@oscharko-dev/keiko-model-gateway 0.2.0

package/dist/embedding.d.ts

@@ -0,0 +1,38 @@
+import type { EmbeddingModelIdentity, EmbeddingVectorMetric } from "@oscharko-dev/keiko-contracts";
+import type { OpenAIEmbeddingBatchOutcome, OpenAIEmbeddingBatchRequest, OpenAIEmbeddingRequest, OpenAIEmbeddingOutcome } from "./openai-embedding-adapter.js";
+import type { OutboundHttpEgressConfig } from "./types.js";
+export type EmbeddingFailureReason = "missing-credentials" | "unavailable" | "wrong-header" | "rate-limited" | "dimension-mismatch" | "timeout" | "cancelled" | "unsupported-model" | "proxy-unreachable" | "proxy-auth-required" | "proxy-egress-failed" | "proxy-blocked-by-policy" | "tls-ca-failure" | "invalid-response" | "incompatible-with-stored-identity";
+export interface EmbeddingIdentityWarning {
+    readonly code: "model-revision-changed";
+    readonly safeMessage: string;
+    readonly previousRevision?: string;
+    readonly currentRevision?: string;
+}
+export type EmbeddingCapabilityCheck = {
+    readonly ok: true;
+    readonly identity: EmbeddingModelIdentity;
+    readonly warning?: EmbeddingIdentityWarning;
+} | {
+    readonly ok: false;
+    readonly reason: EmbeddingFailureReason;
+    readonly safeMessage: string;
+};
+export interface EmbeddingProbeOptions {
+    readonly modelId: string;
+    readonly provider: string;
+    readonly vectorMetric: EmbeddingVectorMetric;
+    readonly expectedDimensions?: number;
+    readonly signal?: AbortSignal;
+    readonly timeoutMs?: number;
+}
+export interface OpenAIEmbeddingAdapter {
+    readonly endpoint: string;
+    readonly apiKey: string;
+    readonly apiKeyHeaderName?: string;
+    readonly egress?: OutboundHttpEgressConfig | undefined;
+    readonly request: (input: OpenAIEmbeddingRequest) => Promise<OpenAIEmbeddingOutcome>;
+    readonly requestBatch?: (input: OpenAIEmbeddingBatchRequest) => Promise<OpenAIEmbeddingBatchOutcome>;
+}
+export declare function verifyEmbeddingCapability(adapter: OpenAIEmbeddingAdapter, options: EmbeddingProbeOptions): Promise<EmbeddingCapabilityCheck>;
+export declare function assertCompatibleEmbeddingIdentity(stored: EmbeddingModelIdentity, current: EmbeddingModelIdentity): EmbeddingCapabilityCheck;
+//# sourceMappingURL=embedding.d.ts.map

package/dist/embedding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"embedding.d.ts","sourceRoot":"","sources":["../src/embedding.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AACnG,OAAO,KAAK,EACV,2BAA2B,EAC3B,2BAA2B,EAE3B,sBAAsB,EACtB,sBAAsB,EACvB,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAG3D,MAAM,MAAM,sBAAsB,GAC9B,qBAAqB,GACrB,aAAa,GACb,cAAc,GACd,cAAc,GACd,oBAAoB,GACpB,SAAS,GACT,WAAW,GACX,mBAAmB,GACnB,mBAAmB,GACnB,qBAAqB,GACrB,qBAAqB,GACrB,yBAAyB,GACzB,gBAAgB,GAChB,kBAAkB,GAClB,mCAAmC,CAAC;AAExC,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,wBAAwB,CAAC;IACxC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;CACnC;AAED,MAAM,MAAM,wBAAwB,GAChC;IACE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,CAAC;IAC1C,QAAQ,CAAC,OAAO,CAAC,EAAE,wBAAwB,CAAC;CAC7C,GACD;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,sBAAsB,CAAC;IAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC;AAElG,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,qBAAqB,CAAC;IAC7C,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC;IAC9B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAKD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,MAAM,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAAC;IACvD,QAAQ,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,sBAAsB,KAAK,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAIrF,QAAQ,CAAC,YAAY,CAAC,EAAE,CACtB,KAAK,EAAE,2BAA2B,KAC/B,OAAO,CAAC,2BAA2B,CAAC,CAAC;CAC3C;AAkED,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,sBAAsB,EAC/B,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,wBAAwB,CAAC,CAiCnC;AA4BD,wBAAgB,iCAAiC,CAC/C,MAAM,EAAE,sBAAsB,EAC9B,OAAO,EAAE,sBAAsB,GAC9B,wBAAwB,CAW1B"}

