@objectstack/platform-objects 6.8.1 → 7.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. package/dist/apps/index.d.mts +30 -1
  2. package/dist/apps/index.d.ts +30 -1
  3. package/dist/apps/index.js +994 -37
  4. package/dist/apps/index.js.map +1 -1
  5. package/dist/apps/index.mjs +994 -38
  6. package/dist/apps/index.mjs.map +1 -1
  7. package/dist/audit/index.d.mts +320 -16
  8. package/dist/audit/index.d.ts +320 -16
  9. package/dist/identity/index.d.mts +1000 -22
  10. package/dist/identity/index.d.ts +1000 -22
  11. package/dist/identity/index.js +384 -8
  12. package/dist/identity/index.js.map +1 -1
  13. package/dist/identity/index.mjs +384 -8
  14. package/dist/identity/index.mjs.map +1 -1
  15. package/dist/index.d.mts +5 -2
  16. package/dist/index.d.ts +5 -2
  17. package/dist/index.js +7060 -154
  18. package/dist/index.js.map +1 -1
  19. package/dist/index.mjs +7054 -155
  20. package/dist/index.mjs.map +1 -1
  21. package/dist/integration/index.d.mts +20 -1
  22. package/dist/integration/index.d.ts +20 -1
  23. package/dist/metadata/index.d.mts +40 -2
  24. package/dist/metadata/index.d.ts +40 -2
  25. package/dist/metadata-translations/index.d.mts +20 -0
  26. package/dist/metadata-translations/index.d.ts +20 -0
  27. package/dist/metadata-translations/index.js +4777 -0
  28. package/dist/metadata-translations/index.js.map +1 -0
  29. package/dist/metadata-translations/index.mjs +4775 -0
  30. package/dist/metadata-translations/index.mjs.map +1 -0
  31. package/dist/pages/index.d.mts +68 -0
  32. package/dist/pages/index.d.ts +68 -0
  33. package/dist/pages/index.js +371 -0
  34. package/dist/pages/index.js.map +1 -0
  35. package/dist/pages/index.mjs +368 -0
  36. package/dist/pages/index.mjs.map +1 -0
  37. package/dist/plugin.d.mts +35 -0
  38. package/dist/plugin.d.ts +35 -0
  39. package/dist/plugin.js +17566 -0
  40. package/dist/plugin.js.map +1 -0
  41. package/dist/plugin.mjs +17563 -0
  42. package/dist/plugin.mjs.map +1 -0
  43. package/dist/security/index.d.mts +6376 -2094
  44. package/dist/security/index.d.ts +6376 -2094
  45. package/dist/security/index.js +383 -1
  46. package/dist/security/index.js.map +1 -1
  47. package/dist/security/index.mjs +383 -2
  48. package/dist/security/index.mjs.map +1 -1
  49. package/dist/system/index.d.mts +60 -3
  50. package/dist/system/index.d.ts +60 -3
  51. package/package.json +17 -2
package/dist/security/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/security/sys-role.object.ts","../../src/security/sys-permission-set.object.ts","../../src/security/sys-user-permission-set.object.ts","../../src/security/sys-role-permission-set.object.ts","../../src/security/sys-record-share.object.ts","../../src/security/sys-sharing-rule.object.ts","../../src/security/default-permission-sets.ts"],"names":["ObjectSchema","Field"],"mappings":";;;;AAYO,IAAM,OAAA,GAAU,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,0CAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASvD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,gBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,6HAAA;AAAA,MACb,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,kBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,UAAA,EAAY,IAAA,EAAK;AAAA,MAC9B,WAAA,EAAa,0EAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,uBAAA;AAAA,MACR,SAAA,EAAW,EAAE,UAAA,EAAY,KAAA,EAAO,QAAQ,IAAA,EAAK;AAAA,MAC7C,cAAA,EAAgB,aAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA;AAAK;AAC/C;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACrD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,QAAQ,CAAA;AAAA,MAClD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAO,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAa,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAa,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQ,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,cAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa,qCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAI,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACtNM,IAAM,gBAAA,GAAmBA,aAAa,MAAA,CAAO;AAAA,EAClD,IAAA,EAAM,oBAAA;AAAA,EACN,KAAA,EAAO,gBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,4DAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzC,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,0BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,iHAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,KAAA,EAAO,OAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,iCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,oBAAA,EAAsB,cAAA,EAAgB,IAAA,EAAK;AAAA,QACpD,EAAE,KAAA,EAAO,mBAAA,EAAqB,cAAA,EAAgB,IAAA;AAAK;AACrD;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,YAAY,CAAA;AAAA,MACtD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,kBAAA,EAAoBA,MAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,iBAAA,EAAmBA,MAAM,QAAA,CAAS;AAAA,MAChC,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACpLM,IAAM,oBAAA,GAAuBD,aAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,yFAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAA,EAAqB,iBAAiB,CAAA;AAAA,EAEjE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,KAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAA,EAAW,qBAAqB,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC5E,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC3EM,IAAM,oBAAA,GAAuBD,aAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,aAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,mCAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAmB,CAAA;AAAA,EAE9C,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,KAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,mBAAmB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzCM,IAAM,cAAA,GAAiBD,aAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,kEAAA;AAAA,EACb,WAAA,EAAa,kEAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,WAAA,EAAa,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEpF,SAAA,EAAW;AAAA,IACT,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,gBAAA,EAAkB,QAAA,EAAU,QAAA,EAAU,OAAO,MAAA,EAAO;AAAA,QAC7D,EAAE,KAAA,EAAO,cAAA,EAAgB,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OAC1E;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACxE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,gBAAgB,cAAA,EAAgB,YAAA,EAAc,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,aAAa,YAAY,CAAA;AAAA,MAC/F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,WAAW,GAAG,CAAA;AAAA,MAClF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC9G,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAgBA,KAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,yBAAyB,OAAO,CAAA;AAAA,MAC1D;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,wCAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,KAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6EAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,QAAQA,KAAAA,CAAM,MAAA;AAAA,MACZ,CAAC,QAAA,EAAU,MAAA,EAAQ,MAAA,EAAQ,WAAW,CAAA;AAAA,MACtC;AAAA,QACE,KAAA,EAAO,QAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,sEAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA,IAIP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,gBAAA,EAAkB,cAAc,CAAA,EAAE;AAAA;AAAA;AAAA,IAG5D,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,QAAA,EAAU,WAAW,CAAA;AAAE;AAEtC,CAAC;ACzMM,IAAM,cAAA,GAAiBD,aAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,WAAA,EAAa,EAAE,MAAA,EAAQ,IAAA,EAAM,MAAM,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAM;AAAA,EACrE,WAAA,EAAa,mJAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,eAAe,CAAC,MAAA,EAAQ,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEjG,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,YAAY,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,aAAA,EAAe,gBAAA,EAAkB,gBAAgB,YAAY,CAAA;AAAA,MAChF,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAA,EAAkB,gBAAgB,QAAQ,CAAA;AAAA,MAC5E,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,OAAA,EAAS,aAAA,EAAe,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,KAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAEpF,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,6BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,iCAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAgBA,KAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,MAAA,EAAQ,YAAA,EAAc,QAAQ,OAAO,CAAA;AAAA,MAC9C;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,2KAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,KAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,QAAQ,CAAA,EAAE;AAAA,IACpC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA;AAAE;AAElC,CAAC;ACvKD,IAAM,2BAAA,GAA8B;AAAA,EAClC,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,0BAAA,GAA6B,MAK7B,MAAA,CAAO,WAAA;AAAA,EACX,2BAAA,CAA4B,GAAA,CAAI,CAAC,IAAA,KAAS;AAAA,IACxC,IAAA;AAAA,IACA,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,OAAO,SAAA,EAAW,KAAA,EAAO,aAAa,KAAA;AAAM,GAC7E;AACH,CAAA;AA4BO,IAAM,qBAAA,GAAyC;AAAA,EACpD,oBAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,mBAAA;AAAA,IACN,KAAA,EAAO,kCAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA;AACpB,KACF;AAAA,IACA,iBAAA,EAAmB,CAAC,cAAA,EAAgB,iBAAA,EAAmB,gBAAgB,eAAe;AAAA,GACvF,CAAA;AAAA,EACD,oBAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,gBAAA;AAAA,IACN,KAAA,EAAO,+BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA,MAEA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,mBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACD,oBAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,iBAAA;AAAA,IACN,KAAA,EAAO,yBAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,KAAA;AAAA,QACb,SAAA,EAAW,KAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA;AAAA;AAAA,MAIA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA,MAGA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD;AACH","file":"index.mjs","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role — System Role Object\n *\n * RBAC role definition for the ObjectStack platform.\n * Roles group permissions and are assigned to users or members.\n *\n * @namespace sys\n */\nexport const SysRole = ObjectSchema.create({\n name: 'sys_role',\n label: 'Role',\n pluralLabel: 'Roles',\n icon: 'shield',\n isSystem: true,\n managedBy: 'config',\n description: 'Role definitions for RBAC access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active', 'is_default'],\n\n // Custom actions — system roles drive RBAC and are edited rarely but\n // require the four high-frequency sysadmin affordances every IdP\n // (Salesforce, ServiceNow, Okta) ships: activate/deactivate (lifecycle\n // without losing assignments), mark default (auto-assign to new users),\n // and clone (template for new roles). All operations hit the generic\n // data CRUD endpoint exposed by `apiEnabled` — no custom server route\n // required because `managedBy: 'config'` allows direct mutation.