@push.rocks/smartproxy 18.0.2 → 18.2.0

package/dist_ts/certificate/certificate-manager.js

@@ -0,0 +1,505 @@
+/**
+ * Unified certificate manager for SmartProxy
+ */
+import * as plugins from '../plugins.js';
+import * as path from 'path';
+import * as fs from 'fs/promises';
+import { CertificateError, CertificateErrors } from './models/certificate-errors.js';
+import { CertificateEvent } from './events/certificate-events.js';
+/**
+ * Unified certificate manager
+ */
+export class CertificateManager extends plugins.EventEmitter {
+    constructor(config) {
+        super();
+        this.certificateCache = new Map();
+        this.pendingRequests = new Map();
+        // Validate configuration
+        if (!config.certProvider) {
+            throw CertificateErrors.noCertProvider();
+        }
+        if (!config.acmeEmail) {
+            throw CertificateErrors.missingAcmeEmail();
+        }
+        // Set defaults
+        this.config = {
+            ...config,
+            storageDir: config.storageDir || './certs',
+            renewBeforeDays: config.renewBeforeDays || 30,
+            defaultCertPath: config.defaultCertPath || path.join(process.cwd(), 'assets/certs/cert.pem'),
+            defaultKeyPath: config.defaultKeyPath || path.join(process.cwd(), 'assets/certs/key.pem')
+        };
+        // Ensure storage directory exists
+        this.ensureStorageDir();
+    }
+    /**
+     * Initialize the certificate manager
+     */
+    async start() {
+        // Initialize ACME client
+        await this.initializeAcmeClient();
+        // Load stored certificates
+        await this.loadStoredCertificates();
+        // Start renewal timer
+        this.startRenewalTimer();
+    }
+    /**
+     * Stop the certificate manager
+     */
+    async stop() {
+        if (this.renewalTimer) {
+            clearInterval(this.renewalTimer);
+            this.renewalTimer = undefined;
+        }
+    }
+    /**
+     * Get a certificate for a domain (main entry point)
+     */
+    async getCertificate(domain) {
+        // Check cache first
+        const cached = this.certificateCache.get(domain);
+        if (cached && this.isCertificateValid(cached)) {
+            return cached;
+        }
+        // Check for pending request to avoid duplicates
+        const pending = this.pendingRequests.get(domain);
+        if (pending) {
+            return pending;
+        }
+        // Start new certificate request
+        const request = this.requestCertificate(domain);
+        this.pendingRequests.set(domain, request);
+        try {
+            const cert = await request;
+            this.pendingRequests.delete(domain);
+            return cert;
+        }
+        catch (error) {
+            this.pendingRequests.delete(domain);
+            throw error;
+        }
+    }
+    /**
+     * Request a new certificate
+     */
+    async requestCertificate(domain) {
+        let strategyType = 'static';
+        try {
+            // Get strategy from provider
+            let strategy;
+            try {
+                strategy = await this.config.certProvider(domain);
+            }
+            catch (providerError) {
+                throw CertificateErrors.invalidCertProvider(providerError);
+            }
+            // Track strategy type for error reporting
+            strategyType = strategy.type === 'skip' ? 'static' : strategy.type;
+            let certificate;
+            switch (strategy.type) {
+                case 'acme-http':
+                    certificate = await this.requestAcmeHttpCertificate(domain);
+                    break;
+                case 'acme-dns':
+                    certificate = await this.requestAcmeDnsCertificate(domain);
+                    break;
+                case 'static':
+                    certificate = {
+                        domain,
+                        certificate: strategy.cert,
+                        privateKey: strategy.key,
+                        expiresAt: strategy.expiresAt || new Date(Date.now() + 90 * 24 * 60 * 60 * 1000),
+                        source: 'static'
+                    };
+                    break;
+                case 'skip':
+                    throw CertificateErrors.certificateNotFound(domain);
+                default:
+                    throw CertificateErrors.invalidCertProvider(new Error('Unknown strategy type'));
+            }
+            // Cache and store
+            this.certificateCache.set(domain, certificate);
+            await this.storeCertificate(certificate);
+            // Emit success event
+            this.emit(CertificateEvent.OBTAINED, {
+                domain,
+                type: 'new',
+                expiresAt: certificate.expiresAt,
+                source: certificate.source,
+                certificate: certificate.certificate,
+                privateKey: certificate.privateKey
+            });
+            return certificate;
+        }
+        catch (error) {
+            const certError = error instanceof CertificateError
+                ? error
+                : new CertificateError({
+                    code: 'UNKNOWN_ERROR',
+                    message: error.message || 'Unknown error',
+                    domain,
+                    cause: error
+                });
+            this.emit(CertificateEvent.FAILED, {
+                domain,
+                error: certError,
+                strategy: strategyType
+            });
+            throw certError;
+        }
+    }
+    /**
+     * Request certificate via ACME HTTP-01
