@sanctuary-framework/mcp-server 0.2.0
- package/LICENSE +190 -0
- package/README.md +210 -0
- package/dist/cli.cjs +4451 -0
- package/dist/cli.cjs.map +1 -0
- package/dist/cli.d.cts +1 -0
- package/dist/cli.d.ts +1 -0
- package/dist/cli.js +4449 -0
- package/dist/cli.js.map +1 -0
- package/dist/index.cjs +4524 -0
- package/dist/index.cjs.map +1 -0
- package/dist/index.d.cts +1207 -0
- package/dist/index.d.ts +1207 -0
- package/dist/index.js +4502 -0
- package/dist/index.js.map +1 -0
- package/package.json +71 -0
package/dist/cli.js.map
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/core/encoding.ts","../src/core/hashing.ts","../src/config.ts","../src/core/random.ts","../src/storage/filesystem.ts","../src/core/encryption.ts","../src/l1-cognitive/state-store.ts","../src/core/identity.ts","../src/core/key-derivation.ts","../src/router.ts","../src/l1-cognitive/tools.ts","../src/l2-operational/audit-log.ts","../src/l3-disclosure/commitments.ts","../src/l3-disclosure/policies.ts","../src/l3-disclosure/tools.ts","../src/l4-reputation/reputation-store.ts","../src/l4-reputation/tools.ts","../src/principal-policy/loader.ts","../src/principal-policy/baseline.ts","../src/principal-policy/approval-channel.ts","../src/principal-policy/gate.ts","../src/principal-policy/tools.ts","../src/shr/types.ts","../src/shr/generator.ts","../src/shr/verifier.ts","../src/shr/tools.ts","../src/handshake/protocol.ts","../src/handshake/tools.ts","../src/index.ts","../src/cli.ts"],"names":["nodeRandomBytes","join","writeFile","readFile","sha256","RESERVED_NAMESPACE_PREFIXES","start","end","hashToString","stringToBytes","mkdir","bytesToString"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAA,gBAAA,GAAA,EAAA;AAAA,QAAA,CAAA,gBAAA,EAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,WAAA,EAAA,MAAA,WAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,WAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAUO,SAAS,YAAY,KAAA,EAA2B;AACrD,EAAA,MAAM,SAAS,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,QAAQ,CAAA;AACnD,EAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACzE;AAKO,SAAS,cAAc,GAAA,EAAyB;AAErD,EAAA,IAAI,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAErD,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AAC9B,IAAA,MAAA,IAAU,GAAA;AAAA,EACZ;AACA,EAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA;AACxC,EAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAClE;AAKO,SAAS,cAAc,GAAA,EAAyB;AACrD,EAAA,OAAO,IAA
I,WAAA,EAAY,CAAE,MAAA,CAAO,GAAG,CAAA;AACrC;AAKO,SAAS,cAAc,KAAA,EAA2B;AACvD,EAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAA;AACvC;AAKO,SAAS,eAAe,MAAA,EAAkC;AAC/D,EAAA,MAAM,WAAA,GAAc,OAAO,MAAA,CAAO,CAAC,KAAK,GAAA,KAAQ,GAAA,GAAM,GAAA,CAAI,MAAA,EAAQ,CAAC,CAAA;AACnE,EAAA,MAAM,MAAA,GAAS,IAAI,UAAA,CAAW,WAAW,CAAA;AACzC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,OAAO,MAAA,EAAQ;AACxB,IAAA,MAAA,CAAO,GAAA,CAAI,KAAK,MAAM,CAAA;AACtB,IAAA,MAAA,IAAU,GAAA,CAAI,MAAA;AAAA,EAChB;AACA,EAAA,OAAO,MAAA;AACT;AAMO,SAAS,iBAAA,CAAkB,GAAe,CAAA,EAAwB;AACvE,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,IAAA,IAAQ,CAAA,CAAE,CAAC,CAAA,GAAK,CAAA,CAAE,CAAC,CAAA;AAAA,EACrB;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;AApEA,IAAA,aAAA,GAAA,KAAA,CAAA;AAAA,EAAA,sBAAA,GAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACAA,IAAA,eAAA,GAAA,EAAA;AAAA,QAAA,CAAA,eAAA,EAAA;AAAA,EAAA,eAAA,EAAA,MAAA,eAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,mBAAA,EAAA,MAAA,mBAAA;AAAA,EAAA,IAAA,EAAA,MAAA,IAAA;AAAA,EAAA,YAAA,EAAA,MAAA,YAAA;AAAA,EAAA,UAAA,EAAA,MAAA,UAAA;AAAA,EAAA,iBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAcO,SAAS,KAAK,IAAA,EAA8B;AACjD,EAAA,OAAO,OAAO,IAAI,CAAA;AACpB;AAKO,SAAS,aAAa,IAAA,EAA0B;AACrD,EAAA,OAAO,WAAA,CAAY,IAAA,CAAK,IAAI,CAAC,CAAA;AAC/B;AAKO,SAAS,UAAA,CAAW,KAAiB,IAAA,EAA8B;AACxE,EAAA,OAAO,IAAA,CAAK,MAAA,EAAQ,GAAA,EAAK,IAAI,CAAA;AAC/B;AA2BO,SAAS,gBACd,OAAA,EACmB;AACnB,EAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,CAAA,EAAG,OAAO,IAAA;AAG/B,EAAA,MAAM,aAAa,KAAA,CAAM,IAAA,CAAK,QAAQ,IAAA,EAAM,EAAE,IAAA,EAAK;AAGnD,EAAA,IAAI,KAAA,GAAsB,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,KAAQ;AAChD,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AACnC,IAAA,MAAM,QAAA,GAAW,WAAA;AAAA,MACf,cAAc,GAAG,CAAA;AAAA,MACjB,cAAc,WAAW;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,aAAa,QAAQ,CAAA;AAAA,MAC3B;AAAA,KACF;AAAA,EACF,CAAC,CAAA;AAGD,EAAA,OAAO,KAAA,CAAM,SAAS,CAAA,EAAG;AACvB,IAAA,MAAM,YAA0B,EAAC;AACjC,IAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAA,
EAAQ,KAAK,CAAA,EAAG;AACxC,MAAA,MAAM,IAAA,GAAO,MAAM,CAAC,CAAA;AACpB,MAAA,IAAI,CAAA,GAAI,CAAA,GAAI,KAAA,CAAM,MAAA,EAAQ;AACxB,QAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,CAAA,GAAI,CAAC,CAAA;AACzB,QAAA,MAAM,UAAA,GAAa,WAAA;AAAA,UACjB,aAAA,CAAc,KAAK,IAAI,CAAA;AAAA,UACvB,aAAA,CAAc,MAAM,IAAI;AAAA,SAC1B;AACA,QAAA,SAAA,CAAU,IAAA,CAAK;AAAA,UACb,IAAA,EAAM,aAAa,UAAU,CAAA;AAAA,UAC7B,IAAA;AAAA,UACA;AAAA,SACD,CAAA;AAAA,MACH,CAAA,MAAO;AAEL,QAAA,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,MACrB;AAAA,IACF;AACA,IAAA,KAAA,GAAQ,SAAA;AAAA,EACV;AAEA,EAAA,OAAO,KAAA,CAAM,CAAC,CAAA,IAAK,IAAA;AACrB;AASO,SAAS,mBAAA,CACd,SACA,SAAA,EACoB;AACpB,EAAA,IAAI,CAAC,OAAA,CAAQ,GAAA,CAAI,SAAS,GAAG,OAAO,IAAA;AAEpC,EAAA,MAAM,aAAa,KAAA,CAAM,IAAA,CAAK,QAAQ,IAAA,EAAM,EAAE,IAAA,EAAK;AACnD,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,OAAA,CAAQ,SAAS,CAAA;AAChD,EAAA,IAAI,WAAA,KAAgB,IAAI,OAAO,IAAA;AAG/B,EAAA,MAAM,UAAA,GAAuB,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,KAAQ;AACnD,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AACnC,IAAA,MAAM,QAAA,GAAW,WAAA;AAAA,MACf,cAAc,GAAG,CAAA;AAAA,MACjB,cAAc,WAAW;AAAA,KAC3B;AACA,IAAA,OAAO,aAAa,QAAQ,CAAA;AAAA,EAC9B,CAAC,CAAA;AAED,EAAA,MAAM,OAA4B,EAAC;AACnC,EAAA,IAAI,YAAA,GAAe,WAAA;AACnB,EAAA,IAAI,YAAA,GAAe,UAAA;AAEnB,EAAA,OAAO,YAAA,CAAa,SAAS,CAAA,EAAG;AAC9B,IAAA,MAAM,YAAsB,EAAC;AAC7B,IAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,MAAA,EAAQ,KAAK,CAAA,EAAG;AAC/C,MAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,MAAA,IAAI,CAAA,GAAI,CAAA,GAAI,YAAA,CAAa,MAAA,EAAQ;AAC/B,QAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,GAAI,CAAC,CAAA;AAGhC,QAAA,IAAI,CAAA,KAAM,YAAA,IAAgB,CAAA,GAAI,CAAA,KAAM,YAAA,EAAc;AAChD,UAAA,IAAI,iBAAiB,CAAA,EAAG;AACtB,YAAA,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,SAAS,CAAA;AAAA,UAC9C,CAAA,MAAO;AACL,YAAA,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,IAAA,EAAM,QAAA,EAAU,QAAQ,CAAA;AAAA,UAC5C;AAAA,QACF;AAEA,QAAA,MAAM,UAAA,GAAa,WAAA;AAAA,UACjB,cAAc,IAAI,CAAA;AAAA,UAClB,cAAc,KAAK;AAAA,SACrB;AACA,QAAA,SAAA,CAAU,IAAA,CAAK,YAAA,CAAa,UAAU,CAAC,CAAA;AAAA,MACzC,CAAA,MAAO;AAEL,QAAA,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,MACrB;AAAA,IACF;AACA,IAAA,YAAA,GAAe,IAAA,CAAK,KAA
