@objectstack/plugin-sharing 4.0.1

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/sharing-service.ts","../src/team-graph.ts","../src/department-graph.ts","../src/sharing-rule-service.ts","../src/rule-hooks.ts","../src/sharing-plugin.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\n/**\n * @objectstack/plugin-sharing\n *\n * Record-level sharing for ObjectStack. Implements `ISharingService`\n * and installs an engine middleware that enforces\n * `object.sharingModel` (`private` / `read`) against the\n * authenticated execution context.\n */\n\nexport { SysRecordShare, SysSharingRule } from '@objectstack/platform-objects/security';\nexport { SysDepartment, SysDepartmentMember } from '@objectstack/platform-objects/identity';\nexport {\n  SharingService,\n  type SharingEngine,\n  type SharingServiceOptions,\n} from './sharing-service.js';\nexport {\n  SharingRuleService,\n  type SharingRuleServiceOptions,\n} from './sharing-rule-service.js';\nexport { TeamGraphService, expandPrincipal, type TeamGraphOptions } from './team-graph.js';\nexport { DepartmentGraphService, type DepartmentGraphOptions } from './department-graph.js';\nexport { bindRuleHooks, unbindAllRuleHooks, SHARING_RULE_HOOK_PACKAGE } from './rule-hooks.js';\nexport {\n  SharingServicePlugin,\n  buildSharingMiddleware,\n  type SharingPluginOptions,\n} from './sharing-plugin.js';\nexport type {\n  ISharingService,\n  ISharingRuleService,\n  ITeamGraphService,\n  IDepartmentGraphService,\n  RecordShare,\n  GrantShareInput,\n  SharingExecutionContext,\n  ShareAccessLevel,\n  ShareRecipientType,\n  ShareSource,\n  SharingRuleRow,\n  DefineSharingRuleInput,\n  SharingRuleEvaluationResult,\n  SharingRuleRecipientType,\n} from '@objectstack/spec/contracts';\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type {\n  ISharingService,\n  RecordShare,\n  GrantShareInput,\n  SharingExecutionContext,\n  ShareAccessLevel,\n} from '@objectstack/spec/contracts';\n\n/**\n * Shape of the data engine the service actually needs. Kept narrow so\n * unit tests can pass an in-memory fake without depending on the full\n * ObjectQL engine class.\n */\nexport interface SharingEngine {\n  find(object: string, options?: any): Promise<any[]>;\n  findOne?(object: string, options?: any): Promise<any>;\n  insert(object: string, data: any, options?: any): Promise<any>;\n  update(object: string, idOrData: any, dataOrOptions?: any, options?: any): Promise<any>;\n  delete(object: string, options?: any): Promise<any>;\n  getSchema?(object: string): any | undefined;\n}\n\n/**\n * Random share id. Keeps the plugin self-contained (no `crypto.randomUUID`\n * dependency in environments that don't expose it on `globalThis`).\n */\nfunction makeShareId(): string {\n  const g: any = globalThis as any;\n  if (g.crypto?.randomUUID) return `shr_${g.crypto.randomUUID()}`;\n  return `shr_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;\n}\n\n/** System-elevated context for the plugin's own queries / mutations. */\nconst SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] } as const;\n\n/**\n * Owner field convention. Hard-coded to `owner_id` for MVP — the\n * sharing model in Salesforce / ServiceNow / Dynamics all assume a\n * single owner field, and customising it is a follow-up. Objects\n * without `owner_id` are treated as \"unowned\" and read filters are\n * suppressed (they fall back to OWD-public behaviour).\n */\nconst OWNER_FIELD = 'owner_id';\n\n/**\n * Effective sharing model. Anything other than `private` / `read` is\n * treated as public — that includes objects that don't declare\n * `sharingModel` at all, so existing CRM behaviour is preserved\n * until an admin opts an object in.\n */\nfunction effectiveSharingModel(schema: any): 'private' | 'read' | 'public' {\n  const m = schema?.sharingModel ?? schema?.security?.sharingModel;\n  if (m === 'private') return 'private';\n  if (m === 'read') return 'read';\n  return 'public';\n}\n\nfunction hasOwnerField(schema: any): boolean {\n  return Boolean(schema?.fields && OWNER_FIELD in schema.fields);\n}\n\nexport interface SharingServiceOptions {\n  engine: SharingEngine;\n  /** Object names that bypass sharing — typically platform internals. */\n  bypassObjects?: string[];\n}\n\n/**\n * Default `ISharingService` implementation.\n *\n * Stores every grant in `sys_record_share`. The plugin layer registers\n * an engine middleware that calls `buildReadFilter` / `canEdit` so that\n * neither this class nor its callers need to know about middleware\n * plumbing.\n */\nexport class SharingService implements ISharingService {\n  private readonly engine: SharingEngine;\n  private readonly bypassObjects: Set<string>;\n\n  constructor(options: SharingServiceOptions) {\n    this.engine = options.engine;\n    this.bypassObjects = new Set([\n      'sys_record_share',\n      'sys_user',\n      'sys_organization',\n      'sys_member',\n      'sys_role',\n      'sys_permission_set',\n      'sys_user_permission_set',\n      'sys_role_permission_set',\n      ...(options.bypassObjects ?? []),\n    ]);\n  }\n\n  /**\n   * Build a `FilterCondition` restricting `find` to records the caller\n   * may see. Returns `null` when no filter should be applied.\n   */\n  async buildReadFilter(\n    object: string,\n    context: SharingExecutionContext,\n  ): Promise<unknown | null> {\n    if (this.shouldBypass(object, context)) return null;\n\n    const schema = this.engine.getSchema?.(object);\n    if (!schema) return null;\n    if (effectiveSharingModel(schema) !== 'private') return null;\n    if (!hasOwnerField(schema)) return null;\n    if (!context.userId) {\n      // Authenticated context with no user id is a degenerate case\n      // (e.g. anonymous API key). Restrict to nothing rather than\n      // accidentally leaking owner-only data.\n      return { id: '__deny_all__' };\n    }\n\n    const grants = await this.engine.find('sys_record_share', {\n      filter: {\n        object_name: object,\n        recipient_type: 'user',\n        recipient_id: context.userId,\n      },\n      fields: ['record_id', 'access_level'],\n      limit: 5000,\n      context: SYSTEM_CTX,\n    });\n\n    const grantedIds: string[] = Array.isArray(grants)\n      ? grants.map((g: any) => String(g.record_id)).filter(Boolean)\n      : [];\n\n    if (grantedIds.length === 0) {\n      return { [OWNER_FIELD]: context.userId };\n    }\n\n    return {\n      $or: [\n        { [OWNER_FIELD]: context.userId },\n        { id: { $in: grantedIds } },\n      ],\n    };\n  }\n\n  /**\n   * Return `true` if the caller may edit `(object, recordId)`. Always\n   * `true` for system context, public objects, and objects without an\n   * owner field.\n   */\n  async canEdit(\n    object: string,\n    recordId: string,\n    context: SharingExecutionContext,\n  ): Promise<boolean> {\n    if (this.shouldBypass(object, context)) return true;\n\n    const schema = this.engine.getSchema?.(object);\n    if (!schema) return true;\n    const model = effectiveSharingModel(schema);\n    if (model === 'public') return true;\n    if (!hasOwnerField(schema)) return true;\n    if (!context.userId) return false;\n\n    // 1) Ownership — fast path.\n    const own = await this.engine.find(object, {\n      filter: { id: recordId },\n      fields: ['id', OWNER_FIELD],\n      limit: 1,\n      context: SYSTEM_CTX,\n    });\n    const owner = Array.isArray(own) && own[0] ? (own[0] as any)[OWNER_FIELD] : undefined;\n    if (owner && String(owner) === String(context.userId)) return true;\n\n    // 2) Explicit edit / full share.\n    const editGrants = await this.engine.find('sys_record_share', {\n      filter: {\n        object_name: object,\n        record_id: recordId,\n        recipient_type: 'user',\n        recipient_id: context.userId,\n        access_level: { $in: ['edit', 'full'] },\n      },\n      fields: ['id'],\n      limit: 1,\n      context: SYSTEM_CTX,\n    });\n    return Array.isArray(editGrants) && editGrants.length > 0;\n  }\n\n  /**\n   * Upsert a share row. Returning the existing row when an identical\n   * grant already exists keeps the REST endpoint idempotent.\n   */\n  async grant(\n    input: GrantShareInput,\n    context: SharingExecutionContext,\n  ): Promise<RecordShare> {\n    if (!input.object) throw new Error('VALIDATION_FAILED: object is required');\n    if (!input.recordId) throw new Error('VALIDATION_FAILED: recordId is required');\n    if (!input.recipientId) throw new Error('VALIDATION_FAILED: recipientId is required');\n\n    const recipientType = input.recipientType ?? 'user';\n    const accessLevel: ShareAccessLevel = input.accessLevel ?? 'read';\n    const source = input.source ?? 'manual';\n\n    // Upsert: if a row with same (object, record, recipient) exists,\n    // update its access level / reason; otherwise insert a new one.