@opentdf/sdk 0.1.0-beta.1701

package/dist/web/tdf3/src/tdf.js

@@ -0,0 +1,866 @@
+import axios from 'axios';
+import { unsigned } from './utils/buffer-crc32.js';
+import { exportSPKI, importX509 } from 'jose';
+import { DecoratedReadableStream } from './client/DecoratedReadableStream.js';
+import { pemToCryptoPublicKey, validateSecureUrl } from '../../src/utils.js';
+import * as assertions from './assertions.js';
+import { isRemote as isRemoteKeyAccess, Remote as KeyAccessRemote, Wrapped as KeyAccessWrapped, } from './models/index.js';
+import { base64 } from '../../src/encodings/index.js';
+import { ZipReader, ZipWriter, base64ToBuffer, isAppIdProviderCheck, keyMerge, buffToString, concatUint8, } from './utils/index.js';
+import { Binary } from './binary.js';
+import { OriginAllowList } from '../../src/access.js';
+import { ConfigurationError, DecryptError, InvalidFileError, IntegrityError, NetworkError, PermissionDeniedError, ServiceError, TdfError, UnauthenticatedError, UnsafeUrlError, UnsupportedFeatureError as UnsupportedError, } from '../../src/errors.js';
+import { htmlWrapperTemplate } from './templates/index.js';
+// configurable
+// TODO: remove dependencies from ciphers so that we can open-source instead of relying on other Virtru libs
+import { AesGcmCipher } from './ciphers/index.js';
+import { reqSignature, } from '../../src/auth/auth.js';
+// TODO: input validation on manifest JSON
+const DEFAULT_SEGMENT_SIZE = 1024 * 1024;
+/**
+ * If we have KAS url but not public key we can fetch it from KAS, fetching
+ * the value from `${kas}/kas_public_key`.
+ */
+export async function fetchKasPublicKey(kas, algorithm) {
+    if (!kas) {
+        throw new ConfigurationError('KAS definition not found');
+    }
+    // Logs insecure KAS. Secure is enforced in constructor
+    validateSecureUrl(kas);
+    const infoStatic = { url: kas, algorithm: algorithm || 'rsa:2048' };
+    const params = {};
+    if (algorithm) {
+        params.algorithm = algorithm;
+    }
+    const v2Url = `${kas}/v2/kas_public_key`;
+    try {
+        const response = await axios.get(v2Url, {
+            params: {
+                ...params,
+                v: '2',
+            },
+        });
+        const publicKey = typeof response.data === 'string'
+            ? await extractPemFromKeyString(response.data)
+            : response.data.publicKey;
+        return {
+            publicKey,
+            key: pemToCryptoPublicKey(publicKey),
+            ...infoStatic,
+            ...(typeof response.data !== 'string' && response.data.kid && { kid: response.data.kid }),
+        };
+    }
+    catch (cause) {
+        const status = cause?.response?.status;
+        switch (status) {
+            case 400:
+            case 404:
+                // KAS does not yet implement v2, maybe
+                break;
+            case 401:
+                throw new UnauthenticatedError(`[${v2Url}] requires auth`, cause);
+            case 403:
+                throw new PermissionDeniedError(`[${v2Url}] permission denied`, cause);
+            default:
+                if (status && status >= 400 && status < 500) {
+                    throw new ConfigurationError(`[${v2Url}] request error [${status}] [${cause.name}] [${cause.message}]`, cause);
+                }
+                throw new NetworkError(`[${v2Url}] error [${status}] [${cause.name}] [${cause.message}]`, cause);
+        }
+    }
+    // Retry with v1 params
+    const v1Url = `${kas}/kas_public_key`;
+    try {
+        const response = await axios.get(v1Url, {
+            params,
+        });
+        const publicKey = typeof response.data === 'string'
+            ? await extractPemFromKeyString(response.data)
+            : response.data.publicKey;
+        // future proof: allow v2 response even if not specified.
+        return {
+            publicKey,
+            key: pemToCryptoPublicKey(publicKey),
+            ...infoStatic,
+            ...(typeof response.data !== 'string' && response.data.kid && { kid: response.data.kid }),
+        };
+    }
+    catch (cause) {
+        const status = cause?.response?.status;
+        switch (status) {
+            case 401:
+                throw new UnauthenticatedError(`[${v1Url}] requires auth`, cause);
+            case 403:
+                throw new PermissionDeniedError(`[${v1Url}] permission denied`, cause);
+            default:
+                if (status && status >= 400 && status < 500) {
+                    throw new ConfigurationError(`[${v2Url}] request error [${status}] [${cause.name}] [${cause.message}]`, cause);
+                }
+                throw new NetworkError(`[${v1Url}] error [${status}] [${cause.name}] [${cause.message}]`, cause);
+        }
+    }
+}
+/**
+ *
+ * @param payload The TDF content to encode in HTML
+ * @param manifest A copy of the manifest
+ * @param transferUrl reader web-service start page
+ * @return utf-8 encoded HTML data
+ */
+export function wrapHtml(payload, manifest, transferUrl) {
+    const { origin } = new URL(transferUrl);
+    const exportManifest = typeof manifest === 'string' ? manifest : JSON.stringify(manifest);
+    const fullHtmlString = htmlWrapperTemplate({
+        transferUrl,
+        transferBaseUrl: origin,
+        manifest: base64.encode(exportManifest),
+        payload: buffToString(payload, 'base64'),
+    });
+    return new TextEncoder().encode(fullHtmlString);
+}
+export function unwrapHtml(htmlPayload) {
+    let html;
+    if (htmlPayload instanceof ArrayBuffer || ArrayBuffer.isView(htmlPayload)) {
+        html = new TextDecoder().decode(htmlPayload);
+    }
+    else {
+        html = htmlPayload.toString();
+    }
+    const payloadRe = /<input id=['"]?data-input['"]?[^>]*?value=['"]?([a-zA-Z0-9+/=]+)['"]?/;
+    const reResult = payloadRe.exec(html);
+    if (reResult === null) {
+        throw new InvalidFileError('Payload is missing');
+    }
+    const base64Payload = reResult[1];
+    try {
+        return base64ToBuffer(base64Payload);
+    }
+    catch (e) {
+        throw new InvalidFileError('There was a problem extracting the TDF3 payload', e);
+    }
+}
+export async function extractPemFromKeyString(keyString) {
+    let pem = keyString;
+    // Skip the public key extraction if we find that the KAS url provides a
+    // PEM-encoded key instead of certificate
+    if (keyString.includes('CERTIFICATE')) {
+        const cert = await importX509(keyString, 'RS256', { extractable: true });
+        pem = await exportSPKI(cert);
+    }
+    return pem;
+}
+/**
+ * Build a key access object and add it to the list. Can specify either
+ * a (url, publicKey) pair (legacy, deprecated) or an attribute URL (future).
+ * If all are missing then it attempts to use the default attribute. If that
+ * is missing it throws an error.
+ * @param  {Object} options
+ * @param  {String} options.type - enum representing how the object key is treated
+ * @param  {String} options.attributeUrl - URL of the attribute to use for pubKey and kasUrl. Omit to use default.
+ * @param  {String} options.url - directly set the KAS URL
+ * @param  {String} options.publicKey - directly set the (KAS) public key
+ * @param  {String?} options.kid - Key identifier of KAS public key
+ * @param  {String? Object?} options.metadata - Metadata. Appears to be dead code.
+ * @return {KeyAccess}- the key access object loaded
+ */
+export async function buildKeyAccess({ attributeSet, type, url, publicKey, kid, attributeUrl, metadata, sid = '', }) {
+    /** Internal function to keep it DRY */
+    function createKeyAccess(type, kasUrl, kasKeyIdentifier, pubKey, metadata) {
+        switch (type) {
+            case 'wrapped':
+                return new KeyAccessWrapped(kasUrl, kasKeyIdentifier, pubKey, metadata, sid);
+            case 'remote':
+                return new KeyAccessRemote(kasUrl, kasKeyIdentifier, pubKey, metadata, sid);
+            default:
+                throw new ConfigurationError(`buildKeyAccess: Key access type ${type} is unknown`);
+        }
+    }
+    // If an attributeUrl is provided try to load with that first.
+    if (attributeUrl && attributeSet) {
+        const attr = attributeSet.get(attributeUrl);
+        if (attr && attr.kasUrl && attr.pubKey) {
+            return createKeyAccess(type, attr.kasUrl, attr.kid, attr.pubKey, metadata);
+        }
+    }
+    // if url and pulicKey are specified load the key access object with them
+    if (url && publicKey) {
+        return createKeyAccess(type, url, kid, await extractPemFromKeyString(publicKey), metadata);
+    }
+    // Assume the default attribute is the source for kasUrl and pubKey
+    const defaultAttr = attributeSet?.getDefault();
+    if (defaultAttr) {
+        const { pubKey, kasUrl } = defaultAttr;
+        if (pubKey && kasUrl) {
+            return createKeyAccess(type, kasUrl, kid, await extractPemFromKeyString(pubKey), metadata);
+        }
+    }
+    // All failed. Raise an error.
+    throw new ConfigurationError('TDF.buildKeyAccess: No source for kasUrl or pubKey');
+}
+export function validatePolicyObject(policy) {
+    const missingFields = [];
+    if (!policy.uuid)
+        missingFields.push('uuid');
+    if (!policy.body)
+        missingFields.push('body', 'body.dissem');
+    if (policy.body && !policy.body.dissem)
+        missingFields.push('body.dissem');
+    if (missingFields.length) {
+        throw new ConfigurationError(`The given policy object requires the following properties: ${missingFields}`);
+    }
+}
+async function _generateManifest(keyInfo, encryptionInformation, policy, mimeType) {
+    // (maybe) Fields are quoted to avoid renaming
+    const payload = {
+        type: 'reference',
+        url: '0.payload',
+        protocol: 'zip',
+        isEncrypted: true,
+        schemaVersion: '3.0.0',
+        ...(mimeType && { mimeType }),
+    };
+    const encryptionInformationStr = await encryptionInformation.write(policy, keyInfo);
+    const assertions = [];
+    return {
+        payload,
+        // generate the manifest first, then insert integrity information into it
+        encryptionInformation: encryptionInformationStr,
+        assertions: assertions,
+    };
+}
+async function getSignature(unwrappedKeyBinary, payloadBinary, algorithmType, cryptoService) {
+    switch (algorithmType.toUpperCase()) {
+        case 'GMAC':
+            // use the auth tag baked into the encrypted payload
+            return buffToString(Uint8Array.from(payloadBinary.asByteArray()).slice(-16), 'hex');
+        case 'HS256':
+            // simple hmac is the default
+            return await cryptoService.hmac(buffToString(new Uint8Array(unwrappedKeyBinary.asArrayBuffer()), 'hex'), buffToString(new Uint8Array(payloadBinary.asArrayBuffer()), 'utf-8'));
+        default:
+            throw new ConfigurationError(`Unsupported signature alg [${algorithmType}]`);
+    }
+}
+function buildRequest(method, url, body) {
+    return {
+        headers: {},
+        method: method,
+        url: url,
+        body,
+    };
+}
+export async function upsert({ allowedKases, allowList, authProvider, entity, privateKey, unsavedManifest, ignoreType, }) {
+    const allowed = (() => {
+        if (allowList) {
+            return allowList;
+        }
+        if (!allowedKases) {
+            throw new ConfigurationError('Upsert cannot be done without allowlist');
+        }
+        return new OriginAllowList(allowedKases);
+    })();
+    const { keyAccess, policy } = unsavedManifest.encryptionInformation;
+    const isAppIdProvider = authProvider && isAppIdProviderCheck(authProvider);
+    if (authProvider === undefined) {
+        throw new ConfigurationError('Upsert cannot be done without auth provider');
+    }
+    return Promise.all(keyAccess.map(async (keyAccessObject) => {
+        // We only care about remote key access objects for the policy sync portion
+        const isRemote = isRemoteKeyAccess(keyAccessObject);
+        if (!ignoreType && !isRemote) {
+            return;
+        }
+        if (!allowed.allows(keyAccessObject.url)) {
+            throw new UnsafeUrlError(`Unexpected KAS url: [${keyAccessObject.url}]`);
+        }
+        const url = `${keyAccessObject.url}/${isAppIdProvider ? '' : 'v2/'}upsert`;
+        //TODO I dont' think we need a body at all for KAS requests
+        // Do we need ANY of this if it's already embedded in the EO in the Bearer OIDC token?
+        const body = {
+            keyAccess: keyAccessObject,
+            policy: unsavedManifest.encryptionInformation.policy,
+            entity: isAppIdProviderCheck(authProvider) ? entity : undefined,
+            authToken: undefined,
+            clientPayloadSignature: undefined,
+        };
+        if (isAppIdProviderCheck(authProvider)) {
+            body.authToken = await reqSignature({}, privateKey);
+        }
+        else {
+            body.clientPayloadSignature = await reqSignature(body, privateKey);
+        }
+        const httpReq = await authProvider.withCreds(buildRequest('POST', url, body));
+        try {
+            const response = await axios.post(httpReq.url, httpReq.body, {
+                headers: httpReq.headers,
+            });
+            // Remove additional properties which were needed to sync, but not that we want to save to
+            // the manifest
+            delete keyAccessObject.wrappedKey;
+            delete keyAccessObject.encryptedMetadata;
+            delete keyAccessObject.policyBinding;
+            if (isRemote) {
+                // Decode the policy and extract only the required info to save -- the uuid
+                const decodedPolicy = JSON.parse(base64.decode(policy));
+                unsavedManifest.encryptionInformation.policy = base64.encode(JSON.stringify({ uuid: decodedPolicy.uuid }));
+            }
+            return response.data;
+        }
+        catch (e) {
+            if (e.response) {
+                if (e.response.status >= 500) {
+                    throw new ServiceError('upsert failure', e);
+                }
+                else if (e.response.status === 403) {
+                    throw new PermissionDeniedError('upsert failure', e);
+                }
+                else if (e.response.status === 401) {
+                    throw new UnauthenticatedError('upsert auth failure', e);
+                }
+                else if (e.response.status === 400) {
+                    throw new ConfigurationError('upsert bad request; likely a configuration error', e);
+                }
+                else {
+                    throw new NetworkError('upsert server error', e);
+                }
+            }
+            else if (e.request) {
+                throw new NetworkError('upsert request failure', e);
+            }
+            throw new TdfError(`Unable to perform upsert operation on the KAS: [${e.name}: ${e.message}], response: [${e?.response?.body}]`, e);
+        }
+    }));
+}
+export async function writeStream(cfg) {
+    if (!cfg.authProvider) {
+        throw new ConfigurationError('No authorization middleware defined');
+    }
+    if (!cfg.contentStream) {
+        throw new ConfigurationError('No input stream defined');
+    }
+    // eslint-disable-next-line @typescript-eslint/no-this-alias
+    const segmentInfos = [];
+    cfg.byteLimit ??= Number.MAX_SAFE_INTEGER;
+    const entryInfos = [
+        {
+            filename: '0.payload',
+        },
+        {
+            filename: '0.manifest.json',
+        },
+    ];
+    let currentBuffer = new Uint8Array();
+    let totalByteCount = 0;
+    let bytesProcessed = 0;
+    let crcCounter = 0;
+    let fileByteCount = 0;
+    let aggregateHash = '';
+    const zipWriter = new ZipWriter();
+    const manifest = await _generateManifest(cfg.keyForManifest, cfg.encryptionInformation, cfg.policy, cfg.mimeType);
+    if (!manifest) {
+        // Set in encrypt; should never be reached.