A,CAAM,YAAA,GAAe,CAAC,CAAA;AAC1C,IAAA,YAAA,GAAe,SAAA;AAAA,EACjB;AAEA,EAAA,MAAM,IAAA,GAAO,gBAAgB,OAAO,CAAA;AAEpC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,WAAW,WAAW,CAAA;AAAA,IAC5B,IAAA;AAAA,IACA,IAAA,EAAM,MAAM,IAAA,IAAQ;AAAA,GACtB;AACF;AAQO,SAAS,kBAAkB,KAAA,EAA6B;AAC7D,EAAA,IAAI,cAAc,KAAA,CAAM,IAAA;AAExB,EAAA,KAAA,MAAW,IAAA,IAAQ,MAAM,IAAA,EAAM;AAC7B,IAAA,MAAM,IAAA,GACJ,IAAA,CAAK,QAAA,KAAa,MAAA,GAAS,KAAK,IAAA,GAAO,WAAA;AACzC,IAAA,MAAM,KAAA,GACJ,IAAA,CAAK,QAAA,KAAa,OAAA,GAAU,KAAK,IAAA,GAAO,WAAA;AAC1C,IAAA,MAAM,UAAA,GAAa,WAAA;AAAA,MACjB,cAAc,IAAI,CAAA;AAAA,MAClB,cAAc,KAAK;AAAA,KACrB;AACA,IAAA,WAAA,GAAc,aAAa,UAAU,CAAA;AAAA,EACvC;AAEA,EAAA,OAAO,gBAAgB,KAAA,CAAM,IAAA;AAC/B;AAMO,SAAS,kBAAkB,OAAA,EAAsC;AACtE,EAAA,MAAM,IAAA,GAAO,gBAAgB,OAAO,CAAA;AACpC,EAAA,OAAO,MAAM,IAAA,IAAQ,EAAA;AACvB;AA9MA,IAAA,YAAA,GAAA,KAAA,CAAA;AAAA,EAAA,qBAAA,GAAA;AASA,IAAA,aAAA,EAAA;AAAA,EAAA;AAAA,CAAA,CAAA;ACyCO,SAAS,aAAA,GAAiC;AAC/C,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,OAAA;AAAA,IACT,YAAA,EAAc,IAAA,CAAK,OAAA,EAAQ,EAAG,YAAY,CAAA;AAAA,IAC1C,KAAA,EAAO;AAAA,MACL,UAAA,EAAY,aAAA;AAAA,MACZ,cAAA,EAAgB,MAAA;AAAA,MAChB,cAAA,EAAgB,UAAA;AAAA,MAChB,SAAA,EAAW,eAAA;AAAA,MACX,iBAAA,EAAmB;AAAA,KACrB;AAAA,IACA,SAAA,EAAW;AAAA,MACT,WAAA,EAAa,eAAA;AAAA,MACb,WAAA,EAAa,IAAA;AAAA,MACb,eAAA,EAAiB;AAAA,QACf,aAAA,EAAe,GAAA;AAAA,QACf,cAAA,EAAgB,IAAA;AAAA,QAChB,eAAA,EAAiB;AAAA;AACnB,KACF;AAAA,IACA,UAAA,EAAY;AAAA,MACV,YAAA,EAAc,iBAAA;AAAA,MACd,cAAA,EAAgB;AAAA,KAClB;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,gBAAA;AAAA,MACN,kBAAA,EAAoB,gBAAA;AAAA,MACpB,aAAA,EAAe,kBAAA;AAAA,MACf,mBAAmB;AAAC,KACtB;AAAA,IACA,SAAA,EAAW,OAAA;AAAA,IACX,SAAA,EAAW;AAAA,GACb;AACF;AAKA,eAAsB,WACpB,UAAA,EAC0B;AAC1B,EAAA,MAAM,SAAS,aAAA,EAAc;AAG7B,EAAA,IAAI,OAAA,CAAQ,IAAI,sBAAA,EAAwB;AACtC,IAAA,MAAA,CAAO,YAAA,GAAe,QAAQ,GAAA,CAAI,sBAAA;AAAA,EACpC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,mBAAA,EAAqB;AACnC,IAAA,MAAA,CAAO,SAAA,GAAY,QAAQ,GAAA,CAAI,mBAAA;AAAA,EACjC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,mBAAA,EAAqB;AACnC,IAAA,MAAA,CAAO,SAAA,GAAY,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,qBAAqB,EAAE,CAAA;AAAA,EACjE;AA
GA,EAAA,MAAM,IAAA,GACJ,UAAA,IAAc,IAAA,CAAK,MAAA,CAAO,cAAc,gBAAgB,CAAA;AAE1D,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAM,QAAA,CAAS,IAAA,EAAM,OAAO,CAAA;AACxC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AACjC,IAAA,OAAO,SAAA,CAAU,QAAQ,UAAU,CAAA;AAAA,EACrC,CAAA,CAAA,MAAQ;AAEN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAKA,eAAsB,UAAA,CACpB,QACA,UAAA,EACe;AACf,EAAA,MAAM,IAAA,GACU,IAAA,CAAK,MAAA,CAAO,cAAc,gBAAgB,CAAA;AAC1D,EAAA,MAAM,SAAA,CAAU,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,IAAA,EAAM,CAAC,CAAA,EAAG,EAAE,IAAA,EAAM,GAAA,EAAO,CAAA;AACxE;AAGA,SAAS,SAAA,CAAU,MAAc,QAAA,EAAmC;AAClE,EAAA,MAAM,MAAA,GAAkC,EAAE,GAAG,IAAA,EAAK;AAClD,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACnD,IAAA,IACE,UAAU,IAAA,IACV,OAAO,UAAU,QAAA,IACjB,CAAC,MAAM,OAAA,CAAQ,KAAK,CAAA,IACpB,OAAO,OAAO,GAAG,CAAA,KAAM,YACvB,MAAA,CAAO,GAAG,MAAM,IAAA,EAChB;AACA,MAAA,MAAA,CAAO,GAAG,CAAA,GAAI,SAAA;AAAA,QACZ,OAAO,GAAG,CAAA;AAAA,QACV;AAAA,OACF;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,CAAO,GAAG,CAAA,GAAI,KAAA;AAAA,IAChB;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;ACzIO,SAAS,YAAY,MAAA,EAA4B;AACtD,EAAA,IAAI,UAAU,CAAA,EAAG;AACf,IAAA,MAAM,IAAI,WAAW,yBAAyB,CAAA;AAAA,EAChD;AACA,EAAA,MAAM,GAAA,GAAMA,cAAgB,MAAM,CAAA;AAClC,EAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAClE;AAKO,SAAS,UAAA,GAAyB;AACvC,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;AAKO,SAAS,YAAA,GAA2B;AACzC,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;AAKO,SAAS,iBAAA,GAAgC;AAC9C,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;;;ACvBO,IAAM,oBAAN,MAAkD;AAAA,EAC/C,QAAA;AAAA,EAER,YAAY,QAAA,EAAkB;AAC5B,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAAA,EAClB;AAAA,EAEQ,SAAA,CAAU,WAAmB,GAAA,EAAqB;AAExD,IAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,OAAA,CAAQ,iBAAA,EAAmB,GAAG,CAAA;AAC9D,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,CAAQ,kBAAA,EAAoB,GAAG,CAAA;AACnD,IAAA,OAAOC,KAAK,IAAA,CAAK,QAAA,EAAU,aAAA,EAAe,CAAA,EAAG,OAAO,CAAA,IAAA,CAAM,CAAA;AAAA,EAC5D;AAAA,EAEQ,cAAc,SAAA,EAA2B;AAC/C,IAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,OAAA,CAAQ,iBAAA,EAAmB,GAAG,CAAA;AAC9D,IAAA,OAAOA,IAAAA,CAAK,IAAA,CAAK,QAAA,EAAU,aAAa,CAAA;AAAA,EAC1C;AAAA,
EAEA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,IAAA,EACe;AACf,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAS,CAAA;AAC5C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAG9C,IAAA,MAAM,MAAM,OAAA,EAAS,EAAE,WAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAGrD,IAAA,MAAMC,UAAU,QAAA,EAAU,IAAA,EAAM,EAAE,IAAA,EAAM,KAAO,CAAA;AAAA,EACjD;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,GAAA,EAAyC;AACrE,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAC9C,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAMC,QAAAA,CAAS,QAAQ,CAAA;AACnC,MAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAAA,IAClE,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,IAAA;AAAA,MACT;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EACA,kBAAkB,IAAA,EACA;AAClB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAE9C,IAAA,IAAI;AACF,MAAA,IAAI,eAAA,EAAiB;AAEnB,QAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,QAAQ,CAAA;AACpC,QAAA,MAAM,OAAO,QAAA,CAAS,IAAA;AAGtB,QAAA,KAAA,IAAS,IAAA,GAAO,CAAA,EAAG,IAAA,GAAO,CAAA,EAAG,IAAA,EAAA,EAAQ;AACnC,UAAA,MAAM,UAAA,GAAa,YAAY,IAAI,CAAA;AACnC,UAAA,MAAMD,UAAU,QAAA,EAAU,UAAA,EAAY,EAAE,IAAA,EAAM,KAAO,CAAA;AAAA,QACvD;AAAA,MACF;AAGA,MAAA,MAAM,OAAO,QAAQ,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,KAAA;AAAA,MACT;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,MAAA,EAA8C;AAC1E,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAS,CAAA;AAE5C,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAM,OAAA,CAAQ,OAAO,CAAA;AACnC,MAAA,MAAM,UAA8B,EAAC;AAErC,MAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,QAAA,IAAI,CAAC,IAAA,CAAK,QAAA,CAAS,MAAM,CAAA,EAAG;AAE5B,QAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,CAAA,EAAG,CAAA,CAAE,CAAA;AAC5B,QAAA,IAAI,MAAA,IAAU,CAAC,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AAEvC,QAAA,MAAM,QAAA,GAAWD,IAAAA,CAAK,OAAA,EAAS,IAAI,CAAA;AACnC,QAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,QAAQ,CAAA;AAEpC,QAAA,OAAA,CAAQ,IAA