\n    const existing = await this.engine.find('sys_record_share', {\n      filter: {\n        object_name: input.object,\n        record_id: input.recordId,\n        recipient_type: recipientType,\n        recipient_id: input.recipientId,\n      },\n      limit: 1,\n      context: SYSTEM_CTX,\n    });\n    const now = new Date().toISOString();\n    if (Array.isArray(existing) && existing[0]) {\n      const row: any = existing[0];\n      const patch: any = {\n        id: row.id,\n        access_level: accessLevel,\n        source,\n        source_id: input.sourceId ?? row.source_id ?? null,\n        reason: input.reason ?? row.reason ?? null,\n        updated_at: now,\n      };\n      await this.engine.update('sys_record_share', patch, { context: SYSTEM_CTX });\n      return { ...row, ...patch } as RecordShare;\n    }\n\n    const id = makeShareId();\n    const row: any = {\n      id,\n      object_name: input.object,\n      record_id: input.recordId,\n      recipient_type: recipientType,\n      recipient_id: input.recipientId,\n      access_level: accessLevel,\n      source,\n      source_id: input.sourceId ?? null,\n      granted_by: context.userId ?? null,\n      reason: input.reason ?? null,\n      created_at: now,\n      updated_at: now,\n    };\n    await this.engine.insert('sys_record_share', row, { context: SYSTEM_CTX });\n    return row as RecordShare;\n  }\n\n  /** Delete a share row by id. No-op when not found. */\n  async revoke(shareId: string, _context: SharingExecutionContext): Promise<void> {\n    if (!shareId) throw new Error('VALIDATION_FAILED: shareId is required');\n    await this.engine.delete('sys_record_share', {\n      where: { id: shareId },\n      context: SYSTEM_CTX,\n    });\n  }\n\n  /** List share rows for `(object, recordId)`. */\n  async listShares(\n    object: string,\n    recordId: string,\n    _context: SharingExecutionContext,\n  ): Promise<RecordShare[]> {\n    const rows = await this.engine.find('sys_record_share', {\n      filter: { object_name: object, record_id: recordId },\n      orderBy: [{ field: 'created_at', direction: 'desc' }],\n      limit: 500,\n      context: SYSTEM_CTX,\n    });\n    return Array.isArray(rows) ? (rows as RecordShare[]) : [];\n  }\n\n  // ── helpers ──────────────────────────────────────────────────────\n\n  private shouldBypass(object: string, context: SharingExecutionContext): boolean {\n    if (context?.isSystem) return true;\n    if (this.bypassObjects.has(object)) return true;\n    return false;\n  }\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { ITeamGraphService } from '@objectstack/spec/contracts';\nimport type { SharingEngine } from './sharing-service.js';\n\nconst SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] } as const;\n\ntype Cache = {\n  expandUsers?: Map<string, string[]>;\n  expandRole?: Map<string, string[]>;\n  manager?: Map<string, string | null>;\n};\n\nexport interface TeamGraphOptions {\n  engine: SharingEngine;\n  /** Optional tenant scope; null means cross-tenant lookups. */\n  organizationId?: string | null;\n  /** Optional shared cache across one evaluator pass. */\n  cache?: Cache;\n}\n\n/**\n * Default {@link ITeamGraphService} implementation backed by\n * `sys_team` + `sys_team_member` (better-auth's flat collaboration\n * grouping) plus `sys_member.role` for tenant role expansion.\n *\n * **This service does NOT walk a hierarchy.** Teams here are flat —\n * the enterprise org chart lives in `sys_department` and is served by\n * {@link DepartmentGraphService}.\n *\n * All queries elevate to {@link SYSTEM_CTX} since the graph is platform\n * metadata; callers (sharing rule evaluator, approval engine) own their\n * own enforcement.\n */\nexport class TeamGraphService implements ITeamGraphService {\n  private readonly engine: SharingEngine;\n  private readonly organizationId: string | null;\n  private readonly cache: Cache;\n\n  constructor(opts: TeamGraphOptions) {\n    this.engine = opts.engine;\n    this.organizationId = opts.organizationId ?? null;\n    this.cache = opts.cache ?? {};\n    this.cache.expandUsers ??= new Map();\n    this.cache.expandRole ??= new Map();\n    this.cache.manager ??= new Map();\n  }\n\n  async expandUsers(teamId: string): Promise<string[]> {\n    if (!teamId) return [];\n    const cached = this.cache.expandUsers!.get(teamId);\n    if (cached) return cached;\n\n    let rows: any[] = [];\n    try {\n      rows = await this.engine.find('sys_team_member', {\n        filter: { team_id: teamId },\n        fields: ['user_id'],\n        limit: 10000,\n        context: SYSTEM_CTX,\n      });\n    } catch {\n      rows = [];\n    }\n    const users = Array.from(new Set((rows ?? []).map((r: any) => String(r.user_id ?? '')).filter(Boolean)));\n    this.cache.expandUsers!.set(teamId, users);\n    return users;\n  }\n\n  async expandRoleUsers(roleName: string, organizationId?: string): Promise<string[]> {\n    if (!roleName) return [];\n    const key = `${organizationId ?? this.organizationId ?? '*'}::${roleName}`;\n    const cached = this.cache.expandRole!.get(key);\n    if (cached) return cached;\n    const filter: Record<string, unknown> = { role: roleName };\n    const org = organizationId ?? this.organizationId;\n    if (org) filter.organization_id = org;\n    let rows: any[] = [];\n    try {\n      rows = await this.engine.find('sys_member', {\n        filter,\n        fields: ['user_id'],\n        limit: 10000,\n        context: SYSTEM_CTX,\n      });\n    } catch {\n      rows = [];\n    }\n    const users = Array.from(new Set((rows ?? []).map((r: any) => String(r.user_id ?? '')).filter(Boolean)));\n    this.cache.expandRole!.set(key, users);\n    return users;\n  }\n\n  async managerOf(userId: string, _organizationId?: string): Promise<string | null> {\n    if (!userId) return null;\n    if (this.cache.manager!.has(userId)) return this.cache.manager!.get(userId) ?? null;\n    let row: any = null;\n    try {\n      const rows = await this.engine.find('sys_user', {\n        filter: { id: userId },\n        fields: ['id', 'manager_id'],\n        limit: 1,\n        context: SYSTEM_CTX,\n      });\n      row = Array.isArray(rows) ? rows[0] : null;\n    } catch {\n      row = null;\n    }\n    const mgr = row?.manager_id ? String(row.manager_id) : null;\n    this.cache.manager!.set(userId, mgr);\n    return mgr;\n  }\n}\n\n/**\n * Convenience helper used by the sharing-rule evaluator + approval\n * engine: expand an approver / recipient descriptor of the form\n * `{type, value}` into a flat list of user IDs by routing to the\n * appropriate graph service.\n *\n * `team` → flat team members (this service).\n * `department` → recursive department members (delegated; requires a\n *   {@link IDepartmentGraphService} instance passed in `opts.dept`).\n * `role` → tenant role members.\n * `manager` → submitter's manager via `record[value] ?? record.owner_id`.\n * `field` → literal user id stored in `record[value]`.\n * `user` → literal value.\n * Anything else echoes `type:value` for back-compat with legacy\n * substring-match approver flows.\n */\nexport async function expandPrincipal(\n  input: { type: string; value: string; record?: any },\n  ctx: { team: TeamGraphService; dept?: { expandUsers(id: string): Promise<string[]> }; organizationId?: string | null },\n): Promise<string[]> {\n  const t = input.type;\n  const v = String(input.value ?? '');\n  if (!v) return [];\n  if (t === 'user') return [v];\n  if (t === 'team') return ctx.team.expandUsers(v);\n  if (t === 'department' || t === 'dept') {\n    if (ctx.dept) return ctx.dept.expandUsers(v);\n    return [`${t}:${v}`];\n  }\n  if (t === 'role') return ctx.team.expandRoleUsers(v, ctx.organizationId ?? undefined);\n  if (t === 'field' && input.record) {\n    const fv = (input.record as any)[v];\n    return fv ? [String(fv)] : [];\n  }\n  if (t === 'manager' && input.record) {\n    const subject = (input.record as any)[v] ?? (input.record as any).owner_id;\n    if (!subject) return [];\n    const mgr = await ctx.team.managerOf(String(subject), ctx.organizationId ?? undefined);\n    return mgr ? [mgr] : [];\n  }\n  // queue / unknown — fall back to raw prefix string so existing\n  // string-match approver flows keep working.\n  return [`${t}:${v}`];\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { IDepartmentGraphService } from '@objectstack/spec/contracts';\nimport type { SharingEngine } from './sharing-service.js';\nimport { TeamGraphService } from './team-graph.js';\n\nconst SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] } as const;\n\ntype DeptCache = {\n  descendants?: Map<string, string[]>;\n  expandUsers?: Map<string, string[]>;\n  head?: Map<string, string | null>;\n};\n\nexport interface DepartmentGraphOptions {\n  engine: SharingEngine;\n  /** Optional tenant scope; null means cross-tenant lookups. */\n  organizationId?: string | null;\n  /** Optional shared cache across one evaluator pass. */\n  cache?: DeptCache;\n  /**\n   * Optional team-graph instance to share role / manager lookups with —\n   * department graph proxies `managerOf` through so callers only need one\n   * service.\n   */\n  teamGraph?: TeamGraphService;\n}\n\n/**\n * Default {@link IDepartmentGraphService} implementation.\n *\n * Walks `sys_department.parent_department_id` for hierarchy and\n * `sys_department_member` for member expansion. Treats the optional\n * `active` flag as a hard filter (inactive departments contribute no\n * members and stop BFS descent into their subtrees).