@opentdf/sdk 0.1.0-beta.1701

package/dist/cjs/tdf3/src/tdf.js

@@ -0,0 +1,907 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readStream = exports.sliceAndDecrypt = exports.splitLookupTableFactory = exports.loadTDFStream = exports.writeStream = exports.upsert = exports.validatePolicyObject = exports.buildKeyAccess = exports.extractPemFromKeyString = exports.unwrapHtml = exports.wrapHtml = exports.fetchKasPublicKey = void 0;
+const axios_1 = __importDefault(require("axios"));
+const buffer_crc32_js_1 = require("./utils/buffer-crc32.js");
+const jose_1 = require("jose");
+const DecoratedReadableStream_js_1 = require("./client/DecoratedReadableStream.js");
+const utils_js_1 = require("../../src/utils.js");
+const assertions = __importStar(require("./assertions.js"));
+const index_js_1 = require("./models/index.js");
+const index_js_2 = require("../../src/encodings/index.js");
+const index_js_3 = require("./utils/index.js");
+const binary_js_1 = require("./binary.js");
+const access_js_1 = require("../../src/access.js");
+const errors_js_1 = require("../../src/errors.js");
+const index_js_4 = require("./templates/index.js");
+// configurable
+// TODO: remove dependencies from ciphers so that we can open-source instead of relying on other Virtru libs
+const index_js_5 = require("./ciphers/index.js");
+const auth_js_1 = require("../../src/auth/auth.js");
+// TODO: input validation on manifest JSON
+const DEFAULT_SEGMENT_SIZE = 1024 * 1024;
+/**
+ * If we have KAS url but not public key we can fetch it from KAS, fetching
+ * the value from `${kas}/kas_public_key`.
+ */
+async function fetchKasPublicKey(kas, algorithm) {
+    if (!kas) {
+        throw new errors_js_1.ConfigurationError('KAS definition not found');
+    }
+    // Logs insecure KAS. Secure is enforced in constructor
+    (0, utils_js_1.validateSecureUrl)(kas);
+    const infoStatic = { url: kas, algorithm: algorithm || 'rsa:2048' };
+    const params = {};
+    if (algorithm) {
+        params.algorithm = algorithm;
+    }
+    const v2Url = `${kas}/v2/kas_public_key`;
+    try {
+        const response = await axios_1.default.get(v2Url, {
+            params: {
+                ...params,
+                v: '2',
+            },
+        });
+        const publicKey = typeof response.data === 'string'
+            ? await extractPemFromKeyString(response.data)
+            : response.data.publicKey;
+        return {
+            publicKey,
+            key: (0, utils_js_1.pemToCryptoPublicKey)(publicKey),
+            ...infoStatic,
+            ...(typeof response.data !== 'string' && response.data.kid && { kid: response.data.kid }),
+        };
+    }
+    catch (cause) {
+        const status = cause?.response?.status;
+        switch (status) {
+            case 400:
+            case 404:
+                // KAS does not yet implement v2, maybe
+                break;
+            case 401:
+                throw new errors_js_1.UnauthenticatedError(`[${v2Url}] requires auth`, cause);
+            case 403:
+                throw new errors_js_1.PermissionDeniedError(`[${v2Url}] permission denied`, cause);
+            default:
+                if (status && status >= 400 && status < 500) {
+                    throw new errors_js_1.ConfigurationError(`[${v2Url}] request error [${status}] [${cause.name}] [${cause.message}]`, cause);
+                }
+                throw new errors_js_1.NetworkError(`[${v2Url}] error [${status}] [${cause.name}] [${cause.message}]`, cause);
+        }
+    }
+    // Retry with v1 params
+    const v1Url = `${kas}/kas_public_key`;
+    try {
+        const response = await axios_1.default.get(v1Url, {
+            params,
+        });
+        const publicKey = typeof response.data === 'string'
+            ? await extractPemFromKeyString(response.data)
+            : response.data.publicKey;
+        // future proof: allow v2 response even if not specified.
+        return {
+            publicKey,
+            key: (0, utils_js_1.pemToCryptoPublicKey)(publicKey),
+            ...infoStatic,
+            ...(typeof response.data !== 'string' && response.data.kid && { kid: response.data.kid }),
+        };
+    }
+    catch (cause) {
+        const status = cause?.response?.status;
+        switch (status) {
+            case 401:
+                throw new errors_js_1.UnauthenticatedError(`[${v1Url}] requires auth`, cause);
+            case 403:
+                throw new errors_js_1.PermissionDeniedError(`[${v1Url}] permission denied`, cause);
+            default:
+                if (status && status >= 400 && status < 500) {
+                    throw new errors_js_1.ConfigurationError(`[${v2Url}] request error [${status}] [${cause.name}] [${cause.message}]`, cause);
+                }
+                throw new errors_js_1.NetworkError(`[${v1Url}] error [${status}] [${cause.name}] [${cause.message}]`, cause);
+        }
+    }
+}
+exports.fetchKasPublicKey = fetchKasPublicKey;
+/**
+ *
+ * @param payload The TDF content to encode in HTML
+ * @param manifest A copy of the manifest
+ * @param transferUrl reader web-service start page
+ * @return utf-8 encoded HTML data
+ */
+function wrapHtml(payload, manifest, transferUrl) {
+    const { origin } = new URL(transferUrl);
+    const exportManifest = typeof manifest === 'string' ? manifest : JSON.stringify(manifest);
+    const fullHtmlString = (0, index_js_4.htmlWrapperTemplate)({
+        transferUrl,
+        transferBaseUrl: origin,
+        manifest: index_js_2.base64.encode(exportManifest),
+        payload: (0, index_js_3.buffToString)(payload, 'base64'),
+    });
+    return new TextEncoder().encode(fullHtmlString);
+}
+exports.wrapHtml = wrapHtml;
+function unwrapHtml(htmlPayload) {
+    let html;
+    if (htmlPayload instanceof ArrayBuffer || ArrayBuffer.isView(htmlPayload)) {
+        html = new TextDecoder().decode(htmlPayload);
+    }
+    else {
+        html = htmlPayload.toString();
+    }
+    const payloadRe = /<input id=['"]?data-input['"]?[^>]*?value=['"]?([a-zA-Z0-9+/=]+)['"]?/;
+    const reResult = payloadRe.exec(html);
+    if (reResult === null) {
+        throw new errors_js_1.InvalidFileError('Payload is missing');
+    }
+    const base64Payload = reResult[1];
+    try {
+        return (0, index_js_3.base64ToBuffer)(base64Payload);
+    }
+    catch (e) {
+        throw new errors_js_1.InvalidFileError('There was a problem extracting the TDF3 payload', e);
+    }
+}
+exports.unwrapHtml = unwrapHtml;
+async function extractPemFromKeyString(keyString) {
+    let pem = keyString;
+    // Skip the public key extraction if we find that the KAS url provides a
+    // PEM-encoded key instead of certificate
+    if (keyString.includes('CERTIFICATE')) {
+        const cert = await (0, jose_1.importX509)(keyString, 'RS256', { extractable: true });
+        pem = await (0, jose_1.exportSPKI)(cert);
+    }
+    return pem;
+}
+exports.extractPemFromKeyString = extractPemFromKeyString;
+/**
+ * Build a key access object and add it to the list. Can specify either
+ * a (url, publicKey) pair (legacy, deprecated) or an attribute URL (future).
+ * If all are missing then it attempts to use the default attribute. If that
+ * is missing it throws an error.
+ * @param  {Object} options
+ * @param  {String} options.type - enum representing how the object key is treated
+ * @param  {String} options.attributeUrl - URL of the attribute to use for pubKey and kasUrl. Omit to use default.
+ * @param  {String} options.url - directly set the KAS URL
+ * @param  {String} options.publicKey - directly set the (KAS) public key
+ * @param  {String?} options.kid - Key identifier of KAS public key
+ * @param  {String? Object?} options.metadata - Metadata. Appears to be dead code.
+ * @return {KeyAccess}- the key access object loaded
+ */
+async function buildKeyAccess({ attributeSet, type, url, publicKey, kid, attributeUrl, metadata, sid = '', }) {
+    /** Internal function to keep it DRY */
+    function createKeyAccess(type, kasUrl, kasKeyIdentifier, pubKey, metadata) {
+        switch (type) {
+            case 'wrapped':
+                return new index_js_1.Wrapped(kasUrl, kasKeyIdentifier, pubKey, metadata, sid);
+            case 'remote':
+                return new index_js_1.Remote(kasUrl, kasKeyIdentifier, pubKey, metadata, sid);
+            default:
+                throw new errors_js_1.ConfigurationError(`buildKeyAccess: Key access type ${type} is unknown`);
+        }
+    }
+    // If an attributeUrl is provided try to load with that first.
+    if (attributeUrl && attributeSet) {
+        const attr = attributeSet.get(attributeUrl);
+        if (attr && attr.kasUrl && attr.pubKey) {
+            return createKeyAccess(type, attr.kasUrl, attr.kid, attr.pubKey, metadata);
+        }
+    }
+    // if url and pulicKey are specified load the key access object with them
+    if (url && publicKey) {
+        return createKeyAccess(type, url, kid, await extractPemFromKeyString(publicKey), metadata);
+    }
+    // Assume the default attribute is the source for kasUrl and pubKey
+    const defaultAttr = attributeSet?.getDefault();
+    if (defaultAttr) {
+        const { pubKey, kasUrl } = defaultAttr;
+        if (pubKey && kasUrl) {
+            return createKeyAccess(type, kasUrl, kid, await extractPemFromKeyString(pubKey), metadata);
+        }
+    }
+    // All failed. Raise an error.
+    throw new errors_js_1.ConfigurationError('TDF.buildKeyAccess: No source for kasUrl or pubKey');
+}
+exports.buildKeyAccess = buildKeyAccess;
+function validatePolicyObject(policy) {
+    const missingFields = [];
+    if (!policy.uuid)
+        missingFields.push('uuid');
+    if (!policy.body)
+        missingFields.push('body', 'body.dissem');
+    if (policy.body && !policy.body.dissem)
+        missingFields.push('body.dissem');
+    if (missingFields.length) {
+        throw new errors_js_1.ConfigurationError(`The given policy object requires the following properties: ${missingFields}`);
+    }
+}
+exports.validatePolicyObject = validatePolicyObject;
+async function _generateManifest(keyInfo, encryptionInformation, policy, mimeType) {
+    // (maybe) Fields are quoted to avoid renaming
+    const payload = {
+        type: 'reference',
+        url: '0.payload',
+        protocol: 'zip',
+        isEncrypted: true,
+        schemaVersion: '3.0.0',
+        ...(mimeType && { mimeType }),
+    };
+    const encryptionInformationStr = await encryptionInformation.write(policy, keyInfo);
+    const assertions = [];
+    return {
+        payload,
+        // generate the manifest first, then insert integrity information into it
+        encryptionInformation: encryptionInformationStr,
+        assertions: assertions,
+    };
+}
+async function getSignature(unwrappedKeyBinary, payloadBinary, algorithmType, cryptoService) {
+    switch (algorithmType.toUpperCase()) {
+        case 'GMAC':
+            // use the auth tag baked into the encrypted payload
+            return (0, index_js_3.buffToString)(Uint8Array.from(payloadBinary.asByteArray()).slice(-16), 'hex');
+        case 'HS256':
+            // simple hmac is the default
+            return await cryptoService.hmac((0, index_js_3.buffToString)(new Uint8Array(unwrappedKeyBinary.asArrayBuffer()), 'hex'), (0, index_js_3.buffToString)(new Uint8Array(payloadBinary.asArrayBuffer()), 'utf-8'));
+        default:
+            throw new errors_js_1.ConfigurationError(`Unsupported signature alg [${algorithmType}]`);
+    }
+}
+function buildRequest(method, url, body) {
+    return {
+        headers: {},
+        method: method,
+        url: url,
+        body,
+    };
+}
+async function upsert({ allowedKases, allowList, authProvider, entity, privateKey, unsavedManifest, ignoreType, }) {
+    const allowed = (() => {
+        if (allowList) {
+            return allowList;
+        }
+        if (!allowedKases) {
+            throw new errors_js_1.ConfigurationError('Upsert cannot be done without allowlist');
+        }
+        return new access_js_1.OriginAllowList(allowedKases);
+    })();
+    const { keyAccess, policy } = unsavedManifest.encryptionInformation;
+    const isAppIdProvider = authProvider && (0, index_js_3.isAppIdProviderCheck)(authProvider);
+    if (authProvider === undefined) {
+        throw new errors_js_1.ConfigurationError('Upsert cannot be done without auth provider');
+    }
+    return Promise.all(keyAccess.map(async (keyAccessObject) => {
+        // We only care about remote key access objects for the policy sync portion
+        const isRemote = (0, index_js_1.isRemote)(keyAccessObject);
+        if (!ignoreType && !isRemote) {
+            return;
+        }
+        if (!allowed.allows(keyAccessObject.url)) {
+            throw new errors_js_1.UnsafeUrlError(`Unexpected KAS url: [${keyAccessObject.url}]`);
+        }
+        const url = `${keyAccessObject.url}/${isAppIdProvider ? '' : 'v2/'}upsert`;
+        //TODO I dont' think we need a body at all for KAS requests
+        // Do we need ANY of this if it's already embedded in the EO in the Bearer OIDC token?
+        const body = {
+            keyAccess: keyAccessObject,
+            policy: unsavedManifest.encryptionInformation.policy,
+            entity: (0, index_js_3.isAppIdProviderCheck)(authProvider) ? entity : undefined,
+            authToken: undefined,
+            clientPayloadSignature: undefined,
+        };
+        if ((0, index_js_3.isAppIdProviderCheck)(authProvider)) {
+            body.authToken = await (0, auth_js_1.reqSignature)({}, privateKey);
+        }
+        else {
+            body.clientPayloadSignature = await (0, auth_js_1.reqSignature)(body, privateKey);
+        }
+        const httpReq = await authProvider.withCreds(buildRequest('POST', url, body));
+        try {
+            const response = await axios_1.default.post(httpReq.url, httpReq.body, {
+                headers: httpReq.headers,
+            });
+            // Remove additional properties which were needed to sync, but not that we want to save to
+            // the manifest
+            delete keyAccessObject.wrappedKey;
+            delete keyAccessObject.encryptedMetadata;
+            delete keyAccessObject.policyBinding;
+            if (isRemote) {
+                // Decode the policy and extract only the required info to save -- the uuid
+                const decodedPolicy = JSON.parse(index_js_2.base64.decode(policy));
+                unsavedManifest.encryptionInformation.policy = index_js_2.base64.encode(JSON.stringify({ uuid: decodedPolicy.uuid }));
+            }
+            return response.data;
+        }
+        catch (e) {
+            if (e.response) {
+                if (e.response.status >= 500) {
+                    throw new errors_js_1.ServiceError('upsert failure', e);
+                }
+                else if (e.response.status === 403) {
+                    throw new errors_js_1.PermissionDeniedError('upsert failure', e);
+                }
+                else if (e.response.status === 401) {
+                    throw new errors_js_1.UnauthenticatedError('upsert auth failure', e);
+                }
+                else if (e.response.status === 400) {
+                    throw new errors_js_1.ConfigurationError('upsert bad request; likely a configuration error', e);
+                }
+                else {
+                    throw new errors_js_1.NetworkError('upsert server error', e);
+                }
+            }
+            else if (e.request) {
+                throw new errors_js_1.NetworkError('upsert request failure', e);
+            }
+            throw new errors_js_1.TdfError(`Unable to perform upsert operation on the KAS: [${e.name}: ${e.message}], response: [${e?.response?.body}]`, e);
+        }
+    }));
+}
+exports.upsert = upsert;
+async function writeStream(cfg) {
+    if (!cfg.authProvider) {
+        throw new errors_js_1.ConfigurationError('No authorization middleware defined');
+    }
+    if (!cfg.contentStream) {
+        throw new errors_js_1.ConfigurationError('No input stream defined');
+    }
+    // eslint-disable-next-line @typescript-eslint/no-this-alias
+    const segmentInfos = [];
+    cfg.byteLimit ??= Number.MAX_SAFE_INTEGER;
+    const entryInfos = [
+        {
+            filename: '0.payload',
+        },
+        {
+            filename: '0.manifest.json',
+        },
+    ];
+    let currentBuffer = new Uint8Array();
+    let totalByteCount = 0;
+    let bytesProcessed = 0;
+    let crcCounter = 0;
+    let fileByteCount = 0;
+    let aggregateHash = '';
+    const zipWriter = new index_js_3.ZipWriter();
+    const manifest = await _generateManifest(cfg.keyForManifest, cfg.encryptionInformation, cfg.policy, cfg.mimeType);
+    if (!manifest) {
+        // Set in encrypt; should never be reached.
