF;AAKO,SAAS,yBACd,UACsB;AACtB,SAAO;AAAA,IACL,mBAAmB,SAAS,yBAAyB;AAAA,IACrD,oBAAoB,SAAS,uBAAuB;AAAA,IACpD,UAAU,SAAS,gBAAgB;AAAA,IACnC,eAAe,SAAS,uBAAuB;AAAA,IAC/C,aAAa,SAAS,uBAAuB;AAAA,IAC7C,aAAa,SAAS,mBAAmB;AAAA,IACzC,aAAa,SAAS,mBAAmB;AAAA,IACzC,cAAc,SAAS,oBAAoB;AAAA,EAC7C;AACF;AAMA,SAAS,kBAAkB,WAAmB,WAA2B;AACvE,QAAM,QAAQ,WAAW,SAAS,IAAI,SAAS,IAAI,KAAK,IAAI,CAAC;AAC7D,QAAM,OAAOA,QAAO,IAAI,YAAY,EAAE,OAAO,KAAK,CAAC;AACnD,SAAO,SAASF,YAAW,IAAI,EAAE,MAAM,GAAG,EAAE;AAC9C;AAEA,SAAS,4BACP,iBACA,SACA,cACQ;AACR,QAAM,UAAU,IAAI,YAAY;AAGhC,QAAM,MAAMG,YAAW,eAAe;AACtC,QAAM,OAAOD;AAAA,IACX,QAAQ;AAAA,MACN,QAAQ,aAAa,MAAM,QAAQ,gBAAgB,MAAM;AAAA,IAC3D;AAAA,EACF;AACA,QAAM,OAAO,QAAQ;AAAA,IACnB;AAAA,MACE,eAAe;AAAA,MACf,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,OAAO,QAAQ,QAAQ;AAAA,MACvB,OAAO,QAAQ,MAAM;AAAA,MACrB,QAAQ,eAAe;AAAA,MACvB,QAAQ;AAAA,IACV,EAAE,KAAK,GAAG;AAAA,EACZ;AAEA,QAAM,aAAaD,MAAKC,SAAQ,KAAK,MAAM,MAAM,EAAE;AACnD,QAAM,OAAOF,YAAWE,QAAO,UAAU,CAAC;AAG1C,aAAW,KAAK,CAAC;AAEjB,SAAO;AACT;AAEA,SAASC,YAAW,KAAyB;AAC3C,QAAMC,SAAQ,IAAI,WAAW,IAAI,SAAS,CAAC;AAC3C,WAAS,IAAI,GAAG,IAAIA,OAAM,QAAQ,KAAK;AACrC,IAAAA,OAAM,CAAC,IAAI,SAAS,IAAI,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE;AAAA,EACrD;AACA,SAAOA;AACT;AAlMA,IA4Ba;AA5Bb;AAAA;AAeA;AACA;AAYO,IAAM,0BAAN,MAAyD;AAAA,MAAzD;AACL,aAAS,UAA8B,CAAC;AAAA;AAAA,MAExC,MAAM,OAAO,SAA0C;AACrD,aAAK,QAAQ,KAAK,OAAO;AAAA,MAC3B;AAAA,MAEA,eAAe,WAAiD;AAC9D,eAAO,KAAK,QAAQ,KAAK,CAAC,MAAM,EAAE,eAAe,SAAS;AAAA,MAC5D;AAAA,MAEA,eAAe,WAAuC;AACpD,eAAO,KAAK,QAAQ,OAAO,CAAC,MAAM,EAAE,eAAe,SAAS;AAAA,MAC9D;AAAA,IACF;AAAA;AAAA;;;AC1CA;AAAA;AAAA;AAAA;AAAA;AAAA;AAyMO,SAAS,wBACd,gBACwB;AAExB,MAAI,YAAY,gBAAgB;AAE9B,YAAQ,eAAe,QAAQ;AAAA,MAC7B,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,eAAe,MAAM,eAAe,MAAM,EAAE;AAAA,YACpD;AAAA,UACF;AAAA,UACA,MAAM,eAAe;AAAA,UACrB,cAAc,eAAe;AAAA,QAC/B;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC,YAAY;AAAA,UACtB,cAAc,eAAe;AAAA,UAC7B,MAAM,eAAe;AAAA,QACvB;AAAA,MACF,KAAK;AACH,eAAO;AAAA,UACL,OAAO;AAAA,UACP,WAAW,eAAe;AAAA,UAC1B,SAAS,eAAe;AAAA,UACxB,MAAM,eAAe;AAAA,QACvB;AAAA,IACJ;AAAA,EACF;AAGA,SAAO;AAAA,IACL,OAAO,eAAe;AAAA,IACtB,WAAW,eAAe;AAAA,IAC1B,SAAS,eAAe;AAAA,IACxB,MAAM,eAAe;AAAA,IACrB,MAAM,eAAe;AAAA,IACrB,SAAS,eAAe;AAAA,IACxB,cAAc,eAAe;AAAA,EAC/B;AACF;AA7PA,IAqIY,UA6HC;AAlQb;AAAA;AAqIO,IAAK,WAAL,kBAAKC,cAAL;AACL,MAAAA,UAAA,WAAQ;AACR,MAAAA,UAAA,UAAO;AACP,MAAAA,UAAA,cAAW;AACX,MAAAA,UAAA,UAAO;AAJG,aAAAA;AAAA,OAAA;AA6HL,IAAM,kBAAkB;AAAA,MAC7B,MAAM,MAAY,MAA4C;AAC5D,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MAEA,KAAK,MAAc,QAAiB,MAA4B;AAC9D,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,SAAS,CAAC,MAAM,MAAM,EAAE,OAAO,OAAO;AAAA,UACtC;AAAA,QACF;AAAA,MACF;AAAA,MAEA,SAAS,cAAsB,MAA4B;AACzD,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA,MAAM;AAAA,UACN,SAAS,CAAC,YAAY;AAAA,UACtB;AAAA,QACF;AAAA,MACF;AAAA,MAEA,KAAK,YAAoB,SAAmB,MAA4B;AACtE,eAAO;AAAA,UACL,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC/SA;AAAA;AAAA;AAAA;AA8GA,eAAsB,mBACpB,UACA,QAC4B;AAC5B,QAAM,YAAY,KAAK,IAAI;AAG3B,MAAI,SAAS,QAAQ,sBAAsB;AACzC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS,wBAAwB,SAAS,GAAG;AAAA,MAC/C;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,cAA2B;AAAA,IAC/B,QAAQ,SAAS,QAAQ;AAAA,IACzB,UAAU;AAAA,MACR,KAAK;AAAA,MACL,aAAa;AAAA,MACb,aAAa;AAAA,IACf;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,OAAO,OAAO,EAAE;AAAA,IACxC,CAAC,GAAG,OAAO,EAAE,SAAS,QAAQ,EAAE,SAAS;AAAA,EAC3C;AAEA,aAAW,UAAU,eAAe;AAClC,QAAI,OAAO,YAAY,CAAC,OAAO,SAAS,WAAW,GAAG;AACpD;AAAA,IACF;AAEA,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,OAAO,IAAI,WAAW;AAAA,IACzC,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO;AAAA,UACL,MAAM,UAAU;AAAA,UAChB,SAAS,UAAU,OAAO,IAAI;AAAA,QAChC;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,IACF;AAEA,UAAM,aAAa,wBAAwB,QAAQ;AACnD,QAAI,CAAC,WAAW,OAAO;AACrB,YAAM,OACJ,WAAW,QAAQ,CAAC,GAAG,MAAM,GAAG,EAAE,CAAC,KAAK,UAAU;AACpD,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO,EAAE,MAAM,SAAS,WAAW,QAAQ,KAAK,IAAI,EAAE;AAAA,QACtD,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,UAAU,YAAY,UAAU;AACtC,QAAM,mBAAmB,YAAY,UACjC;AACJ,QAAM,YAAY,YAAY,UAAU;AAIxC,MAAI,CAAC,WAAW,CAAC,oBAAoB,CAAC,WAAW;AAC/C,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,kBAAsC;AAAA,IAC1C,iBAAiB,OAAO;AAAA,IACxB;AAAA,IACA,cAAc,SAAS;AAAA,EACzB;AACA,QAAM,mBAAmB;AAAA,IACvB;AAAA,IACA,SAAS;AAAA,EACX;AAEA,MAAI,OAAO,iBAAiB;AAC1B,QAAI;AACF,YAAM,iBAAiB,MAAM,OAAO,gBAAgB,SAAS;AAAA,QAC3D;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,oBAAoB,UAAU;AAAA,MAChC,CAAC;AACD,UAAI,CAAC,eAAe,OAAO;AACzB,cAAMC,gBAAe,yBAAyB,YAAY,YAAY,CAAC,CAAC;AACxE,cAAMC,WAAU;AAAA,UACd;AAAA,UACA;AAAA,UACAD;AAAA,UACA;AAAA,YACE,QAAQ;AAAA,YACR,mBAAmB;AAAA,YACnB,QAAQ;AAAA,UACV;AAAA,UACA;AAAA,YACE,iBAAiB,OAAO;AAAA,YACxB,gBAAgB;AAAA,YAChB,mBAAmB;AAAA,UACrB;AAAA,QACF;AACA,cAAM,OAAO,aAAa,OAAOC,QAAO;AAExC,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO;AAAA,YACL,MAAM,eAAe,QAAQ,UAAU;AAAA,YACvC,SACE,eAAe,WAAW;AAAA,UAC9B;AAAA,UACA,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO;AAAA,UACL,MAAM,UAAU;AAAA,UAChB,SAAS;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,UAAU,OAAO,SAAS,IAAI,QAAQ,MAAM;AAClD,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS,0BAA0B,QAAQ,MAAM;AAAA,MACnD;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,iBAAoC;AAAA,IACxC;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAoB,UAAU;AAAA,IAC9B,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,EACf;AAEA,MAAI;AACJ,QAAM,eAAe,KAAK,IAAI;AAC9B,MAAI;AACF,aAAS,MAAM,QAAQ,kBAAkB,cAAc;AAAA,EACzD,SAAS,KAAK;AACZ,UAAMC,mBAAkB,KAAK,IAAI,IAAI;AAGrC,UAAMF,gBAAe,yBAAyB,YAAY,YAAY,CAAC,CAAC;AACxE,UAAMC,WAAU;AAAA,MACd;AAAA,MACA;AAAA,MACAD;AAAA,MACA,EAAE,QAAQ,UAAU,mBAAmBE,iBAAgB;AAAA,MACvD;AAAA,QACE,iBAAiB,OAAO;AAAA,QACxB,gBAAgB;AAAA,QAChB,mBAAmB;AAAA,MACrB;AAAA,IACF;AACA,UAAM,OAAO,aAAa,OAAOD,QAAO;AAExC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AACA,QAAM,kBAAkB,KAAK,IAAI,IAAI;AAGrC,MAAI;AACJ,MAAI;AAEJ,MAAI;AACF,UAAM,iBAAiB,MAAM;AAAA,MAC3B;AAAA,QACE,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,OAAO;AAAA,QACf,MAAM,OAAO;AAAA,QACb,oBAAoB,UAAU;AAAA,MAChC;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,uBAAmB,eAAe;AAClC,0BAAsB,eAAe;AAAA,EACvC,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM,UAAU;AAAA,QAChB,SAAS;AAAA,MACX;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,QAAM,eAAe,yBAAyB,YAAY,YAAY,CAAC,CAAC;AACxE,QAAM,UAAU;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE,QAAQ,OAAO;AAAA,MACf,mBAAmB;AAAA,MACnB,QAAQ,OAAO;AAAA,IACjB;AAAA,IACA;AAAA,MACE,iBAAiB,OAAO;AAAA,MACxB,gBAAgB;AAAA,MAChB,iBAAiB,OAAO;AAAA,MACxB,mBAAmB;AAAA,IACrB;AAAA,EACF;AACA,QAAM,OAAO,aAAa,OAAO,OAAO;AAExC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,UAAU;AAAA,IACV,WAAW,QAAQ;AAAA,EACrB;AACF;AA5WA;AAAA;AAAA;AACA;AACA;AAEA;AAqBA;AAAA;AAAA;;;ACzBA;AAAA;AAAA;AAAA;AAAA,IAAa;AAAb;AAAA;AAAO,IAAM,YAAN,cAAwB,MAAM;AAAA,MACnC,YACS,MACP,SACO,aAAqB,KACrB,SACP;AACA,cAAM,OAAO;AALN;AAEA;AACA;AAGP,aAAK,OAAO;AAAA,MACd;AAAA,IACF;AAAA;AAAA;;;ACKO,SAAS,SAAS,QAAkB,UAA2B;AACpE,MAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,OAAO,WAAW,GAAG;AACjD,WAAO;AAAA,EACT;AAGA,MAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,WAAO;AAAA,EACT;AAGA,QAAM,CAAC,UAAU,EAAE,IAAI,SAAS,MAAM,GAAG;AACzC,MAAI,YAAY,IAAI;AAClB,UAAM,WAAW,GAAG,QAAQ;AAC5B,QAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,WACd,OACyC;AACzC,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,SAAO,EAAE,UAAU,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,EAAE;AAC5C;AAKO,SAAS,kBACd,QACA,cACA,YACS;AACT,QAAM,WAAW,GAAG,YAAY,IAAI,UAAU;AAC9C,SAAO,SAAS,QAAQ,QAAQ;AAClC;AA1DA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAcO,SAAS,uBACd,OAC4B;AAC5B,MAAI,CAAC,SAAS,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAAG;AAC/D,WAAO;AAAA,EACT;AAEA,QAAM,MAAM;AACZ,QAAM,SAAS,oBAAoB,IAAI,UAAU,IAAI,KAAK;AAE1D,SAAO;AAAA,IACL,IAAI,gBAAgB,IAAI,EAAE;AAAA,IAC1B,SAAS,gBAAgB,IAAI,OAAO;AAAA,IACpC,SAAS,oBAAoB,IAAI,OAAO;AAAA,IACxC,UAAU,mBAAmB,IAAI,YAAY,IAAI,GAAG;AAAA,IACpD,WAAW,mBAAmB,IAAI,aAAa,IAAI,GAAG;AAAA,IACtD,OAAO,gBAAgB,IAAI,KAAK;AAAA,IAChC,MAAM,gBAAgB,IAAI,IAAI;AAAA,IAC9B;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,0BACd,SACA,QACS;AACT,MAAI,CAAC,QAAQ,WAAW,QAAQ,QAAQ,WAAW,GAAG;AACpD,WAAO;AAAA,EACT;AAEA,aAAW,WAAW,QAAQ,SAAS;AACrC,QAAI,YAAY,OAAO,YAAY,QAAQ;AACzC,aAAO;AAAA,IACT;AAEA,QAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,YAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,UAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,uBACd,SACA,cAAc,KACL;AACT,MAAI,QAAQ,cAAc,QAAW;AACnC,WAAO;AAAA,EACT;AAEA,SAAO,OAAO,KAAK,IAAI,CAAC,IAAI,QAAQ,YAAY,OAAO,WAAW;AACpE;AAEO,SAAS,oBACd,QACA,SAOU;AACV,SAAO,OAAO;AAAA,IAAI,CAAC,UACjB,MAAM,QAAQ,kBAAkB,CAAC,QAAQ,eAAuB;AAC9D,YAAM,WAAW,0BAA0B,WAAW,KAAK,GAAG,OAAO;AACrE,UAAI,aAAa,UAAa,aAAa,QAAQ,aAAa,IAAI;AAClE,cAAM,IAAI,MAAM,qCAAqC,UAAU,EAAE;AAAA,MACnE;AACA,aAAO,OAAO,QAAQ;AAAA,IACxB,CAAC;AAAA,EACH;AACF;AAEO,SAAS,6BACd,SACA,gBACA,OAAsB,OACb;AACT,MAAI,CAAC,QAAQ,UAAU,QAAQ,OAAO,WAAW,GAAG;AAClD,WAAO;AAAA,EACT;AAEA,MAAI,SAAS,OAAO;AAClB,WAAO,eAAe,KAAK,CAAC,UAAU,SAAS,QAAQ,QAAS,KAAK,CAAC;AAAA,EACxE;AAEA,SAAO,eAAe,MAAM,CAAC,UAAU,SAAS,QAAQ,QAAS,KAAK,CAAC;AACzE;AAEA,SAAS,0BACP,YACA,SAOS;AACT,MAAI,eAAe,UAAU;AAC3B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,eAAe,WAAW;AAC5B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,eAAe,WAAW;AAC5B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,eAAe,UAAU;AAC3B,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,WAAW,WAAW,OAAO,GAAG;AAClC,WAAO,eAAe,QAAQ,MAAM,WAAW,MAAM,CAAC,CAAC;AAAA,EACzD;AAEA,SAAO;AACT;AAEA,SAAS,eAAe,OAAgBE,OAAuB;AAC7D,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AAEA,SAAOA,MAAK,MAAM,GAAG,EAAE,OAAgB,CAAC,SAAS,YAAY;AAC3D,QAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,aAAO;AAAA,IACT;AACA,WAAQ,QAAoC,OAAO;AAAA,EACrD,GAAG,KAAK;AACV;AAEA,SAAS,gBAAgB,OAAoC;AAC3D,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,OAAO,KAAK,KAAK,EAAE,SAAS,KAAK;AAAA,EAC1C;AAEA,SAAO;AACT;AAEA,SAAS,oBAAoB,OAAsC;AACjE,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,EACT;AAEA,QAAM,OAAO,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK;AAClD,QAAM,aAAa,KAChB,IAAI,CAAC,UAAW,OAAO,UAAU,WAAW,QAAQ,MAAU,EAC9D,OAAO,CAAC,UAA2B,CAAC,CAAC,SAAS,MAAM,KAAK,EAAE,SAAS,CAAC;AAExE,SAAO,WAAW,SAAS,IAAI,MAAM,KAAK,IAAI,IAAI,UAAU,CAAC,IAAI;AACnE;AAEA,SAAS,mBAAmB,OAAoC;AAC9D,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,GAAG;AACvD,WAAO,OAAO,KAAK,MAAM,KAAK,CAAC;AAAA,EACjC;AAEA,MAAI,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,GAAG;AACxD,QAAI;AACF,aAAO,OAAO,KAAK;AAAA,IACrB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAtMA;AAAA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,gBAAA;AA2BO,QAAMC,kBAAc,mBAApB,MAAM,eAAc;MAMzB,YAA6B,eAA4B;AAA5B,aAAA,gBAAA;AALrB,aAAA,UAAwB,CAAA;AACxB,aAAA,gBAAgB,oBAAI,IAAG;AACvB,aAAA,gBAAgB,oBAAI,IAAG;AACd,aAAA,SAAS,IAAI,SAAA,OAAO,iBAAe,IAAI;MAEI;MAc5D,SAAS,QAAkB;AAEzB,YAAI,CAAC,OAAO,MAAM;AAChB,gBAAM,IAAI,MAAM,6BAA6B;QAC/C;AAGA,cAAM,oBAAoB,KAAK,cAAc,IAAY,iBAAiB;AAC1E,cAAM,qBACJ,KAAK,cAAc,IAAY,kBAAkB;AAEnD,cAAM,iBAAiB,oBACnB,kBAAkB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAI,CAAE,IAChD;AACJ,cAAM,kBAAkB,qBACpB,mBAAmB,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAI,CAAE,IACjD,CAAA;AAEJ,YAAI,kBAAkB,CAAC,eAAe,SAAS,OAAO,IAAI,GAAG;AAC3D,eAAK,OAAO,IAAI,sDAAsD,OAAO,IAAI,EAAE;AACnF;QACF;AAEA,YAAI,gBAAgB,SAAS,OAAO,IAAI,GAAG;AACzC,eAAK,OAAO,IAAI,mDAAmD,OAAO,IAAI,EAAE;AAChF;QACF;AAEA,YAAI,OAAO,UAAU,QAAW;AAC9B,gBAAM,IAAI,MAAM,eAAe,OAAO,IAAI,4BAA4B;QACxE;AAGA,cAAM,oBAAoB,KAAK,kBAAkB,MAAM;AACvD,cAAM,qBAAqB,KAAK,mBAAmB,MAAM;AAEzD,YAAI,qBAAqB,OAAO,SAAS,IAAI;AAC3C,eAAK,OAAO,KACV,eAAe,OAAO,IAAI,2CAA2C,OAAO,KAAK,mBAAmB;QAExG;AACA,YAAI,sBAAsB,OAAO,QAAQ,IAAI;AAC3C,eAAK,OAAO,KACV,eAAe,OAAO,IAAI,4CAA4C,OAAO,KAAK,oBAAoB;QAE1G;AAEA,aAAK,QAAQ,KAAK,MAAM;AACxB,aAAK,YAAY,MAAM;AACvB,cAAM,aACJ,OAAO,OAAO,UAAU,WACpB,OAAO,QACP,OAAO,OAAO,SAAS;AAC7B,aAAK,OAAO,MACV,sBAAsB,OAAO,IAAI,YAAY,OAAO,KAAK,YAAY,UAAU,GAAG;MAEtF;MAOA,OAAI;AACF,eAAO,CAAC,GAAG,KAAK,OAAO,EAAE,KACvB,CAAC,GAAG,OAAO,EAAE,SAAS,QAAQ,EAAE,SAAS,IAAI;MAEjD;MAKA,QAAQ,KAAwB;AAC9B,YAAI,OAAO,QAAQ,UAAU;AAC3B,iBAAO,KAAK,cAAc,IAAI,GAAG;QACnC;AAEA,eAAO,KAAK,cAAc,IAAI,GAAG,KAAK,KAAK,cAAc,IAAI,IAAI,IAAI;MACvE;MAKA,UAAU,MAAY;AACpB,eAAO,KAAK,cAAc,IAAI,IAAI;MACpC;MAQA,sBAAmB;AACjB,eAAO,KAAK,KAAI,EAAG,OAAO,CAAC,OAA2B,EAAE,SAAS,OAAO,EAAE;MAC5E;MAQA,uBAAoB;AAClB,eAAO,KAAK,KAAI,EAAG,OACjB,CAAC,OAA4B,EAAE,SAAS,QAAQ,EAAE;MAEtD;MASQ,kBAAkB,QAAkB;AAC1C,cAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,eAAO,UAAU,iBAAiB,OAAO,SAAS,OAAO;MAC3D;MASQ,mBAAmB,QAAkB;AAC3C,cAAM,QACJ,OAAO,OAAO,UAAU,WAAW,OAAO,QAAQ,OAAO,OAAO;AAClE,eAAO,UAAU,kBAAkB,OAAO,SAAS,QAAQ;MAC7D;MAQA,wBAAqB;AACnB,eAAO;UACL,gBAAgB,KAAK,oBAAmB,EAAG;UAC3C,iBAAiB,KAAK,qBAAoB,EAAG;;MAEjD;MAQA,QAAK;AACH,aAAK,UAAU,CAAA;AACf,aAAK,cAAc,MAAK;AACxB,aAAK,cAAc,MAAK;MAC1B;MAEQ,YAAY,QAAkB;AACpC,aAAK,cAAc,IAAI,OAAO,MAAM,MAAM;AAE1C,cAAM,aAAa,OAAO;AAC1B,YAAI,CAAC;AAAY;AAEjB,aAAK,cAAc,IAAI,YAAY,MAAM;AAGzC,YAAI,CAAC,KAAK,cAAc,IAAI,WAAW,IAAI,GAAG;AAC5C,eAAK,cAAc,IAAI,WAAW,MAAM,MAAM;QAChD;MACF;;AAhMW,YAAA,iBAAAA;6BAAAA,kBAAc,mBAAA,WAAA;OAD1B,GAAA,SAAA,YAAU;2DAOmC,SAAA,kBAAa,eAAb,SAAA,mBAAa,aAAA,KAAA,MAAA,CAAA;OAN9CA,eAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC5B3B,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AACA,QAAA,kBAAA,UAAA,4BAAA;AAKA,QAAA,iBAAA;AAQA,QAAA,eAAA;AACA,QAAA,cAAA;AAQA,QAAA,6BAAA;AAMA,QAAA,oBAAA;AACA,QAAA,oBAAA;AAIA,QAAA,8BAAA;AACA,QAAA,sBAAA;AACA,QAAA,0BAAA;AACA,QAAA,4BAAA;AAUA,QAAA,6BAAA;AACA,QAAA,qBAAA;AAQA,QAAA,uBAAA;AAMA,QAAA,mBAAA;AAOA,QAAA,gBAAA;AAKA,QAAA,oBAAA;AAOA,QAAA,2BAAA;AAKA,QAAA,gCAAA;AAEA,aAAS,eAAe,KAAoB;AAC1C,aAAO,OAAO,QAAQ,WAAW,MAAM,IAAI;IAC7C;AAEA,aAAS,aAAa,KAAwB;AAC5C,aAAO,OAAO,QAAQ,WAAW,MAAM,IAAI;IAC7C;AAEA,aAAS,yBACJ,cAAsD;AAEzD,YAAM,SAAS,oBAAI,IAAG;AAEtB,iBAAW,SAAS,cAAc;AAChC,YAAI,CAAC,MAAM,QAAQ,KAAK;AAAG;AAE3B,mBAAW,OAAO,OAAO;AACvB,gBAAM,MAAM,aAAa,GAAG;AAC5B,gBAAM,WAAW,OAAO,IAAI,GAAG;AAE/B,cAAI,CAAC,YAAa,OAAO,aAAa,YAAY,OAAO,QAAQ,UAAW;AAC1E,mBAAO,IAAI,KAAK,GAAG;UACrB;QACF;MACF;AAEA,aAAO,MAAM,KAAK,OAAO,OAAM,CAAE;IACnC;AAEA,aAAS,qBAAqB,OAAc;AAC1C,aACE,CAAC,CAAC,SACF,OAAQ,MAAqB,SAAS,YACtC,OAAQ,MAAqB,QAAQ;IAEzC;AAEA,aAAS,sBACP,UAA+B;AAE/B,YAAM,SAAS,oBAAI,IAAG;AAEtB,iBAAW,WAAW,UAAU;AAC9B,mBAAW,OAAO,QAAQ,MAAM;AAC9B,gBAAM,MAAM,eAAe,GAAG;AAC9B,gBAAM,WAAW,OAAO,IAAI,GAAG;AAC/B,cAAI,CAAC,UAAU;AACb,mBAAO,IAAI,KAAK;cACd,MAAM,CAAC,GAAG;cACV,MAAM,QAAQ,OAAO,CAAC,GAAG,IAAI,IAAI,QAAQ,IAAI,CAAC,IAAI;cAClD,QAAQ,QAAQ,SAAS,CAAC,GAAG,IAAI,IAAI,QAAQ,MAAM,CAAC,IAAI;aACzD;AACD;UACF;AAEA,mBAAS,OAAO,MAAM,KACpB,oBAAI,IAAI,CAAC,GAAI,SAAS,QAAQ,CAAA,GAAK,GAAI,QAAQ,QAAQ,CAAA,CAAG,CAAC,CAAC;AAE9D,mBAAS,SACP,SAAS,WAAW,UAAa,QAAQ,WAAW,SAChD,SACA,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,SAAS,QAAQ,GAAG,QAAQ,MAAM,CAAC,CAAC;QACnE;MACF;AAEA,aAAO,MAAM,KAAK,OAAO,OAAM,CAAE;IACnC;AAEA,aAAS,qBACP,iBACA,cAAqC;AAErC,UAAI,iBAAiB;AACnB,eAAO;MACT;AAEA,UAAI,CAAC,cAAc;AACjB,eAAO;MACT;AAEA,UAAI,iBAAiB,MAAM;AACzB,eAAO,EAAE,SAAS,KAAI;MACxB;AAEA,aAAO;QACL,SAAS;QACT,GAAG;;IAEP;AAkDO,QAAMC,gBAAY,iBAAlB,MAAM,aAAY;MAoEvB,YACc,WAEZ,oBAEA,gBAAgD;AAJnB,aAAA,YAAA;AAEZ,aAAA,qBAAA;AAEA,aAAA,iBAAA;AAxEF,aAAA,SAAS,IAAI,SAAA,OAAO,eAAa,IAAI;AACrC,aAAA,UAAU,IAAI,YAAW;AACzB,aAAA,UAAU,IAAI,YAAW;AAelC,aAAA,WAAW,oBAAI,IAAG;AAGlB,aAAA,gBAAgB,oBAAI,IAAG;AAGvB,aAAA,iBAAiB,oBAAI,IAAG;AAGxB,aAAA,gBAAgB,oBAAI,IAAG;AAGvB,aAAA,mBAAmB,oBAAI,IAAG;AAG1B,aAAA,cAAc,oBAAI,IAAG;AAGrB,aAAA,eAAe,oBAAI,IAAG;AAGtB,aAAA,kBAAkB,oBAAI,IAAG;AAGzB,aAAA,wBAAwB,oBAAI,IAAG;AAG/B,aAAA,oBAAoB,oBAAI,IAAG;AAG3B,aAAA,kBAAkB,oBAAI,IAAG;AAGzB,aAAA,sBAAsB,oBAAI,IAAG;AAG7B,aAAA,gBAAgB,oBAAI,IAAG;AAGvB,aAAA,mBAAmB,oBAAI,IAAG;AAG1B,aAAA,mBAAmB,oBAAI,IAAG;AAG1B,aAAA,cAAc,oBAAI,IAAG;AAGrB,aAAA,oBAAgE;MAQrE;MAEH,UAAU,QAAc;AACtB,eAAO,KAAK,cAAc,IAAI,MAAM;MACtC;MAEA,cAAc,QAAc;AAC1B,eAAO,KAAK,iBAAiB,IAAI,MAAM;MACzC;MAEA,IAAI,QAAc;AAChB,eACE,KAAK,SAAS,IAAI,MAAM,KAAK,eAAa,gBAAgB,IAAI,MAAM;MAExE;MAEA,uBAAoB;AAClB,eAAO,CAAC,GAAG,eAAa,iBAAiB,GAAG,KAAK,SAAS,KAAI,CAAE;MAClE;MAEA,eAAe,QAAc;AAU3B,YAAI,CAAC,KAAK,IAAI,MAAM;AAAG,iBAAO;AAC9B,eAAO;UACL,QAAQ,KAAK,cAAc,IAAI,MAAM;UACrC,YAAY,KAAK,iBAAiB,IAAI,MAAM;UAC5C,YAAY,KAAK,cAAc,IAAI,MAAM;UACzC,SAAS,eAAa,gBAAgB,IAAI,MAAM;UAChD,MAAM,KAAK,YAAY,IAAI,MAAM;UACjC,OAAO,KAAK,aAAa,IAAI,MAAM;UACnC,eAAe,KAAK,sBAAsB,IAAI,MAAM;UACpD,eAAe,KAAK,aAAa,MAAM,EAAE;;MAE7C;MAEA,eAAe,QAAc;AAC3B,eAAO,KAAK,aAAa,IAAI,MAAM;MACrC;MAEA,aAAa,QAAc;AACzB,eAAO,KAAK,gBAAgB,IAAI,MAAM,KAAK,CAAA;MAC7C;MAUA,SAAS,QAAgB,SAAY;AACnC,aAAK,SAAS,IAAI,QAAQ,OAAO;MACnC;MAUA,gBAAgB,UAAa;AAC3B,cAAM,cAAc,QAAQ,YAC1B,oBAAA,sBACA,SAAS,WAAW;AAEtB,cAAM,SAA6B,aAAa,UAAU,SAAS;AAEnE,cAAM,SACJ,QAAQ,YAAY,mBAAA,mBAAmB,SAAS,WAAW,KAAK,CAAA;AAClE,cAAM,gBAAgB,IAAI,IACxB,OAAO,IAAI,CAAC,UAAU,OAAO,MAAM,UAAU,CAAC,CAAC;AAIjD,cAAM,iBACJ,QAAQ,YAAY,4BAAA,qBAAqB,SAAS,WAAW,KAAK,CAAA;AACpE,cAAM,mBACJ,QAAQ,YAAY,qBAAA,uBAAuB,SAAS,WAAW,KAAK,CAAA;AAEtE,cAAM,QAAQ,OAAO,eAAe,QAAQ;AAE5C,mBAAW,SAAS,QAAQ;AAC1B,gBAAM,aAAa,MAAM,WACrB,MAAM,SACN,GAAG,MAAM,IAAI,MAAM,MAAM;AAC7B,gBAAM,KAAK,SAAS,MAAM,UAAU,EAAE,KAAK,QAAQ;AAEnD,cAAI,MAAM,OAAO;AACf,iBAAK,SAAS,YAAY,EAAE,QAAQ,GAAE,CAAE;UAC1C,OAAO;AACL,iBAAK,SAAS,YAAY,EAAE;UAC9B;AAEA,eAAK,mBACH,YACA,OACA,OAAO,MAAM,UAAU,GACvB,gBACA,gBAAgB;QAEpB;AAEA,mBAAW,OAAO,OAAO,oBAAoB,KAAK,GAAG;AACnD,cAAI,cAAc,IAAI,GAAG;AAAG;AAE5B,gBAAM,OAAO,QAAQ,YAAY,mBAAA,qBAAqB,OAAO,GAAG;AAChE,cAAI,CAAC,MAAM;AAAQ;AAEnB,gBAAM,aAAa,KAAK,WACpB,KAAK,SACL,GAAG,MAAM,IAAI,KAAK,MAAM;AAE5B,cAAI,CAAC,KAAK,SAAS,IAAI,UAAU,GAAG;AAClC,iBAAK,SAAS,YAAa,SAAiB,GAAG,EAAE,KAAK,QAAQ,CAAC;UACjE;AAEA,eAAK,mBACH,YACA,OACA,KACA,gBACA,gBAAgB;QAEpB;MACF;MAcA,MAAM,MAAM,OAAgB;AAC1B,cAAM,QAAQ,QAAQ,OAAM;AAC5B,YAAI,SAAS;AAEb,YAAI;AACF,gBAAM,cAAc,MAAM,QAAQ,IAAI,YAAA,UAAU;AAChD,cAAI,CAAC;AAAa,kBAAM,IAAI,MAAM,gBAAgB;AAClD,mBAAS,KAAK,QAAQ,OAAO,WAAW;AACxC,gBAAM,mBAAmB,KAAK,aAAa,MAAM;AAEjD,gBAAM,KAAK,oBAAoB,kBAAkB;YAC/C,OAAO;YACP,WAAW,KAAK,IAAG;YACnB;YACA;WACD;AAED,cAAI;AAEJ,cAAI,WAAW,iBAAiB,WAAW,eAAe;AACxD,iBAAK,OAAO,MAAM,eAAe;AACjC,qBAAS;cACP,IAAI;cACJ,QAAQ;cACR,SAAS,oBAAI,IAAI;gBACf,CAAC,KAAK,IAAI,YAAW,EAAG,OAAO,iBAAiB,CAAC;eAClD;cACD,MAAM,IAAI,YAAW,EAAG,OACtB,KAAK,UAAU;gBACb,QAAQ;gBACR,YAAW,oBAAI,KAAI,GAAG,YAAW;gBACjC,SAAS;eACV,CAAC;;UAGR,WAAW,WAAW,eAAe;AACnC,kBAAM,KAAK,KAAK,IAAG,EAAG,SAAQ;AAC9B,qBAAS;cACP,IAAI;cACJ,QAAQ;cACR,MAAM,IAAI,YAAW,EAAG,OACtB,KAAK,UAAU;gBACb;gBACA,MAAK,oBAAI,KAAI,GAAG,YAAW;eAC5B,CAAC;;UAGR,WAAW,WAAW,eAAe;AACnC,qBAAS;cACP,IAAI;cACJ,QAAQ;cACR,MAAM,MAAM;;UAEhB,WAAW,WAAW,gBAAgB,WAAW,mBAAmB;AAClE,kBAAM,eAAe,KAAK,sBAAsB,MAAM,IAAI;AAC1D,qBAAS,MAAM,KAAK,oBAAoB,OAAO,YAAY;UAC7D,WAAW,WAAW,iBAAiB,WAAW,oBAAoB;AACpE,kBAAM,WAAW,KAAK,oBAAoB,MAAM,IAAI;AACpD,kBAAM,cAAc,SAAS;AAC7B,kBAAM,YAAY,SAAS,QAAQ,CAAA;AAEnC,gBAAI,CAAC,aAAa;AAChB,oBAAM,IAAI,MAAM,kCAAkC;YACpD;AAEA,iBAAK,OAAO,MAAM,kCAAkC,WAAW,GAAG;AAElE,kBAAM,eAAe,IAAI,IAAI,MAAM,OAAO;AAC1C,yBAAa,IAAI,YAAA,YAAY,KAAK,QAAQ,OAAO,WAAW,CAAC;AAE7D,kBAAM,gBAAgB,KAAK,sBAAsB,SAAS,OAAO;AACjE,kBAAM,YAAY,KAAK,uBAAuB,aAAa;AAC3D,gBAAI,WAAW;AACb,2BAAa,IAAI,YAAA,aAAa,KAAK,QAAQ,OAAO,SAAS,CAAC;AAC5D,2BAAa,IAAI,YAAA,eAAe,KAAK,QAAQ,OAAO,SAAS,CAAC;YAChE;AAEA,kBAAM,cAAa,GAAA,yBAAA,0BACjB;cACE,GAAG;cACH,SAAS;cACT,MAAM,KAAK,WAAW,SAAS;gBAEjC,GAAA,yBAAA,4BAA0B,GAAA,yBAAA,yBAAwB,KAAK,GAAG;cACxD,YAAY;cACZ,SAAS,KAAK,oBAAoB,KAAK;cACvC;aACD,KAAK,CAAA,CAAE;AAGV,qBAAS,MAAM,KAAK,MAAM,UAAU;UACtC,OAAO;AACL,kBAAM,UAAU,KAAK,SAAS,IAAI,MAAM;AACxC,gBAAI,CAAC,SAAS;AACZ,oBAAM,IAAI,MAAM,qBAAqB,MAAM,EAAE;YAC/C;AAEA,kBAAM,aAAa,KAAK,cAAc,IAAI,MAAM;AAChD,gBAAI,cAAc,WAAW,SAAS,GAAG;AACvC,oBAAM,KAAK,iBAAiB,YAAY,QAAQ,KAAK;YACvD;AAEA,kBAAM,UAAU,KAAK,eAAe,IAAI,MAAM;AAC9C,gBAAI,cAAmB,MAAM;AAC7B,gBAAI,SAAS;AACX,kBAAI;AACF,8BAAc,QAAQ,OAAO,KAAK,MAAM,IAAI,CAAC;cAC/C,SAAS,WAAgB;AACvB,sBAAM,IAAI,MACR,gCAAgC,MAAM,KAAK,UAAU,OAAO,EAAE;cAElE;YACF;AAEA,iBAAK,qBACH,QACA,OACA,aACA,KAAK,0BAA0B,QAAQ,KAAK,CAAC;AAG/C,gBAAI,OAAO,YAAY,YAAY;AACjC,oBAAM,aAAa,UACf,MAAM,QAAQ,aAAa,MAAM,OAAO,IACxC,MAAM,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC3C,uBAAS;gBACP,IAAI;gBACJ,QAAQ;gBACR,MAAM;;YAEV,OAAO;AACL,kBAAI,OAAQ,QAAgB,WAAW,YAAY;AACjD,yBAAS,MAAO,QAAgB,OAAO,KAAK;cAC9C,WAAW,OAAQ,QAAgB,YAAY,YAAY;AACzD,sBAAM,UAAU,UACZ,MAAO,QAAgB,QAAQ,aAAa,MAAM,OAAO,IACzD,MAAO,QAAgB,QAAQ,MAAM,MAAM,MAAM,OAAO;AAC5D,yBAAS;kBACP,IAAI;kBACJ,QAAQ;kBACR,MAAM;;cAEV,OAAO;AACL,sBAAM,IAAI,MACR,eAAe,MAAM,uCAAuC;cAEhE;YACF;UACF;AAEA,gBAAM,KAAK,oBAAoB,kBAAkB;YAC/C,OAAO;YACP,WAAW,KAAK,IAAG;YACnB;YACA;YACA;YACA,UAAU,OAAO;WAClB;AAED,eAAK,UAAU,QAAQ,OAAO,IAAI;AAClC,iBAAO;QACT,SAAS,GAAQ;AACf,gBAAM,KAAK,oBAAoB,KAAK,aAAa,MAAM,GAAG;YACxD,OAAO;YACP,WAAW,KAAK,IAAG;YACnB;YACA;YACA,OAAO,EAAE;WACV;AACD,eAAK,UAAU,QAAQ,OAAO,OAAO,EAAE,OAAO;AAC9C,gBAAM;QACR;MACF;MAEQ,UACN,QACA,OACA,IACA,OAAc;AAEd,cAAM,OAAO,QAAQ,OAAO,KAAK;AACjC,cAAM,MAAM,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC;AACpD,YAAI,IAAI;AACN,eAAK,OAAO,MAAM,GAAG,MAAM,iBAAiB,EAAE,IAAI;QACpD,OAAO;AACL,eAAK,OAAO,KAAK,GAAG,MAAM,cAAc,EAAE,QAAQ,KAAK,EAAE;QAC3D;MACF;MAEA,mBACE,QACA,OACA,YACA,gBACA,kBAAwC;AAExC,cAAM,UAAU,QAAQ,YAAY,wBAAA,iBAAiB,OAAO,UAAU;AACtE,YAAI,SAAS;AACX,eAAK,eAAe,IAAI,QAAQ,OAAO;QACzC;AAEA,cAAM,gBAAgB,QAAQ,YAC5B,2BAAA,oBACA,OACA,UAAU;AAEZ,cAAM,OAAO,QAAQ,YAAY,mBAAA,qBAAqB,OAAO,UAAU;AACvE,cAAM,WAAW,sBACf,gBACA,MAAM,QAAQ,aAAa,IAAI,gBAAgB,QAC/C,MAAM,QAAQ,MAAM,EAAE,IAAI,KAAK,KAAK,MAAS;AAE/C,YAAI,SAAS,SAAS,GAAG;AACvB,eAAK,cAAc,IAAI,QAAQ,QAAQ;QACzC;AAEA,cAAM,kBACJ,QAAQ,YAAY,qBAAA,uBAAuB,OAAO,UAAU,KAAK,CAAA;AACnE,cAAM,YAAY,sBAAsB;UACtC,GAAI,oBAAoB,CAAA;UACxB,GAAG;SACJ;AACD,YAAI,UAAU,SAAS,GAAG;AACxB,eAAK,gBAAgB,IAAI,QAAQ,SAAS;QAC5C;AAEA,cAAM,uBAAuB,QAAQ,YACnC,2BAAA,6BACA,MAAM,WAAW;AAEnB,cAAM,sBAAsB,QAAQ,YAClC,2BAAA,6BACA,OACA,UAAU;AAEZ,cAAM,iBAAgB,GAAA,2BAAA,2BACpB,sBACA,mBAAmB;AAErB,YAAI,eAAe;AACjB,eAAK,sBAAsB,IAAI,QAAQ,aAAa;QACtD;AAEA,YAAI,MAAM;AACR,eAAK,YAAY,EAAE,GAAG,MAAM,OAAM,CAAE;AACpC,cAAI,KAAK,MAAM;AACb,iBAAK,YAAY,IAAI,QAAQ,KAAK,IAAI;UACxC;AAEA,gBAAM,YAAY,QAAQ,YACxB,kBAAA,oBACA,OACA,UAAU;AAEZ,gBAAM,cAAc,qBAAqB,WAAW,KAAK,KAAK;AAC9D,cAAI,aAAa;AACf,iBAAK,aAAa,IAAI,QAAQ,WAAW;UAC3C;QACF;AAGA,cAAM,oBAAwC,QAAQ,YACpD,0BAAA,0BACA,OACA,UAAU;AAEZ,cAAM,mBAAuC,QAAQ,YACnD,0BAAA,0BACA,MAAM,WAAW;AAEnB,cAAM,cAAc,qBAAqB;AACzC,YAAI,aAAa;AACf,eAAK,kBAAkB,IAAI,QAAQ,WAAW;QAChD;AAGA,cAAM,iBAAkD,QAAQ,YAC9D,0BAAA,uBACA,OACA,UAAU;AAEZ,cAAM,gBAAiD,QAAQ,YAC7D,0BAAA,uBACA,MAAM,WAAW;AAEnB,cAAM,WAAW,kBAAkB;AACnC,YAAI,UAAU;AACZ,eAAK,gBAAgB,IAAI,QAAQ,QAAQ;QAC3C;AAGA,cAAM,cAA+C,QAAQ,YAC3D,0BAAA,6BACA,OACA,UAAU;AAEZ,cAAM,aAA8C,QAAQ,YAC1D,0BAAA,6BACA,MAAM,WAAW;AAEnB,cAAM,gBAAgB,eAAe;AACrC,YAAI,iBAAiB,cAAc,SAAS,GAAG;AAC7C,eAAK,oBAAoB,IAAI,QAAQ,aAAa;QACpD;AAGA,cAAM,iBAAsC,QAAQ,YAClD,0BAAA,iBACA,OACA,UAAU;AAEZ,cAAM,gBAAqC,QAAQ,YACjD,0BAAA,iBACA,MAAM,WAAW;AAEnB,YAAI,kBAAkB,eAAe;AACnC,eAAK,cAAc,IAAI,MAAM;QAC/B;AAGA,cAAM,eAAoC,QAAQ,YAChD,0BAAA,oBACA,OACA,UAAU;AAEZ,cAAM,cAAmC,QAAQ,YAC/C,0BAAA,oBACA,MAAM,WAAW;AAEnB,YAAI,gBAAgB,aAAa;AAC/B,eAAK,iBAAiB,IAAI,MAAM;QAClC;AAGA,cAAM,YAA6C,QAAQ,YACzD,0BAAA,qBACA,OACA,UAAU;AAEZ,YAAI,WAAW;AACb,eAAK,iBAAiB,IAAI,QAAQ,SAAS;QAC7C;MACF;MAIA,eAAe,QAAc;AAC3B,eAAO,KAAK,kBAAkB,IAAI,MAAM;MAC1C;MAEA,YAAY,QAAc;AACxB,eAAO,KAAK,gBAAgB,IAAI,MAAM;MACxC;MAEA,iBAAiB,QAAc;AAC7B,eAAO,KAAK,oBAAoB,IAAI,MAAM;MAC5C;MAEA,SAAS,QAAc;AACrB,eAAO,KAAK,cAAc,IAAI,MAAM;MACtC;MAEA,YAAY,QAAc;AACxB,eAAO,KAAK,iBAAiB,IAAI,MAAM;MACzC;MAEA,aAAa,QAAc;AACzB,eAAO,KAAK,iBAAiB,IAAI,MAAM;MACzC;MAEQ,MAAM,oBACZ,UACA,SAA6D;AAE7D,YAAI,CAAC,KAAK,sBAAsB,SAAS,WAAW;AAAG;AACvD,cAAM,KAAK,mBAAmB,SAAS,UAAU,OAAO;MAC1D;MAEQ,MAAM,iBACZ,YACA,QACA,OAAgB;AAEhB,mBAAW,aAAa,YAAY;AAClC,gBAAM,SAAS,KAAK,oBAAoB,SAAS;AACjD,gBAAM,aAAa,aAAa,SAAS;AAEzC,cAAI,CAAC,QAAQ;AACX,iBAAK,OAAO,MACV,iBAAiB,UAAU,0BAA0B,MAAM,EAAE;AAE/D,kBAAM,IAAI,MAAM,kBAAkB,UAAU,EAAE;UAChD;AAEA,gBAAM,cAA2B;YAC/B,UAAU,MAAM;YAChB;YACA,MAAM,MAAM;YACZ,YAAY,MAAM;YAClB,WAAW,MAAM;YACjB,UAAU;cACR,OAAO;cACP;cACA,QAAQ,KAAK,UAAU,MAAM;cAC7B,YAAY,KAAK,cAAc,MAAM;;;AAIzC,cAAI,OAAO,YAAY,CAAC,OAAO,SAAS,WAAW;AAAG;AAEtD,gBAAM,YAAW,GAAA,cAAA,yBAAwB,MAAM,OAAO,IAAI,WAAW,CAAC;AACtE,cAAI,CAAC,SAAS,OAAO;AACnB,kBAAM,SAAS,SAAS,QAAQ,CAAC,KAAK,GAAG,OAAO,IAAI;AACpD,iBAAK,OAAO,KACV,iBAAiB,OAAO,IAAI,WAAW,MAAM,KAAK,MAAM,EAAE;AAE5D,kBAAM,IAAI,MAAM,eAAe,MAAM,EAAE;UACzC;QACF;MACF;MAEQ,oBAAoB,KAAwB;AAClD,cAAM,aAAa,KAAK,gBAAgB,QAAQ,GAAG;AACnD,YAAI,YAAY;AACd,iBAAO;QACT;AAEA,YAAI,CAAC,KAAK,aAAa,OAAO,QAAQ,UAAU;AAC9C,iBAAO;QACT;AAEA,YAAI;AACF,gBAAM,WAAW,KAAK,UAAU,IAAI,KAAY,EAAE,QAAQ,MAAK,CAAE;AACjE,iBAAO,qBAAqB,QAAQ,IAAI,WAAW;QACrD,QAAQ;AACN,iBAAO;QACT;MACF;MAEQ,0BACN,QACA,OAAgB;AAEhB,cAAM,mBAAmB,KAAK,sBAAsB,IAAI,MAAM;AAC9D,cAAM,cAAc,KAAK,aAAa,IAAI,MAAM;AAChD,cAAM,oBAAmB,GAAA,yBAAA,yBAAwB,KAAK;AAEtD,cAAM,gBAAgB,MAAM,KAC1B,oBAAI,IAAI;UACN,GAAG,KAAK,YAAY,aAAa,YAAY;UAC7C,GAAG,KAAK,YAAY,kBAAkB,YAAY,KAAK;UACvD,GAAG,KAAK,YAAY,kBAAkB,WAAW,YAAY;SAC9D,CAAC;AAGJ,cAAM,kBACJ,aAAa,iBACb,kBAAkB,YAAY,iBAC9B,kBAAkB,WAAW,iBAC7B,kBAAkB,eAAe,SAAS,iBAC1C,cAAc,SAAS;AAEzB,cAAM,gBAAgB,mBAClB,GAAA,2BAAA,+BAA8B;UAC5B,UAAU;UACV,QAAQ,cAAc,SAAS,IAAI,gBAAgB;SACpD,IACD;AAEJ,gBAAO,GAAA,2BAAA,2BAA0B,kBAAkB,aAAa;MAClE;MAEQ,qBACN,QACA,OACA,MACA,QAA6B;AAE7B,cAAM,oBAAmB,GAAA,yBAAA,yBAAwB,KAAK;AACtD,cAAM,sBAAsB,KAAK,sBAC/B,kBAAkB,aAAa;AAEjC,cAAM,iBAAgB,GAAA,iBAAA,wBAAuB,mBAAmB;AAChE,cAAM,mBAAmB,UACrB,GAAA,2BAAA,+BAA8B,MAAM,IACpC;AAEJ,YAAI,CAAC,eAAe;AAClB,cAAI,kBAAkB,UAAU;AAC9B,gBACE,iBAAiB,mBACjB,KAAK,oBAAoB,KAAK,KAC9B,KAAK,YAAY,iBAAiB,MAAM,EAAE,WAAW,KACrD,iBAAiB,gBAAgB,OACjC;AACA;YACF;AAEA,kBAAM,IAAI,aAAA,UACR,KAAK,oBAAoB,KAAK,IAC1B,4BACA,oBACJ,UAAU,MAAM,sDAChB,KACA,EAAE,OAAM,CAAE;UAEd;AAEA;QACF;AAEA,aAAI,GAAA,iBAAA,wBAAuB,aAAa,GAAG;AACzC,gBAAM,IAAI,aAAA,UACR,mBACA,eAAe,MAAM,eACrB,KACA,EAAE,QAAQ,WAAW,cAAc,GAAE,CAAE;QAE3C;AAEA,cAAM,UACJ,KAAK,oBAAoB,KAAK,KAAK,kBAAkB;AACvD,YACE,WACA,cAAc,WACd,CAAC,KAAK,iBAAiB,SAAS,cAAc,OAAO,GACrD;AACA,gBAAM,IAAI,aAAA,UACR,0BACA,kDAAkD,MAAM,IACxD,KACA;YACE;YACA;YACA,gBAAgB,cAAc;WAC/B;QAEL;AAEA,cAAM,WAAW,KAAK,qBAAqB,KAAK;AAChD,YACE,YACA,cAAc,MACd,CAAC,KAAK,iBAAiB,UAAU,cAAc,EAAE,GACjD;AACA,gBAAM,IAAI,aAAA,UACR,wBACA,sDAAsD,MAAM,IAC5D,KACA;YACE;YACA;YACA,WAAW,cAAc;WAC1B;QAEL;AAEA,cAAM,QAAQ,KAAK,eAAe,OAAO,YAAA,SAAS;AAClD,YAAI,SAAS,cAAc,SAAS,UAAU,cAAc,OAAO;AACjE,gBAAM,IAAI,aAAA,UACR,0BACA,kDAAkD,MAAM,IACxD,KACA,EAAE,QAAQ,OAAO,cAAc,cAAc,MAAK,CAAE;QAExD;AAEA,cAAM,OAAO,KAAK,eAAe,OAAO,YAAA,QAAQ;AAChD,YAAI,QAAQ,cAAc,QAAQ,SAAS,cAAc,MAAM;AAC7D,gBAAM,IAAI,aAAA,UACR,yBACA,gDAAgD,MAAM,IACtD,KACA,EAAE,QAAQ,MAAM,aAAa,cAAc,KAAI,CAAE;QAErD;AAEA,cAAM,oBAAoB,kBAAkB,eAAe;AAC3D,YACE,qBACA,EAAC,GAAA,iBAAA,2BAA0B,eAAe,MAAM,GAChD;AACA,gBAAM,IAAI,aAAA,UACR,kBACA,8BAA8B,MAAM,IACpC,KACA;YACE;YACA,WAAW,cAAc;YACzB,gBAAgB,cAAc;WAC/B;QAEL;AAEA,cAAM,iBAAiB,KAAK,YAAY,kBAAkB,MAAM;AAChE,YAAI,eAAe,WAAW,GAAG;AAC/B;QACF;AAEA,YAAI;AACJ,YAAI;AACF,4BAAiB,GAAA,iBAAA,qBAAoB,gBAAgB;YACnD;YACA;YACA;YACA,SAAS,kBAAkB,eAAe;YAC1C,QAAQ,kBAAkB,WAAW;WACtC;QACH,SAAS,OAAY;AACnB,eAAK,OAAO,MAAM,4BAA4B,MAAM,KAAK,MAAM,OAAO,EAAE;AACxE,gBAAM,IAAI,aAAA,UACR,qCACA,kCACA,KACA,EAAE,OAAM,CAAE;QAEd;AAEA,YACE,EAAC,GAAA,iBAAA,8BACC,eACA,gBACA,kBAAkB,aAAa,KAAK,GAEtC;AACA,gBAAM,IAAI,aAAA,UACR,kBACA,iCAAiC,MAAM,IACvC,KACA;YACE;YACA,gBAAgB;YAChB,iBAAiB,cAAc,UAAU,CAAA;WAC1C;QAEL;MACF;MAEQ,MAAM,oBACZ,OACA,SAA2D;AAE3D,cAAM,EAAE,mBAAAC,mBAAiB,IAAK,MAAA,QAAA,QAAA,EAAA,KAAA,MAAA,6BAAoC;AAClE,cAAM,gBAAgB,KAAK,oBAAoB,KAAK;AACpD,YACE,QAAQ,WACR,iBACA,CAAC,KAAK,iBAAiB,QAAQ,SAAS,aAAa,GACrD;AACA,gBAAM,IAAI,aAAA,UACR,kBACA,kEACA,GAAG;QAEP;AACA,cAAM,UAAU,iBAAiB,QAAQ;AACzC,cAAM,gBAAgB,KAAK,sBAAsB,QAAQ,OAAO;AAChE,cAAM,YAAY,KAAK,uBAAuB,aAAa;AAC3D,cAAM,UAAU,IAAI,IAAI,MAAM,OAAO;AAErC,YAAI,WAAW;AACb,kBAAQ,IAAI,YAAA,aAAa,KAAK,QAAQ,OAAO,SAAS,CAAC;AACvD,kBAAQ,IAAI,YAAA,eAAe,KAAK,QAAQ,OAAO,SAAS,CAAC;QAC3D;AAEA,cAAM,aAAY,GAAA,yBAAA,0BAChB;UACE,GAAG;UACH;YAEF,GAAA,yBAAA,4BAA0B,GAAA,yBAAA,yBAAwB,KAAK,GAAG;UACxD,YAAY;UACZ;UACA;UACA,YAAY,QAAQ,SAAS;UAC7B,eAAe,QAAQ;SACxB,KAAK,CAAA,CAAE;AAGV,cAAM,WAAW,IAAIA,mBAAkB,MAAM,KAAK,kBAAkB;AACpE,cAAM,SAAS,MAAM,SAAS,QAAQ,QAAQ,UAAU;UACtD;UACA;SACD;AAED,eAAO;UACL,IAAI,OAAO,WAAW;UACtB,QAAQ;UACR,MAAM,KAAK,WAAW,MAAM;UAC5B,UAAU;YACR,SAAS,OAAO;YAChB,QAAQ,OAAO;;;MAGrB;MAEQ,oBAAoBC,QAAiB;AAM3C,YAAI;AACF,iBAAO,KAAK,MAAM,KAAK,QAAQ,OAAOA,MAAK,CAAC;QAC9C,SAAS,OAAY;AACnB,gBAAM,IAAI,MAAM,kCAAkC,MAAM,OAAO,EAAE;QACnE;MACF;MAEQ,sBACNA,QAAiB;AAEjB,YAAI;AAEJ,YAAI;AACF,gBAAM,SAAS,KAAK,MAAM,KAAK,QAAQ,OAAOA,MAAK,CAAC;AACpD,cAAI,KAAK,mBAAmB,MAAM,GAAG;AACnC,mBAAO;cACL,UAAU,OAAO;cACjB,SAAS,KAAK,sBAAsB,OAAO,OAAO;cAClD,SACE,OAAO,OAAO,YAAY,WAAW,OAAO,UAAU;;UAE5D;AAEA,cAAI,KAAK,oBAAoB,MAAM,GAAG;AACpC,mBAAO,EAAE,UAAU,OAAM;UAC3B;QACF,SAAS,OAAY;AACnB,sBAAY;QACd;AAEA,YAAI;AACF,gBAAM,WAAU,GAAA,gBAAA,oBACdA,MAAK;AAEP,iBAAO;YACL,UAAU,QAAQ;YAClB,SAAS,KAAK,sBAAsB,QAAQ,OAAO;YACnD,SAAS,QAAQ;;QAErB,SAAS,cAAmB;AAC1B,cAAI;AACF,mBAAO;cACL,WAAU,GAAA,gBAAA,qBAAoBA,MAAK;;UAEvC,SAAS,eAAoB;AAC3B,kBAAM,SAAS;cACb,WAAW;cACX,aAAa;cACb,cAAc;cAEb,OAAO,OAAO,EACd,KAAK,KAAK;AACb,kBAAM,IAAI,MAAM,6BAA6B,MAAM,EAAE;UACvD;QACF;MACF;MAEQ,mBACN,OAAc;AAEd,eACE,CAAC,CAAC,SACF,OAAO,UAAU,YACjB,cAAc,SACd,KAAK,oBAAqB,MAAkC,QAAQ;MAExE;MAEQ,oBAAoB,OAAc;AACxC,eACE,CAAC,CAAC,SACF,OAAO,UAAU,YACjB,OAAQ,MAAkC,YAAY,YACtD,MAAM,QAAS,MAAkC,KAAK;MAE1D;MAEQ,WAAW,OAAc;AAC/B,eAAO,KAAK,QAAQ,OAAO,KAAK,UAAU,KAAK,CAAC;MAClD;MAEQ,oBAAoB,OAAgB;AAC1C,eAAO,KAAK,eAAe,OAAO,YAAA,YAAY;MAChD;MAEQ,qBAAqB,OAAgB;AAC3C,eACE,KAAK,eAAe,OAAO,YAAA,aAAa,KACxC,KAAK,eAAe,OAAO,YAAA,WAAW;MAE1C;MAEQ,oBAAoB,OAAgB;AAC1C,eAAO,CAAC,CAAC,KAAK,qBAAqB,KAAK;MAC1C;MAEQ,eAAe,OAAkB,KAAW;AAClD,cAAM,QAAQ,MAAM,QAAQ,IAAI,GAAG;AACnC,YAAI,CAAC,SAAS,MAAM,WAAW,GAAG;AAChC,iBAAO;QACT;AAEA,cAAM,UAAU,KAAK,QAAQ,OAAO,KAAK;AACzC,YAAI,iBAAiB,KAAK,OAAO,GAAG;AAClC,iBAAO;QACT;AAEA,eAAO,OAAO,KAAK,KAAK,EAAE,SAAS,KAAK;MAC1C;MAEQ,iBAAiB,MAAc,OAAa;AAClD,cAAMC,aAAY,CAAC,UACjB,eAAe,KAAK,KAAK,IAAI,MAAM,YAAW,IAAK;AACrD,eAAOA,WAAU,IAAI,MAAMA,WAAU,KAAK;MAC5C;MAEQ,uBACN,SAAiC;AAEjC,cAAM,KAAK,SAAS;AACpB,eAAO,OAAO,OAAO,YAAY,GAAG,SAAS,IAAI,KAAK;MACxD;MAEQ,sBACN,OAAc;AAEd,YAAI,CAAC,SAAS,OAAO,UAAU,YAAY,MAAM,QAAQ,KAAK,GAAG;AAC/D,iBAAO;QACT;AAEA,eAAO;MACT;MAEQ,YAAY,OAAyB;AAC3C,YAAI,CAAC,OAAO;AACV,iBAAO,CAAA;QACT;AAEA,eAAO,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK;MAC9C;MAUA,aAAa,QAA2C;AACtD,aAAK,oBAAoB;AACzB,aAAK,OAAO,IAAI,yBAAyB;MAC3C;MAMA,mBAAmB,QAAgB,SAAmB;AACpD,aAAK,YAAY,IAAI,QAAQ,OAAO;AACpC,aAAK,OAAO,MAAM,2BAA2B,MAAM,EAAE;MACvD;MAKA,cAAc,QAAc;AAC1B,eAAO,KAAK,YAAY,IAAI,MAAM;MACpC;MAYA,MAAM,SAAS,UAA4B;AACzC,YAAI,CAAC,KAAK,mBAAmB;AAC3B,iBAAO;YACL,IAAI;YACJ,OAAO;cACL,MAAM;cACN,SAAS;;YAEX,QAAQ;;QAEZ;AAEA,cAAM,SAA4B;UAChC,GAAG,KAAK;UACR,UAAU,KAAK;;AAGjB,gBAAO,GAAA,eAAA,oBAAmB,UAAU,MAAM;MAC5C;MAEQ,YAAY,MAMnB;AACC,YAAI,KAAK,KAAK;AACZ,cAAI,KAAK,OAAO,KAAK,IAAI,SAAS,GAAG;AACnC,iBAAK,OAAO,KACV,GAAG,KAAK,MAAM,4DAA4D;UAE9E;AAEA,gBAAM,aAAY,GAAA,kBAAA,kBAAiB,KAAK,GAAG;AAC3C,gBAAMC,UAAuB;YAC3B,QAAQ,KAAK;YACb,SAAS;YACT,aAAa,KAAK,eAAe;YACjC,QAAQ,UAAU,OAAO,IAAI,CAAC,OAAO;cACnC,MAAM,EAAE;cACR,KAAK,EAAE;cACP,MAAM,EAAE;cACR,UAAU,EAAE;cACZ,QAAQ,EAAE;cACV,KAAK,EAAE;cACP,OAAO,EAAE;cACT;;AAGJ,eAAK,cAAc,IAAI,KAAK,QAAQA,OAAM;AAE1C,cAAI,UAAU,WAAW,OAAO,GAAG;AACjC,iBAAK,iBAAiB,IAAI,KAAK,QAAQ,UAAU,UAAU;UAC7D;AAEA,cAAI,CAAC,KAAK,eAAe,IAAI,KAAK,MAAM,GAAG;AACzC,iBAAK,eAAe,IAAI,KAAK,SAAQ,GAAA,kBAAA,iBAAgB,KAAK,GAAG,CAAC;UAChE;AAEA;QACF;AAEA,YAAI,CAAC,KAAK,OAAO,KAAK,IAAI,WAAW;AAAG;AAExC,cAAM,SAAuB;UAC3B,QAAQ,KAAK;UACb,SAAS;UACT,aAAa,KAAK,eAAe;UACjC,QAAQ,KAAK,IAAI,IAAI,CAAC,OAAO;YAC3B,MAAM,EAAE;YACR,KAAK,EAAE;YACP,MAAM,EAAE;YACR,UAAU,EAAE;YACZ,QAAQ,EAAE;YACV,KAAK,EAAE;YACP,OAAO,EAAE;YACT;;AAGJ,aAAK,cAAc,IAAI,KAAK,QAAQ,MAAM;MAC5C;;AAlqCW,YAAA,eAAAJ;AAMa,IAAAA,cAAA,kBAAkB,oBAAI,IAAI;MAChD;MACA;MACA;MACA;MACA;MACA;MACA;MACA;KACD;2BAfUA,gBAAY,iBAAA,WAAA;OADxB,GAAA,SAAA,YAAU;MAsEN,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;MACV,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;MAEV,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;2DAH8B,OAAA,cAAS,eAAT,OAAA,eAAS,aAAA,KAAA,QAAA,QAAA,KAAA,OAEZ,8BAAA,8BAAyB,eAAzB,8BAAA,+BAAyB,aAAA,KAAA,QAAA,QAAA,KAAA,OAE7B,kBAAA,mBAAc,eAAd,kBAAA,oBAAc,aAAA,KAAA,MAAA,CAAA;OAzEvCA,aAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;ACnOzB,QAAA,WAAA,UAAA,QAAA;AAEA,QAAA,WAAA,UAAA,gBAAA;AAGA,QAAA,cAAA;AAWA,QAAA,2BAAA;AAKA,QAAA,gCAAA;AACA,QAAA,kBAAA;AAQO,QAAMK,qBAAiB,sBAAvB,MAAM,kBAAiB;MAK5B,YACmB,QAEjB,oBAA+D;AAF9C,aAAA,SAAA;AAEA,aAAA,qBAAA;AAPF,aAAA,SAAS,IAAI,SAAA,OAAO,oBAAkB,IAAI;AAC1C,aAAA,UAAU,IAAI,YAAW;AACzB,aAAA,UAAU,IAAI,YAAW;MAMvC;MAEH,MAAM,QACJ,UACA,UAAqC,CAAA,GAAE;AAEvC,aAAK,iBAAiB,QAAQ;AAE9B,cAAM,YAAY,KAAK,IAAG;AAC1B,cAAM,UAAU,oBAAI,IAAG;AACvB,cAAM,WAAW,KAAK,qBAAqB,QAAQ;AAEnD,cAAM,KAAK,SAAS,UAAU;UAC5B,OAAO;UACP,WAAW;UACX,SAAS,SAAS;UAClB;UACA,cAAc,SAAS;UACvB,SAAS,SAAS;UAClB,aAAa,SAAS;SACvB;AAED,cAAM,KAAK,SAAS,UAAU;UAC5B,OAAO;UACP,WAAW,KAAK,IAAG;UACnB,SAAS,SAAS;UAClB;UACA,cAAc,SAAS;UACvB,SAAS,SAAS;UAClB,aAAa,SAAS;SACvB;AAED,cAAM,YAAY,IAAI,IAAI,SAAS,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC;AAC3E,cAAM,UAAU,IAAI,IAAI,UAAU,KAAI,CAAE;AAExC,eAAO,QAAQ,OAAO,GAAG;AACvB,gBAAM,QAAQ,MAAM,KAAK,OAAO,EAC7B,IAAI,CAAC,WAAW,UAAU,IAAI,MAAM,CAAE,EACtC,OAAO,CAAC,SAAS,KAAK,OAAO,MAAM,OAAO,CAAC;AAE9C,cAAI,MAAM,WAAW,GAAG;AACtB,iBAAK,oBACH,SACA,WACA,SACA,WACA,yBAAyB;AAE3B;UACF;AAEA,cAAI,SAAS,SAAS,YAAY;AAChC,kBAAM,cAAc,MAAM,QAAQ,IAChC,MAAM,IAAI,CAAC,SAAS,KAAK,YAAY,MAAM,UAAU,SAAS,OAAO,CAAC,CAAC;AAEzE,uBAAW,UAAU,aAAa;AAChC,sBAAQ,IAAI,OAAO,QAAQ,MAAM;AACjC,sBAAQ,OAAO,OAAO,MAAM;YAC9B;UACF,OAAO;AACL,uBAAW,QAAQ,OAAO;AACxB,oBAAM,SAAS,MAAM,KAAK,YAAY,MAAM,UAAU,SAAS,OAAO;AACtE,sBAAQ,IAAI,OAAO,QAAQ,MAAM;AACjC,sBAAQ,OAAO,OAAO,MAAM;AAE5B,kBACE,OAAO,WAAW,aACjB,SAAS,SAAS,YAAY,SAAS,SAAS,WACjD;AACA,qBAAK,oBACH,SACA,WACA,SACA,WACA,cAAc;AAEhB,wBAAQ,MAAK;AACb;cACF;YACF;UACF;AAEA,eAAK,iCAAiC,SAAS,WAAW,OAAO;QACnE;AAEA,cAAM,aAAa,KAAK,IAAG;AAC3B,cAAM,iBAAiB,SAAS,MAAM,IAAI,CAAC,SAAS,QAAQ,IAAI,KAAK,MAAM,CAAE;AAC7E,cAAM,UAAU,KAAK,aAAa,SAAS,MAAM,gBAAgB,WAAW,YAAY,SAAS,OAAO;AAExG,cAAM,KAAK,SAAS,UAAU;UAC5B,OACE,QAAQ,WAAW,cACf,oBACA,QAAQ,WAAW,YACjB,kBACA;UACR,WAAW;UACX,SAAS,SAAS;UAClB;UACA,QAAQ;UACR,cAAc,SAAS;UACvB,SAAS,SAAS;UAClB,aAAa,SAAS;SACvB;AAED,eAAO;MACT;MAEQ,MAAM,YACZ,MACA,UACA,SACA,SAAkC;AAElC,cAAM,eAAe,KAAK,OAAO,aAAa,KAAK,MAAM;AACzD,cAAM,YAAY,KAAK,IAAG;AAC1B,cAAM,QAAQ,KAAK,iBAAiB,KAAK,OAAO,OAAO;AAEvD,cAAM,KAAK,SAAS,cAAc;UAChC,OAAO;UACP,WAAW;UACX,SAAS,SAAS;UAClB,QAAQ,KAAK;UACb,QAAQ,KAAK;UACb;UACA;UACA,cAAc,CAAC,GAAI,SAAS,gBAAgB,CAAA,GAAK,GAAI,KAAK,gBAAgB,CAAA,CAAG;UAC7E,SAAS,KAAK,eACV;YACE,GAAG,SAAS;YACZ,OAAO,KAAK;cAEd,SAAS;UACb,aAAa,KAAK,eAAe,SAAS;SAC3C;AAED,YAAI;AACF,gBAAM,QAAQ,KAAK,WAAW,MAAM,UAAU,OAAO,OAAO;AAC5D,gBAAM,SAAS,MAAM,KAAK,OAAO,MAAM,KAAK;AAC5C,gBAAM,aAAa,KAAK,IAAG;AAC3B,gBAAM,SAAS,KAAK,aAAa,OAAO,IAAI;AAC5C,gBAAM,YAAY,KAAK,iBAAiB,SAAS,SAAS,KAAK,QAAQ,QAAQ,MAAM;AAErF,gBAAM,SAA8B;YAClC,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,QAAQ;YACR,QAAQ,OAAO;YACf;YACA,WAAW,KAAK;YAChB;YACA;YACA;YACA,cAAc,CAAC,GAAI,SAAS,gBAAgB,CAAA,GAAK,GAAI,KAAK,gBAAgB,CAAA,CAAG;YAC7E,UAAU,OAAO;;AAGnB,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb;YACA;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;WAC3C;AAED,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;YAC1C,UAAU,EAAE,UAAS;WACtB;AAED,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb;YACA;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;WAC3C;AAED,iBAAO;QACT,SAAS,OAAY;AACnB,gBAAM,aAAa,KAAK,IAAG;AAC3B,gBAAM,SAA8B;YAClC,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,QAAQ;YACR,OAAO,MAAM;YACb,WAAW,KAAK;YAChB;YACA;YACA,cAAc,CAAC,GAAI,SAAS,gBAAgB,CAAA,GAAK,GAAI,KAAK,gBAAgB,CAAA,CAAG;;AAG/E,eAAK,OAAO,KACV,SAAS,SAAS,OAAO,SAAS,KAAK,MAAM,YAAY,MAAM,OAAO,EAAE;AAG1E,gBAAM,KAAK,SAAS,cAAc;YAChC,OAAO;YACP,WAAW;YACX,SAAS,SAAS;YAClB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,OAAO,MAAM;YACb;YACA;YACA;YACA,cAAc,OAAO;YACrB,SAAS,SAAS;YAClB,aAAa,KAAK,eAAe,SAAS;WAC3C;AAED,iBAAO;QACT;MACF;MAEQ,WACN,MACA,UACA,OACA,SAAkC;AAElC,cAAM,eAAc,GAAA,yBAAA,yBAAwB,QAAQ,SAAS;AAC7D,cAAM,cAAc,IAAI,IAAI,QAAQ,WAAW,WAAW,CAAA,CAAE;AAC5D,oBAAY,IAAI,YAAA,YAAY,KAAK,QAAQ,OAAO,KAAK,MAAM,CAAC;AAC5D,oBAAY,IAAI,YAAA,cAAc,KAAK,QAAQ,OAAO,SAAS,OAAO,CAAC;AAEnE,cAAM,YAAY,SAAS,SAAS;AACpC,YAAI,WAAW;AACb,sBAAY,IAAI,YAAA,aAAa,KAAK,QAAQ,OAAO,SAAS,CAAC;QAC7D;AAEA,YAAI,QAAQ,SAAS;AACnB,sBAAY,IAAI,YAAA,cAAc,KAAK,QAAQ,OAAO,QAAQ,OAAO,CAAC;QACpE;AAEA,gBAAO,GAAA,yBAAA,0BACL;UACA,QAAQ,QAAQ,WAAW,SAAS,KAAK,YAAA;UACzC,SAAS;UACT,MAAM,KAAK,eAAe,KAAK;UAC/B,KAAK,QAAQ,WAAW,OAAO,IAAI,WAAW,CAAC;YAE/C,GAAA,yBAAA,2BAA0B,aAAa;UACrC,YAAY;UACZ,SAAS,QAAQ,WAAW,aAAa;UACzC,YAAY,KAAK,eACb;YACE,GAAI,SAAS,WAAW,CAAA;YACxB,OAAO,KAAK;cAEd,SAAS;UACb,eAAe;UACf,WAAW;SACZ,KAAK,CAAA,CAAE;MAEZ;MAEQ,iBAAiB,UAA2B;AAClD,YAAI,CAAC,SAAS,SAAS;AACrB,gBAAM,IAAI,MAAM,mBAAmB;QACrC;AAEA,YAAI,CAAC,SAAS,SAAS,SAAS,MAAM,WAAW,GAAG;AAClD,gBAAM,IAAI,MAAM,sBAAsB;QACxC;AAEA,cAAM,OAAO,oBAAI,IAAG;AACpB,mBAAW,QAAQ,SAAS,OAAO;AACjC,cAAI,CAAC,KAAK,QAAQ;AAChB,kBAAM,IAAI,MAAM,wBAAwB;UAC1C;AAEA,cAAI,CAAC,KAAK,QAAQ;AAChB,kBAAM,IAAI,MAAM,8BAA8B,KAAK,MAAM,EAAE;UAC7D;AAEA,cAAI,KAAK,IAAI,KAAK,MAAM,GAAG;AACzB,kBAAM,IAAI,MAAM,wBAAwB,KAAK,MAAM,EAAE;UACvD;AACA,eAAK,IAAI,KAAK,MAAM;QACtB;AAEA,mBAAW,QAAQ,SAAS,OAAO;AACjC,qBAAW,cAAc,KAAK,aAAa,CAAA,GAAI;AAC7C,gBAAI,CAAC,KAAK,IAAI,UAAU,GAAG;AACzB,oBAAM,IAAI,MACR,iCAAiC,KAAK,MAAM,IAAI,UAAU,EAAE;YAEhE;UACF;QACF;MACF;MAEQ,OACN,MACA,SAAyC;AAEzC,gBAAQ,KAAK,aAAa,CAAA,GAAI,MAAM,CAAC,eAAe,QAAQ,IAAI,UAAU,CAAC;MAC7E;MAEQ,iCACN,SACA,WACA,SAAyC;AAEzC,mBAAW,UAAU,MAAM,KAAK,OAAO,GAAG;AACxC,gBAAM,OAAO,UAAU,IAAI,MAAM;AACjC,cAAI,CAAC,QAAQ,CAAC,KAAK,aAAa,KAAK,UAAU,WAAW;AAAG;AAE7D,gBAAM,oBAAoB,KAAK,UAC5B,IAAI,CAAC,eAAe,QAAQ,IAAI,UAAU,CAAC,EAC3C,OAAO,OAAO;AAEjB,cAAI,kBAAkB,WAAW,KAAK,UAAU;AAAQ;AAExD,gBAAM,aAAa,kBAAkB,KACnC,CAAC,eAAe,WAAW,WAAW,WAAW;AAEnD,cAAI,CAAC;AAAY;AAEjB,kBAAQ,IAAI,KAAK,QAAQ;YACvB,QAAQ,KAAK;YACb,QAAQ,KAAK;YACb,QAAQ;YACR,OAAO;YACP,WAAW,KAAK;YAChB,WAAW,KAAK,IAAG;YACnB,YAAY,KAAK,IAAG;YACpB,cAAc,KAAK;WACpB;AACD,kBAAQ,OAAO,KAAK,MAAM;QAC5B;MACF;MAEQ,oBACN,SACA,WACA,SACA,QACA,OAAa;AAEb,mBAAW,UAAU,SAAS;AAC5B,gBAAM,OAAO,UAAU,IAAI,MAAM;AACjC,cAAI,CAAC;AAAM;AACX,kBAAQ,IAAI,QAAQ;YAClB;YACA,QAAQ,KAAK;YACb;YACA;YACA,WAAW,KAAK;YAChB,WAAW,KAAK,IAAG;YACnB,YAAY,KAAK,IAAG;YACpB,cAAc,KAAK;WACpB;QACH;MACF;MAEQ,aACN,MACA,SACA,WACA,YACA,SAAe;AAEf,cAAM,iBAAiB,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,WAAW,EAAE;AACjF,cAAM,cAAc,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,QAAQ,EAAE;AAC3E,cAAM,eAAe,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,SAAS,EAAE;AAC7E,cAAM,eAAe,QAAQ,OAAO,CAAC,WAAW,OAAO,WAAW,SAAS,EAAE;AAE7E,YAAI,SAA0B;AAC9B,YAAI,cAAc,KAAK,eAAe,KAAK,eAAe,GAAG;AAC3D,mBACE,SAAS,iBAAiB,SAAS,aAC/B,iBAAiB,IACf,YACA,WACF;QACR;AAEA,eAAO;UACL;UACA;UACA;UACA;UACA;UACA;UACA;UACA;UACA;UACA;UACA,UACE,SAAS,WACL;YACE,WAAW;YACX,WAAW;YACX,QAAQ;cAEV;;MAEV;MAEQ,iBACN,OACA,SAAyC;AAEzC,YAAI,OAAO,UAAU,UAAU;AAC7B,cAAI,CAAC,MAAM,WAAW,GAAG;AAAG,mBAAO;AACnC,iBAAO,KAAK,gBAAgB,MAAM,MAAM,CAAC,GAAG,OAAO;QACrD;AAEA,YAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,iBAAO,MAAM,IAAI,CAAC,UAAU,KAAK,iBAAiB,OAAO,OAAO,CAAC;QACnE;AAEA,YAAI,SAAS,OAAO,UAAU,UAAU;AACtC,iBAAO,OAAO,YACZ,OAAO,QAAQ,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM;YAC1C;YACA,KAAK,iBAAiB,OAAO,OAAO;WACrC,CAAC;QAEN;AAEA,eAAO;MACT;MAEQ,gBACNC,OACA,SAAyC;AAEzC,cAAM,CAAC,QAAQ,GAAG,QAAQ,IAAIA,MAAK,MAAM,GAAG;AAC5C,cAAM,SAAS,QAAQ,IAAI,MAAM;AACjC,YAAI,CAAC;AAAQ,iBAAO;AAEpB,YAAI,UAAmB;AACvB,mBAAW,WAAW,UAAU;AAC9B,cAAI,YAAY,UAAa,YAAY;AAAM,mBAAO;AACtD,cAAI,OAAO,YAAY;AAAU,mBAAO;AACxC,oBAAW,QAAoC,OAAO;QACxD;AACA,eAAO;MACT;MAEQ,eAAe,OAAc;AACnC,YAAI,iBAAiB;AAAY,iBAAO;AACxC,YAAI,OAAO,UAAU;AAAU,iBAAO,KAAK,QAAQ,OAAO,KAAK;AAC/D,YAAI,UAAU;AAAW,iBAAO,IAAI,WAAW,CAAC;AAChD,eAAO,KAAK,QAAQ,OAAO,KAAK,UAAU,KAAK,CAAC;MAClD;MAEQ,aAAa,MAAiB;AACpC,YAAI,CAAC,QAAQ,KAAK,WAAW;AAAG,iBAAO;AAEvC,YAAI;AACF,gBAAM,OAAO,KAAK,QAAQ,OAAO,IAAI;AACrC,cAAI;AACF,mBAAO,KAAK,MAAM,IAAI;UACxB,QAAQ;AACN,mBAAO,mBAAmB,KAAK,IAAI,IAAI,OAAO;UAChD;QACF,QAAQ;AACN,iBAAO;QACT;MACF;MAEQ,iBACN,SACA,QACA,QACA,QAAe;AAEf,cAAM,QAAO,GAAA,SAAA,YAAW,QAAQ;AAChC,aAAK,OAAO,OAAO;AACnB,aAAK,OAAO,GAAG;AACf,aAAK,OAAO,MAAM;AAClB,aAAK,OAAO,GAAG;AACf,aAAK,OAAO,OAAO,MAAM;AACzB,aAAK,OAAO,GAAG;AACf,aAAK,OAAO,KAAK,UAAU,UAAU,IAAI,CAAC;AAC1C,eAAO,KAAK,OAAO,KAAK;MAC1B;MAEQ,qBACN,UAA2B;AAE3B,cAAM,iBAAiB,oBAAI,IAAG;AAE9B,mBAAW,QAAQ,SAAS,OAAO;AACjC,qBAAW,WAAW,KAAK,OAAO,aAAa,KAAK,MAAM,GAAG;AAC3D,kBAAM,MAAM,QAAQ,KAAK,IAAI,CAAC,QAAQ,OAAO,GAAG,CAAC,EAAE,KAAI,EAAG,KAAK,GAAG;AAClE,gBAAI,CAAC,eAAe,IAAI,GAAG,GAAG;AAC5B,6BAAe,IAAI,KAAK,OAAO;YACjC;UACF;QACF;AAEA,eAAO,MAAM,KAAK,eAAe,OAAM,CAAE;MAC3C;MAEQ,MAAM,SACZ,UACA,SAA6D;AAE7D,YAAI,CAAC,KAAK;AAAoB;AAC9B,cAAM,KAAK,mBAAmB,SAAS,UAAU,OAAO;MAC1D;;AA1hBW,YAAA,oBAAAD;gCAAAA,qBAAiB,sBAAA,WAAA;OAD7B,GAAA,SAAA,YAAU;MAQN,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;2DADc,gBAAA,iBAAY,eAAZ,gBAAA,kBAAY,aAAA,KAAA,QAAA,QAAA,KAAA,OAEC,8BAAA,8BAAyB,eAAzB,8BAAA,+BAAyB,aAAA,KAAA,MAAA,CAAA;OARtDA,kBAAiB;;;;;AC9B9B;AAAA;AAAA;AAAA;AAAA;AAAA,IAaa,MAkBA;AA/Bb;AAAA;AAaO,IAAM,OAAO;AAAA;AAAA,MAElB,MAAM;AAAA;AAAA,MAEN,UAAU;AAAA;AAAA,MAEV,QAAQ;AAAA;AAAA,MAER,SAAS;AAAA;AAAA,MAET,UAAU;AAAA;AAAA,MAEV,OAAO;AAAA,IACT;AAKO,IAAM,sBAAsB;AAAA;AAAA;;;ACvBnC,SAAS,UAAU,OAAyB;AAC1C,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,CAAC,SAAS,UAAU,IAAI,CAAC;AAAA,EAC5C;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,UAAU,OAAO,QAAQ,KAAgC,EAC5D,OAAO,CAAC,CAAC,EAAE,MAAM,MAAM,WAAW,MAAS,EAC3C,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,MAAM,KAAK,cAAc,KAAK,CAAC;AAEtD,UAAM,aAAsC,CAAC;AAC7C,eAAW,CAAC,KAAK,MAAM,KAAK,SAAS;AACnC,iBAAW,GAAG,IAAI,UAAU,MAAM;AAAA,IACpC;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,oBAAoB,OAAwB;AAC1D,SAAO,KAAK,UAAU,UAAU,KAAK,CAAC;AACxC;AA9BA;AAAA;AAAA;AAAA;;;ACQO,SAAS,kBACd,aACA,cACA,UACA,WACyB;AACzB,QAAM,MAAM,KAAK,IAAI;AAErB,SAAO;AAAA,IACL,GAAG;AAAA,IACH;AAAA,IACA,UAAU,WAAW,SAAS,WAAW,IAAI;AAAA,IAC7C,iBAAiB,UAAU,mBAAmB;AAAA,IAC9C,gBAAgB;AAAA,IAChB;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,mBAAmB,SAA0C;AAC3E,SAAO,KAAK,UAAU,OAAO;AAC/B;AAEO,SAAS,mBACd,KACgC;AAChC,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,QAAI,CAAC,UAAU,OAAO,MAAM,KAAK,CAAC,OAAO,aAAa,IAAI;AACxD,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB,KAAoC;AACrE,MAAI,CAAC,MAAM,QAAQ,GAAG,GAAG;AACvB,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,UAAoC,CAAC;AAC3C,aAAW,aAAa,KAAK;AAC3B,QAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,UAAU,SAAS,GAAG;AACrD;AAAA,IACF;AAEA,UAAM,cAAc,UAAU,CAAC;AAC/B,QAAI,CAAC,MAAM,QAAQ,WAAW,GAAG;AAC/B;AAAA,IACF;AAEA,eAAW,OAAO,aAAa;AAC7B,UAAI,CAAC,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,GAAG;AACzC;AAAA,MACF;AAEA,YAAM,KAAK,OAAO,IAAI,CAAC,CAAC;AACxB,YAAM,SAAS,MAAM,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;AACjD,YAAM,WAAW,YAAY,MAAM;AACnC,YAAM,UAAU,SAAS,IAAI,SAAS;AACtC,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,YAAM,UAAU,mBAAmB,OAAO;AAC1C,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,cAAQ,KAAK,EAAE,IAAI,QAAQ,CAAC;AAAA,IAC9B;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,sBAAsB,KAAoC;AACxE,MAAI,CAAC,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,GAAG;AACzC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,OAAO,MAAM,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;AAC/C,SAAO,mBAAmB,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC;AAC9C;AAEA,SAAS,YAAY,QAAoC;AACvD,QAAME,OAAM,oBAAI,IAAoB;AACpC,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK,GAAG;AACzC,UAAM,MAAM,OAAO,CAAC;AACpB,UAAM,QAAQ,OAAO,IAAI,CAAC;AAC1B,QAAI,QAAQ,UAAa,UAAU,QAAW;AAC5C,MAAAA,KAAI,IAAI,OAAO,GAAG,GAAG,OAAO,KAAK,CAAC;AAAA,IACpC;AAAA,EACF;AACA,SAAOA;AACT;AAzGA;AAAA;AAAA;AAAA;;;ACAA,SAAS,kBAAkB;AAsCpB,SAAS,wBAAwB,KAA8B;AACpE,QAAM,MAA+B;AAAA,IACnC,IAAI,IAAI;AAAA,IACR,SAAS,IAAI;AAAA,IACb,OAAO,IAAI;AAAA,IACX,WAAW,IAAI;AAAA,IACf,IAAI,IAAI;AAAA,IACR,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;AAAA,IACb,WAAW,IAAI;AAAA,IACf,UAAU,IAAI;AAAA,IACd,YAAY,IAAI;AAAA,IAChB,YAAY,IAAI;AAAA,IAChB,YAAY,IAAI;AAAA,IAChB,QAAQ,IAAI,OAAO,IAAI,CAAC,OAAO;AAAA,MAC7B,MAAM,EAAE;AAAA,MACR,QAAQ,EAAE;AAAA,MACV,SAAS,EAAE;AAAA,MACX,OAAO,EAAE;AAAA,MACT,YAAY,EAAE;AAAA,MACd,QAAQ,EAAE;AAAA,MACV,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,IACF,SAAS,IAAI,QAAQ,IAAI,CAAC,OAAO;AAAA,MAC/B,MAAM,EAAE;AAAA,MACR,SAAS,EAAE;AAAA,MACX,WAAW,EAAE;AAAA,MACb,YAAY,EAAE;AAAA,MACd,SAAS,EAAE;AAAA,MACX,MAAM,EAAE;AAAA,IACV,EAAE;AAAA,EACJ;AAEA,SAAO,oBAAoB,GAAG;AAChC;AAKO,SAAS,gBAAgB,KAA8B;AAC5D,QAAM,YAAY,wBAAwB,GAAG;AAC7C,SAAO,WAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAO,KAAK;AAC5D;AAWO,SAAS,qBACd,KACmC;AACnC,MAAI,CAAC,IAAI,YAAY,CAAC,IAAI,OAAO;AAC/B,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,eAAe,IAAI;AAAA,IACnB,aAAa,gBAAgB,GAAG;AAAA,IAChC,UAAU,KAAK,IAAI;AAAA,IACnB,SAAS;AAAA,MACP,QAAQ,IAAI;AAAA,MACZ,SAAS,IAAI;AAAA,MACb,UAAU,IAAI;AAAA,MACd,YAAY,IAAI;AAAA,MAChB,YAAY,IAAI;AAAA,MAChB,aAAa,IAAI,QAAQ;AAAA,MACzB,YAAY,IAAI,OAAO;AAAA,IACzB;AAAA,EACF;AACF;AAjHA;AAAA;AAGA;AAAA;AAAA;;;AC0FO,SAAS,WACd,KACA,UACc;AACd,QAAM,YAAuB,CAAC;AAC9B,MAAI,eAAe;AACnB,MAAI,cAAc;AAKlB;AACA,MAAI,IAAI,SAAS,IAAI,UAAU;AAC7B;AAAA,EACF,OAAO;AACL,cAAU,KAAK;AAAA,MACb,MAAM;AAAA,MACN,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAGA;AACA,MAAI,IAAI,OAAO,SAAS,GAAG;AACzB;AAAA,EACF,OAAO;AACL,cAAU,KAAK;AAAA,MACb,MAAM;AAAA,MACN,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAGA;AACA,QAAM,eAAe,IAAI,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM;AACjE,MAAI,aAAa,WAAW,KAAK,IAAI,aAAa,QAAQ;AACxD;AAAA,EACF,OAAO;AACL,eAAW,SAAS,cAAc;AAChC,gBAAU,KAAK;AAAA,QACb,MAAM;AAAA,QACN,OAAO;AAAA,QACP,SAAS,UAAU,MAAM,IAAI,aAAa,MAAM,UAAU,SAAS;AAAA,QACnE,OAAO,UAAU,MAAM,IAAI;AAAA,MAC7B,CAAC;AAAA,IACH;AAAA,EACF;AAGA;AACA,QAAM,iBAAiB,IAAI,QAAQ,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC;AACjE,MAAI,eAAe,WAAW,GAAG;AAC/B;AAAA,EACF,OAAO;AACL,cAAU,KAAK;AAAA,MACb,MAAM;AAAA,MACN,OAAO;AAAA,MACP,SAAS,GAAG,eAAe,MAAM;AAAA,IACnC,CAAC;AAAA,EACH;AAGA;AACA,MAAI,IAAI,eAAe,UAAa,IAAI,cAAc,KAAK,IAAI,aAAa,KAAS;AACnF;AAAA,EACF,OAAO;AACL,cAAU,KAAK;AAAA,MACb,MAAM;AAAA,MACN,OAAO;AAAA,MACP,SAAS,wBAAwB,IAAI,UAAU;AAAA,MAC/C,QAAQ,IAAI;AAAA,IACd,CAAC;AAAA,EACH;AAIA,MAAI,UAAU;AAEZ,QAAI,SAAS,aAAa,QAAW;AACnC;AACA,UAAI,IAAI,aAAa,SAAS,UAAU;AACtC;AAAA,MACF,OAAO;AACL,kBAAU,KAAK;AAAA,UACb,MAAM;AAAA,UACN,OAAO;AAAA,UACP,SAAS,sBAAsB,SAAS,QAAQ,WAAW,IAAI,QAAQ;AAAA,UACvE,OAAO;AAAA,UACP,UAAU,SAAS;AAAA,UACnB,QAAQ,IAAI;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,SAAS,eAAe,QAAW;AACrC;AACA,UAAI,IAAI,eAAe,SAAS,YAAY;AAC1C;AAAA,MACF,OAAO;AACL,kBAAU,KAAK;AAAA,UACb,MAAM;AAAA,UACN,OAAO;AAAA,UACP,SAAS,mBAAmB,SAAS,UAAU,SAAS,IAAI,UAAU;AAAA,UACtE,OAAO;AAAA,UACP,UAAU,SAAS;AAAA,UACnB,QAAQ,IAAI;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,SAAS,WAAW,QAAW;AACjC;AACA,UAAI,IAAI,eAAe,SAAS,UAAU,IAAI,OAAO,WAAW,SAAS,QAAQ;AAC/E;AAAA,MACF,OAAO;AACL,kBAAU,KAAK;AAAA,UACb,MAAM;AAAA,UACN,OAAO;AAAA,UACP,SAAS,oBAAoB,SAAS,MAAM,WAAW,IAAI,UAAU;AAAA,UACrE,OAAO;AAAA,UACP,UAAU,SAAS;AAAA,UACnB,QAAQ,IAAI;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,SAAS,kBAAkB,QAAW;AACxC;AACA,UAAI,IAAI,eAAe,UAAa,IAAI,cAAc,SAAS,eAAe;AAC5E;AAAA,MACF,OAAO;AACL,kBAAU,KAAK;AAAA,UACb,MAAM;AAAA,UACN,OAAO;AAAA,UACP,SAAS,kBAAkB,IAAI,UAAU,mBAAmB,SAAS,aAAa;AAAA,UAClF,OAAO;AAAA,UACP,UAAU,SAAS;AAAA,UACnB,QAAQ,IAAI;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,SAAS,qBAAqB,QAAW;AAC3C;AACA,YAAM,SAAS,IAAI,QAAQ,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE;AACpD,UAAI,UAAU,SAAS,kBAAkB;AACvC;AAAA,MACF,OAAO;AACL,kBAAU,KAAK;AAAA,UACb,MAAM;AAAA,UACN,OAAO;AAAA,UACP,SAAS,QAAQ,MAAM,qCAAqC,SAAS,gBAAgB;AAAA,UACrF,OAAO;AAAA,UACP,UAAU,SAAS;AAAA,UACnB,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,SAAS,YAAY;AACvB,iBAAW,CAAC,KAAK,aAAa,KAAK,OAAO,QAAQ,SAAS,UAAU,GAAG;AACtE;AACA,cAAM,cAAc,IAAI,MAAM,GAAG;AACjC,YAAI,UAAU,aAAa,aAAa,GAAG;AACzC;AAAA,QACF,OAAO;AACL,oBAAU,KAAK;AAAA,YACb,MAAM;AAAA,YACN,OAAO;AAAA,YACP,SAAS,8BAA8B,GAAG;AAAA,YAC1C,OAAO,SAAS,GAAG;AAAA,YACnB,UAAU;AAAA,YACV,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAIA,QAAM,aAAa,cAAc,IAAI,eAAe,cAAc;AAClE,QAAM,cAAc,UAAU,KAAK,CAAC,MAAM,EAAE,UAAU,UAAU;AAChE,QAAM,SAAS,mBAAmB,YAAY,aAAa,UAAU,MAAM;AAC3E,QAAM,SAAS,WAAW,eAAgB,WAAW,aAAa,CAAC;AAEnE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,KAAK,IAAI;AAAA,IACrB;AAAA,EACF;AACF;AAEA,SAAS,mBACP,YACA,aACA,cACa;AACb,MAAI,YAAa,QAAO;AACxB,MAAI,eAAe,EAAK,QAAO;AAC/B,MAAI,cAAc,IAAK,QAAO;AAC9B,MAAI,cAAc,IAAK,QAAO;AAC9B,SAAO;AACT;AAeO,SAAS,kBACd,KACA,UACc;AACd,QAAM,UAAU,WAAW,KAAK,QAAQ;AACxC,SAAO,EAAE,aAAa,KAAK,QAAQ;AACrC;AAMA,SAAS,UAAU,GAAY,GAAqB;AAClD,MAAI,MAAM,EAAG,QAAO;AACpB,MAAI,MAAM,QAAQ,MAAM,KAAM,QAAO;AACrC,MAAI,OAAO,MAAM,OAAO,EAAG,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO,OAAO,CAAC,MAAM,OAAO,CAAC;AAExD,MAAI,MAAM,QAAQ,CAAC,KAAK,MAAM,QAAQ,CAAC,GAAG;AACxC,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,WAAO,EAAE,MAAM,CAAC,GAAG,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,CAAC;AAAA,EAC7C;AAEA,MAAI,MAAM,QAAQ,CAAC,MAAM,MAAM,QAAQ,CAAC,EAAG,QAAO;AAElD,QAAM,QAAQ,OAAO,KAAK,CAA4B;AACtD,QAAM,QAAQ,OAAO,KAAK,CAA4B;AACtD,MAAI,MAAM,WAAW,MAAM,OAAQ,QAAO;AAE1C,SAAO,MAAM;AAAA,IAAM,CAAC,QAClB;AAAA,MACG,EAA8B,GAAG;AAAA,MACjC,EAA8B,GAAG;AAAA,IACpC;AAAA,EACF;AACF;AArWA;AAAA;AAAA;AAAA;;;ACuDO,SAAS,eACd,KACA,UACiB;AAEjB,MAAI,CAAC,SAAS,UAAU,OAAO,SAAS,WAAW,UAAU;AAC3D,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,MAAI,SAAS,OAAO,CAAC,SAAS,QAAQ,SAAS,KAAK,WAAW,IAAI;AACjE,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAGA,MAAI,SAAS,QAAQ,SAAS,KAAK,SAAS,cAAc;AACxD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ,yBAAyB,YAAY;AAAA,IAC/C;AAAA,EACF;AAGA,MAAI,SAAS,SAAS;AACpB,eAAW,OAAO,yBAAyB;AACzC,UAAI,SAAS,QAAQ,IAAI,GAAG,GAAG;AAC7B,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,QAAQ,+CAA+C,GAAG;AAAA,QAC5D;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MACE,SAAS,OAAO,SAAS,QAAQ,KACjC,SAAS,OAAO,SAAS,OAAO,KAChC,SAAS,OAAO,SAAS,MAAM,GAC/B;AACA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,KAAK;AACxB;AAjHA,IAsCM,yBAqFO;AA3Hb;AAAA;AAAA;AAsCA,IAAM,0BAA0B,CAAC,GAAG,GAAG,CAAC;AAqFjC,IAAM,mBAAqC;AAAA;AAAA;;;AC3HlD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,cAAc,cAAc,oBAAoB;AAAzD;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,YAAY,OAAO;AAGnB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAPP,IAgBa;AAhBb;AAAA;AAgBO,IAAM,aAA6C,SAAO;AAAA;AAAA,MAE/D,OAAS,SAAO,EAAE,IAAI,EAAE,YAAY;AAAA;AAAA,MAEpC,SAAW;AAAA,QACP,SAAO;AAAA,QACP,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,MACrD;AAAA;AAAA,MAEA,MAAQ,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA;AAAA,MAEzD,KAAO,SAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,IAC1D,CAAC;AAAA;AAAA;;;AC5BD,YAAYC,aAAY;AAgBjB,SAAS,wBAAwB,OAA0B;AAChE,SAAO,OAAO,KAAK,cAAc,KAAK,CAAC;AACzC;AAWO,SAAS,UAAU,OAAkB,YAA4B;AACtE,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AAGJ,MAAI,WAAW,WAAW,IAAI;AAG5B,UAAM,cAAc,OAAO,KAAK;AAAA,MAC9B;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,MAClE;AAAA,MAAM;AAAA,MAAM;AAAA,MAAM;AAAA,IACpB,CAAC;AACD,UAAM,WAAW,OAAO,OAAO,CAAC,aAAa,UAAU,CAAC;AAExD,gBAAmB,yBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH,OAAO;AAEL,gBAAmB,yBAAiB;AAAA,MAClC,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,YAAmB,aAAK,MAAM,SAAS,SAAS;AAEtD,MAAI,UAAU,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO;AACT;AAWO,SAAS,qBACd,OACA,WACS;AACT,MAAI,MAAM,IAAI,WAAW,GAAG;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,WAAW,IAAI;AAC3B,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,UAAU,wBAAwB,KAAK;