+        throw new ConfigurationError('internal: please use "loadTDFStream" first to load a manifest.');
+    }
+    const pkKeyLike = cfg.dpopKeys.privateKey;
+    // For all remote key access objects, sync its policy
+    const upsertResponse = await upsert({
+        allowedKases: cfg.allowList ? undefined : cfg.allowedKases,
+        allowList: cfg.allowList,
+        authProvider: cfg.authProvider,
+        entity: cfg.entity,
+        privateKey: pkKeyLike,
+        unsavedManifest: manifest,
+    });
+    // determine default segment size by writing empty buffer
+    const { segmentSizeDefault } = cfg;
+    const encryptedBlargh = await cfg.encryptionInformation.encrypt(Binary.fromArrayBuffer(new ArrayBuffer(segmentSizeDefault)), cfg.keyForEncryption.unwrappedKeyBinary);
+    const payloadBuffer = new Uint8Array(encryptedBlargh.payload.asByteArray());
+    const encryptedSegmentSizeDefault = payloadBuffer.length;
+    // start writing the content
+    entryInfos[0].filename = '0.payload';
+    entryInfos[0].offset = totalByteCount;
+    const sourceReader = cfg.contentStream.getReader();
+    /*
+    TODO: Code duplication should be addressed
+    - RCA operations require that the write stream has already finished executing it's .on('end') handler before being returned,
+      thus both handlers are wrapped in a encompassing promise when we have an RCA source. We should investigate
+      if this causes O(n) promises to be loaded into memory.
+    - LFS operations can have the write stream returned immediately after both .on('end') and .on('data') handlers
+      have been defined, thus not requiring the handlers to be wrapped in a promise.
+    */
+    const underlingSource = {
+        start: (controller) => {
+            controller.enqueue(getHeader(entryInfos[0].filename));
+            _countChunk(getHeader(entryInfos[0].filename));
+            crcCounter = 0;
+            fileByteCount = 0;
+        },
+        pull: async (controller) => {
+            let isDone;
+            while (currentBuffer.length < segmentSizeDefault && !isDone) {
+                const { value, done } = await sourceReader.read();
+                isDone = done;
+                if (value) {
+                    currentBuffer = concatUint8([currentBuffer, value]);
+                }
+            }
+            while (currentBuffer.length >= segmentSizeDefault &&
+                !!controller.desiredSize &&
+                controller.desiredSize > 0) {
+                const segment = currentBuffer.slice(0, segmentSizeDefault);
+                const encryptedSegment = await _encryptAndCountSegment(segment);
+                controller.enqueue(encryptedSegment);
+                currentBuffer = currentBuffer.slice(segmentSizeDefault);
+            }
+            const isFinalChunkLeft = isDone && currentBuffer.length;
+            if (isFinalChunkLeft) {
+                const encryptedSegment = await _encryptAndCountSegment(currentBuffer);
+                controller.enqueue(encryptedSegment);
+                currentBuffer = new Uint8Array();
+            }
+            if (isDone && currentBuffer.length === 0) {
+                entryInfos[0].crcCounter = crcCounter;
+                entryInfos[0].fileByteCount = fileByteCount;
+                const payloadDataDescriptor = zipWriter.writeDataDescriptor(crcCounter, fileByteCount);
+                controller.enqueue(payloadDataDescriptor);
+                _countChunk(payloadDataDescriptor);
+                // prepare the manifest
+                entryInfos[1].filename = '0.manifest.json';
+                entryInfos[1].offset = totalByteCount;
+                controller.enqueue(getHeader(entryInfos[1].filename));
+                _countChunk(getHeader(entryInfos[1].filename));
+                crcCounter = 0;
+                fileByteCount = 0;
+                // hash the concat of all hashes
+                const payloadSigStr = await getSignature(cfg.keyForEncryption.unwrappedKeyBinary, Binary.fromString(aggregateHash), cfg.integrityAlgorithm, cfg.cryptoService);
+                manifest.encryptionInformation.integrityInformation.rootSignature.sig =
+                    base64.encode(payloadSigStr);
+                manifest.encryptionInformation.integrityInformation.rootSignature.alg =
+                    cfg.integrityAlgorithm;
+                manifest.encryptionInformation.integrityInformation.segmentSizeDefault = segmentSizeDefault;
+                manifest.encryptionInformation.integrityInformation.encryptedSegmentSizeDefault =
+                    encryptedSegmentSizeDefault;
+                manifest.encryptionInformation.integrityInformation.segmentHashAlg =
+                    cfg.segmentIntegrityAlgorithm;
+                manifest.encryptionInformation.integrityInformation.segments = segmentInfos;
+                manifest.encryptionInformation.method.isStreamable = true;
+                const signedAssertions = [];
+                if (cfg.assertionConfigs && cfg.assertionConfigs.length > 0) {
+                    await Promise.all(cfg.assertionConfigs.map(async (assertionConfig) => {
+                        // Create assertion using the assertionConfig values
+                        const signingKey = assertionConfig.signingKey ?? {
+                            alg: 'HS256',
+                            key: new Uint8Array(cfg.keyForEncryption.unwrappedKeyBinary.asArrayBuffer()),
+                        };
+                        const assertion = await assertions.CreateAssertion(aggregateHash, {
+                            ...assertionConfig,
+                            signingKey,
+                        });
+                        // Add signed assertion to the signedAssertions array
+                        signedAssertions.push(assertion);
+                    }));
+                }
+                manifest.assertions = signedAssertions;
+                // write the manifest
+                const manifestBuffer = new TextEncoder().encode(JSON.stringify(manifest));
+                controller.enqueue(manifestBuffer);
+                _countChunk(manifestBuffer);
+                entryInfos[1].crcCounter = crcCounter;
+                entryInfos[1].fileByteCount = fileByteCount;
+                const manifestDataDescriptor = zipWriter.writeDataDescriptor(crcCounter, fileByteCount);
+                controller.enqueue(manifestDataDescriptor);
+                _countChunk(manifestDataDescriptor);
+                // write the central directory out
+                const centralDirectoryByteCount = totalByteCount;
+                for (let i = 0; i < entryInfos.length; i++) {
+                    const entryInfo = entryInfos[i];
+                    const result = zipWriter.writeCentralDirectoryRecord(entryInfo.fileByteCount || 0, entryInfo.filename, entryInfo.offset || 0, entryInfo.crcCounter || 0, 2175008768);
+                    controller.enqueue(result);
+                    _countChunk(result);
+                }
+                const endOfCentralDirectoryByteCount = totalByteCount - centralDirectoryByteCount;
+                const finalChunk = zipWriter.writeEndOfCentralDirectoryRecord(entryInfos.length, endOfCentralDirectoryByteCount, centralDirectoryByteCount);
+                controller.enqueue(finalChunk);
+                _countChunk(finalChunk);
+                controller.close();
+            }
+        },
+    };
+    const plaintextStream = new DecoratedReadableStream(underlingSource);
+    plaintextStream.manifest = manifest;
+    if (upsertResponse) {
+        plaintextStream.upsertResponse = upsertResponse;
+        plaintextStream.tdfSize = totalByteCount;
+        plaintextStream.algorithm = manifest.encryptionInformation.method.algorithm;
+    }
+    return plaintextStream;
+    // nested helper fn's
+    function getHeader(filename) {
+        return zipWriter.getLocalFileHeader(filename, 0, 0, 0);
+    }
+    function _countChunk(chunk) {
+        if (typeof chunk === 'string') {
+            chunk = new TextEncoder().encode(chunk);
+        }
+        totalByteCount += chunk.length;
+        if (totalByteCount > cfg.byteLimit) {
+            throw new ConfigurationError(`Safe byte limit (${cfg.byteLimit}) exceeded`);
+        }
+        //new Uint8Array(chunk.buffer, chunk.byteOffset, chunk.byteLength);
+        crcCounter = unsigned(chunk, crcCounter);
+        fileByteCount += chunk.length;
+    }
+    async function _encryptAndCountSegment(chunk) {
+        bytesProcessed += chunk.length;
+        cfg.progressHandler?.(bytesProcessed);
+        // Don't pass in an IV here. The encrypt function will generate one for you, ensuring that each segment has a unique IV.
+        const encryptedResult = await cfg.encryptionInformation.encrypt(Binary.fromArrayBuffer(chunk.buffer), cfg.keyForEncryption.unwrappedKeyBinary);
+        const payloadBuffer = new Uint8Array(encryptedResult.payload.asByteArray());
+        const payloadSigStr = await getSignature(cfg.keyForEncryption.unwrappedKeyBinary, encryptedResult.payload, cfg.segmentIntegrityAlgorithm, cfg.cryptoService);
+        // combined string of all hashes for root signature
+        aggregateHash += payloadSigStr;
+        segmentInfos.push({
+            hash: base64.encode(payloadSigStr),
+            segmentSize: chunk.length === segmentSizeDefault ? undefined : chunk.length,
+            encryptedSegmentSize: payloadBuffer.length === encryptedSegmentSizeDefault ? undefined : payloadBuffer.length,
+        });
+        const result = new Uint8Array(encryptedResult.payload.asByteArray());
+        _countChunk(result);
+        return result;
+    }
+}
+// load the TDF as a stream in memory, for further use in reading and key syncing
+export async function loadTDFStream(chunker) {