+        throw new errors_js_1.ConfigurationError('internal: please use "loadTDFStream" first to load a manifest.');
+    }
+    const pkKeyLike = cfg.dpopKeys.privateKey;
+    // For all remote key access objects, sync its policy
+    const upsertResponse = await upsert({
+        allowedKases: cfg.allowList ? undefined : cfg.allowedKases,
+        allowList: cfg.allowList,
+        authProvider: cfg.authProvider,
+        entity: cfg.entity,
+        privateKey: pkKeyLike,
+        unsavedManifest: manifest,
+    });
+    // determine default segment size by writing empty buffer
+    const { segmentSizeDefault } = cfg;
+    const encryptedBlargh = await cfg.encryptionInformation.encrypt(binary_js_1.Binary.fromArrayBuffer(new ArrayBuffer(segmentSizeDefault)), cfg.keyForEncryption.unwrappedKeyBinary);
+    const payloadBuffer = new Uint8Array(encryptedBlargh.payload.asByteArray());
+    const encryptedSegmentSizeDefault = payloadBuffer.length;
+    // start writing the content
+    entryInfos[0].filename = '0.payload';
+    entryInfos[0].offset = totalByteCount;
+    const sourceReader = cfg.contentStream.getReader();
+    /*
+    TODO: Code duplication should be addressed
+    - RCA operations require that the write stream has already finished executing it's .on('end') handler before being returned,
+      thus both handlers are wrapped in a encompassing promise when we have an RCA source. We should investigate
+      if this causes O(n) promises to be loaded into memory.
+    - LFS operations can have the write stream returned immediately after both .on('end') and .on('data') handlers
+      have been defined, thus not requiring the handlers to be wrapped in a promise.
+    */
+    const underlingSource = {
+        start: (controller) => {
+            controller.enqueue(getHeader(entryInfos[0].filename));
+            _countChunk(getHeader(entryInfos[0].filename));
+            crcCounter = 0;
+            fileByteCount = 0;
+        },
+        pull: async (controller) => {
+            let isDone;
+            while (currentBuffer.length < segmentSizeDefault && !isDone) {
+                const { value, done } = await sourceReader.read();
+                isDone = done;
+                if (value) {
+                    currentBuffer = (0, index_js_3.concatUint8)([currentBuffer, value]);
+                }
+            }
+            while (currentBuffer.length >= segmentSizeDefault &&
+                !!controller.desiredSize &&
+                controller.desiredSize > 0) {
+                const segment = currentBuffer.slice(0, segmentSizeDefault);
+                const encryptedSegment = await _encryptAndCountSegment(segment);
+                controller.enqueue(encryptedSegment);
+                currentBuffer = currentBuffer.slice(segmentSizeDefault);
+            }
+            const isFinalChunkLeft = isDone && currentBuffer.length;
+            if (isFinalChunkLeft) {
+                const encryptedSegment = await _encryptAndCountSegment(currentBuffer);
+                controller.enqueue(encryptedSegment);
+                currentBuffer = new Uint8Array();
+            }
+            if (isDone && currentBuffer.length === 0) {
+                entryInfos[0].crcCounter = crcCounter;
+                entryInfos[0].fileByteCount = fileByteCount;
+                const payloadDataDescriptor = zipWriter.writeDataDescriptor(crcCounter, fileByteCount);
+                controller.enqueue(payloadDataDescriptor);
+                _countChunk(payloadDataDescriptor);
+                // prepare the manifest
+                entryInfos[1].filename = '0.manifest.json';
+                entryInfos[1].offset = totalByteCount;
+                controller.enqueue(getHeader(entryInfos[1].filename));
+                _countChunk(getHeader(entryInfos[1].filename));
+                crcCounter = 0;
+                fileByteCount = 0;
+                // hash the concat of all hashes
+                const payloadSigStr = await getSignature(cfg.keyForEncryption.unwrappedKeyBinary, binary_js_1.Binary.fromString(aggregateHash), cfg.integrityAlgorithm, cfg.cryptoService);
+                manifest.encryptionInformation.integrityInformation.rootSignature.sig =
+                    index_js_2.base64.encode(payloadSigStr);
+                manifest.encryptionInformation.integrityInformation.rootSignature.alg =
+                    cfg.integrityAlgorithm;
+                manifest.encryptionInformation.integrityInformation.segmentSizeDefault = segmentSizeDefault;
+                manifest.encryptionInformation.integrityInformation.encryptedSegmentSizeDefault =
+                    encryptedSegmentSizeDefault;
+                manifest.encryptionInformation.integrityInformation.segmentHashAlg =
+                    cfg.segmentIntegrityAlgorithm;
+                manifest.encryptionInformation.integrityInformation.segments = segmentInfos;
+                manifest.encryptionInformation.method.isStreamable = true;
+                const signedAssertions = [];
+                if (cfg.assertionConfigs && cfg.assertionConfigs.length > 0) {
+                    await Promise.all(cfg.assertionConfigs.map(async (assertionConfig) => {
+                        // Create assertion using the assertionConfig values
+                        const signingKey = assertionConfig.signingKey ?? {
+                            alg: 'HS256',
+                            key: new Uint8Array(cfg.keyForEncryption.unwrappedKeyBinary.asArrayBuffer()),
+                        };
+                        const assertion = await assertions.CreateAssertion(aggregateHash, {
+                            ...assertionConfig,
+                            signingKey,
+                        });
+                        // Add signed assertion to the signedAssertions array
+                        signedAssertions.push(assertion);
+                    }));
+                }
+                manifest.assertions = signedAssertions;
+                // write the manifest
+                const manifestBuffer = new TextEncoder().encode(JSON.stringify(manifest));
+                controller.enqueue(manifestBuffer);
+                _countChunk(manifestBuffer);
+                entryInfos[1].crcCounter = crcCounter;
+                entryInfos[1].fileByteCount = fileByteCount;
+                const manifestDataDescriptor = zipWriter.writeDataDescriptor(crcCounter, fileByteCount);
+                controller.enqueue(manifestDataDescriptor);
+                _countChunk(manifestDataDescriptor);
+                // write the central directory out
+                const centralDirectoryByteCount = totalByteCount;
+                for (let i = 0; i < entryInfos.length; i++) {
+                    const entryInfo = entryInfos[i];
+                    const result = zipWriter.writeCentralDirectoryRecord(entryInfo.fileByteCount || 0, entryInfo.filename, entryInfo.offset || 0, entryInfo.crcCounter || 0, 2175008768);
+                    controller.enqueue(result);
+                    _countChunk(result);
+                }
+                const endOfCentralDirectoryByteCount = totalByteCount - centralDirectoryByteCount;
+                const finalChunk = zipWriter.writeEndOfCentralDirectoryRecord(entryInfos.length, endOfCentralDirectoryByteCount, centralDirectoryByteCount);
+                controller.enqueue(finalChunk);
+                _countChunk(finalChunk);
+                controller.close();
+            }
+        },
+    };
+    const plaintextStream = new DecoratedReadableStream_js_1.DecoratedReadableStream(underlingSource);
+    plaintextStream.manifest = manifest;
+    if (upsertResponse) {
+        plaintextStream.upsertResponse = upsertResponse;
+        plaintextStream.tdfSize = totalByteCount;
+        plaintextStream.algorithm = manifest.encryptionInformation.method.algorithm;
+    }
+    return plaintextStream;
+    // nested helper fn's
+    function getHeader(filename) {
+        return zipWriter.getLocalFileHeader(filename, 0, 0, 0);
+    }
+    function _countChunk(chunk) {
+        if (typeof chunk === 'string') {
+            chunk = new TextEncoder().encode(chunk);
+        }
+        totalByteCount += chunk.length;
+        if (totalByteCount > cfg.byteLimit) {
+            throw new errors_js_1.ConfigurationError(`Safe byte limit (${cfg.byteLimit}) exceeded`);
+        }
+        //new Uint8Array(chunk.buffer, chunk.byteOffset, chunk.byteLength);
+        crcCounter = (0, buffer_crc32_js_1.unsigned)(chunk, crcCounter);
+        fileByteCount += chunk.length;
+    }
+    async function _encryptAndCountSegment(chunk) {
+        bytesProcessed += chunk.length;
+        cfg.progressHandler?.(bytesProcessed);
+        // Don't pass in an IV here. The encrypt function will generate one for you, ensuring that each segment has a unique IV.
+        const encryptedResult = await cfg.encryptionInformation.encrypt(binary_js_1.Binary.fromArrayBuffer(chunk.buffer), cfg.keyForEncryption.unwrappedKeyBinary);
+        const payloadBuffer = new Uint8Array(encryptedResult.payload.asByteArray());
+        const payloadSigStr = await getSignature(cfg.keyForEncryption.unwrappedKeyBinary, encryptedResult.payload, cfg.segmentIntegrityAlgorithm, cfg.cryptoService);
+        // combined string of all hashes for root signature
+        aggregateHash += payloadSigStr;
+        segmentInfos.push({
+            hash: index_js_2.base64.encode(payloadSigStr),
+            segmentSize: chunk.length === segmentSizeDefault ? undefined : chunk.length,
+            encryptedSegmentSize: payloadBuffer.length === encryptedSegmentSizeDefault ? undefined : payloadBuffer.length,
+        });
+        const result = new Uint8Array(encryptedResult.payload.asByteArray());
+        _countChunk(result);
+        return result;
+    }
+}