AAE7C,MAAI;AACF,QAAI;AAGJ,QAAI,UAAU,WAAW,IAAI;AAG3B,YAAM,aAAa,OAAO,KAAK;AAAA,QAC7B;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,QAAM;AAAA,MACpE,CAAC;AACD,YAAM,UAAU,OAAO,OAAO,CAAC,YAAY,SAAS,CAAC;AAErD,kBAAmB,wBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH,OAAO;AAEL,kBAAmB,wBAAgB;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,UAAM,QAAe;AAAA,MACnB;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,KAAK,MAAM,GAAG;AAAA,IACvB;AACA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;AAQO,SAAS,yBAGd;AACA,QAAM,EAAE,YAAY,UAAU,IAAW,4BAAoB,SAAS;AAEtE,SAAO;AAAA,IACL,YAAY,WAAW,OAAO,EAAE,MAAM,SAAS,QAAQ,MAAM,CAAC;AAAA,IAC9D,WAAW,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AAAA,EAC7D;AACF;AAQO,SAASC,QAAO,MAAmC;AACxD,SAAc,mBAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AACzD;AAUO,SAAS,mBACd,cACA,UACQ;AACR,QAAM,SAAgB,mBAAW,QAAQ;AACzC,SAAO,OAAO,YAAY;AAE1B,MAAI,YAAY,SAAS,SAAS,GAAG;AACnC,WAAO,OAAO,QAAQ;AAAA,EACxB;AAEA,SAAO,OAAO,OAAO;AACvB;AAhLA;AAAA;AAEA;AAAA;AAAA;;;ACFA,IAGa,UAYA;AAfb;AAAA;AAGO,IAAM,WAAW;AAAA,MACtB,WAAW;AAAA;AAAA,MACX,cAAc;AAAA;AAAA,MACd,YAAY;AAAA;AAAA,MACZ,OAAO;AAAA;AAAA,MACP,OAAO;AAAA;AAAA,MACP,WAAW;AAAA;AAAA,MACX,WAAW;AAAA;AAAA,MACX,UAAU;AAAA;AAAA,IACZ;AAGO,IAAM,cAAc;AAAA,MACzB,2BAA2B;AAAA,MAC3B,2BAA2B;AAAA,MAE3B,0BAA0B;AAAA,MAC1B,0BAA0B;AAAA,MAE1B,8BAA8B;AAAA,MAC9B,8BAA8B;AAAA,MAE9B,6BAA6B;AAAA,MAC7B,6BAA6B;AAAA,IAC/B;AAAA;AAAA;;;AC3BA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAYA,SAAS,cAAAC,mBAA+B;AA4DjC,SAAS,cAAc,GAA4B;AACxD,MAAI,IAAI,OAAO,MAAM,WAAW,IAAI,OAAO,CAAC;AAC5C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,qCAAqC;AAEjE,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,cACd,KACA,QACA,SAAqB,gBACiC;AACtD,MAAI,IAAI;AACR,MAAI,QAAQ;AACZ,QAAM,QAAQ;AAEd,WAAS,IAAI,GAAG,IAAI,OAAO,gBAAgB,KAAK;AAC9C,QAAI,UAAU,IAAI,OAAQ,OAAM,IAAI,MAAM,0BAA0B;AACpE,UAAM,IAAI,IAAI,QAAQ;AACtB,SAAK,OAAO,IAAI,GAAI,KAAK;AAEzB,SAAK,IAAI,SAAU,GAAG;AACpB,YAAM,YAAY,SAAS;AAI3B,YAAM,KAAK,cAAc,CAAC;AAC1B,YAAM,WAAW,IAAI,SAAS,OAAO,MAAM;AAC3C,UAAI,CAAC,GAAG,OAAO,QAAQ;AACrB,cAAM,IAAI,MAAM,mCAAmC;AAErD,aAAO,EAAE,OAAO,GAAG,QAAQ,UAAU;AAAA,IACvC;AAEA,aAAS;AAAA,EACX;AAEA,QAAM,IAAI,MAAM,yBAAyB;AAC3C;AAMO,SAAS,YAAY,GAAmB;AAC7C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,mCAAmC;AAC/D,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,YAAY,KAAqB;AAC/C,MAAI,IAAI,WAAW,EAAG,OAAM,IAAI,MAAM,+BAA+B;AACrE,SAAO,IAAI,gBAAgB,CAAC;AAC9B;AAEO,SAASD,QAAO,MAAsB;AAC3C,SAAOC,YAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO;AAClD;AAMO,SAAS,UAAU,KAAa,OAAuB;AAC5D,MAAI,CAAC,OAAO,UAAU,GAAG,KAAK,OAAO;AACnC,UAAM,IAAI,MAAM,qCAAqC;AACvD,QAAM,IAAI,cAAc,GAAG;AAC3B,QAAM,IAAI,cAAc,MAAM,MAAM;AACpC,SAAO,OAAO,OAAO,CAAC,GAAG,GAAG,KAAK,CAAC;AACpC;AAEO,SAAS,yBAAyB,SAA+B;AAEtE,QAAM,SAAS,CAAC,GAAG,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;AAIxD,QAAM,QAAkB,CAAC;AACzB,aAAW,KAAK,OAAQ,OAAM,KAAK,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC;AAC5D,SAAO,OAAO,OAAO,KAAK;AAC5B;AAEO,SAAS,gBACd,QACA,SAAqB,gBACP;AACd,QAAM,MAAoB,CAAC;AAC3B,MAAI,MAAM;AAEV,SAAO,MAAM,OAAO,QAAQ;AAC1B,QAAI,IAAI,UAAU,OAAO;AACvB,YAAM,IAAI,MAAM,gCAAgC;AAElD,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,UAAM,SAAS,cAAc,QAAQ,KAAK,MAAM;AAChD,UAAM,MAAM,OAAO,OAAO,KAAK;AAC/B,UAAM,OAAO;AAEb,QAAI,MAAM,EAAG,OAAM,IAAI,MAAM,kCAAkC;AAC/D,QAAI,MAAM,OAAO;AACf,YAAM,IAAI,MAAM,kCAAkC;AACpD,QAAI,MAAM,MAAM,OAAO;AACrB,YAAM,IAAI,MAAM,kCAAkC;AAEpD,UAAM,QAAQ,OAAO,SAAS,KAAK,MAAM,GAAG;AAC5C,WAAO;AAEP,QAAI,KAAK,EAAE,KAAK,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC;AAAA,EAC7C;AAGA,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,QAAI,IAAI,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC,EAAE;AAC1B,YAAM,IAAI,MAAM,0CAA0C;AAAA,EAC9D;AAEA,SAAO;AACT;AAEO,SAAS,UAAU,SAAsC;AAC9D,QAAM,IAAmB,oBAAI,IAAI;AACjC,aAAW,KAAK,SAAS;AACvB,UAAM,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC;AAC7B,QAAI,KAAK,EAAE,KAAK;AAChB,MAAE,IAAI,EAAE,KAAK,GAAG;AAAA,EAClB;AACA,SAAO;AACT;AAQO,SAAS,0BACd,QACA,MACA,QAAQ,GACR,SAAqB,gBACf;AACN,MAAI,QAAQ,KAAK,IAAI,OAAO,iBAAiB,OAAO,eAAe,GAAG;AACpE,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,OAAO,gBAAgB,UAAU,IAAI,IAAI,OAAO,cAAc;AAChE,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,QAAQ,oBAAI,IAA0B;AAC5C,aAAW,KAAK,MAAM;AACpB,QAAI,CAAC,MAAM,IAAI,EAAE,GAAG,EAAG,OAAM,IAAI,EAAE,KAAK,CAAC,CAAC;AAC1C,UAAM,IAAI,EAAE,GAAG,EAAG,KAAK,CAAC;AAAA,EAC1B;AAEA,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAGxE,MAAI,OAAO,QAAQ;AACjB,eAAW,OAAO,MAAM,KAAK,GAAG;AAC9B,UAAI,CAAC,WAAW,IAAI,GAAG;AACrB,cAAM,IAAI,MAAM,0CAA0C,GAAG,EAAE;AAAA,IACnE;AAAA,EACF;AAGA,aAAW,KAAK,OAAO,QAAQ;AAC7B,UAAM,OAAO,MAAM,IAAI,EAAE,GAAG,KAAK,CAAC;AAClC,QAAI,EAAE,YAAY,KAAK,WAAW;AAChC,YAAM,IAAI,MAAM,sCAAsC,EAAE,IAAI,EAAE;AAEhE,QAAI,CAAC,EAAE,YAAY,KAAK,SAAS,GAAG;AAClC,YAAM,IAAI;AAAA,QACR,4DAA4D,EAAE,IAAI;AAAA,MACpE;AAAA,IACF;AAGA,QAAI,OAAO,EAAE,WAAW,UAAU;AAChC,iBAAW,KAAK,MAAM;AACpB,YAAI,EAAE,MAAM,SAAS,EAAE;AACrB,gBAAM,IAAI,MAAM,8BAA8B,EAAE,IAAI,WAAW;AAAA,MACnE;AAAA,IACF;AAGA,eAAW,KAAK,MAAM;AACpB,cAAQ,EAAE,MAAM;AAAA,QACd,KAAK;AACH,cAAI,EAAE,MAAM,WAAW;AACrB,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF;AAAA,QACF,KAAK,UAAU;AACb,cAAI,CAAC,EAAE;AACL,kBAAM,IAAI;AAAA,cACR,8BAA8B,EAAE,IAAI;AAAA,YACtC;AACF,gBAAM,aAAa,gBAAgB,EAAE,OAAO,MAAM;AAClD;AAAA,YACE,EAAE;AAAA,YACF;AAAA,YACA,QAAQ;AAAA,YACR;AAAA,UACF;AACA;AAAA,QACF;AAAA,QACA;AAEE;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,UAAU,MAA4B;AAE7C,MAAI,IAAI;AACR,aAAW,KAAK,MAAM;AACpB,SACE,cAAc,EAAE,GAAG,EAAE,SACrB,cAAc,EAAE,MAAM,MAAM,EAAE,SAC9B,EAAE,MAAM;AAAA,EACZ;AACA,SAAO;AACT;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACP;AACd,MAAI,KAAK,aAAa,OAAO;AAC3B,UAAM,IAAI,MAAM,sCAAsC;AAExD,QAAM,eAAe,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAU,CAAC;AAC3E,QAAM,OAAqB,CAAC;AAE5B,aAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,GAAG;AAC3D,UAAM,IAAI,aAAa,IAAI,IAAI;AAC/B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,oCAAoC,IAAI,EAAE;AAC5D;AAAA,IACF;AAEA,UAAM,UAAU,CAAC,MAAW;AAC1B,YAAM,WAAW,iBAAiB,GAAG,GAAG,MAAM;AAC9C,UAAI,SAAS,SAAS,OAAO;AAC3B,cAAM,IAAI,MAAM,oCAAoC;AACtD,WAAK,KAAK,EAAE,KAAK,EAAE,KAAK,OAAO,SAAS,CAAC;AAAA,IAC3C;AAEA,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,GAAG;AACpB,cAAM,IAAI;AAAA,UACR,qCAAqC,IAAI;AAAA,QAC3C;AACF,iBAAW,QAAQ,IAAK,SAAQ,IAAI;AAAA,IACtC,OAAO;AACL,cAAQ,GAAG;AAAA,IACb;AAAA,EACF;AAKA,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAGjD,SAAO;AACT;AAEA,SAAS,iBACP,GACA,KACA,QACQ;AACR,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,UAAI,OAAO,SAAS,GAAG,EAAG,QAAO,OAAO,KAAK,GAAG;AAChD,UAAI,eAAe,WAAY,QAAO,OAAO,KAAK,GAAG;AACrD,YAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,gBAAgB;AAAA,IAC7D,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,OAAO,KAAK,KAAK,MAAM;AAAA,IAChC,KAAK;AACH,UAAI,OAAO,QAAQ,YAAY,OAAO,QAAQ;AAC5C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,wBAAwB;AACrE,aAAO,cAAc,GAAG;AAAA,IAC1B,KAAK;AACH,UAAI,OAAO,QAAQ;AACjB,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,aAAO,YAAY,GAAG;AAAA,IACxB,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AAEpE,YAAM,eACJ,OAAO,OAAO,QAAQ,YAAY,YAAY,MACzC,IAAY,SACb;AACN,UAAI,CAAC,gBAAgB,OAAO,iBAAiB;AAC3C,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,iBAAiB;AAC9D,YAAM,aAA0B;AAAA,QAC9B,UAAU,EAAE,aAAa;AAAA,QACzB,QAAQ;AAAA,MACV;AACA,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,YAAM,cAAc,yBAAyB,UAAU;AAEvD,YAAM,KAAK,gBAAgB,aAAa,MAAM;AAC9C,gCAA0B,EAAE,cAAc,IAAI,GAAG,MAAM;AACvD,aAAO;AAAA,IACT;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAEO,SAAS,kBACd,QACA,MACA,SAAqB,gBACR;AAEb,4BAA0B,QAAQ,MAAM,GAAG,MAAM;AAEjD,QAAM,SAA8B,CAAC;AACrC,QAAM,aAAa,IAAI,IAAI,OAAO,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAU,CAAC;AAExE,aAAW,KAAK,MAAM;AACpB,UAAM,IAAI,WAAW,IAAI,EAAE,GAAG;AAC9B,QAAI,CAAC,GAAG;AACN,UAAI,OAAO;AACT,cAAM,IAAI,MAAM,kCAAkC,EAAE,GAAG,EAAE;AAC3D;AAAA,IACF;AAEA,UAAM,UAAU,iBAAiB,GAAG,EAAE,OAAO,MAAM;AAEnD,QAAI,EAAE,UAAU;AACd,UAAI,CAAC,MAAM,QAAQ,OAAO,EAAE,IAAI,CAAC,EAAG,QAAO,EAAE,IAAI,IAAI,CAAC;AACtD,aAAO,EAAE,IAAI,EAAE,KAAK,OAAO;AAAA,IAC7B,OAAO;AACL,aAAO,EAAE,IAAI,IAAI;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,OAAO,UAAU,OAAO;AAC7C;AAEA,SAAS,iBACP,GACA,OACA,QACK;AACL,UAAQ,EAAE,MAAM;AAAA,IACd,KAAK;AACH,aAAO,OAAO,KAAK,KAAK;AAAA,IAC1B,KAAK;AACH,aAAO,MAAM,SAAS,MAAM;AAAA,IAC9B,KAAK,WAAW;AACd,YAAM,IAAI,cAAc,OAAO,GAAG,MAAM;AACxC,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,qBAAqB,EAAE,IAAI;AAAA,QAC7B;AAEF,YAAM,QAAQ,OAAO,EAAE,KAAK;AAC5B,aAAO,OAAO,cAAc,KAAK,IAAI,QAAQ,EAAE;AAAA,IACjD;AAAA,IACA,KAAK;AACH,aAAO,YAAY,KAAK;AAAA,IAC1B,KAAK,UAAU;AACb,UAAI,CAAC,EAAE;AACL,cAAM,IAAI,MAAM,qBAAqB,EAAE,IAAI,uBAAuB;AACpE,YAAM,aAAa,gBAAgB,OAAO,MAAM;AAGhD,YAAM,aAAa,kBAAkB,EAAE,cAAc,YAAY,MAAM;AACvE,aAAO,WAAW;AAAA,IACpB;AAAA,IACA;AACE,YAAM,IAAI,MAAM,sCAAuC,EAAU,IAAI,EAAE;AAAA,EAC3E;AACF;AAqCO,SAAS,uBAAuB,KAAsC;AAC3E,MAAI,IAAI,MAAM,eAAe;AAC3B,UAAM,IAAI,MAAM,gDAAgD;AAClE,MAAI,IAAI,SAAS,eAAe;AAC9B,UAAM,IAAI,MAAM,mDAAmD;AACrE,MAAI,IAAI,WAAW,IAAI,QAAQ,eAAe;AAC5C,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,OAAqB;AAAA,IACzB,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,cAAc,OAAO,OAAO,KAAK,IAAI,UAAU,EAAE;AAAA,IACjE,EAAE,KAAK,SAAS,OAAO,OAAO,OAAO,KAAK,IAAI,KAAK,EAAE;AAAA,IACrD,EAAE,KAAK,SAAS,OAAO,OAAO,YAAY,IAAI,IAAI,EAAE;AAAA,IACpD,EAAE,KAAK,SAAS,WAAW,OAAO,cAAc,IAAI,QAAQ,EAAE;AAAA,IAC9D,EAAE,KAAK,SAAS,WAAW,OAAO,OAAO,KAAK,IAAI,QAAQ,EAAE;AAAA,EAC9D;AAEA,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,YAAY,OAAO,OAAO,KAAK,IAAI,SAAS,EAAE,CAAC;AAC3E,MAAI,IAAI;AACN,SAAK,KAAK,EAAE,KAAK,SAAS,UAAU,OAAO,OAAO,KAAK,IAAI,OAAO,EAAE,CAAC;AAEvE,SAAO;AACT;AAEO,SAAS,yBACd,SACA,SAAqB,gBACF;AAEnB,QAAM,IAAI,UAAU,OAAO;AAE3B,QAAM,OAAO,CAAC,QAAgB;AAC5B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,OAAO,IAAI,WAAW;AACzB,YAAM,IAAI;AAAA,QACR,oDAAoD,GAAG;AAAA,MACzD;AACF,WAAO,IAAI,CAAC;AAAA,EACd;AACA,QAAM,UAAU,CAAC,QAAgB;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG;AACrB,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,IAAI,WAAW;AACjB,YAAM,IAAI,MAAM,4CAA4C,GAAG,EAAE;AACnE,WAAO,IAAI,CAAC;AAAA,EACd;AAEA,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,cAAc,cAAc,KAAK,SAAS,SAAS,GAAG,GAAG,MAAM;AACrE,MAAI,YAAY,WAAW,KAAK,SAAS,SAAS,EAAE;AAClD,UAAM,IAAI,MAAM,oDAAoD;AAEtE,QAAM,KAAK,YAAY,KAAK,SAAS,KAAK,CAAC;AAE3C,QAAM,QAAQ,KAAK,SAAS,KAAK;AACjC,MAAI,MAAM,WAAW;AACnB,UAAM,IAAI,MAAM,kDAAkD;AAEpE,QAAM,WAAW,KAAK,SAAS,SAAS;AACxC,MAAI,SAAS,WAAW;AACtB,UAAM,IAAI,MAAM,sDAAsD;AAExE,QAAM,QAAQ,QAAQ,SAAS,QAAQ;AACvC,MAAI,SAAS,MAAM,WAAW;AAC5B,UAAM,IAAI,MAAM,qDAAqD;AAEvE,SAAO;AAAA,IACL,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,YAAY,OAAO,KAAK,KAAK,SAAS,YAAY,CAAC;AAAA,IACnD,WAAW,QAAQ,SAAS,UAAU,IAClC,OAAO,KAAK,QAAQ,SAAS,UAAU,CAAE,IACzC;AAAA,IACJ,OAAO,OAAO,KAAK,KAAK;AAAA,IACxB,MAAM;AAAA,IACN,UAAU,OAAO,YAAY,KAAK;AAAA,IAClC,UAAU,OAAO,KAAK,QAAQ;AAAA,IAC9B,SAAS,QAAQ,OAAO,KAAK,KAAK,IAAI;AAAA,EACxC;AACF;AAMO,SAAS,wBACd,QACA,KAGA,SAAqB,gBACsC;AAE3D,QAAM,WAAW,kBAAkB,QAAQ,IAAI,MAAM,MAAM;AAC3D,QAAM,YAAY,yBAAyB,QAAQ;AAGnD,QAAM,WAAWD,QAAO,SAAS;AAGjC,QAAM,MAAyB;AAAA,IAC7B,GAAG,IAAI;AAAA,IACP,UAAU,OAAO;AAAA,IACjB;AAAA,EACF;AACA,QAAM,UAAU,uBAAuB,GAAG;AAC1C,QAAM,WAAW,yBAAyB,OAAO;AAEjD,SAAO,EAAE,UAAU,WAAW,SAAS;AACzC;AAEO,SAAS,wBACd,QACA,UACA,WACA,SAAqB,gBACwD;AAC7E,QAAM,UAAU,gBAAgB,UAAU,MAAM;AAChD,QAAM,WAAW,gBAAgB,WAAW,MAAM;AAElD,QAAM,MAAM,yBAAyB,SAAS,MAAM;AAGpD,MAAI,IAAI,aAAa,OAAO;AAC1B,UAAM,IAAI,MAAM,4CAA4C;AAG9D,QAAM,KAAKA,QAAO,SAAS;AAC3B,MAAI,CAAC,OAAO,KAAK,IAAI,QAAQ,EAAE,OAAO,EAAE;AACtC,UAAM,IAAI,MAAM,6CAA6C;AAG/D,QAAM,OAAO,kBAAkB,QAAQ,UAAU,MAAM;AAEvD,QAAM,cAA+B;AAAA,IACnC,SAAS,UAAU,OAAO;AAAA,IAC1B,UAAU,UAAU,QAAQ;AAAA,IAC5B,UAAU,IAAI;AAAA,IACd,UAAU,IAAI;AAAA,EAChB;AAEA,SAAO,EAAE,KAAK,MAAM,YAAY;AAClC;AA5oBA,IA6Da,gBA+ZA,UAsLA,0BAYA,mCAUA;AAxqBb;AAAA;AA6DO,IAAM,iBAA6B;AAAA,MACxC,gBAAgB;AAAA,MAChB,aAAa;AAAA,MACb,eAAe;AAAA;AAAA,MACf,iBAAiB;AAAA,IACnB;AA0ZO,IAAM,WAAW;AAAA,MACtB,WAAW;AAAA,MACX,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,OAAO;AAAA,MACP,OAAO;AAAA,MACP,WAAW;AAAA,MACX,WAAW;AAAA,MACX,UAAU;AAAA,IACZ;AA6KO,IAAM,2BAAiD;AAAA,MAC5D,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,SAAS,UAAU,MAAM,QAAQ,IAAI;AAAA,QACvE,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,QAC/D,EAAE,KAAK,GAAG,MAAM,MAAM,MAAM,QAAQ,UAAU,MAAM,QAAQ,GAAG;AAAA,MACjE;AAAA,IACF;AAEO,IAAM,oCAA0D;AAAA,MACrE,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,MACxE;AAAA,IACF;AAEO,IAAM,gCAAsD;AAAA,MACjE,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACtE;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,cAAc;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACjrBO,SAAS,aAAa,QASlB;AACT,QAAM,MAA8B;AAAA,IAClC,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO;AAAA,IACjB,YAAY,OAAO,cAAc,OAAO,MAAM,CAAC;AAAA,IAC/C,WAAW,OAAO;AAAA,IAClB,OAAO,OAAO,SAAS,UAAQ,QAAQ,EAAE,YAAY,EAAE;AAAA,IACvD,MAAM,OAAO,QAAQ,OAAO,KAAK,IAAI,CAAC;AAAA,IACtC,UAAU,OAAO,YAAY,OAAO,MAAM,EAAE;AAAA,IAC5C,SAAS,OAAO;AAAA,EAClB;AAEA,QAAM,OAAY,uBAAuB,GAAG;AAC5C,SAAY,yBAAyB,IAAI;AAC3C;AAOO,SAAS,2BAA2B,QAMxC;AACD,QAAM,WAAgB;AAAA,IACf;AAAA,IACL;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBE,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,WAAW,OAAO;AAAA,IAClB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,6BAA6B,MAAc;AACzD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACd;AAAA,IACL;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAmDO,SAAS,8BAA8B,QAK3C;AACD,QAAM,WAAgB;AAAA,IACpB;AAAA,IACA;AAAA,MACE,UAAU,YAAY;AAAA,MACtB,QAAQ,EAAE,UAAU,OAAO,SAAS;AAAA,IACtC;AAAA,EACF;AACA,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,gCAAgC,MAAc;AAC5D,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,SAAO,EAAE,UAAU,QAAQ,OAAO,SAAmB;AACvD;AAKO,SAAS,0BAA0B,QAUvC;AACD,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,UAAU,OAAO;AAAA,MACjB,cAAc,OAAO;AAAA,MACrB,gBAAgB,OAAO;AAAA,MACvB,mBAAmB,OAAO;AAAA,MAC1B,WAAW,OAAO;AAAA,MAClB,YAAY,OAAO;AAAA,IACrB;AAAA,EACF,CAAC;AAED,QAAM,OAAY,yBAAyB,QAAQ;AACnD,QAAM,WAAgBA,QAAO,IAAI;AAEjC,QAAM,MAAM,aAAa;AAAA,IACvB,UAAU,OAAO;AAAA,IACjB,UAAU,YAAY;AAAA,IACtB,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,CAAC;AAED,SAAO,EAAE,KAAK,KAAK;AACrB;AAEO,SAAS,4BAA4B,MAAc;AACxD,QAAM,OAAY,gBAAgB,IAAI;AACtC,QAAM,UAAe;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AACA,QAAM,IAAI,QAAQ;AAElB,SAAO;AAAA,IACL,UAAU,EAAE;AAAA,IACZ,cAAc,EAAE;AAAA,IAChB,gBAAgB,EAAE;AAAA,IAClB,mBAAmB,EAAE;AAAA,IACrB,WAAW,EAAE;AAAA,IACb,YAAY,EAAE;AAAA,EAChB;AACF;AA4BO,SAAS,2BAA2B,QAMhC;AACT,QAAM,SAA8B;AAAA,IAClC,WAAW,OAAO;AAAA,EACpB;AACA,MAAI,OAAO,YAAY,OAAW,QAAO,UAAU,OAAO;AAC1D,MAAI,OAAO,KAAM,QAAO,OAAO,OAAO;AACtC,MAAI,OAAO;AACT,WAAO,mBAAmB,OAAO;AACnC,MAAI,OAAO;AACT,WAAO,uBAAuB,KAAK,UAAU,OAAO,gBAAgB;AAEtE,QAAM,WAAgB,kBAAkB,mCAAmC;AAAA,IACzE,UAAU,YAAY;AAAA,IACtB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;AAsBO,SAAS,0BAA0B,QAK/B;AACT,QAAM,WAAgB,kBAAkB,kCAAkC;AAAA,IACxE,UAAU,YAAY;AAAA,IACtB,QAAQ;AAAA,MACN,SAAS,OAAO;AAAA,MAChB,OAAO,OAAO;AAAA,MACd,SAAS,OAAO;AAAA,MAChB,WAAW,OAAO;AAAA,IACpB;AAAA,EACF,CAAC;AACD,SAAY,yBAAyB,QAAQ;AAC/C;AA/SA,IA6Ea,sCAUA,kCA8IA,mCA6CA;AAlRb;AAAA;AAAA;AACA;AA4EO,IAAM,uCAAkE;AAAA,MAC7E,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,MACxE;AAAA,IACF;AAEO,IAAM,mCAA8D;AAAA,MACzE,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,YAAY,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACtE;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,KAAK;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN,UAAU;AAAA,UACV,QAAQ;AAAA,QACV;AAAA,QACA,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,QACzE,EAAE,KAAK,GAAG,MAAM,cAAc,MAAM,SAAS,UAAU,OAAO,QAAQ,IAAI;AAAA,MAC5E;AAAA,IACF;AA+GO,IAAM,oCAA+D;AAAA,MAC1E,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,QAAQ,UAAU,KAAK;AAAA;AAAA,QAC1D,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,WAAW,UAAU,MAAM;AAAA,QAC5D,EAAE,KAAK,GAAG,MAAM,QAAQ,MAAM,QAAQ,UAAU,MAAM;AAAA,QACtD,EAAE,KAAK,GAAG,MAAM,oBAAoB,MAAM,QAAQ,UAAU,MAAM;AAAA,QAClE,EAAE,KAAK,GAAG,MAAM,wBAAwB,MAAM,QAAQ,UAAU,MAAM;AAAA;AAAA,MACxE;AAAA,IACF;AAiCO,IAAM,mCAA8D;AAAA,MACzE,UAAU,YAAY;AAAA,MACtB,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,QAAQ;AAAA,QACN,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACrE,EAAE,KAAK,GAAG,MAAM,SAAS,MAAM,QAAQ,UAAU,MAAM,QAAQ,IAAI;AAAA,QACnE,EAAE,KAAK,GAAG,MAAM,WAAW,MAAM,SAAS,UAAU,MAAM,QAAQ,KAAK;AAAA,QACvE,EAAE,KAAK,GAAG,MAAM,aAAa,MAAM,SAAS,UAAU,KAAK;AAAA,MAC7D;AAAA,IACF;AAAA;AAAA;;;AC5RA,SAAS,eAAAC,oBAAmB;AAErB,SAAS,UAAU,GAAmB;AAC3C,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,YAAY;AACxC,QAAM,MAAgB,CAAC;AACvB,SAAO,KAAK,OAAO;AACjB,QAAI,KAAK,OAAQ,IAAI,QAAS,KAAK,CAAC;AACpC,UAAM;AAAA,EACR;AACA,MAAI,KAAK,OAAO,CAAC,CAAC;AAClB,SAAO,OAAO,KAAK,GAAG;AACxB;AAEO,SAAS,QAAQ,GAA4B;AAClD,QAAM,IAAI,OAAO,MAAM,WAAW,OAAO,CAAC,IAAI;AAC9C,SAAO,UAAU,CAAC;AACpB;AAEO,SAAS,MAAM,GAAmB;AACvC,MAAI,IAAI,GAAI,OAAM,IAAI,MAAM,SAAS;AACrC,QAAM,IAAI,OAAO,MAAM,CAAC;AACxB,IAAE,iBAAiB,GAAG,CAAC;AACvB,SAAO;AACT;AAEO,SAAS,KAAK,GAAmB;AACtC,SAAO,OAAO,KAAK,GAAG,MAAM;AAC9B;AAEO,SAAS,MAAM,GAAgC;AACpD,SAAO,OAAO,SAAS,CAAC,IAAI,IAAI,OAAO,KAAK,CAAC;AAC/C;AAEO,SAAS,UAAkB;AAChC,SAAOA,aAAY,EAAE;AACvB;AAEO,SAAS,IAAI,MAAc,OAAuB;AACvD,MAAI,CAAC,OAAO,cAAc,IAAI,KAAK,OAAO,EAAG,OAAM,IAAI,MAAM,cAAc;AAC3E,SAAO,OAAO,OAAO;AAAA,IACnB,UAAU,OAAO,IAAI,CAAC;AAAA,IACtB,UAAU,OAAO,MAAM,MAAM,CAAC;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAOO,SAAS,UACd,OACA,MACQ;AACR,QAAM,QAAQ,MAAM,iBAAiB,oBAAI,IAAY;AACrD,QAAM,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,IAAI;AAExD,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,QAAI,OAAO,CAAC,EAAE,SAAS,OAAO,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,IAAI,GAAG;AACvE,YAAM,IAAI,MAAM,gBAAgB,OAAO,CAAC,EAAE,IAAI,EAAE;AAAA,IAClD;AAAA,EACF;AAEA,SAAO,OAAO,OAAO,OAAO,IAAI,CAAC,OAAO,IAAI,GAAG,MAAM,GAAG,KAAK,CAAC,CAAC;AACjE;AAlEA;AAAA;AAAA;AAAA;;;ACCA,SAAS,cAAAC,aAAY,gBAAAC,qBAAoB;AAclC,SAAS,iBAAiB,GAA+B;AAC9D,MACE,CAAC,OAAO,SAAS,EAAE,GAAG,KACtB,CAAC,OAAO,SAAS,EAAE,IAAI,KACvB,CAAC,OAAO,SAAS,EAAE,GAAG,GACtB;AACA,UAAM,IAAI,MAAM,mBAAmB;AAAA,EACrC;AACA,MAAI,EAAE,QAAQA,cAAc,OAAM,IAAI,MAAM,eAAe;AAE3D,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAC7C,QAAM,UAAU,UAAU,OAAO,EAAE,KAAK,MAAM,CAAC;AAC/C,QAAM,SAAS,UAAU,OAAO,EAAE,IAAI,MAAM,CAAC;AAE7C,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,OAAO,KAAK,CAAC,EAAE,MAAM,GAAI,CAAC;AAAA,IAC1B,OAAO,KAAK,CAAC,EAAE,QAAQ,GAAI,CAAC;AAAA,IAC5B;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,EACJ,CAAC;AACH;AAxCA,IAKM;AALN;AAAA;AAGA;AAEA,IAAM,QAAQ,OAAO,KAAKD,WAAU;AAAA;AAAA;;;ACJpC,SAAS,cAAAE,aAAY,gBAAAC,qBAAoB;AAMlC,SAAS,kBAAkB,QAKvB;AACT,MAAI,OAAO,QAAQA,cAAc,OAAM,IAAI,MAAM,eAAe;AAChE,QAAM,SAAS,UAAU,OAAO,OAAO,IAAI,MAAM,CAAC;AAClD,QAAM,UAAU,UAAU,OAAO,OAAO,KAAK,MAAM,CAAC;AACpD,QAAM,aAAa,UAAU,EAAE;AAE/B,SAAO,OAAO,OAAO;AAAA,IACnBC;AAAA,IACA,OAAO,KAAK,CAAC,OAAO,MAAM,GAAI,CAAC;AAAA,IAC/B,OAAO,KAAK,CAAC,OAAO,QAAQ,GAAI,CAAC;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,EACT,CAAC;AACH;AA5BA,IAKMA;AALN;AAAA;AAGA;AAEA,IAAMA,SAAQ,OAAO,KAAKF,WAAU;AAAA;AAAA;;;ACK7B,SAAS,aAAa,KAAqB;AAChD,SAAO,IACJ,SAAS,QAAQ,EACjB,QAAQ,MAAM,EAAE,EAChB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG;AACvB;AAOO,SAAS,aAAa,KAAqB;AAEhD,QAAM,MAAM,IAAI,SAAS,IAAI,IAAI,OAAO,IAAK,IAAI,SAAS,CAAE,IAAI;AAChE,QAAM,UAAU,MAAM,KAAK,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAC/D,SAAO,OAAO,KAAK,QAAQ,QAAQ;AACrC;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,OAAO,KAAK,KAAK,QAAQ,CAAC;AAChD;AAQO,SAAS,mBACd,KACA,WAA2B,QACnB;AACR,SAAO,aAAa,GAAG,EAAE,SAAS,QAAQ;AAC5C;AAtDA;AAAA;AAAA;AAAA;;;ACcA,SAAS,QAAQ,OAAiB;AAChC,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,MAAI,UAAU,QAAW;AACvB,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,OAAO;AAAA,EAC1B;AAEA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,SAA8B,CAAC;AACrC,UAAM,OAAO,OAAO,KAAK,KAAK,EAAE,KAAK;AAErC,eAAW,OAAO,MAAM;AACtB,YAAM,cAAc,QAAQ,MAAM,GAAG,CAAC;AAEtC,UAAI,gBAAgB,QAAW;AAC7B,eAAO,GAAG,IAAI;AAAA,MAChB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAQO,SAAS,cAAc,OAAoB;AAChD,SAAO,KAAK,UAAU,QAAQ,KAAK,CAAC;AACtC;AASO,SAAS,uBACd,KACA,SACQ;AACR,QAAM,WAAgC,CAAC;AAEvC,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,QAAQ,SAAS,GAAG,KAAK,IAAI,GAAG,MAAM,QAAW;AACpD,eAAS,GAAG,IAAI,IAAI,GAAG;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,cAAc,QAAQ;AAC/B;AA5EA;AAAA;AAAA;AAAA;;;ACAA,IAAa,wBAiBA;AAjBb;AAAA;AAAO,IAAM,yBAAN,cAAqC,MAAM;AAAA,MAChD,YACS,MACP,SACA;AACA,cAAM,OAAO;AAHN;AAIP,aAAK,OAAO;AAAA,MACd;AAAA,IACF;AASO,IAAM,iBAAN,MAAqB;AAAA;AAAA,MAO1B,YAAY,UAAe;AAN3B,aAAQ,WAAW;AACnB,aAAQ,UAAU;AAClB,aAAQ,gBAAgB;AAKtB,aAAK,WAAW;AAChB,aAAK,YAAY,KAAK,IAAI;AAAA,MAC5B;AAAA,MAEA,gBAAsB;AACpB,aAAK;AACL,YAAI,KAAK,WAAW,KAAK,SAAS,aAAa;AAC7C,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,uBAAuB,KAAK,QAAQ,IAAI,KAAK,SAAS,WAAW;AAAA,UACnE;AAAA,QACF;AAAA,MACF;AAAA,MAEA,eAAqB;AACnB,aAAK;AACL,YAAI,KAAK,SAAS,cAAc,KAAK,UAAU,KAAK,SAAS,YAAY;AACvE,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,sBAAsB,KAAK,OAAO,IAAI,KAAK,SAAS,UAAU;AAAA,UAChE;AAAA,QACF;AAAA,MACF;AAAA,MAEA,qBAA2B;AACzB,aAAK;AACL,YAAI,KAAK,gBAAgB,KAAK,SAAS,kBAAkB;AACvD,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,4BAA4B,KAAK,aAAa,IAAI,KAAK,SAAS,gBAAgB;AAAA,UAClF;AAAA,QACF;AAAA,MACF;AAAA,MAEA,YAAkB;AAChB,cAAM,UAAU,KAAK,IAAI,IAAI,KAAK;AAClC,YAAI,UAAU,KAAK,SAAS,WAAW;AACrC,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,4BAA4B,OAAO,MAAM,KAAK,SAAS,SAAS;AAAA,UAClE;AAAA,QACF;AAAA,MACF;AAAA,MAEA,eAAe,QAAsB;AAEnC,YAAI,KAAK,SAAS,eAAe,SAAS,GAAG,GAAG;AAC9C;AAAA,QACF;AAEA,YAAI,CAAC,KAAK,SAAS,eAAe,SAAS,MAAM,GAAG;AAClD,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,WAAW,MAAM,2BAA2B,KAAK,SAAS,eAAe,KAAK,IAAI,CAAC;AAAA,UACrF;AAAA,QACF;AAAA,MACF;AAAA,MAEA,aAA+B;AAC7B,eAAO;AAAA,UACL,UAAU,KAAK;AAAA,UACf,SAAS,KAAK;AAAA,UACd,eAAe,KAAK;AAAA,UACpB,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,QAC/B;AAAA,MACF;AAAA,MAEA,cAAc;AACZ,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAAA;AAAA;;;AC/FA,IASa,mBAiFA;AA1Fb;AAAA;AASO,IAAM,oBAAuD;AAAA;AAAA,MAElE,eAAe;AAAA,QACb,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,aAAa;AAAA,MAChC;AAAA;AAAA,MAGA,gBAAgB;AAAA,QACd,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,gBAAgB;AAAA,MACnC;AAAA,MACA,kBAAkB;AAAA,QAChB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,kBAAkB;AAAA,MACrC;AAAA;AAAA,MAGA,kBAAkB;AAAA,QAChB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,mBAAmB,mBAAmB;AAAA,MACzD;AAAA,MACA,mBAAmB;AAAA,QACjB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,oBAAoB,wBAAwB;AAAA,MAC/D;AAAA;AAAA,MAGA,aAAa;AAAA,QACX,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,kBAAkB;AAAA,MACrC;AAAA,MACA,cAAc;AAAA,QACZ,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,mBAAmB;AAAA,MACtC;AAAA,MACA,iBAAiB;AAAA,QACf,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,gBAAgB;AAAA,MACnC;AAAA;AAAA,MAGA,kBAAkB;AAAA,QAChB,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,kBAAkB;AAAA,MACrC;AAAA,MACA,eAAe;AAAA,QACb,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,aAAa;AAAA,MAChC;AAAA;AAAA,MAGA,aAAa;AAAA,QACX,aAAa;AAAA,QACb,kBAAkB;AAAA;AAAA,QAClB,WAAW;AAAA,QACX,gBAAgB,CAAC,aAAa,aAAa;AAAA,MAC7C;AAAA,IACF;AAGO,IAAM,oBAAuC;AAAA,MAClD,aAAa;AAAA,MACb,kBAAkB;AAAA,MAClB,WAAW;AAAA,MACX,gBAAgB,CAAC,GAAG;AAAA;AAAA,IACtB;AAAA;AAAA;;;ACtFO,SAAS,UACd,KACA,KAC8B;AAC9B,MAAI,QAAQ;AACZ,MAAI,IAAI;AACR,SAAO,MAAM;AACX,QAAI,OAAO,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AACxD,UAAM,IAAI,OAAO,IAAI,KAAK,CAAC;AAC3B,UAAM,IAAI,UAAU;AACpB,SAAK,IAAI,WAAW,GAAI;AACxB,aAAS;AACT,QAAI,QAAQ,IAAK,OAAM,IAAI,MAAM,kBAAkB;AAAA,EACrD;AACA,SAAO,EAAE,KAAK,GAAG,IAAI;AACvB;AAYO,SAAS,UAAU,KAAa,WAAmB,KAAY;AACpE,QAAM,MAAa,CAAC;AACpB,MAAI,MAAM;AACV,SAAO,MAAM,IAAI,QAAQ;AACvB,QAAI,IAAI,UAAU,SAAU,OAAM,IAAI,MAAM,oBAAoB;AAChE,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,UAAM,GAAG;AACT,UAAM,OAAO,OAAO,GAAG,GAAG;AAC1B,UAAM,MAAM,OAAO,GAAG,GAAG;AACzB,QAAI,MAAM,KAAK,MAAM,MAAM,IAAI,QAAQ;AACrC,YAAM,IAAI,MAAM,iBAAiB;AAAA,IACnC;AACA,UAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,GAAG;AACzC,WAAO;AACP,QAAI,KAAK,EAAE,MAAM,MAAM,CAAC;AAAA,EAC1B;AACA,SAAO;AACT;AASO,SAAS,OAAO,KAAoC;AACzD,QAAM,IAAI,oBAAI,IAAsB;AACpC,aAAW,MAAM,UAAU,GAAG,GAAG;AAC/B,UAAM,MAAM,EAAE,IAAI,GAAG,IAAI,KAAK,CAAC;AAC/B,QAAI,KAAK,GAAG,KAAe;AAC3B,MAAE,IAAI,GAAG,MAAM,GAAG;AAAA,EACpB;AACA,SAAO;AACT;AAEO,SAAS,OAAO,GAAgC;AACrD,MAAI,CAAC,EAAG,QAAO;AACf,SAAO,EAAE,SAAS,MAAM;AAC1B;AAEO,SAAS,eAAe,GAAgC;AAC7D,MAAI,CAAC,EAAG,QAAO;AACf,QAAM,EAAE,KAAK,IAAI,IAAI,UAAU,GAAG,CAAC;AACnC,MAAI,QAAQ,EAAE,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AAC7D,SAAO;AACT;AAMO,SAAS,aAAa,GAAgC;AAC3D,MAAI,CAAC,EAAG,QAAO;AACf,MAAI,EAAE,WAAW,EAAG,OAAM,IAAI,MAAM,0BAA0B;AAC9D,SAAO,EAAE,gBAAgB,CAAC;AAC5B;AA9FA,IAAAG,YAAA;AAAA;AAAA;AAAA;;;ACAA,SAAS,cAAAC,mBAAkB;AA+CpB,SAAS,iBAAiB,KAAgC;AAC/D,MAAI,MAAM;AAEV,QAAM,QAAQ,IAAI,SAAS,KAAK,MAAM,CAAC;AACvC,SAAO;AACP,MAAI,MAAM,WAAW,KAAK,CAAC,MAAM,OAAOC,MAAK;AAC3C,UAAM,IAAI,MAAM,iBAAiB;AAEnC,MAAI,MAAM,IAAI,IAAI,OAAQ,OAAM,IAAI,MAAM,iBAAiB;AAC3D,QAAM,MAAM,IAAI,KAAK;AACrB,QAAM,QAAQ,IAAI,KAAK;AAGvB,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AACT,QAAM,KAAK,UAAU,KAAK,GAAG;AAC7B,QAAM,GAAG;AAET,QAAM,SAAS,OAAO,GAAG,GAAG;AAC5B,QAAM,UAAU,OAAO,GAAG,GAAG;AAC7B,QAAM,SAAS,OAAO,GAAG,GAAG;AAE5B,MAAI,SAAS,KAAK,UAAU,KAAK,SAAS,EAAG,OAAM,IAAI,MAAM,eAAe;AAE5E,MAAI,MAAM,SAAS,UAAU,SAAS,IAAI;AACxC,UAAM,IAAI,MAAM,yBAAyB;AAG3C,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AACP,QAAM,OAAO,IAAI,SAAS,KAAK,MAAM,OAAO;AAC5C,SAAO;AACP,QAAM,MAAM,IAAI,SAAS,KAAK,MAAM,MAAM;AAC1C,SAAO;AAEP,MAAI,QAAQ,IAAI,OAAQ,OAAM,IAAI,MAAM,sBAAsB;AAE9D,SAAO,EAAE,KAAK,OAAO,KAAK,MAAM,KAAK,WAAW,IAAI,OAAO;AAC7D;AAvFA,IA0BMA;AA1BN;AAAA;AAEA,IAAAC;AAwBA,IAAMD,SAAQ,OAAO,KAAKD,WAAU;AAAA;AAAA;;;ACyD7B,SAAS,YACd,KACA,MACA,KACA,QAAgB,GACJ;AACZ,QAAM,KAAK,OAAO,GAAG;AAGrB,QAAM,cAAc;AACpB,QAAM,KAAK,QAAQ,cAAc,OAAO,IAAI,IAAI,oBAAI,IAAsB;AAE1E,QAAM,SAAS,OAAO,GAAG,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC;AAC3C,QAAM,eAAe,GAAG,IAAI,EAAE,cAAc,IAAI,CAAC;AACjD,QAAM,YAAY,eAAe,OAAO,eAAe,YAAY,CAAC,IAAI;AACxE,QAAM,aAAa,GAAG,IAAI,EAAE,QAAQ,IAAI,CAAC;AACzC,QAAM,UAAU,aAAa,WAAW,SAAS,KAAK,IAAI;AAC1D,QAAM,YAAY,GAAG,IAAI,EAAE,UAAU,IAAI,CAAC;AAC1C,QAAM,MAAM,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACrD,QAAM,QAAQ,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC;AACjC,QAAM,OAAO,aAAa,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC;AAE9C,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AACpD,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM,yBAAyB;AACvD,MAAI,CAAC,SAAS,MAAM,SAAS,MAAM,MAAM,SAAS;AAChD,UAAM,IAAI,MAAM,kBAAkB;AACpC,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,oBAAoB;AAC9C,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,mBAAmB;AAE9C,SAAO;AAAA,IACL;AAAA,IACA,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY;AAAA,IACZ,SAAS;AAAA,IACT,UAAU;AAAA,IACV,WAAW;AAAA,IACX;AAAA,EACF;AACF;AA9HA,IAca;AAdb;AAAA;AAAA;AASA,IAAAG;AAKO,IAAM,IAAI;AAAA;AAAA,MAEf,QAAQ;AAAA;AAAA,MAER,KAAK;AAAA;AAAA,MAEL,gBAAgB;AAAA;AAAA;AAAA,MAEhB,UAAU;AAAA;AAAA,MAEV,YAAY;AAAA;AAAA,MAEZ,OAAO;AAAA;AAAA,MAEP,OAAO;AAAA;AAAA,MAEP,YAAY;AAAA;AAAA,MAEZ,MAAM;AAAA;AAAA,MAEN,MAAM;AAAA,IACR;AAAA;AAAA;;;ACnCA,IAUa,cAcA,oBAaA;AArCb;AAAA;AAIA;AAMO,IAAM,eAAe;AAAA,MAC1B,MAAM;AAAA,MACN,OAAO;AAAA,MACP,SAAS;AAAA,MACT,OAAO;AAAA,MACP,MAAM;AAAA,MACN,SAAS;AAAA,IACX;AAOO,IAAM,qBAAmD;AAAA,MAC9D,CAAC,UAAU,GAAG,CAAC;AAAA,MACf,CAAC,aAAa,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,MAC5C,CAAC,SAAS,GAAG,CAAC,MAAM;AAAA,MACpB,CAAC,UAAU,GAAG,CAAC,QAAQ,SAAS,OAAO;AAAA,MACvC,CAAC,UAAU,GAAG,CAAC,QAAQ,SAAS,SAAS;AAAA,MACzC,CAAC,aAAa,GAAG,CAAC,QAAQ,SAAS,WAAW,SAAS;AAAA,IACzD;AAMO,IAAM,sBAAoD;AAAA,MAC/D,YAAY,CAAC;AAAA,MACb,YAAY,CAAC;AAAA,MACb,aAAa,CAAC;AAAA,MACd,YAAY,CAAC;AAAA,MACb,YAAY,CAAC;AAAA,MAEb,eAAe,CAAC,OAAO;AAAA,MACvB,iBAAiB,CAAC,MAAM;AAAA,MACxB,eAAe,CAAC,SAAS,OAAO;AAAA,MAEhC,kBAAkB,CAAC,SAAS,SAAS;AAAA,MACrC,mBAAmB,CAAC,SAAS,SAAS;AAAA,MAEtC,kBAAkB,CAAC,OAAO;AAAA,MAC1B,oBAAoB,CAAC,MAAM;AAAA;AAAA,MAG3B,oBAAoB,CAAC,SAAS;AAAA,MAC9B,wBAAwB,CAAC,SAAS;AAAA,MAClC,mBAAmB,CAAC,SAAS,SAAS;AAAA,MACtC,aAAa,CAAC,SAAS;AAAA,MACvB,eAAe,CAAC,MAAM;AAAA,MACtB,iBAAiB,CAAC,OAAO;AAAA,MACzB,kBAAkB,CAAC,SAAS,SAAS;AAAA,MACrC,iBAAiB,CAAC,SAAS,SAAS;AAAA,MACpC,cAAc,CAAC,SAAS,SAAS;AAAA,MACjC,oBAAoB,CAAC,SAAS,SAAS;AAAA,MACvC,iBAAiB,CAAC,OAAO;AAAA,MACzB,kBAAkB,CAAC,OAAO;AAAA,MAC1B,0BAA0B,CAAC,SAAS,SAAS;AAAA,MAE7C,WAAW,CAAC,OAAO;AAAA,IACrB;AAAA;AAAA;;;ACrBO,SAAS,8BACd,OAC0B;AAC1B,QAAM,WAAY,MAAM,YAAY,CAAC;AACrC,QAAM,SAAS,MAAM;AACrB,QAAM,aACJ,MAAM,aACL,QAAQ,QACR,QAAQ,QACT;AACF,QAAM,YACH,SAAS,cACT,SAAS,aACT,QAAQ,aACR,MAAM;AACT,QAAM,WACH,MAAM,OACN,SAAS,YACT,QAAQ;AACX,QAAM,MACH,SAAS,OACT,QAAQ,OACR,QAAQ;AAEX,SAAO;AAAA,IACL,SAAS,MAAM;AAAA,IACf,QAAQ,MAAM;AAAA,IACd;AAAA,IACA;AAAA,IACA,SAAS,MAAM;AAAA,IACf,IAAI,MAAM;AAAA,IACV,MAAM,MAAM;AAAA,IACZ,UAAU,MAAM;AAAA,IAChB,UAAU,MAAM;AAAA,IAChB,WAAW,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACb;AACF;AAzFA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA,IAsBY;AAtBZ;AAAA;AAsBO,IAAK,eAAL,kBAAKC,kBAAL;AACL,MAAAA,cAAA,WAAQ;AACR,MAAAA,cAAA,cAAW;AACX,MAAAA,cAAA,aAAU;AACV,MAAAA,cAAA,aAAU;AACV,MAAAA,cAAA,UAAO;AALG,aAAAA;AAAA,OAAA;AAAA;AAAA;;;ACUL,SAAS,cAAc,IAAqB;AACjD,SAAO,aAAa,IAAI,EAAE;AAC5B;AAKO,SAAS,cAAc,IAAqB;AACjD,SACE,GAAG,WAAW,YAAY,KAC1B,GAAG,WAAW,aAAa,KAC3B,GAAG,WAAW,WAAW;AAE7B;AA7CA,IAMa;AANb;AAAA;AAMO,IAAM,eAAe,oBAAI,IAAI;AAAA,MAClC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MAEA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA;AAAA;;;ACzBD,SAAS,cAAAC,mBAAkB;AAmBpB,SAAS,iBACd,UACA,KACA,SACA,QACA,QACA,IACQ;AACR,QAAM,IAAIA,YAAW,QAAQ;AAC7B,MAAI,SAAU,GAAE,OAAO,QAAQ;AAC/B,IAAE,OAAO,GAAG;AACZ,IAAE,OAAO,OAAO,KAAK,SAAS,MAAM,CAAC;AACrC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,QAAQ,MAAM,CAAC;AACpC,IAAE,OAAO,OAAO,KAAK,GAAG,SAAS,GAAG,MAAM,CAAC;AAC3C,SAAO,EAAE,OAAO;AAClB;AAxCA;AAAA;AAAA;AAAA;;;ACoGO,SAAS,eAAe,QAAmC;AAChE,MAAI,uBAAuB,MAAM,GAAG;AAClC,WAAO,uBAAuB,MAAM;AAAA,EACtC;AAEA,QAAM,QAAQ,OAAO,MAAM,GAAG,EAAE,CAAC;AACjC,QAAM,cAAc,GAAG,KAAK;AAC5B,MAAI,uBAAuB,WAAW,GAAG;AACvC,WAAO,uBAAuB,WAAW;AAAA,EAC3C;AAEA,SAAO;AACT;AAKO,SAAS,gBAAgB,OAAkC;AAChE,UAAQ,OAAO;AAAA,IACb,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAhIA,IAKY,mBAUC;AAfb;AAAA;AAKO,IAAK,oBAAL,kBAAKC,uBAAL;AACL,MAAAA,sCAAA,SAAM,KAAN;AACA,MAAAA,sCAAA,YAAS,KAAT;AACA,MAAAA,sCAAA,UAAO,KAAP;AACA,MAAAA,sCAAA,cAAW,KAAX;AAJU,aAAAA;AAAA,OAAA;AAUL,IAAM,yBAA4D;AAAA;AAAA,MAEvE,eAAe;AAAA;AAAA,MAGf,gBAAgB;AAAA,MAChB,kBAAkB;AAAA,MAClB,2BAA2B;AAAA,MAC3B,2BAA2B;AAAA;AAAA,MAG3B,kBAAkB;AAAA,MAClB,eAAe;AAAA,MACf,oBAAoB;AAAA;AAAA,MAGpB,aAAa;AAAA,MACb,cAAc;AAAA,MACd,iBAAiB;AAAA,MACjB,eAAe;AAAA;AAAA,MAGf,kBAAkB;AAAA,MAClB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA;AAAA,MAGnB,aAAa;AAAA;AAAA,MAGb,wBAAwB;AAAA,MACxB,wBAAwB;AAAA,MACxB,yBAAyB;AAAA;AAAA,MAGzB,0BAA0B;AAAA,MAC1B,uBAAuB;AAAA;AAAA,MAGvB,6BAA6B;AAAA,MAC7B,8BAA8B;AAAA,MAC9B,6BAA6B;AAAA;AAAA,MAG7B,uBAAuB;AAAA,MACvB,qCAAqC;AAAA,MACrC,yBAAyB;AAAA,MACzB,0BAA0B;AAAA;AAAA,MAG1B,oBAAoB;AAAA,MACpB,mBAAmB;AAAA,MACnB,kBAAkB;AAAA;AAAA,MAGlB,wBAAwB;AAAA,MACxB,wBAAwB;AAAA,MACxB,iBAAiB;AAAA,MACjB,eAAe;AAAA,MACf,iBAAiB;AAAA;AAAA,MAGjB,gBAAgB;AAAA,MAChB,eAAe;AAAA,MACf,eAAe;AAAA,MACf,iBAAiB;AAAA,MACjB,uBAAuB;AAAA,MACvB,gCAAgC;AAAA;AAAA,MAGhC,2BAA2B;AAAA,MAC3B,8BAA8B;AAAA,MAC9B,yBAAyB;AAAA,MACzB,iBAAiB;AAAA,MACjB,mBAAmB;AAAA,IACrB;AAAA;AAAA;;;AC1FA;AAAA;AAAA;AAAA;AAAA;AAAA;AAsCO,SAAS,eAAe,QAAwB;AACrD,MAAI,gBAAgB,MAAM,GAAG;AAC3B,WAAO,gBAAgB,MAAM;AAAA,EAC/B;AAEA,aAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,eAAe,GAAG;AAChE,QAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,YAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,UAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AArDA,IASa,iBAmBA;AA5Bb;AAAA;AASO,IAAM,kBAA0C;AAAA,MACrD,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,aAAa;AAAA,MACb,YAAY;AAAA,MAEZ,eAAe;AAAA,MACf,iBAAiB;AAAA,MACjB,cAAc;AAAA,MACd,iBAAiB;AAAA,MAEjB,YAAY;AAAA,MAEZ,cAAc;AAAA,MAEd,WAAW;AAAA,IACb;AAGO,IAAM,kBAAkB;AAAA;AAAA;;;AChBxB,SAAS,mBAAmB,OAAqB;AACtD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,MAAM,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,kBAAkB,CAAC,OAAO,SAAS,WAAW,QAAQ;AAC5D,aAAW,OAAO,iBAAiB;AACjC,QAAI,OAAO,MAAM,GAAG,MAAM,YAAY,MAAM,GAAG,EAAE,SAAS,GAAG;AAC3D,aAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,OAAO,MAAM,OAAO,YAAY,CAAC,OAAO,SAAS,MAAM,EAAE,GAAG;AAC9D,WAAO;AAAA,EACT;AAEA,MACE,MAAM,QAAQ,WACb,OAAO,MAAM,QAAQ,YAAY,MAAM,IAAI,WAAW,IACvD;AACA,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,MAAM,OAAO,OAAO,MAAM,QAAQ,UAAU;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,IAAI,QAAQ,SAAS;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,QAAQ,YAAY,MAAM,IAAI,IAAI,SAAS,GAAG;AACjE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,IAAI,UAAU,YAAY,MAAM,IAAI,MAAM,SAAS,IAAI;AACtE,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAM,SAAS,YAAY,MAAM,SAAS,MAAM;AACzD,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAKO,SAAS,iBACd,IACA,cAAsB,KACb;AACT,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,OAAO,KAAK,IAAI,MAAM,EAAE;AAC9B,SAAO,QAAQ;AACjB;AAxEA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAa,2BACA,wBACA;AAFb;AAAA;AAAO,IAAM,4BAA4B;AAClC,IAAM,yBAAyB;AAC/B,IAAM,6BAA6B;AAAA;AAAA;;;ACF1C;AAAA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AACA,QAAAC,UAAA,UAAA,QAAA;AAEA,QAAA,aAAA;AACA,QAAA,WAAA;AACA,QAAA,sBAAA;AACA,QAAA,qBAAA;AAEA,QAAA,kBAAA;AAKA,QAAA,iBAAA;AAQO,QAAMC,4BAAwB,6BAA9B,MAAM,yBAAwB;MAOnC,YAEE,UAEA,OAAuC;AAFtB,aAAA,WAAA;AAEA,aAAA,QAAA;AAVF,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;AAEzD,aAAA,OAAO;AACP,aAAA,OAAO;AACP,aAAA,cAAc;MAOpB;MAGH,MAAM,QACJ,MACA,SAAiC;AAEjC,cAAM,IAAI;AACV,YAAI,CAAC;AAAG,gBAAM,IAAI,MAAM,iBAAiB;AAEzC,cAAM,gBAAgB,EAAE,IAAI,EAAE;AAC9B,YAAI,CAAC;AAAe,gBAAM,IAAI,MAAM,mBAAmB;AACvD,cAAM,WAAW,IAAI,YAAW,EAAG,OAAO,aAAa;AAEvD,YAAI,aAAa;AACjB,YAAI,WAAW;AAEf,cAAM,aAAa,EAAE,IAAI,EAAE;AAC3B,YAAI,YAAY;AACd,gBAAM,EAAE,MAAK,KAAK,GAAA,SAAA,cAAa,UAAU;AACzC,uBAAa;QACf;AAEA,cAAM,WAAW,EAAE,IAAI,EAAE;AACzB,YAAI,UAAU;AACZ,gBAAM,EAAE,MAAK,KAAK,GAAA,SAAA,cAAa,QAAQ;AACvC,qBAAW;QACb;AAEA,cAAM,UAAU,MAAM,KAAK,SAAS,aAAa,QAAQ;AACzD,YAAI,CAAC,SAAS;AACZ,gBAAM,IAAI,MAAM,sBAAsB,QAAQ,EAAE;QAClD;AAEA,YAAI,QAAQ,WAAW,YAAY;AACjC,gBAAM,IAAI,MAAM,6BAA6B,QAAQ,MAAM,EAAE;QAC/D;AAEA,cAAM,OAAO,MAAM,KAAK,MAAM,UAC5B,UACA,QAAQ,QAAQ;AAElB,cAAM,WAAW,KAAK;AAEtB,YAAI,aAAa;AAAG,uBAAa;AACjC,YAAI,cAAc;AAAU,gBAAM,IAAI,MAAM,qBAAqB;AAEjE,YAAI,MAAM;AACV,YAAI,YAAY,GAAG;AACjB,gBAAM,KAAK,IAAI,aAAa,UAAU,QAAQ;QAChD;AAEA,cAAM,YAAY,MAAM;AACxB,cAAM,SAAS,MAAM,KAAK,MAAM,eAC9B,UACA,QAAQ,UACR,YACA,SAAS;AAGX,cAAM,kBAAkB,oBAAI,IAAG;AAC/B,wBAAgB,IAAI,KAAI,GAAA,SAAA,cAAa,QAAQ,CAAC;AAC9C,wBAAgB,IAAI,KAAI,GAAA,SAAA,cAAa,UAAU,CAAC;AAChD,wBAAgB,IAAI,KAAI,GAAA,SAAA,cAAa,SAAS,CAAC;AAE/C,eAAO;UACL,IAAI;UACJ,QAAQ;UACR,MAAM;UACN,SAAS;;MAEb;;AAnFW,YAAA,2BAAAA;AAeL,eAAA;OADL,GAAA,mBAAA,QAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,OAAM,CAAE;;2DAEjD,eAAU,eAAV,gBAAU,aAAA,KAAA,QAAA,QAAA,KAAA,OACN,QAAG,eAAH,SAAG,aAAA,KAAA,MAAA,CAAA;0DACZ,YAAO,eAAP,aAAO,aAAA,KAAA,MAAA;;uCAlBCA,4BAAwB,6BAAA,WAAA;OAFpC,GAAA,oBAAA,SAAQ,qBAAqB;OAC7B,GAAA,SAAA,YAAU;MASN,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,yBAAyB,CAAC;MAEjC,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,sBAAsB,CAAC;2DADJ,eAAA,uBAAkB,eAAlB,eAAA,wBAAkB,aAAA,KAAA,QAAA,QAAA,KAAA,OAErB,eAAA,oBAAe,eAAf,eAAA,qBAAe,aAAA,KAAA,MAAA,CAAA;OAX9BA,yBAAwB;AAwF9B,QAAMC,4BAAwB,6BAA9B,MAAM,yBAAwB;MAOnC,YAEE,UAEA,OAGA,SAA8C;AAL7B,aAAA,WAAA;AAEA,aAAA,QAAA;AAGA,aAAA,UAAA;AAbF,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;AAEzD,aAAA,OAAO;AACP,aAAA,OAAO;AACP,aAAA,cAAc;MAUpB;MAGH,MAAM,QACJ,MACA,SAAiC;AAEjC,cAAM,UAAU,IAAI,YAAW,EAAG,OAAO,IAAI;AAC7C,cAAM,MAAM,KAAK,MAAM,OAAO;AAE9B,cAAM,EAAE,QAAQ,aAAY,IAAK;AACjC,YAAI,CAAC;AAAQ,gBAAM,IAAI,MAAM,iBAAiB;AAE9C,cAAM,UAAU,MAAM,KAAK,SAAS,aAAa,MAAM;AACvD,YAAI,CAAC;AAAS,gBAAM,IAAI,MAAM,mBAAmB;AAEjD,YAAI,CAAE,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAI;AACvC,gBAAM,IAAI,MAAM,kBAAkB;QACpC;AAEA,cAAM,OAAOF,QAAO,WAAW,QAAQ;AACvC,cAAM,KAAK,KAAK,MAAM,qBAAqB,MAAM;AACjD,yBAAiB,SAAS,IAAI;AAC5B,eAAK,OAAO,KAAe;QAC7B;AACA,cAAM,YAAY,KAAK,OAAO,KAAK;AAEnC,YAAI,gBAAgB,cAAc,cAAc;AAC9C,gBAAM,IAAI,MAAM,eAAe;QACjC;AAEA,cAAM,YAAY,MAAM,KAAK,MAAM,gBACjC,QACA,QAAQ,QAAQ;AAGlB,cAAM,KAAK,SAAS,aAAa,QAAQ,YAAY,IAAI;AAEzD,YAAI,CAAC,KAAK,SAAS;AACjB,eAAK,OAAO,KAAK,2DAA2D;AAC5E,iBAAO;YACL,IAAI;YACJ,QAAQ;YACR,MAAM,IAAI,YAAW,EAAG,OACtB,KAAK,UAAU;cACb,UAAU;cACV,cAAc;cACd,WAAW,QAAQ;cACnB,MAAM,KAAK,IAAG;cACd,MAAM;aACP,CAAC;;QAGR;AAEA,cAAM,cAAc;UAClB,UAAU;UACV,cAAc;UACd,WAAW,QAAQ;UACnB,MAAM,KAAK,IAAG;;AAGhB,cAAM,cAAc,KAAK,UAAU,WAAW;AAC9C,cAAM,cAAc,IAAI,YAAW,EAAG,OAAO,WAAW;AAExD,cAAM,cAAc;AACpB,cAAM,gBAA2B;UAC/B,OAAO;UACP,SAAS,oBAAI,IAAG;UAChB,MAAM;UACN,KAAK,IAAI,WAAW,CAAC;;AAGvB,cAAM,cAAa,GAAA,WAAA,eAAc,aAAa;AAC9C,cAAM,EAAE,KAAK,IAAG,IAAK,KAAK,QAAQ,WAAW,UAAU;AACvD,sBAAc,MAAM;AAEpB,eAAO;UACL,IAAI;UACJ,QAAQ;UACR,OAAM,GAAA,WAAA,aAAY,aAAa;UAC/B,SAAS,oBAAI,IAAI,CAAC,CAAC,GAAG,IAAI,YAAW,EAAG,OAAO,GAAG,CAAC,CAAC,CAAC;;MAEzD;;AAlGW,YAAA,2BAAAE;AAkBL,eAAA;OADL,GAAA,mBAAA,QAAO,iBAAiB,EAAE,UAAU,MAAM,MAAM,SAAQ,CAAE;;2DAEnD,eAAU,eAAV,gBAAU,aAAA,KAAA,QAAA,QAAA,KAAA,OACN,QAAG,eAAH,SAAG,aAAA,KAAA,MAAA,CAAA;0DACZ,YAAO,eAAP,aAAO,aAAA,KAAA,MAAA;;uCArBCA,4BAAwB,6BAAA,WAAA;OAFpC,GAAA,oBAAA,SAAQ,qBAAqB;OAC7B,GAAA,SAAA,YAAU;MASN,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,yBAAyB,CAAC;MAEjC,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,sBAAsB,CAAC;MAE9B,QAAA,IAAA,GAAA,SAAA,UAAQ,CAAE;MACV,QAAA,IAAA,GAAA,SAAA,QAAO,gBAAA,0BAA0B,CAAC;2DAJR,eAAA,uBAAkB,eAAlB,eAAA,wBAAkB,aAAA,KAAA,QAAA,QAAA,KAAA,OAErB,eAAA,oBAAe,eAAf,eAAA,qBAAe,aAAA,KAAA,QAAA,QAAA,KAAA,OAGZ,eAAA,wBAAmB,eAAnB,eAAA,yBAAmB,aAAA,KAAA,MAAA,CAAA;OAdrCA,yBAAwB;;;;;AC7GrC,YAAY,QAAQ;AACpB,YAAY,UAAU;AADtB,IAUa;AAVb;AAAA;AAUO,IAAM,sBAAN,MAAqD;AAAA,MAI1D,YAAY,SAAqC;AAC/C,aAAK,YAAY,QAAQ;AACzB,aAAK,WAAW,QAAQ;AAAA,MAC1B;AAAA,MAEA,aAAa,QAAgB,UAA2B;AACtD,cAAM,eAAe,WAAgB,cAAS,QAAQ,IAAI;AAC1D,eAAY,UAAK,KAAK,WAAW,YAAY;AAAA,MAC/C;AAAA,MAEA,YAAY,QAAwB;AAClC,cAAM,SAAc,cAAS,MAAM;AACnC,eAAY,UAAK,KAAK,UAAU,MAAM;AAAA,MACxC;AAAA,MAEA,MAAM,UACJ,QACA,UACyB;AACzB,cAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,YAAI,CAAI,cAAW,SAAS,GAAG;AAC7B,gBAAM,IAAI,MAAM,sBAAsB;AAAA,QACxC;AACA,cAAM,OAAU,YAAS,SAAS;AAClC,eAAO,EAAE,MAAM,WAAW,MAAM,KAAK,KAAK;AAAA,MAC5C;AAAA,MAEA,MAAM,eACJ,QACA,UACA,OACA,QACiB;AACjB,cAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AACpD,cAAM,SAAS,OAAO,MAAM,MAAM;AAClC,cAAM,KAAQ,YAAS,WAAW,GAAG;AACrC,YAAI;AACF,UAAG,YAAS,IAAI,QAAQ,GAAG,QAAQ,KAAK;AAAA,QAC1C,UAAE;AACA,UAAG,aAAU,EAAE;AAAA,QACjB;AACA,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,QAAQ,QAAkC;AAC9C,cAAM,WAAW,KAAK,YAAY,MAAM;AACxC,eAAU,cAAW,QAAQ;AAAA,MAC/B;AAAA,MAEA,MAAM,gBACJ,QACA,UACiB;AACjB,cAAM,WAAW,KAAK,YAAY,MAAM;AACxC,cAAM,YAAY,KAAK,aAAa,QAAQ,QAAQ;AAEpD,YAAI;AACF,gBAAS,YAAS,OAAO,UAAU,SAAS;AAAA,QAC9C,QAAQ;AACN,gBAAS,YAAS,SAAS,UAAU,SAAS;AAC9C,gBAAS,YAAS,OAAO,QAAQ;AAAA,QACnC;AAEA,eAAO;AAAA,MACT;AAAA,MAEA,qBAAqB,QAAuC;AAC1D,cAAM,WAAW,KAAK,YAAY,MAAM;AACxC,eAAU,oBAAiB,QAAQ;AAAA,MACrC;AAAA,IACF;AAAA;AAAA;;;;;;;;ACpFA,QAAA,WAAA,UAAA,gBAAA;AAqBA,aAAS,UAAU,KAAY;AAC7B,aACG,IAAI,QAAQ,iBAAiB,GAAc,MAAM,GAAG,EAAE,CAAC,GAAG,KAAI,KAC9D,IAAI,QAAQ,WAAW,KACxB,IAAI,OAAO,iBACX;IAEJ;AAiBa,YAAA,WAAU,GAAA,SAAA,sBACrB,CAAC,OAAgB,QAAiC;AAChD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,aAAO,IAAI;IACb,CAAC;AAcU,YAAA,UAAS,GAAA,SAAA,sBACpB,CAAC,OAAgB,QAA6C;AAC5D,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,aAAO,UAAU,GAAG;IACtB,CAAC;AAkBU,YAAA,eAAc,GAAA,SAAA,sBACzB,CAAC,OAAgB,QAA0C;AACzD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,YAAM,WAAY,IAAY,QAAQ,CAAA;AACtC,aAAO;QACL,KAAK,IAAI;QACT,IAAI,UAAU,GAAG;QACjB,gBAAgB,SAAS;QACzB,iBAAiB,SAAS,mBAAmB;;IAEjD,CAAC;AAeU,YAAA,kBAAiB,GAAA,SAAA,sBAC5B,CAAC,OAAgB,QAA6C;AAC5D,UAAI,QAAQ,IAAI,aAAa;AAAe,eAAO;AACnD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,aAAO,IAAI,QAAQ,eAAe;IACpC,CAAC;AAqBU,YAAA,aAAY,GAAA,SAAA,sBACvB,CAAC,OAAgB,QAAsC;AACrD,YAAM,MAAM,IAAI,aAAY,EAAG,WAAU;AACzC,YAAM,UAAW,IAAY;AAC7B,UAAI,CAAC,SAAS;AACZ,cAAM,IAAI,MACR,8HACsE;MAE1E;AACA,aAAO;IACT,CAAC;;;;;;;;;;;;;;;;;;;;;;;ACnJH,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AAEA,QAAA,uBAAA;AAKA,QAAA,sBAAA;AAGO,QAAMC,4BAAwB,6BAA9B,MAAM,yBAAwB;MAGnC,YACmB,WACA,WACA,UAA0B;AAF1B,aAAA,YAAA;AACA,aAAA,YAAA;AACA,aAAA,WAAA;AALF,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;MAM/D;MAEH,yBAAsB;AACpB,cAAM,YAAY,KAAK,UAAU,aAAY;AAC7C,YAAI,QAAQ;AAEZ,mBAAW,WAAW,WAAW;AAC/B,gBAAM,EAAE,SAAQ,IAAK;AACrB,cAAI,CAAC,YAAY,CAAC,SAAS;AAAa;AAExC,gBAAM,OAAO,KAAK,UAAU,IAC1B,qBAAA,uBACA,SAAS,WAAW;AAEtB,cAAI,CAAC;AAAM;AAEX,gBAAM,WAAW;AACjB,cAAI,OAAO,SAAS,YAAY,YAAY;AAC1C,iBAAK,OAAO,KACV,gBAAgB,SAAS,YAAY,IAAI,uCAAuC;AAElF;UACF;AAEA,eAAK,SAAS,SAAS,UAAU,IAAI;AACrC;QACF;AAEA,aAAK,OAAO,IAAI,mBAAmB,KAAK,4BAA4B;MACtE;;AApCW,YAAA,2BAAAA;uCAAAA,4BAAwB,6BAAA,WAAA;OADpC,GAAA,SAAA,YAAU;2DAKqB,OAAA,qBAAgB,eAAhB,OAAA,sBAAgB,aAAA,KAAA,QAAA,QAAA,KAAA,OAChB,OAAA,cAAS,eAAT,OAAA,eAAS,aAAA,KAAA,QAAA,QAAA,KAAA,OACV,oBAAA,qBAAgB,eAAhB,oBAAA,sBAAgB,aAAA,KAAA,MAAA,CAAA;OANlCA,yBAAwB;;;;;;;;;;;;;;;;;;;;;;;ACXrC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AAEA,QAAA,uBAAA;AACA,QAAA,8BAAA;AACA,QAAA,sBAAA;AACA,QAAA,qBAAA;AAMA,QAAA,kBAAA;AA+BO,QAAMC,2BAAuB,4BAA7B,MAAM,wBAAuB;MAGlC,YACmB,WACA,SACA,QAAoB;AAFpB,aAAA,YAAA;AACA,aAAA,UAAA;AACA,aAAA,SAAA;AALF,aAAA,SAAS,IAAI,SAAA,OAAO,0BAAwB,IAAI;MAM9D;MAEH,eAAY;AACV,cAAM,YAAY,KAAK,UAAU,aAAY;AAC7C,YAAI,eAAe;AAEnB,mBAAW,WAAW,WAAW;AAC/B,gBAAM,EAAE,UAAU,SAAQ,IAAK;AAC/B,cAAI,CAAC,YAAY,CAAC;AAAU;AAG5B,gBAAM,cAAc,QAAQ,YAAY,oBAAA,sBAAsB,QAAQ;AACtE,cAAI,CAAC;AAAa;AAElB,gBAAM,cAAc,YAAY,UAAU,SAAS;AACnD,gBAAM,SAAS,YAAY,UAAU,SAAS;AAC9C,gBAAM,QAAQ,OAAO,eAAe,QAAQ;AAC5C,gBAAM,UAAU,KAAK,QAAQ,kBAAkB,KAAK;AACpD,gBAAM,SACJ,QAAQ,YAAY,mBAAA,mBAAmB,QAAQ,KAAK,CAAA;AACtD,gBAAM,gBAAgB,IAAI,IAAI,OAAO,IAAI,CAAC,UAAU,OAAO,MAAM,UAAU,CAAC,CAAC;AAC7E,cAAI,aAAa;AAGjB,gBAAM,iBACJ,QAAQ,YAAY,4BAAA,qBAAqB,QAAQ,KAAK,CAAA;AACxD,gBAAM,mBACJ,QAAQ,YAAY,qBAAA,uBAAuB,QAAQ,KAAK,CAAA;AAE1D,qBAAW,SAAS,QAAQ;AAC1B,kBAAM,aAAa,MAAM,WACrB,MAAM,SACN,GAAG,MAAM,IAAI,MAAM,MAAM;AAE7B,gBAAI,CAAC,KAAK,OAAO,IAAI,UAAU,GAAG;AAChC,mBAAK,OAAO,SAAS,YAAa,SAAiB,MAAM,UAAU,EAAE,KAAK,QAAQ,CAAC;AACnF;AACA;YACF;AAEA,iBAAK,OAAO,mBACV,YACA,OACA,OAAO,MAAM,UAAU,GACvB,gBACA,gBAAgB;UAEpB;AAEA,qBAAW,cAAc,SAAS;AAChC,gBAAI,cAAc,IAAI,UAAU;AAAG;AAEnC,kBAAM,OAAO,QAAQ,YACnB,mBAAA,qBACA,OACA,UAAU;AAEZ,gBAAI,CAAC,MAAM;AAAQ;AAEnB,kBAAM,aAAa,KAAK,WAAW,KAAK,SAAS,GAAG,MAAM,IAAI,KAAK,MAAM;AAIzE,gBAAI,CAAC,KAAK,OAAO,IAAI,UAAU,GAAG;AAChC,mBAAK,OAAO,SACV,YACC,SAAiB,UAAU,EAAE,KAAK,QAAQ,CAAC;AAE9C;AACA;YACF;AAIA,iBAAK,OAAO,mBACV,YACA,OACA,YACA,gBACA,gBAAgB;UAEpB;AAEA,cAAI,aAAa,GAAG;AAClB,iBAAK,OAAO,IACV,mBAAmB,UAAU,iBAAiB,WAAW,EAAE;UAE/D;QACF;AAEA,aAAK,OAAO,IACV,+BAA+B,YAAY,0BAA0B;MAEzE;;AApGW,YAAA,0BAAAA;sCAAAA,2BAAuB,4BAAA,WAAA;OADnC,GAAA,SAAA,YAAU;2DAKqB,OAAA,qBAAgB,eAAhB,OAAA,sBAAgB,aAAA,KAAA,QAAA,QAAA,KAAA,OAClB,OAAA,oBAAe,eAAf,OAAA,qBAAe,aAAA,KAAA,QAAA,QAAA,KAAA,OAChB,gBAAA,iBAAY,eAAZ,gBAAA,kBAAY,aAAA,KAAA,MAAA,CAAA;OAN5BA,wBAAuB;;;;;;;;;;;;;;;;;;;;;;;AC3CpC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,SAAA,UAAA,cAAA;AAEA,QAAA,qBAAA;AAIA,QAAA,oBAAA;AAEA,QAAA,iBAAA;AAUO,QAAMC,0BAAsB,2BAA5B,MAAM,uBAAsB;MAGjC,YACmB,WACA,WACA,UAAwB;AAFxB,aAAA,YAAA;AACA,aAAA,YAAA;AACA,aAAA,WAAA;AALF,aAAA,SAAS,IAAI,SAAA,OAAO,yBAAuB,IAAI;MAM7D;MAEH,yBAAsB;AACpB,cAAM,YAAY,KAAK,UAAU,aAAY;AAC7C,YAAI,QAAQ;AAEZ,mBAAW,WAAW,WAAW;AAC/B,gBAAM,EAAE,SAAQ,IAAK;AACrB,cAAI,CAAC,YAAY,CAAC,SAAS;AAAa;AAExC,gBAAM,OAAO,KAAK,UAAU,IAC1B,mBAAA,qBACA,SAAS,WAAW;AAEtB,cAAI,CAAC;AAAM;AAEX,gBAAM,SAAS;AAEf,cAAI,CAAC,OAAO,QAAQ,OAAO,UAAU,QAAW;AAC9C,iBAAK,OAAO,KACV,gBAAgB,SAAS,YAAY,IAAI,uCAAkC;AAE7E;UACF;AAGA,cAAI,CAAC,OAAO,OAAO;AACjB,kBAAM,iBAAiB,SAAS,OAAO,KAAK,QAAQ;AACnD,mBAAe,QACd,mBACC,OAAO,QAAQ,eAAA,sBAAsB,eAAe;UACzD;AAEA,eAAK,SAAS,SAAS,MAAM;AAC7B;QACF;AAEA,aAAK,OAAO,IAAI,mBAAmB,KAAK,wBAAwB;MAClE;;AA7CW,YAAA,yBAAAA;qCAAAA,0BAAsB,2BAAA,WAAA;OADlC,GAAA,SAAA,YAAU;2DAKqB,OAAA,qBAAgB,eAAhB,OAAA,sBAAgB,aAAA,KAAA,QAAA,QAAA,KAAA,OAChB,OAAA,cAAS,eAAT,OAAA,eAAS,aAAA,KAAA,QAAA,QAAA,KAAA,OACV,kBAAA,mBAAc,eAAd,kBAAA,oBAAc,aAAA,KAAA,MAAA,CAAA;OANhCA,uBAAsB;;;;;ACnBnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAAS,eAAAC,oBAAmB;AAkErB,SAAS,kBACd,WACA,IACiB;AACjB,SAAO;AAAA,IACL,IAAIA,aAAY,EAAE,EAAE,SAAS,KAAK;AAAA,IAClC,SAAS,KAAK,IAAI;AAAA,IAClB;AAAA,IACA;AAAA,IACA,QAAQ,CAAC;AAAA,IACT,SAAS,CAAC;AAAA,IACV,OAAO,CAAC;AAAA,EACV;AACF;AAIO,SAAS,WACd,KACA,MACkB;AAClB,QAAM,QAA0B,EAAE,MAAM,QAAQ,MAAM,SAAS,KAAK,IAAI,EAAE;AAC1E,MAAI,OAAO,KAAK,KAAK;AACrB,SAAO;AACT;AAEO,SAAS,SACd,OACA,SAAiC,MACjC,QACA,MACM;AACN,QAAM,QAAQ,KAAK,IAAI;AACvB,QAAM,aAAa,MAAM,QAAQ,MAAM;AACvC,QAAM,SAAS;AACf,MAAI,OAAQ,OAAM,SAAS;AAC3B,MAAI,KAAM,OAAM,OAAO;AACzB;AAIO,SAAS,aACd,KACA,MACA,SACA,WACA,YACA,SACA,MACM;AACN,MAAI,QAAQ,KAAK,EAAE,MAAM,SAAS,WAAW,YAAY,SAAS,KAAK,CAAC;AAC1E;AAIO,SAAS,oBACd,KACA,UACA,YACA,YACM;AACN,MAAI,QAAQ,KAAK,IAAI;AACrB,MAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,MAAI,WAAW;AACf,MAAI,aAAa;AACjB,MAAI,WAAY,KAAI,aAAa;AACnC;AApIA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,oBAAA;AACA,QAAA,gBAAA;AAQsB,WAAA,eAAA,SAAA,kBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAPpB,cAAA;IAAc,EAAA,CAAA;AAOP,WAAA,eAAA,SAAA,eAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aANP,cAAA;IAAW,EAAA,CAAA;AAIb,QAAA,qBAAA;AAsCO,QAAMC,0BAAN,MAAM,uBAAsB;MACjC,YAA6B,UAAwB;AAAxB,aAAA,WAAA;MAA2B;MAKxD,MAAM,SACJ,OACA,QAA+C,eAC/C,cAA6B;AAE7B,YAAI,UAAU,cAAc;AAC1B,iBAAO,KAAK,gBAAgB,KAAK,SAAS,oBAAmB,GAAI,KAAK;QACxE;AAEA,YAAI,UAAU,QAAQ;AACpB,gBAAM,eAAe,MAAM,KAAK,gBAC9B,KAAK,SAAS,oBAAmB,GACjC,KAAK;AAEP,gBAAM,aAAY,GAAA,cAAA,yBAAwB,YAAY;AACtD,cAAI,CAAC,UAAU;AAAO,mBAAO;AAC7B,iBAAO,KAAK,gBACV,KAAK,SAAS,qBAAoB,GAClC,OACA,YAAY;QAEhB;AAGA,eAAO,KAAK,gBACV,KAAK,SAAS,qBAAoB,GAClC,OACA,YAAY;MAEhB;MAGA,MAAM,YAAY,OAAkB;AAClC,eAAO,KAAK,gBAAgB,KAAK,SAAS,oBAAmB,GAAI,KAAK;MACxE;MAGA,MAAM,aACJ,OACA,cAA6B;AAE7B,eAAO,KAAK,gBACV,KAAK,SAAS,qBAAoB,GAClC,OACA,YAAY;MAEhB;MAEQ,MAAM,gBACZ,SACA,OACA,cAA6B;AAG7B,cAAM,kBAAkB,QAAQ,OAC9B,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,SAAS,KAAK,CAAC;AAIzC,cAAM,iBAAiB,gBACnB,GAAA,cAAA,yBAAwB,YAAY,IACpC;AAEJ,YAAI,YAAY,gBAAgB,aAAa;AAC7C,cAAM,UAAoB,gBAAgB,UACtC,CAAC,GAAG,eAAe,OAAO,IAC1B,CAAA;AACJ,cAAM,OAA4B,gBAAgB,OAC9C,EAAE,GAAG,eAAe,KAAI,IACxB,CAAA;AACJ,YAAI,gBAAgB,gBAAgB,SAAS;AAC7C,YAAI,mBAAwC,gBAAgB,SACxD,mBACA,EAAE,GAAG,eAAe,QAAQ,iBAAgB,IAC5C,CAAA;AAEJ,mBAAW,UAAU,iBAAiB;AACpC,cAAI;AACF,kBAAM,KAAK,KAAK,IAAG;AACnB,kBAAM,cAAc,MAAM,OAAO,IAAI,KAAK;AAC1C,kBAAM,UAAU,KAAK,IAAG,IAAK;AAC7B,kBAAM,YAAW,GAAA,cAAA,yBAAwB,WAAW;AAGpD,kBAAM,MAAM,MAAM,UAAU;AAC5B,gBAAI,KAAK;AACP,eAAA,GAAA,mBAAA,cACE,KACA,OAAO,MACP,SAAS,OACT,SAAS,WACT,SACA,SAAS,SACT,SAAS,QAAQ,SAAa,SAAiB,IAAI;YAEvD;AAGA,gBAAI,CAAC,SAAS,OAAO;AACnB,qBAAO;gBACL,OAAO;gBACP,WAAW,KAAK,IAAI,KAAK,YAAY,SAAS,SAAS;gBACvD,SAAS,CAAC,GAAG,SAAS,GAAG,SAAS,OAAO;gBACzC;;YAEJ;AAGA,wBAAY,KAAK,IAAI,KAAK,YAAY,SAAS,SAAS;AACxD,oBAAQ,KAAK,GAAG,SAAS,OAAO;AAGhC,gBAAI,SAAS,MAAM;AACjB,qBAAO,OAAO,MAAM,SAAS,IAAI;YACnC;AAGA,gBAAI,SAAS,SAAS,kBAAkB,QAAW;AACjD,8BACE,kBAAkB,SACd,SAAS,QAAQ,gBACjB,KAAK,IAAI,eAAe,SAAS,QAAQ,aAAa;YAC9D;AAEA,gBAAI,SAAS,SAAS,kBAAkB;AACtC,iCAAmB;gBACjB,GAAG;gBACH,GAAG,SAAS,QAAQ;;YAExB;UACF,SAAS,OAAO;AAEd,oBAAQ,MAAM,kBAAkB,OAAO,IAAI,YAAY,KAAK;AAE5D,kBAAM,MAAM,MAAM,UAAU;AAC5B,gBAAI,KAAK;AACP,eAAA,GAAA,mBAAA,cAAa,KAAK,OAAO,MAAM,OAAO,KAAK,GAAG;gBAC5C,gBAAgB,OAAO,IAAI;eAC5B;YACH;AAEA,mBAAO;cACL,OAAO;cACP,WAAW;cACX,SAAS,CAAC,gBAAgB,OAAO,IAAI,EAAE;;UAE3C;QACF;AAEA,cAAM,eACJ,OAAO,KAAK,gBAAgB,EAAE,SAAS,IAAI,mBAAmB;AAEhE,eAAO;UACL,OAAO;UACP;UACA;UACA;UACA,SACE,kBAAkB,UAAa,eAC3B;YACE;YACA,kBAAkB;cAEpB;;MAEV;;AA3KW,YAAA,yBAAAA;qCAAAA,0BAAsB,WAAA;OADlC,GAAA,SAAA,YAAU;2DAE8B,kBAAA,mBAAc,eAAd,kBAAA,oBAAc,aAAA,KAAA,MAAA,CAAA;OAD1CA,uBAAsB;;;;;AC9BnC,SAAS,cAAAC,aAAY,eAAAC,oBAAmB;AA0BxC,SAAS,WAAW,QAAwB;AAC1C,SAAO,GAAG,MAAM,IAAIA,aAAY,EAAE,EAAE,SAAS,KAAK,CAAC;AACrD;AAEA,SAASC,QAAO,MAAsB;AACpC,SAAOF,YAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO,KAAK;AACvD;AAEA,SAASG,aAAY,SAA0C;AAC7D,SAAOD,QAAO,KAAK,UAAU,OAAO,CAAC;AACvC;AAEA,SAAS,YACP,GACA,GACoB;AACpB,QAAM,QAA4B,CAAC;AACnC,QAAM,UAAU,oBAAI,IAAI,CAAC,GAAG,OAAO,KAAK,CAAC,GAAG,GAAG,OAAO,KAAK,CAAC,CAAC,CAAC;AAE9D,aAAW,OAAO,SAAS;AACzB,UAAM,KAAK,EAAE,GAAG;AAChB,UAAM,KAAK,EAAE,GAAG;AAChB,QAAI,KAAK,UAAU,EAAE,MAAM,KAAK,UAAU,EAAE,GAAG;AAC7C,YAAM,KAAK,EAAE,OAAO,KAAK,UAAU,IAAI,UAAU,GAAG,CAAC;AAAA,IACvD;AAAA,EACF;AAEA,SAAO;AACT;AAvEA,IA6Ea;AA7Eb;AAAA;AA6EO,IAAM,iBAAN,MAAqB;AAAA,MAG1B,YAA6B,OAAsB;AAAtB;AAF7B,aAAQ,WAAW,oBAAI,IAA6B;AAAA,MAEA;AAAA;AAAA,MAGpD,gBAAgB,SAAgC;AAC9C,aAAK,SAAS,IAAI,QAAQ,QAAQ,OAAO;AAAA,MAC3C;AAAA;AAAA;AAAA;AAAA,MAMA,MAAM,YACJ,QACA,SACA,SACA,QACA,UAQI,CAAC,GACmB;AACxB,cAAM,QAAuB;AAAA,UAC3B,UAAU,WAAW,KAAK;AAAA,UAC1B,aAAa,QAAQ,cAAc;AAAA,UACnC,WAAW,QAAQ,YAAY;AAAA,UAC/B,iBAAiB,QAAQ,iBAAiB;AAAA,UAC1C;AAAA,UACA,UAAU;AAAA,UACV,YAAY,QAAQ;AAAA,UACpB,gBAAgB,QAAQ;AAAA,UACxB,cAAcC,aAAY,OAAO;AAAA,UACjC,aAAaA,aAAY,MAAM;AAAA,UAC/B,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,aAAa,QAAQ,eAAe;AAAA,UACpC,YAAY,QAAQ;AAAA,UACpB,YAAY,KAAK,IAAI;AAAA,UACrB,UAAU,EAAE,SAAS,OAAO;AAAA,QAC9B;AAEA,cAAM,KAAK,MAAM,UAAU,KAAK;AAChC,eAAO;AAAA,MACT;AAAA;AAAA;AAAA;AAAA,MAMA,MAAM,OAAO,SAA+C;AAC1D,cAAM,gBAAgB,MAAM,KAAK,MAAM,SAAS,QAAQ,eAAe;AACvE,YAAI,CAAC,eAAe;AAClB,gBAAM,IAAI,MAAM,SAAS,QAAQ,eAAe,YAAY;AAAA,QAC9D;AAEA,cAAM,UAAU,KAAK,SAAS,IAAI,cAAc,MAAM;AACtD,YAAI,CAAC,SAAS;AACZ,gBAAM,IAAI,MAAM,qCAAqC,cAAc,MAAM,GAAG;AAAA,QAC9E;AAGA,cAAM,kBACH,cAAc,UAAU,WAAuC,CAAC;AACnE,cAAM,gBACJ,QAAQ,SAAS,gBAAgB,QAAQ,mBACrC,QAAQ,mBACR;AAGN,cAAM,WAAW,MAAM,KAAK,MAAM,mBAAmB,cAAc,QAAQ;AAE3E,cAAM,UAAkC;AAAA,UACtC,UAAU,WAAW,KAAK;AAAA,UAC1B,aAAa,cAAc;AAAA,UAC3B,WAAW,UAAU,cAAc,SAAS;AAAA,UAC5C,QAAQ;AAAA,UACR,UAAU,cAAc;AAAA,UACxB,gBAAgB,cAAc;AAAA,UAC9B,UAAU,YAAY;AAAA,UACtB,WAAW;AAAA,UACX,eAAe;AAAA,QACjB;AAEA,cAAM,UAAU,KAAK,IAAI;AACzB,cAAM,gBAAgB,MAAM,QAAQ,QAAQ,eAAe,OAAO;AAClE,cAAM,aAAa,KAAK,IAAI,IAAI;AAEhC,cAAM,gBAA+B;AAAA,UACnC,UAAU,QAAQ;AAAA,UAClB,aAAa,cAAc;AAAA,UAC3B,WAAW,QAAQ;AAAA,UACnB,iBAAiB,cAAc;AAAA,UAC/B,QAAQ,cAAc;AAAA,UACtB,UAAU,cAAc;AAAA,UACxB,YAAY,cAAc;AAAA,UAC1B,gBAAgB,cAAc;AAAA,UAC9B,cAAcA,aAAY,aAAa;AAAA,UACvC,aAAaA,aAAY,cAAc,WAAW;AAAA,UAClD,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,aAAa,cAAc;AAAA,UAC3B,YAAY,KAAK,IAAI;AAAA,UACrB,UAAU,EAAE,SAAS,eAAe,QAAQ,cAAc,YAAY;AAAA,QACxE;AAEA,cAAM,KAAK,MAAM,UAAU,aAAa;AAGxC,cAAM,iBACH,cAAc,UAAU,UAAsC,CAAC;AAClE,cAAM,cAAc,YAAY,gBAAgB,cAAc,WAAW;AACzE,cAAM,qBACJ,cAAc,gBAAgB,cAAc;AAE9C,eAAO;AAAA,UACL,gBAAgB;AAAA,UAChB,gBAAgB;AAAA,UAChB,MAAM,QAAQ;AAAA,UACd,qBAAqB;AAAA,UACrB;AAAA,UACA,aAAa;AAAA,QACf;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAMA,MAAM,KAAK,SAA2C;AACpD,cAAM,cAAc,MAAM,KAAK,MAAM,SAAS,QAAQ,eAAe;AACrE,YAAI,CAAC,aAAa;AAChB,gBAAM,IAAI,MAAM,SAAS,QAAQ,eAAe,YAAY;AAAA,QAC9D;AAEA,cAAM,UAAU,KAAK,SAAS,IAAI,YAAY,MAAM;AACpD,YAAI,CAAC,SAAS;AACZ,gBAAM,IAAI,MAAM,qCAAqC,YAAY,MAAM,GAAG;AAAA,QAC5E;AAGA,cAAM,SAAyB;AAAA,UAC7B,WAAW,WAAW,QAAQ;AAAA,UAC9B,aAAa,WAAW,UAAU;AAAA,UAClC,oBAAoB,YAAY;AAAA,UAChC,iBAAiB,YAAY;AAAA,UAC7B,aAAa;AAAA,UACb,oBAAoB,QAAQ;AAAA,UAC5B,SAAS,QAAQ;AAAA,UACjB,QAAQ;AAAA,QACV;AAEA,cAAM,KAAK,MAAM,WAAW,MAAM;AAGlC,cAAM,WAA0B;AAAA,UAC9B,aAAa,WAAW,MAAM;AAAA,UAC9B,aAAa,YAAY;AAAA,UACzB,UAAU,YAAY;AAAA,UACtB,gBAAgB,YAAY;AAAA,UAC5B,YAAYA;AAAA,YACT,YAAY,UAAU,UAAsC,CAAC;AAAA,UAChE;AAAA,UACA,YACG,YAAY,UAAU,UAAsC,CAAC;AAAA,UAChE,YAAY,KAAK,IAAI;AAAA,QACvB;AAEA,cAAM,KAAK,MAAM,aAAa,QAAQ;AAGtC,cAAM,UAAkC;AAAA,UACtC,UAAU,WAAW,KAAK;AAAA,UAC1B,aAAa,OAAO;AAAA,UACpB,WAAW,OAAO;AAAA,UAClB,QAAQ;AAAA,UACR,UAAU,QAAQ;AAAA,UAClB,gBAAgB,YAAY;AAAA,UAC5B;AAAA,UACA,WAAW;AAAA,UACX,eAAe;AAAA,QACjB;AAEA,cAAM,gBAAgB,MAAM,QAAQ,QAAQ,QAAQ,aAAa,OAAO;AAExE,cAAM,cAA6B;AAAA,UACjC,UAAU,QAAQ;AAAA,UAClB,aAAa,OAAO;AAAA,UACpB,WAAW,OAAO;AAAA,UAClB,iBAAiB,YAAY;AAAA,UAC7B,QAAQ,YAAY;AAAA,UACpB,UAAU,QAAQ;AAAA,UAClB,gBAAgB,YAAY;AAAA,UAC5B,cAAcA,aAAY,QAAQ,WAAW;AAAA,UAC7C,aAAaA,aAAY,cAAc,WAAW;AAAA,UAClD,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,aAAa,YAAY;AAAA,UACzB,YAAY,KAAK,IAAI;AAAA,UACrB,UAAU;AAAA,YACR,SAAS,QAAQ;AAAA,YACjB,QAAQ,cAAc;AAAA,UACxB;AAAA,QACF;AAEA,cAAM,KAAK,MAAM,UAAU,WAAW;AAEtC,eAAO,EAAE,QAAQ,cAAc,aAAa,SAAS;AAAA,MACvD;AAAA;AAAA;AAAA;AAAA,MAMA,MAAM,SAAS,SAAuD;AACpE,cAAM,UAAU,KAAK,SAAS,IAAI,QAAQ,MAAM;AAChD,YAAI,CAAC,SAAS;AACZ,gBAAM,IAAI,MAAM,qCAAqC,QAAQ,MAAM,GAAG;AAAA,QACxE;AAGA,YAAI;AACJ,YAAI,QAAQ,kBAAkB;AAC5B,gBAAM,SAAS,MAAM,KAAK,MAAM,YAAY,QAAQ,gBAAgB;AACpE,cAAI,CAAC,QAAQ;AACX,kBAAM,IAAI,MAAM,YAAY,QAAQ,gBAAgB,YAAY;AAAA,UAClE;AACA,qBAAW;AAAA,QACb;AAGA,cAAM,SAAyB;AAAA,UAC7B,WAAW,WAAW,QAAQ;AAAA,UAC9B,aAAa,WAAW,UAAU;AAAA,UAClC,oBAAoB;AAAA,UACpB,iBAAiB;AAAA,UACjB,aAAa;AAAA,UACb,gBAAgB,QAAQ;AAAA,UACxB,oBAAoB,QAAQ;AAAA,UAC5B,SAAS,QAAQ;AAAA,UACjB,QAAQ;AAAA,QACV;AAEA,cAAM,KAAK,MAAM,WAAW,MAAM;AAElC,cAAM,UAAkC;AAAA,UACtC,UAAU,WAAW,KAAK;AAAA,UAC1B,aAAa,OAAO;AAAA,UACpB,WAAW,OAAO;AAAA,UAClB,QAAQ;AAAA,UACR,UAAU,QAAQ;AAAA,UAClB,gBAAgB,QAAQ;AAAA,UACxB;AAAA,UACA,WAAW;AAAA,UACX,eAAe;AAAA,QACjB;AAEA,cAAM,UAAU,KAAK,IAAI;AACzB,cAAM,gBAAgB,MAAM,QAAQ,QAAQ,QAAQ,SAAS,OAAO;AACpE,cAAM,aAAa,KAAK,IAAI,IAAI;AAEhC,cAAM,iBAAgC;AAAA,UACpC,UAAU,QAAQ;AAAA,UAClB,aAAa,OAAO;AAAA,UACpB,WAAW,OAAO;AAAA,UAClB,iBAAiB;AAAA,UACjB,QAAQ,QAAQ;AAAA,UAChB,UAAU,QAAQ;AAAA,UAClB,gBAAgB,QAAQ;AAAA,UACxB,cAAcA,aAAY,QAAQ,OAAO;AAAA,UACzC,aAAaA,aAAY,cAAc,WAAW;AAAA,UAClD,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,YAAY,KAAK,IAAI;AAAA,UACrB,UAAU,EAAE,SAAS,QAAQ,SAAS,QAAQ,cAAc,YAAY;AAAA,QAC1E;AAEA,cAAM,KAAK,MAAM,UAAU,cAAc;AAGzC,eAAO,SAAS;AAChB,cAAM,KAAK,MAAM,WAAW,MAAM;AAElC,eAAO;AAAA,UACL;AAAA,UACA,iBAAiB;AAAA,UACjB,mBAAmB,cAAc;AAAA,UACjC,cAAc,cAAc,gBAAgB,CAAC;AAAA,UAC7C,aAAa;AAAA,QACf;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAMA,MAAM,QACJ,aACA,aAC6B;AAC7B,cAAM,UAAU,MAAM,KAAK,MAAM,oBAAoB,WAAW;AAChE,cAAM,UAAU,MAAM,KAAK,MAAM,oBAAoB,WAAW;AAGhE,gBAAQ,KAAK,CAAC,GAAG,MAAM,EAAE,aAAa,EAAE,UAAU;AAClD,gBAAQ,KAAK,CAAC,GAAG,MAAM,EAAE,aAAa,EAAE,UAAU;AAElD,cAAM,SAAS,KAAK,IAAI,QAAQ,QAAQ,QAAQ,MAAM;AACtD,cAAM,aAAgD,CAAC;AACvD,YAAI;AAEJ,iBAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,gBAAM,IAAI,QAAQ,CAAC;AACnB,gBAAM,IAAI,QAAQ,CAAC;AAEnB,cAAI,CAAC,KAAK,CAAC,GAAG;AACZ,gBAAI,CAAC,iBAAiB;AACpB,gCAAkB,GAAG,YAAY,GAAG;AAAA,YACtC;AACA;AAAA,UACF;AAEA,gBAAM,QAAQ,EAAE,gBAAgB,EAAE;AAClC,gBAAM,UACH,EAAE,UAAU,UAAsC,CAAC;AACtD,gBAAM,UACH,EAAE,UAAU,UAAsC,CAAC;AACtD,gBAAM,cAAc,QAAQ,CAAC,IAAI,YAAY,SAAS,OAAO;AAE7D,cAAI,CAAC,SAAS,CAAC,iBAAiB;AAC9B,8BAAkB,EAAE;AAAA,UACtB;AAEA,qBAAW,KAAK,EAAE,SAAS,GAAG,SAAS,GAAG,OAAO,YAAY,CAAC;AAAA,QAChE;AAEA,eAAO;AAAA,UACL,YAAY;AAAA,UACZ,YAAY;AAAA,UACZ,aAAa;AAAA,UACb,kBAAkB;AAAA,QACpB;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAMA,MAAM,eACJ,SACA,WACwB;AACxB,cAAM,QAAQ,MAAM,KAAK,MAAM,SAAS,OAAO;AAC/C,YAAI,CAAC,OAAO;AACV,gBAAM,IAAI,MAAM,SAAS,OAAO,YAAY;AAAA,QAC9C;AAEA,cAAM,WAA0B;AAAA,UAC9B,aAAa,WAAW,MAAM;AAAA,UAC9B,aAAa,MAAM;AAAA,UACnB,UAAU;AAAA,UACV,gBAAgB,MAAM;AAAA,UACtB,YAAYA,aAAY,SAAS;AAAA,UACjC,YAAY;AAAA,UACZ,YAAY,KAAK,IAAI;AAAA,QACvB;AAEA,cAAM,KAAK,MAAM,aAAa,QAAQ;AACtC,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,gBAAgB,YAA4C;AAChE,cAAM,WAAW,MAAM,KAAK,MAAM,YAAY,UAAU;AACxD,YAAI,CAAC,UAAU;AACb,gBAAM,IAAI,MAAM,YAAY,UAAU,YAAY;AAAA,QACpD;AACA,eAAO;AAAA,MACT;AAAA,IACF;AAAA;AAAA;;;AC9cA,IAkCa;AAlCb;AAAA;AAkCO,IAAM,wBAAN,MAAqD;AAAA,MAArD;AACL,aAAQ,SAAS,oBAAI,IAA2B;AAChD,aAAQ,WAAW,oBAAI,IAA4B;AACnD,aAAQ,YAAY,oBAAI,IAA2B;AAAA;AAAA,MAEnD,MAAM,UAAU,OAAqC;AACnD,aAAK,OAAO,IAAI,MAAM,UAAU,KAAK;AAAA,MACvC;AAAA,MAEA,MAAM,SAAS,SAAgD;AAC7D,eAAO,KAAK,OAAO,IAAI,OAAO,KAAK;AAAA,MACrC;AAAA,MAEA,MAAM,oBAAoB,YAA8C;AACtE,eAAO,CAAC,GAAG,KAAK,OAAO,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,gBAAgB,UAAU;AAAA,MAC7E;AAAA,MAEA,MAAM,kBAAkB,UAA4C;AAClE,eAAO,CAAC,GAAG,KAAK,OAAO,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,cAAc,QAAQ;AAAA,MACzE;AAAA,MAEA,MAAM,WAAW,QAAuC;AACtD,aAAK,SAAS,IAAI,OAAO,WAAW,MAAM;AAAA,MAC5C;AAAA,MAEA,MAAM,UAAU,UAAkD;AAChE,eAAO,KAAK,SAAS,IAAI,QAAQ,KAAK;AAAA,MACxC;AAAA,MAEA,MAAM,sBAAsB,YAA+C;AACzE,eAAO,CAAC,GAAG,KAAK,SAAS,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,gBAAgB,UAAU;AAAA,MAC/E;AAAA,MAEA,MAAM,aAAa,UAAwC;AACzD,aAAK,UAAU,IAAI,SAAS,aAAa,QAAQ;AAAA,MACnD;AAAA,MAEA,MAAM,YAAY,YAAmD;AACnE,eAAO,KAAK,UAAU,IAAI,UAAU,KAAK;AAAA,MAC3C;AAAA,MAEA,MAAM,mBAAmB,SAAgD;AACvE,eACE,CAAC,GAAG,KAAK,UAAU,OAAO,CAAC,EAAE,KAAK,CAAC,MAAM,EAAE,aAAa,OAAO,KAAK;AAAA,MAExE;AAAA,IACF;AAAA;AAAA;;;ACxEO,SAAS,iBACd,UACA,MACY;AACZ,QAAM,aAAS,oCAAiB,QAAQ;AACxC,QAAM,QAAQ,OAAO,OAAO,QAAQ,CAAC,UAAU;AAC7C,UAAM,QAAS,KAAiC,MAAM,IAAI;AAC1D,QAAI,UAAU,UAAa,UAAU,MAAM;AACzC,UAAI,MAAM,UAAU;AAClB,cAAM,IAAI,MAAM,wCAAwC,MAAM,IAAI,EAAE;AAAA,MACtE;AACA,aAAO,CAAC;AAAA,IACV;AAEA,WAAO,CAAC,EAAE,MAAM,MAAM,KAAK,OAAO,YAAY,OAAO,KAAK,EAAE,CAAC;AAAA,EAC/D,CAAC;AAED,SAAO,UAAU,KAAK;AACxB;AAEA,SAAS,YAAY,OAAuB,OAAwB;AAClE,UAAQ,MAAM,MAAM;AAAA,IAClB,KAAK;AACH,aAAO,OAAO,KAAK,OAAO,KAAK,GAAG,MAAM;AAAA,IAC1C,KAAK;AACH,aAAO,UAAU,KAAK;AAAA,IACxB,KAAK;AAAA,IACL,KAAK;AACH,aAAO,SAAS,KAAK;AAAA,IACvB,KAAK;AACH,aAAO,OAAO,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;AAAA,IACpC,KAAK;AAAA,IACL,KAAK;AACH,aAAO,OAAO,KAAK,KAAK,UAAU,KAAK,GAAG,MAAM;AAAA,IAClD;AACE,aAAO,SAAS,KAAK;AAAA,EACzB;AACF;AAEA,SAAS,UAAU,OAAwB;AACzC,QAAM,UAAU,OAAO,MAAM,CAAC;AAC9B,UAAQ;AAAA,IACN,OAAO,UAAU,WAAW,QAAQ,OAAO,KAAwB;AAAA,EACrE;AACA,SAAO;AACT;AAEA,SAAS,SAAS,OAAwB;AACxC,MAAI,OAAO,SAAS,KAAK,GAAG;AAC1B,WAAO;AAAA,EACT;AACA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,OAAO,KAAK,KAAK;AAAA,EAC1B;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,OAAO,KAAK,OAAO,MAAM;AAAA,EAClC;AAEA,QAAM,IAAI,MAAM,gCAAgC,OAAO,KAAK,EAAE;AAChE;AAnEA;AAAA;AAAA;AAAA;AAAA;;;ACwRO,SAAS,uBACd,QACA,UAAkB,YAClB,QAAgB,QACR;AAGR,SAAO,MAAM,OAAO,IAAI,KAAK,IAAI,MAAM;AACzC;AAMO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU;AAAA,IACd,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,IAAI;AAAA,IAC/C,MAAM;AAAA,MACJ,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,MACf,KAAK,KAAK,KAAK;AAAA,IACjB;AAAA,IACA,MAAM,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,MAAM,KAAK,KAAK,KAAK;AAAA,EACvE;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;AAKO,SAAS,kBAAkB,OAAmC;AACnE,QAAM,UAAU;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,QAAQ,MAAM;AAAA,IACd,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,IAClB,MAAM,MAAM;AAAA,IACZ,MAAM,MAAM;AAAA,EACd;AACA,SAAO,KAAK,UAAU,OAAO;AAC/B;AAjUA;AAAA;AAyQA;AAAA;AAAA;;;AC9PA,SAAS,cAAAC,aAAY,eAAAC,oBAAmB;AACxC,SAAS,QAAAC,aAAoB;AA6B7B,SAASC,QAAO,MAAsB;AACpC,SAAOH,YAAW,QAAQ,EAAE,OAAO,IAAI,EAAE,OAAO,KAAK;AACvD;AAEA,SAAS,WAAW,KAAyB;AAC3C,QAAMI,SAAQ,IAAI,WAAW,IAAI,SAAS,CAAC;AAC3C,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK,GAAG;AACtC,IAAAA,OAAM,IAAI,CAAC,IAAI,SAAS,IAAI,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE;AAAA,EACrD;AACA,SAAOA;AACT;AAEA,SAAS,WAAWA,QAA2B;AAC7C,SAAO,MAAM,KAAKA,MAAK,EACpB,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAEA,SAAS,WAAW,KAAyB;AAC3C,QAAM,MAAM,OAAO,KAAK,KAAK,QAAQ;AACrC,SAAO,IAAI,WAAW,IAAI,QAAQ,IAAI,YAAY,IAAI,UAAU;AAClE;AAEA,SAAS,WAAWA,QAA2B;AAC7C,SAAO,OAAO,KAAKA,MAAK,EAAE,SAAS,QAAQ;AAC7C;AAYO,SAAS,wBACd,aACA,QAAgB,yBACG;AACnB,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,QAAQH,aAAY,EAAE,EAAE,SAAS,KAAK;AAC5C,QAAM,cAAcE,QAAO,GAAG,YAAY,MAAM,IAAI,KAAK,IAAI,GAAG,EAAE;AAElE,SAAO;AAAA,IACL,cAAc;AAAA,IACd;AAAA,IACA,iBAAiB;AAAA,IACjB,QAAQ;AAAA,IACR,YAAY,MAAM;AAAA,EACpB;AACF;AAKA,SAAS,oBACP,WACA,YACQ;AACR,SAAO,KAAK,UAAU;AAAA,IACpB,OAAO,UAAU;AAAA,IACjB,iBAAiB,UAAU;AAAA,IAC3B,aAAa,cAAc;AAAA,EAC7B,CAAC;AACH;AAKO,SAAS,sBACd,WACA,eACA,cACA,aACA,KACe;AACf,QAAM,OAAO,oBAAoB,WAAW,YAAY,WAAW;AACnE,QAAM,WAAW,IAAI,YAAY,EAAE,OAAO,IAAI;AAC9C,QAAM,YAAY,WAAW,aAAa;AAC1C,QAAM,YAAYD,MAAK,SAAS,UAAU,SAAS;AAEnD,SAAO;AAAA,IACL,cAAc,UAAU;AAAA,IACxB,WAAW,WAAW,SAAS;AAAA,IAC/B,YAAY;AAAA,IACZ;AAAA,EACF;AACF;AAKO,SAAS,oBACd,WACA,OACA,aACA,aAAqB,8BACC;AAEtB,MAAI,KAAK,IAAI,IAAI,UAAU,YAAY;AACrC,WAAO,EAAE,OAAO,OAAO,OAAO,qBAAqB,MAAM,oBAAoB;AAAA,EAC/E;AAGA,MAAI,MAAM,iBAAiB,UAAU,cAAc;AACjD,WAAO,EAAE,OAAO,OAAO,OAAO,yBAAyB,MAAM,qBAAqB;AAAA,EACpF;AAGA,QAAM,OAAO,oBAAoB,WAAW,YAAY,WAAW;AACnE,QAAM,WAAW,IAAI,YAAY,EAAE,OAAO,IAAI;AAC9C,QAAM,WAAW,WAAW,MAAM,SAAS;AAC3C,QAAM,WAAW,WAAW,MAAM,UAAU;AAE5C,MAAI;AACJ,MAAI;AACF,cAAUA,MAAK,SAAS,OAAO,UAAU,UAAU,QAAQ;AAAA,EAC7D,QAAQ;AACN,WAAO,EAAE,OAAO,OAAO,OAAO,iCAAiC,MAAM,cAAc;AAAA,EACrF;AAEA,MAAI,CAAC,SAAS;AACZ,WAAO,EAAE,OAAO,OAAO,OAAO,qBAAqB,MAAM,cAAc;AAAA,EACzE;AAGA,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,aAAaC;AAAA,IACjB,GAAG,MAAM,UAAU,IAAI,UAAU,KAAK,IAAI,UAAU,eAAe;AAAA,EACrE;AACA,QAAM,mBAAmBA;AAAA,IACvB,oBAAoB,MAAM,UAAU;AAAA,EACtC;AAEA,QAAM,UAA2B;AAAA,IAC/B,aAAa;AAAA,IACb,QAAQ,YAAY;AAAA,IACpB,mBAAmB;AAAA,IACnB,OAAO;AAAA,MACL,oBAAoB,YAAY,aAAa;AAAA,IAC/C;AAAA,IACA,WAAW;AAAA,IACX,YAAY,MAAM;AAAA,EACpB;AAEA,SAAO,EAAE,OAAO,MAAM,UAAU,QAAQ;AAC1C;AAKO,SAAS,kBAAkB,SAA0C;AAC1E,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,MAAM,QAAQ,WAAY,QAAO;AACrC,SAAO;AACT;AAKO,SAAS,cACd,SACA,cAAsB,8BACL;AACjB,QAAM,MAAM,KAAK,IAAI;AACrB,SAAO;AAAA,IACL,GAAG;AAAA,IACH,YAAY;AAAA,IACZ,YAAY,MAAM;AAAA,EACpB;AACF;AASO,SAAS,WACd,MACA,MACA,QACA,eACA,KACM;AACN,QAAM,OAAiB,EAAE,KAAK,OAAO,KAAK,KAAK,OAAO,IAAI;AAC1D,QAAM,WAAqB,EAAE,GAAG,MAAM,MAAM,OAAO,SAAS;AAE5D,QAAM,WAA8B,EAAE,MAAM,MAAM,MAAM,SAAS;AACjE,QAAM,YAAY,iBAAiB,QAAQ;AAC3C,QAAM,WAAW,IAAI,YAAY,EAAE,OAAO,SAAS;AACnD,QAAM,YAAY,WAAW,aAAa;AAC1C,QAAM,YAAYD,MAAK,SAAS,UAAU,SAAS;AAEnD,QAAM,MAAqB;AAAA,IACzB,KAAK;AAAA,IACL,OAAO,WAAW,SAAS;AAAA,IAC3B;AAAA,EACF;AAEA,SAAO,EAAE,MAAM,MAAM,MAAM,UAAU,IAAI;AAC3C;AASO,SAAS,aACd,MACA,cACA,aACA,QACsB;AACtB,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,MAAI,MAAM,KAAK,KAAK,KAAK;AACvB,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,MACP,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AACA,MAAI,MAAM,KAAK,KAAK,KAAK;AACvB,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,MACP,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AAGA,MAAI,aAAa;AACf,QAAI,KAAK,KAAK,QAAQ,YAAY,WAAW;AAC3C,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO;AAAA,QACP,MAAM;AAAA,QACN,aAAa;AAAA,MACf;AAAA,IACF;AACA,QAAI,KAAK,KAAK,QAAQ,YAAY,WAAW,GAAG;AAC9C,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,gBAAgB,YAAY,WAAW,CAAC,SAAS,KAAK,KAAK,GAAG;AAAA,QACrE,MAAM;AAAA,QACN,aAAa;AAAA,MACf;AAAA,IACF;AACA,QAAI,KAAK,KAAK,SAAS,YAAY,mBAAmB;AACpD,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO;AAAA,QACP,MAAM;AAAA,QACN,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF,OAAO;AAEL,QAAI,KAAK,KAAK,QAAQ,GAAG;AACvB,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO;AAAA,QACP,MAAM;AAAA,QACN,aAAa;AAAA,MACf;AAAA,IACF;AACA,QAAI,KAAK,KAAK,SAAS,IAAI;AACzB,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO;AAAA,QACP,MAAM;AAAA,QACN,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,MAAI,KAAK,KAAK,QAAQ,QAAQ;AAC5B,UAAM,gBAAgB,OAAO;AAAA,MAAK,CAAC,MACjC,EAAE,aAAa,KAAK,KAAK,OACzB,EAAE,YAAY,KAAK,KAAK,OACxB,kBAAkB,GAAG,KAAK,KAAK,KAAK,KAAK,KAAK,KAAK,GAAG;AAAA,IACxD;AACA,QAAI,CAAC,eAAe;AAClB,aAAO;AAAA,QACL,OAAO;AAAA,QACP,OAAO,gCAAgC,KAAK,KAAK,GAAG;AAAA,QACpD,MAAM;AAAA,QACN,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAA8B;AAAA,IAClC,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,EACb;AACA,QAAM,YAAY,iBAAiB,QAAQ;AAC3C,QAAM,WAAW,IAAI,YAAY,EAAE,OAAO,SAAS;AACnD,QAAM,WAAW,WAAW,KAAK,IAAI,KAAK;AAC1C,QAAM,WAAW,WAAW,YAAY;AAExC,MAAI;AACJ,MAAI;AACF,eAAWA,MAAK,SAAS,OAAO,UAAU,UAAU,QAAQ;AAAA,EAC9D,QAAQ;AACN,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,MACP,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AAEA,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,MACP,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,MAAM,KAAK;AAC7B;AASO,SAAS,kBACd,OACA,QACA,UACA,SACS;AAET,MAAI,UAAU,MAAM,KAAK,OAAO,UAAU,MAAM,KAAK,KAAK;AACxD,WAAO;AAAA,EACT;AAGA,SAAO,MAAM,KAAK;AAAA,IAAK,CAAC,QACtB,SAAS,IAAI,KAAK,MAAM,KAAK,WAAW,IAAI,OAAO,QAAQ;AAAA,EAC7D;AACF;AAMA,SAAS,SAAS,SAAiB,QAAyB;AAC1D,MAAI,YAAY,IAAK,QAAO;AAC5B,MAAI,YAAY,OAAQ,QAAO;AAE/B,MAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,UAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,WAAO,OAAO,WAAW,SAAS,GAAG;AAAA,EACvC;AAEA,SAAO;AACT;AAMA,SAAS,WAAW,SAAiB,UAA2B;AAC9D,MAAI,YAAY,IAAK,QAAO;AAC5B,MAAI,YAAY,SAAU,QAAO;AAGjC,MAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,UAAM,QAAQ,IAAI;AAAA,MAChB,MAAM,QAAQ,QAAQ,OAAO,KAAK,EAAE,QAAQ,OAAO,OAAO,IAAI;AAAA,IAChE;AACA,WAAO,MAAM,KAAK,QAAQ;AAAA,EAC5B;AAEA,SAAO;AACT;AAKO,SAAS,eACd,OACA,aACa;AACb,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAGxC,QAAM,UAAU,YAAY;AAAA,IAC1B,CAAC,MAAM,EAAE,gBAAgB,WAAW,EAAE,cAAc,MAAM;AAAA,EAC5D;AACA,MAAI,WAAW,QAAQ,gBAAgB,MAAM,KAAM;AACjD,WAAO;AAAA,EACT;AAGA,MAAI,MAAM,MAAM,KAAK,IAAK,QAAO;AAEjC,SAAO;AACT;AAKO,SAAS,cACd,OACA,oBACuB;AACvB,QAAM,WAA+B;AAAA,IACnC,UAAU,MAAM;AAAA,IAChB,QAAQ,MAAM;AAAA,IACd,SAAS,MAAM;AAAA,IACf,YAAY,MAAM;AAAA,IAClB,MAAM,MAAM;AAAA,IACZ,MAAM,MAAM;AAAA,EACd;AACA,QAAM,YAAY,kBAAkB,QAAQ;AAC5C,QAAM,WAAW,IAAI,YAAY,EAAE,OAAO,SAAS;AACnD,QAAM,WAAW,WAAW,MAAM,IAAI,KAAK;AAC3C,QAAM,WAAW,WAAW,kBAAkB;AAE9C,MAAI;AACJ,MAAI;AACF,YAAQA,MAAK,SAAS,OAAO,UAAU,UAAU,QAAQ;AAAA,EAC3D,QAAQ;AACN,WAAO,EAAE,OAAO,OAAO,OAAO,uCAAuC,MAAM,iBAAiB;AAAA,EAC9F;AAEA,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,OAAO,OAAO,OAAO,2BAA2B,MAAM,oBAAoB;AAAA,EACrF;AAEA,SAAO,EAAE,OAAO,MAAM,MAAM;AAC9B;AAKO,SAAS,YACd,SACA,QACA,SACA,WACA,MACA,MACA,eACA,KACO;AACP,QAAM,WAA+B;AAAA,IACnC,UAAU;AAAA,IACV;AAAA,IACA;AAAA,IACA,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,EACF;AAEA,QAAM,YAAY,kBAAkB,QAAQ;AAC5C,QAAM,WAAW,IAAI,YAAY,EAAE,OAAO,SAAS;AACnD,QAAM,YAAY,WAAW,aAAa;AAC1C,QAAM,YAAYA,MAAK,SAAS,UAAU,SAAS;AAEnD,SAAO;AAAA,IACL,GAAG;AAAA,IACH,KAAK;AAAA,MACH,KAAK;AAAA,MACL,OAAO,WAAW,SAAS;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AACF;AASO,SAAS,cACd,MACA,QACA,aACA,UACa;AACb,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,WAAW,cAAc,YAAY,WAAW,IAAI;AAC1D,QAAM,WAAW,aAAa,QAAQ;AAGtC,QAAM,WAAWC,QAAO,iBAAiB;AAAA,IACvC,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,EACb,CAAC,CAAC;AAGF,QAAM,YAAY;AAAA,IAChB,YAAY;AAAA,IACZ;AAAA,IACA,KAAK,KAAK;AAAA,IACV,OAAO,QAAQ;AAAA,IACf;AAAA,IACA,OAAO,GAAG;AAAA,EACZ,EAAE,KAAK,GAAG;AAEV,QAAM,cAAcA,QAAO,SAAS;AACpC,QAAM,YAAYA,QAAO,WAAW,WAAW,IAAI,GAAG,EAAE;AAExD,SAAO;AAAA,IACL,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,WAAW,KAAK,KAAK;AAAA,IACrB;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,WAAW;AAAA,IACX,aAAa;AAAA,IACb;AAAA,EACF;AACF;AAKO,SAAS,mBAAmB,UAIjC;AACA,MAAI,SAAS,WAAW,EAAG,QAAO,EAAE,OAAO,KAAK;AAGhD,QAAM,SAAS,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ;AAGnE,MAAI,OAAO,CAAC,EAAE,cAAc,MAAM;AAChC,WAAO;AAAA,MACL,OAAO;AAAA,MACP,UAAU;AAAA,MACV,OAAO;AAAA,IACT;AAAA,EACF;AAGA,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,QAAI,OAAO,CAAC,EAAE,cAAc,OAAO,IAAI,CAAC,EAAE,MAAM;AAC9C,aAAO;AAAA,QACL,OAAO;AAAA,QACP,UAAU;AAAA,QACV,OAAO,WAAW,CAAC,qCAAqC,IAAI,CAAC;AAAA,MAC/D;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,KAAK;AACvB;AAKO,SAAS,kBACd,SACA,QACa;AACb,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB;AAAA,IACA,mBAAmB,QAAQ;AAAA,IAC3B,UAAU,QAAQ;AAAA,IAClB,YAAY,QAAQ;AAAA,EACtB;AACF;AASO,SAAS,iBACd,YACA,UACA,cACA,eACA,QACY;AACZ,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,eAAeA,QAAO,UAAU,UAAU,IAAI,QAAQ,IAAI,GAAG,EAAE;AAErE,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,eAAe;AAAA,IACf,aAAa;AAAA,IACb,WAAW;AAAA,IACX,eAAe;AAAA,IACf,cAAc;AAAA,IACd,QAAQ,UAAU;AAAA,EACpB,CAAC;AAED,QAAM,WAAW,IAAI,YAAY,EAAE,OAAO,OAAO;AACjD,QAAM,YAAY,WAAW,aAAa;AAC1C,QAAM,YAAYD,MAAK,SAAS,UAAU,SAAS;AAEnD,SAAO;AAAA,IACL,eAAe;AAAA,IACf,aAAa;AAAA,IACb,WAAW;AAAA,IACX,eAAe;AAAA,IACf;AAAA,IACA,cAAc;AAAA,IACd,WAAW,WAAW,SAAS;AAAA,EACjC;AACF;AAKO,SAAS,UACd,YACA,UACA,aACS;AACT,QAAM,MAAM,KAAK,IAAI;AACrB,SAAO,YAAY;AAAA,IACjB,CAAC,MACC,EAAE,gBAAgB,cAClB,EAAE,cAAc,YAChB,EAAE,gBAAgB;AAAA,EACtB;AACF;AAmBO,SAAS,oBACd,MACA,cACA,UACA,aACA,QACA,aACA,aACqE;AAErE,QAAM,iBAAiB,kBAAkB,QAAQ;AACjD,MAAI,mBAAmB,UAAU;AAC/B,WAAO,EAAE,OAAO,OAAO,OAAO,uBAAuB,MAAM,oBAAoB;AAAA,EACjF;AAGA,MAAI,UAAU,YAAY,SAAS,aAAa,WAAW,GAAG;AAC5D,WAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,MAAM,mBAAmB;AAAA,EAC7E;AAGA,QAAM,eAAe,OAAO;AAAA,IAC1B,CAAC,MAAM,eAAe,GAAG,WAAW,MAAM;AAAA,EAC5C;AAGA,QAAM,aAAa,aAAa,MAAM,cAAc,aAAa,YAAY;AAC7E,MAAI,CAAC,WAAW,OAAO;AACrB,WAAO,EAAE,OAAO,OAAO,OAAO,WAAW,OAAQ,MAAM,WAAW,KAAM;AAAA,EAC1E;AAGA,QAAM,UAAU,cAAc,MAAM,SAAS,WAAW;AAGxD,QAAM,iBAAiB,kBAAkB,SAAS,KAAK,KAAK,GAAG;AAE/D,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,gBAAgB;AAAA,EAClB;AACF;AA9uBA,IAwEM,yBACA;AAzEN;AAAA;AAmCA;AAqCA,IAAM,0BAA0B;AAChC,IAAM,+BAA+B,KAAK,KAAK;AAAA;AAAA;;;ACyP/C,SAAS,aAAa,OAAgB,cAAkD;AACtF,UAAQ,cAAc;AAAA,IACpB,KAAK;AACH,aAAO,OAAO,UAAU;AAAA,IAC1B,KAAK;AACH,aAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK;AAAA,IAC3D,KAAK;AACH,aAAO,OAAO,UAAU;AAAA,IAC1B,KAAK;AACH,aAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAAA,IAC5E,KAAK;AACH,aAAO,MAAM,QAAQ,KAAK;AAAA,IAC5B;AACE,aAAO;AAAA,EACX;AACF;AAEA,SAAS,WACP,QACA,UACA,aACY;AACZ,QAAM,UAAoB,CAAC;AAC3B,MAAI,QAAQ;AAGZ,QAAM,cAAyC;AAAA,IAC7C,MAAM;AAAA,IACN,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AACA,UAAQ,YAAY,OAAO,UAAU,KAAK;AAC1C,MAAI,OAAO,eAAe,QAAQ;AAChC,YAAQ,KAAK,cAAc,OAAO,UAAU,EAAE;AAAA,EAChD;AAGA,MAAI,OAAO,kBAAkB;AAC3B,aAAS;AACT,YAAQ,KAAK,kBAAkB;AAAA,EACjC;AAGA,MAAI,CAAC,OAAO,YAAY;AACtB,aAAS;AACT,YAAQ,KAAK,gBAAgB;AAAA,EAC/B;AAGA,QAAM,SAAS,YAAY,OAAO,CAAC,MAAM,CAAC,EAAE,SAAS;AACrD,MAAI,OAAO,SAAS,GAAG;AACrB,aAAS,OAAO,OAAO;AACvB,YAAQ,KAAK,GAAG,OAAO,MAAM,4BAA4B;AAAA,EAC3D;AAGA,UAAQ,KAAK,IAAI,OAAO,CAAG;AAE3B,MAAI;AACJ,MAAI,SAAS,EAAG,SAAQ;AAAA,WACf,SAAS,IAAK,SAAQ;AAAA,WACtB,SAAS,IAAK,SAAQ;AAAA,WACtB,SAAS,IAAK,SAAQ;AAAA,MAC1B,SAAQ;AAEb,SAAO,EAAE,OAAO,OAAO,QAAQ;AACjC;AAtYA,IA+Ba,oBA6FA;AA5Hb;AAAA;AA+BO,IAAM,qBAAN,MAAyB;AAAA,MAAzB;AACL,aAAQ,UAAU,oBAAI,IAA0B;AAChD,aAAQ,UAAU,oBAAI,IAAoB;AAAA;AAAA,MAE1C,SAAS,QAA4B;AACnC,aAAK,QAAQ,IAAI,OAAO,QAAQ,MAAM;AAAA,MACxC;AAAA,MAEA,cAAc,OAAe,QAAsB;AACjD,aAAK,QAAQ,IAAI,MAAM,YAAY,GAAG,MAAM;AAAA,MAC9C;AAAA,MAEA,IAAI,QAA0C;AAC5C,eAAO,KAAK,QAAQ,IAAI,MAAM;AAAA,MAChC;AAAA,MAEA,QAAQ,KAAuC;AAE7C,cAAM,QAAQ,KAAK,QAAQ,IAAI,GAAG;AAClC,YAAI,MAAO,QAAO;AAGlB,cAAM,UAAU,KAAK,QAAQ,IAAI,IAAI,YAAY,CAAC;AAClD,YAAI,QAAS,QAAO,KAAK,QAAQ,IAAI,OAAO;AAG5C,cAAM,aAAa,CAAC,GAAG,KAAK,QAAQ,KAAK,CAAC,EAAE;AAAA,UAC1C,CAAC,MAAM,EAAE,WAAW,MAAM,GAAG,KAAK,EAAE,YAAY,EAAE,SAAS,IAAI,YAAY,CAAC;AAAA,QAC9E;AACA,YAAI,WAAW,WAAW,GAAG;AAC3B,iBAAO,KAAK,QAAQ,IAAI,WAAW,CAAC,CAAC;AAAA,QACvC;AAEA,eAAO;AAAA,MACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,eAAe,KAA6D;AAC1E,cAAM,aAAa,IAAI,YAAY,EAAE,KAAK;AAC1C,cAAM,UAA0D,CAAC;AAEjE,mBAAW,CAAC,KAAK,MAAM,KAAK,KAAK,SAAS;AACxC,cAAI,QAAQ;AAGZ,cAAI,QAAQ,KAAK;AACf,oBAAQ;AAAA,UACV,WAES,IAAI,YAAY,MAAM,YAAY;AACzC,oBAAQ;AAAA,UACV,WAES,KAAK,QAAQ,IAAI,UAAU,MAAM,KAAK;AAC7C,oBAAQ;AAAA,UACV,WAES,IAAI,YAAY,EAAE,WAAW,UAAU,GAAG;AACjD,oBAAQ;AAAA,UACV,WAES,IAAI,YAAY,EAAE,SAAS,UAAU,GAAG;AAC/C,oBAAQ;AAAA,UACV,WAES,OAAO,MAAM,KAAK,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,UAAU,CAAC,GAAG;AACvE,oBAAQ;AAAA,UACV,WAES,OAAO,YAAY,YAAY,EAAE,SAAS,UAAU,GAAG;AAC9D,oBAAQ;AAAA,UACV;AAEA,cAAI,QAAQ,GAAG;AACb,oBAAQ,KAAK,EAAE,QAAQ,MAAM,CAAC;AAAA,UAChC;AAAA,QACF;AAEA,eAAO,QAAQ,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK;AAAA,MACjD;AAAA,MAEA,OAAuB;AACrB,eAAO,CAAC,GAAG,KAAK,QAAQ,OAAO,CAAC;AAAA,MAClC;AAAA,IACF;AAMO,IAAM,eAAN,MAAmB;AAAA,MACxB,YAA6B,UAA8B;AAA9B;AAAA,MAA+B;AAAA;AAAA;AAAA;AAAA,MAK5D,QAAQ,UAA6C;AACnD,cAAM,SAA6B,CAAC;AAGpC,cAAM,aAAa,KAAK,SAAS,eAAe,SAAS,GAAG;AAC5D,YAAI,WAAW,WAAW,GAAG;AAC3B,iBAAO;AAAA,YACL,IAAI;AAAA,YACJ,QAAQ,CAAC;AAAA,cACP,MAAM;AAAA,cACN,SAAS,6BAA6B,SAAS,GAAG;AAAA,YACpD,CAAC;AAAA,UACH;AAAA,QACF;AAEA,cAAM,OAAO,WAAW,CAAC;AACzB,cAAM,SAAS,KAAK;AAGpB,cAAM,eAAoC,WACvC,MAAM,GAAG,CAAC,EACV,OAAO,CAAC,MAAM,EAAE,SAAS,GAAG,EAC5B,IAAI,CAAC,OAAO;AAAA,UACX,QAAQ,EAAE,OAAO;AAAA,UACjB,YAAY,EAAE;AAAA,UACd,QAAQ,EAAE,OAAO;AAAA,QACnB,EAAE;AAGJ,cAAM,cAAkC,CAAC;AACzC,cAAM,iBAA0C,CAAC;AACjD,cAAM,SAAS,EAAE,GAAG,SAAS,OAAO;AAEpC,mBAAW,eAAe,OAAO,QAAQ;AACvC,gBAAM,QAAQ,OAAO,YAAY,IAAI;AAGrC,cAAI,YAAY,YAAY,UAAU,QAAW;AAC/C,gBAAI,YAAY,YAAY,QAAW;AACrC,qBAAO,YAAY,IAAI,IAAI,YAAY;AACvC,0BAAY,KAAK;AAAA,gBACf,MAAM;AAAA,gBACN,OAAO,YAAY;AAAA,gBACnB,aAAa,gBAAgB,KAAK,UAAU,YAAY,OAAO,CAAC;AAAA,gBAChE,WAAW;AAAA,gBACX,OAAO,YAAY;AAAA,cACrB,CAAC;AAAA,YACH,OAAO;AACL,0BAAY,KAAK;AAAA,gBACf,MAAM;AAAA,gBACN,OAAO,YAAY;AAAA,gBACnB,aAAa,uBAAuB,YAAY,IAAI;AAAA,gBACpD,WAAW;AAAA,cACb,CAAC;AACD,6BAAe,KAAK;AAAA,gBAClB,IAAI,WAAW,YAAY,IAAI;AAAA,gBAC/B,UAAU,YAAY,eAAe,eAAe,YAAY,IAAI;AAAA,gBACpE,OAAO,YAAY;AAAA,gBACnB,SAAS,YAAY,MAAM,IAAI,MAAM;AAAA,gBACrC,UAAU;AAAA,cACZ,CAAC;AAAA,YACH;AACA;AAAA,UACF;AAEA,cAAI,UAAU,OAAW;AAGzB,gBAAM,YAAY,aAAa,OAAO,YAAY,IAAI;AACtD,sBAAY,KAAK;AAAA,YACf,MAAM;AAAA,YACN,OAAO,YAAY;AAAA,YACnB,aAAa,WAAW,YAAY,IAAI;AAAA,YACxC,WAAW;AAAA,YACX;AAAA,YACA,UAAU,YAAY;AAAA,UACxB,CAAC;AACD,cAAI,CAAC,WAAW;AACd,mBAAO,KAAK;AAAA,cACV,MAAM;AAAA,cACN,SAAS,cAAc,YAAY,IAAI,aAAa,YAAY,IAAI,SAAS,OAAO,KAAK;AAAA,cACzF,OAAO,YAAY;AAAA,YACrB,CAAC;AAAA,UACH;AAGA,cAAI,YAAY,QAAQ,UAAa,YAAY,QAAQ,QAAW;AAClE,kBAAM,SAAS,OAAO,UAAU,WAAW,QAAQ,OAAO,KAAK;AAC/D,kBAAM,WACH,YAAY,QAAQ,UAAa,UAAU,YAAY,SACvD,YAAY,QAAQ,UAAa,UAAU,YAAY;AAC1D,wBAAY,KAAK;AAAA,cACf,MAAM;AAAA,cACN,OAAO,YAAY;AAAA,cACnB,aAAa,mBAAmB,YAAY,OAAO,SAAI,QAAQ,YAAY,OAAO,QAAG;AAAA,cACrF,WAAW;AAAA,cACX,OAAO;AAAA,YACT,CAAC;AAAA,UACH;AAGA,cAAI,YAAY,SAAS;AACvB,kBAAM,UAAU,IAAI,OAAO,YAAY,OAAO,EAAE,KAAK,OAAO,KAAK,CAAC;AAClE,wBAAY,KAAK;AAAA,cACf,MAAM;AAAA,cACN,OAAO,YAAY;AAAA,cACnB,aAAa,cAAc,YAAY,OAAO;AAAA,cAC9C,WAAW;AAAA,cACX;AAAA,cACA,UAAU,YAAY;AAAA,YACxB,CAAC;AAAA,UACH;AAGA,cAAI,YAAY,MAAM;AACpB,kBAAM,SAAS,YAAY,KAAK;AAAA,cAC9B,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM,KAAK,UAAU,KAAK;AAAA,YACnD;AACA,wBAAY,KAAK;AAAA,cACf,MAAM;AAAA,cACN,OAAO,YAAY;AAAA,cACnB,aAAa,mBAAmB,YAAY,KAAK,KAAK,IAAI,CAAC;AAAA,cAC3D,WAAW;AAAA,cACX;AAAA,cACA,UAAU,YAAY;AAAA,YACxB,CAAC;AAAA,UACH;AAAA,QACF;AAGA,cAAM,OAAO,WAAW,QAAQ,UAAU,WAAW;AAGrD,cAAM,cAAc,YAAY,OAAO,CAAC,MAAM,CAAC,EAAE,SAAS;AAC1D,cAAM,qBAAqB,eAAe,SAAS;AACnD,YAAI,aAAa,KAAK;AACtB,YAAI,YAAY,SAAS,GAAG;AAC1B,wBAAc,IAAK,YAAY,SAAS,KAAK,IAAI,YAAY,QAAQ,CAAC,IAAK;AAAA,QAC7E;AACA,YAAI,OAAO,SAAS,GAAG;AACrB,wBAAc;AAAA,QAChB;AAEA,cAAM,WAA2B;AAAA,UAC/B,QAAQ,OAAO;AAAA,UACf,UAAU,SAAS;AAAA,UACnB,QAAQ,SAAS;AAAA,UACjB;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA,qBAAqB;AAAA,UACrB;AAAA,UACA,kBAAkB,OAAO;AAAA,UACzB,UAAU,OAAO,UAAU,CAAC;AAAA,UAC5B;AAAA,UACA,UAAU;AAAA,YACR,eAAe,OAAO;AAAA,YACtB,eAAe,SAAS;AAAA,YACxB,kBAAkB,OAAO;AAAA,YACzB,YAAY,OAAO;AAAA,UACrB;AAAA,QACF;AAEA,eAAO;AAAA,UACL,IAAI,OAAO,WAAW,KAAK,CAAC;AAAA,UAC5B;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,oBACE,UACA,SACmB;AACnB,cAAM,WAA2B;AAAA,UAC/B,KAAK,SAAS;AAAA,UACd,UAAU,SAAS;AAAA,UACnB,QAAQ,SAAS;AAAA,UACjB,QAAQ,EAAE,GAAG,SAAS,QAAQ,GAAG,QAAQ;AAAA,QAC3C;AACA,eAAO,KAAK,QAAQ,QAAQ;AAAA,MAC9B;AAAA,IACF;AAAA;AAAA;;;AC7SA,SAAqB,eAAAG,oBAAmB;AA0CjC,SAAS,eAAe,QAMpB;AACT,SAAO;AAAA,IACL,WAAWA,aAAY,EAAE,EAAE,SAAS,KAAK;AAAA,IACzC,OAAO;AAAA,IACP,gBAAgB,OAAO;AAAA,IACvB,QAAQ,OAAO;AAAA,IACf,UAAU,OAAO;AAAA,IACjB,MAAM,OAAO;AAAA,IACb,QAAQ,OAAO;AAAA,IACf,YAAY,KAAK,IAAI;AAAA,EACvB;AACF;AASA,SAAS,eACP,aACA,SACY;AAEZ,MAAI,QAAQ,WAAW,YAAY,QAAQ,WAAW,YAAY;AAChE,WAAO;AAAA,EACT;AAGA,MAAI,YAAY,aAAa,QAAQ;AACnC,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,QAAQ;AAClB,WAAO;AAAA,EACT;AAGA,SAAO;AACT;AAMO,SAAS,WACd,QACA,aACA,SACA,SACQ;AACR,SAAO;AAAA,IACL,WAAW,OAAO;AAAA,IAClB,MAAM,eAAe,aAAa,OAAO;AAAA,IACzC,QAAQ,OAAO,OAAO;AAAA,IACtB,UAAU,OAAO,OAAO;AAAA,IACxB,gBAAgB,OAAO;AAAA,IACvB;AAAA,IACA;AAAA,IACA;AAAA,IACA,WAAW,QAAQ;AAAA,IACnB,UAAU,QAAQ;AAAA,IAClB,aAAa,KAAK,IAAI;AAAA,EACxB;AACF;AAcA,eAAsB,kBACpB,QACA,QACA,aACA,aACA,iBAC+B;AAC/B,QAAM,MAAM,kBAAkB,MAAM;AACpC,MAAI,SAAS,OAAO,OAAO;AAC3B,MAAI,UAAU,OAAO,OAAO;AAG5B,SAAO,QAAQ;AACf,MAAI,QAA0B,WAAW,KAAK,eAAe;AAE7D,QAAM,aAAa;AAAA,IACjB,OAAO;AAAA,IACP,OAAO;AAAA,IACP;AAAA,IACA,OAAO;AAAA,EACT;AAEA,MAAI,CAAC,WAAW,OAAO;AACrB,aAAS,OAAO,QAAQ,WAAW,KAAK;AACxC,WAAO,WAAW,QAAQ,KAAK,aAAa,0BAA0B,WAAW,SAAS,wBAAwB;AAAA,EACpH;AAEA,WAAS,OAAO,IAAI;AAGpB,MAAI,OAAO,WAAW,OAAO,QAAQ,SAAS,GAAG;AAC/C,YAAQ,WAAW,KAAK,kBAAkB;AAE1C,UAAM,cAA2B;AAAA,MAC/B,QAAQ,OAAO,OAAO;AAAA,MACtB,SAAS,OAAO,OAAO;AAAA,MACvB,UAAU;AAAA,QACR,aAAa;AAAA,QACb,WAAW,OAAO;AAAA,QAClB,gBAAgB,OAAO;AAAA,QACvB,MAAM,OAAO;AAAA,QACb,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO,OAAO;AAAA,MACxB;AAAA,IACF;AAEA,eAAW,UAAU,OAAO,SAAS;AACnC,UAAI,OAAO,YAAY,CAAC,OAAO,SAAS,WAAW,EAAG;AAEtD,YAAM,KAAK,KAAK,IAAI;AACpB,UAAI;AACJ,UAAI;AACF,cAAM,cAAc,MAAM,OAAO,IAAI,WAAW;AAChD,mBAAW,wBAAwB,WAAW;AAAA,MAChD,SAAS,KAAK;AACZ,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,qBAAa,KAAK,OAAO,MAAM,OAAO,KAAK,KAAK,IAAI,IAAI,IAAI,CAAC,gBAAgB,GAAG,EAAE,CAAC;AACnF,iBAAS,OAAO,QAAQ,UAAU,OAAO,IAAI,WAAW,GAAG,EAAE;AAC7D,eAAO,WAAW,QAAQ,KAAK,aAAa,gBAAgB,UAAU,OAAO,IAAI,YAAY,GAAG,EAAE;AAAA,MACpG;AAEA,mBAAa,KAAK,OAAO,MAAM,SAAS,OAAO,SAAS,WAAW,KAAK,IAAI,IAAI,IAAI,SAAS,OAAO;AAEpG,UAAI,CAAC,SAAS,OAAO;AACnB,iBAAS,OAAO,QAAQ,UAAU,OAAO,IAAI,SAAS;AACtD,eAAO,