@objectstack/spec 0.3.3 → 0.4.2

package/dist/permission/rls.zod.d.ts

@@ -0,0 +1,605 @@
+import { z } from 'zod';
+/**
+ * # Row-Level Security (RLS) Protocol
+ *
+ * Implements fine-grained record-level access control inspired by PostgreSQL RLS
+ * and Salesforce Criteria-Based Sharing Rules.
+ *
+ * ## Overview
+ *
+ * Row-Level Security (RLS) allows you to control which rows users can access
+ * in database tables based on their identity and role. Unlike object-level
+ * permissions (CRUD), RLS provides record-level filtering.
+ *
+ * ## Use Cases
+ *
+ * 1. **Multi-Tenant Data Isolation**
+ *    - Users only see records from their organization
+ *    - `using: "tenant_id = current_user.tenant_id"`
+ *
+ * 2. **Ownership-Based Access**
+ *    - Users only see records they own
+ *    - `using: "owner_id = current_user.id"`
+ *
+ * 3. **Department-Based Access**
+ *    - Users only see records from their department
+ *    - `using: "department = current_user.department"`
+ *
+ * 4. **Regional Access Control**
+ *    - Sales reps only see accounts in their territory
+ *    - `using: "region IN (current_user.assigned_regions)"`
+ *
+ * 5. **Time-Based Access**
+ *    - Users can only access active records
+ *    - `using: "status = 'active' AND expiry_date > NOW()"`
+ *
+ * ## PostgreSQL RLS Comparison
+ *
+ * PostgreSQL RLS Example:
+ * ```sql
+ * CREATE POLICY tenant_isolation ON accounts
+ *   FOR SELECT
+ *   USING (tenant_id = current_setting('app.current_tenant_id')::uuid);
+ *
+ * CREATE POLICY account_insert ON accounts
+ *   FOR INSERT
+ *   WITH CHECK (tenant_id = current_setting('app.current_tenant_id')::uuid);
+ * ```
+ *
+ * ObjectStack RLS Equivalent:
+ * ```typescript
+ * {
+ *   name: 'tenant_isolation',
+ *   object: 'account',
+ *   operation: 'select',
+ *   using: 'tenant_id = current_user.tenant_id'
+ * }
+ * ```
+ *
+ * ## Salesforce Sharing Rules Comparison
+ *
+ * Salesforce uses "Sharing Rules" and "Role Hierarchy" for record-level access.
+ * ObjectStack RLS provides similar functionality with more flexibility.
+ *
+ * Salesforce:
+ * - Criteria-Based Sharing: Share records matching criteria with users/roles
+ * - Owner-Based Sharing: Share records based on owner's role
+ * - Manual Sharing: Individual record sharing
+ *
+ * ObjectStack RLS:
+ * - More flexible formula-based conditions
+ * - Direct SQL-like syntax
+ * - Supports complex logic with AND/OR/NOT
+ *
+ * ## Best Practices
+ *
+ * 1. **Always Define SELECT Policy**: Control what users can view
+ * 2. **Define INSERT/UPDATE CHECK Policies**: Prevent data leakage
+ * 3. **Use Role-Based Policies**: Apply different rules to different roles
+ * 4. **Test Thoroughly**: RLS can have complex interactions
+ * 5. **Monitor Performance**: Complex RLS policies can impact query performance
+ *
+ * ## Security Considerations
+ *
+ * 1. **Defense in Depth**: RLS is one layer; use with object permissions
+ * 2. **Default Deny**: If no policy matches, access is denied
+ * 3. **Policy Precedence**: More permissive policy wins (OR logic)
+ * 4. **Context Variables**: Ensure current_user context is always set
+ *
+ * @see https://www.postgresql.org/docs/current/ddl-rowsecurity.html
+ * @see https://help.salesforce.com/s/articleView?id=sf.security_sharing_rules.htm
+ */
+/**
+ * RLS Operation Enum
+ * Specifies which database operation this policy applies to.
