@ofeklabs/horizon-auth 0.1.0 → 0.2.0

package/README.md

@@ -1,6 +1,22 @@
 # @ofeklabs/horizon-auth
 
-Production-ready NestJS authentication module with 2026 security standards. Add enterprise-grade authentication to your application in under 60 seconds.
+Production-ready NestJS authentication module with 2026 security standards. Deploy once, use everywhere.
+
+## Use Cases
+
+### 1. Portfolio SSO (Recommended)
+Deploy one auth service, use it across all your projects. Users sign in once and access everything.
+
+```
+auth.yourdomain.com (Auth Service)
+    ↓ Shared Authentication
+    ├── project1.yourdomain.com
+    ├── project2.yourdomain.com
+    └── project3.yourdomain.com
+```
+
+### 2. Embedded Auth
+Each application has its own isolated authentication.
 
 ## Features
 
@@ -13,7 +29,73 @@ Production-ready NestJS authentication module with 2026 security standards. Add
 - 🎯 **Type-Safe**: Full TypeScript support
 - 📦 **Zero Config**: Sensible defaults, fully customizable
 
-## Quick Start (60 seconds)
+## Quick Start
+
+### Portfolio SSO Setup (Recommended)
+
+Deploy one auth service, use it across all your projects.
+
+#### 1. Deploy Auth Service (One Time)
+
+```bash
+# Clone and deploy packages/horizon-auth to auth.yourdomain.com
+npm install
+npm run build
+npm run start:prod
+```
+
+**Environment Variables**:
+```env
+DATABASE_URL=postgresql://...
+REDIS_HOST=your-redis-host
+JWT_PRIVATE_KEY=<your-private-key>
+JWT_PUBLIC_KEY=<your-public-key>
+COOKIE_DOMAIN=.yourdomain.com
+NODE_ENV=production
+```
+
+#### 2. Use in Your Projects
+
+For each project:
+
+```bash
+npm install @ofeklabs/horizon-auth
+```
+
+```typescript
+// app.module.ts
+HorizonAuthModule.forRoot({
+  ssoMode: true,
+  authServiceUrl: process.env.AUTH_SERVICE_URL,
+  jwt: {
+    publicKey: process.env.JWT_PUBLIC_KEY,
+  },
+  cookie: {
+    domain: process.env.COOKIE_DOMAIN,
+    secure: process.env.NODE_ENV === 'production',
+  },
+})
+```
+
+```env
+# .env
+AUTH_SERVICE_URL=https://auth.yourdomain.com
+JWT_PUBLIC_KEY=<paste-public-key>
+COOKIE_DOMAIN=.yourdomain.com
+```
+
+Deploy to:
+- project1.yourdomain.com
+- project2.yourdomain.com
+- project3.yourdomain.com
+
+Users sign in once, access all projects.
+
+---
+
+### Embedded Auth Setup (Alternative)
+
+Each application has its own authentication.
 
 ### 1. Install
 
@@ -50,10 +132,12 @@ import { join } from 'path';
       redis: {
         host: process.env.REDIS_HOST || 'localhost',
         port: parseInt(process.env.REDIS_PORT) || 6379,
+        password: process.env.REDIS_PASSWORD,
       },
       jwt: {
-        privateKey: readFileSync(join(__dirname, '../certs/private.pem'), 'utf8'),
-        publicKey: readFileSync(join(__dirname, '../certs/public.pem'), 'utf8'),
+        // For production: use environment variables
+        privateKey: process.env.JWT_PRIVATE_KEY || readFileSync(join(__dirname, '../certs/private.pem'), 'utf8'),
+        publicKey: process.env.JWT_PUBLIC_KEY || readFileSync(join(__dirname, '../certs/public.pem'), 'utf8'),
       },
     }),
   ],
@@ -317,10 +401,136 @@ REDIS_HOST=localhost
 REDIS_PORT=6379
 REDIS_PASSWORD=your_redis_password
 