+     */
+    async requestAcmeHttpCertificate(domain) {
+        if (domain.includes('*')) {
+            throw CertificateErrors.wildcardNotSupported(domain);
+        }
+        try {
+            // Create ACME order
+            const order = await this.acmeClient.createOrder({
+                identifiers: [{ type: 'dns', value: domain }]
+            });
+            // Get authorization
+            const authorization = await this.acmeClient.getAuthorization(order.authorizations[0]);
+            const challenge = authorization.challenges.find(c => c.type === 'http-01');
+            if (!challenge) {
+                throw new Error('No HTTP-01 challenge available');
+            }
+            // Prepare challenge response
+            const keyAuthorization = await this.acmeClient.getChallengeKeyAuthorization(challenge);
+            // Set up HTTP responder (this would integrate with Port80Handler)
+            await this.setupHttpChallenge(challenge.token, keyAuthorization);
+            // Notify ACME server
+            await this.acmeClient.completeChallenge(challenge);
+            await this.acmeClient.waitForValidation(challenge);
+            // Generate CSR
+            const keypair = await this.generateKeypair();
+            const csr = await this.generateCsr(domain, keypair);
+            // Finalize order
+            await this.acmeClient.finalizeOrder(order, csr);
+            const cert = await this.acmeClient.getCertificate(order);
+            // Clean up challenge
+            await this.cleanupHttpChallenge(challenge.token);
+            return {
+                domain,
+                certificate: cert,
+                privateKey: keypair.privateKey,
+                expiresAt: this.extractExpiryDate(cert),
+                source: 'acme-http'
+            };
+        }
+        catch (error) {
+            throw CertificateErrors.acmeHttpChallengeFailed(domain, error);
+        }
+    }
+    /**
+     * Request certificate via ACME DNS-01
+     */
+    async requestAcmeDnsCertificate(domain) {
+        try {
+            // Create ACME order
+            const order = await this.acmeClient.createOrder({
+                identifiers: [{ type: 'dns', value: domain }]
+            });
+            // Get authorization
+            const authorization = await this.acmeClient.getAuthorization(order.authorizations[0]);
+            const challenge = authorization.challenges.find(c => c.type === 'dns-01');
+            if (!challenge) {
+                throw new Error('No DNS-01 challenge available');
+            }
+            // Get DNS record value
+            const keyAuthorization = await this.acmeClient.getChallengeKeyAuthorization(challenge);
+            const dnsRecord = this.acmeClient.keyAuthorizationToDns01(keyAuthorization);
+            // Note: Actual DNS record creation would be handled externally
+            console.log(`Please create DNS TXT record: _acme-challenge.${domain} = ${dnsRecord}`);
+            // In a real implementation, we'd wait for DNS propagation
+            // For now, this is a placeholder
+            await new Promise(resolve => setTimeout(resolve, 60000)); // Wait 60 seconds
+            // Notify ACME server
+            await this.acmeClient.completeChallenge(challenge);
+            await this.acmeClient.waitForValidation(challenge);
+            // Generate CSR
+            const keypair = await this.generateKeypair();
+            const csr = await this.generateCsr(domain, keypair);
+            // Finalize order
+            await this.acmeClient.finalizeOrder(order, csr);
+            const cert = await this.acmeClient.getCertificate(order);
+            return {
+                domain,
+                certificate: cert,
+                privateKey: keypair.privateKey,
+                expiresAt: this.extractExpiryDate(cert),
+                source: 'acme-dns'
+            };
+        }
+        catch (error) {
+            throw CertificateErrors.acmeDnsChallengeFailed(domain, error);
+        }
+    }
+    /**
+     * Renew a certificate
+     */
+    async renewCertificate(domain) {
+        const existing = this.certificateCache.get(domain);
+        if (!existing) {
+            throw CertificateErrors.certificateNotFound(domain);
+        }
+        try {
+            // Request new certificate
+            const renewed = await this.requestCertificate(domain);
+            // Emit renewal event
+            this.emit(CertificateEvent.OBTAINED, {
+                domain,
+                type: 'renewed',
+                expiresAt: renewed.expiresAt,
+                source: renewed.source,
+                certificate: renewed.certificate,
+                privateKey: renewed.privateKey
+            });
+            return renewed;
+        }
+        catch (error) {
+            throw error;
+        }
+    }
+    /**
+     * Check certificates for renewal
+     */
+    async checkForRenewals() {
+        for (const [domain, cert] of this.certificateCache.entries()) {
+            if (this.shouldRenew(cert)) {
+                try {
+                    await this.renewCertificate(domain);
+                }
+                catch (error) {
+                    console.error(`Failed to renew certificate for ${domain}:`, error);
+                }
+            }
+            else if (this.isExpiringSoon(cert)) {
+                this.emit(CertificateEvent.EXPIRING, {
+                    domain,
+                    expiresAt: cert.expiresAt,