+ *
+ * - **select**: Controls which rows can be read (SELECT queries)
+ * - **insert**: Controls which rows can be inserted (INSERT statements)
+ * - **update**: Controls which rows can be updated (UPDATE statements)
+ * - **delete**: Controls which rows can be deleted (DELETE statements)
+ * - **all**: Shorthand for all operations (equivalent to defining 4 separate policies)
+ */
+export declare const RLSOperation: z.ZodEnum<["select", "insert", "update", "delete", "all"]>;
+export type RLSOperation = z.infer<typeof RLSOperation>;
+/**
+ * Row-Level Security Policy Schema
+ *
+ * Defines a single RLS policy that filters records based on conditions.
+ * Multiple policies can be defined for the same object, and they are
+ * combined with OR logic (union of results).
+ *
+ * @example Multi-Tenant Isolation
+ * ```typescript
+ * {
+ *   name: 'tenant_isolation',
+ *   label: 'Multi-Tenant Data Isolation',
+ *   object: 'account',
+ *   operation: 'select',
+ *   using: 'tenant_id = current_user.tenant_id',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Owner-Based Access
+ * ```typescript
+ * {
+ *   name: 'owner_access',
+ *   label: 'Users Can View Their Own Records',
+ *   object: 'opportunity',
+ *   operation: 'select',
+ *   using: 'owner_id = current_user.id',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Manager Can View Team Records
+ * ```typescript
+ * {
+ *   name: 'manager_team_access',
+ *   label: 'Managers Can View Team Records',
+ *   object: 'task',
+ *   operation: 'select',
+ *   using: 'assigned_to_id IN (SELECT id FROM users WHERE manager_id = current_user.id)',
+ *   roles: ['manager', 'director'],
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Prevent Cross-Tenant Data Insertion
+ * ```typescript
+ * {
+ *   name: 'tenant_insert_check',
+ *   label: 'Prevent Cross-Tenant Data Creation',
+ *   object: 'account',
+ *   operation: 'insert',
+ *   check: 'tenant_id = current_user.tenant_id',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Regional Sales Access
+ * ```typescript
+ * {
+ *   name: 'regional_sales_access',
+ *   label: 'Sales Reps Access Regional Accounts',
+ *   object: 'account',
+ *   operation: 'select',
+ *   using: 'region = current_user.region OR region IS NULL',
+ *   roles: ['sales_rep'],
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Time-Based Access Control
+ * ```typescript
+ * {
+ *   name: 'active_records_only',
+ *   label: 'Users Only Access Active Records',
+ *   object: 'contract',
+ *   operation: 'select',
+ *   using: 'status = "active" AND start_date <= NOW() AND end_date >= NOW()',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Hierarchical Access (Role-Based)
+ * ```typescript
+ * {
+ *   name: 'executive_full_access',
+ *   label: 'Executives See All Records',
+ *   object: 'account',
+ *   operation: 'all',
+ *   using: '1 = 1', // Always true - see everything
+ *   roles: ['ceo', 'cfo', 'cto'],
+ *   enabled: true
+ * }
+ * ```
+ */
+export declare const RowLevelSecurityPolicySchema: z.ZodEffects<z.ZodObject<{
+    /**
+     * Unique identifier for this policy.
+     * Must be unique within the object.
+     * Use snake_case following ObjectStack naming conventions.
+     *
+     * @example "tenant_isolation", "owner_access", "manager_team_view"
+     */
+    name: z.ZodString;
+    /**
+     * Human-readable label for the policy.
+     * Used in admin UI and logs.
+     *
+     * @example "Multi-Tenant Data Isolation", "Owner-Based Access"
+     */
+    label: z.ZodOptional<z.ZodString>;
+    /**
+     * Description explaining what this policy does and why.
+     * Helps with governance and compliance.
+     *
+     * @example "Ensures users can only access records from their own tenant organization"
+     */
+    description: z.ZodOptional<z.ZodString>;
+    /**
+     * Target object (table) this policy applies to.