+exports.writeStream = writeStream;
+// load the TDF as a stream in memory, for further use in reading and key syncing
+async function loadTDFStream(chunker) {
+    const zipReader = new index_js_3.ZipReader(chunker);
+    const centralDirectory = await zipReader.getCentralDirectory();
+    const manifest = await zipReader.getManifest(centralDirectory, '0.manifest.json');
+    return { manifest, zipReader, centralDirectory };
+}
+exports.loadTDFStream = loadTDFStream;
+function splitLookupTableFactory(keyAccess, allowedKases) {
+    const allowed = (k) => allowedKases.allows(k.url);
+    const splitIds = new Set(keyAccess.map(({ sid }) => sid ?? ''));
+    const accessibleSplits = new Set(keyAccess.filter(allowed).map(({ sid }) => sid));
+    if (splitIds.size > accessibleSplits.size) {
+        const disallowedKases = new Set(keyAccess.filter((k) => !allowed(k)).map(({ url }) => url));
+        throw new errors_js_1.UnsafeUrlError(`Unreconstructable key - disallowed KASes include: ${JSON.stringify([
+            ...disallowedKases,
+        ])} from splitIds ${JSON.stringify([...splitIds])}`, ...disallowedKases);
+    }
+    const splitPotentials = Object.fromEntries([...splitIds].map((s) => [s, {}]));
+    for (const kao of keyAccess) {
+        const disjunction = splitPotentials[kao.sid ?? ''];
+        if (kao.url in disjunction) {
+            throw new errors_js_1.InvalidFileError(`TODO: Fallback to no split ids. Repetition found for [${kao.url}] on split [${kao.sid}]`);
+        }
+        if (allowed(kao)) {
+            disjunction[kao.url] = kao;
+        }
+    }
+    return splitPotentials;
+}
+exports.splitLookupTableFactory = splitLookupTableFactory;
+async function unwrapKey({ manifest, allowedKases, authProvider, dpopKeys, entity, cryptoService, }) {
+    if (authProvider === undefined) {
+        throw new errors_js_1.ConfigurationError('upsert requires auth provider; must be configured in client constructor');
+    }
+    const { keyAccess } = manifest.encryptionInformation;
+    const splitPotentials = splitLookupTableFactory(keyAccess, allowedKases);
+    const isAppIdProvider = authProvider && (0, index_js_3.isAppIdProviderCheck)(authProvider);
+    async function tryKasRewrap(keySplitInfo) {
+        const url = `${keySplitInfo.url}/${isAppIdProvider ? '' : 'v2/'}rewrap`;
+        const ephemeralEncryptionKeys = await cryptoService.cryptoToPemPair(await cryptoService.generateKeyPair());
+        const clientPublicKey = ephemeralEncryptionKeys.publicKey;
+        const requestBodyStr = JSON.stringify({
+            algorithm: 'RS256',
+            keyAccess: keySplitInfo,
+            policy: manifest.encryptionInformation.policy,
+            clientPublicKey,
+        });
+        const jwtPayload = { requestBody: requestBodyStr };
+        const signedRequestToken = await (0, auth_js_1.reqSignature)(isAppIdProvider ? {} : jwtPayload, dpopKeys.privateKey);
+        let requestBody;
+        if (isAppIdProvider) {
+            requestBody = {
+                keyAccess: keySplitInfo,
+                policy: manifest.encryptionInformation.policy,
+                entity: {
+                    ...entity,
+                    publicKey: clientPublicKey,
+                },
+                authToken: signedRequestToken,
+            };
+        }
+        else {
+            requestBody = {
+                signedRequestToken,
+            };
+        }
+        const httpReq = await authProvider.withCreds(buildRequest('POST', url, requestBody));
+        const { data: { entityWrappedKey, metadata }, } = await axios_1.default.post(httpReq.url, httpReq.body, { headers: httpReq.headers });
+        const key = binary_js_1.Binary.fromString(index_js_2.base64.decode(entityWrappedKey));
+        const decryptedKeyBinary = await cryptoService.decryptWithPrivateKey(key, ephemeralEncryptionKeys.privateKey);
+        return {
+            key: new Uint8Array(decryptedKeyBinary.asByteArray()),
+            metadata,
+        };
+    }
+    // Get unique split IDs to determine if we have an OR or AND condition
+    const splitIds = new Set(Object.keys(splitPotentials));
+    // If we have only one split ID, it's an OR condition
+    if (splitIds.size === 1) {
+        const [splitId] = splitIds;
+        const potentials = splitPotentials[splitId];
+        try {
+            // OR condition: Try all KAS servers for this split, take first success
+            const result = await Promise.any(Object.values(potentials).map(async (keySplitInfo) => {
+                try {
+                    return await tryKasRewrap(keySplitInfo);
+                }
+                catch (e) {
+                    // Rethrow with more context
+                    throw handleRewrapError(e);
+                }
+            }));
+            const reconstructedKey = (0, index_js_3.keyMerge)([result.key]);
+            return {
+                reconstructedKeyBinary: binary_js_1.Binary.fromArrayBuffer(reconstructedKey),
+                metadata: result.metadata,
+            };
+        }
+        catch (error) {
+            if (error instanceof AggregateError) {
+                // All KAS servers failed
+                throw error.errors[0]; // Throw the first error since we've already wrapped them
+            }
+            throw error;
+        }
+    }
+    else {
+        // AND condition: We need successful results from all different splits
+        const splitResults = await Promise.all(Object.entries(splitPotentials).map(async ([splitId, potentials]) => {
+            if (!potentials || !Object.keys(potentials).length) {
+                throw new errors_js_1.UnsafeUrlError(`Unreconstructable key - no valid KAS found for split ${JSON.stringify(splitId)}`, '');
+            }
+            try {
+                // For each split, try all potential KAS servers until one succeeds
+                return await Promise.any(Object.values(potentials).map(async (keySplitInfo) => {
+                    try {
+                        return await tryKasRewrap(keySplitInfo);
+                    }
+                    catch (e) {
+                        throw handleRewrapError(e);
+                    }
+                }));
+            }
+            catch (error) {
+                if (error instanceof AggregateError) {
+                    // All KAS servers for this split failed
+                    throw error.errors[0]; // Throw the first error since we've already wrapped them
+                }
+                throw error;
+            }
+        }));
+        // Merge all the split keys
+        const reconstructedKey = (0, index_js_3.keyMerge)(splitResults.map((r) => r.key));
+        return {
+            reconstructedKeyBinary: binary_js_1.Binary.fromArrayBuffer(reconstructedKey),
+            metadata: splitResults[0].metadata, // Use metadata from first split
+        };
+    }
+}
+function handleRewrapError(error) {
+    if (axios_1.default.isAxiosError(error)) {
+        if (error.response?.status && error.response?.status >= 500) {
+            return new errors_js_1.ServiceError('rewrap failure', error);
+        }
+        else if (error.response?.status === 403) {
+            return new errors_js_1.PermissionDeniedError('rewrap failure', error);
+        }
+        else if (error.response?.status === 401) {
+            return new errors_js_1.UnauthenticatedError('rewrap auth failure', error);
+        }
+        else if (error.response?.status === 400) {
+            return new errors_js_1.InvalidFileError('rewrap bad request; could indicate an invalid policy binding or a configuration error', error);
+        }
+        else {
+            return new errors_js_1.NetworkError('rewrap server error', error);
+        }
+    }
+    else {
+        if (error.name === 'InvalidAccessError' || error.name === 'OperationError') {
+            return new errors_js_1.DecryptError('unable to unwrap key from kas', error);
+        }
+        return new errors_js_1.InvalidFileError(`Unable to decrypt the response from KAS: [${error.name}: ${error.message}]`, error);
+    }
+}
+async function decryptChunk(encryptedChunk, reconstructedKeyBinary, hash, cipher, segmentIntegrityAlgorithm, cryptoService) {
+    if (segmentIntegrityAlgorithm !== 'GMAC' && segmentIntegrityAlgorithm !== 'HS256') {
+    }
+    const segmentHashStr = await getSignature(reconstructedKeyBinary, binary_js_1.Binary.fromArrayBuffer(encryptedChunk.buffer), segmentIntegrityAlgorithm, cryptoService);
+    if (hash !== btoa(segmentHashStr)) {
+        throw new errors_js_1.IntegrityError('Failed integrity check on segment hash');
+    }
+    return await cipher.decrypt(encryptedChunk, reconstructedKeyBinary);
+}
+async function updateChunkQueue(chunkMap, centralDirectory, zipReader, reconstructedKeyBinary, cipher, segmentIntegrityAlgorithm, cryptoService) {
+    const chunksInOneDownload = 500;
+    let requests = [];
+    const maxLength = 3;
+    for (let i = 0; i < chunkMap.length; i += chunksInOneDownload) {
+        if (requests.length === maxLength) {
+            await Promise.all(requests);
+            requests = [];
+        }
+        requests.push((async () => {
+            let buffer;
+            const slice = chunkMap.slice(i, i + chunksInOneDownload);
+            try {
+                const bufferSize = slice.reduce((currentVal, { encryptedSegmentSize }) => currentVal + encryptedSegmentSize, 0);
+                buffer = await zipReader.getPayloadSegment(centralDirectory, '0.payload', slice[0].encryptedOffset, bufferSize);
+            }
+            catch (e) {
+                if (e instanceof errors_js_1.InvalidFileError) {
+                    throw e;
+                }
+                throw new errors_js_1.NetworkError('unable to fetch payload segment', e);
+            }