\n *\n * Reuses {@link TeamGraphService.managerOf} for user-level manager\n * lookup so callers can use this single service in approval / sharing\n * pipelines.\n */\nexport class DepartmentGraphService implements IDepartmentGraphService {\n  private readonly engine: SharingEngine;\n  private readonly organizationId: string | null;\n  private readonly cache: DeptCache;\n  private readonly teamGraph?: TeamGraphService;\n\n  constructor(opts: DepartmentGraphOptions) {\n    this.engine = opts.engine;\n    this.organizationId = opts.organizationId ?? null;\n    this.cache = opts.cache ?? {};\n    this.cache.descendants ??= new Map();\n    this.cache.expandUsers ??= new Map();\n    this.cache.head ??= new Map();\n    this.teamGraph = opts.teamGraph;\n  }\n\n  async descendants(departmentId: string): Promise<string[]> {\n    if (!departmentId) return [];\n    const cached = this.cache.descendants!.get(departmentId);\n    if (cached) return cached;\n\n    // Verify seed itself is active + within tenant scope.\n    let seedActive = true;\n    try {\n      const seedRows = await this.engine.find('sys_department', {\n        filter: this.orgScope({ id: departmentId }),\n        fields: ['id', 'active'],\n        limit: 1,\n        context: SYSTEM_CTX,\n      });\n      const seedRow: any = Array.isArray(seedRows) ? seedRows[0] : null;\n      if (!seedRow) seedActive = false;\n      else if (seedRow.active === false) seedActive = false;\n    } catch {\n      seedActive = false;\n    }\n    if (!seedActive) {\n      this.cache.descendants!.set(departmentId, []);\n      return [];\n    }\n\n    const seen = new Set<string>([departmentId]);\n    const queue: string[] = [departmentId];\n    while (queue.length) {\n      const parent = queue.shift()!;\n      let children: any[] = [];\n      try {\n        children = await this.engine.find('sys_department', {\n          filter: this.orgScope({ parent_department_id: parent, active: { $ne: false } }),\n          fields: ['id'],\n          limit: 1000,\n          context: SYSTEM_CTX,\n        });\n      } catch {\n        children = [];\n      }\n      for (const c of children ?? []) {\n        const cid = String((c as any).id ?? '');\n        if (cid && !seen.has(cid)) {\n          seen.add(cid);\n          queue.push(cid);\n        }\n      }\n    }\n    const out = Array.from(seen);\n    this.cache.descendants!.set(departmentId, out);\n    return out;\n  }\n\n  async expandUsers(departmentId: string): Promise<string[]> {\n    if (!departmentId) return [];\n    const cached = this.cache.expandUsers!.get(departmentId);\n    if (cached) return cached;\n\n    const depts = await this.descendants(departmentId);\n    if (depts.length === 0) return [];\n\n    let rows: any[] = [];\n    try {\n      rows = await this.engine.find('sys_department_member', {\n        filter: { department_id: { $in: depts } },\n        fields: ['user_id'],\n        limit: 10000,\n        context: SYSTEM_CTX,\n      });\n    } catch {\n      rows = [];\n    }\n    const users = Array.from(\n      new Set((rows ?? []).map((r: any) => String(r.user_id ?? '')).filter(Boolean)),\n    );\n    this.cache.expandUsers!.set(departmentId, users);\n    return users;\n  }\n\n  async headOf(departmentId: string): Promise<string | null> {\n    if (!departmentId) return null;\n    if (this.cache.head!.has(departmentId)) return this.cache.head!.get(departmentId) ?? null;\n    let row: any = null;\n    try {\n      const rows = await this.engine.find('sys_department', {\n        filter: { id: departmentId },\n        fields: ['id', 'manager_user_id'],\n        limit: 1,\n        context: SYSTEM_CTX,\n      });\n      row = Array.isArray(rows) ? rows[0] : null;\n    } catch {\n      row = null;\n    }\n    const head = row?.manager_user_id ? String(row.manager_user_id) : null;\n    this.cache.head!.set(departmentId, head);\n    return head;\n  }\n\n  async managerOf(userId: string, organizationId?: string): Promise<string | null> {\n    if (this.teamGraph) return this.teamGraph.managerOf(userId, organizationId);\n    // Standalone fallback: read sys_user.manager_id directly.\n    if (!userId) return null;\n    try {\n      const rows = await this.engine.find('sys_user', {\n        filter: { id: userId },\n        fields: ['id', 'manager_id'],\n        limit: 1,\n        context: SYSTEM_CTX,\n      });\n      const row: any = Array.isArray(rows) ? rows[0] : null;\n      return row?.manager_id ? String(row.manager_id) : null;\n    } catch {\n      return null;\n    }\n  }\n\n  private orgScope(filter: Record<string, unknown>): Record<string, unknown> {\n    if (this.organizationId) return { ...filter, organization_id: this.organizationId };\n    return filter;\n  }\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type {\n  ISharingRuleService,\n  DefineSharingRuleInput,\n  SharingRuleRow,\n  SharingRuleEvaluationResult,\n  SharingExecutionContext,\n  ShareAccessLevel,\n  SharingRuleRecipientType,\n} from '@objectstack/spec/contracts';\nimport type { SharingEngine } from './sharing-service.js';\nimport type { SharingService } from './sharing-service.js';\nimport { TeamGraphService } from './team-graph.js';\nimport { DepartmentGraphService } from './department-graph.js';\n\nconst SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] } as const;\n\nfunction uid(prefix: string): string {\n  const g: any = globalThis as any;\n  if (g.crypto?.randomUUID) return `${prefix}_${g.crypto.randomUUID()}`;\n  return `${prefix}_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;\n}\n\nfunction parseCriteria(raw: unknown): unknown | undefined {\n  if (raw == null || raw === '') return undefined;\n  if (typeof raw === 'string') {\n    const trimmed = raw.trim();\n    if (!trimmed) return undefined;\n    try {\n      return JSON.parse(trimmed);\n    } catch {\n      // Treat unparsable strings as opaque — most likely a CEL source\n      // that v1's evaluator doesn't grok yet; rule will match nothing.\n      return undefined;\n    }\n  }\n  return raw;\n}\n\nfunction rowFromRule(row: any): SharingRuleRow {\n  return {\n    id: row.id,\n    organization_id: row.organization_id ?? null,\n    name: row.name,\n    label: row.label,\n    description: row.description ?? null,\n    object_name: row.object_name,\n    criteria: parseCriteria(row.criteria_json),\n    recipient_type: row.recipient_type as SharingRuleRecipientType,\n    recipient_id: row.recipient_id,\n    access_level: row.access_level as ShareAccessLevel,\n    active: row.active !== false,\n    created_at: row.created_at ?? undefined,\n    updated_at: row.updated_at ?? undefined,\n  };\n}\n\nexport interface SharingRuleServiceOptions {\n  engine: SharingEngine;\n  sharing: SharingService;\n  logger?: { info?: Function; warn?: Function; error?: Function; debug?: Function };\n}\n\n/**\n * Default {@link ISharingRuleService} implementation.\n *\n * Stores rule definitions in `sys_sharing_rule` and materialises grants\n * as `sys_record_share` rows with `source='rule'` and `source_id={ruleId}`\n * so reconcile can diff old grants vs fresh evaluation results without\n * touching manual / team-derived shares.\n */\nexport class SharingRuleService implements ISharingRuleService {\n  private readonly engine: SharingEngine;\n  private readonly sharing: SharingService;\n  private readonly logger?: SharingRuleServiceOptions['logger'];\n\n  constructor(opts: SharingRuleServiceOptions) {\n    this.engine = opts.engine;\n    this.sharing = opts.sharing;\n    this.logger = opts.logger;\n  }\n\n  async defineRule(input: DefineSharingRuleInput, context: SharingExecutionContext): Promise<SharingRuleRow> {\n    if (!input.name) throw new Error('VALIDATION_FAILED: name is required');\n    if (!input.label) throw new Error('VALIDATION_FAILED: label is required');\n    if (!input.object) throw new Error('VALIDATION_FAILED: object is required');\n    if (!input.recipientType) throw new Error('VALIDATION_FAILED: recipientType is required');\n    if (!input.recipientId) throw new Error('VALIDATION_FAILED: recipientId is required');\n\n    const orgId = (context as any)?.organizationId ?? (context as any)?.tenantId ?? null;\n    const now = new Date().toISOString();\n    const accessLevel: ShareAccessLevel = input.accessLevel ?? 'read';\n    const active = input.active !