@quiltdata/benchling-webhook 0.9.0-20251127T032721Z → 0.9.0-20251129T063536Z

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quiltdata/benchling-webhook",
-  "version": "0.9.0-20251127T032721Z",
+  "version": "0.9.0-20251129T063536Z",
   "description": "AWS CDK deployment for Benchling webhook processing using Fargate - Deploy directly with npx",
   "main": "dist/lib/index.js",
   "types": "dist/lib/index.d.ts",
@@ -18,8 +18,11 @@
     "build:clean": "rm -rf cdk.out dist */{*.js,*.d.ts}",
     "build:synth": "npx cdk synth",
     "build:typecheck": "tsc --noEmit",
-    "deploy:dev": "ts-node bin/cli.ts deploy --stage dev --profile dev",
-    "deploy:prod": "ts-node bin/cli.ts deploy --stage prod",
+    "build:lambda": "make lambda-bundle",
+    "build:lambda:check": "make check-bundle",
+    "build:lambda:clean": "make clean",
+    "deploy:dev": "make lambda-bundle && ts-node bin/cli.ts deploy --stage dev --profile dev",
+    "deploy:prod": "make lambda-bundle && ts-node bin/cli.ts deploy --stage prod",
     "deploy:notes": "bash scripts/release-notes.sh",
     "destroy": "ts-node bin/cli.ts destroy",
     "destroy:dev": "ts-node bin/cli.ts destroy --stage dev --profile dev",
@@ -48,6 +51,7 @@
     "test:native": "npm run launch -- --mode native --profile dev --test",
     "test:dev": "npm run deploy:dev && make -C docker test-deployed-dev PROFILE=dev",
     "test:prod": "make -C docker test-deployed-prod PROFILE=default",
+    "test:lambda-bundle": "bash scripts/test-lambda-bundle.sh",
     "test:python": "make -C docker test-unit",
     "test:ts": "cross-env NODE_ENV=test NODE_OPTIONS='--experimental-vm-modules' jest --maxWorkers=50%",
     "version": "ts-node scripts/version.ts",
@@ -97,6 +101,7 @@
   "dependencies": {
     "@aws-sdk/client-cloudformation": "^3.920.0",
     "@aws-sdk/client-cloudwatch-logs": "^3.933.0",
+    "@aws-sdk/client-ec2": "^3.940.0",
     "@aws-sdk/client-ecs": "^3.933.0",
     "@aws-sdk/client-elastic-load-balancing-v2": "^3.932.0",
     "@aws-sdk/client-s3": "^3.758.0",

package/dist/lib/rest-api-gateway.d.ts

@@ -1,32 +0,0 @@
-import * as apigateway from "aws-cdk-lib/aws-apigateway";
-import * as ec2 from "aws-cdk-lib/aws-ec2";
-import * as elbv2 from "aws-cdk-lib/aws-elasticloadbalancingv2";
-import * as servicediscovery from "aws-cdk-lib/aws-servicediscovery";
-import * as logs from "aws-cdk-lib/aws-logs";
-import * as lambda from "aws-cdk-lib/aws-lambda";
-import { Construct } from "constructs";
-import { ProfileConfig } from "./types/config";
-export interface RestApiGatewayProps {
-    readonly vpc: ec2.IVpc;
-    readonly cloudMapService: servicediscovery.IService;
-    readonly serviceSecurityGroup: ec2.ISecurityGroup;
-    readonly config: ProfileConfig;
-    readonly ecsService: elbv2.IApplicationLoadBalancerTarget | elbv2.INetworkLoadBalancerTarget;
-}
-export declare class RestApiGateway {
-    readonly api: apigateway.RestApi;
-    readonly vpcLink: apigateway.VpcLink;
-    readonly nlb: elbv2.NetworkLoadBalancer;
-    readonly logGroup: logs.ILogGroup;
-    readonly authorizer?: lambda.Function;
-    readonly authorizerLogGroup?: logs.ILogGroup;
-    constructor(scope: Construct, id: string, props: RestApiGatewayProps);
-    /**
-     * Build IAM resource policy for IP whitelisting
-     *
-     * If ipAllowList is empty, allow all IPs.
