@push.rocks/smartproxy 23.0.0 → 23.1.1

package/dist_ts/proxies/smart-proxy/certificate-manager.js

@@ -1,745 +0,0 @@
-import * as plugins from '../../plugins.js';
-import { HttpProxy } from '../http-proxy/index.js';
-import { CertStore } from './cert-store.js';
-import { logger } from '../../core/utils/logger.js';
-import { SocketHandlers } from './utils/route-helpers.js';
-export class SmartCertManager {
-    constructor(routes, certDir = './certs', acmeOptions, initialState) {
-        this.routes = routes;
-        this.certDir = certDir;
-        this.acmeOptions = acmeOptions;
-        this.initialState = initialState;
-        this.smartAcme = null;
-        this.httpProxy = null;
-        this.renewalTimer = null;
-        this.pendingChallenges = new Map();
-        this.challengeRoute = null;
-        // Track certificate status by route name
-        this.certStatus = new Map();
-        // Global ACME defaults from top-level configuration
-        this.globalAcmeDefaults = null;
-        // Flag to track if challenge route is currently active
-        this.challengeRouteActive = false;
-        // Flag to track if provisioning is in progress
-        this.isProvisioning = false;
-        // ACME state manager reference
-        this.acmeStateManager = null;
-        // Whether to fallback to ACME if custom provision fails
-        this.certProvisionFallbackToAcme = true;
-        this.certStore = new CertStore(certDir);
-        // Apply initial state if provided
-        if (initialState) {
-            this.challengeRouteActive = initialState.challengeRouteActive || false;
-        }
-    }
-    setHttpProxy(httpProxy) {
-        this.httpProxy = httpProxy;
-    }
-    /**
-     * Set the ACME state manager
-     */
-    setAcmeStateManager(stateManager) {
-        this.acmeStateManager = stateManager;
-    }
-    /**
-     * Set global ACME defaults from top-level configuration
-     */
-    setGlobalAcmeDefaults(defaults) {
-        this.globalAcmeDefaults = defaults;
-    }
-    /**
-     * Set custom certificate provision function
-     */
-    setCertProvisionFunction(fn) {
-        this.certProvisionFunction = fn;
-    }
-    /**
-     * Set whether to fallback to ACME if custom provision fails
-     */
-    setCertProvisionFallbackToAcme(fallback) {
-        this.certProvisionFallbackToAcme = fallback;
-    }
-    /**
-     * Update the routes array to keep it in sync with SmartProxy
-     * This prevents stale route data when adding/removing challenge routes
-     */
-    setRoutes(routes) {
-        this.routes = routes;
-    }
-    /**
-     * Set callback for updating routes (used for challenge routes)
-     */
-    setUpdateRoutesCallback(callback) {
-        this.updateRoutesCallback = callback;
-        try {
-            logger.log('debug', 'Route update callback set successfully', { component: 'certificate-manager' });
-        }
-        catch (error) {
-            // Silently handle logging errors
-            console.log('[DEBUG] Route update callback set successfully');
-        }
-    }
-    /**
-     * Initialize certificate manager and provision certificates for all routes
-     */
-    async initialize() {
-        // Create certificate directory if it doesn't exist
-        await this.certStore.initialize();
-        // Initialize SmartAcme if we have any ACME routes
-        const hasAcmeRoutes = this.routes.some(r => r.action.tls?.certificate === 'auto');
-        if (hasAcmeRoutes && this.acmeOptions?.email) {
-            // Create HTTP-01 challenge handler
-            const http01Handler = new plugins.smartacme.handlers.Http01MemoryHandler();
-            // Set up challenge handler integration with our routing
-            this.setupChallengeHandler(http01Handler);
-            // Create SmartAcme instance with built-in MemoryCertManager and HTTP-01 handler
-            this.smartAcme = new plugins.smartacme.SmartAcme({
-                accountEmail: this.acmeOptions.email,
-                environment: this.acmeOptions.useProduction ? 'production' : 'integration',
-                certManager: new plugins.smartacme.certmanagers.MemoryCertManager(),
-                challengeHandlers: [http01Handler]
-            });
-            await this.smartAcme.start();
-            // Add challenge route once at initialization if not already active
-            if (!this.challengeRouteActive) {
-                logger.log('info', 'Adding ACME challenge route during initialization', { component: 'certificate-manager' });
-                await this.addChallengeRoute();
-            }
-            else {
-                logger.log('info', 'Challenge route already active from previous instance', { component: 'certificate-manager' });
-            }
-        }
-        // Skip automatic certificate provisioning during initialization
-        // This will be called later after ports are listening
-        logger.log('info', 'Certificate manager initialized. Deferring certificate provisioning until after ports are listening.', { component: 'certificate-manager' });
-        // Start renewal timer
-        this.startRenewalTimer();
-    }
-    /**
-     * Provision certificates for all routes that need them
-     */
-    async provisionAllCertificates() {
-        const certRoutes = this.routes.filter(r => r.action.tls?.mode === 'terminate' ||
-            r.action.tls?.mode === 'terminate-and-reencrypt');
-        // Set provisioning flag to prevent concurrent operations
-        this.isProvisioning = true;
-        try {
-            for (const route of certRoutes) {
-                try {
-                    await this.provisionCertificate(route, true); // Allow concurrent since we're managing it here
-                }
-                catch (error) {
-                    logger.log('error', `Failed to provision certificate for route ${route.name}`, { routeName: route.name, error, component: 'certificate-manager' });
-                }
-            }
-        }
-        finally {
-            this.isProvisioning = false;
-        }
-    }
-    /**
-     * Provision certificate for a single route
-     */
-    async provisionCertificate(route, allowConcurrent = false) {
-        const tls = route.action.tls;
-        if (!tls || (tls.mode !== 'terminate' && tls.mode !== 'terminate-and-reencrypt')) {
-            return;
-        }
-        // Check if provisioning is already in progress (prevent concurrent provisioning)
-        if (!allowConcurrent && this.isProvisioning) {
-            logger.log('info', `Certificate provisioning already in progress, skipping ${route.name}`, { routeName: route.name, component: 'certificate-manager' });
-            return;
-        }
-        const domains = this.extractDomainsFromRoute(route);
-        if (domains.length === 0) {
-            logger.log('warn', `Route ${route.name} has TLS termination but no domains`, { routeName: route.name, component: 'certificate-manager' });
-            return;
-        }
-        const primaryDomain = domains[0];
-        if (tls.certificate === 'auto') {
-            // ACME certificate
-            await this.provisionAcmeCertificate(route, domains);
-        }
-        else if (typeof tls.certificate === 'object') {
-            // Static certificate
-            await this.provisionStaticCertificate(route, primaryDomain, tls.certificate);
-        }
-    }
-    /**
-     * Provision ACME certificate
-     */
-    async provisionAcmeCertificate(route, domains) {
-        const primaryDomain = domains[0];
-        const routeName = route.name || primaryDomain;
-        // Check if we already have a valid certificate
-        const existingCert = await this.certStore.getCertificate(routeName);
-        if (existingCert && this.isCertificateValid(existingCert)) {
-            logger.log('info', `Using existing valid certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-            await this.applyCertificate(primaryDomain, existingCert);
-            this.updateCertStatus(routeName, 'valid', existingCert.source || 'acme', existingCert);
-            return;
-        }
-        // Check for custom provision function first
-        if (this.certProvisionFunction) {
-            try {