+# JWT Keys (for production - use multiline env vars)
+JWT_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----"
+JWT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nMIIB...\n-----END PUBLIC KEY-----"
+
 # Application
 NODE_ENV=production
+PORT=3000
+
+# Optional: SSO Mode
+AUTH_SERVICE_URL=https://auth.ofeklabs.dev
+```
+
+## Production Deployment
+
+### Portfolio SSO Architecture (Recommended)
+
+Perfect for portfolios, demo sites, or related projects.
+
+**Benefits**:
+- One login for all projects
+- Consistent user experience
+- No duplicate auth code
+- Single point of maintenance
+- Professional appearance
+
+**Setup**:
+
+1. Deploy auth service to `auth.yourdomain.com`
+2. Install package in each project
+3. Configure SSO mode with `AUTH_SERVICE_URL`
+4. Deploy projects to subdomains
+
+See [PRODUCTION-DEPLOYMENT.md](./PRODUCTION-DEPLOYMENT.md) for complete guide.
+
+### Deploy to Render
+
+#### 1. Deploy Auth Service
+
+Create a new Web Service on Render:
+
+**Environment Variables**:
+```env
+DATABASE_URL=<your-postgres-url>
+REDIS_HOST=<your-redis-host>
+REDIS_PORT=6379
+REDIS_PASSWORD=<your-redis-password>
+JWT_PRIVATE_KEY=<paste-private-key-with-\n>
+JWT_PUBLIC_KEY=<paste-public-key-with-\n>
+NODE_ENV=production
+COOKIE_DOMAIN=.ofeklabs.dev
+COOKIE_SECURE=true
+```
+
+**Build Command**: `npm install && npm run build`
+
+**Start Command**: `npm run start:prod`
+
+#### 2. Deploy Your Apps (SSO Mode)
+
+For each app (tasks, CRM, analytics):
+
+```typescript
+// app.module.ts
+HorizonAuthModule.forRoot({
+  ssoMode: true,
+  authServiceUrl: process.env.AUTH_SERVICE_URL || 'https://auth.ofeklabs.dev',
+  jwt: {
+    publicKey: process.env.JWT_PUBLIC_KEY,
+  },
+  cookie: {
+    domain: process.env.COOKIE_DOMAIN || '.ofeklabs.dev',
+    secure: process.env.NODE_ENV === 'production',
+  },
+})
+```
+
+**Environment Variables**:
+```env
+AUTH_SERVICE_URL=https://auth.ofeklabs.dev
+JWT_PUBLIC_KEY=<paste-public-key-with-\n>
+COOKIE_DOMAIN=.ofeklabs.dev
+NODE_ENV=production
+```
+
+#### 3. Configure Custom Domains
+
+On Render, add custom domains:
+- Auth service: `auth.ofeklabs.dev`
+- Tasks app: `tasks.ofeklabs.dev`
+- CRM app: `crm.ofeklabs.dev`
+
+All apps will share authentication via cookies! 🎉
+
+### Deploy to AWS/Docker
+
+```dockerfile
+FROM node:18-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --only=production
+
+COPY . .
+RUN npm run build
+
+EXPOSE 3000
+
+CMD ["node", "dist/main"]
 ```
 
+```bash
+# Build and run
+docker build -t horizon-auth .
+docker run -p 3000:3000 \
+  -e DATABASE_URL="postgresql://..." \
+  -e REDIS_HOST="redis" \
+  -e JWT_PRIVATE_KEY="$(cat certs/private.pem)" \
+  -e JWT_PUBLIC_KEY="$(cat certs/public.pem)" \
+  horizon-auth
+```
+
+### Environment Variable Best Practices
+
+1. **Never commit keys to Git**
+2. **Use secrets manager** (AWS Secrets Manager, Render Secrets)
+3. **Rotate keys periodically**
+4. **Use different keys** for dev/staging/production
+5. **Store keys as multiline strings** with `\n` for newlines
+
 ## Troubleshooting
 
 ### "Invalid or expired access token"

package/dist/lib/horizon-auth-config.interface.d.ts

@@ -1,15 +1,17 @@
 export interface HorizonAuthConfig {
-    database: {
+    ssoMode?: boolean;
+    authServiceUrl?: string;
+    database?: {
         url: string;
     };
-    redis: {
+    redis?: {
         host: string;
         port: number;
         password?: string;
         db?: number;
     };
     jwt: {
-        privateKey: string;
+        privateKey?: string;
         publicKey: string;