-     * Otherwise, only allow requests from specified IP addresses/CIDR blocks.
-     */
-    private buildResourcePolicy;
-}
-//# sourceMappingURL=rest-api-gateway.d.ts.map

package/dist/lib/rest-api-gateway.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"rest-api-gateway.d.ts","sourceRoot":"","sources":["../../lib/rest-api-gateway.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,GAAG,MAAM,qBAAqB,CAAC;AAC3C,OAAO,KAAK,KAAK,MAAM,wCAAwC,CAAC;AAChE,OAAO,KAAK,gBAAgB,MAAM,kCAAkC,CAAC;AACrE,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C,MAAM,WAAW,mBAAmB;IAChC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC;IACvB,QAAQ,CAAC,eAAe,EAAE,gBAAgB,CAAC,QAAQ,CAAC;IACpD,QAAQ,CAAC,oBAAoB,EAAE,GAAG,CAAC,cAAc,CAAC;IAClD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAC/B,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC,8BAA8B,GAAG,KAAK,CAAC,0BAA0B,CAAC;CAChG;AAED,qBAAa,cAAc;IACvB,SAAgB,GAAG,EAAE,UAAU,CAAC,OAAO,CAAC;IACxC,SAAgB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;IAC5C,SAAgB,GAAG,EAAE,KAAK,CAAC,mBAAmB,CAAC;IAC/C,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;IACzC,SAAgB,UAAU,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC7C,SAAgB,kBAAkB,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC;gBAExC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,mBAAmB;IAkMpE;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;CAmC9B"}

package/dist/lib/rest-api-gateway.js

@@ -1,257 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RestApiGateway = void 0;
-const cdk = __importStar(require("aws-cdk-lib"));
-const apigateway = __importStar(require("aws-cdk-lib/aws-apigateway"));
-const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
-const elbv2 = __importStar(require("aws-cdk-lib/aws-elasticloadbalancingv2"));
-const logs = __importStar(require("aws-cdk-lib/aws-logs"));
-const lambda = __importStar(require("aws-cdk-lib/aws-lambda"));
-const iam = __importStar(require("aws-cdk-lib/aws-iam"));
-class RestApiGateway {
-    constructor(scope, id, props) {
-        // Access logs for REST API
-        this.logGroup = new logs.LogGroup(scope, "ApiGatewayAccessLogs", {
-            logGroupName: "/aws/apigateway/benchling-webhook-rest",
-            retention: logs.RetentionDays.ONE_WEEK,
-            removalPolicy: cdk.RemovalPolicy.DESTROY,
-        });
-        // Create Network Load Balancer for VPC Link integration
-        // REST API Gateway requires NLB (not ALB) for private integration
-        this.nlb = new elbv2.NetworkLoadBalancer(scope, "NetworkLoadBalancer", {
-            vpc: props.vpc,
-            internetFacing: false,
-            vpcSubnets: {
-                subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
-            },
-        });
-        // Create target group for ECS service
-        const targetGroup = new elbv2.NetworkTargetGroup(scope, "TargetGroup", {
-            vpc: props.vpc,
-            port: 8080,
-            protocol: elbv2.Protocol.TCP,
-            targetType: elbv2.TargetType.IP,
-            healthCheck: {
-                enabled: true,
-                protocol: elbv2.Protocol.HTTP,
-                path: "/health",
-                interval: cdk.Duration.seconds(30),
-                timeout: cdk.Duration.seconds(10),
-                healthyThresholdCount: 2,
-                unhealthyThresholdCount: 3,
-            },
-            deregistrationDelay: cdk.Duration.seconds(30),
-        });
-        // Add listener to NLB
-        this.nlb.addListener("Listener", {
-            port: 80,
-            protocol: elbv2.Protocol.TCP,
-            defaultTargetGroups: [targetGroup],
-        });
-        // Register ECS service with target group
-        if ("attachToNetworkTargetGroup" in props.ecsService) {