A,CAAK;AAAA,UACX,GAAA;AAAA,UACA,SAAA;AAAA,UACA,YAAY,QAAA,CAAS,IAAA;AAAA,UACrB,WAAA,EAAa,QAAA,CAAS,KAAA,CAAM,WAAA;AAAY,SACzC,CAAA;AAAA,MACH;AAEA,MAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,EAAE,GAAA,CAAI,aAAA,CAAc,CAAA,CAAE,GAAG,CAAC,CAAA;AAAA,IAC1D,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,EAAC;AAAA,MACV;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CAAO,SAAA,EAAmB,GAAA,EAA+B;AAC7D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAC9C,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,QAAQ,CAAA;AACnB,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,SAAA,GAA6B;AACjC,IAAA,IAAI,KAAA,GAAQ,CAAA;AAEZ,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAa,MAAM,OAAA,CAAQ,IAAA,CAAK,QAAQ,CAAA;AAC9C,MAAA,KAAA,MAAW,MAAM,UAAA,EAAY;AAC3B,QAAA,MAAM,MAAA,GAASA,IAAAA,CAAK,IAAA,CAAK,QAAA,EAAU,EAAE,CAAA;AACrC,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAM,CAAA;AAChC,QAAA,IAAI,CAAC,MAAA,CAAO,WAAA,EAAY,EAAG;AAE3B,QAAA,MAAM,KAAA,GAAQ,MAAM,OAAA,CAAQ,MAAM,CAAA;AAClC,QAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,UAAA,MAAM,QAAA,GAAWA,IAAAA,CAAK,MAAA,EAAQ,IAAI,CAAA;AAClC,UAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,QAAQ,CAAA;AACpC,UAAA,KAAA,IAAS,QAAA,CAAS,IAAA;AAAA,QACpB;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AACF,CAAA;AC9JA,aAAA,EAAA;AAyBO,SAAS,OAAA,CACd,SAAA,EACA,GAAA,EACA,GAAA,EACkB;AAClB,EAAA,IAAI,GAAA,CAAI,WAAW,EAAA,EAAI;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC3D;AAEA,EAAA,MAAM,KAAK,UAAA,EAAW;AACtB,EAAA,MAAM,MAAA,GAAS,GAAA,CAAI,GAAA,EAAK,EAAA,EAAI,GAAG,CAAA;AAE/B,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA;AAE3C,EAAA,OAAO;AAAA,IACL,CAAA,EAAG,CAAA;AAAA,IACH,GAAA,EAAK,aAAA;AAAA,IACL,EAAA,EAAI,YAAY,EAAE,CAAA;AAAA,IAClB,EAAA,EAAI,YAAY,UAAU,CAAA;AAAA,IAC1B,EAAA,EAAA,iBAAI,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GAC7B;AACF;AAWO,SAAS,OAAA,CACd,OAAA,EACA,GAAA,EACA,GAAA,EACY;AACZ,EAAA,IAAI,GAAA,CAAI,WAAW,EAAA,EAAI;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC3D;AACA,EAAA,IAAI,OA
AA,CAAQ,MAAM,CAAA,EAAG;AACnB,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,OAAA,CAAQ,CAAC,CAAA,CAAE,CAAA;AAAA,EAC7D;AACA,EAAA,IAAI,OAAA,CAAQ,QAAQ,aAAA,EAAe;AACjC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,OAAA,CAAQ,GAAG,CAAA,CAAE,CAAA;AAAA,EACzD;AAEA,EAAA,MAAM,EAAA,GAAK,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AACnC,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AAC3C,EAAA,MAAM,MAAA,GAAS,GAAA,CAAI,GAAA,EAAK,EAAA,EAAI,GAAG,CAAA;AAG/B,EAAA,OAAO,MAAA,CAAO,QAAQ,UAAU,CAAA;AAClC;;;ACtEA,YAAA,EAAA;;;ACVA,aAAA,EAAA;AAEA,YAAA,EAAA;AAyCO,SAAS,eAAA,GAGd;AACA,EAAA,MAAM,UAAA,GAAa,YAAY,EAAE,CAAA;AACjC,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,YAAA,CAAa,UAAU,CAAA;AACjD,EAAA,OAAO,EAAE,WAAW,UAAA,EAAW;AACjC;AAMO,SAAS,eAAe,SAAA,EAA+B;AAE5D,EAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,CAAC,KAAM,CAAA,EAAM,GAAG,SAAS,CAAC,CAAA;AAI5D,EAAA,OAAO,CAAA,SAAA,EAAY,WAAA,CAAY,UAAU,CAAC,CAAA,CAAA;AAC5C;AAMO,SAAS,mBAAmB,SAAA,EAA+B;AAChE,EAAA,MAAM,OAAA,GAAU,KAAK,SAAS,CAAA;AAE9B,EAAA,OAAO,KAAA,CAAM,KAAK,OAAA,CAAQ,KAAA,CAAM,GAAG,EAAE,CAAC,EACnC,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAC,CAAA,CAC1C,IAAA,CAAK,EAAE,CAAA;AACZ;AAUO,SAAS,cAAA,CACd,KAAA,EACA,aAAA,EACA,aAAA,EACoE;AACpE,EAAA,MAAM,EAAE,SAAA,EAAW,UAAA,EAAW,GAAI,eAAA,EAAgB;AAClD,EAAA,MAAM,UAAA,GAAa,mBAAmB,SAAS,CAAA;AAC/C,EAAA,MAAM,GAAA,GAAM,eAAe,SAAS,CAAA;AACpC,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,mBAAA,GAAsB,OAAA,CAAQ,UAAA,EAAY,aAAa,CAAA;AAG7D,EAAA,UAAA,CAAW,KAAK,CAAC,CAAA;AAEjB,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,WAAA,EAAa,UAAA;AAAA,IACb,KAAA;AAAA,IACA,UAAA,EAAY,YAAY,SAAS,CAAA;AAAA,IACjC,GAAA;AAAA,IACA,UAAA,EAAY,GAAA;AAAA,IACZ,QAAA,EAAU,SAAA;AAAA,IACV,cAAA,EAAgB;AAAA,GAClB;AAEA,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,GAAG,cAAA;AAAA,IACH,qBAAA,EAAuB,mBAAA;AAAA,IACvB,kBAAkB;AAAC,GACrB;AAEA,EAAA,OAAO,EAAE,gBAAgB,cAAA,EAAe;AAC1C;AAUO,SAAS,IAAA,CACd,OAAA,EACA,mBAAA,EACA,aAAA,EACY;AAEZ,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,mBAAA,EAAqB,aAAa,CAAA;AAE7D,EAAA,IAAI;AACF,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,UAAU,CAAA;AAAA,EACzC,CAAA,SAAE
;AAEA,IAAA,UAAA,CAAW,KAAK,CAAC,CAAA;AAAA,EACnB;AACF;AAUO,SAAS,MAAA,CACd,OAAA,EACA,SAAA,EACA,SAAA,EACS;AACT,EAAA,IAAI;AACF,IAAA,OAAO,OAAA,CAAQ,MAAA,CAAO,SAAA,EAAW,OAAA,EAAS,SAAS,CAAA;AAAA,EACrD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAYO,SAAS,UAAA,CACd,cAAA,EACA,aAAA,EACA,MAAA,EACmE;AACnE,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,UAAA,EAAY,aAAA,KAC3C,eAAA,EAAgB;AAClB,EAAA,MAAM,cAAA,GAAiB,eAAe,YAAY,CAAA;AAClD,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,SAAA,GAAY,KAAK,SAAA,CAAU;AAAA,IAC/B,gBAAgB,cAAA,CAAe,UAAA;AAAA,IAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,IACxC,aAAa,cAAA,CAAe,WAAA;AAAA,IAC5B,MAAA;AAAA,IACA,UAAA,EAAY;AAAA,GACb,CAAA;AAGD,EAAA,MAAM,UAAA,GAAa,IAAI,WAAA,EAAY,CAAE,OAAO,SAAS,CAAA;AACrD,EAAA,MAAM,SAAA,GAAY,IAAA;AAAA,IAChB,UAAA;AAAA,IACA,cAAA,CAAe,qBAAA;AAAA,IACf;AAAA,GACF;AAEA,EAAA,MAAM,aAAA,GAA+B;AAAA,IACnC,gBAAgB,cAAA,CAAe,UAAA;AAAA,IAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,IACxC,aAAa,cAAA,CAAe,WAAA;AAAA,IAC5B,MAAA;AAAA,IACA,UAAA,EAAY,GAAA;AAAA,IACZ,SAAA,EAAW,YAAY,SAAS;AAAA,GAClC;AAGA,EAAA,MAAM,sBAAA,GAAyB,OAAA,CAAQ,aAAA,EAAe,aAAa,CAAA;AACnE,EAAA,aAAA,CAAc,KAAK,CAAC,CAAA;AAEpB,EAAA,MAAM,eAAA,GAAkC;AAAA,IACtC,GAAG,cAAA;AAAA,IACH,UAAA,EAAY,YAAY,YAAY,CAAA;AAAA,IACpC,GAAA,EAAK,cAAA;AAAA,IACL,qBAAA,EAAuB,sBAAA;AAAA,IACvB,gBAAA,EAAkB;AAAA,MAChB,GAAG,cAAA,CAAe,gBAAA;AAAA,MAClB;AAAA,QACE,gBAAgB,cAAA,CAAe,UAAA;AAAA,QAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,QACxC,cAAA,EAAgB,WAAA;AAAA,UACd,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,aAAa,CAAC;AAAA,SACxD;AAAA,QACA,UAAA,EAAY;AAAA;AACd;AACF,GACF;AAEA,EAAA,OAAO,EAAE,iBAAiB,aAAA,EAAc;AAC1C;ACtOA,aAAA,EAAA;AAGA,IAAM,kBAAA,GAAqB,KAAA;AAC3B,IAAM,gBAAA,GAAmB,CAAA;AACzB,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,kBAAA,GAAqB,EAAA;AAyB3B,eAAsB,eAAA,CACpB,YACA,cAAA,EAC2D;AAC3D,EAAA,MAAM,OAAO,cAAA,GACT,aAAA,CAAc,cAAA,CAAe,IAAI,IACjC,YAAA,EAAa;AAEjB,EAAA,MAAM,SAA8B,cAAA,IAAkB;AAAA,IACpD,GAAA,EAAK,UAAA;AAAA,IACL,IAAA,EAAM,YAAY,IAAI,CAAA;AAAA,IACtB,CAAA,EAAG,kBAAA;AAAA,IACH,CAAA,EAAG,gBAAA;AAAA,IACH,CAAA,EAAG,kBAAA;AAAA,IACH,C
AAA,EAAG;AAAA,GACL;AAEA,EAAA,MAAM,OAAA,GAAU,MAAM,QAAA,CAAS;AAAA,IAC7B,QAAA,EAAU,UAAA;AAAA,IACV,IAAA;AAAA,IACA,aAAa,MAAA,CAAO,CAAA;AAAA,IACpB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,UAAA,EAAY;AAAA,GACb,CAAA;AAGD,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,MAAA,CAAO,CAAC,CAAA;AACnC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,GAAG,CAAA,EAAA,EAAK;AACjC,IAAA,GAAA,CAAI,CAAC,CAAA,GAAI,QAAA,CAAS,OAAA,CAAQ,SAAA,CAAU,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,EAAG,EAAE,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,EAAE,KAAK,MAAA,EAAO;AACvB;AAYO,SAAS,kBAAA,CACd,WACA,SAAA,EACY;AACZ,EAAA,IAAI,SAAA,CAAU,WAAW,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAO,IAAA;AAAA,IACLG,MAAAA;AAAA,IACA,SAAA;AAAA,IACA,cAAc,wBAAwB,CAAA;AAAA;AAAA,IACtC,cAAc,SAAS,CAAA;AAAA;AAAA,IACvB;AAAA;AAAA,GACF;AACF;AAUO,SAAS,gBAAA,CACd,WACA,OAAA,EACY;AACZ,EAAA,IAAI,SAAA,CAAU,WAAW,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAO,IAAA;AAAA,IACLA,MAAAA;AAAA,IACA,SAAA;AAAA,IACA,cAAc,sBAAsB,CAAA;AAAA,IACpC,cAAc,OAAO,CAAA;AAAA,IACrB;AAAA,GACF;AACF;;;AFtGA,aAAA,EAAA;AAYA,IAAM,2BAAA,GAA8B;AAAA,EAClC,aAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF,CAAA;AAuDO,IAAM,aAAN,MAAiB;AAAA,EACd,OAAA;AAAA,EACA,SAAA;AAAA;AAAA,EAGA,YAAA,uBAAmB,GAAA,EAAoB;AAAA;AAAA,EAGvC,aAAA,uBAAoB,GAAA,EAAiC;AAAA,EAE7D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AAAA,EAEQ,UAAA,CAAW,WAAmB,GAAA,EAAqB;AACzD,IAAA,OAAO,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBACZ,SAAA,EAC8B;AAC9B,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAAA,IACzC;AAGA,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,SAAS,CAAA;AACjD,IAAA,MAAM,OAAA,uBAAc,GAAA,EAAoB;AAExC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,Q