WAAW,QAAQ,KAAK,aAAa,eAAe,SAAS,QAAQ,CAAC,KAAK,aAAa,OAAO,IAAI,EAAE;AAAA,MAC9G;AAAA,IACF;AAEA,aAAS,OAAO,IAAI;AAAA,EACtB;AAGA,SAAO,QAAQ;AACf,UAAQ,WAAW,KAAK,iBAAiB;AAEzC,QAAM,UAAU,OAAO,SAAS,IAAI,OAAO,OAAO,MAAM;AACxD,MAAI,CAAC,SAAS;AACZ,aAAS,OAAO,QAAQ,0BAA0B,OAAO,OAAO,MAAM,GAAG;AACzE,WAAO,WAAW,QAAQ,KAAK,aAAa,cAAc,qCAAqC,OAAO,OAAO,MAAM,GAAG;AAAA,EACxH;AAEA,QAAM,aAAmC;AAAA,IACvC,WAAW,OAAO;AAAA,IAClB,UAAU,OAAO,OAAO;AAAA,IACxB,aAAa,OAAO,SAAS;AAAA,IAC7B,MAAM,OAAO;AAAA,IACb,QAAQ,OAAO;AAAA,IACf,gBAAgB,OAAO;AAAA,EACzB;AAEA,MAAI;AACJ,MAAI;AACF,oBAAgB,MAAM,QAAQ,OAAO,QAAQ,UAAU;AAAA,EACzD,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,aAAS,OAAO,QAAQ,GAAG;AAC3B,WAAO,WAAW,QAAQ,KAAK,aAAa,iBAAiB,GAAG;AAAA,EAClE;AAEA,MAAI,CAAC,cAAc,IAAI;AACrB,aAAS,OAAO,QAAQ,cAAc,MAAM;AAC5C,QAAI,WAAW;AACf,QAAI,aAAa,cAAc;AAC/B,QAAI,aAAa,cAAc,eAAe;AAAA,EAChD,OAAO;AACL,aAAS,OAAO,IAAI;AACpB,QAAI,WAAW;AACf,QAAI,aAAa,cAAc;AAC/B,QAAI,aAAa,cAAc,eAAe;AAAA,EAChD;AAEA,MAAI,cAAc,MAAM;AACtB,QAAI,QAAQ,EAAE,GAAG,IAAI,OAAO,GAAG,cAAc,KAAK;AAAA,EACpD;AAGA,SAAO,QAAQ;AACf,sBAAoB,KAAK,IAAI,YAAY,QAAQ,IAAI,cAAc,KAAK,IAAI,UAAU;AACtF,SAAO,cAAc;AAErB,QAAM,UAAU,WAAW,KAAK,eAAe;AAC/C,SAAO,UAAU;AAGjB,SAAO,QAAQ;AACf,UAAQ,WAAW,KAAK,aAAa;AAErC,QAAM,UAAU;AAAA,IACd,OAAO;AAAA,IACP,IAAI,YAAY;AAAA,IAChB;AAAA,EACF;AACA,SAAO,UAAU;AAEjB,QAAM,iBAAiB;AAAA,IACrB;AAAA,IACA,OAAO,OAAO;AAAA,EAChB;AAEA,QAAM,SAAS,WAAW,QAAQ,KAAK,SAAS,OAAO;AACvD,SAAO,eAAe,KAAK,IAAI;AAE/B,WAAS,OAAO,IAAI;AAEpB,SAAO;AAAA,IACL,IAAI,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,cAAc;AAAA,EAChB;AACF;AAMA,SAAS,WACP,QACA,KACA,OACA,MACA,SACsB;AACtB,SAAO,QAAQ;AACf,SAAO,QAAQ,EAAE,OAAO,MAAM,QAAQ;AACtC,SAAO,eAAe,KAAK,IAAI;AAE/B,MAAI,WAAW,IAAI,YAAY;AAC/B,MAAI,aAAa,IAAI,cAAc;AACnC,sBAAoB,KAAK,IAAI,UAAU,IAAI,YAAY,IAAI,UAAU;AACrE,SAAO,cAAc;AAErB,QAAM,UAAU,WAAW,GAAG;AAC9B,SAAO,UAAU;AAEjB,SAAO;AAAA,IACL,IAAI;AAAA,IACJ;AAAA,EACF;AACF;AAnUA;AAAA;AAgBA;AAQA;AAEA;AAqBA;AAAA;AAAA;;;ACnCA,SAAS,cAAAC,aAAY,eAAAC,oBAAmB;AA6BjC,SAAS,SAAS,QAA8B;AACrD,QAAM,iBAAiB,OAAO,SAAS;AAEvC,SAAO;AAAA,IACL,SAAS,QAAQA,aAAY,EAAE,EAAE,SAAS,KAAK,CAAC;AAAA,IAChD,MAAM,OAAO;AAAA,IACb,QAAQ;AAAA,IACR,YAAY,CAAC;AAAA,IACb,WAAW,OAAO;AAAA,IAClB,YAAY,OAAO;AAAA,IACnB,cAAc;AAAA,IACd,YAAY,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB,YAAY,CAAC;AAAA,IACb,gBAAgB,OAAO;AAAA,IACvB,gBAAgB,OAAO,mBAAmB,OAAO,SAAS,eAAe;AAAA,IACzE,UAAU,OAAO;AAAA,IACjB,YAAY,KAAK,IAAI;AAAA,EACvB;AACF;AAUO,SAAS,gBACd,MACA,QACe;AACf,MAAI,KAAK,WAAW,QAAQ;AAC1B,WAAO,QAAQ,KAAK,OAAO,OAAO,KAAK,MAAM;AAAA,EAC/C;AAEA,MAAI,OAAO,cAAc,KAAK,WAAW;AACvC,WAAO,iBAAiB,OAAO,SAAS,+BAA+B,KAAK,SAAS;AAAA,EACvF;AAEA,MAAI,KAAK,WAAW,SAAS,OAAO,SAAS,GAAG;AAC9C,WAAO,UAAU,OAAO,SAAS;AAAA,EACnC;AAGA,MAAI,KAAK,SAAS,eAAe,KAAK,YAAY;AAChD,QAAI,OAAO,YAAY,aAAa,OAAO,YAAY,cAAc,KAAK,YAAY;AACpF,aAAO,kBAAkB,OAAO,YAAY,SAAS,gCAAgC,KAAK,UAAU;AAAA,IACtG;AAAA,EACF;AAEA,OAAK,WAAW,KAAK,OAAO,SAAS;AACrC,SAAO;AACT;AASO,SAAS,aACd,MACA,UACsB;AACtB,QAAM,SAAsB,CAAC;AAC7B,QAAM,YAAsB,CAAC;AAC7B,QAAM,YAAsB,CAAC;AAG7B,QAAM,YAAY,IAAI,IAAI,SAAS,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC;AAE/D,aAAW,OAAO,KAAK,YAAY;AACjC,UAAM,SAAS,UAAU,IAAI,GAAG;AAChC,QAAI,CAAC,QAAQ;AACX,gBAAU,KAAK,GAAG;AAClB,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,SAAS,UAAU,GAAG;AAAA,QACtB,WAAW;AAAA,MACb,CAAC;AACD;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,QAAQ;AAC1B,gBAAU,KAAK,GAAG;AAClB,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,SAAS,UAAU,GAAG;AAAA,QACtB,WAAW;AAAA,MACb,CAAC;AACD;AAAA,IACF;AAGA,QAAI,KAAK,SAAS,kBAAkB,OAAO,SAAS,QAAQ;AAC1D,gBAAU,KAAK,GAAG;AAClB,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN,SAAS,gDAAgD,OAAO,IAAI;AAAA,QACpE,WAAW;AAAA,MACb,CAAC;AACD;AAAA,IACF;AAEA,cAAU,KAAK,GAAG;AAAA,EACpB;AAGA,MAAI,KAAK,mBAAmB,UAAa,KAAK,WAAW,SAAS,KAAK,gBAAgB;AACrF,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,iBAAiB,KAAK,cAAc,kBAAkB,KAAK,WAAW,MAAM;AAAA,IACvF,CAAC;AAAA,EACH;AAGA,QAAM,YAAY,UAAU,WAAW;AACvC,QAAM,SAAS,KAAK,iBAChB,cAAc,KAAK,mBAAmB,UAAa,KAAK,WAAW,UAAU,KAAK,kBAClF,UAAU,SAAS,MAAM,KAAK,mBAAmB,UAAa,UAAU,UAAU,KAAK;AAE3F,SAAO;AAAA,IACL,OAAO,aAAa,OAAO,WAAW;AAAA,IACtC,mBAAmB;AAAA,IACnB,mBAAmB;AAAA,IACnB,SAAS;AAAA,IACT;AAAA,EACF;AACF;AAUO,SAAS,QACd,MACA,UACuC;AACvC,QAAM,aAAa,aAAa,MAAM,QAAQ;AAE9C,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO,EAAE,GAAG,YAAY,KAAK;AAAA,EAC/B;AAGA,QAAM,gBAAgB,WAAW,kBAC9B,IAAI,CAAC,QAAQ,SAAS,KAAK,CAAC,MAAM,EAAE,cAAc,GAAG,CAAE,EACvD,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ,EACtC,IAAI,CAAC,MAAM,EAAE,QAAQ,IAAI;AAE5B,QAAM,iBAAiB,cAAc,KAAK,GAAG;AAC7C,OAAK,eAAeD,YAAW,QAAQ,EACpC,OAAO,cAAc,EACrB,OAAO,KAAK;AAEf,OAAK,SAAS;AACd,OAAK,UAAU,KAAK,IAAI;AAExB,SAAO,EAAE,GAAG,YAAY,KAAK;AAC/B;AAYO,SAAS,UACd,MACA,SACiC;AACjC,MAAI,KAAK,WAAW,UAAU;AAC5B,WAAO,EAAE,IAAI,OAAO,OAAO,yBAAyB;AAAA,EACtD;AAEA,MAAI,KAAK,WAAW,QAAQ;AAE1B,SAAK,SAAS;AACd,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,eAAe,QAAQ;AAC5B,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AAGA,MAAI,KAAK,WAAW,QAAQ;AAE1B,QAAI,CAAC,QAAQ,QAAQ;AACnB,aAAO,EAAE,IAAI,OAAO,OAAO,yCAAyC;AAAA,IACtE;AAGA,SAAK,KAAK,gBAAgB,KAAK,SAAS,UAAU,CAAC,QAAQ,mBAAmB;AAC5E,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO,YAAY,KAAK,IAAI;AAAA,MAC9B;AAAA,IACF;AAEA,SAAK,SAAS;AACd,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,eAAe,QAAQ;AAC5B,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AAEA,SAAO,EAAE,IAAI,OAAO,OAAO,gCAAgC,KAAK,MAAM,IAAI;AAC5E;AAWO,SAAS,aACd,MACA,UACA,kBACiC;AACjC,MAAI,KAAK,WAAW,UAAU,KAAK,WAAW,QAAQ;AACpD,WAAO,EAAE,IAAI,OAAO,OAAO,oCAAoC,KAAK,MAAM,IAAI;AAAA,EAChF;AAEA,MAAI,kBAAkB;AACpB,QAAI,CAAC,KAAK,WAAW,SAAS,gBAAgB,GAAG;AAC/C,aAAO,EAAE,IAAI,OAAO,OAAO,mBAAmB,gBAAgB,4BAA4B;AAAA,IAC5F;AACA,SAAK,qBAAqB;AAAA,EAC5B;AAEA,OAAK,WAAW,KAAK,QAAQ;AAC7B,OAAK,SAAS;AACd,SAAO,EAAE,IAAI,KAAK;AACpB;AAOO,SAAS,WAAW,MAAqB;AAC9C,SAAO,KAAK,WAAW;AACzB;AAGO,SAAS,kBAAkB,MAAqB;AACrD,SAAO,KAAK,gBAAgB,KAAK,WAAW;AAC9C;AAGO,SAAS,mBACd,UACA,OACQ;AACR,SAAO,MAAM,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS,QAAQ,CAAC;AAC5D;AAGO,SAAS,qBAAqB,OAAuB;AAC1D,SAAO,MAAM,OAAO,CAAC,MAAM,EAAE,gBAAgB,EAAE,WAAW,MAAM;AAClE;AAGO,SAAS,kBAAkB,OAAuB;AACvD,SAAO,MAAM,OAAO,CAAC,MAAM,EAAE,SAAS,cAAc,EAAE,WAAW,QAAQ;AAC3E;AAhUA;AAAA;AAAA;AAAA;;;ACeA,SAAS,cAAAE,aAAY,eAAAC,qBAAmB;AAkBjC,SAAS,eAAuB;AACrC,SAAO;AAAA,IACL,WAAW,OAAOA,cAAY,EAAE,EAAE,SAAS,KAAK,CAAC;AAAA,IACjD,YAAY,UAAU,oBAAI,IAAI,CAAC;AAAA,IAC/B,OAAO,oBAAI,IAAI;AAAA,IACf,YAAY,CAAC;AAAA,IACb,cAAc;AAAA,IACd,YAAY;AAAA,IACZ,aAAa,KAAK,IAAI;AAAA,IACtB,SAAS;AAAA,EACX;AACF;AAUO,SAAS,YACd,QACA,QACA,QACM;AAEN,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,SAAS,GAAG;AAC3D,QAAI,UAAU,MAAM;AAElB,aAAO,MAAM,OAAO,GAAG;AAAA,IACzB,OAAO;AACL,YAAM,WAAW,OAAO,MAAM,IAAI,GAAG;AAGrC,UAAI,UAAU,QAAQ;AACpB;AAAA,MACF;AAEA,aAAO,MAAM,IAAI,KAAK;AAAA,QACpB;AAAA,QACA;AAAA,QACA,gBAAgB,OAAO;AAAA,QACvB,UAAU,OAAO;AAAA,QACjB,cAAc,UAAU,eAAe,KAAK;AAAA,QAC5C,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAAA,EACF;AAGA,MAAI,CAAC,OAAO,WAAW,SAAS,OAAO,SAAS,GAAG;AACjD,WAAO,WAAW,KAAK,OAAO,SAAS;AAAA,EACzC;AAEA,SAAO;AACP,SAAO;AACP,SAAO,mBAAmB,OAAO,kBAAkB,OAAO;AAC1D,SAAO,cAAc,KAAK,IAAI;AAC9B,SAAO,aAAa,UAAU,OAAO,KAAK;AAC5C;AAWO,SAAS,MACd,UACA,UACA,OACQ;AACR,QAAM,SAAS,aAAa;AAG5B,QAAM,SAAS,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ;AAEnE,aAAW,UAAU,QAAQ;AAE3B,QAAI,OAAO,SAAS,OAAQ;AAE5B,UAAM,SAAS,SAAS,MAAM;AAC9B,gBAAY,QAAQ,QAAQ,MAAM;AAAA,EACpC;AAGA,MAAI,OAAO;AACT,eAAW,QAAQ,OAAO;AACxB,UAAI,KAAK,gBAAgB,KAAK,WAAW,QAAQ;AAC/C,wBAAgB,QAAQ,MAAM,UAAU,QAAQ;AAChD,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAMO,SAAS,UACd,UACA,UACA,WACA,OACQ;AACR,QAAM,WAAW,SAAS,OAAO,CAAC,MAAM,UAAU,EAAE,cAAc,CAAC;AACnE,SAAO,MAAM,UAAU,UAAU,KAAK;AACxC;AAUA,SAAS,gBACP,QACA,MACA,UACA,UACM;AACN,QAAM,gBAAgB,IAAI,IAAI,KAAK,UAAU;AAC7C,QAAM,eAAe,SAAS,OAAO,CAAC,MAAM,cAAc,IAAI,EAAE,SAAS,CAAC;AAE1E,aAAW,UAAU,cAAc;AACjC,UAAM,SAAS,SAAS,MAAM;AAC9B,eAAW,OAAO,OAAO,KAAK,OAAO,SAAS,GAAG;AAC/C,YAAM,OAAO,OAAO,MAAM,IAAI,GAAG;AACjC,UAAI,MAAM;AACR,aAAK,SAAS;AACd,aAAK,iBAAiB,KAAK;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AACF;AAGO,SAAS,UACd,QACA,MACA,QACM;AACN,aAAW,OAAO,MAAM;AACtB,UAAM,OAAO,OAAO,MAAM,IAAI,GAAG;AACjC,QAAI,MAAM;AACR,WAAK,SAAS;AACd,WAAK,iBAAiB;AAAA,IACxB;AAAA,EACF;AACF;AAOO,SAAS,YACd,QACA,OACc;AACd,MAAI,UAAU,CAAC,GAAG,OAAO,MAAM,OAAO,CAAC;AAEvC,MAAI,MAAM,MAAM;AACd,UAAM,SAAS,IAAI,IAAI,MAAM,IAAI;AACjC,cAAU,QAAQ,OAAO,CAAC,MAAM,OAAO,IAAI,EAAE,GAAG,CAAC;AAAA,EACnD;AAEA,MAAI,MAAM,QAAQ;AAChB,UAAM,SAAS,MAAM;AACrB,cAAU,QAAQ,OAAO,CAAC,MAAM,EAAE,IAAI,WAAW,MAAM,CAAC;AAAA,EAC1D;AAEA,MAAI,MAAM,aAAa;AACrB,cAAU,QAAQ,OAAO,CAAC,MAAM,EAAE,MAAM;AAAA,EAC1C;AAEA,SAAO;AACT;AAGO,SAAS,eACd,QACA,KACqB;AACrB,SAAO,OAAO,MAAM,IAAI,GAAG,GAAG;AAChC;AAOO,SAAS,YAAY,GAAW,GAAuB;AAC5D,QAAM,UAA6B,CAAC;AACpC,MAAI,QAAQ;AACZ,MAAI,WAAW;AACf,MAAI,UAAU;AAGd,aAAW,CAAC,KAAK,KAAK,KAAK,EAAE,OAAO;AAClC,UAAM,QAAQ,EAAE,MAAM,IAAI,GAAG;AAC7B,QAAI,CAAC,OAAO;AACV,cAAQ,KAAK;AAAA,QACX;AAAA,QACA,MAAM;AAAA,QACN,OAAO,MAAM;AAAA,QACb,kBAAkB,MAAM;AAAA,MAC1B,CAAC;AACD;AAAA,IACF,WAAW,KAAK,UAAU,MAAM,KAAK,MAAM,KAAK,UAAU,MAAM,KAAK,GAAG;AACtE,cAAQ,KAAK;AAAA,QACX;AAAA,QACA,MAAM;AAAA,QACN,QAAQ,MAAM;AAAA,QACd,OAAO,MAAM;AAAA,QACb,kBAAkB,MAAM;AAAA,MAC1B,CAAC;AACD;AAAA,IACF;AAAA,EACF;AAGA,aAAW,CAAC,KAAK,KAAK,KAAK,EAAE,OAAO;AAClC,QAAI,CAAC,EAAE,MAAM,IAAI,GAAG,GAAG;AACrB,cAAQ,KAAK;AAAA,QACX;AAAA,QACA,MAAM;AAAA,QACN,QAAQ,MAAM;AAAA,MAChB,CAAC;AACD;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,gBAAgB,EAAE;AAAA,IAClB,cAAc,EAAE;AAAA,IAChB;AAAA,IACA,aAAa;AAAA,IACb,gBAAgB;AAAA,IAChB,eAAe;AAAA,EACjB;AACF;AAMA,SAAS,UAAU,OAAwC;AACzD,QAAM,OAAO,CAAC,GAAG,MAAM,KAAK,CAAC,EAAE,KAAK;AACpC,QAAM,UAAU,KACb,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,UAAU,MAAM,IAAI,CAAC,EAAG,KAAK,CAAC,EAAE,EACxD,KAAK,IAAI;AACZ,SAAOD,YAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AAC1D;AAvSA;AAAA;AAAA;AAAA;;;ACWA,SAAS,eAAAE,qBAAmB;AAiDrB,SAAS,uBACd,UACA,YACA,gBACW;AACX,MAAI,SAAS,SAAS,cAAc,aAAa,EAAG,QAAO,CAAC;AAE5D,QAAM,SAAS,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ;AACnE,QAAM,iBAAiB,oBAAI,IAAuD;AAGlF,WAAS,IAAI,GAAG,KAAK,OAAO,SAAS,YAAY,KAAK;AACpD,UAAM,SAAS,OAAO,MAAM,GAAG,IAAI,UAAU;AAC7C,UAAM,MAAM,OAAO,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,QAAG;AAChD,UAAM,MAAM,OAAO,IAAI,CAAC,MAAM,EAAE,SAAS;AAEzC,UAAM,WAAW,eAAe,IAAI,GAAG;AACvC,QAAI,UAAU;AACZ,eAAS;AACT,eAAS,WAAW,KAAK,GAAG;AAAA,IAC9B,OAAO;AACL,qBAAe,IAAI,KAAK,EAAE,OAAO,GAAG,YAAY,CAAC,GAAG,EAAE,CAAC;AAAA,IACzD;AAAA,EACF;AAGA,QAAM,WAAsB,CAAC;AAC7B,QAAM,MAAM,KAAK,IAAI;AAErB,aAAW,CAAC,KAAK,IAAI,KAAK,gBAAgB;AACxC,QAAI,KAAK,QAAQ,eAAgB;AAEjC,UAAM,UAAU,IAAI,MAAM,QAAG;AAC7B,UAAM,aAAa,KAAK,IAAI,KAAK,SAAS,iBAAiB,IAAI,CAAG;AAElE,aAAS,KAAK;AAAA,MACZ,YAAY,WAAWA,cAAY,CAAC,EAAE,SAAS,KAAK,CAAC;AAAA,MACrD,MAAM;AAAA,MACN,MAAM,aAAa,QAAQ,KAAK,UAAK,CAAC;AAAA,MACtC,WAAW;AAAA,QACT,iBAAiB;AAAA,QACjB,YAAY;AAAA,QACZ,YAAY;AAAA,MACd;AAAA,MACA;AAAA,MACA,kBAAkB,KAAK;AAAA,MACvB,eAAe;AAAA,MACf,cAAc;AAAA,MACd,iBAAiB,CAAC,GAAG,IAAI;AAAA,QACvB,KAAK,WAAW;AAAA,UAAQ,CAAC,QACvB,IAAI,IAAI,CAAC,OAAO,OAAO,KAAK,CAAC,MAAM,EAAE,cAAc,EAAE,GAAG,SAAS,EAAE,OAAO,OAAO;AAAA,QACnF;AAAA,MACF,CAAC;AAAA,MACD,gBAAgB;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AASO,SAAS,mBACd,OACA,gBACW;AACX,QAAM,SAAS,oBAAI,IAAoB;AAEvC,aAAW,QAAQ,OAAO;AACxB,QAAI,KAAK,WAAW,OAAQ;AAC5B,UAAM,MAAM,GAAG,KAAK,IAAI,IAAI,KAAK,WAAW,MAAM;AAClD,UAAM,QAAQ,OAAO,IAAI,GAAG,KAAK,CAAC;AAClC,UAAM,KAAK,IAAI;AACf,WAAO,IAAI,KAAK,KAAK;AAAA,EACvB;AAEA,QAAM,WAAsB,CAAC;AAC7B,QAAM,MAAM,KAAK,IAAI;AAErB,aAAW,CAAC,KAAK,KAAK,KAAK,QAAQ;AACjC,QAAI,MAAM,SAAS,eAAgB;AAEnC,UAAM,CAAC,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;AACrC,UAAM,OAAO,SAAS,SAAS,EAAE;AACjC,UAAM,aAAa,KAAK,IAAI,MAAM,UAAU,iBAAiB,IAAI,CAAG;AAEpE,aAAS,KAAK;AAAA,MACZ,YAAY,YAAYA,cAAY,CAAC,EAAE,SAAS,KAAK,CAAC;AAAA,MACtD,MAAM;AAAA,MACN,MAAM,SAAS,IAAI,KAAK,IAAI;AAAA,MAC5B,WAAW;AAAA,QACT,WAAW;AAAA,QACX,WAAW;AAAA,MACb;AAAA,MACA;AAAA,MACA,kBAAkB,MAAM;AAAA,MACxB,eAAe;AAAA,MACf,cAAc;AAAA,MACd,iBAAiB,CAAC,GAAG,IAAI,IAAI,MAAM,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AAAA,MAC3D,gBAAgB;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAUO,SAAS,cACd,UACA,UACgB;AAChB,QAAM,SAAS,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ;AACnE,QAAM,UAA0B,CAAC;AACjC,QAAM,MAAM,KAAK,IAAI;AAErB,aAAW,WAAW,UAAU;AAC9B,QAAI,QAAQ,SAAS,cAAc,QAAQ,UAAU,iBAAiB;AACpE,YAAM,MAAM,QAAQ,UAAU;AAC9B,YAAM,SAAS,IAAI;AAGnB,eAAS,IAAI,GAAG,KAAK,OAAO,SAAS,QAAQ,KAAK;AAChD,cAAM,SAAS,OAAO,MAAM,GAAG,IAAI,MAAM;AACzC,cAAM,gBAAgB,OAAO,IAAI,CAAC,MAAM,EAAE,MAAM;AAEhD,YAAI,cAAc,MAAM,CAAC,QAAQ,QAAQ,WAAW,IAAI,GAAG,CAAC,GAAG;AAC7D,kBAAQ,KAAK;AAAA,YACX,YAAY,QAAQ;AAAA,YACpB,oBAAoB,OAAO,IAAI,CAAC,MAAM,EAAE,SAAS;AAAA,YACjD,aAAa;AAAA,YACb,WAAW,OAAO,CAAC,EAAE;AAAA,YACrB,aAAa;AAAA,UACf,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAUO,SAAS,iBACd,SACA,UACM;AACN,UAAQ;AACR,UAAQ,eAAe,KAAK,IAAI;AAGhC,UAAQ,aAAa,IAAI,KAAK,IAAI,QAAQ,mBAAmB;AAE7D,MAAI,CAAC,QAAQ,gBAAgB,SAAS,QAAQ,GAAG;AAC/C,YAAQ,gBAAgB,KAAK,QAAQ;AAAA,EACvC;AACF;AAUO,SAAS,gBACd,gBACA,eACA,YAAoB,KACT;AACX,QAAM,YAAuB,CAAC;AAC9B,QAAM,SAAS,CAAC,GAAG,cAAc,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,WAAW,EAAE,QAAQ;AACzE,QAAM,MAAM,KAAK,IAAI;AAErB,aAAW,WAAW,eAAe;AACnC,QAAI,QAAQ,SAAS,cAAc,CAAC,QAAQ,UAAU,gBAAiB;AACvE,QAAI,QAAQ,aAAa,UAAW;AAEpC,UAAM,MAAM,QAAQ,UAAU;AAE9B,QAAI,OAAO,UAAU,KAAK,OAAO,SAAS,IAAI,QAAQ;AACpD,YAAM,eAAe,OAAO;AAAA,QAC1B,CAAC,GAAG,MAAM,IAAI,IAAI,UAAU,EAAE,WAAW,IAAI,CAAC;AAAA,MAChD;AAEA,UAAI,cAAc;AAEhB,cAAM,eAAe,IAAI,OAAO,MAAM;AACtC,cAAM,aAAa,OAAO,OAAO,SAAS,CAAC;AAG3C,YAAI,QAAQ,oBAAoB,GAAG;AACjC,oBAAU,KAAK;AAAA,YACb,YAAY,YAAYA,cAAY,CAAC,EAAE,SAAS,KAAK,CAAC;AAAA,YACtD,MAAM;AAAA,YACN,MAAM,eAAe,QAAQ,IAAI;AAAA,YACjC,aAAa,aAAa,YAAY,YAAY,WAAW,MAAM,uBAAuB,QAAQ,IAAI;AAAA,YACtG,WAAW,QAAQ;AAAA,YACnB,YAAY,QAAQ,aAAa;AAAA,YACjC,kBAAkB;AAAA,YAClB,eAAe;AAAA,YACf,cAAc;AAAA,YACd,iBAAiB,CAAC,WAAW,SAAS;AAAA,YACtC,gBAAgB;AAAA,UAClB,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAlSA,IA0Ba;AA1Bb;AAAA;AA0BO,IAAM,uBAAN,MAAmD;AAAA,MAAnD;AACL,aAAQ,WAAW,oBAAI,IAAqB;AAAA;AAAA,MAE5C,KAAK,SAAwB;AAC3B,aAAK,SAAS,IAAI,QAAQ,YAAY,OAAO;AAAA,MAC/C;AAAA,MAEA,IAAI,WAAwC;AAC1C,eAAO,KAAK,SAAS,IAAI,SAAS;AAAA,MACpC;AAAA,MAEA,WAAW,MAA8B;AACvC,eAAO,CAAC,GAAG,KAAK,SAAS,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,IAAI;AAAA,MAClE;AAAA,MAEA,aAAa,QAA2B;AACtC,eAAO,CAAC,GAAG,KAAK,SAAS,OAAO,CAAC,EAAE;AAAA,UACjC,CAAC,MAAM,EAAE,UAAU,iBAAiB,SAAS,MAAM;AAAA,QACrD;AAAA,MACF;AAAA,MAEA,MAAiB;AACf,eAAO,CAAC,GAAG,KAAK,SAAS,OAAO,CAAC;AAAA,MACnC;AAAA,IACF;AAAA;AAAA;;;;;;;;;;;;;;;;;AClDA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAuBA,QAAM,eAAe;AAMrB,aAAS,eAAe,KAAW;AACjC,UAAI,CAAC,IAAI,WAAW,GAAG;AAAG,eAAO;AACjC,YAAM,MAAM,OAAO,IAAI,MAAM,CAAC,CAAC;AAC/B,UAAI,CAAC,OAAO,SAAS,GAAG;AAAG,eAAO;AAElC,aAAO,eAAe;IACxB;AAiBO,QAAMC,aAAN,MAAM,UAAS;MAOpB,YAAY,UAA4B,CAAA,GAAE;AANjC,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,SAAS;AAM7B,aAAK,aAAa,QAAQ,cAAc;AACxC,aAAK,WAAW,QAAQ,YAAY;MACtC;MAEA,SAAS,OAAkB;AAEzB,cAAM,MACJ,MAAM,UAAU,kBAChB,MAAM,UAAU,OAChB,MAAM,QAAQ;AAChB,eAAO,OAAO,QAAQ,YAAY,IAAI,SAAS;MACjD;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,MACJ,MAAM,UAAU,kBAChB,MAAM,UAAU,OAChB,MAAM,QAAQ;AAGhB,cAAM,WAAW,KAAK,SAAS,GAAG;AAElC,YAAI,aAAa,MAAM;AACrB,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS,CAAC,mBAAmB,GAAG,2BAA2B;YAC3D,MAAM;;QAEV;AAGA,cAAM,MAAM,KAAK,IAAG;AACpB,cAAM,QAAQ,KAAK,IAAI,MAAM,QAAQ;AAErC,YAAI,QAAQ,KAAK,YAAY;AAC3B,gBAAM,YAAY,WAAW,MAAM,WAAW;AAC9C,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS;cACP,aAAa,KAAK,kBAAkB,KAAK,UAAU,OAAO,SAAS;;YAErE,MAAM;YACN,MAAM,EAAE,YAAY,OAAO,cAAc,UAAS;;QAEtD;AAEA,eAAO;UACL,OAAO;UACP,WAAW;UACX,SAAS,CAAA;UACT,MAAM;YACJ,aAAa;YACb,YAAY;;;MAGlB;;AAjEW,YAAA,YAAAA;wBAAAA,aAAS,WAAA;OAFrB,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;;OACEA,UAAS;;;;;;;;;;;;;;;;;;;ACvDtB,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAEA,QAAA,SAAA;AAoCA,QAAM,kBAA0D;MAC9D,KAAK;MACL,QAAQ;MACR,MAAM;MACN,UAAU;;AAeL,QAAMC,kBAAN,MAAM,eAAc;MAQzB,YAAY,SAA8B;AAPjC,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;AAO/B,aAAK,aAAa,QAAQ;AAC1B,aAAK,gBAAgB,QAAQ,iBAAiB;AAC9C,aAAK,gBAAgB,QAAQ,iBAAiB;MAChD;MAEA,MAAM,IAAI,OAAkB;AAE1B,cAAM,UAAU,MAAM,QAAQ,IAC5B,KAAK,WAAW,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAEtC,cAAM,UAAwB,QAAQ,KAAI;AAG1C,YAAI,cAAc;AAClB,YAAI,cAAc;AAClB,mBAAW,UAAU,SAAS;AAC5B,gBAAM,IAAI,gBAAgB,OAAO,QAAQ;AACzC,yBAAe;AACf,yBAAe;QACjB;AACA,cAAM,iBACJ,cAAc,IAAI,KAAK,IAAI,KAAK,KAAK,MAAM,cAAc,WAAW,CAAC,IAAI;AAG3E,cAAM,aAAa,KAAK,SAAS,gBAAgB,OAAO;AAGxD,cAAM,WAAW;UACf,GAAI,MAAM,YAAY,CAAA;UACtB,gBAAgB;;AAGlB,YAAI,WAAW,aAAa,OAAA,aAAa,MAAM;AAC7C,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS,QAAQ,IAAI,CAAC,MAAM,EAAE,OAAO;YACrC,MAAM;YACN,MAAM,EAAE,cAAc,WAAW,UAAU,aAAa,QAAQ,OAAM;;QAE1E;AAEA,YAAI,WAAW,aAAa,OAAA,aAAa,UAAU;AACjD,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS,QAAQ,IAAI,CAAC,MAAM,EAAE,OAAO;YACrC,MAAM;YACN,cAAc,WAAW;YACzB,MAAM,EAAE,cAAc,WAAW,UAAU,aAAa,QAAQ,OAAM;;QAE1E;AAGA,eAAO;UACL,OAAO;UACP,WAAW;UACX,SAAS,QACN,OAAO,CAAC,MAAM,EAAE,aAAa,YAAY,EAAE,aAAa,MAAM,EAC9D,IAAI,CAAC,MAAM,EAAE,OAAO;UACvB,MAAM;YACJ,cAAc,WAAW;YACzB,aAAa,QAAQ;;;MAG3B;MAEQ,SACN,OACA,SAAqB;AAGrB,cAAM,cAAc,QAAQ,KAAK,CAAC,MAAM,EAAE,aAAa,UAAU;AACjE,YAAI,aAAa;AACf,iBAAO;YACL,UAAU,OAAA,aAAa;YACvB,QAAQ;YACR,YAAY;YACZ;;QAEJ;AAEA,YAAI,SAAS,KAAK,eAAe;AAC/B,iBAAO;YACL,UAAU,OAAA,aAAa;YACvB,QAAQ,wBAAwB,KAAK,2BAA2B,KAAK,aAAa;YAClF,YAAY,QAAQ;YACpB;;QAEJ;AAEA,YAAI,SAAS,KAAK,eAAe;AAC/B,iBAAO;YACL,UAAU,OAAA,aAAa;YACvB,QAAQ,wBAAwB,KAAK,2BAA2B,KAAK,aAAa;YAClF,YAAY,QAAQ;YACpB;;QAEJ;AAEA,eAAO;UACL,UAAU,OAAA,aAAa;UACvB,YAAY,IAAI,QAAQ;UACxB;;MAEJ;;AAlHW,YAAA,iBAAAA;6BAAAA,kBAAc,WAAA;OAF1B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;;OACEA,eAAc;;;;;;;;;;;;;;;;;;;AC5D3B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAqEO,QAAMC,kBAAN,MAAM,eAAc;MAQzB,YAAY,UAAiC,CAAA,GAAE;AAPtC,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;AAO/B,aAAK,WAAW,QAAQ;AACxB,aAAK,cAAc,QAAQ,eAAe;AAC1C,aAAK,cAAc,QAAQ,aAAa,SACpC,IAAI,IAAI,QAAQ,WAAW,IAC3B;MACN;MAEA,SAAS,OAAkB;AAEzB,eAAO,CAAC,EACN,MAAM,UAAU,WAChB,MAAM,UAAU,mBAChB,MAAM,UAAU,aAAa;MAEjC;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,UACJ,MAAM,UAAU,WAChB,MAAM,UAAU,mBAChB,MAAM,UAAU,aAAa;AAE/B,YAAI,CAAC,SAAS;AACZ,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS,CAAC,4BAA4B;YACtC,MAAM;;QAEV;AAGA,YAAI,CAAC,QAAQ,cAAc,OAAO,QAAQ,eAAe,UAAU;AACjE,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS,CAAC,0CAA0C;YACpD,MAAM;;QAEV;AAGA,cAAM,SAAS,QAAQ,cAAc;AACrC,YAAI,UAAU,WAAW,YAAY;AACnC,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS;cACP,+BAA+B,MAAM,IAAI,QAAQ,cAAc,SAAS,KAAK,QAAQ,aAAa,MAAM,KAAK,EAAE;;YAEjH,MAAM,mBAAmB,OAAO,YAAW,CAAE;;QAEjD;AAGA,YAAI,KAAK,eAAe,QAAQ,cAAc;AAC5C,cAAI,CAAC,KAAK,YAAY,IAAI,QAAQ,YAAY,GAAG;AAC/C,mBAAO;cACL,OAAO;cACP,WAAW;cACX,SAAS;gBACP,0BAA0B,QAAQ,YAAY;;cAEhD,MAAM;;UAEV;QACF;AAGA,YAAI,KAAK,eAAe,MAAM,UAAU,QAAQ,QAAQ;AACtD,cAAI,QAAQ,WAAW,MAAM,QAAQ;AACnC,mBAAO;cACL,OAAO;cACP,WAAW;cACX,SAAS;gBACP,4BAA4B,QAAQ,MAAM,iCAAiC,MAAM,MAAM;;cAEzF,MAAM;;UAEV;QACF;AAGA,YAAI,KAAK,UAAU;AACjB,gBAAM,QAAQ,MAAM,KAAK,SAAS,SAAS,KAAK;AAChD,cAAI,OAAO;AACT,mBAAO;cACL,OAAO;cACP,WAAW;cACX,SAAS,CAAC,iCAAiC,KAAK,EAAE;cAClD,MAAM;;UAEV;QACF;AAEA,eAAO;UACL,OAAO;UACP,WAAW;UACX,SAAS,CAAA;UACT,MAAM;YACJ,mBAAmB,QAAQ;YAC3B,cAAc,QAAQ;YACtB,mBAAmB,QAAQ;;;MAGjC;;AAlHW,YAAA,iBAAAA;6BAAAA,kBAAc,WAAA;OAF1B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;;OACEA,eAAc;;;;;ACxE3B,IAgBM,iBAcO;AA9Bb;AAAA;AAaA;AACA;AAEA,IAAM,kBAAgD;AAAA,MACpD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEO,IAAM,8BAAN,MAAwD;AAAA,MAAxD;AACL,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA;AAAA,MAEjB,SAAS,OAA6B;AAEpC,eACE,MAAM,UAAU,QAAQ,QACxB,MAAM,UAAU,gBAAgB;AAAA,MAEpC;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,gBAAgB;AAAA,YACpC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,mBAAW,SAAS,iBAAiB;AACnC,cAAI,SAAS,KAAK,MAAM,UAAa,SAAS,KAAK,MAAM,MAAM;AAC7D,mBAAO;AAAA,cACL,OAAO;AAAA,cACP,WAAW;AAAA,cACX,SAAS,CAAC,GAAG,UAAU,gBAAgB,aAAa,KAAK,EAAE;AAAA,cAC3D,MAAM,UAAU;AAAA,YAClB;AAAA,UACF;AAAA,QACF;AAGA,YAAI,SAAS,QAAQ,sBAAsB;AACzC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,mBAAmB,KAAK,SAAS,GAAG,EAAE;AAAA,YAC7D,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,CAAC,eAAe,KAAK,SAAS,aAAa,GAAG;AAChD,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,gBAAgB;AAAA,YAC/B;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,YAAI,SAAS,cAAc,WAAW,kBAAkB,GAAG;AACzD,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,gBAAgB,8BAA8B;AAAA,YACrE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,UAAU,SAAS;AACzB,YACE,CAAC,QAAQ,cACT,CAAC,QAAQ,OACT,CAAC,QAAQ,OACT,CAAC,QAAQ,OACT,CAAC,QAAQ,UACT,CAAC,QAAQ,OACT,CAAC,QAAQ,YACT;AACA,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,eAAe,6BAA6B;AAAA,YACnE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,CAAC,SAAS,cAAc,cAAc,CAAC,SAAS,cAAc,KAAK;AACrE,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,qBAAqB;AAAA,YACpC;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,mBAAmB;AAElC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;ACjCA,SAASC,cAAa,KAAsB;AAC1C,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,MAAM,IAAI,IAAIA,aAAY,EAAE,KAAK,GAAG,IAAI;AAAA,EACjD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAS,OAAO,KAAK,GAAa,EACrC,KAAK,EACL;AAAA,MACC,CAAC,MACC,KAAK,UAAU,CAAC,IAChB,MACAA,cAAc,IAAgC,CAAC,CAAC;AAAA,IACpD;AACF,WAAO,MAAM,OAAO,KAAK,GAAG,IAAI;AAAA,EAClC;AACA,SAAO,KAAK,UAAU,GAAG;AAC3B;AA7HA,IAiCa;AAjCb;AAAA;AAWA;AACA;AAqBO,IAAM,2BAAN,MAAqD;AAAA,MAK1D,YACmB,aACA,mBACjB;AAFiB;AACA;AANnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAKd;AAAA,MAEH,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,qBAAqB;AAAA,MAC9C;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,WAAW,MAAM,UAAU;AACjC,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,gBAAgB;AAAA,YACpC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,YAAY,MAAM,KAAK,YAAY,QAAQ,SAAS,UAAU;AACpE,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,oBAAoB,SAAS,SAAS,UAAU;AAAA,YAC/D;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAIA,cAAM,EAAE,YAAY,GAAG,SAAS,IAAI;AACpC,cAAM,YAAYA,cAAa,QAAQ;AACvC,cAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAElD,cAAM,QAAQ,MAAM,KAAK,kBAAkB;AAAA,UACzC;AAAA,UACA,WAAW;AAAA,UACX,UAAU;AAAA,UACV,UAAU;AAAA,QACZ;AAEA,YAAI,CAAC,OAAO;AACV,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,kBAAkB;AAAA,YACtC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,eAAe;AAC9B,cAAM,SAAS,uBAAuB;AAEtC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,EAAE,KAAK,SAAS,WAAW;AAAA,QACnC;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC2CA,SAAS,cAAc;AACvB,SAAS,cAAAC,mBAAkB;AAE3B,SAASC,cAAa,KAAsB;AAC1C,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,MAAM,IAAI,IAAIA,aAAY,EAAE,KAAK,GAAG,IAAI;AAAA,EACjD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAS,OAAO,KAAK,GAAa,EACrC,KAAK,EACL;AAAA,MACC,CAAC,MACC,KAAK,UAAU,CAAC,IAChB,MACAA,cAAc,IAAgC,CAAC,CAAC;AAAA,IACpD;AACF,WAAO,MAAM,OAAO,KAAK,GAAG,IAAI;AAAA,EAClC;AACA,SAAO,KAAK,UAAU,GAAG;AAC3B;AAEA,SAAS,oBAAoB,QAAyC;AACpE,QAAM,YAAYA,cAAa,MAAM;AACrC,QAAM,OAAO,OAAO,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AACvD,SAAO,YAAYD,YAAW,IAAI,EAAE,MAAM,GAAG,EAAE;AACjD;AA9KA,IA+Ba;AA/Bb;AAAA;AAUA;AACA;AAoBO,IAAM,+BAAN,MAAyD;AAAA,MAK9D,YACmB,mBACA,iBACjB;AAFiB;AACA;AANnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAKd;AAAA,MAEH,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,qBAAqB;AAAA,MAC9C;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU,aAAa;AAI7C,YAAI,CAAC,SAAS;AACZ,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,QAAQ,sBAAsB;AACxC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,mBAAmB,mBAAmB,QAAQ,GAAG;AAAA,YAChE;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,EAAE,YAAY,YAAY,GAAG,WAAW,IAAI;AAClD,cAAM,aAAa,oBAAoB,UAAU;AACjD,YAAI,eAAe,YAAY;AAC7B,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,mBAAmB,yBAAyB;AAAA,YACnE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,YAAY,MAAM,KAAK,kBAAkB;AAAA,UAC7C,QAAQ,WAAW;AAAA,QACrB;AACA,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,mBAAmB,wBAAwB;AAAA,YAClE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,EAAE,YAAY,KAAK,GAAG,KAAK,IAAI;AACrC,cAAM,WAAW,MAAM,KAAK,gBAAgB;AAAA,UAC1C;AAAA,UACA;AAAA,UACA,UAAU;AAAA,QACZ;AACA,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,mBAAmB;AAAA,YACvC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC/C,YAAI,QAAQ,MAAM,YAAY;AAC5B,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,eAAe,SAAS,QAAQ,GAAG,EAAE;AAAA,YAC5D,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,MAAM,aAAa,GAAG;AAChC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,qBAAqB,SAAS,QAAQ,GAAG,EAAE;AAAA,YAClE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,qBAAqB;AACpC,cAAM,SAAS,aAAa;AAE5B,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,UACV,MAAM,EAAE,YAAY,QAAQ,WAAW;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AClJA,IAcM,iBAEO;AAhBb;AAAA;AAUA;AACA;AAGA,IAAM,kBAAkB;AAEjB,IAAM,qBAAN,MAA+C;AAAA,MAKpD,YAA6B,SAAiB,iBAAiB;AAAlC;AAJ7B,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAE+C;AAAA,MAEhE,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,uBAAuB;AAAA,MAChD;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU;AAChC,YAAI,CAAC,SAAS;AACZ,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,QAAQ,KAAK,IAAI;AAGvB,YAAI,QAAQ,QAAQ,SAAS,KAAK,QAAQ;AACxC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,kBAAkB,qBAAqB,QAAQ,MAAM,SAAS,KAAK;AAAA,YAClF;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,QAAQ,WAAW,KAAK,QAAQ;AAC1C,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,iBAAiB,sBAAsB,QAAQ,QAAQ,SAAS,KAAK;AAAA,YACpF;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,cAAc;AAE7B,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC1EA,IAca;AAdb;AAAA;AAWA;AACA;AAEO,IAAM,iCAAN,MAA2D;AAAA,MAKhE,YAEmB,cACjB;AADiB;AANnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAKd;AAAA,MAEH,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,uBAAuB;AAAA,MAChD;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU;AAChC,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,WAAW,CAAC,UAAU;AACzB,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,QAAQ,KAAK,cAAc;AACrC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,iBAAiB,iBAAiB,QAAQ,GAAG,cAAc,KAAK,YAAY;AAAA,YAC3F;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAIA,cAAM,gBAAgB,MAAM,UAAU,MAAM,UAAU;AACtD,YAAI,iBAAiB,QAAQ,WAAW,eAAe;AACrD,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,eAAe,oBAAoB,QAAQ,MAAM,aAAa,aAAa;AAAA,YAC1F;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,SAAS,eAAe,QAAQ,KAAK;AACvC,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,eAAe,kBAAkB,SAAS,UAAU,iBAAiB,QAAQ,GAAG;AAAA,YAC/F;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,qBAAqB;AAEpC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC3FA,IAsCa,wBAqCA;AA3Eb;AAAA;AAWA;AACA;AA0BO,IAAM,yBAAN,MAAuD;AAAA,MAAvD;AACL,aAAQ,SAAS,oBAAI,IAAoB;AACzC,aAAQ,WAAW,oBAAI,IAAY;AACnC,aAAQ,UAAU,oBAAI,IAAY;AAAA;AAAA,MAElC,MAAM,aAAa,KAAa,OAAiC;AAC/D,aAAK,QAAQ;AACb,YAAI,KAAK,OAAO,IAAI,GAAG,EAAG,QAAO;AACjC,aAAK,OAAO,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK;AACvC,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,kBAAkB,WAAqC;AAC3D,eAAO,KAAK,SAAS,IAAI,SAAS;AAAA,MACpC;AAAA,MAEA,MAAM,oBAAoB,WAAmB,QAA+B;AAC1E,aAAK,SAAS,IAAI,SAAS;AAAA,MAC7B;AAAA,MAEA,MAAM,iBAAiB,WAAqC;AAC1D,eAAO,KAAK,QAAQ,IAAI,SAAS;AAAA,MACnC;AAAA;AAAA,MAGA,OAAO,WAAyB;AAC9B,aAAK,QAAQ,IAAI,SAAS;AAAA,MAC5B;AAAA,MAEQ,UAAgB;AACtB,cAAM,MAAM,KAAK,IAAI;AACrB,mBAAW,CAAC,KAAK,SAAS,KAAK,KAAK,QAAQ;AAC1C,cAAI,YAAY,IAAK,MAAK,OAAO,OAAO,GAAG;AAAA,QAC7C;AAAA,MACF;AAAA,IACF;AAEO,IAAM,4BAAN,MAAsD;AAAA,MAQ3D,YACmB,aACjB,SACA;AAFiB;AARnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AASf,aAAK,aAAa,SAAS,cAAc,IAAI,KAAK;AAAA,MACpD;AAAA,MAEA,SAAS,OAA6B;AACpC,eAAO,MAAM,UAAU,uBAAuB;AAAA,MAChD;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,UAAU,MAAM,UAAU;AAChC,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,WAAW,CAAC,UAAU;AACzB,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,eAAe;AAAA,YACnC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,UAAU,MAAM,KAAK,YAAY,iBAAiB,QAAQ,UAAU;AAC1E,YAAI,SAAS;AACX,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,eAAe,KAAK,QAAQ,UAAU,EAAE;AAAA,YAC/D,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,SAAS,cAAc;AACjC,gBAAM,WAAW,MAAM,KAAK,YAAY;AAAA,YACtC,QAAQ;AAAA,UACV;AACA,cAAI,UAAU;AACZ,mBAAO;AAAA,cACL,OAAO;AAAA,cACP,WAAW;AAAA,cACX,SAAS,CAAC,GAAG,UAAU,gBAAgB,KAAK,QAAQ,UAAU,EAAE;AAAA,cAChE,MAAM,UAAU;AAAA,YAClB;AAAA,UACF;AAAA,QACF;AAIA,cAAM,WAAW,aAAa,QAAQ,GAAG,IAAI,QAAQ,GAAG,IAAI,QAAQ,MAAM,IAAI,SAAS,aAAa;AACpG,cAAM,aAAa,MAAM,KAAK,YAAY;AAAA,UACxC;AAAA,UACA,KAAK;AAAA,QACP;AACA,YAAI,CAAC,YAAY;AACf,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,YAAY,KAAK,SAAS,cAAc,MAAM,GAAG,EAAE,CAAC;AAAA,YACnE;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,QAAQ,SAAS,cAAc;AACjC,gBAAM,cAAc,QAAQ,MAAM,QAAQ,OAAO,MAAO;AACxD,gBAAM,KAAK,YAAY;AAAA,YACrB,QAAQ;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAEA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,iBAAiB;AAEhC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AC6EA,SAAS,SAAS,UAA0C;AAC1D,QAAM,QAAQ;AAAA,IACZ,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS;AAAA,IACT,SAAS,QAAQ;AAAA,IACjB,SAAS,QAAQ;AAAA,IACjB,SAAS,QAAQ;AAAA,IACjB,SAAS;AAAA,EACX;AACA,SAAO,IAAI,YAAY,EAAE,OAAO,MAAM,KAAK,GAAG,CAAC;AACjD;AAEA,SAAS,kBAAkB,aAA0C;AACnE,SACE,OAAO,gBAAgB,YACvB,YAAY,YAAY,EAAE,SAAS,kBAAkB;AAEzD;AAEA,SAAS,mBACP,SACgC;AAChC,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,OAAO,CAAC;AAC3D,QAAI,UAAU,OAAO,WAAW,YAAY,CAAC,MAAM,QAAQ,MAAM,GAAG;AAClE,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,SAASE,iBAAgB,OAA2B;AAClD,QAAM,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACzD,QAAM,UAAU,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AACxD,SAAO,IAAI,WAAW,OAAO,KAAK,SAAS,SAAS,QAAQ,CAAC;AAC/D;AAjSA,IAqEa;AArEb;AAAA;AAeA;AACA;AAqDO,IAAM,6BAAN,MAAuD;AAAA,MAK5D,YACmB,aACA,aACA,kBAA0B,KAAK,MAC/B,kBACjB;AAJiB;AACA;AACA;AACA;AARnB,aAAS,OAAO;AAChB,aAAS,QAAQ;AACjB,aAAS,QAAQ;AAAA,MAOd;AAAA,MAEH,SAAS,OAA6B;AACpC,eACE,MAAM,UAAU,qBAAqB,QACrC,MAAM,UAAU,yBAAyB,QACzC,MAAM,UAAU,uBAAuB,QACvC,MAAM,UAAU,mBAAmB;AAAA,MAEvC;AAAA,MAEA,MAAM,IAAI,OAA6C;AACrD,cAAM,WAAW,MAAM,UAAU;AAIjC,YAAI,CAAC,UAAU;AACb,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,gBAAgB;AAAA,YACpC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI;AACJ,YAAI;AACF,mBAAS,MAAM,KAAK,YAAY;AAAA,YAC9B,SAAS,cAAc;AAAA,YACvB,SAAS,cAAc;AAAA,YACvB,SAAS,cAAc;AAAA,YACvB,SAAS,cAAc;AAAA,UACzB;AAAA,QACF,QAAQ;AACN,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,iBAAiB;AAAA,YACrC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,YAAI,CAAC,QAAQ;AACX,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,iBAAiB;AAAA,YACrC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI;AACJ,YAAI;AACJ,YAAI;AAEJ,YAAI;AACF,eAAKA,iBAAgB,SAAS,kBAAkB,EAAE;AAClD,uBAAaA,iBAAgB,SAAS,kBAAkB,UAAU;AAClE,gBAAMA,iBAAgB,SAAS,kBAAkB,GAAG;AAAA,QACtD,QAAQ;AACN,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,GAAG,UAAU,iBAAiB,8BAA8B;AAAA,YACtE,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,YAAI,WAAW,SAAS,KAAK,iBAAiB;AAC5C,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS;AAAA,cACP,GAAG,UAAU,iBAAiB,KAAK,WAAW,MAAM,MAAM,KAAK,eAAe;AAAA,YAChF;AAAA,YACA,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAGA,cAAM,MAAM,SAAS,QAAQ;AAE7B,YAAI;AACJ,YAAI;AACF,sBAAY,MAAM,KAAK,YAAY;AAAA,YACjC;AAAA,YACA;AAAA,YACA;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,QACF,QAAQ;AACN,sBAAY;AAAA,QACd,UAAE;AAEA,iBAAO,KAAK,CAAC;AAAA,QACf;AAEA,YAAI,CAAC,WAAW;AACd,iBAAO;AAAA,YACL,OAAO;AAAA,YACP,WAAW;AAAA,YACX,SAAS,CAAC,UAAU,iBAAiB;AAAA,YACrC,MAAM,UAAU;AAAA,UAClB;AAAA,QACF;AAEA,cAAM,UAAU,MAAM,UAAU;AAKhC,YAAI,WAAW,kBAAkB,SAAS,YAAY,GAAG;AACvD,gBAAM,SAAS,mBAAmB,SAAS;AAC3C,cAAI,UAAU,OAAO,OAAO,WAAW,UAAU;AAC/C,gBAAI,OAAO,WAAW,QAAQ,QAAQ;AACpC,qBAAO;AAAA,gBACL,OAAO;AAAA,gBACP,WAAW;AAAA,gBACX,SAAS;AAAA,kBACP,GAAG,UAAU,sBAAsB,oBAAoB,OAAO,MAAM,oBAAoB,QAAQ,MAAM;AAAA,gBACxG;AAAA,gBACA,MAAM,UAAU;AAAA,cAClB;AAAA,YACF;AACA,kBAAM,WAAW,MAAM,YAAY,CAAC;AACpC,kBAAM,SAAS,mBAAmB,OAAO;AAAA,UAC3C;AAAA,QACF;AAEA,YAAI,KAAK,kBAAkB;AACzB,gBAAM,UAAU,MAAM,KAAK,iBAAiB,SAAS,WAAW,QAAQ;AACxE,cAAI,CAAC,QAAQ,IAAI;AACf,kBAAM,OAAO,QAAQ,QAAQ,UAAU;AACvC,mBAAO;AAAA,cACL,OAAO;AAAA,cACP,WAAW;AAAA,cACX,SAAS,CAAC,QAAQ,UAAU,IAAI;AAAA,cAChC;AAAA,YACF;AAAA,UACF;AAEA,cAAI,QAAQ,QAAQ;AAClB,kBAAM,WAAW,MAAM,YAAY,CAAC;AACpC,kBAAM,SAAS,mBAAmB,QAAQ;AAAA,UAC5C;AAAA,QACF;AAGA,cAAM,WAAW,MAAM,YAAY,CAAC;AACpC,cAAM,SAAS,sBAAsB;AACrC,cAAM,SAAS,kBAAkB;AAEjC,eAAO;AAAA,UACL;AAAA,UACA,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS,CAAC;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA;AAAA;;;AClPA;AAAA;AAcA;AAEA;AAMA;AAMA;AAEA;AAEA;AAMA;AAAA;AAAA;;;ACtCA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAgBA;AA2BA;AAUA;AAYA;AASA;AASA;AAaA;AAAA;AAAA;;;AChGA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA,oCAAc;AAAd;AAAA;AAAA;AACA;AACA;AACA;AAAA;AAAA;;;ACHA;AAAA;AAAA;AAAA;;;;;;;;;;;;;;;ACAA,QAAA,WAAA,UAAA,gBAAA;AACA,QAAAC,UAAA,UAAA,QAAA;AACA,QAAA,OAAA,UAAA,WAAA;AAuCO,QAAM,2BAAwB,6BAA9B,MAAM,yBAAwB;MAA9B,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,2BAAyB,IAAI;AAGjD,aAAA,aAAa,oBAAI,IAAG;AAGpB,aAAA,eAAe,oBAAI,IAAG;MA6QzC;MAtPE,MAAM,YACJ,WACA,UACA,SAKC;AAED,gBAAQ,WAAW;UACjB,KAAK;AACH,mBAAO,KAAK,mBAAmB,QAAQ;UACzC,KAAK;AACH,mBAAO,KAAK,eAAe,QAAQ;UACrC,KAAK;AACH,mBAAO,KAAK,gBAAgB,QAAQ,IAAI;UAC1C,KAAK;AACH,mBAAO,KAAK,oBACV,QAAQ,YACR,QAAQ,WACR,QAAQ,QAAQ;UAEpB;AACE,mBAAO,EAAE,OAAO,OAAO,OAAO,uBAAuB,SAAS,GAAE;QACpE;MACF;MAKQ,MAAM,mBACZ,UAAoB;AAIpB,cAAM,YAAY,IAAI,YAAW,EAAG,OAAO,QAAQ;AACnD,eAAO;UACL,OAAO;UACP,UAAU,EAAE,WAAW,2BAA2B,KAAI;;MAE1D;MAcQ,MAAM,eACZ,UAAoB;AAEpB,YAAI;AACF,gBAAM,QAAQ,IAAI,YAAW,EAAG,OAAO,QAAQ;AAC/C,gBAAM,QAAQ,MAAM,MAAM,GAAG;AAE7B,cAAI,MAAM,WAAW,GAAG;AACtB,mBAAO,EAAE,OAAO,OAAO,OAAO,qBAAoB;UACpD;AAGA,gBAAM,SAAS,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAQ,CAAE;AACvE,gBAAM,UAAU,KAAK,MAAM,OAAO,KAAK,MAAM,CAAC,GAAG,WAAW,EAAE,SAAQ,CAAE;AAGxE,cAAI,QAAQ,OAAO,KAAK,IAAG,IAAK,MAAO,QAAQ,KAAK;AAClD,mBAAO,EAAE,OAAO,OAAO,OAAO,cAAa;UAC7C;AAGA,cAAI,QAAQ,OAAO,KAAK,IAAG,IAAK,MAAO,QAAQ,KAAK;AAClD,mBAAO,EAAE,OAAO,OAAO,OAAO,oBAAmB;UACnD;AAIA,iBAAO;YACL,OAAO;YACP,SAAS,QAAQ,OAAO,QAAQ;YAChC,UAAU,EAAE,KAAK,QAAQ,KAAK,OAAO,QAAQ,MAAK;;QAEtD,SAAS,GAAG;AACV,gBAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,iBAAO,EAAE,OAAO,OAAO,OAAO,oBAAoB,OAAO,GAAE;QAC7D;MACF;MAKQ,MAAM,gBACZ,MAAkB;AAElB,YAAI,CAAC,MAAM;AACT,iBAAO,EAAE,OAAO,OAAO,OAAO,2BAA0B;QAC1D;AAGA,YAAI,CAAC,KAAK,UAAU;AAClB,iBAAO,EAAE,OAAO,OAAO,OAAO,sCAAqC;QACrE;AAGA,YAAI,KAAK,uBAAuB;AAC9B,gBAAM,UAAU,KAAK,aAAa,IAAI,KAAK,qBAAqB;AAChE,cAAI,SAAS;AACX,mBAAO;cACL,OAAO;cACP,SAAS,QAAQ;cACjB,UAAU;gBACR,aAAa,KAAK;gBAClB,SAAS,KAAK;;;UAGpB;QACF;AAGA,YAAI,KAAK,mBAAmB;AAC1B,gBAAM,UAAU,KAAK,kBAAkB,MAAM,YAAY;AACzD,cAAI,SAAS;AACX,mBAAO;cACL,OAAO;cACP,SAAS,QAAQ,CAAC;cAClB,UAAU;gBACR,SAAS,KAAK;gBACd,QAAQ,KAAK;;;UAGnB;QACF;AAEA,eAAO,EAAE,OAAO,OAAO,OAAO,2CAA0C;MAC1E;MAKQ,MAAM,oBACZ,YACA,WACA,UAA0B;AAE1B,YAAI,CAAC,YAAY,CAAC,cAAc,CAAC,WAAW;AAC1C,iBAAO,EAAE,OAAO,OAAO,OAAO,4BAA2B;QAC3D;AAGA,YAAI,YAAY,SAAS;AAGzB,cAAM,gBAAgB,KAAK,WAAW,IAAI,SAAS,QAAQ;AAC3D,YAAI,eAAe;AACjB,sBAAY;QACd;AAEA,YAAI,CAAC,aAAa,UAAU,WAAW,IAAI;AACzC,iBAAO;YACL,OAAO;YACP,OAAO;;QAEX;AAGA,YAAI;AACF,gBAAM,QAAQ,KAAK,KAAK,SAAS,OAAO,YAAY,WAAW,SAAS;AAExE,cAAI,CAAC,OAAO;AACV,mBAAO,EAAE,OAAO,OAAO,OAAO,uCAAsC;UACtE;AAEA,iBAAO;YACL,OAAO;YACP,SAAS,SAAS;YAClB,UAAU,EAAE,UAAU,SAAS,UAAU,WAAW,YAAW;;QAEnE,SAAS,GAAG;AACV,gBAAM,UAAU,aAAa,QAAQ,EAAE,UAAU;AACjD,iBAAO;YACL,OAAO;YACP,OAAO,iCAAiC,OAAO;;QAEnD;MACF;MAUA,kBAAkB,UAAkB,WAAqB;AACvD,YAAI,UAAU,WAAW,IAAI;AAC3B,gBAAM,IAAI,MAAM,8CAA8C;QAChE;AACA,aAAK,WAAW,IAAI,UAAU,SAAS;AACvC,aAAK,OAAO,IAAI,6BAA6B,QAAQ,EAAE;MACzD;MAKA,iBAAiB,UAAgB;AAC/B,eAAO,KAAK,WAAW,OAAO,QAAQ;MACxC;MAQA,iBAAiB,aAAqB,SAAe;AACnD,aAAK,aAAa,IAAI,aAAa,EAAE,SAAS,UAAU,KAAK,IAAG,EAAE,CAAE;AACpE,aAAK,OAAO,IAAI,wBAAwB,WAAW,cAAc,OAAO,EAAE;MAC5E;MAKA,eAAe,aAAmB;AAChC,eAAO,KAAK,aAAa,OAAO,WAAW;MAC7C;MAKA,OAAO,qBAAqB,SAAe;AAEzC,cAAM,MAAM,OAAO,KACjB,QACG,QAAQ,+BAA+B,EAAE,EACzC,QAAQ,6BAA6B,EAAE,EACvC,QAAQ,OAAO,EAAE,GACpB,QAAQ;AAEV,eAAOA,QAAO,WAAW,QAAQ,EAAE,OAAO,GAAG,EAAE,OAAO,KAAK;MAC7D;;AAnRW,YAAA,2BAAA;uCAAA,2BAAwB,6BAAA,WAAA;OADpC,GAAA,SAAA,YAAU;OACE,wBAAwB;;;;;ACzCrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA;AACA,+BAAc;AAAA;AAAA;;;ACHd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mCAAc;AACd;AACA;AACA;AACA,mCAAc;AACd;AACA;AACA;AACA;AACA;AACA;AACA,mCAAc;AAAA;AAAA;;;ACXd;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACJA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,+BAAc;AACd;AACA;AACA;AACA;AACA,+BAAc;AACd,+BAAc;AACd;AACA,+BAAc;AACd,+BAAc;AACd;AACA,+BAAc;AACd,+BAAc;AACd,+BAAc;AACd;AAAA;AAAA;;;ACfA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AAAA;AAAA;;;ACDA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;;;ACPA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,YAAYC,QAAO;AAAnB,IAqBa,iBAUA,6BAeA,0BAMA,uBAOA,uBAMA,oBAOA,YASA,gBAGA,qBAcA,mBAGA,eAeA,0BAOA,uBAgBA,gBAYA,UASA,0BAQA,2BAYA,sBAUA,mBAQA,iBAUA,kBAOA,eASA,WAOA,mBAaA,mBAaA,qBAWA,sBAiBA,kBAWA,QAGA,cAWA,cAGA,eAYA,mBAOA,sBAUA,oBAKA,eAcA,eASA,gBAeA,kBAOA,mBAUA,iBAWDD,YAQC,cAqBA;AA1bb;AAAA;AACA;AAoBO,IAAM,kBAAoB,SAAM;AAAA,MACnC,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,MAC/D,UAAO;AAAA,QACP,QAAU,WAAQ,MAAM;AAAA,QACxB,MAAQ,UAAO;AAAA,QACf,QAAU,UAAO,EAAE,SAAS;AAAA,QAC5B,MAAQ,OAAI,EAAE,SAAS;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAEM,IAAM,8BAAgC,SAAM;AAAA,MAC/C,UAAO,EAAE,QAAU,WAAQ,OAAO,GAAG,MAAQ,OAAI,EAAE,SAAS,EAAE,CAAC;AAAA,MAC/D,UAAO;AAAA,QACP,QAAU,WAAQ,MAAM;AAAA,QACxB,MAAQ,UAAO;AAAA,QACf,QAAU,UAAO,EAAE,SAAS;AAAA,QAC5B,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,QACnD,MAAQ,OAAI,EAAE,SAAS;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAMM,IAAM,2BAA6B,UAAO;AAAA,MAC/C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,SAAW,UAAO,EAAE,OAAO,CAAC,EAAE,YAAY,EAAE,SAAS;AAAA,IACvD,CAAC;AAGM,IAAM,wBAAwB;AAO9B,IAAM,wBAA0B,UAAO;AAAA,MAC5C,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,WAAa,WAAQ,EAAE,SAAS;AAAA,IAClC,CAAC;AAGM,IAAM,qBAAqB;AAO3B,IAAM,aAAe,QAAK;AAAA,MAC/B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,iBAAmB,QAAK,CAAC,UAAU,WAAW,YAAY,MAAM,CAAC;AAGvE,IAAM,sBAAwB,UAAO;AAAA,MAC1C,SAAS;AAAA,MACT,YAAc,QAAK,CAAC,UAAU,SAAS,CAAC;AAAA,MACxC,eAAiB,SAAM,UAAU,EAAE,IAAI,CAAC;AAAA,MACxC,YAAc,WAAQ;AAAA,MACtB,sBAAwB,WAAQ;AAAA,MAChC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,IAC1B,CAAC;AAOM,IAAM,oBAAsB,QAAK,CAAC,OAAO,UAAU,QAAQ,UAAU,CAAC;AAGtE,IAAM,gBAAkB,UAAO;AAAA,MACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,aAAa;AAAA,MACb,eAAiB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACzC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACxC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MAClD,oBAAsB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MACzD,kBAAoB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MACvD,mBAAqB,WAAQ;AAAA,MAC7B,iBAAmB,WAAQ;AAAA,MAC3B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IACvC,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,MAC/C,OAAO;AAAA,MACP,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IAC1C,CAAC;AAGM,IAAM,wBAA0B,SAAM;AAAA,MACzC,UAAO;AAAA,QACP,QAAU,WAAQ,OAAO;AAAA,QACzB,QAAQ;AAAA,MACV,CAAC;AAAA,MACC,UAAO;AAAA,QACP,QAAU,WAAQ,MAAM;AAAA,QACxB,QAAU,UAAO;AAAA,MACnB,CAAC;AAAA,IACH,CAAC;AAOM,IAAM,iBAAmB,UAAO;AAAA,MACrC,WAAa,UAAO,EAAE,IAAI,CAAC;AAAA,MAC3B,cAAgB,SAAQ,UAAO,CAAC,EAAE,IAAI,CAAC;AAAA,MACvC,QACG,UAAO;AAAA,QACN,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MACrD,CAAC,EACA,SAAS;AAAA,MACZ,QAAU,UAAS,UAAO,GAAK,OAAI,CAAC,EAAE,SAAS;AAAA,IACjD,CAAC;AAGM,IAAM,WAAa,UAAO;AAAA,MAC/B,IAAM,UAAO;AAAA,MACb,QAAQ;AAAA,MACR,UAAY,UAAO,EAAE,IAAI;AAAA,MACzB,WAAa,UAAO,EAAE,IAAI;AAAA,MAC1B,MAAQ,QAAK,CAAC,QAAQ,YAAY,SAAS,CAAC;AAAA,IAC9C,CAAC;AAGM,IAAM,2BAA6B,UAAO;AAAA,MAC/C,OAAS,WAAQ;AAAA,MACjB,SAAS,SAAS,SAAS;AAAA,MAC3B,QAAU,UAAO,EAAE,SAAS;AAAA,MAC5B,gBAAkB,WAAQ,EAAE,SAAS;AAAA,IACvC,CAAC;AAGM,IAAM,4BAA8B,UAAO;AAAA,MAChD,SAAW;AAAA,QACP,UAAO;AAAA,QACP,UAAmB,CAAC,MAAM,aAAa,UAAU;AAAA,MACrD;AAAA,MACA,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,KAAO,OAAI;AAAA;AAAA,IACb,CAAC;AAKM,IAAM,uBAAyB,UAAO;AAAA,MAC3C,IAAM,WAAQ,IAAI;AAAA,MAClB,SAAS;AAAA,IACX,CAAC;AAOM,IAAM,oBAAsB,QAAK;AAAA,MACtC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,kBAAoB,UAAO;AAAA,MACtC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,WAAa,UAAO,EAAE,SAAS;AAAA,MAC/B,SAAW,UAAO,EAAE,SAAS;AAAA,MAC7B,WAAa,UAAO,EAAE,SAAS;AAAA,MAC/B,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,SAAS;AAAA,IACX,CAAC;AAGM,IAAM,mBAAqB,UAAO;AAAA,MACvC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACrC,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC/B,KAAO,QAAK,CAAC,kBAAkB,eAAe,CAAC;AAAA,IACjD,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,MACpC,IAAM,WAAQ,IAAI;AAAA,IACpB,CAAC;AAOM,IAAM,YAAc,UAAO;AAAA,MAChC,IAAM,UAAO;AAAA,MACb,YAAc,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACtD,QAAU,QAAK,CAAC,UAAU,WAAW,WAAW,SAAS,CAAC;AAAA,MAC1D,UAAY,UAAO,EAAE,IAAI;AAAA,MACzB,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IACvC,CAAC;AACM,IAAM,oBAAsB,UAAO;AAAA,MACxC,UAAY,UAAO,EAAE,IAAI;AAAA,MACzB,SAAW,UAAO,EAAE,IAAI;AAAA,MACxB,eAAiB,UAAO,EAAE,IAAI;AAAA,MAC9B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IACvC,CAAC;AAQM,IAAM,oBAAsB,UAAO;AAAA,MACxC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,MACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,MAAQ,cAAW,UAAU;AAAA,MAC7B,SAAW,UAAO,EAAE,SAAS;AAAA,IAC/B,CAAC;AAOM,IAAM,sBAAwB,UAAO;AAAA,MAC1C,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,MAC1D,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,EAAE,SAAS;AAAA,MAC5D,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,IACtB,CAAC;AAOM,IAAM,uBAAyB,UAAO;AAAA,MAC3C,UACG,SAAM,CAAG,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC,GAAK,cAAW,UAAU,CAAC,CAAC,EAC7E,SAAS;AAAA,MACZ,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,MACtB,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,MAAQ,cAAW,UAAU;AAAA,MAC7B,SAAW,UAAO,EAAE,SAAS;AAAA,MAC7B,aAAe,UAAO,EAAE,SAAS;AAAA,IACnC,CAAC;AAOM,IAAM,mBAAqB,QAAK;AAAA,MACrC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,SAAW,QAAK,CAAC,UAAU,MAAM,CAAC;AAGxC,IAAM,eAAiB,UAAO;AAAA,MACnC,MAAQ,UAAO,EAAE,IAAI,CAAC;AAAA,MACtB,KAAO,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC/B,MAAM;AAAA,MACN,UAAY,WAAQ,EAAE,SAAS;AAAA,MAC/B,QAAU,UAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,MAC7C,KAAO,UAAO,EAAE,SAAS;AAAA,MACzB,OAAO,OAAO,SAAS;AAAA,IACzB,CAAC;AAGM,IAAM,eAAiB,QAAK,CAAC,WAAW,OAAO,WAAW,SAAS,CAAC;AAGpE,IAAM,gBAAkB,UAAO;AAAA,MACpC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,SAAW,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACnC,aAAa;AAAA,MACb,QAAU,SAAM,YAAY,EAAE,IAAI,CAAC;AAAA,IACrC,CAAC;AAOM,IAAM,oBAAsB,UAAO;AAAA,MACxC,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,MAC1B,MAAQ,WAAQ;AAAA,MAChB,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,IACtB,CAAC;AAGM,IAAM,uBAAyB,SAAM;AAAA,MACxC,UAAO,EAAE,QAAU,WAAQ,OAAO,EAAE,CAAC;AAAA,MACrC,UAAO,EAAE,QAAU,WAAQ,MAAM,GAAG,MAAQ,UAAO,EAAE,CAAC;AAAA,IAC1D,CAAC;AAOM,IAAM,qBAAuB,UAAO;AAAA,MACzC,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,IACtB,CAAC;AAGM,IAAM,gBAAkB,UAAO;AAAA,MACpC,OAAS,UAAO,EAAE,IAAI,IAAI,EAAE,IAAI,GAAG;AAAA,MACnC,aAAe,UAAO,EAAE,IAAI;AAAA,MAC5B,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,gBAAkB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC7C,iBAAmB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC9C,MAAQ,SAAQ,UAAO,CAAC;AAAA,IAC1B,CAAC;AAOM,IAAM,gBAAkB,QAAK;AAAA,MAClC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAGM,IAAM,iBAAmB,UAAO;AAAA,MACrC,aAAe,UAAO,EAAE,IAAI,CAAC;AAAA,MAC7B,UAAY,UAAO,EAAE,IAAI,CAAC;AAAA,MAC1B,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACrC,WAAa,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACrC,aAAe,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MACvC,eAAiB,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MAC5C,QAAQ;AAAA,IACV,CAAC;AAOM,IAAM,mBAAqB,UAAO;AAAA,MACvC,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,WAAa,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,MACxC,SAAW,UAAO,EAAE,IAAI,EAAE,YAAY;AAAA,IACxC,CAAC;AAGM,IAAM,oBAAsB,UAAO;AAAA,MACxC,gBAAkB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,MAC1C,cAAgB,UAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IAC1C,CAAC;AAOM,IAAM,kBAAoB,UAAO;AAAA,MACtC,YAAc,OAAI;AAAA;AAAA,MAClB,WAAa,OAAI;AAAA;AAAA,MACjB,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,IAC1B,CAAC;AAOM,IAAKA,aAAL,kBAAKA,eAAL;AACL,MAAAA,sBAAA,aAAU,KAAV;AACA,MAAAA,sBAAA,SAAM,KAAN;AACA,MAAAA,sBAAA,aAAU,KAAV;AACA,MAAAA,sBAAA,eAAY,KAAZ;AACA,MAAAA,sBAAA,iBAAc,KAAd;AALU,aAAAA;AAAA,qBAAA;AAQL,IAAM,eAAiB,UAAO;AAAA,MACnC,KAAO,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA;AAAA,MAC/C,IAAM,UAAO;AAAA;AAAA,MACb,QAAU,UAAO,EAAE,IAAI,CAAC;AAAA,MACxB,SAAW,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACnD,WAAa,QAAKA,UAAS;AAAA,MAC3B,UAAY,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACpD,OAAS,UAAe,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAAA,MACjD,IAAM,UAAO,EAAE,IAAI,CAAC;AAAA,MACpB,cAAgB,UAAO,EAAE,SAAS;AAAA,MAClC,SAAS,SAAS,SAAS;AAAA,MAC3B,UAAU,UAAU,SAAS;AAAA,MAC7B,OAAS,OAAI,EAAE,SAAS;AAAA;AAAA,IAC1B,CAAC;AAQM,IAAM,aAAe,UAAO;AAAA,MACjC,MAAQ,UAAO;AAAA,MACf,SAAW,UAAO;AAAA,MAClB,YAAc,UAAO,EAAE,IAAI;AAAA,IAC7B,CAAC;AAAA;AAAA;;;;;;;;;;;;;;;AC9bD,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,QAAA;AAKA,QAAYE;AAAZ,KAAA,SAAYA,cAAW;AACrB,MAAAA,aAAAA,aAAA,KAAA,IAAA,CAAA,IAAA;AACA,MAAAA,aAAAA,aAAA,SAAA,IAAA,CAAA,IAAA;AACA,MAAAA,aAAAA,aAAA,KAAA,IAAA,CAAA,IAAA;AACA,MAAAA,aAAAA,aAAA,KAAA,IAAA,CAAA,IAAA;IACF,GALYA,iBAAW,QAAA,cAAXA,eAAW,CAAA,EAAA;AAiBhB,QAAMC,wBAAoB,yBAA1B,MAAM,qBAAoB;MAA1B,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,uBAAqB,IAAI;MAmIhE;MA9HE,SAAS,MAAkB,SAAoB;AAC7C,gBAAQ,SAAS;UACf,KAAKD,aAAY;AACf,mBAAO,KAAK,YAAY,IAAI;UAE9B,KAAKA,aAAY;AACf,mBAAO,KAAK,eAAe,IAAI;UAEjC,KAAKA,aAAY;AACf,mBAAO,KAAK,YAAY,IAAI;UAE9B,KAAKA,aAAY;AACf,mBAAO,KAAK,YAAY,IAAI;UAE9B;AACE,mBAAO;cACL,OAAO;cACP,OAAO,yBAAyB,OAAO;cACvC;;QAEN;MACF;MAKQ,YAAY,MAAgB;AAClC,eAAO;UACL,OAAO;UACP,SAASA,aAAY;;MAEzB;MAKQ,eAAe,MAAgB;AACrC,YAAI;AACF,gBAAM,QAAO,GAAA,MAAA,gBAAe,IAAI;AAGhC,qBAAWE,QAAO,MAAM;AACtB,gBAAIA,KAAI,SAAS,OAAOA,KAAI,SAAS,KAAK;AACxC,qBAAO;gBACL,OAAO;gBACP,OAAO;gBACP,SAASF,aAAY;;YAEzB;UACF;AAEA,iBAAO;YACL,OAAO;YACP,SAASA,aAAY;;QAEzB,SAAS,OAAO;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,iBAAO;YACL,OAAO;YACP,OAAO,0BAA0B,OAAO;YACxC,SAASA,aAAY;;QAEzB;MACF;MAKQ,YAAY,MAAgB;AAClC,YAAI;AACF,gBAAM,QAAO,GAAA,MAAA,gBAAe,IAAI;AAGhC,gBAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,cAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,mBAAO;cACL,OAAO;cACP,OAAO;cACP,SAASA,aAAY;;UAEzB;AAEA,iBAAO;YACL,OAAO;YACP,SAASA,aAAY;;QAEzB,SAAS,OAAO;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,iBAAO;YACL,OAAO;YACP,OAAO,sBAAsB,OAAO;YACpC,SAASA,aAAY;;QAEzB;MACF;MAKQ,YAAY,MAAgB;AAClC,YAAI;AACF,gBAAM,QAAO,GAAA,MAAA,gBAAe,IAAI;AAGhC,gBAAM,SAAS,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG;AAC9C,cAAI,CAAC,UAAU,KAAK,SAAS,GAAG;AAC9B,mBAAO;cACL,OAAO;cACP,OAAO;cACP,SAASA,aAAY;;UAEzB;AAEA,iBAAO;YACL,OAAO;YACP,SAASA,aAAY;;QAEzB,SAAS,OAAO;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,iBAAO;YACL,OAAO;YACP,OAAO,sBAAsB,OAAO;YACpC,SAASA,aAAY;;QAEzB;MACF;;AAnIW,YAAA,uBAAAC;mCAAAA,wBAAoB,yBAAA,WAAA;OADhC,GAAA,SAAA,YAAU;OACEA,qBAAoB;;;;;ACxBjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAAAE;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IACA;AADA;AAAA;AAAA;AACA,0BAIO;AAAA;AAAA;;;ACLP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA,iCAAc;AAAA;AAAA;;;;;;;;;;;;;;ACFd,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAgCO,QAAM,8BAAN,MAAM,4BAA2B;MAAjC,cAAA;AAEI,aAAA,OAAO;AAMP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAoBnC;MAlBE,WAAQ;AACN,eAAO;MACT;MAEA,MAAM,IAAI,OAAkB;AAE1B,cAAM,aAAa,CAAC,CAAC,MAAM,UAAU;AACrC,cAAM,cAAc,CAAC,CAAC,MAAM,UAAU;AACtC,cAAM,UAAU,CAAC,CAAC,MAAM,UAAU;AAElC,cAAM,UAAU,cAAc,eAAe,UAAU,YAAY;AAGnE,YAAI,CAAC,MAAM;AAAU,gBAAM,WAAW,CAAA;AACtC,cAAM,SAAS,UAAU;AAEzB,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA3BW,YAAA,8BAAA;0CAAA,8BAA2B,WAAA;OAFvC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,2BAA2B;;;;;;;;;;;;;;;;ACnCxC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,cAAA;AACA,QAAA,WAAA;AACA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAsFO,QAAM,mBAAN,MAAM,iBAAgB;MAAtB,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,UAAU;MA+ElC;MArEE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;MAC9C;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,EAAE,KAAI,IAAK;AAGjB,YAAI,CAAC,QAAQ,KAAK,SAAS,GAAG;AAC5B,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,YAAI;AAOF,cAAI,SAAS;AACb,oBAAU;AACV,oBAAU;AAGV,gBAAM,EAAE,OAAO,QAAQ,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACrE,oBAAU;AAGV,gBAAM,EAAE,OAAO,QAAO,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AAGpD,cAAI,SAAS,YAAA,aAAa;AACxB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,eAAe,MAAM,kBAAkB,YAAA,WAAW;;UAE9D;AAGA,cAAI,UAAU,YAAA,cAAc;AAC1B,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,aAAa,OAAO,kBAAkB,YAAA,YAAY;;UAE9D;AAEA,iBAAO,EAAE,QAAQ,QAAO;QAC1B,SAAS,GAAG;AAGV,iBAAO,EAAE,QAAQ,QAAO;QAC1B;MACF;;AA1FW,YAAA,mBAAA;+BAAA,mBAAgB,WAAA;OAF5B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,gBAAgB;;;;;;;;;;;;;;;;;AC3F7B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,UAAA;AAyEO,QAAM,8BAA2B,gCAAjC,MAAM,4BAA2B;MAAjC,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,8BAA4B,IAAI;AAG5D,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,SAAS;MAwGjC;MA9FE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAiBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,EAAE,QAAQ,OAAM,IAAK;AAC3B,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,cAAM,YAAY,QAAQ,aAAa;AAIvC,cAAM,sBAAsB,QAAA,mBAAmB,SAAS,KAAK,CAAA;AAI7D,cAAM,uBAAuB,KAAK,wBAAwB,MAAM;AAIhE,YAAI,qBAAqB,WAAW,GAAG;AACrC,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAIA,cAAM,sBAAsB,qBAAqB,OAC/C,CAAC,QAAQ,CAAC,oBAAoB,SAAS,GAAG,CAAC;AAG7C,YAAI,oBAAoB,SAAS,GAAG;AAElC,eAAK,OAAO,KACV,yBAAyB,MAAM,aAAa,oBAAoB,KAAK,IAAI,CAAC,UAAU,oBAAoB,KAAK,IAAI,CAAC,GAAG;AAEvH,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,yBAAyB,oBAAoB,KAAK,IAAI,CAAC;;QAEnE;AAGA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAcQ,wBAAwB,QAAc;AAE5C,YAAI,QAAA,oBAAoB,MAAM,GAAG;AAC/B,iBAAO,QAAA,oBAAoB,MAAM;QACnC;AAGA,mBAAW,CAAC,SAAS,IAAI,KAAK,OAAO,QAAQ,QAAA,mBAAmB,GAAG;AACjE,cAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,kBAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,gBAAI,OAAO,WAAW,MAAM,GAAG;AAC7B,qBAAO;YACT;UACF;QACF;AAGA,eAAO,CAAC,SAAS;MACnB;;AArHW,YAAA,8BAAA;0CAAA,8BAA2B,gCAAA,WAAA;OAFvC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,2BAA2B;;;;;;;;;;;;;;;;AC7ExC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,QAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AA6EO,QAAM,kBAAN,MAAM,gBAAe;MAArB,