-            props.ecsService.attachToNetworkTargetGroup(targetGroup);
-        }
-        // Create VPC Link with NLB as target
-        this.vpcLink = new apigateway.VpcLink(scope, "VpcLink", {
-            targets: [this.nlb],
-            vpcLinkName: "benchling-webhook-vpclink",
-            description: "VPC Link for Benchling Webhook REST API",
-        });
-        // Parse IP allowlist from config
-        const ipAllowList = props.config.security?.webhookAllowList
-            ?.split(",")
-            .map((ip) => ip.trim())
-            .filter((ip) => ip.length > 0) || [];
-        const verificationEnabled = props.config.security?.enableVerification !== false;
-        const benchlingSecretArn = props.config.benchling.secretArn;
-        if (!benchlingSecretArn) {
-            throw new Error("Benchling secret ARN is required to configure the Lambda authorizer");
-        }
-        // Build resource policy for IP whitelisting
-        const resourcePolicy = this.buildResourcePolicy(ipAllowList);
-        // Lambda authorizer for webhook verification
-        this.authorizerLogGroup = new logs.LogGroup(scope, "WebhookAuthorizerLogGroup", {
-            retention: logs.RetentionDays.ONE_WEEK,
-            removalPolicy: cdk.RemovalPolicy.DESTROY,
-        });
-        const authorizerCode = process.env.NODE_ENV === "test"
-            ? lambda.Code.fromInline("def handler(event, context):\n    return {}")
-            : lambda.Code.fromAsset(".", {
-                bundling: {
-                    image: lambda.Runtime.PYTHON_3_11.bundlingImage,
-                    command: [
-                        "bash",
-                        "-c",
-                        [
-                            "pip install -q -r /asset-input/lambda/authorizer/requirements.txt -t /asset-output",
-                            "cp /asset-input/docker/src/lambda_authorizer.py /asset-output/index.py",
-                        ].join(" && "),
-                    ],
-                },
-            });
-        this.authorizer = new lambda.Function(scope, "WebhookAuthorizerFunction", {
-            runtime: lambda.Runtime.PYTHON_3_11,
-            handler: "index.handler",
-            memorySize: 128,
-            timeout: cdk.Duration.seconds(10),
-            description: "Benchling webhook signature verification (defense-in-depth)",
-            environment: {
-                BENCHLING_SECRET_ARN: benchlingSecretArn,
-            },
-            code: authorizerCode,
-            logGroup: this.authorizerLogGroup,
-        });
-        this.authorizer.addToRolePolicy(new iam.PolicyStatement({
-            actions: ["secretsmanager:GetSecretValue"],
-            resources: [benchlingSecretArn],
-        }));
-        const requestAuthorizer = verificationEnabled
-            ? new apigateway.RequestAuthorizer(scope, "WebhookRequestAuthorizer", {
-                handler: this.authorizer,
-                identitySources: [
-                    apigateway.IdentitySource.header("webhook-id"),
-                    apigateway.IdentitySource.header("webhook-signature"),
-                    apigateway.IdentitySource.header("webhook-timestamp"),
-                ],
-                resultsCacheTtl: cdk.Duration.seconds(0),
-            })
-            : undefined;
-        // Create REST API
-        this.api = new apigateway.RestApi(scope, "BenchlingWebhookRestAPI", {
-            restApiName: "BenchlingWebhookRestAPI",
-            description: "REST API for Benchling webhook integration with IP whitelisting (v1.0.0+)",
-            policy: resourcePolicy,
-            deployOptions: {
-                stageName: "prod",
-                accessLogDestination: new apigateway.LogGroupLogDestination(this.logGroup),