\n actions: [\n {\n name: 'activate_role',\n label: 'Activate Role',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: true },\n successMessage: 'Role activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_role',\n label: 'Deactivate Role',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this role? Users with the role keep their assignment but the role stops granting permissions until re-activated.',\n successMessage: 'Role deactivated',\n refreshAfter: true,\n },\n {\n name: 'set_default_role',\n label: 'Set as Default',\n icon: 'star',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { is_default: true },\n confirmText: 'Make this the default role for new users? Existing users are unaffected.',\n successMessage: 'Default role updated',\n refreshAfter: true,\n },\n {\n // Clone — POST a new sys_role row pre-filled from the source. The\n // dialog asks only for the new API name / label so the operator\n // can rename atomically; permissions JSON is copied wholesale via\n // defaultFromRow.\n name: 'clone_role',\n label: 'Clone Role',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_role',\n bodyExtra: { is_default: false, active: true },\n successMessage: 'Role cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'is_default', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n default_roles: {\n type: 'grid',\n name: 'default_roles',\n label: 'Default',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'description', 'active'],\n filter: [{ field: 'is_default', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n custom: {\n type: 'grid',\n name: 'custom',\n label: 'Custom',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'updated_at'],\n filter: [{ field: 'is_default', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_roles: {\n type: 'grid',\n name: 'all_roles',\n label: 'All',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'is_default', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the role (e.g. admin, editor, viewer)',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n permissions: Field.textarea({\n label: 'Permissions',\n required: false,\n description: 'JSON-serialized array of permission strings',\n group: 'Configuration',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n is_default: Field.boolean({\n label: 'Default Role',\n defaultValue: false,\n description: 'Automatically assigned to new users',\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Role ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_permission_set — System Permission Set Object\n *\n * Named groupings of fine-grained permissions.\n * Permission sets can be assigned to roles or directly to users\n * for granular access control.\n *\n * @namespace sys\n */\nexport const SysPermissionSet = ObjectSchema.create({\n name: 'sys_permission_set',\n label: 'Permission Set',\n pluralLabel: 'Permission Sets',\n icon: 'lock',\n isSystem: true,\n managedBy: 'config',\n description: 'Named permission groupings for fine-grained access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active'],\n\n // Custom actions — permission sets are templates assigned to roles or\n // users (via sys_role_permission_set / sys_user_permission_set). The\n // sysadmin operations that don't live on the parent-detail tabs are\n // lifecycle (activate/deactivate without losing assignments) and\n // clone (build a new permset by tweaking an existing one). Both hit\n // the generic data CRUD endpoint — managedBy: 'config' permits it.\n actions: [\n {\n name: 'activate_permission_set',\n label: 'Activate',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: true },\n successMessage: 'Permission set activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_permission_set',\n label: 'Deactivate',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this permission set? Existing assignments stay in place but stop granting access until re-activated.',\n successMessage: 'Permission set deactivated',\n refreshAfter: true,\n },\n {\n name: 'clone_permission_set',\n label: 'Clone',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_permission_set',\n bodyExtra: { active: true },\n successMessage: 'Permission set cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'object_permissions', defaultFromRow: true },\n { field: 'field_permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'description', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_permsets: {\n type: 'grid',\n name: 'all_permsets',\n label: 'All',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the permission set',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Permissions ──────────────────────────────────────────────\n object_permissions: Field.textarea({\n label: 'Object Permissions',\n required: false,\n description: 'JSON-serialized object-level CRUD permissions',\n group: 'Permissions',\n }),\n\n field_permissions: Field.textarea({\n label: 'Field Permissions',\n required: false,\n description: 'JSON-serialized field-level read/write permissions',\n group: 'Permissions',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Permission Set ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_permission_set — User ↔ PermissionSet assignment.\n *\n * Salesforce-style additive permission grant: a user may be assigned any\n * number of `sys_permission_set` rows, optionally scoped to a specific\n * organization. The runtime resolver (`resolveExecutionContext` in\n * `@objectstack/runtime`) reads this table when building the per-request\n * `ExecutionContext.permissions[]`.\n *\n * Uniqueness is `(user_id, permission_set_id, organization_id)` so the\n * same permission set can be granted independently in each org context\n * the user belongs to.\n *\n * @namespace sys\n */\nexport const SysUserPermissionSet = ObjectSchema.create({\n name: 'sys_user_permission_set',\n label: 'User Permission Set',\n pluralLabel: 'User Permission Sets',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'system',\n description: 'Direct assignment of a permission set to a user (optionally scoped to an organization).',\n titleFormat: '{user_id} → {permission_set_id}',\n compactLayout: ['user_id', 'permission_set_id', 'organization_id'],\n\n fields: {\n id: Field.text({\n label: 'Assignment ID',\n required: true,\n readonly: true,\n description: 'UUID of the assignment.',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Optional organization scope. NULL = applies in every org context.',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User who granted this permission set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'permission_set_id', 'organization_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['organization_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role_permission_set — Role ↔ PermissionSet binding.\n *\n * Allows administrators to compose a `sys_role` from one or more\n * `sys_permission_set` rows. At request time, the runtime resolver\n * (`resolveExecutionContext`) collects every permission set bound to\n * the user's roles via this table and injects their names into\n * `ExecutionContext.permissions[]` for downstream RBAC evaluation.\n *\n * @namespace sys\n */\nexport const SysRolePermissionSet = ObjectSchema.create({\n name: 'sys_role_permission_set',\n label: 'Role Permission Set',\n pluralLabel: 'Role Permission Sets',\n icon: 'shield-plus',\n isSystem: true,\n managedBy: 'system',\n description: 'Binds a permission set to a role.',\n titleFormat: '{role_id} → {permission_set_id}',\n compactLayout: ['role_id', 'permission_set_id'],\n\n fields: {\n id: Field.text({\n label: 'Binding ID',\n required: true,\n readonly: true,\n description: 'UUID of the role-permission-set binding.',\n }),\n\n role_id: Field.lookup('sys_role', {\n label: 'Role',\n required: true,\n description: 'Foreign key to sys_role.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['role_id', 'permission_set_id'], unique: true },\n { fields: ['role_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_record_share — Per-Record Sharing Grant\n *\n * Bridges the ownership-only baseline established by `object.sharingModel`\n * with the real-world need to delegate access to a single record. Each\n * row says: \"principal P has access level L on (object O, record R),\n * because of source S (manual grant or rule).\"\n *\n * Enforcement lives in `@objectstack/plugin-sharing`:\n * - For objects with `sharingModel: 'private'`, the engine middleware\n * AND-s `{$or:[{owner_id:userId},{id:{$in:[grantedRecordIds]}}]}`\n * into every `find` against that object.\n * - For objects with `sharingModel: 'private' | 'read'`, the same\n * middleware enforces edit/delete by checking ownership OR a share\n * row with `access_level in ('edit','full')`.\n *\n * Conventions:\n * - `object_name` is the short object name (e.g. `account`, `lead`).\n * - `recipient_type` mirrors `ShareRecipientType` from the spec\n * (`user` is enforced today; `group`/`role` are persisted for\n * forward-compatibility).\n * - `source = 'manual'` rows are created by a user via the REST\n * `POST /data/:object/:id/shares` endpoint. `source = 'rule'` rows\n * are materialised by the sharing-rule evaluator (future); the\n * `source_id` lets the evaluator reconcile stale grants.