@objectstack/platform-objects 15.0.0 → 15.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/apps/index.d.mts +2 -0
- package/dist/apps/index.d.ts +2 -0
- package/dist/apps/index.js +1316 -136
- package/dist/apps/index.js.map +1 -1
- package/dist/apps/index.mjs +1316 -136
- package/dist/apps/index.mjs.map +1 -1
- package/dist/audit/index.d.mts +933 -578
- package/dist/audit/index.d.ts +933 -578
- package/dist/audit/index.js +6 -19
- package/dist/audit/index.js.map +1 -1
- package/dist/audit/index.mjs +6 -19
- package/dist/audit/index.mjs.map +1 -1
- package/dist/identity/index.d.mts +15025 -2760
- package/dist/identity/index.d.ts +15025 -2760
- package/dist/identity/index.js +381 -27
- package/dist/identity/index.js.map +1 -1
- package/dist/identity/index.mjs +379 -28
- package/dist/identity/index.mjs.map +1 -1
- package/dist/index.d.mts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1804 -219
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +1802 -220
- package/dist/index.mjs.map +1 -1
- package/dist/metadata-translations/index.js +64 -0
- package/dist/metadata-translations/index.js.map +1 -1
- package/dist/metadata-translations/index.mjs +64 -0
- package/dist/metadata-translations/index.mjs.map +1 -1
- package/dist/plugin.js +1380 -136
- package/dist/plugin.js.map +1 -1
- package/dist/plugin.mjs +1380 -136
- package/dist/plugin.mjs.map +1 -1
- package/dist/system/index.d.mts +240 -24
- package/dist/system/index.d.ts +240 -24
- package/package.json +3 -3
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/identity/sys-user.object.ts","../../src/identity/sys-session.object.ts","../../src/identity/sys-account.object.ts","../../src/identity/sys-verification.object.ts","../../src/identity/sys-organization.object.ts","../../src/identity/sys-member.object.ts","../../src/identity/sys-invitation.object.ts","../../src/identity/sys-team.object.ts","../../src/identity/sys-team-member.object.ts","../../src/identity/sys-business-unit.object.ts","../../src/identity/sys-business-unit-member.object.ts","../../src/identity/sys-api-key.object.ts","../../src/identity/sys-two-factor.object.ts","../../src/identity/sys-device-code.object.ts","../../src/identity/sys-user-preference.object.ts","../../src/identity/sys-oauth-application.object.ts","../../src/identity/sys-oauth-access-token.object.ts","../../src/identity/sys-oauth-refresh-token.object.ts","../../src/identity/sys-oauth-consent.object.ts","../../src/identity/sys-jwks.object.ts","../../src/identity/sys-sso-provider.object.ts","../../src/identity/sys-scim-provider.object.ts"],"names":["ObjectSchema","Field"],"mappings":";;;AAeO,IAAM,OAAA,GAAU,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASX,WAAA,EAAa,EAAE,IAAA,EAAM,IAAA,EAAK;AAAA;AAAA,EAE1B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,kCAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,OAAA,EAAS,gBAAgB,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQnD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQR,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,IAAA,EAAK;AAAA,QACjC,EAAE,KAAA,EAAO,MAAA,EAAQ,cAAA,EAAgB,YAAA,EAAc,UAAU,IAAA;AAAK;AAChE,KACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA;AAAA,MACE,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,KAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,aAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,8EAAA;AAAA,MACb,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,cAAc,IAAA,EAAM,MAAA,EAAQ,UAAU,KAAA;AAAM;AAC1E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,gBAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,+BAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,eAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA,MAIE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,OAAA,EAAS,wBAAA;AAAA,MACT,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA;AAAA;AAAA,QAGN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,KAAA,EAAM;AAAA,QAClC;AAAA,UACE,IAAA,EAAM,aAAA;AAAA,UACN,KAAA,EAAO,cAAA;AAAA,UACP,IAAA,EAAM,MAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,QAAA,EAAU,qFAAA;AAAA;AAAA;AAAA;AAAA;AAAA,UAKV,OAAA,EAAS;AAAA,SACX;AAAA,QACA,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAM;AAAA,QACjC;AAAA,UACE,IAAA,EAAM,kBAAA;AAAA,UACN,KAAA,EAAO,6BAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA,SAChB;AAAA,QACA,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,sCAAsC,IAAA,EAAM,MAAA,EAAQ,UAAU,KAAA,EAAM;AAAA,QAC/F;AAAA,UACE,IAAA,EAAM,oBAAA;AAAA,UACN,KAAA,EAAO,wCAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA;AAChB,OACF;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,cAAA;AAAA,QACP,WAAA,EACE,gFAAA;AAAA,QACF,WAAA,EAAa,4BAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,QAAQ,MAAA,EAAO;AAAA,UACrD,EAAE,IAAA,EAAM,mBAAA,EAAqB,KAAA,EAAO,oBAAA,EAAsB,QAAQ,QAAA;AAAS;AAC7E;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,cAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMN,MAAA,EAAQ,sCAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN;AAAA,UACE,IAAA,EAAM,kBAAA;AAAA,UACN,KAAA,EAAO,6BAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA,SAChB;AAAA,QACA,EAAE,MAAM,aAAA,EAAe,KAAA,EAAO,0CAA0C,IAAA,EAAM,MAAA,EAAQ,UAAU,KAAA,EAAM;AAAA,QACtG;AAAA,UACE,IAAA,EAAM,oBAAA;AAAA,UACN,KAAA,EAAO,uCAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA;AAChB,OACF;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,kBAAA;AAAA,QACP,WAAA,EACE,mGAAA;AAAA,QACF,WAAA,EAAa,MAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,mBAAA,EAAqB,KAAA,EAAO,oBAAA,EAAsB,QAAQ,QAAA;AAAS;AAC7E;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,MAAA,EAAQ,KAAA,EAAO,iBAAiB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AACvE,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,kBAAA;AAAA,MACN,KAAA,EAAO,kBAAA;AAAA,MACP,IAAA,EAAM,UAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,qCAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,wBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAUA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,UAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,eAAe,CAAA;AAAA,MAC3B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,0BAAA;AAAA,MACR,OAAA,EAAS,0BAAA;AAAA,MACT,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,gBAAgB,IAAA,EAAK;AAAA,QACvD,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,gBAAgB,IAAA;AAAK;AAC1D,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,KAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,eAAA,EAAiB,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC5D,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8BAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKR,OAAA,EAAS,gEAAA;AAAA,MACT,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,iBAAA,EAAmB,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACnF,EAAE,MAAM,aAAA,EAAe,KAAA,EAAO,gBAAgB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QAC3E,EAAE,IAAA,EAAM,qBAAA,EAAuB,KAAA,EAAO,wBAAA,EAA0B,MAAM,SAAA,EAAW,QAAA,EAAU,KAAA,EAAO,YAAA,EAAc,IAAA;AAAK;AACvH,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,cAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,eAAA,EAAiB,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC5D,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,2BAAA;AAAA;AAAA;AAAA,MAGR,OAAA,EAAS,gEAAA;AAAA,MACT,cAAA,EAAgB,kEAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,aAAa,IAAA,EAAM,OAAA,EAAS,UAAU,IAAA;AAAK;AACxE,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,2BAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,eAAA,EAAiB,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC5D,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,sCAAA;AAAA;AAAA;AAAA,MAGR,OAAA,EAAS,4DAAA;AAAA,MACT,cAAA,EAAgB,kDAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,QAAQ;AAAC,KACX;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC3C,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,0BAAA;AAAA;AAAA;AAAA,MAGR,OAAA,EAAS,gEAAA;AAAA,MACT,WAAA,EAAa,8KAAA;AAAA,MACb,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,wBAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,OAAA,EAAS,+DAAA;AAAA,MACT,cAAA,EAAgB,iJAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,yBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,iCAAA;AAAA,MACR,OAAA,EAAS,+DAAA;AAAA,MACT,WAAA,EAAa,uEAAA;AAAA,MACb,cAAA,EAAgB,qCAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,KAAA,EAAO,yBAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,+CAAA;AAAA,MACR,OAAA,EAAS,+DAAA;AAAA,MACT,WAAA,EAAa,uFAAA;AAAA,MACb,cAAA,EAAgB,6DAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMT,EAAA,EAAI;AAAA,MACF,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,IAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,gBAAA,EAAkB,sBAAsB,YAAY,CAAA;AAAA,MAC/E,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,MAAM,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MACxE,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,CAAA;AAAE,KAC5B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,MAAA,EAAQ,SAAS,gBAAA,EAAkB,QAAA,EAAU,sBAAsB,YAAY,CAAA;AAAA,MACzF,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,kBAAkB,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MACtE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,sBAAsB,YAAY,CAAA;AAAA,MAC7D,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,sBAAsB,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACzE,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,QAAA,EAAU,cAAc,aAAa,CAAA;AAAA,MAChE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,KAAA,EAAO,MAAM,KAAA,CAAM;AAAA,MACjB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgB,MAAM,OAAA,CAAQ;AAAA,MAC5B,KAAA,EAAO,gBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoB,MAAM,OAAA,CAAQ;AAAA,MAChC,KAAA,EAAO,oBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQ,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAa,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOD,kBAAA,EAAoB,MAAM,MAAA,CAAO;AAAA,MAC/B,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,CAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAc,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,mBAAA,EAAqB,MAAM,QAAA,CAAS;AAAA,MAClC,KAAA,EAAO,qBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,YAAA,EAAc,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,EAAA;AAAA,MACX,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EACE;AAAA,KAEH,CAAA;AAAA,IAED,qBAAA,EAAuB,MAAM,OAAA,CAAQ;AAAA,MACnC,KAAA,EAAO,gBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EACE;AAAA,KAEH,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOD,oBAAA,EAAsB,MAAM,OAAA,CAAQ;AAAA,MAClC,KAAA,EAAO,sBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EACE;AAAA,KAEH,CAAA;AAAA;AAAA;AAAA,IAID,eAAA,EAAiB,MAAM,QAAA,CAAS;AAAA,MAC9B,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,aAAA,EAAe,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,aAAA,EAAe,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA;AAAA,MACX,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAW,MAAM,OAAA,CAAQ;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EACE;AAAA,KAMH,CAAA;AAAA;AAAA,IAGD,KAAA,EAAO,MAAM,GAAA,CAAI;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,cAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,wBAAA,EAA0B,KAAA,CAAM,MAAA,CAAO,mBAAA,EAAqB;AAAA,MAC1D,KAAA,EAAO,uBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,cAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaD,MAAA,EAAQ,MAAM,MAAA,CAAO;AAAA,MACnB,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,YAAA;AAAA,MACd,OAAA,EAAS;AAAA,QACP,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,iBAAA,EAAkB;AAAA,QACrD,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,YAAA;AAAa,OAC7C;AAAA,MACA,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,EAAA,EAAI,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA;AAAA;AAAA,IAGxC,EAAE,MAAA,EAAQ,CAAC,cAAc,CAAA,EAAG,QAAQ,IAAA;AAAK,GAC3C;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AACP;AAAA;AAAA;AAAA;AAMF,CAAC;AC7tBM,IAAM,UAAA,GAAaA,aAAa,MAAA,CAAO;AAAA,EAC5C,IAAA,EAAM,aAAA;AAAA,EACN,KAAA,EAAO,SAAA;AAAA,EACP,WAAA,EAAa,UAAA;AAAA,EACb,IAAA,EAAM,KAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,sBAAA;AAAA,EACb,gBAAA,EAAkB,SAAA;AAAA,EAClB,SAAA,EAAW,SAAA;AAAA;AAAA,EACX,WAAA,EAAa,0BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,YAAA,EAAc,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOvD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,wBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,oCAAA;AAAA,MACR,WAAA,EAAa,2GAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,gBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA;AAAA,MAER,aAAA,EAAe,OAAA;AAAA,MACf,aAAA,EAAe,OAAA;AAAA,MACf,WAAA,EAAa,oEAAA;AAAA,MACb,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,OAAA,EAAS,CAAC,YAAA,EAAc,wBAAA,EAA0B,cAAc,YAAY,CAAA;AAAA,MAC5E,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,SAAA,EAAW,YAAA,EAAc,wBAAA,EAA0B,cAAc,YAAY,CAAA;AAAA,MACvF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,OAAA,EAASC,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAA,EAAkBA,MAAM,QAAA,CAAS;AAAA,MAC/B,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IACD,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IACD,aAAA,EAAeA,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,sBAAA,EAAwBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MACvD,KAAA,EAAO,qBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACvC,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACxC,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,MAAA,EAAQ,IAAA;AAAA,MACR,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,iDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACrC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA;AAAM,GAC1C;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,UAAU,QAAQ,CAAA;AAAA,IAC9C,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK,KAAA;AAAA,IACL,KAAA,EAAO;AAAA;AAEX,CAAC;AC7MM,IAAM,UAAA,GAAaD,aAAa,MAAA,CAAO;AAAA,EAC5C,IAAA,EAAM,aAAA;AAAA,EACN,KAAA,EAAO,SAAA;AAAA,EACP,WAAA,EAAa,UAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,4CAAA;AAAA,EACb,WAAA,EAAa,8BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,aAAA,EAAe,SAAA,EAAW,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcxD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,oHAAA;AAAA,MACR,MAAA,EAAQ;AAAA,QACN;AAAA,UACE,IAAA,EAAM,UAAA;AAAA,UACN,KAAA,EAAO,UAAA;AAAA,UACP,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,IAAA;AAAA,UACV,OAAA,EAAS;AAAA,YACP,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,YACnC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,YACnC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,WAAA,EAAY;AAAA,YACzC,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,YACjC,EAAE,KAAA,EAAO,UAAA,EAAY,KAAA,EAAO,UAAA,EAAW;AAAA,YACvC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,YACnC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,SAAA;AAAU;AACvC;AACF;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,gBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA,MACR,WAAA,EAAa,6IAAA;AAAA,MACb,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA,EAAK;AAAA,QACjF,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,cAAc,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AACjF;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,OAAA,EAAS,CAAC,aAAA,EAAe,YAAA,EAAc,cAAc,YAAY,CAAA;AAAA,MACjE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,aAAA,EAAe,KAAA,EAAO,OAAO,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,OAAA,EAAS,CAAC,aAAA,EAAe,SAAA,EAAW,cAAc,YAAY,CAAA;AAAA,MAC9D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,aAAA,EAAe,SAAA,EAAW,YAAA,EAAc,cAAc,YAAY,CAAA;AAAA,MAC5E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,qBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,uBAAA,EAAyBA,MAAM,QAAA,CAAS;AAAA,MACtC,KAAA,EAAO,yBAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,wBAAA,EAA0BA,MAAM,QAAA,CAAS;AAAA,MACvC,KAAA,EAAO,0BAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,wBAAA,EAA0BA,MAAM,QAAA,CAAS;AAAA,MACvC,KAAA,EAAO,0BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,MAAA,EAAQ,IAAA;AAAA,MACR,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACrC,EAAE,MAAA,EAAQ,CAAC,eAAe,YAAY,CAAA,EAAG,QAAQ,IAAA;AAAK,GACxD;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AChNM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,qCAAA;AAAA,EACb,WAAA,EAAa,+BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,YAAA,EAAc,YAAA,EAAc,YAAY,CAAA;AAAA,EAE1D,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACnC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA;AAAM,GAC1C;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,QAAA,EAAU,QAAQ,CAAA;AAAA,IACtC,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AClFM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,yCAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,MAAM,CAAA;AAAA;AAAA;AAAA,EAIhC,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,kCAAA;AAAA,MACR,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMd,OAAA,EAAS,mCAAA;AAAA,MACT,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,OAAO,MAAA;AAAO;AAClB,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,kCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA;AAAA,MAEf,SAAA,EAAW,EAAE,IAAA,EAAM,MAAA,EAAO;AAAA;AAAA;AAAA;AAAA,MAI1B,OAAA,EAAS,mCAAA;AAAA,MACT,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACtD,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACtD,EAAE,KAAA,EAAO,MAAA,EAAQ,cAAA,EAAgB,IAAA;AAAK;AACxC,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,kCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA,MACf,OAAA,EAAS,mCAAA;AAAA,MACT,WAAA,EAAa,4FAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,gBAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,sCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA,MACf,OAAA,EAAS,mCAAA;AAAA,MACT,cAAA,EAAgB,8BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA,MAIE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,iCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA,MACf,OAAA,EAAS,mCAAA;AAAA,MACT,WAAA,EAAa,wEAAA;AAAA,MACb,cAAA,EAAgB,gCAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,eAAe,CAAA;AAAA,MAC3B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,mCAAA;AAAA,MACT,WAAA,EAAa,gHAAA;AAAA,MACb,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,MAAA,EAAQ,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACpD,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,yBAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,IAAA,EAAMA,MAAM,GAAA,CAAI;AAAA,MACd,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,uCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,WAAA,EAAaA,MAAM,OAAA,CAAQ;AAAA,MACzB,KAAA,EAAO,2BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO,eAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA;AAAE,GACrB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACjPM,IAAM,SAAA,GAAYD,aAAa,MAAA,CAAO;AAAA,EAC3C,IAAA,EAAM,YAAA;AAAA,EACN,KAAA,EAAO,QAAA;AAAA,EACP,WAAA,EAAa,SAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,iCAAA;AAAA;AAAA;AAAA;AAAA,EAIb,WAAA,EAAa,oBAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,iBAAA,EAAmB,MAAM,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOtD,OAAA,EAAS;AAAA,IACP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAME,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,sCAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKR,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,UAAU,IAAA,EAAK;AAAA,QACnD,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,IAAA,EAAM,gBAAA,EAAkB,KAAA,EAAO,iBAAA;AAAkB;AACrD,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,aAAA,EAAe,UAAA;AAAA,MACf,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA,MACR,aAAA,EAAe,iBAAA;AAAA,MACf,OAAA,EAAS,gCAAA;AAAA,MACT,WAAA,EAAa,uFAAA;AAAA,MACb,cAAA,EAAgB,gBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,OAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,aAAA,EAAe,UAAA;AAAA,MACf,SAAA,EAAW,EAAE,IAAA,EAAM,OAAA,EAAQ;AAAA,MAC3B,OAAA,EAAS,0DAAA;AAAA,MACT,WAAA,EAAa,8HAAA;AAAA,MACb,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,YAAA,EAAa;AAAA,MACjD,OAAA,EAAS,CAAC,iBAAA,EAAmB,MAAA,EAAQ,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA,EAAG;AAAA,MAC3B,UAAA,EAAY;AAAA,QACV,KAAA,EAAO,sBAAA;AAAA,QACP,OAAA,EAAS;AAAA;AACX;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA,MAIP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,MAAA,CAAO;AAAA,MACjB,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,qCAAA;AAAA,MACb,OAAA,EAAS;AAAA,QACP,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA;AAAS,OACrC;AAAA,MACA,YAAA,EAAc;AAAA,KACf;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,mBAAmB,SAAS,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACvD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AClLM,IAAM,aAAA,GAAgBD,aAAa,MAAA,CAAO;AAAA,EAC/C,IAAA,EAAM,gBAAA;AAAA,EACN,KAAA,EAAO,YAAA;AAAA,EACP,WAAA,EAAa,aAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,8CAAA;AAAA;AAAA;AAAA;AAAA,EAIb,WAAA,EAAa,wBAAA;AAAA,EACb,eAAA,EAAiB,CAAC,OAAA,EAAS,iBAAA,EAAmB,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA,EAKtD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOR,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,IAAA,EAAK;AAAA,QACjC,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA;AAAK;AAClC,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,UAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6CAAA;AAAA,MACR,aAAA,EAAe,cAAA;AAAA,MACf,OAAA,EAAS,gCAAA;AAAA,MACT,WAAA,EAAa,4EAAA;AAAA,MACb,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,mBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACvD,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD,KACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,OAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6CAAA;AAAA,MACR,aAAA,EAAe,cAAA;AAAA,MACf,OAAA,EAAS,8DAAA;AAAA,MACT,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,GAAA;AAAA,MACN,OAAA,EAAS,OAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6CAAA;AAAA,MACR,aAAA,EAAe,cAAA;AAAA,MACf,OAAA,EAAS,8DAAA;AAAA,MACT,WAAA,EAAa,mGAAA;AAAA,MACb,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MACxE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,OAAO,CAAA;AAAA,MAC5C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MACxE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,UAAA,EAAY,CAAA;AAAA,MACnE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,OAAA,EAAS,QAAA,EAAU,mBAAmB,YAAY,CAAA;AAAA,MAC5D,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,SAAA,EAAW,UAAA,EAAY,UAAU,GAAG,CAAA;AAAA,MACxF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,OAAA,EAAS,UAAU,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MAClF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA,MAIP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,KAAA,CAAM;AAAA,MACjB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,MAAA,CAAO;AAAA,MACjB,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,gCAAA;AAAA,MACb,OAAA,EAAS;AAAA,QACP,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA;AAAS,OACrC;AAAA,MACA,YAAA,EAAc;AAAA,KACf,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,MAAA,CAAO,CAAC,WAAW,UAAA,EAAY,UAAA,EAAY,SAAA,EAAW,UAAU,CAAA,EAAG;AAAA,MAC/E,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAE;AAAA,IACpB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC5OM,IAAM,OAAA,GAAUD,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,sDAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,iBAAiB,CAAA;AAAA;AAAA;AAAA;AAAA,EAK3C,OAAA,EAAS;AAAA,IACP;AAAA;AAAA;AAAA,MAGE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,uCAAA;AAAA;AAAA;AAAA;AAAA,MAIR,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,IAAA,EAAM,gBAAA,EAAkB,KAAA,EAAO,iBAAA;AAAkB;AACrD,KACF;AAAA,IACA;AAAA;AAAA;AAAA;AAAA,MAIE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,uCAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,SAAA,EAAW,EAAE,IAAA,EAAM,MAAA,EAAO;AAAA,MAC1B,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD,KACF;AAAA,IACA;AAAA;AAAA;AAAA,MAGE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,uCAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,OAAA,EAAS,gCAAA;AAAA,MACT,WAAA,EAAa,oFAAA;AAAA,MACb,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,iBAAA,EAAmB,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MAC/D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MAClF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,QAAQ,iBAAiB,CAAA,EAAG,QAAQ,IAAA;AAAK,GACtD;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACrKM,IAAM,aAAA,GAAgBD,aAAa,MAAA,CAAO;AAAA,EAC/C,IAAA,EAAM,iBAAA;AAAA,EACN,KAAA,EAAO,aAAA;AAAA,EACP,WAAA,EAAa,cAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,gDAAA;AAAA,EACb,WAAA,EAAa,wBAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,SAAA,EAAW,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA,EAKpD,OAAA,EAAS;AAAA,IACP;AAAA;AAAA,MAEE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,2CAAA;AAAA;AAAA;AAAA;AAAA,MAIR,OAAA,EAAS,gCAAA;AAAA,MACT,cAAA,EAAgB,mBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,UAAU,IAAA,EAAK;AAAA,QACnD,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,UAAU,IAAA;AAAK;AACrD,KACF;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,kBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,OAAA,EAAS,gCAAA;AAAA,MACT,WAAA,EAAa,wEAAA;AAAA,MACb,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,QAAA,EAAU,KAAA,EAAO,WAAW,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACzE,EAAE,MAAM,QAAA,EAAU,KAAA,EAAO,WAAW,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AAC3E;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,SAAS,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC/C,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,UAAU,QAAQ,CAAA;AAAA,IAC9C,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC9FM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,mBAAA;AAAA,EACN,KAAA,EAAO,eAAA;AAAA,EACP,WAAA,EAAa,gBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,UAAA;AAAA,EACX,WAAA,EAAa,4IAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,MAAA,EAAQ,2BAA2B,iBAAiB,CAAA;AAAA,EAE9E,SAAA,EAAW;AAAA;AAAA;AAAA;AAAA;AAAA,IAKT,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,OAAA,EAAS,CAAC,MAAA,EAAQ,MAAA,EAAQ,mBAAmB,QAAQ,CAAA;AAAA,MACrD,IAAA,EAAM;AAAA,QACJ,WAAA,EAAa,yBAAA;AAAA,QACb,UAAA,EAAY,MAAA;AAAA,QACZ,MAAA,EAAQ,CAAC,MAAA,EAAQ,iBAAA,EAAmB,QAAQ,CAAA;AAAA,QAC5C,oBAAA,EAAsB;AAAA,OACxB;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO;AAAA,KACxC;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,SAAS,CAAC,MAAA,EAAQ,QAAQ,MAAA,EAAQ,yBAAA,EAA2B,mBAAmB,gBAAgB,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,OAAA,EAAS,CAAC,MAAA,EAAQ,MAAA,EAAQ,QAAQ,cAAc,CAAA;AAAA,MAChD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,cAAA,EAAgB,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC/C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,SAAS,CAAC,MAAA,EAAQ,QAAQ,MAAA,EAAQ,yBAAA,EAA2B,mBAAmB,QAAQ,CAAA;AAAA,MACxF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACvE,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MACxE,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,SAAS,CAAC,MAAA,EAAQ,QAAQ,MAAA,EAAQ,yBAAA,EAA2B,mBAAmB,QAAQ,CAAA;AAAA,MACxF,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,4DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAMA,KAAAA,CAAM,MAAA;AAAA,MACV,CAAC,SAAA,EAAW,UAAA,EAAY,YAAA,EAAc,UAAU,aAAa,CAAA;AAAA,MAC7D;AAAA,QACE,KAAA,EAAO,MAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,6DAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,uBAAA,EAAyBA,KAAAA,CAAM,MAAA,CAAO,mBAAA,EAAqB;AAAA,MACzD,KAAA,EAAO,sBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACxC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,wDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,kDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,yBAAyB,CAAA,EAAE;AAAA,IACtC,EAAE,MAAA,EAAQ,CAAC,QAAQ,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACpD,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC9MM,IAAM,qBAAA,GAAwBD,aAAa,MAAA,CAAO;AAAA,EACvD,IAAA,EAAM,0BAAA;AAAA,EACN,KAAA,EAAO,sBAAA;AAAA,EACP,WAAA,EAAa,uBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,UAAA;AAAA,EACX,WAAA,EAAa,4EAAA;AAAA,EACb,WAAA,EAAa,iCAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,kBAAA,EAAoB,6BAA6B,YAAY,CAAA;AAAA,EAE1F,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAA,EAAkBA,KAAAA,CAAM,MAAA,CAAO,mBAAA,EAAqB;AAAA,MAClD,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,2BAA2BA,KAAAA,CAAM,MAAA;AAAA,MAC/B,CAAC,QAAA,EAAU,MAAA,EAAQ,QAAQ,CAAA;AAAA,MAC3B;AAAA,QACE,KAAA,EAAO,2BAAA;AAAA,QACP,QAAA,EAAU,KAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,wFAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAA,EAAYA,MAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,0FAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,oBAAoB,SAAS,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC5FM,IAAM,SAAA,GAAYD,aAAa,MAAA,CAAO;AAAA,EAC3C,IAAA,EAAM,aAAA;AAAA,EACN,KAAA,EAAO,SAAA;AAAA,EACP,WAAA,EAAa,UAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,kCAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,iBAAiB,CAAC,MAAA,EAAQ,QAAA,EAAU,SAAA,EAAW,cAAc,SAAS,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMtE,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,gBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,+BAAA;AAAA,MACR,SAAA,EAAW,EAAE,OAAA,EAAS,IAAA,EAAK;AAAA,MAC3B,WAAA,EAAa,yEAAA;AAAA,MACb,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,+BAAA;AAAA,MACR,SAAA,EAAW,EAAE,OAAA,EAAS,KAAA,EAAM;AAAA,MAC5B,WAAA,EAAa,oFAAA;AAAA,MACb,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,QAAA,EAAU,YAAA,EAAc,gBAAgB,SAAS,CAAA;AAAA,MACnE,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACrE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,QAAA,EAAU,SAAA,EAAW,cAAc,cAAc,CAAA;AAAA,MACnE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,cAAA,EAAgB,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC/C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,QAAA,EAAU,SAAA,EAAW,cAAc,YAAY,CAAA;AAAA,MACjE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,UAAU,SAAA,EAAW,YAAA,EAAc,gBAAgB,SAAS,CAAA;AAAA,MAC9E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,MAAM,OAAA,CAAQ;AAAA,MACrB,KAAA,EAAO,SAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,GAAA,EAAKA,MAAM,IAAA,CAAK;AAAA,MACd,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,MAAA,EAAQ,IAAA;AAAA,MACR,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,sDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,KAAK,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAChC,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA,EAAE;AAAA,IACrB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AChNM,IAAM,YAAA,GAAeD,aAAa,MAAA,CAAO;AAAA,EAC9C,IAAA,EAAM,gBAAA;AAAA,EACN,KAAA,EAAO,YAAA;AAAA,EACP,WAAA,EAAa,wBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,uCAAA;AAAA,EACb,WAAA,EAAa,0BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,YAAY,CAAA;AAAA,EAEzC,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,YAAA,EAAc,YAAY,CAAA;AAAA,MACpC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,SAAA,EAAW,YAAA,EAAc,YAAY,CAAA;AAAA,MAC/C,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK,OAC9E;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,mCAAA;AAAA,QACP,WAAA,EAAa,gIAAA;AAAA,QACb,WAAA,EAAa,8BAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,mBAAA,EAAqB,QAAQ,QAAA,EAAS;AAAA,UAChE,EAAE,IAAA,EAAM,aAAA,EAAe,KAAA,EAAO,cAAA,EAAgB,QAAQ,WAAA;AAAY;AACpE;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,iCAAA;AAAA,MACR,WAAA,EAAa,oDAAA;AAAA,MACb,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,yBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAA,EAAgB,WAAW,CAAA;AAAA,MACvC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,+CAAA;AAAA,MACR,WAAA,EAAa,mFAAA;AAAA,MACb,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK,OAC9E;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,4BAAA;AAAA,QACP,WAAA,EAAa,6GAAA;AAAA,QACb,WAAA,EAAa,4BAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,aAAA,EAAe,KAAA,EAAO,cAAA,EAAgB,QAAQ,WAAA;AAAY;AACpE;AACF;AACF,GACF;AAAA,EAGA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,OAAA,CAAQ;AAAA,MACtB,KAAA,EAAO,UAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,IAAA;AAAK,GACtC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IAChD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC5JM,IAAM,aAAA,GAAgBD,aAAa,MAAA,CAAO;AAAA,EAC/C,IAAA,EAAM,iBAAA;AAAA,EACN,KAAA,EAAO,aAAA;AAAA,EACP,WAAA,EAAa,cAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA,EAGX,SAAA,EAAW;AAAA,IACT,KAAA,EAAO,WAAA;AAAA,IACP,GAAA,EAAK,EAAE,KAAA,EAAO,YAAA,EAAc,aAAa,IAAA;AAAK,GAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,kEAAA;AAAA,EACb,SAAA,EAAW,WAAA;AAAA;AAAA,EACX,WAAA,EAAa,aAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,QAAA,EAAU,aAAa,YAAY,CAAA;AAAA,EAElE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,gBAAA,EAAkBA,MAAM,MAAA,CAAO;AAAA,MAC7B,KAAA,EAAO,uBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACtC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA,EAAG,QAAQ,KAAA;AAAM,GACtC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IAChD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC/HM,IAAM,iBAAA,GAAoBD,aAAa,MAAA,CAAO;AAAA,EACnD,IAAA,EAAM,qBAAA;AAAA,EACN,KAAA,EAAO,iBAAA;AAAA,EACP,WAAA,EAAa,kBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA;AAAA;AAAA;AAAA,EAIV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,sDAAA;AAAA,EACb,SAAA,EAAW,KAAA;AAAA;AAAA,EACX,WAAA,EAAa,OAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,KAAK,CAAA;AAAA,EAElC,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,qBAAA,EAAsB;AAAA,MAC1D,OAAA,EAAS,CAAC,KAAA,EAAO,YAAY,CAAA;AAAA,MAC7B,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,KAAA,EAAO,KAAA,EAAO,OAAO,CAAA;AAAA,MACrC,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,qBAAA,EAAsB;AAAA,MAC1D,OAAA,EAAS,CAAC,SAAA,EAAW,KAAA,EAAO,YAAY,CAAA;AAAA,MACxC,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,OAAO,CAAA;AAAA,MACzE,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,IAAA,EAAM,CAAA,EAAE;AAAA,MAC1E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,qBAAA,EAAsB;AAAA,MAC1D,OAAA,EAAS,CAAC,SAAA,EAAW,KAAA,EAAO,cAAc,YAAY,CAAA;AAAA,MACtD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,GAAA,EAAKA,MAAM,IAAA,CAAK;AAAA,MACd,KAAA,EAAO,KAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,KAAK,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC3C,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,KAAA;AAAM,GACvC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACjGM,IAAM,mBAAA,GAAsBD,aAAa,MAAA,CAAO;AAAA,EACrD,IAAA,EAAM,uBAAA;AAAA,EACN,KAAA,EAAO,mBAAA;AAAA,EACP,WAAA,EAAa,oBAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,2CAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,WAAA,EAAa,QAAQ,UAAU,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBzD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,2BAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,2CAAA;AAAA,MACR,WAAA,EAAa,gNAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,OAAA,EAAS,kBAAA;AAAA,MACT,SAAA,EAAW,EAAE,QAAA,EAAU,IAAA,EAAK;AAAA,MAC5B,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AAChF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,0BAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,2CAAA;AAAA,MACR,WAAA,EAAa,6GAAA;AAAA,MACb,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,OAAA,EAAS,iBAAA;AAAA,MACT,SAAA,EAAW,EAAE,QAAA,EAAU,KAAA,EAAM;AAAA,MAC7B,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AAChF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,4BAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,6CAAA;AAAA,MACR,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,MAAA,EAAQ,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACxE,EAAE,IAAA,EAAM,cAAA,EAAgB,KAAA,EAAO,eAAA,EAAiB,MAAM,UAAA,EAAY,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,oDAAA,EAAqD;AAAA,QACjJ,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,kBAAA,EAAoB,IAAA,EAAM,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS;AAAA,UACvG,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,KAAA,EAAM;AAAA,UAC7B,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,UACnC,EAAE,KAAA,EAAO,kBAAA,EAAoB,KAAA,EAAO,kBAAA,EAAmB;AAAA,UACvD,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA;AAAS,SACrC;AAAE,OACJ;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,8BAAA;AAAA,QACP,WAAA,EAAa,uHAAA;AAAA,QACb,WAAA,EAAa,gCAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,kBAAA,EAAoB,KAAA,EAAO,WAAA,EAAa,QAAQ,MAAA,EAAO;AAAA,UAC/D,EAAE,IAAA,EAAM,sBAAA,EAAwB,KAAA,EAAO,eAAA,EAAiB,QAAQ,QAAA;AAAS;AAC3E;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,KAAA,EAAO,sBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,0CAAA;AAAA,MACR,WAAA,EAAa,8MAAA;AAAA,MACb,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK,OAChF;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,uBAAA;AAAA,QACP,WAAA,EAAa,gIAAA;AAAA,QACb,WAAA,EAAa,gCAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,eAAA,EAAiB,KAAA,EAAO,mBAAA,EAAqB,QAAQ,QAAA;AAAS;AACxE;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,0BAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,mCAAA;AAAA,MACR,WAAA,EAAa,2LAAA;AAAA,MACb,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AAChF;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,SAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,MAAA,EAAQ,YAAY,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAK/D,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,OAAA,EAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,QAAQ,YAAY,CAAA;AAAA,MACnD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,YAAY,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAChE,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,OAAA,EAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,QAAQ,YAAY,CAAA;AAAA,MACnD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,YAAY,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,SAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,MAAA,EAAQ,YAAY,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,GAAA,CAAI;AAAA,MACd,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,GAAA,EAAKA,MAAM,GAAA,CAAI;AAAA,MACb,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,0CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,GAAA,EAAKA,MAAM,GAAA,CAAI;AAAA,MACb,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,GAAA,CAAI;AAAA,MAChB,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,yBAAA,EAA2BA,MAAM,QAAA,CAAS;AAAA,MACxC,KAAA,EAAO,2BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,MAAA,CAAO,CAAC,OAAO,QAAA,EAAU,kBAAA,EAAoB,QAAQ,CAAA,EAAG;AAAA,MAClE,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,8DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,OAAA,CAAQ;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,0BAAA,EAA4BA,MAAM,IAAA,CAAK;AAAA,MACrC,KAAA,EAAO,4BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,QAAA,EAAUA,MAAM,OAAA,CAAQ;AAAA,MACtB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,OAAA,CAAQ;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,MAAM,OAAA,CAAQ;AAAA,MAChC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,wDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAA,EAAkBA,MAAM,IAAA,CAAK;AAAA,MAC3B,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,MAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACtC,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,cAAc,CAAA;AAAE,GAC7B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACtbM,IAAM,mBAAA,GAAsBD,aAAa,MAAA,CAAO;AAAA,EACrD,IAAA,EAAM,wBAAA;AAAA,EACN,KAAA,EAAO,oBAAA;AAAA,EACP,WAAA,EAAa,qBAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,0DAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,SAAA,EAAW,YAAY,CAAA;AAAA,EAEtD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,aAAA,EAAe;AAAA,MACtC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,yBAAA,EAA2B;AAAA,MAClD,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAE;AAAA,IACxB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAE;AAAA,IACzB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACvGM,IAAM,oBAAA,GAAuBD,aAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,mDAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,SAAA,EAAW,YAAY,CAAA;AAAA,EAEtD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,aAAA,EAAe;AAAA,MACtC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,MAAM,QAAA,CAAS;AAAA,MACtB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,QAAA,CAAS;AAAA,MACxB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAE;AAAA,IACxB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAE;AAAA,IACzB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzGM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,mBAAA;AAAA,EACN,KAAA,EAAO,eAAA;AAAA,EACP,WAAA,EAAa,gBAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,oDAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,SAAA,EAAW,QAAQ,CAAA;AAAA,EAElD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAE;AAAA,IACxB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC9EM,IAAM,OAAA,GAAUD,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,UAAA;AAAA,EACP,WAAA,EAAa,WAAA;AAAA,EACb,IAAA,EAAM,KAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,0DAAA;AAAA,EACb,eAAA,EAAiB,CAAC,IAAA,EAAM,YAAA,EAAc,YAAY,CAAA;AAAA,EAElD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzDM,IAAM,cAAA,GAAiBD,aAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeX,OAAA,EAAS,EAAE,OAAA,EAAS,KAAA,EAAO,UAAU,QAAA,EAAS;AAAA,EAC9C,mBAAA,EAAqB,CAAC,0BAA0B,CAAA;AAAA;AAAA,EAEhD,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,+EAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,mFAAA;AAAA,EACb,gBAAA,EAAkB,aAAA;AAAA,EAClB,SAAA,EAAW,aAAA;AAAA;AAAA,EACX,WAAA,EAAa,eAAA;AAAA,EACb,eAAA,EAAiB,CAAC,aAAA,EAAe,QAAA,EAAU,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA,EAKnD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,KAAA,EAAO,uBAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOR,MAAA,EAAQ,iCAAA;AAAA,MACR,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,aAAA,EAAe,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,iDAAA,EAAkD;AAAA,QACtI,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,YAAA,EAAc,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,+GAAA,EAAgH;AAAA,QAC/L,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,qEAAA,EAAsE;AAAA,QACvJ,EAAE,IAAA,EAAM,UAAA,EAAY,KAAA,EAAO,WAAA,EAAa,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,yDAAA,EAA0D;AAAA,QAC1I,EAAE,IAAA,EAAM,cAAA,EAAgB,KAAA,EAAO,eAAA,EAAiB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,wDAAA,EAAyD;AAAA,QACjJ,EAAE,IAAA,EAAM,mBAAA,EAAqB,KAAA,EAAO,eAAA,EAAiB,MAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,2GAAA,EAA4G;AAAA,QAC1M,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,sBAAA,EAAwB,QAAA,EAAU,uFAAA,EAAwF;AAAA,QACzM,EAAE,IAAA,EAAM,OAAA,EAAS,KAAA,EAAO,oBAAA,EAAsB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,QAAA,EAAU,oEAAA,EAAqE;AAAA,QAChL,EAAE,IAAA,EAAM,UAAA,EAAY,KAAA,EAAO,kBAAA,EAAoB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,OAAA,EAAS,QAAA,EAAU,uDAAA,EAAwD;AAAA,QACtK,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,iBAAA,EAAmB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,MAAA,EAAQ,QAAA,EAAU,6DAAA;AAA8D;AAC3K,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,KAAA,EAAO,wBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQR,MAAA,EAAQ,sCAAA;AAAA,MACR,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,aAAA,EAAe,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,sCAAA,EAAuC;AAAA,QAC3H,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,eAAA,EAAiB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,6EAAA,EAAyE;AAAA,QAC3J,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,qEAAA,EAAsE;AAAA,QACvJ,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,aAAA,EAAe,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,uFAAA,EAAmF;AAAA,QACvK,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,yBAAA,EAA2B,MAAM,UAAA,EAAY,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,2FAAA,EAAuF;AAAA,QACrL,EAAE,IAAA,EAAM,kBAAA,EAAoB,KAAA,EAAO,eAAA,EAAiB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,wDAAA,EAA0D,QAAA,EAAU,uFAAA;AAAmF;AACzP,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,KAAA,EAAO,6BAAA;AAAA,MACP,IAAA,EAAM,OAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYR,MAAA,EAAQ,oDAAA;AAAA,MACR,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA,EAAK;AAAA,QACjF,EAAE,MAAM,QAAA,EAAU,KAAA,EAAO,UAAU,cAAA,EAAgB,IAAA,EAAM,UAAU,KAAA;AAAM,OAC3E;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,oBAAA;AAAA,QACP,WAAA,EACE,+HAAA;AAAA,QACF,WAAA,EAAa,MAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,eAAA,EAAiB,KAAA,EAAO,aAAA,EAAe,QAAQ,MAAA,EAAO;AAAA,UAC9D,EAAE,IAAA,EAAM,eAAA,EAAiB,KAAA,EAAO,aAAA,EAAe,QAAQ,QAAA,EAAS;AAAA,UAChE,EAAE,IAAA,EAAM,gBAAA,EAAkB,KAAA,EAAO,OAAA,EAAS,QAAQ,QAAA;AAAS;AAC7D;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA,MAIR,MAAA,EAAQ,sCAAA;AAAA,MACR,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AACnF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,kCAAA;AAAA,MACR,WAAA,EAAa,+FAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AACnF;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,GAAA,EAAK;AAAA,MACH,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,KAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,QAAA,EAAU,QAAA,EAAU,mBAAmB,YAAY,CAAA;AAAA,MAC5E,MAAM,CAAC,EAAE,OAAO,aAAA,EAAe,KAAA,EAAO,OAAO,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA,EAAG;AAAA;AAAA;AAAA;AAAA,MAI3B,UAAA,EAAY;AAAA,QACV,KAAA,EAAO,sBAAA;AAAA,QACP,OAAA,EAAS,sPAAA;AAAA,QACT,IAAA,EAAM;AAAA;AACR;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,KAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAE/E,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,4DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,gBAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,iDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,OAAA,CAAQ;AAAA,MAC7B,KAAA,EAAO,iBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EACE,8QAAA;AAAA,MACF,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,4EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,mCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,IAAA,CAAK;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,kDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAC1G,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU;AAAA,GAC5G;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA,EAAE;AAAA,IACrB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA;AAAA,IAIZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AClRM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,mBAAA;AAAA,EACN,KAAA,EAAO,eAAA;AAAA,EACP,WAAA,EAAa,gBAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQX,mBAAA,EAAqB,CAAC,0BAA0B,CAAA;AAAA;AAAA,EAEhD,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,gFAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,0GAAA;AAAA,EACb,gBAAA,EAAkB,aAAA;AAAA,EAClB,SAAA,EAAW,aAAA;AAAA;AAAA,EACX,WAAA,EAAa,eAAA;AAAA,EACb,eAAA,EAAiB,CAAC,aAAA,EAAe,iBAAiB,CAAA;AAAA,EAElD,SAAA,EAAW;AAAA,IACT,GAAA,EAAK;AAAA,MACH,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,KAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA;AAAA,MAExD,OAAA,EAAS,CAAC,aAAA,EAAe,iBAAA,EAAmB,YAAY,CAAA;AAAA,MACxD,MAAM,CAAC,EAAE,OAAO,aAAA,EAAe,KAAA,EAAO,OAAO,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,KAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAE/E,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,mIAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,IAAA,CAAK;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAC1G,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU;AAAA,GAC5G;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA;AAAA,IAIZ,UAAA,EAAY,CAAC,MAAM,CAAA;AAAA,IACnB,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC","file":"index.mjs","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user — System User Object\n *\n * Canonical user identity record for the ObjectStack platform.