-                logger.log('info', `Attempting custom certificate provision for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-                const result = await this.certProvisionFunction(primaryDomain);
-                if (result === 'http01') {
-                    logger.log('info', `Custom function returned 'http01', falling back to Let's Encrypt for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-                    // Continue with existing ACME logic below
-                }
-                else {
-                    // Use custom certificate
-                    const customCert = result;
-                    // Convert to internal certificate format
-                    const certData = {
-                        cert: customCert.publicKey,
-                        key: customCert.privateKey,
-                        ca: '',
-                        issueDate: new Date(),
-                        expiryDate: this.extractExpiryDate(customCert.publicKey),
-                        source: 'custom'
-                    };
-                    // Store and apply certificate
-                    await this.certStore.saveCertificate(routeName, certData);
-                    await this.applyCertificate(primaryDomain, certData);
-                    this.updateCertStatus(routeName, 'valid', 'custom', certData);
-                    logger.log('info', `Custom certificate applied for ${primaryDomain}`, {
-                        domain: primaryDomain,
-                        expiryDate: certData.expiryDate,
-                        component: 'certificate-manager'
-                    });
-                    return;
-                }
-            }
-            catch (error) {
-                logger.log('error', `Custom cert provision failed for ${primaryDomain}: ${error.message}`, {
-                    domain: primaryDomain,
-                    error: error.message,
-                    component: 'certificate-manager'
-                });
-                // Check if we should fallback to ACME
-                if (!this.certProvisionFallbackToAcme) {
-                    throw error;
-                }
-                logger.log('info', `Falling back to Let's Encrypt for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-            }
-        }
-        if (!this.smartAcme) {
-            throw new Error('SmartAcme not initialized. This usually means no ACME email was provided. ' +
-                'Please ensure you have configured ACME with an email address either:\n' +
-                '1. In the top-level "acme" configuration\n' +
-                '2. In the route\'s "tls.acme" configuration');
-        }
-        // Apply renewal threshold from global defaults or route config
-        const renewThreshold = route.action.tls?.acme?.renewBeforeDays ||
-            this.globalAcmeDefaults?.renewThresholdDays ||
-            30;
-        logger.log('info', `Requesting ACME certificate for ${domains.join(', ')} (renew ${renewThreshold} days before expiry)`, { domains: domains.join(', '), renewThreshold, component: 'certificate-manager' });
-        this.updateCertStatus(routeName, 'pending', 'acme');
-        try {
-            // Challenge route should already be active from initialization
-            // No need to add it for each certificate
-            // Determine if we should request a wildcard certificate
-            // Only request wildcards if:
-            // 1. The primary domain is not already a wildcard
-            // 2. The domain has multiple parts (can have subdomains)
-            // 3. We have DNS-01 challenge support (required for wildcards)
-            const hasDnsChallenge = this.smartAcme.challengeHandlers?.some((handler) => handler.getSupportedTypes && handler.getSupportedTypes().includes('dns-01'));
-            const shouldIncludeWildcard = !primaryDomain.startsWith('*.') &&
-                primaryDomain.includes('.') &&
-                primaryDomain.split('.').length >= 2 &&
-                hasDnsChallenge;
-            if (shouldIncludeWildcard) {
-                logger.log('info', `Requesting wildcard certificate for ${primaryDomain} (DNS-01 available)`, { domain: primaryDomain, challengeType: 'DNS-01', component: 'certificate-manager' });
-            }
-            // Use smartacme to get certificate with optional wildcard
-            const cert = await this.smartAcme.getCertificateForDomain(primaryDomain, shouldIncludeWildcard ? { includeWildcard: true } : undefined);
-            // SmartAcme's Cert object has these properties:
-            // - publicKey: The certificate PEM string  
-            // - privateKey: The private key PEM string
-            // - csr: Certificate signing request
-            // - validUntil: Timestamp in milliseconds
-            // - domainName: The domain name
-            const certData = {
-                cert: cert.publicKey,
-                key: cert.privateKey,
-                ca: cert.publicKey, // Use same as cert for now
-                expiryDate: new Date(cert.validUntil),
-                issueDate: new Date(cert.created),
-                source: 'acme'
-            };
-            await this.certStore.saveCertificate(routeName, certData);
-            await this.applyCertificate(primaryDomain, certData);
-            this.updateCertStatus(routeName, 'valid', 'acme', certData);
-            logger.log('info', `Successfully provisioned ACME certificate for ${primaryDomain}`, { domain: primaryDomain, component: 'certificate-manager' });
-        }
-        catch (error) {
-            logger.log('error', `Failed to provision ACME certificate for ${primaryDomain}: ${error.message}`, { domain: primaryDomain, error: error.message, component: 'certificate-manager' });
-            this.updateCertStatus(routeName, 'error', 'acme', undefined, error.message);
-            throw error;
-        }
-    }
-    /**
-     * Provision static certificate
-     */
-    async provisionStaticCertificate(route, domain, certConfig) {
-        const routeName = route.name || domain;
-        try {
-            let key = certConfig.key;
-            let cert = certConfig.cert;
-            // Load from files if paths are provided
-            const smartFileFactory = plugins.smartfile.SmartFileFactory.nodeFs();
-            if (certConfig.keyFile) {
-                const keyFile = await smartFileFactory.fromFilePath(certConfig.keyFile);
-                key = keyFile.contents.toString();
-            }
-            if (certConfig.certFile) {
-                const certFile = await smartFileFactory.fromFilePath(certConfig.certFile);
-                cert = certFile.contents.toString();
-            }
-            // Parse certificate to get dates
-            const expiryDate = this.extractExpiryDate(cert);
-            const issueDate = new Date(); // Current date as issue date
-            const certData = {
-                cert,
-                key,
-                expiryDate,
-                issueDate,
-                source: 'static'
-            };
-            // Save to store for consistency
-            await this.certStore.saveCertificate(routeName, certData);
-            await this.applyCertificate(domain, certData);
-            this.updateCertStatus(routeName, 'valid', 'static', certData);
-            logger.log('info', `Successfully loaded static certificate for ${domain}`, { domain, component: 'certificate-manager' });
-        }
-        catch (error) {
-            logger.log('error', `Failed to provision static certificate for ${domain}: ${error.message}`, { domain, error: error.message, component: 'certificate-manager' });
-            this.updateCertStatus(routeName, 'error', 'static', undefined, error.message);
-            throw error;
-        }
-    }
-    /**
-     * Apply certificate to HttpProxy
-     */
-    async applyCertificate(domain, certData) {
-        if (!this.httpProxy) {
-            logger.log('warn', `HttpProxy not set, cannot apply certificate for domain ${domain}`, { domain, component: 'certificate-manager' });
-            return;
-        }
-        // Apply certificate to HttpProxy
-        this.httpProxy.updateCertificate(domain, certData.cert, certData.key);
-        // Also apply for wildcard if it's a subdomain
-        if (domain.includes('.') && !domain.startsWith('*.')) {
