@push.rocks/smartproxy 18.1.0 → 19.0.0

package/dist_ts/proxies/smart-proxy/certificate-manager.d.ts

@@ -0,0 +1,116 @@
+import { NetworkProxy } from '../network-proxy/index.js';
+import type { IRouteConfig } from './models/route-types.js';
+export interface ICertStatus {
+    domain: string;
+    status: 'valid' | 'pending' | 'expired' | 'error';
+    expiryDate?: Date;
+    issueDate?: Date;
+    source: 'static' | 'acme';
+    error?: string;
+}
+export interface ICertificateData {
+    cert: string;
+    key: string;
+    ca?: string;
+    expiryDate: Date;
+    issueDate: Date;
+}
+export declare class SmartCertManager {
+    private routes;
+    private certDir;
+    private acmeOptions?;
+    private certStore;
+    private smartAcme;
+    private networkProxy;
+    private renewalTimer;
+    private pendingChallenges;
+    private challengeRoute;
+    private certStatus;
+    private updateRoutesCallback?;
+    constructor(routes: IRouteConfig[], certDir?: string, acmeOptions?: {
+        email?: string;
+        useProduction?: boolean;
+        port?: number;
+    });
+    setNetworkProxy(networkProxy: NetworkProxy): void;
+    /**
+     * Set callback for updating routes (used for challenge routes)
+     */
+    setUpdateRoutesCallback(callback: (routes: IRouteConfig[]) => Promise<void>): void;
+    /**
+     * Initialize certificate manager and provision certificates for all routes
+     */
+    initialize(): Promise<void>;
+    /**
+     * Provision certificates for all routes that need them
+     */
+    private provisionAllCertificates;
+    /**
+     * Provision certificate for a single route
+     */
+    provisionCertificate(route: IRouteConfig): Promise<void>;
+    /**
+     * Provision ACME certificate
+     */
+    private provisionAcmeCertificate;
+    /**
+     * Provision static certificate
+     */
+    private provisionStaticCertificate;
+    /**
+     * Apply certificate to NetworkProxy
+     */
+    private applyCertificate;
+    /**
+     * Extract domains from route configuration
+     */
+    private extractDomainsFromRoute;
+    /**
+     * Check if certificate is valid
+     */
+    private isCertificateValid;
+    /**
+     * Add challenge route to SmartProxy
+     */
+    private addChallengeRoute;
+    /**
+     * Remove challenge route from SmartProxy
+     */
+    private removeChallengeRoute;
+    /**
+     * Start renewal timer
+     */
+    private startRenewalTimer;
+    /**
+     * Check and renew certificates that are expiring
+     */
+    private checkAndRenewCertificates;
+    /**
+     * Update certificate status
+     */
+    private updateCertStatus;
+    /**
+     * Get certificate status for a route
+     */
+    getCertificateStatus(routeName: string): ICertStatus | undefined;
+    /**
+     * Force renewal of a certificate
+     */
+    renewCertificate(routeName: string): Promise<void>;
+    /**
+     * Setup challenge handler integration with SmartProxy routing
+     */
+    private setupChallengeHandler;
+    /**
+     * Stop certificate manager
+     */
+    stop(): Promise<void>;
+    /**
+     * Get ACME options (for recreating after route updates)
+     */
+    getAcmeOptions(): {
+        email?: string;
+        useProduction?: boolean;
+        port?: number;
+    } | undefined;
+}

package/dist_ts/proxies/smart-proxy/certificate-manager.js

@@ -0,0 +1,401 @@
+import * as plugins from '../../plugins.js';
+import { NetworkProxy } from '../network-proxy/index.js';
+import { CertStore } from './cert-store.js';
+export class SmartCertManager {
+    constructor(routes, certDir = './certs', acmeOptions) {
+        this.routes = routes;
+        this.certDir = certDir;
+        this.acmeOptions = acmeOptions;
+        this.smartAcme = null;
+        this.networkProxy = null;
+        this.renewalTimer = null;
+        this.pendingChallenges = new Map();
+        this.challengeRoute = null;
+        // Track certificate status by route name
+        this.certStatus = new Map();
+        this.certStore = new CertStore(certDir);
+    }
+    setNetworkProxy(networkProxy) {
+        this.networkProxy = networkProxy;
+    }
+    /**
+     * Set callback for updating routes (used for challenge routes)
+     */
+    setUpdateRoutesCallback(callback) {
+        this.updateRoutesCallback = callback;
+    }
+    /**
+     * Initialize certificate manager and provision certificates for all routes
+     */
+    async initialize() {
+        // Create certificate directory if it doesn't exist
+        await this.certStore.initialize();