\n * Backed by better-auth's `user` model with ObjectStack field conventions.\n *\n * Field order drives default list/form layout: identity first, then profile,\n * then system-managed audit fields (hidden from create/edit forms).\n *\n * @namespace sys\n */\nexport const SysUser = ObjectSchema.create({\n name: 'sys_user',\n label: 'User',\n pluralLabel: 'Users',\n icon: 'user',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0092 D4 — the ONE generic affordance opened on an identity table:\n // standard row editing. Safe because the plugin-auth identity write guard\n // (ADR-0092 D2) enforces the profile whitelist server-side — a user-context\n // update may only touch SYS_USER_PROFILE_EDIT_FIELDS ({name, image});\n // everything else is stripped/rejected regardless of what a form submits.\n // The permission layer still decides WHO may edit (platform admins only by\n // default; member/org-admin sets keep allowEdit: false). create / import /\n // delete stay bucket-default (off).\n userActions: { edit: true },\n // ADR-0010 §3.7 — identity table is managed by better-auth; schema must not drift.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'User accounts for authentication',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'email', 'email_verified'],\n\n // Custom actions — generic CRUD is suppressed because user accounts are\n // managed by better-auth, but we still need first-class affordances for\n // common operations. Each action delegates to a Console-side named script\n // registered on the ActionRunner (see objectui `AppContent.tsx`). Adding\n // new affordances (reset password, revoke session, …) is now a pure\n // schema + script-registration change — no per-view code.\n actions: [\n {\n name: 'invite_user',\n label: 'Invite User',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/invite-member',\n // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the\n // better-auth organization plugin is always mounted, and single-org\n // mode now bootstraps a Default Organization (plugin-auth) so the\n // endpoint's active-org resolution works there too. This is THE\n // \"add a teammate\" affordance — the Users list is always reachable —\n // and every add flows through better-auth invitations, never bespoke\n // sys_user CRUD.\n visible: 'features.organization != false',\n successMessage: 'Invitation sent',\n refreshAfter: true,\n params: [\n { field: 'email', required: true },\n { field: 'role', objectOverride: 'sys_member', required: true },\n ],\n },\n\n // ── Platform admin operations (require better-auth `admin` plugin) ─\n //\n // These actions hit /api/v1/auth/admin/* endpoints that are only\n // wired when `auth.plugins.admin` is enabled. When the plugin is\n // disabled the actions still render (schema is static) but server\n // returns 404. UI surfaces them under the row menu AND the\n // record-detail header (`record_header`, overflowing into the ⋯\n // \"More\" menu) so platform admins can manage an account from either\n // the Users list or an open user record — without dropping to SQL or\n // a custom Setup wizard.\n {\n name: 'ban_user',\n label: 'Ban User',\n icon: 'ban',\n variant: 'danger',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/ban-user',\n recordIdParam: 'userId',\n successMessage: 'User banned',\n refreshAfter: true,\n confirmText: 'Ban this user? They will be signed out and unable to sign in until unbanned.',\n params: [\n { name: 'banReason', label: 'Ban Reason', type: 'text', required: false },\n ],\n },\n {\n name: 'unban_user',\n label: 'Unban User',\n icon: 'check-circle-2',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/unban-user',\n recordIdParam: 'userId',\n successMessage: 'User unbanned',\n refreshAfter: true,\n },\n {\n // ADR-0069 D2 — clear a brute-force lockout early (locked_until auto-\n // expires, but an admin can release a user immediately). Hits the\n // plugin-auth custom route, which is admin-guarded server-side.\n name: 'unlock_user',\n label: 'Unlock Account',\n icon: 'lock-open',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/unlock-user',\n recordIdParam: 'userId',\n successMessage: 'Account unlocked',\n refreshAfter: true,\n },\n {\n // #2766 V1 — a platform admin can add a login-capable teammate without\n // the email-dependent invite flow. Hits the plugin-auth wrapper route\n // (NOT better-auth's stock /admin/create-user): the wrapper runs the\n // ADR-0068 admin gate, drives the better-auth pipeline (scrypt hash +\n // credential sys_account), stamps must_change_password, and — when\n // \"Generate temporary password\" is picked — returns the password ONCE\n // in the response for the result dialog. It is never persisted or logged.\n name: 'create_user',\n label: 'Create User',\n icon: 'user-plus',\n variant: 'secondary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/admin/create-user',\n visible: 'features.admin == true',\n successMessage: 'User created',\n refreshAfter: true,\n params: [\n // The endpoint requires email OR phone (phone-only users get a\n // placeholder address; requires auth.plugins.phoneNumber).\n { field: 'email', required: false },\n {\n name: 'phoneNumber',\n label: 'Phone Number',\n type: 'text',\n required: false,\n helpText: 'Sign-in phone number (E.164, e.g. +8613800000000). Required when no email is given.',\n // Only offer phone when the opt-in phoneNumber auth plugin is loaded —\n // otherwise the create-user endpoint rejects a phone with\n // \"Phone numbers require the phoneNumber auth plugin\". `features.phoneNumber`\n // is served in /api/v1/auth/config (getPublicConfig).\n visible: 'features.phoneNumber == true',\n },\n { field: 'name', required: false },\n {\n name: 'generatePassword',\n label: 'Generate Temporary Password',\n type: 'boolean',\n required: false,\n defaultValue: true,\n },\n { name: 'password', label: 'Password (leave empty to generate)', type: 'text', required: false },\n {\n name: 'mustChangePassword',\n label: 'Require Password Change On First Login',\n type: 'boolean',\n required: false,\n defaultValue: true,\n },\n ],\n resultDialog: {\n title: 'User Created',\n description:\n 'Copy the temporary password now — it is shown only once and never stored.',\n acknowledge: 'I have saved this password',\n fields: [\n { path: 'user.email', label: 'Email', format: 'text' },\n { path: 'temporaryPassword', label: 'Temporary Password', format: 'secret' },\n ],\n },\n },\n {\n name: 'set_user_password',\n label: 'Set Password',\n icon: 'key-round',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n // #2766 V1 — same path as better-auth's stock route, but served by the\n // plugin-auth wrapper registered ahead of the catch-all: it accepts the\n // ADR-0068 platform-admin signals (the stock handler only honors the\n // legacy role scalar), can mint a temporary password, and stamps\n // must_change_password.\n target: '/api/v1/auth/admin/set-user-password',\n recordIdParam: 'userId',\n successMessage: 'Password updated',\n refreshAfter: false,\n params: [\n {\n name: 'generatePassword',\n label: 'Generate Temporary Password',\n type: 'boolean',\n required: false,\n defaultValue: false,\n },\n { name: 'newPassword', label: 'New Password (leave empty to generate)', type: 'text', required: false },\n {\n name: 'mustChangePassword',\n label: 'Require Password Change On Next Login',\n type: 'boolean',\n required: false,\n defaultValue: true,\n },\n ],\n resultDialog: {\n title: 'Password Updated',\n description:\n 'If a temporary password was generated, copy it now — it is shown only once and never stored.',\n acknowledge: 'Done',\n fields: [\n { path: 'temporaryPassword', label: 'Temporary Password', format: 'secret' },\n ],\n },\n },\n {\n name: 'set_user_role',\n label: 'Set Platform Role',\n icon: 'shield-check',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/set-role',\n recordIdParam: 'userId',\n successMessage: 'Role updated',\n refreshAfter: true,\n params: [\n { name: 'role', label: 'Platform Role', type: 'text', required: true },\n ],\n },\n {\n name: 'impersonate_user',\n label: 'Impersonate User',\n icon: 'user-cog',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/impersonate-user',\n recordIdParam: 'userId',\n successMessage: 'Now impersonating user',\n refreshAfter: true,\n confirmText: 'Start an impersonation session for this user? Use only for legitimate support cases — actions will be logged.',\n },\n\n // ── Self-service actions (the row owner only) ─────────────────────\n //\n // These four actions are the \"account settings\" surfaces the standalone\n // Account SPA used to own (`/account/profile`, `/account/security`).\n // They are visible only when the current row is the signed-in user —\n // i.e. opened from the user's own detail page or a \"My Account\" view —\n // via the `visible` CEL predicate. Admin equivalents (set_user_password\n // for any account) are above and stay separate.\n {\n name: 'update_my_profile',\n label: 'Update Profile',\n icon: 'user-pen',\n variant: 'primary',\n mode: 'edit',\n locations: ['record_header'],\n type: 'api',\n target: '/api/v1/auth/update-user',\n visible: 'record.id == ctx.user.id',\n successMessage: 'Profile updated',\n refreshAfter: true,\n params: [\n { field: 'name', required: false, defaultFromRow: true },\n { field: 'image', required: false, defaultFromRow: true },\n ],\n },\n {\n name: 'change_my_password',\n label: 'Change Password',\n icon: 'key',\n variant: 'secondary',\n locations: ['record_header', 'record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/change-password',\n // Managed (IdP-provisioned) users hold no local credential — hide the\n // password form so they can't self-mint a password that bypasses\n // enforced SSO. The break-glass owner (env-native, or flipped back when\n // their break-glass password is set) keeps it. ADR-0024 D4/D5.2.\n visible: 'record.id == ctx.user.id && record.source != \"idp_provisioned\"',\n successMessage: 'Password changed',\n refreshAfter: false,\n params: [\n { name: 'currentPassword', label: 'Current Password', type: 'text', required: true },\n { name: 'newPassword', label: 'New Password', type: 'text', required: true },\n { name: 'revokeOtherSessions', label: 'Sign out other devices', type: 'boolean', required: false, defaultValue: true },\n ],\n },\n {\n name: 'change_my_email',\n label: 'Change Email',\n icon: 'mail',\n variant: 'secondary',\n locations: ['record_header', 'record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/change-email',\n // A managed user's email is owned by the IdP — a local change would\n // desync. Hide for IdP-provisioned; env-native users keep it.\n visible: 'record.id == ctx.user.id && record.source != \"idp_provisioned\"',\n successMessage: 'Verification email sent — check the new address to confirm.',\n refreshAfter: false,\n params: [\n { name: 'newEmail', label: 'New Email', type: 'email', required: true },\n ],\n },\n {\n name: 'resend_verification_email',\n label: 'Resend Verification Email',\n icon: 'mail-check',\n variant: 'secondary',\n locations: ['record_header', 'record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/send-verification-email',\n // Only render for the row owner AND when their email is still\n // unverified — there's nothing to resend once verified.\n visible: 'record.id == ctx.user.id && record.email_verified == false',\n successMessage: 'Verification email sent — check your inbox.',\n refreshAfter: false,\n params: [],\n },\n {\n name: 'delete_my_account',\n label: 'Delete My Account',\n icon: 'user-x',\n variant: 'danger',\n mode: 'delete',\n locations: ['record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/delete-user',\n // Self-delete needs a local password; managed users are deprovisioned\n // via the IdP (org-removal / SCIM), not local self-service. Hide for them.\n visible: 'record.id == ctx.user.id && record.source != \"idp_provisioned\"',\n confirmText: 'Permanently delete your account? This cannot be undone — all your sessions will be terminated and all data you own will be removed per the configured retention policy.',\n successMessage: 'Account deleted',\n refreshAfter: false,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n // ── Two-factor authentication ─────────────────────────────────\n // Enable flow returns { totpURI, backupCodes } — surfacing those\n // safely needs a QR + verify UI that the generic action engine\n // can't render yet. We still expose it so the API call works\n // and the success toast displays the otpauth:// URI that users\n // can manually add to an authenticator app as a fallback.\n {\n name: 'enable_two_factor',\n label: 'Enable Two-Factor Auth',\n icon: 'shield-plus',\n variant: 'primary',\n locations: ['record_section'],\n type: 'api',\n target: '/api/v1/auth/two-factor/enable',\n visible: 'record.id == ctx.user.id && record.two_factor_enabled != true',\n successMessage: 'Two-factor authentication enabled. Scan the QR code or paste the otpauth URI into your authenticator app, then verify a code to complete setup.',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n {\n name: 'disable_two_factor',\n label: 'Disable Two-Factor Auth',\n icon: 'shield-off',\n variant: 'danger',\n locations: ['record_section'],\n type: 'api',\n target: '/api/v1/auth/two-factor/disable',\n visible: 'record.id == ctx.user.id && record.two_factor_enabled == true',\n confirmText: 'Turn off two-factor authentication? Your account will be less secure.',\n successMessage: 'Two-factor authentication disabled.',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n {\n name: 'generate_backup_codes',\n label: 'Regenerate Backup Codes',\n icon: 'list-restart',\n variant: 'secondary',\n locations: ['record_section'],\n type: 'api',\n target: '/api/v1/auth/two-factor/generate-backup-codes',\n visible: 'record.id == ctx.user.id && record.two_factor_enabled == true',\n confirmText: 'Generate a new set of backup codes? Any previously generated codes will stop working.',\n successMessage: 'New backup codes generated — save them somewhere safe.',\n refreshAfter: false,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n ],\n\n listViews: {\n // Self-service profile entry — surfaced by the Account App so every\n // authenticated user can view / edit their own basic profile (name,\n // email, avatar). Filtered to a single row (the caller) via the\n // `{current_user_id}` template variable; RLS additionally enforces\n // that non-admins cannot read other users' rows.\n me: {\n type: 'grid',\n name: 'me',\n label: 'My Profile',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'email_verified', 'two_factor_enabled', 'updated_at'],\n filter: [{ field: 'id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 1 },\n },\n all_users: {\n type: 'grid',\n name: 'all_users',\n label: 'All Users',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'email_verified', 'source', 'two_factor_enabled', 'created_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n unverified: {\n type: 'grid',\n name: 'unverified',\n label: 'Unverified',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'created_at'],\n filter: [{ field: 'email_verified', operator: 'equals', value: false }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n two_factor: {\n type: 'grid',\n name: 'two_factor',\n label: '2FA Enabled',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'two_factor_enabled', 'updated_at'],\n filter: [{ field: 'two_factor_enabled', operator: 'equals', value: true }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n banned: {\n type: 'grid',\n name: 'banned',\n label: 'Banned',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'banned', 'ban_reason', 'ban_expires'],\n filter: [{ field: 'banned', operator: 'equals', value: true }],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity (primary business fields) ───────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n // ADR-0092 D4 — with the generic edit affordance open, every non-profile\n // field is readonly so the standard edit form renders it non-editable.\n // This is UX only; the server boundary is the plugin-auth identity write\n // guard (ADR-0092 D2), which strips/rejects these regardless.\n email: Field.email({\n label: 'Email',\n required: true,\n readonly: true, // login identity — change flows through better-auth change-email verification\n searchable: true,\n group: 'Identity',\n }),\n\n email_verified: Field.boolean({\n label: 'Email Verified',\n defaultValue: false,\n readonly: true,\n group: 'Identity',\n }),\n\n two_factor_enabled: Field.boolean({\n label: 'Two-Factor Enabled',\n defaultValue: false,\n readonly: true,\n group: 'Identity',\n description: 'Whether two-factor authentication is enabled for this user. Maintained by the better-auth `twoFactor` plugin.',\n }),\n\n // ── Admin (managed by better-auth `admin` plugin when enabled) ───\n role: Field.text({\n label: 'Platform Role',\n required: false,\n readonly: true, // ADR-0092 — set via the Set Platform Role action, never the edit form\n maxLength: 64,\n group: 'Admin',\n description: 'Platform-level role (admin, user, …). Set via the Set Platform Role action.',\n }),\n\n banned: Field.boolean({\n label: 'Banned',\n defaultValue: false,\n readonly: true, // ADR-0092 — toggled via Ban/Unban actions (session side effects)\n group: 'Admin',\n description: 'When true, the user cannot sign in. Toggle via Ban User / Unban User actions.',\n }),\n\n ban_reason: Field.text({\n label: 'Ban Reason',\n required: false,\n readonly: true, // ADR-0092 — written by the Ban User action\n maxLength: 255,\n group: 'Admin',\n }),\n\n ban_expires: Field.datetime({\n label: 'Ban Expires',\n required: false,\n readonly: true, // ADR-0092 — written by the Ban User action\n group: 'Admin',\n description: 'When set, the ban auto-clears at this time.',\n }),\n\n // ── Anti-brute-force (ADR-0069 D2) — owned by objectql, better-auth is\n // oblivious. The auth manager's sign-in hooks maintain these: failures\n // increment the counter; crossing `lockout_threshold` stamps\n // `locked_until`; a successful sign-in resets both. Admins can clear\n // them early via the Unlock action.\n failed_login_count: Field.number({\n label: 'Failed Login Count',\n required: false,\n defaultValue: 0,\n readonly: true,\n group: 'Admin',\n description: 'Consecutive failed sign-in attempts; reset to 0 on success. Maintained by the auth manager.',\n }),\n\n locked_until: Field.datetime({\n label: 'Locked Until',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'When set and in the future, sign-in is rejected (brute-force lockout). Auto-clears past this time; an admin can clear it early via Unlock.',\n }),\n\n // ADR-0069 D1 — last password change; drives password-expiry enforcement.\n // Stamped on sign-up / change-password / reset-password. Null = never\n // expires (until the user next changes their password).\n password_changed_at: Field.datetime({\n label: 'Password Changed At',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'Timestamp of the last password change. Backs password_expiry_days; system-managed.',\n }),\n\n // #2766 V1.5 — phone-number sign-in identifier (better-auth phoneNumber\n // plugin, mapped via buildPhoneNumberPluginSchema). Unique when present;\n // null for email-only accounts. Written through better-auth, not CRUD.\n phone_number: Field.text({\n label: 'Phone Number',\n required: false,\n readonly: true,\n searchable: true,\n maxLength: 32,\n group: 'Account',\n description:\n 'Sign-in phone number (E.164 recommended). Unique per user; managed by ' +\n 'better-auth when the phoneNumber plugin is enabled.',\n }),\n\n phone_number_verified: Field.boolean({\n label: 'Phone Verified',\n defaultValue: false,\n readonly: true,\n group: 'Account',\n description:\n 'Whether the phone number has been verified (OTP verification requires ' +\n 'SMS infrastructure; false until that ships). System-managed.',\n }),\n\n // #2766 V1 — admin-issued \"must change password on next sign-in\" flag.\n // Set by the /admin/create-user and /admin/set-user-password routes when\n // a temporary password is issued; enforced through the ADR-0069 authGate\n // (surfaces as PASSWORD_EXPIRED); cleared by stampPasswordChangedAt once\n // the user completes a password change.\n must_change_password: Field.boolean({\n label: 'Must Change Password',\n defaultValue: false,\n readonly: true,\n group: 'Admin',\n description:\n 'When true, the user is blocked (403 PASSWORD_EXPIRED) until they change ' +\n 'their password. Stamped by the admin user-management routes; system-managed.',\n }),\n\n // ADR-0069 D3 — when enforced MFA first applied to this user; starts the\n // grace clock. Stamped lazily at session validation; system-managed.\n mfa_required_at: Field.datetime({\n label: 'MFA Required At',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'When enforced MFA first applied to this user (grace-period clock). Backs mfa_required; system-managed.',\n }),\n\n // ADR-0069 D7 — login audit. Stamped on every successful `/sign-in/email`\n // by the auth manager's after-hook (independent of lockout config). Backs\n // the admin \"last seen\" surface + anomaly review; system-managed, read-only.\n last_login_at: Field.datetime({\n label: 'Last Login At',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'Timestamp of the last successful sign-in. Stamped by the auth manager; system-managed.',\n }),\n\n last_login_ip: Field.text({\n label: 'Last Login IP',\n required: false,\n readonly: true,\n maxLength: 45, // IPv6 max textual length\n group: 'Admin',\n description: 'Client IP of the last successful sign-in (from the trusted proxy forwarded header). System-managed.',\n }),\n\n ai_access: Field.boolean({\n label: 'AI Access',\n defaultValue: false,\n readonly: true, // ADR-0092 — a licensed-seat grant; flows through the AiSeatPlugin enforcement path\n group: 'Admin',\n description:\n 'Whether this user holds an AI seat — grants access to the in-UI AI ' +\n 'agents (build / ask). The framework synthesizes the `ai_seat` ' +\n 'capability from this flag (plugin-hono-server resolveCtx). Assignment ' +\n 'is capped by the licensed / purchased seat count (enforced by ' +\n '@objectstack/security-enterprise AiSeatPlugin). Owned by objectql ' +\n '(better-auth is oblivious to this column).',\n }),\n\n // ── Profile ──────────────────────────────────────────────────\n image: Field.url({\n label: 'Profile Image',\n required: false,\n group: 'Profile',\n }),\n\n // ── Organization ─────────────────────────────────────────────\n manager_id: Field.lookup('sys_user', {\n label: 'Manager',\n required: false,\n readonly: true, // ADR-0092 — drives own_and_reports RLS scope; org-structure maintenance is its own surface\n group: 'Organization',\n description: \"This user's direct manager. Forms the reporting chain the `own_and_reports` hierarchy scope walks (ADR-0057 / @objectstack/security-enterprise).\",\n }),\n\n primary_business_unit_id: Field.lookup('sys_business_unit', {\n label: 'Primary Business Unit',\n required: false,\n readonly: true, // ADR-0092 — denormalised projection maintained by plugin-sharing; never hand-edited\n group: 'Organization',\n description: \"The user's primary business unit — a denormalised projection of sys_business_unit_member.is_primary, maintained by plugin-sharing (ADR-0057 addendum D12). Lets a user-lookup filter candidates by business unit without traversing the membership junction. Do not edit directly; set it via business-unit membership.\",\n }),\n\n // ── System (auto-managed, hidden from create/edit forms) ─────\n // Identity provenance (ADR-0024 D4). `idp_provisioned` users were\n // JIT-created on first federated login (a `sys_account` exists for an\n // external/OIDC provider — e.g. the cloud-as-IdP `objectstack-cloud`\n // provider, or a customer's own IdP); `env_native` users registered\n // locally (email/password) or are app end-users. Stamped automatically by\n // the AuthManager `account.create.after` hook — never edited by hand.\n // Drives the managed-vs-native user-mgmt UI gating (the password /\n // identity-edit actions hide for managed users, who hold no local\n // credential) and is the marker SCIM lifecycle keys off. Owned by objectql\n // (better-auth is oblivious to this column — like `ai_access`).\n source: Field.select({\n label: 'Identity Source',\n required: false,\n readonly: true,\n group: 'System',\n defaultValue: 'env_native',\n options: [\n { label: 'IdP-Provisioned', value: 'idp_provisioned' },\n { label: 'Env-Native', value: 'env_native' },\n ],\n description: 'How this identity was created — idp_provisioned (federated SSO JIT) or env_native (local signup / app end-user). System-managed; do not edit.',\n }),\n\n id: Field.text({\n label: 'User ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['email'], unique: true },\n { fields: ['created_at'], unique: false },\n // #2766 V1.5 — phone sign-in identifier; unique when present (null for\n // email-only accounts), also the upsert match key for identity import.\n { fields: ['phone_number'], unique: true },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n\n // Email uniqueness is enforced by the unique index above (and better-auth's\n // managed user table). A declarative `unique` validation rule is intentionally\n // not used — uniqueness needs a DB lookup, not a synchronous validation, so it\n // is not one of the declarable validation-rule types.\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_session — System Session Object\n *\n * Active user session record for the ObjectStack platform.\n * Backed by better-auth's `session` model with ObjectStack field conventions.\n *\n * The `token` field is hidden by default — sessions are managed by the\n * auth plugin, not edited manually. Admins see session metadata\n * (user, expiry, IP, active context) without exposing the token value.\n *\n * @namespace sys\n */\nexport const SysSession = ObjectSchema.create({\n name: 'sys_session',\n label: 'Session',\n pluralLabel: 'Sessions',\n icon: 'key',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Active user sessions',\n displayNameField: 'user_id',\n nameField: 'user_id', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: 'Session — {user_id}',\n highlightFields: ['user_id', 'ip_address', 'expires_at'],\n\n // Custom actions — sessions are managed by better-auth (generic CRUD\n // suppressed). \"Sign out other devices\" is the high-value self-service\n // affordance every IdP exposes. Maps to better-auth's\n // `revoke-other-sessions` endpoint which terminates every session for\n // the current user except the one making the request.\n actions: [\n {\n name: 'revoke_my_other_sessions',\n label: 'Sign out other devices',\n icon: 'log-out',\n variant: 'danger',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/revoke-other-sessions',\n confirmText: 'Sign out of every other device where you\\'re currently logged in? Your current session will remain active.',\n successMessage: 'All other sessions revoked',\n refreshAfter: true,\n },\n {\n name: 'revoke_session',\n label: 'Revoke Session',\n icon: 'log-out',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/revoke-session',\n // better-auth `revoke-session` keys off the session token, not the id.\n recordIdParam: 'token',\n recordIdField: 'token',\n confirmText: 'Revoke this session? The user will be signed out from that device.',\n successMessage: 'Session revoked',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Sessions',\n data: { provider: 'object', object: 'sys_session' },\n columns: ['ip_address', 'active_organization_id', 'created_at', 'expires_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_sessions: {\n type: 'grid',\n name: 'all_sessions',\n label: 'All',\n data: { provider: 'object', object: 'sys_session' },\n columns: ['user_id', 'ip_address', 'active_organization_id', 'created_at', 'expires_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Session owner & expiry ──────────────────────────────────\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n searchable: true,\n group: 'Session',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n group: 'Session',\n }),\n\n // ── ADR-0069 D4 — session controls (idle / absolute / revoke) ──\n last_activity_at: Field.datetime({\n label: 'Last Activity At',\n required: false,\n readonly: true,\n group: 'Session',\n description: 'Timestamp of the last request on this session; drives idle-timeout. System-managed.',\n }),\n revoked_at: Field.datetime({\n label: 'Revoked At',\n required: false,\n readonly: true,\n group: 'Session',\n description: 'When set, this session was revoked (idle / absolute-max / concurrent-cap / admin). System-managed.',\n }),\n revoke_reason: Field.text({\n label: 'Revoke Reason',\n required: false,\n maxLength: 64,\n readonly: true,\n group: 'Session',\n description: 'Why the session was revoked (idle_timeout, absolute_max, concurrent_cap, …).',\n }),\n\n // ── Active context (multi-org/team) ──────────────────────────\n active_organization_id: Field.lookup('sys_organization', {\n label: 'Active Organization',\n required: false,\n group: 'Context',\n }),\n\n active_team_id: Field.lookup('sys_team', {\n label: 'Active Team',\n required: false,\n group: 'Context',\n }),\n\n // ── Client fingerprint ───────────────────────────────────────\n ip_address: Field.text({\n label: 'IP Address',\n required: false,\n maxLength: 45, // Support IPv6\n group: 'Client',\n }),\n\n user_agent: Field.textarea({\n label: 'User Agent',\n required: false,\n group: 'Client',\n }),\n\n // ── Admin (managed by better-auth `admin` plugin) ────────────\n impersonated_by: Field.lookup('sys_user', {\n label: 'Impersonated By',\n required: false,\n group: 'Admin',\n description: 'User id of the admin that started this impersonation session, if any.',\n }),\n\n // ── Secret (hidden by default) ──────────────────────────────\n token: Field.text({\n label: 'Session Token',\n required: true,\n hidden: true,\n readonly: true,\n description: 'Opaque session token — never exposed in UI',\n group: 'Secret',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Session ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['user_id'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'delete'],\n trash: false,\n mru: false,\n clone: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_account — System Account Object\n *\n * OAuth / credential provider account record.\n * Backed by better-auth's `account` model with ObjectStack field conventions.\n *\n * @namespace sys\n */\nexport const SysAccount = ObjectSchema.create({\n name: 'sys_account',\n label: 'Account',\n pluralLabel: 'Accounts',\n icon: 'link',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'OAuth and authentication provider accounts',\n titleFormat: '{provider_id} - {account_id}',\n highlightFields: ['provider_id', 'user_id', 'account_id'],\n\n // Custom actions — sysadmins routinely need to revoke a user's OAuth\n // link (e.g. when an SSO provider is decommissioned or the user\n // requests it). Better-auth exposes `/unlink-account { providerId,\n // accountId }` for this. The form is locked to the row's values so\n // it acts as a one-click confirmation rather than a free-form edit.\n //\n // `link_social` is the self-service counterpart — a toolbar action\n // that redirects the browser to better-auth's social sign-in endpoint\n // with a callbackURL pointing back to the linked-accounts view. The\n // endpoint sets the link cookie and OAuth-dances through the provider,\n // which is why it's `type: 'url'` (full page navigation) rather than\n // `type: 'api'` (XHR — would block on CORS / 302).\n actions: [\n {\n name: 'link_social',\n label: 'Link Social Account',\n icon: 'link-2',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'url',\n target: '/api/v1/auth/sign-in/social?provider=${param.provider}&callbackURL=${ctx.origin}/_console/apps/account/sys_account',\n params: [\n {\n name: 'provider',\n label: 'Provider',\n type: 'select',\n required: true,\n options: [\n { label: 'Google', value: 'google' },\n { label: 'GitHub', value: 'github' },\n { label: 'Microsoft', value: 'microsoft' },\n { label: 'Apple', value: 'apple' },\n { label: 'Facebook', value: 'facebook' },\n { label: 'GitLab', value: 'gitlab' },\n { label: 'Discord', value: 'discord' },\n ],\n },\n ],\n },\n {\n name: 'unlink_account',\n label: 'Unlink Account',\n icon: 'unlink',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/unlink-account',\n confirmText: 'Unlink this identity link? The user will no longer be able to sign in with this provider until they re-link it from their account settings.',\n successMessage: 'Identity link removed',\n refreshAfter: true,\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n { name: 'accountId', field: 'account_id', defaultFromRow: true, required: true },\n ],\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Links',\n data: { provider: 'object', object: 'sys_account' },\n columns: ['provider_id', 'account_id', 'created_at', 'updated_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'provider_id', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_provider: {\n type: 'grid',\n name: 'by_provider',\n label: 'By Provider',\n data: { provider: 'object', object: 'sys_account' },\n columns: ['provider_id', 'user_id', 'account_id', 'created_at'],\n sort: [{ field: 'provider_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'provider_id', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_links: {\n type: 'grid',\n name: 'all_links',\n label: 'All',\n data: { provider: 'object', object: 'sys_account' },\n columns: ['provider_id', 'user_id', 'account_id', 'created_at', 'updated_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n \n fields: {\n id: Field.text({\n label: 'Account ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n description: 'OAuth provider identifier (google, github, etc.)',\n }),\n \n account_id: Field.text({\n label: 'Provider Account ID',\n required: true,\n description: \"User's ID in the provider's system\",\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Link to user table',\n }),\n \n access_token: Field.textarea({\n label: 'Access Token',\n required: false,\n }),\n \n refresh_token: Field.textarea({\n label: 'Refresh Token',\n required: false,\n }),\n \n id_token: Field.textarea({\n label: 'ID Token',\n required: false,\n }),\n \n access_token_expires_at: Field.datetime({\n label: 'Access Token Expires At',\n required: false,\n }),\n \n refresh_token_expires_at: Field.datetime({\n label: 'Refresh Token Expires At',\n required: false,\n }),\n \n scope: Field.text({\n label: 'OAuth Scope',\n required: false,\n }),\n \n password: Field.text({\n label: 'Password Hash',\n required: false,\n description: 'Hashed password for email/password provider',\n }),\n\n // ADR-0069 D1 — bounded ring of previous password hashes (JSON array of\n // strings), used to reject password reuse on change/reset. Maintained by\n // the auth manager; never exposed in UI.\n previous_password_hashes: Field.textarea({\n label: 'Previous Password Hashes',\n required: false,\n readonly: true,\n hidden: true,\n description: 'JSON array of prior password hashes (bounded by password_history_count); reuse-prevention only. System-managed.',\n }),\n },\n \n indexes: [\n { fields: ['user_id'], unique: false },\n { fields: ['provider_id', 'account_id'], unique: true },\n ],\n \n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_verification — System Verification Object\n *\n * Email and phone verification token record.\n * Backed by better-auth's `verification` model with ObjectStack field conventions.\n *\n * @namespace sys\n */\nexport const SysVerification = ObjectSchema.create({\n name: 'sys_verification',\n label: 'Verification',\n pluralLabel: 'Verifications',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE one-time credentials\n // (email/phone verification + password-reset tokens) — reading one is\n // account takeover. Not covered by the wildcard `'*'` grant; admins retain\n // access via the superuser bypass; better-auth reads via its adapter\n // (system context), so verification flows are unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Email and phone verification tokens',\n titleFormat: 'Verification for {identifier}',\n highlightFields: ['identifier', 'expires_at', 'created_at'],\n \n fields: {\n id: Field.text({\n label: 'Verification ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n value: Field.text({\n label: 'Verification Token',\n required: true,\n description: 'Token or code for verification',\n }),\n \n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n identifier: Field.text({\n label: 'Identifier',\n required: true,\n description: 'Email address or phone number',\n }),\n },\n \n indexes: [\n // `value` must NOT be unique. better-auth's oauth-provider stores OIDC\n // authorization codes in this table with `value` = a JSON blob keyed by\n // user+client+state, which can legitimately repeat. A UNIQUE constraint\n // makes `/api/v1/auth/oauth2/authorize` fail (`UNIQUE constraint failed:\n // sys_verification.value`) → 503, breaking cloud-as-IdP SSO entirely.\n // better-auth keys verification lookups on `identifier`, not `value`.\n { fields: ['value'], unique: false },\n { fields: ['identifier'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n \n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_organization — System Organization Object\n *\n * Multi-organization support for the ObjectStack platform.\n * Backed by better-auth's organization plugin.\n *\n * @namespace sys\n */\nexport const SysOrganization = ObjectSchema.create({\n name: 'sys_organization',\n label: 'Organization',\n pluralLabel: 'Organizations',\n icon: 'building-2',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Organizations for multi-tenant grouping',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'slug'],\n\n // Custom actions — generic CRUD is suppressed (better-auth-managed),\n // but admins still need to create new orgs from the Setup app.\n actions: [\n {\n name: 'create_organization',\n label: 'Create Organization',\n icon: 'plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/create',\n successMessage: 'Organization created',\n refreshAfter: true,\n // Hidden when the deployment is provisioned in single-org mode\n // (`OS_MULTI_ORG_ENABLED=false`). `features.multiOrgEnabled` is\n // populated by the console/account shells from `/auth/config`;\n // we default to visible when the flag is undefined so we don't\n // accidentally hide the button while auth config is still loading.\n visible: 'features.multiOrgEnabled != false',\n params: [\n { field: 'name', required: true },\n { field: 'slug', required: true },\n { field: 'logo' },\n ],\n },\n {\n name: 'update_organization',\n label: 'Edit Organization',\n icon: 'pencil',\n mode: 'edit',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update',\n recordIdParam: 'organizationId',\n // better-auth `organization/update` nests editable fields under `data`.\n bodyShape: { wrap: 'data' },\n // Org-admin actions are multi-org-only; hide them in single-org for\n // consistency with `create_organization` (the org list is empty there,\n // but this also guards direct record-URL access).\n visible: 'features.multiOrgEnabled != false',\n successMessage: 'Organization updated',\n refreshAfter: true,\n params: [\n { field: 'name', required: true, defaultFromRow: true },\n { field: 'slug', required: true, defaultFromRow: true },\n { field: 'logo', defaultFromRow: true },\n ],\n },\n {\n name: 'delete_organization',\n label: 'Delete Organization',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/delete',\n recordIdParam: 'organizationId',\n visible: 'features.multiOrgEnabled != false',\n confirmText: 'Delete this organization? All members will lose access immediately. This cannot be undone.',\n successMessage: 'Organization deleted',\n refreshAfter: true,\n },\n {\n // Switch the caller's active organization context. Standard\n // better-auth endpoint; no extra params needed (org id ships as\n // the row id). Used from the Setup list and the record header so\n // admins can context-switch without leaving the page.