-            const parts = domain.split('.');
-            if (parts.length >= 2) {
-                const wildcardDomain = `*.${parts.slice(-2).join('.')}`;
-                this.httpProxy.updateCertificate(wildcardDomain, certData.cert, certData.key);
-            }
-        }
-    }
-    /**
-     * Extract domains from route configuration
-     */
-    extractDomainsFromRoute(route) {
-        if (!route.match.domains) {
-            return [];
-        }
-        const domains = Array.isArray(route.match.domains)
-            ? route.match.domains
-            : [route.match.domains];
-        // Filter out wildcards and patterns
-        return domains.filter(d => !d.includes('*') &&
-            !d.includes('{') &&
-            d.includes('.'));
-    }
-    /**
-     * Check if certificate is valid
-     */
-    isCertificateValid(cert) {
-        const now = new Date();
-        // Use renewal threshold from global defaults or fallback to 30 days
-        const renewThresholdDays = this.globalAcmeDefaults?.renewThresholdDays || 30;
-        const expiryThreshold = new Date(now.getTime() + renewThresholdDays * 24 * 60 * 60 * 1000);
-        return cert.expiryDate > expiryThreshold;
-    }
-    /**
-     * Extract expiry date from a PEM certificate
-     */
-    extractExpiryDate(_certPem) {
-        // For now, we'll default to 90 days for custom certificates
-        // In production, you might want to use a proper X.509 parser
-        // or require the custom cert provider to include expiry info
-        logger.log('info', 'Using default 90-day expiry for custom certificate', {
-            component: 'certificate-manager'
-        });
-        return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000);
-    }
-    /**
-     * Add challenge route to SmartProxy
-     *
-     * This method adds a special route for ACME HTTP-01 challenges, which typically uses port 80.
-     * Since we may already be listening on port 80 for regular routes, we need to be
-     * careful about how we add this route to avoid binding conflicts.
-     */
-    async addChallengeRoute() {
-        // Check with state manager first - avoid duplication
-        if (this.acmeStateManager && this.acmeStateManager.isChallengeRouteActive()) {
-            try {
-                logger.log('info', 'Challenge route already active in global state, skipping', { component: 'certificate-manager' });
-            }
-            catch (error) {
-                // Silently handle logging errors
-                console.log('[INFO] Challenge route already active in global state, skipping');
-            }
-            this.challengeRouteActive = true;
-            return;
-        }
-        if (this.challengeRouteActive) {
-            try {
-                logger.log('info', 'Challenge route already active locally, skipping', { component: 'certificate-manager' });
-            }
-            catch (error) {
-                // Silently handle logging errors
-                console.log('[INFO] Challenge route already active locally, skipping');
-            }
-            return;
-        }
-        if (!this.updateRoutesCallback) {
-            throw new Error('No route update callback set');
-        }
-        if (!this.challengeRoute) {
-            throw new Error('Challenge route not initialized');
-        }
-        // Get the challenge port
-        const challengePort = this.globalAcmeDefaults?.port || 80;
-        // Check if any existing routes are already using this port
-        // This helps us determine if we need to create a new binding or can reuse existing one
-        const portInUseByRoutes = this.routes.some(route => {
-            const routePorts = Array.isArray(route.match.ports) ? route.match.ports : [route.match.ports];
-            return routePorts.some(p => {
-                // Handle both number and port range objects
-                if (typeof p === 'number') {
-                    return p === challengePort;
-                }
-                else if (typeof p === 'object' && 'from' in p && 'to' in p) {
-                    // Port range case - check if challengePort is in range
-                    return challengePort >= p.from && challengePort <= p.to;
-                }
-                return false;
-            });
-        });
-        try {
-            // Log whether port is already in use by other routes
-            if (portInUseByRoutes) {
-                try {
-                    logger.log('info', `Port ${challengePort} is already used by another route, merging ACME challenge route`, {
-                        port: challengePort,
-                        component: 'certificate-manager'
-                    });
-                }
-                catch (error) {
-                    // Silently handle logging errors
-                    console.log(`[INFO] Port ${challengePort} is already used by another route, merging ACME challenge route`);
-                }
-            }
-            else {
-                try {
-                    logger.log('info', `Adding new ACME challenge route on port ${challengePort}`, {
-                        port: challengePort,
-                        component: 'certificate-manager'
-                    });
-                }
-                catch (error) {
-                    // Silently handle logging errors
-                    console.log(`[INFO] Adding new ACME challenge route on port ${challengePort}`);
-                }
-            }
-            // Add the challenge route to the existing routes
-            const challengeRoute = this.challengeRoute;
-            const updatedRoutes = [...this.routes, challengeRoute];
-            // With the re-ordering of start(), port binding should already be done
-            // This updateRoutes call should just add the route without binding again
-            await this.updateRoutesCallback(updatedRoutes);
-            // Keep local routes in sync after updating
-            this.routes = updatedRoutes;
-            this.challengeRouteActive = true;
-            // Register with state manager
-            if (this.acmeStateManager) {
-                this.acmeStateManager.addChallengeRoute(challengeRoute);
-            }
-            try {
-                logger.log('info', 'ACME challenge route successfully added', { component: 'certificate-manager' });
-            }
-            catch (error) {
-                // Silently handle logging errors
-                console.log('[INFO] ACME challenge route successfully added');
-            }
-        }
-        catch (error) {
-            // Enhanced error handling based on error type
-            if (error.code === 'EADDRINUSE') {
-                try {
-                    logger.log('warn', `Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`, {
-                        port: challengePort,
-                        error: error.message,
-                        component: 'certificate-manager'
-                    });
-                }
-                catch (logError) {
-                    // Silently handle logging errors
-                    console.log(`[WARN] Challenge port ${challengePort} is unavailable - it's already in use by another process. Consider configuring a different ACME port.`);
-                }
-                // Provide a more informative and actionable error message
-                throw new Error(`ACME HTTP-01 challenge port ${challengePort} is already in use by another process. ` +
-                    `Please configure a different port using the acme.port setting (e.g., 8080).`);
-            }
-            else if (error.message && error.message.includes('EADDRINUSE')) {
-                // Some Node.js versions embed the error code in the message rather than the code property
-                try {
-                    logger.log('warn', `Port ${challengePort} conflict detected: ${error.message}`, {
-                        port: challengePort,
-                        component: 'certificate-manager'
-                    });
-                }
-                catch (logError) {
-                    // Silently handle logging errors
-                    console.log(`[WARN] Port ${challengePort} conflict detected: ${error.message}`);
-                }