AAQ,IAAA,CAAK,SAAA,EAAW,MAAM,GAAG,CAAA;AACxD,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,IAAI;AACF,UAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC5D,UAAA,OAAA,CAAQ,GAAA,CAAI,KAAA,CAAM,GAAA,EAAK,UAAA,CAAW,cAAc,CAAA;AAChD,UAAA,IAAA,CAAK,YAAA,CAAa,GAAA;AAAA,YAChB,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,KAAA,CAAM,GAAG,CAAA;AAAA,YACpC,UAAA,CAAW;AAAA,WACb;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAA,EAAW,OAAO,CAAA;AACzC,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,KAAA,EACA,YACA,mBAAA,EACA,qBAAA,EACA,OAAA,GAAwB,EAAC,EACH;AACtB,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,IAAA,CAAK,SAAA,EAAW,SAAS,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,cAAc,KAAK,CAAA;AAGrC,IAAA,MAAM,aAAA,GAAgB,aAAa,SAAS,CAAA;AAG5C,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,SAAA,EAAW,YAAY,CAAA;AAG/C,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAE,CAAA,IAAK,CAAA;AACpD,IAAA,MAAM,aAAa,cAAA,GAAiB,CAAA;AAGpC,IAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AAChD,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,eAAA;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,IAAA,MAAM,UAAA,GAAyB;AAAA,MAC7B,CAAA,EAAG,CAAA;AAAA,MACH,OAAA;AAAA,MACA,GAAA,EAAK,UAAA;AAAA,MACL,GAAA,EAAK,YAAY,SAAS,CAAA;AAAA,MAC1B,GAAA,EAAK,UAAA;AAAA,MACL,cAAA,EAAgB,aAAA;AAAA,MAChB,QAAA,EAAU;AAAA,QACR,cAAc,OAAA,CAAQ,YAAA;AAAA,QACtB,aAAa,OAAA,CAAQ,WAAA;AAAA,QACrB,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,UAAA,EAAY;AAAA;AACd,KACF;AAGA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,UAAU,CAAC,CAAA;AAC3D,IAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,SAAA,EAAW,KAAK,UAAU,CAAA;AAGnD,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,UAAU,CAAA;AACpC,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,QAAA,CAAS,GAAA,CAAI,KAAK,aAAa,CAAA;AAG/B,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,GAAA;AAAA,MACA,SAAA;AAAA,MACA,OAAA,EAAS,UAAA;AAAA,
MACT,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,YAAY,UAAA,CAAW,MAAA;AAAA,MACvB,cAAA,EAAgB;AAAA,KAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,IAAA,CACJ,SAAA,EACA,GAAA,EACA,eAAA,EACA,kBAAkB,IAAA,EACU;AAC5B,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,GAAG,CAAA;AAClD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI,UAAA;AACJ,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAE,CAAA;AAAA,IAC9D;AAEA,IAAA,IAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AACtB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,iCAAA,EAAoC,UAAA,CAAW,CAAC,CAAA,CAAE,CAAA;AAAA,IACpE;AAGA,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAE,CAAA;AAC9C,IAAA,IAAI,aAAA,KAAkB,MAAA,IAAa,UAAA,CAAW,GAAA,GAAM,aAAA,EAAe;AACjE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,sBAAA,EAAyB,SAAS,CAAA,CAAA,EAAI,GAAG,mBACtB,UAAA,CAAW,GAAG,iBAAiB,aAAa,CAAA;AAAA,OACjE;AAAA,IACF;AAGA,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,UAAA,CAAW,OAAA,CAAQ,EAAE,CAAA;AAC3D,MAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,UAAA,CAAW,GAAG,CAAA;AACnD,MAAA,MAAM,QAAA,GAAW,MAAA,CAAO,eAAA,EAAiB,cAAA,EAAgB,eAAe,CAAA;AACxE,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,kCAAA,EAAqC,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA;AAAA,SACvD;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,IAAA,CAAK,SAAA,EAAW,SAAS,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,CAAW,OAAA,EAAS,YAAY,CAAA;AAC1D,IAAA,MAAM,KAAA,GAAQ,cAAc,SAAS,CAAA;AAGrC,IAAA,MAAM,YAAA,GAAe,aAAa,SAAS,CAAA;AAC3C,IAAA,IAAI,YAAA,KAAiB,WAAW,cAAA,EAAgB;AAC9C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,4BAAA,EAA+B,SAAS,CAAA,CAAA,EAAI,GAAG,cACjC,YAAY,CAAA,SAAA,EAAY,WAAW,cAAc,CAAA;AAAA,OACjE;AAAA,IACF;AAGA,IAAA,IAAI,kBAA4B,EAAC;AACjC,IAAA,IAAI,iBAAA,GAAoB,IAAA;AAExB,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,MAAA,MAAM,KAAA,GAAQ,mBAAA,CAAoB,QAAA,EAAU,GAAG,CAAA;AAC/
C,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,iBAAA,GAAoB,kBAAkB,KAAK,CAAA;AAC3C,QAAA,eAAA,GAAkB,MAAM,IAAA,CAAK,GAAA;AAAA,UAC3B,CAAC,IAAA,KAAS,CAAA,EAAG,KAAK,QAAQ,CAAA,CAAA,EAAI,KAAK,IAAI,CAAA;AAAA,SACzC;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,UAAA,CAAW,GAAG,CAAA;AAExC,IAAA,OAAO;AAAA,MACL,GAAA;AAAA,MACA,SAAA;AAAA,MACA,KAAA;AAAA,MACA,SAAS,UAAA,CAAW,GAAA;AAAA,MACpB,kBAAA,EAAoB,iBAAA;AAAA,MACpB,YAAA,EAAc,eAAA;AAAA,MACd,UAAA,EAAY,WAAW,QAAA,CAAS,UAAA;AAAA,MAChC,YAAY,UAAA,CAAW;AAAA,KACzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KACJ,SAAA,EACA,MAAA,EACA,MACA,KAAA,GAAQ,GAAA,EACR,SAAS,CAAA,EAWR;AACD,IAAA,MAAM,iBAAiB,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,MAAM,CAAA;AAChE,IAAA,MAAM,SAMD,EAAC;AAEN,IAAA,KAAA,MAAW,SAAS,cAAA,EAAgB;AAClC,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,EAAW,MAAM,GAAG,CAAA;AACxD,MAAA,IAAI,CAAC,GAAA,EAAK;AAEV,MAAA,IAAI;AACF,QAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAG5D,QAAA,IAAI,IAAA,IAAQ,IAAA,CAAK,MAAA,GAAS,CAAA,EAAG;AAC3B,UAAA,MAAM,SAAA,GAAY,UAAA,CAAW,QAAA,CAAS,IAAA,IAAQ,EAAC;AAC/C,UAAA,MAAM,cAAA,GAAiB,KAAK,IAAA,CAAK,CAAC,MAAM,SAAA,CAAU,QAAA,CAAS,CAAC,CAAC,CAAA;AAC7D,UAAA,IAAI,CAAC,cAAA,EAAgB;AAAA,QACvB;AAEA,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,KAAK,KAAA,CAAM,GAAA;AAAA,UACX,SAAS,UAAA,CAAW,GAAA;AAAA,UACpB,YAAY,KAAA,CAAM,UAAA;AAAA,UAClB,UAAA,EAAY,WAAW,QAAA,CAAS,UAAA;AAAA,UAChC,IAAA,EAAM,UAAA,CAAW,QAAA,CAAS,IAAA,IAAQ;AAAC,SACpC,CAAA;AAAA,MACH,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,MAAA,CAAO,KAAA,CAAM,MAAA,EAAQ,SAAS,KAAK,CAAA;AAAA,MACzC,OAAO,MAAA,CAAO,MAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EAOC;AACD,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,QAAQ,MAAA,CAAO,SAAA,EAAW,KAAK,IAAI,CAAA;AAG9D,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,IAAA,CAAK,YAAA,CAAa,OAAO,EAAE,CAAA;AAC3B,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK
,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,QAAA,CAAS,OAAO,GAAG,CAAA;AACnB,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,OAAA;AAAA,MACA,GAAA;AAAA,MACA,SAAA;AAAA,MACA,eAAA,EAAiB,UAAA;AAAA,MACjB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OACJ,SAAA,EAOC;AACD,IAAA,MAAM,qBAA+B,EAAC;AAEtC,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,kBAAA,CAAmB,KAAK,SAAS,CAAA;AAAA,IACnC,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,EAAA,IAAM,IAAA,CAAK,aAAA,CAAc,IAAA,EAAK,EAAG;AAC1C,QAAA,kBAAA,CAAmB,KAAK,EAAE,CAAA;AAAA,MAC5B;AAAA,IACF;AAEA,IAAA,MAAM,aAGF,EAAC;AACL,IAAA,IAAI,SAAA,GAAY,CAAA;AAEhB,IAAA,KAAA,MAAW,MAAM,kBAAA,EAAoB;AACnC,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,EAAE,CAAA;AAC1C,MAAA,UAAA,CAAW,EAAE,IAAI,EAAC;AAElB,MAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,EAAA,EAAI,MAAM,GAAG,CAAA;AACjD,QAAA,IAAI,CAAC,GAAA,EAAK;AAEV,QAAA,IAAI;AACF,UAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC5D,UAAA,UAAA,CAAW,EAAE,EAAG,IAAA,CAAK,EAAE,KAAK,KAAA,CAAM,GAAA,EAAK,KAAA,EAAO,UAAA,EAAY,CAAA;AAC1D,UAAA,SAAA,EAAA;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,UAAA,GAAa,KAAK,SAAA,CAAU;AAAA,MAChC,wBAAA,EAA0B,CAAA;AAAA,MAC1B,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACpC,UAAA,EAAY,kBAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACP,CAAA;AAED,IAAA,MAAM,WAAA,GAAc,cAAc,UAAU,CAAA;AAC5C,IAAA,MAAM,UAAA,GAAa,aAAa,WAAW,CAAA;AAE3C,IAAA,OAAO;AAAA,MACL,MAAA,EAAQ,YAAY,WAAW,CAAA;AAAA,MAC/B,UAAA,EAAY,kBAAA;AAAA,MACZ,UAAA,EAAY,SAAA;AAAA,MACZ,WAAA,EAAa,UAAA;AAAA,MACb,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACtC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,YAAA,EACA,kBAAA,GAAuD,MAAA,EAOtD;AACD,IAAA,MAAM,WAAA,GAAc,cAAc,YAAY,CAAA;AAC9C,IAAA,MAAM,UAAA,GAAa,cAAc,WAAW,CAAA;AAC5C,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,UAAU,CAAA;AAEpC,IAAA,IAAI,YAAA,GAAe,CAAA;AACnB,IAAA,IAAI,WAAA,GAAc,CAAA;AAClB,IAAA,IAAI,SAAA,GAAY,CAAA;AAChB,IAAA,MAAM,aAAuB,EAAC;AAE9B,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,MAAA,CAAO,OAA
A;AAAA,MACjC,MAAA,CAAO;AAAA,KACT,EAAG;AAED,MAAA,IAAI,2BAAA,CAA4B,IAAA;AAAA,QAC9B,CAAC,MAAA,KAAW,EAAA,KAAO,UAAU,EAAA,CAAG,UAAA,CAAW,SAAS,GAAG;AAAA,OACzD,EAAG;AACD,QAAA,WAAA,IAAgB,OAAA,CAAsD,MAAA;AACtE,QAAA;AAAA,MACF;AACA,MAAA,UAAA,CAAW,KAAK,EAAE,CAAA;AAElB,MAAA,KAAA,MAAW,EAAE,GAAA,EAAK,KAAA,EAAM,IAAK,OAAA,EAAS;AACpC,QAAA,MAAM,SAAS,MAAM,IAAA,CAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,GAAG,CAAA;AAEhD,QAAA,IAAI,MAAA,EAAQ;AACV,UAAA,SAAA,EAAA;AACA,UAAA,IAAI,uBAAuB,MAAA,EAAQ;AACjC,YAAA,WAAA,EAAA;AACA,YAAA;AAAA,UACF;AACA,UAAA,IAAI,uBAAuB,SAAA,EAAW;AAEpC,YAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,GAAG,CAAA;AAC3C,YAAA,IAAI,GAAA,EAAK;AACP,cAAA,IAAI;AACF,gBAAA,MAAM,gBAA4B,IAAA,CAAK,KAAA;AAAA,kBACrC,cAAc,GAAG;AAAA,iBACnB;AACA,gBAAA,IAAI,KAAA,CAAM,GAAA,IAAO,aAAA,CAAc,GAAA,EAAK;AAClC,kBAAA,WAAA,EAAA;AACA,kBAAA;AAAA,gBACF;AAAA,cACF,CAAA,CAAA,MAAQ;AAAA,cAER;AAAA,YACF;AAAA,UACF;AAAA,QAEF;AAGA,QAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AACtD,QAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,EAAA,EAAI,KAAK,UAAU,CAAA;AAC5C,QAAA,YAAA,EAAA;AAGA,QAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,EAAA,EAAI,GAAG,CAAA;AAClC,QAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,KAAA,CAAM,GAAG,CAAA;AACnC,QAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,EAAE,CAAA;AACjD,QAAA,QAAA,CAAS,GAAA,CAAI,GAAA,EAAK,KAAA,CAAM,cAAc,CAAA;AAAA,MACxC;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,aAAA,EAAe,YAAA;AAAA,MACf,YAAA,EAAc,WAAA;AAAA,MACd,SAAA;AAAA,MACA,UAAA;AAAA,MACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACtC;AAAA,EACF;AACF,CAAA;AG7hBA,IAAM,gBAAA,GAAmB,OAAA;AAGzB,IAAM,gBAAA,GAAmB,OAAA;AAGzB,IAAM,aAAA,mBAAgB,IAAI,GAAA,CAAI,CAAC,QAAQ,CAAC,CAAA;AAoBxC,SAAS,YAAA,CACP,MACA,MAAA,EACmB;AACnB,EAAA,MAAM,SAA4B,EAAC;AACnC,EAAA,MAAM,UAAA,GAAc,MAAA,CAAO,UAAA,IAAc,EAAC;AAC1C,EAAA,MAAM,QAAA,GAAY,MAAA,CAAO,QAAA,IAAY,EAAC;AAGtC,EAAA,KAAA,MAAW,SAAS,QAAA,EAAU;AAC5B,IAAA,IAAI,KAAK,KAAK,CAAA,KAAM,UAAa,IAAA,CAAK,KAAK,MAAM,IAAA,EAAM;AACrD,MAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA,gBAAA,EAAmB,KAAK,gBAAgB,CAAA;AAAA,IACxE;AAAA,EACF;AAGA,EAA
A,MAAM,cAAc,IAAI,GAAA,CAAI,MAAA,CAAO,IAAA,CAAK,UAAU,CAAC,CAAA;AACnD,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,IAAA,IAAI,CAAC,WAAA,CAAY,GAAA,CAAI,KAAK,CAAA,EAAG;AAC3B,MAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA,eAAA,EAAkB,KAAK,KAAK,CAAA;AAAA,IAC5D;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AACjD,IAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AAC3C,IAAA,MAAM,UAAA,GAAa,WAAW,KAAK,CAAA;AACnC,IAAA,IAAI,CAAC,UAAA,EAAY;AAEjB,IAAA,MAAM,SAAA,GAAY,SAAA,CAAU,KAAA,EAAO,KAAA,EAAO,UAAU,CAAA;AACpD,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAA,CAAO,KAAK,SAAS,CAAA;AACrB,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,MAAA,MAAM,QAAA,GAAW,aAAA,CAAc,GAAA,CAAI,KAAK,IAAI,gBAAA,GAAmB,gBAAA;AAE/D,MAAA,MAAM,aAAa,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAA,CAAE,MAAA;AACnD,MAAA,IAAI,aAAa,QAAA,EAAU;AACzB,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,KAAA;AAAA,UACA,SAAS,CAAA,OAAA,EAAU,KAAK,CAAA,wBAAA,EAA2B,UAAU,YAAY,QAAQ,CAAA,OAAA;AAAA,SAClF,CAAA;AAAA,MACH;AAAA,IACF;AAGA,IAAA,IAAI,WAAW,IAAA,IAAQ,CAAC,WAAW,IAAA,CAAK,QAAA,CAAS,KAAK,CAAA,EAAG;AACvD,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,KAAA;AAAA,QACA,OAAA,EAAS,UAAU,KAAK,CAAA,kBAAA,EAAqB,WAAW,IAAA,CAAK,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,OACxE,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAKA,SAAS,SAAA,CACP,KAAA,EACA,KAAA,EACA,MAAA,EACwB;AACxB,EAAA,IAAI,CAAC,MAAA,CAAO,IAAA,EAAM,OAAO,IAAA;AAEzB,EAAA,QAAQ,OAAO,IAAA;AAAM,IACnB,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,SAAA;AACH,MAAA,IAAI,OAAO,UAAU,SAAA,EAAW;AAC9B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,sBAAA,EAAyB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MAClF;AACA,MAAA;AAAA,IACF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,OA
AA,CAAQ,KAAK,CAAA,EAAG;AACrD,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,oBAAA,EAAuB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MAChF;AACA,MAAA;AAAA;AAEJ,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,YAAA,CACd,OACA,OAAA,EACQ;AACR,EAAA,MAAM,OAAO,OAAA,EAAS,IAAA;AAEtB,EAAA,MAAM,SAAS,IAAI,MAAA;AAAA,IACjB;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,OAAA,EAAS;AAAA,KACX;AAAA,IACA;AAAA,MACE,YAAA,EAAc;AAAA,QACZ,OAAO;AAAC;AACV;AACF,GACF;AAGA,EAAA,MAAA,CAAO,iBAAA,CAAkB,wBAAwB,YAAY;AAC3D,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QACvB,MAAM,CAAA,CAAE,IAAA;AAAA,QACR,aAAa,CAAA,CAAE,WAAA;AAAA,QACf,aAAa,CAAA,CAAE;AAAA,OACjB,CAAE;AAAA,KACJ;AAAA,EACF,CAAC,CAAA;AAGD,EAAA,MAAA,CAAO,iBAAA,CAAkB,qBAAA,EAAuB,OAAO,OAAA,KAAY;AACjE,IAAA,MAAM,EAAE,IAAA,EAAM,SAAA,EAAW,IAAA,KAAS,OAAA,CAAQ,MAAA;AAC1C,IAAA,MAAM,SAAA,GAAa,QAAQ,EAAC;AAE5B,IAAA,MAAM,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,SAAS,IAAI,CAAA;AAC9C,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EAAM,KAAK,SAAA,CAAU,EAAE,OAAO,CAAA,cAAA,EAAiB,IAAI,IAAI;AAAA;AACzD,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAKA,IAAA,MAAM,gBAAA,GAAmB,YAAA,CAAa,SAAA,EAAW,IAAA,CAAK,WAAW,CAAA;AACjE,IAAA,IAAI,gBAAA,CAAiB,SAAS,CAAA,EAAG;AAC/B,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,cACnB,KAAA,EAAO,mBAAA;AAAA,cACP,OAAA,EAAS,yCAAA;AAAA,cACT,UAAA,EAAY;AAAA,aACb;AAAA;AACH,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAKA,IAAA,IAAI,IAAA,EAAM;AACR,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,QAAA,CAAS,MAAM,SAAS,CAAA;AAClD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,QAAA,OAAO;AAAA,UACL,OAAA,EAAS;AAAA,YACP;AAAA,cACE,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,gBACnB,KAAA,EAAO,yBAAA;AAAA,gBACP,mBAAmB,MAAA,CAAO;AAAA,eAC3B;AAAA;AACH,WACF;AAAA,UACA,OAAA,E