\n name: 'set_active_organization',\n label: 'Set Active',\n icon: 'check-circle-2',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/set-active',\n recordIdParam: 'organizationId',\n visible: 'features.multiOrgEnabled != false',\n successMessage: 'Active organization switched',\n refreshAfter: true,\n },\n {\n // Current user leaves the org. Distinct from `delete_organization`\n // (admin-only, destroys the org) — `leave` only removes the caller's\n // own membership. Better-auth: `organization/leave { organizationId }`.\n name: 'leave_organization',\n label: 'Leave Organization',\n icon: 'log-out',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/leave',\n recordIdParam: 'organizationId',\n visible: 'features.multiOrgEnabled != false',\n confirmText: 'Leave this organization? You will lose access to all of its resources.',\n successMessage: 'You have left the organization',\n refreshAfter: true,\n },\n {\n // Rename the organization slug (URL prefix). Backed by the cloud\n // orchestrator at /api/v1/cloud/organizations/{id}/change-slug,\n // which atomically updates sys_organization.slug, rewrites\n // platform_subdomain sys_domain rows under the new slug, soft-\n // retires the old rows with a redirect window, parks the old\n // slug in sys_slug_reservation, and refreshes the registry\n // mirror. See cloud `docs/design/sys-domain.md` §6.\n name: 'change_slug',\n label: 'Change Slug',\n icon: 'edit-3',\n variant: 'secondary',\n mode: 'custom',\n locations: ['record_header'],\n type: 'api',\n target: '/api/v1/cloud/organizations/{id}/change-slug',\n method: 'POST',\n visible: 'features.multiOrgEnabled != false',\n confirmText: 'Renaming the slug rewrites every platform subdomain for this org and parks the old slug for 90 days. Continue?',\n successMessage: 'Organization slug changed',\n refreshAfter: true,\n params: [\n { field: 'slug', required: true, defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n all_orgs: {\n type: 'grid',\n name: 'all_orgs',\n label: 'All',\n data: { provider: 'object', object: 'sys_organization' },\n columns: ['name', 'slug', 'created_at', 'updated_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n slug: Field.text({\n label: 'Slug',\n required: false,\n searchable: true,\n maxLength: 255,\n description: 'URL-friendly identifier',\n group: 'Identity',\n }),\n\n // ── Branding ─────────────────────────────────────────────────\n logo: Field.url({\n label: 'Logo',\n required: false,\n group: 'Branding',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n description: 'JSON-serialized organization metadata',\n group: 'Configuration',\n }),\n\n // ADR-0069 D3 — per-org MFA tightening above the global floor. When true,\n // members of this org must enrol TOTP to access data (enforced at the\n // session-validation gate). An org can only tighten, never loosen, the\n // global `mfa_required` setting.\n require_mfa: Field.boolean({\n label: 'Require Multi-Factor Auth',\n required: false,\n defaultValue: false,\n group: 'Configuration',\n description: 'When true, every member of this organization must enroll an authenticator app to access data.',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Organization ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['slug'], unique: true },\n { fields: ['name'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_member — System Member Object\n *\n * Organization membership linking users to organizations with roles.\n * Backed by better-auth's organization plugin.\n *\n * @namespace sys\n */\nexport const SysMember = ObjectSchema.create({\n name: 'sys_member',\n label: 'Member',\n pluralLabel: 'Members',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Organization membership records',\n // Org-independent title: organization_id is null in single-org mode, so a\n // '{user_id} in {organization_id}' format renders \"… in null\". User + role\n // identifies the membership in both single- and multi-org deployments.\n titleFormat: '{user_id} ({role})',\n highlightFields: ['user_id', 'organization_id', 'role'],\n\n // Row-level actions: better-auth `organization/update-member-role` and\n // `organization/remove-member`. Generic CRUD is suppressed on better-auth\n // managed tables, so these are the canonical edit/delete entry points.\n // The `add_member` toolbar action covers the admin \"attach an existing\n // user directly without sending an invitation\" flow.\n actions: [\n {\n // Admin-only: directly attach an existing user to the active org,\n // bypassing the invite-accept flow. Better-auth:\n // `organization/add-member { userId, role, organizationId?, teamId? }`.\n // organizationId/teamId default to the caller's active org/team when\n // omitted, so we leave them as optional params.\n name: 'add_member',\n label: 'Add Member',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/add-member',\n // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the\n // better-auth endpoints resolve the session's active org, which\n // single-org mode now guarantees via plugin-auth's default-org\n // bootstrap. Same gate on every membership mutation below.\n visible: 'features.organization != false',\n successMessage: 'Member added',\n refreshAfter: true,\n params: [\n { name: 'userId', field: 'user_id', required: true },\n { field: 'role', required: true },\n { name: 'organizationId', field: 'organization_id' },\n ],\n },\n {\n name: 'update_member_role',\n label: 'Change Role',\n icon: 'shield',\n mode: 'edit',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update-member-role',\n recordIdParam: 'memberId',\n visible: 'features.organization != false',\n successMessage: 'Member role updated',\n refreshAfter: true,\n params: [\n { field: 'role', required: true, defaultFromRow: true },\n ],\n },\n {\n name: 'remove_member',\n label: 'Remove Member',\n icon: 'user-minus',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/remove-member',\n recordIdParam: 'memberIdOrEmail',\n visible: 'features.organization != false',\n confirmText: 'Remove this member from the organization? They will lose access to all org resources.',\n successMessage: 'Member removed',\n refreshAfter: true,\n },\n // Transfer ownership is modeled as `update-member-role` with role=owner\n // (better-auth's organization plugin auto-demotes the previous owner\n // to admin). Kept as a separate action so the row menu can present a\n // distinct destructive-style affordance with the right confirm copy —\n // mixing it into `update_member_role` would hide the ownership-handoff\n // semantics behind a generic role dropdown.\n {\n name: 'transfer_ownership',\n label: 'Transfer Ownership',\n icon: 'crown',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update-member-role',\n recordIdParam: 'memberId',\n bodyExtra: { role: 'owner' },\n visible: \"record.role != 'owner' && features.organization != false\",\n confirmText: 'Transfer ownership of this organization to the selected member? You will be demoted to admin and lose owner-only privileges.',\n successMessage: 'Ownership transferred',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Memberships',\n data: { provider: 'object', object: 'sys_member' },\n columns: ['organization_id', 'role', 'created_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n emptyState: {\n title: 'No organizations yet',\n message: 'You haven\\'t joined any organizations.',\n },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Member ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant has no sys_organization row and no auto-stamp\n // (org-scoping is multi-tenant-only). Multi-tenant: OrgScopingPlugin stamps it\n // and tenant-isolation RLS hides null-org rows (fail-closed). ADR-0057 addendum.\n required: false,\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n }),\n \n role: Field.select({\n label: 'Role',\n required: false,\n description: 'Member role within the organization',\n options: [\n { label: 'Owner', value: 'owner' },\n { label: 'Admin', value: 'admin' },\n { label: 'Member', value: 'member' },\n ],\n defaultValue: 'member',\n }),\n },\n \n indexes: [\n { fields: ['organization_id', 'user_id'], unique: true },\n { fields: ['user_id'] },\n ],\n \n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_invitation — System Invitation Object\n *\n * Organization invitation tokens for inviting users.\n * Backed by better-auth's organization plugin.\n *\n * @namespace sys\n */\nexport const SysInvitation = ObjectSchema.create({\n name: 'sys_invitation',\n label: 'Invitation',\n pluralLabel: 'Invitations',\n icon: 'mail',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Organization invitations for user onboarding',\n // Title by invitee email rather than organization_id: the latter is null in\n // single-org mode (renders \"Invitation to null\"), and the recipient email is\n // the more useful identifier in both modes anyway.\n titleFormat: 'Invitation for {email}',\n highlightFields: ['email', 'organization_id', 'status'],\n\n // Custom actions — generic CRUD is suppressed (better-auth-managed).\n // Mirror the `invite_user` toolbar action from sys_user here so admins\n // landing on the Invitations page get an obvious entry point.\n actions: [\n {\n name: 'invite_user',\n label: 'Invite User',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/invite-member',\n // Inviting/managing invitations is a multi-org-only flow (the\n // endpoint resolves an active org absent in single-org mode). Gate\n // the admin-side actions on the multi-org flag (mirrors\n // sys_organization.create_organization). The recipient-side\n // accept/reject actions below stay record-gated — they are\n // unreachable in single-org anyway (no invitation rows exist).\n visible: 'features.organization != false',\n successMessage: 'Invitation sent',\n refreshAfter: true,\n params: [\n { field: 'email', required: true },\n { field: 'role', required: true },\n ],\n },\n {\n name: 'cancel_invitation',\n label: 'Cancel Invitation',\n icon: 'x-circle',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/cancel-invitation',\n recordIdParam: 'invitationId',\n visible: 'features.organization != false',\n confirmText: 'Cancel this invitation? The recipient will no longer be able to accept it.',\n successMessage: 'Invitation canceled',\n refreshAfter: true,\n },\n {\n name: 'resend_invitation',\n label: 'Resend Invitation',\n icon: 'send',\n variant: 'secondary',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/invite-member',\n bodyExtra: { resend: true },\n visible: 'features.organization != false',\n successMessage: 'Invitation resent',\n refreshAfter: true,\n params: [\n { field: 'email', required: true, defaultFromRow: true },\n { field: 'role', required: true, defaultFromRow: true },\n ],\n },\n\n // ── Recipient-side actions (the invited user) ────────────────────\n //\n // These two are the counterpart to invite/cancel/resend: they are\n // visible only on invitations addressed to the current user. Used\n // by an \"Inbox / Pending invitations\" list opened from the user's\n // own account page. The recipient-only `visible` predicate keeps\n // them out of the admin org-management view.\n {\n name: 'accept_invitation',\n label: 'Accept Invitation',\n icon: 'check',\n variant: 'primary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/accept-invitation',\n recordIdParam: 'invitationId',\n visible: \"record.email == ctx.user.email && record.status == 'pending'\",\n successMessage: 'Invitation accepted',\n refreshAfter: true,\n },\n {\n name: 'reject_invitation',\n label: 'Decline Invitation',\n icon: 'x',\n variant: 'ghost',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/reject-invitation',\n recordIdParam: 'invitationId',\n visible: \"record.email == ctx.user.email && record.status == 'pending'\",\n confirmText: 'Decline this invitation? The inviter will be notified and you will need a new invitation to join.',\n successMessage: 'Invitation declined',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n pending: {\n type: 'grid',\n name: 'pending',\n label: 'Pending',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'role', 'organization_id', 'inviter_id', 'expires_at'],\n filter: [{ field: 'status', operator: 'equals', value: 'pending' }],\n sort: [{ field: 'expires_at', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n accepted: {\n type: 'grid',\n name: 'accepted',\n label: 'Accepted',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'role', 'organization_id', 'inviter_id', 'created_at'],\n filter: [{ field: 'status', operator: 'equals', value: 'accepted' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n expired: {\n type: 'grid',\n name: 'expired',\n label: 'Expired / Canceled',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'status', 'organization_id', 'expires_at'],\n filter: [{ field: 'status', operator: 'in', value: ['expired', 'rejected', 'canceled'] }],\n sort: [{ field: 'expires_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_invitations: {\n type: 'grid',\n name: 'all_invitations',\n label: 'All',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'status', 'role', 'organization_id', 'inviter_id', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n \n fields: {\n id: Field.text({\n label: 'Invitation ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant has no sys_organization row and no auto-stamp\n // (org-scoping is multi-tenant-only). Multi-tenant: OrgScopingPlugin stamps it\n // and tenant-isolation RLS hides null-org rows (fail-closed). ADR-0057 addendum.\n required: false,\n }),\n \n email: Field.email({\n label: 'Email',\n required: true,\n description: 'Email address of the invited user',\n }),\n \n role: Field.select({\n label: 'Role',\n required: false,\n description: 'Role to assign upon acceptance',\n options: [\n { label: 'Owner', value: 'owner' },\n { label: 'Admin', value: 'admin' },\n { label: 'Member', value: 'member' },\n ],\n defaultValue: 'member',\n }),\n \n status: Field.select(['pending', 'accepted', 'rejected', 'expired', 'canceled'], {\n label: 'Status',\n required: true,\n defaultValue: 'pending',\n }),\n \n inviter_id: Field.lookup('sys_user', {\n label: 'Inviter',\n required: true,\n description: 'User who sent the invitation',\n }),\n \n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n team_id: Field.lookup('sys_team', {\n label: 'Team',\n required: false,\n description: 'Optional team to assign upon acceptance',\n }),\n },\n \n indexes: [\n { fields: ['organization_id'] },\n { fields: ['email'] },\n { fields: ['expires_at'] },\n ],\n \n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_team — System Team Object\n *\n * Teams within an organization for fine-grained grouping.\n * Backed by better-auth's organization plugin (teams feature).\n *\n * @namespace sys\n */\nexport const SysTeam = ObjectSchema.create({\n name: 'sys_team',\n label: 'Team',\n pluralLabel: 'Teams',\n icon: 'users',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Teams within organizations for fine-grained grouping',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'organization_id'],\n\n // Custom actions calling better-auth's team endpoints. Generic CRUD is\n // suppressed (managedBy: 'better-auth'), so these are the canonical\n // entry points for create/update/delete.\n actions: [\n {\n // Better-auth: `organization/create-team { name, organizationId? }`.\n // organizationId defaults to the caller's active org when omitted.\n name: 'create_team',\n label: 'Create Team',\n icon: 'plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/create-team',\n // Teams are nested inside organizations — a multi-org-only concept.\n // Gate every team mutation on the multi-org flag so the affordances\n // disappear in single-org (mirrors sys_organization.create_organization).\n visible: 'features.organization != false',\n successMessage: 'Team created',\n refreshAfter: true,\n params: [\n { field: 'name', required: true },\n { name: 'organizationId', field: 'organization_id' },\n ],\n },\n {\n // Better-auth: `organization/update-team { teamId, data: { name } }`.\n // teamId stays flat (top-level); the user-editable params nest under\n // `data` via bodyShape.\n name: 'update_team',\n label: 'Edit Team',\n icon: 'pencil',\n mode: 'edit',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update-team',\n recordIdParam: 'teamId',\n bodyShape: { wrap: 'data' },\n visible: 'features.organization != false',\n successMessage: 'Team updated',\n refreshAfter: true,\n params: [\n { field: 'name', required: true, defaultFromRow: true },\n ],\n },\n {\n // Better-auth: `organization/remove-team { teamId, organizationId? }`.\n // organizationId defaults to the caller's active org when omitted.\n name: 'remove_team',\n label: 'Delete Team',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/remove-team',\n recordIdParam: 'teamId',\n visible: 'features.organization != false',\n confirmText: 'Delete this team? Members will lose any team-scoped access. This cannot be undone.',\n successMessage: 'Team deleted',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n by_org: {\n type: 'grid',\n name: 'by_org',\n label: 'By Organization',\n data: { provider: 'object', object: 'sys_team' },\n columns: ['organization_id', 'name', 'created_at', 'updated_at'],\n sort: [{ field: 'organization_id', order: 'asc' }, { field: 'name', order: 'asc' }],\n grouping: { fields: [{ field: 'organization_id', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_teams: {\n type: 'grid',\n name: 'all_teams',\n label: 'All',\n data: { provider: 'object', object: 'sys_team' },\n columns: ['name', 'organization_id', 'created_at', 'updated_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant deployments have no organization row (org-scoping\n // is multi-tenant-only, nothing auto-stamps one) — requiring it would make\n // the object uncreatable single-tenant. In multi-tenant, OrgScopingPlugin\n // auto-stamps this from the active tenant and tenant-isolation RLS hides any\n // null-org row (fail-closed). ADR-0057 addendum.\n required: false,\n description: 'Parent organization for this team. Null in single-tenant; auto-stamped in multi-tenant.',\n group: 'Identity',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Team ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['organization_id'] },\n { fields: ['name', 'organization_id'], unique: true },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_team_member — System Team Member Object\n *\n * Links users to teams within organizations.\n * Backed by better-auth's organization plugin (teams feature).\n *\n * @namespace sys\n */\nexport const SysTeamMember = ObjectSchema.create({\n name: 'sys_team_member',\n label: 'Team Member',\n pluralLabel: 'Team Members',\n icon: 'user-plus',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Team membership records linking users to teams',\n titleFormat: '{user_id} in {team_id}',\n highlightFields: ['user_id', 'team_id', 'created_at'],\n\n // Custom actions calling better-auth's team-member endpoints. Generic\n // CRUD is suppressed (managedBy: 'better-auth') so these are the\n // canonical add/remove entry points.\n actions: [\n {\n // Better-auth: `organization/add-team-member { teamId, userId }`.\n name: 'add_team_member',\n label: 'Add Member',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/add-team-member',\n // Team membership lives under organizations — multi-org-only. Gate\n // both mutations so they vanish in single-org (mirrors\n // sys_organization.create_organization).\n visible: 'features.organization != false',\n successMessage: 'Team member added',\n refreshAfter: true,\n params: [\n { name: 'teamId', field: 'team_id', required: true },\n { name: 'userId', field: 'user_id', required: true },\n ],\n },\n {\n // Better-auth: `organization/remove-team-member { teamId, userId }`.\n // The endpoint identifies the membership by the (teamId, userId)\n // pair rather than the join-row id, so we pull both from the row\n // via `defaultFromRow` instead of using `recordIdParam`.\n name: 'remove_team_member',\n label: 'Remove from Team',\n icon: 'user-minus',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/remove-team-member',\n visible: 'features.organization != false',\n confirmText: 'Remove this user from the team? They will lose any team-scoped access.',\n successMessage: 'Team member removed',\n refreshAfter: true,\n params: [\n { name: 'teamId', field: 'team_id', required: true, defaultFromRow: true },\n { name: 'userId', field: 'user_id', required: true, defaultFromRow: true },\n ],\n },\n ],\n\n fields: {\n id: Field.text({\n label: 'Team Member ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n team_id: Field.lookup('sys_team', {\n label: 'Team',\n required: true,\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n }),\n },\n \n indexes: [\n { fields: ['team_id', 'user_id'], unique: true },\n { fields: ['user_id'] },\n ],\n \n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_business_unit — Business Unit (canonical org/data-partition tree, ADR-0057 D2)\n *\n * The persistent, hierarchical org chart node. **This is distinct from\n * `sys_team`** (which is the flat better-auth collaboration grouping).\n *\n * A single tenant typically has one `kind='company'` root, then nested\n * `division` / `department` / `office` nodes underneath. The\n * `kind` enum is purely a display/categorisation hint — the recursive\n * structure works identically regardless of value.\n *\n * Drives:\n * - `recipient_type='business_unit'` sharing rules\n * - `bu:` approver prefix in the approval engine\n * - Report rollups and manager chains in CRM/PM apps\n *\n * @namespace sys\n */\nexport const SysBusinessUnit = ObjectSchema.create({\n name: 'sys_business_unit',\n label: 'Business Unit',\n pluralLabel: 'Business Units',\n icon: 'building',\n isSystem: true,\n managedBy: 'platform',\n description: 'Canonical Business Unit tree — hierarchical org/data-partition node (company / division / department / region / office). ADR-0057 D2.',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'kind', 'parent_business_unit_id', 'manager_user_id'],\n\n listViews: {\n // Org chart — the hierarchy view. Surfaces the self-referencing\n // `parent_business_unit_id` tree (ADR-0057 D2) as an indented, expand/\n // collapse tree-grid. Listed first so it's the default tab; the grids\n // below stay for search / filter / bulk edit.\n org_chart: {\n type: 'tree',\n name: 'org_chart',\n label: 'Org Chart',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'kind', 'manager_user_id', 'active'],\n tree: {\n parentField: 'parent_business_unit_id',\n labelField: 'name',\n fields: ['kind', 'manager_user_id', 'active'],\n defaultExpandedDepth: 1,\n },\n sort: [{ field: 'name', order: 'asc' }],\n },\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'code', 'kind', 'parent_business_unit_id', 'manager_user_id', 'effective_from'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 100 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'code', 'kind', 'effective_to'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'effective_to', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_kind: {\n type: 'grid',\n name: 'by_kind',\n label: 'By Kind',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['kind', 'name', 'code', 'parent_business_unit_id', 'manager_user_id', 'active'],\n sort: [{ field: 'kind', order: 'asc' }, { field: 'name', order: 'asc' }],\n grouping: { fields: [{ field: 'kind', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_departments: {\n type: 'grid',\n name: 'all_departments',\n label: 'All',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'code', 'kind', 'parent_business_unit_id', 'manager_user_id', 'active'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n code: Field.text({\n label: 'Code',\n required: false,\n searchable: true,\n maxLength: 64,\n description: 'Short stable code (e.g. EMEA-SALES). Unique within tenant.',\n group: 'Identity',\n }),\n\n kind: Field.select(\n ['company', 'division', 'department', 'office', 'cost_center'],\n {\n label: 'Kind',\n required: true,\n defaultValue: 'department',\n description: 'Categorisation hint — does not change graph semantics.',\n group: 'Identity',\n },\n ),\n\n // ── Hierarchy ────────────────────────────────────────────────\n parent_business_unit_id: Field.lookup('sys_business_unit', {\n label: 'Parent Business Unit',\n required: false,\n description: 'Self-reference for the org tree. Null = root of tenant.',\n group: 'Hierarchy',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant deployments have no organization row (org-scoping\n // is multi-tenant-only, nothing auto-stamps one) — requiring it would make\n // the object uncreatable single-tenant. In multi-tenant, OrgScopingPlugin\n // auto-stamps this from the active tenant and tenant-isolation RLS hides any\n // null-org row (fail-closed). ADR-0057 addendum.\n required: false,\n description: 'Tenant scope. Null in single-tenant; auto-stamped in multi-tenant.',\n group: 'Hierarchy',\n }),\n\n // ── Leadership ───────────────────────────────────────────────\n manager_user_id: Field.lookup('sys_user', {\n label: 'Business Unit Head',\n required: false,\n description: 'User responsible for this org unit (business unit head / lead).',\n group: 'Leadership',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'When false, members are not expanded by graph queries.',\n group: 'Lifecycle',\n }),\n\n effective_from: Field.datetime({\n label: 'Effective From',\n required: false,\n description: 'When this business unit came into existence (HRIS sync).',\n group: 'Lifecycle',\n }),\n\n effective_to: Field.datetime({\n label: 'Effective To',\n required: false,\n description: 'When this business unit was retired (HRIS sync).',\n group: 'Lifecycle',\n }),\n\n external_ref: Field.text({\n label: 'External Reference',\n required: false,\n maxLength: 200,\n description: 'ID in upstream HRIS (Workday / SAP HR / 北森).',\n group: 'Lifecycle',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Business Unit ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['organization_id'] },\n { fields: ['parent_business_unit_id'] },\n { fields: ['code', 'organization_id'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_business_unit_member — User ↔ Business Unit Assignment\n *\n * Many-to-many between `sys_user` and `sys_business_unit`. A user can belong\n * to multiple business units (matrix orgs) but exactly one is marked\n * `is_primary` to drive the default reporting view.\n *\n * Effective-dated so that historical reports & audits can reconstruct\n * who reported to which unit at any point in time.\n *\n * @namespace sys\n */\nexport const SysBusinessUnitMember = ObjectSchema.create({\n name: 'sys_business_unit_member',\n label: 'Business Unit Member',\n pluralLabel: 'Business Unit Members',\n icon: 'user-cog',\n isSystem: true,\n managedBy: 'platform',\n description: 'User assignment to a business unit (matrix-org friendly, effective-dated).',\n titleFormat: '{user_id} in {business_unit_id}',\n highlightFields: ['user_id', 'business_unit_id', 'function_in_business_unit', 'is_primary'],\n\n fields: {\n id: Field.text({\n label: 'Member ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n business_unit_id: Field.lookup('sys_business_unit', {\n label: 'Business Unit',\n required: true,\n group: 'Assignment',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n group: 'Assignment',\n }),\n\n function_in_business_unit: Field.select(\n ['member', 'lead', 'deputy'],\n {\n label: 'Function in Business Unit',\n required: false,\n defaultValue: 'member',\n description: '`lead` is the day-to-day head; `deputy` may stand in for the lead in approval routing.',\n group: 'Assignment',\n },\n ),\n\n is_primary: Field.boolean({\n label: 'Primary Assignment',\n required: false,\n defaultValue: true,\n description: 'When the user is in multiple business units, this marks the canonical one for reporting.',\n group: 'Assignment',\n }),\n\n effective_from: Field.datetime({\n label: 'Effective From',\n required: false,\n group: 'Lifecycle',\n }),\n\n effective_to: Field.datetime({\n label: 'Effective To',\n required: false,\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['business_unit_id', 'user_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['is_primary'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_api_key — System API Key Object\n *\n * API keys for programmatic/machine access to the platform.\n *\n * Field `key` stores a hashed value and is marked hidden so it never\n * leaks into default list/form rendering; the raw token is only\n * returned once on creation via the auth plugin API.\n *\n * @namespace sys\n */\nexport const SysApiKey = ObjectSchema.create({\n name: 'sys_api_key',\n label: 'API Key',\n pluralLabel: 'API Keys',\n icon: 'key-round',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'API keys for programmatic access',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'prefix', 'user_id', 'expires_at', 'revoked'],\n\n // Custom actions — sys_api_key is managed-by 'better-auth' but the\n // `revoked` boolean is a column we control via the data API. These row\n // actions use the generic PATCH /api/v1/sys_api_key/{id} endpoint with\n // `bodyExtra` to set the `revoked` flag explicitly.\n actions: [\n {\n name: 'revoke_api_key',\n label: 'Revoke API Key',\n icon: 'shield-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_api_key/{id}',\n bodyExtra: { revoked: true },\n confirmText: 'Revoke this API key? Any clients using it will immediately lose access.',\n successMessage: 'API key revoked',\n refreshAfter: true,\n },\n {\n name: 'restore_api_key',\n label: 'Restore API Key',\n icon: 'shield-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_api_key/{id}',\n bodyExtra: { revoked: false },\n confirmText: 'Restore this revoked API key? Existing clients holding the key will regain access.',\n successMessage: 'API key restored',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Keys',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'expires_at', 'last_used_at', 'revoked'],\n filter: [\n { field: 'user_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'user_id', 'expires_at', 'last_used_at'],\n filter: [{ field: 'revoked', operator: 'equals', value: false }],\n sort: [{ field: 'last_used_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n revoked: {\n type: 'grid',\n name: 'revoked',\n label: 'Revoked',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'user_id', 'expires_at', 'updated_at'],\n filter: [{ field: 'revoked', operator: 'equals', value: true }],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_keys: {\n type: 'grid',\n name: 'all_keys',\n label: 'All',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'user_id', 'expires_at', 'last_used_at', 'revoked'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n description: 'Human-readable label for the API key',\n group: 'Identity',\n }),\n\n prefix: Field.text({\n label: 'Prefix',\n required: false,\n maxLength: 16,\n description: 'Visible prefix for identifying the key (e.g., \"osk_\")',\n group: 'Identity',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'Owner',\n required: true,\n description: 'User who owns this API key',\n group: 'Identity',\n }),\n\n // ── Access ───────────────────────────────────────────────────\n scopes: Field.textarea({\n label: 'Scopes',\n required: false,\n description: 'JSON array of permission scopes',\n group: 'Access',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n expires_at: Field.datetime({\n label: 'Expires At',\n required: false,\n group: 'Lifecycle',\n }),\n\n last_used_at: Field.datetime({\n label: 'Last Used At',\n required: false,\n readonly: true,\n description: 'Automatically updated on each API call',\n group: 'Lifecycle',\n }),\n\n revoked: Field.boolean({\n label: 'Revoked',\n defaultValue: false,\n group: 'Lifecycle',\n }),\n\n // ── Secret (hidden by default) ──────────────────────────────\n key: Field.text({\n label: 'Hashed Key',\n required: true,\n hidden: true,\n readonly: true,\n description: 'Hashed API key value — never exposed to clients',\n group: 'Secret',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'API Key ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['key'], unique: true },\n { fields: ['user_id'] },\n { fields: ['prefix'] },\n { fields: ['revoked'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_two_factor — System Two-Factor Object\n *\n * Two-factor authentication credentials (TOTP, backup codes).\n * Backed by better-auth's two-factor plugin.\n *\n * @namespace sys\n */\nexport const SysTwoFactor = ObjectSchema.create({\n name: 'sys_two_factor',\n label: 'Two Factor',\n pluralLabel: 'Two Factor Credentials',\n icon: 'smartphone',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Two-factor authentication credentials',\n titleFormat: 'Two-factor for {user_id}',\n highlightFields: ['user_id', 'created_at'],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Enrollment',\n data: { provider: 'object', object: 'sys_two_factor' },\n columns: ['created_at', 'updated_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_enrollments: {\n type: 'grid',\n name: 'all_enrollments',\n label: 'All',\n data: { provider: 'object', object: 'sys_two_factor' },\n columns: ['user_id', 'created_at', 'updated_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n // Toolbar actions for self-service 2FA enrollment. Better-auth's\n // `/two-factor/enable` returns `{ totpURI, backupCodes }` — the user must\n // scan the URI into an authenticator app and save the backup codes NOW;\n // they are never recoverable afterward. The `resultDialog` field tells\n // the renderer to open a one-shot reveal dialog instead of toasting the\n // success message. Same shape used by `regenerate_backup_codes`.\n actions: [\n {\n name: 'enable_two_factor',\n label: 'Enable 2FA',\n icon: 'shield-check',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/two-factor/enable',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n resultDialog: {\n title: 'Two-factor authentication enabled',\n description: 'Scan the QR code with your authenticator app, then save the backup codes somewhere safe. The backup codes are shown only once.',\n acknowledge: 'I have saved my backup codes',\n fields: [\n { path: 'totpURI', label: 'Authenticator URI', format: 'qrcode' },\n { path: 'backupCodes', label: 'Backup Codes', format: 'code-list' },\n ],\n },\n },\n {\n name: 'disable_two_factor',\n label: 'Disable 2FA',\n icon: 'shield-off',\n variant: 'danger',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/two-factor/disable',\n confirmText: 'Disable two-factor authentication on your account?',\n successMessage: '2FA disabled',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n {\n name: 'regenerate_backup_codes',\n label: 'Regenerate Backup Codes',\n icon: 'refresh-cw',\n variant: 'secondary',\n locations: ['list_toolbar', 'list_item'],\n type: 'api',\n target: '/api/v1/auth/two-factor/generate-backup-codes',\n confirmText: 'Regenerate backup codes? All previous backup codes will stop working immediately.',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n resultDialog: {\n title: 'New backup codes generated',\n description: 'Previous backup codes are now invalid. Save these new codes somewhere safe — they are shown only once.',\n acknowledge: 'I have saved the new codes',\n fields: [\n { path: 'backupCodes', label: 'Backup Codes', format: 'code-list' },\n ],\n },\n },\n ],\n\n \n fields: {\n id: Field.text({\n label: 'Two Factor ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n }),\n \n secret: Field.text({\n label: 'Secret',\n required: true,\n description: 'TOTP secret key',\n }),\n \n backup_codes: Field.textarea({\n label: 'Backup Codes',\n required: false,\n description: 'JSON-serialized backup recovery codes',\n }),\n\n verified: Field.boolean({\n label: 'Verified',\n defaultValue: true,\n description: 'Whether the enrollment was confirmed with a valid TOTP code (managed by better-auth)',\n }),\n },\n \n indexes: [\n { fields: ['user_id'], unique: true },\n ],\n \n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_device_code — System Device Authorization Code Object\n *\n * Stores pending RFC 8628 OAuth Device Authorization Grant requests.\n * Backed by better-auth's `device-authorization` plugin (`deviceCode` model).\n *\n * Lifecycle:\n * 1. CLI calls `POST /device/code` → row inserted with status='pending'\n * 2. Browser visits `verification_uri_complete` and the signed-in user\n * calls `POST /device/approve` (or `/device/deny`) → status flips\n * 3. CLI's next `POST /device/token` poll either receives a session token\n * (status=approved) or one of the standard error codes\n * (`authorization_pending`, `slow_down`, `expired_token`,\n * `access_denied`). Approved rows are deleted on token issuance.\n *\n * @namespace sys\n */\nexport const SysDeviceCode = ObjectSchema.create({\n name: 'sys_device_code',\n label: 'Device Code',\n pluralLabel: 'Device Codes',\n icon: 'key-round',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0057: device codes are dead the moment `expires_at` passes — keep a\n // 1d grace for post-mortem, then reap.\n lifecycle: {\n class: 'transient',\n ttl: { field: 'expires_at', expireAfter: '1d' },\n },\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE pending device-grant\n // codes — reading `user_code`/`device_code` lets an attacker hijack a\n // pending CLI login. Not covered by the wildcard `'*'` grant; admins retain\n // access via the superuser bypass; better-auth reads via its adapter\n // (system context), so the device-grant flow is unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'OAuth 2.0 Device Authorization Grant (RFC 8628) pending requests',\n nameField: 'user_code', // [ADR-0079] canonical primary-title pointer (single-field titleFormat)\n titleFormat: '{user_code}',\n highlightFields: ['user_code', 'status', 'client_id', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'Device Code ID',\n required: true,\n readonly: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n /** High-entropy token returned to the device (CLI). Polled at /device/token. */\n device_code: Field.text({\n label: 'Device Code',\n required: true,\n description: 'High-entropy token returned to the polling device',\n }),\n\n /** Human-readable short code displayed to the user (e.g. ABCD-EFGH). */\n user_code: Field.text({\n label: 'User Code',\n required: true,\n description: 'Short user-facing code (e.g. ABCD-EFGH)',\n }),\n\n /** Owning user — populated when the request is approved. */\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: false,\n description: 'User who approved the device authorization',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n description: 'When the device & user codes are no longer valid',\n }),\n\n /** 'pending' | 'approved' | 'denied' */\n status: Field.text({\n label: 'Status',\n required: true,\n description: \"Current status: 'pending' | 'approved' | 'denied'\",\n }),\n\n last_polled_at: Field.datetime({\n label: 'Last Polled At',\n required: false,\n description: 'Timestamp of the most recent /device/token poll',\n }),\n\n polling_interval: Field.number({\n label: 'Polling Interval (ms)',\n required: false,\n description: 'Server-recommended minimum polling interval, in ms',\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: false,\n description: 'OAuth client identifier of the requesting device',\n }),\n\n scope: Field.text({\n label: 'Scope',\n required: false,\n description: 'Space-separated OAuth scopes requested by the device',\n }),\n },\n\n indexes: [\n { fields: ['device_code'], unique: true },\n { fields: ['user_code'], unique: true },\n { fields: ['status'], unique: false },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_preference — System User Preference Object\n *\n * Per-user key-value preferences for storing UI state, settings, and personalization.\n * Supports the User Preferences layer in the Config Resolution hierarchy\n * (Runtime > User Preferences > Tenant > Env).\n *\n * Common use cases:\n * - UI preferences: theme, locale, timezone, sidebar state\n * - Feature flags: plugin.ai.auto_save, plugin.dev.debug_mode\n * - User-specific settings: default_view, notifications_enabled\n *\n * @namespace sys\n */\nexport const SysUserPreference = ObjectSchema.create({\n name: 'sys_user_preference',\n label: 'User Preference',\n pluralLabel: 'User Preferences',\n icon: 'settings',\n isSystem: true,\n // managedBy: 'system' — preferences are per-user state authored from\n // the user's own settings page, never created by an admin. The list\n // surface in Setup is a support/diagnostic view only.\n managedBy: 'system',\n description: 'Per-user key-value preferences (theme, locale, etc.)',\n nameField: 'key', // [ADR-0079] canonical primary-title pointer (single-field titleFormat)\n titleFormat: '{key}',\n highlightFields: ['user_id', 'key'],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Preferences',\n data: { provider: 'object', object: 'sys_user_preference' },\n columns: ['key', 'updated_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'key', order: 'asc' }],\n pagination: { pageSize: 100 },\n },\n by_user: {\n type: 'grid',\n name: 'by_user',\n label: 'By User',\n data: { provider: 'object', object: 'sys_user_preference' },\n columns: ['user_id', 'key', 'updated_at'],\n sort: [{ field: 'user_id', order: 'asc' }, { field: 'key', order: 'asc' }],\n grouping: { fields: [{ field: 'user_id', order: 'asc', collapsed: true }] },\n pagination: { pageSize: 200 },\n },\n all_preferences: {\n type: 'grid',\n name: 'all_preferences',\n label: 'All',\n data: { provider: 'object', object: 'sys_user_preference' },\n columns: ['user_id', 'key', 'created_at', 'updated_at'],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Preference ID',\n required: true,\n readonly: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Owner user of this preference',\n }),\n\n key: Field.text({\n label: 'Key',\n required: true,\n maxLength: 255,\n description: 'Preference key (e.g., theme, locale, plugin.ai.auto_save)',\n }),\n\n value: Field.json({\n label: 'Value',\n description: 'Preference value (any JSON-serializable type)',\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'key'], unique: true },\n { fields: ['user_id'], unique: false },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_application — Registered OAuth/OIDC client application\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthClient` model. Each row\n * represents an external application that has been registered to authenticate\n * users against this ObjectStack server (acting as an OpenID Connect IdP).\n *\n * The table name is preserved from the deprecated `oidc-provider` plugin\n * (which used the `oauthApplication` model name) so existing data remains\n * accessible. The new model exposes a richer set of OAuth 2.1 / OIDC\n * registration fields — see RFC 7591 (Dynamic Client Registration) and\n * RFC 8414 (Authorization Server Metadata).\n *\n * @namespace sys\n */\nexport const SysOauthApplication = ObjectSchema.create({\n name: 'sys_oauth_application',\n label: 'OAuth Application',\n pluralLabel: 'OAuth Applications',\n icon: 'key-round',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Registered OAuth/OIDC client applications',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'client_id', 'type', 'disabled'],\n\n // Custom actions — all OAuth-application mutations are routed through\n // better-auth's `@better-auth/oauth-provider` endpoints (and a thin\n // ObjectStack-added auth route for the enable/disable toggle) rather\n // than the generic data layer, so server-side validation, secret\n // hashing, and audit hooks all run. The generic `delete` API method\n // is intentionally dropped from `apiMethods` below so the only delete\n // path is the better-auth wrapper.