-                accessLogFormat: apigateway.AccessLogFormat.jsonWithStandardFields({
-                    caller: true,
-                    httpMethod: true,
-                    ip: true,
-                    protocol: true,
-                    requestTime: true,
-                    resourcePath: true,
-                    responseLength: true,
-                    status: true,
-                    user: true,
-                }),
-                loggingLevel: apigateway.MethodLoggingLevel.INFO,
-                dataTraceEnabled: true,
-            },
-            endpointConfiguration: {
-                types: [apigateway.EndpointType.REGIONAL],
-            },
-        });
-        const createIntegration = (path) => new apigateway.Integration({
-            type: apigateway.IntegrationType.HTTP_PROXY,
-            integrationHttpMethod: "ANY",
-            uri: `http://${this.nlb.loadBalancerDnsName}:80${path}`,
-            options: {
-                connectionType: apigateway.ConnectionType.VPC_LINK,
-                vpcLink: this.vpcLink,
-            },
-        });
-        const webhookMethodOptions = requestAuthorizer
-            ? {
-                authorizer: requestAuthorizer,
-                authorizationType: apigateway.AuthorizationType.CUSTOM,
-            }
-            : undefined;
-        // Webhook endpoints secured by Lambda authorizer
-        const eventResource = this.api.root.addResource("event");
-        eventResource.addMethod("ANY", createIntegration("/event"), webhookMethodOptions);
-        const lifecycleResource = this.api.root.addResource("lifecycle");
-        lifecycleResource.addMethod("ANY", createIntegration("/lifecycle"), webhookMethodOptions);
-        const canvasResource = this.api.root.addResource("canvas");
-        canvasResource.addMethod("ANY", createIntegration("/canvas"), webhookMethodOptions);
-        // Health endpoints remain unauthenticated
-        const healthResource = this.api.root.addResource("health");
-        healthResource.addMethod("GET", createIntegration("/health"));
-        healthResource.addResource("ready").addMethod("GET", createIntegration("/health/ready"));
-        healthResource.addResource("live").addMethod("GET", createIntegration("/health/live"));
-        // Output IP filtering status
-        if (ipAllowList.length > 0) {
-            console.log(`IP Whitelisting enabled: ${ipAllowList.length} CIDR blocks`);
-            ipAllowList.forEach((ip) => console.log(`  - ${ip}`));
-        }
-        else {
-            console.log("IP Whitelisting disabled: all IPs allowed");
-        }
-    }
-    /**
-     * Build IAM resource policy for IP whitelisting
-     *
-     * If ipAllowList is empty, allow all IPs.
-     * Otherwise, only allow requests from specified IP addresses/CIDR blocks.
-     */
-    buildResourcePolicy(ipAllowList) {
-        if (ipAllowList.length === 0) {
-            // No IP filtering - allow all
-            return undefined;
-        }
-        return new iam.PolicyDocument({
-            statements: [
-                // Allow requests from whitelisted IPs
-                new iam.PolicyStatement({
-                    effect: iam.Effect.ALLOW,
-                    principals: [new iam.AnyPrincipal()],
-                    actions: ["execute-api:Invoke"],
-                    resources: ["execute-api:/*"],
-                    conditions: {
-                        IpAddress: {
-                            "aws:SourceIp": ipAllowList,
-                        },
-                    },
-                }),
-                // Explicitly deny requests from non-whitelisted IPs
-                new iam.PolicyStatement({
-                    effect: iam.Effect.DENY,