+                    daysRemaining: this.getDaysRemaining(cert)
+                });
+            }
+        }
+    }
+    /**
+     * Initialize ACME client
+     */
+    async initializeAcmeClient() {
+        // ACME client initialization placeholder
+        // In a real implementation, this would use an ACME library
+        console.log(`Initializing ACME client for ${this.config.acmeServer} environment`);
+    }
+    /**
+     * Load stored certificates from disk
+     */
+    async loadStoredCertificates() {
+        try {
+            const files = await fs.readdir(this.config.storageDir);
+            const certFiles = files.filter(f => f.endsWith('.json'));
+            for (const file of certFiles) {
+                try {
+                    const content = await fs.readFile(path.join(this.config.storageDir, file), 'utf-8');
+                    const cert = JSON.parse(content);
+                    cert.expiresAt = new Date(cert.expiresAt);
+                    if (this.isCertificateValid(cert)) {
+                        this.certificateCache.set(cert.domain, cert);
+                    }
+                }
+                catch (error) {
+                    console.error(`Failed to load certificate ${file}:`, error);
+                }
+            }
+        }
+        catch (error) {
+            console.error('Failed to load certificates:', error);
+        }
+    }
+    /**
+     * Store certificate to disk
+     */
+    async storeCertificate(cert) {
+        const filename = `${cert.domain}.json`;
+        const filepath = path.join(this.config.storageDir, filename);
+        try {
+            await fs.writeFile(filepath, JSON.stringify(cert, null, 2));
+            // Also save individual cert and key files
+            await fs.writeFile(path.join(this.config.storageDir, `${cert.domain}.crt`), cert.certificate);
+            await fs.writeFile(path.join(this.config.storageDir, `${cert.domain}.key`), cert.privateKey);
+            // Set proper permissions on key file
+            await fs.chmod(path.join(this.config.storageDir, `${cert.domain}.key`), 0o600);
+        }
+        catch (error) {
+            throw CertificateErrors.storageError('write', filepath, error);
+        }
+    }
+    /**
+     * Ensure storage directory exists
+     */
+    async ensureStorageDir() {
+        try {
+            await fs.mkdir(this.config.storageDir, { recursive: true });
+        }
+        catch (error) {
+            console.error('Failed to create storage directory:', error);
+        }
+    }
+    /**
+     * Get or create ACME account key
+     */
+    async getOrCreateAccountKey() {
+        const keyPath = path.join(this.config.storageDir, 'account.key');
+        try {
+            return await fs.readFile(keyPath, 'utf-8');
+        }
+        catch {
+            // Generate new key - placeholder
+            const dummyKey = '-----BEGIN PRIVATE KEY-----\nDUMMY_KEY_FOR_TESTING\n-----END PRIVATE KEY-----';
+            await fs.writeFile(keyPath, dummyKey);
+            await fs.chmod(keyPath, 0o600);
+            return dummyKey;
+        }
+    }
+    /**
+     * Generate keypair for certificate
+     */
+    async generateKeypair() {
+        // Keypair generation placeholder
+        return {
+            privateKey: '-----BEGIN PRIVATE KEY-----\nDUMMY_PRIVATE_KEY\n-----END PRIVATE KEY-----',
+            publicKey: '-----BEGIN PUBLIC KEY-----\nDUMMY_PUBLIC_KEY\n-----END PUBLIC KEY-----'
+        };
+    }
+    /**
+     * Generate CSR for domain
+     */
+    async generateCsr(domain, keypair) {
+        // CSR generation placeholder
+        return `-----BEGIN CERTIFICATE REQUEST-----\nDUMMY_CSR_FOR_${domain}\n-----END CERTIFICATE REQUEST-----`;
+    }
+    /**
+     * Extract expiry date from certificate
+     */
+    extractExpiryDate(certPem) {
+        // Certificate expiry extraction placeholder
+        // In a real implementation, this would parse the certificate
+        return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000); // 90 days from now
+    }
+    /**
+     * Check if certificate is valid
+     */
+    isCertificateValid(cert) {
+        return cert.expiresAt > new Date();
+    }
+    /**
+     * Check if certificate should be renewed
+     */
+    shouldRenew(cert) {
+        const daysRemaining = this.getDaysRemaining(cert);
+        return daysRemaining <= this.config.renewBeforeDays;
+    }
+    /**
+     * Check if certificate is expiring soon
+     */
+    isExpiringSoon(cert) {
+        const daysRemaining = this.getDaysRemaining(cert);
+        return daysRemaining <= this.config.renewBeforeDays + 7; // Warn 7 days before renewal
+    }
+    /**
+     * Get days remaining until expiry
+     */
+    getDaysRemaining(cert) {
+        const now = new Date();
+        const diff = cert.expiresAt.getTime() - now.getTime();
+        return Math.floor(diff / (1000 * 60 * 60 * 24));
+    }
+    /**
+     * Start renewal timer
+     */
+    startRenewalTimer() {
+        // Check every 6 hours
+        this.renewalTimer = setInterval(() => {
+            this.checkForRenewals().catch(error => {
+                console.error('Renewal check failed:', error);
+            });
+        }, 6 * 60 * 60 * 1000);
+        // Also check immediately
+        this.checkForRenewals().catch(error => {
+            console.error('Initial renewal check failed:', error);
+        });
+    }
+    /**
+     * Get default certificate for SNI fallback
+     */
+    async getDefaultCertificate() {
+        try {
+            const [cert, key] = await Promise.all([