\n //\n // Upstream gap (better-auth 1.6.11): the stock `/admin/oauth2/update-client`\n // endpoint's Zod body schema does NOT accept the `disabled` flag, even\n // though the column exists and the runtime honours it. We bridge the\n // gap with `POST /api/v1/auth/admin/oauth2/toggle-disabled`, registered\n // by plugin-auth, which writes through better-auth's own adapter under\n // the auth namespace (no generic data-layer bypass). When upstream\n // ships `disabled` support, retarget the enable/disable actions and\n // delete the bridge route.\n actions: [\n {\n name: 'disable_oauth_application',\n label: 'Disable OAuth Application',\n icon: 'pause-circle',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/admin/oauth2/toggle-disabled',\n confirmText: 'Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.',\n successMessage: 'OAuth application disabled',\n refreshAfter: true,\n visible: '!record.disabled',\n bodyExtra: { disabled: true },\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n },\n {\n name: 'enable_oauth_application',\n label: 'Enable OAuth Application',\n icon: 'play-circle',\n variant: 'primary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/admin/oauth2/toggle-disabled',\n confirmText: 'Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.',\n successMessage: 'OAuth application enabled',\n refreshAfter: true,\n visible: 'record.disabled',\n bodyExtra: { disabled: false },\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n },\n {\n name: 'create_oauth_application',\n label: 'Register OAuth Application',\n icon: 'plus-circle',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/sys-oauth-application/register',\n refreshAfter: true,\n params: [\n { name: 'name', label: 'Application Name', type: 'text', required: true },\n { name: 'redirectURLs', label: 'Redirect URLs', type: 'textarea', required: true, helpText: 'One URL per line. Must use https:// in production.' },\n { name: 'type', label: 'Application Type', type: 'select', required: true, defaultValue: 'web', options: [\n { label: 'Web', value: 'web' },\n { label: 'Native', value: 'native' },\n { label: 'User-agent based', value: 'user-agent-based' },\n { label: 'Public', value: 'public' },\n ] },\n ],\n resultDialog: {\n title: 'OAuth application registered',\n description: 'Save the client_secret now — it is shown only once and cannot be recovered. You can rotate it later if it leaks.',\n acknowledge: 'I have saved the client secret',\n fields: [\n { path: 'client.client_id', label: 'Client ID', format: 'text' },\n { path: 'client.client_secret', label: 'Client Secret', format: 'secret' },\n ],\n },\n },\n {\n name: 'rotate_client_secret',\n label: 'Rotate Client Secret',\n icon: 'refresh-cw',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/oauth2/client/rotate-secret',\n confirmText: 'Rotate this OAuth client\\'s secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.',\n refreshAfter: true,\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n resultDialog: {\n title: 'Client secret rotated',\n description: 'Save the new secret now — it is shown only once. Update every integration before the previous secret\\'s grace period ends.',\n acknowledge: 'I have updated my integrations',\n fields: [\n { path: 'client_secret', label: 'New Client Secret', format: 'secret' },\n ],\n },\n },\n {\n name: 'delete_oauth_application',\n label: 'Delete OAuth Application',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/oauth2/delete-client',\n confirmText: 'Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.',\n successMessage: 'OAuth application deleted',\n refreshAfter: true,\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Applications',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'disabled', 'created_at'],\n // Self-service Account view — scope to the signed-in user's own\n // registrations so they don't see other developers' apps. Admins\n // get the unfiltered `active` / `disabled_apps` / `all_apps` views\n // via the Setup → OAuth Applications nav.\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'updated_at'],\n filter: [{ field: 'disabled', operator: 'equals', value: false }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n disabled_apps: {\n type: 'grid',\n name: 'disabled_apps',\n label: 'Disabled',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'updated_at'],\n filter: [{ field: 'disabled', operator: 'equals', value: true }],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_apps: {\n type: 'grid',\n name: 'all_apps',\n label: 'All',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'disabled', 'created_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n name: Field.text({\n label: 'Name',\n required: false,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n icon: Field.url({\n label: 'Icon',\n required: false,\n description: 'Logo URL shown on the consent screen',\n group: 'Identity',\n }),\n\n uri: Field.url({\n label: 'Home URI',\n required: false,\n description: 'Public homepage of the registered client',\n group: 'Identity',\n }),\n\n contacts: Field.textarea({\n label: 'Contacts',\n required: false,\n description: 'JSON-serialized list of contact email addresses',\n group: 'Identity',\n }),\n\n tos: Field.url({\n label: 'Terms of Service',\n required: false,\n group: 'Identity',\n }),\n\n policy: Field.url({\n label: 'Privacy Policy',\n required: false,\n group: 'Identity',\n }),\n\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n description: 'JSON-serialized application metadata',\n group: 'Identity',\n }),\n\n // ── OAuth Credentials ────────────────────────────────────────\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n readonly: true,\n maxLength: 255,\n description: 'Public OAuth client identifier',\n group: 'Credentials',\n }),\n\n client_secret: Field.text({\n label: 'Client Secret',\n required: false,\n maxLength: 1024,\n description: 'OAuth client secret (hashed/encrypted at rest)',\n group: 'Credentials',\n }),\n\n redirect_uris: Field.textarea({\n label: 'Redirect URIs',\n required: true,\n description: 'JSON-serialized list of allowed redirect URIs',\n group: 'Credentials',\n }),\n\n post_logout_redirect_uris: Field.textarea({\n label: 'Post-logout Redirect URIs',\n required: false,\n description: 'JSON-serialized list of allowed post-logout redirect URIs',\n group: 'Credentials',\n }),\n\n type: Field.select(['web', 'native', 'user-agent-based', 'public'], {\n label: 'Client Type',\n required: false,\n defaultValue: 'web',\n group: 'Credentials',\n }),\n\n public: Field.boolean({\n label: 'Public Client',\n required: false,\n description: 'Marks the client as a public (non-confidential) OAuth client',\n group: 'Credentials',\n }),\n\n require_pkce: Field.boolean({\n label: 'Require PKCE',\n required: false,\n group: 'Credentials',\n }),\n\n token_endpoint_auth_method: Field.text({\n label: 'Token Endpoint Auth Method',\n required: false,\n maxLength: 64,\n description: 'e.g. client_secret_basic, client_secret_post, none',\n group: 'Credentials',\n }),\n\n grant_types: Field.textarea({\n label: 'Grant Types',\n required: false,\n description: 'JSON-serialized list of allowed grant types',\n group: 'Credentials',\n }),\n\n response_types: Field.textarea({\n label: 'Response Types',\n required: false,\n description: 'JSON-serialized list of allowed response types',\n group: 'Credentials',\n }),\n\n scopes: Field.textarea({\n label: 'Allowed Scopes',\n required: false,\n description: 'JSON-serialized list of scopes the client may request',\n group: 'Credentials',\n }),\n\n subject_type: Field.text({\n label: 'Subject Type',\n required: false,\n maxLength: 32,\n description: 'OIDC subject type (e.g. public, pairwise)',\n group: 'Credentials',\n }),\n\n // ── Behaviour flags ──────────────────────────────────────────\n disabled: Field.boolean({\n label: 'Disabled',\n required: false,\n defaultValue: false,\n group: 'Behaviour',\n }),\n\n skip_consent: Field.boolean({\n label: 'Skip Consent',\n required: false,\n description: 'Treat as a trusted client and bypass the consent screen',\n group: 'Behaviour',\n }),\n\n enable_end_session: Field.boolean({\n label: 'Enable End Session',\n required: false,\n description: 'Allow the client to call the OIDC end-session endpoint',\n group: 'Behaviour',\n }),\n\n // ── Software statement (RFC 7591 §2.3) ───────────────────────\n software_id: Field.text({\n label: 'Software ID',\n required: false,\n maxLength: 255,\n group: 'Software',\n }),\n\n software_version: Field.text({\n label: 'Software Version',\n required: false,\n maxLength: 64,\n group: 'Software',\n }),\n\n software_statement: Field.textarea({\n label: 'Software Statement',\n required: false,\n description: 'Signed JWT asserting the client metadata (RFC 7591 §2.3)',\n group: 'Software',\n }),\n\n // ── Ownership / system ───────────────────────────────────────\n user_id: Field.lookup('sys_user', {\n label: 'Owner User',\n required: false,\n description: 'User who registered this application',\n group: 'System',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['client_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['reference_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n // All mutations (create/update/delete) must go through better-auth's\n // oauth-provider endpoints under /api/v1/auth/{admin/,}oauth2/* — the\n // generic data layer is read-only for this object so sysadmins cannot\n // bypass server-side OAuth validation. The Delete row action above is\n // wired to /api/v1/auth/oauth2/delete-client.\n apiMethods: ['get', 'list'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_access_token — Issued OAuth/OIDC opaque access token\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthAccessToken` model. One\n * row per opaque access token issuance. Tokens are short-lived; expired\n * rows can be safely pruned.\n *\n * Refresh tokens have been split into a sibling table — see\n * {@link SysOauthRefreshToken}. The optional `refresh_id` column links an\n * access token back to the refresh-token row that minted it.\n *\n * @namespace sys\n */\nexport const SysOauthAccessToken = ObjectSchema.create({\n name: 'sys_oauth_access_token',\n label: 'OAuth Access Token',\n pluralLabel: 'OAuth Access Tokens',\n icon: 'ticket',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE bearer credentials —\n // reading one is session hijack. Not covered by the wildcard `'*'` grant;\n // admins retain access via the superuser bypass; better-auth reads via its\n // adapter (system context), so OAuth flows are unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Opaque OAuth access tokens issued to client applications',\n highlightFields: ['client_id', 'user_id', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n token: Field.text({\n label: 'Token',\n required: true,\n maxLength: 1024,\n description: 'Opaque access token value',\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n description: 'Foreign key to sys_oauth_application.client_id',\n }),\n\n session_id: Field.lookup('sys_session', {\n label: 'Session',\n required: false,\n description: 'Foreign key to sys_session.id',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: false,\n description: 'Foreign key to sys_user.id',\n }),\n\n refresh_id: Field.lookup('sys_oauth_refresh_token', {\n label: 'Refresh Token',\n required: false,\n description: 'Foreign key to sys_oauth_refresh_token.id',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n }),\n\n scopes: Field.textarea({\n label: 'Scopes',\n required: true,\n description: 'JSON-serialized list of scopes granted to this token',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['client_id'] },\n { fields: ['session_id'] },\n { fields: ['user_id'] },\n { fields: ['refresh_id'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_refresh_token — Issued OAuth/OIDC refresh token\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthRefreshToken` model.\n * Refresh tokens are issued for the `offline_access` scope and are bound\n * to a specific session (`session_id`) and client (`client_id`).\n *\n * Each access-token rotation produces a new refresh-token row; revoked\n * tokens are kept (with `revoked` set) for audit purposes until pruned.\n *\n * @namespace sys\n */\nexport const SysOauthRefreshToken = ObjectSchema.create({\n name: 'sys_oauth_refresh_token',\n label: 'OAuth Refresh Token',\n pluralLabel: 'OAuth Refresh Tokens',\n icon: 'refresh-cw',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE long-lived credentials —\n // a refresh token mints new access tokens. Not covered by the wildcard `'*'`\n // grant; admins retain access via the superuser bypass; better-auth reads\n // via its adapter (system context), so OAuth flows are unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Opaque OAuth refresh tokens (linked to a session)',\n highlightFields: ['client_id', 'user_id', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n token: Field.text({\n label: 'Token',\n required: true,\n maxLength: 1024,\n description: 'Opaque refresh token value',\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n description: 'Foreign key to sys_oauth_application.client_id',\n }),\n\n session_id: Field.lookup('sys_session', {\n label: 'Session',\n required: false,\n description: 'Foreign key to sys_session.id',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.id',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n }),\n\n scopes: Field.textarea({\n label: 'Scopes',\n required: true,\n description: 'JSON-serialized list of scopes granted to this token',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n revoked: Field.datetime({\n label: 'Revoked At',\n required: false,\n description: 'Timestamp at which this refresh token was revoked',\n }),\n\n auth_time: Field.datetime({\n label: 'Auth Time',\n required: false,\n description: 'When the user originally authenticated for this token chain',\n }),\n },\n\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['client_id'] },\n { fields: ['session_id'] },\n { fields: ['user_id'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_consent — Recorded user consent for an OAuth client + scopes\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthConsent` model. When a\n * user consents to a client requesting a particular set of scopes, the\n * decision is persisted here so future authorization requests for the same\n * client+scopes can skip the consent screen.\n *\n * The presence of a row implies consent was given for the listed scopes —\n * the previous boolean `consent_given` flag was removed in the migration\n * from `better-auth/plugins/oidc-provider` to `@better-auth/oauth-provider`.\n *\n * @namespace sys\n */\nexport const SysOauthConsent = ObjectSchema.create({\n name: 'sys_oauth_consent',\n label: 'OAuth Consent',\n pluralLabel: 'OAuth Consents',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'User consent records for OAuth client applications',\n highlightFields: ['client_id', 'user_id', 'scopes'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n description: 'Foreign key to sys_oauth_application.client_id',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: false,\n description: 'Foreign key to sys_user.id',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n }),\n\n scopes: Field.textarea({\n label: 'Scopes',\n required: true,\n description: 'JSON-serialized list of scopes the user consented to',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['client_id'] },\n { fields: ['user_id'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_jwks — JWKS (JSON Web Key Set) key pair store\n *\n * Backed by better-auth's `jwt` plugin. Each row is a single asymmetric\n * key pair used to sign and verify JWTs (id_tokens, JWT access tokens)\n * issued by this ObjectStack server when it acts as an OAuth/OIDC IdP.\n *\n * The plugin rotates keys automatically — older rows are kept until\n * `expires_at` so existing tokens can still be verified.\n *\n * @namespace sys\n */\nexport const SysJwks = ObjectSchema.create({\n name: 'sys_jwks',\n label: 'JWKS Key',\n pluralLabel: 'JWKS Keys',\n icon: 'key',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are the environment's JWT SIGNING\n // KEYS (private key material). Not covered by the wildcard `'*'` grant — an\n // ordinary member gets 403 from the generic data layer. Platform admins\n // (viewAllRecords/modifyAllRecords) retain access via the posture-gated\n // superuser bypass; better-auth itself reads via its adapter (system\n // context), so token signing/verification is unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Asymmetric key pairs used to sign and verify issued JWTs',\n highlightFields: ['id', 'created_at', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'Key ID',\n required: true,\n readonly: true,\n description: 'JWK `kid` value',\n }),\n\n public_key: Field.textarea({\n label: 'Public Key',\n required: true,\n description: 'JSON-serialized JWK public key',\n }),\n\n private_key: Field.textarea({\n label: 'Private Key',\n required: true,\n description: 'JSON-serialized JWK private key (encrypted at rest)',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: false,\n description: 'When the key may no longer be used to verify tokens',\n }),\n },\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sso_provider — Registered external SSO identity provider (OIDC / SAML)\n *\n * Backed by `@better-auth/sso`'s `ssoProvider` model. Each row is an external\n * IdP that THIS environment federates LOGIN to (the relying-party / client\n * side) — e.g. the customer's Okta / Entra / Google Workspace. This is the\n * per-environment SSO **mechanism** (ADR-0024): OPEN, configured in the env,\n * and cloud-free for self-host.\n *\n * better-auth stores the protocol detail as a JSON blob in `oidc_config`\n * (OIDC: clientId, clientSecret, endpoints, scopes, mapping, pkce, …) or\n * `saml_config` (SAML: entryPoint, cert, identifierFormat, mapping, …) — not\n * as separate columns. Field set mirrors `@better-auth/sso@1.6.20`'s\n * `BaseSSOProvider`: issuer, oidcConfig, samlConfig, userId, providerId,\n * organizationId, domain.\n *\n * All mutations route through better-auth's `/api/v1/auth/sso/*` endpoints\n * (register / delete-provider) so config validation and secret handling run;\n * the generic data layer is read-only (see `enable.apiMethods`).\n *\n * @namespace sys\n */\nexport const SysSsoProvider = ObjectSchema.create({\n name: 'sys_sso_provider',\n label: 'SSO Provider',\n pluralLabel: 'SSO Providers',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0024 — env-global, ADMIN-ONLY identity config. Two orthogonal controls:\n // • `tenancy.enabled: false` — the env IS the tenant; providers are env-wide,\n // not org-partitioned. Opting out of multi-tenancy lets a platform admin's\n // `viewAllRecords` superuser bypass see every provider (without it, the\n // `member_default` wildcard `tenant_isolation` RLS denies every row, since\n // better-auth writes via its adapter with no tenantId → `organization_id`\n // is never stamped).\n // • `requiredPermissions: ['manage_platform_settings']` — object-level\n // capability gate (ADR-0066 D3) so ordinary members are denied entirely\n // (without it, tenancy-disabled + `member_default`'s `'*': allowRead` would\n // leak providers to every authenticated user).\n // Together: admins see all env providers; non-admins get 403. better-auth's\n // own endpoints already read via a system context. (Env-only object — no\n // control-plane cross-tenant risk.)\n tenancy: { enabled: false, strategy: 'shared' },\n requiredPermissions: ['manage_platform_settings'],\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth (@better-auth/sso) — see ADR-0024.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'External SSO identity providers (OIDC / SAML) this environment federates login to',\n displayNameField: 'provider_id',\n nameField: 'provider_id', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{provider_id}',\n highlightFields: ['provider_id', 'issuer', 'domain'],\n\n // All mutations go through @better-auth/sso's endpoints under\n // /api/v1/auth/sso/* (register / delete-provider) rather than the generic\n // data layer, so server-side config validation + secret handling run.\n actions: [\n {\n name: 'register_sso_provider',\n label: 'Register SSO Provider',\n icon: 'plus-circle',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'api',\n method: 'POST',\n // Routed through the env-side bridge (plugin-auth `auth-plugin.ts`), which\n // reshapes these FLAT form fields into the nested `oidcConfig` body that\n // `@better-auth/sso`'s /sso/register requires, then re-dispatches to it\n // (so the admin gate + discovery hydration run). Posting straight to\n // /sso/register would drop clientId/clientSecret (top-level → Zod-stripped)\n // and persist an unusable `oidc_config = null` provider.\n target: '/api/v1/auth/admin/sso/register',\n refreshAfter: true,\n params: [\n { name: 'providerId', label: 'Provider ID', type: 'text', required: true, helpText: 'Stable identifier, e.g. \"okta\" or \"acme-entra\".' },\n { name: 'issuer', label: 'Issuer URL', type: 'text', required: true, helpText: 'IdP issuer, e.g. https://acme.okta.com. Discovery is fetched from here unless an explicit URL is given below.' },\n { name: 'domain', label: 'Email Domain', type: 'text', required: true, helpText: 'Users with this email domain are routed to this IdP, e.g. acme.com.' },\n { name: 'clientId', label: 'Client ID', type: 'text', required: true, helpText: 'OAuth client ID issued by the IdP for this environment.' },\n { name: 'clientSecret', label: 'Client Secret', type: 'text', required: true, helpText: 'OAuth client secret (stored encrypted by better-auth).' },\n { name: 'discoveryEndpoint', label: 'Discovery URL', type: 'text', required: false, helpText: 'Optional. OIDC discovery document URL. Leave blank to derive `<issuer>/.well-known/openid-configuration`.' },\n { name: 'scopes', label: 'Scopes', type: 'text', required: false, placeholder: 'openid email profile', helpText: 'Optional. Space- or comma-separated OAuth scopes. Defaults to \"openid email profile\".' },\n { name: 'mapId', label: 'Map: User ID claim', type: 'text', required: false, placeholder: 'sub', helpText: 'Optional. ID-token claim mapped to the user ID. Defaults to \"sub\".' },\n { name: 'mapEmail', label: 'Map: Email claim', type: 'text', required: false, placeholder: 'email', helpText: 'Optional. Claim mapped to email. Defaults to \"email\".' },\n { name: 'mapName', label: 'Map: Name claim', type: 'text', required: false, placeholder: 'name', helpText: 'Optional. Claim mapped to display name. Defaults to \"name\".' },\n ],\n },\n {\n name: 'register_saml_provider',\n label: 'Register SAML Provider',\n icon: 'shield',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'api',\n method: 'POST',\n // SAML 2.0 via @better-auth/sso (samlify-backed). Routed through the\n // env-side bridge (plugin-auth `auth-plugin.ts` → register-saml), which\n // reshapes these FLAT IdP fields into the nested `samlConfig` body that\n // @better-auth/sso's /sso/register requires (entryPoint/cert/callbackUrl/\n // spMetadata/identifierFormat), derives the per-provider ACS URL, and\n // re-dispatches to /sso/register (admin gate runs). The response returns\n // the SP ACS + metadata URLs to configure on the IdP.\n target: '/api/v1/auth/admin/sso/register-saml',\n refreshAfter: true,\n params: [\n { name: 'providerId', label: 'Provider ID', type: 'text', required: true, helpText: 'Stable identifier, e.g. \"acme-saml\".' },\n { name: 'issuer', label: 'IdP Entity ID', type: 'text', required: true, helpText: 'The IdP’s SAML EntityID (issuer), e.g. https://saml.acme.com/entityid.' },\n { name: 'domain', label: 'Email Domain', type: 'text', required: true, helpText: 'Users with this email domain are routed to this IdP, e.g. acme.com.' },\n { name: 'entryPoint', label: 'IdP SSO URL', type: 'text', required: true, helpText: 'The IdP’s SAML single sign-on (redirect) endpoint that receives the SAMLRequest.' },\n { name: 'cert', label: 'IdP Signing Certificate', type: 'textarea', required: true, helpText: 'The IdP’s X.509 signing certificate (PEM body). Used to verify assertion signatures.' },\n { name: 'identifierFormat', label: 'NameID Format', type: 'text', required: false, placeholder: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', helpText: 'Optional. Requested SAML NameID format. Defaults to the IdP’s configured format.' },\n ],\n },\n {\n name: 'request_domain_verification',\n label: 'Request Domain Verification',\n icon: 'globe',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n // ADR-0024 ② (opt-in OS_SSO_DOMAIN_VERIFICATION). Asks @better-auth/sso\n // for a one-time DNS-TXT challenge and reveals the ready-to-paste record\n // ONCE via `resultDialog`. Routed through the env bridge (plugin-auth /\n // cloud AuthProxyPlugin) which reshapes the `{domainVerificationToken}`\n // response into a `{ success, data: { dnsRecordName, dnsRecordValue } }`\n // envelope. The console action runtime unwraps that envelope, so the\n // `resultDialog` field paths are relative to the inner `data` payload\n // (`dnsRecordName`, not `data.dnsRecordName`) — consistent with every\n // other object's resultDialog (create_user, two-factor, OAuth). When the\n // feature is OFF the bridge returns a clear \"not enabled for this\n // environment\" error instead of a bare 404.\n target: '/api/v1/auth/admin/sso/request-domain-verification',\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n { name: 'domain', field: 'domain', defaultFromRow: true, required: false },\n ],\n resultDialog: {\n title: 'Verify your domain',\n description:\n 'Add the DNS TXT record below at your domain’s DNS provider, then run “Verify Domain”. The token is shown once.',\n acknowledge: 'Done',\n fields: [\n { path: 'dnsRecordType', label: 'Record type', format: 'text' },\n { path: 'dnsRecordName', label: 'Name / Host', format: 'secret' },\n { path: 'dnsRecordValue', label: 'Value', format: 'secret' },\n ],\n },\n },\n {\n name: 'verify_domain',\n label: 'Verify Domain',\n icon: 'shield-check',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n // ADR-0024 ②. Re-checks the DNS-TXT record and flips `domain_verified`\n // on success. Routed through the env bridge, which maps @better-auth/sso's\n // empty 204 / 502 into a clear success/error toast.\n target: '/api/v1/auth/admin/sso/verify-domain',\n successMessage: 'Domain ownership verified',\n refreshAfter: true,\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n ],\n },\n {\n name: 'delete_sso_provider',\n label: 'Delete SSO Provider',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/sso/delete-provider',\n confirmText: 'Delete this SSO provider? Users from its domain will no longer be able to sign in through it.',\n successMessage: 'SSO provider deleted',\n refreshAfter: true,\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n ],\n },\n ],\n\n listViews: {\n all: {\n type: 'grid',\n name: 'all',\n label: 'All',\n data: { provider: 'object', object: 'sys_sso_provider' },\n columns: ['provider_id', 'issuer', 'domain', 'domain_verified', 'created_at'],\n sort: [{ field: 'provider_id', order: 'asc' }],\n pagination: { pageSize: 50 },\n // Per-object empty state — the shared identity-object copy (\"created\n // automatically … cannot be added here\") is wrong for this object, which\n // HAS a \"Register SSO Provider\" action. Point admins at it instead.\n emptyState: {\n title: 'No SSO providers yet',\n message: 'Register your organization’s external IdP — OIDC (Okta, Entra, Auth0, …) with “Register SSO Provider”, or SAML 2.0 with “Register SAML Provider”. Members whose email domain matches can then sign in through it.',\n icon: 'log-in',\n },\n },\n },\n\n fields: {\n id: Field.text({ label: 'ID', required: true, readonly: true, group: 'System' }),\n\n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n searchable: true,\n maxLength: 255,\n description: 'Stable provider identifier (unique within the environment)',\n group: 'Identity',\n }),\n\n issuer: Field.text({\n label: 'Issuer',\n required: true,\n maxLength: 2048,\n description: 'IdP issuer URL',\n group: 'Identity',\n }),\n\n domain: Field.text({\n label: 'Email Domain',\n required: true,\n maxLength: 255,\n description: 'Email domain routed to this IdP (e.g. acme.com)',\n group: 'Identity',\n }),\n\n domain_verified: Field.boolean({\n label: 'Domain Verified',\n defaultValue: false,\n readonly: true,\n description:\n 'Whether DNS ownership of the email domain has been proven (ADR-0024 ②). Set by “Verify Domain” after the DNS TXT record resolves. Managed by better-auth — not directly editable. Only enforced when domain verification is enabled for the environment.',\n group: 'Identity',\n }),\n\n oidc_config: Field.textarea({\n label: 'OIDC Config',\n required: false,\n description: 'JSON: clientId, clientSecret, endpoints, scopes, mapping, pkce (managed by better-auth)',\n group: 'Protocol',\n }),\n\n saml_config: Field.textarea({\n label: 'SAML Config',\n required: false,\n description: 'JSON: entryPoint, cert, identifierFormat, mapping (managed by better-auth)',\n group: 'Protocol',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'Registered By',\n required: false,\n description: 'User who registered this provider',\n group: 'System',\n }),\n\n organization_id: Field.text({\n label: 'Organization',\n required: false,\n maxLength: 255,\n description: 'Organization scope (when org-scoped SSO is used)',\n group: 'System',\n }),\n\n created_at: Field.datetime({ label: 'Created At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n updated_at: Field.datetime({ label: 'Updated At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n },\n\n indexes: [\n { fields: ['provider_id'], unique: true },\n { fields: ['domain'] },\n { fields: ['user_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n // Mutations go through /api/v1/auth/sso/* (register / delete-provider);\n // the generic data layer is read-only so sysadmins cannot bypass\n // server-side validation / secret handling.\n apiMethods: ['get', 'list'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_scim_provider — Registered SCIM 2.0 connection (@better-auth/scim)\n *\n * Backed by `@better-auth/scim`'s `scimProvider` model. Each row is a SCIM\n * connection: a bearer token an external IdP (Okta / Entra / OneLogin) uses to\n * **auto-provision / deprovision** THIS environment's users. The environment is\n * the SCIM **Service Provider** (the receiver); the IdP is the SCIM **client**\n * (the sender). This is the paid Identity lifecycle (ADR-0071) — the mechanism\n * is OPEN (here, framework `plugin-auth`); enablement is entitlement-gated by\n * the cloud / EE license.\n *\n * `scim_token` holds the connection's bearer credential. With the plugin's\n * `storeSCIMToken: 'hashed'` (the default this env wires) it stores only a\n * HASH — the plaintext is returned exactly once at `/scim/generate-token`. Even\n * so, treat this object as sensitive: it is read-only over the generic data API\n * and the token is excluded from list views.\n *\n * All mutations route through @better-auth/scim's endpoints under\n * `/api/v1/auth/scim/*` (generate-token / delete-provider-connection) and the\n * SCIM 2.0 protocol under `/api/v1/auth/scim/v2/*`; the generic data layer is\n * read-only (see `enable.apiMethods`).\n *\n * @namespace sys\n */\nexport const SysScimProvider = ObjectSchema.create({\n name: 'sys_scim_provider',\n label: 'SCIM Provider',\n pluralLabel: 'SCIM Providers',\n icon: 'users',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D3/④] Admin-only identity config carrying a live credential\n // (`scim_token` — the bearer external IdPs authenticate provisioning calls\n // with). Object-level capability gate, mirroring the sibling\n // `sys_sso_provider`: ordinary members are denied entirely (without it, the\n // `member_default` wildcard `'*': allowRead` would expose SCIM connections\n // to every authenticated user). better-auth's own endpoints read via a\n // system context, so SCIM provisioning is unaffected.\n requiredPermissions: ['manage_platform_settings'],\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth (@better-auth/scim) — see ADR-0071.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'SCIM 2.0 connections (bearer tokens) external IdPs use to provision/deprovision this environment\\'s users',\n displayNameField: 'provider_id',\n nameField: 'provider_id', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{provider_id}',\n highlightFields: ['provider_id', 'organization_id'],\n\n listViews: {\n all: {\n type: 'grid',\n name: 'all',\n label: 'All',\n data: { provider: 'object', object: 'sys_scim_provider' },\n // scim_token is intentionally excluded — never surface the credential.\n columns: ['provider_id', 'organization_id', 'created_at'],\n sort: [{ field: 'provider_id', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'ID', required: true, readonly: true, group: 'System' }),\n\n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n searchable: true,\n maxLength: 255,\n description: 'Stable SCIM provider identifier (e.g. \"okta-scim\")',\n group: 'Identity',\n }),\n\n scim_token: Field.text({\n label: 'SCIM Token (hash)',\n required: false,\n readonly: true,\n maxLength: 1024,\n description: 'Hashed bearer credential for this SCIM connection — the plaintext is shown once at generate-token. Sensitive; do not expose.',\n group: 'Secret',\n }),\n\n organization_id: Field.text({\n label: 'Organization',\n required: false,\n maxLength: 255,\n description: 'Organization scope of this token (org-scoped tokens restrict provisioning to that org)',\n group: 'System',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'Owned By',\n required: false,\n description: 'User who generated this token (when provider-ownership is enabled)',\n group: 'System',\n }),\n\n created_at: Field.datetime({ label: 'Created At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n updated_at: Field.datetime({ label: 'Updated At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n },\n\n indexes: [\n { fields: ['provider_id'], unique: true },\n { fields: ['organization_id'] },\n { fields: ['user_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n // Mutations + token issuance go through @better-auth/scim's endpoints\n // under /api/v1/auth/scim/*; the generic data layer is read-only so the\n // credential cannot be written/bypassed through it.\n apiMethods: ['list'],\n trash: false,\n mru: false,\n },\n});\n"]}
|
|
1
|
+
{"version":3,"sources":["../../src/identity/sys-user.object.ts","../../src/identity/sys-session.object.ts","../../src/identity/sys-account.object.ts","../../src/identity/sys-verification.object.ts","../../src/identity/sys-organization.object.ts","../../src/identity/sys-member.object.ts","../../src/identity/sys-invitation.object.ts","../../src/identity/sys-team.object.ts","../../src/identity/sys-team-member.object.ts","../../src/identity/sys-business-unit.object.ts","../../src/identity/sys-business-unit-member.object.ts","../../src/identity/sys-api-key.object.ts","../../src/identity/sys-two-factor.object.ts","../../src/identity/sys-device-code.object.ts","../../src/identity/sys-user-preference.object.ts","../../src/identity/sys-oauth-application.object.ts","../../src/identity/sys-oauth-access-token.object.ts","../../src/identity/sys-oauth-refresh-token.object.ts","../../src/identity/sys-oauth-consent.object.ts","../../src/identity/sys-oauth-resource.object.ts","../../src/identity/sys-oauth-client-resource.object.ts","../../src/identity/sys-oauth-client-assertion.object.ts","../../src/identity/sys-jwks.object.ts","../../src/identity/sys-sso-provider.object.ts","../../src/identity/sys-scim-provider.object.ts"],"names":["ObjectSchema","Field"],"mappings":";;;AAeO,IAAM,OAAA,GAAU,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASX,WAAA,EAAa,EAAE,IAAA,EAAM,IAAA,EAAK;AAAA;AAAA,EAE1B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,kCAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,OAAA,EAAS,gBAAgB,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQnD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQR,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,IAAA,EAAK;AAAA,QACjC,EAAE,KAAA,EAAO,MAAA,EAAQ,cAAA,EAAgB,YAAA,EAAc,UAAU,IAAA;AAAK;AAChE,KACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAcA;AAAA,MACE,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,KAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA,MACR,eAAA,EAAiB,OAAA;AAAA,MACjB,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,aAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,8EAAA;AAAA,MACb,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,cAAc,IAAA,EAAM,MAAA,EAAQ,UAAU,KAAA;AAAM;AAC1E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,gBAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,+BAAA;AAAA,MACR,eAAA,EAAiB,OAAA;AAAA,MACjB,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,eAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA,MAIE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,eAAA,EAAiB,OAAA;AAAA,MACjB,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,eAAA,EAAiB,OAAA;AAAA,MACjB,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA;AAAA;AAAA,QAGN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,KAAA,EAAM;AAAA,QAClC;AAAA,UACE,IAAA,EAAM,aAAA;AAAA,UACN,KAAA,EAAO,cAAA;AAAA,UACP,IAAA,EAAM,MAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,QAAA,EAAU,qFAAA;AAAA;AAAA;AAAA;AAAA;AAAA,UAKV,eAAA,EAAiB;AAAA,SACnB;AAAA,QACA,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAM;AAAA,QACjC;AAAA,UACE,IAAA,EAAM,kBAAA;AAAA,UACN,KAAA,EAAO,6BAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA,SAChB;AAAA,QACA,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,sCAAsC,IAAA,EAAM,MAAA,EAAQ,UAAU,KAAA,EAAM;AAAA,QAC/F;AAAA,UACE,IAAA,EAAM,oBAAA;AAAA,UACN,KAAA,EAAO,wCAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA;AAChB,OACF;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,cAAA;AAAA,QACP,WAAA,EACE,gFAAA;AAAA,QACF,WAAA,EAAa,4BAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,QAAQ,MAAA,EAAO;AAAA,UACrD,EAAE,IAAA,EAAM,mBAAA,EAAqB,KAAA,EAAO,oBAAA,EAAsB,QAAQ,QAAA;AAAS;AAC7E;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,cAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMN,MAAA,EAAQ,sCAAA;AAAA,MACR,eAAA,EAAiB,OAAA;AAAA,MACjB,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN;AAAA,UACE,IAAA,EAAM,kBAAA;AAAA,UACN,KAAA,EAAO,6BAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA,SAChB;AAAA,QACA,EAAE,MAAM,aAAA,EAAe,KAAA,EAAO,0CAA0C,IAAA,EAAM,MAAA,EAAQ,UAAU,KAAA,EAAM;AAAA,QACtG;AAAA,UACE,IAAA,EAAM,oBAAA;AAAA,UACN,KAAA,EAAO,uCAAA;AAAA,UACP,IAAA,EAAM,SAAA;AAAA,UACN,QAAA,EAAU,KAAA;AAAA,UACV,YAAA,EAAc;AAAA;AAChB,OACF;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,kBAAA;AAAA,QACP,WAAA,EACE,mGAAA;AAAA,QACF,WAAA,EAAa,MAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,mBAAA,EAAqB,KAAA,EAAO,oBAAA,EAAsB,QAAQ,QAAA;AAAS;AAC7E;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA,MACR,eAAA,EAAiB,OAAA;AAAA,MACjB,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,MAAA,EAAQ,KAAA,EAAO,iBAAiB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AACvE,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,kBAAA;AAAA,MACN,KAAA,EAAO,kBAAA;AAAA,MACP,IAAA,EAAM,UAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,qCAAA;AAAA,MACR,eAAA,EAAiB,OAAA;AAAA,MACjB,aAAA,EAAe,QAAA;AAAA,MACf,cAAA,EAAgB,wBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAUA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,UAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,eAAe,CAAA;AAAA,MAC3B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,0BAAA;AAAA,MACR,OAAA,EAAS,0BAAA;AAAA,MACT,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,gBAAgB,IAAA,EAAK;AAAA,QACvD,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,gBAAgB,IAAA;AAAK;AAC1D,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,KAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,eAAA,EAAiB,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC5D,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8BAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKR,OAAA,EAAS,gEAAA;AAAA,MACT,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,iBAAA,EAAmB,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACnF,EAAE,MAAM,aAAA,EAAe,KAAA,EAAO,gBAAgB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QAC3E,EAAE,IAAA,EAAM,qBAAA,EAAuB,KAAA,EAAO,wBAAA,EAA0B,MAAM,SAAA,EAAW,QAAA,EAAU,KAAA,EAAO,YAAA,EAAc,IAAA;AAAK;AACvH,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,cAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,eAAA,EAAiB,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC5D,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,2BAAA;AAAA;AAAA;AAAA,MAGR,OAAA,EAAS,gEAAA;AAAA,MACT,cAAA,EAAgB,kEAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,aAAa,IAAA,EAAM,OAAA,EAAS,UAAU,IAAA;AAAK;AACxE,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,2BAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,eAAA,EAAiB,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC5D,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,sCAAA;AAAA;AAAA;AAAA,MAGR,OAAA,EAAS,4DAAA;AAAA,MACT,cAAA,EAAgB,kDAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,QAAQ;AAAC,KACX;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,aAAA,EAAe,gBAAgB,CAAA;AAAA,MAC3C,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,0BAAA;AAAA;AAAA;AAAA,MAGR,OAAA,EAAS,gEAAA;AAAA,MACT,WAAA,EAAa,8KAAA;AAAA,MACb,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,wBAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,OAAA,EAAS,+DAAA;AAAA,MACT,eAAA,EAAiB,WAAA;AAAA,MACjB,cAAA,EAAgB,iJAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,yBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,iCAAA;AAAA,MACR,OAAA,EAAS,+DAAA;AAAA,MACT,eAAA,EAAiB,WAAA;AAAA,MACjB,WAAA,EAAa,uEAAA;AAAA,MACb,cAAA,EAAgB,qCAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,KAAA,EAAO,yBAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,+CAAA;AAAA,MACR,OAAA,EAAS,+DAAA;AAAA,MACT,eAAA,EAAiB,WAAA;AAAA,MACjB,WAAA,EAAa,uFAAA;AAAA,MACb,cAAA,EAAgB,6DAAA;AAAA,MAChB,YAAA,EAAc,KAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMT,EAAA,EAAI;AAAA,MACF,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,IAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,gBAAA,EAAkB,sBAAsB,YAAY,CAAA;AAAA,MAC/E,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,MAAM,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MACxE,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,CAAA;AAAE,KAC5B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,MAAA,EAAQ,SAAS,gBAAA,EAAkB,QAAA,EAAU,sBAAsB,YAAY,CAAA;AAAA,MACzF,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,kBAAkB,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MACtE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,sBAAsB,YAAY,CAAA;AAAA,MAC7D,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,sBAAsB,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACzE,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,QAAA,EAAU,cAAc,aAAa,CAAA;AAAA,MAChE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,KAAA,EAAO,MAAM,KAAA,CAAM;AAAA,MACjB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgB,MAAM,OAAA,CAAQ;AAAA,MAC5B,KAAA,EAAO,gBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoB,MAAM,OAAA,CAAQ;AAAA,MAChC,KAAA,EAAO,oBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQ,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAa,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOD,kBAAA,EAAoB,MAAM,MAAA,CAAO;AAAA,MAC/