== false;\n    const criteriaJson = input.criteria == null\n      ? null\n      : (typeof input.criteria === 'string' ? input.criteria : JSON.stringify(input.criteria));\n\n    const existing = await this.engine.find('sys_sharing_rule', {\n      filter: orgId ? { name: input.name, organization_id: orgId } : { name: input.name },\n      limit: 1,\n      context: SYSTEM_CTX,\n    });\n    if (Array.isArray(existing) && existing[0]) {\n      const row: any = existing[0];\n      const patch: any = {\n        id: row.id,\n        label: input.label,\n        description: input.description ?? null,\n        object_name: input.object,\n        criteria_json: criteriaJson,\n        recipient_type: input.recipientType,\n        recipient_id: input.recipientId,\n        access_level: accessLevel,\n        active,\n        updated_at: now,\n      };\n      await this.engine.update('sys_sharing_rule', patch, { context: SYSTEM_CTX });\n      return rowFromRule({ ...row, ...patch });\n    }\n\n    const newRow: any = {\n      id: uid('srule'),\n      organization_id: orgId,\n      name: input.name,\n      label: input.label,\n      description: input.description ?? null,\n      object_name: input.object,\n      criteria_json: criteriaJson,\n      recipient_type: input.recipientType,\n      recipient_id: input.recipientId,\n      access_level: accessLevel,\n      active,\n      created_at: now,\n      updated_at: now,\n    };\n    await this.engine.insert('sys_sharing_rule', newRow, { context: SYSTEM_CTX });\n    return rowFromRule(newRow);\n  }\n\n  async listRules(\n    filter: { object?: string; activeOnly?: boolean },\n    context: SharingExecutionContext,\n  ): Promise<SharingRuleRow[]> {\n    const where: any = {};\n    if (filter.object) where.object_name = filter.object;\n    if (filter.activeOnly) where.active = true;\n    const orgId = (context as any)?.organizationId ?? (context as any)?.tenantId;\n    if (orgId) where.organization_id = orgId;\n    const rows = await this.engine.find('sys_sharing_rule', {\n      filter: where,\n      orderBy: [{ field: 'name', direction: 'asc' }],\n      limit: 1000,\n      context: SYSTEM_CTX,\n    });\n    return Array.isArray(rows) ? rows.map(rowFromRule) : [];\n  }\n\n  async getRule(idOrName: string, context: SharingExecutionContext): Promise<SharingRuleRow | null> {\n    if (!idOrName) return null;\n    const orgId = (context as any)?.organizationId ?? (context as any)?.tenantId;\n    const byId = await this.engine.find('sys_sharing_rule', {\n      filter: { id: idOrName },\n      limit: 1,\n      context: SYSTEM_CTX,\n    });\n    if (Array.isArray(byId) && byId[0]) return rowFromRule(byId[0]);\n    const byName = await this.engine.find('sys_sharing_rule', {\n      filter: orgId ? { name: idOrName, organization_id: orgId } : { name: idOrName },\n      limit: 1,\n      context: SYSTEM_CTX,\n    });\n    if (Array.isArray(byName) && byName[0]) return rowFromRule(byName[0]);\n    return null;\n  }\n\n  async deleteRule(idOrName: string, context: SharingExecutionContext): Promise<void> {\n    const row = await this.getRule(idOrName, context);\n    if (!row) return;\n    // Drop materialised grants first so we don't orphan them.\n    await this.engine.delete('sys_record_share', {\n      where: { source: 'rule', source_id: row.id },\n      context: SYSTEM_CTX,\n    } as any);\n    await this.engine.delete('sys_sharing_rule', {\n      where: { id: row.id },\n      context: SYSTEM_CTX,\n    } as any);\n  }\n\n  async evaluateRule(idOrName: string, context: SharingExecutionContext): Promise<SharingRuleEvaluationResult> {\n    const rule = await this.getRule(idOrName, context);\n    if (!rule) throw new Error('RULE_NOT_FOUND');\n    if (!rule.active) {\n      // Inactive — purge any leftover grants and report revoke count.\n      const revoked = await this.purgeRuleGrants(rule.id);\n      return { ruleId: rule.id, matchedRecords: 0, expandedUsers: 0, grantsCreated: 0, grantsUpdated: 0, grantsRevoked: revoked };\n    }\n    const matches = await this.findMatchingRecords(rule);\n    const users = await this.expandRecipient(rule);\n    return this.reconcile(rule, matches, users);\n  }\n\n  async evaluateAllForRecord(\n    object: string,\n    recordId: string,\n    context: SharingExecutionContext,\n  ): Promise<SharingRuleEvaluationResult[]> {\n    const rules = await this.listRules({ object, activeOnly: true }, context);\n    if (rules.length === 0) return [];\n    const results: SharingRuleEvaluationResult[] = [];\n    for (const rule of rules) {\n      const match = await this.recordMatches(rule, recordId);\n      const users = match ? await this.expandRecipient(rule) : [];\n      results.push(await this.reconcileForRecord(rule, recordId, match, users));\n    }\n    return results;\n  }\n\n  // ── internals ─────────────────────────────────────────────────────\n\n  private async findMatchingRecords(rule: SharingRuleRow): Promise<string[]> {\n    const filter = (rule.criteria ?? {}) as any;\n    try {\n      const rows = await this.engine.find(rule.object_name, {\n        filter,\n        fields: ['id'],\n        limit: 5000,\n        context: SYSTEM_CTX,\n      });\n      return Array.isArray(rows) ? rows.map((r: any) => String(r.id)).filter(Boolean) : [];\n    } catch (err: any) {\n      this.logger?.warn?.('[sharing-rule] criteria query failed', { rule: rule.name, error: err?.message });\n      return [];\n    }\n  }\n\n  private async recordMatches(rule: SharingRuleRow, recordId: string): Promise<boolean> {\n    const filter = { ...((rule.criteria ?? {}) as any), id: recordId };\n    try {\n      const rows = await this.engine.find(rule.object_name, {\n        filter,\n        fields: ['id'],\n        limit: 1,\n        context: SYSTEM_CTX,\n      });\n      return Array.isArray(rows) && rows.length > 0;\n    } catch {\n      return false;\n    }\n  }\n\n  private async expandRecipient(rule: SharingRuleRow): Promise<string[]> {\n    const team = new TeamGraphService({\n      engine: this.engine,\n      organizationId: rule.organization_id ?? null,\n    });\n    if (rule.recipient_type === 'user') return [rule.recipient_id];\n    if (rule.recipient_type === 'team') return team.expandUsers(rule.recipient_id);\n    if (rule.recipient_type === 'department') {\n      const dept = new DepartmentGraphService({\n        engine: this.engine,\n        organizationId: rule.organization_id ?? null,\n        teamGraph: team,\n      });\n      return dept.expandUsers(rule.recipient_id);\n    }\n    if (rule.recipient_type === 'role') return team.expandRoleUsers(rule.recipient_id, rule.organization_id ?? undefined);\n    // queue — v1 stores literal; treat as no-op until queue impl lands.\n    return [];\n  }\n\n  private async reconcile(\n    rule: SharingRuleRow,\n    matchedIds: string[],\n    users: string[],\n  ): Promise<SharingRuleEvaluationResult> {\n    const existing = await this.engine.find('sys_record_share', {\n      filter: { source: 'rule', source_id: rule.id },\n      fields: ['id', 'record_id', 'recipient_id', 'access_level'],\n      limit: 100000,\n      context: SYSTEM_CTX,\n    });\n    const desired = new Map<string, { record_id: string; recipient_id: string }>();\n    for (const rid of matchedIds) {\n      for (const uId of users) desired.set(`${rid}::${uId}`, { record_id: rid, recipient_id: uId });\n    }\n    const existingMap = new Map<string, any>();\n    for (const row of (existing ?? [])) existingMap.set(`${row.record_id}::${row.recipient_id}`, row);\n\n    let created = 0;\n    let updated = 0;\n    let revoked = 0;\n\n    // Upsert desired.\n    for (const [k, want] of desired.entries()) {\n      const cur = existingMap.get(k);\n      if (cur) {\n        if (cur.access_level !== rule.access_level) {\n          await this.sharing.grant(\n            {\n              object: rule.object_name,\n              recordId: want.record_id,\n              recipientType: 'user',\n              recipientId: want.recipient_id,\n              accessLevel: rule.access_level,\n              source: 'rule',\n              sourceId: rule.id,\n              reason: `rule:${rule.name}`,\n            } as any,\n            SYSTEM_CTX as any,\n          );\n          updated += 1;\n        }\n        existingMap.delete(k);\n      } else {\n        await this.sharing.grant(\n          {\n            object: rule.object_name,\n            recordId: want.record_id,\n            recipientType: 'user',\n            recipientId: want.recipient_id,\n            accessLevel: rule.access_level,\n            source: 'rule',\n            sourceId: rule.id,\n            reason: `rule:${rule.name}`,\n          } as any,\n          SYSTEM_CTX as any,\n        );\n        created += 1;\n      }\n    }\n    // Revoke stale.\n    for (const [, stale] of existingMap.entries()) {\n      await this.sharing.revoke(stale.id, SYSTEM_CTX as any);\n      revoked += 1;\n    }\n\n    return {\n      ruleId: rule.id,\n      matchedRecords: matchedIds.length,\n      expandedUsers: users.length,\n      grantsCreated: created,\n      grantsUpdated: updated,\n      grantsRevoked: revoked,\n    };\n  }\n\n  private async reconcileForRecord(\n    rule: SharingRuleRow,\n    recordId: string,\n    match: boolean,\n    users: string[],\n  ): Promise<SharingRuleEvaluationResult> {\n    const existing = await this.engine.find('sys_record_share', {\n      filter: { source: 'rule', source_id: rule.id, record_id: recordId },\n      fields: ['id', 'record_id', 'recipient_id', 'access_level'],\n      limit: 1000,\n      context: SYSTEM_CTX,\n    });\n    const existingMap = new Map<string, any>();\n    for (const row of (existing ?? [])) existingMap.set(String(row.recipient_id), row);\n\n    let created = 0;\n    let updated = 0;\n    let revoked = 0;\n\n    if (match) {\n      for (const userId of users) {\n        const cur = existingMap.get(userId);\n        if (cur) {\n          if (cur.access_level !