AAS;AAAA,SACX;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAAA,IACrC,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,OAAA,GACJ,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,eAAA;AACvC,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,SAAS;AAAA;AACzC,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAAA,EACF,CAAC,CAAA;AAED,EAAA,OAAO,MAAA;AACT;AAKO,SAAS,WACd,IAAA,EACoD;AACpD,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,CAAC,EAAE,IAAA,EAAM,MAAA,EAAiB,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,IAAA,EAAM,CAAC,CAAA,EAAG;AAAA,GAC1E;AACF;;;AC/QA,aAAA,EAAA;AAOA,aAAA,EAAA;AAQA,IAAMC,4BAAAA,GAA8B;AAAA,EAClC,aAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF,CAAA;AAMA,SAAS,8BAA8B,SAAA,EAAkC;AACvE,EAAA,KAAA,MAAW,UAAUA,4BAAAA,EAA6B;AAChD,IAAA,IAAI,cAAc,MAAA,IAAU,SAAA,CAAU,UAAA,CAAW,MAAA,GAAS,GAAG,CAAA,EAAG;AAC9D,MAAA,OAAO,MAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAO,IAAA;AACT;AAGO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA,uBAAiB,GAAA,EAA4B;AAAA,EAC7C,iBAAA,GAAmC,IAAA;AAAA,EAE3C,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AAAA,EAEA,IAAY,aAAA,GAA4B;AACtC,IAAA,OAAO,gBAAA,CAAiB,IAAA,CAAK,SAAA,EAAW,qBAAqB,CAAA;AAAA,EAC/D;AAAA;AAAA,EAGA,MAAM,IAAA,GAAsB;AAC1B,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,aAAa,CAAA;AACrD,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,aAAA,EAAe,MAAM,GAAG,CAAA;AAC5D,MAAA,IAAI,CAAC,GAAA,EAAK;AACV,MAAA,IAAI;AACF,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC/C,QAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,QAAA,MAAM,QAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,QAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,CAAS,WAAA,EAAa,QAAQ,CAAA;AAClD,QAAA,IAAI,CAAC,KAAK,iBAAA,EAAmB;AAC3B,UAAA,IAAA,CAAK,oBAAoB,QAAA,CAAS,WAAA;AAAA,QACpC;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA
,IACF;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,KAAK,QAAA,EAAyC;AAClD,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AACzD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,QAAA,CAAS,WAAA;AAAA,MACT,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AACA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,CAAS,WAAA,EAAa,QAAQ,CAAA;AAClD,IAAA,IAAI,CAAC,KAAK,iBAAA,EAAmB;AAC3B,MAAA,IAAA,CAAK,oBAAoB,QAAA,CAAS,WAAA;AAAA,IACpC;AAAA,EACF;AAAA,EAEA,IAAI,EAAA,EAAwC;AAC1C,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,EAAE,CAAA;AAAA,EAC/B;AAAA,EAEA,UAAA,GAAyC;AACvC,IAAA,IAAI,CAAC,IAAA,CAAK,iBAAA,EAAmB,OAAO,MAAA;AACpC,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,IAAA,CAAK,iBAAiB,CAAA;AAAA,EACnD;AAAA,EAEA,IAAA,GAAyB;AACvB,IAAA,OAAO,KAAA,CAAM,KAAK,IAAA,CAAK,UAAA,CAAW,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,EAAA,MAAQ;AAAA,MACvD,aAAa,EAAA,CAAG,WAAA;AAAA,MAChB,OAAO,EAAA,CAAG,KAAA;AAAA,MACV,YAAY,EAAA,CAAG,UAAA;AAAA,MACf,KAAK,EAAA,CAAG,GAAA;AAAA,MACR,YAAY,EAAA,CAAG,UAAA;AAAA,MACf,UAAU,EAAA,CAAG,QAAA;AAAA,MACb,gBAAgB,EAAA,CAAG;AAAA,KACrB,CAAE,CAAA;AAAA,EACJ;AACF,CAAA;AAKO,SAAS,aAAA,CACd,UAAA,EACA,OAAA,EACA,SAAA,EACA,eACA,QAAA,EAC+D;AAC/D,EAAA,MAAM,WAAA,GAAc,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC1D,EAAA,MAAM,cAAA,GAAiB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAGxE,EAAA,SAAS,gBAAgB,UAAA,EAAqC;AAC5D,IAAA,MAAM,KAAK,UAAA,GACP,WAAA,CAAY,IAAI,UAAU,CAAA,GAC1B,YAAY,UAAA,EAAW;AAC3B,IAAA,IAAI,CAAC,EAAA,EAAI;AACP,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,UAAA,GACI,CAAA,oBAAA,EAAuB,UAAU,CAAA,CAAA,GACjC;AAAA,OACN;AAAA,IACF;AACA,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,oGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,EAAE,cAAA,EAAgB,cAAA,EAAe,GAAI,cAAA;AAAA,UACzC,KAAA;AAAA,UACA,
cAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,MAAM,WAAA,CAAY,KAAK,cAAc,CAAA;AAErC,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,cAAA,CAAe,WAAA,EAAa;AAAA,UACpE;AAAA,SACD,CAAA;AAKD,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,cAAA,CAAe,WAAA;AAAA,UAC5B,YAAY,cAAA,CAAe,UAAA;AAAA,UAC3B,KAAK,cAAA,CAAe,GAAA;AAAA,UACpB,YAAY,cAAA,CAAe,UAAA;AAAA,UAC3B,UAAU,cAAA,CAAe,QAAA;AAAA,UACzB,gBAAgB,cAAA,CAAe,cAAA;AAAA,UAC/B,SAAA,EAAW;AAAA,SACZ,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EAAa,wCAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,UAAA,EAAY;AAAA,cACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA;AAAS;AAC1B;AACF;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,IAAI,UAAA,GAAa,YAAY,IAAA,EAAK;AAClC,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,QAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,UAAA,UAAA,GAAa,UAAA,CAAW,MAAA;AAAA,YAAO,CAAC,CAAA,KAC9B,CAAA,CAAE,KAAA,CAAM,QAAA,CAAS,OAAO,KAAM;AAAA,WAChC;AAAA,QACF;AACA,QAAA,OAAO,UAAA,CAAW,EAAE,UAAA,EAAY,CAAA;AAAA,MAClC;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,gGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9B,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAS;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,aAAa,IAAA,CAAK,OAAA;AAGxB,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC;AAEA,QAAA,MAAM,SAAA,GAAY,IAAA;AAAA,UAChB,OAAA;AAAA,UACA,QAAA,CAAS,qBAAA;AAAA,UACT;AAAA,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,CAAS,WAAW,CAAA;AAE5D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,UAChC,SAAA,EAAW,SAAA;AAAA,UACX,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,UAClC,YAAY,QAAA,CAAS,UAAA;AAAA,UACrB,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA
,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,wEAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,qBAAA,EAAsB;AAAA,UAChE,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAA,EAAW,WAAW;AAAA,OACnC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,OAAA;AAGxB,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC;AAEA,QAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAmB,CAAA;AAGxD,QAAA,IAAI,SAAA;AACJ,QAAA,IAAI,KAAK,WAAA,EAAa;AACpB,UAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAqB,CAAA;AAC3D,UAAA,SAAA,GAAY,aAAA,CAAc,SAAS,UAAU,CAAA;AAAA,QAC/C,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,UAAA,SAAA,GAAY,aAAA,CAAc,KAAK,UAAoB,CAAA;AAAA,QACrD,CAAA,MAAO;AACL,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,KAAA,GAAQ,MAAA,CAAe,OAAA,EAAS,SAAA,EAAW,SAAS,CAAA;AAE1D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA;AAAS,SAC3B;AAAA,QACA,QAAA,EAAU,CAAC,aAAa;AAAA,OAC1B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAqB,CAAA;AAC3D,QAAA,MAAM,MAAA,GAAU,KAAK,MAAA,IAAqB,cAAA;AAE1C,QAAA,MAAM,EAAE,eAAA,EAAiB,aAAA,EAAc,GAAI,UAAA;AAAA,UACzC,QAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,MAAM,WAAA,CAAY,KAAK,eAAe,CAAA;AAEtC,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC9D;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,eAAA,CAAgB,WAAA;AAAA,UAC7B,gBAAgB,aAAA,CAAc,cAAA;AAAA,UA