B,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,CAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAc,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,mBAAA,EAAqB,MAAM,QAAA,CAAS;AAAA,MAClC,KAAA,EAAO,qBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,YAAA,EAAc,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,EAAA;AAAA,MACX,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EACE;AAAA,KAEH,CAAA;AAAA,IAED,qBAAA,EAAuB,MAAM,OAAA,CAAQ;AAAA,MACnC,KAAA,EAAO,gBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EACE;AAAA,KAEH,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOD,oBAAA,EAAsB,MAAM,OAAA,CAAQ;AAAA,MAClC,KAAA,EAAO,sBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EACE;AAAA,KAEH,CAAA;AAAA;AAAA;AAAA,IAID,eAAA,EAAiB,MAAM,QAAA,CAAS;AAAA,MAC9B,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,aAAA,EAAe,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,aAAA,EAAe,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA;AAAA,MACX,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAW,MAAM,OAAA,CAAQ;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EACE;AAAA,KAMH,CAAA;AAAA;AAAA,IAGD,KAAA,EAAO,MAAM,GAAA,CAAI;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,cAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,wBAAA,EAA0B,KAAA,CAAM,MAAA,CAAO,mBAAA,EAAqB;AAAA,MAC1D,KAAA,EAAO,uBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA;AAAA,MACV,KAAA,EAAO,cAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaD,MAAA,EAAQ,MAAM,MAAA,CAAO;AAAA,MACnB,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,YAAA;AAAA,MACd,OAAA,EAAS;AAAA,QACP,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,iBAAA,EAAkB;AAAA,QACrD,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,YAAA;AAAa,OAC7C;AAAA,MACA,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,EAAA,EAAI,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA;AAAA;AAAA,IAGxC,EAAE,MAAA,EAAQ,CAAC,cAAc,CAAA,EAAG,QAAQ,IAAA;AAAK,GAC3C;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AACP;AAAA;AAAA;AAAA;AAMF,CAAC;ACxuBM,IAAM,UAAA,GAAaA,aAAa,MAAA,CAAO;AAAA,EAC5C,IAAA,EAAM,aAAA;AAAA,EACN,KAAA,EAAO,SAAA;AAAA,EACP,WAAA,EAAa,UAAA;AAAA,EACb,IAAA,EAAM,KAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,sBAAA;AAAA,EACb,gBAAA,EAAkB,SAAA;AAAA,EAClB,SAAA,EAAW,SAAA;AAAA;AAAA,EACX,WAAA,EAAa,0BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,YAAA,EAAc,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOvD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,wBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,oCAAA;AAAA,MACR,WAAA,EAAa,2GAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,gBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA;AAAA,MAER,aAAA,EAAe,OAAA;AAAA,MACf,aAAA,EAAe,OAAA;AAAA,MACf,WAAA,EAAa,oEAAA;AAAA,MACb,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,OAAA,EAAS,CAAC,YAAA,EAAc,wBAAA,EAA0B,cAAc,YAAY,CAAA;AAAA,MAC5E,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,SAAA,EAAW,YAAA,EAAc,wBAAA,EAA0B,cAAc,YAAY,CAAA;AAAA,MACvF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,OAAA,EAASC,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAA,EAAkBA,MAAM,QAAA,CAAS;AAAA,MAC/B,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IACD,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IACD,aAAA,EAAeA,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO,SAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,sBAAA,EAAwBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MACvD,KAAA,EAAO,qBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACvC,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACxC,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,MAAA,EAAQ,IAAA;AAAA,MACR,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,iDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACrC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA;AAAM,GAC1C;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,UAAU,QAAQ,CAAA;AAAA,IAC9C,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK,KAAA;AAAA,IACL,KAAA,EAAO;AAAA;AAEX,CAAC;AC7MM,IAAM,UAAA,GAAaD,aAAa,MAAA,CAAO;AAAA,EAC5C,IAAA,EAAM,aAAA;AAAA,EACN,KAAA,EAAO,SAAA;AAAA,EACP,WAAA,EAAa,UAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,4CAAA;AAAA,EACb,WAAA,EAAa,8BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,aAAA,EAAe,SAAA,EAAW,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcxD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,oHAAA;AAAA,MACR,MAAA,EAAQ;AAAA,QACN;AAAA,UACE,IAAA,EAAM,UAAA;AAAA,UACN,KAAA,EAAO,UAAA;AAAA,UACP,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,IAAA;AAAA,UACV,OAAA,EAAS;AAAA,YACP,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,YACnC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,YACnC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,WAAA,EAAY;AAAA,YACzC,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,YACjC,EAAE,KAAA,EAAO,UAAA,EAAY,KAAA,EAAO,UAAA,EAAW;AAAA,YACvC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,YACnC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,SAAA;AAAU;AACvC;AACF;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,gBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6BAAA;AAAA,MACR,WAAA,EAAa,6IAAA;AAAA,MACb,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA,EAAK;AAAA,QACjF,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,cAAc,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AACjF;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,OAAA,EAAS,CAAC,aAAA,EAAe,YAAA,EAAc,cAAc,YAAY,CAAA;AAAA,MACjE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,aAAA,EAAe,KAAA,EAAO,OAAO,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,OAAA,EAAS,CAAC,aAAA,EAAe,SAAA,EAAW,cAAc,YAAY,CAAA;AAAA,MAC9D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,aAAA,EAAe,SAAA,EAAW,YAAA,EAAc,cAAc,YAAY,CAAA;AAAA,MAC5E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,qBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,uBAAA,EAAyBA,MAAM,QAAA,CAAS;AAAA,MACtC,KAAA,EAAO,yBAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,wBAAA,EAA0BA,MAAM,QAAA,CAAS;AAAA,MACvC,KAAA,EAAO,0BAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA,IAKD,wBAAA,EAA0BA,MAAM,QAAA,CAAS;AAAA,MACvC,KAAA,EAAO,0BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,MAAA,EAAQ,IAAA;AAAA,MACR,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACrC,EAAE,MAAA,EAAQ,CAAC,eAAe,YAAY,CAAA,EAAG,QAAQ,IAAA;AAAK,GACxD;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AChNM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,qCAAA;AAAA,EACb,WAAA,EAAa,+BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,YAAA,EAAc,YAAA,EAAc,YAAY,CAAA;AAAA,EAE1D,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACnC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA,EAAM;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,KAAA;AAAM,GAC1C;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,QAAA,EAAU,QAAQ,CAAA;AAAA,IACtC,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AClFM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,yCAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,MAAM,CAAA;AAAA;AAAA;AAAA,EAIhC,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,kCAAA;AAAA,MACR,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMd,eAAA,EAAiB,iBAAA;AAAA,MACjB,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,OAAO,MAAA;AAAO;AAClB,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,kCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA;AAAA,MAEf,SAAA,EAAW,EAAE,IAAA,EAAM,MAAA,EAAO;AAAA;AAAA;AAAA;AAAA,MAI1B,eAAA,EAAiB,iBAAA;AAAA,MACjB,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACtD,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACtD,EAAE,KAAA,EAAO,MAAA,EAAQ,cAAA,EAAgB,IAAA;AAAK;AACxC,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,kCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA,MACf,eAAA,EAAiB,iBAAA;AAAA,MACjB,WAAA,EAAa,4FAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,gBAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,sCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA,MACf,eAAA,EAAiB,iBAAA;AAAA,MACjB,cAAA,EAAgB,8BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA,MAIE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,iCAAA;AAAA,MACR,aAAA,EAAe,gBAAA;AAAA,MACf,eAAA,EAAiB,iBAAA;AAAA,MACjB,WAAA,EAAa,wEAAA;AAAA,MACb,cAAA,EAAgB,gCAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,eAAe,CAAA;AAAA,MAC3B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,MAAA,EAAQ,MAAA;AAAA,MACR,eAAA,EAAiB,iBAAA;AAAA,MACjB,WAAA,EAAa,gHAAA;AAAA,MACb,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,MAAA,EAAQ,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACpD,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,yBAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,IAAA,EAAMA,MAAM,GAAA,CAAI;AAAA,MACd,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,uCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,WAAA,EAAaA,MAAM,OAAA,CAAQ;AAAA,MACzB,KAAA,EAAO,2BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO,eAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA;AAAE,GACrB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACjPM,IAAM,SAAA,GAAYD,aAAa,MAAA,CAAO;AAAA,EAC3C,IAAA,EAAM,YAAA;AAAA,EACN,KAAA,EAAO,QAAA;AAAA,EACP,WAAA,EAAa,SAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,iCAAA;AAAA;AAAA;AAAA;AAAA,EAIb,WAAA,EAAa,oBAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,iBAAA,EAAmB,MAAM,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOtD,OAAA,EAAS;AAAA,IACP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAME,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,sCAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKR,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,UAAU,IAAA,EAAK;AAAA,QACnD,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,IAAA,EAAM,gBAAA,EAAkB,KAAA,EAAO,iBAAA;AAAkB;AACrD,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,aAAA,EAAe,UAAA;AAAA,MACf,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA,MACR,aAAA,EAAe,iBAAA;AAAA,MACf,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,uFAAA;AAAA,MACb,cAAA,EAAgB,gBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,OAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,aAAA,EAAe,UAAA;AAAA,MACf,SAAA,EAAW,EAAE,IAAA,EAAM,OAAA,EAAQ;AAAA;AAAA;AAAA,MAG3B,OAAA,EAAS,wBAAA;AAAA,MACT,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,8HAAA;AAAA,MACb,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,YAAA,EAAa;AAAA,MACjD,OAAA,EAAS,CAAC,iBAAA,EAAmB,MAAA,EAAQ,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA,EAAG;AAAA,MAC3B,UAAA,EAAY;AAAA,QACV,KAAA,EAAO,sBAAA;AAAA,QACP,OAAA,EAAS;AAAA;AACX;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA,MAIP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,MAAA,CAAO;AAAA,MACjB,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,qCAAA;AAAA,MACb,OAAA,EAAS;AAAA,QACP,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA;AAAS,OACrC;AAAA,MACA,YAAA,EAAc;AAAA,KACf;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,mBAAmB,SAAS,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACvD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACrLM,IAAM,aAAA,GAAgBD,aAAa,MAAA,CAAO;AAAA,EAC/C,IAAA,EAAM,gBAAA;AAAA,EACN,KAAA,EAAO,YAAA;AAAA,EACP,WAAA,EAAa,aAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,8CAAA;AAAA;AAAA;AAAA;AAAA,EAIb,WAAA,EAAa,wBAAA;AAAA,EACb,eAAA,EAAiB,CAAC,OAAA,EAAS,iBAAA,EAAmB,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA,EAKtD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOR,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,IAAA,EAAK;AAAA,QACjC,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA;AAAK;AAClC,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,UAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6CAAA;AAAA,MACR,aAAA,EAAe,cAAA;AAAA,MACf,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,4EAAA;AAAA,MACb,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,yCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,mBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACvD,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD,KACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,mBAAA;AAAA,MACP,IAAA,EAAM,OAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6CAAA;AAAA,MACR,aAAA,EAAe,cAAA;AAAA,MACf,OAAA,EAAS,8DAAA;AAAA,MACT,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,GAAA;AAAA,MACN,OAAA,EAAS,OAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,6CAAA;AAAA,MACR,aAAA,EAAe,cAAA;AAAA,MACf,OAAA,EAAS,8DAAA;AAAA,MACT,WAAA,EAAa,mGAAA;AAAA,MACb,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MACxE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,OAAO,CAAA;AAAA,MAC5C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MACxE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,UAAA,EAAY,CAAA;AAAA,MACnE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,oBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,OAAA,EAAS,QAAA,EAAU,mBAAmB,YAAY,CAAA;AAAA,MAC5D,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,SAAA,EAAW,UAAA,EAAY,UAAU,GAAG,CAAA;AAAA,MACxF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,OAAA,EAAS,UAAU,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MAClF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA,MAIP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,KAAA,CAAM;AAAA,MACjB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,MAAA,CAAO;AAAA,MACjB,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,gCAAA;AAAA,MACb,OAAA,EAAS;AAAA,QACP,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAA,EAAQ;AAAA,QACjC,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA;AAAS,OACrC;AAAA,MACA,YAAA,EAAc;AAAA,KACf,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,MAAA,CAAO,CAAC,WAAW,UAAA,EAAY,UAAA,EAAY,SAAA,EAAW,UAAU,CAAA,EAAG;AAAA,MAC/E,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAE;AAAA,IACpB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC5OM,IAAM,OAAA,GAAUD,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,sDAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,iBAAiB,CAAA;AAAA;AAAA;AAAA;AAAA,EAK3C,OAAA,EAAS;AAAA,IACP;AAAA;AAAA;AAAA,MAGE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,uCAAA;AAAA;AAAA;AAAA;AAAA,MAIR,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAK;AAAA,QAChC,EAAE,IAAA,EAAM,gBAAA,EAAkB,KAAA,EAAO,iBAAA;AAAkB;AACrD,KACF;AAAA,IACA;AAAA;AAAA;AAAA;AAAA,MAIE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,uCAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,SAAA,EAAW,EAAE,IAAA,EAAM,MAAA,EAAO;AAAA,MAC1B,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AACxD,KACF;AAAA,IACA;AAAA;AAAA;AAAA,MAGE,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,uCAAA;AAAA,MACR,aAAA,EAAe,QAAA;AAAA,MACf,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,oFAAA;AAAA,MACb,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,iBAAA,EAAmB,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MAC/D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MAClF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,MAAA,EAAQ,iBAAA,EAAmB,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,QAAQ,iBAAiB,CAAA,EAAG,QAAQ,IAAA;AAAK,GACtD;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACrKM,IAAM,aAAA,GAAgBD,aAAa,MAAA,CAAO;AAAA,EAC/C,IAAA,EAAM,iBAAA;AAAA,EACN,KAAA,EAAO,aAAA;AAAA,EACP,WAAA,EAAa,cAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,gDAAA;AAAA,EACb,WAAA,EAAa,wBAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,SAAA,EAAW,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA,EAKpD,OAAA,EAAS;AAAA,IACP;AAAA;AAAA,MAEE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,WAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,2CAAA;AAAA;AAAA;AAAA;AAAA,MAIR,eAAA,EAAiB,cAAA;AAAA,MACjB,cAAA,EAAgB,mBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,UAAU,IAAA,EAAK;AAAA,QACnD,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,SAAA,EAAW,UAAU,IAAA;AAAK;AACrD,KACF;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,kBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,8CAAA;AAAA,MACR,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,wEAAA;AAAA,MACb,cAAA,EAAgB,qBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,QAAA,EAAU,KAAA,EAAO,WAAW,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA,EAAK;AAAA,QACzE,EAAE,MAAM,QAAA,EAAU,KAAA,EAAO,WAAW,QAAA,EAAU,IAAA,EAAM,gBAAgB,IAAA;AAAK;AAC3E;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,SAAS,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC/C,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,UAAU,QAAQ,CAAA;AAAA,IAC9C,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC9FM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,mBAAA;AAAA,EACN,KAAA,EAAO,eAAA;AAAA,EACP,WAAA,EAAa,gBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,UAAA;AAAA,EACX,WAAA,EAAa,4IAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,MAAA,EAAQ,2BAA2B,iBAAiB,CAAA;AAAA,EAE9E,SAAA,EAAW;AAAA;AAAA;AAAA;AAAA;AAAA,IAKT,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,OAAA,EAAS,CAAC,MAAA,EAAQ,MAAA,EAAQ,mBAAmB,QAAQ,CAAA;AAAA,MACrD,IAAA,EAAM;AAAA,QACJ,WAAA,EAAa,yBAAA;AAAA,QACb,UAAA,EAAY,MAAA;AAAA,QACZ,MAAA,EAAQ,CAAC,MAAA,EAAQ,iBAAA,EAAmB,QAAQ,CAAA;AAAA,QAC5C,oBAAA,EAAsB;AAAA,OACxB;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO;AAAA,KACxC;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,SAAS,CAAC,MAAA,EAAQ,QAAQ,MAAA,EAAQ,yBAAA,EAA2B,mBAAmB,gBAAgB,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,OAAA,EAAS,CAAC,MAAA,EAAQ,MAAA,EAAQ,QAAQ,cAAc,CAAA;AAAA,MAChD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,cAAA,EAAgB,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC/C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,SAAS,CAAC,MAAA,EAAQ,QAAQ,MAAA,EAAQ,yBAAA,EAA2B,mBAAmB,QAAQ,CAAA;AAAA,MACxF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACvE,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MACxE,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA,MACxD,SAAS,CAAC,MAAA,EAAQ,QAAQ,MAAA,EAAQ,yBAAA,EAA2B,mBAAmB,QAAQ,CAAA;AAAA,MACxF,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,4DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAMA,KAAAA,CAAM,MAAA;AAAA,MACV,CAAC,SAAA,EAAW,UAAA,EAAY,YAAA,EAAc,UAAU,aAAa,CAAA;AAAA,MAC7D;AAAA,QACE,KAAA,EAAO,MAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,6DAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,uBAAA,EAAyBA,KAAAA,CAAM,MAAA,CAAO,mBAAA,EAAqB;AAAA,MACzD,KAAA,EAAO,sBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACxC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,wDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,kDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,yBAAyB,CAAA,EAAE;AAAA,IACtC,EAAE,MAAA,EAAQ,CAAC,QAAQ,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACpD,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC9MM,IAAM,qBAAA,GAAwBD,aAAa,MAAA,CAAO;AAAA,EACvD,IAAA,EAAM,0BAAA;AAAA,EACN,KAAA,EAAO,sBAAA;AAAA,EACP,WAAA,EAAa,uBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,UAAA;AAAA,EACX,WAAA,EAAa,4EAAA;AAAA,EACb,WAAA,EAAa,iCAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,kBAAA,EAAoB,6BAA6B,YAAY,CAAA;AAAA,EAE1F,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAA,EAAkBA,KAAAA,CAAM,MAAA,CAAO,mBAAA,EAAqB;AAAA,MAClD,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,2BAA2BA,KAAAA,CAAM,MAAA;AAAA,MAC/B,CAAC,QAAA,EAAU,MAAA,EAAQ,QAAQ,CAAA;AAAA,MAC3B;AAAA,QACE,KAAA,EAAO,2BAAA;AAAA,QACP,QAAA,EAAU,KAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,wFAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAA,EAAYA,MAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,0FAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,oBAAoB,SAAS,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC5FM,IAAM,SAAA,GAAYD,aAAa,MAAA,CAAO;AAAA,EAC3C,IAAA,EAAM,aAAA;AAAA,EACN,KAAA,EAAO,SAAA;AAAA,EACP,WAAA,EAAa,UAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,kCAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,iBAAiB,CAAC,MAAA,EAAQ,QAAA,EAAU,SAAA,EAAW,cAAc,SAAS,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMtE,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,gBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,+BAAA;AAAA,MACR,SAAA,EAAW,EAAE,OAAA,EAAS,IAAA,EAAK;AAAA,MAC3B,WAAA,EAAa,yEAAA;AAAA,MACb,cAAA,EAAgB,iBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAW,CAAA;AAAA,MACvB,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,+BAAA;AAAA,MACR,SAAA,EAAW,EAAE,OAAA,EAAS,KAAA,EAAM;AAAA,MAC5B,WAAA,EAAa,oFAAA;AAAA,MACb,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA;AAChB,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,QAAA,EAAU,YAAA,EAAc,gBAAgB,SAAS,CAAA;AAAA,MACnE,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACrE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,QAAA,EAAU,SAAA,EAAW,cAAc,cAAc,CAAA;AAAA,MACnE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,cAAA,EAAgB,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC/C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,QAAA,EAAU,SAAA,EAAW,cAAc,YAAY,CAAA;AAAA,MACjE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,aAAA,EAAc;AAAA,MAClD,SAAS,CAAC,MAAA,EAAQ,UAAU,SAAA,EAAW,YAAA,EAAc,gBAAgB,SAAS,CAAA;AAAA,MAC9E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,IAAA,EAAMC,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,MAAM,OAAA,CAAQ;AAAA,MACrB,KAAA,EAAO,SAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,GAAA,EAAKA,MAAM,IAAA,CAAK;AAAA,MACd,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,MAAA,EAAQ,IAAA;AAAA,MACR,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,sDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,KAAK,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAChC,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA,EAAE;AAAA,IACrB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AChNM,IAAM,YAAA,GAAeD,aAAa,MAAA,CAAO;AAAA,EAC9C,IAAA,EAAM,gBAAA;AAAA,EACN,KAAA,EAAO,YAAA;AAAA,EACP,WAAA,EAAa,wBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,uCAAA;AAAA,EACb,WAAA,EAAa,0BAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,YAAY,CAAA;AAAA,EAEzC,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,YAAA,EAAc,YAAY,CAAA;AAAA,MACpC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,SAAA,EAAW,YAAA,EAAc,YAAY,CAAA;AAAA,MAC/C,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,mBAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,gCAAA;AAAA,MACR,eAAA,EAAiB,WAAA;AAAA,MACjB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK,OAC9E;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,mCAAA;AAAA,QACP,WAAA,EAAa,gIAAA;AAAA,QACb,WAAA,EAAa,8BAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,mBAAA,EAAqB,QAAQ,QAAA,EAAS;AAAA,UAChE,EAAE,IAAA,EAAM,aAAA,EAAe,KAAA,EAAO,cAAA,EAAgB,QAAQ,WAAA;AAAY;AACpE;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,iCAAA;AAAA,MACR,eAAA,EAAiB,WAAA;AAAA,MACjB,WAAA,EAAa,oDAAA;AAAA,MACb,cAAA,EAAgB,cAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK;AAC9E,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,yBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,cAAA,EAAgB,WAAW,CAAA;AAAA,MACvC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,+CAAA;AAAA,MACR,eAAA,EAAiB,WAAA;AAAA,MACjB,WAAA,EAAa,mFAAA;AAAA,MACb,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,UAAA,EAAY,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA;AAAK,OAC9E;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,4BAAA;AAAA,QACP,WAAA,EAAa,6GAAA;AAAA,QACb,WAAA,EAAa,4BAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,aAAA,EAAe,KAAA,EAAO,cAAA,EAAgB,QAAQ,WAAA;AAAY;AACpE;AACF;AACF,GACF;AAAA,EAGA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,OAAA,CAAQ;AAAA,MACtB,KAAA,EAAO,UAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,IAAA;AAAK,GACtC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IAChD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC/JM,IAAM,aAAA,GAAgBD,aAAa,MAAA,CAAO;AAAA,EAC/C,IAAA,EAAM,iBAAA;AAAA,EACN,KAAA,EAAO,aAAA;AAAA,EACP,WAAA,EAAa,cAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA,EAGX,SAAA,EAAW;AAAA,IACT,KAAA,EAAO,WAAA;AAAA,IACP,GAAA,EAAK,EAAE,KAAA,EAAO,YAAA,EAAc,aAAa,IAAA;AAAK,GAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,kEAAA;AAAA,EACb,SAAA,EAAW,WAAA;AAAA;AAAA,EACX,WAAA,EAAa,aAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,QAAA,EAAU,aAAa,YAAY,CAAA;AAAA,EAElE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,gBAAA,EAAkBA,MAAM,MAAA,CAAO;AAAA,MAC7B,KAAA,EAAO,uBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACtC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA,EAAG,QAAQ,KAAA;AAAM,GACtC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IAChD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC/HM,IAAM,iBAAA,GAAoBD,aAAa,MAAA,CAAO;AAAA,EACnD,IAAA,EAAM,qBAAA;AAAA,EACN,KAAA,EAAO,iBAAA;AAAA,EACP,WAAA,EAAa,kBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA;AAAA;AAAA;AAAA,EAIV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,sDAAA;AAAA,EACb,SAAA,EAAW,KAAA;AAAA;AAAA,EACX,WAAA,EAAa,OAAA;AAAA,EACb,eAAA,EAAiB,CAAC,SAAA,EAAW,KAAK,CAAA;AAAA,EAElC,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,qBAAA,EAAsB;AAAA,MAC1D,OAAA,EAAS,CAAC,KAAA,EAAO,YAAY,CAAA;AAAA,MAC7B,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,KAAA,EAAO,KAAA,EAAO,OAAO,CAAA;AAAA,MACrC,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,qBAAA,EAAsB;AAAA,MAC1D,OAAA,EAAS,CAAC,SAAA,EAAW,KAAA,EAAO,YAAY,CAAA;AAAA,MACxC,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,OAAO,CAAA;AAAA,MACzE,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,IAAA,EAAM,CAAA,EAAE;AAAA,MAC1E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,eAAA,EAAiB;AAAA,MACf,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,qBAAA,EAAsB;AAAA,MAC1D,OAAA,EAAS,CAAC,SAAA,EAAW,KAAA,EAAO,cAAc,YAAY,CAAA;AAAA,MACtD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,GAAA,EAAKA,MAAM,IAAA,CAAK;AAAA,MACd,KAAA,EAAO,KAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,KAAK,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC3C,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,QAAQ,KAAA;AAAM,GACvC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACjGM,IAAM,mBAAA,GAAsBD,aAAa,MAAA,CAAO;AAAA,EACrD,IAAA,EAAM,uBAAA;AAAA,EACN,KAAA,EAAO,mBAAA;AAAA,EACP,WAAA,EAAa,oBAAA;AAAA,EACb,IAAA,EAAM,WAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,2CAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA;AAAA,EACX,WAAA,EAAa,QAAA;AAAA,EACb,eAAA,EAAiB,CAAC,MAAA,EAAQ,WAAA,EAAa,QAAQ,UAAU,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBzD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,2BAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,2CAAA;AAAA,MACR,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,gNAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,OAAA,EAAS,kBAAA;AAAA,MACT,SAAA,EAAW,EAAE,QAAA,EAAU,IAAA,EAAK;AAAA,MAC5B,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AAChF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,0BAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,2CAAA;AAAA,MACR,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,6GAAA;AAAA,MACb,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,OAAA,EAAS,iBAAA;AAAA,MACT,SAAA,EAAW,EAAE,QAAA,EAAU,KAAA,EAAM;AAAA,MAC7B,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AAChF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,4BAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,6CAAA;AAAA,MACR,eAAA,EAAiB,cAAA;AAAA,MACjB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,MAAA,EAAQ,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACxE,EAAE,IAAA,EAAM,cAAA,EAAgB,KAAA,EAAO,eAAA,EAAiB,MAAM,UAAA,EAAY,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,oDAAA,EAAqD;AAAA,QACjJ,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,kBAAA,EAAoB,IAAA,EAAM,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS;AAAA,UACvG,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,KAAA,EAAM;AAAA,UAC7B,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA,EAAS;AAAA,UACnC,EAAE,KAAA,EAAO,kBAAA,EAAoB,KAAA,EAAO,kBAAA,EAAmB;AAAA,UACvD,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,EAAO,QAAA;AAAS,SACrC;AAAE,OACJ;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,8BAAA;AAAA,QACP,WAAA,EAAa,uHAAA;AAAA,QACb,WAAA,EAAa,gCAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,kBAAA,EAAoB,KAAA,EAAO,WAAA,EAAa,QAAQ,MAAA,EAAO;AAAA,UAC/D,EAAE,IAAA,EAAM,sBAAA,EAAwB,KAAA,EAAO,eAAA,EAAiB,QAAQ,QAAA;AAAS;AAC3E;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,KAAA,EAAO,sBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,0CAAA;AAAA,MACR,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,8MAAA;AAAA,MACb,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK,OAChF;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,uBAAA;AAAA,QACP,WAAA,EAAa,gIAAA;AAAA,QACb,WAAA,EAAa,gCAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,eAAA,EAAiB,KAAA,EAAO,mBAAA,EAAqB,QAAQ,QAAA;AAAS;AACxE;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,KAAA,EAAO,0BAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,mCAAA;AAAA,MACR,eAAA,EAAiB,cAAA;AAAA,MACjB,WAAA,EAAa,2LAAA;AAAA,MACb,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,WAAA,EAAa,KAAA,EAAO,aAAa,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AAChF;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,SAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,MAAA,EAAQ,YAAY,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAK/D,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,WAAW,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAC7E,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,OAAA,EAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,QAAQ,YAAY,CAAA;AAAA,MACnD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,YAAY,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAChE,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,OAAA,EAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,QAAQ,YAAY,CAAA;AAAA,MACnD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,YAAY,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,uBAAA,EAAwB;AAAA,MAC5D,SAAS,CAAC,MAAA,EAAQ,WAAA,EAAa,MAAA,EAAQ,YAAY,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,MAAA,EAAQ,KAAA,EAAO,OAAO,CAAA;AAAA,MACtC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,GAAA,CAAI;AAAA,MACd,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,GAAA,EAAKA,MAAM,GAAA,CAAI;AAAA,MACb,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,0CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,GAAA,EAAKA,MAAM,GAAA,CAAI;AAAA,MACb,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,GAAA,CAAI;AAAA,MAChB,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,yBAAA,EAA2BA,MAAM,QAAA,CAAS;AAAA,MACxC,KAAA,EAAO,2BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,MAAA,CAAO,CAAC,OAAO,QAAA,EAAU,kBAAA,EAAoB,QAAQ,CAAA,EAAG;AAAA,MAClE,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,8DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,OAAA,CAAQ;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,0BAAA,EAA4BA,MAAM,IAAA,CAAK;AAAA,MACrC,KAAA,EAAO,4BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,QAAA,CAAS;AAAA,MACnB,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,GAAA,CAAI;AAAA,MAClB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,wBAAA,EAA0BA,MAAM,OAAA,CAAQ;AAAA,MACtC,KAAA,EAAO,0BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa,yEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,QAAA,EAAUA,MAAM,OAAA,CAAQ;AAAA,MACtB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,OAAA,CAAQ;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,MAAM,OAAA,CAAQ;AAAA,MAChC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,wDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,sBAAA,EAAwBA,MAAM,GAAA,CAAI;AAAA,MAChC,KAAA,EAAO,yBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,mCAAA,EAAqCA,MAAM,OAAA,CAAQ;AAAA,MACjD,KAAA,EAAO,sCAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,gEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAA,EAAkBA,MAAM,IAAA,CAAK;AAAA,MAC3B,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,MAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,sCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACtC,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,cAAc,CAAA;AAAE,GAC7B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC/dM,IAAM,mBAAA,GAAsBD,aAAa,MAAA,CAAO;AAAA,EACrD,IAAA,EAAM,wBAAA;AAAA,EACN,KAAA,EAAO,oBAAA;AAAA,EACP,WAAA,EAAa,qBAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,0DAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,SAAA,EAAW,YAAY,CAAA;AAAA,EAEtD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,aAAA,EAAe;AAAA,MACtC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,yBAAA,EAA2B;AAAA,MAClD,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,qBAAA,EAAuBA,MAAM,IAAA,CAAK;AAAA,MAChC,KAAA,EAAO,uBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,QAAA,CAAS;AAAA,MACxB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,0BAAA,EAA4BA,MAAM,QAAA,CAAS;AAAA,MACzC,KAAA,EAAO,2BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,MAAM,QAAA,CAAS;AAAA,MACtB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAE;AAAA,IACxB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAE;AAAA,IACzB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAE;AAAA,IACzB,EAAE,MAAA,EAAQ,CAAC,uBAAuB,CAAA;AAAE,GACtC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACvIM,IAAM,oBAAA,GAAuBD,aAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,mDAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,SAAA,EAAW,YAAY,CAAA;AAAA,EAEtD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,aAAA,EAAe;AAAA,MACtC,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,qBAAA,EAAuBA,MAAM,IAAA,CAAK;AAAA,MAChC,KAAA,EAAO,uBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,QAAA,CAAS;AAAA,MACxB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,0BAAA,EAA4BA,MAAM,QAAA,CAAS;AAAA,MACzC,KAAA,EAAO,2BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,OAAA,EAASA,MAAM,QAAA,CAAS;AAAA,MACtB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,wBAAA,EAA0BA,MAAM,QAAA,CAAS;AAAA,MACvC,KAAA,EAAO,0BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,0BAAA,EAA4BA,MAAM,QAAA,CAAS;AAAA,MACzC,KAAA,EAAO,4BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,QAAA,CAAS;AAAA,MACxB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAClC,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAE;AAAA,IACxB,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAE;AAAA,IACzB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,uBAAuB,CAAA;AAAE,GACtC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACrJM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,mBAAA;AAAA,EACN,KAAA,EAAO,eAAA;AAAA,EACP,WAAA,EAAa,gBAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,oDAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,SAAA,EAAW,QAAQ,CAAA;AAAA,EAElD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,QAAA,CAAS;AAAA,MACxB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,0BAAA,EAA4BA,MAAM,QAAA,CAAS;AAAA,MACzC,KAAA,EAAO,2BAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,QAAA,CAAS;AAAA,MACrB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAE;AAAA,IACxB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC3FM,IAAM,gBAAA,GAAmBD,aAAa,MAAA,CAAO;AAAA,EAClD,IAAA,EAAM,oBAAA;AAAA,EACN,KAAA,EAAO,gBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,qEAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,SAAA,EAAW,MAAA;AAAA,EACX,eAAA,EAAiB,CAAC,MAAA,EAAQ,YAAA,EAAc,UAAU,CAAA;AAAA,EAElD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA,IAED,gBAAA,EAAkBA,MAAM,MAAA,CAAO;AAAA,MAC7B,KAAA,EAAO,kBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,MAAM,MAAA,CAAO;AAAA,MAC9B,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,MAAM,IAAA,CAAK;AAAA,MAC5B,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,IAAA,CAAK;AAAA,MACzB,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,QAAA,CAAS;AAAA,MAC7B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iCAAA,EAAmCA,MAAM,OAAA,CAAQ;AAAA,MAC/C,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,OAAA,CAAQ;AAAA,MACtB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA,IAED,cAAA,EAAgBA,MAAM,MAAA,CAAO;AAAA,MAC3B,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,CAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA,EAAG,QAAQ,IAAA;AAAK,GACzC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AClIM,IAAM,sBAAA,GAAyBD,aAAa,MAAA,CAAO;AAAA,EACxD,IAAA,EAAM,2BAAA;AAAA,EACN,KAAA,EAAO,uBAAA;AAAA,EACP,WAAA,EAAa,wBAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,4EAAA;AAAA,EACb,eAAA,EAAiB,CAAC,WAAA,EAAa,aAAa,CAAA;AAAA,EAE5C,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA,EAAE;AAAA,IACxB,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA;AAAE,GAC5B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AChEM,IAAM,uBAAA,GAA0BD,aAAa,MAAA,CAAO;AAAA,EACzD,IAAA,EAAM,4BAAA;AAAA,EACN,KAAA,EAAO,wBAAA;AAAA,EACP,WAAA,EAAa,yBAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA,EAIX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,mEAAA;AAAA,EACb,eAAA,EAAiB,CAAC,YAAY,CAAA;AAAA,EAE9B,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACtCM,IAAM,OAAA,GAAUD,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,UAAA;AAAA,EACP,WAAA,EAAa,WAAA;AAAA,EACb,IAAA,EAAM,KAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOX,MAAA,EAAQ,EAAE,OAAA,EAAS,SAAA,EAAU;AAAA;AAAA;AAAA;AAAA,EAI7B,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,4DAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,0DAAA;AAAA,EACb,eAAA,EAAiB,CAAC,IAAA,EAAM,YAAA,EAAc,YAAY,CAAA;AAAA,EAElD,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOD,GAAA,EAAKA,MAAM,IAAA,CAAK;AAAA,MACd,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,GAAA,EAAKA,MAAM,IAAA,CAAK;AAAA,MACd,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd;AAAA,GACH;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,KAAA;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC1EM,IAAM,cAAA,GAAiBD,aAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeX,OAAA,EAAS,EAAE,OAAA,EAAS,KAAA,EAAM;AAAA,EAC1B,mBAAA,EAAqB,CAAC,0BAA0B,CAAA;AAAA;AAAA,EAEhD,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,+EAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,mFAAA;AAAA,EACb,gBAAA,EAAkB,aAAA;AAAA,EAClB,SAAA,EAAW,aAAA;AAAA;AAAA,EACX,WAAA,EAAa,eAAA;AAAA,EACb,eAAA,EAAiB,CAAC,aAAA,EAAe,QAAA,EAAU,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA,EAKnD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,KAAA,EAAO,uBAAA;AAAA,MACP,IAAA,EAAM,aAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOR,MAAA,EAAQ,iCAAA;AAAA,MACR,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,aAAA,EAAe,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,iDAAA,EAAkD;AAAA,QACtI,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,YAAA,EAAc,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,+GAAA,EAAgH;AAAA,QAC/L,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,qEAAA,EAAsE;AAAA,QACvJ,EAAE,IAAA,EAAM,UAAA,EAAY,KAAA,EAAO,WAAA,EAAa,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,yDAAA,EAA0D;AAAA,QAC1I,EAAE,IAAA,EAAM,cAAA,EAAgB,KAAA,EAAO,eAAA,EAAiB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,wDAAA,EAAyD;AAAA,QACjJ,EAAE,IAAA,EAAM,mBAAA,EAAqB,KAAA,EAAO,eAAA,EAAiB,MAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,2GAAA,EAA4G;AAAA,QAC1M,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,sBAAA,EAAwB,QAAA,EAAU,uFAAA,EAAwF;AAAA,QACzM,EAAE,IAAA,EAAM,OAAA,EAAS,KAAA,EAAO,oBAAA,EAAsB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,QAAA,EAAU,oEAAA,EAAqE;AAAA,QAChL,EAAE,IAAA,EAAM,UAAA,EAAY,KAAA,EAAO,kBAAA,EAAoB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,OAAA,EAAS,QAAA,EAAU,uDAAA,EAAwD;AAAA,QACtK,EAAE,IAAA,EAAM,SAAA,EAAW,KAAA,EAAO,iBAAA,EAAmB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,MAAA,EAAQ,QAAA,EAAU,6DAAA;AAA8D;AAC3K,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,KAAA,EAAO,wBAAA;AAAA,MACP,IAAA,EAAM,QAAA;AAAA,MACN,OAAA,EAAS,SAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,cAAc,CAAA;AAAA,MAC1B,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQR,MAAA,EAAQ,sCAAA;AAAA,MACR,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,aAAA,EAAe,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,sCAAA,EAAuC;AAAA,QAC3H,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,eAAA,EAAiB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,6EAAA,EAAyE;AAAA,QAC3J,EAAE,IAAA,EAAM,QAAA,EAAU,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,qEAAA,EAAsE;AAAA,QACvJ,EAAE,IAAA,EAAM,YAAA,EAAc,KAAA,EAAO,aAAA,EAAe,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,uFAAA,EAAmF;AAAA,QACvK,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,yBAAA,EAA2B,MAAM,UAAA,EAAY,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,2FAAA,EAAuF;AAAA,QACrL,EAAE,IAAA,EAAM,kBAAA,EAAoB,KAAA,EAAO,eAAA,EAAiB,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,wDAAA,EAA0D,QAAA,EAAU,uFAAA;AAAmF;AACzP,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,KAAA,EAAO,6BAAA;AAAA,MACP,IAAA,EAAM,OAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYR,MAAA,EAAQ,oDAAA;AAAA,MACR,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA,EAAK;AAAA,QACjF,EAAE,MAAM,QAAA,EAAU,KAAA,EAAO,UAAU,cAAA,EAAgB,IAAA,EAAM,UAAU,KAAA;AAAM,OAC3E;AAAA,MACA,YAAA,EAAc;AAAA,QACZ,KAAA,EAAO,oBAAA;AAAA,QACP,WAAA,EACE,+HAAA;AAAA,QACF,WAAA,EAAa,MAAA;AAAA,QACb,MAAA,EAAQ;AAAA,UACN,EAAE,IAAA,EAAM,eAAA,EAAiB,KAAA,EAAO,aAAA,EAAe,QAAQ,MAAA,EAAO;AAAA,UAC9D,EAAE,IAAA,EAAM,eAAA,EAAiB,KAAA,EAAO,aAAA,EAAe,QAAQ,QAAA,EAAS;AAAA,UAChE,EAAE,IAAA,EAAM,gBAAA,EAAkB,KAAA,EAAO,OAAA,EAAS,QAAQ,QAAA;AAAS;AAC7D;AACF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA;AAAA;AAAA;AAAA,MAIR,MAAA,EAAQ,sCAAA;AAAA,MACR,cAAA,EAAgB,2BAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AACnF,KACF;AAAA,IACA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,KAAA,EAAO,qBAAA;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,kCAAA;AAAA,MACR,WAAA,EAAa,+FAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,YAAA,EAAc,KAAA,EAAO,eAAe,cAAA,EAAgB,IAAA,EAAM,UAAU,IAAA;AAAK;AACnF;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,GAAA,EAAK;AAAA,MACH,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,KAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,QAAA,EAAU,QAAA,EAAU,mBAAmB,YAAY,CAAA;AAAA,MAC5E,MAAM,CAAC,EAAE,OAAO,aAAA,EAAe,KAAA,EAAO,OAAO,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA,EAAG;AAAA;AAAA;AAAA;AAAA,MAI3B,UAAA,EAAY;AAAA,QACV,KAAA,EAAO,sBAAA;AAAA,QACP,OAAA,EAAS,sPAAA;AAAA,QACT,IAAA,EAAM;AAAA;AACR;AACF,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,KAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAE/E,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,4DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,gBAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,iDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,OAAA,CAAQ;AAAA,MAC7B,KAAA,EAAO,iBAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EACE,8QAAA;AAAA,MACF,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,4EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,mCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,IAAA,CAAK;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,kDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAC1G,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU;AAAA,GAC5G;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA,EAAE;AAAA,IACrB,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA;AAAA,IAIZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AClRM,IAAM,eAAA,GAAkBD,aAAa,MAAA,CAAO;AAAA,EACjD,IAAA,EAAM,mBAAA;AAAA,EACN,KAAA,EAAO,eAAA;AAAA,EACP,WAAA,EAAa,gBAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQX,mBAAA,EAAqB,CAAC,0BAA0B,CAAA;AAAA;AAAA,EAEhD,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,MAAA;AAAA,IACN,MAAA,EAAQ,gFAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,0GAAA;AAAA,EACb,gBAAA,EAAkB,aAAA;AAAA,EAClB,SAAA,EAAW,aAAA;AAAA;AAAA,EACX,WAAA,EAAa,eAAA;AAAA,EACb,eAAA,EAAiB,CAAC,aAAA,EAAe,iBAAiB,CAAA;AAAA,EAElD,SAAA,EAAW;AAAA,IACT,GAAA,EAAK;AAAA,MACH,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,KAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,mBAAA,EAAoB;AAAA;AAAA,MAExD,OAAA,EAAS,CAAC,aAAA,EAAe,iBAAA,EAAmB,YAAY,CAAA;AAAA,MACxD,MAAM,CAAC,EAAE,OAAO,aAAA,EAAe,KAAA,EAAO,OAAO,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,KAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAE/E,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,mIAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,IAAA,CAAK;AAAA,MAC1B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oEAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAC1G,UAAA,EAAYA,KAAAA,CAAM,QAAA,CAAS,EAAE,KAAA,EAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU;AAAA,GAC5G;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACxC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA;AAAE,GACxB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA;AAAA,IAIZ,UAAA,EAAY,CAAC,MAAM,CAAA;AAAA,IACnB,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC","file":"index.mjs","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user — System User Object\n *\n * Canonical user identity record for the ObjectStack platform.