+        // Initialize SmartAcme if we have any ACME routes
+        const hasAcmeRoutes = this.routes.some(r => r.action.tls?.certificate === 'auto');
+        if (hasAcmeRoutes && this.acmeOptions?.email) {
+            // Create HTTP-01 challenge handler
+            const http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
+            // Set up challenge handler integration with our routing
+            this.setupChallengeHandler(http01Handler);
+            // Create SmartAcme instance with built-in MemoryCertManager and HTTP-01 handler
+            this.smartAcme = new plugins.smartacme.SmartAcme({
+                accountEmail: this.acmeOptions.email,
+                environment: this.acmeOptions.useProduction ? 'production' : 'integration',
+                certManager: new plugins.smartacme.certmanagers.MemoryCertManager(),
+                challengeHandlers: [http01Handler]
+            });
+            await this.smartAcme.start();
+        }
+        // Provision certificates for all routes
+        await this.provisionAllCertificates();
+        // Start renewal timer
+        this.startRenewalTimer();
+    }
+    /**
+     * Provision certificates for all routes that need them
+     */
+    async provisionAllCertificates() {
+        const certRoutes = this.routes.filter(r => r.action.tls?.mode === 'terminate' ||
+            r.action.tls?.mode === 'terminate-and-reencrypt');
+        for (const route of certRoutes) {
+            try {
+                await this.provisionCertificate(route);
+            }
+            catch (error) {
+                console.error(`Failed to provision certificate for route ${route.name}: ${error}`);
+            }
+        }
+    }
+    /**
+     * Provision certificate for a single route
+     */
+    async provisionCertificate(route) {
+        const tls = route.action.tls;
+        if (!tls || (tls.mode !== 'terminate' && tls.mode !== 'terminate-and-reencrypt')) {
+            return;
+        }
+        const domains = this.extractDomainsFromRoute(route);
+        if (domains.length === 0) {
+            console.warn(`Route ${route.name} has TLS termination but no domains`);
+            return;
+        }
+        const primaryDomain = domains[0];
+        if (tls.certificate === 'auto') {
+            // ACME certificate
+            await this.provisionAcmeCertificate(route, domains);
+        }
+        else if (typeof tls.certificate === 'object') {
+            // Static certificate
+            await this.provisionStaticCertificate(route, primaryDomain, tls.certificate);
+        }
+    }
+    /**
+     * Provision ACME certificate
+     */
+    async provisionAcmeCertificate(route, domains) {
+        if (!this.smartAcme) {
+            throw new Error('SmartAcme not initialized');
+        }
+        const primaryDomain = domains[0];
+        const routeName = route.name || primaryDomain;
+        // Check if we already have a valid certificate
+        const existingCert = await this.certStore.getCertificate(routeName);
+        if (existingCert && this.isCertificateValid(existingCert)) {
+            console.log(`Using existing valid certificate for ${primaryDomain}`);
+            await this.applyCertificate(primaryDomain, existingCert);
+            this.updateCertStatus(routeName, 'valid', 'acme', existingCert);
+            return;
+        }
+        console.log(`Requesting ACME certificate for ${domains.join(', ')}`);
+        this.updateCertStatus(routeName, 'pending', 'acme');
+        try {
+            // Add challenge route before requesting certificate
+            await this.addChallengeRoute();
+            try {
+                // Use smartacme to get certificate
+                const cert = await this.smartAcme.getCertificateForDomain(primaryDomain);
+                // SmartAcme's Cert object has these properties:
+                // - publicKey: The certificate PEM string  
+                // - privateKey: The private key PEM string
+                // - csr: Certificate signing request
+                // - validUntil: Timestamp in milliseconds
+                // - domainName: The domain name
+                const certData = {
+                    cert: cert.publicKey,
+                    key: cert.privateKey,
+                    ca: cert.publicKey, // Use same as cert for now
+                    expiryDate: new Date(cert.validUntil),
+                    issueDate: new Date(cert.created)
+                };
+                await this.certStore.saveCertificate(routeName, certData);
+                await this.applyCertificate(primaryDomain, certData);