-                // More detailed error message with suggestions
-                throw new Error(`ACME HTTP challenge port ${challengePort} conflict detected. ` +
-                    `To resolve this issue, try one of these approaches:\n` +
-                    `1. Configure a different port in ACME settings (acme.port)\n` +
-                    `2. Add a regular route that uses port ${challengePort} before initializing the certificate manager\n` +
-                    `3. Stop any other services that might be using port ${challengePort}`);
-            }
-            // Log and rethrow other types of errors
-            try {
-                logger.log('error', `Failed to add challenge route: ${error.message}`, {
-                    error: error.message,
-                    component: 'certificate-manager'
-                });
-            }
-            catch (logError) {
-                // Silently handle logging errors
-                console.log(`[ERROR] Failed to add challenge route: ${error.message}`);
-            }
-            throw error;
-        }
-    }
-    /**
-     * Remove challenge route from SmartProxy
-     */
-    async removeChallengeRoute() {
-        if (!this.challengeRouteActive) {
-            try {
-                logger.log('info', 'Challenge route not active, skipping removal', { component: 'certificate-manager' });
-            }
-            catch (error) {
-                // Silently handle logging errors
-                console.log('[INFO] Challenge route not active, skipping removal');
-            }
-            return;
-        }
-        if (!this.updateRoutesCallback) {
-            return;
-        }
-        try {
-            const filteredRoutes = this.routes.filter(r => r.name !== 'acme-challenge');
-            await this.updateRoutesCallback(filteredRoutes);
-            // Keep local routes in sync after updating
-            this.routes = filteredRoutes;
-            this.challengeRouteActive = false;
-            // Remove from state manager
-            if (this.acmeStateManager) {
-                this.acmeStateManager.removeChallengeRoute('acme-challenge');
-            }
-            try {
-                logger.log('info', 'ACME challenge route successfully removed', { component: 'certificate-manager' });
-            }
-            catch (error) {
-                // Silently handle logging errors
-                console.log('[INFO] ACME challenge route successfully removed');
-            }
-        }
-        catch (error) {
-            try {
-                logger.log('error', `Failed to remove challenge route: ${error.message}`, { error: error.message, component: 'certificate-manager' });
-            }
-            catch (logError) {
-                // Silently handle logging errors
-                console.log(`[ERROR] Failed to remove challenge route: ${error.message}`);
-            }
-            // Reset the flag even on error to avoid getting stuck
-            this.challengeRouteActive = false;
-            throw error;
-        }
-    }
-    /**
-     * Start renewal timer
-     */
-    startRenewalTimer() {
-        // Check for renewals every 12 hours
-        this.renewalTimer = setInterval(() => {
-            this.checkAndRenewCertificates();
-        }, 12 * 60 * 60 * 1000);
-        // Unref the timer so it doesn't keep the process alive
-        if (this.renewalTimer.unref) {
-            this.renewalTimer.unref();
-        }
-        // Also do an immediate check
-        this.checkAndRenewCertificates();
-    }
-    /**
-     * Check and renew certificates that are expiring
-     */
-    async checkAndRenewCertificates() {
-        for (const route of this.routes) {
-            if (route.action.tls?.certificate === 'auto') {
-                const routeName = route.name || this.extractDomainsFromRoute(route)[0];
-                const cert = await this.certStore.getCertificate(routeName);
-                if (cert && !this.isCertificateValid(cert)) {
-                    logger.log('info', `Certificate for ${routeName} needs renewal`, { routeName, component: 'certificate-manager' });
-                    try {
-                        await this.provisionCertificate(route);
-                    }
-                    catch (error) {
-                        logger.log('error', `Failed to renew certificate for ${routeName}: ${error.message}`, { routeName, error: error.message, component: 'certificate-manager' });
-                    }
-                }
-            }
-        }
-    }
-    /**
-     * Update certificate status
-     */
-    updateCertStatus(routeName, status, source, certData, error) {
-        this.certStatus.set(routeName, {
-            domain: routeName,
-            status,
-            source,
-            expiryDate: certData?.expiryDate,
-            issueDate: certData?.issueDate,
-            error
-        });
-    }
-    /**
-     * Get certificate status for a route
-     */
-    getCertificateStatus(routeName) {
-        return this.certStatus.get(routeName);
-    }
-    /**
-     * Force renewal of a certificate
-     */
-    async renewCertificate(routeName) {
-        const route = this.routes.find(r => r.name === routeName);
-        if (!route) {
-            throw new Error(`Route ${routeName} not found`);
-        }
-        // Remove existing certificate to force renewal
-        await this.certStore.deleteCertificate(routeName);
-        await this.provisionCertificate(route);
-    }
-    /**
-     * Setup challenge handler integration with SmartProxy routing
-     */
-    setupChallengeHandler(http01Handler) {
-        // Use challenge port from global config or default to 80
-        const challengePort = this.globalAcmeDefaults?.port || 80;
-        // Create a challenge route that delegates to SmartAcme's HTTP-01 handler
-        const challengeRoute = {
-            name: 'acme-challenge',
-            priority: 1000, // High priority
-            match: {
-                ports: challengePort,
-                path: '/.well-known/acme-challenge/*'
-            },
-            action: {
-                type: 'socket-handler',
-                socketHandler: SocketHandlers.httpServer((req, res) => {
-                    // Extract the token from the path
-                    const token = req.url?.split('/').pop();
-                    if (!token) {
-                        res.status(404);
-                        res.send('Not found');
-                        return;
-                    }
-                    // Create mock request/response objects for SmartAcme
-                    let responseData = null;
-                    const mockReq = {
-                        url: req.url,
-                        method: req.method,
-                        headers: req.headers
-                    };
-                    const mockRes = {
-                        statusCode: 200,
-                        setHeader: (name, value) => { },
-                        end: (data) => {
-                            responseData = data;
-                        }
-                    };
-                    // Use SmartAcme's handler
-                    const handleAcme = () => {
-                        http01Handler.handleRequest(mockReq, mockRes, () => {
-                            // Not handled by ACME
-                            res.status(404);
-                            res.send('Not found');
-                        });
-                        // Give it a moment to process, then send response
-                        setTimeout(() => {
-                            if (responseData) {
-                                res.header('Content-Type', 'text/plain');
-                                res.send(String(responseData));
-                            }
-                            else {
-                                res.status(404);
-                                res.send('Not found');
-                            }
-                        }, 100);
-                    };
-                    handleAcme();
-                })
-            }
-        };
-        // Store the challenge route to add it when needed
-        this.challengeRoute = challengeRoute;
-    }
-    /**
-     * Stop certificate manager
-     */