\n * Backed by better-auth's `user` model with ObjectStack field conventions.\n *\n * Field order drives default list/form layout: identity first, then profile,\n * then system-managed audit fields (hidden from create/edit forms).\n *\n * @namespace sys\n */\nexport const SysUser = ObjectSchema.create({\n name: 'sys_user',\n label: 'User',\n pluralLabel: 'Users',\n icon: 'user',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0092 D4 — the ONE generic affordance opened on an identity table:\n // standard row editing. Safe because the plugin-auth identity write guard\n // (ADR-0092 D2) enforces the profile whitelist server-side — a user-context\n // update may only touch SYS_USER_PROFILE_EDIT_FIELDS ({name, image});\n // everything else is stripped/rejected regardless of what a form submits.\n // The permission layer still decides WHO may edit (platform admins only by\n // default; member/org-admin sets keep allowEdit: false). create / import /\n // delete stay bucket-default (off).\n userActions: { edit: true },\n // ADR-0010 §3.7 — identity table is managed by better-auth; schema must not drift.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'User accounts for authentication',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'email', 'email_verified'],\n\n // Custom actions — generic CRUD is suppressed because user accounts are\n // managed by better-auth, but we still need first-class affordances for\n // common operations. Each action delegates to a Console-side named script\n // registered on the ActionRunner (see objectui `AppContent.tsx`). Adding\n // new affordances (reset password, revoke session, …) is now a pure\n // schema + script-registration change — no per-view code.\n actions: [\n {\n name: 'invite_user',\n label: 'Invite User',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/invite-member',\n // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the\n // better-auth organization plugin is always mounted, and single-org\n // mode now bootstraps a Default Organization (plugin-auth) so the\n // endpoint's active-org resolution works there too. This is THE\n // \"add a teammate\" affordance — the Users list is always reachable —\n // and every add flows through better-auth invitations, never bespoke\n // sys_user CRUD.\n requiresFeature: 'organization',\n successMessage: 'Invitation sent',\n refreshAfter: true,\n params: [\n { field: 'email', required: true },\n { field: 'role', objectOverride: 'sys_member', required: true },\n ],\n },\n\n // ── Platform admin operations (require better-auth `admin` plugin) ─\n //\n // These actions hit /api/v1/auth/admin/* endpoints that are only\n // wired when `auth.plugins.admin` is enabled, so each one is gated on\n // `requiresFeature: 'admin'` (#2874) — when the plugin is off the UI\n // hides them instead of rendering buttons that 404. SCIM deployments\n // keep them: SCIM forces the admin plugin (and `features.admin`) on\n // (ADR-0071). UI surfaces them under the row menu AND the\n // record-detail header (`record_header`, overflowing into the ⋯\n // \"More\" menu) so platform admins can manage an account from either\n // the Users list or an open user record — without dropping to SQL or\n // a custom Setup wizard.\n {\n name: 'ban_user',\n label: 'Ban User',\n icon: 'ban',\n variant: 'danger',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/ban-user',\n requiresFeature: 'admin',\n recordIdParam: 'userId',\n successMessage: 'User banned',\n refreshAfter: true,\n confirmText: 'Ban this user? They will be signed out and unable to sign in until unbanned.',\n params: [\n { name: 'banReason', label: 'Ban Reason', type: 'text', required: false },\n ],\n },\n {\n name: 'unban_user',\n label: 'Unban User',\n icon: 'check-circle-2',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/unban-user',\n requiresFeature: 'admin',\n recordIdParam: 'userId',\n successMessage: 'User unbanned',\n refreshAfter: true,\n },\n {\n // ADR-0069 D2 — clear a brute-force lockout early (locked_until auto-\n // expires, but an admin can release a user immediately). Hits the\n // plugin-auth custom route, which is admin-guarded server-side.\n name: 'unlock_user',\n label: 'Unlock Account',\n icon: 'lock-open',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/unlock-user',\n requiresFeature: 'admin',\n recordIdParam: 'userId',\n successMessage: 'Account unlocked',\n refreshAfter: true,\n },\n {\n // #2766 V1 — a platform admin can add a login-capable teammate without\n // the email-dependent invite flow. Hits the plugin-auth wrapper route\n // (NOT better-auth's stock /admin/create-user): the wrapper runs the\n // ADR-0068 admin gate, drives the better-auth pipeline (scrypt hash +\n // credential sys_account), stamps must_change_password, and — when\n // \"Generate temporary password\" is picked — returns the password ONCE\n // in the response for the result dialog. It is never persisted or logged.\n name: 'create_user',\n label: 'Create User',\n icon: 'user-plus',\n variant: 'secondary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/admin/create-user',\n requiresFeature: 'admin',\n successMessage: 'User created',\n refreshAfter: true,\n params: [\n // The endpoint requires email OR phone (phone-only users get a\n // placeholder address; requires auth.plugins.phoneNumber).\n { field: 'email', required: false },\n {\n name: 'phoneNumber',\n label: 'Phone Number',\n type: 'text',\n required: false,\n helpText: 'Sign-in phone number (E.164, e.g. +8613800000000). Required when no email is given.',\n // Only offer phone when the opt-in phoneNumber auth plugin is loaded —\n // otherwise the create-user endpoint rejects a phone with\n // \"Phone numbers require the phoneNumber auth plugin\". `features.phoneNumber`\n // is served in /api/v1/auth/config (getPublicConfig).\n requiresFeature: 'phoneNumber',\n },\n { field: 'name', required: false },\n {\n name: 'generatePassword',\n label: 'Generate Temporary Password',\n type: 'boolean',\n required: false,\n defaultValue: true,\n },\n { name: 'password', label: 'Password (leave empty to generate)', type: 'text', required: false },\n {\n name: 'mustChangePassword',\n label: 'Require Password Change On First Login',\n type: 'boolean',\n required: false,\n defaultValue: true,\n },\n ],\n resultDialog: {\n title: 'User Created',\n description:\n 'Copy the temporary password now — it is shown only once and never stored.',\n acknowledge: 'I have saved this password',\n fields: [\n { path: 'user.email', label: 'Email', format: 'text' },\n { path: 'temporaryPassword', label: 'Temporary Password', format: 'secret' },\n ],\n },\n },\n {\n name: 'set_user_password',\n label: 'Set Password',\n icon: 'key-round',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n // #2766 V1 — same path as better-auth's stock route, but served by the\n // plugin-auth wrapper registered ahead of the catch-all: it accepts the\n // ADR-0068 platform-admin signals (the stock handler only honors the\n // legacy role scalar), can mint a temporary password, and stamps\n // must_change_password.\n target: '/api/v1/auth/admin/set-user-password',\n requiresFeature: 'admin',\n recordIdParam: 'userId',\n successMessage: 'Password updated',\n refreshAfter: false,\n params: [\n {\n name: 'generatePassword',\n label: 'Generate Temporary Password',\n type: 'boolean',\n required: false,\n defaultValue: false,\n },\n { name: 'newPassword', label: 'New Password (leave empty to generate)', type: 'text', required: false },\n {\n name: 'mustChangePassword',\n label: 'Require Password Change On Next Login',\n type: 'boolean',\n required: false,\n defaultValue: true,\n },\n ],\n resultDialog: {\n title: 'Password Updated',\n description:\n 'If a temporary password was generated, copy it now — it is shown only once and never stored.',\n acknowledge: 'Done',\n fields: [\n { path: 'temporaryPassword', label: 'Temporary Password', format: 'secret' },\n ],\n },\n },\n {\n name: 'set_user_role',\n label: 'Set Platform Role',\n icon: 'shield-check',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/set-role',\n requiresFeature: 'admin',\n recordIdParam: 'userId',\n successMessage: 'Role updated',\n refreshAfter: true,\n params: [\n { name: 'role', label: 'Platform Role', type: 'text', required: true },\n ],\n },\n {\n name: 'impersonate_user',\n label: 'Impersonate User',\n icon: 'user-cog',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/admin/impersonate-user',\n requiresFeature: 'admin',\n recordIdParam: 'userId',\n successMessage: 'Now impersonating user',\n refreshAfter: true,\n confirmText: 'Start an impersonation session for this user? Use only for legitimate support cases — actions will be logged.',\n },\n\n // ── Self-service actions (the row owner only) ─────────────────────\n //\n // These four actions are the \"account settings\" surfaces the standalone\n // Account SPA used to own (`/account/profile`, `/account/security`).\n // They are visible only when the current row is the signed-in user —\n // i.e. opened from the user's own detail page or a \"My Account\" view —\n // via the `visible` CEL predicate. Admin equivalents (set_user_password\n // for any account) are above and stay separate.\n {\n name: 'update_my_profile',\n label: 'Update Profile',\n icon: 'user-pen',\n variant: 'primary',\n mode: 'edit',\n locations: ['record_header'],\n type: 'api',\n target: '/api/v1/auth/update-user',\n visible: 'record.id == ctx.user.id',\n successMessage: 'Profile updated',\n refreshAfter: true,\n params: [\n { field: 'name', required: false, defaultFromRow: true },\n { field: 'image', required: false, defaultFromRow: true },\n ],\n },\n {\n name: 'change_my_password',\n label: 'Change Password',\n icon: 'key',\n variant: 'secondary',\n locations: ['record_header', 'record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/change-password',\n // Managed (IdP-provisioned) users hold no local credential — hide the\n // password form so they can't self-mint a password that bypasses\n // enforced SSO. The break-glass owner (env-native, or flipped back when\n // their break-glass password is set) keeps it. ADR-0024 D4/D5.2.\n visible: 'record.id == ctx.user.id && record.source != \"idp_provisioned\"',\n successMessage: 'Password changed',\n refreshAfter: false,\n params: [\n { name: 'currentPassword', label: 'Current Password', type: 'text', required: true },\n { name: 'newPassword', label: 'New Password', type: 'text', required: true },\n { name: 'revokeOtherSessions', label: 'Sign out other devices', type: 'boolean', required: false, defaultValue: true },\n ],\n },\n {\n name: 'change_my_email',\n label: 'Change Email',\n icon: 'mail',\n variant: 'secondary',\n locations: ['record_header', 'record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/change-email',\n // A managed user's email is owned by the IdP — a local change would\n // desync. Hide for IdP-provisioned; env-native users keep it.\n visible: 'record.id == ctx.user.id && record.source != \"idp_provisioned\"',\n successMessage: 'Verification email sent — check the new address to confirm.',\n refreshAfter: false,\n params: [\n { name: 'newEmail', label: 'New Email', type: 'email', required: true },\n ],\n },\n {\n name: 'resend_verification_email',\n label: 'Resend Verification Email',\n icon: 'mail-check',\n variant: 'secondary',\n locations: ['record_header', 'record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/send-verification-email',\n // Only render for the row owner AND when their email is still\n // unverified — there's nothing to resend once verified.\n visible: 'record.id == ctx.user.id && record.email_verified == false',\n successMessage: 'Verification email sent — check your inbox.',\n refreshAfter: false,\n params: [],\n },\n {\n name: 'delete_my_account',\n label: 'Delete My Account',\n icon: 'user-x',\n variant: 'danger',\n mode: 'delete',\n locations: ['record_more', 'record_section'],\n type: 'api',\n target: '/api/v1/auth/delete-user',\n // Self-delete needs a local password; managed users are deprovisioned\n // via the IdP (org-removal / SCIM), not local self-service. Hide for them.\n visible: 'record.id == ctx.user.id && record.source != \"idp_provisioned\"',\n confirmText: 'Permanently delete your account? This cannot be undone — all your sessions will be terminated and all data you own will be removed per the configured retention policy.',\n successMessage: 'Account deleted',\n refreshAfter: false,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n // ── Two-factor authentication ─────────────────────────────────\n // Enable flow returns { totpURI, backupCodes } — surfacing those\n // safely needs a QR + verify UI that the generic action engine\n // can't render yet. We still expose it so the API call works\n // and the success toast displays the otpauth:// URI that users\n // can manually add to an authenticator app as a fallback.\n {\n name: 'enable_two_factor',\n label: 'Enable Two-Factor Auth',\n icon: 'shield-plus',\n variant: 'primary',\n locations: ['record_section'],\n type: 'api',\n target: '/api/v1/auth/two-factor/enable',\n visible: 'record.id == ctx.user.id && record.two_factor_enabled != true',\n requiresFeature: 'twoFactor',\n successMessage: 'Two-factor authentication enabled. Scan the QR code or paste the otpauth URI into your authenticator app, then verify a code to complete setup.',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n {\n name: 'disable_two_factor',\n label: 'Disable Two-Factor Auth',\n icon: 'shield-off',\n variant: 'danger',\n locations: ['record_section'],\n type: 'api',\n target: '/api/v1/auth/two-factor/disable',\n visible: 'record.id == ctx.user.id && record.two_factor_enabled == true',\n requiresFeature: 'twoFactor',\n confirmText: 'Turn off two-factor authentication? Your account will be less secure.',\n successMessage: 'Two-factor authentication disabled.',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n {\n name: 'generate_backup_codes',\n label: 'Regenerate Backup Codes',\n icon: 'list-restart',\n variant: 'secondary',\n locations: ['record_section'],\n type: 'api',\n target: '/api/v1/auth/two-factor/generate-backup-codes',\n visible: 'record.id == ctx.user.id && record.two_factor_enabled == true',\n requiresFeature: 'twoFactor',\n confirmText: 'Generate a new set of backup codes? Any previously generated codes will stop working.',\n successMessage: 'New backup codes generated — save them somewhere safe.',\n refreshAfter: false,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n ],\n\n listViews: {\n // Self-service profile entry — surfaced by the Account App so every\n // authenticated user can view / edit their own basic profile (name,\n // email, avatar). Filtered to a single row (the caller) via the\n // `{current_user_id}` template variable; RLS additionally enforces\n // that non-admins cannot read other users' rows.\n me: {\n type: 'grid',\n name: 'me',\n label: 'My Profile',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'email_verified', 'two_factor_enabled', 'updated_at'],\n filter: [{ field: 'id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 1 },\n },\n all_users: {\n type: 'grid',\n name: 'all_users',\n label: 'All Users',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'email_verified', 'source', 'two_factor_enabled', 'created_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n unverified: {\n type: 'grid',\n name: 'unverified',\n label: 'Unverified',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'created_at'],\n filter: [{ field: 'email_verified', operator: 'equals', value: false }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n two_factor: {\n type: 'grid',\n name: 'two_factor',\n label: '2FA Enabled',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'two_factor_enabled', 'updated_at'],\n filter: [{ field: 'two_factor_enabled', operator: 'equals', value: true }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n banned: {\n type: 'grid',\n name: 'banned',\n label: 'Banned',\n data: { provider: 'object', object: 'sys_user' },\n columns: ['name', 'email', 'banned', 'ban_reason', 'ban_expires'],\n filter: [{ field: 'banned', operator: 'equals', value: true }],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity (primary business fields) ───────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n // ADR-0092 D4 — with the generic edit affordance open, every non-profile\n // field is readonly so the standard edit form renders it non-editable.\n // This is UX only; the server boundary is the plugin-auth identity write\n // guard (ADR-0092 D2), which strips/rejects these regardless.\n email: Field.email({\n label: 'Email',\n required: true,\n readonly: true, // login identity — change flows through better-auth change-email verification\n searchable: true,\n group: 'Identity',\n }),\n\n email_verified: Field.boolean({\n label: 'Email Verified',\n defaultValue: false,\n readonly: true,\n group: 'Identity',\n }),\n\n two_factor_enabled: Field.boolean({\n label: 'Two-Factor Enabled',\n defaultValue: false,\n readonly: true,\n group: 'Identity',\n description: 'Whether two-factor authentication is enabled for this user. Maintained by the better-auth `twoFactor` plugin.',\n }),\n\n // ── Admin (managed by better-auth `admin` plugin when enabled) ───\n role: Field.text({\n label: 'Platform Role',\n required: false,\n readonly: true, // ADR-0092 — set via the Set Platform Role action, never the edit form\n maxLength: 64,\n group: 'Admin',\n description: 'Platform-level role (admin, user, …). Set via the Set Platform Role action.',\n }),\n\n banned: Field.boolean({\n label: 'Banned',\n defaultValue: false,\n readonly: true, // ADR-0092 — toggled via Ban/Unban actions (session side effects)\n group: 'Admin',\n description: 'When true, the user cannot sign in. Toggle via Ban User / Unban User actions.',\n }),\n\n ban_reason: Field.text({\n label: 'Ban Reason',\n required: false,\n readonly: true, // ADR-0092 — written by the Ban User action\n maxLength: 255,\n group: 'Admin',\n }),\n\n ban_expires: Field.datetime({\n label: 'Ban Expires',\n required: false,\n readonly: true, // ADR-0092 — written by the Ban User action\n group: 'Admin',\n description: 'When set, the ban auto-clears at this time.',\n }),\n\n // ── Anti-brute-force (ADR-0069 D2) — owned by objectql, better-auth is\n // oblivious. The auth manager's sign-in hooks maintain these: failures\n // increment the counter; crossing `lockout_threshold` stamps\n // `locked_until`; a successful sign-in resets both. Admins can clear\n // them early via the Unlock action.\n failed_login_count: Field.number({\n label: 'Failed Login Count',\n required: false,\n defaultValue: 0,\n readonly: true,\n group: 'Admin',\n description: 'Consecutive failed sign-in attempts; reset to 0 on success. Maintained by the auth manager.',\n }),\n\n locked_until: Field.datetime({\n label: 'Locked Until',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'When set and in the future, sign-in is rejected (brute-force lockout). Auto-clears past this time; an admin can clear it early via Unlock.',\n }),\n\n // ADR-0069 D1 — last password change; drives password-expiry enforcement.\n // Stamped on sign-up / change-password / reset-password. Null = never\n // expires (until the user next changes their password).\n password_changed_at: Field.datetime({\n label: 'Password Changed At',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'Timestamp of the last password change. Backs password_expiry_days; system-managed.',\n }),\n\n // #2766 V1.5 — phone-number sign-in identifier (better-auth phoneNumber\n // plugin, mapped via buildPhoneNumberPluginSchema). Unique when present;\n // null for email-only accounts. Written through better-auth, not CRUD.\n phone_number: Field.text({\n label: 'Phone Number',\n required: false,\n readonly: true,\n searchable: true,\n maxLength: 32,\n group: 'Account',\n description:\n 'Sign-in phone number (E.164 recommended). Unique per user; managed by ' +\n 'better-auth when the phoneNumber plugin is enabled.',\n }),\n\n phone_number_verified: Field.boolean({\n label: 'Phone Verified',\n defaultValue: false,\n readonly: true,\n group: 'Account',\n description:\n 'Whether the phone number has been verified (OTP verification requires ' +\n 'SMS infrastructure; false until that ships). System-managed.',\n }),\n\n // #2766 V1 — admin-issued \"must change password on next sign-in\" flag.\n // Set by the /admin/create-user and /admin/set-user-password routes when\n // a temporary password is issued; enforced through the ADR-0069 authGate\n // (surfaces as PASSWORD_EXPIRED); cleared by stampPasswordChangedAt once\n // the user completes a password change.\n must_change_password: Field.boolean({\n label: 'Must Change Password',\n defaultValue: false,\n readonly: true,\n group: 'Admin',\n description:\n 'When true, the user is blocked (403 PASSWORD_EXPIRED) until they change ' +\n 'their password. Stamped by the admin user-management routes; system-managed.',\n }),\n\n // ADR-0069 D3 — when enforced MFA first applied to this user; starts the\n // grace clock. Stamped lazily at session validation; system-managed.\n mfa_required_at: Field.datetime({\n label: 'MFA Required At',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'When enforced MFA first applied to this user (grace-period clock). Backs mfa_required; system-managed.',\n }),\n\n // ADR-0069 D7 — login audit. Stamped on every successful `/sign-in/email`\n // by the auth manager's after-hook (independent of lockout config). Backs\n // the admin \"last seen\" surface + anomaly review; system-managed, read-only.\n last_login_at: Field.datetime({\n label: 'Last Login At',\n required: false,\n readonly: true,\n group: 'Admin',\n description: 'Timestamp of the last successful sign-in. Stamped by the auth manager; system-managed.',\n }),\n\n last_login_ip: Field.text({\n label: 'Last Login IP',\n required: false,\n readonly: true,\n maxLength: 45, // IPv6 max textual length\n group: 'Admin',\n description: 'Client IP of the last successful sign-in (from the trusted proxy forwarded header). System-managed.',\n }),\n\n ai_access: Field.boolean({\n label: 'AI Access',\n defaultValue: false,\n readonly: true, // ADR-0092 — a licensed-seat grant; flows through the AiSeatPlugin enforcement path\n group: 'Admin',\n description:\n 'Whether this user holds an AI seat — grants access to the in-UI AI ' +\n 'agents (build / ask). The framework synthesizes the `ai_seat` ' +\n 'capability from this flag (plugin-hono-server resolveCtx). Assignment ' +\n 'is capped by the licensed / purchased seat count (enforced by ' +\n '@objectstack/security-enterprise AiSeatPlugin). Owned by objectql ' +\n '(better-auth is oblivious to this column).',\n }),\n\n // ── Profile ──────────────────────────────────────────────────\n image: Field.url({\n label: 'Profile Image',\n required: false,\n group: 'Profile',\n }),\n\n // ── Organization ─────────────────────────────────────────────\n manager_id: Field.lookup('sys_user', {\n label: 'Manager',\n required: false,\n readonly: true, // ADR-0092 — drives own_and_reports RLS scope; org-structure maintenance is its own surface\n group: 'Organization',\n description: \"This user's direct manager. Forms the reporting chain the `own_and_reports` hierarchy scope walks (ADR-0057 / @objectstack/security-enterprise).\",\n }),\n\n primary_business_unit_id: Field.lookup('sys_business_unit', {\n label: 'Primary Business Unit',\n required: false,\n readonly: true, // ADR-0092 — denormalised projection maintained by plugin-sharing; never hand-edited\n group: 'Organization',\n description: \"The user's primary business unit — a denormalised projection of sys_business_unit_member.is_primary, maintained by plugin-sharing (ADR-0057 addendum D12). Lets a user-lookup filter candidates by business unit without traversing the membership junction. Do not edit directly; set it via business-unit membership.\",\n }),\n\n // ── System (auto-managed, hidden from create/edit forms) ─────\n // Identity provenance (ADR-0024 D4). `idp_provisioned` users were\n // JIT-created on first federated login (a `sys_account` exists for an\n // external/OIDC provider — e.g. the cloud-as-IdP `objectstack-cloud`\n // provider, or a customer's own IdP); `env_native` users registered\n // locally (email/password) or are app end-users. Stamped automatically by\n // the AuthManager `account.create.after` hook — never edited by hand.\n // Drives the managed-vs-native user-mgmt UI gating (the password /\n // identity-edit actions hide for managed users, who hold no local\n // credential) and is the marker SCIM lifecycle keys off. Owned by objectql\n // (better-auth is oblivious to this column — like `ai_access`).\n source: Field.select({\n label: 'Identity Source',\n required: false,\n readonly: true,\n group: 'System',\n defaultValue: 'env_native',\n options: [\n { label: 'IdP-Provisioned', value: 'idp_provisioned' },\n { label: 'Env-Native', value: 'env_native' },\n ],\n description: 'How this identity was created — idp_provisioned (federated SSO JIT) or env_native (local signup / app end-user). System-managed; do not edit.',\n }),\n\n id: Field.text({\n label: 'User ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['email'], unique: true },\n { fields: ['created_at'], unique: false },\n // #2766 V1.5 — phone sign-in identifier; unique when present (null for\n // email-only accounts), also the upsert match key for identity import.\n { fields: ['phone_number'], unique: true },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n\n // Email uniqueness is enforced by the unique index above (and better-auth's\n // managed user table). A declarative `unique` validation rule is intentionally\n // not used — uniqueness needs a DB lookup, not a synchronous validation, so it\n // is not one of the declarable validation-rule types.\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_session — System Session Object\n *\n * Active user session record for the ObjectStack platform.\n * Backed by better-auth's `session` model with ObjectStack field conventions.\n *\n * The `token` field is hidden by default — sessions are managed by the\n * auth plugin, not edited manually. Admins see session metadata\n * (user, expiry, IP, active context) without exposing the token value.\n *\n * @namespace sys\n */\nexport const SysSession = ObjectSchema.create({\n name: 'sys_session',\n label: 'Session',\n pluralLabel: 'Sessions',\n icon: 'key',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Active user sessions',\n displayNameField: 'user_id',\n nameField: 'user_id', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: 'Session — {user_id}',\n highlightFields: ['user_id', 'ip_address', 'expires_at'],\n\n // Custom actions — sessions are managed by better-auth (generic CRUD\n // suppressed). \"Sign out other devices\" is the high-value self-service\n // affordance every IdP exposes. Maps to better-auth's\n // `revoke-other-sessions` endpoint which terminates every session for\n // the current user except the one making the request.\n actions: [\n {\n name: 'revoke_my_other_sessions',\n label: 'Sign out other devices',\n icon: 'log-out',\n variant: 'danger',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/revoke-other-sessions',\n confirmText: 'Sign out of every other device where you\\'re currently logged in? Your current session will remain active.',\n successMessage: 'All other sessions revoked',\n refreshAfter: true,\n },\n {\n name: 'revoke_session',\n label: 'Revoke Session',\n icon: 'log-out',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/revoke-session',\n // better-auth `revoke-session` keys off the session token, not the id.\n recordIdParam: 'token',\n recordIdField: 'token',\n confirmText: 'Revoke this session? The user will be signed out from that device.',\n successMessage: 'Session revoked',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Sessions',\n data: { provider: 'object', object: 'sys_session' },\n columns: ['ip_address', 'active_organization_id', 'created_at', 'expires_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_sessions: {\n type: 'grid',\n name: 'all_sessions',\n label: 'All',\n data: { provider: 'object', object: 'sys_session' },\n columns: ['user_id', 'ip_address', 'active_organization_id', 'created_at', 'expires_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Session owner & expiry ──────────────────────────────────\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n searchable: true,\n group: 'Session',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n group: 'Session',\n }),\n\n // ── ADR-0069 D4 — session controls (idle / absolute / revoke) ──\n last_activity_at: Field.datetime({\n label: 'Last Activity At',\n required: false,\n readonly: true,\n group: 'Session',\n description: 'Timestamp of the last request on this session; drives idle-timeout. System-managed.',\n }),\n revoked_at: Field.datetime({\n label: 'Revoked At',\n required: false,\n readonly: true,\n group: 'Session',\n description: 'When set, this session was revoked (idle / absolute-max / concurrent-cap / admin). System-managed.',\n }),\n revoke_reason: Field.text({\n label: 'Revoke Reason',\n required: false,\n maxLength: 64,\n readonly: true,\n group: 'Session',\n description: 'Why the session was revoked (idle_timeout, absolute_max, concurrent_cap, …).',\n }),\n\n // ── Active context (multi-org/team) ──────────────────────────\n active_organization_id: Field.lookup('sys_organization', {\n label: 'Active Organization',\n required: false,\n group: 'Context',\n }),\n\n active_team_id: Field.lookup('sys_team', {\n label: 'Active Team',\n required: false,\n group: 'Context',\n }),\n\n // ── Client fingerprint ───────────────────────────────────────\n ip_address: Field.text({\n label: 'IP Address',\n required: false,\n maxLength: 45, // Support IPv6\n group: 'Client',\n }),\n\n user_agent: Field.textarea({\n label: 'User Agent',\n required: false,\n group: 'Client',\n }),\n\n // ── Admin (managed by better-auth `admin` plugin) ────────────\n impersonated_by: Field.lookup('sys_user', {\n label: 'Impersonated By',\n required: false,\n group: 'Admin',\n description: 'User id of the admin that started this impersonation session, if any.',\n }),\n\n // ── Secret (hidden by default) ──────────────────────────────\n token: Field.text({\n label: 'Session Token',\n required: true,\n hidden: true,\n readonly: true,\n description: 'Opaque session token — never exposed in UI',\n group: 'Secret',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Session ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['user_id'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'delete'],\n trash: false,\n mru: false,\n clone: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_account — System Account Object\n *\n * OAuth / credential provider account record.\n * Backed by better-auth's `account` model with ObjectStack field conventions.\n *\n * @namespace sys\n */\nexport const SysAccount = ObjectSchema.create({\n name: 'sys_account',\n label: 'Account',\n pluralLabel: 'Accounts',\n icon: 'link',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'OAuth and authentication provider accounts',\n titleFormat: '{provider_id} - {account_id}',\n highlightFields: ['provider_id', 'user_id', 'account_id'],\n\n // Custom actions — sysadmins routinely need to revoke a user's OAuth\n // link (e.g. when an SSO provider is decommissioned or the user\n // requests it). Better-auth exposes `/unlink-account { providerId,\n // accountId }` for this. The form is locked to the row's values so\n // it acts as a one-click confirmation rather than a free-form edit.\n //\n // `link_social` is the self-service counterpart — a toolbar action\n // that redirects the browser to better-auth's social sign-in endpoint\n // with a callbackURL pointing back to the linked-accounts view. The\n // endpoint sets the link cookie and OAuth-dances through the provider,\n // which is why it's `type: 'url'` (full page navigation) rather than\n // `type: 'api'` (XHR — would block on CORS / 302).\n actions: [\n {\n name: 'link_social',\n label: 'Link Social Account',\n icon: 'link-2',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'url',\n target: '/api/v1/auth/sign-in/social?provider=${param.provider}&callbackURL=${ctx.origin}/_console/apps/account/sys_account',\n params: [\n {\n name: 'provider',\n label: 'Provider',\n type: 'select',\n required: true,\n options: [\n { label: 'Google', value: 'google' },\n { label: 'GitHub', value: 'github' },\n { label: 'Microsoft', value: 'microsoft' },\n { label: 'Apple', value: 'apple' },\n { label: 'Facebook', value: 'facebook' },\n { label: 'GitLab', value: 'gitlab' },\n { label: 'Discord', value: 'discord' },\n ],\n },\n ],\n },\n {\n name: 'unlink_account',\n label: 'Unlink Account',\n icon: 'unlink',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/unlink-account',\n confirmText: 'Unlink this identity link? The user will no longer be able to sign in with this provider until they re-link it from their account settings.',\n successMessage: 'Identity link removed',\n refreshAfter: true,\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n { name: 'accountId', field: 'account_id', defaultFromRow: true, required: true },\n ],\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Links',\n data: { provider: 'object', object: 'sys_account' },\n columns: ['provider_id', 'account_id', 'created_at', 'updated_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'provider_id', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_provider: {\n type: 'grid',\n name: 'by_provider',\n label: 'By Provider',\n data: { provider: 'object', object: 'sys_account' },\n columns: ['provider_id', 'user_id', 'account_id', 'created_at'],\n sort: [{ field: 'provider_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'provider_id', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_links: {\n type: 'grid',\n name: 'all_links',\n label: 'All',\n data: { provider: 'object', object: 'sys_account' },\n columns: ['provider_id', 'user_id', 'account_id', 'created_at', 'updated_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n \n fields: {\n id: Field.text({\n label: 'Account ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n description: 'OAuth provider identifier (google, github, etc.)',\n }),\n \n account_id: Field.text({\n label: 'Provider Account ID',\n required: true,\n description: \"User's ID in the provider's system\",\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Link to user table',\n }),\n \n access_token: Field.textarea({\n label: 'Access Token',\n required: false,\n }),\n \n refresh_token: Field.textarea({\n label: 'Refresh Token',\n required: false,\n }),\n \n id_token: Field.textarea({\n label: 'ID Token',\n required: false,\n }),\n \n access_token_expires_at: Field.datetime({\n label: 'Access Token Expires At',\n required: false,\n }),\n \n refresh_token_expires_at: Field.datetime({\n label: 'Refresh Token Expires At',\n required: false,\n }),\n \n scope: Field.text({\n label: 'OAuth Scope',\n required: false,\n }),\n \n password: Field.text({\n label: 'Password Hash',\n required: false,\n description: 'Hashed password for email/password provider',\n }),\n\n // ADR-0069 D1 — bounded ring of previous password hashes (JSON array of\n // strings), used to reject password reuse on change/reset. Maintained by\n // the auth manager; never exposed in UI.\n previous_password_hashes: Field.textarea({\n label: 'Previous Password Hashes',\n required: false,\n readonly: true,\n hidden: true,\n description: 'JSON array of prior password hashes (bounded by password_history_count); reuse-prevention only. System-managed.',\n }),\n },\n \n indexes: [\n { fields: ['user_id'], unique: false },\n { fields: ['provider_id', 'account_id'], unique: true },\n ],\n \n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_verification — System Verification Object\n *\n * Email and phone verification token record.\n * Backed by better-auth's `verification` model with ObjectStack field conventions.\n *\n * @namespace sys\n */\nexport const SysVerification = ObjectSchema.create({\n name: 'sys_verification',\n label: 'Verification',\n pluralLabel: 'Verifications',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE one-time credentials\n // (email/phone verification + password-reset tokens) — reading one is\n // account takeover. Not covered by the wildcard `'*'` grant; admins retain\n // access via the superuser bypass; better-auth reads via its adapter\n // (system context), so verification flows are unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Email and phone verification tokens',\n titleFormat: 'Verification for {identifier}',\n highlightFields: ['identifier', 'expires_at', 'created_at'],\n \n fields: {\n id: Field.text({\n label: 'Verification ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n value: Field.text({\n label: 'Verification Token',\n required: true,\n description: 'Token or code for verification',\n }),\n \n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n identifier: Field.text({\n label: 'Identifier',\n required: true,\n description: 'Email address or phone number',\n }),\n },\n \n indexes: [\n // `value` must NOT be unique. better-auth's oauth-provider stores OIDC\n // authorization codes in this table with `value` = a JSON blob keyed by\n // user+client+state, which can legitimately repeat. A UNIQUE constraint\n // makes `/api/v1/auth/oauth2/authorize` fail (`UNIQUE constraint failed:\n // sys_verification.value`) → 503, breaking cloud-as-IdP SSO entirely.\n // better-auth keys verification lookups on `identifier`, not `value`.\n { fields: ['value'], unique: false },\n { fields: ['identifier'], unique: false },\n { fields: ['expires_at'], unique: false },\n ],\n \n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_organization — System Organization Object\n *\n * Multi-organization support for the ObjectStack platform.\n * Backed by better-auth's organization plugin.\n *\n * @namespace sys\n */\nexport const SysOrganization = ObjectSchema.create({\n name: 'sys_organization',\n label: 'Organization',\n pluralLabel: 'Organizations',\n icon: 'building-2',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Organizations for multi-tenant grouping',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'slug'],\n\n // Custom actions — generic CRUD is suppressed (better-auth-managed),\n // but admins still need to create new orgs from the Setup app.\n actions: [\n {\n name: 'create_organization',\n label: 'Create Organization',\n icon: 'plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/create',\n successMessage: 'Organization created',\n refreshAfter: true,\n // Hidden when the deployment is provisioned in single-org mode\n // (`OS_MULTI_ORG_ENABLED=false`). `features.multiOrgEnabled` is\n // populated by the console/account shells from `/auth/config`;\n // we default to visible when the flag is undefined so we don't\n // accidentally hide the button while auth config is still loading.\n requiresFeature: 'multiOrgEnabled',\n params: [\n { field: 'name', required: true },\n { field: 'slug', required: true },\n { field: 'logo' },\n ],\n },\n {\n name: 'update_organization',\n label: 'Edit Organization',\n icon: 'pencil',\n mode: 'edit',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update',\n recordIdParam: 'organizationId',\n // better-auth `organization/update` nests editable fields under `data`.\n bodyShape: { wrap: 'data' },\n // Org-admin actions are multi-org-only; hide them in single-org for\n // consistency with `create_organization` (the org list is empty there,\n // but this also guards direct record-URL access).\n requiresFeature: 'multiOrgEnabled',\n successMessage: 'Organization updated',\n refreshAfter: true,\n params: [\n { field: 'name', required: true, defaultFromRow: true },\n { field: 'slug', required: true, defaultFromRow: true },\n { field: 'logo', defaultFromRow: true },\n ],\n },\n {\n name: 'delete_organization',\n label: 'Delete Organization',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/delete',\n recordIdParam: 'organizationId',\n requiresFeature: 'multiOrgEnabled',\n confirmText: 'Delete this organization? All members will lose access immediately. This cannot be undone.',\n successMessage: 'Organization deleted',\n refreshAfter: true,\n },\n {\n // Switch the caller's active organization context. Standard\n // better-auth endpoint; no extra params needed (org id ships as\n // the row id). Used from the Setup list and the record header so\n // admins can context-switch without leaving the page.\n name: 'set_active_organization',\n label: 'Set Active',\n icon: 'check-circle-2',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/set-active',\n recordIdParam: 'organizationId',\n requiresFeature: 'multiOrgEnabled',\n successMessage: 'Active organization switched',\n refreshAfter: true,\n },\n {\n // Current user leaves the org. Distinct from `delete_organization`\n // (admin-only, destroys the org) — `leave` only removes the caller's\n // own membership. Better-auth: `organization/leave { organizationId }`.\n name: 'leave_organization',\n label: 'Leave Organization',\n icon: 'log-out',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/leave',\n recordIdParam: 'organizationId',\n requiresFeature: 'multiOrgEnabled',\n confirmText: 'Leave this organization? You will lose access to all of its resources.',\n successMessage: 'You have left the organization',\n refreshAfter: true,\n },\n {\n // Rename the organization slug (URL prefix). Backed by the cloud\n // orchestrator at /api/v1/cloud/organizations/{id}/change-slug,\n // which atomically updates sys_organization.slug, rewrites\n // platform_subdomain sys_domain rows under the new slug, soft-\n // retires the old rows with a redirect window, parks the old\n // slug in sys_slug_reservation, and refreshes the registry\n // mirror. See cloud `docs/design/sys-domain.md` §6.\n name: 'change_slug',\n label: 'Change Slug',\n icon: 'edit-3',\n variant: 'secondary',\n mode: 'custom',\n locations: ['record_header'],\n type: 'api',\n target: '/api/v1/cloud/organizations/{id}/change-slug',\n method: 'POST',\n requiresFeature: 'multiOrgEnabled',\n confirmText: 'Renaming the slug rewrites every platform subdomain for this org and parks the old slug for 90 days. Continue?',\n successMessage: 'Organization slug changed',\n refreshAfter: true,\n params: [\n { field: 'slug', required: true, defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n all_orgs: {\n type: 'grid',\n name: 'all_orgs',\n label: 'All',\n data: { provider: 'object', object: 'sys_organization' },\n columns: ['name', 'slug', 'created_at', 'updated_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n slug: Field.text({\n label: 'Slug',\n required: false,\n searchable: true,\n maxLength: 255,\n description: 'URL-friendly identifier',\n group: 'Identity',\n }),\n\n // ── Branding ─────────────────────────────────────────────────\n logo: Field.url({\n label: 'Logo',\n required: false,\n group: 'Branding',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n description: 'JSON-serialized organization metadata',\n group: 'Configuration',\n }),\n\n // ADR-0069 D3 — per-org MFA tightening above the global floor. When true,\n // members of this org must enrol TOTP to access data (enforced at the\n // session-validation gate). An org can only tighten, never loosen, the\n // global `mfa_required` setting.