         accessTokenExpiry?: string;
         refreshTokenExpiry?: string;
@@ -17,6 +19,11 @@ export interface HorizonAuthConfig {
         audience?: string;
         kid?: string;
     };
+    cookie?: {
+        domain?: string;
+        secure?: boolean;
+        sameSite?: 'strict' | 'lax' | 'none';
+    };
     multiTenant?: {
         enabled: boolean;
         tenantIdExtractor?: 'header' | 'subdomain' | 'custom';

package/dist/lib/horizon-auth.module.js

@@ -31,6 +31,16 @@ let HorizonAuthModule = HorizonAuthModule_1 = class HorizonAuthModule {
                 useClass: jwt_auth_guard_1.JwtAuthGuard,
             });
         }
+        if (finalConfig.ssoMode) {
+            return {
+                module: HorizonAuthModule_1,
+                imports: [
+                    auth_module_1.AuthModule,
+                ],
+                providers,
+                exports: ['HORIZON_AUTH_CONFIG', auth_module_1.AuthModule],
+            };
+        }
         return {
             module: HorizonAuthModule_1,
             imports: [
@@ -63,14 +73,26 @@ let HorizonAuthModule = HorizonAuthModule_1 = class HorizonAuthModule {
         };
     }
     static validateConfig(config) {
+        if (config.ssoMode) {
+            if (!config.jwt?.publicKey) {
+                throw new Error('HorizonAuth (SSO Mode): jwt.publicKey is required');
+            }
+            if (!config.authServiceUrl) {
+                throw new Error('HorizonAuth (SSO Mode): authServiceUrl is required');
+            }
+            if (!config.jwt.publicKey.includes('BEGIN')) {
+                throw new Error('HorizonAuth: JWT public key must be in PEM format');
+            }
+            return;
+        }
         if (!config.database?.url) {
-            throw new Error('HorizonAuth: database.url is required');
+            throw new Error('HorizonAuth: database.url is required (or enable ssoMode)');
         }
         if (!config.redis?.host || !config.redis?.port) {
-            throw new Error('HorizonAuth: redis.host and redis.port are required');
+            throw new Error('HorizonAuth: redis.host and redis.port are required (or enable ssoMode)');
         }
         if (!config.jwt?.privateKey || !config.jwt?.publicKey) {
-            throw new Error('HorizonAuth: jwt.privateKey and jwt.publicKey are required');
+            throw new Error('HorizonAuth: jwt.privateKey and jwt.publicKey are required (or enable ssoMode with only publicKey)');
         }
         if (!config.jwt.privateKey.includes('BEGIN') || !config.jwt.publicKey.includes('BEGIN')) {
             throw new Error('HorizonAuth: JWT keys must be in PEM format');
@@ -79,6 +101,7 @@ let HorizonAuthModule = HorizonAuthModule_1 = class HorizonAuthModule {
     static applyDefaults(config) {
         return {
             ...config,
+            ssoMode: config.ssoMode || false,
             jwt: {
                 ...config.jwt,
                 accessTokenExpiry: config.jwt.accessTokenExpiry || '15m',
@@ -87,6 +110,11 @@ let HorizonAuthModule = HorizonAuthModule_1 = class HorizonAuthModule {
                 audience: config.jwt.audience || 'horizon-api',
                 kid: config.jwt.kid || 'horizon-auth-key-1',
             },
+            cookie: {
+                domain: config.cookie?.domain || config.security?.cookieDomain,
+                secure: config.cookie?.secure ?? config.security?.cookieSecure ?? (process.env.NODE_ENV === 'production'),
+                sameSite: config.cookie?.sameSite || 'lax',
+            },