\n *\n * @namespace sys\n */\nexport const SysRecordShare = ObjectSchema.create({\n name: 'sys_record_share',\n label: 'Record Share',\n pluralLabel: 'Record Shares',\n icon: 'share',\n isSystem: true,\n managedBy: 'system',\n description: 'Per-record sharing grant — extends OWD with explicit access',\n titleFormat: '{object_name}/{record_id} → {recipient_id} ({access_level})',\n compactLayout: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source'],\n\n listViews: {\n granted_to_me: {\n type: 'grid',\n name: 'granted_to_me',\n label: 'Granted to Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'access_level', 'source', 'granted_by', 'created_at'],\n filter: [\n { field: 'recipient_type', operator: 'equals', value: 'user' },\n { field: 'recipient_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n granted_by_me: {\n type: 'grid',\n name: 'granted_by_me',\n label: 'Granted by Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n filter: [\n { field: 'granted_by', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n manual_grants: {\n type: 'grid',\n name: 'manual_grants',\n label: 'Manual Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'granted_by', 'reason', 'created_at'],\n filter: [{ field: 'source', operator: 'equals', value: 'manual' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n rule_grants: {\n type: 'grid',\n name: 'rule_grants',\n label: 'Rule Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source_id', 'created_at'],\n filter: [{ field: 'source', operator: 'in', value: ['rule', 'team', 'inherited'] }],\n sort: [{ field: 'source_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_shares: {\n type: 'grid',\n name: 'all_shares',\n label: 'All',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_type', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Share ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Target (which record is being shared) ────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Recipient (who receives access) ──────────────────────────\n recipient_type: Field.select(\n ['user', 'group', 'role', 'role_and_subordinates', 'guest'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'user',\n description: 'Kind of principal that holds the grant',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 100,\n description: 'ID of the user/group/role that receives access',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n description: 'What the recipient can do — read | edit | full (transfer/share/delete)',\n group: 'Recipient',\n },\n ),\n\n // ── Provenance ───────────────────────────────────────────────\n source: Field.select(\n ['manual', 'rule', 'team', 'inherited'],\n {\n label: 'Source',\n required: true,\n defaultValue: 'manual',\n description: 'Why this grant exists — used by the rule evaluator to reconcile',\n group: 'Provenance',\n },\n ),\n\n source_id: Field.text({\n label: 'Source ID',\n required: false,\n maxLength: 200,\n description: 'Rule name / team id when source != manual',\n group: 'Provenance',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User that created the grant (manual only)',\n group: 'Provenance',\n }),\n\n reason: Field.text({\n label: 'Reason',\n required: false,\n maxLength: 500,\n description: 'Optional free-text explanation surfaced to the recipient',\n group: 'Provenance',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n // Hot path: \"all records visible to user U on object O\" — the\n // middleware reads (object_name, recipient_type, recipient_id) to\n // build the `id IN (...)` predicate on every find.\n { fields: ['object_name', 'recipient_type', 'recipient_id'] },\n // \"all grants on this record\" — used by the share-management UI\n // and by canEdit() to look up explicit grants.\n { fields: ['object_name', 'record_id'] },\n // Reconciliation key for rule-driven shares.\n { fields: ['source', 'source_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sharing_rule — Declarative record-sharing rule.\n *\n * Salesforce-style criteria-based sharing: \"any record on object O that\n * matches criteria C is granted access level A to recipient R\". Rules\n * are evaluated by `@objectstack/plugin-sharing` and materialise their\n * grants as rows in `sys_record_share` with `source='rule'` and\n * `source_id={rule.id}` so the evaluator can reconcile (delete + re-\n * insert) on rule updates without touching manual grants.\n *\n * Evaluation triggers:\n * - `afterInsert` / `afterUpdate` on the target object (per-record,\n * incremental — the hot path).\n * - REST `POST /sharing/rules/:id/evaluate` (admin-initiated\n * bulk reconcile — used after rule edits).\n *\n * Criteria are stored as JSON (a normal `FilterCondition`) so the\n * existing engine `find()` can do the matching natively. v1 supports\n * simple `{field, op, value}` style filters; CEL predicates are a\n * follow-up.\n *\n * @namespace sys\n */\nexport const SysSharingRule = ObjectSchema.create({\n name: 'sys_sharing_rule',\n label: 'Sharing Rule',\n pluralLabel: 'Sharing Rules',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'config',\n // Sharing rules can now be authored visually via the Studio criteria\n // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).\n // We still recommend `defineSharingRule({...})` for repo-controlled\n // baselines, but admins can safely create/edit/delete from the UI.\n userActions: { create: true, edit: true, delete: true, import: false },\n description: 'Declarative sharing rule that auto-materialises sys_record_share grants. Authored via defineSharingRule() in code or the Studio criteria builder.',\n displayNameField: 'name',\n titleFormat: '{label}',\n compactLayout: ['name', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['object_name', 'label', 'recipient_type', 'access_level', 'active'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_rules: {\n type: 'grid',\n name: 'all_rules',\n label: 'All',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'Rule ID', required: true, readonly: true, group: 'System' }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n group: 'System',\n description: 'Tenant that owns this rule; null = global',\n }),\n\n name: Field.text({\n label: 'Name',\n required: true,\n maxLength: 100,\n description: 'Unique snake_case rule name',\n group: 'Identity',\n }),\n\n label: Field.text({\n label: 'Display Label',\n required: true,\n maxLength: 200,\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name (e.g. opportunity, account)',\n group: 'Target',\n }),\n\n criteria_json: Field.textarea({\n label: 'Criteria (FilterCondition JSON)',\n required: false,\n description: 'JSON FilterCondition matched against records of object_name. Empty = match all.',\n group: 'Target',\n }),\n\n recipient_type: Field.select(\n ['user', 'team', 'department', 'role', 'queue'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'department',\n description: 'Kind of principal that receives access — expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 200,\n description: 'department id / team id / role name / queue name / user id depending on recipient_type',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n group: 'Recipient',\n },\n ),\n\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'Only active rules participate in lifecycle evaluation',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['object_name', 'active'] },\n { fields: ['name'], unique: true },\n { fields: ['organization_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { PermissionSetSchema, type PermissionSet } from '@objectstack/spec/security';\n\n/**\n * Identity tables managed by the better-auth plugin (see\n * `packages/platform-objects/src/identity/`). Mutations to these tables\n * MUST flow through the better-auth API endpoints (sign-up, password\n * reset, organization invite/remove-member, api-key/create, …) rather\n * than the generic CRUD pipeline so that password hashing, token\n * signing, email verification, invitation flows and scope hashing all\n * fire correctly.\n *\n * The default member/viewer permission sets therefore explicitly DENY\n * `allowCreate / allowEdit / allowDelete` on these objects while still\n * permitting reads (subject to the rest of the RLS chain). Admin\n * permission sets keep their `*` wildcard so they can rescue data\n * directly when needed.\n *\n * Each entry mirrors the `managedBy: 'better-auth'` flag declared on\n * the corresponding object schema in `packages/platform-objects/src/identity/`.\n */\nconst BETTER_AUTH_MANAGED_OBJECTS = [\n 'sys_user',\n 'sys_account',\n 'sys_session',\n 'sys_organization',\n 'sys_member',\n 'sys_invitation',\n 'sys_team',\n 'sys_team_member',\n 'sys_api_key',\n 'sys_two_factor',\n 'sys_verification',\n 'sys_jwks',\n 'sys_device_code',\n 'sys_oauth_application',\n 'sys_oauth_access_token',\n 'sys_oauth_refresh_token',\n 'sys_oauth_consent',\n] as const;\n\nconst denyWritesOnManagedObjects = (): Record<string, {\n allowRead: boolean;\n allowCreate: boolean;\n allowEdit: boolean;\n allowDelete: boolean;\n}> => Object.fromEntries(\n BETTER_AUTH_MANAGED_OBJECTS.map((name) => [\n name,\n { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n ]),\n);\n\n/**\n * Default permission sets seeded by the platform.\n *\n * These are referenced by name (`admin_full_access`, `member_default`,\n * `viewer_readonly`) from `sys_role_permission_set` rows or assigned\n * directly to users via `sys_user_permission_set`.\n *\n * The runtime SecurityPlugin reads these via the metadata service when a\n * permission set name appears in the request `ExecutionContext.permissions[]`.\n *\n * Each entry is run through `PermissionSetSchema.parse(...)` so Zod fills\n * in the boolean/`priority`/`enabled` defaults — keeping the literal\n * source readable while still satisfying the strict output type.\n *\n * `objects: { '*': … }` uses the wildcard sentinel honoured by\n * `PermissionEvaluator` — admins do not need an explicit row per object.\n * Per-object entries fully override the wildcard for that object (see\n * `PermissionEvaluator.checkObjectPermission` — lookup, not merge).\n *\n * RLS policies use the canonical `current_user.*` placeholders compiled\n * by `RLSCompiler`. The active organization is exposed under\n * `current_user.organization_id` (sourced from\n * `ExecutionContext.tenantId` at request time) — there is no rewrite\n * step or `tenantField` indirection in SecurityPlugin. Schemas with a\n * different physical tenant column should fork these defaults.\n */\nexport const defaultPermissionSets: PermissionSet[] = [\n PermissionSetSchema.parse({\n name: 'admin_full_access',\n label: 'Administrator — Full Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n },\n systemPermissions: ['manage_users', 'manage_metadata', 'setup.access', 'studio.access'],\n }),\n PermissionSetSchema.parse({\n name: 'member_default',\n label: 'Member — Standard Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n },\n // Identity tables are managed by better-auth — no direct writes.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'owner_only_writes',\n object: '*',\n operation: 'update',\n using: 'owner_id = current_user.id',\n },\n {\n name: 'owner_only_deletes',\n object: '*',\n operation: 'delete',\n using: 'owner_id = current_user.id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be left unprotected by the wildcard rule above. ────\n //\n // The security plugin's RLS injector treats wildcard policies that\n // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a\n // per-object policy contributes an alternate match. Each `*_self`\n // policy below restores per-user visibility on a better-auth table\n // that has `user_id` but no `organization_id`. Tables without\n // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)\n // stay DENY for non-admins by design — only platform admins (via\n // `admin_full_access`, which has no RLS) should inspect them.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators: members can see other users in the same\n // organization. Without this, owner/assignee lookups, @-mention\n // suggestions, reviewer pickers and team-roster surfaces all\n // collapse to just the current user. `org_user_ids` is\n // pre-resolved by runtime/resolve-execution-context from\n // `sys_member` for the active organization. Sensitive credential\n // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep\n // their stricter self-only carve-outs above.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'viewer_readonly',\n label: 'Viewer — Read-Only',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: false,\n allowEdit: false,\n allowDelete: false,\n },\n // Belt-and-suspenders: explicit deny on managed objects even though\n // the wildcard already denies — keeps the policy readable when\n // future relaxations might widen the wildcard.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'select',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators (read-only): see `sys_user_org_members` in\n // `member_default` for rationale.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n];\n"]}