== rule.access_level) {\n            await this.sharing.grant(\n              {\n                object: rule.object_name,\n                recordId,\n                recipientType: 'user',\n                recipientId: userId,\n                accessLevel: rule.access_level,\n                source: 'rule',\n                sourceId: rule.id,\n                reason: `rule:${rule.name}`,\n              } as any,\n              SYSTEM_CTX as any,\n            );\n            updated += 1;\n          }\n          existingMap.delete(userId);\n        } else {\n          await this.sharing.grant(\n            {\n              object: rule.object_name,\n              recordId,\n              recipientType: 'user',\n              recipientId: userId,\n              accessLevel: rule.access_level,\n              source: 'rule',\n              sourceId: rule.id,\n              reason: `rule:${rule.name}`,\n            } as any,\n            SYSTEM_CTX as any,\n          );\n          created += 1;\n        }\n      }\n    }\n    // Anything still in existingMap is stale (either match=false or\n    // user no longer in expanded set).\n    for (const [, stale] of existingMap.entries()) {\n      await this.sharing.revoke(stale.id, SYSTEM_CTX as any);\n      revoked += 1;\n    }\n\n    return {\n      ruleId: rule.id,\n      matchedRecords: match ? 1 : 0,\n      expandedUsers: users.length,\n      grantsCreated: created,\n      grantsUpdated: updated,\n      grantsRevoked: revoked,\n    };\n  }\n\n  private async purgeRuleGrants(ruleId: string): Promise<number> {\n    const existing = await this.engine.find('sys_record_share', {\n      filter: { source: 'rule', source_id: ruleId },\n      fields: ['id'],\n      limit: 100000,\n      context: SYSTEM_CTX,\n    });\n    let revoked = 0;\n    for (const row of (existing ?? [])) {\n      await this.sharing.revoke((row as any).id, SYSTEM_CTX as any);\n      revoked += 1;\n    }\n    return revoked;\n  }\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { SharingRuleService } from './sharing-rule-service.js';\nimport type { SharingRuleRow } from '@objectstack/spec/contracts';\n\nconst SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] } as const;\n\nexport const SHARING_RULE_HOOK_PACKAGE = 'plugin-sharing:rules';\n\ninterface MinimalEngine {\n  registerHook(event: string, handler: (ctx: any) => any | Promise<any>, options?: {\n    object?: string | string[];\n    priority?: number;\n    packageId?: string;\n  }): void;\n  unregisterHooksByPackage(packageId: string): number;\n}\n\ninterface MinimalLogger {\n  info?: (msg: any, ...rest: any[]) => void;\n  warn?: (msg: any, ...rest: any[]) => void;\n}\n\n/**\n * Bind afterInsert/afterUpdate hooks for every distinct object_name in\n * `rules`. Each hook calls `service.evaluateAllForRecord(object, id, …)`\n * with SYSTEM_CTX so the evaluator can write `sys_record_share` rows\n * without being blocked by its own enforcement.\n *\n * Caller is responsible for invoking {@link unbindAllRuleHooks} before\n * re-binding when the rule set changes.\n */\nexport function bindRuleHooks(\n  engine: MinimalEngine,\n  service: SharingRuleService,\n  rules: SharingRuleRow[],\n  logger?: MinimalLogger,\n): void {\n  const objects = new Set<string>();\n  for (const r of rules) {\n    if (r.active === false) continue;\n    if (r.object_name) objects.add(r.object_name);\n  }\n  for (const objectName of objects) {\n    const handler = async (ctx: any) => {\n      if ((ctx?.session as any)?.isSystem) return;\n      try {\n        const data = ctx?.result ?? ctx?.input?.data ?? {};\n        const id = String((data as any)?.id ?? ctx?.input?.id ?? '');\n        if (!id) return;\n        await service.evaluateAllForRecord(objectName, id, SYSTEM_CTX as any);\n      } catch (err: any) {\n        logger?.warn?.('[sharing-rule] hook evaluation failed', { object: objectName, error: err?.message });\n      }\n    };\n    engine.registerHook('afterInsert', handler, { object: objectName, packageId: SHARING_RULE_HOOK_PACKAGE, priority: 180 });\n    engine.registerHook('afterUpdate', handler, { object: objectName, packageId: SHARING_RULE_HOOK_PACKAGE, priority: 180 });\n  }\n  logger?.info?.('[sharing-rule] hooks bound', { objects: Array.from(objects), ruleCount: rules.length });\n}\n\nexport function unbindAllRuleHooks(engine: MinimalEngine): number {\n  return engine.unregisterHooksByPackage(SHARING_RULE_HOOK_PACKAGE);\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { Plugin, PluginContext } from '@objectstack/core';\nimport type { EngineMiddleware, OperationContext } from '@objectstack/objectql';\nimport { SysRecordShare, SysSharingRule } from '@objectstack/platform-objects/security';\nimport { SysDepartment, SysDepartmentMember } from '@objectstack/platform-objects/identity';\nimport { SharingService, type SharingEngine } from './sharing-service.js';\nimport { SharingRuleService } from './sharing-rule-service.js';\nimport { bindRuleHooks, unbindAllRuleHooks } from './rule-hooks.js';\n\nexport interface SharingPluginOptions {\n  /** Extra object names that bypass sharing entirely. */\n  bypassObjects?: string[];\n  /**\n   * Disable enforcement (read filter + canEdit) while still registering\n   * the schema + service. Useful in development to flip enforcement on\n   * via env var without rebuilding.\n   */\n  enforce?: boolean;\n}\n\n/**\n * SharingServicePlugin — registers `sys_record_share`, the `sharing`\n * service, and the engine middleware that enforces\n * `object.sharingModel`.\n *\n * Enforcement is opt-in per object:\n *\n *   - `sharingModel: 'private'` → reads filtered to `(owner_id == me) OR\n *     (record explicitly shared with me)`. Writes require ownership or\n *     an `edit`/`full` share.\n *   - `sharingModel: 'read'` → reads unrestricted; writes gated as\n *     above (typical \"everyone can see, only owner can edit\").\n *   - any other value (or no value) → no enforcement. This keeps\n *     existing CRM behaviour identical until admins explicitly enable\n *     sharing on a per-object basis.\n *\n * @example\n * ```ts\n * import { SharingServicePlugin } from '@objectstack/plugin-sharing';\n *\n * kernel.use(new SharingServicePlugin());\n *\n * // Mark an object private — middleware enforces from this point on.\n * defineObject({\n *   name: 'account',\n *   sharingModel: 'private',\n *   fields: { owner_id: Field.lookup('sys_user'), ... },\n * });\n * ```\n */\nexport class SharingServicePlugin implements Plugin {\n  name = 'com.objectstack.service.sharing';\n  version = '1.0.0';\n  type = 'standard';\n  dependencies = ['com.objectstack.engine.objectql'];\n\n  private readonly options: SharingPluginOptions;\n  private service?: SharingService;\n  private ruleService?: SharingRuleService;\n\n  constructor(options: SharingPluginOptions = {}) {\n    this.options = options;\n  }\n\n  async init(ctx: PluginContext): Promise<void> {\n    // Register sys_record_share via the manifest service.\n    ctx.getService<{ register(m: any): void }>('manifest').register({\n      id: 'com.objectstack.service.sharing',\n      name: 'Sharing Service',\n      version: '1.0.0',\n      type: 'plugin',\n      scope: 'system',\n      defaultDatasource: 'cloud',\n      namespace: 'sys',\n      objects: [SysRecordShare, SysSharingRule, SysDepartment, SysDepartmentMember],\n    });\n    ctx.logger.info('SharingServicePlugin: schema registered');\n  }\n\n  async start(ctx: PluginContext): Promise<void> {\n    ctx.hook('kernel:ready', async () => {\n      let engine: any = null;\n      try { engine = ctx.getService<any>('objectql'); }\n      catch { try { engine = ctx.getService<any>('data'); } catch { /* ignore */ } }\n      if (!engine) {\n        ctx.logger.warn('SharingServicePlugin: no ObjectQL engine — service NOT registered');\n        return;\n      }\n\n      this.service = new SharingService({\n        engine: engine as SharingEngine,\n        bypassObjects: this.options.bypassObjects,\n      });\n      ctx.registerService('sharing', this.service);\n\n      if (this.options.enforce === false) {\n        ctx.logger.info('SharingServicePlugin: enforcement disabled (enforce=false)');\n        return;\n      }\n\n      const mw = buildSharingMiddleware(this.service);\n      if (typeof engine.registerMiddleware === 'function') {\n        engine.registerMiddleware(mw, { object: '*' });\n        ctx.logger.info('SharingServicePlugin: enforcement middleware installed');\n      } else {\n        ctx.logger.warn('SharingServicePlugin: engine has no registerMiddleware — enforcement not applied');\n      }\n\n      // Rule evaluator + hot-rebindable lifecycle hooks.