\n require_mfa: Field.boolean({\n label: 'Require Multi-Factor Auth',\n required: false,\n defaultValue: false,\n group: 'Configuration',\n description: 'When true, every member of this organization must enroll an authenticator app to access data.',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Organization ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['slug'], unique: true },\n { fields: ['name'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_member — System Member Object\n *\n * Organization membership linking users to organizations with roles.\n * Backed by better-auth's organization plugin.\n *\n * @namespace sys\n */\nexport const SysMember = ObjectSchema.create({\n name: 'sys_member',\n label: 'Member',\n pluralLabel: 'Members',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Organization membership records',\n // Org-independent title: organization_id is null in single-org mode, so a\n // '{user_id} in {organization_id}' format renders \"… in null\". User + role\n // identifies the membership in both single- and multi-org deployments.\n titleFormat: '{user_id} ({role})',\n highlightFields: ['user_id', 'organization_id', 'role'],\n\n // Row-level actions: better-auth `organization/update-member-role` and\n // `organization/remove-member`. Generic CRUD is suppressed on better-auth\n // managed tables, so these are the canonical edit/delete entry points.\n // The `add_member` toolbar action covers the admin \"attach an existing\n // user directly without sending an invitation\" flow.\n actions: [\n {\n // Admin-only: directly attach an existing user to the active org,\n // bypassing the invite-accept flow. Better-auth:\n // `organization/add-member { userId, role, organizationId?, teamId? }`.\n // organizationId/teamId default to the caller's active org/team when\n // omitted, so we leave them as optional params.\n name: 'add_member',\n label: 'Add Member',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/add-member',\n // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the\n // better-auth endpoints resolve the session's active org, which\n // single-org mode now guarantees via plugin-auth's default-org\n // bootstrap. Same gate on every membership mutation below.\n requiresFeature: 'organization',\n successMessage: 'Member added',\n refreshAfter: true,\n params: [\n { name: 'userId', field: 'user_id', required: true },\n { field: 'role', required: true },\n { name: 'organizationId', field: 'organization_id' },\n ],\n },\n {\n name: 'update_member_role',\n label: 'Change Role',\n icon: 'shield',\n mode: 'edit',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update-member-role',\n recordIdParam: 'memberId',\n requiresFeature: 'organization',\n successMessage: 'Member role updated',\n refreshAfter: true,\n params: [\n { field: 'role', required: true, defaultFromRow: true },\n ],\n },\n {\n name: 'remove_member',\n label: 'Remove Member',\n icon: 'user-minus',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/remove-member',\n recordIdParam: 'memberIdOrEmail',\n requiresFeature: 'organization',\n confirmText: 'Remove this member from the organization? They will lose access to all org resources.',\n successMessage: 'Member removed',\n refreshAfter: true,\n },\n // Transfer ownership is modeled as `update-member-role` with role=owner\n // (better-auth's organization plugin auto-demotes the previous owner\n // to admin). Kept as a separate action so the row menu can present a\n // distinct destructive-style affordance with the right confirm copy —\n // mixing it into `update_member_role` would hide the ownership-handoff\n // semantics behind a generic role dropdown.\n {\n name: 'transfer_ownership',\n label: 'Transfer Ownership',\n icon: 'crown',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update-member-role',\n recordIdParam: 'memberId',\n bodyExtra: { role: 'owner' },\n // The residual row predicate stays hand-written; the feature gate is\n // AND-composed onto it by the requiresFeature lowering.\n visible: \"record.role != 'owner'\",\n requiresFeature: 'organization',\n confirmText: 'Transfer ownership of this organization to the selected member? You will be demoted to admin and lose owner-only privileges.',\n successMessage: 'Ownership transferred',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Memberships',\n data: { provider: 'object', object: 'sys_member' },\n columns: ['organization_id', 'role', 'created_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n emptyState: {\n title: 'No organizations yet',\n message: 'You haven\\'t joined any organizations.',\n },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Member ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant has no sys_organization row and no auto-stamp\n // (org-scoping is multi-tenant-only). Multi-tenant: OrgScopingPlugin stamps it\n // and tenant-isolation RLS hides null-org rows (fail-closed). ADR-0057 addendum.\n required: false,\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n }),\n \n role: Field.select({\n label: 'Role',\n required: false,\n description: 'Member role within the organization',\n options: [\n { label: 'Owner', value: 'owner' },\n { label: 'Admin', value: 'admin' },\n { label: 'Member', value: 'member' },\n ],\n defaultValue: 'member',\n }),\n },\n \n indexes: [\n { fields: ['organization_id', 'user_id'], unique: true },\n { fields: ['user_id'] },\n ],\n \n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_invitation — System Invitation Object\n *\n * Organization invitation tokens for inviting users.\n * Backed by better-auth's organization plugin.\n *\n * @namespace sys\n */\nexport const SysInvitation = ObjectSchema.create({\n name: 'sys_invitation',\n label: 'Invitation',\n pluralLabel: 'Invitations',\n icon: 'mail',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Organization invitations for user onboarding',\n // Title by invitee email rather than organization_id: the latter is null in\n // single-org mode (renders \"Invitation to null\"), and the recipient email is\n // the more useful identifier in both modes anyway.\n titleFormat: 'Invitation for {email}',\n highlightFields: ['email', 'organization_id', 'status'],\n\n // Custom actions — generic CRUD is suppressed (better-auth-managed).\n // Mirror the `invite_user` toolbar action from sys_user here so admins\n // landing on the Invitations page get an obvious entry point.\n actions: [\n {\n name: 'invite_user',\n label: 'Invite User',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/invite-member',\n // Inviting/managing invitations is a multi-org-only flow (the\n // endpoint resolves an active org absent in single-org mode). Gate\n // the admin-side actions on the multi-org flag (mirrors\n // sys_organization.create_organization). The recipient-side\n // accept/reject actions below stay record-gated — they are\n // unreachable in single-org anyway (no invitation rows exist).\n requiresFeature: 'organization',\n successMessage: 'Invitation sent',\n refreshAfter: true,\n params: [\n { field: 'email', required: true },\n { field: 'role', required: true },\n ],\n },\n {\n name: 'cancel_invitation',\n label: 'Cancel Invitation',\n icon: 'x-circle',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/cancel-invitation',\n recordIdParam: 'invitationId',\n requiresFeature: 'organization',\n confirmText: 'Cancel this invitation? The recipient will no longer be able to accept it.',\n successMessage: 'Invitation canceled',\n refreshAfter: true,\n },\n {\n name: 'resend_invitation',\n label: 'Resend Invitation',\n icon: 'send',\n variant: 'secondary',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/invite-member',\n bodyExtra: { resend: true },\n requiresFeature: 'organization',\n successMessage: 'Invitation resent',\n refreshAfter: true,\n params: [\n { field: 'email', required: true, defaultFromRow: true },\n { field: 'role', required: true, defaultFromRow: true },\n ],\n },\n\n // ── Recipient-side actions (the invited user) ────────────────────\n //\n // These two are the counterpart to invite/cancel/resend: they are\n // visible only on invitations addressed to the current user. Used\n // by an \"Inbox / Pending invitations\" list opened from the user's\n // own account page. The recipient-only `visible` predicate keeps\n // them out of the admin org-management view.\n {\n name: 'accept_invitation',\n label: 'Accept Invitation',\n icon: 'check',\n variant: 'primary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/accept-invitation',\n recordIdParam: 'invitationId',\n visible: \"record.email == ctx.user.email && record.status == 'pending'\",\n successMessage: 'Invitation accepted',\n refreshAfter: true,\n },\n {\n name: 'reject_invitation',\n label: 'Decline Invitation',\n icon: 'x',\n variant: 'ghost',\n locations: ['list_item', 'record_header'],\n type: 'api',\n target: '/api/v1/auth/organization/reject-invitation',\n recordIdParam: 'invitationId',\n visible: \"record.email == ctx.user.email && record.status == 'pending'\",\n confirmText: 'Decline this invitation? The inviter will be notified and you will need a new invitation to join.',\n successMessage: 'Invitation declined',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n pending: {\n type: 'grid',\n name: 'pending',\n label: 'Pending',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'role', 'organization_id', 'inviter_id', 'expires_at'],\n filter: [{ field: 'status', operator: 'equals', value: 'pending' }],\n sort: [{ field: 'expires_at', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n accepted: {\n type: 'grid',\n name: 'accepted',\n label: 'Accepted',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'role', 'organization_id', 'inviter_id', 'created_at'],\n filter: [{ field: 'status', operator: 'equals', value: 'accepted' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n expired: {\n type: 'grid',\n name: 'expired',\n label: 'Expired / Canceled',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'status', 'organization_id', 'expires_at'],\n filter: [{ field: 'status', operator: 'in', value: ['expired', 'rejected', 'canceled'] }],\n sort: [{ field: 'expires_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_invitations: {\n type: 'grid',\n name: 'all_invitations',\n label: 'All',\n data: { provider: 'object', object: 'sys_invitation' },\n columns: ['email', 'status', 'role', 'organization_id', 'inviter_id', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n \n fields: {\n id: Field.text({\n label: 'Invitation ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant has no sys_organization row and no auto-stamp\n // (org-scoping is multi-tenant-only). Multi-tenant: OrgScopingPlugin stamps it\n // and tenant-isolation RLS hides null-org rows (fail-closed). ADR-0057 addendum.\n required: false,\n }),\n \n email: Field.email({\n label: 'Email',\n required: true,\n description: 'Email address of the invited user',\n }),\n \n role: Field.select({\n label: 'Role',\n required: false,\n description: 'Role to assign upon acceptance',\n options: [\n { label: 'Owner', value: 'owner' },\n { label: 'Admin', value: 'admin' },\n { label: 'Member', value: 'member' },\n ],\n defaultValue: 'member',\n }),\n \n status: Field.select(['pending', 'accepted', 'rejected', 'expired', 'canceled'], {\n label: 'Status',\n required: true,\n defaultValue: 'pending',\n }),\n \n inviter_id: Field.lookup('sys_user', {\n label: 'Inviter',\n required: true,\n description: 'User who sent the invitation',\n }),\n \n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n \n team_id: Field.lookup('sys_team', {\n label: 'Team',\n required: false,\n description: 'Optional team to assign upon acceptance',\n }),\n },\n \n indexes: [\n { fields: ['organization_id'] },\n { fields: ['email'] },\n { fields: ['expires_at'] },\n ],\n \n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_team — System Team Object\n *\n * Teams within an organization for fine-grained grouping.\n * Backed by better-auth's organization plugin (teams feature).\n *\n * @namespace sys\n */\nexport const SysTeam = ObjectSchema.create({\n name: 'sys_team',\n label: 'Team',\n pluralLabel: 'Teams',\n icon: 'users',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Teams within organizations for fine-grained grouping',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'organization_id'],\n\n // Custom actions calling better-auth's team endpoints. Generic CRUD is\n // suppressed (managedBy: 'better-auth'), so these are the canonical\n // entry points for create/update/delete.\n actions: [\n {\n // Better-auth: `organization/create-team { name, organizationId? }`.\n // organizationId defaults to the caller's active org when omitted.\n name: 'create_team',\n label: 'Create Team',\n icon: 'plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/create-team',\n // Teams are nested inside organizations — a multi-org-only concept.\n // Gate every team mutation on the multi-org flag so the affordances\n // disappear in single-org (mirrors sys_organization.create_organization).\n requiresFeature: 'organization',\n successMessage: 'Team created',\n refreshAfter: true,\n params: [\n { field: 'name', required: true },\n { name: 'organizationId', field: 'organization_id' },\n ],\n },\n {\n // Better-auth: `organization/update-team { teamId, data: { name } }`.\n // teamId stays flat (top-level); the user-editable params nest under\n // `data` via bodyShape.\n name: 'update_team',\n label: 'Edit Team',\n icon: 'pencil',\n mode: 'edit',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/update-team',\n recordIdParam: 'teamId',\n bodyShape: { wrap: 'data' },\n requiresFeature: 'organization',\n successMessage: 'Team updated',\n refreshAfter: true,\n params: [\n { field: 'name', required: true, defaultFromRow: true },\n ],\n },\n {\n // Better-auth: `organization/remove-team { teamId, organizationId? }`.\n // organizationId defaults to the caller's active org when omitted.\n name: 'remove_team',\n label: 'Delete Team',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/remove-team',\n recordIdParam: 'teamId',\n requiresFeature: 'organization',\n confirmText: 'Delete this team? Members will lose any team-scoped access. This cannot be undone.',\n successMessage: 'Team deleted',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n by_org: {\n type: 'grid',\n name: 'by_org',\n label: 'By Organization',\n data: { provider: 'object', object: 'sys_team' },\n columns: ['organization_id', 'name', 'created_at', 'updated_at'],\n sort: [{ field: 'organization_id', order: 'asc' }, { field: 'name', order: 'asc' }],\n grouping: { fields: [{ field: 'organization_id', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_teams: {\n type: 'grid',\n name: 'all_teams',\n label: 'All',\n data: { provider: 'object', object: 'sys_team' },\n columns: ['name', 'organization_id', 'created_at', 'updated_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant deployments have no organization row (org-scoping\n // is multi-tenant-only, nothing auto-stamps one) — requiring it would make\n // the object uncreatable single-tenant. In multi-tenant, OrgScopingPlugin\n // auto-stamps this from the active tenant and tenant-isolation RLS hides any\n // null-org row (fail-closed). ADR-0057 addendum.\n required: false,\n description: 'Parent organization for this team. Null in single-tenant; auto-stamped in multi-tenant.',\n group: 'Identity',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Team ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['organization_id'] },\n { fields: ['name', 'organization_id'], unique: true },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_team_member — System Team Member Object\n *\n * Links users to teams within organizations.\n * Backed by better-auth's organization plugin (teams feature).\n *\n * @namespace sys\n */\nexport const SysTeamMember = ObjectSchema.create({\n name: 'sys_team_member',\n label: 'Team Member',\n pluralLabel: 'Team Members',\n icon: 'user-plus',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Team membership records linking users to teams',\n titleFormat: '{user_id} in {team_id}',\n highlightFields: ['user_id', 'team_id', 'created_at'],\n\n // Custom actions calling better-auth's team-member endpoints. Generic\n // CRUD is suppressed (managedBy: 'better-auth') so these are the\n // canonical add/remove entry points.\n actions: [\n {\n // Better-auth: `organization/add-team-member { teamId, userId }`.\n name: 'add_team_member',\n label: 'Add Member',\n icon: 'user-plus',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/organization/add-team-member',\n // Team membership lives under organizations — multi-org-only. Gate\n // both mutations so they vanish in single-org (mirrors\n // sys_organization.create_organization).\n requiresFeature: 'organization',\n successMessage: 'Team member added',\n refreshAfter: true,\n params: [\n { name: 'teamId', field: 'team_id', required: true },\n { name: 'userId', field: 'user_id', required: true },\n ],\n },\n {\n // Better-auth: `organization/remove-team-member { teamId, userId }`.\n // The endpoint identifies the membership by the (teamId, userId)\n // pair rather than the join-row id, so we pull both from the row\n // via `defaultFromRow` instead of using `recordIdParam`.\n name: 'remove_team_member',\n label: 'Remove from Team',\n icon: 'user-minus',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item'],\n type: 'api',\n target: '/api/v1/auth/organization/remove-team-member',\n requiresFeature: 'organization',\n confirmText: 'Remove this user from the team? They will lose any team-scoped access.',\n successMessage: 'Team member removed',\n refreshAfter: true,\n params: [\n { name: 'teamId', field: 'team_id', required: true, defaultFromRow: true },\n { name: 'userId', field: 'user_id', required: true, defaultFromRow: true },\n ],\n },\n ],\n\n fields: {\n id: Field.text({\n label: 'Team Member ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n team_id: Field.lookup('sys_team', {\n label: 'Team',\n required: true,\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n }),\n },\n \n indexes: [\n { fields: ['team_id', 'user_id'], unique: true },\n { fields: ['user_id'] },\n ],\n \n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_business_unit — Business Unit (canonical org/data-partition tree, ADR-0057 D2)\n *\n * The persistent, hierarchical org chart node. **This is distinct from\n * `sys_team`** (which is the flat better-auth collaboration grouping).\n *\n * A single tenant typically has one `kind='company'` root, then nested\n * `division` / `department` / `office` nodes underneath. The\n * `kind` enum is purely a display/categorisation hint — the recursive\n * structure works identically regardless of value.\n *\n * Drives:\n * - `recipient_type='business_unit'` sharing rules\n * - `bu:` approver prefix in the approval engine\n * - Report rollups and manager chains in CRM/PM apps\n *\n * @namespace sys\n */\nexport const SysBusinessUnit = ObjectSchema.create({\n name: 'sys_business_unit',\n label: 'Business Unit',\n pluralLabel: 'Business Units',\n icon: 'building',\n isSystem: true,\n managedBy: 'platform',\n description: 'Canonical Business Unit tree — hierarchical org/data-partition node (company / division / department / region / office). ADR-0057 D2.',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'kind', 'parent_business_unit_id', 'manager_user_id'],\n\n listViews: {\n // Org chart — the hierarchy view. Surfaces the self-referencing\n // `parent_business_unit_id` tree (ADR-0057 D2) as an indented, expand/\n // collapse tree-grid. Listed first so it's the default tab; the grids\n // below stay for search / filter / bulk edit.\n org_chart: {\n type: 'tree',\n name: 'org_chart',\n label: 'Org Chart',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'kind', 'manager_user_id', 'active'],\n tree: {\n parentField: 'parent_business_unit_id',\n labelField: 'name',\n fields: ['kind', 'manager_user_id', 'active'],\n defaultExpandedDepth: 1,\n },\n sort: [{ field: 'name', order: 'asc' }],\n },\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'code', 'kind', 'parent_business_unit_id', 'manager_user_id', 'effective_from'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 100 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'code', 'kind', 'effective_to'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'effective_to', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_kind: {\n type: 'grid',\n name: 'by_kind',\n label: 'By Kind',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['kind', 'name', 'code', 'parent_business_unit_id', 'manager_user_id', 'active'],\n sort: [{ field: 'kind', order: 'asc' }, { field: 'name', order: 'asc' }],\n grouping: { fields: [{ field: 'kind', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_departments: {\n type: 'grid',\n name: 'all_departments',\n label: 'All',\n data: { provider: 'object', object: 'sys_business_unit' },\n columns: ['name', 'code', 'kind', 'parent_business_unit_id', 'manager_user_id', 'active'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n code: Field.text({\n label: 'Code',\n required: false,\n searchable: true,\n maxLength: 64,\n description: 'Short stable code (e.g. EMEA-SALES). Unique within tenant.',\n group: 'Identity',\n }),\n\n kind: Field.select(\n ['company', 'division', 'department', 'office', 'cost_center'],\n {\n label: 'Kind',\n required: true,\n defaultValue: 'department',\n description: 'Categorisation hint — does not change graph semantics.',\n group: 'Identity',\n },\n ),\n\n // ── Hierarchy ────────────────────────────────────────────────\n parent_business_unit_id: Field.lookup('sys_business_unit', {\n label: 'Parent Business Unit',\n required: false,\n description: 'Self-reference for the org tree. Null = root of tenant.',\n group: 'Hierarchy',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n // Optional: single-tenant deployments have no organization row (org-scoping\n // is multi-tenant-only, nothing auto-stamps one) — requiring it would make\n // the object uncreatable single-tenant. In multi-tenant, OrgScopingPlugin\n // auto-stamps this from the active tenant and tenant-isolation RLS hides any\n // null-org row (fail-closed). ADR-0057 addendum.\n required: false,\n description: 'Tenant scope. Null in single-tenant; auto-stamped in multi-tenant.',\n group: 'Hierarchy',\n }),\n\n // ── Leadership ───────────────────────────────────────────────\n manager_user_id: Field.lookup('sys_user', {\n label: 'Business Unit Head',\n required: false,\n description: 'User responsible for this org unit (business unit head / lead).',\n group: 'Leadership',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'When false, members are not expanded by graph queries.',\n group: 'Lifecycle',\n }),\n\n effective_from: Field.datetime({\n label: 'Effective From',\n required: false,\n description: 'When this business unit came into existence (HRIS sync).',\n group: 'Lifecycle',\n }),\n\n effective_to: Field.datetime({\n label: 'Effective To',\n required: false,\n description: 'When this business unit was retired (HRIS sync).',\n group: 'Lifecycle',\n }),\n\n external_ref: Field.text({\n label: 'External Reference',\n required: false,\n maxLength: 200,\n description: 'ID in upstream HRIS (Workday / SAP HR / 北森).',\n group: 'Lifecycle',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Business Unit ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['organization_id'] },\n { fields: ['parent_business_unit_id'] },\n { fields: ['code', 'organization_id'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_business_unit_member — User ↔ Business Unit Assignment\n *\n * Many-to-many between `sys_user` and `sys_business_unit`. A user can belong\n * to multiple business units (matrix orgs) but exactly one is marked\n * `is_primary` to drive the default reporting view.\n *\n * Effective-dated so that historical reports & audits can reconstruct\n * who reported to which unit at any point in time.\n *\n * @namespace sys\n */\nexport const SysBusinessUnitMember = ObjectSchema.create({\n name: 'sys_business_unit_member',\n label: 'Business Unit Member',\n pluralLabel: 'Business Unit Members',\n icon: 'user-cog',\n isSystem: true,\n managedBy: 'platform',\n description: 'User assignment to a business unit (matrix-org friendly, effective-dated).',\n titleFormat: '{user_id} in {business_unit_id}',\n highlightFields: ['user_id', 'business_unit_id', 'function_in_business_unit', 'is_primary'],\n\n fields: {\n id: Field.text({\n label: 'Member ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n business_unit_id: Field.lookup('sys_business_unit', {\n label: 'Business Unit',\n required: true,\n group: 'Assignment',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n group: 'Assignment',\n }),\n\n function_in_business_unit: Field.select(\n ['member', 'lead', 'deputy'],\n {\n label: 'Function in Business Unit',\n required: false,\n defaultValue: 'member',\n description: '`lead` is the day-to-day head; `deputy` may stand in for the lead in approval routing.',\n group: 'Assignment',\n },\n ),\n\n is_primary: Field.boolean({\n label: 'Primary Assignment',\n required: false,\n defaultValue: true,\n description: 'When the user is in multiple business units, this marks the canonical one for reporting.',\n group: 'Assignment',\n }),\n\n effective_from: Field.datetime({\n label: 'Effective From',\n required: false,\n group: 'Lifecycle',\n }),\n\n effective_to: Field.datetime({\n label: 'Effective To',\n required: false,\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['business_unit_id', 'user_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['is_primary'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_api_key — System API Key Object\n *\n * API keys for programmatic/machine access to the platform.\n *\n * Field `key` stores a hashed value and is marked hidden so it never\n * leaks into default list/form rendering; the raw token is only\n * returned once on creation via the auth plugin API.\n *\n * @namespace sys\n */\nexport const SysApiKey = ObjectSchema.create({\n name: 'sys_api_key',\n label: 'API Key',\n pluralLabel: 'API Keys',\n icon: 'key-round',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'API keys for programmatic access',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'prefix', 'user_id', 'expires_at', 'revoked'],\n\n // Custom actions — sys_api_key is managed-by 'better-auth' but the\n // `revoked` boolean is a column we control via the data API. These row\n // actions use the generic PATCH /api/v1/sys_api_key/{id} endpoint with\n // `bodyExtra` to set the `revoked` flag explicitly.\n actions: [\n {\n name: 'revoke_api_key',\n label: 'Revoke API Key',\n icon: 'shield-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_api_key/{id}',\n bodyExtra: { revoked: true },\n confirmText: 'Revoke this API key? Any clients using it will immediately lose access.',\n successMessage: 'API key revoked',\n refreshAfter: true,\n },\n {\n name: 'restore_api_key',\n label: 'Restore API Key',\n icon: 'shield-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_api_key/{id}',\n bodyExtra: { revoked: false },\n confirmText: 'Restore this revoked API key? Existing clients holding the key will regain access.',\n successMessage: 'API key restored',\n refreshAfter: true,\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Keys',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'expires_at', 'last_used_at', 'revoked'],\n filter: [\n { field: 'user_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'user_id', 'expires_at', 'last_used_at'],\n filter: [{ field: 'revoked', operator: 'equals', value: false }],\n sort: [{ field: 'last_used_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n revoked: {\n type: 'grid',\n name: 'revoked',\n label: 'Revoked',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'user_id', 'expires_at', 'updated_at'],\n filter: [{ field: 'revoked', operator: 'equals', value: true }],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_keys: {\n type: 'grid',\n name: 'all_keys',\n label: 'All',\n data: { provider: 'object', object: 'sys_api_key' },\n columns: ['name', 'prefix', 'user_id', 'expires_at', 'last_used_at', 'revoked'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n description: 'Human-readable label for the API key',\n group: 'Identity',\n }),\n\n prefix: Field.text({\n label: 'Prefix',\n required: false,\n maxLength: 16,\n description: 'Visible prefix for identifying the key (e.g., \"osk_\")',\n group: 'Identity',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'Owner',\n required: true,\n description: 'User who owns this API key',\n group: 'Identity',\n }),\n\n // ── Access ───────────────────────────────────────────────────\n scopes: Field.textarea({\n label: 'Scopes',\n required: false,\n description: 'JSON array of permission scopes',\n group: 'Access',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n expires_at: Field.datetime({\n label: 'Expires At',\n required: false,\n group: 'Lifecycle',\n }),\n\n last_used_at: Field.datetime({\n label: 'Last Used At',\n required: false,\n readonly: true,\n description: 'Automatically updated on each API call',\n group: 'Lifecycle',\n }),\n\n revoked: Field.boolean({\n label: 'Revoked',\n defaultValue: false,\n group: 'Lifecycle',\n }),\n\n // ── Secret (hidden by default) ──────────────────────────────\n key: Field.text({\n label: 'Hashed Key',\n required: true,\n hidden: true,\n readonly: true,\n description: 'Hashed API key value — never exposed to clients',\n group: 'Secret',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'API Key ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['key'], unique: true },\n { fields: ['user_id'] },\n { fields: ['prefix'] },\n { fields: ['revoked'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_two_factor — System Two-Factor Object\n *\n * Two-factor authentication credentials (TOTP, backup codes).\n * Backed by better-auth's two-factor plugin.\n *\n * @namespace sys\n */\nexport const SysTwoFactor = ObjectSchema.create({\n name: 'sys_two_factor',\n label: 'Two Factor',\n pluralLabel: 'Two Factor Credentials',\n icon: 'smartphone',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Two-factor authentication credentials',\n titleFormat: 'Two-factor for {user_id}',\n highlightFields: ['user_id', 'created_at'],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Enrollment',\n data: { provider: 'object', object: 'sys_two_factor' },\n columns: ['created_at', 'updated_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_enrollments: {\n type: 'grid',\n name: 'all_enrollments',\n label: 'All',\n data: { provider: 'object', object: 'sys_two_factor' },\n columns: ['user_id', 'created_at', 'updated_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n // Toolbar actions for self-service 2FA enrollment. Better-auth's\n // `/two-factor/enable` returns `{ totpURI, backupCodes }` — the user must\n // scan the URI into an authenticator app and save the backup codes NOW;\n // they are never recoverable afterward. The `resultDialog` field tells\n // the renderer to open a one-shot reveal dialog instead of toasting the\n // success message. Same shape used by `regenerate_backup_codes`.\n actions: [\n {\n name: 'enable_two_factor',\n label: 'Enable 2FA',\n icon: 'shield-check',\n variant: 'primary',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/two-factor/enable',\n requiresFeature: 'twoFactor',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n resultDialog: {\n title: 'Two-factor authentication enabled',\n description: 'Scan the QR code with your authenticator app, then save the backup codes somewhere safe. The backup codes are shown only once.',\n acknowledge: 'I have saved my backup codes',\n fields: [\n { path: 'totpURI', label: 'Authenticator URI', format: 'qrcode' },\n { path: 'backupCodes', label: 'Backup Codes', format: 'code-list' },\n ],\n },\n },\n {\n name: 'disable_two_factor',\n label: 'Disable 2FA',\n icon: 'shield-off',\n variant: 'danger',\n locations: ['list_toolbar'],\n type: 'api',\n target: '/api/v1/auth/two-factor/disable',\n requiresFeature: 'twoFactor',\n confirmText: 'Disable two-factor authentication on your account?',\n successMessage: '2FA disabled',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n },\n {\n name: 'regenerate_backup_codes',\n label: 'Regenerate Backup Codes',\n icon: 'refresh-cw',\n variant: 'secondary',\n locations: ['list_toolbar', 'list_item'],\n type: 'api',\n target: '/api/v1/auth/two-factor/generate-backup-codes',\n requiresFeature: 'twoFactor',\n confirmText: 'Regenerate backup codes? All previous backup codes will stop working immediately.',\n refreshAfter: true,\n params: [\n { name: 'password', label: 'Current Password', type: 'text', required: true },\n ],\n resultDialog: {\n title: 'New backup codes generated',\n description: 'Previous backup codes are now invalid. Save these new codes somewhere safe — they are shown only once.',\n acknowledge: 'I have saved the new codes',\n fields: [\n { path: 'backupCodes', label: 'Backup Codes', format: 'code-list' },\n ],\n },\n },\n ],\n\n \n fields: {\n id: Field.text({\n label: 'Two Factor ID',\n required: true,\n readonly: true,\n }),\n \n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n \n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n }),\n \n secret: Field.text({\n label: 'Secret',\n required: true,\n description: 'TOTP secret key',\n }),\n \n backup_codes: Field.textarea({\n label: 'Backup Codes',\n required: false,\n description: 'JSON-serialized backup recovery codes',\n }),\n\n verified: Field.boolean({\n label: 'Verified',\n defaultValue: true,\n description: 'Whether the enrollment was confirmed with a valid TOTP code (managed by better-auth)',\n }),\n },\n \n indexes: [\n { fields: ['user_id'], unique: true },\n ],\n \n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_device_code — System Device Authorization Code Object\n *\n * Stores pending RFC 8628 OAuth Device Authorization Grant requests.\n * Backed by better-auth's `device-authorization` plugin (`deviceCode` model).\n *\n * Lifecycle:\n * 1. CLI calls `POST /device/code` → row inserted with status='pending'\n * 2. Browser visits `verification_uri_complete` and the signed-in user\n * calls `POST /device/approve` (or `/device/deny`) → status flips\n * 3. CLI's next `POST /device/token` poll either receives a session token\n * (status=approved) or one of the standard error codes\n * (`authorization_pending`, `slow_down`, `expired_token`,\n * `access_denied`). Approved rows are deleted on token issuance.\n *\n * @namespace sys\n */\nexport const SysDeviceCode = ObjectSchema.create({\n name: 'sys_device_code',\n label: 'Device Code',\n pluralLabel: 'Device Codes',\n icon: 'key-round',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0057: device codes are dead the moment `expires_at` passes — keep a\n // 1d grace for post-mortem, then reap.\n lifecycle: {\n class: 'transient',\n ttl: { field: 'expires_at', expireAfter: '1d' },\n },\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE pending device-grant\n // codes — reading `user_code`/`device_code` lets an attacker hijack a\n // pending CLI login. Not covered by the wildcard `'*'` grant; admins retain\n // access via the superuser bypass; better-auth reads via its adapter\n // (system context), so the device-grant flow is unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'OAuth 2.0 Device Authorization Grant (RFC 8628) pending requests',\n nameField: 'user_code', // [ADR-0079] canonical primary-title pointer (single-field titleFormat)\n titleFormat: '{user_code}',\n highlightFields: ['user_code', 'status', 'client_id', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'Device Code ID',\n required: true,\n readonly: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n /** High-entropy token returned to the device (CLI). Polled at /device/token. */\n device_code: Field.text({\n label: 'Device Code',\n required: true,\n description: 'High-entropy token returned to the polling device',\n }),\n\n /** Human-readable short code displayed to the user (e.g. ABCD-EFGH). */\n user_code: Field.text({\n label: 'User Code',\n required: true,\n description: 'Short user-facing code (e.g. ABCD-EFGH)',\n }),\n\n /** Owning user — populated when the request is approved. */\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: false,\n description: 'User who approved the device authorization',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n description: 'When the device & user codes are no longer valid',\n }),\n\n /** 'pending' | 'approved' | 'denied' */\n status: Field.text({\n label: 'Status',\n required: true,\n description: \"Current status: 'pending' | 'approved' | 'denied'\",\n }),\n\n last_polled_at: Field.datetime({\n label: 'Last Polled At',\n required: false,\n description: 'Timestamp of the most recent /device/token poll',\n }),\n\n polling_interval: Field.number({\n label: 'Polling Interval (ms)',\n required: false,\n description: 'Server-recommended minimum polling interval, in ms',\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: false,\n description: 'OAuth client identifier of the requesting device',\n }),\n\n scope: Field.text({\n label: 'Scope',\n required: false,\n description: 'Space-separated OAuth scopes requested by the device',\n }),\n },\n\n indexes: [\n { fields: ['device_code'], unique: true },\n { fields: ['user_code'], unique: true },\n { fields: ['status'], unique: false },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_preference — System User Preference Object\n *\n * Per-user key-value preferences for storing UI state, settings, and personalization.\n * Supports the User Preferences layer in the Config Resolution hierarchy\n * (Runtime > User Preferences > Tenant > Env).\n *\n * Common use cases:\n * - UI preferences: theme, locale, timezone, sidebar state\n * - Feature flags: plugin.ai.auto_save, plugin.dev.debug_mode\n * - User-specific settings: default_view, notifications_enabled\n *\n * @namespace sys\n */\nexport const SysUserPreference = ObjectSchema.create({\n name: 'sys_user_preference',\n label: 'User Preference',\n pluralLabel: 'User Preferences',\n icon: 'settings',\n isSystem: true,\n // managedBy: 'system' — preferences are per-user state authored from\n // the user's own settings page, never created by an admin. The list\n // surface in Setup is a support/diagnostic view only.\n managedBy: 'system',\n description: 'Per-user key-value preferences (theme, locale, etc.)',\n nameField: 'key', // [ADR-0079] canonical primary-title pointer (single-field titleFormat)\n titleFormat: '{key}',\n highlightFields: ['user_id', 'key'],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Preferences',\n data: { provider: 'object', object: 'sys_user_preference' },\n columns: ['key', 'updated_at'],\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'key', order: 'asc' }],\n pagination: { pageSize: 100 },\n },\n by_user: {\n type: 'grid',\n name: 'by_user',\n label: 'By User',\n data: { provider: 'object', object: 'sys_user_preference' },\n columns: ['user_id', 'key', 'updated_at'],\n sort: [{ field: 'user_id', order: 'asc' }, { field: 'key', order: 'asc' }],\n grouping: { fields: [{ field: 'user_id', order: 'asc', collapsed: true }] },\n pagination: { pageSize: 200 },\n },\n all_preferences: {\n type: 'grid',\n name: 'all_preferences',\n label: 'All',\n data: { provider: 'object', object: 'sys_user_preference' },\n columns: ['user_id', 'key', 'created_at', 'updated_at'],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Preference ID',\n required: true,\n readonly: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Owner user of this preference',\n }),\n\n key: Field.text({\n label: 'Key',\n required: true,\n maxLength: 255,\n description: 'Preference key (e.g., theme, locale, plugin.ai.auto_save)',\n }),\n\n value: Field.json({\n label: 'Value',\n description: 'Preference value (any JSON-serializable type)',\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'key'], unique: true },\n { fields: ['user_id'], unique: false },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_application — Registered OAuth/OIDC client application\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthClient` model. Each row\n * represents an external application that has been registered to authenticate\n * users against this ObjectStack server (acting as an OpenID Connect IdP).\n *\n * The table name is preserved from the deprecated `oidc-provider` plugin\n * (which used the `oauthApplication` model name) so existing data remains\n * accessible. The new model exposes a richer set of OAuth 2.1 / OIDC\n * registration fields — see RFC 7591 (Dynamic Client Registration) and\n * RFC 8414 (Authorization Server Metadata).\n *\n * @namespace sys\n */\nexport const SysOauthApplication = ObjectSchema.create({\n name: 'sys_oauth_application',\n label: 'OAuth Application',\n pluralLabel: 'OAuth Applications',\n icon: 'key-round',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Registered OAuth/OIDC client applications',\n displayNameField: 'name',\n nameField: 'name', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{name}',\n highlightFields: ['name', 'client_id', 'type', 'disabled'],\n\n // Custom actions — all OAuth-application mutations are routed through\n // better-auth's `@better-auth/oauth-provider` endpoints (and a thin\n // ObjectStack-added auth route for the enable/disable toggle) rather\n // than the generic data layer, so server-side validation, secret\n // hashing, and audit hooks all run. The generic `delete` API method\n // is intentionally dropped from `apiMethods` below so the only delete\n // path is the better-auth wrapper.\n //\n // Upstream gap (better-auth 1.6.11): the stock `/admin/oauth2/update-client`\n // endpoint's Zod body schema does NOT accept the `disabled` flag, even\n // though the column exists and the runtime honours it. We bridge the\n // gap with `POST /api/v1/auth/admin/oauth2/toggle-disabled`, registered\n // by plugin-auth, which writes through better-auth's own adapter under\n // the auth namespace (no generic data-layer bypass). When upstream\n // ships `disabled` support, retarget the enable/disable actions and\n // delete the bridge route.