1
+ {"version":3,"sources":["../../src/security/sys-role.object.ts","../../src/security/sys-permission-set.object.ts","../../src/security/sys-user-permission-set.object.ts","../../src/security/sys-role-permission-set.object.ts","../../src/security/sys-record-share.object.ts","../../src/security/sys-sharing-rule.object.ts","../../src/security/sys-share-link.object.ts","../../src/security/default-permission-sets.ts"],"names":["ObjectSchema","Field"],"mappings":";;;;AAYO,IAAM,OAAA,GAAU,aAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,0CAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASvD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,gBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,6HAAA;AAAA,MACb,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,kBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,UAAA,EAAY,IAAA,EAAK;AAAA,MAC9B,WAAA,EAAa,0EAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,uBAAA;AAAA,MACR,SAAA,EAAW,EAAE,UAAA,EAAY,KAAA,EAAO,QAAQ,IAAA,EAAK;AAAA,MAC7C,cAAA,EAAgB,aAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA;AAAK;AAC/C;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACrD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,QAAQ,CAAA;AAAA,MAClD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAO,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAa,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAa,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQ,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,cAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa,qCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAI,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACtNM,IAAM,gBAAA,GAAmBA,aAAa,MAAA,CAAO;AAAA,EAClD,IAAA,EAAM,oBAAA;AAAA,EACN,KAAA,EAAO,gBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,4DAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzC,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,0BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,iHAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,KAAA,EAAO,OAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,iCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,oBAAA,EAAsB,cAAA,EAAgB,IAAA,EAAK;AAAA,QACpD,EAAE,KAAA,EAAO,mBAAA,EAAqB,cAAA,EAAgB,IAAA;AAAK;AACrD;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,YAAY,CAAA;AAAA,MACtD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,kBAAA,EAAoBA,MAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,iBAAA,EAAmBA,MAAM,QAAA,CAAS;AAAA,MAChC,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,MAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yGAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,MAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,4EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,QAAA,CAAS;AAAA,MAC9B,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzMM,IAAM,oBAAA,GAAuBD,aAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,yFAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAA,EAAqB,iBAAiB,CAAA;AAAA,EAEjE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,KAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAA,EAAW,qBAAqB,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC5E,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC3EM,IAAM,oBAAA,GAAuBD,aAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,aAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,mCAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAmB,CAAA;AAAA,EAE9C,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,KAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,mBAAmB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzCM,IAAM,cAAA,GAAiBD,aAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,kEAAA;AAAA,EACb,WAAA,EAAa,kEAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,WAAA,EAAa,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEpF,SAAA,EAAW;AAAA,IACT,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,gBAAA,EAAkB,QAAA,EAAU,QAAA,EAAU,OAAO,MAAA,EAAO;AAAA,QAC7D,EAAE,KAAA,EAAO,cAAA,EAAgB,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OAC1E;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACxE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,gBAAgB,cAAA,EAAgB,YAAA,EAAc,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,aAAa,YAAY,CAAA;AAAA,MAC/F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,WAAW,GAAG,CAAA;AAAA,MAClF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC9G,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAgBA,KAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,yBAAyB,OAAO,CAAA;AAAA,MAC1D;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,wCAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,KAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6EAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,QAAQA,KAAAA,CAAM,MAAA;AAAA,MACZ,CAAC,QAAA,EAAU,MAAA,EAAQ,MAAA,EAAQ,WAAW,CAAA;AAAA,MACtC;AAAA,QACE,KAAA,EAAO,QAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,sEAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA,IAIP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,gBAAA,EAAkB,cAAc,CAAA,EAAE;AAAA;AAAA;AAAA,IAG5D,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,QAAA,EAAU,WAAW,CAAA;AAAE;AAEtC,CAAC;ACzMM,IAAM,cAAA,GAAiBD,aAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,WAAA,EAAa,EAAE,MAAA,EAAQ,IAAA,EAAM,MAAM,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAM;AAAA,EACrE,WAAA,EAAa,mJAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,eAAe,CAAC,MAAA,EAAQ,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEjG,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,YAAY,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,aAAA,EAAe,gBAAA,EAAkB,gBAAgB,YAAY,CAAA;AAAA,MAChF,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAA,EAAkB,gBAAgB,QAAQ,CAAA;AAAA,MAC5E,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,OAAA,EAAS,aAAA,EAAe,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,KAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAEpF,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,6BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,iCAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAgBA,KAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,MAAA,EAAQ,YAAA,EAAc,QAAQ,OAAO,CAAA;AAAA,MAC9C;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,2KAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,MAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,KAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,MAAA,EAAQA,MAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,QAAQ,CAAA,EAAE;AAAA,IACpC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA;AAAE;AAElC,CAAC;ACnJM,IAAM,YAAA,GAAeD,aAAa,MAAA,CAAO;AAAA,EAC9C,IAAA,EAAM,gBAAA;AAAA,EACN,KAAA,EAAO,YAAA;AAAA,EACP,WAAA,EAAa,aAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,qGAAA;AAAA,EACb,WAAA,EAAa,0CAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,aAAa,YAAA,EAAc,UAAA,EAAY,cAAc,YAAY,CAAA;AAAA,EAEhG,SAAA,EAAW;AAAA,IACT,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,UAAA,EAAY,YAAA,EAAc,aAAa,cAAc,CAAA;AAAA,MACzG,QAAQ,CAAC,EAAE,OAAO,YAAA,EAAc,QAAA,EAAU,UAAU,CAAA;AAAA,MACpD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,aAAA,EAAe,aAAa,YAAA,EAAc,UAAA,EAAY,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAChF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,YAAY,CAAA;AAAA,MAChE,QAAQ,CAAC,EAAE,OAAO,YAAA,EAAc,QAAA,EAAU,aAAa,CAAA;AAAA,MACvD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,UAAA,EAAY,YAAA,EAAc,cAAc,YAAY,CAAA;AAAA,MACxG,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,8EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,mFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,YAAYA,KAAAA,CAAM,MAAA;AAAA,MAChB;AAAA,QACE,EAAE,KAAA,EAAO,MAAA,EAAW,KAAA,EAAO,MAAA,EAAO;AAAA,QAClC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,SAAA,EAAU;AAAA,QACrC,EAAE,KAAA,EAAO,MAAA,EAAW,KAAA,EAAO,MAAA;AAAO,OACpC;AAAA,MACA;AAAA,QACE,KAAA,EAAO,YAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6CAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAUA,KAAAA,CAAM,MAAA;AAAA,MACd;AAAA,QACE,EAAE,KAAA,EAAO,oBAAA,EAAsB,KAAA,EAAO,QAAA,EAAS;AAAA,QAC/C,EAAE,KAAA,EAAO,sBAAA,EAAwB,KAAA,EAAO,WAAA,EAAY;AAAA,QACpD,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,WAAA,EAAY;AAAA,QAC/C,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,OAAA;AAAQ,OAC7C;AAAA,MACA;AAAA,QACE,KAAA,EAAO,UAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,WAAA;AAAA,QACd,WAAA,EAAa,gDAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,MAAM,IAAA,CAAK;AAAA,MAC1B,KAAA,EAAO,iBAAA;AAAA,MACP,WAAA,EAAa,kDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,MAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,qBAAA;AAAA,MACP,WAAA,EAAa,2EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,oBAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,MAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,0EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,MAAM,MAAA,CAAO;AAAA,MACtB,KAAA,EAAO,WAAA;AAAA,MACP,YAAA,EAAc,CAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA,IAEP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA;AAAA,IAElC,