@pleri/olam-cli 0.1.173 → 0.1.175

package/dist/lib/auth-remote.d.ts

@@ -0,0 +1,130 @@
+/**
+ * auth-remote — HTTP helper for `olam auth --remote <url>` subcommands.
+ *
+ * Wraps fetch calls against the auth-worker's `/v1/*` endpoints.
+ *
+ * V1 dogfood note: CF Access cookie must be obtained manually via browser.
+ * A proper CLI-orchestrated SSO flow (CLI-as-OAuth-client) is deferred to v2.
+ * See e4/e5/e6 task notes in docs/plans/auth-worker-multitenant-vault/.
+ */
+export type FetchFn = typeof fetch;
+export interface RemoteClientOptions {
+    /** Auth-worker base URL, e.g. https://auth.example.workers.dev */
+    baseUrl: string;
+    /** CF_Authorization cookie value, obtained manually from browser DevTools. */
+    cfAuthCookie?: string;
+    /** Injected fetch for testing. Defaults to global fetch. */
+    fetchFn?: FetchFn;
+}
+export interface ServiceToken {
+    client_id: string;
+    label: string;
+    created_at?: string;
+}
+export interface AccountEntry {
+    id: string;
+    label?: string;
+    state?: string;
+    expiresIn?: string;
+}
+export interface AnthropicTokenIssueResponse {
+    secret: string;
+    token_hash: string;
+    label: string;
+    anthropic_base_url_hint?: string;
+}
+export interface AnthropicTokenEntry {
+    token_hash: string;
+    label: string;
+    issued_at?: string;
+    created_at?: string;
+    last_used_at?: string;
+}
+export interface OAuthStartResponse {
+    authorize_url: string;
+    state_id: string;
+}
+export interface HealthResponse {
+    status: string;
+    version?: string;
+}
+export interface DoctorCheckResult {
+    probe: string;
+    status: 'pass' | 'fail' | 'warn';
+    message: string;
+    remedy?: string;
+}
+/**
+ * GET /v1/health — worker liveness probe.
+ */
+export declare function remoteHealth(opts: RemoteClientOptions): Promise<HealthResponse>;
+/**
+ * POST /v1/oauth/start — begin an OAuth flow.
+ * Returns { authorize_url, state_id }.
+ */
+export declare function remoteOAuthStart(opts: RemoteClientOptions): Promise<OAuthStartResponse>;
+/**
+ * GET /v1/service-tokens — list bound service tokens.
+ */
+export declare function remoteListServiceTokens(opts: RemoteClientOptions): Promise<ServiceToken[]>;
+/**
+ * GET /v1/accounts — list registered accounts (Anthropic OAuth sessions).
+ */
+export declare function remoteListAccounts(opts: RemoteClientOptions): Promise<AccountEntry[]>;
+/**
+ * POST /v1/service-tokens/bind — bind a CF service token to a user sub.
+ */
+export declare function remoteBindServiceToken(opts: RemoteClientOptions, payload: {
+    client_id: string;
+    label: string;
+}): Promise<{
+    ok: boolean;
+}>;
+/**
+ * DELETE /v1/service-tokens/:client_id — revoke a service token.
+ */
+export declare function remoteDeleteServiceToken(opts: RemoteClientOptions, clientId: string): Promise<{
+    ok: boolean;
+}>;
+/**
+// ── g4: Anthropic proxy token helpers ────────────────────────────────────────
+
+export interface AnthropicTokenIssueResponse {
+  secret: string;
+  token_hash: string;
+  label: string;
+  anthropic_base_url_hint: string;
+}
+
+export interface AnthropicTokenEntry {
+  label: string;
+  token_hash: string;
+  issued_at?: string;
+  last_used_at?: string;
+}
+
+/**
+ * POST /v1/anthropic-tokens/issue — mint a new Anthropic proxy token.
+ * Returns { secret, token_hash, label, anthropic_base_url_hint }.
+ */
+export declare function remoteIssueAnthropicToken(opts: RemoteClientOptions, label: string): Promise<AnthropicTokenIssueResponse>;
+/**
+ * GET /v1/anthropic-tokens — list issued Anthropic proxy tokens.