+                this.updateCertStatus(routeName, 'valid', 'acme', certData);
+                console.log(`Successfully provisioned ACME certificate for ${primaryDomain}`);
+            }
+            catch (error) {
+                console.error(`Failed to provision ACME certificate for ${primaryDomain}: ${error}`);
+                this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
+                throw error;
+            }
+            finally {
+                // Always remove challenge route after provisioning
+                await this.removeChallengeRoute();
+            }
+        }
+        catch (error) {
+            // Handle outer try-catch from adding challenge route
+            console.error(`Failed to setup ACME challenge for ${primaryDomain}: ${error}`);
+            this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
+            throw error;
+        }
+    }
+    /**
+     * Provision static certificate
+     */
+    async provisionStaticCertificate(route, domain, certConfig) {
+        const routeName = route.name || domain;
+        try {
+            let key = certConfig.key;
+            let cert = certConfig.cert;
+            // Load from files if paths are provided
+            if (certConfig.keyFile) {
+                const keyFile = await plugins.smartfile.SmartFile.fromFilePath(certConfig.keyFile);
+                key = keyFile.contents.toString();
+            }
+            if (certConfig.certFile) {
+                const certFile = await plugins.smartfile.SmartFile.fromFilePath(certConfig.certFile);
+                cert = certFile.contents.toString();
+            }
+            // Parse certificate to get dates
+            // Parse certificate to get dates - for now just use defaults
+            // TODO: Implement actual certificate parsing if needed
+            const certInfo = { validTo: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000), validFrom: new Date() };
+            const certData = {
+                cert,
+                key,
+                expiryDate: certInfo.validTo,
+                issueDate: certInfo.validFrom
+            };
+            // Save to store for consistency
+            await this.certStore.saveCertificate(routeName, certData);
+            await this.applyCertificate(domain, certData);
+            this.updateCertStatus(routeName, 'valid', 'static', certData);
+            console.log(`Successfully loaded static certificate for ${domain}`);
+        }
+        catch (error) {
+            console.error(`Failed to provision static certificate for ${domain}: ${error}`);
+            this.updateCertStatus(routeName, 'error', 'static', undefined, error.message);
+            throw error;
+        }
+    }
+    /**
+     * Apply certificate to NetworkProxy
+     */
+    async applyCertificate(domain, certData) {
+        if (!this.networkProxy) {
+            console.warn('NetworkProxy not set, cannot apply certificate');
+            return;
+        }
+        // Apply certificate to NetworkProxy
+        this.networkProxy.updateCertificate(domain, certData.cert, certData.key);
+        // Also apply for wildcard if it's a subdomain
+        if (domain.includes('.') && !domain.startsWith('*.')) {
+            const parts = domain.split('.');
+            if (parts.length >= 2) {
+                const wildcardDomain = `*.${parts.slice(-2).join('.')}`;
+                this.networkProxy.updateCertificate(wildcardDomain, certData.cert, certData.key);
+            }
+        }
+    }
+    /**
+     * Extract domains from route configuration
+     */
+    extractDomainsFromRoute(route) {
+        if (!route.match.domains) {
+            return [];
+        }
+        const domains = Array.isArray(route.match.domains)
+            ? route.match.domains
+            : [route.match.domains];
+        // Filter out wildcards and patterns
+        return domains.filter(d => !d.includes('*') &&
+            !d.includes('{') &&
+            d.includes('.'));
+    }
+    /**
+     * Check if certificate is valid
+     */
+    isCertificateValid(cert) {
+        const now = new Date();
+        const expiryThreshold = new Date(now.getTime() + 30 * 24 * 60 * 60 * 1000); // 30 days
+        return cert.expiryDate > expiryThreshold;
+    }
+    /**
+     * Add challenge route to SmartProxy
+     */
+    async addChallengeRoute() {
+        if (!this.updateRoutesCallback) {
+            throw new Error('No route update callback set');
+        }
+        if (!this.challengeRoute) {