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,YAAA,EAAc,YAAY,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA,IAGZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK,KAAA;AAAA,IACL,KAAA,EAAO;AAAA;AAEX,CAAC;ACxOD,IAAM,2BAAA,GAA8B;AAAA,EAClC,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,0BAAA,GAA6B,MAK7B,MAAA,CAAO,WAAA;AAAA,EACX,2BAAA,CAA4B,GAAA,CAAI,CAAC,IAAA,KAAS;AAAA,IACxC,IAAA;AAAA,IACA,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,OAAO,SAAA,EAAW,KAAA,EAAO,aAAa,KAAA;AAAM,GAC7E;AACH,CAAA;AA4BO,IAAM,qBAAA,GAAyC;AAAA,EACpD,oBAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,mBAAA;AAAA,IACN,KAAA,EAAO,kCAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA;AACpB,KACF;AAAA,IACA,iBAAA,EAAmB;AAAA,MACjB,cAAA;AAAA,MACA,iBAAA;AAAA,MACA,0BAAA;AAAA,MACA,cAAA;AAAA,MACA;AAAA;AACF,GACD,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BD,oBAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,oBAAA;AAAA,IACN,KAAA,EAAO,4BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA,OACpB;AAAA;AAAA;AAAA,MAGA,GAAG,0BAAA,EAA2B;AAAA;AAAA,MAE9B,QAAA,EAAU,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACtF,kBAAA,EAAoB,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MAChG,uBAAA,EAAyB,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACrG,uBAAA,EAAyB,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACrG,aAAA,EAAe,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA;AAAM,KAC7F;AAAA,IACA,iBAAA,EAAmB,CAAC,kBAAA,EAAoB,cAAc,CAAA;AAAA,IACtD,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAKA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA,MAIA;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,MAAA,EAAQ,YAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,cAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACD,oBAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,gBAAA;AAAA,IACN,KAAA,EAAO,+BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA,MAEA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,mBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACD,oBAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,iBAAA;AAAA,IACN,KAAA,EAAO,yBAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,KAAA;AAAA,QACb,SAAA,EAAW,KAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA;AAAA;AAAA,MAIA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA,MAGA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD;AACH","file":"index.mjs","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role — System Role Object\n *\n * RBAC role definition for the ObjectStack platform.\n * Roles group permissions and are assigned to users or members.\n *\n * @namespace sys\n */\nexport const SysRole = ObjectSchema.create({\n name: 'sys_role',\n label: 'Role',\n pluralLabel: 'Roles',\n icon: 'shield',\n isSystem: true,\n managedBy: 'config',\n description: 'Role definitions for RBAC access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active', 'is_default'],\n\n // Custom actions — system roles drive RBAC and are edited rarely but\n // require the four high-frequency sysadmin affordances every IdP\n // (Salesforce, ServiceNow, Okta) ships: activate/deactivate (lifecycle\n // without losing assignments), mark default (auto-assign to new users),\n // and clone (template for new roles). All operations hit the generic\n // data CRUD endpoint exposed by `apiEnabled` — no custom server route\n // required because `managedBy: 'config'` allows direct mutation.\n actions: [\n {\n name: 'activate_role',\n label: 'Activate Role',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: true },\n successMessage: 'Role activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_role',\n label: 'Deactivate Role',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this role? Users with the role keep their assignment but the role stops granting permissions until re-activated.',\n successMessage: 'Role deactivated',\n refreshAfter: true,\n },\n {\n name: 'set_default_role',\n label: 'Set as Default',\n icon: 'star',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { is_default: true },\n confirmText: 'Make this the default role for new users? Existing users are unaffected.',\n successMessage: 'Default role updated',\n refreshAfter: true,\n },\n {\n // Clone — POST a new sys_role row pre-filled from the source. The\n // dialog asks only for the new API name / label so the operator\n // can rename atomically; permissions JSON is copied wholesale via\n // defaultFromRow.\n name: 'clone_role',\n label: 'Clone Role',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_role',\n bodyExtra: { is_default: false, active: true },\n successMessage: 'Role cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'is_default', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n default_roles: {\n type: 'grid',\n name: 'default_roles',\n label: 'Default',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'description', 'active'],\n filter: [{ field: 'is_default', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n custom: {\n type: 'grid',\n name: 'custom',\n label: 'Custom',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'updated_at'],\n filter: [{ field: 'is_default', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_roles: {\n type: 'grid',\n name: 'all_roles',\n label: 'All',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'is_default', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the role (e.g. admin, editor, viewer)',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n permissions: Field.textarea({\n label: 'Permissions',\n required: false,\n description: 'JSON-serialized array of permission strings',\n group: 'Configuration',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n is_default: Field.boolean({\n label: 'Default Role',\n defaultValue: false,\n description: 'Automatically assigned to new users',\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Role ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_permission_set — System Permission Set Object\n *\n * Named groupings of fine-grained permissions.\n * Permission sets can be assigned to roles or directly to users\n * for granular access control.\n *\n * @namespace sys\n */\nexport const SysPermissionSet = ObjectSchema.create({\n name: 'sys_permission_set',\n label: 'Permission Set',\n pluralLabel: 'Permission Sets',\n icon: 'lock',\n isSystem: true,\n managedBy: 'config',\n description: 'Named permission groupings for fine-grained access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active'],\n\n // Custom actions — permission sets are templates assigned to roles or\n // users (via sys_role_permission_set / sys_user_permission_set). The\n // sysadmin operations that don't live on the parent-detail tabs are\n // lifecycle (activate/deactivate without losing assignments) and\n // clone (build a new permset by tweaking an existing one). Both hit\n // the generic data CRUD endpoint — managedBy: 'config' permits it.\n actions: [\n {\n name: 'activate_permission_set',\n label: 'Activate',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: true },\n successMessage: 'Permission set activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_permission_set',\n label: 'Deactivate',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this permission set? Existing assignments stay in place but stop granting access until re-activated.',\n successMessage: 'Permission set deactivated',\n refreshAfter: true,\n },\n {\n name: 'clone_permission_set',\n label: 'Clone',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_permission_set',\n bodyExtra: { active: true },\n successMessage: 'Permission set cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'object_permissions', defaultFromRow: true },\n { field: 'field_permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'description', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_permsets: {\n type: 'grid',\n name: 'all_permsets',\n label: 'All',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the permission set',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Permissions ──────────────────────────────────────────────\n object_permissions: Field.textarea({\n label: 'Object Permissions',\n required: false,\n description: 'JSON-serialized object-level CRUD permissions',\n group: 'Permissions',\n }),\n\n field_permissions: Field.textarea({\n label: 'Field Permissions',\n required: false,\n description: 'JSON-serialized field-level read/write permissions',\n group: 'Permissions',\n }),\n\n system_permissions: Field.textarea({\n label: 'System Permissions',\n required: false,\n description: 'JSON-serialized array of system capability names (e.g. [\"setup.access\",\"studio.access\",\"manage_users\"])',\n group: 'Permissions',\n }),\n\n row_level_security: Field.textarea({\n label: 'Row-Level Security',\n required: false,\n description: 'JSON-serialized array of row-level security policies (USING/CHECK clauses)',\n group: 'Permissions',\n }),\n\n tab_permissions: Field.textarea({\n label: 'Tab Permissions',\n required: false,\n description: 'JSON-serialized map of app tab visibility (visible | hidden | default_on | default_off)',\n group: 'Permissions',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Permission Set ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_permission_set — User ↔ PermissionSet assignment.\n *\n * Salesforce-style additive permission grant: a user may be assigned any\n * number of `sys_permission_set` rows, optionally scoped to a specific\n * organization. The runtime resolver (`resolveExecutionContext` in\n * `@objectstack/runtime`) reads this table when building the per-request\n * `ExecutionContext.permissions[]`.\n *\n * Uniqueness is `(user_id, permission_set_id, organization_id)` so the\n * same permission set can be granted independently in each org context\n * the user belongs to.\n *\n * @namespace sys\n */\nexport const SysUserPermissionSet = ObjectSchema.create({\n name: 'sys_user_permission_set',\n label: 'User Permission Set',\n pluralLabel: 'User Permission Sets',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'system',\n description: 'Direct assignment of a permission set to a user (optionally scoped to an organization).',\n titleFormat: '{user_id} → {permission_set_id}',\n compactLayout: ['user_id', 'permission_set_id', 'organization_id'],\n\n fields: {\n id: Field.text({\n label: 'Assignment ID',\n required: true,\n readonly: true,\n description: 'UUID of the assignment.',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Optional organization scope. NULL = applies in every org context.',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User who granted this permission set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'permission_set_id', 'organization_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['organization_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role_permission_set — Role ↔ PermissionSet binding.