C9B,gBAAgB,aAAA,CAAc,cAAA;AAAA,UAC9B,SAAS,eAAA,CAAgB,GAAA;AAAA,UACzB,YAAY,aAAA,CAAc;AAAA,SAC3B,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,WAAA,EACE,6IAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,4BAAA,EAA6B;AAAA,UACjE,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,UAAA,EAAY;AAAA,cACV,YAAA,EAAc,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cAC/B,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cAC9B,IAAA,EAAM,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS;AAAE;AACnD,WACF;AAAA,UACA,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA;AAAS,SAChC;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAA,EAAO,OAAO;AAAA,OACxC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,gCAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAMtB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,KAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,GAAA;AAAA,UACL,IAAA,CAAK,KAAA;AAAA,UACL,QAAA,CAAS,WAAA;AAAA,UACT,QAAA,CAAS,qBAAA;AAAA,UACT,cAAA;AAAA,UACA;AAAA,YACE,cAAc,QAAA,EAAU,YAAA;AAAA,YACxB,aAAa,QAAA,EAAU,WAAA;AAAA,YACvB,MAAM,QAAA,EAAU;AAAA;AAClB,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,aAAA,EAAe,QAAA,CAAS,WAAA,EAAa;AAAA,UAC1D,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK;AAAA,SACX,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,qGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACtB,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA;AAAK,SACrD;AAAA,QACA,QAAA,EAAU,CAAC,WAA
A,EAAa,KAAK;AAAA,OAC/B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,IAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,GAAA;AAAA,UACL,MAAA;AAAA;AAAA,UACA,KAAK,gBAAA,IAA+B;AAAA,SACtC;AAEA,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,WAAA;AAAA,YACP,WAAW,IAAA,CAAK,SAAA;AAAA,YAChB,KAAK,IAAA,CAAK;AAAA,WACX,CAAA;AAAA,QACH;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,YAAA,EAAc,MAAA,CAAO,UAAA,EAAY;AAAA,UACtD,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK;AAAA,SACX,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,gEAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACzB,IAAA,EAAM,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS,EAAE;AAAA,UACjD,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,GAAA,EAAI;AAAA,UACtC,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,CAAA;AAAE,SACvC;AAAA,QACA,QAAA,EAAU,CAAC,WAAW;AAAA,OACxB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,IAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,MAAA;AAAA,UACL,IAAA,CAAK,IAAA;AAAA,UACJ,KAAK,KAAA,IAAoB,GAAA;AAAA,UACzB,KAAK,MAAA,IAAqB;AAAA,SAC7B;AACA,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,oGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACtB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA;AAAS,SAC3B;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAK;AAAA,OAC/B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,0CAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK;AA
AA,SACP;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK,GAAA;AAAA,UACV,QAAQ,IAAA,CAAK;AAAA,SACd,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,8DAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,cAAA;AAAe;AACpD,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,YAAY,MAAA,CAAO;AAAA,SACpB,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EAAa,4CAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,0BAAA,EAA2B;AAAA,UAClE,mBAAA,EAAqB;AAAA,YACnB,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAA,EAAQ,WAAA,EAAa,SAAS,CAAA;AAAA,YACrC,OAAA,EAAS;AAAA;AACX,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK,MAAA;AAAA,UACJ,KAAK,mBAAA,IACJ;AAAA,SACJ;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,eAAe,MAAA,CAAO;AAAA,SACvB,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,eAAA,EAAiB,WAAA,EAAY;AAC/C;;;ACjlBA,aAAA,EAAA;AAWO,IAAM,WAAN,MAAe;AAAA,EACZ,OAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAwB,EAAC;AAAA,EACzB,OAAA,GAAU,CAAA;AAAA,EAElB,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,WAAW,CAAA;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,OACE,KAAA,EACA,SAAA,EACA,UAAA,EACA,OAAA,EACA,SAAgC,SAAA,EAC1B;AACN,IAAA,MAAM,KAAA,GAAoB;AAAA,MACxB,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA,EAAa,UAAA;AAAA,MACb,MAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAA
,CAAK,OAAA,CAAQ,KAAK,KAAK,CAAA;AAGvB,IAAA,IAAA,CAAK,YAAA,CAAa,KAAK,CAAA,CAAE,KAAA,CAAM,MAAM;AAAA,IAErC,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,aAAa,KAAA,EAAkC;AAC3D,IAAA,MAAM,MAAM,CAAA,EAAG,IAAA,CAAK,KAAK,CAAA,CAAA,EAAI,KAAK,OAAA,EAAS,CAAA,CAAA;AAC3C,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AACtD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,QAAA;AAAA,MACA,GAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAAA,EAK0C;AAEpD,IAAA,MAAM,KAAK,oBAAA,EAAqB;AAEhC,IAAA,IAAI,WAAW,IAAA,CAAK,OAAA;AAEpB,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,OAAA,CAAQ,KAAK,CAAA;AACxC,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,IAAI,IAAA,CAAK,CAAA,CAAE,SAAS,CAAA,IAAK;AAAA,OAClC;AAAA,IACF;AACA,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,QAAA,GAAW,SAAS,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,KAAA,KAAU,QAAQ,KAAK,CAAA;AAAA,IAC7D;AACA,IAAA,IAAI,QAAQ,cAAA,EAAgB;AAC1B,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,KAAc,OAAA,CAAQ;AAAA,OACjC;AAAA,IACF;AAEA,IAAA,MAAM,QAAQ,QAAA,CAAS,MAAA;AACvB,IAAA,MAAM,KAAA,GAAQ,QAAQ,KAAA,IAAS,EAAA;AAC/B,IAAA,MAAM,OAAA,GAAU,QAAA,CAAS,KAAA,CAAM,CAAC,KAAK,CAAA;AAErC,IAAA,OAAO,EAAE,SAAS,KAAA,EAAM;AAAA,EAC1B;AAAA,EAEA,MAAc,oBAAA,GAAsC;AAClD,IAAA,IAAI;AACF,MAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,QAAQ,CAAA;AACtD,MAAA,KAAA,MAAW,QAAQ,aAAA,EAAe;AAChC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,QAAA,EAAU,KAAK,GAAG,CAAA;AACtD,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,KAAA,GAAoB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAG7D,UAAA,MAAM,WAAA,GAAc,KAAK,OAAA,CAAQ,IAAA;AAAA,YAC/B,CAAC,CAAA,KACC,CAAA,CAAE,SAAA,KAAc,KAAA,CAAM,SAAA,IACtB,CAAA,CAAE,SAAA,KAAc,KAAA,CAAM,SAAA,IACtB,CAAA,CAAE,WAAA,KAAgB,KAAA,CAAM;AAAA,WAC5B;AACA,UAAA,IAAI,CAAC,WAAA,EAA