package/dist/embedding.js

@@ -0,0 +1,118 @@
+// Embedding capability verification + identity compatibility for the Local
+// Knowledge Connector. Decides whether a configured embedding model is reachable
+// and whether its vector space remains compatible with a previously stored
+// embedding identity. Every failure path produces a `safeMessage` string that
+// MUST NOT contain API keys, full URLs, raw provider bodies, IPs, or the
+// user-supplied input. Probes are pure-ish: I/O is encapsulated in the injected
+// adapter function.
+const PROBE_INPUT = "ping";
+const SAFE_MESSAGES = Object.freeze({
+    "missing-credentials": "model gateway credentials are not configured",
+    unavailable: "model gateway is not reachable",
+    "wrong-header": "model gateway rejected the request — check API key configuration",
+    "rate-limited": "model gateway is rate-limited — retry after the configured backoff",
+    "dimension-mismatch": "embedding vector dimensions do not match the expected value",
+    timeout: "embedding probe timed out",
+    cancelled: "embedding probe was cancelled by the caller",
+    "unsupported-model": "embedding model is not available on the configured gateway",
+    "proxy-unreachable": "configured proxy is unreachable",
+    "proxy-auth-required": "configured proxy requires authentication",
+    "proxy-egress-failed": "configured proxy failed outbound egress",
+    "proxy-blocked-by-policy": "configured proxy blocked outbound egress",
+    "tls-ca-failure": "TLS certificate verification failed for outbound egress",
+    "invalid-response": "embedding response was malformed",
+    "incompatible-with-stored-identity": "embedding model identity changed — existing capsules are no longer compatible",
+});
+const ADAPTER_FAILURE_REASONS = Object.freeze({
+    "wrong-header": "wrong-header",
+    "rate-limited": "rate-limited",
+    "unsupported-model": "unsupported-model",
+    timeout: "timeout",
+    cancelled: "cancelled",
+    "invalid-response": "invalid-response",
+    "proxy-unreachable": "proxy-unreachable",
+    "proxy-auth-required": "proxy-auth-required",
+    "proxy-egress-failed": "proxy-egress-failed",
+    "proxy-blocked-by-policy": "proxy-blocked-by-policy",
+    "tls-ca-failure": "tls-ca-failure",
+    transport: "unavailable",
+});
+function fail(reason) {
+    return { ok: false, reason, safeMessage: SAFE_MESSAGES[reason] };
+}
+function reasonFromAdapter(kind) {
+    return ADAPTER_FAILURE_REASONS[kind];
+}
+function hasCredentials(adapter) {
+    return adapter.apiKey.trim().length > 0;
+}
+function buildIdentity(options, detectedModelId, detectedDimensions, modelRevision) {
+    return {
+        provider: options.provider,
+        modelId: detectedModelId,
+        vectorDimensions: detectedDimensions,
+        vectorMetric: options.vectorMetric,
+        ...(modelRevision !== undefined ? { modelRevision } : {}),
+    };
+}
+export async function verifyEmbeddingCapability(adapter, options) {
+    if (!hasCredentials(adapter)) {
+        return fail("missing-credentials");
+    }
+    const request = {
+        endpoint: adapter.endpoint,
+        apiKey: adapter.apiKey,
+        ...(adapter.apiKeyHeaderName !== undefined
+            ? { apiKeyHeaderName: adapter.apiKeyHeaderName }
+            : {}),
+        ...(adapter.egress !== undefined ? { egress: adapter.egress } : {}),
+        modelId: options.modelId,
+        input: PROBE_INPUT,
+        ...(options.signal !== undefined ? { signal: options.signal } : {}),
+        ...(options.timeoutMs !== undefined ? { timeoutMs: options.timeoutMs } : {}),
+    };
+    const outcome = await adapter.request(request);
+    if (!outcome.ok) {
+        return fail(reasonFromAdapter(outcome.kind));
+    }
+    const detected = outcome.value.vector.length;
+    if (detected === 0) {
+        return fail("invalid-response");
+    }
+    if (options.expectedDimensions !== undefined && options.expectedDimensions !== detected) {
+        return fail("dimension-mismatch");
+    }
+    return {
+        ok: true,
+        identity: buildIdentity(options, outcome.value.modelId, detected, outcome.value.modelRevision),
+    };
+}
+function structuralFieldsEqual(a, b) {
+    return (a.provider === b.provider &&
+        a.modelId === b.modelId &&
+        a.vectorDimensions === b.vectorDimensions &&
+        a.vectorMetric === b.vectorMetric);
+}
+function revisionDiffers(stored, current) {
+    return stored.modelRevision !== current.modelRevision;
+}
+function buildRevisionWarning(stored, current) {
+    return {
+        code: "model-revision-changed",
+        safeMessage: "embedding model revision changed — capsules remain compatible but should be re-validated",
+        ...(stored.modelRevision !== undefined ? { previousRevision: stored.modelRevision } : {}),
+        ...(current.modelRevision !== undefined ? { currentRevision: current.modelRevision } : {}),
+    };
+}
+export function assertCompatibleEmbeddingIdentity(stored, current) {
+    if (!structuralFieldsEqual(stored, current)) {
+        return fail("incompatible-with-stored-identity");
+    }
+    if (revisionDiffers(stored, current)) {
+        // Return the CURRENT identity (not stored) so the caller can persist the new revision
+        // and avoid a permanent warning on every subsequent compatibility check. The warning
+        // carries the previous revision for diagnostics. #192 Copilot finding.
+        return { ok: true, identity: current, warning: buildRevisionWarning(stored, current) };
+    }
+    return { ok: true, identity: stored };
+}