\n *\n * Allows administrators to compose a `sys_role` from one or more\n * `sys_permission_set` rows. At request time, the runtime resolver\n * (`resolveExecutionContext`) collects every permission set bound to\n * the user's roles via this table and injects their names into\n * `ExecutionContext.permissions[]` for downstream RBAC evaluation.\n *\n * @namespace sys\n */\nexport const SysRolePermissionSet = ObjectSchema.create({\n name: 'sys_role_permission_set',\n label: 'Role Permission Set',\n pluralLabel: 'Role Permission Sets',\n icon: 'shield-plus',\n isSystem: true,\n managedBy: 'system',\n description: 'Binds a permission set to a role.',\n titleFormat: '{role_id} → {permission_set_id}',\n compactLayout: ['role_id', 'permission_set_id'],\n\n fields: {\n id: Field.text({\n label: 'Binding ID',\n required: true,\n readonly: true,\n description: 'UUID of the role-permission-set binding.',\n }),\n\n role_id: Field.lookup('sys_role', {\n label: 'Role',\n required: true,\n description: 'Foreign key to sys_role.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['role_id', 'permission_set_id'], unique: true },\n { fields: ['role_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_record_share — Per-Record Sharing Grant\n *\n * Bridges the ownership-only baseline established by `object.sharingModel`\n * with the real-world need to delegate access to a single record. Each\n * row says: \"principal P has access level L on (object O, record R),\n * because of source S (manual grant or rule).\"\n *\n * Enforcement lives in `@objectstack/plugin-sharing`:\n * - For objects with `sharingModel: 'private'`, the engine middleware\n * AND-s `{$or:[{owner_id:userId},{id:{$in:[grantedRecordIds]}}]}`\n * into every `find` against that object.\n * - For objects with `sharingModel: 'private' | 'read'`, the same\n * middleware enforces edit/delete by checking ownership OR a share\n * row with `access_level in ('edit','full')`.\n *\n * Conventions:\n * - `object_name` is the short object name (e.g. `account`, `lead`).\n * - `recipient_type` mirrors `ShareRecipientType` from the spec\n * (`user` is enforced today; `group`/`role` are persisted for\n * forward-compatibility).\n * - `source = 'manual'` rows are created by a user via the REST\n * `POST /data/:object/:id/shares` endpoint. `source = 'rule'` rows\n * are materialised by the sharing-rule evaluator (future); the\n * `source_id` lets the evaluator reconcile stale grants.\n *\n * @namespace sys\n */\nexport const SysRecordShare = ObjectSchema.create({\n name: 'sys_record_share',\n label: 'Record Share',\n pluralLabel: 'Record Shares',\n icon: 'share',\n isSystem: true,\n managedBy: 'system',\n description: 'Per-record sharing grant — extends OWD with explicit access',\n titleFormat: '{object_name}/{record_id} → {recipient_id} ({access_level})',\n compactLayout: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source'],\n\n listViews: {\n granted_to_me: {\n type: 'grid',\n name: 'granted_to_me',\n label: 'Granted to Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'access_level', 'source', 'granted_by', 'created_at'],\n filter: [\n { field: 'recipient_type', operator: 'equals', value: 'user' },\n { field: 'recipient_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n granted_by_me: {\n type: 'grid',\n name: 'granted_by_me',\n label: 'Granted by Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n filter: [\n { field: 'granted_by', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n manual_grants: {\n type: 'grid',\n name: 'manual_grants',\n label: 'Manual Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'granted_by', 'reason', 'created_at'],\n filter: [{ field: 'source', operator: 'equals', value: 'manual' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n rule_grants: {\n type: 'grid',\n name: 'rule_grants',\n label: 'Rule Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source_id', 'created_at'],\n filter: [{ field: 'source', operator: 'in', value: ['rule', 'team', 'inherited'] }],\n sort: [{ field: 'source_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_shares: {\n type: 'grid',\n name: 'all_shares',\n label: 'All',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_type', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Share ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Target (which record is being shared) ────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Recipient (who receives access) ──────────────────────────\n recipient_type: Field.select(\n ['user', 'group', 'role', 'role_and_subordinates', 'guest'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'user',\n description: 'Kind of principal that holds the grant',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 100,\n description: 'ID of the user/group/role that receives access',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n description: 'What the recipient can do — read | edit | full (transfer/share/delete)',\n group: 'Recipient',\n },\n ),\n\n // ── Provenance ───────────────────────────────────────────────\n source: Field.select(\n ['manual', 'rule', 'team', 'inherited'],\n {\n label: 'Source',\n required: true,\n defaultValue: 'manual',\n description: 'Why this grant exists — used by the rule evaluator to reconcile',\n group: 'Provenance',\n },\n ),\n\n source_id: Field.text({\n label: 'Source ID',\n required: false,\n maxLength: 200,\n description: 'Rule name / team id when source != manual',\n group: 'Provenance',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User that created the grant (manual only)',\n group: 'Provenance',\n }),\n\n reason: Field.text({\n label: 'Reason',\n required: false,\n maxLength: 500,\n description: 'Optional free-text explanation surfaced to the recipient',\n group: 'Provenance',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n // Hot path: \"all records visible to user U on object O\" — the\n // middleware reads (object_name, recipient_type, recipient_id) to\n // build the `id IN (...)` predicate on every find.\n { fields: ['object_name', 'recipient_type', 'recipient_id'] },\n // \"all grants on this record\" — used by the share-management UI\n // and by canEdit() to look up explicit grants.\n { fields: ['object_name', 'record_id'] },\n // Reconciliation key for rule-driven shares.\n { fields: ['source', 'source_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sharing_rule — Declarative record-sharing rule.\n *\n * Salesforce-style criteria-based sharing: \"any record on object O that\n * matches criteria C is granted access level A to recipient R\". Rules\n * are evaluated by `@objectstack/plugin-sharing` and materialise their\n * grants as rows in `sys_record_share` with `source='rule'` and\n * `source_id={rule.id}` so the evaluator can reconcile (delete + re-\n * insert) on rule updates without touching manual grants.\n *\n * Evaluation triggers:\n * - `afterInsert` / `afterUpdate` on the target object (per-record,\n * incremental — the hot path).\n * - REST `POST /sharing/rules/:id/evaluate` (admin-initiated\n * bulk reconcile — used after rule edits).\n *\n * Criteria are stored as JSON (a normal `FilterCondition`) so the\n * existing engine `find()` can do the matching natively. v1 supports\n * simple `{field, op, value}` style filters; CEL predicates are a\n * follow-up.\n *\n * @namespace sys\n */\nexport const SysSharingRule = ObjectSchema.create({\n name: 'sys_sharing_rule',\n label: 'Sharing Rule',\n pluralLabel: 'Sharing Rules',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'config',\n // Sharing rules can now be authored visually via the Studio criteria\n // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).\n // We still recommend `defineSharingRule({...})` for repo-controlled\n // baselines, but admins can safely create/edit/delete from the UI.\n userActions: { create: true, edit: true, delete: true, import: false },\n description: 'Declarative sharing rule that auto-materialises sys_record_share grants. Authored via defineSharingRule() in code or the Studio criteria builder.',\n displayNameField: 'name',\n titleFormat: '{label}',\n compactLayout: ['name', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['object_name', 'label', 'recipient_type', 'access_level', 'active'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_rules: {\n type: 'grid',\n name: 'all_rules',\n label: 'All',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'Rule ID', required: true, readonly: true, group: 'System' }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n group: 'System',\n description: 'Tenant that owns this rule; null = global',\n }),\n\n name: Field.text({\n label: 'Name',\n required: true,\n maxLength: 100,\n description: 'Unique snake_case rule name',\n group: 'Identity',\n }),\n\n label: Field.text({\n label: 'Display Label',\n required: true,\n maxLength: 200,\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name (e.g. opportunity, account)',\n group: 'Target',\n }),\n\n criteria_json: Field.textarea({\n label: 'Criteria (FilterCondition JSON)',\n required: false,\n description: 'JSON FilterCondition matched against records of object_name. Empty = match all.',\n group: 'Target',\n }),\n\n recipient_type: Field.select(\n ['user', 'team', 'department', 'role', 'queue'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'department',\n description: 'Kind of principal that receives access — expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 200,\n description: 'department id / team id / role name / queue name / user id depending on recipient_type',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n group: 'Recipient',\n },\n ),\n\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'Only active rules participate in lifecycle evaluation',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['object_name', 'active'] },\n { fields: ['name'], unique: true },\n { fields: ['organization_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_share_link — Capability-Token Public Share Links\n *\n * Each row authorises read (or write) access to ONE record of ONE\n * object via an opaque URL-safe token. Complements `sys_record_share`,\n * which models principal-based grants (share with a specific user /\n * team / role). A single record may have rows in both tables; the\n * union determines effective access.