-    async stop() {
-        if (this.renewalTimer) {
-            clearInterval(this.renewalTimer);
-            this.renewalTimer = null;
-        }
-        // Always remove challenge route on shutdown
-        if (this.challengeRoute) {
-            logger.log('info', 'Removing ACME challenge route during shutdown', { component: 'certificate-manager' });
-            await this.removeChallengeRoute();
-        }
-        if (this.smartAcme) {
-            await this.smartAcme.stop();
-        }
-        // Clear any pending challenges
-        if (this.pendingChallenges.size > 0) {
-            this.pendingChallenges.clear();
-        }
-    }
-    /**
-     * Get ACME options (for recreating after route updates)
-     */
-    getAcmeOptions() {
-        return this.acmeOptions;
-    }
-    /**
-     * Get certificate manager state
-     */
-    getState() {
-        return {
-            challengeRouteActive: this.challengeRouteActive
-        };
-    }
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2VydGlmaWNhdGUtbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL3Byb3hpZXMvc21hcnQtcHJveHkvY2VydGlmaWNhdGUtbWFuYWdlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssT0FBTyxNQUFNLGtCQUFrQixDQUFDO0FBQzVDLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSx3QkFBd0IsQ0FBQztBQUduRCxPQUFPLEVBQUUsU0FBUyxFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFFNUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLDRCQUE0QixDQUFDO0FBQ3BELE9BQU8sRUFBRSxjQUFjLEVBQUUsTUFBTSwwQkFBMEIsQ0FBQztBQW9CMUQsTUFBTSxPQUFPLGdCQUFnQjtJQWdDM0IsWUFDVSxNQUFzQixFQUN0QixVQUFrQixTQUFTLEVBQzNCLFdBSVAsRUFDTyxZQUVQO1FBVE8sV0FBTSxHQUFOLE1BQU0sQ0FBZ0I7UUFDdEIsWUFBTyxHQUFQLE9BQU8sQ0FBb0I7UUFDM0IsZ0JBQVcsR0FBWCxXQUFXLENBSWxCO1FBQ08saUJBQVksR0FBWixZQUFZLENBRW5CO1FBeENLLGNBQVMsR0FBdUMsSUFBSSxDQUFDO1FBQ3JELGNBQVMsR0FBcUIsSUFBSSxDQUFDO1FBQ25DLGlCQUFZLEdBQTBCLElBQUksQ0FBQztRQUMzQyxzQkFBaUIsR0FBd0IsSUFBSSxHQUFHLEVBQUUsQ0FBQztRQUNuRCxtQkFBYyxHQUF3QixJQUFJLENBQUM7UUFFbkQseUNBQXlDO1FBQ2pDLGVBQVUsR0FBNkIsSUFBSSxHQUFHLEVBQUUsQ0FBQztRQUV6RCxvREFBb0Q7UUFDNUMsdUJBQWtCLEdBQXdCLElBQUksQ0FBQztRQUt2RCx1REFBdUQ7UUFDL0MseUJBQW9CLEdBQVksS0FBSyxDQUFDO1FBRTlDLCtDQUErQztRQUN2QyxtQkFBYyxHQUFZLEtBQUssQ0FBQztRQUV4QywrQkFBK0I7UUFDdkIscUJBQWdCLEdBQTRCLElBQUksQ0FBQztRQUt6RCx3REFBd0Q7UUFDaEQsZ0NBQTJCLEdBQVksSUFBSSxDQUFDO1FBY2xELElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxTQUFTLENBQUMsT0FBTyxDQUFDLENBQUM7UUFFeEMsa0NBQWtDO1FBQ2xDLElBQUksWUFBWSxFQUFFLENBQUM7WUFDakIsSUFBSSxDQUFDLG9CQUFvQixHQUFHLFlBQVksQ0FBQyxvQkFBb0IsSUFBSSxLQUFLLENBQUM7UUFDekUsQ0FBQztJQUNILENBQUM7SUFFTSxZQUFZLENBQUMsU0FBb0I7UUFDdEMsSUFBSSxDQUFDLFNBQVMsR0FBRyxTQUFTLENBQUM7SUFDN0IsQ0FBQztJQUdEOztPQUVHO0lBQ0ksbUJBQW1CLENBQUMsWUFBOEI7UUFDdkQsSUFBSSxDQUFDLGdCQUFnQixHQUFHLFlBQVksQ0FBQztJQUN2QyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxxQkFBcUIsQ0FBQyxRQUFzQjtRQUNqRCxJQUFJLENBQUMsa0JBQWtCLEdBQUcsUUFBUSxDQUFDO0lBQ3JDLENBQUM7SUFFRDs7T0FFRztJQUNJLHdCQUF3QixDQUFDLEVBQXlFO1FBQ3ZHLElBQUksQ0FBQyxxQkFBcUIsR0FBRyxFQUFFLENBQUM7SUFDbEMsQ0FBQztJQUVEOztPQUVHO0lBQ0ksOEJBQThCLENBQUMsUUFBaUI7UUFDckQsSUFBSSxDQUFDLDJCQUEyQixHQUFHLFFBQVEsQ0FBQztJQUM5QyxDQUFDO0lBRUQ7OztPQUdHO0lBQ0ksU0FBUyxDQUFDLE1BQXNCO1FBQ3JDLElBQUksQ0FBQyxNQUFNLEdBQUcsTUFBTSxDQUFDO0lBQ3ZCLENBQUM7SUFFRDs7T0FFRztJQUNJLHVCQUF1QixDQUFDLFFBQW1EO1FBQ2hGLElBQUksQ0FBQyxvQkFBb0IsR0FBRyxRQUFRLENBQUM7UUFDckMsSUFBSSxDQUFDO1lBQ0gsTUFBTSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsd0NBQXdDLEVBQUUsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1FBQ3RHLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsaUNBQWlDO1lBQ2pDLE9BQU8sQ0FBQyxHQUFHLENBQUMsZ0RBQWdELENBQUMsQ0FBQztRQUNoRSxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLFVBQVU7UUFDckIsbURBQW1EO1FBQ25ELE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUVsQyxrREFBa0Q7UUFDbEQsTUFBTSxhQUFhLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FDekMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsV0FBVyxLQUFLLE1BQU0sQ0FDckMsQ0FBQztRQUVGLElBQUksYUFBYSxJQUFJLElBQUksQ0FBQyxXQUFXLEVBQUUsS0FBSyxFQUFFLENBQUM7WUFDN0MsbUNBQW1DO1lBQ25DLE1BQU0sYUFBYSxHQUFHLElBQUksT0FBTyxDQUFDLFNBQVMsQ0FBQyxRQUFRLENBQUMsbUJBQW1CLEVBQUUsQ0FBQztZQUUzRSx3REFBd0Q7WUFDeEQsSUFBSSxDQUFDLHFCQUFxQixDQUFDLGFBQWEsQ0FBQyxDQUFDO1lBRTFDLGdGQUFnRjtZQUNoRixJQUFJLENBQUMsU0FBUyxHQUFHLElBQUksT0FBTyxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUM7Z0JBQy9DLFlBQVksRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLEtBQUs7Z0JBQ3BDLFdBQVcsRUFBRSxJQUFJLENBQUMsV0FBVyxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsWUFBWSxDQUFDLENBQUMsQ0FBQyxhQUFhO2dCQUMxRSxXQUFXLEVBQUUsSUFBSSxPQUFPLENBQUMsU0FBUyxDQUFDLFlBQVksQ0FBQyxpQkFBaUIsRUFBRTtnQkFDbkUsaUJBQWlCLEVBQUUsQ0FBQyxhQUFhLENBQUM7YUFDbkMsQ0FBQyxDQUFDO1lBRUgsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLEtBQUssRUFBRSxDQUFDO1lBRTdCLG1FQUFtRTtZQUNuRSxJQUFJLENBQUMsSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7Z0JBQy9CLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG1EQUFtRCxFQUFFLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztnQkFDOUcsTUFBTSxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUNqQyxDQUFDO2lCQUFNLENBQUM7Z0JBQ04sTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsdURBQXVELEVBQUUsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1lBQ3BILENBQUM7UUFDSCxDQUFDO1FBRUQsZ0VBQWdFO1FBQ2hFLHNEQUFzRDtRQUN0RCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxzR0FBc0csRUFBRSxFQUFFLFNBQVMsRUFBRSxxQkFBcUIsRUFBRSxDQUFDLENBQUM7UUFFakssc0JBQXNCO1FBQ3RCLElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO0lBQzNCLENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyx3QkFBd0I7UUFDbkMsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FDeEMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsSUFBSSxLQUFLLFdBQVc7WUFDbEMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsSUFBSSxLQUFLLHlCQUF5QixDQUNqRCxDQUFDO1FBRUYseURBQXlEO1FBQ3pELElBQUksQ0FBQyxjQUFjLEdBQUcsSUFBSSxDQUFDO1FBRTNCLElBQUksQ0FBQztZQUNILEtBQUssTUFBTSxLQUFLLElBQUksVUFBVSxFQUFFLENBQUM7Z0JBQy9CLElBQUksQ0FBQztvQkFDSCxNQUFNLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBQyxnREFBZ0Q7Z0JBQ2hHLENBQUM7Z0JBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztvQkFDZixNQUFNLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSw2Q0FBNkMsS0FBSyxDQUFDLElBQUksRUFBRSxFQUFFLEVBQUUsU0FBUyxFQUFFLEtBQUssQ0FBQyxJQUFJLEVBQUUsS0FBSyxFQUFFLFNBQVMsRUFBRSxxQkFBcUIsRUFBRSxDQUFDLENBQUM7Z0JBQ3JKLENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztnQkFBUyxDQUFDO1lBQ1QsSUFBSSxDQUFDLGNBQWMsR0FBRyxLQUFLLENBQUM7UUFDOUIsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQyxLQUFtQixFQUFFLGtCQUEyQixLQUFLO1FBQ3JGLE1BQU0sR0FBRyxHQUFHLEtBQUssQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDO1FBQzdCLElBQUksQ0FBQyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsSUFBSSxLQUFLLFdBQVcsSUFBSSxHQUFHLENBQUMsSUFBSSxLQUFLLHlCQUF5QixDQUFDLEVBQUUsQ0FBQztZQUNqRixPQUFPO1FBQ1QsQ0FBQztRQUVELGlGQUFpRjtRQUNqRixJQUFJLENBQUMsZUFBZSxJQUFJLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUM1QyxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSwwREFBMEQsS0FBSyxDQUFDLElBQUksRUFBRSxFQUFFLEVBQUUsU0FBUyxFQUFFLEtBQUssQ0FBQyxJQUFJLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztZQUN4SixPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUNwRCxJQUFJLE9BQU8sQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDekIsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsU0FBUyxLQUFLLENBQUMsSUFBSSxxQ0FBcUMsRUFBRSxFQUFFLFNBQVMsRUFBRSxLQUFLLENBQUMsSUFBSSxFQUFFLFNBQVMsRUFBRSxxQkFBcUIsRUFBRSxDQUFDLENBQUM7WUFDMUksT0FBTztRQUNULENBQUM7UUFFRCxNQUFNLGFBQWEsR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFakMsSUFBSSxHQUFHLENBQUMsV0FBVyxLQUFLLE1BQU0sRUFBRSxDQUFDO1lBQy9CLG1CQUFtQjtZQUNuQixNQUFNLElBQUksQ0FBQyx3QkFBd0IsQ0FBQyxLQUFLLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFDdEQsQ0FBQzthQUFNLElBQUksT0FBTyxHQUFHLENBQUMsV0FBVyxLQUFLLFFBQVEsRUFBRSxDQUFDO1lBQy9DLHFCQUFxQjtZQUNyQixNQUFNLElBQUksQ0FBQywwQkFBMEIsQ0FBQyxLQUFLLEVBQUUsYUFBYSxFQUFFLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUMvRSxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLHdCQUF3QixDQUNwQyxLQUFtQixFQUNuQixPQUFpQjtRQUVqQixNQUFNLGFBQWEsR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDakMsTUFBTSxTQUFTLEdBQUcsS0FBSyxDQUFDLElBQUksSUFBSSxhQUFhLENBQUM7UUFFOUMsK0NBQStDO1FBQy9DLE1BQU0sWUFBWSxHQUFHLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxjQUFjLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDcEUsSUFBSSxZQUFZLElBQUksSUFBSSxDQUFDLGtCQUFrQixDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUM7WUFDMUQsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsd0NBQXdDLGFBQWEsRUFBRSxFQUFFLEVBQUUsTUFBTSxFQUFFLGFBQWEsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1lBQ3pJLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLGFBQWEsRUFBRSxZQUFZLENBQUMsQ0FBQztZQUN6RCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsU0FBUyxFQUFFLE9BQU8sRUFBRSxZQUFZLENBQUMsTUFBTSxJQUFJLE1BQU0sRUFBRSxZQUFZLENBQUMsQ0FBQztZQUN2RixPQUFPO1FBQ1QsQ0FBQztRQUVELDRDQUE0QztRQUM1QyxJQUFJLElBQUksQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO1lBQy9CLElBQUksQ0FBQztnQkFDSCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSwrQ0FBK0MsYUFBYSxFQUFFLEVBQUUsRUFBRSxNQUFNLEVBQUUsYUFBYSxFQUFFLFNBQVMsRUFBRSxxQkFBcUIsRUFBRSxDQUFDLENBQUM7Z0JBQ2hKLE1BQU0sTUFBTSxHQUFHLE1BQU0sSUFBSSxDQUFDLHFCQUFxQixDQUFDLGFBQWEsQ0FBQyxDQUFDO2dCQUUvRCxJQUFJLE1BQU0sS0FBSyxRQUFRLEVBQUUsQ0FBQztvQkFDeEIsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsd0VBQXdFLGFBQWEsRUFBRSxFQUFFLEVBQUUsTUFBTSxFQUFFLGFBQWEsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO29CQUN6SywwQ0FBMEM7Z0JBQzVDLENBQUM7cUJBQU0sQ0FBQztvQkFDTix5QkFBeUI7b0JBQ3pCLE1BQU0sVUFBVSxHQUFHLE1BQXVDLENBQUM7b0JBRTNELHlDQUF5QztvQkFDekMsTUFBTSxRQUFRLEdBQXFCO3dCQUNqQyxJQUFJLEVBQUUsVUFBVSxDQUFDLFNBQVM7d0JBQzFCLEdBQUcsRUFBRSxVQUFVLENBQUMsVUFBVTt3QkFDMUIsRUFBRSxFQUFFLEVBQUU7d0JBQ04sU0FBUyxFQUFFLElBQUksSUFBSSxFQUFFO3dCQUNyQixVQUFVLEVBQUUsSUFBSSxDQUFDLGlCQUFpQixDQUFDLFVBQVUsQ0FBQyxTQUFTLENBQUM7d0JBQ3hELE1BQU0sRUFBRSxRQUFRO3FCQUNqQixDQUFDO29CQUVGLDhCQUE4QjtvQkFDOUIsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLGVBQWUsQ0FBQyxTQUFTLEVBQUUsUUFBUSxDQUFDLENBQUM7b0JBQzFELE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLGFBQWEsRUFBRSxRQUFRLENBQUMsQ0FBQztvQkFDckQsSUFBSSxDQUFDLGdCQUFnQixDQUFDLFNBQVMsRUFBRSxPQUFPLEVBQUUsUUFBUSxFQUFFLFFBQVEsQ0FBQyxDQUFDO29CQUU5RCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxrQ0FBa0MsYUFBYSxFQUFFLEVBQUU7d0JBQ3BFLE1BQU0sRUFBRSxhQUFhO3dCQUNyQixVQUFVLEVBQUUsUUFBUSxDQUFDLFVBQVU7d0JBQy9CLFNBQVMsRUFBRSxxQkFBcUI7cUJBQ2pDLENBQUMsQ0FBQztvQkFDSCxPQUFPO2dCQUNULENBQUM7WUFDSCxDQUFDO1lBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztnQkFDZixNQUFNLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxvQ0FBb0MsYUFBYSxLQUFLLEtBQUssQ0FBQyxPQUFPLEVBQUUsRUFBRTtvQkFDekYsTUFBTSxFQUFFLGFBQWE7b0JBQ3JCLEtBQUssRUFBRSxLQUFLLENBQUMsT0FBTztvQkFDcEIsU0FBUyxFQUFFLHFCQUFxQjtpQkFDakMsQ0FBQyxDQUFDO2dCQUNILHNDQUFzQztnQkFDdEMsSUFBSSxDQUFDLElBQUksQ0FBQywyQkFBMkIsRUFBRSxDQUFDO29CQUN0QyxNQUFNLEtBQUssQ0FBQztnQkFDZCxDQUFDO2dCQUNELE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLHFDQUFxQyxhQUFhLEVBQUUsRUFBRSxFQUFFLE1BQU0sRUFBRSxhQUFhLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztZQUN4SSxDQUFDO1FBQ0gsQ0FBQztRQUVELElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7WUFDcEIsTUFBTSxJQUFJLEtBQUssQ0FDYiw0RUFBNEU7Z0JBQzVFLHdFQUF3RTtnQkFDeEUsNENBQTRDO2dCQUM1Qyw2Q0FBNkMsQ0FDOUMsQ0FBQztRQUNKLENBQUM7UUFFRCwrREFBK0Q7UUFDL0QsTUFBTSxjQUFjLEdBQUcsS0FBSyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLGVBQWU7WUFDekMsSUFBSSxDQUFDLGtCQUFrQixFQUFFLGtCQUFrQjtZQUMzQyxFQUFFLENBQUM7UUFFeEIsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsbUNBQW1DLE9BQU8sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsY0FBYyxzQkFBc0IsRUFBRSxFQUFFLE9BQU8sRUFBRSxPQUFPLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFLGNBQWMsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1FBQzVNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxTQUFTLEVBQUUsU0FBUyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBRXBELElBQUksQ0FBQztZQUNILCtEQUErRDtZQUMvRCx5Q0FBeUM7WUFFekMsd0RBQXdEO1lBQ3hELDZCQUE2QjtZQUM3QixrREFBa0Q7WUFDbEQseURBQXlEO1lBQ3pELCtEQUErRDtZQUMvRCxNQUFNLGVBQWUsR0FBSSxJQUFJLENBQUMsU0FBaUIsQ0FBQyxpQkFBaUIsRUFBRSxJQUFJLENBQUMsQ0FBQyxPQUFZLEVBQUUsRUFBRSxDQUN2RixPQUFPLENBQUMsaUJBQWlCLElBQUksT0FBTyxDQUFDLGlCQUFpQixFQUFFLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxDQUM1RSxDQUFDO1lBRUYsTUFBTSxxQkFBcUIsR0FBRyxDQUFDLGFBQWEsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDO2dCQUMvQixhQUFhLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQztnQkFDM0IsYUFBYSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxNQUFNLElBQUksQ0FBQztnQkFDcEMsZUFBZSxDQUFDO1lBRTlDLElBQUkscUJBQXFCLEVBQUUsQ0FBQztnQkFDMUIsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsdUNBQXVDLGFBQWEscUJBQXFCLEVBQUUsRUFBRSxNQUFNLEVBQUUsYUFBYSxFQUFFLGFBQWEsRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztZQUN0TCxDQUFDO1lBRUQsMERBQTBEO1lBQzFELE1BQU0sSUFBSSxHQUFHLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyx1QkFBdUIsQ0FDdkQsYUFBYSxFQUNiLHFCQUFxQixDQUFDLENBQUMsQ0FBQyxFQUFFLGVBQWUsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUM5RCxDQUFDO1lBRUYsZ0RBQWdEO1lBQ2hELDRDQUE0QztZQUM1QywyQ0FBMkM7WUFDM0MscUNBQXFDO1lBQ3JDLDBDQUEwQztZQUMxQyxnQ0FBZ0M7WUFDaEMsTUFBTSxRQUFRLEdBQXFCO2dCQUNqQyxJQUFJLEVBQUUsSUFBSSxDQUFDLFNBQVM7Z0JBQ3BCLEdBQUcsRUFBRSxJQUFJLENBQUMsVUFBVTtnQkFDcEIsRUFBRSxFQUFFLElBQUksQ0FBQyxTQUFTLEVBQUUsMkJBQTJCO2dCQUMvQyxVQUFVLEVBQUUsSUFBSSxJQUFJLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQztnQkFDckMsU0FBUyxFQUFFLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7Z0JBQ2pDLE1BQU0sRUFBRSxNQUFNO2FBQ2YsQ0FBQztZQUVGLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxlQUFlLENBQUMsU0FBUyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQzFELE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDLGFBQWEsRUFBRSxRQUFRLENBQUMsQ0FBQztZQUNyRCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsU0FBUyxFQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUM7WUFFNUQsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsaURBQWlELGFBQWEsRUFBRSxFQUFFLEVBQUUsTUFBTSxFQUFFLGFBQWEsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1FBQ3BKLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsTUFBTSxDQUFDLEdBQUcsQ0FBQyxPQUFPLEVBQUUsNENBQTRDLGFBQWEsS0FBSyxLQUFLLENBQUMsT0FBTyxFQUFFLEVBQUUsRUFBRSxNQUFNLEVBQUUsYUFBYSxFQUFFLEtBQUssRUFBRSxLQUFLLENBQUMsT0FBTyxFQUFFLFNBQVMsRUFBRSxxQkFBcUIsRUFBRSxDQUFDLENBQUM7WUFDdEwsSUFBSSxDQUFDLGdCQUFnQixDQUFDLFNBQVMsRUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLFNBQVMsRUFBRSxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDNUUsTUFBTSxLQUFLLENBQUM7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLDBCQUEwQixDQUN0QyxLQUFtQixFQUNuQixNQUFjLEVBQ2QsVUFBOEU7UUFFOUUsTUFBTSxTQUFTLEdBQUcsS0FBSyxDQUFDLElBQUksSUFBSSxNQUFNLENBQUM7UUFFdkMsSUFBSSxDQUFDO1lBQ0gsSUFBSSxHQUFHLEdBQVcsVUFBVSxDQUFDLEdBQUcsQ0FBQztZQUNqQyxJQUFJLElBQUksR0FBVyxVQUFVLENBQUMsSUFBSSxDQUFDO1lBRW5DLHdDQUF3QztZQUN4QyxNQUFNLGdCQUFnQixHQUFHLE9BQU8sQ0FBQyxTQUFTLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDckUsSUFBSSxVQUFVLENBQUMsT0FBTyxFQUFFLENBQUM7Z0JBQ3ZCLE1BQU0sT0FBTyxHQUFHLE1BQU0sZ0JBQWdCLENBQUMsWUFBWSxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQztnQkFDeEUsR0FBRyxHQUFHLE9BQU8sQ0FBQyxRQUFRLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDcEMsQ0FBQztZQUNELElBQUksVUFBVSxDQUFDLFFBQVEsRUFBRSxDQUFDO2dCQUN4QixNQUFNLFFBQVEsR0FBRyxNQUFNLGdCQUFnQixDQUFDLFlBQVksQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUM7Z0JBQzFFLElBQUksR0FBRyxRQUFRLENBQUMsUUFBUSxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ3RDLENBQUM7WUFFRCxpQ0FBaUM7WUFDakMsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLGlCQUFpQixDQUFDLElBQUksQ0FBQyxDQUFDO1lBQ2hELE1BQU0sU0FBUyxHQUFHLElBQUksSUFBSSxFQUFFLENBQUMsQ0FBQyw2QkFBNkI7WUFFM0QsTUFBTSxRQUFRLEdBQXFCO2dCQUNqQyxJQUFJO2dCQUNKLEdBQUc7Z0JBQ0gsVUFBVTtnQkFDVixTQUFTO2dCQUNULE1BQU0sRUFBRSxRQUFRO2FBQ2pCLENBQUM7WUFFRixnQ0FBZ0M7WUFDaEMsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLGVBQWUsQ0FBQyxTQUFTLEVBQUUsUUFBUSxDQUFDLENBQUM7WUFDMUQsTUFBTSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQzlDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxTQUFTLEVBQUUsT0FBTyxFQUFFLFFBQVEsRUFBRSxRQUFRLENBQUMsQ0FBQztZQUU5RCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSw4Q0FBOEMsTUFBTSxFQUFFLEVBQUUsRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztRQUMzSCxDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLE1BQU0sQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLDhDQUE4QyxNQUFNLEtBQUssS0FBSyxDQUFDLE9BQU8sRUFBRSxFQUFFLEVBQUUsTUFBTSxFQUFFLEtBQUssRUFBRSxLQUFLLENBQUMsT0FBTyxFQUFFLFNBQVMsRUFBRSxxQkFBcUIsRUFBRSxDQUFDLENBQUM7WUFDbEssSUFBSSxDQUFDLGdCQUFnQixDQUFDLFNBQVMsRUFBRSxPQUFPLEVBQUUsUUFBUSxFQUFFLFNBQVMsRUFBRSxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7WUFDOUUsTUFBTSxLQUFLLENBQUM7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGdCQUFnQixDQUFDLE1BQWMsRUFBRSxRQUEwQjtRQUN2RSxJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ3BCLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLDBEQUEwRCxNQUFNLEVBQUUsRUFBRSxFQUFFLE1BQU0sRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1lBQ3JJLE9BQU87UUFDVCxDQUFDO1FBRUQsaUNBQWlDO1FBQ2pDLElBQUksQ0FBQyxTQUFTLENBQUMsaUJBQWlCLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxJQUFJLEVBQUUsUUFBUSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBRXRFLDhDQUE4QztRQUM5QyxJQUFJLE1BQU0sQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDckQsTUFBTSxLQUFLLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUNoQyxJQUFJLEtBQUssQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUFFLENBQUM7Z0JBQ3RCLE1BQU0sY0FBYyxHQUFHLEtBQUssS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO2dCQUN4RCxJQUFJLENBQUMsU0FBUyxDQUFDLGlCQUFpQixDQUFDLGNBQWMsRUFBRSxRQUFRLENBQUMsSUFBSSxFQUFFLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQztZQUNoRixDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLHVCQUF1QixDQUFDLEtBQW1CO1FBQ2pELElBQUksQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ3pCLE9BQU8sRUFBRSxDQUFDO1FBQ1osQ0FBQztRQUVELE1BQU0sT0FBTyxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUM7WUFDaEQsQ0FBQyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsT0FBTztZQUNyQixDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBRTFCLG9DQUFvQztRQUNwQyxPQUFPLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FDeEIsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQztZQUNoQixDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDO1lBQ2hCLENBQUMsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLENBQ2hCLENBQUM7SUFDSixDQUFDO0lBRUQ7O09BRUc7SUFDSyxrQkFBa0IsQ0FBQyxJQUFzQjtRQUMvQyxNQUFNLEdBQUcsR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1FBRXZCLG9FQUFvRTtRQUNwRSxNQUFNLGtCQUFrQixHQUFHLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxrQkFBa0IsSUFBSSxFQUFFLENBQUM7UUFDN0UsTUFBTSxlQUFlLEdBQUcsSUFBSSxJQUFJLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxHQUFHLGtCQUFrQixHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDO1FBRTNGLE9BQU8sSUFBSSxDQUFDLFVBQVUsR0FBRyxlQUFlLENBQUM7SUFDM0MsQ0FBQztJQUVEOztPQUVHO0lBQ0ssaUJBQWlCLENBQUMsUUFBZ0I7UUFDeEMsNERBQTREO1FBQzVELDZEQUE2RDtRQUM3RCw2REFBNkQ7UUFDN0QsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsb0RBQW9ELEVBQUU7WUFDdkUsU0FBUyxFQUFFLHFCQUFxQjtTQUNqQyxDQUFDLENBQUM7UUFDSCxPQUFPLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDLENBQUM7SUFDekQsQ0FBQztJQUdEOzs7Ozs7T0FNRztJQUNLLEtBQUssQ0FBQyxpQkFBaUI7UUFDN0IscURBQXFEO1FBQ3JELElBQUksSUFBSSxDQUFDLGdCQUFnQixJQUFJLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxzQkFBc0IsRUFBRSxFQUFFLENBQUM7WUFDNUUsSUFBSSxDQUFDO2dCQUNILE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLDBEQUEwRCxFQUFFLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztZQUN2SCxDQUFDO1lBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztnQkFDZixpQ0FBaUM7Z0JBQ2pDLE9BQU8sQ0FBQyxHQUFHLENBQUMsaUVBQWlFLENBQUMsQ0FBQztZQUNqRixDQUFDO1lBQ0QsSUFBSSxDQUFDLG9CQUFvQixHQUFHLElBQUksQ0FBQztZQUNqQyxPQUFPO1FBQ1QsQ0FBQztRQUVELElBQUksSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7WUFDOUIsSUFBSSxDQUFDO2dCQUNILE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLGtEQUFrRCxFQUFFLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztZQUMvRyxDQUFDO1lBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztnQkFDZixpQ0FBaUM7Z0JBQ2pDLE9BQU8sQ0FBQyxHQUFHLENBQUMseURBQXlELENBQUMsQ0FBQztZQUN6RSxDQUFDO1lBQ0QsT0FBTztRQUNULENBQUM7UUFFRCxJQUFJLENBQUMsSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7WUFDL0IsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO1FBQ2xELENBQUM7UUFFRCxJQUFJLENBQUMsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ3pCLE1BQU0sSUFBSSxLQUFLLENBQUMsaUNBQWlDLENBQUMsQ0FBQztRQUNyRCxDQUFDO1FBRUQseUJBQXlCO1FBQ3pCLE1BQU0sYUFBYSxHQUFHLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxJQUFJLElBQUksRUFBRSxDQUFDO1FBRTFELDJEQUEyRDtRQUMzRCx1RkFBdUY7UUFDdkYsTUFBTSxpQkFBaUIsR0FBRyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRTtZQUNqRCxNQUFNLFVBQVUsR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUM7WUFDOUYsT0FBTyxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUFFO2dCQUN6Qiw0Q0FBNEM7Z0JBQzVDLElBQUksT0FBTyxDQUFDLEtBQUssUUFBUSxFQUFFLENBQUM7b0JBQzFCLE9BQU8sQ0FBQyxLQUFLLGFBQWEsQ0FBQztnQkFDN0IsQ0FBQztxQkFBTSxJQUFJLE9BQU8sQ0FBQyxLQUFLLFFBQVEsSUFBSSxNQUFNLElBQUksQ0FBQyxJQUFJLElBQUksSUFBSSxDQUFDLEVBQUUsQ0FBQztvQkFDN0QsdURBQXVEO29CQUN2RCxPQUFPLGFBQWEsSUFBSSxDQUFDLENBQUMsSUFBSSxJQUFJLGFBQWEsSUFBSSxDQUFDLENBQUMsRUFBRSxDQUFDO2dCQUMxRCxDQUFDO2dCQUNELE9BQU8sS0FBSyxDQUFDO1lBQ2YsQ0FBQyxDQUFDLENBQUM7UUFDTCxDQUFDLENBQUMsQ0FBQztRQUVILElBQUksQ0FBQztZQUNILHFEQUFxRDtZQUNyRCxJQUFJLGlCQUFpQixFQUFFLENBQUM7Z0JBQ3RCLElBQUksQ0FBQztvQkFDSCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxRQUFRLGFBQWEsaUVBQWlFLEVBQUU7d0JBQ3pHLElBQUksRUFBRSxhQUFhO3dCQUNuQixTQUFTLEVBQUUscUJBQXFCO3FCQUNqQyxDQUFDLENBQUM7Z0JBQ0wsQ0FBQztnQkFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO29CQUNmLGlDQUFpQztvQkFDakMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxlQUFlLGFBQWEsaUVBQWlFLENBQUMsQ0FBQztnQkFDN0csQ0FBQztZQUNILENBQUM7aUJBQU0sQ0FBQztnQkFDTixJQUFJLENBQUM7b0JBQ0gsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsMkNBQTJDLGFBQWEsRUFBRSxFQUFFO3dCQUM3RSxJQUFJLEVBQUUsYUFBYTt3QkFDbkIsU0FBUyxFQUFFLHFCQUFxQjtxQkFDakMsQ0FBQyxDQUFDO2dCQUNMLENBQUM7Z0JBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztvQkFDZixpQ0FBaUM7b0JBQ2pDLE9BQU8sQ0FBQyxHQUFHLENBQUMsa0RBQWtELGFBQWEsRUFBRSxDQUFDLENBQUM7Z0JBQ2pGLENBQUM7WUFDSCxDQUFDO1lBRUQsaURBQWlEO1lBQ2pELE1BQU0sY0FBYyxHQUFHLElBQUksQ0FBQyxjQUFjLENBQUM7WUFDM0MsTUFBTSxhQUFhLEdBQUcsQ0FBQyxHQUFHLElBQUksQ0FBQyxNQUFNLEVBQUUsY0FBYyxDQUFDLENBQUM7WUFFdkQsdUVBQXVFO1lBQ3ZFLHlFQUF5RTtZQUN6RSxNQUFNLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxhQUFhLENBQUMsQ0FBQztZQUMvQywyQ0FBMkM7WUFDM0MsSUFBSSxDQUFDLE1BQU0sR0FBRyxhQUFhLENBQUM7WUFDNUIsSUFBSSxDQUFDLG9CQUFvQixHQUFHLElBQUksQ0FBQztZQUVqQyw4QkFBOEI7WUFDOUIsSUFBSSxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDMUIsSUFBSSxDQUFDLGdCQUFnQixDQUFDLGlCQUFpQixDQUFDLGNBQWMsQ0FBQyxDQUFDO1lBQzFELENBQUM7WUFFRCxJQUFJLENBQUM7Z0JBQ0gsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUseUNBQXlDLEVBQUUsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1lBQ3RHLENBQUM7WUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO2dCQUNmLGlDQUFpQztnQkFDakMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxnREFBZ0QsQ0FBQyxDQUFDO1lBQ2hFLENBQUM7UUFDSCxDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLDhDQUE4QztZQUM5QyxJQUFLLEtBQWEsQ0FBQyxJQUFJLEtBQUssWUFBWSxFQUFFLENBQUM7Z0JBQ3pDLElBQUksQ0FBQztvQkFDSCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxrQkFBa0IsYUFBYSx1R0FBdUcsRUFBRTt3QkFDekosSUFBSSxFQUFFLGFBQWE7d0JBQ25CLEtBQUssRUFBRyxLQUFlLENBQUMsT0FBTzt3QkFDL0IsU0FBUyxFQUFFLHFCQUFxQjtxQkFDakMsQ0FBQyxDQUFDO2dCQUNMLENBQUM7Z0JBQUMsT0FBTyxRQUFRLEVBQUUsQ0FBQztvQkFDbEIsaUNBQWlDO29CQUNqQyxPQUFPLENBQUMsR0FBRyxDQUFDLHlCQUF5QixhQUFhLHVHQUF1RyxDQUFDLENBQUM7Z0JBQzdKLENBQUM7Z0JBRUQsMERBQTBEO2dCQUMxRCxNQUFNLElBQUksS0FBSyxDQUNiLCtCQUErQixhQUFhLHlDQUF5QztvQkFDckYsNkVBQTZFLENBQzlFLENBQUM7WUFDSixDQUFDO2lCQUFNLElBQUksS0FBSyxDQUFDLE9BQU8sSUFBSSxLQUFLLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDO2dCQUNqRSwwRkFBMEY7Z0JBQzFGLElBQUksQ0FBQztvQkFDSCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxRQUFRLGFBQWEsdUJBQXVCLEtBQUssQ0FBQyxPQUFPLEVBQUUsRUFBRTt3QkFDOUUsSUFBSSxFQUFFLGFBQWE7d0JBQ25CLFNBQVMsRUFBRSxxQkFBcUI7cUJBQ2pDLENBQUMsQ0FBQztnQkFDTCxDQUFDO2dCQUFDLE9BQU8sUUFBUSxFQUFFLENBQUM7b0JBQ2xCLGlDQUFpQztvQkFDakMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxlQUFlLGFBQWEsdUJBQXVCLEtBQUssQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO2dCQUNsRixDQUFDO2dCQUVELCtDQUErQztnQkFDL0MsTUFBTSxJQUFJLEtBQUssQ0FDYiw0QkFBNEIsYUFBYSxzQkFBc0I7b0JBQy9ELHVEQUF1RDtvQkFDdkQsOERBQThEO29CQUM5RCx5Q0FBeUMsYUFBYSxnREFBZ0Q7b0JBQ3RHLHVEQUF1RCxhQUFhLEVBQUUsQ0FDdkUsQ0FBQztZQUNKLENBQUM7WUFFRCx3Q0FBd0M7WUFDeEMsSUFBSSxDQUFDO2dCQUNILE1BQU0sQ0FBQyxHQUFHLENBQUMsT0FBTyxFQUFFLGtDQUFtQyxLQUFlLENBQUMsT0FBTyxFQUFFLEVBQUU7b0JBQ2hGLEtBQUssRUFBRyxLQUFlLENBQUMsT0FBTztvQkFDL0IsU0FBUyxFQUFFLHFCQUFxQjtpQkFDakMsQ0FBQyxDQUFDO1lBQ0wsQ0FBQztZQUFDLE9BQU8sUUFBUSxFQUFFLENBQUM7Z0JBQ2xCLGlDQUFpQztnQkFDakMsT0FBTyxDQUFDLEdBQUcsQ0FBQywwQ0FBMkMsS0FBZSxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7WUFDcEYsQ0FBQztZQUNELE1BQU0sS0FBSyxDQUFDO1FBQ2QsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyxvQkFBb0I7UUFDaEMsSUFBSSxDQUFDLElBQUksQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO1lBQy9CLElBQUksQ0FBQztnQkFDSCxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSw4Q0FBOEMsRUFBRSxFQUFFLFNBQVMsRUFBRSxxQkFBcUIsRUFBRSxDQUFDLENBQUM7WUFDM0csQ0FBQztZQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7Z0JBQ2YsaUNBQWlDO2dCQUNqQyxPQUFPLENBQUMsR0FBRyxDQUFDLHFEQUFxRCxDQUFDLENBQUM7WUFDckUsQ0FBQztZQUNELE9BQU87UUFDVCxDQUFDO1FBRUQsSUFBSSxDQUFDLElBQUksQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO1lBQy9CLE9BQU87UUFDVCxDQUFDO1FBRUQsSUFBSSxDQUFDO1lBQ0gsTUFBTSxjQUFjLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxLQUFLLGdCQUFnQixDQUFDLENBQUM7WUFDNUUsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsY0FBYyxDQUFDLENBQUM7WUFDaEQsMkNBQTJDO1lBQzNDLElBQUksQ0FBQyxNQUFNLEdBQUcsY0FBYyxDQUFDO1lBQzdCLElBQUksQ0FBQyxvQkFBb0IsR0FBRyxLQUFLLENBQUM7WUFFbEMsNEJBQTRCO1lBQzVCLElBQUksSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7Z0JBQzFCLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxvQkFBb0IsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1lBQy9ELENBQUM7WUFFRCxJQUFJLENBQUM7Z0JBQ0gsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUsMkNBQTJDLEVBQUUsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO1lBQ3hHLENBQUM7WUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO2dCQUNmLGlDQUFpQztnQkFDakMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxrREFBa0QsQ0FBQyxDQUFDO1lBQ2xFLENBQUM7UUFDSCxDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLElBQUksQ0FBQztnQkFDSCxNQUFNLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxxQ0FBcUMsS0FBSyxDQUFDLE9BQU8sRUFBRSxFQUFFLEVBQUUsS0FBSyxFQUFFLEtBQUssQ0FBQyxPQUFPLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztZQUN4SSxDQUFDO1lBQUMsT0FBTyxRQUFRLEVBQUUsQ0FBQztnQkFDbEIsaUNBQWlDO2dCQUNqQyxPQUFPLENBQUMsR0FBRyxDQUFDLDZDQUE2QyxLQUFLLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUM1RSxDQUFDO1lBQ0Qsc0RBQXNEO1lBQ3RELElBQUksQ0FBQyxvQkFBb0IsR0FBRyxLQUFLLENBQUM7WUFDbEMsTUFBTSxLQUFLLENBQUM7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ssaUJBQWlCO1FBQ3ZCLG9DQUFvQztRQUNwQyxJQUFJLENBQUMsWUFBWSxHQUFHLFdBQVcsQ0FBQyxHQUFHLEVBQUU7WUFDbkMsSUFBSSxDQUFDLHlCQUF5QixFQUFFLENBQUM7UUFDbkMsQ0FBQyxFQUFFLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDO1FBRXhCLHVEQUF1RDtRQUN2RCxJQUFJLElBQUksQ0FBQyxZQUFZLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDNUIsSUFBSSxDQUFDLFlBQVksQ0FBQyxLQUFLLEVBQUUsQ0FBQztRQUM1QixDQUFDO1FBRUQsNkJBQTZCO1FBQzdCLElBQUksQ0FBQyx5QkFBeUIsRUFBRSxDQUFDO0lBQ25DLENBQUM7SUFFRDs7T0FFRztJQUNLLEtBQUssQ0FBQyx5QkFBeUI7UUFDckMsS0FBSyxNQUFNLEtBQUssSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDaEMsSUFBSSxLQUFLLENBQUMsTUFBTSxDQUFDLEdBQUcsRUFBRSxXQUFXLEtBQUssTUFBTSxFQUFFLENBQUM7Z0JBQzdDLE1BQU0sU0FBUyxHQUFHLEtBQUssQ0FBQyxJQUFJLElBQUksSUFBSSxDQUFDLHVCQUF1QixDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO2dCQUN2RSxNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsY0FBYyxDQUFDLFNBQVMsQ0FBQyxDQUFDO2dCQUU1RCxJQUFJLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO29CQUMzQyxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSxtQkFBbUIsU0FBUyxnQkFBZ0IsRUFBRSxFQUFFLFNBQVMsRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO29CQUNsSCxJQUFJLENBQUM7d0JBQ0gsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsS0FBSyxDQUFDLENBQUM7b0JBQ3pDLENBQUM7b0JBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQzt3QkFDZixNQUFNLENBQUMsR0FBRyxDQUFDLE9BQU8sRUFBRSxtQ0FBbUMsU0FBUyxLQUFLLEtBQUssQ0FBQyxPQUFPLEVBQUUsRUFBRSxFQUFFLFNBQVMsRUFBRSxLQUFLLEVBQUUsS0FBSyxDQUFDLE9BQU8sRUFBRSxTQUFTLEVBQUUscUJBQXFCLEVBQUUsQ0FBQyxDQUFDO29CQUMvSixDQUFDO2dCQUNILENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLGdCQUFnQixDQUN0QixTQUFpQixFQUNqQixNQUE2QixFQUM3QixNQUE2QixFQUM3QixRQUEyQixFQUMzQixLQUFjO1FBRWQsSUFBSSxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsU0FBUyxFQUFFO1lBQzdCLE1BQU0sRUFBRSxTQUFTO1lBQ2pCLE1BQU07WUFDTixNQUFNO1lBQ04sVUFBVSxFQUFFLFFBQVEsRUFBRSxVQUFVO1lBQ2hDLFNBQVMsRUFBRSxRQUFRLEVBQUUsU0FBUztZQUM5QixLQUFLO1NBQ04sQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVEOztPQUVHO0lBQ0ksb0JBQW9CLENBQUMsU0FBaUI7UUFDM0MsT0FBTyxJQUFJLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUN4QyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsZ0JBQWdCLENBQUMsU0FBaUI7UUFDN0MsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxLQUFLLFNBQVMsQ0FBQyxDQUFDO1FBQzFELElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztZQUNYLE1BQU0sSUFBSSxLQUFLLENBQUMsU0FBUyxTQUFTLFlBQVksQ0FBQyxDQUFDO1FBQ2xELENBQUM7UUFFRCwrQ0FBK0M7UUFDL0MsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLGlCQUFpQixDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ2xELE1BQU0sSUFBSSxDQUFDLG9CQUFvQixDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3pDLENBQUM7SUFFRDs7T0FFRztJQUNLLHFCQUFxQixDQUFDLGFBQTZEO1FBQ3pGLHlEQUF5RDtRQUN6RCxNQUFNLGFBQWEsR0FBRyxJQUFJLENBQUMsa0JBQWtCLEVBQUUsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUUxRCx5RUFBeUU7UUFDekUsTUFBTSxjQUFjLEdBQWlCO1lBQ25DLElBQUksRUFBRSxnQkFBZ0I7WUFDdEIsUUFBUSxFQUFFLElBQUksRUFBRyxnQkFBZ0I7WUFDakMsS0FBSyxFQUFFO2dCQUNMLEtBQUssRUFBRSxhQUFhO2dCQUNwQixJQUFJLEVBQUUsK0JBQStCO2FBQ3RDO1lBQ0QsTUFBTSxFQUFFO2dCQUNOLElBQUksRUFBRSxnQkFBZ0I7Z0JBQ3RCLGFBQWEsRUFBRSxjQUFjLENBQUMsVUFBVSxDQUFDLENBQUMsR0FBRyxFQUFFLEdBQUcsRUFBRSxFQUFFO29CQUNwRCxrQ0FBa0M7b0JBQ2xDLE1BQU0sS0FBSyxHQUFHLEdBQUcsQ0FBQyxHQUFHLEVBQUUsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxDQUFDO29CQUN4QyxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7d0JBQ1gsR0FBRyxDQUFDLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQzt3QkFDaEIsR0FBRyxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsQ0FBQzt3QkFDdEIsT0FBTztvQkFDVCxDQUFDO29CQUVELHFEQUFxRDtvQkFDckQsSUFBSSxZQUFZLEdBQVEsSUFBSSxDQUFDO29CQUM3QixNQUFNLE9BQU8sR0FBRzt3QkFDZCxHQUFHLEVBQUUsR0FBRyxDQUFDLEdBQUc7d0JBQ1osTUFBTSxFQUFFLEdBQUcsQ0FBQyxNQUFNO3dCQUNsQixPQUFPLEVBQUUsR0FBRyxDQUFDLE9BQU87cUJBQ3JCLENBQUM7b0JBRUYsTUFBTSxPQUFPLEdBQUc7d0JBQ2QsVUFBVSxFQUFFLEdBQUc7d0JBQ2YsU0FBUyxFQUFFLENBQUMsSUFBWSxFQUFFLEtBQWEsRUFBRSxFQUFFLEdBQUUsQ0FBQzt3QkFDOUMsR0FBRyxFQUFFLENBQUMsSUFBUyxFQUFFLEVBQUU7NEJBQ2pCLFlBQVksR0FBRyxJQUFJLENBQUM7d0JBQ3RCLENBQUM7cUJBQ0YsQ0FBQztvQkFFRiwwQkFBMEI7b0JBQzFCLE1BQU0sVUFBVSxHQUFHLEdBQUcsRUFBRTt3QkFDdEIsYUFBYSxDQUFDLGFBQWEsQ0FBQyxPQUFjLEVBQUUsT0FBYyxFQUFFLEdBQUcsRUFBRTs0QkFDL0Qsc0JBQXNCOzRCQUN0QixHQUFHLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDOzRCQUNoQixHQUFHLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO3dCQUN4QixDQUFDLENBQUMsQ0FBQzt3QkFFSCxrREFBa0Q7d0JBQ2xELFVBQVUsQ0FBQyxHQUFHLEVBQUU7NEJBQ2QsSUFBSSxZQUFZLEVBQUUsQ0FBQztnQ0FDakIsR0FBRyxDQUFDLE1BQU0sQ0FBQyxjQUFjLEVBQUUsWUFBWSxDQUFDLENBQUM7Z0NBQ3pDLEdBQUcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUM7NEJBQ2pDLENBQUM7aUNBQU0sQ0FBQztnQ0FDTixHQUFHLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDO2dDQUNoQixHQUFHLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDOzRCQUN4QixDQUFDO3dCQUNILENBQUMsRUFBRSxHQUFHLENBQUMsQ0FBQztvQkFDVixDQUFDLENBQUM7b0JBRUYsVUFBVSxFQUFFLENBQUM7Z0JBQ2YsQ0FBQyxDQUFDO2FBQ0g7U0FDRixDQUFDO1FBRUYsa0RBQWtEO1FBQ2xELElBQUksQ0FBQyxjQUFjLEdBQUcsY0FBYyxDQUFDO0lBQ3ZDLENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxJQUFJO1FBQ2YsSUFBSSxJQUFJLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDdEIsYUFBYSxDQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUNqQyxJQUFJLENBQUMsWUFBWSxHQUFHLElBQUksQ0FBQztRQUMzQixDQUFDO1FBRUQsNENBQTRDO1FBQzVDLElBQUksSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ3hCLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLCtDQUErQyxFQUFFLEVBQUUsU0FBUyxFQUFFLHFCQUFxQixFQUFFLENBQUMsQ0FBQztZQUMxRyxNQUFNLElBQUksQ0FBQyxvQkFBb0IsRUFBRSxDQUFDO1FBQ3BDLENBQUM7UUFFRCxJQUFJLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUNuQixNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxFQUFFLENBQUM7UUFDOUIsQ0FBQztRQUVELCtCQUErQjtRQUMvQixJQUFJLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDcEMsSUFBSSxDQUFDLGlCQUFpQixDQUFDLEtBQUssRUFBRSxDQUFDO1FBQ2pDLENBQUM7SUFDSCxDQUFDO0lBRUQ7O09BRUc7SUFDSSxjQUFjO1FBQ25CLE9BQU8sSUFBSSxDQUFDLFdBQVcsQ0FBQztJQUMxQixDQUFDO0lBRUQ7O09BRUc7SUFDSSxRQUFRO1FBQ2IsT0FBTztZQUNMLG9CQUFvQixFQUFFLElBQUksQ0FBQyxvQkFBb0I7U0FDaEQsQ0FBQztJQUNKLENBQUM7Q0FDRiJ9