package/dist/gateway.d.ts

@@ -0,0 +1,23 @@
+import type { Clock, CircuitBreakerStatus, GatewayConfig, GatewayRequest, GatewayStreamChunk, NormalizedResponse, ProviderAdapter } from "./types.js";
+export interface GatewayDeps {
+    readonly adapter?: ProviderAdapter | undefined;
+    readonly clock?: Clock | undefined;
+}
+export declare class Gateway {
+    private readonly config;
+    private readonly clock;
+    private readonly adapter;
+    private readonly providers;
+    private readonly breakers;
+    constructor(config: GatewayConfig, deps?: GatewayDeps);
+    chat(request: GatewayRequest): Promise<NormalizedResponse>;
+    chatStream(request: GatewayRequest): AsyncGenerator<GatewayStreamChunk>;
+    private streamFrom;
+    private enrich;
+    circuitStatus(modelId: string): CircuitBreakerStatus;
+    private invoke;
+    private route;
+    private breakerFor;
+    private adapterFor;
+}
+//# sourceMappingURL=gateway.d.ts.map

package/dist/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EACV,KAAK,EACL,oBAAoB,EACpB,aAAa,EACb,cAAc,EACd,kBAAkB,EAGlB,kBAAkB,EAClB,eAAe,EAChB,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,OAAO,CAAC,EAAE,eAAe,GAAG,SAAS,CAAC;IAC/C,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,GAAG,SAAS,CAAC;CACpC;AAOD,qBAAa,OAAO;IAOhB,OAAO,CAAC,QAAQ,CAAC,MAAM;IANzB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA8B;IACtD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAA2C;IACrE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqC;gBAG3C,MAAM,EAAE,aAAa,EACtC,IAAI,GAAE,WAAgB;IAOlB,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA+BzD,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,cAAc,CAAC,kBAAkB,CAAC;YAuB/D,UAAU;IAczB,OAAO,CAAC,MAAM;IAiBd,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,oBAAoB;YAYtC,MAAM;IAoBpB,OAAO,CAAC,KAAK;IAiBb,OAAO,CAAC,UAAU;IAUlB,OAAO,CAAC,UAAU;CAUnB"}