+     * Must reference a valid ObjectStack object name.
+     *
+     * @example "account", "opportunity", "contact", "custom_object"
+     */
+    object: z.ZodString;
+    /**
+     * Database operation(s) this policy applies to.
+     *
+     * - **select**: Controls read access (SELECT queries)
+     * - **insert**: Controls insert access (INSERT statements)
+     * - **update**: Controls update access (UPDATE statements)
+     * - **delete**: Controls delete access (DELETE statements)
+     * - **all**: Applies to all operations
+     *
+     * @example "select" - Most common, controls what users can view
+     * @example "all" - Apply same rule to all operations
+     */
+    operation: z.ZodEnum<["select", "insert", "update", "delete", "all"]>;
+    /**
+     * USING clause - Filter condition for SELECT/UPDATE/DELETE.
+     *
+     * This is a SQL-like expression evaluated for each row.
+     * Only rows where this expression returns TRUE are accessible.
+     *
+     * **Note**: For INSERT-only policies, USING is not required (only CHECK is needed).
+     * For SELECT/UPDATE/DELETE operations, USING is required.
+     *
+     * **Security Note**: RLS conditions are executed at the database level with
+     * parameterized queries. The implementation must use prepared statements
+     * to prevent SQL injection. Never concatenate user input directly into
+     * RLS conditions.
+     *
+     * **SQL Dialect**: Compatible with PostgreSQL SQL syntax. Implementations
+     * may adapt to other databases (MySQL, SQL Server, etc.) but should maintain
+     * semantic equivalence.
+     *
+     * Available context variables:
+     * - `current_user.id` - Current user's ID
+     * - `current_user.tenant_id` - Current user's tenant (maps to `tenantId` in RLSUserContext)
+     * - `current_user.role` - Current user's role
+     * - `current_user.department` - Current user's department
+     * - `current_user.*` - Any custom user field
+     * - `NOW()` - Current timestamp
+     * - `CURRENT_DATE` - Current date
+     * - `CURRENT_TIME` - Current time
+     *
+     * **Context Variable Mapping**: The RLSUserContext schema uses camelCase (e.g., `tenantId`),
+     * but expressions use snake_case with `current_user.` prefix (e.g., `current_user.tenant_id`).
+     * Implementations must handle this mapping.
+     *
+     * Supported operators:
+     * - Comparison: =, !=, <, >, <=, >=, <> (not equal)
+     * - Logical: AND, OR, NOT
+     * - NULL checks: IS NULL, IS NOT NULL
+     * - Set operations: IN, NOT IN
+     * - String: LIKE, NOT LIKE, ILIKE (case-insensitive)
+     * - Pattern matching: ~ (regex), !~ (not regex)
+     * - Subqueries: (SELECT ...)
+     * - Array operations: ANY, ALL
+     *
+     * **Prohibited**: Dynamic SQL, DDL statements, DML statements (INSERT/UPDATE/DELETE)
+     *
+     * @example "tenant_id = current_user.tenant_id"
+     * @example "owner_id = current_user.id OR created_by = current_user.id"
+     * @example "department IN (SELECT department FROM user_departments WHERE user_id = current_user.id)"
+     * @example "status = 'active' AND expiry_date > NOW()"
+     */
+    using: z.ZodOptional<z.ZodString>;
+    /**
+     * CHECK clause - Validation for INSERT/UPDATE operations.
+     *
+     * Similar to USING but applies to new/modified rows.
+     * Prevents users from creating/updating rows they wouldn't be able to see.
+     *
+     * **Default Behavior**: If not specified, implementations should use the
+     * USING clause as the CHECK clause. This ensures data integrity by preventing
+     * users from creating records they cannot view.