\n      try {\n        this.ruleService = new SharingRuleService({\n          engine: engine as SharingEngine,\n          sharing: this.service,\n          logger: ctx.logger as any,\n        });\n        ctx.registerService('sharingRules', this.ruleService);\n\n        if (typeof engine.registerHook === 'function' && typeof engine.unregisterHooksByPackage === 'function') {\n          const rules = await this.ruleService.listRules({ activeOnly: true }, { isSystem: true } as any);\n          unbindAllRuleHooks(engine);\n          bindRuleHooks(engine, this.ruleService, rules, ctx.logger as any);\n        } else {\n          ctx.logger.warn('SharingServicePlugin: engine has no hook API — sharing rule auto-evaluation disabled');\n        }\n      } catch (err: any) {\n        ctx.logger.warn('SharingServicePlugin: sharing-rule subsystem not started', { error: err?.message });\n      }\n    });\n  }\n}\n\n/**\n * Build the engine middleware that injects read filters and gates\n * write operations. Exported so it can be unit-tested without booting\n * a kernel.\n */\nexport function buildSharingMiddleware(service: SharingService): EngineMiddleware {\n  return async function sharingMiddleware(ctx: OperationContext, next: () => Promise<void>) {\n    const op = ctx.operation;\n    const exec = ctx.context as any;\n\n    // READS — AND the visibility filter into the AST.\n    if (op === 'find' || op === 'findOne' || op === 'count' || op === 'aggregate') {\n      const filter = await service.buildReadFilter(ctx.object, exec ?? {});\n      if (filter) {\n        const ast: any = ctx.ast ?? {};\n        ast.where = composeAnd(ast.where, filter);\n        ast.filter = composeAnd(ast.filter, filter);\n        ctx.ast = ast;\n      }\n      return next();\n    }\n\n    // WRITES — gate on canEdit for update / delete.\n    if (op === 'update' || op === 'delete') {\n      const data: any = ctx.data;\n      const options: any = ctx.options;\n      const id = inferTargetId(data, options);\n      if (id != null) {\n        const ok = await service.canEdit(ctx.object, String(id), exec ?? {});\n        if (!ok) {\n          const err: any = new Error(\n            `FORBIDDEN: insufficient privileges to ${op} ${ctx.object} ${id}`,\n          );\n          err.code = 'FORBIDDEN';\n          err.status = 403;\n          throw err;\n        }\n      }\n      return next();\n    }\n\n    // INSERT / others pass through — ownership stamping is the\n    // application's job (and is enforced by existing field defaults).\n    return next();\n  };\n}\n\nfunction composeAnd(existing: unknown, addition: unknown): unknown {\n  if (existing == null) return addition;\n  if (addition == null) return existing;\n  // Both objects — merge with $and.\n  if (\n    typeof existing === 'object' && existing !== null && !Array.isArray(existing) &&\n    typeof addition === 'object' && addition !== null && !Array.isArray(addition)\n  ) {\n    const ex: any = existing;\n    if (Array.isArray(ex.$and)) {\n      return { $and: [...ex.$and, addition] };\n    }\n    // Heuristic: if existing has no operator keys, attempt shallow merge;\n    // otherwise nest into $and to preserve semantics.\n    return { $and: [existing, addition] };\n  }\n  return { $and: [existing, addition] };\n}\n\nfunction inferTargetId(data: any, options: any): string | number | undefined {\n  if (data && typeof data === 'object' && data.id != null) return data.id;\n  if (options && typeof options === 'object') {\n    if (options.id != null) return options.id;\n    if (options.where && typeof options.where === 'object' && options.where.id != null) {\n      return options.where.id;\n    }\n    if (options.filter && typeof options.filter === 'object' && options.filter.id != null) {\n      return options.filter.id;\n    }\n  }\n  return undefined;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAWA,IAAAA,mBAA+C;AAC/C,IAAAC,mBAAmD;;;ACgBnD,SAAS,cAAsB;AAC7B,QAAM,IAAS;AACf,MAAI,EAAE,QAAQ,WAAY,QAAO,OAAO,EAAE,OAAO,WAAW,CAAC;AAC7D,SAAO,OAAO,KAAK,IAAI,EAAE,SAAS,EAAE,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;AAClF;AAGA,IAAM,aAAa,EAAE,UAAU,MAAM,OAAO,CAAC,GAAG,aAAa,CAAC,EAAE;AAShE,IAAM,cAAc;AAQpB,SAAS,sBAAsB,QAA4C;AACzE,QAAM,IAAI,QAAQ,gBAAgB,QAAQ,UAAU;AACpD,MAAI,MAAM,UAAW,QAAO;AAC5B,MAAI,MAAM,OAAQ,QAAO;AACzB,SAAO;AACT;AAEA,SAAS,cAAc,QAAsB;AAC3C,SAAO,QAAQ,QAAQ,UAAU,eAAe,OAAO,MAAM;AAC/D;AAgBO,IAAM,iBAAN,MAAgD;AAAA,EAIrD,YAAY,SAAgC;AAC1C,SAAK,SAAS,QAAQ;AACtB,SAAK,gBAAgB,oBAAI,IAAI;AAAA,MAC3B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,GAAI,QAAQ,iBAAiB,CAAC;AAAA,IAChC,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBACJ,QACA,SACyB;AACzB,QAAI,KAAK,aAAa,QAAQ,OAAO,EAAG,QAAO;AAE/C,UAAM,SAAS,KAAK,OAAO,YAAY,MAAM;AAC7C,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,sBAAsB,MAAM,MAAM,UAAW,QAAO;AACxD,QAAI,CAAC,cAAc,MAAM,EAAG,QAAO;AACnC,QAAI,CAAC,QAAQ,QAAQ;AAInB,aAAO,EAAE,IAAI,eAAe;AAAA,IAC9B;AAEA,UAAM,SAAS,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MACxD,QAAQ;AAAA,QACN,aAAa;AAAA,QACb,gBAAgB;AAAA,QAChB,cAAc,QAAQ;AAAA,MACxB;AAAA,MACA,QAAQ,CAAC,aAAa,cAAc;AAAA,MACpC,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AAED,UAAM,aAAuB,MAAM,QAAQ,MAAM,IAC7C,OAAO,IAAI,CAAC,MAAW,OAAO,EAAE,SAAS,CAAC,EAAE,OAAO,OAAO,IAC1D,CAAC;AAEL,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO,EAAE,CAAC,WAAW,GAAG,QAAQ,OAAO;AAAA,IACzC;AAEA,WAAO;AAAA,MACL,KAAK;AAAA,QACH,EAAE,CAAC,WAAW,GAAG,QAAQ,OAAO;AAAA,QAChC,EAAE,IAAI,EAAE,KAAK,WAAW,EAAE;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,QACJ,QACA,UACA,SACkB;AAClB,QAAI,KAAK,aAAa,QAAQ,OAAO,EAAG,QAAO;AAE/C,UAAM,SAAS,KAAK,OAAO,YAAY,MAAM;AAC7C,QAAI,CAAC,OAAQ,QAAO;AACpB,UAAM,QAAQ,sBAAsB,MAAM;AAC1C,QAAI,UAAU,SAAU,QAAO;AAC/B,QAAI,CAAC,cAAc,MAAM,EAAG,QAAO;AACnC,QAAI,CAAC,QAAQ,OAAQ,QAAO;AAG5B,UAAM,MAAM,MAAM,KAAK,OAAO,KAAK,QAAQ;AAAA,MACzC,QAAQ,EAAE,IAAI,SAAS;AAAA,MACvB,QAAQ,CAAC,MAAM,WAAW;AAAA,MAC1B,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AACD,UAAM,QAAQ,MAAM,QAAQ,GAAG,KAAK,IAAI,CAAC,IAAK,IAAI,CAAC,EAAU,WAAW,IAAI;AAC5E,QAAI,SAAS,OAAO,KAAK,MAAM,OAAO,QAAQ,MAAM,EAAG,QAAO;AAG9D,UAAM,aAAa,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MAC5D,QAAQ;AAAA,QACN,aAAa;AAAA,QACb,WAAW;AAAA,QACX,gBAAgB;AAAA,QAChB,cAAc,QAAQ;AAAA,QACtB,cAAc,EAAE,KAAK,CAAC,QAAQ,MAAM,EAAE;AAAA,MACxC;AAAA,MACA,QAAQ,CAAC,IAAI;AAAA,MACb,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AACD,WAAO,MAAM,QAAQ,UAAU,KAAK,WAAW,SAAS;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MACJ,OACA,SACsB;AACtB,QAAI,CAAC,MAAM,OAAQ,OAAM,IAAI,MAAM,uCAAuC;AAC1E,QAAI,CAAC,MAAM,SAAU,OAAM,IAAI,MAAM,yCAAyC;AAC9E,QAAI,CAAC,MAAM,YAAa,OAAM,IAAI,MAAM,4CAA4C;AAEpF,UAAM,gBAAgB,MAAM,iBAAiB;AAC7C,UAAM,cAAgC,MAAM,eAAe;AAC3D,UAAM,SAAS,MAAM,UAAU;AAI/B,UAAM,WAAW,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MAC1D,QAAQ;AAAA,QACN,aAAa,MAAM;AAAA,QACnB,WAAW,MAAM;AAAA,QACjB,gBAAgB;AAAA,QAChB,cAAc,MAAM;AAAA,MACtB;AAAA,MACA,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AACD,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,QAAI,MAAM,QAAQ,QAAQ,KAAK,SAAS,CAAC,GAAG;AAC1C,YAAMC,OAAW,SAAS,CAAC;AAC3B,YAAM,QAAa;AAAA,QACjB,IAAIA,KAAI;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,WAAW,MAAM,YAAYA,KAAI,aAAa;AAAA,QAC9C,QAAQ,MAAM,UAAUA,KAAI,UAAU;AAAA,QACtC,YAAY;AAAA,MACd;AACA,YAAM,KAAK,OAAO,OAAO,oBAAoB,OAAO,EAAE,SAAS,WAAW,CAAC;AAC3E,aAAO,EAAE,GAAGA,MAAK,GAAG,MAAM;AAAA,IAC5B;AAEA,UAAM,KAAK,YAAY;AACvB,UAAM,MAAW;AAAA,MACf;AAAA,MACA,aAAa,MAAM;AAAA,MACnB,WAAW,MAAM;AAAA,MACjB,gBAAgB;AAAA,MAChB,cAAc,MAAM;AAAA,MACpB,cAAc;AAAA,MACd;AAAA,MACA,WAAW,MAAM,YAAY;AAAA,MAC7B,YAAY,QAAQ,UAAU;AAAA,MAC9B,QAAQ,MAAM,UAAU;AAAA,MACxB,YAAY;AAAA,MACZ,YAAY;AAAA,IACd;AACA,UAAM,KAAK,OAAO,OAAO,oBAAoB,KAAK,EAAE,SAAS,WAAW,CAAC;AACzE,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,OAAO,SAAiB,UAAkD;AAC9E,QAAI,CAAC,QAAS,OAAM,IAAI,MAAM,wCAAwC;AACtE,UAAM,KAAK,OAAO,OAAO,oBAAoB;AAAA,MAC3C,OAAO,EAAE,IAAI,QAAQ;AAAA,MACrB,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,MAAM,WACJ,QACA,UACA,UACwB;AACxB,UAAM,OAAO,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MACtD,QAAQ,EAAE,aAAa,QAAQ,WAAW,SAAS;AAAA,MACnD,SAAS,CAAC,EAAE,OAAO,cAAc,WAAW,OAAO,CAAC;AAAA,MACpD,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AACD,WAAO,MAAM,QAAQ,IAAI,IAAK,OAAyB,CAAC;AAAA,EAC1D;AAAA;AAAA,EAIQ,aAAa,QAAgB,SAA2C;AAC9E,QAAI,SAAS,SAAU,QAAO;AAC9B,QAAI,KAAK,cAAc,IAAI,MAAM,EAAG,QAAO;AAC3C,WAAO;AAAA,EACT;AACF;;;ACrRA,IAAMC,cAAa,EAAE,UAAU,MAAM,OAAO,CAAC,GAAG,aAAa,CAAC,EAAE;AA6BzD,IAAM,mBAAN,MAAoD;AAAA,EAKzD,YAAY,MAAwB;AAvCtC;AAwCI,SAAK,SAAS,KAAK;AACnB,SAAK,iBAAiB,KAAK,kBAAkB;AAC7C,SAAK,QAAQ,KAAK,SAAS,CAAC;AAC5B,eAAK,OAAM,gBAAX,GAAW,cAAgB,oBAAI,IAAI;AACnC,eAAK,OAAM,eAAX,GAAW,aAAe,oBAAI,IAAI;AAClC,eAAK,OAAM,YAAX,GAAW,UAAY,oBAAI,IAAI;AAAA,EACjC;AAAA,EAEA,MAAM,YAAY,QAAmC;AACnD,QAAI,CAAC,OAAQ,QAAO,CAAC;AACrB,UAAM,SAAS,KAAK,MAAM,YAAa,IAAI,MAAM;AACjD,QAAI,OAAQ,QAAO;AAEnB,QAAI,OAAc,CAAC;AACnB,QAAI;AACF,aAAO,MAAM,KAAK,OAAO,KAAK,mBAAmB;AAAA,QAC/C,QAAQ,EAAE,SAAS,OAAO;AAAA,QAC1B,QAAQ,CAAC,SAAS;AAAA,QAClB,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AAAA,IACH,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AACA,UAAM,QAAQ,MAAM,KAAK,IAAI,KAAK,QAAQ,CAAC,GAAG,IAAI,CAAC,MAAW,OAAO,EAAE,WAAW,EAAE,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AACvG,SAAK,MAAM,YAAa,IAAI,QAAQ,KAAK;AACzC,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,UAAkB,gBAA4C;AAClF,QAAI,CAAC,SAAU,QAAO,CAAC;AACvB,UAAM,MAAM,GAAG,kBAAkB,KAAK,kBAAkB,GAAG,KAAK,QAAQ;AACxE,UAAM,SAAS,KAAK,MAAM,WAAY,IAAI,GAAG;AAC7C,QAAI,OAAQ,QAAO;AACnB,UAAM,SAAkC,EAAE,MAAM,SAAS;AACzD,UAAM,MAAM,kBAAkB,KAAK;AACnC,QAAI,IAAK,QAAO,kBAAkB;AAClC,QAAI,OAAc,CAAC;AACnB,QAAI;AACF,aAAO,MAAM,KAAK,OAAO,KAAK,cAAc;AAAA,QAC1C;AAAA,QACA,QAAQ,CAAC,SAAS;AAAA,