+                fs.readFile(this.config.defaultCertPath, 'utf-8'),
+                fs.readFile(this.config.defaultKeyPath, 'utf-8')
+            ]);
+            return { cert, key };
+        }
+        catch (error) {
+            throw new CertificateError({
+                code: 'DEFAULT_CERT_ERROR',
+                message: 'Failed to load default certificate',
+                solution: 'Ensure default certificate files exist at configured paths',
+                cause: error
+            });
+        }
+    }
+    /**
+     * Set up HTTP challenge responder
+     */
+    async setupHttpChallenge(token, keyAuthorization) {
+        // This would integrate with Port80Handler
+        // For now, it's a placeholder
+        console.log(`HTTP Challenge: /.well-known/acme-challenge/${token} = ${keyAuthorization}`);
+    }
+    /**
+     * Clean up HTTP challenge
+     */
+    async cleanupHttpChallenge(token) {
+        // This would integrate with Port80Handler
+        // For now, it's a placeholder
+        console.log(`Cleanup HTTP Challenge: ${token}`);
+    }
+    /**
+     * Type assertion for event emitter
+     */
+    on(event, listener) {
+        return super.on(event, listener);
+    }
+    off(event, listener) {
+        return super.off(event, listener);
+    }
+    emit(event, data) {
+        return super.emit(event, data);
+    }
+    /**
+     * Update routes (placeholder for future implementation)
+     */
+    async updateRoutes(routes) {
+        // Process routes to extract certificate requirements
+        for (const route of routes) {
+            if (route.action.type === 'forward' &&
+                route.action.tls?.mode === 'terminate' &&
+                route.action.tls?.certificate === 'auto' &&
+                route.match.domains) {
+                const domains = Array.isArray(route.match.domains)
+                    ? route.match.domains
+                    : [route.match.domains];
+                for (const domain of domains) {
+                    // Trigger certificate retrieval for auto domains
+                    this.getCertificate(domain).catch(err => {
+                        console.error(`Failed to get certificate for ${domain}:`, err);
+                    });
+                }
+            }
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2VydGlmaWNhdGUtbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3RzL2NlcnRpZmljYXRlL2NlcnRpZmljYXRlLW1hbmFnZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUE7O0dBRUc7QUFFSCxPQUFPLEtBQUssT0FBTyxNQUFNLGVBQWUsQ0FBQztBQUN6QyxPQUFPLEtBQUssSUFBSSxNQUFNLE1BQU0sQ0FBQztBQUM3QixPQUFPLEtBQUssRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUVsQyxPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsaUJBQWlCLEVBQUUsTUFBTSxnQ0FBZ0MsQ0FBQztBQUNyRixPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSxnQ0FBZ0MsQ0FBQztBQStCbEU7O0dBRUc7QUFDSCxNQUFNLE9BQU8sa0JBQW1CLFNBQVEsT0FBTyxDQUFDLFlBQVk7SUFPMUQsWUFBWSxNQUFnQztRQUMxQyxLQUFLLEVBQUUsQ0FBQztRQU5GLHFCQUFnQixHQUFHLElBQUksR0FBRyxFQUE2QixDQUFDO1FBR3hELG9CQUFlLEdBQUcsSUFBSSxHQUFHLEVBQXNDLENBQUM7UUFLdEUseUJBQXlCO1FBQ3pCLElBQUksQ0FBQyxNQUFNLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDekIsTUFBTSxpQkFBaUIsQ0FBQyxjQUFjLEVBQUUsQ0FBQztRQUMzQyxDQUFDO1FBRUQsSUFBSSxDQUFDLE1BQU0sQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUN0QixNQUFNLGlCQUFpQixDQUFDLGdCQUFnQixFQUFFLENBQUM7UUFDN0MsQ0FBQztRQUVELGVBQWU7UUFDZixJQUFJLENBQUMsTUFBTSxHQUFHO1lBQ1osR0FBRyxNQUFNO1lBQ1QsVUFBVSxFQUFFLE1BQU0sQ0FBQyxVQUFVLElBQUksU0FBUztZQUMxQyxlQUFlLEVBQUUsTUFBTSxDQUFDLGVBQWUsSUFBSSxFQUFFO1lBQzdDLGVBQWUsRUFBRSxNQUFNLENBQUMsZUFBZSxJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsRUFBRSxFQUFFLHVCQUF1QixDQUFDO1lBQzVGLGNBQWMsRUFBRSxNQUFNLENBQUMsY0FBYyxJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsRUFBRSxFQUFFLHNCQUFzQixDQUFDO1NBQzFGLENBQUM7UUFFRixrQ0FBa0M7UUFDbEMsSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7SUFDMUIsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLEtBQUs7UUFDaEIseUJBQXlCO1FBQ3pCLE1BQU0sSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7UUFFbEMsMkJBQTJCO1FBQzNCLE1BQU0sSUFBSSxDQUFDLHNCQUFzQixFQUFFLENBQUM7UUFFcEMsc0JBQXNCO1FBQ3RCLElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO0lBQzNCLENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxJQUFJO1FBQ2YsSUFBSSxJQUFJLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDdEIsYUFBYSxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUNqQyxJQUFJLENBQUMsWUFBWSxHQUFHLFNBQVMsQ0FBQztRQUNoQyxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLGNBQWMsQ0FBQyxNQUFjO1FBQ3hDLG9CQUFvQjtRQUNwQixNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ2pELElBQUksTUFBTSxJQUFJLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQzlDLE9BQU8sTUFBTSxDQUFDO1FBQ2hCLENBQUM7UUFFRCxnREFBZ0Q7UUFDaEQsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDakQsSUFBSSxPQUFPLEVBQUUsQ0FBQztZQUNaLE9BQU8sT0FBTyxDQUFDO1FBQ2pCLENBQUM7UUFFRCxnQ0FBZ0M7UUFDaEMsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ2hELElBQUksQ0FBQyxlQUFlLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsQ0FBQztRQUUxQyxJQUFJLENBQUM7WUFDSCxNQUFNLElBQUksR0FBRyxNQUFNLE9BQU8sQ0FBQztZQUMzQixJQUFJLENBQUMsZUFBZSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUNwQyxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsSUFBSSxDQUFDLGVBQWUsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUM7WUFDcEMsTUFBTSxLQUFLLENBQUM7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGtCQUFrQixDQUFDLE1BQWM7UUFDN0MsSUFBSSxZQUFZLEdBQXdDLFFBQVEsQ0FBQztRQUVqRSxJQUFJLENBQUM7WUFDSCw2QkFBNkI7WUFDN0IsSUFBSSxRQUE2QixDQUFDO1lBQ2xDLElBQUksQ0FBQztnQkFDSCxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUNwRCxDQUFDO1lBQUMsT0FBTyxhQUFhLEVBQUUsQ0FBQztnQkFDdkIsTUFBTSxpQkFBaUIsQ0FBQyxtQkFBbUIsQ0FBQyxhQUFhLENBQUMsQ0FBQztZQUM3RCxDQUFDO1lBRUQsMENBQTBDO1lBQzFDLFlBQVksR0FBRyxRQUFRLENBQUMsSUFBSSxLQUFLLE1BQU0sQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1lBRW5FLElBQUksV0FBOEIsQ0FBQztZQUVuQyxRQUFRLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztnQkFDdEIsS0FBSyxXQUFXO29CQUNkLFdBQVcsR0FBRyxNQUFNLElBQUksQ0FBQywwQkFBMEIsQ0FBQyxNQUFNLENBQUMsQ0FBQztvQkFDNUQsTUFBTTtnQkFFUixLQUFLLFVBQVU7b0JBQ2IsV0FBVyxHQUFHLE1BQU0sSUFBSSxDQUFDLHlCQUF5QixDQUFDLE1BQU0sQ0FBQyxDQUFDO29CQUMzRCxNQUFNO2dCQUVSLEtBQUssUUFBUTtvQkFDWCxXQUFXLEdBQUc7d0JBQ1osTUFBTTt3QkFDTixXQUFXLEVBQUUsUUFBUSxDQUFDLElBQUk7d0JBQzFCLFVBQVUsRUFBRSxRQUFRLENBQUMsR0FBRzt3QkFDeEIsU0FBUyxFQUFFLFFBQVEsQ0FBQyxTQUFTLElBQUksSUFBSSxJQUFJLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7d0JBQ2hGLE1BQU0sRUFBRSxRQUFRO3FCQUNqQixDQUFDO29CQUNGLE1BQU07Z0JBRVIsS0FBSyxNQUFNO29CQUNULE1BQU0saUJBQWlCLENBQUMsbUJBQW1CLENBQUMsTUFBTSxDQUFDLENBQUM7Z0JBRXREO29CQUNFLE1BQU0saUJBQWlCLENBQUMsbUJBQW1CLENBQUMsSUFBSSxLQUFLLENBQUMsdUJBQXVCLENBQUMsQ0FBQyxDQUFDO1lBQ3BGLENBQUM7WUFFRCxrQkFBa0I7WUFDbEIsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsV0FBVyxDQUFDLENBQUM7WUFDL0MsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsV0FBVyxDQUFDLENBQUM7WUFFekMscUJBQXFCO1lBQ3JCLElBQUksQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsUUFBUSxFQUFFO2dCQUNuQyxNQUFNO2dCQUNOLElBQUksRUFBRSxLQUFLO2dCQUNYLFNBQVMsRUFBRSxXQUFXLENBQUMsU0FBUztnQkFDaEMsTUFBTSxFQUFFLFdBQVcsQ0FBQyxNQUFNO2dCQUMxQixXQUFXLEVBQUUsV0FBVyxDQUFDLFdBQVc7Z0JBQ3BDLFVBQVUsRUFBRSxXQUFXLENBQUMsVUFBVTthQUNuQyxDQUFDLENBQUM7WUFFSCxPQUFPLFdBQVcsQ0FBQztRQUVyQixDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLE1BQU0sU0FBUyxHQUFHLEtBQUssWUFBWSxnQkFBZ0I7Z0JBQ2pELENBQUMsQ0FBQyxLQUFLO2dCQUNQLENBQUMsQ0FBQyxJQUFJLGdCQUFnQixDQUFDO29CQUNuQixJQUFJLEVBQUUsZUFBZTtvQkFDckIsT0FBTyxFQUFFLEtBQUssQ0FBQyxPQUFPLElBQUksZUFBZTtvQkFDekMsTUFBTTtvQkFDTixLQUFLLEVBQUUsS0FBSztpQkFDYixDQUFDLENBQUM7WUFFUCxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sRUFBRTtnQkFDakMsTUFBTTtnQkFDTixLQUFLLEVBQUUsU0FBUztnQkFDaEIsUUFBUSxFQUFFLFlBQVk7YUFDdkIsQ0FBQyxDQUFDO1lBRUgsTUFBTSxTQUFTLENBQUM7UUFDbEIsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQywwQkFBMEIsQ0FBQyxNQUFjO1FBQ3JELElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQ3pCLE1BQU0saUJBQWlCLENBQUMsb0JBQW9CLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDdkQsQ0FBQztRQUVELElBQUksQ0FBQztZQUNILG9CQUFvQjtZQUNwQixNQUFNLEtBQUssR0FBRyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsV0FBVyxDQUFDO2dCQUM5QyxXQUFXLEVBQUUsQ0FBQyxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxDQUFDO2FBQzlDLENBQUMsQ0FBQztZQUVILG9CQUFvQjtZQUNwQixNQUFNLGFBQWEsR0FBRyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsZ0JBQWdCLENBQUMsS0FBSyxDQUFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3RGLE1BQU0sU0FBUyxHQUFHLGFBQWEsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLElBQUksS0FBSyxTQUFTLENBQUMsQ0FBQztZQUUzRSxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7Z0JBQ2YsTUFBTSxJQUFJLEtBQUssQ0FBQyxnQ0FBZ0MsQ0FBQyxDQUFDO1lBQ3BELENBQUM7WUFFRCw2QkFBNkI7WUFDN0IsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsNEJBQTRCLENBQUMsU0FBUyxDQUFDLENBQUM7WUFFdkYsa0VBQWtFO1lBQ2xFLE1BQU0sSUFBSSxDQUFDLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxLQUFLLEVBQUUsZ0JBQWdCLENBQUMsQ0FBQztZQUVqRSxxQkFBcUI7WUFDckIsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLGlCQUFpQixDQUFDLFNBQVMsQ0FBQyxDQUFDO1lBQ25ELE1BQU0sSUFBSSxDQUFDLFVBQVUsQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUVuRCxlQUFlO1lBQ2YsTUFBTSxPQUFPLEdBQUcsTUFBTSxJQUFJLENBQUMsZUFBZSxFQUFFLENBQUM7WUFDN0MsTUFBTSxHQUFHLEdBQUcsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsQ0FBQztZQUVwRCxpQkFBaUI7WUFDakIsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQyxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUM7WUFDaEQsTUFBTSxJQUFJLEdBQUcsTUFBTSxJQUFJLENBQUMsVUFBVSxDQUFDLGNBQWMsQ0FBQyxLQUFLLENBQUMsQ0FBQztZQUV6RCxxQkFBcUI7WUFDckIsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQyxDQUFDO1lBRWpELE9BQU87Z0JBQ0wsTUFBTTtnQkFDTixXQUFXLEVBQUUsSUFBSTtnQkFDakIsVUFBVSxFQUFFLE9BQU8sQ0FBQyxVQUFVO2dCQUM5QixTQUFTLEVBQUUsSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQztnQkFDdkMsTUFBTSxFQUFFLFdBQVc7YUFDcEIsQ0FBQztRQUVKLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsTUFBTSxpQkFBaUIsQ0FBQyx1QkFBdUIsQ0FBQyxNQUFNLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFDakUsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxNQUFjO1FBQ3BELElBQUksQ0FBQztZQUNILG9CQUFvQjtZQUNwQixNQUFNLEtBQUssR0FBRyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsV0FBVyxDQUFDO2dCQUM5QyxXQUFXLEVBQUUsQ0FBQyxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxDQUFDO2FBQzlDLENBQUMsQ0FBQztZQUVILG9CQUFvQjtZQUNwQixNQUFNLGFBQWEsR0FBRyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsZ0JBQWdCLENBQUMsS0FBSyxDQUFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3RGLE1BQU0sU0FBUyxHQUFHLGFBQWEsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLElBQUksS0FBSyxRQUFRLENBQUMsQ0FBQztZQUUxRSxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7Z0JBQ2YsTUFBTSxJQUFJLEtBQUssQ0FBQywrQkFBK0IsQ0FBQyxDQUFDO1lBQ25ELENBQUM7WUFFRCx1QkFBdUI7WUFDdkIsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsNEJBQTRCLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDdkYsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyx1QkFBdUIsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1lBRTVFLCtEQUErRDtZQUMvRCxPQUFPLENBQUMsR0FBRyxDQUFDLGlEQUFpRCxNQUFNLE1BQU0sU0FBUyxFQUFFLENBQUMsQ0FBQztZQUV