             multiTenant: {
                 enabled: config.multiTenant?.enabled || false,
                 tenantIdExtractor: config.multiTenant?.tenantIdExtractor || 'header',

package/dist/lib/horizon-auth.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"horizon-auth.module.js","sourceRoot":"","sources":["../../src/lib/horizon-auth.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAyE;AACzE,uCAAyC;AAEzC,qDAAiD;AACjD,wDAAoD;AACpD,wDAAoD;AACpD,2DAAuD;AACvD,kEAA6D;AAItD,IAAM,iBAAiB,yBAAvB,MAAM,iBAAiB;IAM5B,MAAM,CAAC,OAAO,CAAC,MAAyB;QAEtC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAG5B,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAE/C,MAAM,SAAS,GAAe;YAC5B;gBACE,OAAO,EAAE,qBAAqB;gBAC9B,QAAQ,EAAE,WAAW;aACtB;SACF,CAAC;QAGF,IAAI,WAAW,CAAC,MAAM,EAAE,qBAAqB,EAAE,CAAC;YAC9C,SAAS,CAAC,IAAI,CAAC;gBACb,OAAO,EAAE,gBAAS;gBAClB,QAAQ,EAAE,6BAAY;aACvB,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,MAAM,EAAE,mBAAiB;YACzB,OAAO,EAAE;gBACP,4BAAY,CAAC,OAAO,CAAC,WAAW,CAAC;gBACjC,0BAAW,CAAC,OAAO,CAAC,WAAW,CAAC;gBAChC,wBAAU;gBACV,0BAAW;aACZ;YACD,SAAS;YACT,OAAO,EAAE,CAAC,qBAAqB,EAAE,wBAAU,CAAC;SAC7C,CAAC;IACJ,CAAC;IAOD,MAAM,CAAC,YAAY,CAAC,OAGnB;QACC,MAAM,SAAS,GAAe;YAC5B;gBACE,OAAO,EAAE,qBAAqB;gBAC9B,UAAU,EAAE,KAAK,EAAE,GAAG,IAAW,EAAE,EAAE;oBACnC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;oBACjD,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;oBAC5B,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;gBACpC,CAAC;gBACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;aAC7B;SACF,CAAC;QAEF,OAAO;YACL,MAAM,EAAE,mBAAiB;YACzB,OAAO,EAAE,CAAC,wBAAU,EAAE,0BAAW,CAAC;YAClC,SAAS;YACT,OAAO,EAAE,CAAC,qBAAqB,EAAE,wBAAU,CAAC;SAC7C,CAAC;IACJ,CAAC;IAMO,MAAM,CAAC,cAAc,CAAC,MAAyB;QAErD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QAGD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACxF,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAOO,MAAM,CAAC,aAAa,CAAC,MAAyB;QACpD,OAAO;YACL,GAAG,MAAM;YACT,GAAG,EAAE;gBACH,GAAG,MAAM,CAAC,GAAG;gBACb,iBAAiB,EAAE,MAAM,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK;gBACxD,kBAAkB,EAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,IAAI,IAAI;gBACzD,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,cAAc;gBAC3C,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa;gBAC9C,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,oBAAoB;aAC5C;YACD,WAAW,EAAE;gBACX,OAAO,EAAE,MAAM,CAAC,WAAW,EAAE,OAAO,IAAI,KAAK;gBAC7C,iBAAiB,EAAE,MAAM,CAAC,WAAW,EAAE,iBAAiB,IAAI,QAAQ;gBACpE,eAAe,EAAE,MAAM,CAAC,WAAW,EAAE,eAAe,IAAI,SAAS;gBACjE,GAAG,MAAM,CAAC,WAAW;aACtB;YACD,SAAS,EAAE;gBACT,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;gBACvD,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,QAAQ,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;gBAC7D,aAAa,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE;aAC1E;YACD,QAAQ,EAAE;gBACR,eAAe,EAAE,MAAM,CAAC,QAAQ,EAAE,eAAe,IAAI,KAAK;gBAC1D,YAAY,EAAE,MAAM,CAAC,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;gBACtF,GAAG,MAAM,CAAC,QAAQ;aACnB;YACD,MAAM,EAAE;gBACN,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,IAAI,KAAK;aACrE;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AAnIY,8CAAiB;4BAAjB,iBAAiB;IAF7B,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,iBAAiB,CAmI7B"}