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,UAAU;MAsElC;MA5DE,SAAS,OAAkB;AACzB,eAAO,MAAM,WAAW;MAC1B;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,aAAa,MAAM;AACzB,cAAM,YAAY,MAAM;AAGxB,YAAI,CAAC,cAAc,CAAC,WAAW;AAC7B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,cAAMC,oBAAmB;AAGzB,cAAM,WAAW,WAAW,IAAIA,iBAAgB;AAEhD,YAAI,CAAC,YAAY,SAAS,WAAW,IAAI;AACvC,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,cAAM,UAAS,GAAA,SAAA,YAAW,QAAQ,EAAE,OAAO,SAAS,EAAE,OAAM;AAI5D,YAAI,CAAC,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC,GAAG;AACtD,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAjFW,YAAA,kBAAA;8BAAA,kBAAe,WAAA;OAF3B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,eAAe;;;;;;;;;;;;;;;;;ACjF5B,QAAA,WAAA,UAAA,gBAAA;AACA,QAAAC,UAAA,UAAA,QAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAEA,QAAA,cAAA;AAgGO,QAAM,gBAAa,kBAAnB,MAAM,cAAa;MAAnB,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,gBAAc,IAAI;AAUtC,aAAA,wBAAwB;AAGhC,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,SAAS;MA+LjC;MAjLU,iBAAiB,MAAgB;AACvC,YAAI,KAAK,WAAW;AAAG,iBAAO;AAG9B,cAAM,OAAO,oBAAI,IAAG;AACpB,mBAAW,QAAQ,MAAM;AACvB,eAAK,IAAI,OAAO,KAAK,IAAI,IAAI,KAAK,KAAK,CAAC;QAC1C;AAGA,YAAI,UAAU;AACd,cAAM,MAAM,KAAK;AACjB,mBAAW,SAAS,KAAK,OAAM,GAAI;AACjC,gBAAM,IAAI,QAAQ;AAClB,qBAAW,IAAI,KAAK,KAAK,CAAC;QAC5B;AAEA,eAAO;MACT;MAYQ,qBAAqB,MAAgB;AAC3C,YAAI,KAAK,SAAS;AAAG,iBAAO;AAE5B,YAAI,YAAY;AAChB,YAAI,aAAa;AAEjB,iBAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,cAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI;AAAG;AACjC,cAAI,KAAK,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI;AAAG;QACnC;AAGA,eAAO,YAAY,KAAK,SAAS,KAAK,aAAa,KAAK,SAAS;MACnE;MAYQ,mBAAmB,MAAgB;AACzC,YAAI,KAAK,SAAS;AAAG,iBAAO;AAG5B,mBAAW,cAAc,CAAC,GAAG,GAAG,CAAC,GAAG;AAClC,cAAI,KAAK,SAAS,eAAe;AAAG;AAEpC,cAAI,UAAU;AACd,mBAAS,IAAI,YAAY,IAAI,KAAK,QAAQ,KAAK;AAC7C,gBAAI,KAAK,CAAC,MAAM,KAAK,IAAI,UAAU;AAAG;UACxC;AAGA,cAAI,WAAW,KAAK,SAAS,cAAc,KAAK;AAC9C,mBAAO;UACT;QACF;AAEA,eAAO;MACT;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,UAAU,MAAM;AAGtB,YAAI,CAAC,SAAS;AACZ,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,MAAM,QAAQ,IAAI,YAAA,OAAO;AAC/B,cAAM,QAAQ,QAAQ,IAAI,YAAA,SAAS;AAEnC,cAAM,SAAmB,CAAA;AACzB,YAAI,aAAa;AAGjB,YAAI,OAAO,IAAI,SAAS,GAAG;AACzB,gBAAM,aAAa,KAAK,iBAAiB,GAAG;AAG5C,cAAI,aAAa,KAAK,uBAAuB;AAC3C,mBAAO,KAAK,mBAAmB,WAAW,QAAQ,CAAC,CAAC,EAAE;AACtD,0BAAc;UAChB;AAGA,cAAI,KAAK,qBAAqB,GAAG,GAAG;AAClC,mBAAO,KAAK,gBAAgB;AAC5B,0BAAc;UAChB;AAGA,cAAI,KAAK,mBAAmB,GAAG,GAAG;AAChC,mBAAO,KAAK,cAAc;AAC1B,0BAAc;UAChB;QACF;AAGA,YAAI,SAAS,MAAM,SAAS,GAAG;AAC7B,gBAAM,eAAe,KAAK,iBAAiB,KAAK;AAGhD,cAAI,eAAe,KAAK,uBAAuB;AAC7C,mBAAO,KAAK,qBAAqB,aAAa,QAAQ,CAAC,CAAC,EAAE;AAC1D,0BAAc;UAChB;AAGA,cAAI,KAAK,qBAAqB,KAAK,GAAG;AACpC,mBAAO,KAAK,kBAAkB;AAC9B,0BAAc;UAChB;AAGA,cAAI,KAAK,mBAAmB,KAAK,GAAG;AAClC,mBAAO,KAAK,gBAAgB;AAC5B,0BAAc;UAChB;QACF;AAGA,YAAI,OAAO,SAAS,GAAG;AACrB,eAAK,OAAO,KAAK,uBAAuB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC,EAAE;AACxE,iBAAO;YACL,QAAQ;YACR,YAAY;YACZ,SAAS;;QAEb;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAYA,OAAO,qBAAqB,QAAc;AACxC,eAAO,IAAI,WAAWA,QAAO,YAAY,MAAM,CAAC;MAClD;;AArNW,YAAA,gBAAA;4BAAA,gBAAa,kBAAA,WAAA;OAFzB,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,aAAa;;;;;;;;;;;;;;;;;ACtG1B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAMA,QAAA,aAAA;AAkFO,QAAM,yBAAsB,2BAA5B,MAAM,uBAAsB;MAA5B,cAAA;AACY,aAAA,SAAS,IAAI,SAAA,OAAO,yBAAuB,IAAI;AAGvD,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,WAAW;MA8EnC;MAtEE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAcA,MAAM,IAAI,OAAkB;AAC1B,cAAM,EAAE,QAAQ,QAAO,IAAK;AAC5B,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,WAAU,GAAA,WAAA,gBAAe,MAAM;AAGrC,cAAM,WAAW,KAAK,IAAG,IAAK;AAG9B,YAAI,SAAS;AACV,kBAAgB,WAAW;AAC3B,kBAAgB,YAAY;QAC/B;AAEA,aAAK,OAAO,MACV,OAAO,OAAO,kBAAkB,MAAM,eAAe,IAAI,KAAK,QAAQ,EAAE,YAAW,CAAE,GAAG;AAK1F,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAWA,OAAO,UAAU,KAA0B;AACzC,YAAI,CAAC,IAAI;AAAU,iBAAO;AAC1B,eAAO,KAAK,IAAG,IAAK,IAAI;MAC1B;MAWA,OAAO,eAAe,KAA0B;AAC9C,YAAI,CAAC,IAAI;AAAU,iBAAO;AAC1B,eAAO,KAAK,IAAI,GAAG,IAAI,WAAW,KAAK,IAAG,CAAE;MAC9C;;AA1FW,YAAA,yBAAA;qCAAA,yBAAsB,2BAAA,WAAA;OAFlC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,sBAAsB;;;;;;;;;;;;;;;;;;;;AC3FnC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAiFO,QAAM,oBAAN,MAAM,kBAAiB;MAa5B,YAA6B,QAAqB;AAArB,aAAA,SAAA;AAXpB,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,OAAO;MAEwB;MAWrD,SAAS,OAAkB;AACzB,eAAO,OAAO,MAAM,kBAAkB;MACxC;MAgBA,MAAM,IAAI,OAAkB;AAC1B,cAAM,WACJ,KAAK,OAAO,IAAY,qBAAqB,KAAK,KAAK,OAAO;AAChE,cAAM,gBAAgB,MAAM;AAE5B,YAAI,OAAO,kBAAkB,UAAU;AACrC,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,YAAI,gBAAgB,UAAU;AAC5B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,cAAc,aAAa,kBAAkB,QAAQ;;QAEjE;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA5DW,YAAA,oBAAA;gCAAA,oBAAiB,WAAA;OAF7B,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAC9B,GAAA,SAAA,YAAU;2DAc4B,SAAA,kBAAa,eAAb,SAAA,mBAAa,aAAA,KAAA,MAAA,CAAA;OAbvC,iBAAiB;;;;;;;;;;;;;;;;ACrF9B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,cAAA;AACA,QAAA,iBAAA;AAKO,QAAM,0BAAN,MAAM,wBAAuB;MAA7B,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,OAAO;MA+C/B;MA7CE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;MAC9C;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,OAAO,MAAM;AACnB,cAAM,aAAa,MAAM,iBAAiB;AAG1C,YAAI,KAAK,SAAS,KAAK,CAAC,KAAK,YAAY,KAAK,MAAM,GAAG,CAAC,GAAG,YAAA,UAAU,GAAG;AACtE,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,YAAI,KAAK,CAAC,MAAM,YAAA,cAAc;AAC5B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,wBAAwB,KAAK,CAAC,CAAC;;QAE3C;AAGA,YAAI,aAAa,YAAA,eAAe;AAC9B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,cAAc,UAAU,gBAAgB,YAAA,aAAa;;QAEjE;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAEQ,YAAY,GAAe,GAAa;AAC9C,YAAI,EAAE,WAAW,EAAE;AAAQ,iBAAO;AAClC,iBAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,cAAI,EAAE,CAAC,MAAM,EAAE,CAAC;AAAG,mBAAO;QAC5B;AACA,eAAO;MACT;;AAhDW,YAAA,0BAAA;sCAAA,0BAAuB,WAAA;OAFnC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAClB,uBAAuB;;;;;;;;;;;;;;;;ACTpC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,cAAA;AACA,QAAA,iBAAA;AAKO,QAAM,uBAAN,MAAM,qBAAoB;MAA1B,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,UAAU;AACf,aAAA,WAAW;MA4B9B;MA1BE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,cAAc,CAAC,CAAC,MAAM;MACvC;MAEA,MAAM,IAAI,OAAkB;AAC1B,YAAI,MAAM,cAAc,MAAM,WAAW,OAAO,KAAK,UAAU;AAC7D,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,gBAAgB,MAAM,WAAW,IAAI,iBAAiB,KAAK,QAAQ;;QAE/E;AAEA,YAAI,MAAM,UAAU,MAAM,OAAO,aAAa;AAC5C,gBAAM,SAAS,MAAM,OAAO,YAAY;AACxC,cAAI,SAAS,YAAA,aAAa;AACxB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,eAAe,MAAM,gBAAgB,YAAA,WAAW;;UAE5D;QACF;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA9BW,YAAA,uBAAA;mCAAA,uBAAoB,WAAA;OAFhC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAM;OACM,oBAAoB;;;;;;;;;;;;;;;;ACTjC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAIA,QAAM,0BAA0B;MAC9B;MACA;MACA;MACA;MACA;;AAKK,QAAM,wBAAN,MAAM,sBAAqB;MAA3B,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MA4BnC;MA1BE,SAAS,OAAkB;AAEzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,UAAU,MAAM,UAAU,WAAW;AAC3C,cAAM,SAAS,MAAM,UAAU;AAG/B,YAAI,YAAY,UAAU;AACxB,gBAAM,YAAY,wBAAwB,KAAK,CAAC,WAC9C,OAAO,WAAW,MAAM,CAAC;AAE3B,cAAI,CAAC,WAAW;AACd,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,WAAW,MAAM;;UAE7B;QACF;AAGA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA7BW,YAAA,wBAAA;oCAAA,wBAAqB,WAAA;OAFjC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAM;OACM,qBAAqB;;;;;;;;;;;;;;;;;;;;ACjBlC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AAMA,QAAA,kBAAA;AACA,QAAA,iBAAA;AAaO,QAAM,uBAAN,MAAM,qBAAoB;MAI/B,YAA6B,QAAoB;AAApB,aAAA,SAAA;AAHpB,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAEmB;MAEpD,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,SAAS,MAAM;AAErB,YAAI,KAAK,OAAO,IAAI,MAAM,GAAG;AAC3B,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,eAAO;UACL,QAAQ;UACR,MAAM;UACN,QAAQ,WAAW,MAAM;;MAE7B;;AAtBW,YAAA,uBAAA;mCAAA,uBAAoB,WAAA;OAFhC,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAO,EAAE,OAAO,cAAa,CAAE;2DAKO,gBAAA,iBAAY,eAAZ,gBAAA,kBAAY,aAAA,KAAA,MAAA,CAAA;OAJtC,oBAAoB;;;;;;;;;;;;;;;;;;;;ACtBjC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAMA,QAAA,QAAA;AAKO,QAAM,sBAAmB,wBAAzB,MAAM,oBAAmB;MAM9B,YACmB,UAAsC,CAAA,GAAE;AAAxC,aAAA,UAAA;AANF,aAAA,SAAS,IAAI,SAAA,OAAO,sBAAoB,IAAI;AAEpD,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,SAAS;MAI5B;MAEH,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,KAAK,QAAQ,aAAa,CAAC,CAAC,MAAM;MAC7C;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,YAAY,KAAK,QAAQ;AAC/B,YAAI,CAAC,WAAW;AACd,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAEA,cAAM,WAAU,GAAA,MAAA,+BAA8B,KAAK;AAEnD,YAAI;AACJ,YAAI;AACF,mBAAS,MAAM,UAAU,OAAO;QAClC,SAAS,OAAO;AACd,gBAAM,UACJ,iBAAiB,QAAQ,MAAM,UAAU;AAC3C,eAAK,OAAO,MAAM,6BAA6B,MAAM,MAAM,KAAK,OAAO,EAAE;AACzE,gBAAM,WAAW;YACf,GAAI,MAAM,YAAY,CAAA;YACtB,eAAe;cACb,UAAU;cACV,QAAQ;cACR,aAAa;;;AAGjB,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,aAAa,OAAM;;QAE/B;AAEA,cAAM,WAAW;UACf,GAAI,MAAM,YAAY,CAAA;UACtB,eAAe;YACb,GAAG;YACH,SAAS,mBAAmB,OAAO;;;AAIvC,YAAI,OAAO,aAAa,SAAS;AAC/B,iBAAO;YACL,OAAO;YACP,WAAW;YACX,SAAS,OAAO,SAAS,CAAC,OAAO,MAAM,IAAI,CAAA;YAC3C,MAAM;cACJ,aAAa;cACb,GAAI,OAAO,aAAa,EAAE,uBAAuB,OAAO,WAAW,OAAM,IAAK,CAAA;;YAEhF,MAAM;;QAEV;AAEA,YAAI,OAAO,aAAa,eAAe;AACrC,gBAAM,OAAO,KAAK,QAAQ,uBAAuB;AACjD,gBAAM,UAAU,CAAC,OAAO,QAAQ,OAAO,WAAW,EAAE,OAAO,OAAO;AAElE,cAAI,SAAS,SAAS;AACpB,mBAAO;cACL,OAAO;cACP,WAAW;cACX;cACA,MAAM;gBACJ,aAAa;;cAEf,MAAM;;UAEV;AAEA,cAAI,SAAS,QAAQ;AACnB,mBAAO;cACL,QAAQ;cACR,YAAY;cACZ,SACE,QAAQ,SAAS,IACb,UACA,CAAC,sEAAsE;cAC7E,MAAM;;UAEV;AAEA,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QACE,QAAQ,KAAK,KAAK,KAClB;YACF,MAAM,EAAE,aAAa,eAAe,YAAY,OAAM;;QAE1D;AAEA,eAAO;UACL,QAAQ;UACR,MAAM;UACN,QACE,CAAC,OAAO,QAAQ,OAAO,WAAW,EAAE,OAAO,OAAO,EAAE,KAAK,KAAK,KAC9D;UACF,MAAM,EAAE,aAAa,QAAQ,YAAY,OAAM;;MAEnD;;AAhHW,YAAA,sBAAA;kCAAA,sBAAmB,wBAAA,WAAA;OAF/B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;;OACE,mBAAmB;AAmHhC,aAAS,mBACP,SAAiC;AAEjC,aAAO;QACL,SAAS,QAAQ;QACjB,QAAQ,QAAQ;QAChB,UAAU,QAAQ;QAClB,KAAK,QAAQ;QACb,SAAS,QAAQ;QACjB,IAAI,QAAQ;QACZ,MAAM,QAAQ;QACd,UAAU,QAAQ;QAClB,UAAU,QAAQ;QAClB,WAAW,QAAQ;QACnB,WAAW,QAAQ;;IAEvB;;;;;;;;;;;;;;;;ACjJA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,iBAAA;AAIA,QAAA,eAAA;AAKO,QAAM,sBAAN,MAAM,oBAAmB;MAAzB,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAsDnC;MApDE,SAAS,OAAyB;AAChC,eAAO,CAAC,CAAC,MAAM,WAAW,CAAC,CAAC,MAAM;MACpC;MAEA,MAAM,IAAI,OAAyB;AAEjC,cAAM,iBAAiB,eAAA,oBAAoB,UAAU,KAAK;AAC1D,YAAI,CAAC,eAAe,SAAS;AAC3B,gBAAM,IAAI,aAAA,UACR,wBACA,4BAA4B,eAAe,MAAM,OAAO,IACxD,GAAG;QAEP;AAEA,cAAM,EACJ,YACA,eACA,YACA,sBACA,SACA,OAAM,IACJ,eAAe;AAGnB,YAAI,eAAe,UAAU;AAC3B,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,YAAI,cAAc,SAAS,MAAM,GAAG;AAClC,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,kBAAkB,cAAc,SAAS,SAAS,KAAK;AAC7D,cAAM,mBACJ,cAAc,SAAS,UAAU,KAAK;AACxC,cAAM,eAAe,cAAc,SAAS,MAAM,KAAK,YAAY;AAEnE,cAAM,YAAY,mBAAmB,oBAAoB;AAEzD,YAAI,CAAC,WAAW;AACd,gBAAM,IAAI,aAAA,UACR,yBACA,sCAAsC,MAAM,IAC5C,GAAG;QAEP;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAvDW,YAAA,sBAAA;kCAAA,sBAAmB,WAAA;OAF/B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,mBAAmB;;;;;;;;;;;;;;;;;;;;;ACbhC,QAAA,WAAA,UAAA,gBAAA;AACA,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,iBAAA;AAEA,QAAA,cAAA;AAQA,QAAA,WAAA;AAcA,QAAM,cAAc;MAClB;MACA,YAAA;MACA,YAAA;MACA,YAAA;MACA,YAAA,gBAAgB,YAAA;MAChB,YAAA,gBAAgB,YAAA;MAChB,YAAA,iBAAiB,YAAA;MACjB,YAAA,gBAAgB,YAAA,iBAAiB,YAAA;;AAgF5B,QAAM,uBAAoB,yBAA1B,MAAM,qBAAoB;MAmB/B,YAA6B,QAAqB;AAArB,aAAA,SAAA;AAlBZ,aAAA,SAAS,IAAI,SAAA,OAAO,uBAAqB,IAAI;AAGrD,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,OAAO;AAErB,aAAA,gBAA4B,YAAA;AAC5B,aAAA,kBAAkB,YAAA;MAE2B;MAK9C,OAAO,cACZ,OACA,UAAoB;AAEpB,YAAI,MAAM,SAAS,SAAS;AAAQ,iBAAO,EAAE,OAAO,KAAI;AACxD,cAAM,SAAS,MAAM,SAAS,GAAG,SAAS,MAAM;AAChD,cAAM,QAAQ,OAAO,KAAK,MAAM,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC;AAC9D,eAAO;UACL;UACA,QAAQ,QAAQ,SAAY,IAAI,YAAW,EAAG,OAAO,MAAM;;MAE/D;MAEO,OAAO,gBAAgB,SAAiB,UAAgB;AAC7D,eAAO,YAAY;MACrB;MAKA,eAAY;AACV,cAAM,WAAW,KAAK,OAAO,IAAY,qBAAqB;AAC9D,aAAK,gBAAgB,WAAW,OAAO,KAAK,UAAU,OAAO,IAAI,YAAA;AACjE,aAAK,kBACH,KAAK,OAAO,IAAY,uBAAuB,KAAK,YAAA;MACxD;MAKA,MAAM,IAAI,OAAkB;AAC1B,cAAM,iBAAiB,eAAA,qBAAqB,UAAU,KAAK;AAC3D,YAAI,CAAC,eAAe,SAAS;AAC3B,eAAK,OAAO,MACV,kBAAkB,eAAe,MAAM,OAAO,IAC9C,eAAe,MAAM,MAAM;AAE7B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAEA,cAAM,EAAE,aAAa,KAAI,IAAK,eAAe;AAC7C,cAAM,SAAmB,CAAA;AAGzB,YAAI,KAAK,UAAU,GAAG;AACpB,gBAAM,MAAM,OAAO,KAAK,KAAK,SAAS,GAAG,EAAE,CAAC,EAAE,SAAS,KAAK;AAC5D,eAAK,OAAO,MAAM,2BAA2B,GAAG,SAAS,MAAM,EAAE,GAAG;QACtE;AAGA,YAAI,gBAAgB,QAAW;AAC7B,cAAI,CAAC,KAAK,mBAAmB,WAAW,GAAG;AACzC,mBAAO,KAAK,wBAAwB,WAAW,EAAE;UACnD;QACF;AAGA,YAAI,KAAK,SAAS,GAAG;AACnB,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ;;QAEZ;AAGA,cAAM,aAAa,uBAAqB,cACtC,MACA,KAAK,aAAa;AAEpB,YAAI,CAAC,WAAW,OAAO;AACrB,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,YAAY,IAAI,YAAW,EAAG,OAAO,KAAK,aAAa,CAAC,eAAe,WAAW,MAAM;;QAEpG;AAGA,cAAM,UAAU,KAAK,CAAC;AACtB,YAAI,CAAC,uBAAqB,gBAAgB,SAAS,KAAK,eAAe,GAAG;AACxE,iBAAO,KAAK,uBAAuB,OAAO,EAAE;QAC9C;AAGA,cAAM,QAAQ,KAAK,CAAC;AACpB,YAAI,CAAC,KAAK,aAAa,KAAK,GAAG;AAC7B,iBAAO,KAAK,mBAAmB,MAAM,SAAS,EAAE,CAAC,EAAE;QACrD;AAGA,YAAI,KAAK,UAAU,IAAI;AACrB,gBAAM,cAAc,KAAK,oBAAoB,KAAK,SAAS,CAAC,CAAC;AAC7D,cAAI,CAAC,YAAY,OAAO;AACtB,mBAAO,KAAK,sBAAsB,YAAY,MAAM,EAAE;UACxD;QACF;AAGA,YAAI,KAAK,UAAU,IAAI;AACrB,gBAAM,WAAW,KAAK,iBAAiB,IAAI;AAC3C,cAAI,CAAC,SAAS,OAAO;AACnB,mBAAO,KAAK,qBAAqB,SAAS,MAAM,EAAE;UACpD;AAGA,gBAAM,mBAAmB,MAAM,KAAK,sBAAsB,IAAI;AAC9D,cAAI,CAAC,kBAAkB;AAErB,mBAAO,KAAK,wBAAwB;UACtC;QACF;AAGA,YAAI,OAAO,SAAS,GAAG;AAErB,gBAAM,WAAW,OAAO,KACtB,CAAC,MACC,EAAE,WAAW,eAAe,KAAK,EAAE,WAAW,qBAAqB,CAAC;AAGxE,cAAI,UAAU;AACZ,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,OAAO,KAAK,IAAI;;UAE5B;AAEA,eAAK,OAAO,KACV,wBAAwB,MAAM,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC,EAAE;AAE1D,iBAAO;YACL,QAAQ;YACR,YAAY,CAAC,OAAO,SAAS;YAC7B,SAAS;;QAEb;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAKQ,aAAa,GAAe,GAAa;AAC/C,YAAI,EAAE,WAAW,EAAE;AAAQ,iBAAO;AAClC,iBAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,cAAI,EAAE,CAAC,MAAM,EAAE,CAAC;AAAG,mBAAO;QAC5B;AACA,eAAO;MACT;MAKQ,mBAAmB,aAAmB;AAC5C,eAAO,YAAA,eAAe,kBAAkB,WAAW;MACrD;MAKQ,aAAa,OAAa;AAChC,eAAO,YAAY,SAAS,KAAK;MACnC;MAKQ,oBAAoB,MAAgB;AAI1C,YAAI;AACF,gBAAM,EAAE,OAAO,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,CAAC;AAIzD,cAAI,QAAQ,OAAO,YAAY,GAAG;AAChC,mBAAO,EAAE,OAAO,OAAO,QAAQ,0BAAyB;UAC1D;AACA,cAAI,QAAQ,SAAS,YAAY,GAAG;AAClC,mBAAO,EAAE,OAAO,OAAO,QAAQ,2BAA0B;UAC3D;AAEA,iBAAO,EAAE,OAAO,KAAI;QACtB,QAAQ;AACN,iBAAO,EAAE,OAAO,OAAO,QAAQ,sBAAqB;QACtD;MACF;MAKQ,iBAAiB,MAAgB;AAOvC,YAAI;AAEF,cAAI,SAAS;AAGb,gBAAM,EAAE,OAAO,QAAQ,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACrE,oBAAU;AAGV,gBAAM,EAAE,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACvD,oBAAU;AAGV,gBAAM,EAAE,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACtD,oBAAU;AAGV,gBAAM,WAAW;AACjB,gBAAM,SAAS,WAAW,OAAO,MAAM;AAEvC,cAAI,SAAS,KAAK,QAAQ;AACxB,mBAAO,EAAE,OAAO,KAAI;UACtB;AAGA,cAAI,WAAW;AACf,cAAI,MAAM;AAEV,iBAAO,MAAM,UAAU,MAAM,KAAK,SAAS,GAAG;AAC5C,kBAAM,EAAE,OAAO,MAAM,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AACjE,mBAAO;AAEP,gBAAI,OAAO;AAAQ;AAEnB,kBAAM,EAAE,OAAO,KAAK,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AAC/D,mBAAO;AAGP,gBAAI,OAAO,IAAI,KAAK,UAAU;AAC5B,qBAAO;gBACL,OAAO;gBACP,QAAQ,QAAQ,IAAI,UAAU,QAAQ;;YAE1C;AAEA,uBAAW,OAAO,IAAI;AACtB,mBAAO,OAAO,GAAG;UACnB;AAEA,iBAAO,EAAE,OAAO,KAAI;QACtB,QAAQ;AACN,iBAAO,EAAE,OAAO,KAAI;QACtB;MACF;MAKQ,MAAM,sBAAsB,MAAgB;AAClD,YAAI;AACF,cAAI,SAAS;AACb,gBAAM,EAAE,OAAO,QAAQ,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACrE,oBAAU;AACV,gBAAM,EAAE,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACvD,oBAAU;AACV,gBAAM,EAAE,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,MAAM;AACtD,oBAAU;AAEV,gBAAM,SAAS,SAAS,OAAO,MAAM;AAErC,cAAI,MAAM;AACV,iBAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,kBAAM,EAAE,OAAO,MAAM,QAAQ,UAAS,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AACjE,mBAAO;AACP,kBAAM,EAAE,QAAQ,SAAQ,KAAK,GAAA,SAAA,cAAa,MAAM,GAAG;AACnD,mBAAO;AAEP,kBAAM,EAAE,OAAO,QAAQ,QAAQ,YAAW,KAAK,GAAA,SAAA,cAC7C,MACA,MAAM,QAAQ;UAWlB;AAKA,gBAAM;AACN,iBAAO,MAAM,UAAU,MAAM,KAAK,QAAQ;AACxC,kBAAM,KAAI,GAAA,SAAA,cAAa,MAAM,GAAG;AAChC,mBAAO,EAAE;AACT,kBAAM,KAAI,GAAA,SAAA,cAAa,MAAM,GAAG;AAChC,mBAAO,EAAE;AAET,gBAAI,EAAE,UAAU;AAAK,qBAAO;AAE5B,mBAAO,OAAO,EAAE,KAAK;UACvB;AAEA,iBAAO;QACT,QAAQ;AACN,iBAAO;QACT;MACF;;AArVW,YAAA,uBAAA;mCAAA,uBAAoB,yBAAA,WAAA;OAFhC,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAC9B,GAAA,SAAA,YAAU;2DAoB4B,SAAA,kBAAa,eAAb,SAAA,mBAAa,aAAA,KAAA,MAAA,CAAA;OAnBvC,oBAAoB;;;;;;;;;;;;;;;;ACrHjC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAKO,QAAM,sBAAN,MAAM,oBAAmB;MAAzB,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAUnC;MARE,WAAQ;AACN,eAAO;MACT;MAEA,MAAM,MAAG;AAEP,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAXW,YAAA,sBAAA;kCAAA,sBAAmB,WAAA;OAF/B,GAAA,SAAA,YAAU;OACV,GAAA,mBAAA,QAAM;OACM,mBAAmB;;;;;;;;;;;;;;;;ACRhC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AACA,QAAA,iBAAA;AAEA,QAAA,eAAA;AAUA,aAAS,UAAU,GAAa;AAC9B,UAAI,EAAE,WAAW;AACf,cAAM,IAAI,aAAA,UAAU,wBAAwB,uBAAuB,GAAG;AACxE,UAAI,IAAI;AACR,iBAAW,MAAM;AAAG,YAAK,KAAK,KAAM,OAAO,EAAE;AAC7C,aAAO;IACT;AAsFO,QAAM,yBAAN,MAAM,uBAAsB;MAA5B,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,UAAU;MAqMlC;MA3LE,SAAS,OAAU;AAEjB,eAAO,CAAC,CAAC,MAAM,UAAU;MAC3B;MAeA,MAAM,IACJ,OAAU;AAIV,cAAM,SAAS,MAAM,UAAU;AAC/B,cAAM,aAAa,MAAM;AACzB,cAAM,WAAW,MAAM;AAGvB,YAAI,CAAC,QAAQ;AACX,iBAAO,EAAE,QAAQ,QAAO;QAC1B;AAGA,cAAM,kBAAkB,eAAA,cAAc,UAAU,MAAM;AACtD,YAAI,CAAC,gBAAgB,SAAS;AAC5B,iBAAO;YACL,QAAQ;YACR,MAAM;YACN,QAAQ,6BAA6B,gBAAgB,MAAM,OAAO;;QAEtE;AAGA,YAAI;AACF,qBAAW,SAAS,OAAO,QAAQ;AAEjC,kBAAM,QAAQ,MAAM,SAAS;AAC7B,kBAAMC,OAAM,UAAU,WAAW,aAAa;AAG9C,kBAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAG9B,gBAAI,MAAM,YAAY,CAAC,KAAK;AAC1B,oBAAM,IAAI,aAAA,UACR,wBACA,2BAA2B,MAAM,IAAI,SAAS,MAAM,GAAG,KACvD,GAAG;YAEP;AAGA,gBAAI,CAAC;AAAK;AAGV,gBAAI,OAAO,MAAM,WAAW,YAAY,IAAI,SAAS,MAAM,QAAQ;AACjE,oBAAM,IAAI,aAAA,UACR,yBACA,SAAS,MAAM,IAAI,eAAe,IAAI,MAAM,MAAM,MAAM,MAAM,KAC9D,GAAG;YAEP;AAGA,oBAAQ,MAAM,MAAM;cAClB,KAAK;AAEH,oBAAI;AACF,sBAAI,YAAY,SAAS,EAAE,OAAO,KAAI,CAAE,EAAE,OAAO,GAAG;gBACtD,QAAQ;AACN,wBAAM,IAAI,aAAA,UACR,wBACA,oBAAoB,MAAM,IAAI,IAC9B,GAAG;gBAEP;AACA;cAEF,KAAK;AAEH,oBAAI,IAAI,WAAW,KAAM,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,GAAI;AACtD,wBAAM,IAAI,aAAA,UACR,wBACA,iBAAiB,MAAM,IAAI,IAC3B,GAAG;gBAEP;AACA;cAEF,KAAK,OAAO;AAEV,sBAAM,IAAI,UAAU,GAAG;AAGvB,oBAAI,MAAM,KAAK;AACb,wBAAM,KAAK,OAAO,MAAM,GAAG;AAC3B,sBAAI,IAAI,IAAI;AACV,0BAAM,IAAI,aAAA,UACR,yBACA,OAAO,MAAM,IAAI,iBAAiB,CAAC,MAAM,EAAE,KAC3C,GAAG;kBAEP;gBACF;AACA;cACF;cAEA,KAAK;AAEH,oBAAI,IAAI,WAAW,IAAI;AACrB,wBAAM,IAAI,aAAA,UACR,wBACA,wBAAwB,MAAM,IAAI,IAClC,GAAG;gBAEP;AACA;cAEF,KAAK;AAEH;cAEF,KAAK;cACL,KAAK;AAGH;cAEF;AACE,sBAAM,IAAI,aAAA,UACR,wBACA,wBAAwB,MAAM,IAAI,IAClC,GAAG;YAET;UACF;AAGA,gBAAM,aAAa,MAAM,UAAU;AAGnC,cAAI,cAAc,WAAW,OAAO,GAAG;AACrC,uBAAW,SAAS,OAAO,QAAQ;AACjC,oBAAM,MAAM,WAAW,IAAI,MAAM,GAAG;AACpC,kBAAI,CAAC,OAAO,IAAI,WAAW;AAAG;AAE9B,oBAAM,QAAQ,MAAM,SAAS;AAC7B,oBAAMA,OAAM,UAAU,WAAW,aAAa;AAC9C,oBAAM,MAAMA,MAAK,IAAI,MAAM,GAAG;AAC9B,kBAAI,CAAC;AAAK;AAEV,yBAAW,MAAM,KAAK;AACpB,sBAAM,QAAQ,GAAG,KAAK,MAAM,IAAI;AAChC,oBAAI,OAAO;AACT,wBAAM,IAAI,aAAA,UACR,4BACA,GAAG,MAAM,IAAI,SAAS,MAAM,GAAG,MAAM,KAAK,IAC1C,GAAG;gBAEP;cACF;YACF;UACF;QACF,SAAS,KAAU;AAEjB,cAAI,eAAe,aAAA,WAAW;AAC5B,mBAAO;cACL,QAAQ;cACR,MAAM,IAAI;cACV,QAAQ,IAAI;;UAEhB;AACA,gBAAM;QACR;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAhNW,YAAA,yBAAA;qCAAA,yBAAsB,WAAA;OAFlC,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,sBAAsB;;;;;;;;;;;;;;;;AC5GnC,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAuFO,QAAM,oBAAN,MAAM,kBAAiB;MAAvB,cAAA;AAEI,aAAA,OAAO;AAUP,aAAA,QAAQ,eAAA,KAAK,WAAW;MAoDnC;MA3CE,WAAQ;AACN,eAAO;MACT;MAiBA,MAAM,MAAG;AAsBP,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AA/DW,YAAA,oBAAA;gCAAA,oBAAiB,WAAA;OAF7B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,iBAAiB;;;;;;;;;;;;;;;;AC1F9B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AAMA,QAAA,WAAA;AAwBO,QAAM,iBAAN,MAAM,eAAc;MAApB,cAAA;AACI,aAAA,OAAO;AACP,aAAA,QAAQ,eAAA,KAAK,UAAU;MA4HlC;MA1HE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM;MACjB;MAEA,MAAM,IAAI,OAAkB;AAC1B,cAAM,SAAS,MAAM;AACrB,YAAI,CAAC;AAAQ,iBAAO,EAAE,QAAQ,QAAO;AAGrC,cAAM,WACJ,OAAO,YAAY,OAAO;AAC5B,YAAI,YAAY,SAAS,SAAS,GAAG;AACnC,gBAAM,SAAS,KAAK,qBAAqB,UAAU,QAAQ;AAC3D,cAAI;AAAQ,mBAAO;QACrB;AAGA,cAAM,YACJ,OAAO,aAAa,MAAM;AAC5B,cAAM,YACJ,OAAO,UAAU,UAAa,OAAO,QAAQ,OAAU,IAAI;AAG7D,cAAM,cAAc,MAAM,UAAU,QAAQ;AAC5C,cAAM,WAAW,gBAAgB;AAEjC,YAAI,CAAC,YAAY,aAAa,aAAa,UAAU,SAAS,GAAG;AAC/D,gBAAM,SAAS,KAAK,qBAAqB,WAAW,MAAM;AAC1D,cAAI;AAAQ,mBAAO;QACrB;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;MAMQ,qBACN,KACA,SAAe;AAEf,YAAI,SAAS;AACb,YAAI,WAAW;AACf,YAAI,QAAQ;AACZ,cAAM,WAAW;AAEjB,eAAO,SAAS,IAAI,QAAQ;AAC1B,cAAI,SAAS,UAAU;AACrB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,oBAAoB,OAAO;;UAEvC;AAGA,cAAI;AACJ,cAAI;AACJ,cAAI;AACF,kBAAM,KAAI,GAAA,SAAA,cAAa,KAAK,MAAM;AAClC,mBAAO,EAAE;AACT,sBAAU,EAAE;UACd,QAAQ;AACN,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,4BAA4B,OAAO,cAAc,MAAM;;UAEnE;AACA,oBAAU;AAGV,cAAI,QAAQ,GAAG;AACb,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,eAAe,IAAI,OAAO,OAAO;;UAE7C;AAGA,cAAI,QAAQ,UAAU;AACpB,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,8BAA8B,OAAO,KAAK,IAAI,UAAU,QAAQ;;UAE5E;AACA,qBAAW;AAGX,cAAI;AACJ,cAAI;AACJ,cAAI;AACF,kBAAM,KAAI,GAAA,SAAA,cAAa,KAAK,MAAM;AAClC,kBAAM,EAAE;AACR,qBAAS,EAAE;UACb,QAAQ;AACN,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,8BAA8B,OAAO;;UAEjD;AACA,oBAAU;AAGV,cAAI,SAAS,MAAM,IAAI,QAAQ;AAC7B,mBAAO;cACL,QAAQ;cACR,MAAM;cACN,QAAQ,0BAA0B,OAAO;;UAE7C;AAEA,oBAAU;AACV;QACF;AAEA,eAAO;MACT;;AA7HW,YAAA,iBAAA;6BAAA,iBAAc,WAAA;OAF1B,GAAA,mBAAA,QAAM;OACN,GAAA,SAAA,YAAU;OACE,cAAc;;;;;;;;;;;;;;;;ACjC3B,QAAA,WAAA,UAAA,gBAAA;AAEA,QAAA,qBAAA;AACA,QAAA,iBAAA;AA6FO,QAAM,wBAAN,MAAM,sBAAqB;MAA3B,cAAA;AAEI,aAAA,OAAO;AASP,aAAA,QAAQ,eAAA,KAAK,OAAO;AAGZ,aAAA,mBAAmB;MAoDtC;MA1CE,SAAS,OAAkB;AACzB,eAAO,CAAC,CAAC,MAAM,QAAQ,MAAM,KAAK,UAAU;MAC9C;MAcA,MAAM,IAAI,OAAkB;AAE1B,cAAM,OAAO,MAAM;AACnB,cAAM,SAAS;AACf,cAAM,YAAY,KAAK,IAAI,SAAS,IAAI,KAAK,MAAM;AAGnD,YAAI,oBAAoB;AACxB,iBAAS,IAAI,QAAQ,IAAI,WAAW,KAAK;AACvC,eAAK,KAAK,CAAC,IAAI,SAAU,GAAG;AAC1B;AACA,gBAAI,oBAAoB,KAAK,kBAAkB;AAC7C,qBAAO;gBACL,QAAQ;gBACR,MAAM;gBACN,QAAQ,kBAAkB,KAAK,gBAAgB;;YAEnD;UACF,OAAO;AAEL,gCAAoB;UACtB;QACF;AAEA,eAAO,EAAE,QAAQ,QAAO;MAC1B;;AAjEW,YAAA,wBAAA;oCAAA,wBAAqB,WAAA;OAFjC,GAAA,mBAAA,QAAO,EAAE,OAAO,aAAY,CAAE;OAC9B,GAAA,SAAA,YAAU;OACE,qBAAqB;;;;;AChGlC;AAAA,IAAAC,gBAAA;AAAA;AAAA,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AACd,gCAAc;AAAA;AAAA;;;ACrBd;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA;AACA;AAAA;AAAA;;;ACFA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAAC;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAuEAC,mBAmBA,mBAQA,gBAEA,sBAUA,mBA8BAC,gBAgKA,mBAsBA,qBAQA,2BACA,4BACA,0BACA,yBACAC,kBACAC,gBAcA,0BA8MA,YAEA,kBAEA;AA/iBA;AAAA;AACA;AACA;AAIA;AAsBA;AACA;AAWA;AAIA;AAIA;AAeA;AAIA;AAIA,IAAAH,oBASO;AAUP,wBAGO;AAIP;AACA,qBAA0B;AAC1B;AACA,2BAOO;AAGP,wBAAkC;AAmBlC;AAWA,IAAAC,iBAAyC;AACzC;AAIA;AAKA;AAQA;AASA;AAYA;AAWA;AACA;AACA;AACA;AACA;AASA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAaA;AACA;AAGA;AACA;AAUA;AAwBA;AACA;AAGA;AAGA;AAGA;AAGA;AAGA;AAGA;AAMA;AAWA,wBAGO;AACP;AAaA;AAKA,0BAKO;AAEP;AACA,gCAAyC;AACzC,iCAA0C;AAC1C,+BAAwC;AACxC,8BAAuC;AACvC,IAAAC,mBAAiC;AACjC,IAAAC,iBAA+B;AAE/B;AAYA,+BAAuC;AAIvC;AACA;AAuBA;AAWA;AAUA;AAGA;AAQA;AAiDA;AAiBA;AAgBA;AAuBA;AAsBA;AAmBA,iBAA0B;AAE1B,uBAA+B;AAE/B,sBAA+B;AAI/B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAAC;AACA;AACA;AAAA;AAAA;","names":["Injectable","existing","SetMetadata","TlvField","TlvValidate","TlvUtf8Pattern","TlvMinLen","TlvEnum","TlvRange","extractDtoSchema","buildDtoDecoder","tlvMap","AxisIdDto","AxisResponseDto","ObserverRegistry","ObserverDispatcherService","bytes","bytesToHex","sha256","bytes","bytesToHex","randomBytes","bytes","bytesToHex","hkdf","sha256","hexToBytes","bytes","Decision","verification","witness","handlerDuration","path","SensorRegistry","IntentRouter","AxisChainExecutor","bytes","normalize","schema","AxisChainExecutor","path","map","crypto","sha256","sha256","createHash","sha256","randomBytes","AXIS_MAGIC","AXIS_VERSION","AXIS_MAGIC","AXIS_VERSION","MAGIC","init_tlv","AXIS_MAGIC","MAGIC","init_tlv","init_tlv","RiskDecision","createHash","IntentSensitivity","crypto","AxisFilesDownloadHandler","AxisFilesFinalizeHandler","ObserverDiscoveryService","HandlerDiscoveryService","SensorDiscoveryService","randomBytes","AxisSensorChainService","createHash","randomBytes","sha256","hashPayload","createHash","randomBytes","sign","sha256","bytes","randomBytes","createHash","randomBytes","createHash","randomBytes","randomBytes","TpsSensor","RiskGateSensor","TickAuthSensor","canonicalize","bytesToHex","canonicalize","base64UrlDecode","sha256","crypto","ProofType","z","BodyProfile","BodyProfileValidator","tlv","ProofType","TLV_SHA256_CHUNK","crypto","map","init_sensors","sha256","import_tlv_field","import_intent","import_observer","import_sensor","init_sensors"]}