+     *
+     * Use cases:
+     * - Prevent cross-tenant data creation
+     * - Enforce mandatory field values
+     * - Validate data integrity rules
+     * - Restrict certain operations (e.g., only allow creating "draft" status)
+     *
+     * @example "tenant_id = current_user.tenant_id"
+     * @example "status IN ('draft', 'pending')" - Only allow certain statuses
+     * @example "created_by = current_user.id" - Must be the creator
+     */
+    check: z.ZodOptional<z.ZodString>;
+    /**
+     * Restrict this policy to specific roles.
+     * If specified, only users with these roles will have this policy applied.
+     * If omitted, policy applies to all users (except those with bypassRLS permission).
+     *
+     * Role names must match defined roles in the system.
+     *
+     * @example ["sales_rep", "account_manager"]
+     * @example ["employee"] - Apply to all employees
+     * @example ["guest"] - Special restrictions for guests
+     */
+    roles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /**
+     * Whether this policy is currently active.
+     * Disabled policies are not evaluated.
+     * Useful for temporary policy changes without deletion.
+     *
+     * @default true
+     */
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    /**
+     * Policy priority for conflict resolution.
+     * Higher numbers = higher priority.
+     * When multiple policies apply, the most permissive wins (OR logic).
+     * Priority is only used for ordering evaluation (performance).
+     *
+     * @default 0
+     */
+    priority: z.ZodDefault<z.ZodNumber>;
+    /**
+     * Tags for policy categorization and reporting.
+     * Useful for governance, compliance, and auditing.
+     *
+     * @example ["compliance", "gdpr", "pci"]
+     * @example ["multi-tenant", "security"]
+     */
+    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    object: string;
+    name: string;
+    priority: number;
+    operation: "select" | "insert" | "update" | "delete" | "all";
+    enabled: boolean;
+    tags?: string[] | undefined;
+    label?: string | undefined;
+    description?: string | undefined;
+    roles?: string[] | undefined;
+    using?: string | undefined;
+    check?: string | undefined;
+}, {
+    object: string;
+    name: string;
+    operation: "select" | "insert" | "update" | "delete" | "all";
+    tags?: string[] | undefined;
+    label?: string | undefined;
+    description?: string | undefined;
+    priority?: number | undefined;
+    roles?: string[] | undefined;
+    using?: string | undefined;
+    check?: string | undefined;
+    enabled?: boolean | undefined;
+}>, {
+    object: string;
+    name: string;
+    priority: number;
+    operation: "select" | "insert" | "update" | "delete" | "all";
+    enabled: boolean;
+    tags?: string[] | undefined;
+    label?: string | undefined;
+    description?: string | undefined;
+    roles?: string[] | undefined;
+    using?: string | undefined;
+    check?: string | undefined;
+}, {
+    object: string;
+    name: string;
+    operation: "select" | "insert" | "update" | "delete" | "all";
+    tags?: string[] | undefined;
+    label?: string | undefined;
+    description?: string | undefined;
+    priority?: number | undefined;
+    roles?: string[] | undefined;
+    using?: string | undefined;
+    check?: string | undefined;
+    enabled?: boolean | undefined;
+}>;
+/**
+ * RLS Configuration Schema
+ *
+ * Global configuration for the Row-Level Security system.
+ * Defines how RLS is enforced across the entire platform.
+ */
+export declare const RLSConfigSchema: z.ZodObject<{
+    /**
+     * Global RLS enable/disable flag.
+     * When false, all RLS policies are ignored (use with caution!).
+     *
+     * @default true
+     */
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    /**
+     * Default behavior when no policies match.
+     *
+     * - **deny**: Deny access (secure default)
+     * - **allow**: Allow access (permissive mode, not recommended)
+     *
+     * @default "deny"
+     */
+    defaultPolicy: z.ZodDefault<z.ZodEnum<["deny", "allow"]>>;
+    /**
+     * Whether to allow superusers to bypass RLS.
+     * Superusers include system administrators and service accounts.
+     *
+     * @default true
+     */
+    allowSuperuserBypass: z.ZodDefault<z.ZodBoolean>;
+    /**
+     * List of roles that can bypass RLS.
+     * Users with these roles see all records regardless of policies.