+            if (buffer) {
+                sliceAndDecrypt({
+                    buffer,
+                    cryptoService,
+                    reconstructedKeyBinary,
+                    slice,
+                    cipher,
+                    segmentIntegrityAlgorithm,
+                });
+            }
+        })());
+    }
+}
+async function sliceAndDecrypt({ buffer, reconstructedKeyBinary, slice, cipher, cryptoService, segmentIntegrityAlgorithm, }) {
+    for (const index in slice) {
+        const { encryptedOffset, encryptedSegmentSize, _resolve, _reject } = slice[index];
+        const offset = slice[0].encryptedOffset === 0 ? encryptedOffset : encryptedOffset % slice[0].encryptedOffset;
+        const encryptedChunk = new Uint8Array(buffer.slice(offset, offset + encryptedSegmentSize));
+        try {
+            const result = await decryptChunk(encryptedChunk, reconstructedKeyBinary, slice[index]['hash'], cipher, segmentIntegrityAlgorithm, cryptoService);
+            slice[index].decryptedChunk = result;
+            if (_resolve) {
+                _resolve(null);
+            }
+        }
+        catch (e) {
+            if (_reject) {
+                _reject(e);
+            }
+            else {
+                throw e;
+            }
+        }
+    }
+}
+exports.sliceAndDecrypt = sliceAndDecrypt;
+async function readStream(cfg) {
+    let { allowList } = cfg;
+    if (!allowList) {
+        if (!cfg.allowedKases) {
+            throw new errors_js_1.ConfigurationError('Upsert cannot be done without allowlist');
+        }
+        allowList = new access_js_1.OriginAllowList(cfg.allowedKases);
+    }
+    const { manifest, zipReader, centralDirectory } = await loadTDFStream(cfg.chunker);
+    if (!manifest) {
+        throw new errors_js_1.InvalidFileError('Missing manifest data');
+    }
+    cfg.keyMiddleware ??= async (key) => key;
+    const { encryptedSegmentSizeDefault: defaultSegmentSize, rootSignature, segmentHashAlg, segments, } = manifest.encryptionInformation.integrityInformation;
+    const { metadata, reconstructedKeyBinary } = await unwrapKey({
+        manifest,
+        authProvider: cfg.authProvider,
+        allowedKases: allowList,
+        dpopKeys: cfg.dpopKeys,
+        entity: cfg.entity,
+        cryptoService: cfg.cryptoService,
+    });
+    // async function unwrapKey(manifest: Manifest, allowedKases: string[], authProvider: AuthProvider | AppIdAuthProvider, publicKey: string, privateKey: string, entity: EntityObject) {
+    const keyForDecryption = await cfg.keyMiddleware(reconstructedKeyBinary);
+    const encryptedSegmentSizeDefault = defaultSegmentSize || DEFAULT_SEGMENT_SIZE;
+    // check the combined string of hashes
+    const aggregateHash = segments.map(({ hash }) => index_js_2.base64.decode(hash)).join('');
+    const integrityAlgorithm = rootSignature.alg;
+    if (integrityAlgorithm !== 'GMAC' && integrityAlgorithm !== 'HS256') {
+        throw new errors_js_1.UnsupportedFeatureError(`Unsupported integrity alg [${integrityAlgorithm}]`);
+    }
+    const payloadSigStr = await getSignature(keyForDecryption, binary_js_1.Binary.fromString(aggregateHash), integrityAlgorithm, cfg.cryptoService);
+    if (manifest.encryptionInformation.integrityInformation.rootSignature.sig !==
+        index_js_2.base64.encode(payloadSigStr)) {
+        throw new errors_js_1.IntegrityError('Failed integrity check on root signature');
+    }
+    if (!cfg.noVerifyAssertions) {
+        for (const assertion of manifest.assertions || []) {
+            // Create a default assertion key
+            let assertionKey = {
+                alg: 'HS256',
+                key: new Uint8Array(reconstructedKeyBinary.asArrayBuffer()),
+            };
+            if (cfg.assertionVerificationKeys) {
+                const foundKey = cfg.assertionVerificationKeys.Keys[assertion.id];
+                if (foundKey) {
+                    assertionKey = foundKey;
+                }
+            }
+            await assertions.verify(assertion, aggregateHash, assertionKey);
+        }
+    }
+    let mapOfRequestsOffset = 0;
+    const chunkMap = new Map(segments.map(({ hash, encryptedSegmentSize = encryptedSegmentSizeDefault }) => {
+        const result = (() => {
+            let _resolve, _reject;
+            const chunk = {
+                hash,
+                encryptedOffset: mapOfRequestsOffset,
+                encryptedSegmentSize,
+                promise: new Promise((resolve, reject) => {
+                    _resolve = resolve;
+                    _reject = reject;
+                }),
+            };
+            chunk._resolve = _resolve;
+            chunk._reject = _reject;
+            return chunk;
+        })();
+        mapOfRequestsOffset += encryptedSegmentSize || encryptedSegmentSizeDefault;
+        return [hash, result];
+    }));
+    const cipher = new index_js_5.AesGcmCipher(cfg.cryptoService);
+    const segmentIntegrityAlg = segmentHashAlg || integrityAlgorithm;
+    if (segmentIntegrityAlg !== 'GMAC' && segmentIntegrityAlg !== 'HS256') {
+        throw new errors_js_1.UnsupportedFeatureError(`Unsupported segment hash alg [${segmentIntegrityAlg}]`);
+    }
+    // Not waiting for Promise to resolve
+    updateChunkQueue(Array.from(chunkMap.values()), centralDirectory, zipReader, keyForDecryption, cipher, segmentIntegrityAlg, cfg.cryptoService);
+    let progress = 0;
+    const underlyingSource = {
+        pull: async (controller) => {
+            if (chunkMap.size === 0) {
+                controller.close();
+                return;
+            }
+            const [hash, chunk] = chunkMap.entries().next().value;
+            if (!chunk.decryptedChunk) {
+                await chunk.promise;
+            }
+            const decryptedSegment = chunk.decryptedChunk;
+            controller.enqueue(new Uint8Array(decryptedSegment.payload.asByteArray()));
+            progress += chunk.encryptedSegmentSize;
+            cfg.progressHandler?.(progress);
+            chunk.decryptedChunk = null;
+            chunkMap.delete(hash);
+        },
+        ...(cfg.fileStreamServiceWorker && { fileStreamServiceWorker: cfg.fileStreamServiceWorker }),
+    };
+    const outputStream = new DecoratedReadableStream_js_1.DecoratedReadableStream(underlyingSource);
+    outputStream.manifest = manifest;
+    outputStream.emit('manifest', manifest);
+    outputStream.metadata = metadata;
+    outputStream.emit('rewrap', metadata);
+    return outputStream;
+}
+exports.readStream = readStream;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidGRmLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vdGRmMy9zcmMvdGRmLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsa0RBQTBDO0FBQzFDLDZEQUFtRDtBQUNuRCwrQkFBOEM7QUFDOUMsb0ZBQThFO0FBRTlFLGlEQUE2RTtBQUc3RSw0REFBOEM7QUFFOUMsZ0RBYzJCO0FBQzNCLDJEQUFzRDtBQUN0RCwrQ0FTMEI7QUFDMUIsMkNBQXFDO0FBQ3JDLG1EQUErRjtBQUMvRixtREFZNkI7QUFDN0IsbURBQTJEO0FBRTNELGVBQWU7QUFDZiw0R0FBNEc7QUFDNUcsaURBQWtEO0FBQ2xELG9EQU1nQztBQU1oQywwQ0FBMEM7QUFDMUMsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLEdBQUcsSUFBSSxDQUFDO0FBZ0l6Qzs7O0dBR0c7QUFDSSxLQUFLLFVBQVUsaUJBQWlCLENBQ3JDLEdBQVcsRUFDWCxTQUFpQztJQUVqQyxJQUFJLENBQUMsR0FBRyxFQUFFO1FBQ1IsTUFBTSxJQUFJLDhCQUFrQixDQUFDLDBCQUEwQixDQUFDLENBQUM7S0FDMUQ7SUFDRCx1REFBdUQ7SUFDdkQsSUFBQSw0QkFBaUIsRUFBQyxHQUFHLENBQUMsQ0FBQztJQUN2QixNQUFNLFVBQVUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsU0FBUyxFQUFFLFNBQVMsSUFBSSxVQUFVLEVBQUUsQ0FBQztJQUNwRSxNQUFNLE1BQU0sR0FBdUIsRUFBRSxDQUFDO0lBQ3RDLElBQUksU0FBUyxFQUFFO1FBQ2IsTUFBTSxDQUFDLFNBQVMsR0FBRyxTQUFTLENBQUM7S0FDOUI7SUFDRCxNQUFNLEtBQUssR0FBRyxHQUFHLEdBQUcsb0JBQW9CLENBQUM7SUFDekMsSUFBSTtRQUNGLE1BQU0sUUFBUSxHQUF3QyxNQUFNLGVBQUssQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFO1lBQzNFLE1BQU0sRUFBRTtnQkFDTixHQUFHLE1BQU07Z0JBQ1QsQ0FBQyxFQUFFLEdBQUc7YUFDUDtTQUNGLENBQUMsQ0FBQztRQUNILE1BQU0sU0FBUyxHQUNiLE9BQU8sUUFBUSxDQUFDLElBQUksS0FBSyxRQUFRO1lBQy9CLENBQUMsQ0FBQyxNQUFNLHVCQUF1QixDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7WUFDOUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDO1FBQzlCLE9BQU87WUFDTCxTQUFTO1lBQ1QsR0FBRyxFQUFFLElBQUEsK0JBQW9CLEVBQUMsU0FBUyxDQUFDO1lBQ3BDLEdBQUcsVUFBVTtZQUNiLEdBQUcsQ0FBQyxPQUFPLFFBQVEsQ0FBQyxJQUFJLEtBQUssUUFBUSxJQUFJLFFBQVEsQ0FBQyxJQUFJLENBQUMsR0FBRyxJQUFJLEVBQUUsR0FBRyxFQUFFLFFBQVEsQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7U0FDMUYsQ0FBQztLQUNIO0lBQUMsT0FBTyxLQUFLLEVBQUU7UUFDZCxNQUFNLE1BQU0sR0FBRyxLQUFLLEVBQUUsUUFBUSxFQUFFLE1BQU0sQ0FBQztRQUN2QyxRQUFRLE1BQU0sRUFBRTtZQUNkLEtBQUssR0FBRyxDQUFDO1lBQ1QsS0FBSyxHQUFHO2dCQUNOLHVDQUF1QztnQkFDdkMsTUFBTTtZQUNSLEtBQUssR0FBRztnQkFDTixNQUFNLElBQUksZ0NBQW9CLENBQUMsSUFBSSxLQUFLLGlCQUFpQixFQUFFLEtBQUssQ0FBQyxDQUFDO1lBQ3BFLEtBQUssR0FBRztnQkFDTixNQUFNLElBQUksaUNBQXFCLENBQUMsSUFBSSxLQUFLLHFCQUFxQixFQUFFLEtBQUssQ0FBQyxDQUFDO1lBQ3pFO2dCQUNFLElBQUksTUFBTSxJQUFJLE1BQU0sSUFBSSxHQUFHLElBQUksTUFBTSxHQUFHLEdBQUcsRUFBRTtvQkFDM0MsTUFBTSxJQUFJLDhCQUFrQixDQUMxQixJQUFJLEtBQUssb0JBQW9CLE1BQU0sTUFBTSxLQUFLLENBQUMsSUFBSSxNQUFNLEtBQUssQ0FBQyxPQUFPLEdBQUcsRUFDekUsS0FBSyxDQUNOLENBQUM7aUJBQ0g7Z0JBQ0QsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLElBQUksS0FBSyxZQUFZLE1BQU0sTUFBTSxLQUFLLENBQUMsSUFBSSxNQUFNLEtBQUssQ0FBQyxPQUFPLEdBQUcsRUFDakUsS0FBSyxDQUNOLENBQUM7U0FDTDtLQUNGO0lBQ0QsdUJBQXVCO0lBQ3ZCLE1BQU0sS0FBSyxHQUFHLEdBQUcsR0FBRyxpQkFBaUIsQ0FBQztJQUN0QyxJQUFJO1FBQ0YsTUFBTSxRQUFRLEdBQXdDLE1BQU0sZUFBSyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUU7WUFDM0UsTUFBTTtTQUNQLENBQUMsQ0FBQztRQUNILE1BQU0sU0FBUyxHQUNiLE9BQU8sUUFBUSxDQUFDLElBQUksS0FBSyxRQUFRO1lBQy9CLENBQUMsQ0FBQyxNQUFNLHVCQUF1QixDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7WUFDOUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDO1FBQzlCLHlEQUF5RDtRQUN6RCxPQUFPO1lBQ0wsU0FBUztZQUNULEdBQUcsRUFBRSxJQUFBLCtCQUFvQixFQUFDLFNBQVMsQ0FBQztZQUNwQyxHQUFHLFVBQVU7