+    const zipReader = new ZipReader(chunker);
+    const centralDirectory = await zipReader.getCentralDirectory();
+    const manifest = await zipReader.getManifest(centralDirectory, '0.manifest.json');
+    return { manifest, zipReader, centralDirectory };
+}
+export function splitLookupTableFactory(keyAccess, allowedKases) {
+    const allowed = (k) => allowedKases.allows(k.url);
+    const splitIds = new Set(keyAccess.map(({ sid }) => sid ?? ''));
+    const accessibleSplits = new Set(keyAccess.filter(allowed).map(({ sid }) => sid));
+    if (splitIds.size > accessibleSplits.size) {
+        const disallowedKases = new Set(keyAccess.filter((k) => !allowed(k)).map(({ url }) => url));
+        throw new UnsafeUrlError(`Unreconstructable key - disallowed KASes include: ${JSON.stringify([
+            ...disallowedKases,
+        ])} from splitIds ${JSON.stringify([...splitIds])}`, ...disallowedKases);
+    }
+    const splitPotentials = Object.fromEntries([...splitIds].map((s) => [s, {}]));
+    for (const kao of keyAccess) {
+        const disjunction = splitPotentials[kao.sid ?? ''];
+        if (kao.url in disjunction) {
+            throw new InvalidFileError(`TODO: Fallback to no split ids. Repetition found for [${kao.url}] on split [${kao.sid}]`);
+        }
+        if (allowed(kao)) {
+            disjunction[kao.url] = kao;
+        }
+    }
+    return splitPotentials;
+}
+async function unwrapKey({ manifest, allowedKases, authProvider, dpopKeys, entity, cryptoService, }) {
+    if (authProvider === undefined) {
+        throw new ConfigurationError('upsert requires auth provider; must be configured in client constructor');
+    }
+    const { keyAccess } = manifest.encryptionInformation;
+    const splitPotentials = splitLookupTableFactory(keyAccess, allowedKases);
+    const isAppIdProvider = authProvider && isAppIdProviderCheck(authProvider);
+    async function tryKasRewrap(keySplitInfo) {
+        const url = `${keySplitInfo.url}/${isAppIdProvider ? '' : 'v2/'}rewrap`;
+        const ephemeralEncryptionKeys = await cryptoService.cryptoToPemPair(await cryptoService.generateKeyPair());
+        const clientPublicKey = ephemeralEncryptionKeys.publicKey;
+        const requestBodyStr = JSON.stringify({
+            algorithm: 'RS256',
+            keyAccess: keySplitInfo,
+            policy: manifest.encryptionInformation.policy,
+            clientPublicKey,
+        });
+        const jwtPayload = { requestBody: requestBodyStr };
+        const signedRequestToken = await reqSignature(isAppIdProvider ? {} : jwtPayload, dpopKeys.privateKey);
+        let requestBody;
+        if (isAppIdProvider) {
+            requestBody = {
+                keyAccess: keySplitInfo,
+                policy: manifest.encryptionInformation.policy,
+                entity: {
+                    ...entity,
+                    publicKey: clientPublicKey,
+                },
+                authToken: signedRequestToken,
+            };
+        }
+        else {
+            requestBody = {
+                signedRequestToken,
+            };
+        }
+        const httpReq = await authProvider.withCreds(buildRequest('POST', url, requestBody));
+        const { data: { entityWrappedKey, metadata }, } = await axios.post(httpReq.url, httpReq.body, { headers: httpReq.headers });
+        const key = Binary.fromString(base64.decode(entityWrappedKey));
+        const decryptedKeyBinary = await cryptoService.decryptWithPrivateKey(key, ephemeralEncryptionKeys.privateKey);
+        return {
+            key: new Uint8Array(decryptedKeyBinary.asByteArray()),
+            metadata,
+        };
+    }
+    // Get unique split IDs to determine if we have an OR or AND condition
+    const splitIds = new Set(Object.keys(splitPotentials));
+    // If we have only one split ID, it's an OR condition
+    if (splitIds.size === 1) {
+        const [splitId] = splitIds;
+        const potentials = splitPotentials[splitId];
+        try {
+            // OR condition: Try all KAS servers for this split, take first success
+            const result = await Promise.any(Object.values(potentials).map(async (keySplitInfo) => {
+                try {
+                    return await tryKasRewrap(keySplitInfo);
+                }
+                catch (e) {
+                    // Rethrow with more context
+                    throw handleRewrapError(e);
+                }
+            }));
+            const reconstructedKey = keyMerge([result.key]);
+            return {
+                reconstructedKeyBinary: Binary.fromArrayBuffer(reconstructedKey),
+                metadata: result.metadata,
+            };
+        }
+        catch (error) {
+            if (error instanceof AggregateError) {
+                // All KAS servers failed
+                throw error.errors[0]; // Throw the first error since we've already wrapped them
+            }
+            throw error;
+        }
+    }
+    else {
+        // AND condition: We need successful results from all different splits
+        const splitResults = await Promise.all(Object.entries(splitPotentials).map(async ([splitId, potentials]) => {
+            if (!potentials || !Object.keys(potentials).length) {
+                throw new UnsafeUrlError(`Unreconstructable key - no valid KAS found for split ${JSON.stringify(splitId)}`, '');
+            }
+            try {
+                // For each split, try all potential KAS servers until one succeeds
+                return await Promise.any(Object.values(potentials).map(async (keySplitInfo) => {
+                    try {
+                        return await tryKasRewrap(keySplitInfo);
+                    }
+                    catch (e) {
+                        throw handleRewrapError(e);
+                    }
+                }));
+            }
+            catch (error) {
+                if (error instanceof AggregateError) {
+                    // All KAS servers for this split failed
+                    throw error.errors[0]; // Throw the first error since we've already wrapped them
+                }
+                throw error;
+            }
+        }));
+        // Merge all the split keys
+        const reconstructedKey = keyMerge(splitResults.map((r) => r.key));
+        return {
+            reconstructedKeyBinary: Binary.fromArrayBuffer(reconstructedKey),
+            metadata: splitResults[0].metadata, // Use metadata from first split
+        };
+    }
+}
+function handleRewrapError(error) {
+    if (axios.isAxiosError(error)) {
+        if (error.response?.status && error.response?.status >= 500) {
+            return new ServiceError('rewrap failure', error);
+        }
+        else if (error.response?.status === 403) {
+            return new PermissionDeniedError('rewrap failure', error);
+        }
+        else if (error.response?.status === 401) {
+            return new UnauthenticatedError('rewrap auth failure', error);
+        }
+        else if (error.response?.status === 400) {
+            return new InvalidFileError('rewrap bad request; could indicate an invalid policy binding or a configuration error', error);
+        }
+        else {
+            return new NetworkError('rewrap server error', error);
+        }
+    }
+    else {
+        if (error.name === 'InvalidAccessError' || error.name === 'OperationError') {
+            return new DecryptError('unable to unwrap key from kas', error);
+        }
+        return new InvalidFileError(`Unable to decrypt the response from KAS: [${error.name}: ${error.message}]`, error);
+    }
+}
+async function decryptChunk(encryptedChunk, reconstructedKeyBinary, hash, cipher, segmentIntegrityAlgorithm, cryptoService) {
+    if (segmentIntegrityAlgorithm !== 'GMAC' && segmentIntegrityAlgorithm !== 'HS256') {
+    }
+    const segmentHashStr = await getSignature(reconstructedKeyBinary, Binary.fromArrayBuffer(encryptedChunk.buffer), segmentIntegrityAlgorithm, cryptoService);
+    if (hash !== btoa(segmentHashStr)) {
+        throw new IntegrityError('Failed integrity check on segment hash');
+    }
+    return await cipher.decrypt(encryptedChunk, reconstructedKeyBinary);
+}
+async function updateChunkQueue(chunkMap, centralDirectory, zipReader, reconstructedKeyBinary, cipher, segmentIntegrityAlgorithm, cryptoService) {
+    const chunksInOneDownload = 500;
+    let requests = [];
+    const maxLength = 3;
+    for (let i = 0; i < chunkMap.length; i += chunksInOneDownload) {
+        if (requests.length === maxLength) {
+            await Promise.all(requests);
+            requests = [];
+        }
+        requests.push((async () => {
+            let buffer;
+            const slice = chunkMap.slice(i, i + chunksInOneDownload);
+            try {
+                const bufferSize = slice.reduce((currentVal, { encryptedSegmentSize }) => currentVal + encryptedSegmentSize, 0);
+                buffer = await zipReader.getPayloadSegment(centralDirectory, '0.payload', slice[0].encryptedOffset, bufferSize);
+            }
+            catch (e) {
+                if (e instanceof InvalidFileError) {
+                    throw e;
+                }
+                throw new NetworkError('unable to fetch payload segment', e);
+            }
+            if (buffer) {
+                sliceAndDecrypt({
+                    buffer,
+                    cryptoService,
+                    reconstructedKeyBinary,
+                    slice,
+                    cipher,
+                    segmentIntegrityAlgorithm,
+                });
+            }
+        })());
+    }
+}
+export async function sliceAndDecrypt({ buffer, reconstructedKeyBinary, slice, cipher, cryptoService, segmentIntegrityAlgorithm, }) {
+    for (const index in slice) {