0RiwwREFBMEQ7WUFDMUQsaUNBQWlDO1lBQ2pDLE1BQU0sSUFBSSxPQUFPLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQyxVQUFVLENBQUMsT0FBTyxFQUFFLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxrQkFBa0I7WUFFNUUscUJBQXFCO1lBQ3JCLE1BQU0sSUFBSSxDQUFDLFVBQVUsQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUNuRCxNQUFNLElBQUksQ0FBQyxVQUFVLENBQUMsaUJBQWlCLENBQUMsU0FBUyxDQUFDLENBQUM7WUFFbkQsZUFBZTtZQUNmLE1BQU0sT0FBTyxHQUFHLE1BQU0sSUFBSSxDQUFDLGVBQWUsRUFBRSxDQUFDO1lBQzdDLE1BQU0sR0FBRyxHQUFHLE1BQU0sSUFBSSxDQUFDLFdBQVcsQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLENBQUM7WUFFcEQsaUJBQWlCO1lBQ2pCLE1BQU0sSUFBSSxDQUFDLFVBQVUsQ0FBQyxhQUFhLENBQUMsS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDO1lBQ2hELE1BQU0sSUFBSSxHQUFHLE1BQU0sSUFBSSxDQUFDLFVBQVUsQ0FBQyxjQUFjLENBQUMsS0FBSyxDQUFDLENBQUM7WUFFekQsT0FBTztnQkFDTCxNQUFNO2dCQUNOLFdBQVcsRUFBRSxJQUFJO2dCQUNqQixVQUFVLEVBQUUsT0FBTyxDQUFDLFVBQVU7Z0JBQzlCLFNBQVMsRUFBRSxJQUFJLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQUFDO2dCQUN2QyxNQUFNLEVBQUUsVUFBVTthQUNuQixDQUFDO1FBRUosQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDZixNQUFNLGlCQUFpQixDQUFDLHNCQUFzQixDQUFDLE1BQU0sRUFBRSxLQUFLLENBQUMsQ0FBQztRQUNoRSxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLGdCQUFnQixDQUFDLE1BQWM7UUFDMUMsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNuRCxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDZCxNQUFNLGlCQUFpQixDQUFDLG1CQUFtQixDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3RELENBQUM7UUFFRCxJQUFJLENBQUM7WUFDSCwwQkFBMEI7WUFDMUIsTUFBTSxPQUFPLEdBQUcsTUFBTSxJQUFJLENBQUMsa0JBQWtCLENBQUMsTUFBTSxDQUFDLENBQUM7WUFFdEQscUJBQXFCO1lBQ3JCLElBQUksQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsUUFBUSxFQUFFO2dCQUNuQyxNQUFNO2dCQUNOLElBQUksRUFBRSxTQUFTO2dCQUNmLFNBQVMsRUFBRSxPQUFPLENBQUMsU0FBUztnQkFDNUIsTUFBTSxFQUFFLE9BQU8sQ0FBQyxNQUFNO2dCQUN0QixXQUFXLEVBQUUsT0FBTyxDQUFDLFdBQVc7Z0JBQ2hDLFVBQVUsRUFBRSxPQUFPLENBQUMsVUFBVTthQUMvQixDQUFDLENBQUM7WUFFSCxPQUFPLE9BQU8sQ0FBQztRQUVqQixDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLE1BQU0sS0FBSyxDQUFDO1FBQ2QsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxnQkFBZ0I7UUFDNUIsS0FBSyxNQUFNLENBQUMsTUFBTSxFQUFFLElBQUksQ0FBQyxJQUFJLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDO1lBQzdELElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO2dCQUMzQixJQUFJLENBQUM7b0JBQ0gsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLENBQUM7Z0JBQ3RDLENBQUM7Z0JBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztvQkFDZixPQUFPLENBQUMsS0FBSyxDQUFDLG1DQUFtQyxNQUFNLEdBQUcsRUFBRSxLQUFLLENBQUMsQ0FBQztnQkFDckUsQ0FBQztZQUNILENBQUM7aUJBQU0sSUFBSSxJQUFJLENBQUMsY0FBYyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7Z0JBQ3JDLElBQUksQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsUUFBUSxFQUFFO29CQUNuQyxNQUFNO29CQUNOLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUztvQkFDekIsYUFBYSxFQUFFLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUM7aUJBQzNDLENBQUMsQ0FBQztZQUNMLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLG9CQUFvQjtRQUNoQyx5Q0FBeUM7UUFDekMsMkRBQTJEO1FBQzNELE9BQU8sQ0FBQyxHQUFHLENBQUMsZ0NBQWdDLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVSxjQUFjLENBQUMsQ0FBQztJQUNwRixDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsc0JBQXNCO1FBQ2xDLElBQUksQ0FBQztZQUNILE1BQU0sS0FBSyxHQUFHLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1lBQ3ZELE1BQU0sU0FBUyxHQUFHLEtBQUssQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7WUFFekQsS0FBSyxNQUFNLElBQUksSUFBSSxTQUFTLEVBQUUsQ0FBQztnQkFDN0IsSUFBSSxDQUFDO29CQUNILE1BQU0sT0FBTyxHQUFHLE1BQU0sRUFBRSxDQUFDLFFBQVEsQ0FDL0IsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFVBQVUsRUFBRSxJQUFJLENBQUMsRUFDdkMsT0FBTyxDQUNSLENBQUM7b0JBQ0YsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQXNCLENBQUM7b0JBQ3RELElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFDO29CQUUxQyxJQUFJLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO3dCQUNsQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLENBQUM7b0JBQy9DLENBQUM7Z0JBQ0gsQ0FBQztnQkFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO29CQUNmLE9BQU8sQ0FBQyxLQUFLLENBQUMsOEJBQThCLElBQUksR0FBRyxFQUFFLEtBQUssQ0FBQyxDQUFDO2dCQUM5RCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsT0FBTyxDQUFDLEtBQUssQ0FBQyw4QkFBOEIsRUFBRSxLQUFLLENBQUMsQ0FBQztRQUN2RCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGdCQUFnQixDQUFDLElBQXVCO1FBQ3BELE1BQU0sUUFBUSxHQUFHLEdBQUcsSUFBSSxDQUFDLE1BQU0sT0FBTyxDQUFDO1FBQ3ZDLE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxVQUFVLEVBQUUsUUFBUSxDQUFDLENBQUM7UUFFN0QsSUFBSSxDQUFDO1lBQ0gsTUFBTSxFQUFFLENBQUMsU0FBUyxDQUFDLFFBQVEsRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUU1RCwwQ0FBMEM7WUFDMUMsTUFBTSxFQUFFLENBQUMsU0FBUyxDQUNoQixJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVSxFQUFFLEdBQUcsSUFBSSxDQUFDLE1BQU0sTUFBTSxDQUFDLEVBQ3ZELElBQUksQ0FBQyxXQUFXLENBQ2pCLENBQUM7WUFDRixNQUFNLEVBQUUsQ0FBQyxTQUFTLENBQ2hCLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxVQUFVLEVBQUUsR0FBRyxJQUFJLENBQUMsTUFBTSxNQUFNLENBQUMsRUFDdkQsSUFBSSxDQUFDLFVBQVUsQ0FDaEIsQ0FBQztZQUVGLHFDQUFxQztZQUNyQyxNQUFNLEVBQUUsQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFVBQVUsRUFBRSxHQUFHLElBQUksQ0FBQyxNQUFNLE1BQU0sQ0FBQyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBRWpGLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsTUFBTSxpQkFBaUIsQ0FBQyxZQUFZLENBQUMsT0FBTyxFQUFFLFFBQVEsRUFBRSxLQUFLLENBQUMsQ0FBQztRQUNqRSxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGdCQUFnQjtRQUM1QixJQUFJLENBQUM7WUFDSCxNQUFNLEVBQUUsQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxVQUFVLEVBQUUsRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUM5RCxDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLE9BQU8sQ0FBQyxLQUFLLENBQUMscUNBQXFDLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFDOUQsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxxQkFBcUI7UUFDakMsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFVBQVUsRUFBRSxhQUFhLENBQUMsQ0FBQztRQUVqRSxJQUFJLENBQUM7WUFDSCxPQUFPLE1BQU0sRUFBRSxDQUFDLFFBQVEsQ0FBQyxPQUFPLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFDN0MsQ0FBQztRQUFDLE1BQU0sQ0FBQztZQUNQLGlDQUFpQztZQUNqQyxNQUFNLFFBQVEsR0FBRywrRUFBK0UsQ0FBQztZQUVqRyxNQUFNLEVBQUUsQ0FBQyxTQUFTLENBQUMsT0FBTyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQ3RDLE1BQU0sRUFBRSxDQUFDLEtBQUssQ0FBQyxPQUFPLEVBQUUsS0FBSyxDQUFDLENBQUM7WUFFL0IsT0FBTyxRQUFRLENBQUM7UUFDbEIsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxlQUFlO1FBQzNCLGlDQUFpQztRQUNqQyxPQUFPO1lBQ0wsVUFBVSxFQUFFLDJFQUEyRTtZQUN2RixTQUFTLEVBQUUsd0VBQXdFO1NBQ3BGLENBQUM7SUFDSixDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsV0FBVyxDQUFDLE1BQWMsRUFBRSxPQUErQjtRQUN2RSw2QkFBNkI7UUFDN0IsT0FBTyxzREFBc0QsTUFBTSxxQ0FBcUMsQ0FBQztJQUMzRyxDQUFDO0lBRUQ7O09BRUc7SUFDSyxpQkFBaUIsQ0FBQyxPQUFlO1FBQ3ZDLDRDQUE0QztRQUM1Qyw2REFBNkQ7UUFDN0QsT0FBTyxJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDLENBQUMsbUJBQW1CO0lBQzdFLENBQUM7SUFFRDs7T0FFRztJQUNLLGtCQUFrQixDQUFDLElBQXVCO1FBQ2hELE9BQU8sSUFBSSxDQUFDLFNBQVMsR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO0lBQ3JDLENBQUM7SUFFRDs7T0FFRztJQUNLLFdBQVcsQ0FBQyxJQUF1QjtRQUN6QyxNQUFNLGFBQWEsR0FBRyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDbEQsT0FBTyxhQUFhLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxlQUFlLENBQUM7SUFDdEQsQ0FBQztJQUVEOztPQUVHO0lBQ0ssY0FBYyxDQUFDLElBQXVCO1FBQzVDLE1BQU0sYUFBYSxHQUFHLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNsRCxPQUFPLGFBQWEsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLGVBQWUsR0FBRyxDQUFDLENBQUMsQ0FBQyw2QkFBNkI7SUFDeEYsQ0FBQztJQUVEOztPQUVHO0lBQ0ssZ0JBQWdCLENBQUMsSUFBdUI7UUFDOUMsTUFBTSxHQUFHLEdBQUcsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUN2QixNQUFNLElBQUksR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sRUFBRSxHQUFHLEdBQUcsQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUN0RCxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxHQUFHLENBQUMsSUFBSSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQztJQUNsRCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxpQkFBaUI7UUFDdkIsc0JBQXNCO1FBQ3RCLElBQUksQ0FBQyxZQUFZLEdBQUcsV0FBVyxDQUFDLEdBQUcsRUFBRTtZQUNuQyxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLEVBQUU7Z0JBQ3BDLE9BQU8sQ0FBQyxLQUFLLENBQUMsdUJBQXVCLEVBQUUsS0FBSyxDQUFDLENBQUM7WUFDaEQsQ0FBQyxDQUFDLENBQUM7UUFDTCxDQUFDLEVBQUUsQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLENBQUM7UUFFdkIseUJBQXlCO1FBQ3pCLElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsRUFBRTtZQUNwQyxPQUFPLENBQUMsS0FBSyxDQUFDLCtCQUErQixFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3hELENBQUMsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLHFCQUFxQjtRQUNoQyxJQUFJLENBQUM7WUFDSCxNQUFNLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxHQUFHLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQztnQkFDcEMsRUFBRSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLGVBQWUsRUFBRSxPQUFPLENBQUM7Z0JBQ2pELEVBQUUsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxjQUFjLEVBQUUsT0FBTyxDQUFDO2FBQ2pELENBQUMsQ0FBQztZQUVILE9BQU8sRUFBRSxJQUFJLEVBQUUsR0FBRyxFQUFFLENBQUM7UUFDdkIsQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDZixNQUFNLElBQUksZ0JBQWdCLENBQUM7Z0JBQ3pCLElBQUksRUFBRSxvQkFBb0I7Z0JBQzFCLE9BQU8sRUFBRSxvQ0FBb0M7Z0JBQzdDLFFBQVEsRUFBRSw0REFBNEQ7Z0JBQ3RFLEtBQUssRUFBRSxLQUFLO2FBQ2IsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxLQUFhLEVBQUUsZ0JBQXdCO1FBQ3RFLDBDQUEwQztRQUMxQyw4QkFBOEI7UUFDOUIsT0FBTyxDQUFDLEdBQUcsQ0FBQywrQ0FBK0MsS0FBSyxNQUFNLGdCQUFnQixFQUFFLENBQUMsQ0FBQztJQUM1RixDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsb0JBQW9CLENBQUMsS0FBYTtRQUM5QywwQ0FBMEM7UUFDMUMsOEJBQThCO1FBQzlCLE9BQU8sQ0FBQyxHQUFHLENBQUMsMkJBQTJCLEtBQUssRUFBRSxDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUVEOztPQUVHO0lBQ0ksRUFBRSxDQUNQLEtBQVEsRUFDUixRQUFnRDtRQUVoRCxPQUFPLEtBQUssQ0FBQyxFQUFFLENBQUMsS0FBSyxFQUFFLFFBQVEsQ0FBQyxDQUFDO0lBQ25DLENBQUM7SUFFTSxHQUFHLENBQ1IsS0FBUSxFQUNSLFFBQWdEO1FBRWhELE9BQU8sS0FBSyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsUUFBUSxDQUFDLENBQUM7SUFDcEMsQ0FBQztJQUVNLElBQUksQ0FDVCxLQUFRLEVBQ1IsSUFBNEI7UUFFNUIsT0FBTyxLQUFLLENBQUMsSUFBSSxDQUFDLEtBQUssRUFBRSxJQUFJLENBQUMsQ0FBQztJQUNqQyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsWUFBWSxDQUFDLE1BQXNCO1FBQzlDLHFEQUFxRDtRQUNyRCxLQUFLLE1BQU0sS0FBSyxJQUFJLE1BQU0sRUFBRSxDQUFDO1lBQzNCLElBQUksS0FBSyxDQUFDLE1BQU0sQ0FBQyxJQUFJLEtBQUssU0FBUztnQkFDL0IsS0FBSyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsSUFBSSxLQUFLLFdBQVc7Z0JBQ3RDLEtBQUssQ0FBQyxNQUFNLENBQUMsR0FBRyxFQUFFLFdBQVcsS0FBSyxNQUFNO2dCQUN4QyxLQUFLLENBQUMsS0FBSyxDQUFDLE9BQU8sRUFBRSxDQUFDO2dCQUV4QixNQUFNLE9BQU8sR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDO29CQUNoRCxDQUFDLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxPQUFPO29CQUNyQixDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO2dCQUUxQixLQUFLLE1BQU0sTUFBTSxJQUFJLE9BQU8sRUFBRSxDQUFDO29CQUM3QixpREFBaUQ7b0JBQ2pELElBQUksQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxFQUFFO3dCQUN0QyxPQUFPLENBQUMsS0FBSyxDQUFDLGlDQUFpQyxNQUFNLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztvQkFDakUsQ0FBQyxDQUFDLENBQUM7Z0JBQ0wsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=

package/dist_ts/certificate/events/simplified-events.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Simplified certificate event system
+ */