+ */
+export declare function remoteListAnthropicTokens(opts: RemoteClientOptions): Promise<AnthropicTokenEntry[]>;
+/**
+ * DELETE /v1/anthropic-tokens/:token_hash — revoke an Anthropic proxy token.
+ * Returns true on 200/204, false on 404.
+ */
+export declare function remoteRevokeAnthropicToken(opts: RemoteClientOptions, tokenHash: string): Promise<boolean>;
+/**
+ * runDoctorChecks — runs 4 diagnostic probes against the auth-worker.
+ * Returns an ordered array of DoctorCheckResult (pass/fail/warn + remedy).
+ *
+ * Probe 1: GET /v1/health → liveness
+ * Probe 2: CF Access JWKS reachable (derives team domain from worker URL)
+ * Probe 3: POST /v1/oauth/start → endpoint reachability
+ * Probe 4: ANTHROPIC_OAUTH_CLIENT_ID env present (config check)
+ */
+export declare function runDoctorChecks(opts: RemoteClientOptions): Promise<DoctorCheckResult[]>;
+//# sourceMappingURL=auth-remote.d.ts.map

package/dist/lib/auth-remote.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-remote.d.ts","sourceRoot":"","sources":["../../src/lib/auth-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC;AAEnC,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAsBD;;GAEG;AACH,wBAAsB,YAAY,CAChC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,cAAc,CAAC,CAWzB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CAa7B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,YAAY,EAAE,CAAC,CAWzB;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,YAAY,EAAE,CAAC,CAWzB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,mBAAmB,EACzB,OAAO,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAC5C,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAa1B;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,mBAAmB,EACzB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAW1B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,mBAAmB,EACzB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,2BAA2B,CAAC,CAatC;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAYhC;AAED;;;GAGG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,mBAAmB,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,iBAAiB,EAAE,CAAC,CA2G9B"}

package/dist/lib/auth-remote.js

@@ -0,0 +1,307 @@
+/**
+ * auth-remote — HTTP helper for `olam auth --remote <url>` subcommands.
+ *
+ * Wraps fetch calls against the auth-worker's `/v1/*` endpoints.
+ *
+ * V1 dogfood note: CF Access cookie must be obtained manually via browser.
+ * A proper CLI-orchestrated SSO flow (CLI-as-OAuth-client) is deferred to v2.
+ * See e4/e5/e6 task notes in docs/plans/auth-worker-multitenant-vault/.
+ */
+function normalizeBase(url) {
+    return url.replace(/\/+$/, '');
+}
+/**
+ * Build common headers for auth-worker requests.
+ * When cfAuthCookie is provided, forwards it so the worker's CF Access
+ * middleware can authenticate the request server-side.
+ */
+function buildHeaders(cookie) {
+    const headers = {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+    };
+    if (cookie) {
+        headers['Cookie'] = `CF_Authorization=${cookie}`;
+    }
+    return headers;
+}
+/**
+ * GET /v1/health — worker liveness probe.
+ */
+export async function remoteHealth(opts) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/health`;
+    const res = await fetchFn(url, {
+        method: 'GET',
+        headers: buildHeaders(cfAuthCookie),
+    });
+    if (!res.ok) {
+        throw new Error(`Health check failed: HTTP ${res.status}`);
+    }
+    return res.json();
+}
+/**
+ * POST /v1/oauth/start — begin an OAuth flow.
+ * Returns { authorize_url, state_id }.
+ */
+export async function remoteOAuthStart(opts) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/oauth/start`;
+    const res = await fetchFn(url, {
+        method: 'POST',
+        headers: buildHeaders(cfAuthCookie),
+        body: JSON.stringify({}),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => '');
+        throw new Error(`OAuth start failed: HTTP ${res.status}${body ? ` — ${body}` : ''}`);
+    }
+    return res.json();
+}
+/**
+ * GET /v1/service-tokens — list bound service tokens.
+ */
+export async function remoteListServiceTokens(opts) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/service-tokens`;
+    const res = await fetchFn(url, {
+        method: 'GET',
+        headers: buildHeaders(cfAuthCookie),
+    });
+    if (!res.ok) {
+        throw new Error(`List service-tokens failed: HTTP ${res.status}`);
+    }
+    return res.json();
+}
+/**
+ * GET /v1/accounts — list registered accounts (Anthropic OAuth sessions).
+ */
+export async function remoteListAccounts(opts) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/accounts`;
+    const res = await fetchFn(url, {
+        method: 'GET',
+        headers: buildHeaders(cfAuthCookie),
+    });
+    if (!res.ok) {
+        throw new Error(`List accounts failed: HTTP ${res.status}`);
+    }
+    return res.json();
+}
+/**
+ * POST /v1/service-tokens/bind — bind a CF service token to a user sub.
+ */
+export async function remoteBindServiceToken(opts, payload) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/service-tokens/bind`;
+    const res = await fetchFn(url, {
+        method: 'POST',
+        headers: buildHeaders(cfAuthCookie),
+        body: JSON.stringify(payload),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => '');
+        throw new Error(`Bind service-token failed: HTTP ${res.status}${body ? ` — ${body}` : ''}`);
+    }
+    return { ok: true };
+}
+/**
+ * DELETE /v1/service-tokens/:client_id — revoke a service token.
+ */
+export async function remoteDeleteServiceToken(opts, clientId) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/service-tokens/${encodeURIComponent(clientId)}`;
+    const res = await fetchFn(url, {
+        method: 'DELETE',
+        headers: buildHeaders(cfAuthCookie),
+    });
+    if (!res.ok) {
+        throw new Error(`Delete service-token failed: HTTP ${res.status}`);
+    }
+    return { ok: true };
+}
+/**
+// ── g4: Anthropic proxy token helpers ────────────────────────────────────────
+
+export interface AnthropicTokenIssueResponse {
+  secret: string;
+  token_hash: string;
+  label: string;
+  anthropic_base_url_hint: string;
+}
+
+export interface AnthropicTokenEntry {
+  label: string;
+  token_hash: string;
+  issued_at?: string;
+  last_used_at?: string;
+}
+
+/**
+ * POST /v1/anthropic-tokens/issue — mint a new Anthropic proxy token.
+ * Returns { secret, token_hash, label, anthropic_base_url_hint }.
+ */
+export async function remoteIssueAnthropicToken(opts, label) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/anthropic-tokens/issue`;
+    const res = await fetchFn(url, {
+        method: 'POST',
+        headers: buildHeaders(cfAuthCookie),
+        body: JSON.stringify({ label }),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => '');
+        throw new Error(`Issue anthropic-token failed: HTTP ${res.status}${body ? ` — ${body}` : ''}`);
+    }
+    return res.json();
+}
+/**
+ * GET /v1/anthropic-tokens — list issued Anthropic proxy tokens.
+ */
+export async function remoteListAnthropicTokens(opts) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/anthropic-tokens`;
+    const res = await fetchFn(url, {
+        method: 'GET',
+        headers: buildHeaders(cfAuthCookie),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => '');
+        throw new Error(`List anthropic-tokens failed: HTTP ${res.status}${body ? ` — ${body}` : ''}`);
+    }
+    return res.json();
+}
+/**
+ * DELETE /v1/anthropic-tokens/:token_hash — revoke an Anthropic proxy token.
+ * Returns true on 200/204, false on 404.
+ */
+export async function remoteRevokeAnthropicToken(opts, tokenHash) {
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const url = `${normalizeBase(baseUrl)}/v1/anthropic-tokens/${encodeURIComponent(tokenHash)}`;
+    const res = await fetchFn(url, {
+        method: 'DELETE',
+        headers: buildHeaders(cfAuthCookie),
+    });
+    if (res.status === 404)
+        return false;
+    if (!res.ok) {
+        throw new Error(`Revoke anthropic-token failed: HTTP ${res.status}`);
+    }
+    return true;
+}
+/**
+ * runDoctorChecks — runs 4 diagnostic probes against the auth-worker.
+ * Returns an ordered array of DoctorCheckResult (pass/fail/warn + remedy).
+ *
+ * Probe 1: GET /v1/health → liveness
+ * Probe 2: CF Access JWKS reachable (derives team domain from worker URL)
+ * Probe 3: POST /v1/oauth/start → endpoint reachability
+ * Probe 4: ANTHROPIC_OAUTH_CLIENT_ID env present (config check)
+ */
+export async function runDoctorChecks(opts) {
+    const results = [];
+    const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+    const base = normalizeBase(baseUrl);
+    // Probe 1: /v1/health
+    try {
+        const h = await remoteHealth({ baseUrl, cfAuthCookie, fetchFn });
+        results.push({
+            probe: 'worker-health',
+            status: 'pass',
+            message: `Worker alive${h.version ? ` (version=${h.version})` : ''}`,
+        });
+    }
+    catch (err) {
+        results.push({
+            probe: 'worker-health',
+            status: 'fail',
+            message: err instanceof Error ? err.message : 'Health check failed',
+            remedy: `Verify the worker is deployed and reachable at ${base}`,
+        });
+    }
+    // Probe 2: CF Access JWKS
+    // Extract team domain from the worker URL host segment.
+    // e.g. https://auth.example.workers.dev → team = "example"
+    // For custom domains like auth.myteam.example.com, we look for the last
+    // two segments of the authority. In practice workers.dev domains expose team name.
+    let jwksUrl;
+    try {
+        const parsed = new URL(baseUrl);
+        // heuristic: take the second-to-last part of the hostname before TLD pair
+        const parts = parsed.hostname.split('.');
+        // e.g. auth.myteam.cloudflareaccess.com or myteam.cloudflareaccess.com
+        // Best-effort: use the host as the team domain search key
+        const team = parts.length >= 3 ? parts[parts.length - 3] : parts[0];
+        jwksUrl = `https://${team}.cloudflareaccess.com/cdn-cgi/access/certs`;
+    }
+    catch {
+        jwksUrl = `${base}/.well-known/jwks.json`;
+    }
+    try {
+        const res = await fetchFn(jwksUrl, { method: 'GET' });
+        if (res.ok) {
+            results.push({
+                probe: 'cf-access-jwks',
+                status: 'pass',
+                message: `CF Access JWKS reachable at ${jwksUrl}`,
+            });
+        }
+        else {
+            results.push({
+                probe: 'cf-access-jwks',
+                status: 'warn',
+                message: `CF Access JWKS returned HTTP ${res.status}`,
+                remedy: `Verify Cloudflare Access is configured for your zone. JWKS checked: ${jwksUrl}`,
+            });
+        }
+    }
+    catch (err) {
+        results.push({
+            probe: 'cf-access-jwks',
+            status: 'warn',
+            message: `CF Access JWKS unreachable: ${err instanceof Error ? err.message : String(err)}`,
+            remedy: `Check network access to ${jwksUrl}. CF Access may not be configured for this zone.`,
+        });
+    }
+    // Probe 3: POST /v1/oauth/start
+    try {
+        await remoteOAuthStart({ baseUrl, cfAuthCookie, fetchFn });
+        results.push({
+            probe: 'oauth-start',
+            status: 'pass',
+            message: 'OAuth start endpoint is reachable',
+        });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        // 403 means CF Access is enforcing SSO but the endpoint exists — that's a warn.
+        const status = msg.includes('HTTP 403') ? 'warn' : 'fail';
+        results.push({
+            probe: 'oauth-start',
+            status,
+            message: `OAuth start: ${msg}`,
+            remedy: status === 'warn'
+                ? 'Open the worker URL in a browser to complete CF Access SSO, then re-run with --cookie.'
+                : `Check that /v1/oauth/start is deployed at ${base}`,
+        });
+    }
+    // Probe 4: ANTHROPIC_OAUTH_CLIENT_ID env
+    const clientId = process.env['ANTHROPIC_OAUTH_CLIENT_ID'];
+    if (clientId) {
+        results.push({
+            probe: 'env-client-id',
+            status: 'pass',
+            message: `ANTHROPIC_OAUTH_CLIENT_ID is set (length=${clientId.length})`,
+        });
+    }
+    else {
+        results.push({
+            probe: 'env-client-id',
+            status: 'warn',
+            message: 'ANTHROPIC_OAUTH_CLIENT_ID is not set in the environment',
+            remedy: 'Set ANTHROPIC_OAUTH_CLIENT_ID in your shell profile (the Anthropic OAuth app client ID).',
+        });
+    }
+    return results;
+}
+//# sourceMappingURL=auth-remote.js.map

package/dist/lib/auth-remote.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-remote.js","sourceRoot":"","sources":["../../src/lib/auth-remote.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA0DH,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACH,SAAS,YAAY,CAAC,MAAe;IACnC,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;QAClC,MAAM,EAAE,kBAAkB;KAC3B,CAAC;IACF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,QAAQ,CAAC,GAAG,oBAAoB,MAAM,EAAE,CAAC;IACnD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAyB;IAEzB,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,YAAY,CAAC;IAClD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAA6B,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAyB;IAEzB,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,iBAAiB,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;QACnC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;KACzB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvF,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAAiC,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,IAAyB;IAEzB,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,oBAAoB,CAAC;IAC1D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,oCAAoC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAA6B,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAyB;IAEzB,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,cAAc,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAA6B,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAyB,EACzB,OAA6C;IAE7C,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,yBAAyB,CAAC;IAC/D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;QACnC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,mCAAmC,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC9F,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAyB,EACzB,QAAgB;IAEhB,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,sBAAsB,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC1F,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,qCAAqC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAyB,EACzB,KAAa;IAEb,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,4BAA4B,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;QACnC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;KAChC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjG,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAA0C,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAyB;IAEzB,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,sBAAsB,CAAC;IAC5D,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjG,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAAoC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,IAAyB,EACzB,SAAiB;IAEjB,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,wBAAwB,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;IAC7F,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;QAC7B,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,YAAY,CAAC,YAAY,CAAC;KACpC,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,uCAAuC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAyB;IAEzB,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC;IACxD,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAEpC,sBAAsB;IACtB,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,YAAY,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,eAAe,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;SACrE,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB;YACnE,MAAM,EAAE,kDAAkD,IAAI,EAAE;SACjE,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,wDAAwD;IACxD,2DAA2D;IAC3D,wEAAwE;IACxE,mFAAmF;IACnF,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,0EAA0E;QAC1E,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACpE,OAAO,GAAG,WAAW,IAAI,4CAA4C,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,GAAG,IAAI,wBAAwB,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACtD,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,gBAAgB;gBACvB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,+BAA+B,OAAO,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,gBAAgB;gBACvB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,gCAAgC,GAAG,CAAC,MAAM,EAAE;gBACrD,MAAM,EAAE,uEAAuE,OAAO,EAAE;aACzF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,gBAAgB;YACvB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;YAC1F,MAAM,EAAE,2BAA2B,OAAO,kDAAkD;SAC7F,CAAC,CAAC;IACL,CAAC;IAED,gCAAgC;IAChC,IAAI,CAAC;QACH,MAAM,gBAAgB,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,aAAa;YACpB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,mCAAmC;SAC7C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,gFAAgF;QAChF,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,aAAa;YACpB,MAAM;YACN,OAAO,EAAE,gBAAgB,GAAG,EAAE;YAC9B,MAAM,EACJ,MAAM,KAAK,MAAM;gBACf,CAAC,CAAC,wFAAwF;gBAC1F,CAAC,CAAC,6CAA6C,IAAI,EAAE;SAC1D,CAAC,CAAC;IACL,CAAC;IAED,yCAAyC;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IAC1D,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,4CAA4C,QAAQ,CAAC,MAAM,GAAG;SACxE,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,yDAAyD;YAClE,MAAM,EACJ,0FAA0F;SAC7F,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}