QAClB,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AAAA,IACH,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AACA,UAAM,QAAQ,MAAM,KAAK,IAAI,KAAK,QAAQ,CAAC,GAAG,IAAI,CAAC,MAAW,OAAO,EAAE,WAAW,EAAE,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AACvG,SAAK,MAAM,WAAY,IAAI,KAAK,KAAK;AACrC,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,QAAgB,iBAAkD;AAChF,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,KAAK,MAAM,QAAS,IAAI,MAAM,EAAG,QAAO,KAAK,MAAM,QAAS,IAAI,MAAM,KAAK;AAC/E,QAAI,MAAW;AACf,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,OAAO,KAAK,YAAY;AAAA,QAC9C,QAAQ,EAAE,IAAI,OAAO;AAAA,QACrB,QAAQ,CAAC,MAAM,YAAY;AAAA,QAC3B,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AACD,YAAM,MAAM,QAAQ,IAAI,IAAI,KAAK,CAAC,IAAI;AAAA,IACxC,QAAQ;AACN,YAAM;AAAA,IACR;AACA,UAAM,MAAM,KAAK,aAAa,OAAO,IAAI,UAAU,IAAI;AACvD,SAAK,MAAM,QAAS,IAAI,QAAQ,GAAG;AACnC,WAAO;AAAA,EACT;AACF;AAkBA,eAAsB,gBACpB,OACA,KACmB;AACnB,QAAM,IAAI,MAAM;AAChB,QAAM,IAAI,OAAO,MAAM,SAAS,EAAE;AAClC,MAAI,CAAC,EAAG,QAAO,CAAC;AAChB,MAAI,MAAM,OAAQ,QAAO,CAAC,CAAC;AAC3B,MAAI,MAAM,OAAQ,QAAO,IAAI,KAAK,YAAY,CAAC;AAC/C,MAAI,MAAM,gBAAgB,MAAM,QAAQ;AACtC,QAAI,IAAI,KAAM,QAAO,IAAI,KAAK,YAAY,CAAC;AAC3C,WAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;AAAA,EACrB;AACA,MAAI,MAAM,OAAQ,QAAO,IAAI,KAAK,gBAAgB,GAAG,IAAI,kBAAkB,MAAS;AACpF,MAAI,MAAM,WAAW,MAAM,QAAQ;AACjC,UAAM,KAAM,MAAM,OAAe,CAAC;AAClC,WAAO,KAAK,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC;AAAA,EAC9B;AACA,MAAI,MAAM,aAAa,MAAM,QAAQ;AACnC,UAAM,UAAW,MAAM,OAAe,CAAC,KAAM,MAAM,OAAe;AAClE,QAAI,CAAC,QAAS,QAAO,CAAC;AACtB,UAAM,MAAM,MAAM,IAAI,KAAK,UAAU,OAAO,OAAO,GAAG,IAAI,kBAAkB,MAAS;AACrF,WAAO,MAAM,CAAC,GAAG,IAAI,CAAC;AAAA,EACxB;AAGA,SAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;AACrB;;;ACvJA,IAAMC,cAAa,EAAE,UAAU,MAAM,OAAO,CAAC,GAAG,aAAa,CAAC,EAAE;AAkCzD,IAAM,yBAAN,MAAgE;AAAA,EAMrE,YAAY,MAA8B;AA9C5C;AA+CI,SAAK,SAAS,KAAK;AACnB,SAAK,iBAAiB,KAAK,kBAAkB;AAC7C,SAAK,QAAQ,KAAK,SAAS,CAAC;AAC5B,eAAK,OAAM,gBAAX,GAAW,cAAgB,oBAAI,IAAI;AACnC,eAAK,OAAM,gBAAX,GAAW,cAAgB,oBAAI,IAAI;AACnC,eAAK,OAAM,SAAX,GAAW,OAAS,oBAAI,IAAI;AAC5B,SAAK,YAAY,KAAK;AAAA,EACxB;AAAA,EAEA,MAAM,YAAY,cAAyC;AACzD,QAAI,CAAC,aAAc,QAAO,CAAC;AAC3B,UAAM,SAAS,KAAK,MAAM,YAAa,IAAI,YAAY;AACvD,QAAI,OAAQ,QAAO;AAGnB,QAAI,aAAa;AACjB,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,OAAO,KAAK,kBAAkB;AAAA,QACxD,QAAQ,KAAK,SAAS,EAAE,IAAI,aAAa,CAAC;AAAA,QAC1C,QAAQ,CAAC,MAAM,QAAQ;AAAA,QACvB,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AACD,YAAM,UAAe,MAAM,QAAQ,QAAQ,IAAI,SAAS,CAAC,IAAI;AAC7D,UAAI,CAAC,QAAS,cAAa;AAAA,eAClB,QAAQ,WAAW,MAAO,cAAa;AAAA,IAClD,QAAQ;AACN,mBAAa;AAAA,IACf;AACA,QAAI,CAAC,YAAY;AACf,WAAK,MAAM,YAAa,IAAI,cAAc,CAAC,CAAC;AAC5C,aAAO,CAAC;AAAA,IACV;AAEA,UAAM,OAAO,oBAAI,IAAY,CAAC,YAAY,CAAC;AAC3C,UAAM,QAAkB,CAAC,YAAY;AACrC,WAAO,MAAM,QAAQ;AACnB,YAAM,SAAS,MAAM,MAAM;AAC3B,UAAI,WAAkB,CAAC;AACvB,UAAI;AACF,mBAAW,MAAM,KAAK,OAAO,KAAK,kBAAkB;AAAA,UAClD,QAAQ,KAAK,SAAS,EAAE,sBAAsB,QAAQ,QAAQ,EAAE,KAAK,MAAM,EAAE,CAAC;AAAA,UAC9E,QAAQ,CAAC,IAAI;AAAA,UACb,OAAO;AAAA,UACP,SAASA;AAAA,QACX,CAAC;AAAA,MACH,QAAQ;AACN,mBAAW,CAAC;AAAA,MACd;AACA,iBAAW,KAAK,YAAY,CAAC,GAAG;AAC9B,cAAM,MAAM,OAAQ,EAAU,MAAM,EAAE;AACtC,YAAI,OAAO,CAAC,KAAK,IAAI,GAAG,GAAG;AACzB,eAAK,IAAI,GAAG;AACZ,gBAAM,KAAK,GAAG;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,IAAI;AAC3B,SAAK,MAAM,YAAa,IAAI,cAAc,GAAG;AAC7C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,YAAY,cAAyC;AACzD,QAAI,CAAC,aAAc,QAAO,CAAC;AAC3B,UAAM,SAAS,KAAK,MAAM,YAAa,IAAI,YAAY;AACvD,QAAI,OAAQ,QAAO;AAEnB,UAAM,QAAQ,MAAM,KAAK,YAAY,YAAY;AACjD,QAAI,MAAM,WAAW,EAAG,QAAO,CAAC;AAEhC,QAAI,OAAc,CAAC;AACnB,QAAI;AACF,aAAO,MAAM,KAAK,OAAO,KAAK,yBAAyB;AAAA,QACrD,QAAQ,EAAE,eAAe,EAAE,KAAK,MAAM,EAAE;AAAA,QACxC,QAAQ,CAAC,SAAS;AAAA,QAClB,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AAAA,IACH,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AACA,UAAM,QAAQ,MAAM;AAAA,MAClB,IAAI,KAAK,QAAQ,CAAC,GAAG,IAAI,CAAC,MAAW,OAAO,EAAE,WAAW,EAAE,CAAC,EAAE,OAAO,OAAO,CAAC;AAAA,IAC/E;AACA,SAAK,MAAM,YAAa,IAAI,cAAc,KAAK;AAC/C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,OAAO,cAA8C;AACzD,QAAI,CAAC,aAAc,QAAO;AAC1B,QAAI,KAAK,MAAM,KAAM,IAAI,YAAY,EAAG,QAAO,KAAK,MAAM,KAAM,IAAI,YAAY,KAAK;AACrF,QAAI,MAAW;AACf,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,OAAO,KAAK,kBAAkB;AAAA,QACpD,QAAQ,EAAE,IAAI,aAAa;AAAA,QAC3B,QAAQ,CAAC,MAAM,iBAAiB;AAAA,QAChC,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AACD,YAAM,MAAM,QAAQ,IAAI,IAAI,KAAK,CAAC,IAAI;AAAA,IACxC,QAAQ;AACN,YAAM;AAAA,IACR;AACA,UAAM,OAAO,KAAK,kBAAkB,OAAO,IAAI,eAAe,IAAI;AAClE,SAAK,MAAM,KAAM,IAAI,cAAc,IAAI;AACvC,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,QAAgB,gBAAiD;AAC/E,QAAI,KAAK,UAAW,QAAO,KAAK,UAAU,UAAU,QAAQ,cAAc;AAE1E,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,OAAO,KAAK,YAAY;AAAA,QAC9C,QAAQ,EAAE,IAAI,OAAO;AAAA,QACrB,QAAQ,CAAC,MAAM,YAAY;AAAA,QAC3B,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AACD,YAAM,MAAW,MAAM,QAAQ,IAAI,IAAI,KAAK,CAAC,IAAI;AACjD,aAAO,KAAK,aAAa,OAAO,IAAI,UAAU,IAAI;AAAA,IACpD,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,SAAS,QAA0D;AACzE,QAAI,KAAK,eAAgB,QAAO,EAAE,GAAG,QAAQ,iBAAiB,KAAK,eAAe;AAClF,WAAO;AAAA,EACT;AACF;;;ACjKA,IAAMC,cAAa,EAAE,UAAU,MAAM,OAAO,CAAC,GAAG,aAAa,CAAC,EAAE;AAEhE,SAAS,IAAI,QAAwB;AACnC,QAAM,IAAS;AACf,MAAI,EAAE,QAAQ,WAAY,QAAO,GAAG,MAAM,IAAI,EAAE,OAAO,WAAW,CAAC;AACnE,SAAO,GAAG,MAAM,IAAI,KAAK,IAAI,EAAE,SAAS,EAAE,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;AACxF;AAEA,SAAS,cAAc,KAAmC;AACxD,MAAI,OAAO,QAAQ,QAAQ,GAAI,QAAO;AACtC,MAAI,OAAO,QAAQ,UAAU;AAC3B,UAAM,UAAU,IAAI,KAAK;AACzB,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI;AACF,aAAO,KAAK,MAAM,OAAO;AAAA,IAC3B,QAAQ;AAGN,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAY,KAA0B;AAC7C,SAAO;AAAA,IACL,IAAI,IAAI;AAAA,IACR,iBAAiB,IAAI,mBAAmB;AAAA,IACxC,MAAM,IAAI;AAAA,IACV,OAAO,IAAI;AAAA,IACX,aAAa,IAAI,eAAe;AAAA,IAChC,aAAa,IAAI;AAAA,IACjB,UAAU,cAAc,IAAI,aAAa;AAAA,IACzC,gBAAgB,IAAI;AAAA,IACpB,cAAc,IAAI;AAAA,IAClB,cAAc,IAAI;AAAA,IAClB,QAAQ,IAAI,WAAW;AAAA,IACvB,YAAY,IAAI,cAAc;AAAA,IAC9B,YAAY,IAAI,cAAc;AAAA,EAChC;AACF;AAgBO,IAAM,qBAAN,MAAwD;AAAA,EAK7D,YAAY,MAAiC;AAC3C,SAAK,SAAS,KAAK;AACnB,SAAK,UAAU,KAAK;AACpB,SAAK,SAAS,KAAK;AAAA,EACrB;AAAA,EAEA,MAAM,WAAW,OAA+B,SAA2D;AACzG,QAAI,CAAC,MAAM,KAAM,OAAM,IAAI,MAAM,qCAAqC;AACtE,QAAI,CAAC,MAAM,MAAO,OAAM,IAAI,MAAM,sCAAsC;AACxE,QAAI,CAAC,MAAM,OAAQ,OAAM,IAAI,MAAM,uCAAuC;AAC1E,QAAI,CAAC,MAAM,cAAe,OAAM,IAAI,MAAM,8CAA8C;AACxF,QAAI,CAAC,MAAM,YAAa,OAAM,IAAI,MAAM,4CAA4C;AAEpF,UAAM,QAAS,SAAiB,kBAAmB,SAAiB,YAAY;AAChF,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,cAAgC,MAAM,eAAe;AAC3D,UAAM,SAAS,MAAM,WAAW;AAChC,UAAM,eAAe,MAAM,YAAY,OACnC,OACC,OAAO,MAAM,aAAa,WAAW,MAAM,WAAW,KAAK,UAAU,MAAM,QAAQ;AAExF,UAAM,WAAW,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MAC1D,QAAQ,QAAQ,EAAE,MAAM,MAAM,MAAM,iBAAiB,MAAM,IAAI,EAAE,MAAM,MAAM,KAAK;AAAA,MAClF,OAAO;AAAA,MACP,SAASA;AAAA,IACX,CAAC;AACD,QAAI,MAAM,QAAQ,QAAQ,KAAK,SAAS,CAAC,GAAG;AAC1C,YAAM,MAAW,SAAS,CAAC;AAC3B,YAAM,QAAa;AAAA,QACjB,IAAI,IAAI;AAAA,QACR,OAAO,MAAM;AAAA,QACb,aAAa,MAAM,eAAe;AAAA,QAClC,aAAa,MAAM;AAAA,QACnB,eAAe;AAAA,QACf,gBAAgB,MAAM;AAAA,QACtB,cAAc,MAAM;AAAA,QACpB,cAAc;AAAA,QACd;AAAA,QACA,YAAY;AAAA,MACd;AACA,YAAM,KAAK,OAAO,OAAO,oBAAoB,OAAO,EAAE,SAASA,YAAW,CAAC;AAC3E,aAAO,YAAY,EAAE,GAAG,KAAK,GAAG,MAAM,CAAC;AAAA,IACzC;AAEA,UAAM,SAAc;AAAA,MAClB,IAAI,IAAI,OAAO;AAAA,MACf,iBAAiB;AAAA,MACjB,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,aAAa,MAAM,eAAe;AAAA,MAClC,aAAa,MAAM;AAAA,MACnB,eAAe;AAAA,MACf,gBAAgB,MAAM;AAAA,MACtB,cAAc,MAAM;AAAA,MACpB,cAAc;AAAA,MACd;AAAA,MACA,YAAY;AAAA,MACZ,YAAY;AAAA,IACd;AACA,UAAM,KAAK,OAAO,OAAO,oBAAoB,QAAQ,EAAE,SAASA,YAAW,CAAC;AAC5E,WAAO,YAAY,MAAM;AAAA,EAC3B;AAAA,EAEA,MAAM,UACJ,QACA,SAC2B;AAC3B,UAAM,QAAa,CAAC;AACpB,QAAI,OAAO,OAAQ,OAAM,cAAc,OAAO;AAC9C,QAAI,OAAO,WAAY,OAAM,SAAS;AACtC,UAAM,QAAS,SAAiB,kBAAmB,SAAiB;AACpE,QAAI,MAAO,OAAM,kBAAkB;AACnC,UAAM,OAAO,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MACtD,QAAQ;AAAA,MACR,SAAS,CAAC,EAAE,OAAO,QAAQ,WAAW,MAAM,CAAC;AAAA,MAC7C,OAAO;AAAA,MACP,SAASA;AAAA,IACX,CAAC;AACD,WAAO,MAAM,QAAQ,IAAI,IAAI,KAAK,IAAI,WAAW,IAAI,CAAC;AAAA,EACxD;AAAA,EAEA,MAAM,QAAQ,UAAkB,SAAkE;AAChG,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,QAAS,SAAiB,kBAAmB,SAAiB;AACpE,UAAM,OAAO,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MACtD,QAAQ,EAAE,IAAI,SAAS;AAAA,MACvB,OAAO;AAAA,MACP,SAASA;AAAA,IACX,CAAC;AACD,QAAI,MAAM,QAAQ,IAAI,KAAK,KAAK,CAAC,EAAG,QAAO,YAAY,KAAK,CAAC,CAAC;AAC9D,UAAM,SAAS,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MACxD,QAAQ,QAAQ,EAAE,MAAM,UAAU,iBAAiB,MAAM,IAAI,EAAE,MAAM,SAAS;AAAA,MAC9E,OAAO;AAAA,MACP,SAASA;AAAA,IACX,CAAC;AACD,QAAI,MAAM,QAAQ,MAAM,KAAK,OAAO,CAAC,EAAG,QAAO,YAAY,OAAO,CAAC,CAAC;AACpE,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,WAAW,UAAkB,SAAiD;AAClF,UAAM,MAAM,MAAM,KAAK,QAAQ,UAAU,OAAO;AAChD,QAAI,CAAC,IAAK;AAEV,UAAM,KAAK,OAAO,OAAO,oBAAoB;AAAA,MAC3C,OAAO,EAAE,QAAQ,QAAQ,WAAW,IAAI,GAAG;AAAA,MAC3C,SAASA;AAAA,IACX,CAAQ;AACR,UAAM,KAAK,OAAO,OAAO,oBAAoB;AAAA,MAC3C,OAAO,EAAE,IAAI,IAAI,GAAG;AAAA,MACpB,SAASA;AAAA,IACX,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,aAAa,UAAkB,SAAwE;AAC3G,UAAM,OAAO,MAAM,KAAK,QAAQ,UAAU,OAAO;AACjD,QAAI,CAAC,KAAM,OAAM,IAAI,MAAM,gBAAgB;AAC3C,QAAI,CAAC,KAAK,QAAQ;AAEhB,YAAM,UAAU,MAAM,KAAK,gBAAgB,KAAK,EAAE;AAClD,aAAO,EAAE,