+{"version":3,"file":"horizon-auth.module.js","sourceRoot":"","sources":["../../src/lib/horizon-auth.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAyE;AACzE,uCAAyC;AAEzC,qDAAiD;AACjD,wDAAoD;AACpD,wDAAoD;AACpD,2DAAuD;AACvD,kEAA6D;AAItD,IAAM,iBAAiB,yBAAvB,MAAM,iBAAiB;IAM5B,MAAM,CAAC,OAAO,CAAC,MAAyB;QAEtC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAG5B,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAE/C,MAAM,SAAS,GAAe;YAC5B;gBACE,OAAO,EAAE,qBAAqB;gBAC9B,QAAQ,EAAE,WAAW;aACtB;SACF,CAAC;QAGF,IAAI,WAAW,CAAC,MAAM,EAAE,qBAAqB,EAAE,CAAC;YAC9C,SAAS,CAAC,IAAI,CAAC;gBACb,OAAO,EAAE,gBAAS;gBAClB,QAAQ,EAAE,6BAAY;aACvB,CAAC,CAAC;QACL,CAAC;QAGD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO;gBACL,MAAM,EAAE,mBAAiB;gBACzB,OAAO,EAAE;oBACP,wBAAU;iBACX;gBACD,SAAS;gBACT,OAAO,EAAE,CAAC,qBAAqB,EAAE,wBAAU,CAAC;aAC7C,CAAC;QACJ,CAAC;QAGD,OAAO;YACL,MAAM,EAAE,mBAAiB;YACzB,OAAO,EAAE;gBACP,4BAAY,CAAC,OAAO,CAAC,WAAW,CAAC;gBACjC,0BAAW,CAAC,OAAO,CAAC,WAAW,CAAC;gBAChC,wBAAU;gBACV,0BAAW;aACZ;YACD,SAAS;YACT,OAAO,EAAE,CAAC,qBAAqB,EAAE,wBAAU,CAAC;SAC7C,CAAC;IACJ,CAAC;IAOD,MAAM,CAAC,YAAY,CAAC,OAGnB;QACC,MAAM,SAAS,GAAe;YAC5B;gBACE,OAAO,EAAE,qBAAqB;gBAC9B,UAAU,EAAE,KAAK,EAAE,GAAG,IAAW,EAAE,EAAE;oBACnC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;oBACjD,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;oBAC5B,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;gBACpC,CAAC;gBACD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE;aAC7B;SACF,CAAC;QAEF,OAAO;YACL,MAAM,EAAE,mBAAiB;YACzB,OAAO,EAAE,CAAC,wBAAU,EAAE,0BAAW,CAAC;YAClC,SAAS;YACT,OAAO,EAAE,CAAC,qBAAqB,EAAE,wBAAU,CAAC;SAC7C,CAAC;IACJ,CAAC;IAMO,MAAM,CAAC,cAAc,CAAC,MAAyB;QAErD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YAEnB,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;YACxE,CAAC;YAGD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5C,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;YAED,OAAO;QACT,CAAC;QAGD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;QAC7F,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,UAAU,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,oGAAoG,CAAC,CAAC;QACxH,CAAC;QAGD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACxF,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAOO,MAAM,CAAC,aAAa,CAAC,MAAyB;QACpD,OAAO;YACL,GAAG,MAAM;YACT,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;YAChC,GAAG,EAAE;gBACH,GAAG,MAAM,CAAC,GAAG;gBACb,iBAAiB,EAAE,MAAM,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK;gBACxD,kBAAkB,EAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,IAAI,IAAI;gBACzD,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,cAAc;gBAC3C,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa;gBAC9C,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,oBAAoB;aAC5C;YACD,MAAM,EAAE;gBACN,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,YAAY;gBAC9D,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;gBACzG,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,IAAI,KAAK;aAC3C;YACD,WAAW,EAAE;gBACX,OAAO,EAAE,MAAM,CAAC,WAAW,EAAE,OAAO,IAAI,KAAK;gBAC7C,iBAAiB,EAAE,MAAM,CAAC,WAAW,EAAE,iBAAiB,IAAI,QAAQ;gBACpE,eAAe,EAAE,MAAM,CAAC,WAAW,EAAE,eAAe,IAAI,SAAS;gBACjE,GAAG,MAAM,CAAC,WAAW;aACtB;YACD,SAAS,EAAE;gBACT,KAAK,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;gBACvD,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,QAAQ,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;gBAC7D,aAAa,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE;aAC1E;YACD,QAAQ,EAAE;gBACR,eAAe,EAAE,MAAM,CAAC,QAAQ,EAAE,eAAe,IAAI,KAAK;gBAC1D,YAAY,EAAE,MAAM,CAAC,QAAQ,EAAE,YAAY,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;gBACtF,GAAG,MAAM,CAAC,QAAQ;aACnB;YACD,MAAM,EAAE;gBACN,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,IAAI,KAAK;aACrE;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AAzKY,8CAAiB;4BAAjB,iBAAiB;IAF7B,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,iBAAiB,CAyK7B"}