+     *
+     * @example ["system_admin", "data_auditor"]
+     */
+    bypassRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /**
+     * Whether to log RLS policy evaluations.
+     * Useful for debugging and auditing.
+     * Can impact performance if enabled globally.
+     *
+     * @default false
+     */
+    logEvaluations: z.ZodDefault<z.ZodBoolean>;
+    /**
+     * Cache RLS policy evaluation results.
+     * Can improve performance for frequently accessed records.
+     * Cache is invalidated when policies change or user context changes.
+     *
+     * @default true
+     */
+    cacheResults: z.ZodDefault<z.ZodBoolean>;
+    /**
+     * Cache TTL in seconds.
+     * How long to cache RLS evaluation results.
+     *
+     * @default 300 (5 minutes)
+     */
+    cacheTtlSeconds: z.ZodDefault<z.ZodNumber>;
+    /**
+     * Performance optimization: Pre-fetch user context.
+     * Load user context once per request instead of per-query.
+     *
+     * @default true
+     */
+    prefetchUserContext: z.ZodDefault<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    enabled: boolean;
+    defaultPolicy: "deny" | "allow";
+    allowSuperuserBypass: boolean;
+    logEvaluations: boolean;
+    cacheResults: boolean;
+    cacheTtlSeconds: number;
+    prefetchUserContext: boolean;
+    bypassRoles?: string[] | undefined;
+}, {
+    enabled?: boolean | undefined;
+    defaultPolicy?: "deny" | "allow" | undefined;
+    allowSuperuserBypass?: boolean | undefined;
+    bypassRoles?: string[] | undefined;
+    logEvaluations?: boolean | undefined;
+    cacheResults?: boolean | undefined;
+    cacheTtlSeconds?: number | undefined;
+    prefetchUserContext?: boolean | undefined;
+}>;
+/**
+ * User Context Schema
+ *
+ * Represents the current user's context for RLS evaluation.
+ * This data is used to evaluate USING and CHECK clauses.
+ */
+export declare const RLSUserContextSchema: z.ZodObject<{
+    /**
+     * User ID
+     */
+    id: z.ZodString;
+    /**
+     * User email
+     */
+    email: z.ZodOptional<z.ZodString>;
+    /**
+     * Tenant/Organization ID
+     */
+    tenantId: z.ZodOptional<z.ZodString>;
+    /**
+     * User role(s)
+     */
+    role: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+    /**
+     * User department
+     */
+    department: z.ZodOptional<z.ZodString>;
+    /**
+     * Additional custom attributes
+     * Can include any custom user fields for RLS evaluation
+     */
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+}, "strip", z.ZodTypeAny, {
+    id: string;
+    email?: string | undefined;
+    tenantId?: string | undefined;
+    role?: string | string[] | undefined;
+    department?: string | undefined;
+    attributes?: Record<string, any> | undefined;
+}, {
+    id: string;
+    email?: string | undefined;
+    tenantId?: string | undefined;
+    role?: string | string[] | undefined;
+    department?: string | undefined;
+    attributes?: Record<string, any> | undefined;
+}>;
+/**
+ * RLS Policy Evaluation Result
+ *
+ * Result of evaluating an RLS policy for a specific record.
+ * Used for debugging and audit logging.