\n *\n * Lifecycle:\n *\n * 1. `IShareLinkService.createLink` validates the request against the\n * target object's `publicSharing` whitelist and inserts a row.\n * Token is a 24-char URL-safe random string.\n *\n * 2. `IShareLinkService.resolveToken` (called from the public\n * `/api/v1/share-links/:token` middleware on every request)\n * verifies the row is not revoked / not expired, applies audience\n * / password gates, increments `use_count` + `last_used_at`, and\n * returns the effective redaction set.\n *\n * 3. `IShareLinkService.revokeLink` stamps `revoked_at`. Rows are\n * preserved for audit; resolveToken returns null after revocation.\n *\n * Conventions:\n * - `object_name` is the short object name (`account`, `ai_conversation`, …)\n * - `record_id` is the primary key of the target record within object_name\n * - `audience` mirrors `ShareLinkAudience` in spec/contracts; the\n * middleware enforces additional gating per audience\n * - `redact_fields` overlays on top of the schema-default redaction\n * set declared on `object.publicSharing.redactFields`\n *\n * managedBy: 'system' — admins inspect via the audit grid but all\n * writes flow through `IShareLinkService` so the per-object opt-in,\n * expiry caps, and audit hooks fire.\n *\n * @namespace sys\n */\nexport const SysShareLink = ObjectSchema.create({\n name: 'sys_share_link',\n label: 'Share Link',\n pluralLabel: 'Share Links',\n icon: 'link-2',\n isSystem: true,\n managedBy: 'system',\n description: 'Opaque capability token granting access to a single record. Notion/Figma-style public link sharing.',\n titleFormat: '{object_name}/{record_id} ({permission})',\n compactLayout: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at'],\n\n listViews: {\n active_links: {\n type: 'grid',\n name: 'active_links',\n label: 'Active',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'use_count', 'last_used_at'],\n filter: [{ field: 'revoked_at', operator: 'isNull' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n by_me: {\n type: 'grid',\n name: 'by_me',\n label: 'Created by Me',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at'],\n filter: [{ field: 'created_by', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n revoked: {\n type: 'grid',\n name: 'revoked',\n label: 'Revoked',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'revoked_at', 'created_by'],\n filter: [{ field: 'revoked_at', operator: 'isNotNull' }],\n sort: [{ field: 'revoked_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_links: {\n type: 'grid',\n name: 'all_links',\n label: 'All',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 200 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Link ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Token (the secret) ───────────────────────────────────────\n token: Field.text({\n label: 'Token',\n required: true,\n maxLength: 64,\n description: 'Opaque URL-safe random token (≥ 22 chars). The only secret in this row.',\n group: 'Token',\n }),\n\n // ── Target ───────────────────────────────────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record (e.g. ai_conversation, contracts_contract)',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Access Policy ────────────────────────────────────────────\n permission: Field.select(\n [\n { label: 'View', value: 'view' },\n { label: 'Comment', value: 'comment' },\n { label: 'Edit', value: 'edit' },\n ],\n {\n label: 'Permission',\n required: true,\n defaultValue: 'view',\n description: 'What the link holder can do with the record',\n group: 'Access Policy',\n },\n ),\n\n audience: Field.select(\n [\n { label: 'Public (indexable)', value: 'public' },\n { label: 'Anyone with the link', value: 'link_only' },\n { label: 'Signed-in users', value: 'signed_in' },\n { label: 'Specific emails', value: 'email' },\n ],\n {\n label: 'Audience',\n required: true,\n defaultValue: 'link_only',\n description: 'Gating layer applied on top of the token check',\n group: 'Access Policy',\n },\n ),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n description: 'When set, resolveToken returns null after this timestamp',\n group: 'Access Policy',\n }),\n\n email_allowlist: Field.json({\n label: 'Email Allowlist',\n description: 'Lowercased addresses checked when audience=email',\n group: 'Access Policy',\n }),\n\n password_hash: Field.text({\n label: 'Password Hash',\n maxLength: 256,\n description: 'Argon2/bcrypt hash. When set, the UI prompts for a password before rendering.',\n group: 'Access Policy',\n }),\n\n redact_fields: Field.json({\n label: 'Per-Link Redactions',\n description: 'Extra fields stripped from the response, on top of the object-default set',\n group: 'Access Policy',\n }),\n\n label: Field.text({\n label: 'Label',\n maxLength: 200,\n description: 'Free-text shown in the share dialog (e.g. \"ACME Q3 contract\")',\n group: 'Metadata',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n revoked_at: Field.datetime({\n label: 'Revoked At',\n readonly: true,\n description: 'When set, the link is permanently disabled',\n group: 'Lifecycle',\n }),\n\n created_by: Field.lookup('sys_user', {\n label: 'Created By',\n readonly: true,\n description: 'Issuer of the link',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'Lifecycle',\n }),\n\n last_used_at: Field.datetime({\n label: 'Last Used At',\n readonly: true,\n description: 'Stamped by resolveToken; used by the dashboard to highlight active links',\n group: 'Lifecycle',\n }),\n\n use_count: Field.number({\n label: 'Use Count',\n defaultValue: 0,\n readonly: true,\n description: 'Incremented by resolveToken on every successful resolution',\n group: 'Lifecycle',\n }),\n },\n\n indexes: [\n // Hot path: resolveToken — one row lookup per public request.\n { fields: ['token'], unique: true },\n // Management UI: \"all links for this record\".\n { fields: ['object_name', 'record_id'] },\n // \"Active links I issued\".\n { fields: ['created_by', 'revoked_at'] },\n // Reaper for expired rows (background sweep).\n { fields: ['expires_at'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n // The /api/v1/share-links endpoints are the authoritative surface;\n // the generic data API is exposed read-only for the admin grid.\n apiMethods: ['get', 'list'],\n trash: false,\n mru: false,\n clone: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { PermissionSetSchema, type PermissionSet } from '@objectstack/spec/security';\n\n/**\n * Identity tables managed by the better-auth plugin (see\n * `packages/platform-objects/src/identity/`). Mutations to these tables\n * MUST flow through the better-auth API endpoints (sign-up, password\n * reset, organization invite/remove-member, api-key/create, …) rather\n * than the generic CRUD pipeline so that password hashing, token\n * signing, email verification, invitation flows and scope hashing all\n * fire correctly.\n *\n * The default member/viewer permission sets therefore explicitly DENY\n * `allowCreate / allowEdit / allowDelete` on these objects while still\n * permitting reads (subject to the rest of the RLS chain). Admin\n * permission sets keep their `*` wildcard so they can rescue data\n * directly when needed.\n *\n * Each entry mirrors the `managedBy: 'better-auth'` flag declared on\n * the corresponding object schema in `packages/platform-objects/src/identity/`.\n */\nconst BETTER_AUTH_MANAGED_OBJECTS = [\n 'sys_user',\n 'sys_account',\n 'sys_session',\n 'sys_organization',\n 'sys_member',\n 'sys_invitation',\n 'sys_team',\n 'sys_team_member',\n 'sys_api_key',\n 'sys_two_factor',\n 'sys_verification',\n 'sys_jwks',\n 'sys_device_code',\n 'sys_oauth_application',\n 'sys_oauth_access_token',\n 'sys_oauth_refresh_token',\n 'sys_oauth_consent',\n] as const;\n\nconst denyWritesOnManagedObjects = (): Record<string, {\n allowRead: boolean;\n allowCreate: boolean;\n allowEdit: boolean;\n allowDelete: boolean;\n}> => Object.fromEntries(\n BETTER_AUTH_MANAGED_OBJECTS.map((name) => [\n name,\n { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n ]),\n);\n\n/**\n * Default permission sets seeded by the platform.\n *\n * These are referenced by name (`admin_full_access`, `member_default`,\n * `viewer_readonly`) from `sys_role_permission_set` rows or assigned\n * directly to users via `sys_user_permission_set`.\n *\n * The runtime SecurityPlugin reads these via the metadata service when a\n * permission set name appears in the request `ExecutionContext.permissions[]`.\n *\n * Each entry is run through `PermissionSetSchema.parse(...)` so Zod fills\n * in the boolean/`priority`/`enabled` defaults — keeping the literal\n * source readable while still satisfying the strict output type.\n *\n * `objects: { '*': … }` uses the wildcard sentinel honoured by\n * `PermissionEvaluator` — admins do not need an explicit row per object.\n * Per-object entries fully override the wildcard for that object (see\n * `PermissionEvaluator.checkObjectPermission` — lookup, not merge).\n *\n * RLS policies use the canonical `current_user.*` placeholders compiled\n * by `RLSCompiler`. The active organization is exposed under\n * `current_user.organization_id` (sourced from\n * `ExecutionContext.tenantId` at request time) — there is no rewrite\n * step or `tenantField` indirection in SecurityPlugin. Schemas with a\n * different physical tenant column should fork these defaults.\n */\nexport const defaultPermissionSets: PermissionSet[] = [\n PermissionSetSchema.parse({\n name: 'admin_full_access',\n label: 'Administrator — Full Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n },\n systemPermissions: [\n 'manage_users',\n 'manage_metadata',\n 'manage_platform_settings',\n 'setup.access',\n 'studio.access',\n ],\n }),\n // ── Organization Administrator ──────────────────────────────────────\n //\n // Third tier between platform admin (`admin_full_access`) and rank-and-file\n // member. Lives at the *organization* scope: full CRUD on business\n // objects within their org (governed by `tenant_isolation` RLS), plus\n // `setup.access` so the Setup app shell is reachable.\n //\n // **Deliberately withheld** vs `admin_full_access`:\n // - `studio.access` — schema-design surfaces are platform-level (a\n // tenant cannot mutate the shared metadata) and Studio is hidden.\n // - `manage_metadata` — same reasoning.\n // - `manage_platform_settings` — global settings manifests\n // (mail / storage / AI / knowledge) and platform-only Setup pages\n // (sharing rules, audit logs, OAuth apps, JWKS, …) require this\n // and are hidden / 403'd for org admins. Tenant-scoped manifests\n // (`branding`, `feature_flags`) keep using `setup.access` so org\n // admins CAN configure their own org's branding.