QAAQ,KAAK,IAAI,gBAAgB,GAAG,eAAe,GAAG,eAAe,GAAG,eAAe,GAAG,eAAe,QAAQ;AAAA,IAC5H;AACA,UAAM,UAAU,MAAM,KAAK,oBAAoB,IAAI;AACnD,UAAM,QAAQ,MAAM,KAAK,gBAAgB,IAAI;AAC7C,WAAO,KAAK,UAAU,MAAM,SAAS,KAAK;AAAA,EAC5C;AAAA,EAEA,MAAM,qBACJ,QACA,UACA,SACwC;AACxC,UAAM,QAAQ,MAAM,KAAK,UAAU,EAAE,QAAQ,YAAY,KAAK,GAAG,OAAO;AACxE,QAAI,MAAM,WAAW,EAAG,QAAO,CAAC;AAChC,UAAM,UAAyC,CAAC;AAChD,eAAW,QAAQ,OAAO;AACxB,YAAM,QAAQ,MAAM,KAAK,cAAc,MAAM,QAAQ;AACrD,YAAM,QAAQ,QAAQ,MAAM,KAAK,gBAAgB,IAAI,IAAI,CAAC;AAC1D,cAAQ,KAAK,MAAM,KAAK,mBAAmB,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC1E;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAIA,MAAc,oBAAoB,MAAyC;AACzE,UAAM,SAAU,KAAK,YAAY,CAAC;AAClC,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,OAAO,KAAK,KAAK,aAAa;AAAA,QACpD;AAAA,QACA,QAAQ,CAAC,IAAI;AAAA,QACb,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AACD,aAAO,MAAM,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,MAAW,OAAO,EAAE,EAAE,CAAC,EAAE,OAAO,OAAO,IAAI,CAAC;AAAA,IACrF,SAAS,KAAU;AACjB,WAAK,QAAQ,OAAO,wCAAwC,EAAE,MAAM,KAAK,MAAM,OAAO,KAAK,QAAQ,CAAC;AACpG,aAAO,CAAC;AAAA,IACV;AAAA,EACF;AAAA,EAEA,MAAc,cAAc,MAAsB,UAAoC;AACpF,UAAM,SAAS,EAAE,GAAK,KAAK,YAAY,CAAC,GAAY,IAAI,SAAS;AACjE,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,OAAO,KAAK,KAAK,aAAa;AAAA,QACpD;AAAA,QACA,QAAQ,CAAC,IAAI;AAAA,QACb,OAAO;AAAA,QACP,SAASA;AAAA,MACX,CAAC;AACD,aAAO,MAAM,QAAQ,IAAI,KAAK,KAAK,SAAS;AAAA,IAC9C,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,gBAAgB,MAAyC;AACrE,UAAM,OAAO,IAAI,iBAAiB;AAAA,MAChC,QAAQ,KAAK;AAAA,MACb,gBAAgB,KAAK,mBAAmB;AAAA,IAC1C,CAAC;AACD,QAAI,KAAK,mBAAmB,OAAQ,QAAO,CAAC,KAAK,YAAY;AAC7D,QAAI,KAAK,mBAAmB,OAAQ,QAAO,KAAK,YAAY,KAAK,YAAY;AAC7E,QAAI,KAAK,mBAAmB,cAAc;AACxC,YAAM,OAAO,IAAI,uBAAuB;AAAA,QACtC,QAAQ,KAAK;AAAA,QACb,gBAAgB,KAAK,mBAAmB;AAAA,QACxC,WAAW;AAAA,MACb,CAAC;AACD,aAAO,KAAK,YAAY,KAAK,YAAY;AAAA,IAC3C;AACA,QAAI,KAAK,mBAAmB,OAAQ,QAAO,KAAK,gBAAgB,KAAK,cAAc,KAAK,mBAAmB,MAAS;AAEpH,WAAO,CAAC;AAAA,EACV;AAAA,EAEA,MAAc,UACZ,MACA,YACA,OACsC;AACtC,UAAM,WAAW,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MAC1D,QAAQ,EAAE,QAAQ,QAAQ,WAAW,KAAK,GAAG;AAAA,MAC7C,QAAQ,CAAC,MAAM,aAAa,gBAAgB,cAAc;AAAA,MAC1D,OAAO;AAAA,MACP,SAASA;AAAA,IACX,CAAC;AACD,UAAM,UAAU,oBAAI,IAAyD;AAC7E,eAAW,OAAO,YAAY;AAC5B,iBAAW,OAAO,MAAO,SAAQ,IAAI,GAAG,GAAG,KAAK,GAAG,IAAI,EAAE,WAAW,KAAK,cAAc,IAAI,CAAC;AAAA,IAC9F;AACA,UAAM,cAAc,oBAAI,IAAiB;AACzC,eAAW,OAAQ,YAAY,CAAC,EAAI,aAAY,IAAI,GAAG,IAAI,SAAS,KAAK,IAAI,YAAY,IAAI,GAAG;AAEhG,QAAI,UAAU;AACd,QAAI,UAAU;AACd,QAAI,UAAU;AAGd,eAAW,CAAC,GAAG,IAAI,KAAK,QAAQ,QAAQ,GAAG;AACzC,YAAM,MAAM,YAAY,IAAI,CAAC;AAC7B,UAAI,KAAK;AACP,YAAI,IAAI,iBAAiB,KAAK,cAAc;AAC1C,gBAAM,KAAK,QAAQ;AAAA,YACjB;AAAA,cACE,QAAQ,KAAK;AAAA,cACb,UAAU,KAAK;AAAA,cACf,eAAe;AAAA,cACf,aAAa,KAAK;AAAA,cAClB,aAAa,KAAK;AAAA,cAClB,QAAQ;AAAA,cACR,UAAU,KAAK;AAAA,cACf,QAAQ,QAAQ,KAAK,IAAI;AAAA,YAC3B;AAAA,YACAA;AAAA,UACF;AACA,qBAAW;AAAA,QACb;AACA,oBAAY,OAAO,CAAC;AAAA,MACtB,OAAO;AACL,cAAM,KAAK,QAAQ;AAAA,UACjB;AAAA,YACE,QAAQ,KAAK;AAAA,YACb,UAAU,KAAK;AAAA,YACf,eAAe;AAAA,YACf,aAAa,KAAK;AAAA,YAClB,aAAa,KAAK;AAAA,YAClB,QAAQ;AAAA,YACR,UAAU,KAAK;AAAA,YACf,QAAQ,QAAQ,KAAK,IAAI;AAAA,UAC3B;AAAA,UACAA;AAAA,QACF;AACA,mBAAW;AAAA,MACb;AAAA,IACF;AAEA,eAAW,CAAC,EAAE,KAAK,KAAK,YAAY,QAAQ,GAAG;AAC7C,YAAM,KAAK,QAAQ,OAAO,MAAM,IAAIA,WAAiB;AACrD,iBAAW;AAAA,IACb;AAEA,WAAO;AAAA,MACL,QAAQ,KAAK;AAAA,MACb,gBAAgB,WAAW;AAAA,MAC3B,eAAe,MAAM;AAAA,MACrB,eAAe;AAAA,MACf,eAAe;AAAA,MACf,eAAe;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,MAAc,mBACZ,MACA,UACA,OACA,OACsC;AACtC,UAAM,WAAW,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MAC1D,QAAQ,EAAE,QAAQ,QAAQ,WAAW,KAAK,IAAI,WAAW,SAAS;AAAA,MAClE,QAAQ,CAAC,MAAM,aAAa,gBAAgB,cAAc;AAAA,MAC1D,OAAO;AAAA,MACP,SAASA;AAAA,IACX,CAAC;AACD,UAAM,cAAc,oBAAI,IAAiB;AACzC,eAAW,OAAQ,YAAY,CAAC,EAAI,aAAY,IAAI,OAAO,IAAI,YAAY,GAAG,GAAG;AAEjF,QAAI,UAAU;AACd,QAAI,UAAU;AACd,QAAI,UAAU;AAEd,QAAI,OAAO;AACT,iBAAW,UAAU,OAAO;AAC1B,cAAM,MAAM,YAAY,IAAI,MAAM;AAClC,YAAI,KAAK;AACP,cAAI,IAAI,iBAAiB,KAAK,cAAc;AAC1C,kBAAM,KAAK,QAAQ;AAAA,cACjB;AAAA,gBACE,QAAQ,KAAK;AAAA,gBACb;AAAA,gBACA,eAAe;AAAA,gBACf,aAAa;AAAA,gBACb,aAAa,KAAK;AAAA,gBAClB,QAAQ;AAAA,gBACR,UAAU,KAAK;AAAA,gBACf,QAAQ,QAAQ,KAAK,IAAI;AAAA,cAC3B;AAAA,cACAA;AAAA,YACF;AACA,uBAAW;AAAA,UACb;AACA,sBAAY,OAAO,MAAM;AAAA,QAC3B,OAAO;AACL,gBAAM,KAAK,QAAQ;AAAA,YACjB;AAAA,cACE,QAAQ,KAAK;AAAA,cACb;AAAA,cACA,eAAe;AAAA,cACf,aAAa;AAAA,cACb,aAAa,KAAK;AAAA,cAClB,QAAQ;AAAA,cACR,UAAU,KAAK;AAAA,cACf,QAAQ,QAAQ,KAAK,IAAI;AAAA,YAC3B;AAAA,YACAA;AAAA,UACF;AACA,qBAAW;AAAA,QACb;AAAA,MACF;AAAA,IACF;AAGA,eAAW,CAAC,EAAE,KAAK,KAAK,YAAY,QAAQ,GAAG;AAC7C,YAAM,KAAK,QAAQ,OAAO,MAAM,IAAIA,WAAiB;AACrD,iBAAW;AAAA,IACb;AAEA,WAAO;AAAA,MACL,QAAQ,KAAK;AAAA,MACb,gBAAgB,QAAQ,IAAI;AAAA,MAC5B,eAAe,MAAM;AAAA,MACrB,eAAe;AAAA,MACf,eAAe;AAAA,MACf,eAAe;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,MAAc,gBAAgB,QAAiC;AAC7D,UAAM,WAAW,MAAM,KAAK,OAAO,KAAK,oBAAoB;AAAA,MAC1D,QAAQ,EAAE,QAAQ,QAAQ,WAAW,OAAO;AAAA,MAC5C,QAAQ,CAAC,IAAI;AAAA,MACb,OAAO;AAAA,MACP,SAASA;AAAA,IACX,CAAC;AACD,QAAI,UAAU;AACd,eAAW,OAAQ,YAAY,CAAC,GAAI;AAClC,YAAM,KAAK,QAAQ,OAAQ,IAAY,IAAIA,WAAiB;AAC5D,iBAAW;AAAA,IACb;AACA,WAAO;AAAA,EACT;AACF;;;AChbA,IAAMC,cAAa,EAAE,UAAU,MAAM,OAAO,CAAC,GAAG,aAAa,CAAC,EAAE;AAEzD,IAAM,4BAA4B;AAyBlC,SAAS,cACd,QACA,SACA,OACA,QACM;AACN,QAAM,UAAU,oBAAI,IAAY;AAChC,aAAW,KAAK,OAAO;AACrB,QAAI,EAAE,WAAW,MAAO;AACxB,QAAI,EAAE,YAAa,SAAQ,IAAI,EAAE,WAAW;AAAA,EAC9C;AACA,aAAW,cAAc,SAAS;AAChC,UAAM,UAAU,OAAO,QAAa;AAClC,UAAK,KAAK,SAAiB,SAAU;AACrC,UAAI;AACF,cAAM,OAAO,KAAK,UAAU,KAAK,OAAO,QAAQ,CAAC;AACjD,cAAM,KAAK,OAAQ,MAAc,MAAM,KAAK,OAAO,MAAM,EAAE;AAC3D,YAAI,CAAC,GAAI;AACT,cAAM,QAAQ,qBAAqB,YAAY,IAAIA,WAAiB;AAAA,MACtE,SAAS,KAAU;AACjB,gBAAQ,OAAO,yCAAyC,EAAE,QAAQ,YAAY,OAAO,KAAK,QAAQ,CAAC;AAAA,MACrG;AAAA,IACF;AACA,WAAO,aAAa,eAAe,SAAS,EAAE,QAAQ,YAAY,WAAW,2BAA2B,UAAU,IAAI,CAAC;AACvH,WAAO,aAAa,eAAe,SAAS,EAAE,QAAQ,YAAY,WAAW,2BAA2B,UAAU,IAAI,CAAC;AAAA,EACzH;AACA,UAAQ,OAAO,8BAA8B,EAAE,SAAS,MAAM,KAAK,OAAO,GAAG,WAAW,MAAM,OAAO,CAAC;AACxG;AAEO,SAAS,mBAAmB,QAA+B;AAChE,SAAO,OAAO,yBAAyB,yBAAyB;AAClE;;;AC3DA,sBAA+C;AAC/C,sBAAmD;AA8C5C,IAAM,uBAAN,MAA6C;AAAA,EAUlD,YAAY,UAAgC,CAAC,GAAG;AAThD,gBAAO;AACP,mBAAU;AACV,gBAAO;AACP,wBAAe,CAAC,iCAAiC;AAO/C,SAAK,UAAU;AAAA,EACjB;AAAA,EAEA,MAAM,KAAK,KAAmC;AAE5C,QAAI,WAAuC,UAAU,EAAE,SAAS;AAAA,MAC9D,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,MACN,OAAO;AAAA,MACP,mBAAmB;AAAA,MACnB,WAAW;AAAA,MACX,SAAS,CAAC,gCAAgB,gCAAgB,+BAAe,mCAAmB;AAAA,IAC9E,CAAC;AACD,QAAI,OAAO,KAAK,yCAAyC;AAAA,EAC3D;AAAA,EAEA,MAAM,MAAM,KAAmC;AAC7C,QAAI,KAAK,gBAAgB,YAAY;AACnC,UAAI,SAAc;AAClB,UAAI;AAAE,iBAAS,IAAI,WAAgB,UAAU;AAAA,MAAG,QAC1C;AAAE,YAAI;AAAE,mBAAS,IAAI,WAAgB,MAAM;AAAA,QAAG,QAAQ;AAAA,QAAe;AAAA,MAAE;AAC7E,UAAI,CAAC,QAAQ;AACX,YAAI,OAAO,KAAK,wEAAmE;AACnF;AAAA,MACF;AAEA,WAAK,UAAU,IAAI,eAAe;AAAA,QAChC;AAAA,QACA,eAAe,KAAK,QAAQ;AAAA,MAC9B,CAAC;AACD,UAAI,gBAAgB,WAAW,KAAK,OAAO;AAE3C,UAAI,KAAK,QAAQ,YAAY,OAAO;AAClC,YAAI,OAAO,KAAK,4DAA4D;AAC5E;AAAA,MACF;AAEA,YAAM,KAAK,uBAAuB,KAAK,OAAO;AAC9C,UAAI,OAAO,OAAO,uBAAuB,YAAY;AACnD,eAAO,mBAAmB,IAAI,EAAE,QAAQ,IAAI,CAAC;AAC7C,YAAI,OAAO,KAAK,wDAAwD;AAAA,MAC1E,OAAO;AACL,YAAI,OAAO,KAAK,uFAAkF;AAAA,MACpG;AAGA,UAAI;AACF,aAAK,cAAc,IAAI,mBAAmB;AAAA,UACxC;AAAA,UACA,SAAS,KAAK;AAAA,UACd,QAAQ,IAAI;AAAA,QACd,CAAC;AACD,YAAI,gBAAgB,gBAAgB,KAAK,WAAW;AAEpD,YAAI,OAAO,OAAO,iBAAiB,cAAc,OAAO,OAAO,6BAA6B,YAAY;AACtG,gBAAM,QAAQ,MAAM,KAAK,YAAY,UAAU,EAAE,YAAY,KAAK,GAAG,EAAE,UAAU,KAAK,CAAQ;AAC9F,6BAAmB,MAAM;AACzB,wBAAc,QAAQ,KAAK,aAAa,OAAO,IAAI,MAAa;AAAA,QAClE,OAAO;AACL,cAAI,OAAO,KAAK,2FAAsF;AAAA,QACxG;AAAA,MACF,SAAS,KAAU;AACjB,YAAI,OAAO,KAAK,4DAA4D,EAAE,OAAO,KAAK,QAAQ,CAAC;AAAA,MACrG;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAOO,SAAS,uBAAuB,SAA2C;AAChF,SAAO,eAAe,kBAAkB,KAAuB,MAA2B;AACxF,UAAM,KAAK,IAAI;AACf,UAAM,OAAO,IAAI;AAGjB,QAAI,OAAO,UAAU,OAAO,aAAa,OAAO,WAAW,OAAO,aAAa;AAC7E,YAAM,SAAS,MAAM,QAAQ,gBAAgB,IAAI,QAAQ,QAAQ,CAAC,CAAC;AACnE,UAAI,QAAQ;AACV,cAAM,MAAW,IAAI,OAAO,CAAC;AAC7B,YAAI,QAAQ,WAAW,IAAI,OAAO,MAAM;AACxC,YAAI,SAAS,WAAW,IAAI,QAAQ,MAAM;AAC1C,YAAI,MAAM;AAAA,MACZ;AACA,aAAO,KAAK;AAAA,IACd;AAGA,QAAI,OAAO,YAAY,OAAO,UAAU;AACtC,YAAM,OAAY,IAAI;AACtB,YAAM,UAAe,IAAI;AACzB,YAAM,KAAK,cAAc,MAAM,OAAO;AACtC,UAAI,MAAM,MAAM;AACd,cAAM,KAAK,MAAM,QAAQ,QAAQ,IAAI,QAAQ,OAAO,EAAE,GAAG,QAAQ,CAAC,CAAC;AACnE,YAAI,CAAC,IAAI;AACP,gBAAM,MAAW,IAAI;AAAA,YACnB,yCAAyC,EAAE,IAAI,IAAI,MAAM,IAAI,EAAE;AAAA,UACjE;AACA,cAAI,OAAO;AACX,cAAI,SAAS;AACb,gBAAM;AAAA,QACR;AAAA,MACF;AACA,aAAO,KAAK;AAAA,IACd;AAIA,WAAO,KAAK;AAAA,EACd;AACF;AAEA,SAAS,WAAW,UAAmB,UAA4B;AACjE,MAAI,YAAY,KAAM,QAAO;AAC7B,MAAI,YAAY,KAAM,QAAO;AAE7B,MACE,OAAO,aAAa,YAAY,aAAa,QAAQ,CAAC,MAAM,QAAQ,QAAQ,KAC5E,OAAO,aAAa,YAAY,aAAa,QAAQ,CAAC,MAAM,QAAQ,QAAQ,GAC5E;AACA,UAAM,KAAU;AAChB,QAAI,MAAM,QAAQ,GAAG,IAAI,GAAG;AAC1B,aAAO,EAAE,MAAM,CAAC,GAAG,GAAG,MAAM,QAAQ,EAAE;AAAA,IACxC;AAGA,WAAO,EAAE,MAAM,CAAC,UAAU,QAAQ,EAAE;AAAA,EACtC;AACA,SAAO,EAAE,MAAM,CAAC,UAAU,QAAQ,EAAE;AACtC;AAEA,SAAS,cAAc,MAAW,SAA2C;AAC3E,MAAI,QAAQ,OAAO,SAAS,YAAY,KAAK,MAAM,KAAM,QAAO,KAAK;AACrE,MAAI,WAAW,OAAO,YAAY,UAAU;AAC1C,QAAI,QAAQ,MAAM,KAAM,QAAO,QAAQ;AACvC,QAAI,QAAQ,SAAS,OAAO,QAAQ,UAAU,YAAY,QAAQ,MAAM,MAAM,MAAM;AAClF,aAAO,QAAQ,MAAM;AAAA,IACvB;AACA,QAAI,QAAQ,UAAU,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,MAAM,MAAM;AACrF,aAAO,QAAQ,OAAO;AAAA,IACxB;AAAA,EACF;AACA,SAAO;AACT;","names":["import_security","import_identity","row","SYSTEM_CTX","SYSTEM_CTX","SYSTEM_CTX","SYSTEM_CTX"]}