+            throw new Error('Challenge route not initialized');
+        }
+        const challengeRoute = this.challengeRoute;
+        const updatedRoutes = [...this.routes, challengeRoute];
+        await this.updateRoutesCallback(updatedRoutes);
+    }
+    /**
+     * Remove challenge route from SmartProxy
+     */
+    async removeChallengeRoute() {
+        if (!this.updateRoutesCallback) {
+            return;
+        }
+        const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
+        await this.updateRoutesCallback(filteredRoutes);
+    }
+    /**
+     * Start renewal timer
+     */
+    startRenewalTimer() {
+        // Check for renewals every 12 hours
+        this.renewalTimer = setInterval(() => {
+            this.checkAndRenewCertificates();
+        }, 12 * 60 * 60 * 1000);
+        // Also do an immediate check
+        this.checkAndRenewCertificates();
+    }
+    /**
+     * Check and renew certificates that are expiring
+     */
+    async checkAndRenewCertificates() {
+        for (const route of this.routes) {
+            if (route.action.tls?.certificate === 'auto') {
+                const routeName = route.name || this.extractDomainsFromRoute(route)[0];
+                const cert = await this.certStore.getCertificate(routeName);
+                if (cert && !this.isCertificateValid(cert)) {
+                    console.log(`Certificate for ${routeName} needs renewal`);
+                    try {
+                        await this.provisionCertificate(route);
+                    }
+                    catch (error) {
+                        console.error(`Failed to renew certificate for ${routeName}: ${error}`);
+                    }
+                }
+            }
+        }
+    }
+    /**
+     * Update certificate status
+     */
+    updateCertStatus(routeName, status, source, certData, error) {
+        this.certStatus.set(routeName, {
+            domain: routeName,
+            status,
+            source,
+            expiryDate: certData?.expiryDate,
+            issueDate: certData?.issueDate,
+            error
+        });
+    }
+    /**
+     * Get certificate status for a route
+     */
+    getCertificateStatus(routeName) {
+        return this.certStatus.get(routeName);
+    }
+    /**
+     * Force renewal of a certificate
+     */
+    async renewCertificate(routeName) {
+        const route = this.routes.find(r => r.name === routeName);
+        if (!route) {
+            throw new Error(`Route ${routeName} not found`);
+        }
+        // Remove existing certificate to force renewal
+        await this.certStore.deleteCertificate(routeName);
+        await this.provisionCertificate(route);
+    }
+    /**
+     * Setup challenge handler integration with SmartProxy routing
+     */
+    setupChallengeHandler(http01Handler) {
+        // Create a challenge route that delegates to SmartAcme's HTTP-01 handler
+        const challengeRoute = {
+            name: 'acme-challenge',
+            priority: 1000, // High priority
+            match: {
+                ports: 80,
+                path: '/.well-known/acme-challenge/*'
+            },
+            action: {
+                type: 'static',
+                handler: async (context) => {
+                    // Extract the token from the path
+                    const token = context.path?.split('/').pop();
+                    if (!token) {
+                        return { status: 404, body: 'Not found' };
+                    }
+                    // Create mock request/response objects for SmartAcme
+                    const mockReq = {
+                        url: context.path,
+                        method: 'GET',
+                        headers: context.headers || {}
+                    };
+                    let responseData = null;
+                    const mockRes = {
+                        statusCode: 200,
+                        setHeader: (name, value) => { },
+                        end: (data) => {
+                            responseData = data;
+                        }
+                    };
+                    // Use SmartAcme's handler
+                    const handled = await new Promise((resolve) => {
+                        http01Handler.handleRequest(mockReq, mockRes, () => {
+                            resolve(false);
+                        });
+                        // Give it a moment to process
+                        setTimeout(() => resolve(true), 100);
+                    });
+                    if (handled && responseData) {