\n //\n // **Anti-escalation**: writes to the global RBAC tables\n // (`sys_role`, `sys_permission_set`, `sys_role_permission_set`,\n // `sys_user_permission_set`, `sys_user_role`) are denied. Allowing\n // them would let an org admin bind `admin_full_access` (which has no\n // RLS) to themselves and break out of tenant isolation. Reads are\n // permitted so the Roles / Permission Sets nav entries still render.\n //\n // Auto-granted to every `sys_member` whose role contains `owner` or\n // `admin` by `plugin-security/src/auto-org-admin-grant.ts`.\n PermissionSetSchema.parse({\n name: 'organization_admin',\n label: 'Organization Administrator',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n // Identity tables — go through better-auth endpoints (invite,\n // accept, remove-member, transfer, …) rather than raw CRUD.\n ...denyWritesOnManagedObjects(),\n // RBAC tables — read-only to prevent privilege escalation.\n sys_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_role_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_user_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_user_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n },\n systemPermissions: ['manage_org_users', 'setup.access'],\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be denied by the wildcard policy. Same self-only\n // carve-outs as `member_default` — an org admin does not get to\n // inspect cross-tenant identity rows.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n // Org-scoped visibility for organization-owned identity-adjacent\n // tables. Org admins may inspect their own org's invitations and\n // memberships (read; writes still flow through better-auth).\n {\n name: 'sys_member_org',\n object: 'sys_member',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_invitation_org',\n object: 'sys_invitation',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_team_org',\n object: 'sys_team',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'member_default',\n label: 'Member — Standard Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n },\n // Identity tables are managed by better-auth — no direct writes.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'owner_only_writes',\n object: '*',\n operation: 'update',\n using: 'owner_id = current_user.id',\n },\n {\n name: 'owner_only_deletes',\n object: '*',\n operation: 'delete',\n using: 'owner_id = current_user.id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be left unprotected by the wildcard rule above. ────\n //\n // The security plugin's RLS injector treats wildcard policies that\n // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a\n // per-object policy contributes an alternate match. Each `*_self`\n // policy below restores per-user visibility on a better-auth table\n // that has `user_id` but no `organization_id`. Tables without\n // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)\n // stay DENY for non-admins by design — only platform admins (via\n // `admin_full_access`, which has no RLS) should inspect them.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators: members can see other users in the same\n // organization. Without this, owner/assignee lookups, @-mention\n // suggestions, reviewer pickers and team-roster surfaces all\n // collapse to just the current user. `org_user_ids` is\n // pre-resolved by runtime/resolve-execution-context from\n // `sys_member` for the active organization. Sensitive credential\n // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep\n // their stricter self-only carve-outs above.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'viewer_readonly',\n label: 'Viewer — Read-Only',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: false,\n allowEdit: false,\n allowDelete: false,\n },\n // Belt-and-suspenders: explicit deny on managed objects even though\n // the wildcard already denies — keeps the policy readable when\n // future relaxations might widen the wildcard.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'select',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators (read-only): see `sys_user_org_members` in\n // `member_default` for rationale.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n];\n"]}
package/dist/system/index.d.mts CHANGED
@@ -618,6 +618,14 @@ declare const SysSetting: Omit<{
618
618
  } | undefined;
619
619
  recordTypes?: string[] | undefined;
620
620
  sharingModel?: "read" | "full" | "private" | "read_write" | undefined;
621
+ publicSharing?: {
622
+ enabled: boolean;
623
+ allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
624
+ allowedPermissions?: ("edit" | "view" | "comment")[] | undefined;
625
+ maxExpiryDays?: number | undefined;
626
+ redactFields?: string[] | undefined;
627
+ eligibility?: string | undefined;
628
+ } | undefined;
621
629
  keyPrefix?: string | undefined;
622
630
  detail?: {
623
631
  [x: string]: unknown;
@@ -632,7 +640,7 @@ declare const SysSetting: Omit<{
632
640
  refreshAfter: boolean;
633
641
  objectName?: string | undefined;
634
642
  icon?: string | undefined;
635
- locations?: ("list_toolbar" | "list_item" | "record_header" | "record_more" | "record_related" | "global_nav")[] | undefined;
643
+ locations?: ("list_toolbar" | "list_item" | "record_header" | "record_more" | "record_related" | "record_section" | "global_nav")[] | undefined;
636
644
  component?: "action:button" | "action:icon" | "action:menu" | "action:group" | undefined;
637
645
  target?: string | undefined;
638
646
  body?: {
@@ -665,6 +673,17 @@ declare const SysSetting: Omit<{
665
673
  variant?: "link" | "primary" | "secondary" | "danger" | "ghost" | undefined;
666
674
  confirmText?: string | undefined;
667
675
  successMessage?: string | undefined;
676
+ resultDialog?: {
677
+ title?: string | undefined;
678
+ description?: string | undefined;
679
+ acknowledge?: string | undefined;
680
+ format?: "secret" | "text" | "json" | "qrcode" | "code-list" | undefined;
681
+ fields?: {
682
+ path: string;
683
+ label?: string | undefined;
684
+ format?: "secret" | "text" | "json" | "qrcode" | "code-list" | undefined;
685
+ }[] | undefined;
686
+ } | undefined;
668
687
  visible?: {
669
688
  dialect: "cel" | "js" | "cron" | "template";
670
689
  source?: string | undefined;
@@ -3719,6 +3738,14 @@ declare const SysSecret: Omit<{
3719
3738
  } | undefined;
3720
3739
  recordTypes?: string[] | undefined;
3721
3740
  sharingModel?: "read" | "full" | "private" | "read_write" | undefined;
3741
+ publicSharing?: {
3742
+ enabled: boolean;
3743
+ allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
3744
+ allowedPermissions?: ("edit" | "view" | "comment")[] | undefined;
3745
+ maxExpiryDays?: number | undefined;
3746
+ redactFields?: string[] | undefined;
3747
+ eligibility?: string | undefined;
3748
+ } | undefined;
3722
3749
  keyPrefix?: string | undefined;
3723
3750
  detail?: {
3724
3751
  [x: string]: unknown;
@@ -3733,7 +3760,7 @@ declare const SysSecret: Omit<{
3733
3760
  refreshAfter: boolean;
3734
3761
  objectName?: string | undefined;
3735
3762
  icon?: string | undefined;
3736
- locations?: ("list_toolbar" | "list_item" | "record_header" | "record_more" | "record_related" | "global_nav")[] | undefined;
3763
+ locations?: ("list_toolbar" | "list_item" | "record_header" | "record_more" | "record_related" | "record_section" | "global_nav")[] | undefined;
3737
3764
  component?: "action:button" | "action:icon" | "action:menu" | "action:group" | undefined;
3738
3765
  target?: string | undefined;
3739
3766
  body?: {
@@ -3766,6 +3793,17 @@ declare const SysSecret: Omit<{
3766
3793
  variant?: "link" | "primary" | "secondary" | "danger" | "ghost" | undefined;
3767
3794
  confirmText?: string | undefined;
3768
3795
  successMessage?: string | undefined;
3796
+ resultDialog?: {
3797
+ title?: string | undefined;
3798
+ description?: string | undefined;
3799
+ acknowledge?: string | undefined;
3800
+ format?: "secret" | "text" | "json" | "qrcode" | "code-list" | undefined;
3801
+ fields?: {
3802
+ path: string;
3803
+ label?: string | undefined;
3804
+ format?: "secret" | "text" | "json" | "qrcode" | "code-list" | undefined;
3805
+ }[] | undefined;
3806
+ } | undefined;
3769
3807
  visible?: {
3770
3808
  dialect: "cel" | "js" | "cron" | "template";
3771
3809
  source?: string | undefined;
@@ -6031,6 +6069,14 @@ declare const SysSettingAudit: Omit<{
6031
6069
  } | undefined;
6032
6070
  recordTypes?: string[] | undefined;
6033
6071
  sharingModel?: "read" | "full" | "private" | "read_write" | undefined;
6072
+ publicSharing?: {
6073
+ enabled: boolean;
6074
+ allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
6075
+ allowedPermissions?: ("edit" | "view" | "comment")[] | undefined;
6076
+ maxExpiryDays?: number | undefined;
6077
+ redactFields?: string[] | undefined;
6078
+ eligibility?: string | undefined;
6079
+ } | undefined;
6034
6080
  keyPrefix?: string | undefined;
6035
6081
  detail?: {
6036
6082
  [x: string]: unknown;
@@ -6045,7 +6091,7 @@ declare const SysSettingAudit: Omit<{
6045
6091
  refreshAfter: boolean;
6046
6092
  objectName?: string | undefined;
6047
6093
  icon?: string | undefined;
6048
- locations?: ("list_toolbar" | "list_item" | "record_header" | "record_more" | "record_related" | "global_nav")[] | undefined;
6094
+ locations?: ("list_toolbar" | "list_item" | "record_header" | "record_more" | "record_related" | "record_section" | "global_nav")[] | undefined;
6049
6095
  component?: "action:button" | "action:icon" | "action:menu" | "action:group" | undefined;
6050
6096
  target?: string | undefined;
6051
6097
  body?: {
@@ -6078,6 +6124,17 @@ declare const SysSettingAudit: Omit<{
6078
6124
  variant?: "link" | "primary" | "secondary" | "danger" | "ghost" | undefined;
6079
6125
  confirmText?: string | undefined;
6080
6126
  successMessage?: string | undefined;
6127
+ resultDialog?: {
6128
+ title?: string | undefined;
6129
+ description?: string | undefined;
6130
+ acknowledge?: string | undefined;
6131
+ format?: "secret" | "text" | "json" | "qrcode" | "code-list" | undefined;
6132
+ fields?: {
6133
+ path: string;
6134
+ label?: string | undefined;
6135
+ format?: "secret" | "text" | "json" | "qrcode" | "code-list" | undefined;
6136
+ }[] | undefined;
6137
+ } | undefined;
6081
6138
  visible?: {
6082
6139
  dialect: "cel" | "js" | "cron" | "template";
6083
6140
  source?: string | undefined;