-                    principals: [new iam.AnyPrincipal()],
-                    actions: ["execute-api:Invoke"],
-                    resources: ["execute-api:/*"],
-                    conditions: {
-                        NotIpAddress: {
-                            "aws:SourceIp": ipAllowList,
-                        },
-                    },
-                }),
-            ],
-        });
-    }
-}
-exports.RestApiGateway = RestApiGateway;
-//# sourceMappingURL=rest-api-gateway.js.map

package/dist/lib/rest-api-gateway.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"rest-api-gateway.js","sourceRoot":"","sources":["../../lib/rest-api-gateway.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,uEAAyD;AACzD,yDAA2C;AAC3C,8EAAgE;AAEhE,2DAA6C;AAC7C,+DAAiD;AACjD,yDAA2C;AAY3C,MAAa,cAAc;IAQvB,YAAY,KAAgB,EAAE,EAAU,EAAE,KAA0B;QAChE,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE;YAC7D,YAAY,EAAE,wCAAwC;YACtD,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,wDAAwD;QACxD,kEAAkE;QAClE,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,KAAK,EAAE,qBAAqB,EAAE;YACnE,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,cAAc,EAAE,KAAK;YACrB,UAAU,EAAE;gBACR,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,mBAAmB;aACjD;SACJ,CAAC,CAAC;QAEH,sCAAsC;QACtC,MAAM,WAAW,GAAG,IAAI,KAAK,CAAC,kBAAkB,CAAC,KAAK,EAAE,aAAa,EAAE;YACnE,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,IAAI,EAAE,IAAI;YACV,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG;YAC5B,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE;YAC/B,WAAW,EAAE;gBACT,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;gBAC7B,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,qBAAqB,EAAE,CAAC;gBACxB,uBAAuB,EAAE,CAAC;aAC7B;YACD,mBAAmB,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;SAChD,CAAC,CAAC;QAEH,sBAAsB;QACtB,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE;YAC7B,IAAI,EAAE,EAAE;YACR,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG;YAC5B,mBAAmB,EAAE,CAAC,WAAW,CAAC;SACrC,CAAC,CAAC;QAEH,yCAAyC;QACzC,IAAI,4BAA4B,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;YACnD,KAAK,CAAC,UAAU,CAAC,0BAA0B,CAAC,WAAW,CAAC,CAAC;QAC7D,CAAC;QAED,qCAAqC;QACrC,IAAI,CAAC,OAAO,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE;YACpD,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC;YACnB,WAAW,EAAE,2BAA2B;YACxC,WAAW,EAAE,yCAAyC;SACzD,CAAC,CAAC;QAEH,iCAAiC;QACjC,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB;YACvD,EAAE,KAAK,CAAC,GAAG,CAAC;aACX,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;aACtB,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAEzC,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,kBAAkB,KAAK,KAAK,CAAC;QAChF,MAAM,kBAAkB,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC;QAC5D,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;QAC3F,CAAC;QAED,4CAA4C;QAC5C,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;QAE7D,6CAA6C;QAC7C,IAAI,CAAC,kBAAkB,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,2BAA2B,EAAE;YAC5E,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM;YAClD,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,6CAA6C,CAAC;YACvE,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACzB,QAAQ,EAAE;oBACN,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,aAAa;oBAC/C,OAAO,EAAE;wBACL,MAAM;wBACN,IAAI;wBACJ;4BACI,oFAAoF;4BACpF,wEAAwE;yBAC3E,CAAC,IAAI,CAAC,MAAM,CAAC;qBACjB;iBACJ;aACJ,CAAC,CAAC;QAEP,IAAI,CAAC,UAAU,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,2BAA2B,EAAE;YACtE,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW;YACnC,OAAO,EAAE,eAAe;YACxB,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,WAAW,EAAE,6DAA6D;YAC1E,WAAW,EAAE;gBACT,oBAAoB,EAAE,kBAAkB;aAC3C;YACD,IAAI,EAAE,cAAc;YACpB,QAAQ,EAAE,IAAI,CAAC,kBAAkB;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