package/dist/gateway.js

@@ -0,0 +1,144 @@
+// Orchestrator: routes a request through the capability registry, then through the
+// circuit breaker, bounded retry, and the provider adapter. Usage metadata
+// (request id, latency, cost class) is owned by the gateway, not the provider, so
+// the audit ledger (issue #10) has a reliable typed target on every response.
+import { randomUUID } from "node:crypto";
+import { CancelledError, UnknownModelError } from "@oscharko-dev/keiko-security/errors/gateway";
+import { findConfiguredCapability } from "./model-selection.js";
+import { OpenAiAdapter } from "./openai-adapter.js";
+import { CircuitBreaker, executeWithRetry, systemClock } from "./resilience.js";
+export class Gateway {
+    config;
+    clock;
+    adapter;
+    providers;
+    breakers = new Map();
+    constructor(config, deps = {}) {
+        this.config = config;
+        this.clock = deps.clock ?? systemClock;
+        this.adapter = deps.adapter;
+        this.providers = new Map(config.providers.map((p) => [p.modelId, p]));
+    }
+    async chat(request) {
+        const route = this.route(request.modelId);
+        const breaker = this.breakerFor(route.provider);
+        const requestId = randomUUID();
+        const start = this.clock.now();
+        const adapter = this.adapterFor(requestId, route.capability);
+        const result = await executeWithRetry((attemptTimeoutMs) => this.invoke(breaker, adapter, request, {
+            ...route.provider,
+            ...(attemptTimeoutMs === undefined ? {} : { timeoutMs: attemptTimeoutMs }),
+        }), route.provider, this.clock, request.cancellationSignal);
+        return {
+            ...result,
+            usage: {
+                ...result.usage,
+                requestId,
+                latencyMs: Math.max(1, this.clock.now() - start),
+                costClass: route.capability.costClass,
+            },
+        };
+    }
+    // Streaming counterpart of chat(). Routes identically and guards with the circuit
+    // breaker, but is NOT wrapped in executeWithRetry: a mid-stream retry would replay
+    // already-emitted tokens. An adapter without a streaming variant falls back to a
+    // single delta+done synthesised from its buffered call().
+    async *chatStream(request) {
+        const route = this.route(request.modelId);
+        const breaker = this.breakerFor(route.provider);
+        breaker.assertAllowed();
+        const requestId = randomUUID();
+        const start = this.clock.now();
+        const adapter = this.adapterFor(requestId, route.capability);
+        try {
+            for await (const chunk of this.streamFrom(adapter, request, route.provider)) {
+                yield chunk.type === "done"
+                    ? { type: "done", response: this.enrich(chunk.response, requestId, start, route) }
+                    : chunk;
+            }
+            breaker.recordSuccess();
+        }
+        catch (error) {
+            // A client-initiated cancel is not a provider fault — skip the breaker.
+            if (!(error instanceof CancelledError)) {
+                breaker.recordFailure();
+            }
+            throw error;
+        }
+    }
+    async *streamFrom(adapter, request, provider) {
+        if (adapter.callStream !== undefined) {
+            yield* adapter.callStream(request, provider);
+            return;
+        }
+        const response = await adapter.call(request, provider);
+        yield { type: "delta", token: response.content };
+        yield { type: "done", response };
+    }
+    enrich(response, requestId, start, route) {
+        return {
+            ...response,
+            usage: {
+                ...response.usage,
+                requestId,
+                latencyMs: Math.max(1, this.clock.now() - start),
+                costClass: route.capability.costClass,
+            },
+        };
+    }
+    circuitStatus(modelId) {
+        const breaker = this.breakers.get(modelId);
+        return (breaker?.status(modelId) ?? {
+            modelId,
+            state: "closed",
+            consecutiveFailures: 0,
+            openedAt: null,
+        });
+    }
+    async invoke(breaker, adapter, request, provider) {
+        breaker.assertAllowed();
+        try {
+            const response = await adapter.call(request, provider);
+            breaker.recordSuccess();
+            return response;
+        }
+        catch (error) {
+            // A client-initiated cancel is not a provider fault — skip the breaker.
+            if (!(error instanceof CancelledError)) {
+                breaker.recordFailure();
+            }
+            throw error;
+        }
+    }
+    route(modelId) {
+        const provider = this.providers.get(modelId);
+        if (provider === undefined) {
+            throw new UnknownModelError(`no provider configured for model '${modelId}'`);
+        }
+        const capability = findConfiguredCapability(this.config, modelId);
+        if (capability === undefined) {
+            throw new UnknownModelError(`model '${modelId}' has no capability metadata`);
+        }
+        if (capability.kind !== "chat") {
+            throw new UnknownModelError(`model '${modelId}' has kind '${capability.kind}'; the chat path requires a chat model`);
+        }
+        return { provider, capability };
+    }
+    breakerFor(provider) {
+        const existing = this.breakers.get(provider.modelId);
+        if (existing !== undefined) {
+            return existing;
+        }
+        const breaker = new CircuitBreaker(provider.modelId, this.config.circuitBreaker, this.clock);
+        this.breakers.set(provider.modelId, breaker);
+        return breaker;
+    }
+    adapterFor(requestId, capability) {
+        return (this.adapter ??
+            new OpenAiAdapter({
+                requestId,
+                costClass: capability.costClass,
+                now: this.clock.now,
+            }));
+    }
+}