\n actions: [\n {\n name: 'disable_oauth_application',\n label: 'Disable OAuth Application',\n icon: 'pause-circle',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/admin/oauth2/toggle-disabled',\n requiresFeature: 'oidcProvider',\n confirmText: 'Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.',\n successMessage: 'OAuth application disabled',\n refreshAfter: true,\n visible: '!record.disabled',\n bodyExtra: { disabled: true },\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n },\n {\n name: 'enable_oauth_application',\n label: 'Enable OAuth Application',\n icon: 'play-circle',\n variant: 'primary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/admin/oauth2/toggle-disabled',\n requiresFeature: 'oidcProvider',\n confirmText: 'Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.',\n successMessage: 'OAuth application enabled',\n refreshAfter: true,\n visible: 'record.disabled',\n bodyExtra: { disabled: false },\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n },\n {\n name: 'create_oauth_application',\n label: 'Register OAuth Application',\n icon: 'plus-circle',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/sys-oauth-application/register',\n requiresFeature: 'oidcProvider',\n refreshAfter: true,\n params: [\n { name: 'name', label: 'Application Name', type: 'text', required: true },\n { name: 'redirectURLs', label: 'Redirect URLs', type: 'textarea', required: true, helpText: 'One URL per line. Must use https:// in production.' },\n { name: 'type', label: 'Application Type', type: 'select', required: true, defaultValue: 'web', options: [\n { label: 'Web', value: 'web' },\n { label: 'Native', value: 'native' },\n { label: 'User-agent based', value: 'user-agent-based' },\n { label: 'Public', value: 'public' },\n ] },\n ],\n resultDialog: {\n title: 'OAuth application registered',\n description: 'Save the client_secret now — it is shown only once and cannot be recovered. You can rotate it later if it leaks.',\n acknowledge: 'I have saved the client secret',\n fields: [\n { path: 'client.client_id', label: 'Client ID', format: 'text' },\n { path: 'client.client_secret', label: 'Client Secret', format: 'secret' },\n ],\n },\n },\n {\n name: 'rotate_client_secret',\n label: 'Rotate Client Secret',\n icon: 'refresh-cw',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/oauth2/client/rotate-secret',\n requiresFeature: 'oidcProvider',\n confirmText: 'Rotate this OAuth client\\'s secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.',\n refreshAfter: true,\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n resultDialog: {\n title: 'Client secret rotated',\n description: 'Save the new secret now — it is shown only once. Update every integration before the previous secret\\'s grace period ends.',\n acknowledge: 'I have updated my integrations',\n fields: [\n { path: 'client_secret', label: 'New Client Secret', format: 'secret' },\n ],\n },\n },\n {\n name: 'delete_oauth_application',\n label: 'Delete OAuth Application',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/oauth2/delete-client',\n requiresFeature: 'oidcProvider',\n confirmText: 'Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.',\n successMessage: 'OAuth application deleted',\n refreshAfter: true,\n params: [\n { name: 'client_id', field: 'client_id', defaultFromRow: true, required: true },\n ],\n },\n ],\n\n listViews: {\n mine: {\n type: 'grid',\n name: 'mine',\n label: 'My Applications',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'disabled', 'created_at'],\n // Self-service Account view — scope to the signed-in user's own\n // registrations so they don't see other developers' apps. Admins\n // get the unfiltered `active` / `disabled_apps` / `all_apps` views\n // via the Setup → OAuth Applications nav.\n filter: [{ field: 'user_id', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'updated_at'],\n filter: [{ field: 'disabled', operator: 'equals', value: false }],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n disabled_apps: {\n type: 'grid',\n name: 'disabled_apps',\n label: 'Disabled',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'updated_at'],\n filter: [{ field: 'disabled', operator: 'equals', value: true }],\n sort: [{ field: 'updated_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_apps: {\n type: 'grid',\n name: 'all_apps',\n label: 'All',\n data: { provider: 'object', object: 'sys_oauth_application' },\n columns: ['name', 'client_id', 'type', 'disabled', 'created_at'],\n sort: [{ field: 'name', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n name: Field.text({\n label: 'Name',\n required: false,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n icon: Field.url({\n label: 'Icon',\n required: false,\n description: 'Logo URL shown on the consent screen',\n group: 'Identity',\n }),\n\n uri: Field.url({\n label: 'Home URI',\n required: false,\n description: 'Public homepage of the registered client',\n group: 'Identity',\n }),\n\n contacts: Field.textarea({\n label: 'Contacts',\n required: false,\n description: 'JSON-serialized list of contact email addresses',\n group: 'Identity',\n }),\n\n tos: Field.url({\n label: 'Terms of Service',\n required: false,\n group: 'Identity',\n }),\n\n policy: Field.url({\n label: 'Privacy Policy',\n required: false,\n group: 'Identity',\n }),\n\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n description: 'JSON-serialized application metadata',\n group: 'Identity',\n }),\n\n // ── OAuth Credentials ────────────────────────────────────────\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n readonly: true,\n maxLength: 255,\n description: 'Public OAuth client identifier',\n group: 'Credentials',\n }),\n\n client_secret: Field.text({\n label: 'Client Secret',\n required: false,\n maxLength: 1024,\n description: 'OAuth client secret (hashed/encrypted at rest)',\n group: 'Credentials',\n }),\n\n redirect_uris: Field.textarea({\n label: 'Redirect URIs',\n required: true,\n description: 'JSON-serialized list of allowed redirect URIs',\n group: 'Credentials',\n }),\n\n post_logout_redirect_uris: Field.textarea({\n label: 'Post-logout Redirect URIs',\n required: false,\n description: 'JSON-serialized list of allowed post-logout redirect URIs',\n group: 'Credentials',\n }),\n\n type: Field.select(['web', 'native', 'user-agent-based', 'public'], {\n label: 'Client Type',\n required: false,\n defaultValue: 'web',\n group: 'Credentials',\n }),\n\n public: Field.boolean({\n label: 'Public Client',\n required: false,\n description: 'Marks the client as a public (non-confidential) OAuth client',\n group: 'Credentials',\n }),\n\n require_pkce: Field.boolean({\n label: 'Require PKCE',\n required: false,\n group: 'Credentials',\n }),\n\n token_endpoint_auth_method: Field.text({\n label: 'Token Endpoint Auth Method',\n required: false,\n maxLength: 64,\n description: 'e.g. client_secret_basic, client_secret_post, none',\n group: 'Credentials',\n }),\n\n grant_types: Field.textarea({\n label: 'Grant Types',\n required: false,\n description: 'JSON-serialized list of allowed grant types',\n group: 'Credentials',\n }),\n\n response_types: Field.textarea({\n label: 'Response Types',\n required: false,\n description: 'JSON-serialized list of allowed response types',\n group: 'Credentials',\n }),\n\n scopes: Field.textarea({\n label: 'Allowed Scopes',\n required: false,\n description: 'JSON-serialized list of scopes the client may request',\n group: 'Credentials',\n }),\n\n subject_type: Field.text({\n label: 'Subject Type',\n required: false,\n maxLength: 32,\n description: 'OIDC subject type (e.g. public, pairwise)',\n group: 'Credentials',\n }),\n\n jwks: Field.textarea({\n label: 'JWKS',\n required: false,\n description: 'Client JSON Web Key Set (for private_key_jwt / signed-request verification)',\n group: 'Credentials',\n }),\n\n jwks_uri: Field.url({\n label: 'JWKS URI',\n required: false,\n description: 'URL of the client JSON Web Key Set',\n group: 'Credentials',\n }),\n\n dpop_bound_access_tokens: Field.boolean({\n label: 'DPoP-bound Access Tokens',\n required: false,\n defaultValue: false,\n description: 'Require access tokens issued to this client to be DPoP-bound (RFC 9449)',\n group: 'Credentials',\n }),\n\n // ── Behaviour flags ──────────────────────────────────────────\n disabled: Field.boolean({\n label: 'Disabled',\n required: false,\n defaultValue: false,\n group: 'Behaviour',\n }),\n\n skip_consent: Field.boolean({\n label: 'Skip Consent',\n required: false,\n description: 'Treat as a trusted client and bypass the consent screen',\n group: 'Behaviour',\n }),\n\n enable_end_session: Field.boolean({\n label: 'Enable End Session',\n required: false,\n description: 'Allow the client to call the OIDC end-session endpoint',\n group: 'Behaviour',\n }),\n\n backchannel_logout_uri: Field.url({\n label: 'Back-channel Logout URI',\n required: false,\n description: 'OIDC back-channel logout endpoint of the client',\n group: 'Behaviour',\n }),\n\n backchannel_logout_session_required: Field.boolean({\n label: 'Back-channel Logout Session Required',\n required: false,\n description: 'Whether the back-channel logout token must include a sid claim',\n group: 'Behaviour',\n }),\n\n // ── Software statement (RFC 7591 §2.3) ───────────────────────\n software_id: Field.text({\n label: 'Software ID',\n required: false,\n maxLength: 255,\n group: 'Software',\n }),\n\n software_version: Field.text({\n label: 'Software Version',\n required: false,\n maxLength: 64,\n group: 'Software',\n }),\n\n software_statement: Field.textarea({\n label: 'Software Statement',\n required: false,\n description: 'Signed JWT asserting the client metadata (RFC 7591 §2.3)',\n group: 'Software',\n }),\n\n // ── Ownership / system ───────────────────────────────────────\n user_id: Field.lookup('sys_user', {\n label: 'Owner User',\n required: false,\n description: 'User who registered this application',\n group: 'System',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['client_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['reference_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n // All mutations (create/update/delete) must go through better-auth's\n // oauth-provider endpoints under /api/v1/auth/{admin/,}oauth2/* — the\n // generic data layer is read-only for this object so sysadmins cannot\n // bypass server-side OAuth validation. The Delete row action above is\n // wired to /api/v1/auth/oauth2/delete-client.\n apiMethods: ['get', 'list'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_access_token — Issued OAuth/OIDC opaque access token\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthAccessToken` model. One\n * row per opaque access token issuance. Tokens are short-lived; expired\n * rows can be safely pruned.\n *\n * Refresh tokens have been split into a sibling table — see\n * {@link SysOauthRefreshToken}. The optional `refresh_id` column links an\n * access token back to the refresh-token row that minted it.\n *\n * @namespace sys\n */\nexport const SysOauthAccessToken = ObjectSchema.create({\n name: 'sys_oauth_access_token',\n label: 'OAuth Access Token',\n pluralLabel: 'OAuth Access Tokens',\n icon: 'ticket',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE bearer credentials —\n // reading one is session hijack. Not covered by the wildcard `'*'` grant;\n // admins retain access via the superuser bypass; better-auth reads via its\n // adapter (system context), so OAuth flows are unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Opaque OAuth access tokens issued to client applications',\n highlightFields: ['client_id', 'user_id', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n token: Field.text({\n label: 'Token',\n required: true,\n maxLength: 1024,\n description: 'Opaque access token value',\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n description: 'Foreign key to sys_oauth_application.client_id',\n }),\n\n session_id: Field.lookup('sys_session', {\n label: 'Session',\n required: false,\n description: 'Foreign key to sys_session.id',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: false,\n description: 'Foreign key to sys_user.id',\n }),\n\n refresh_id: Field.lookup('sys_oauth_refresh_token', {\n label: 'Refresh Token',\n required: false,\n description: 'Foreign key to sys_oauth_refresh_token.id',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n }),\n\n authorization_code_id: Field.text({\n label: 'Authorization Code ID',\n required: false,\n maxLength: 255,\n description: 'ID of the authorization-code grant this token originates from',\n }),\n\n resources: Field.textarea({\n label: 'Resources',\n required: false,\n description: 'JSON-serialized list of RFC 8707 resource indicators bound to this token',\n }),\n\n requested_user_info_claims: Field.textarea({\n label: 'Requested UserInfo Claims',\n required: false,\n description: 'JSON-serialized list of OIDC claims requested for the userinfo endpoint',\n }),\n\n scopes: Field.textarea({\n label: 'Scopes',\n required: true,\n description: 'JSON-serialized list of scopes granted to this token',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n revoked: Field.datetime({\n label: 'Revoked At',\n required: false,\n description: 'Timestamp at which this access token was revoked',\n }),\n\n confirmation: Field.textarea({\n label: 'Confirmation',\n required: false,\n description: 'JSON RFC 7800 cnf claim (e.g. DPoP key thumbprint) binding this token to a key',\n }),\n },\n\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['client_id'] },\n { fields: ['session_id'] },\n { fields: ['user_id'] },\n { fields: ['refresh_id'] },\n { fields: ['authorization_code_id'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_refresh_token — Issued OAuth/OIDC refresh token\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthRefreshToken` model.\n * Refresh tokens are issued for the `offline_access` scope and are bound\n * to a specific session (`session_id`) and client (`client_id`).\n *\n * Each access-token rotation produces a new refresh-token row; revoked\n * tokens are kept (with `revoked` set) for audit purposes until pruned.\n *\n * @namespace sys\n */\nexport const SysOauthRefreshToken = ObjectSchema.create({\n name: 'sys_oauth_refresh_token',\n label: 'OAuth Refresh Token',\n pluralLabel: 'OAuth Refresh Tokens',\n icon: 'refresh-cw',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are LIVE long-lived credentials —\n // a refresh token mints new access tokens. Not covered by the wildcard `'*'`\n // grant; admins retain access via the superuser bypass; better-auth reads\n // via its adapter (system context), so OAuth flows are unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Opaque OAuth refresh tokens (linked to a session)',\n highlightFields: ['client_id', 'user_id', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n token: Field.text({\n label: 'Token',\n required: true,\n maxLength: 1024,\n description: 'Opaque refresh token value',\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n description: 'Foreign key to sys_oauth_application.client_id',\n }),\n\n session_id: Field.lookup('sys_session', {\n label: 'Session',\n required: false,\n description: 'Foreign key to sys_session.id',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.id',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n }),\n\n authorization_code_id: Field.text({\n label: 'Authorization Code ID',\n required: false,\n maxLength: 255,\n description: 'ID of the authorization-code grant this token chain originates from',\n }),\n\n resources: Field.textarea({\n label: 'Resources',\n required: false,\n description: 'JSON-serialized list of RFC 8707 resource indicators bound to this token',\n }),\n\n requested_user_info_claims: Field.textarea({\n label: 'Requested UserInfo Claims',\n required: false,\n description: 'JSON-serialized list of OIDC claims requested for the userinfo endpoint',\n }),\n\n scopes: Field.textarea({\n label: 'Scopes',\n required: true,\n description: 'JSON-serialized list of scopes granted to this token',\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n revoked: Field.datetime({\n label: 'Revoked At',\n required: false,\n description: 'Timestamp at which this refresh token was revoked',\n }),\n\n rotated_at: Field.datetime({\n label: 'Rotated At',\n required: false,\n description: 'Timestamp at which this token was rotated (superseded by a new row)',\n }),\n\n rotation_replay_response: Field.textarea({\n label: 'Rotation Replay Response',\n required: false,\n description: 'Cached token response replayed when the old token is re-presented within the reuse interval',\n }),\n\n rotation_replay_expires_at: Field.datetime({\n label: 'Rotation Replay Expires At',\n required: false,\n description: 'End of the post-rotation reuse interval during which the replay response is served',\n }),\n\n auth_time: Field.datetime({\n label: 'Auth Time',\n required: false,\n description: 'When the user originally authenticated for this token chain',\n }),\n\n confirmation: Field.textarea({\n label: 'Confirmation',\n required: false,\n description: 'JSON RFC 7800 cnf claim (e.g. DPoP key thumbprint) binding this token to a key',\n }),\n },\n\n indexes: [\n { fields: ['token'], unique: true },\n { fields: ['client_id'] },\n { fields: ['session_id'] },\n { fields: ['user_id'] },\n { fields: ['authorization_code_id'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_consent — Recorded user consent for an OAuth client + scopes\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthConsent` model. When a\n * user consents to a client requesting a particular set of scopes, the\n * decision is persisted here so future authorization requests for the same\n * client+scopes can skip the consent screen.\n *\n * The presence of a row implies consent was given for the listed scopes —\n * the previous boolean `consent_given` flag was removed in the migration\n * from `better-auth/plugins/oidc-provider` to `@better-auth/oauth-provider`.\n *\n * @namespace sys\n */\nexport const SysOauthConsent = ObjectSchema.create({\n name: 'sys_oauth_consent',\n label: 'OAuth Consent',\n pluralLabel: 'OAuth Consents',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'User consent records for OAuth client applications',\n highlightFields: ['client_id', 'user_id', 'scopes'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n description: 'Foreign key to sys_oauth_application.client_id',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: false,\n description: 'Foreign key to sys_user.id',\n }),\n\n reference_id: Field.text({\n label: 'Reference ID',\n required: false,\n maxLength: 255,\n description: 'Caller-supplied correlation identifier',\n }),\n\n resources: Field.textarea({\n label: 'Resources',\n required: false,\n description: 'JSON-serialized list of RFC 8707 resource indicators the consent covers',\n }),\n\n requested_user_info_claims: Field.textarea({\n label: 'Requested UserInfo Claims',\n required: false,\n description: 'JSON-serialized list of OIDC claims the user consented to expose',\n }),\n\n scopes: Field.textarea({\n label: 'Scopes',\n required: true,\n description: 'JSON-serialized list of scopes the user consented to',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['client_id'] },\n { fields: ['user_id'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_resource — Registered OAuth protected resource (RFC 8707)\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthResource` model\n * (better-auth ≥ 1.7). Each row registers a resource server (audience)\n * that clients may request tokens for via the RFC 8707 `resource`\n * parameter — e.g. the platform's own MCP endpoint. Carries the per-\n * resource token policy (TTLs, signing, allowed scopes, DPoP requirement).\n *\n * @namespace sys\n */\nexport const SysOauthResource = ObjectSchema.create({\n name: 'sys_oauth_resource',\n label: 'OAuth Resource',\n pluralLabel: 'OAuth Resources',\n icon: 'server',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Registered OAuth protected resources (RFC 8707 resource indicators)',\n displayNameField: 'name',\n nameField: 'name',\n highlightFields: ['name', 'identifier', 'disabled'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n identifier: Field.text({\n label: 'Identifier',\n required: true,\n maxLength: 1024,\n description: 'Resource indicator URI presented in the RFC 8707 resource parameter',\n }),\n\n name: Field.text({\n label: 'Name',\n required: true,\n maxLength: 255,\n }),\n\n access_token_ttl: Field.number({\n label: 'Access Token TTL',\n required: false,\n description: 'Access-token lifetime in seconds for this resource (overrides the server default)',\n }),\n\n refresh_token_ttl: Field.number({\n label: 'Refresh Token TTL',\n required: false,\n description: 'Refresh-token lifetime in seconds for this resource (overrides the server default)',\n }),\n\n signing_algorithm: Field.text({\n label: 'Signing Algorithm',\n required: false,\n maxLength: 32,\n description: 'JWS algorithm used to sign access tokens for this resource',\n }),\n\n signing_key_id: Field.text({\n label: 'Signing Key ID',\n required: false,\n maxLength: 255,\n description: 'Key id (kid) used to sign access tokens for this resource',\n }),\n\n allowed_scopes: Field.textarea({\n label: 'Allowed Scopes',\n required: false,\n description: 'JSON-serialized list of scopes clients may request for this resource',\n }),\n\n custom_claims: Field.textarea({\n label: 'Custom Claims',\n required: false,\n description: 'JSON object of extra claims stamped on access tokens for this resource',\n }),\n\n dpop_bound_access_tokens_required: Field.boolean({\n label: 'DPoP Required',\n required: false,\n defaultValue: false,\n description: 'Require access tokens for this resource to be DPoP-bound (RFC 9449)',\n }),\n\n disabled: Field.boolean({\n label: 'Disabled',\n required: false,\n defaultValue: false,\n }),\n\n policy_version: Field.number({\n label: 'Policy Version',\n required: false,\n defaultValue: 1,\n description: 'Monotonic version of the resource token policy',\n }),\n\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n description: 'JSON object of additional resource metadata',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['identifier'], unique: true },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_client_resource — Client ↔ protected-resource grant\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthClientResource` model\n * (better-auth ≥ 1.7). Join table allowing a registered client to request\n * tokens for a registered resource (RFC 8707). A missing row means the\n * client is not authorized for that audience.\n *\n * @namespace sys\n */\nexport const SysOauthClientResource = ObjectSchema.create({\n name: 'sys_oauth_client_resource',\n label: 'OAuth Client Resource',\n pluralLabel: 'OAuth Client Resources',\n icon: 'link',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Grants allowing an OAuth client to request tokens for a protected resource',\n highlightFields: ['client_id', 'resource_id'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n client_id: Field.text({\n label: 'Client ID',\n required: true,\n description: 'Foreign key to sys_oauth_application.client_id',\n }),\n\n resource_id: Field.text({\n label: 'Resource ID',\n required: true,\n maxLength: 1024,\n description: 'Foreign key to sys_oauth_resource.identifier',\n }),\n\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n description: 'JSON object of additional grant metadata',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['client_id'] },\n { fields: ['resource_id'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_oauth_client_assertion — Consumed client-assertion JTI\n *\n * Backed by `@better-auth/oauth-provider`'s `oauthClientAssertion` model\n * (better-auth ≥ 1.7). One row per consumed `private_key_jwt` /\n * `client_secret_jwt` assertion `jti` — replay prevention for RFC 7523\n * client authentication. Rows are short-lived; expired ones can be pruned.\n *\n * @namespace sys\n */\nexport const SysOauthClientAssertion = ObjectSchema.create({\n name: 'sys_oauth_client_assertion',\n label: 'OAuth Client Assertion',\n pluralLabel: 'OAuth Client Assertions',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Consumed OAuth client-assertion JTIs (RFC 7523 replay prevention)',\n highlightFields: ['expires_at'],\n\n fields: {\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: true,\n description: 'Assertion expiry — rows past this instant are safe to prune',\n }),\n },\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_jwks — JWKS (JSON Web Key Set) key pair store\n *\n * Backed by better-auth's `jwt` plugin. Each row is a single asymmetric\n * key pair used to sign and verify JWTs (id_tokens, JWT access tokens)\n * issued by this ObjectStack server when it acts as an OAuth/OIDC IdP.\n *\n * The plugin rotates keys automatically — older rows are kept until\n * `expires_at` so existing tokens can still be verified.\n *\n * @namespace sys\n */\nexport const SysJwks = ObjectSchema.create({\n name: 'sys_jwks',\n label: 'JWKS Key',\n pluralLabel: 'JWKS Keys',\n icon: 'key',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D2/④] Secure-by-default: rows are the environment's JWT SIGNING\n // KEYS (private key material). Not covered by the wildcard `'*'` grant — an\n // ordinary member gets 403 from the generic data layer. Platform admins\n // (viewAllRecords/modifyAllRecords) retain access via the posture-gated\n // superuser bypass; better-auth itself reads via its adapter (system\n // context), so token signing/verification is unaffected.\n access: { default: 'private' },\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,\n // but may add overlay row-level config. Use `no-overlay` if you need to\n // forbid sys_metadata overlays entirely.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Asymmetric key pairs used to sign and verify issued JWTs',\n highlightFields: ['id', 'created_at', 'expires_at'],\n\n fields: {\n id: Field.text({\n label: 'Key ID',\n required: true,\n readonly: true,\n description: 'JWK `kid` value',\n }),\n\n public_key: Field.textarea({\n label: 'Public Key',\n required: true,\n description: 'JSON-serialized JWK public key',\n }),\n\n private_key: Field.textarea({\n label: 'Private Key',\n required: true,\n description: 'JSON-serialized JWK private key (encrypted at rest)',\n }),\n\n // better-auth 1.7 records the key's signing algorithm and (for EdDSA/EC\n // keys) its curve alongside the key material, so tokens can advertise the\n // correct `alg`/`crv` in the JWKS response. Both are optional — legacy rows\n // minted before 1.7 leave them null and better-auth falls back to the\n // configured `keyPairConfig.alg` (default `EdDSA`).\n alg: Field.text({\n label: 'Algorithm',\n required: false,\n description: 'JWK signing algorithm, e.g. `EdDSA` (better-auth 1.7+)',\n }),\n\n crv: Field.text({\n label: 'Curve',\n required: false,\n description: 'JWK curve for EdDSA/EC keys, e.g. `Ed25519` (better-auth 1.7+)',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n required: false,\n description: 'When the key may no longer be used to verify tokens',\n }),\n },\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: false,\n apiMethods: [],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sso_provider — Registered external SSO identity provider (OIDC / SAML)\n *\n * Backed by `@better-auth/sso`'s `ssoProvider` model. Each row is an external\n * IdP that THIS environment federates LOGIN to (the relying-party / client\n * side) — e.g. the customer's Okta / Entra / Google Workspace. This is the\n * per-environment SSO **mechanism** (ADR-0024): OPEN, configured in the env,\n * and cloud-free for self-host.\n *\n * better-auth stores the protocol detail as a JSON blob in `oidc_config`\n * (OIDC: clientId, clientSecret, endpoints, scopes, mapping, pkce, …) or\n * `saml_config` (SAML: entryPoint, cert, identifierFormat, mapping, …) — not\n * as separate columns. Field set mirrors `@better-auth/sso@1.6.20`'s\n * `BaseSSOProvider`: issuer, oidcConfig, samlConfig, userId, providerId,\n * organizationId, domain.\n *\n * All mutations route through better-auth's `/api/v1/auth/sso/*` endpoints\n * (register / delete-provider) so config validation and secret handling run;\n * the generic data layer is read-only (see `enable.apiMethods`).\n *\n * @namespace sys\n */\nexport const SysSsoProvider = ObjectSchema.create({\n name: 'sys_sso_provider',\n label: 'SSO Provider',\n pluralLabel: 'SSO Providers',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'better-auth',\n // ADR-0024 — env-global, ADMIN-ONLY identity config. Two orthogonal controls:\n // • `tenancy.enabled: false` — the env IS the tenant; providers are env-wide,\n // not org-partitioned. Opting out of multi-tenancy lets a platform admin's\n // `viewAllRecords` superuser bypass see every provider (without it, the\n // `member_default` wildcard `tenant_isolation` RLS denies every row, since\n // better-auth writes via its adapter with no tenantId → `organization_id`\n // is never stamped).\n // • `requiredPermissions: ['manage_platform_settings']` — object-level\n // capability gate (ADR-0066 D3) so ordinary members are denied entirely\n // (without it, tenancy-disabled + `member_default`'s `'*': allowRead` would\n // leak providers to every authenticated user).\n // Together: admins see all env providers; non-admins get 403. better-auth's\n // own endpoints already read via a system context. (Env-only object — no\n // control-plane cross-tenant risk.)\n tenancy: { enabled: false },\n requiredPermissions: ['manage_platform_settings'],\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth (@better-auth/sso) — see ADR-0024.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'External SSO identity providers (OIDC / SAML) this environment federates login to',\n displayNameField: 'provider_id',\n nameField: 'provider_id', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{provider_id}',\n highlightFields: ['provider_id', 'issuer', 'domain'],\n\n // All mutations go through @better-auth/sso's endpoints under\n // /api/v1/auth/sso/* (register / delete-provider) rather than the generic\n // data layer, so server-side config validation + secret handling run.\n actions: [\n {\n name: 'register_sso_provider',\n label: 'Register SSO Provider',\n icon: 'plus-circle',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'api',\n method: 'POST',\n // Routed through the env-side bridge (plugin-auth `auth-plugin.ts`), which\n // reshapes these FLAT form fields into the nested `oidcConfig` body that\n // `@better-auth/sso`'s /sso/register requires, then re-dispatches to it\n // (so the admin gate + discovery hydration run). Posting straight to\n // /sso/register would drop clientId/clientSecret (top-level → Zod-stripped)\n // and persist an unusable `oidc_config = null` provider.\n target: '/api/v1/auth/admin/sso/register',\n refreshAfter: true,\n params: [\n { name: 'providerId', label: 'Provider ID', type: 'text', required: true, helpText: 'Stable identifier, e.g. \"okta\" or \"acme-entra\".' },\n { name: 'issuer', label: 'Issuer URL', type: 'text', required: true, helpText: 'IdP issuer, e.g. https://acme.okta.com. Discovery is fetched from here unless an explicit URL is given below.' },\n { name: 'domain', label: 'Email Domain', type: 'text', required: true, helpText: 'Users with this email domain are routed to this IdP, e.g. acme.com.' },\n { name: 'clientId', label: 'Client ID', type: 'text', required: true, helpText: 'OAuth client ID issued by the IdP for this environment.' },\n { name: 'clientSecret', label: 'Client Secret', type: 'text', required: true, helpText: 'OAuth client secret (stored encrypted by better-auth).' },\n { name: 'discoveryEndpoint', label: 'Discovery URL', type: 'text', required: false, helpText: 'Optional. OIDC discovery document URL. Leave blank to derive `<issuer>/.well-known/openid-configuration`.' },\n { name: 'scopes', label: 'Scopes', type: 'text', required: false, placeholder: 'openid email profile', helpText: 'Optional. Space- or comma-separated OAuth scopes. Defaults to \"openid email profile\".' },\n { name: 'mapId', label: 'Map: User ID claim', type: 'text', required: false, placeholder: 'sub', helpText: 'Optional. ID-token claim mapped to the user ID. Defaults to \"sub\".' },\n { name: 'mapEmail', label: 'Map: Email claim', type: 'text', required: false, placeholder: 'email', helpText: 'Optional. Claim mapped to email. Defaults to \"email\".' },\n { name: 'mapName', label: 'Map: Name claim', type: 'text', required: false, placeholder: 'name', helpText: 'Optional. Claim mapped to display name. Defaults to \"name\".' },\n ],\n },\n {\n name: 'register_saml_provider',\n label: 'Register SAML Provider',\n icon: 'shield',\n variant: 'primary',\n mode: 'create',\n locations: ['list_toolbar'],\n type: 'api',\n method: 'POST',\n // SAML 2.0 via @better-auth/sso (samlify-backed). Routed through the\n // env-side bridge (plugin-auth `auth-plugin.ts` → register-saml), which\n // reshapes these FLAT IdP fields into the nested `samlConfig` body that\n // @better-auth/sso's /sso/register requires (entryPoint/cert/callbackUrl/\n // spMetadata/identifierFormat), derives the per-provider ACS URL, and\n // re-dispatches to /sso/register (admin gate runs). The response returns\n // the SP ACS + metadata URLs to configure on the IdP.\n target: '/api/v1/auth/admin/sso/register-saml',\n refreshAfter: true,\n params: [\n { name: 'providerId', label: 'Provider ID', type: 'text', required: true, helpText: 'Stable identifier, e.g. \"acme-saml\".' },\n { name: 'issuer', label: 'IdP Entity ID', type: 'text', required: true, helpText: 'The IdP’s SAML EntityID (issuer), e.g. https://saml.acme.com/entityid.' },\n { name: 'domain', label: 'Email Domain', type: 'text', required: true, helpText: 'Users with this email domain are routed to this IdP, e.g. acme.com.' },\n { name: 'entryPoint', label: 'IdP SSO URL', type: 'text', required: true, helpText: 'The IdP’s SAML single sign-on (redirect) endpoint that receives the SAMLRequest.' },\n { name: 'cert', label: 'IdP Signing Certificate', type: 'textarea', required: true, helpText: 'The IdP’s X.509 signing certificate (PEM body). Used to verify assertion signatures.' },\n { name: 'identifierFormat', label: 'NameID Format', type: 'text', required: false, placeholder: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', helpText: 'Optional. Requested SAML NameID format. Defaults to the IdP’s configured format.' },\n ],\n },\n {\n name: 'request_domain_verification',\n label: 'Request Domain Verification',\n icon: 'globe',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n // ADR-0024 ② (opt-in OS_SSO_DOMAIN_VERIFICATION). Asks @better-auth/sso\n // for a one-time DNS-TXT challenge and reveals the ready-to-paste record\n // ONCE via `resultDialog`. Routed through the env bridge (plugin-auth /\n // cloud AuthProxyPlugin) which reshapes the `{domainVerificationToken}`\n // response into a `{ success, data: { dnsRecordName, dnsRecordValue } }`\n // envelope. The console action runtime unwraps that envelope, so the\n // `resultDialog` field paths are relative to the inner `data` payload\n // (`dnsRecordName`, not `data.dnsRecordName`) — consistent with every\n // other object's resultDialog (create_user, two-factor, OAuth). When the\n // feature is OFF the bridge returns a clear \"not enabled for this\n // environment\" error instead of a bare 404.\n target: '/api/v1/auth/admin/sso/request-domain-verification',\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n { name: 'domain', field: 'domain', defaultFromRow: true, required: false },\n ],\n resultDialog: {\n title: 'Verify your domain',\n description:\n 'Add the DNS TXT record below at your domain’s DNS provider, then run “Verify Domain”. The token is shown once.',\n acknowledge: 'Done',\n fields: [\n { path: 'dnsRecordType', label: 'Record type', format: 'text' },\n { path: 'dnsRecordName', label: 'Name / Host', format: 'secret' },\n { path: 'dnsRecordValue', label: 'Value', format: 'secret' },\n ],\n },\n },\n {\n name: 'verify_domain',\n label: 'Verify Domain',\n icon: 'shield-check',\n variant: 'secondary',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n // ADR-0024 ②. Re-checks the DNS-TXT record and flips `domain_verified`\n // on success. Routed through the env bridge, which maps @better-auth/sso's\n // empty 204 / 502 into a clear success/error toast.\n target: '/api/v1/auth/admin/sso/verify-domain',\n successMessage: 'Domain ownership verified',\n refreshAfter: true,\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n ],\n },\n {\n name: 'delete_sso_provider',\n label: 'Delete SSO Provider',\n icon: 'trash-2',\n variant: 'danger',\n mode: 'delete',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/auth/sso/delete-provider',\n confirmText: 'Delete this SSO provider? Users from its domain will no longer be able to sign in through it.',\n successMessage: 'SSO provider deleted',\n refreshAfter: true,\n params: [\n { name: 'providerId', field: 'provider_id', defaultFromRow: true, required: true },\n ],\n },\n ],\n\n listViews: {\n all: {\n type: 'grid',\n name: 'all',\n label: 'All',\n data: { provider: 'object', object: 'sys_sso_provider' },\n columns: ['provider_id', 'issuer', 'domain', 'domain_verified', 'created_at'],\n sort: [{ field: 'provider_id', order: 'asc' }],\n pagination: { pageSize: 50 },\n // Per-object empty state — the shared identity-object copy (\"created\n // automatically … cannot be added here\") is wrong for this object, which\n // HAS a \"Register SSO Provider\" action. Point admins at it instead.\n emptyState: {\n title: 'No SSO providers yet',\n message: 'Register your organization’s external IdP — OIDC (Okta, Entra, Auth0, …) with “Register SSO Provider”, or SAML 2.0 with “Register SAML Provider”. Members whose email domain matches can then sign in through it.',\n icon: 'log-in',\n },\n },\n },\n\n fields: {\n id: Field.text({ label: 'ID', required: true, readonly: true, group: 'System' }),\n\n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n searchable: true,\n maxLength: 255,\n description: 'Stable provider identifier (unique within the environment)',\n group: 'Identity',\n }),\n\n issuer: Field.text({\n label: 'Issuer',\n required: true,\n maxLength: 2048,\n description: 'IdP issuer URL',\n group: 'Identity',\n }),\n\n domain: Field.text({\n label: 'Email Domain',\n required: true,\n maxLength: 255,\n description: 'Email domain routed to this IdP (e.g. acme.com)',\n group: 'Identity',\n }),\n\n domain_verified: Field.boolean({\n label: 'Domain Verified',\n defaultValue: false,\n readonly: true,\n description:\n 'Whether DNS ownership of the email domain has been proven (ADR-0024 ②). Set by “Verify Domain” after the DNS TXT record resolves. Managed by better-auth — not directly editable. Only enforced when domain verification is enabled for the environment.',\n group: 'Identity',\n }),\n\n oidc_config: Field.textarea({\n label: 'OIDC Config',\n required: false,\n description: 'JSON: clientId, clientSecret, endpoints, scopes, mapping, pkce (managed by better-auth)',\n group: 'Protocol',\n }),\n\n saml_config: Field.textarea({\n label: 'SAML Config',\n required: false,\n description: 'JSON: entryPoint, cert, identifierFormat, mapping (managed by better-auth)',\n group: 'Protocol',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'Registered By',\n required: false,\n description: 'User who registered this provider',\n group: 'System',\n }),\n\n organization_id: Field.text({\n label: 'Organization',\n required: false,\n maxLength: 255,\n description: 'Organization scope (when org-scoped SSO is used)',\n group: 'System',\n }),\n\n created_at: Field.datetime({ label: 'Created At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n updated_at: Field.datetime({ label: 'Updated At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n },\n\n indexes: [\n { fields: ['provider_id'], unique: true },\n { fields: ['domain'] },\n { fields: ['user_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n // Mutations go through /api/v1/auth/sso/* (register / delete-provider);\n // the generic data layer is read-only so sysadmins cannot bypass\n // server-side validation / secret handling.\n apiMethods: ['get', 'list'],\n trash: false,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_scim_provider — Registered SCIM 2.0 connection (@better-auth/scim)\n *\n * Backed by `@better-auth/scim`'s `scimProvider` model. Each row is a SCIM\n * connection: a bearer token an external IdP (Okta / Entra / OneLogin) uses to\n * **auto-provision / deprovision** THIS environment's users. The environment is\n * the SCIM **Service Provider** (the receiver); the IdP is the SCIM **client**\n * (the sender). This is the paid Identity lifecycle (ADR-0071) — the mechanism\n * is OPEN (here, framework `plugin-auth`); enablement is entitlement-gated by\n * the cloud / EE license.\n *\n * `scim_token` holds the connection's bearer credential. With the plugin's\n * `storeSCIMToken: 'hashed'` (the default this env wires) it stores only a\n * HASH — the plaintext is returned exactly once at `/scim/generate-token`. Even\n * so, treat this object as sensitive: it is read-only over the generic data API\n * and the token is excluded from list views.\n *\n * All mutations route through @better-auth/scim's endpoints under\n * `/api/v1/auth/scim/*` (generate-token / delete-provider-connection) and the\n * SCIM 2.0 protocol under `/api/v1/auth/scim/v2/*`; the generic data layer is\n * read-only (see `enable.apiMethods`).\n *\n * @namespace sys\n */\nexport const SysScimProvider = ObjectSchema.create({\n name: 'sys_scim_provider',\n label: 'SCIM Provider',\n pluralLabel: 'SCIM Providers',\n icon: 'users',\n isSystem: true,\n managedBy: 'better-auth',\n // [ADR-0066 D3/④] Admin-only identity config carrying a live credential\n // (`scim_token` — the bearer external IdPs authenticate provisioning calls\n // with). Object-level capability gate, mirroring the sibling\n // `sys_sso_provider`: ordinary members are denied entirely (without it, the\n // `member_default` wildcard `'*': allowRead` would expose SCIM connections\n // to every authenticated user). better-auth's own endpoints read via a\n // system context, so SCIM provisioning is unaffected.\n requiredPermissions: ['manage_platform_settings'],\n // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema.\n protection: {\n lock: 'full',\n reason: 'Identity table managed by better-auth (@better-auth/scim) — see ADR-0071.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'SCIM 2.0 connections (bearer tokens) external IdPs use to provision/deprovision this environment\\'s users',\n displayNameField: 'provider_id',\n nameField: 'provider_id', // [ADR-0079] canonical primary-title pointer (mirrors deprecated displayNameField)\n titleFormat: '{provider_id}',\n highlightFields: ['provider_id', 'organization_id'],\n\n listViews: {\n all: {\n type: 'grid',\n name: 'all',\n label: 'All',\n data: { provider: 'object', object: 'sys_scim_provider' },\n // scim_token is intentionally excluded — never surface the credential.\n columns: ['provider_id', 'organization_id', 'created_at'],\n sort: [{ field: 'provider_id', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'ID', required: true, readonly: true, group: 'System' }),\n\n provider_id: Field.text({\n label: 'Provider ID',\n required: true,\n searchable: true,\n maxLength: 255,\n description: 'Stable SCIM provider identifier (e.g. \"okta-scim\")',\n group: 'Identity',\n }),\n\n scim_token: Field.text({\n label: 'SCIM Token (hash)',\n required: false,\n readonly: true,\n maxLength: 1024,\n description: 'Hashed bearer credential for this SCIM connection — the plaintext is shown once at generate-token. Sensitive; do not expose.',\n group: 'Secret',\n }),\n\n organization_id: Field.text({\n label: 'Organization',\n required: false,\n maxLength: 255,\n description: 'Organization scope of this token (org-scoped tokens restrict provisioning to that org)',\n group: 'System',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'Owned By',\n required: false,\n description: 'User who generated this token (when provider-ownership is enabled)',\n group: 'System',\n }),\n\n created_at: Field.datetime({ label: 'Created At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n updated_at: Field.datetime({ label: 'Updated At', defaultValue: 'NOW()', readonly: true, group: 'System' }),\n },\n\n indexes: [\n { fields: ['provider_id'], unique: true },\n { fields: ['organization_id'] },\n { fields: ['user_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n // Mutations + token issuance go through @better-auth/scim's endpoints\n // under /api/v1/auth/scim/*; the generic data layer is read-only so the\n // credential cannot be written/bypassed through it.\n apiMethods: ['list'],\n trash: false,\n mru: false,\n },\n});\n"]}
|