+ */
+export declare const RLSEvaluationResultSchema: z.ZodObject<{
+    /**
+     * Policy name that was evaluated
+     */
+    policyName: z.ZodString;
+    /**
+     * Whether access was granted
+     */
+    granted: z.ZodBoolean;
+    /**
+     * Evaluation duration in milliseconds
+     */
+    durationMs: z.ZodOptional<z.ZodNumber>;
+    /**
+     * Error message if evaluation failed
+     */
+    error: z.ZodOptional<z.ZodString>;
+    /**
+     * Evaluated USING clause result
+     */
+    usingResult: z.ZodOptional<z.ZodBoolean>;
+    /**
+     * Evaluated CHECK clause result (for INSERT/UPDATE)
+     */
+    checkResult: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    policyName: string;
+    granted: boolean;
+    error?: string | undefined;
+    durationMs?: number | undefined;
+    usingResult?: boolean | undefined;
+    checkResult?: boolean | undefined;
+}, {
+    policyName: string;
+    granted: boolean;
+    error?: string | undefined;
+    durationMs?: number | undefined;
+    usingResult?: boolean | undefined;
+    checkResult?: boolean | undefined;
+}>;
+/**
+ * Type exports
+ */
+export type RowLevelSecurityPolicy = z.infer<typeof RowLevelSecurityPolicySchema>;
+export type RLSConfig = z.infer<typeof RLSConfigSchema>;
+export type RLSUserContext = z.infer<typeof RLSUserContextSchema>;
+export type RLSEvaluationResult = z.infer<typeof RLSEvaluationResultSchema>;
+/**
+ * Helper factory for creating RLS policies
+ */
+export declare const RLS: {
+    /**
+     * Create a simple owner-based policy
+     */
+    readonly ownerPolicy: (object: string, ownerField?: string) => RowLevelSecurityPolicy;
+    /**
+     * Create a tenant isolation policy
+     */
+    readonly tenantPolicy: (object: string, tenantField?: string) => RowLevelSecurityPolicy;
+    /**
+     * Create a role-based policy
+     */
+    readonly rolePolicy: (object: string, roles: string[], condition: string) => RowLevelSecurityPolicy;
+    /**
+     * Create a permissive policy (allow all for specific roles)
+     */
+    readonly allowAllPolicy: (object: string, roles: string[]) => RowLevelSecurityPolicy;
+};
+//# sourceMappingURL=rls.zod.d.ts.map

package/dist/permission/rls.zod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rls.zod.d.ts","sourceRoot":"","sources":["../../src/permission/rls.zod.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyFG;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,YAAY,4DAA0D,CAAC;AAEpF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6FG;AACH,eAAO,MAAM,4BAA4B;IACvC;;;;;;OAMG;;IAKH;;;;;OAKG;;IAKH;;;;;OAKG;;IAKH;;;;;OAKG;;IAIH;;;;;;;;;;;OAWG;;IAIH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgDG;;IAKH;;;;;;;;;;;;;;;;;;;OAmBG;;IAKH;;;;;;;;;;OAUG;;IAKH;;;;;;OAMG;;IAKH;;;;;;;OAOG;;IAMH;;;;;;OAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBH,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,eAAe;IAC1B;;;;;OAKG;;IAKH;;;;;;;OAOG;;IAKH;;;;;OAKG;;IAKH;;;;;OAKG;;IAKH;;;;;;OAMG;;IAKH;;;;;;OAMG;;IAKH;;;;;OAKG;;IAOH;;;;;OAKG;;;;;;;;;;;;;;;;;;;;EAIH,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;IAC/B;;OAEG;;IAIH;;OAEG;;IAMH;;OAEG;;IAKH;;OAEG;;IAQH;;OAEG;;IAKH;;;OAGG;;;;;;;;;;;;;;;;EAIH,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB;IACpC;;OAEG;;IAIH;;OAEG;;IAIH;;OAEG;;IAKH;;OAEG;;IAKH;;OAEG;;IAKH;;OAEG;;;;;;;;;;;;;;;;EAIH,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E;;GAEG;AACH,eAAO,MAAM,GAAG;IACd;;OAEG;mCACmB,MAAM,eAAc,MAAM,KAAgB,sBAAsB;IAUtF;;OAEG;oCACoB,MAAM,gBAAe,MAAM,KAAiB,sBAAsB;IAWzF;;OAEG;kCACkB,MAAM,SAAS,MAAM,EAAE,aAAa,MAAM,KAAG,sBAAsB;IAWxF;;OAEG;sCACsB,MAAM,SAAS,MAAM,EAAE,KAAG,sBAAsB;CAUjE,CAAC"}