WUFDYixHQUFHLENBQUMsT0FBTyxRQUFRLENBQUMsSUFBSSxLQUFLLFFBQVEsSUFBSSxRQUFRLENBQUMsSUFBSSxDQUFDLEdBQUcsSUFBSSxFQUFFLEdBQUcsRUFBRSxRQUFRLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1NBQzFGLENBQUM7S0FDSDtJQUFDLE9BQU8sS0FBSyxFQUFFO1FBQ2QsTUFBTSxNQUFNLEdBQUcsS0FBSyxFQUFFLFFBQVEsRUFBRSxNQUFNLENBQUM7UUFDdkMsUUFBUSxNQUFNLEVBQUU7WUFDZCxLQUFLLEdBQUc7Z0JBQ04sTUFBTSxJQUFJLGdDQUFvQixDQUFDLElBQUksS0FBSyxpQkFBaUIsRUFBRSxLQUFLLENBQUMsQ0FBQztZQUNwRSxLQUFLLEdBQUc7Z0JBQ04sTUFBTSxJQUFJLGlDQUFxQixDQUFDLElBQUksS0FBSyxxQkFBcUIsRUFBRSxLQUFLLENBQUMsQ0FBQztZQUN6RTtnQkFDRSxJQUFJLE1BQU0sSUFBSSxNQUFNLElBQUksR0FBRyxJQUFJLE1BQU0sR0FBRyxHQUFHLEVBQUU7b0JBQzNDLE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsSUFBSSxLQUFLLG9CQUFvQixNQUFNLE1BQU0sS0FBSyxDQUFDLElBQUksTUFBTSxLQUFLLENBQUMsT0FBTyxHQUFHLEVBQ3pFLEtBQUssQ0FDTixDQUFDO2lCQUNIO2dCQUNELE1BQU0sSUFBSSx3QkFBWSxDQUNwQixJQUFJLEtBQUssWUFBWSxNQUFNLE1BQU0sS0FBSyxDQUFDLElBQUksTUFBTSxLQUFLLENBQUMsT0FBTyxHQUFHLEVBQ2pFLEtBQUssQ0FDTixDQUFDO1NBQ0w7S0FDRjtBQUNILENBQUM7QUE3RkQsOENBNkZDO0FBQ0Q7Ozs7OztHQU1HO0FBQ0gsU0FBZ0IsUUFBUSxDQUN0QixPQUFtQixFQUNuQixRQUEyQixFQUMzQixXQUFtQjtJQUVuQixNQUFNLEVBQUUsTUFBTSxFQUFFLEdBQUcsSUFBSSxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUM7SUFDeEMsTUFBTSxjQUFjLEdBQVcsT0FBTyxRQUFRLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsUUFBUSxDQUFDLENBQUM7SUFFbEcsTUFBTSxjQUFjLEdBQUcsSUFBQSw4QkFBbUIsRUFBQztRQUN6QyxXQUFXO1FBQ1gsZUFBZSxFQUFFLE1BQU07UUFDdkIsUUFBUSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLGNBQWMsQ0FBQztRQUN2QyxPQUFPLEVBQUUsSUFBQSx1QkFBWSxFQUFDLE9BQU8sRUFBRSxRQUFRLENBQUM7S0FDekMsQ0FBQyxDQUFDO0lBRUgsT0FBTyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxjQUFjLENBQUMsQ0FBQztBQUNsRCxDQUFDO0FBaEJELDRCQWdCQztBQUVELFNBQWdCLFVBQVUsQ0FBQyxXQUF1RDtJQUNoRixJQUFJLElBQUksQ0FBQztJQUNULElBQUksV0FBVyxZQUFZLFdBQVcsSUFBSSxXQUFXLENBQUMsTUFBTSxDQUFDLFdBQVcsQ0FBQyxFQUFFO1FBQ3pFLElBQUksR0FBRyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsQ0FBQztLQUM5QztTQUFNO1FBQ0wsSUFBSSxHQUFHLFdBQVcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztLQUMvQjtJQUNELE1BQU0sU0FBUyxHQUFHLHVFQUF1RSxDQUFDO0lBQzFGLE1BQU0sUUFBUSxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDdEMsSUFBSSxRQUFRLEtBQUssSUFBSSxFQUFFO1FBQ3JCLE1BQU0sSUFBSSw0QkFBZ0IsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO0tBQ2xEO0lBQ0QsTUFBTSxhQUFhLEdBQUcsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQ2xDLElBQUk7UUFDRixPQUFPLElBQUEseUJBQWMsRUFBQyxhQUFhLENBQUMsQ0FBQztLQUN0QztJQUFDLE9BQU8sQ0FBQyxFQUFFO1FBQ1YsTUFBTSxJQUFJLDRCQUFnQixDQUFDLGlEQUFpRCxFQUFFLENBQUMsQ0FBQyxDQUFDO0tBQ2xGO0FBQ0gsQ0FBQztBQWxCRCxnQ0FrQkM7QUFFTSxLQUFLLFVBQVUsdUJBQXVCLENBQUMsU0FBaUI7SUFDN0QsSUFBSSxHQUFHLEdBQVcsU0FBUyxDQUFDO0lBRTVCLHdFQUF3RTtJQUN4RSx5Q0FBeUM7SUFDekMsSUFBSSxTQUFTLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FBQyxFQUFFO1FBQ3JDLE1BQU0sSUFBSSxHQUFHLE1BQU0sSUFBQSxpQkFBVSxFQUFDLFNBQVMsRUFBRSxPQUFPLEVBQUUsRUFBRSxXQUFXLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUN6RSxHQUFHLEdBQUcsTUFBTSxJQUFBLGlCQUFVLEVBQUMsSUFBSSxDQUFDLENBQUM7S0FDOUI7SUFFRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUM7QUFYRCwwREFXQztBQUVEOzs7Ozs7Ozs7Ozs7O0dBYUc7QUFDSSxLQUFLLFVBQVUsY0FBYyxDQUFDLEVBQ25DLFlBQVksRUFDWixJQUFJLEVBQ0osR0FBRyxFQUNILFNBQVMsRUFDVCxHQUFHLEVBQ0gsWUFBWSxFQUNaLFFBQVEsRUFDUixHQUFHLEdBQUcsRUFBRSxHQUNPO0lBQ2YsdUNBQXVDO0lBQ3ZDLFNBQVMsZUFBZSxDQUN0QixJQUFtQixFQUNuQixNQUFjLEVBQ2QsZ0JBQW9DLEVBQ3BDLE1BQWMsRUFDZCxRQUFtQjtRQUVuQixRQUFRLElBQUksRUFBRTtZQUNaLEtBQUssU0FBUztnQkFDWixPQUFPLElBQUksa0JBQWdCLENBQUMsTUFBTSxFQUFFLGdCQUFnQixFQUFFLE1BQU0sRUFBRSxRQUFRLEVBQUUsR0FBRyxDQUFDLENBQUM7WUFDL0UsS0FBSyxRQUFRO2dCQUNYLE9BQU8sSUFBSSxpQkFBZSxDQUFDLE1BQU0sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLEVBQUUsUUFBUSxFQUFFLEdBQUcsQ0FBQyxDQUFDO1lBQzlFO2dCQUNFLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyxtQ0FBbUMsSUFBSSxhQUFhLENBQUMsQ0FBQztTQUN0RjtJQUNILENBQUM7SUFFRCw4REFBOEQ7SUFDOUQsSUFBSSxZQUFZLElBQUksWUFBWSxFQUFFO1FBQ2hDLE1BQU0sSUFBSSxHQUFHLFlBQVksQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLENBQUM7UUFDNUMsSUFBSSxJQUFJLElBQUksSUFBSSxDQUFDLE1BQU0sSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFO1lBQ3RDLE9BQU8sZUFBZSxDQUFDLElBQUksRUFBRSxJQUFJLENBQUMsTUFBTSxFQUFFLElBQUksQ0FBQyxHQUFHLEVBQUUsSUFBSSxDQUFDLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQztTQUM1RTtLQUNGO0lBRUQseUVBQXlFO0lBQ3pFLElBQUksR0FBRyxJQUFJLFNBQVMsRUFBRTtRQUNwQixPQUFPLGVBQWUsQ0FBQyxJQUFJLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxNQUFNLHVCQUF1QixDQUFDLFNBQVMsQ0FBQyxFQUFFLFFBQVEsQ0FBQyxDQUFDO0tBQzVGO0lBRUQsbUVBQW1FO0lBQ25FLE1BQU0sV0FBVyxHQUFHLFlBQVksRUFBRSxVQUFVLEVBQUUsQ0FBQztJQUMvQyxJQUFJLFdBQVcsRUFBRTtRQUNmLE1BQU0sRUFBRSxNQUFNLEVBQUUsTUFBTSxFQUFFLEdBQUcsV0FBVyxDQUFDO1FBQ3ZDLElBQUksTUFBTSxJQUFJLE1BQU0sRUFBRTtZQUNwQixPQUFPLGVBQWUsQ0FBQyxJQUFJLEVBQUUsTUFBTSxFQUFFLEdBQUcsRUFBRSxNQUFNLHVCQUF1QixDQUFDLE1BQU0sQ0FBQyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1NBQzVGO0tBQ0Y7SUFDRCw4QkFBOEI7SUFDOUIsTUFBTSxJQUFJLDhCQUFrQixDQUFDLG9EQUFvRCxDQUFDLENBQUM7QUFDckYsQ0FBQztBQW5ERCx3Q0FtREM7QUFFRCxTQUFnQixvQkFBb0IsQ0FBQyxNQUFjO0lBQ2pELE1BQU0sYUFBYSxHQUFhLEVBQUUsQ0FBQztJQUVuQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUk7UUFBRSxhQUFhLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQzdDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSTtRQUFFLGFBQWEsQ0FBQyxJQUFJLENBQUMsTUFBTSxFQUFFLGFBQWEsQ0FBQyxDQUFDO0lBQzVELElBQUksTUFBTSxDQUFDLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTTtRQUFFLGFBQWEsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQUM7SUFFMUUsSUFBSSxhQUFhLENBQUMsTUFBTSxFQUFFO1FBQ3hCLE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsOERBQThELGFBQWEsRUFBRSxDQUM5RSxDQUFDO0tBQ0g7QUFDSCxDQUFDO0FBWkQsb0RBWUM7QUFFRCxLQUFLLFVBQVUsaUJBQWlCLENBQzlCLE9BQWdCLEVBQ2hCLHFCQUErQixFQUMvQixNQUFjLEVBQ2QsUUFBNEI7SUFFNUIsOENBQThDO0lBQzlDLE1BQU0sT0FBTyxHQUFHO1FBQ2QsSUFBSSxFQUFFLFdBQVc7UUFDakIsR0FBRyxFQUFFLFdBQVc7UUFDaEIsUUFBUSxFQUFFLEtBQUs7UUFDZixXQUFXLEVBQUUsSUFBSTtRQUNqQixhQUFhLEVBQUUsT0FBTztRQUN0QixHQUFHLENBQUMsUUFBUSxJQUFJLEVBQUUsUUFBUSxFQUFFLENBQUM7S0FDOUIsQ0FBQztJQUVGLE1BQU0sd0JBQXdCLEdBQUcsTUFBTSxxQkFBcUIsQ0FBQyxLQUFLLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ3BGLE1BQU0sVUFBVSxHQUEyQixFQUFFLENBQUM7SUFDOUMsT0FBTztRQUNMLE9BQU87UUFDUCx5RUFBeUU7UUFDekUscUJBQXFCLEVBQUUsd0JBQXdCO1FBQy9DLFVBQVUsRUFBRSxVQUFVO0tBQ3ZCLENBQUM7QUFDSixDQUFDO0FBRUQsS0FBSyxVQUFVLFlBQVksQ0FDekIsa0JBQTBCLEVBQzFCLGFBQXFCLEVBQ3JCLGFBQWlDLEVBQ2pDLGFBQTRCO0lBRTVCLFFBQVEsYUFBYSxDQUFDLFdBQVcsRUFBRSxFQUFFO1FBQ25DLEtBQUssTUFBTTtZQUNULG9EQUFvRDtZQUNwRCxPQUFPLElBQUEsdUJBQVksRUFBQyxVQUFVLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3RGLEtBQUssT0FBTztZQUNWLDZCQUE2QjtZQUM3QixPQUFPLE1BQU0sYUFBYSxDQUFDLElBQUksQ0FDN0IsSUFBQSx1QkFBWSxFQUFDLElBQUksVUFBVSxDQUFDLGtCQUFrQixDQUFDLGFBQWEsRUFBRSxDQUFDLEVBQUUsS0FBSyxDQUFDLEVBQ3ZFLElBQUEsdUJBQVksRUFBQyxJQUFJLFVBQVUsQ0FBQyxhQUFhLENBQUMsYUFBYSxFQUFFLENBQUMsRUFBRSxPQUFPLENBQUMsQ0FDckUsQ0FBQztRQUNKO1lBQ0UsTUFBTSxJQUFJLDhCQUFrQixDQUFDLDhCQUE4QixhQUFhLEdBQUcsQ0FBQyxDQUFDO0tBQ2hGO0FBQ0gsQ0FBQztBQUVELFNBQVMsWUFBWSxDQUFDLE1BQWtCLEVBQUUsR0FBVyxFQUFFLElBQWM7SUFDbkUsT0FBTztRQUNMLE9BQU8sRUFBRSxFQUFFO1FBQ1gsTUFBTSxFQUFFLE1BQU07UUFDZCxHQUFHLEVBQUUsR0FBRztRQUNSLElBQUk7S0FDTCxDQUFDO0FBQ0osQ0FBQztBQUVNLEtBQUssVUFBVSxNQUFNLENBQUMsRUFDM0IsWUFBWSxFQUNaLFNBQVMsRUFDVCxZQUFZLEVBQ1osTUFBTSxFQUNOLFVBQVUsRUFDVixlQUFlLEVBQ2YsVUFBVSxHQUNVO0lBQ3BCLE1BQU0sT0FBTyxHQUFHLENBQUMsR0FBRyxFQUFFO1FBQ3BCLElBQUksU0FBUyxFQUFFO1lBQ2IsT0FBTyxTQUFTLENBQUM7U0FDbEI7UUFDRCxJQUFJLENBQUMsWUFBWSxFQUFFO1lBQ2pCLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx5Q0FBeUMsQ0FBQyxDQUFDO1NBQ3pFO1FBQ0QsT0FBTyxJQUFJLDJCQUFlLENBQUMsWUFBWSxDQUFDLENBQUM7SUFDM0MsQ0FBQyxDQUFDLEVBQUUsQ0FBQztJQUNMLE1BQU0sRUFBRSxTQUFTLEVBQUUsTUFBTSxFQUFFLEdBQUcsZUFBZSxDQUFDLHFCQUFxQixDQUFDO0lBQ3BFLE1BQU0sZUFBZSxHQUFHLFlBQVksSUFBSSxJQUFBLCtCQUFvQixFQUFDLFlBQVksQ0FBQyxDQUFDO0lBQzNFLElBQUksWUFBWSxLQUFLLFNBQVMsRUFBRTtRQUM5QixNQUFNLElBQUksOEJBQWtCLENBQUMsNkNBQTZDLENBQUMsQ0FBQztLQUM3RTtJQUNELE9BQU8sT0FBTyxDQUFDLEdBQUcsQ0FDaEIsU0FBUyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsZUFBZSxFQUFFLEVBQUU7UUFDdEMsMkVBQTJFO1FBQzNFLE1BQU0sUUFBUSxHQUFHLElBQUEsbUJBQWlCLEVBQUMsZUFBZSxDQUFDLENBQUM7UUFDcEQsSUFBSSxDQUFDLFVBQVUsSUFBSSxDQUFDLFFBQVEsRUFBRTtZQUM1QixPQUFPO1NBQ1I7UUFFRCxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLEVBQUU7WUFDeEMsTUFBTSxJQUFJLDBCQUFjLENBQUMsd0JBQXdCLGVBQWUsQ0FBQyxHQUFHLEdBQUcsQ0FBQyxDQUFDO1NBQzFFO1FBRUQsTUFBTSxHQUFHLEdBQUcsR0FBRyxlQUFlLENBQUMsR0FBRyxJQUFJLGVBQWUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxLQUFLLFFBQVEsQ0FBQztRQUUzRSwyREFBMkQ7UUFDM0Qsc0ZBQXNGO1FBQ3RGLE1BQU0sSUFBSSxHQUE0QjtZQUNwQyxTQUFTLEVBQUUsZUFBZTtZQUMxQixNQUFNLEVBQUUsZUFBZSxDQUFDLHFCQUFxQixDQUFDLE1BQU07WUFDcEQsTUFBTSxFQUFFLElBQUEsK0JBQW9CLEVBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsU0FBUztZQUMvRCxTQUFTLEVBQUUsU0FBUztZQUNwQixzQkFBc0IsRUFBRSxTQUFTO1NBQ2xDLENBQUM7UUFFRixJQUFJLElBQUEsK0JBQW9CLEVBQUMsWUFBWSxDQUFDLEVBQUU7WUFDdEMsSUFBSSxDQUFDLFNBQVMsR0FBRyxNQUFNLElBQUEsc0JBQVksRUFBQyxFQUFFLEVBQUUsVUFBVSxDQUFDLENBQUM7U0FDckQ7YUFBTTtZQUNMLElBQUksQ0FBQyxzQkFBc0IsR0FBRyxNQUFNLElBQUEsc0JBQVksRUFBQyxJQUFJLEVBQUUsVUFBVSxDQUFDLENBQUM7U0FDcEU7UUFDRCxNQUFNLE9BQU8sR0FBRyxNQUFNLFlBQVksQ0FBQyxTQUFTLENBQUMsWUFBWSxDQUFDLE1BQU0sRUFBRSxHQUFHLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUU5RSxJQUFJO1lBQ0YsTUFBTSxRQUFRLEdBQUcsTUFBTSxlQUFLLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLElBQUksRUFBRTtnQkFDM0QsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPO2FBQ3pCLENBQUMsQ0FBQztZQUVILDBGQUEwRjtZQUMxRixlQUFlO1lBQ2YsT0FBTyxlQUFlLENBQUMsVUFBVSxDQUFDO1lBQ2xDLE9BQU8sZUFBZSxDQUFDLGlCQUFpQixDQUFDO1lBQ3pDLE9BQU8sZUFBZSxDQUFDLGFBQWEsQ0FBQztZQUVyQyxJQUFJLFFBQVEsRUFBRTtnQkFDWiwyRUFBMkU7Z0JBQzNFLE1BQU0sYUFBYSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsaUJBQU0sQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztnQkFDeEQsZUFBZSxDQUFDLHFCQUFxQixDQUFDLE1BQU0sR0FBRyxpQkFBTSxDQUFDLE1BQU0sQ0FDMUQsSUFBSSxDQUFDLFNBQVMsQ0FBQyxFQUFFLElBQUksRUFBRSxhQUFhLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FDN0MsQ0FBQzthQUNIO1lBQ0QsT0FBTyxRQUFRLENBQUMsSUFBSSxDQUFDO1NBQ3RCO1FBQUMsT0FBTyxDQUFDLEVBQUU7WUFDVixJQUFJLENBQUMsQ0FBQyxRQUFRLEVBQUU7Z0JBQ2QsSUFBSSxDQUFDLENBQUMsUUFBUSxDQUFDLE1BQU0sSUFBSSxHQUFHLEVBQUU7b0JBQzVCLE1BQU0sSUFBSSx3QkFBWSxDQUFDLGdCQUFnQixFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUM3QztxQkFBTSxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxLQUFLLEdBQUcsRUFBRTtvQkFDcEMsTUFBTSxJQUFJLGlDQUFxQixDQUFDLGdCQUFnQixFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUN0RDtxQkFBTSxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxLQUFLLEdBQUcsRUFBRTtvQkFDcEMsTUFBTSxJQUFJLGdDQUFvQixDQUFDLHFCQUFxQixFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUMxRDtxQkFBTSxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxLQUFLLEdBQUcsRUFBRTtvQkFDcEMsTUFBTSxJQUFJLDhCQUFrQixDQUFDLGtEQUFrRCxFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUNyRjtxQkFBTTtvQkFDTCxNQUFNLElBQUksd0JBQVksQ0FBQyxxQkFBcUIsRUFBRSxDQUFDLENBQUMsQ0FBQztpQkFDbEQ7YUFDRjtpQkFBTSxJQUFJLENBQUMsQ0FBQyxPQUFPLEVBQUU7Z0JBQ3BCLE1BQU0sSUFBSSx3QkFBWSxDQUFDLHdCQUF3QixFQUFFLENBQUMsQ0FBQyxDQUFDO2FBQ3JEO1lBQ0QsTUFBTSxJQUFJLG9CQUFRLENBQ2hCLG1EQUFtRCxDQUFDLENBQUMsSUFBSSxLQUFLLENBQUMsQ0FBQyxPQUFPLGlCQUFpQixDQUFDLEVBQUUsUUFBUSxFQUFFLElBQUksR0FBRyxFQUM1RyxDQUFDLENBQ0YsQ0FBQztTQUNIO0lBQ0gsQ0FBQyxDQUFDLENBQ0gsQ0FBQztBQUNKLENBQUM7QUFoR0Qsd0JBZ0dDO0FBRU0sS0FBSyxVQUFVLFdBQVcsQ0FBQyxHQUF5QjtJQUN6RCxJQUFJLENBQUMsR0FBRyxDQUFDLFlBQVksRUFBRTtRQUNyQixNQUFNLElBQUksOEJBQWtCLENBQUMscUNBQXFDLENBQUMsQ0FBQztLQUNyRTtJQUNELElBQUksQ0FBQyxHQUFHLENBQUMsYUFBYSxFQUFFO1FBQ3RCLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO0tBQ3pEO0lBRUQsNERBQTREO0lBQzVELE1BQU0sWUFBWSxHQUFjLEVBQUUsQ0FBQztJQUVuQyxHQUFHLENBQUMsU0FBUyxLQUFLLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQztJQUUxQyxNQUFNLFVBQVUsR0FBZ0I7UUFDOUI7WUFDRSxRQUFRLEVBQUUsV0FBVztTQUN0QjtRQUNEO1lBQ0UsUUFBUSxFQUFFLGlCQUFpQjtTQUM1QjtLQUNGLENBQUM7SUFFRixJQUFJLGFBQWEsR0FBRyxJQUFJLFVBQVUsRUFBRSxDQUFDO0lBRXJDLElBQUksY0FBYyxHQUFHLENBQUMsQ0FBQztJQUN2QixJQUFJLGNBQWMsR0FBRyxDQUFDLENBQUM7SUFDdkIsSUFBSSxVQUFVLEdBQUcsQ0FBQyxDQUFDO0lBQ25CLElBQUksYUFBYSxHQUFHLENBQUMsQ0FBQztJQUN0QixJQUFJLGFBQWEsR0FBRyxFQUFFLENBQUM7SUFFdkIsTUFBTSxTQUFTLEdBQUcsSUFBSSxvQkFBUyxFQUFFLENBQUM7SUFDbEMsTUFBTSxRQUFRLEdBQUcsTUFBTSxpQkFBaUIsQ0FDdEMsR0FBRyxDQUFDLGNBQWMsRUFDbEIsR0FBRyxDQUFDLHFCQUFxQixFQUN6QixHQUFHLENBQUMsTUFBTSxFQUNWLEdBQUcsQ0FBQyxRQUFRLENBQ2IsQ0FBQztJQUVGLElBQUksQ0FBQyxRQUFRLEVBQUU7UUFDYiwyQ0FBMkM7UUFDM0MsTUFBTSxJQUFJLDhCQUFrQixDQUFDLGdFQUFnRSxDQUFDLENBQUM7S0FDaEc7SUFDRCxNQUFNLFNBQVMsR0FBRyxHQUFHLENBQUMsUUFBUSxDQUFDLFVBQVUsQ0FBQztJQUUxQyxxREFBcUQ7SUFDckQsTUFBTSxjQUFjLEdBQUcsTUFBTSxNQUFNLENBQUM7UUFDbEMsWUFBWSxFQUFFLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLFlBQVk7UUFDMUQsU0FBUyxFQUFFLEdBQUcsQ0FBQyxTQUFTO1FBQ3hCLFlBQVksRUFBRSxHQUFHLENBQUMsWUFBWTtRQUM5QixNQUFNLEVBQUUsR0FBRyxDQUFDLE1BQU07UUFDbEIsVUFBVSxFQUFFLFNBQVM7UUFDckIsZUFBZSxFQUFFLFFBQVE7S0FDMUIsQ0FBQyxDQUFDO0lBRUgseURBQXlEO0lBQ3pELE1BQU0sRUFBRSxrQkFBa0IsRUFBRSxHQUFHLEdBQUcsQ0FBQztJQUNuQyxNQUFNLGVBQWUsR0FBRyxNQUFNLEdBQUcsQ0FBQyxxQkFBcUIsQ0FBQyxPQUFPLENBQzdELGtCQUFNLENBQUMsZUFBZSxDQUFDLElBQUksV0FBVyxDQUFDLGtCQUFrQixDQUFDLENBQUMsRUFDM0QsR0FBRyxDQUFDLGdCQUFnQixDQUFDLGtCQUFrQixDQUN4QyxDQUFDO0lBQ0YsTUFBTSxhQUFhLEdBQUcsSUFBSSxVQUFVLENBQUMsZUFBZSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBQzVFLE1BQU0sMkJBQTJCLEdBQUcsYUFBYSxDQUFDLE1BQU0sQ0FBQztJQUV6RCw0QkFBNEI7SUFDNUIsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsR0FBRyxXQUFXLENBQUM7SUFDckMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLE1BQU0sR0FBRyxjQUFjLENBQUM7SUFDdEMsTUFBTSxZQUFZLEdBQUcsR0FBRyxDQUFDLGFBQWEsQ0FBQyxTQUFTLEVBQUUsQ0FBQztJQUVuRDs7Ozs7OztNQU9FO0lBQ0YsTUFBTSxlQUFlLEdBQUc7UUFDdEIsS0FBSyxFQUFFLENBQUMsVUFBMkMsRUFBRSxFQUFFO1lBQ3JELFVBQVUsQ0FBQyxPQUFPLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsQ0FBQyxDQUFDO1lBQ3RELFdBQVcsQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUM7WUFDL0MsVUFBVSxHQUFHLENBQUMsQ0FBQztZQUNmLGFBQWEsR0FBRyxDQUFDLENBQUM7UUFDcEIsQ0FBQztRQUVELElBQUksRUFBRSxLQUFLLEVBQUUsVUFBMkMsRUFBRSxFQUFFO1lBQzFELElBQUksTUFBTSxDQUFDO1lBRVgsT0FBTyxhQUFhLENBQUMsTUFBTSxHQUFHLGtCQUFrQixJQUFJLENBQUMsTUFBTSxFQUFFO2dCQUMzRCxNQUFNLEVBQUUsS0FBSyxFQUFFLElBQUksRUFBRSxHQUFHLE1BQU0sWUFBWSxDQUFDLElBQUksRUFBRSxDQUFDO2dCQUNsRCxNQUFNLEdBQUcsSUFBSSxDQUFDO2dCQUNkLElBQUksS0FBSyxFQUFFO29CQUNULGFBQWEsR0FBRyxJQUFBLHNCQUFXLEVBQUMsQ0FBQyxhQUFhLEVBQUUsS0FBSyxDQUFDLENBQUMsQ0FBQztpQkFDckQ7YUFDRjtZQUVELE9BQ0UsYUFBYSxDQUFDLE1BQU0sSUFBSSxrQkFBa0I7Z0JBQzFDLENBQUMsQ0FBQyxVQUFVLENBQUMsV0FBVztnQkFDeEIsVUFBVSxDQUFDLFdBQVcsR0FBRyxDQUFDLEVBQzFCO2dCQUNBLE1BQU0sT0FBTyxHQUFHLGFBQWEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLGtCQUFrQixDQUFDLENBQUM7Z0JBQzNELE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSx1QkFBdUIsQ0FBQyxPQUFPLENBQUMsQ0FBQztnQkFDaEUsVUFBVSxDQUFDLE9BQU8sQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO2dCQUVyQyxhQUFhLEdBQUcsYUFBYSxDQUFDLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO2FBQ3pEO1lBRUQsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLElBQUksYUFBYSxDQUFDLE1BQU0sQ0FBQztZQUV4RCxJQUFJLGdCQUFnQixFQUFFO2dCQUNwQixNQUFNLGdCQUFnQixHQUFHLE1BQU0sdUJBQXVCLENBQUMsYUFBYSxDQUFDLENBQUM7Z0JBQ3RFLFVBQVUsQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztnQkFDckMsYUFBYSxHQUFHLElBQUksVUFBVSxFQUFFLENBQUM7YUFDbEM7WUFFRCxJQUFJLE1BQU0sSUFBSSxhQUFhLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRTtnQkFDeEMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFVBQVUsR0FBRyxVQUFVLENBQUM7Z0JBQ3RDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxhQUFhLEdBQUcsYUFBYSxDQUFDO2dCQUM1QyxNQUFNLHFCQUFxQixHQUFHLFNBQVMsQ0FBQyxtQkFBbUIsQ0FBQyxVQUFVLEVBQUUsYUFBYSxDQUFDLENBQUM7Z0JBRXZGLFVBQVUsQ0FBQyxPQUFPLENBQUMscUJBQXFCLENBQUMsQ0FBQztnQkFDMUMsV0FBVyxDQUFDLHFCQUFxQixDQUFDLENBQUM7Z0JBRW5DLHVCQUF1QjtnQkFDdkIsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsR0FBRyxpQkFBaUIsQ0FBQztnQkFDM0MsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLE1BQU0sR0FBRyxjQUFjLENBQUM7Z0JBQ3RDLFVBQVUsQ0FBQyxPQUFPLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsQ0FBQyxDQUFDO2dCQUN0RCxXQUFXLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsQ0FBQyxDQUFDO2dCQUMvQyxVQUFVLEdBQUcsQ0FBQyxDQUFDO2dCQUNmLGFBQWEsR0FBRyxDQUFDLENBQUM7Z0JBRWxCLGdDQUFnQztnQkFDaEMsTUFBTSxhQUFhLEdBQUcsTUFBTSxZQUFZLENBQ3RDLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxrQkFBa0IsRUFDdkMsa0JBQU0sQ0FBQyxVQUFVLENBQUMsYUFBYSxDQUFDLEVBQ2hDLEdBQUcsQ0FBQyxrQkFBa0IsRUFDdEIsR0FBRyxDQUFDLGFBQWEsQ0FDbEIsQ0FBQztnQkFDRixRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsYUFBYSxDQUFDLEdBQUc7b0JBQ25FLGlCQUFNLENBQUMsTUFBTSxDQUFDLGFBQWEsQ0FBQyxDQUFDO2dCQUMvQixRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsYUFBYSxDQUFDLEdBQUc7b0JBQ25FLEdBQUcsQ0FBQyxrQkFBa0IsQ0FBQztnQkFFekIsUUFBUSxDQUFDLHFCQUFxQixDQUFDLG9CQUFvQixDQUFDLGtCQUFrQixHQUFHLGtCQUFrQixDQUFDO2dCQUM1RixRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsMkJBQTJCO29CQUM3RSwyQkFBMkIsQ0FBQztnQkFDOUIsUUFBUSxDQUFDLHFCQUFxQixDQUFDLG9CQUFvQixDQUFDLGNBQWM7b0JBQ2hFLEdBQUcsQ0FBQyx5QkFBeUIsQ0FBQztnQkFDaEMsUUFBUSxDQUFDLHFCQUFxQixDQUFDLG9CQUFvQixDQUFDLFFBQVEsR0FBRyxZQUFZLENBQUM7Z0JBRTVFLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQyxNQUFNLENBQUMsWUFBWSxHQUFHLElBQUksQ0FBQztnQkFFMUQsTUFBTSxnQkFBZ0IsR0FBMkIsRUFBRSxDQUFDO2dCQUNwRCxJQUFJLEdBQUcsQ0FBQyxnQkFBZ0IsSUFBSSxHQUFHLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRTtvQkFDM0QsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUNmLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFLGVBQWUsRUFBRSxFQUFFO3dCQUNqRCxvREFBb0Q7d0JBQ3BELE1BQU0sVUFBVSxHQUFpQixlQUFlLENBQUMsVUFBVSxJQUFJOzRCQUM3RCxHQUFHLEVBQUUsT0FBTzs0QkFDWixHQUFHLEVBQUUsSUFBSSxVQUFVLENBQUMsR0FBRyxDQUFDLGdCQUFnQixDQUFDLGtCQUFrQixDQUFDLGFBQWEsRUFBRSxDQUFDO3lCQUM3RSxDQUFDO3dCQUNGLE1BQU0sU0FBUyxHQUFHLE1BQU0sVUFBVSxDQUFDLGVBQWUsQ0FBQyxhQUFhLEVBQUU7NEJBQ2hFLEdBQUcsZUFBZTs0QkFDbEIsVUFBVTt5QkFDWCxDQUFDLENBQUM7d0JBRUgscURBQXFEO3dCQUNyRCxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLENBQUM7b0JBQ25DLENBQUMsQ0FBQyxDQUNILENBQUM7aUJBQ0g7Z0JBRUQsUUFBUSxDQUFDLFVBQVUsR0FBRyxnQkFBZ0IsQ0FBQztnQkFFdkMscUJBQXFCO2dCQUNyQixNQUFNLGNBQWMsR0FBRyxJQUFJLFdBQVcsRUFBRSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUM7Z0JBQzFFLFVBQVUsQ0FBQyxPQUFPLENBQUMsY0FBYyxDQUFDLENBQUM7Z0JBQ25DLFdBQVcsQ0FBQyxjQUFjLENBQUMsQ0FBQztnQkFDNUIsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFVBQVUsR0FBRyxVQUFVLENBQUM7Z0JBQ3RDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxhQUFhLEdBQUcsYUFBYSxDQUFDO2dCQUM1QyxNQUFNLHNCQUFzQixHQUFHLFNBQVMsQ0FBQyxtQkFBbUIsQ0FBQyxVQUFVLEVBQUUsYUFBYSxDQUFDLENBQUM7Z0JBQ3hGLFVBQVUsQ0FBQyxPQUFPLENBQUMsc0JBQXNCLENBQUMsQ0FBQztnQkFDM0MsV0FBVyxDQUFDLHNCQUFzQixDQUFDLENBQUM7Z0JBRXBDLGtDQUFrQztnQkFDbEMsTUFBTSx5QkFBeUIsR0FBRyxjQUFjLENBQUM7Z0JBQ2pELEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxVQUFVLENBQUMsTUFBTSxFQUFFLENBQUMsRUFBRSxFQUFFO29CQUMxQyxNQUFNLFNBQVMsR0FBRyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7b0JBQ2hDLE1BQU0sTUFBTSxHQUFHLFNBQVMsQ0FBQywyQkFBMkIsQ0FDbEQsU0FBUyxDQUFDLGFBQWEsSUFBSSxDQUFDLEVBQzVCLFNBQVMsQ0FBQyxRQUFRLEVBQ2xCLFNBQVMsQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUNyQixTQUFTLENBQUMsVUFBVSxJQUFJLENBQUMsRUFDekIsVUFBVSxDQUNYLENBQUM7b0JBQ0YsVUFBVSxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQztvQkFDM0IsV0FBVyxDQUFDLE1BQU0sQ0FBQyxDQUFDO2lCQUNyQjtnQkFDRCxNQUFNLDhCQUE4QixHQUFHLGNBQWMsR0FBRyx5QkFBeUIsQ0FBQztnQkFDbEYsTUFBTSxVQUFVLEdBQUcsU0FBUyxDQUFDLGdDQUFnQyxDQUMzRCxVQUFVLENBQUMsTUFBTSxFQUNqQiw4QkFBOEIsRUFDOUIseUJBQXlCLENBQzFCLENBQUM7Z0JBQ0YsVUFBVSxDQUFDLE9BQU8sQ0FBQyxVQUFVLENBQUMsQ0FBQztnQkFDL0IsV0FBVyxDQUFDLFVBQVUsQ0FBQyxDQUFDO2dCQUV4QixVQUFVLENBQUMsS0FBSyxFQUFFLENBQUM7YUFDcEI7UUFDSCxDQUFDO0tBQ0YsQ0FBQztJQUVGLE1BQU0sZUFBZSxHQUFHLElBQUksb0RBQXVCLENBQUMsZUFBZSxDQUFDLENBQUM7SUFDckUsZUFBZSxDQUFDLFFBQVEsR0FBRyxRQUFRLENBQUM7SUFFcEMsSUFBSSxjQUFjLEVBQUU7UUFDbEIsZUFBZSxDQUFDLGNBQWMsR0FBRyxjQUFjLENBQUM7UUFDaEQsZUFBZSxDQUFDLE9BQU8sR0FBRyxjQUFjLENBQUM7UUFDekMsZUFBZSxDQUFDLFNBQVMsR0FBRyxRQUFRLENBQUMscUJBQXFCLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQztLQUM3RTtJQUVELE9BQU8sZUFBZSxDQUFDO0lBRXZCLHFCQUFxQjtJQUNyQixTQUFTLFNBQVMsQ0FBQyxRQUFnQjtRQUNqQyxPQUFPLFNBQVMsQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztJQUN6RCxDQUFDO0lBRUQsU0FBUyxXQUFXLENBQUMsS0FBMEI7UUFDN0MsSUFBSSxPQUFPLEtBQUssS0FBSyxRQUFRLEVBQUU7WUFDN0IsS0FBSyxHQUFHLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDO1NBQ3pDO1FBQ0QsY0FBYyxJQUFJLEtBQUssQ0FBQyxNQUFNLENBQUM7UUFDL0IsSUFBSSxjQUFjLEdBQUcsR0FBRyxDQUFDLFNBQVMsRUFBRTtZQUNsQyxNQUFNLElBQUksOEJBQWtCLENBQUMsb0JBQW9CLEdBQUcsQ0FBQyxTQUFTLFlBQVksQ0FBQyxDQUFDO1NBQzdFO1FBQ0QsbUVBQW1FO1FBQ25FLFVBQVUsR0FBRyxJQUFBLDBCQUFRLEVBQUMsS0FBSyxFQUFFLFVBQVUsQ0FBQyxDQUFDO1FBQ3pDLGFBQWEsSUFBSSxLQUFLLENBQUMsTUFBTSxDQUFDO0lBQ2hDLENBQUM7SUFFRCxLQUFLLFVBQVUsdUJBQXVCLENBQUMsS0FBaUI7UUFDdEQsY0FBYyxJQUFJLEtBQUssQ0FBQyxNQUFNLENBQUM7UUFDL0IsR0FBRyxDQUFDLGVBQWUsRUFBRSxDQUFDLGNBQWMsQ0FBQyxDQUFDO1FBRXRDLHdIQUF3SDtRQUN4SCxNQUFNLGVBQWUsR0FBRyxNQUFNLEdBQUcsQ0FBQyxxQkFBcUIsQ0FBQyxPQUFPLENBQzdELGtCQUFNLENBQUMsZUFBZSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsRUFDcEMsR0FBRyxDQUFDLGdCQUFnQixDQUFDLGtCQUFrQixDQUN4QyxDQUFDO1FBQ0YsTUFBTSxhQUFhLEdBQUcsSUFBSSxVQUFVLENBQUMsZUFBZSxDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDO1FBQzVFLE1BQU0sYUFBYSxHQUFHLE1BQU0sWUFBWSxDQUN0QyxHQUFHLENBQUMsZ0JBQWdCLENBQUMsa0JBQWtCLEVBQ3ZDLGVBQWUsQ0FBQyxPQUFPLEVBQ3ZCLEdBQUcsQ0FBQyx5QkFBeUIsRUFDN0IsR0FBRyxDQUFDLGFBQWEsQ0FDbEIsQ0FBQztRQUVGLG1EQUFtRDtRQUNuRCxhQUFhLElBQUksYUFBYSxDQUFDO1FBRS9CLFlBQVksQ0FBQyxJQUFJLENBQUM7WUFDaEIsSUFBSSxFQUFFLGlCQUFNLENBQUMsTUFBTSxDQUFDLGFBQWEsQ0FBQztZQUNsQyxXQUFXLEVBQUUsS0FBSyxDQUFDLE1BQU0sS0FBSyxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsTUFBTTtZQUMzRSxvQkFBb0IsRUFDbEIsYUFBYSxDQUFDLE1BQU0sS0FBSywyQkFBMkIsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxhQUFhLENBQUMsTUFBTTtTQUMxRixDQUFDLENBQUM7UUFDSCxNQUFNLE1BQU0sR0FBRyxJQUFJLFVBQVUsQ0FBQyxlQUFlLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxDQUFDLENBQUM7UUFDckUsV0FBVyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBRXBCLE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7QUFDSCxDQUFDO0FBaFJELGtDQWdSQztBQUVELGlGQUFpRjtBQUMxRSxLQUFLLFVBQVUsYUFBYSxDQUNqQyxPQUFnQjtJQUVoQixNQUFNLFNBQVMsR0FBRyxJQUFJLG9CQUFTLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDekMsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLFNBQVMsQ0FBQyxtQkFBbUIsRUFBRSxDQUFDO0lBQy9ELE1BQU0sUUFBUSxHQUFHLE1BQU0sU0FBUyxDQUFDLFdBQVcsQ0FBQyxnQkFBZ0IsRUFBRSxpQkFBaUIsQ0FBQyxDQUFDO0lBQ2xGLE9BQU8sRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLGdCQUFnQixFQUFFLENBQUM7QUFDbkQsQ0FBQztBQVBELHNDQU9DO0FBRUQsU0FBZ0IsdUJBQXVCLENBQ3JDLFNBQTRCLEVBQzVCLFlBQTZCO0lBRTdCLE1BQU0sT0FBTyxHQUFHLENBQUMsQ0FBa0IsRUFBRSxFQUFFLENBQUMsWUFBWSxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDbkUsTUFBTSxRQUFRLEdBQUcsSUFBSSxHQUFHLENBQUMsU0FBUyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsR0FBRyxFQUFFLEVBQUUsRUFBRSxDQUFDLEdBQUcsSUFBSSxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBRWhFLE1BQU0sZ0JBQWdCLEdBQUcsSUFBSSxHQUFHLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO0lBQ2xGLElBQUksUUFBUSxDQUFDLElBQUksR0FBRyxnQkFBZ0IsQ0FBQyxJQUFJLEVBQUU7UUFDekMsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1FBQzVGLE1BQU0sSUFBSSwwQkFBYyxDQUN0QixxREFBcUQsSUFBSSxDQUFDLFNBQVMsQ0FBQztZQUNsRSxHQUFHLGVBQWU7U0FDbkIsQ0FBQyxrQkFBa0IsSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFDLEdBQUcsUUFBUSxDQUFDLENBQUMsRUFBRSxFQUNuRCxHQUFHLGVBQWUsQ0FDbkIsQ0FBQztLQUNIO0lBQ0QsTUFBTSxlQUFlLEdBQW9ELE1BQU0sQ0FBQyxXQUFXLENBQ3pGLENBQUMsR0FBRyxRQUFRLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQ2xDLENBQUM7SUFDRixLQUFLLE1BQU0sR0FBRyxJQUFJLFNBQVMsRUFBRTtRQUMzQixNQUFNLFdBQVcsR0FBRyxlQUFlLENBQUMsR0FBRyxDQUFDLEdBQUcsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUNuRCxJQUFJLEdBQUcsQ0FBQyxHQUFHLElBQUksV0FBVyxFQUFFO1lBQzFCLE1BQU0sSUFBSSw0QkFBZ0IsQ0FDeEIseURBQXlELEdBQUcsQ0FBQyxHQUFHLGVBQWUsR0FBRyxDQUFDLEdBQUcsR0FBRyxDQUMxRixDQUFDO1NBQ0g7UUFDRCxJQUFJLE9BQU8sQ0FBQyxHQUFHLENBQUMsRUFBRTtZQUNoQixXQUFXLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxHQUFHLEdBQUcsQ0FBQztTQUM1QjtLQUNGO0lBQ0QsT0FBTyxlQUFlLENBQUM7QUFDekIsQ0FBQztBQWhDRCwwREFnQ0M7QUFFRCxLQUFLLFVBQVUsU0FBUyxDQUFDLEVBQ3ZCLFFBQVEsRUFDUixZQUFZLEVBQ1osWUFBWSxFQUNaLFFBQVEsRUFDUixNQUFNLEVBQ04sYUFBYSxHQVFkO0lBQ0MsSUFBSSxZQUFZLEtBQUssU0FBUyxFQUFFO1FBQzlCLE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIseUVBQXlFLENBQzFFLENBQUM7S0FDSDtJQUNELE1BQU0sRUFBRSxTQUFTLEVBQUUsR0FBRyxRQUFRLENBQUMscUJBQXFCLENBQUM7SUFDckQsTUFBTSxlQUFlLEdBQUcsdUJBQXVCLENBQUMsU0FBUyxFQUFFLFlBQVksQ0FBQyxDQUFDO0lBQ3pFLE1BQU0sZUFBZSxHQUFHLFlBQVksSUFBSSxJQUFBLCtCQUFvQixFQUFDLFlBQVksQ0FBQyxDQUFDO0lBRTNFLEtBQUssVUFBVSxZQUFZLENBQUMsWUFBNkI7UUFDdkQsTUFBTSxHQUFHLEdBQUcsR0FBRyxZQUFZLENBQUMsR0FBRyxJQUFJLGVBQWUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxLQUFLLFFBQVEsQ0FBQztRQUN4RSxNQUFNLHVCQUF1QixHQUFHLE1BQU0sYUFBYSxDQUFDLGVBQWUsQ0FDakUsTUFBTSxhQUFhLENBQUMsZUFBZSxFQUFFLENBQ3RDLENBQUM7UUFDRixNQUFNLGVBQWUsR0FBRyx1QkFBdUIsQ0FBQyxTQUFTLENBQUM7UUFFMUQsTUFBTSxjQUFjLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQztZQUNwQyxTQUFTLEVBQUUsT0FBTztZQUNsQixTQUFTLEVBQUUsWUFBWTtZQUN2QixNQUFNLEVBQUUsUUFBUSxDQUFDLHFCQUFxQixDQUFDLE1BQU07WUFDN0MsZUFBZTtTQUNoQixDQUFDLENBQUM7UUFFSCxNQUFNLFVBQVUsR0FBRyxFQUFFLFdBQVcsRUFBRSxjQUFjLEVBQUUsQ0FBQztRQUNuRCxNQUFNLGtCQUFrQixHQUFHLE1BQU0sSUFBQSxzQkFBWSxFQUMzQyxlQUFlLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsVUFBVSxFQUNqQyxRQUFRLENBQUMsVUFBVSxDQUNwQixDQUFDO1FBRUYsSUFBSSxXQUFXLENBQUM7UUFDaEIsSUFBSSxlQUFlLEVBQUU7WUFDbkIsV0FBVyxHQUFHO2dCQUNaLFNBQVMsRUFBRSxZQUFZO2dCQUN2QixNQUFNLEVBQUUsUUFBUSxDQUFDLHFCQUFxQixDQUFDLE1BQU07Z0JBQzdDLE1BQU0sRUFBRTtvQkFDTixHQUFHLE1BQU07b0JBQ1QsU0FBUyxFQUFFLGVBQWU7aUJBQzNCO2dCQUNELFNBQVMsRUFBRSxrQkFBa0I7YUFDOUIsQ0FBQztTQUNIO2FBQU07WUFDTCxXQUFXLEdBQUc7Z0JBQ1osa0JBQWtCO2FBQ25CLENBQUM7U0FDSDtRQUVELE1BQU0sT0FBTyxHQUFHLE1BQU0sWUFBWSxDQUFDLFNBQVMsQ0FBQyxZQUFZLENBQUMsTUFBTSxFQUFFLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO1FBQ3JGLE1BQU0sRUFDSixJQUFJLEVBQUUsRUFBRSxnQkFBZ0IsRUFBRSxRQUFRLEVBQUUsR0FDckMsR0FBRyxNQUFNLGVBQUssQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsRUFBRSxPQUFPLENBQUMsSUFBSSxFQUFFLEVBQUUsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1FBRTlFLE1BQU0sR0FBRyxHQUFHLGtCQUFNLENBQUMsVUFBVSxDQUFDLGlCQUFNLENBQUMsTUFBTSxDQUFDLGdCQUFnQixDQUFDLENBQUMsQ0FBQztRQUMvRCxNQUFNLGtCQUFrQixHQUFHLE1BQU0sYUFBYSxDQUFDLHFCQUFxQixDQUNsRSxHQUFHLEVBQ0gsdUJBQXVCLENBQUMsVUFBVSxDQUNuQyxDQUFDO1FBRUYsT0FBTztZQUNMLEdBQUcsRUFBRSxJQUFJLFVBQVUsQ0FBQyxrQkFBa0IsQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNyRCxRQUFRO1NBQ1QsQ0FBQztJQUNKLENBQUM7SUFFRCxzRUFBc0U7SUFDdEUsTUFBTSxRQUFRLEdBQUcsSUFBSSxHQUFHLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxlQUFlLENBQUMsQ0FBQyxDQUFDO0lBRXZELHFEQUFxRDtJQUNyRCxJQUFJLFFBQVEsQ0FBQyxJQUFJLEtBQUssQ0FBQyxFQUFFO1FBQ3ZCLE1BQU0sQ0FBQyxPQUFPLENBQUMsR0FBRyxRQUFRLENBQUM7UUFDM0IsTUFBTSxVQUFVLEdBQUcsZUFBZSxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBRTVDLElBQUk7WUFDRix1RUFBdUU7WUFDdkUsTUFBTSxNQUFNLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUM5QixNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsWUFBWSxFQUFFLEVBQUU7Z0JBQ25ELElBQUk7b0JBQ0YsT0FBTyxNQUFNLFlBQVksQ0FBQyxZQUFZLENBQUMsQ0FBQztpQkFDekM7Z0JBQUMsT0FBTyxDQUFDLEVBQUU7b0JBQ1YsNEJBQTRCO29CQUM1QixNQUFNLGlCQUFpQixDQUFDLENBQXVCLENBQUMsQ0FBQztpQkFDbEQ7WUFDSCxDQUFDLENBQUMsQ0FDSCxDQUFDO1lBRUYsTUFBTSxnQkFBZ0IsR0FBRyxJQUFBLG1CQUFRLEVBQUMsQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztZQUNoRCxPQUFPO2dCQUNMLHNCQUFzQixFQUFFLGtCQUFNLENBQUMsZUFBZSxDQUFDLGdCQUFnQixDQUFDO2dCQUNoRSxRQUFRLEVBQUUsTUFBTSxDQUFDLFFBQVE7YUFDMUIsQ0FBQztTQUNIO1FBQUMsT0FBTyxLQUFLLEVBQUU7WUFDZCxJQUFJLEtBQUssWUFBWSxjQUFjLEVBQUU7Z0JBQ25DLHlCQUF5QjtnQkFDekIsTUFBTSxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMseURBQXlEO2FBQ2pGO1lBQ0QsTUFBTSxLQUFLLENBQUM7U0FDYjtLQUNGO1NBQU07UUFDTCxzRUFBc0U7UUFDdEUsTUFBTSxZQUFZLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUNwQyxNQUFNLENBQUMsT0FBTyxDQUFDLGVBQWUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxPQUFPLEVBQUUsVUFBVSxDQUFDLEVBQUUsRUFBRTtZQUNsRSxJQUFJLENBQUMsVUFBVSxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQyxNQUFNLEVBQUU7Z0JBQ2xELE1BQU0sSUFBSSwwQkFBYyxDQUN0Qix3REFBd0QsSUFBSSxDQUFDLFNBQVMsQ0FBQyxPQUFPLENBQUMsRUFBRSxFQUNqRixFQUFFLENBQ0gsQ0FBQzthQUNIO1lBRUQsSUFBSTtnQkFDRixtRUFBbUU7Z0JBQ25FLE9BQU8sTUFBTSxPQUFPLENBQUMsR0FBRyxDQUN0QixNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsWUFBWSxFQUFFLEVBQUU7b0JBQ25ELElBQUk7d0JBQ0YsT0FBTyxNQUFNLFlBQVksQ0FBQyxZQUFZLENBQUMsQ0FBQztxQkFDekM7b0JBQUMsT0FBTyxDQUFDLEVBQUU7d0JBQ1YsTUFBTSxpQkFBaUIsQ0FBQyxDQUF1QixDQUFDLENBQUM7cUJBQ2xEO2dCQUNILENBQUMsQ0FBQyxDQUNILENBQUM7YUFDSDtZQUFDLE9BQU8sS0FBSyxFQUFFO2dCQUNkLElBQUksS0FBSyxZQUFZLGNBQWMsRUFBRTtvQkFDbkMsd0NBQXdDO29CQUN4QyxNQUFNLEtBQUssQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyx5REFBeUQ7aUJBQ2pGO2dCQUNELE1BQU0sS0FBSyxDQUFDO2FBQ2I7UUFDSCxDQUFDLENBQUMsQ0FDSCxDQUFDO1FBRUYsMkJBQTJCO1FBQzNCLE1BQU0sZ0JBQWdCLEdBQUcsSUFBQSxtQkFBUSxFQUFDLFlBQVksQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1FBQ2xFLE9BQU87WUFDTCxzQkFBc0IsRUFBRSxrQkFBTSxDQUFDLGVBQWUsQ0FBQyxnQkFBZ0IsQ0FBQztZQUNoRSxRQUFRLEVBQUUsWUFBWSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsRUFBRSxnQ0FBZ0M7U0FDckUsQ0FBQztLQUNIO0FBQ0gsQ0FBQztBQUVELFNBQVMsaUJBQWlCLENBQUMsS0FBeUI7SUFDbEQsSUFBSSxlQUFLLENBQUMsWUFBWSxDQUFDLEtBQUssQ0FBQyxFQUFFO1FBQzdCLElBQUksS0FBSyxDQUFDLFFBQVEsRUFBRSxNQUFNLElBQUksS0FBSyxDQUFDLFFBQVEsRUFBRSxNQUFNLElBQUksR0FBRyxFQUFFO1lBQzNELE9BQU8sSUFBSSx3QkFBWSxDQUFDLGdCQUFnQixFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQ2xEO2FBQU0sSUFBSSxLQUFLLENBQUMsUUFBUSxFQUFFLE1BQU0sS0FBSyxHQUFHLEVBQUU7WUFDekMsT0FBTyxJQUFJLGlDQUFxQixDQUFDLGdCQUFnQixFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQzNEO2FBQU0sSUFBSSxLQUFLLENBQUMsUUFBUSxFQUFFLE1BQU0sS0FBSyxHQUFHLEVBQUU7WUFDekMsT0FBTyxJQUFJLGdDQUFvQixDQUFDLHFCQUFxQixFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQy9EO2FBQU0sSUFBSSxLQUFLLENBQUMsUUFBUSxFQUFFLE1BQU0sS0FBSyxHQUFHLEVBQUU7WUFDekMsT0FBTyxJQUFJLDRCQUFnQixDQUN6Qix1RkFBdUYsRUFDdkYsS0FBSyxDQUNOLENBQUM7U0FDSDthQUFNO1lBQ0wsT0FBTyxJQUFJLHdCQUFZLENBQUMscUJBQXFCLEVBQUUsS0FBSyxDQUFDLENBQUM7U0FDdkQ7S0FDRjtTQUFNO1FBQ0wsSUFBSSxLQUFLLENBQUMsSUFBSSxLQUFLLG9CQUFvQixJQUFJLEtBQUssQ0FBQyxJQUFJLEtBQUssZ0JBQWdCLEVBQUU7WUFDMUUsT0FBTyxJQUFJLHdCQUFZLENBQUMsK0JBQStCLEVBQUUsS0FBSyxDQUFDLENBQUM7U0FDakU7UUFDRCxPQUFPLElBQUksNEJBQWdCLENBQ3pCLDZDQUE2QyxLQUFLLENBQUMsSUFBSSxLQUFLLEtBQUssQ0FBQyxPQUFPLEdBQUcsRUFDNUUsS0FBSyxDQUNOLENBQUM7S0FDSDtBQUNILENBQUM7QUFFRCxLQUFLLFVBQVUsWUFBWSxDQUN6QixjQUEwQixFQUMxQixzQkFBOEIsRUFDOUIsSUFBWSxFQUNaLE1BQXVCLEVBQ3ZCLHlCQUE2QyxFQUM3QyxhQUE0QjtJQUU1QixJQUFJLHlCQUF5QixLQUFLLE1BQU0sSUFBSSx5QkFBeUIsS0FBSyxPQUFPLEVBQUU7S0FDbEY7SUFDRCxNQUFNLGNBQWMsR0FBRyxNQUFNLFlBQVksQ0FDdkMsc0JBQXNCLEVBQ3RCLGtCQUFNLENBQUMsZUFBZSxDQUFDLGNBQWMsQ0FBQyxNQUFNLENBQUMsRUFDN0MseUJBQXlCLEVBQ3pCLGFBQWEsQ0FDZCxDQUFDO0lBQ0YsSUFBSSxJQUFJLEtBQUssSUFBSSxDQUFDLGNBQWMsQ0FBQyxFQUFFO1FBQ2pDLE1BQU0sSUFBSSwwQkFBYyxDQUFDLHdDQUF3QyxDQUFDLENBQUM7S0FDcEU7SUFDRCxPQUFPLE1BQU0sTUFBTSxDQUFDLE9BQU8sQ0FBQyxjQUFjLEVBQUUsc0JBQXNCLENBQUMsQ0FBQztBQUN0RSxDQUFDO0FBRUQsS0FBSyxVQUFVLGdCQUFnQixDQUM3QixRQUFpQixFQUNqQixnQkFBb0MsRUFDcEMsU0FBb0IsRUFDcEIsc0JBQThCLEVBQzlCLE1BQXVCLEVBQ3ZCLHlCQUE2QyxFQUM3QyxhQUE0QjtJQUU1QixNQUFNLG1CQUFtQixHQUFHLEdBQUcsQ0FBQztJQUNoQyxJQUFJLFFBQVEsR0FBRyxFQUFFLENBQUM7SUFDbEIsTUFBTSxTQUFTLEdBQUcsQ0FBQyxDQUFDO0lBRXBCLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxRQUFRLENBQUMsTUFBTSxFQUFFLENBQUMsSUFBSSxtQkFBbUIsRUFBRTtRQUM3RCxJQUFJLFFBQVEsQ0FBQyxNQUFNLEtBQUssU0FBUyxFQUFFO1lBQ2pDLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsQ0FBQztZQUM1QixRQUFRLEdBQUcsRUFBRSxDQUFDO1NBQ2Y7UUFDRCxRQUFRLENBQUMsSUFBSSxDQUNYLENBQUMsS0FBSyxJQUFJLEVBQUU7WUFDVixJQUFJLE1BQXlCLENBQUM7WUFFOUIsTUFBTSxLQUFLLEdBQUcsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxHQUFHLG1CQUFtQixDQUFDLENBQUM7WUFDekQsSUFBSTtnQkFDRixNQUFNLFVBQVUsR0FBRyxLQUFLLENBQUMsTUFBTSxDQUM3QixDQUFDLFVBQVUsRUFBRSxFQUFFLG9CQUFvQixFQUFFLEVBQUUsRUFBRSxDQUFDLFVBQVUsR0FBSSxvQkFBK0IsRUFDdkYsQ0FBQyxDQUNGLENBQUM7Z0JBQ0YsTUFBTSxHQUFHLE1BQU0sU0FBUyxDQUFDLGlCQUFpQixDQUN4QyxnQkFBZ0IsRUFDaEIsV0FBVyxFQUNYLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxlQUFlLEVBQ3hCLFVBQVUsQ0FDWCxDQUFDO2FBQ0g7WUFBQyxPQUFPLENBQUMsRUFBRTtnQkFDVixJQUFJLENBQUMsWUFBWSw0QkFBZ0IsRUFBRTtvQkFDakMsTUFBTSxDQUFDLENBQUM7aUJBQ1Q7Z0JBQ0QsTUFBTSxJQUFJLHdCQUFZLENBQUMsaUNBQWlDLEVBQUUsQ0FBQyxDQUFDLENBQUM7YUFDOUQ7WUFDRCxJQUFJLE1BQU0sRUFBRTtnQkFDVixlQUFlLENBQUM7b0JBQ2QsTUFBTTtvQkFDTixhQUFhO29CQUNiLHNCQUFzQjtvQkFDdEIsS0FBSztvQkFDTCxNQUFNO29CQUNOLHlCQUF5QjtpQkFDMUIsQ0FBQyxDQUFDO2FBQ0o7UUFDSCxDQUFDLENBQUMsRUFBRSxDQUNMLENBQUM7S0FDSDtBQUNILENBQUM7QUFFTSxLQUFLLFVBQVUsZUFBZSxDQUFDLEVBQ3BDLE1BQU0sRUFDTixzQkFBc0IsRUFDdEIsS0FBSyxFQUNMLE1BQU0sRUFDTixhQUFhLEVBQ2IseUJBQXlCLEdBUTFCO0lBQ0MsS0FBSyxNQUFNLEtBQUssSUFBSSxLQUFLLEVBQUU7UUFDekIsTUFBTSxFQUFFLGVBQWUsRUFBRSxvQkFBb0IsRUFBRSxRQUFRLEVBQUUsT0FBTyxFQUFFLEdBQUcsS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBRWxGLE1BQU0sTUFBTSxHQUNWLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxlQUFlLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxlQUFlLENBQUMsQ0FBQyxDQUFDLGVBQWUsR0FBRyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsZUFBZSxDQUFDO1FBQ2hHLE1BQU0sY0FBYyxHQUFHLElBQUksVUFBVSxDQUNuQyxNQUFNLENBQUMsS0FBSyxDQUFDLE1BQU0sRUFBRSxNQUFNLEdBQUksb0JBQStCLENBQUMsQ0FDaEUsQ0FBQztRQUVGLElBQUk7WUFDRixNQUFNLE1BQU0sR0FBRyxNQUFNLFlBQVksQ0FDL0IsY0FBYyxFQUNkLHNCQUFzQixFQUN0QixLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsTUFBTSxDQUFDLEVBQ3BCLE1BQU0sRUFDTix5QkFBeUIsRUFDekIsYUFBYSxDQUNkLENBQUM7WUFDRixLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsY0FBYyxHQUFHLE1BQU0sQ0FBQztZQUNyQyxJQUFJLFFBQVEsRUFBRTtnQkFDWixRQUFRLENBQUMsSUFBSSxDQUFDLENBQUM7YUFDaEI7U0FDRjtRQUFDLE9BQU8sQ0FBQyxFQUFFO1lBQ1YsSUFBSSxPQUFPLEVBQUU7Z0JBQ1gsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDO2FBQ1o7aUJBQU07Z0JBQ0wsTUFBTSxDQUFDLENBQUM7YUFDVDtTQUNGO0tBQ0Y7QUFDSCxDQUFDO0FBN0NELDBDQTZDQztBQUVNLEtBQUssVUFBVSxVQUFVLENBQUMsR0FBeUI7SUFDeEQsSUFBSSxFQUFFLFNBQVMsRUFBRSxHQUFHLEdBQUcsQ0FBQztJQUN4QixJQUFJLENBQUMsU0FBUyxFQUFFO1FBQ2QsSUFBSSxDQUFDLEdBQUcsQ0FBQyxZQUFZLEVBQUU7WUFDckIsTUFBTSxJQUFJLDhCQUFrQixDQUFDLHlDQUF5QyxDQUFDLENBQUM7U0FDekU7UUFDRCxTQUFTLEdBQUcsSUFBSSwyQkFBZSxDQUFDLEdBQUcsQ0FBQyxZQUFZLENBQUMsQ0FBQztLQUNuRDtJQUNELE1BQU0sRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLGdCQUFnQixFQUFFLEdBQUcsTUFBTSxhQUFhLENBQUMsR0FBRyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQ25GLElBQUksQ0FBQyxRQUFRLEVBQUU7UUFDYixNQUFNLElBQUksNEJBQWdCLENBQUMsdUJBQXVCLENBQUMsQ0FBQztLQUNyRDtJQUNELEdBQUcsQ0FBQyxhQUFhLEtBQUssS0FBSyxFQUFFLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDO0lBRXpDLE1BQU0sRUFDSiwyQkFBMkIsRUFBRSxrQkFBa0IsRUFDL0MsYUFBYSxFQUNiLGNBQWMsRUFDZCxRQUFRLEdBQ1QsR0FBRyxRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUM7SUFDeEQsTUFBTSxFQUFFLFFBQVEsRUFBRSxzQkFBc0IsRUFBRSxHQUFHLE1BQU0sU0FBUyxDQUFDO1FBQzNELFFBQVE7UUFDUixZQUFZLEVBQUUsR0FBRyxDQUFDLFlBQVk7UUFDOUIsWUFBWSxFQUFFLFNBQVM7UUFDdkIsUUFBUSxFQUFFLEdBQUcsQ0FBQyxRQUFRO1FBQ3RCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTTtRQUNsQixhQUFhLEVBQUUsR0FBRyxDQUFDLGFBQWE7S0FDakMsQ0FBQyxDQUFDO0lBQ0gsc0xBQXNMO0lBQ3RMLE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxHQUFHLENBQUMsYUFBYSxDQUFDLHNCQUFzQixDQUFDLENBQUM7SUFDekUsTUFBTSwyQkFBMkIsR0FBRyxrQkFBa0IsSUFBSSxvQkFBb0IsQ0FBQztJQUUvRSxzQ0FBc0M7SUFDdEMsTUFBTSxhQUFhLEdBQUcsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsSUFBSSxFQUFFLEVBQUUsRUFBRSxDQUFDLGlCQUFNLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQy9FLE1BQU0sa0JBQWtCLEdBQUcsYUFBYSxDQUFDLEdBQUcsQ0FBQztJQUM3QyxJQUFJLGtCQUFrQixLQUFLLE1BQU0sSUFBSSxrQkFBa0IsS0FBSyxPQUFPLEVBQUU7UUFDbkUsTUFBTSxJQUFJLG1DQUFnQixDQUFDLDhCQUE4QixrQkFBa0IsR0FBRyxDQUFDLENBQUM7S0FDakY7SUFDRCxNQUFNLGFBQWEsR0FBRyxNQUFNLFlBQVksQ0FDdEMsZ0JBQWdCLEVBQ2hCLGtCQUFNLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQyxFQUNoQyxrQkFBa0IsRUFDbEIsR0FBRyxDQUFDLGFBQWEsQ0FDbEIsQ0FBQztJQUVGLElBQ0UsUUFBUSxDQUFDLHFCQUFxQixDQUFDLG9CQUFvQixDQUFDLGFBQWEsQ0FBQyxHQUFHO1FBQ3JFLGlCQUFNLENBQUMsTUFBTSxDQUFDLGFBQWEsQ0FBQyxFQUM1QjtRQUNBLE1BQU0sSUFBSSwwQkFBYyxDQUFDLDBDQUEwQyxDQUFDLENBQUM7S0FDdEU7SUFFRCxJQUFJLENBQUMsR0FBRyxDQUFDLGtCQUFrQixFQUFFO1FBQzNCLEtBQUssTUFBTSxTQUFTLElBQUksUUFBUSxDQUFDLFVBQVUsSUFBSSxFQUFFLEVBQUU7WUFDakQsaUNBQWlDO1lBQ2pDLElBQUksWUFBWSxHQUFpQjtnQkFDL0IsR0FBRyxFQUFFLE9BQU87Z0JBQ1osR0FBRyxFQUFFLElBQUksVUFBVSxDQUFDLHNCQUFzQixDQUFDLGFBQWEsRUFBRSxDQUFDO2FBQzVELENBQUM7WUFFRixJQUFJLEdBQUcsQ0FBQyx5QkFBeUIsRUFBRTtnQkFDakMsTUFBTSxRQUFRLEdBQUcsR0FBRyxDQUFDLHlCQUF5QixDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDLENBQUM7Z0JBQ2xFLElBQUksUUFBUSxFQUFFO29CQUNaLFlBQVksR0FBRyxRQUFRLENBQUM7aUJBQ3pCO2FBQ0Y7WUFDRCxNQUFNLFVBQVUsQ0FBQyxNQUFNLENBQUMsU0FBUyxFQUFFLGFBQWEsRUFBRSxZQUFZLENBQUMsQ0FBQztTQUNqRTtLQUNGO0lBRUQsSUFBSSxtQkFBbUIsR0FBRyxDQUFDLENBQUM7SUFDNUIsTUFBTSxRQUFRLEdBQUcsSUFBSSxHQUFHLENBQ3RCLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLElBQUksRUFBRSxvQkFBb0IsR0FBRywyQkFBMkIsRUFBRSxFQUFFLEVBQUU7UUFDNUUsTUFBTSxNQUFNLEdBQUcsQ0FBQyxHQUFHLEVBQUU7WUFDbkIsSUFBSSxRQUFRLEVBQUUsT0FBTyxDQUFDO1lBQ3RCLE1BQU0sS0FBSyxHQUFVO2dCQUNuQixJQUFJO2dCQUNKLGVBQWUsRUFBRSxtQkFBbUI7Z0JBQ3BDLG9CQUFvQjtnQkFDcEIsT0FBTyxFQUFFLElBQUksT0FBTyxDQUFDLENBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxFQUFFO29CQUN2QyxRQUFRLEdBQUcsT0FBTyxDQUFDO29CQUNuQixPQUFPLEdBQUcsTUFBTSxDQUFDO2dCQUNuQixDQUFDLENBQUM7YUFDSCxDQUFDO1lBQ0YsS0FBSyxDQUFDLFFBQVEsR0FBRyxRQUFRLENBQUM7WUFDMUIsS0FBSyxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7WUFDeEIsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ0wsbUJBQW1CLElBQUksb0JBQW9CLElBQUksMkJBQTJCLENBQUM7UUFDM0UsT0FBTyxDQUFDLElBQUksRUFBRSxNQUFNLENBQUMsQ0FBQztJQUN4QixDQUFDLENBQUMsQ0FDSCxDQUFDO0lBRUYsTUFBTSxNQUFNLEdBQUcsSUFBSSx1QkFBWSxDQUFDLEdBQUcsQ0FBQyxhQUFhLENBQUMsQ0FBQztJQUNuRCxNQUFNLG1CQUFtQixHQUFHLGNBQWMsSUFBSSxrQkFBa0IsQ0FBQztJQUNqRSxJQUFJLG1CQUFtQixLQUFLLE1BQU0sSUFBSSxtQkFBbUIsS0FBSyxPQUFPLEVBQUU7UUFDckUsTUFBTSxJQUFJLG1DQUFnQixDQUFDLGlDQUFpQyxtQkFBbUIsR0FBRyxDQUFDLENBQUM7S0FDckY7SUFFRCxxQ0FBcUM7SUFDckMsZ0JBQWdCLENBQ2QsS0FBSyxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsTUFBTSxFQUFFLENBQUMsRUFDN0IsZ0JBQWdCLEVBQ2hCLFNBQVMsRUFDVCxnQkFBZ0IsRUFDaEIsTUFBTSxFQUNOLG1CQUFtQixFQUNuQixHQUFHLENBQUMsYUFBYSxDQUNsQixDQUFDO0lBRUYsSUFBSSxRQUFRLEdBQUcsQ0FBQyxDQUFDO0lBQ2pCLE1BQU0sZ0JBQWdCLEdBQUc7UUFDdkIsSUFBSSxFQUFFLEtBQUssRUFBRSxVQUEyQyxFQUFFLEVBQUU7WUFDMUQsSUFBSSxRQUFRLENBQUMsSUFBSSxLQUFLLENBQUMsRUFBRTtnQkFDdkIsVUFBVSxDQUFDLEtBQUssRUFBRSxDQUFDO2dCQUNuQixPQUFPO2FBQ1I7WUFFRCxNQUFNLENBQUMsSUFBSSxFQUFFLEtBQUssQ0FBQyxHQUFHLFFBQVEsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxLQUFLLENBQUM7WUFDdEQsSUFBSSxDQUFDLEtBQUssQ0FBQyxjQUFjLEVBQUU7Z0JBQ3pCLE1BQU0sS0FBSyxDQUFDLE9BQU8sQ0FBQzthQUNyQjtZQUNELE1BQU0sZ0JBQWdCLEdBQUcsS0FBSyxDQUFDLGNBQWMsQ0FBQztZQUU5QyxVQUFVLENBQUMsT0FBTyxDQUFDLElBQUksVUFBVSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLENBQUM7WUFDM0UsUUFBUSxJQUFJLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQztZQUN2QyxHQUFHLENBQUMsZUFBZSxFQUFFLENBQUMsUUFBUSxDQUFDLENBQUM7WUFFaEMsS0FBSyxDQUFDLGNBQWMsR0FBRyxJQUFJLENBQUM7WUFDNUIsUUFBUSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUN4QixDQUFDO1FBQ0QsR0FBRyxDQUFDLEdBQUcsQ0FBQyx1QkFBdUIsSUFBSSxFQUFFLHVCQUF1QixFQUFFLEdBQUcsQ0FBQyx1QkFBdUIsRUFBRSxDQUFDO0tBQzdGLENBQUM7SUFFRixNQUFNLFlBQVksR0FBRyxJQUFJLG9EQUF1QixDQUFDLGdCQUFnQixDQUFDLENBQUM7SUFFbkUsWUFBWSxDQUFDLFFBQVEsR0FBRyxRQUFRLENBQUM7SUFDakMsWUFBWSxDQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDeEMsWUFBWSxDQUFDLFFBQVEsR0FBRyxRQUFRLENBQUM7SUFDakMsWUFBWSxDQUFDLElBQUksQ0FBQyxRQUFRLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDdEMsT0FBTyxZQUFZLENBQUM7QUFDdEIsQ0FBQztBQTdJRCxnQ0E2SUMifQ==