+                        return {
+                            status: mockRes.statusCode,
+                            headers: { 'Content-Type': 'text/plain' },
+                            body: responseData
+                        };
+                    }
+                    else {
+                        return { status: 404, body: 'Not found' };
+                    }
+                }
+            }
+        };
+        // Store the challenge route to add it when needed
+        this.challengeRoute = challengeRoute;
+    }
+    /**
+     * Stop certificate manager
+     */
+    async stop() {
+        if (this.renewalTimer) {
+            clearInterval(this.renewalTimer);
+            this.renewalTimer = null;
+        }
+        if (this.smartAcme) {
+            await this.smartAcme.stop();
+        }
+        // Remove any active challenge routes
+        if (this.pendingChallenges.size > 0) {
+            this.pendingChallenges.clear();
+            await this.removeChallengeRoute();
+        }
+    }
+    /**
+     * Get ACME options (for recreating after route updates)
+     */
+    getAcmeOptions() {
+        return this.acmeOptions;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2VydGlmaWNhdGUtbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL3Byb3hpZXMvc21hcnQtcHJveHkvY2VydGlmaWNhdGUtbWFuYWdlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssT0FBTyxNQUFNLGtCQUFrQixDQUFDO0FBQzVDLE9BQU8sRUFBRSxZQUFZLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUV6RCxPQUFPLEVBQUUsU0FBUyxFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFtQjVDLE1BQU0sT0FBTyxnQkFBZ0I7SUFjM0IsWUFDVSxNQUFzQixFQUN0QixVQUFrQixTQUFTLEVBQzNCLFdBSVA7UUFOTyxXQUFNLEdBQU4sTUFBTSxDQUFnQjtRQUN0QixZQUFPLEdBQVAsT0FBTyxDQUFvQjtRQUMzQixnQkFBVyxHQUFYLFdBQVcsQ0FJbEI7UUFuQkssY0FBUyxHQUF1QyxJQUFJLENBQUM7UUFDckQsaUJBQVksR0FBd0IsSUFBSSxDQUFDO1FBQ3pDLGlCQUFZLEdBQTBCLElBQUksQ0FBQztRQUMzQyxzQkFBaUIsR0FBd0IsSUFBSSxHQUFHLEVBQUUsQ0FBQztRQUNuRCxtQkFBYyxHQUF3QixJQUFJLENBQUM7UUFFbkQseUNBQXlDO1FBQ2pDLGVBQVUsR0FBNkIsSUFBSSxHQUFHLEVBQUUsQ0FBQztRQWN2RCxJQUFJLENBQUMsU0FBUyxHQUFHLElBQUksU0FBUyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQzFDLENBQUM7SUFFTSxlQUFlLENBQUMsWUFBMEI7UUFDL0MsSUFBSSxDQUFDLFlBQVksR0FBRyxZQUFZLENBQUM7SUFDbkMsQ0FBQztJQUVEOztPQUVHO0lBQ0ksdUJBQXVCLENBQUMsUUFBbUQ7UUFDaEYsSUFBSSxDQUFDLG9CQUFvQixHQUFHLFFBQVEsQ0FBQztJQUN2QyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsVUFBVTtRQUNyQixtREFBbUQ7UUFDbkQsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBRWxDLGtEQUFrRDtRQUNsRCxNQUFNLGFBQWEsR0FBRyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUN6QyxDQUFDLENBQUMsTUFBTSxDQUFDLEdBQUcsRUFBRSxXQUFXLEtBQUssTUFBTSxDQUNyQyxDQUFDO1FBRUYsSUFBSSxhQUFhLElBQUksSUFBSSxDQUFDLFdBQVcsRUFBRSxLQUFLLEVBQUUsQ0FBQztZQUM3QyxtQ0FBbUM7WUFDbkMsTUFBTSxhQUFhLEdBQUcsSUFBSSxPQUFPLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQyxtQkFBbUIsRUFBRSxDQUFDO1lBRTNFLHdEQUF3RDtZQUN4RCxJQUFJLENBQUMscUJBQXFCLENBQUMsYUFBYSxDQUFDLENBQUM7WUFFMUMsZ0ZBQWdGO1lBQ2hGLElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxPQUFPLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQztnQkFDL0MsWUFBWSxFQUFFLElBQUksQ0FBQyxXQUFXLENBQUMsS0FBSztnQkFDcEMsV0FBVyxFQUFFLElBQUksQ0FBQyxXQUFXLENBQUMsYUFBYSxDQUFDLENBQUMsQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDLGFBQWE7Z0JBQzFFLFdBQVcsRUFBRSxJQUFJLE9BQU8sQ0FBQyxTQUFTLENBQUMsWUFBWSxDQUFDLGlCQUFpQixFQUFFO2dCQUNuRSxpQkFBaUIsRUFBRSxDQUFDLGFBQWEsQ0FBQzthQUNuQyxDQUFDLENBQUM7WUFFSCxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDL0IsQ0FBQztRQUVELHdDQUF3QztRQUN4QyxNQUFNLElBQUksQ0FBQyx3QkFBd0IsRUFBRSxDQUFDO1FBRXRDLHNCQUFzQjtRQUN0QixJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztJQUMzQixDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMsd0JBQXdCO1FBQ3BDLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQ3hDLENBQUMsQ0FBQyxNQUFNLENBQUMsR0FBRyxFQUFFLElBQUksS0FBSyxXQUFXO1lBQ2xDLENBQUMsQ0FBQyxNQUFNLENBQUMsR0FBRyxFQUFFLElBQUksS0FBSyx5QkFBeUIsQ0FDakQsQ0FBQztRQUVGLEtBQUssTUFBTSxLQUFLLElBQUksVUFBVSxFQUFFLENBQUM7WUFDL0IsSUFBSSxDQUFDO2dCQUNILE1BQU0sSUFBSSxDQUFDLG9CQUFvQixDQUFDLEtBQUssQ0FBQyxDQUFDO1lBQ3pDLENBQUM7WUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO2dCQUNmLE9BQU8sQ0FBQyxLQUFLLENBQUMsNkNBQTZDLEtBQUssQ0FBQyxJQUFJLEtBQUssS0FBSyxFQUFFLENBQUMsQ0FBQztZQUNyRixDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQyxLQUFtQjtRQUNuRCxNQUFNLEdBQUcsR0FBRyxLQUFLLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQztRQUM3QixJQUFJLENBQUMsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLElBQUksS0FBSyxXQUFXLElBQUksR0FBRyxDQUFDLElBQUksS0FBSyx5QkFBeUIsQ0FBQyxFQUFFLENBQUM7WUFDakYsT0FBTztRQUNULENBQUM7UUFFRCxNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsdUJBQXVCLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDcEQsSUFBSSxPQUFPLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ3pCLE9BQU8sQ0FBQyxJQUFJLENBQUMsU0FBUyxLQUFLLENBQUMsSUFBSSxxQ0FBcUMsQ0FBQyxDQUFDO1lBQ3ZFLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBRWpDLElBQUksR0FBRyxDQUFDLFdBQVcsS0FBSyxNQUFNLEVBQUUsQ0FBQztZQUMvQixtQkFBbUI7WUFDbkIsTUFBTSxJQUFJLENBQUMsd0JBQXdCLENBQUMsS0FBSyxFQUFFLE9BQU8sQ0FBQyxDQUFDO1FBQ3RELENBQUM7YUFBTSxJQUFJLE9BQU8sR0FBRyxDQUFDLFdBQVcsS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUMvQyxxQkFBcUI7WUFDckIsTUFBTSxJQUFJLENBQUMsMEJBQTBCLENBQUMsS0FBSyxFQUFFLGFBQWEsRUFBRSxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDL0UsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyx3QkFBd0IsQ0FDcEMsS0FBbUIsRUFDbkIsT0FBaUI7UUFFakIsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUNwQixNQUFNLElBQUksS0FBSyxDQUFDLDJCQUEyQixDQUFDLENBQUM7UUFDL0MsQ0FBQztRQUVELE1BQU0sYUFBYSxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNqQyxNQUFNLFNBQVMsR0FBRyxLQUFLLENBQUMsSUFBSSxJQUFJLGFBQWEsQ0FBQztRQUU5QywrQ0FBK0M7UUFDL0MsTUFBTSxZQUFZLEdBQUcsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLGNBQWMsQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUNwRSxJQUFJLFlBQVksSUFBSSxJQUFJLENBQUMsa0JBQWtCLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQztZQUMxRCxPQUFPLENBQUMsR0FBRyxDQUFDLHdDQUF3QyxhQUFhLEVBQUUsQ0FBQyxDQUFDO1lBQ3JFLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLGFBQWEsRUFBRSxZQUFZLENBQUMsQ0FBQztZQUN6RCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsU0FBUyxFQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsWUFBWSxDQUFDLENBQUM7WUFDaEUsT0FBTztRQUNULENBQUM7UUFFRCxPQUFPLENBQUMsR0FBRyxDQUFDLG1DQUFtQyxPQUFPLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUNyRSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsU0FBUyxFQUFFLFNBQVMsRUFBRSxNQUFNLENBQUMsQ0FBQztRQUVwRCxJQUFJLENBQUM7WUFDSCxvREFBb0Q7WUFDcEQsTUFBTSxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUUvQixJQUFJLENBQUM7Z0JBQ0gsbUNBQW1DO2dCQUNuQyxNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsdUJBQXVCLENBQUMsYUFBYSxDQUFDLENBQUM7Z0JBRTNFLGdEQUFnRDtnQkFDaEQsNENBQTRDO2dCQUM1QywyQ0FBMkM7Z0JBQzNDLHFDQUFxQztnQkFDckMsMENBQTBDO2dCQUMxQyxnQ0FBZ0M7Z0JBQ2hDLE1BQU0sUUFBUSxHQUFxQjtvQkFDakMsSUFBSSxFQUFFLElBQUksQ0FBQyxTQUFTO29CQUNwQixHQUFHLEVBQUUsSUFBSSxDQUFDLFVBQVU7b0JBQ3BCLEVBQUUsRUFBRSxJQUFJLENBQUMsU0FBUyxFQUFFLDJCQUEyQjtvQkFDL0MsVUFBVSxFQUFFLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUM7b0JBQ3JDLFNBQVMsRUFBRSxJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDO2lCQUNsQyxDQUFDO2dCQUVGLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxlQUFlLENBQUMsU0FBUyxFQUFFLFFBQVEsQ0FBQyxDQUFDO2dCQUMxRCxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxhQUFhLEVBQUUsUUFBUSxDQUFDLENBQUM7Z0JBQ3JELElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxTQUFTLEVBQUUsT0FBTyxFQUFFLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQztnQkFFMUQsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpREFBaUQsYUFBYSxFQUFFLENBQUMsQ0FBQztZQUNoRixDQUFDO1lBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztnQkFDZixPQUFPLENBQUMsS0FBSyxDQUFDLDRDQUE0QyxhQUFhLEtBQUssS0FBSyxFQUFFLENBQUMsQ0FBQztnQkFDckYsSUFBSSxDQUFDLGdCQUFnQixDQUFDLFNBQVMsRUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLFNBQVMsRUFBRSxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7Z0JBQzVFLE1BQU0sS0FBSyxDQUFDO1lBQ2QsQ0FBQztvQkFBUyxDQUFDO2dCQUNULG1EQUFtRDtnQkFDbkQsTUFBTSxJQUFJLENBQUMsb0JBQW9CLEVBQUUsQ0FBQztZQUNwQyxDQUFDO1FBQ0gsQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDZixxREFBcUQ7WUFDckQsT0FBTyxDQUFDLEtBQUssQ0FBQyxzQ0FBc0MsYUFBYSxLQUFLLEtBQUssRUFBRSxDQUFDLENBQUM7WUFDL0UsSUFBSSxDQUFDLGdCQUFnQixDQUFDLFNBQVMsRUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLFNBQVMsRUFBRSxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDNUUsTUFBTSxLQUFLLENBQUM7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLDBCQUEwQixDQUN0QyxLQUFtQixFQUNuQixNQUFjLEVBQ2QsVUFBOEU7UUFFOUUsTUFBTSxTQUFTLEdBQUcsS0FBSyxDQUFDLElBQUksSUFBSSxNQUFNLENBQUM7UUFFdkMsSUFBSSxDQUFDO1lBQ0gsSUFBSSxHQUFHLEdBQVcsVUFBVSxDQUFDLEdBQUcsQ0FBQztZQUNqQyxJQUFJLElBQUksR0FBVyxVQUFVLENBQUMsSUFBSSxDQUFDO1lBRW5DLHdDQUF3QztZQUN4QyxJQUFJLFVBQVUsQ0FBQyxPQUFPLEVBQUUsQ0FBQztnQkFDdkIsTUFBTSxPQUFPLEdBQUcsTUFBTSxPQUFPLENBQUMsU0FBUyxDQUFDLFNBQVMsQ0FBQyxZQUFZLENBQUMsVUFBVSxDQUFDLE9BQU8sQ0FBQyxDQUFDO2dCQUNuRixHQUFHLEdBQUcsT0FBTyxDQUFDLFFBQVEsQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNwQyxDQUFDO1lBQ0QsSUFBSSxVQUFVLENBQUMsUUFBUSxFQUFFLENBQUM7Z0JBQ3hCLE1BQU0sUUFBUSxHQUFHLE1BQU0sT0FBTyxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsWUFBWSxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsQ0FBQztnQkFDckYsSUFBSSxHQUFHLFFBQVEsQ0FBQyxRQUFRLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDdEMsQ0FBQztZQUVELGlDQUFpQztZQUNqQyw2REFBNkQ7WUFDN0QsdURBQXVEO1lBQ3ZELE1BQU0sUUFBUSxHQUFHLEVBQUUsT0FBTyxFQUFFLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLEVBQUUsU0FBUyxFQUFFLElBQUksSUFBSSxFQUFFLEVBQUUsQ0FBQztZQUVyRyxNQUFNLFFBQVEsR0FBcUI7Z0JBQ2pDLElBQUk7Z0JBQ0osR0FBRztnQkFDSCxVQUFVLEVBQUUsUUFBUSxDQUFDLE9BQU87Z0JBQzVCLFNBQVMsRUFBRSxRQUFRLENBQUMsU0FBUzthQUM5QixDQUFDO1lBRUYsZ0NBQWdDO1lBQ2hDLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxlQUFlLENBQUMsU0FBUyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQzFELE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQztZQUM5QyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsU0FBUyxFQUFFLE9BQU8sRUFBRSxRQUFRLEVBQUUsUUFBUSxDQUFDLENBQUM7WUFFOUQsT0FBTyxDQUFDLEdBQUcsQ0FBQyw4Q0FBOEMsTUFBTSxFQUFFLENBQUMsQ0FBQztRQUN0RSxDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLE9BQU8sQ0FBQyxLQUFLLENBQUMsOENBQThDLE1BQU0sS0FBSyxLQUFLLEVBQUUsQ0FBQyxDQUFDO1lBQ2hGLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxTQUFTLEVBQUUsT0FBTyxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1lBQzlFLE1BQU0sS0FBSyxDQUFDO1FBQ2QsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxNQUFjLEVBQUUsUUFBMEI7UUFDdkUsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztZQUN2QixPQUFPLENBQUMsSUFBSSxDQUFDLGdEQUFnRCxDQUFDLENBQUM7WUFDL0QsT0FBTztRQUNULENBQUM7UUFFRCxvQ0FBb0M7UUFDcEMsSUFBSSxDQUFDLFlBQVksQ0FBQyxpQkFBaUIsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLElBQUksRUFBRSxRQUFRLENBQUMsR0FBRyxDQUFDLENBQUM7UUFFekUsOENBQThDO1FBQzlDLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztZQUNyRCxNQUFNLEtBQUssR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQ2hDLElBQUksS0FBSyxDQUFDLE1BQU0sSUFBSSxDQUFDLEVBQUUsQ0FBQztnQkFDdEIsTUFBTSxjQUFjLEdBQUcsS0FBSyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7Z0JBQ3hELElBQUksQ0FBQyxZQUFZLENBQUMsaUJBQWlCLENBQUMsY0FBYyxFQUFFLFFBQVEsQ0FBQyxJQUFJLEVBQUUsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQ25GLENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssdUJBQXVCLENBQUMsS0FBbUI7UUFDakQsSUFBSSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDekIsT0FBTyxFQUFFLENBQUM7UUFDWixDQUFDO1FBRUQsTUFBTSxPQUFPLEdBQUcsS0FBSyxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQztZQUNoRCxDQUFDLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxPQUFPO1lBQ3JCLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7UUFFMUIsb0NBQW9DO1FBQ3BDLE9BQU8sT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUN4QixDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDO1lBQ2hCLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7WUFDaEIsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FDaEIsQ0FBQztJQUNKLENBQUM7SUFFRDs7T0FFRztJQUNLLGtCQUFrQixDQUFDLElBQXNCO1FBQy9DLE1BQU0sR0FBRyxHQUFHLElBQUksSUFBSSxFQUFFLENBQUM7UUFDdkIsTUFBTSxlQUFlLEdBQUcsSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUMsQ0FBQyxDQUFDLFVBQVU7UUFFdEYsT0FBTyxJQUFJLENBQUMsVUFBVSxHQUFHLGVBQWUsQ0FBQztJQUMzQyxDQUFDO0lBR0Q7O09BRUc7SUFDSyxLQUFLLENBQUMsaUJBQWlCO1FBQzdCLElBQUksQ0FBQyxJQUFJLENBQUMsb0JBQW9CLEVBQUUsQ0FBQztZQUMvQixNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixDQUFDLENBQUM7UUFDbEQsQ0FBQztRQUVELElBQUksQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDekIsTUFBTSxJQUFJLEtBQUssQ0FBQyxpQ0FBaUMsQ0FBQyxDQUFDO1FBQ3JELENBQUM7UUFDRCxNQUFNLGNBQWMsR0FBRyxJQUFJLENBQUMsY0FBYyxDQUFDO1FBRTNDLE1BQU0sYUFBYSxHQUFHLENBQUMsR0FBRyxJQUFJLENBQUMsTUFBTSxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQ3ZELE1BQU0sSUFBSSxDQUFDLG9CQUFvQixDQUFDLGFBQWEsQ0FBQyxDQUFDO0lBQ2pELENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxvQkFBb0I7UUFDaEMsSUFBSSxDQUFDLElBQUksQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO1lBQy9CLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxjQUFjLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxLQUFLLGdCQUFnQixDQUFDLENBQUM7UUFDNUUsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsY0FBYyxDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUVEOztPQUVHO0lBQ0ssaUJBQWlCO1FBQ3ZCLG9DQUFvQztRQUNwQyxJQUFJLENBQUMsWUFBWSxHQUFHLFdBQVcsQ0FBQyxHQUFHLEVBQUU7WUFDbkMsSUFBSSxDQUFDLHlCQUF5QixFQUFFLENBQUM7UUFDbkMsQ0FBQyxFQUFFLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDO1FBRXhCLDZCQUE2QjtRQUM3QixJQUFJLENBQUMseUJBQXlCLEVBQUUsQ0FBQztJQUNuQyxDQUFDO0lBRUQ7O09BRUc7SUFDSyxLQUFLLENBQUMseUJBQXlCO1FBQ3JDLEtBQUssTUFBTSxLQUFLLElBQUksSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ2hDLElBQUksS0FBSyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsV0FBVyxLQUFLLE1BQU0sRUFBRSxDQUFDO2dCQUM3QyxNQUFNLFNBQVMsR0FBRyxLQUFLLENBQUMsSUFBSSxJQUFJLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFDdkUsTUFBTSxJQUFJLEdBQUcsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLGNBQWMsQ0FBQyxTQUFTLENBQUMsQ0FBQztnQkFFNUQsSUFBSSxJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsa0JBQWtCLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztvQkFDM0MsT0FBTyxDQUFDLEdBQUcsQ0FBQyxtQkFBbUIsU0FBUyxnQkFBZ0IsQ0FBQyxDQUFDO29CQUMxRCxJQUFJLENBQUM7d0JBQ0gsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsS0FBSyxDQUFDLENBQUM7b0JBQ3pDLENBQUM7b0JBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQzt3QkFDZixPQUFPLENBQUMsS0FBSyxDQUFDLG1DQUFtQyxTQUFTLEtBQUssS0FBSyxFQUFFLENBQUMsQ0FBQztvQkFDMUUsQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSyxnQkFBZ0IsQ0FDdEIsU0FBaUIsRUFDakIsTUFBNkIsRUFDN0IsTUFBNkIsRUFDN0IsUUFBMkIsRUFDM0IsS0FBYztRQUVkLElBQUksQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLFNBQVMsRUFBRTtZQUM3QixNQUFNLEVBQUUsU0FBUztZQUNqQixNQUFNO1lBQ04sTUFBTTtZQUNOLFVBQVUsRUFBRSxRQUFRLEVBQUUsVUFBVTtZQUNoQyxTQUFTLEVBQUUsUUFBUSxFQUFFLFNBQVM7WUFDOUIsS0FBSztTQUNOLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRDs7T0FFRztJQUNJLG9CQUFvQixDQUFDLFNBQWlCO1FBQzNDLE9BQU8sSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLENBQUM7SUFDeEMsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLGdCQUFnQixDQUFDLFNBQWlCO1FBQzdDLE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLElBQUksS0FBSyxTQUFTLENBQUMsQ0FBQztRQUMxRCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDWCxNQUFNLElBQUksS0FBSyxDQUFDLFNBQVMsU0FBUyxZQUFZLENBQUMsQ0FBQztRQUNsRCxDQUFDO1FBRUQsK0NBQStDO1FBQy9DLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxpQkFBaUIsQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUNsRCxNQUFNLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUN6QyxDQUFDO0lBRUQ7O09BRUc7SUFDSyxxQkFBcUIsQ0FBQyxhQUE2RDtRQUN6Rix5RUFBeUU7UUFDekUsTUFBTSxjQUFjLEdBQWlCO1lBQ25DLElBQUksRUFBRSxnQkFBZ0I7WUFDdEIsUUFBUSxFQUFFLElBQUksRUFBRyxnQkFBZ0I7WUFDakMsS0FBSyxFQUFFO2dCQUNMLEtBQUssRUFBRSxFQUFFO2dCQUNULElBQUksRUFBRSwrQkFBK0I7YUFDdEM7WUFDRCxNQUFNLEVBQUU7Z0JBQ04sSUFBSSxFQUFFLFFBQVE7Z0JBQ2QsT0FBTyxFQUFFLEtBQUssRUFBRSxPQUFPLEVBQUUsRUFBRTtvQkFDekIsa0NBQWtDO29CQUNsQyxNQUFNLEtBQUssR0FBRyxPQUFPLENBQUMsSUFBSSxFQUFFLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQztvQkFDN0MsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO3dCQUNYLE9BQU8sRUFBRSxNQUFNLEVBQUUsR0FBRyxFQUFFLElBQUksRUFBRSxXQUFXLEVBQUUsQ0FBQztvQkFDNUMsQ0FBQztvQkFFRCxxREFBcUQ7b0JBQ3JELE1BQU0sT0FBTyxHQUFHO3dCQUNkLEdBQUcsRUFBRSxPQUFPLENBQUMsSUFBSTt3QkFDakIsTUFBTSxFQUFFLEtBQUs7d0JBQ2IsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPLElBQUksRUFBRTtxQkFDL0IsQ0FBQztvQkFFRixJQUFJLFlBQVksR0FBUSxJQUFJLENBQUM7b0JBQzdCLE1BQU0sT0FBTyxHQUFHO3dCQUNkLFVBQVUsRUFBRSxHQUFHO3dCQUNmLFNBQVMsRUFBRSxDQUFDLElBQVksRUFBRSxLQUFhLEVBQUUsRUFBRSxHQUFFLENBQUM7d0JBQzlDLEdBQUcsRUFBRSxDQUFDLElBQVMsRUFBRSxFQUFFOzRCQUNqQixZQUFZLEdBQUcsSUFBSSxDQUFDO3dCQUN0QixDQUFDO3FCQUNGLENBQUM7b0JBRUYsMEJBQTBCO29CQUMxQixNQUFNLE9BQU8sR0FBRyxNQUFNLElBQUksT0FBTyxDQUFVLENBQUMsT0FBTyxFQUFFLEVBQUU7d0JBQ3JELGFBQWEsQ0FBQyxhQUFhLENBQUMsT0FBYyxFQUFFLE9BQWMsRUFBRSxHQUFHLEVBQUU7NEJBQy9ELE9BQU8sQ0FBQyxLQUFLLENBQUMsQ0FBQzt3QkFDakIsQ0FBQyxDQUFDLENBQUM7d0JBQ0gsOEJBQThCO3dCQUM5QixVQUFVLENBQUMsR0FBRyxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxFQUFFLEdBQUcsQ0FBQyxDQUFDO29CQUN2QyxDQUFDLENBQUMsQ0FBQztvQkFFSCxJQUFJLE9BQU8sSUFBSSxZQUFZLEVBQUUsQ0FBQzt3QkFDNUIsT0FBTzs0QkFDTCxNQUFNLEVBQUUsT0FBTyxDQUFDLFVBQVU7NEJBQzFCLE9BQU8sRUFBRSxFQUFFLGNBQWMsRUFBRSxZQUFZLEVBQUU7NEJBQ3pDLElBQUksRUFBRSxZQUFZO3lCQUNuQixDQUFDO29CQUNKLENBQUM7eUJBQU0sQ0FBQzt3QkFDTixPQUFPLEVBQUUsTUFBTSxFQUFFLEdBQUcsRUFBRSxJQUFJLEVBQUUsV0FBVyxFQUFFLENBQUM7b0JBQzVDLENBQUM7Z0JBQ0gsQ0FBQzthQUNGO1NBQ0YsQ0FBQztRQUVGLGtEQUFrRDtRQUNsRCxJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztJQUN2QyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsSUFBSTtRQUNmLElBQUksSUFBSSxDQUFDLFlBQVksRUFBRSxDQUFDO1lBQ3RCLGFBQWEsQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUM7WUFDakMsSUFBSSxDQUFDLFlBQVksR0FBRyxJQUFJLENBQUM7UUFDM0IsQ0FBQztRQUVELElBQUksSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ25CLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUM5QixDQUFDO1FBRUQscUNBQXFDO1FBQ3JDLElBQUksSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUNwQyxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDL0IsTUFBTSxJQUFJLENBQUMsb0JBQW9CLEVBQUUsQ0FBQztRQUNwQyxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksY0FBYztRQUNuQixPQUFPLElBQUksQ0FBQyxXQUFXLENBQUM7SUFDMUIsQ0FBQztDQUNGIn0=