+import type { CertificateError } from '../models/certificate-errors.js';
+/**
+ * Certificate event types - only the essentials
+ */
+export declare enum CertificateEvent {
+    OBTAINED = "certificate:obtained",
+    FAILED = "certificate:failed",
+    EXPIRING = "certificate:expiring"
+}
+/**
+ * Certificate obtained event data
+ */
+export interface CertificateObtainedEvent {
+    domain: string;
+    type: 'new' | 'renewed';
+    expiresAt: Date;
+    source: 'acme-http' | 'acme-dns' | 'static';
+    certificate: string;
+    privateKey: string;
+}
+/**
+ * Certificate failed event data
+ */
+export interface CertificateFailedEvent {
+    domain: string;
+    error: CertificateError;
+    attemptNumber?: number;
+    willRetry?: boolean;
+}
+/**
+ * Certificate expiring event data
+ */
+export interface CertificateExpiringEvent {
+    domain: string;
+    expiresAt: Date;
+    daysRemaining: number;
+}
+/**
+ * Combined event map for TypeScript typing
+ */
+export interface CertificateEventMap {
+    [CertificateEvent.OBTAINED]: CertificateObtainedEvent;
+    [CertificateEvent.FAILED]: CertificateFailedEvent;
+    [CertificateEvent.EXPIRING]: CertificateExpiringEvent;
+}
+/**
+ * Type-safe event emitter interface
+ */
+export interface ICertificateEventEmitter {
+    on<K extends keyof CertificateEventMap>(event: K, listener: (data: CertificateEventMap[K]) => void): this;
+    off<K extends keyof CertificateEventMap>(event: K, listener: (data: CertificateEventMap[K]) => void): this;
+    emit<K extends keyof CertificateEventMap>(event: K, data: CertificateEventMap[K]): boolean;
+}

package/dist_ts/certificate/events/simplified-events.js

@@ -0,0 +1,13 @@
+/**
+ * Simplified certificate event system
+ */
+/**
+ * Certificate event types - only the essentials
+ */
+export var CertificateEvent;
+(function (CertificateEvent) {
+    CertificateEvent["OBTAINED"] = "certificate:obtained";
+    CertificateEvent["FAILED"] = "certificate:failed";
+    CertificateEvent["EXPIRING"] = "certificate:expiring";
+})(CertificateEvent || (CertificateEvent = {}));
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2ltcGxpZmllZC1ldmVudHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9jZXJ0aWZpY2F0ZS9ldmVudHMvc2ltcGxpZmllZC1ldmVudHMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUE7O0dBRUc7QUFJSDs7R0FFRztBQUNILE1BQU0sQ0FBTixJQUFZLGdCQUlYO0FBSkQsV0FBWSxnQkFBZ0I7SUFDMUIscURBQWlDLENBQUE7SUFDakMsaURBQTZCLENBQUE7SUFDN0IscURBQWlDLENBQUE7QUFDbkMsQ0FBQyxFQUpXLGdCQUFnQixLQUFoQixnQkFBZ0IsUUFJM0IifQ==

package/dist_ts/certificate/models/certificate-errors.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Structured error types for certificate management
+ */
+export interface CertificateErrorDetails {
+    code: string;
+    message: string;
+    solution?: string;
+    domain?: string;
+    challengeType?: 'http' | 'dns';
+    details?: Record<string, any>;
+    cause?: Error;
+}
+/**
+ * Certificate-specific error class with structured information
+ */
+export declare class CertificateError extends Error {
+    readonly code: string;
+    readonly solution?: string;
+    readonly domain?: string;
+    readonly challengeType?: 'http' | 'dns';
+    readonly details?: Record<string, any>;
+    readonly cause?: Error;
+    constructor(details: CertificateErrorDetails);
+    /**
+     * Convert error to JSON for logging
+     */
+    toJSON(): Record<string, any>;
+}
+/**
+ * Common certificate error codes
+ */
+export declare const CertificateErrorCodes: {
+    readonly NO_CERT_PROVIDER: "NO_CERT_PROVIDER";
+    readonly INVALID_CERT_PROVIDER: "INVALID_CERT_PROVIDER";
+    readonly MISSING_ACME_EMAIL: "MISSING_ACME_EMAIL";
+    readonly ACME_HTTP_CHALLENGE_FAILED: "ACME_HTTP_CHALLENGE_FAILED";
+    readonly ACME_DNS_CHALLENGE_FAILED: "ACME_DNS_CHALLENGE_FAILED";
+    readonly ACME_RATE_LIMITED: "ACME_RATE_LIMITED";
+    readonly ACME_ACCOUNT_ERROR: "ACME_ACCOUNT_ERROR";
+    readonly ACME_VALIDATION_ERROR: "ACME_VALIDATION_ERROR";
+    readonly CERTIFICATE_EXPIRED: "CERTIFICATE_EXPIRED";
+    readonly CERTIFICATE_INVALID: "CERTIFICATE_INVALID";
+    readonly CERTIFICATE_NOT_FOUND: "CERTIFICATE_NOT_FOUND";
+    readonly CERTIFICATE_PARSE_ERROR: "CERTIFICATE_PARSE_ERROR";
+    readonly STORAGE_READ_ERROR: "STORAGE_READ_ERROR";
+    readonly STORAGE_WRITE_ERROR: "STORAGE_WRITE_ERROR";
+    readonly STORAGE_PERMISSION_ERROR: "STORAGE_PERMISSION_ERROR";
+    readonly NETWORK_TIMEOUT: "NETWORK_TIMEOUT";
+    readonly NETWORK_UNREACHABLE: "NETWORK_UNREACHABLE";
+    readonly DNS_RESOLUTION_FAILED: "DNS_RESOLUTION_FAILED";
+    readonly INVALID_DOMAIN: "INVALID_DOMAIN";
+    readonly WILDCARD_NOT_SUPPORTED: "WILDCARD_NOT_SUPPORTED";
+    readonly DOMAIN_NOT_CONFIGURED: "DOMAIN_NOT_CONFIGURED";
+};
+/**
+ * Helper functions for creating common certificate errors
+ */
+export declare const CertificateErrors: {
+    noCertProvider: () => CertificateError;
+    invalidCertProvider: (error: Error) => CertificateError;
+    missingAcmeEmail: () => CertificateError;
+    acmeHttpChallengeFailed: (domain: string, details?: any) => CertificateError;
+    acmeDnsChallengeFailed: (domain: string, details?: any) => CertificateError;
+    acmeRateLimited: (domain: string, resetTime?: Date) => CertificateError;
+    certificateExpired: (domain: string, expiredAt: Date) => CertificateError;
+    certificateNotFound: (domain: string) => CertificateError;
+    wildcardNotSupported: (domain: string) => CertificateError;
+    storageError: (operation: "read" | "write", path: string, error: Error) => CertificateError;
+};