package/dist/http.d.ts

@@ -0,0 +1,24 @@
+import type { OutboundHttpEgressConfig } from "./types.js";
+export type { OutboundHttpEgressConfig } from "./types.js";
+export declare const MAX_RESPONSE_BYTES = 10000000;
+export interface GatewayFetchOptions extends RequestInit {
+    readonly fetchImpl?: typeof fetch | undefined;
+    readonly useCaFallback?: boolean | undefined;
+    readonly egress?: OutboundHttpEgressConfig | undefined;
+    readonly timeoutMs?: number | undefined;
+    readonly maxResponseBytes?: number | undefined;
+}
+export type OutboundHttpEgressErrorCode = "PROXY_UNREACHABLE" | "PROXY_AUTH_REQUIRED" | "PROXY_EGRESS_FAILED" | "PROXY_BLOCKED_BY_POLICY" | "TLS_CA_FAILURE";
+export declare class OutboundHttpEgressError extends Error {
+    readonly code: OutboundHttpEgressErrorCode;
+    constructor(code: OutboundHttpEgressErrorCode, message: string);
+}
+export declare function isMissingIssuerError(error: unknown): boolean;
+export declare function isRecoverableTlsTrustError(error: unknown): boolean;
+export declare function gatewayTrustedCaCertificates(caBundlePath?: string): readonly string[];
+export declare function _resetWarnedCaBundlePaths(): void;
+export declare function streamingResponseFromNode(res: import("node:http").IncomingMessage, onCancel: () => void, maxBytes?: number): Response;
+export declare function gatewayFetch(url: string, options?: GatewayFetchOptions): Promise<Response>;
+export declare function readJsonCapped(response: Response, maxBytes?: number): Promise<unknown>;
+export declare function readSseStream(response: Response, maxBytes?: number): AsyncGenerator;
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAE3D,YAAY,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAG3D,eAAO,MAAM,kBAAkB,WAAa,CAAC;AAE7C,MAAM,WAAW,mBAAoB,SAAQ,WAAW;IACtD,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,GAAG,SAAS,CAAC;IAC9C,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IAC7C,QAAQ,CAAC,MAAM,CAAC,EAAE,wBAAwB,GAAG,SAAS,CAAC;IAIvD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAExC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAChD;AAED,MAAM,MAAM,2BAA2B,GACnC,mBAAmB,GACnB,qBAAqB,GACrB,qBAAqB,GACrB,yBAAyB,GACzB,gBAAgB,CAAC;AAErB,qBAAa,uBAAwB,SAAQ,KAAK;IAChD,QAAQ,CAAC,IAAI,EAAE,2BAA2B,CAAC;gBAE/B,IAAI,EAAE,2BAA2B,EAAE,OAAO,EAAE,MAAM;CAK/D;AAsCD,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAO5D;AASD,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAOlE;AAoDD,wBAAgB,4BAA4B,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAUrF;AAGD,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD;AAmBD,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,OAAO,WAAW,EAAE,eAAe,EACxC,QAAQ,EAAE,MAAM,IAAI,EACpB,QAAQ,GAAE,MAA2B,GACpC,QAAQ,CAqCV;AAufD,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,QAAQ,CAAC,CAoBnB;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,QAAQ,EAClB,QAAQ,GAAE,MAA2B,GACpC,OAAO,CAAC,OAAO,CAAC,CAoBlB;AAoCD,wBAAuB,aAAa,CAClC,QAAQ,EAAE,QAAQ,EAClB,QAAQ,GAAE,MAA2B,GACpC,cAAc,CA2BhB"}