+        const { encryptedOffset, encryptedSegmentSize, _resolve, _reject } = slice[index];
+        const offset = slice[0].encryptedOffset === 0 ? encryptedOffset : encryptedOffset % slice[0].encryptedOffset;
+        const encryptedChunk = new Uint8Array(buffer.slice(offset, offset + encryptedSegmentSize));
+        try {
+            const result = await decryptChunk(encryptedChunk, reconstructedKeyBinary, slice[index]['hash'], cipher, segmentIntegrityAlgorithm, cryptoService);
+            slice[index].decryptedChunk = result;
+            if (_resolve) {
+                _resolve(null);
+            }
+        }
+        catch (e) {
+            if (_reject) {
+                _reject(e);
+            }
+            else {
+                throw e;
+            }
+        }
+    }
+}
+export async function readStream(cfg) {
+    let { allowList } = cfg;
+    if (!allowList) {
+        if (!cfg.allowedKases) {
+            throw new ConfigurationError('Upsert cannot be done without allowlist');
+        }
+        allowList = new OriginAllowList(cfg.allowedKases);
+    }
+    const { manifest, zipReader, centralDirectory } = await loadTDFStream(cfg.chunker);
+    if (!manifest) {
+        throw new InvalidFileError('Missing manifest data');
+    }
+    cfg.keyMiddleware ??= async (key) => key;
+    const { encryptedSegmentSizeDefault: defaultSegmentSize, rootSignature, segmentHashAlg, segments, } = manifest.encryptionInformation.integrityInformation;
+    const { metadata, reconstructedKeyBinary } = await unwrapKey({
+        manifest,
+        authProvider: cfg.authProvider,
+        allowedKases: allowList,
+        dpopKeys: cfg.dpopKeys,
+        entity: cfg.entity,
+        cryptoService: cfg.cryptoService,
+    });
+    // async function unwrapKey(manifest: Manifest, allowedKases: string[], authProvider: AuthProvider | AppIdAuthProvider, publicKey: string, privateKey: string, entity: EntityObject) {
+    const keyForDecryption = await cfg.keyMiddleware(reconstructedKeyBinary);
+    const encryptedSegmentSizeDefault = defaultSegmentSize || DEFAULT_SEGMENT_SIZE;
+    // check the combined string of hashes
+    const aggregateHash = segments.map(({ hash }) => base64.decode(hash)).join('');
+    const integrityAlgorithm = rootSignature.alg;
+    if (integrityAlgorithm !== 'GMAC' && integrityAlgorithm !== 'HS256') {
+        throw new UnsupportedError(`Unsupported integrity alg [${integrityAlgorithm}]`);
+    }
+    const payloadSigStr = await getSignature(keyForDecryption, Binary.fromString(aggregateHash), integrityAlgorithm, cfg.cryptoService);
+    if (manifest.encryptionInformation.integrityInformation.rootSignature.sig !==
+        base64.encode(payloadSigStr)) {
+        throw new IntegrityError('Failed integrity check on root signature');
+    }
+    if (!cfg.noVerifyAssertions) {
+        for (const assertion of manifest.assertions || []) {
+            // Create a default assertion key
+            let assertionKey = {
+                alg: 'HS256',
+                key: new Uint8Array(reconstructedKeyBinary.asArrayBuffer()),
+            };
+            if (cfg.assertionVerificationKeys) {
+                const foundKey = cfg.assertionVerificationKeys.Keys[assertion.id];
+                if (foundKey) {
+                    assertionKey = foundKey;
+                }
+            }
+            await assertions.verify(assertion, aggregateHash, assertionKey);
+        }
+    }
+    let mapOfRequestsOffset = 0;
+    const chunkMap = new Map(segments.map(({ hash, encryptedSegmentSize = encryptedSegmentSizeDefault }) => {
+        const result = (() => {
+            let _resolve, _reject;
+            const chunk = {
+                hash,
+                encryptedOffset: mapOfRequestsOffset,
+                encryptedSegmentSize,
+                promise: new Promise((resolve, reject) => {
+                    _resolve = resolve;
+                    _reject = reject;
+                }),
+            };
+            chunk._resolve = _resolve;
+            chunk._reject = _reject;
+            return chunk;
+        })();
+        mapOfRequestsOffset += encryptedSegmentSize || encryptedSegmentSizeDefault;
+        return [hash, result];
+    }));
+    const cipher = new AesGcmCipher(cfg.cryptoService);
+    const segmentIntegrityAlg = segmentHashAlg || integrityAlgorithm;
+    if (segmentIntegrityAlg !== 'GMAC' && segmentIntegrityAlg !== 'HS256') {
+        throw new UnsupportedError(`Unsupported segment hash alg [${segmentIntegrityAlg}]`);
+    }
+    // Not waiting for Promise to resolve
+    updateChunkQueue(Array.from(chunkMap.values()), centralDirectory, zipReader, keyForDecryption, cipher, segmentIntegrityAlg, cfg.cryptoService);
+    let progress = 0;
+    const underlyingSource = {
+        pull: async (controller) => {
+            if (chunkMap.size === 0) {
+                controller.close();
+                return;
+            }
+            const [hash, chunk] = chunkMap.entries().next().value;
+            if (!chunk.decryptedChunk) {
+                await chunk.promise;
+            }
+            const decryptedSegment = chunk.decryptedChunk;
+            controller.enqueue(new Uint8Array(decryptedSegment.payload.asByteArray()));
+            progress += chunk.encryptedSegmentSize;
+            cfg.progressHandler?.(progress);
+            chunk.decryptedChunk = null;
+            chunkMap.delete(hash);
+        },
+        ...(cfg.fileStreamServiceWorker && { fileStreamServiceWorker: cfg.fileStreamServiceWorker }),
+    };
+    const outputStream = new DecoratedReadableStream(underlyingSource);
+    outputStream.manifest = manifest;
+    outputStream.emit('manifest', manifest);
+    outputStream.metadata = metadata;
+    outputStream.emit('rewrap', metadata);
+    return outputStream;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidGRmLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vdGRmMy9zcmMvdGRmLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBcUIsTUFBTSxPQUFPLENBQUM7QUFDMUMsT0FBTyxFQUFFLFFBQVEsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQ25ELE9BQU8sRUFBRSxVQUFVLEVBQUUsVUFBVSxFQUFFLE1BQU0sTUFBTSxDQUFDO0FBQzlDLE9BQU8sRUFBRSx1QkFBdUIsRUFBRSxNQUFNLHFDQUFxQyxDQUFDO0FBRTlFLE9BQU8sRUFBRSxvQkFBb0IsRUFBRSxpQkFBaUIsRUFBRSxNQUFNLG9CQUFvQixDQUFDO0FBRzdFLE9BQU8sS0FBSyxVQUFVLE1BQU0saUJBQWlCLENBQUM7QUFFOUMsT0FBTyxFQUVMLFFBQVEsSUFBSSxpQkFBaUIsRUFLN0IsTUFBTSxJQUFJLGVBQWUsRUFHekIsT0FBTyxJQUFJLGdCQUFnQixHQUk1QixNQUFNLG1CQUFtQixDQUFDO0FBQzNCLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSw4QkFBOEIsQ0FBQztBQUN0RCxPQUFPLEVBRUwsU0FBUyxFQUNULFNBQVMsRUFDVCxjQUFjLEVBQ2Qsb0JBQW9CLEVBQ3BCLFFBQVEsRUFDUixZQUFZLEVBQ1osV0FBVyxHQUNaLE1BQU0sa0JBQWtCLENBQUM7QUFDMUIsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUNyQyxPQUFPLEVBQTJDLGVBQWUsRUFBRSxNQUFNLHFCQUFxQixDQUFDO0FBQy9GLE9BQU8sRUFDTCxrQkFBa0IsRUFDbEIsWUFBWSxFQUNaLGdCQUFnQixFQUNoQixjQUFjLEVBQ2QsWUFBWSxFQUNaLHFCQUFxQixFQUNyQixZQUFZLEVBQ1osUUFBUSxFQUNSLG9CQUFvQixFQUNwQixjQUFjLEVBQ2QsdUJBQXVCLElBQUksZ0JBQWdCLEdBQzVDLE1BQU0scUJBQXFCLENBQUM7QUFDN0IsT0FBTyxFQUFFLG1CQUFtQixFQUFFLE1BQU0sc0JBQXNCLENBQUM7QUFFM0QsZUFBZTtBQUNmLDRHQUE0RztBQUM1RyxPQUFPLEVBQUUsWUFBWSxFQUFFLE1BQU0sb0JBQW9CLENBQUM7QUFDbEQsT0FBTyxFQUtMLFlBQVksR0FDYixNQUFNLHdCQUF3QixDQUFDO0FBTWhDLDBDQUEwQztBQUMxQyxNQUFNLG9CQUFvQixHQUFHLElBQUksR0FBRyxJQUFJLENBQUM7QUFnSXpDOzs7R0FHRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsaUJBQWlCLENBQ3JDLEdBQVcsRUFDWCxTQUFpQztJQUVqQyxJQUFJLENBQUMsR0FBRyxFQUFFO1FBQ1IsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDBCQUEwQixDQUFDLENBQUM7S0FDMUQ7SUFDRCx1REFBdUQ7SUFDdkQsaUJBQWlCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDdkIsTUFBTSxVQUFVLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLFNBQVMsRUFBRSxTQUFTLElBQUksVUFBVSxFQUFFLENBQUM7SUFDcEUsTUFBTSxNQUFNLEdBQXVCLEVBQUUsQ0FBQztJQUN0QyxJQUFJLFNBQVMsRUFBRTtRQUNiLE1BQU0sQ0FBQyxTQUFTLEdBQUcsU0FBUyxDQUFDO0tBQzlCO0lBQ0QsTUFBTSxLQUFLLEdBQUcsR0FBRyxHQUFHLG9CQUFvQixDQUFDO0lBQ3pDLElBQUk7UUFDRixNQUFNLFFBQVEsR0FBd0MsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLEtBQUssRUFBRTtZQUMzRSxNQUFNLEVBQUU7Z0JBQ04sR0FBRyxNQUFNO2dCQUNULENBQUMsRUFBRSxHQUFHO2FBQ1A7U0FDRixDQUFDLENBQUM7UUFDSCxNQUFNLFNBQVMsR0FDYixPQUFPLFFBQVEsQ0FBQyxJQUFJLEtBQUssUUFBUTtZQUMvQixDQUFDLENBQUMsTUFBTSx1QkFBdUIsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1lBQzlDLENBQUMsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQztRQUM5QixPQUFPO1lBQ0wsU0FBUztZQUNULEdBQUcsRUFBRSxvQkFBb0IsQ0FBQyxTQUFTLENBQUM7WUFDcEMsR0FBRyxVQUFVO1lBQ2IsR0FBRyxDQUFDLE9BQU8sUUFBUSxDQUFDLElBQUksS0FBSyxRQUFRLElBQUksUUFBUSxDQUFDLElBQUksQ0FBQyxHQUFHLElBQUksRUFBRSxHQUFHLEVBQUUsUUFBUSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztTQUMxRixDQUFDO0tBQ0g7SUFBQyxPQUFPLEtBQUssRUFBRTtRQUNkLE1BQU0sTUFBTSxHQUFHLEtBQUssRUFBRSxRQUFRLEVBQUUsTUFBTSxDQUFDO1FBQ3ZDLFFBQVEsTUFBTSxFQUFFO1lBQ2QsS0FBSyxHQUFHLENBQUM7WUFDVCxLQUFLLEdBQUc7Z0JBQ04sdUNBQXVDO2dCQUN2QyxNQUFNO1lBQ1IsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxvQkFBb0IsQ0FBQyxJQUFJLEtBQUssaUJBQWlCLEVBQUUsS0FBSyxDQUFDLENBQUM7WUFDcEUsS0FBSyxHQUFHO2dCQUNOLE1BQU0sSUFBSSxxQkFBcUIsQ0FBQyxJQUFJLEtBQUsscUJBQXFCLEVBQUUsS0FBSyxDQUFDLENBQUM7WUFDekU7Z0JBQ0UsSUFBSSxNQUFNLElBQUksTUFBTSxJQUFJLEdBQUcsSUFBSSxNQUFNLEdBQUcsR0FBRyxFQUFFO29CQUMzQyxNQUFNLElBQUksa0JBQWtCLENBQzFCLElBQUksS0FBSyxvQkFBb0IsTUFBTSxNQUFNLEtBQUssQ0FBQyxJQUFJLE1BQU0sS0FBSyxDQUFDLE9BQU8sR0FBRyxFQUN6RSxLQUFLLENBQ04sQ0FBQztpQkFDSDtnQkFDRCxNQUFNLElBQUksWUFBWSxDQUNwQixJQUFJLEtBQUssWUFBWSxNQUFNLE1BQU0sS0FBSyxDQUFDLElBQUksTUFBTSxLQUFLLENBQUMsT0FBTyxHQUFHLEVBQ2pFLEtBQUssQ0FDTixDQUFDO1NBQ0w7S0FDRjtJQUNELHVCQUF1QjtJQUN2QixNQUFNLEtBQUssR0FBRyxHQUFHLEdBQUcsaUJBQWlCLENBQUM7SUFDdEMsSUFBSTtRQUNGLE1BQU0sUUFBUSxHQUF3QyxNQUFNLEtBQUssQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFO1lBQzNFLE1BQU07U0FDUCxDQUFDLENBQUM7UUFDSCxNQUFNLFNBQVMsR0FDYixPQUFPLFFBQVEsQ0FBQyxJQUFJLEtBQUssUUFBUTtZQUMvQixDQUFDLENBQUMsTUFBTSx1QkFBdUIsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1lBQzlDLENBQUMsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQztRQUM5Qix5REFBeUQ7UUFDekQsT0FBTztZQUNMLFNBQVM7WUFDVCxHQUFHLEVBQUUsb0JBQW9CLENBQUMsU0FBUyxDQUFDO1lBQ3BDLEdBQUcsVUFBVTtZQUNiLEdBQUcsQ0FBQyxPQUFPLFFBQVEsQ0FBQyxJQUFJLEtBQUssUUFBUSxJQUFJLFFBQVEsQ0FBQyxJQUFJLENBQUMsR0FBRyxJQUFJLEVBQUUsR0FBRyxFQUFFLFFBQVEsQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7U0FDMUYsQ0FBQztLQUNIO0lBQUMsT0FBTyxLQUFLLEVBQUU7UUFDZCxNQUFNLE1BQU0sR0FBRyxLQUFLLEVBQUUsUUFBUSxFQUFFLE1BQU0sQ0FBQztRQUN2QyxRQUFRLE1BQU0sRUFBRTtZQUNkLEtBQUssR0FBRztnQkFDTixNQUFNLElBQUksb0JBQW9CLENBQUMsSUFBSSxLQUFLLGlCQUFpQixFQUFFLEtBQUssQ0FBQyxDQUFDO1lBQ3BFLEtBQUssR0FBRztnQkFDTixNQUFNLElBQUkscUJBQXFCLENBQUMsSUFBSSxLQUFLLHFCQUFxQixFQUFFLEtBQUssQ0FBQyxDQUFDO1lBQ3pFO2dCQUNFLElBQUksTUFBTSxJQUFJLE1BQU0sSUFBSSxHQUFHLElBQUksTUFBTSxHQUFHLEdBQUcsRUFBRTtvQkFDM0MsTUFBTSxJQUFJLGtCQUFrQixDQUMxQixJQUFJLEtBQUssb0JBQW9CLE1BQU0sTUFBTSxLQUFLLENBQUMsSUFBSSxNQUFNLEtBQUssQ0FBQyxPQUFPLEdBQUcsRUFDekUsS0FBSyxDQUNOLENBQUM7aUJBQ0g7Z0JBQ0QsTUFBTSxJQUFJLFlBQVksQ0FDcEIsSUFBSSxLQUFLLFlBQVksTUFBTSxNQUFNLEtBQUssQ0FBQyxJQUFJLE1BQU0sS0FBSyxDQUFDLE9BQU8sR0FBRyxFQUNqRSxLQUFLLENBQ04sQ0FBQztTQUNMO0tBQ0Y7QUFDSCxDQUFDO0FBQ0Q7Ozs7OztHQU1HO0FBQ0gsTUFBTSxVQUFVLFFBQVEsQ0FDdEIsT0FBbUIsRUFDbkIsUUFBMkIsRUFDM0IsV0FBbUI7SUFFbkIsTUFBTSxFQUFFLE1BQU0sRUFBRSxHQUFHLElBQUksR0FBRyxDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBQ3hDLE1BQU0sY0FBYyxHQUFXLE9BQU8sUUFBUSxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQyxDQUFDO0lBRWxHLE1BQU0sY0FBYyxHQUFHLG1CQUFtQixDQUFDO1FBQ3pDLFdBQVc7UUFDWCxlQUFlLEVBQUUsTUFBTTtRQUN2QixRQUFRLEVBQUUsTUFBTSxDQUFDLE1BQU0sQ0FBQyxjQUFjLENBQUM7UUFDdkMsT0FBTyxFQUFFLFlBQVksQ0FBQyxPQUFPLEVBQUUsUUFBUSxDQUFDO0tBQ3pDLENBQUMsQ0FBQztJQUVILE9BQU8sSUFBSSxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUMsY0FBYyxDQUFDLENBQUM7QUFDbEQsQ0FBQztBQUVELE1BQU0sVUFBVSxVQUFVLENBQUMsV0FBdUQ7SUFDaEYsSUFBSSxJQUFJLENBQUM7SUFDVCxJQUFJLFdBQVcsWUFBWSxXQUFXLElBQUksV0FBVyxDQUFDLE1BQU0sQ0FBQyxXQUFXLENBQUMsRUFBRTtRQUN6RSxJQUFJLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDLENBQUM7S0FDOUM7U0FBTTtRQUNMLElBQUksR0FBRyxXQUFXLENBQUMsUUFBUSxFQUFFLENBQUM7S0FDL0I7SUFDRCxNQUFNLFNBQVMsR0FBRyx1RUFBdUUsQ0FBQztJQUMxRixNQUFNLFFBQVEsR0FBRyxTQUFTLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQ3RDLElBQUksUUFBUSxLQUFLLElBQUksRUFBRTtRQUNyQixNQUFNLElBQUksZ0JBQWdCLENBQUMsb0JBQW9CLENBQUMsQ0FBQztLQUNsRDtJQUNELE1BQU0sYUFBYSxHQUFHLFFBQVEsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUNsQyxJQUFJO1FBQ0YsT0FBTyxjQUFjLENBQUMsYUFBYSxDQUFDLENBQUM7S0FDdEM7SUFBQyxPQUFPLENBQUMsRUFBRTtRQUNWLE1BQU0sSUFBSSxnQkFBZ0IsQ0FBQyxpREFBaUQsRUFBRSxDQUFDLENBQUMsQ0FBQztLQUNsRjtBQUNILENBQUM7QUFFRCxNQUFNLENBQUMsS0FBSyxVQUFVLHVCQUF1QixDQUFDLFNBQWlCO0lBQzdELElBQUksR0FBRyxHQUFXLFNBQVMsQ0FBQztJQUU1Qix3RUFBd0U7SUFDeEUseUNBQXlDO0lBQ3pDLElBQUksU0FBUyxDQUFDLFFBQVEsQ0FBQyxhQUFhLENBQUMsRUFBRTtRQUNyQyxNQUFNLElBQUksR0FBRyxNQUFNLFVBQVUsQ0FBQyxTQUFTLEVBQUUsT0FBTyxFQUFFLEVBQUUsV0FBVyxFQUFFLElBQUksRUFBRSxDQUFDLENBQUM7UUFDekUsR0FBRyxHQUFHLE1BQU0sVUFBVSxDQUFDLElBQUksQ0FBQyxDQUFDO0tBQzlCO0lBRUQsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQ7Ozs7Ozs7Ozs7Ozs7R0FhRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsY0FBYyxDQUFDLEVBQ25DLFlBQVksRUFDWixJQUFJLEVBQ0osR0FBRyxFQUNILFNBQVMsRUFDVCxHQUFHLEVBQ0gsWUFBWSxFQUNaLFFBQVEsRUFDUixHQUFHLEdBQUcsRUFBRSxHQUNPO0lBQ2YsdUNBQXVDO0lBQ3ZDLFNBQVMsZUFBZSxDQUN0QixJQUFtQixFQUNuQixNQUFjLEVBQ2QsZ0JBQW9DLEVBQ3BDLE1BQWMsRUFDZCxRQUFtQjtRQUVuQixRQUFRLElBQUksRUFBRTtZQUNaLEtBQUssU0FBUztnQkFDWixPQUFPLElBQUksZ0JBQWdCLENBQUMsTUFBTSxFQUFFLGdCQUFnQixFQUFFLE1BQU0sRUFBRSxRQUFRLEVBQUUsR0FBRyxDQUFDLENBQUM7WUFDL0UsS0FBSyxRQUFRO2dCQUNYLE9BQU8sSUFBSSxlQUFlLENBQUMsTUFBTSxFQUFFLGdCQUFnQixFQUFFLE1BQU0sRUFBRSxRQUFRLEVBQUUsR0FBRyxDQUFDLENBQUM7WUFDOUU7Z0JBQ0UsTUFBTSxJQUFJLGtCQUFrQixDQUFDLG1DQUFtQyxJQUFJLGFBQWEsQ0FBQyxDQUFDO1NBQ3RGO0lBQ0gsQ0FBQztJQUVELDhEQUE4RDtJQUM5RCxJQUFJLFlBQVksSUFBSSxZQUFZLEVBQUU7UUFDaEMsTUFBTSxJQUFJLEdBQUcsWUFBWSxDQUFDLEdBQUcsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUM1QyxJQUFJLElBQUksSUFBSSxJQUFJLENBQUMsTUFBTSxJQUFJLElBQUksQ0FBQyxNQUFNLEVBQUU7WUFDdEMsT0FBTyxlQUFlLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLEdBQUcsRUFBRSxJQUFJLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxDQUFDO1NBQzVFO0tBQ0Y7SUFFRCx5RUFBeUU7SUFDekUsSUFBSSxHQUFHLElBQUksU0FBUyxFQUFFO1FBQ3BCLE9BQU8sZUFBZSxDQUFDLElBQUksRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLE1BQU0sdUJBQXVCLENBQUMsU0FBUyxDQUFDLEVBQUUsUUFBUSxDQUFDLENBQUM7S0FDNUY7SUFFRCxtRUFBbUU7SUFDbkUsTUFBTSxXQUFXLEdBQUcsWUFBWSxFQUFFLFVBQVUsRUFBRSxDQUFDO0lBQy9DLElBQUksV0FBVyxFQUFFO1FBQ2YsTUFBTSxFQUFFLE1BQU0sRUFBRSxNQUFNLEVBQUUsR0FBRyxXQUFXLENBQUM7UUFDdkMsSUFBSSxNQUFNLElBQUksTUFBTSxFQUFFO1lBQ3BCLE9BQU8sZUFBZSxDQUFDLElBQUksRUFBRSxNQUFNLEVBQUUsR0FBRyxFQUFFLE1BQU0sdUJBQXVCLENBQUMsTUFBTSxDQUFDLEVBQUUsUUFBUSxDQUFDLENBQUM7U0FDNUY7S0FDRjtJQUNELDhCQUE4QjtJQUM5QixNQUFNLElBQUksa0JBQWtCLENBQUMsb0RBQW9ELENBQUMsQ0FBQztBQUNyRixDQUFDO0FBRUQsTUFBTSxVQUFVLG9CQUFvQixDQUFDLE1BQWM7SUFDakQsTUFBTSxhQUFhLEdBQWEsRUFBRSxDQUFDO0lBRW5DLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSTtRQUFFLGFBQWEsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDN0MsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJO1FBQUUsYUFBYSxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsYUFBYSxDQUFDLENBQUM7SUFDNUQsSUFBSSxNQUFNLENBQUMsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxNQUFNO1FBQUUsYUFBYSxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsQ0FBQztJQUUxRSxJQUFJLGFBQWEsQ0FBQyxNQUFNLEVBQUU7UUFDeEIsTUFBTSxJQUFJLGtCQUFrQixDQUMxQiw4REFBOEQsYUFBYSxFQUFFLENBQzlFLENBQUM7S0FDSDtBQUNILENBQUM7QUFFRCxLQUFLLFVBQVUsaUJBQWlCLENBQzlCLE9BQWdCLEVBQ2hCLHFCQUErQixFQUMvQixNQUFjLEVBQ2QsUUFBNEI7SUFFNUIsOENBQThDO0lBQzlDLE1BQU0sT0FBTyxHQUFHO1FBQ2QsSUFBSSxFQUFFLFdBQVc7UUFDakIsR0FBRyxFQUFFLFdBQVc7UUFDaEIsUUFBUSxFQUFFLEtBQUs7UUFDZixXQUFXLEVBQUUsSUFBSTtRQUNqQixhQUFhLEVBQUUsT0FBTztRQUN0QixHQUFHLENBQUMsUUFBUSxJQUFJLEVBQUUsUUFBUSxFQUFFLENBQUM7S0FDOUIsQ0FBQztJQUVGLE1BQU0sd0JBQXdCLEdBQUcsTUFBTSxxQkFBcUIsQ0FBQyxLQUFLLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ3BGLE1BQU0sVUFBVSxHQUEyQixFQUFFLENBQUM7SUFDOUMsT0FBTztRQUNMLE9BQU87UUFDUCx5RUFBeUU7UUFDekUscUJBQXFCLEVBQUUsd0JBQXdCO1FBQy9DLFVBQVUsRUFBRSxVQUFVO0tBQ3ZCLENBQUM7QUFDSixDQUFDO0FBRUQsS0FBSyxVQUFVLFlBQVksQ0FDekIsa0JBQTBCLEVBQzFCLGFBQXFCLEVBQ3JCLGFBQWlDLEVBQ2pDLGFBQTRCO0lBRTVCLFFBQVEsYUFBYSxDQUFDLFdBQVcsRUFBRSxFQUFFO1FBQ25DLEtBQUssTUFBTTtZQUNULG9EQUFvRDtZQUNwRCxPQUFPLFlBQVksQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3RGLEtBQUssT0FBTztZQUNWLDZCQUE2QjtZQUM3QixPQUFPLE1BQU0sYUFBYSxDQUFDLElBQUksQ0FDN0IsWUFBWSxDQUFDLElBQUksVUFBVSxDQUFDLGtCQUFrQixDQUFDLGFBQWEsRUFBRSxDQUFDLEVBQUUsS0FBSyxDQUFDLEVBQ3ZFLFlBQVksQ0FBQyxJQUFJLFVBQVUsQ0FBQyxhQUFhLENBQUMsYUFBYSxFQUFFLENBQUMsRUFBRSxPQUFPLENBQUMsQ0FDckUsQ0FBQztRQUNKO1lBQ0UsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDhCQUE4QixhQUFhLEdBQUcsQ0FBQyxDQUFDO0tBQ2hGO0FBQ0gsQ0FBQztBQUVELFNBQVMsWUFBWSxDQUFDLE1BQWtCLEVBQUUsR0FBVyxFQUFFLElBQWM7SUFDbkUsT0FBTztRQUNMLE9BQU8sRUFBRSxFQUFFO1FBQ1gsTUFBTSxFQUFFLE1BQU07UUFDZCxHQUFHLEVBQUUsR0FBRztRQUNSLElBQUk7S0FDTCxDQUFDO0FBQ0osQ0FBQztBQUVELE1BQU0sQ0FBQyxLQUFLLFVBQVUsTUFBTSxDQUFDLEVBQzNCLFlBQVksRUFDWixTQUFTLEVBQ1QsWUFBWSxFQUNaLE1BQU0sRUFDTixVQUFVLEVBQ1YsZUFBZSxFQUNmLFVBQVUsR0FDVTtJQUNwQixNQUFNLE9BQU8sR0FBRyxDQUFDLEdBQUcsRUFBRTtRQUNwQixJQUFJLFNBQVMsRUFBRTtZQUNiLE9BQU8sU0FBUyxDQUFDO1NBQ2xCO1FBQ0QsSUFBSSxDQUFDLFlBQVksRUFBRTtZQUNqQixNQUFNLElBQUksa0JBQWtCLENBQUMseUNBQXlDLENBQUMsQ0FBQztTQUN6RTtRQUNELE9BQU8sSUFBSSxlQUFlLENBQUMsWUFBWSxDQUFDLENBQUM7SUFDM0MsQ0FBQyxDQUFDLEVBQUUsQ0FBQztJQUNMLE1BQU0sRUFBRSxTQUFTLEVBQUUsTUFBTSxFQUFFLEdBQUcsZUFBZSxDQUFDLHFCQUFxQixDQUFDO0lBQ3BFLE1BQU0sZUFBZSxHQUFHLFlBQVksSUFBSSxvQkFBb0IsQ0FBQyxZQUFZLENBQUMsQ0FBQztJQUMzRSxJQUFJLFlBQVksS0FBSyxTQUFTLEVBQUU7UUFDOUIsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDZDQUE2QyxDQUFDLENBQUM7S0FDN0U7SUFDRCxPQUFPLE9BQU8sQ0FBQyxHQUFHLENBQ2hCLFNBQVMsQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFLGVBQWUsRUFBRSxFQUFFO1FBQ3RDLDJFQUEyRTtRQUMzRSxNQUFNLFFBQVEsR0FBRyxpQkFBaUIsQ0FBQyxlQUFlLENBQUMsQ0FBQztRQUNwRCxJQUFJLENBQUMsVUFBVSxJQUFJLENBQUMsUUFBUSxFQUFFO1lBQzVCLE9BQU87U0FDUjtRQUVELElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsRUFBRTtZQUN4QyxNQUFNLElBQUksY0FBYyxDQUFDLHdCQUF3QixlQUFlLENBQUMsR0FBRyxHQUFHLENBQUMsQ0FBQztTQUMxRTtRQUVELE1BQU0sR0FBRyxHQUFHLEdBQUcsZUFBZSxDQUFDLEdBQUcsSUFBSSxlQUFlLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsS0FBSyxRQUFRLENBQUM7UUFFM0UsMkRBQTJEO1FBQzNELHNGQUFzRjtRQUN0RixNQUFNLElBQUksR0FBNEI7WUFDcEMsU0FBUyxFQUFFLGVBQWU7WUFDMUIsTUFBTSxFQUFFLGVBQWUsQ0FBQyxxQkFBcUIsQ0FBQyxNQUFNO1lBQ3BELE1BQU0sRUFBRSxvQkFBb0IsQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxTQUFTO1lBQy9ELFNBQVMsRUFBRSxTQUFTO1lBQ3BCLHNCQUFzQixFQUFFLFNBQVM7U0FDbEMsQ0FBQztRQUVGLElBQUksb0JBQW9CLENBQUMsWUFBWSxDQUFDLEVBQUU7WUFDdEMsSUFBSSxDQUFDLFNBQVMsR0FBRyxNQUFNLFlBQVksQ0FBQyxFQUFFLEVBQUUsVUFBVSxDQUFDLENBQUM7U0FDckQ7YUFBTTtZQUNMLElBQUksQ0FBQyxzQkFBc0IsR0FBRyxNQUFNLFlBQVksQ0FBQyxJQUFJLEVBQUUsVUFBVSxDQUFDLENBQUM7U0FDcEU7UUFDRCxNQUFNLE9BQU8sR0FBRyxNQUFNLFlBQVksQ0FBQyxTQUFTLENBQUMsWUFBWSxDQUFDLE1BQU0sRUFBRSxHQUFHLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUU5RSxJQUFJO1lBQ0YsTUFBTSxRQUFRLEdBQUcsTUFBTSxLQUFLLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLElBQUksRUFBRTtnQkFDM0QsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPO2FBQ3pCLENBQUMsQ0FBQztZQUVILDBGQUEwRjtZQUMxRixlQUFlO1lBQ2YsT0FBTyxlQUFlLENBQUMsVUFBVSxDQUFDO1lBQ2xDLE9BQU8sZUFBZSxDQUFDLGlCQUFpQixDQUFDO1lBQ3pDLE9BQU8sZUFBZSxDQUFDLGFBQWEsQ0FBQztZQUVyQyxJQUFJLFFBQVEsRUFBRTtnQkFDWiwyRUFBMkU7Z0JBQzNFLE1BQU0sYUFBYSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDO2dCQUN4RCxlQUFlLENBQUMscUJBQXFCLENBQUMsTUFBTSxHQUFHLE1BQU0sQ0FBQyxNQUFNLENBQzFELElBQUksQ0FBQyxTQUFTLENBQUMsRUFBRSxJQUFJLEVBQUUsYUFBYSxDQUFDLElBQUksRUFBRSxDQUFDLENBQzdDLENBQUM7YUFDSDtZQUNELE9BQU8sUUFBUSxDQUFDLElBQUksQ0FBQztTQUN0QjtRQUFDLE9BQU8sQ0FBQyxFQUFFO1lBQ1YsSUFBSSxDQUFDLENBQUMsUUFBUSxFQUFFO2dCQUNkLElBQUksQ0FBQyxDQUFDLFFBQVEsQ0FBQyxNQUFNLElBQUksR0FBRyxFQUFFO29CQUM1QixNQUFNLElBQUksWUFBWSxDQUFDLGdCQUFnQixFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUM3QztxQkFBTSxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxLQUFLLEdBQUcsRUFBRTtvQkFDcEMsTUFBTSxJQUFJLHFCQUFxQixDQUFDLGdCQUFnQixFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUN0RDtxQkFBTSxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxLQUFLLEdBQUcsRUFBRTtvQkFDcEMsTUFBTSxJQUFJLG9CQUFvQixDQUFDLHFCQUFxQixFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUMxRDtxQkFBTSxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsTUFBTSxLQUFLLEdBQUcsRUFBRTtvQkFDcEMsTUFBTSxJQUFJLGtCQUFrQixDQUFDLGtEQUFrRCxFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUNyRjtxQkFBTTtvQkFDTCxNQUFNLElBQUksWUFBWSxDQUFDLHFCQUFxQixFQUFFLENBQUMsQ0FBQyxDQUFDO2lCQUNsRDthQUNGO2lCQUFNLElBQUksQ0FBQyxDQUFDLE9BQU8sRUFBRTtnQkFDcEIsTUFBTSxJQUFJLFlBQVksQ0FBQyx3QkFBd0IsRUFBRSxDQUFDLENBQUMsQ0FBQzthQUNyRDtZQUNELE1BQU0sSUFBSSxRQUFRLENBQ2hCLG1EQUFtRCxDQUFDLENBQUMsSUFBSSxLQUFLLENBQUMsQ0FBQyxPQUFPLGlCQUFpQixDQUFDLEVBQUUsUUFBUSxFQUFFLElBQUksR0FBRyxFQUM1RyxDQUFDLENBQ0YsQ0FBQztTQUNIO0lBQ0gsQ0FBQyxDQUFDLENBQ0gsQ0FBQztBQUNKLENBQUM7QUFFRCxNQUFNLENBQUMsS0FBSyxVQUFVLFdBQVcsQ0FBQyxHQUF5QjtJQUN6RCxJQUFJLENBQUMsR0FBRyxDQUFDLFlBQVksRUFBRTtRQUNyQixNQUFNLElBQUksa0JBQWtCLENBQUMscUNBQXFDLENBQUMsQ0FBQztLQUNyRTtJQUNELElBQUksQ0FBQyxHQUFHLENBQUMsYUFBYSxFQUFFO1FBQ3RCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO0tBQ3pEO0lBRUQsNERBQTREO0lBQzVELE1BQU0sWUFBWSxHQUFjLEVBQUUsQ0FBQztJQUVuQyxHQUFHLENBQUMsU0FBUyxLQUFLLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQztJQUUxQyxNQUFNLFVBQVUsR0FBZ0I7UUFDOUI7WUFDRSxRQUFRLEVBQUUsV0FBVztTQUN0QjtRQUNEO1lBQ0UsUUFBUSxFQUFFLGlCQUFpQjtTQUM1QjtLQUNGLENBQUM7SUFFRixJQUFJLGFBQWEsR0FBRyxJQUFJLFVBQVUsRUFBRSxDQUFDO0lBRXJDLElBQUksY0FBYyxHQUFHLENBQUMsQ0FBQztJQUN2QixJQUFJLGNBQWMsR0FBRyxDQUFDLENBQUM7SUFDdkIsSUFBSSxVQUFVLEdBQUcsQ0FBQyxDQUFDO0lBQ25CLElBQUksYUFBYSxHQUFHLENBQUMsQ0FBQztJQUN0QixJQUFJLGFBQWEsR0FBRyxFQUFFLENBQUM7SUFFdkIsTUFBTSxTQUFTLEdBQUcsSUFBSSxTQUFTLEVBQUUsQ0FBQztJQUNsQyxNQUFNLFFBQVEsR0FBRyxNQUFNLGlCQUFpQixDQUN0QyxHQUFHLENBQUMsY0FBYyxFQUNsQixHQUFHLENBQUMscUJBQXFCLEVBQ3pCLEdBQUcsQ0FBQyxNQUFNLEVBQ1YsR0FBRyxDQUFDLFFBQVEsQ0FDYixDQUFDO0lBRUYsSUFBSSxDQUFDLFFBQVEsRUFBRTtRQUNiLDJDQUEyQztRQUMzQyxNQUFNLElBQUksa0JBQWtCLENBQUMsZ0VBQWdFLENBQUMsQ0FBQztLQUNoRztJQUNELE1BQU0sU0FBUyxHQUFHLEdBQUcsQ0FBQyxRQUFRLENBQUMsVUFBVSxDQUFDO0lBRTFDLHFEQUFxRDtJQUNyRCxNQUFNLGNBQWMsR0FBRyxNQUFNLE1BQU0sQ0FBQztRQUNsQyxZQUFZLEVBQUUsR0FBRyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsWUFBWTtRQUMxRCxTQUFTLEVBQUUsR0FBRyxDQUFDLFNBQVM7UUFDeEIsWUFBWSxFQUFFLEdBQUcsQ0FBQyxZQUFZO1FBQzlCLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTTtRQUNsQixVQUFVLEVBQUUsU0FBUztRQUNyQixlQUFlLEVBQUUsUUFBUTtLQUMxQixDQUFDLENBQUM7SUFFSCx5REFBeUQ7SUFDekQsTUFBTSxFQUFFLGtCQUFrQixFQUFFLEdBQUcsR0FBRyxDQUFDO0lBQ25DLE1BQU0sZUFBZSxHQUFHLE1BQU0sR0FBRyxDQUFDLHFCQUFxQixDQUFDLE9BQU8sQ0FDN0QsTUFBTSxDQUFDLGVBQWUsQ0FBQyxJQUFJLFdBQVcsQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDLEVBQzNELEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxrQkFBa0IsQ0FDeEMsQ0FBQztJQUNGLE1BQU0sYUFBYSxHQUFHLElBQUksVUFBVSxDQUFDLGVBQWUsQ0FBQyxPQUFPLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztJQUM1RSxNQUFNLDJCQUEyQixHQUFHLGFBQWEsQ0FBQyxNQUFNLENBQUM7SUFFekQsNEJBQTRCO0lBQzVCLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLEdBQUcsV0FBVyxDQUFDO0lBQ3JDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxNQUFNLEdBQUcsY0FBYyxDQUFDO0lBQ3RDLE1BQU0sWUFBWSxHQUFHLEdBQUcsQ0FBQyxhQUFhLENBQUMsU0FBUyxFQUFFLENBQUM7SUFFbkQ7Ozs7Ozs7TUFPRTtJQUNGLE1BQU0sZUFBZSxHQUFHO1FBQ3RCLEtBQUssRUFBRSxDQUFDLFVBQTJDLEVBQUUsRUFBRTtZQUNyRCxVQUFVLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQztZQUN0RCxXQUFXLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsQ0FBQyxDQUFDO1lBQy9DLFVBQVUsR0FBRyxDQUFDLENBQUM7WUFDZixhQUFhLEdBQUcsQ0FBQyxDQUFDO1FBQ3BCLENBQUM7UUFFRCxJQUFJLEVBQUUsS0FBSyxFQUFFLFVBQTJDLEVBQUUsRUFBRTtZQUMxRCxJQUFJLE1BQU0sQ0FBQztZQUVYLE9BQU8sYUFBYSxDQUFDLE1BQU0sR0FBRyxrQkFBa0IsSUFBSSxDQUFDLE1BQU0sRUFBRTtnQkFDM0QsTUFBTSxFQUFFLEtBQUssRUFBRSxJQUFJLEVBQUUsR0FBRyxNQUFNLFlBQVksQ0FBQyxJQUFJLEVBQUUsQ0FBQztnQkFDbEQsTUFBTSxHQUFHLElBQUksQ0FBQztnQkFDZCxJQUFJLEtBQUssRUFBRTtvQkFDVCxhQUFhLEdBQUcsV0FBVyxDQUFDLENBQUMsYUFBYSxFQUFFLEtBQUssQ0FBQyxDQUFDLENBQUM7aUJBQ3JEO2FBQ0Y7WUFFRCxPQUNFLGFBQWEsQ0FBQyxNQUFNLElBQUksa0JBQWtCO2dCQUMxQyxDQUFDLENBQUMsVUFBVSxDQUFDLFdBQVc7Z0JBQ3hCLFVBQVUsQ0FBQyxXQUFXLEdBQUcsQ0FBQyxFQUMxQjtnQkFDQSxNQUFNLE9BQU8sR0FBRyxhQUFhLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxrQkFBa0IsQ0FBQyxDQUFDO2dCQUMzRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sdUJBQXVCLENBQUMsT0FBTyxDQUFDLENBQUM7Z0JBQ2hFLFVBQVUsQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztnQkFFckMsYUFBYSxHQUFHLGFBQWEsQ0FBQyxLQUFLLENBQUMsa0JBQWtCLENBQUMsQ0FBQzthQUN6RDtZQUVELE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxJQUFJLGFBQWEsQ0FBQyxNQUFNLENBQUM7WUFFeEQsSUFBSSxnQkFBZ0IsRUFBRTtnQkFDcEIsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLHVCQUF1QixDQUFDLGFBQWEsQ0FBQyxDQUFDO2dCQUN0RSxVQUFVLENBQUMsT0FBTyxDQUFDLGdCQUFnQixDQUFDLENBQUM7Z0JBQ3JDLGFBQWEsR0FBRyxJQUFJLFVBQVUsRUFBRSxDQUFDO2FBQ2xDO1lBRUQsSUFBSSxNQUFNLElBQUksYUFBYSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUU7Z0JBQ3hDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxVQUFVLEdBQUcsVUFBVSxDQUFDO2dCQUN0QyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsYUFBYSxHQUFHLGFBQWEsQ0FBQztnQkFDNUMsTUFBTSxxQkFBcUIsR0FBRyxTQUFTLENBQUMsbUJBQW1CLENBQUMsVUFBVSxFQUFFLGFBQWEsQ0FBQyxDQUFDO2dCQUV2RixVQUFVLENBQUMsT0FBTyxDQUFDLHFCQUFxQixDQUFDLENBQUM7Z0JBQzFDLFdBQVcsQ0FBQyxxQkFBcUIsQ0FBQyxDQUFDO2dCQUVuQyx1QkFBdUI7Z0JBQ3ZCLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLEdBQUcsaUJBQWlCLENBQUM7Z0JBQzNDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxNQUFNLEdBQUcsY0FBYyxDQUFDO2dCQUN0QyxVQUFVLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQztnQkFDdEQsV0FBVyxDQUFDLFNBQVMsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQztnQkFDL0MsVUFBVSxHQUFHLENBQUMsQ0FBQztnQkFDZixhQUFhLEdBQUcsQ0FBQyxDQUFDO2dCQUVsQixnQ0FBZ0M7Z0JBQ2hDLE1BQU0sYUFBYSxHQUFHLE1BQU0sWUFBWSxDQUN0QyxHQUFHLENBQUMsZ0JBQWdCLENBQUMsa0JBQWtCLEVBQ3ZDLE1BQU0sQ0FBQyxVQUFVLENBQUMsYUFBYSxDQUFDLEVBQ2hDLEdBQUcsQ0FBQyxrQkFBa0IsRUFDdEIsR0FBRyxDQUFDLGFBQWEsQ0FDbEIsQ0FBQztnQkFDRixRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsYUFBYSxDQUFDLEdBQUc7b0JBQ25FLE1BQU0sQ0FBQyxNQUFNLENBQUMsYUFBYSxDQUFDLENBQUM7Z0JBQy9CLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQyxvQkFBb0IsQ0FBQyxhQUFhLENBQUMsR0FBRztvQkFDbkUsR0FBRyxDQUFDLGtCQUFrQixDQUFDO2dCQUV6QixRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsa0JBQWtCLEdBQUcsa0JBQWtCLENBQUM7Z0JBQzVGLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQyxvQkFBb0IsQ0FBQywyQkFBMkI7b0JBQzdFLDJCQUEyQixDQUFDO2dCQUM5QixRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsY0FBYztvQkFDaEUsR0FBRyxDQUFDLHlCQUF5QixDQUFDO2dCQUNoQyxRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsUUFBUSxHQUFHLFlBQVksQ0FBQztnQkFFNUUsUUFBUSxDQUFDLHFCQUFxQixDQUFDLE1BQU0sQ0FBQyxZQUFZLEdBQUcsSUFBSSxDQUFDO2dCQUUxRCxNQUFNLGdCQUFnQixHQUEyQixFQUFFLENBQUM7Z0JBQ3BELElBQUksR0FBRyxDQUFDLGdCQUFnQixJQUFJLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFO29CQUMzRCxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQ2YsR0FBRyxDQUFDLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsZUFBZSxFQUFFLEVBQUU7d0JBQ2pELG9EQUFvRDt3QkFDcEQsTUFBTSxVQUFVLEdBQWlCLGVBQWUsQ0FBQyxVQUFVLElBQUk7NEJBQzdELEdBQUcsRUFBRSxPQUFPOzRCQUNaLEdBQUcsRUFBRSxJQUFJLFVBQVUsQ0FBQyxHQUFHLENBQUMsZ0JBQWdCLENBQUMsa0JBQWtCLENBQUMsYUFBYSxFQUFFLENBQUM7eUJBQzdFLENBQUM7d0JBQ0YsTUFBTSxTQUFTLEdBQUcsTUFBTSxVQUFVLENBQUMsZUFBZSxDQUFDLGFBQWEsRUFBRTs0QkFDaEUsR0FBRyxlQUFlOzRCQUNsQixVQUFVO3lCQUNYLENBQUMsQ0FBQzt3QkFFSCxxREFBcUQ7d0JBQ3JELGdCQUFnQixDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQztvQkFDbkMsQ0FBQyxDQUFDLENBQ0gsQ0FBQztpQkFDSDtnQkFFRCxRQUFRLENBQUMsVUFBVSxHQUFHLGdCQUFnQixDQUFDO2dCQUV2QyxxQkFBcUI7Z0JBQ3JCLE1BQU0sY0FBYyxHQUFHLElBQUksV0FBVyxFQUFFLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQztnQkFDMUUsVUFBVSxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUMsQ0FBQztnQkFDbkMsV0FBVyxDQUFDLGNBQWMsQ0FBQyxDQUFDO2dCQUM1QixVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsVUFBVSxHQUFHLFVBQVUsQ0FBQztnQkFDdEMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLGFBQWEsR0FBRyxhQUFhLENBQUM7Z0JBQzVDLE1BQU0sc0JBQXNCLEdBQUcsU0FBUyxDQUFDLG1CQUFtQixDQUFDLFVBQVUsRUFBRSxhQUFhLENBQUMsQ0FBQztnQkFDeEYsVUFBVSxDQUFDLE9BQU8sQ0FBQyxzQkFBc0IsQ0FBQyxDQUFDO2dCQUMzQyxXQUFXLENBQUMsc0JBQXNCLENBQUMsQ0FBQztnQkFFcEMsa0NBQWtDO2dCQUNsQyxNQUFNLHlCQUF5QixHQUFHLGNBQWMsQ0FBQztnQkFDakQsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLFVBQVUsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLEVBQUU7b0JBQzFDLE1BQU0sU0FBUyxHQUFHLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztvQkFDaEMsTUFBTSxNQUFNLEdBQUcsU0FBUyxDQUFDLDJCQUEyQixDQUNsRCxTQUFTLENBQUMsYUFBYSxJQUFJLENBQUMsRUFDNUIsU0FBUyxDQUFDLFFBQVEsRUFDbEIsU0FBUyxDQUFDLE1BQU0sSUFBSSxDQUFDLEVBQ3JCLFNBQVMsQ0FBQyxVQUFVLElBQUksQ0FBQyxFQUN6QixVQUFVLENBQ1gsQ0FBQztvQkFDRixVQUFVLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFDO29CQUMzQixXQUFXLENBQUMsTUFBTSxDQUFDLENBQUM7aUJBQ3JCO2dCQUNELE1BQU0sOEJBQThCLEdBQUcsY0FBYyxHQUFHLHlCQUF5QixDQUFDO2dCQUNsRixNQUFNLFVBQVUsR0FBRyxTQUFTLENBQUMsZ0NBQWdDLENBQzNELFVBQVUsQ0FBQyxNQUFNLEVBQ2pCLDhCQUE4QixFQUM5Qix5QkFBeUIsQ0FDMUIsQ0FBQztnQkFDRixVQUFVLENBQUMsT0FBTyxDQUFDLFVBQVUsQ0FBQyxDQUFDO2dCQUMvQixXQUFXLENBQUMsVUFBVSxDQUFDLENBQUM7Z0JBRXhCLFVBQVUsQ0FBQyxLQUFLLEVBQUUsQ0FBQzthQUNwQjtRQUNILENBQUM7S0FDRixDQUFDO0lBRUYsTUFBTSxlQUFlLEdBQUcsSUFBSSx1QkFBdUIsQ0FBQyxlQUFlLENBQUMsQ0FBQztJQUNyRSxlQUFlLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztJQUVwQyxJQUFJLGNBQWMsRUFBRTtRQUNsQixlQUFlLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNoRCxlQUFlLENBQUMsT0FBTyxHQUFHLGNBQWMsQ0FBQztRQUN6QyxlQUFlLENBQUMsU0FBUyxHQUFHLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDO0tBQzdFO0lBRUQsT0FBTyxlQUFlLENBQUM7SUFFdkIscUJBQXFCO0lBQ3JCLFNBQVMsU0FBUyxDQUFDLFFBQWdCO1FBQ2pDLE9BQU8sU0FBUyxDQUFDLGtCQUFrQixDQUFDLFFBQVEsRUFBRSxDQUFDLEVBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQ3pELENBQUM7SUFFRCxTQUFTLFdBQVcsQ0FBQyxLQUEwQjtRQUM3QyxJQUFJLE9BQU8sS0FBSyxLQUFLLFFBQVEsRUFBRTtZQUM3QixLQUFLLEdBQUcsSUFBSSxXQUFXLEVBQUUsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7U0FDekM7UUFDRCxjQUFjLElBQUksS0FBSyxDQUFDLE1BQU0sQ0FBQztRQUMvQixJQUFJLGNBQWMsR0FBRyxHQUFHLENBQUMsU0FBUyxFQUFFO1lBQ2xDLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyxvQkFBb0IsR0FBRyxDQUFDLFNBQVMsWUFBWSxDQUFDLENBQUM7U0FDN0U7UUFDRCxtRUFBbUU7UUFDbkUsVUFBVSxHQUFHLFFBQVEsQ0FBQyxLQUFLLEVBQUUsVUFBVSxDQUFDLENBQUM7UUFDekMsYUFBYSxJQUFJLEtBQUssQ0FBQyxNQUFNLENBQUM7SUFDaEMsQ0FBQztJQUVELEtBQUssVUFBVSx1QkFBdUIsQ0FBQyxLQUFpQjtRQUN0RCxjQUFjLElBQUksS0FBSyxDQUFDLE1BQU0sQ0FBQztRQUMvQixHQUFHLENBQUMsZUFBZSxFQUFFLENBQUMsY0FBYyxDQUFDLENBQUM7UUFFdEMsd0hBQXdIO1FBQ3hILE1BQU0sZUFBZSxHQUFHLE1BQU0sR0FBRyxDQUFDLHFCQUFxQixDQUFDLE9BQU8sQ0FDN0QsTUFBTSxDQUFDLGVBQWUsQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLEVBQ3BDLEdBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxrQkFBa0IsQ0FDeEMsQ0FBQztRQUNGLE1BQU0sYUFBYSxHQUFHLElBQUksVUFBVSxDQUFDLGVBQWUsQ0FBQyxPQUFPLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztRQUM1RSxNQUFNLGFBQWEsR0FBRyxNQUFNLFlBQVksQ0FDdEMsR0FBRyxDQUFDLGdCQUFnQixDQUFDLGtCQUFrQixFQUN2QyxlQUFlLENBQUMsT0FBTyxFQUN2QixHQUFHLENBQUMseUJBQXlCLEVBQzdCLEdBQUcsQ0FBQyxhQUFhLENBQ2xCLENBQUM7UUFFRixtREFBbUQ7UUFDbkQsYUFBYSxJQUFJLGFBQWEsQ0FBQztRQUUvQixZQUFZLENBQUMsSUFBSSxDQUFDO1lBQ2hCLElBQUksRUFBRSxNQUFNLENBQUMsTUFBTSxDQUFDLGFBQWEsQ0FBQztZQUNsQyxXQUFXLEVBQUUsS0FBSyxDQUFDLE1BQU0sS0FBSyxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsTUFBTTtZQUMzRSxvQkFBb0IsRUFDbEIsYUFBYSxDQUFDLE1BQU0sS0FBSywyQkFBMkIsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxhQUFhLENBQUMsTUFBTTtTQUMxRixDQUFDLENBQUM7UUFDSCxNQUFNLE1BQU0sR0FBRyxJQUFJLFVBQVUsQ0FBQyxlQUFlLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxDQUFDLENBQUM7UUFDckUsV0FBVyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBRXBCLE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7QUFDSCxDQUFDO0FBRUQsaUZBQWlGO0FBQ2pGLE1BQU0sQ0FBQyxLQUFLLFVBQVUsYUFBYSxDQUNqQyxPQUFnQjtJQUVoQixNQUFNLFNBQVMsR0FBRyxJQUFJLFNBQVMsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUN6QyxNQUFNLGdCQUFnQixHQUFHLE1BQU0sU0FBUyxDQUFDLG1CQUFtQixFQUFFLENBQUM7SUFDL0QsTUFBTSxRQUFRLEdBQUcsTUFBTSxTQUFTLENBQUMsV0FBVyxDQUFDLGdCQUFnQixFQUFFLGlCQUFpQixDQUFDLENBQUM7SUFDbEYsT0FBTyxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsZ0JBQWdCLEVBQUUsQ0FBQztBQUNuRCxDQUFDO0FBRUQsTUFBTSxVQUFVLHVCQUF1QixDQUNyQyxTQUE0QixFQUM1QixZQUE2QjtJQUU3QixNQUFNLE9BQU8sR0FBRyxDQUFDLENBQWtCLEVBQUUsRUFBRSxDQUFDLFlBQVksQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ25FLE1BQU0sUUFBUSxHQUFHLElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEdBQUcsRUFBRSxFQUFFLEVBQUUsQ0FBQyxHQUFHLElBQUksRUFBRSxDQUFDLENBQUMsQ0FBQztJQUVoRSxNQUFNLGdCQUFnQixHQUFHLElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxHQUFHLEVBQUUsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztJQUNsRixJQUFJLFFBQVEsQ0FBQyxJQUFJLEdBQUcsZ0JBQWdCLENBQUMsSUFBSSxFQUFFO1FBQ3pDLE1BQU0sZUFBZSxHQUFHLElBQUksR0FBRyxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxHQUFHLEVBQUUsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztRQUM1RixNQUFNLElBQUksY0FBYyxDQUN0QixxREFBcUQsSUFBSSxDQUFDLFNBQVMsQ0FBQztZQUNsRSxHQUFHLGVBQWU7U0FDbkIsQ0FBQyxrQkFBa0IsSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFDLEdBQUcsUUFBUSxDQUFDLENBQUMsRUFBRSxFQUNuRCxHQUFHLGVBQWUsQ0FDbkIsQ0FBQztLQUNIO0lBQ0QsTUFBTSxlQUFlLEdBQW9ELE1BQU0sQ0FBQyxXQUFXLENBQ3pGLENBQUMsR0FBRyxRQUFRLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQ2xDLENBQUM7SUFDRixLQUFLLE1BQU0sR0FBRyxJQUFJLFNBQVMsRUFBRTtRQUMzQixNQUFNLFdBQVcsR0FBRyxlQUFlLENBQUMsR0FBRyxDQUFDLEdBQUcsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUNuRCxJQUFJLEdBQUcsQ0FBQyxHQUFHLElBQUksV0FBVyxFQUFFO1lBQzFCLE1BQU0sSUFBSSxnQkFBZ0IsQ0FDeEIseURBQXlELEdBQUcsQ0FBQyxHQUFHLGVBQWUsR0FBRyxDQUFDLEdBQUcsR0FBRyxDQUMxRixDQUFDO1NBQ0g7UUFDRCxJQUFJLE9BQU8sQ0FBQyxHQUFHLENBQUMsRUFBRTtZQUNoQixXQUFXLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxHQUFHLEdBQUcsQ0FBQztTQUM1QjtLQUNGO0lBQ0QsT0FBTyxlQUFlLENBQUM7QUFDekIsQ0FBQztBQUVELEtBQUssVUFBVSxTQUFTLENBQUMsRUFDdkIsUUFBUSxFQUNSLFlBQVksRUFDWixZQUFZLEVBQ1osUUFBUSxFQUNSLE1BQU0sRUFDTixhQUFhLEdBUWQ7SUFDQyxJQUFJLFlBQVksS0FBSyxTQUFTLEVBQUU7UUFDOUIsTUFBTSxJQUFJLGtCQUFrQixDQUMxQix5RUFBeUUsQ0FDMUUsQ0FBQztLQUNIO0lBQ0QsTUFBTSxFQUFFLFNBQVMsRUFBRSxHQUFHLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQztJQUNyRCxNQUFNLGVBQWUsR0FBRyx1QkFBdUIsQ0FBQyxTQUFTLEVBQUUsWUFBWSxDQUFDLENBQUM7SUFDekUsTUFBTSxlQUFlLEdBQUcsWUFBWSxJQUFJLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxDQUFDO0lBRTNFLEtBQUssVUFBVSxZQUFZLENBQUMsWUFBNkI7UUFDdkQsTUFBTSxHQUFHLEdBQUcsR0FBRyxZQUFZLENBQUMsR0FBRyxJQUFJLGVBQWUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxLQUFLLFFBQVEsQ0FBQztRQUN4RSxNQUFNLHVCQUF1QixHQUFHLE1BQU0sYUFBYSxDQUFDLGVBQWUsQ0FDakUsTUFBTSxhQUFhLENBQUMsZUFBZSxFQUFFLENBQ3RDLENBQUM7UUFDRixNQUFNLGVBQWUsR0FBRyx1QkFBdUIsQ0FBQyxTQUFTLENBQUM7UUFFMUQsTUFBTSxjQUFjLEdBQUcsSUFBSSxDQUFDLFNBQVMsQ0FBQztZQUNwQyxTQUFTLEVBQUUsT0FBTztZQUNsQixTQUFTLEVBQUUsWUFBWTtZQUN2QixNQUFNLEVBQUUsUUFBUSxDQUFDLHFCQUFxQixDQUFDLE1BQU07WUFDN0MsZUFBZTtTQUNoQixDQUFDLENBQUM7UUFFSCxNQUFNLFVBQVUsR0FBRyxFQUFFLFdBQVcsRUFBRSxjQUFjLEVBQUUsQ0FBQztRQUNuRCxNQUFNLGtCQUFrQixHQUFHLE1BQU0sWUFBWSxDQUMzQyxlQUFlLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsVUFBVSxFQUNqQyxRQUFRLENBQUMsVUFBVSxDQUNwQixDQUFDO1FBRUYsSUFBSSxXQUFXLENBQUM7UUFDaEIsSUFBSSxlQUFlLEVBQUU7WUFDbkIsV0FBVyxHQUFHO2dCQUNaLFNBQVMsRUFBRSxZQUFZO2dCQUN2QixNQUFNLEVBQUUsUUFBUSxDQUFDLHFCQUFxQixDQUFDLE1BQU07Z0JBQzdDLE1BQU0sRUFBRTtvQkFDTixHQUFHLE1BQU07b0JBQ1QsU0FBUyxFQUFFLGVBQWU7aUJBQzNCO2dCQUNELFNBQVMsRUFBRSxrQkFBa0I7YUFDOUIsQ0FBQztTQUNIO2FBQU07WUFDTCxXQUFXLEdBQUc7Z0JBQ1osa0JBQWtCO2FBQ25CLENBQUM7U0FDSDtRQUVELE1BQU0sT0FBTyxHQUFHLE1BQU0sWUFBWSxDQUFDLFNBQVMsQ0FBQyxZQUFZLENBQUMsTUFBTSxFQUFFLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO1FBQ3JGLE1BQU0sRUFDSixJQUFJLEVBQUUsRUFBRSxnQkFBZ0IsRUFBRSxRQUFRLEVBQUUsR0FDckMsR0FBRyxNQUFNLEtBQUssQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsRUFBRSxPQUFPLENBQUMsSUFBSSxFQUFFLEVBQUUsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1FBRTlFLE1BQU0sR0FBRyxHQUFHLE1BQU0sQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDLENBQUM7UUFDL0QsTUFBTSxrQkFBa0IsR0FBRyxNQUFNLGFBQWEsQ0FBQyxxQkFBcUIsQ0FDbEUsR0FBRyxFQUNILHVCQUF1QixDQUFDLFVBQVUsQ0FDbkMsQ0FBQztRQUVGLE9BQU87WUFDTCxHQUFHLEVBQUUsSUFBSSxVQUFVLENBQUMsa0JBQWtCLENBQUMsV0FBVyxFQUFFLENBQUM7WUFDckQsUUFBUTtTQUNULENBQUM7SUFDSixDQUFDO0lBRUQsc0VBQXNFO0lBQ3RFLE1BQU0sUUFBUSxHQUFHLElBQUksR0FBRyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQztJQUV2RCxxREFBcUQ7SUFDckQsSUFBSSxRQUFRLENBQUMsSUFBSSxLQUFLLENBQUMsRUFBRTtRQUN2QixNQUFNLENBQUMsT0FBTyxDQUFDLEdBQUcsUUFBUSxDQUFDO1FBQzNCLE1BQU0sVUFBVSxHQUFHLGVBQWUsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUU1QyxJQUFJO1lBQ0YsdUVBQXVFO1lBQ3ZFLE1BQU0sTUFBTSxHQUFHLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FDOUIsTUFBTSxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFLFlBQVksRUFBRSxFQUFFO2dCQUNuRCxJQUFJO29CQUNGLE9BQU8sTUFBTSxZQUFZLENBQUMsWUFBWSxDQUFDLENBQUM7aUJBQ3pDO2dCQUFDLE9BQU8sQ0FBQyxFQUFFO29CQUNWLDRCQUE0QjtvQkFDNUIsTUFBTSxpQkFBaUIsQ0FBQyxDQUF1QixDQUFDLENBQUM7aUJBQ2xEO1lBQ0gsQ0FBQyxDQUFDLENBQ0gsQ0FBQztZQUVGLE1BQU0sZ0JBQWdCLEdBQUcsUUFBUSxDQUFDLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7WUFDaEQsT0FBTztnQkFDTCxzQkFBc0IsRUFBRSxNQUFNLENBQUMsZUFBZSxDQUFDLGdCQUFnQixDQUFDO2dCQUNoRSxRQUFRLEVBQUUsTUFBTSxDQUFDLFFBQVE7YUFDMUIsQ0FBQztTQUNIO1FBQUMsT0FBTyxLQUFLLEVBQUU7WUFDZCxJQUFJLEtBQUssWUFBWSxjQUFjLEVBQUU7Z0JBQ25DLHlCQUF5QjtnQkFDekIsTUFBTSxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMseURBQXlEO2FBQ2pGO1lBQ0QsTUFBTSxLQUFLLENBQUM7U0FDYjtLQUNGO1NBQU07UUFDTCxzRUFBc0U7UUFDdEUsTUFBTSxZQUFZLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUNwQyxNQUFNLENBQUMsT0FBTyxDQUFDLGVBQWUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxPQUFPLEVBQUUsVUFBVSxDQUFDLEVBQUUsRUFBRTtZQUNsRSxJQUFJLENBQUMsVUFBVSxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQyxNQUFNLEVBQUU7Z0JBQ2xELE1BQU0sSUFBSSxjQUFjLENBQ3RCLHdEQUF3RCxJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sQ0FBQyxFQUFFLEVBQ2pGLEVBQUUsQ0FDSCxDQUFDO2FBQ0g7WUFFRCxJQUFJO2dCQUNGLG1FQUFtRTtnQkFDbkUsT0FBTyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQ3RCLE1BQU0sQ0FBQyxNQUFNLENBQUMsVUFBVSxDQUFDLENBQUMsR0FBRyxDQUFDLEtBQUssRUFBRSxZQUFZLEVBQUUsRUFBRTtvQkFDbkQsSUFBSTt3QkFDRixPQUFPLE1BQU0sWUFBWSxDQUFDLFlBQVksQ0FBQyxDQUFDO3FCQUN6QztvQkFBQyxPQUFPLENBQUMsRUFBRTt3QkFDVixNQUFNLGlCQUFpQixDQUFDLENBQXVCLENBQUMsQ0FBQztxQkFDbEQ7Z0JBQ0gsQ0FBQyxDQUFDLENBQ0gsQ0FBQzthQUNIO1lBQUMsT0FBTyxLQUFLLEVBQUU7Z0JBQ2QsSUFBSSxLQUFLLFlBQVksY0FBYyxFQUFFO29CQUNuQyx3Q0FBd0M7b0JBQ3hDLE1BQU0sS0FBSyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLHlEQUF5RDtpQkFDakY7Z0JBQ0QsTUFBTSxLQUFLLENBQUM7YUFDYjtRQUNILENBQUMsQ0FBQyxDQUNILENBQUM7UUFFRiwyQkFBMkI7UUFDM0IsTUFBTSxnQkFBZ0IsR0FBRyxRQUFRLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7UUFDbEUsT0FBTztZQUNMLHNCQUFzQixFQUFFLE1BQU0sQ0FBQyxlQUFlLENBQUMsZ0JBQWdCLENBQUM7WUFDaEUsUUFBUSxFQUFFLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLEVBQUUsZ0NBQWdDO1NBQ3JFLENBQUM7S0FDSDtBQUNILENBQUM7QUFFRCxTQUFTLGlCQUFpQixDQUFDLEtBQXlCO0lBQ2xELElBQUksS0FBSyxDQUFDLFlBQVksQ0FBQyxLQUFLLENBQUMsRUFBRTtRQUM3QixJQUFJLEtBQUssQ0FBQyxRQUFRLEVBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQyxRQUFRLEVBQUUsTUFBTSxJQUFJLEdBQUcsRUFBRTtZQUMzRCxPQUFPLElBQUksWUFBWSxDQUFDLGdCQUFnQixFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQ2xEO2FBQU0sSUFBSSxLQUFLLENBQUMsUUFBUSxFQUFFLE1BQU0sS0FBSyxHQUFHLEVBQUU7WUFDekMsT0FBTyxJQUFJLHFCQUFxQixDQUFDLGdCQUFnQixFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQzNEO2FBQU0sSUFBSSxLQUFLLENBQUMsUUFBUSxFQUFFLE1BQU0sS0FBSyxHQUFHLEVBQUU7WUFDekMsT0FBTyxJQUFJLG9CQUFvQixDQUFDLHFCQUFxQixFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQy9EO2FBQU0sSUFBSSxLQUFLLENBQUMsUUFBUSxFQUFFLE1BQU0sS0FBSyxHQUFHLEVBQUU7WUFDekMsT0FBTyxJQUFJLGdCQUFnQixDQUN6Qix1RkFBdUYsRUFDdkYsS0FBSyxDQUNOLENBQUM7U0FDSDthQUFNO1lBQ0wsT0FBTyxJQUFJLFlBQVksQ0FBQyxxQkFBcUIsRUFBRSxLQUFLLENBQUMsQ0FBQztTQUN2RDtLQUNGO1NBQU07UUFDTCxJQUFJLEtBQUssQ0FBQyxJQUFJLEtBQUssb0JBQW9CLElBQUksS0FBSyxDQUFDLElBQUksS0FBSyxnQkFBZ0IsRUFBRTtZQUMxRSxPQUFPLElBQUksWUFBWSxDQUFDLCtCQUErQixFQUFFLEtBQUssQ0FBQyxDQUFDO1NBQ2pFO1FBQ0QsT0FBTyxJQUFJLGdCQUFnQixDQUN6Qiw2Q0FBNkMsS0FBSyxDQUFDLElBQUksS0FBSyxLQUFLLENBQUMsT0FBTyxHQUFHLEVBQzVFLEtBQUssQ0FDTixDQUFDO0tBQ0g7QUFDSCxDQUFDO0FBRUQsS0FBSyxVQUFVLFlBQVksQ0FDekIsY0FBMEIsRUFDMUIsc0JBQThCLEVBQzlCLElBQVksRUFDWixNQUF1QixFQUN2Qix5QkFBNkMsRUFDN0MsYUFBNEI7SUFFNUIsSUFBSSx5QkFBeUIsS0FBSyxNQUFNLElBQUkseUJBQXlCLEtBQUssT0FBTyxFQUFFO0tBQ2xGO0lBQ0QsTUFBTSxjQUFjLEdBQUcsTUFBTSxZQUFZLENBQ3ZDLHNCQUFzQixFQUN0QixNQUFNLENBQUMsZUFBZSxDQUFDLGNBQWMsQ0FBQyxNQUFNLENBQUMsRUFDN0MseUJBQXlCLEVBQ3pCLGFBQWEsQ0FDZCxDQUFDO0lBQ0YsSUFBSSxJQUFJLEtBQUssSUFBSSxDQUFDLGNBQWMsQ0FBQyxFQUFFO1FBQ2pDLE1BQU0sSUFBSSxjQUFjLENBQUMsd0NBQXdDLENBQUMsQ0FBQztLQUNwRTtJQUNELE9BQU8sTUFBTSxNQUFNLENBQUMsT0FBTyxDQUFDLGNBQWMsRUFBRSxzQkFBc0IsQ0FBQyxDQUFDO0FBQ3RFLENBQUM7QUFFRCxLQUFLLFVBQVUsZ0JBQWdCLENBQzdCLFFBQWlCLEVBQ2pCLGdCQUFvQyxFQUNwQyxTQUFvQixFQUNwQixzQkFBOEIsRUFDOUIsTUFBdUIsRUFDdkIseUJBQTZDLEVBQzdDLGFBQTRCO0lBRTVCLE1BQU0sbUJBQW1CLEdBQUcsR0FBRyxDQUFDO0lBQ2hDLElBQUksUUFBUSxHQUFHLEVBQUUsQ0FBQztJQUNsQixNQUFNLFNBQVMsR0FBRyxDQUFDLENBQUM7SUFFcEIsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxJQUFJLG1CQUFtQixFQUFFO1FBQzdELElBQUksUUFBUSxDQUFDLE1BQU0sS0FBSyxTQUFTLEVBQUU7WUFDakMsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBQyxDQUFDO1lBQzVCLFFBQVEsR0FBRyxFQUFFLENBQUM7U0FDZjtRQUNELFFBQVEsQ0FBQyxJQUFJLENBQ1gsQ0FBQyxLQUFLLElBQUksRUFBRTtZQUNWLElBQUksTUFBeUIsQ0FBQztZQUU5QixNQUFNLEtBQUssR0FBRyxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDLEdBQUcsbUJBQW1CLENBQUMsQ0FBQztZQUN6RCxJQUFJO2dCQUNGLE1BQU0sVUFBVSxHQUFHLEtBQUssQ0FBQyxNQUFNLENBQzdCLENBQUMsVUFBVSxFQUFFLEVBQUUsb0JBQW9CLEVBQUUsRUFBRSxFQUFFLENBQUMsVUFBVSxHQUFJLG9CQUErQixFQUN2RixDQUFDLENBQ0YsQ0FBQztnQkFDRixNQUFNLEdBQUcsTUFBTSxTQUFTLENBQUMsaUJBQWlCLENBQ3hDLGdCQUFnQixFQUNoQixXQUFXLEVBQ1gsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLGVBQWUsRUFDeEIsVUFBVSxDQUNYLENBQUM7YUFDSDtZQUFDLE9BQU8sQ0FBQyxFQUFFO2dCQUNWLElBQUksQ0FBQyxZQUFZLGdCQUFnQixFQUFFO29CQUNqQyxNQUFNLENBQUMsQ0FBQztpQkFDVDtnQkFDRCxNQUFNLElBQUksWUFBWSxDQUFDLGlDQUFpQyxFQUFFLENBQUMsQ0FBQyxDQUFDO2FBQzlEO1lBQ0QsSUFBSSxNQUFNLEVBQUU7Z0JBQ1YsZUFBZSxDQUFDO29CQUNkLE1BQU07b0JBQ04sYUFBYTtvQkFDYixzQkFBc0I7b0JBQ3RCLEtBQUs7b0JBQ0wsTUFBTTtvQkFDTix5QkFBeUI7aUJBQzFCLENBQUMsQ0FBQzthQUNKO1FBQ0gsQ0FBQyxDQUFDLEVBQUUsQ0FDTCxDQUFDO0tBQ0g7QUFDSCxDQUFDO0FBRUQsTUFBTSxDQUFDLEtBQUssVUFBVSxlQUFlLENBQUMsRUFDcEMsTUFBTSxFQUNOLHNCQUFzQixFQUN0QixLQUFLLEVBQ0wsTUFBTSxFQUNOLGFBQWEsRUFDYix5QkFBeUIsR0FRMUI7SUFDQyxLQUFLLE1BQU0sS0FBSyxJQUFJLEtBQUssRUFBRTtRQUN6QixNQUFNLEVBQUUsZUFBZSxFQUFFLG9CQUFvQixFQUFFLFFBQVEsRUFBRSxPQUFPLEVBQUUsR0FBRyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUM7UUFFbEYsTUFBTSxNQUFNLEdBQ1YsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLGVBQWUsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsZUFBZSxHQUFHLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxlQUFlLENBQUM7UUFDaEcsTUFBTSxjQUFjLEdBQUcsSUFBSSxVQUFVLENBQ25DLE1BQU0sQ0FBQyxLQUFLLENBQUMsTUFBTSxFQUFFLE1BQU0sR0FBSSxvQkFBK0IsQ0FBQyxDQUNoRSxDQUFDO1FBRUYsSUFBSTtZQUNGLE1BQU0sTUFBTSxHQUFHLE1BQU0sWUFBWSxDQUMvQixjQUFjLEVBQ2Qsc0JBQXNCLEVBQ3RCLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQyxNQUFNLENBQUMsRUFDcEIsTUFBTSxFQUNOLHlCQUF5QixFQUN6QixhQUFhLENBQ2QsQ0FBQztZQUNGLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQyxjQUFjLEdBQUcsTUFBTSxDQUFDO1lBQ3JDLElBQUksUUFBUSxFQUFFO2dCQUNaLFFBQVEsQ0FBQyxJQUFJLENBQUMsQ0FBQzthQUNoQjtTQUNGO1FBQUMsT0FBTyxDQUFDLEVBQUU7WUFDVixJQUFJLE9BQU8sRUFBRTtnQkFDWCxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUM7YUFDWjtpQkFBTTtnQkFDTCxNQUFNLENBQUMsQ0FBQzthQUNUO1NBQ0Y7S0FDRjtBQUNILENBQUM7QUFFRCxNQUFNLENBQUMsS0FBSyxVQUFVLFVBQVUsQ0FBQyxHQUF5QjtJQUN4RCxJQUFJLEVBQUUsU0FBUyxFQUFFLEdBQUcsR0FBRyxDQUFDO0lBQ3hCLElBQUksQ0FBQyxTQUFTLEVBQUU7UUFDZCxJQUFJLENBQUMsR0FBRyxDQUFDLFlBQVksRUFBRTtZQUNyQixNQUFNLElBQUksa0JBQWtCLENBQUMseUNBQXlDLENBQUMsQ0FBQztTQUN6RTtRQUNELFNBQVMsR0FBRyxJQUFJLGVBQWUsQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLENBQUM7S0FDbkQ7SUFDRCxNQUFNLEVBQUUsUUFBUSxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxHQUFHLE1BQU0sYUFBYSxDQUFDLEdBQUcsQ0FBQyxPQUFPLENBQUMsQ0FBQztJQUNuRixJQUFJLENBQUMsUUFBUSxFQUFFO1FBQ2IsTUFBTSxJQUFJLGdCQUFnQixDQUFDLHVCQUF1QixDQUFDLENBQUM7S0FDckQ7SUFDRCxHQUFHLENBQUMsYUFBYSxLQUFLLEtBQUssRUFBRSxHQUFHLEVBQUUsRUFBRSxDQUFDLEdBQUcsQ0FBQztJQUV6QyxNQUFNLEVBQ0osMkJBQTJCLEVBQUUsa0JBQWtCLEVBQy9DLGFBQWEsRUFDYixjQUFjLEVBQ2QsUUFBUSxHQUNULEdBQUcsUUFBUSxDQUFDLHFCQUFxQixDQUFDLG9CQUFvQixDQUFDO0lBQ3hELE1BQU0sRUFBRSxRQUFRLEVBQUUsc0JBQXNCLEVBQUUsR0FBRyxNQUFNLFNBQVMsQ0FBQztRQUMzRCxRQUFRO1FBQ1IsWUFBWSxFQUFFLEdBQUcsQ0FBQyxZQUFZO1FBQzlCLFlBQVksRUFBRSxTQUFTO1FBQ3ZCLFFBQVEsRUFBRSxHQUFHLENBQUMsUUFBUTtRQUN0QixNQUFNLEVBQUUsR0FBRyxDQUFDLE1BQU07UUFDbEIsYUFBYSxFQUFFLEdBQUcsQ0FBQyxhQUFhO0tBQ2pDLENBQUMsQ0FBQztJQUNILHNMQUFzTDtJQUN0TCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sR0FBRyxDQUFDLGFBQWEsQ0FBQyxzQkFBc0IsQ0FBQyxDQUFDO0lBQ3pFLE1BQU0sMkJBQTJCLEdBQUcsa0JBQWtCLElBQUksb0JBQW9CLENBQUM7SUFFL0Usc0NBQXNDO0lBQ3RDLE1BQU0sYUFBYSxHQUFHLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLElBQUksRUFBRSxFQUFFLEVBQUUsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQy9FLE1BQU0sa0JBQWtCLEdBQUcsYUFBYSxDQUFDLEdBQUcsQ0FBQztJQUM3QyxJQUFJLGtCQUFrQixLQUFLLE1BQU0sSUFBSSxrQkFBa0IsS0FBSyxPQUFPLEVBQUU7UUFDbkUsTUFBTSxJQUFJLGdCQUFnQixDQUFDLDhCQUE4QixrQkFBa0IsR0FBRyxDQUFDLENBQUM7S0FDakY7SUFDRCxNQUFNLGFBQWEsR0FBRyxNQUFNLFlBQVksQ0FDdEMsZ0JBQWdCLEVBQ2hCLE1BQU0sQ0FBQyxVQUFVLENBQUMsYUFBYSxDQUFDLEVBQ2hDLGtCQUFrQixFQUNsQixHQUFHLENBQUMsYUFBYSxDQUNsQixDQUFDO0lBRUYsSUFDRSxRQUFRLENBQUMscUJBQXFCLENBQUMsb0JBQW9CLENBQUMsYUFBYSxDQUFDLEdBQUc7UUFDckUsTUFBTSxDQUFDLE1BQU0sQ0FBQyxhQUFhLENBQUMsRUFDNUI7UUFDQSxNQUFNLElBQUksY0FBYyxDQUFDLDBDQUEwQyxDQUFDLENBQUM7S0FDdEU7SUFFRCxJQUFJLENBQUMsR0FBRyxDQUFDLGtCQUFrQixFQUFFO1FBQzNCLEtBQUssTUFBTSxTQUFTLElBQUksUUFBUSxDQUFDLFVBQVUsSUFBSSxFQUFFLEVBQUU7WUFDakQsaUNBQWlDO1lBQ2pDLElBQUksWUFBWSxHQUFpQjtnQkFDL0IsR0FBRyxFQUFFLE9BQU87Z0JBQ1osR0FBRyxFQUFFLElBQUksVUFBVSxDQUFDLHNCQUFzQixDQUFDLGFBQWEsRUFBRSxDQUFDO2FBQzVELENBQUM7WUFFRixJQUFJLEdBQUcsQ0FBQyx5QkFBeUIsRUFBRTtnQkFDakMsTUFBTSxRQUFRLEdBQUcsR0FBRyxDQUFDLHlCQUF5QixDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsRUFBRSxDQUFDLENBQUM7Z0JBQ2xFLElBQUksUUFBUSxFQUFFO29CQUNaLFlBQVksR0FBRyxRQUFRLENBQUM7aUJBQ3pCO2FBQ0Y7WUFDRCxNQUFNLFVBQVUsQ0FBQyxNQUFNLENBQUMsU0FBUyxFQUFFLGFBQWEsRUFBRSxZQUFZLENBQUMsQ0FBQztTQUNqRTtLQUNGO0lBRUQsSUFBSSxtQkFBbUIsR0FBRyxDQUFDLENBQUM7SUFDNUIsTUFBTSxRQUFRLEdBQUcsSUFBSSxHQUFHLENBQ3RCLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLElBQUksRUFBRSxvQkFBb0IsR0FBRywyQkFBMkIsRUFBRSxFQUFFLEVBQUU7UUFDNUUsTUFBTSxNQUFNLEdBQUcsQ0FBQyxHQUFHLEVBQUU7WUFDbkIsSUFBSSxRQUFRLEVBQUUsT0FBTyxDQUFDO1lBQ3RCLE1BQU0sS0FBSyxHQUFVO2dCQUNuQixJQUFJO2dCQUNKLGVBQWUsRUFBRSxtQkFBbUI7Z0JBQ3BDLG9CQUFvQjtnQkFDcEIsT0FBTyxFQUFFLElBQUksT0FBTyxDQUFDLENBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxFQUFFO29CQUN2QyxRQUFRLEdBQUcsT0FBTyxDQUFDO29CQUNuQixPQUFPLEdBQUcsTUFBTSxDQUFDO2dCQUNuQixDQUFDLENBQUM7YUFDSCxDQUFDO1lBQ0YsS0FBSyxDQUFDLFFBQVEsR0FBRyxRQUFRLENBQUM7WUFDMUIsS0FBSyxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7WUFDeEIsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ0wsbUJBQW1CLElBQUksb0JBQW9CLElBQUksMkJBQTJCLENBQUM7UUFDM0UsT0FBTyxDQUFDLElBQUksRUFBRSxNQUFNLENBQUMsQ0FBQztJQUN4QixDQUFDLENBQUMsQ0FDSCxDQUFDO0lBRUYsTUFBTSxNQUFNLEdBQUcsSUFBSSxZQUFZLENBQUMsR0FBRyxDQUFDLGFBQWEsQ0FBQyxDQUFDO0lBQ25ELE1BQU0sbUJBQW1CLEdBQUcsY0FBYyxJQUFJLGtCQUFrQixDQUFDO0lBQ2pFLElBQUksbUJBQW1CLEtBQUssTUFBTSxJQUFJLG1CQUFtQixLQUFLLE9BQU8sRUFBRTtRQUNyRSxNQUFNLElBQUksZ0JBQWdCLENBQUMsaUNBQWlDLG1CQUFtQixHQUFHLENBQUMsQ0FBQztLQUNyRjtJQUVELHFDQUFxQztJQUNyQyxnQkFBZ0IsQ0FDZCxLQUFLLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUM3QixnQkFBZ0IsRUFDaEIsU0FBUyxFQUNULGdCQUFnQixFQUNoQixNQUFNLEVBQ04sbUJBQW1CLEVBQ25CLEdBQUcsQ0FBQyxhQUFhLENBQ2xCLENBQUM7SUFFRixJQUFJLFFBQVEsR0FBRyxDQUFDLENBQUM7SUFDakIsTUFBTSxnQkFBZ0IsR0FBRztRQUN2QixJQUFJLEVBQUUsS0FBSyxFQUFFLFVBQTJDLEVBQUUsRUFBRTtZQUMxRCxJQUFJLFFBQVEsQ0FBQyxJQUFJLEtBQUssQ0FBQyxFQUFFO2dCQUN2QixVQUFVLENBQUMsS0FBSyxFQUFFLENBQUM7Z0JBQ25CLE9BQU87YUFDUjtZQUVELE1BQU0sQ0FBQyxJQUFJLEVBQUUsS0FBSyxDQUFDLEdBQUcsUUFBUSxDQUFDLE9BQU8sRUFBRSxDQUFDLElBQUksRUFBRSxDQUFDLEtBQUssQ0FBQztZQUN0RCxJQUFJLENBQUMsS0FBSyxDQUFDLGNBQWMsRUFBRTtnQkFDekIsTUFBTSxLQUFLLENBQUMsT0FBTyxDQUFDO2FBQ3JCO1lBQ0QsTUFBTSxnQkFBZ0IsR0FBRyxLQUFLLENBQUMsY0FBYyxDQUFDO1lBRTlDLFVBQVUsQ0FBQyxPQUFPLENBQUMsSUFBSSxVQUFVLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLFdBQVcsRUFBRSxDQUFDLENBQUMsQ0FBQztZQUMzRSxRQUFRLElBQUksS0FBSyxDQUFDLG9CQUFvQixDQUFDO1lBQ3ZDLEdBQUcsQ0FBQyxlQUFlLEVBQUUsQ0FBQyxRQUFRLENBQUMsQ0FBQztZQUVoQyxLQUFLLENBQUMsY0FBYyxHQUFHLElBQUksQ0FBQztZQUM1QixRQUFRLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDO1FBQ3hCLENBQUM7UUFDRCxHQUFHLENBQUMsR0FBRyxDQUFDLHVCQUF1QixJQUFJLEVBQUUsdUJBQXVCLEVBQUUsR0FBRyxDQUFDLHVCQUF1QixFQUFFLENBQUM7S0FDN0YsQ0FBQztJQUVGLE1BQU0sWUFBWSxHQUFHLElBQUksdUJBQXVCLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztJQUVuRSxZQUFZLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztJQUNqQyxZQUFZLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxRQUFRLENBQUMsQ0FBQztJQUN4QyxZQUFZLENBQUMsUUFBUSxHQUFHLFFBQVEsQ0FBQztJQUNqQyxZQUFZLENBQUMsSUFBSSxDQUFDLFFBQVEsRUFBRSxRQUFRLENBQUMsQ0FBQztJQUN0QyxPQUFPLFlBQVksQ0FBQztBQUN0QixDQUFDIn0=