,eAAe,CAC3B,IAAI,GAAG,CAAC,eAAe,CAAC;YACpB,OAAO,EAAE,CAAC,+BAA+B,CAAC;YAC1C,SAAS,EAAE,CAAC,kBAAkB,CAAC;SAClC,CAAC,CACL,CAAC;QAEF,MAAM,iBAAiB,GAAG,mBAAmB;YACzC,CAAC,CAAC,IAAI,UAAU,CAAC,iBAAiB,CAAC,KAAK,EAAE,0BAA0B,EAAE;gBAClE,OAAO,EAAE,IAAI,CAAC,UAAU;gBACxB,eAAe,EAAE;oBACb,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,YAAY,CAAC;oBAC9C,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,mBAAmB,CAAC;oBACrD,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,mBAAmB,CAAC;iBACxD;gBACD,eAAe,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;aAC3C,CAAC;YACF,CAAC,CAAC,SAAS,CAAC;QAEhB,kBAAkB;QAClB,IAAI,CAAC,GAAG,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,yBAAyB,EAAE;YAChE,WAAW,EAAE,yBAAyB;YACtC,WAAW,EAAE,2EAA2E;YACxF,MAAM,EAAE,cAAc;YACtB,aAAa,EAAE;gBACX,SAAS,EAAE,MAAM;gBACjB,oBAAoB,EAAE,IAAI,UAAU,CAAC,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAC1E,eAAe,EAAE,UAAU,CAAC,eAAe,CAAC,sBAAsB,CAAC;oBAC/D,MAAM,EAAE,IAAI;oBACZ,UAAU,EAAE,IAAI;oBAChB,EAAE,EAAE,IAAI;oBACR,QAAQ,EAAE,IAAI;oBACd,WAAW,EAAE,IAAI;oBACjB,YAAY,EAAE,IAAI;oBAClB,cAAc,EAAE,IAAI;oBACpB,MAAM,EAAE,IAAI;oBACZ,IAAI,EAAE,IAAI;iBACb,CAAC;gBACF,YAAY,EAAE,UAAU,CAAC,kBAAkB,CAAC,IAAI;gBAChD,gBAAgB,EAAE,IAAI;aACzB;YACD,qBAAqB,EAAE;gBACnB,KAAK,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,QAAQ,CAAC;aAC5C;SACJ,CAAC,CAAC;QAEH,MAAM,iBAAiB,GAAG,CAAC,IAAY,EAA0B,EAAE,CAC/D,IAAI,UAAU,CAAC,WAAW,CAAC;YACvB,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC,UAAU;YAC3C,qBAAqB,EAAE,KAAK;YAC5B,GAAG,EAAE,UAAU,IAAI,CAAC,GAAG,CAAC,mBAAmB,MAAM,IAAI,EAAE;YACvD,OAAO,EAAE;gBACL,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,QAAQ;gBAClD,OAAO,EAAE,IAAI,CAAC,OAAO;aACxB;SACJ,CAAC,CAAC;QAEP,MAAM,oBAAoB,GAAG,iBAAiB;YAC1C,CAAC,CAAC;gBACE,UAAU,EAAE,iBAAiB;gBAC7B,iBAAiB,EAAE,UAAU,CAAC,iBAAiB,CAAC,MAAM;aACzD;YACD,CAAC,CAAC,SAAS,CAAC;QAEhB,iDAAiD;QACjD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACzD,aAAa,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,QAAQ,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAElF,MAAM,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QACjE,iBAAiB,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,YAAY,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAE1F,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC3D,cAAc,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,SAAS,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAEpF,0CAA0C;QAC1C,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC3D,cAAc,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9D,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,eAAe,CAAC,CAAC,CAAC;QACzF,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,cAAc,CAAC,CAAC,CAAC;QAEvF,6BAA6B;QAC7B,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,4BAA4B,WAAW,CAAC,MAAM,cAAc,CAAC,CAAC;YAC1E,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;QAC1D,CAAC;aAAM,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QAC7D,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACK,mBAAmB,CAAC,WAAqB;QAC7C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,8BAA8B;YAC9B,OAAO,SAAS,CAAC;QACrB,CAAC;QAED,OAAO,IAAI,GAAG,CAAC,cAAc,CAAC;YAC1B,UAAU,EAAE;gBACR,sCAAsC;gBACtC,IAAI,GAAG,CAAC,eAAe,CAAC;oBACpB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK;oBACxB,UAAU,EAAE,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;oBACpC,OAAO,EAAE,CAAC,oBAAoB,CAAC;oBAC/B,SAAS,EAAE,CAAC,gBAAgB,CAAC;oBAC7B,UAAU,EAAE;wBACR,SAAS,EAAE;4BACP,cAAc,EAAE,WAAW;yBAC9B;qBACJ;iBACJ,CAAC;gBACF,oDAAoD;gBACpD,IAAI,GAAG,CAAC,eAAe,CAAC;oBACpB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;oBACpC,OAAO,EAAE,CAAC,oBAAoB,CAAC;oBAC/B,SAAS,EAAE,CAAC,gBAAgB,CAAC;oBAC7B,UAAU,EAAE;wBACR,YAAY,EAAE;4BACV,cAAc,EAAE,WAAW;yBAC9B;qBACJ;iBACJ,CAAC;aACL;SACJ,CAAC,CAAC;IACP,CAAC;CACJ;AAnPD,wCAmPC"}