a;AAChB,YAAA,IAAA,CAAK,OAAA,CAAQ,KAAK,KAAK,CAAA;AAAA,UACzB;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAGA,MAAA,IAAA,CAAK,OAAA,CAAQ,IAAA;AAAA,QACX,CAAC,CAAA,EAAG,CAAA,KACF,IAAI,KAAK,CAAA,CAAE,SAAS,CAAA,CAAE,OAAA,KAAY,IAAI,IAAA,CAAK,CAAA,CAAE,SAAS,EAAE,OAAA;AAAQ,OACpE;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,OAAA,CAAQ,MAAA;AAAA,EACtB;AACF,CAAA;;;ACtIA,YAAA,EAAA;AACA,aAAA,EAAA;AAKA,aAAA,EAAA;AA6BO,SAAS,gBAAA,CACd,OACA,cAAA,EACY;AAEZ,EAAA,MAAM,gBAAgB,cAAA,GAClB,aAAA,CAAc,cAAc,CAAA,GAC5B,YAAY,EAAE,CAAA;AAGlB,EAAA,MAAM,UAAA,GAAa,cAAc,KAAK,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,UAAA,EAAY,aAAa,CAAA;AACtD,EAAA,MAAM,cAAA,GAAiB,KAAK,QAAQ,CAAA;AAEpC,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,YAAY,cAAc,CAAA;AAAA,IACtC,eAAA,EAAiB,YAAY,aAAa,CAAA;AAAA,IAC1C,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAUO,SAAS,gBAAA,CACd,UAAA,EACA,KAAA,EACA,cAAA,EACS;AACT,EAAA,MAAM,aAAA,GAAgB,cAAc,cAAc,CAAA;AAClD,EAAA,MAAM,UAAA,GAAa,cAAc,KAAK,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,UAAA,EAAY,aAAa,CAAA;AACtD,EAAA,MAAM,YAAA,GAAe,WAAA,CAAY,IAAA,CAAK,QAAQ,CAAC,CAAA;AAG/C,EAAA,OAAO,UAAA,KAAe,YAAA;AACxB;AAKO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,gBAAgB,CAAA;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,CAAM,UAAA,EAAwB,KAAA,EAAgC;AAClE,IAAA,MAAM,EAAA,GAAK,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AAE3D,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,YAAY,UAAA,CAAW,UAAA;AAAA,MACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,MAC5B,KAAA;AAAA,MACA,cAAc,UAAA,CAAW,YAAA;AAAA,MACzB,QAAA,EAAU;AAAA,KACZ;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,cAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,EAAA;AAAA,EACT;AAAA;AAAA;
AAAA;AAAA,EAKA,MAAM,IAAI,EAAA,EAA8C;AACtD,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,gBAAgB,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,EAAA,EAA2B;AAC5C,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI,EAAE,CAAA;AAChC,IAAA,IAAI,CAAC,MAAA,EAAQ;AAEb,IAAA,MAAA,CAAO,QAAA,GAAW,IAAA;AAClB,IAAA,MAAA,CAAO,WAAA,GAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAE5C,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,cAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF,CAAA;;;ACpJA,aAAA,EAAA;AAgDO,SAAS,kBAAA,CACd,MAAA,EACA,OAAA,EACA,eAAA,EACsB;AACtB,EAAA,OAAO,eAAA,CAAgB,GAAA,CAAI,CAAC,KAAA,KAAU;AAEpC,IAAA,MAAM,SAAA,GAAY,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,OAAO,CAAA;AAChE,IAAA,MAAM,YAAA,GAAe,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,GAAG,CAAA;AAC/D,IAAA,MAAM,cAAc,SAAA,IAAa,YAAA;AAEjC,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,QAAQ,MAAA,CAAO,cAAA;AAAA,QACf,MAAA,EAAQ,4BAA4B,OAAO,CAAA,CAAA,CAAA;AAAA,QAC3C,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAEA,IAAA,MAAM,QAAA,GAAW,CAAA,EAAG,WAAA,CAAY,OAAO,CAAA,CAAA;AAGvC,IAAA,IAAI,WAAA,CAAY,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AACxC,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,UAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,4BAAA,EAA+B,QAAQ,CAAA,QAAA,CAAA;AAAA,QAC9D,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,EAAG;AAC9C,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,OAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,kCAAA,EAAqC,QAAQ,CAAA,QAAA,CAAA;AAAA,QACpE,eAAA,EAAiB;AAAA,OACnB;AAAA
,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AACxC,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,UAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,iCAAA,EAAoC,QAAQ,CAAA,QAAA,CAAA;AAAA,QACnE,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,QAAQ,MAAA,CAAO,cAAA;AAAA,MACf,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,mBAAA,EAAsB,QAAQ,CAAA,uBAAA,CAAA;AAAA,MACrD,eAAA,EAAiB;AAAA,KACnB;AAAA,EACF,CAAC,CAAA;AACH;AAKO,IAAM,cAAN,MAAkB;AAAA,EACf,OAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA,uBAA8C,GAAA,EAAI;AAAA,EAE1D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,aAAa,CAAA;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,UAAA,EACA,KAAA,EACA,eACA,UAAA,EAC2B;AAC3B,IAAA,MAAM,QAAA,GAAW,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACjE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,SAAA,EAAW,QAAA;AAAA,MACX,WAAA,EAAa,UAAA;AAAA,MACb,KAAA;AAAA,MACA,cAAA,EAAgB,aAAA;AAAA,MAChB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,UAAA,EAAY;AAAA,KACd;AAEA,IAAA,MAAM,IAAA,CAAK,QAAQ,MAAM,CAAA;AACzB,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAElC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,QAAA,EAAoD;AAE5D,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA,EAAG;AAC/B,MAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA;AAAA,IACnC;AAGA,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,aAAa,QAAQ,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,MAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,MAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAClC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAoC;AACxC,IAAA,MAAM,KAAK,OAAA,EAAQ;AACnB,IAAA,OAAO,KAAA,CAAM,
IAAA,CAAK,IAAA,CAAK,QAAA,CAAS,QAAQ,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,OAAA,GAAyB;AACrC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,WAAW,CAAA;AACnD,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,IAAA,CAAK,GAAG,CAAA,EAAG;AACjC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,WAAA,EAAa,KAAK,GAAG,CAAA;AACzD,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,MAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,UAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,SAAA,EAAW,MAAM,CAAA;AAAA,QAC5C,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,MAAA,EAAyC;AAC7D,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,WAAA;AAAA,MACA,MAAA,CAAO,SAAA;AAAA,MACP,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF,CAAA;;;ACtNO,SAAS,aAAA,CACd,OAAA,EACA,SAAA,EACA,QAAA,EACyF;AACzF,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,CAAY,OAAA,EAAS,SAAS,CAAA;AAEtD,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,iLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAE5B,QAAA,MAAM,UAAA,GAAa,gBAAA,CAAiB,KAAA,EAAO,cAAc,CAAA;AAGzD,QAAA,MAAM,YAAA,GAAe,MAAM,eAAA,CAAgB,KAAA,CAAM,YAAY,KAAK,CAAA;AAElE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,kBAAA,EAAoB,QAAA,EAAU;AAAA,UAClD,aAAA,EAAe,YAAA;AAAA,UACf,iBAAiB,UAAA,CAAW;AAAA,SAC7B,CAAA;
AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAA,EAAe,YAAA;AAAA,UACf,YAAY,UAAA,CAAW,UAAA;AAAA,UACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,UAC5B,cAAc,UAAA,CAAW,YAAA;AAAA,UACzB,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,0IAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAA,EAAc,OAAA,EAAS,iBAAiB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAE5B,QAAA,MAAM,KAAA,GAAQ,gBAAA,CAAiB,UAAA,EAAY,KAAA,EAAO,cAAc,CAAA;AAEhE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,QAAA,EAAU;AAAA,UAC9C,eAAA,EAAiB,UAAA;AAAA,UACjB;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,UAAA;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,WAAA,EACE,kOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,OAAA;AAAA,YACN,WAAA,EAAa,yCAAA;AAAA,YACb,KAAA,EAAO;AAAA,cACL,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACV,OAAA,EAAS;AAAA,kBACP,IAAA,EAAM,QAAA;AAAA,kBACN,WAAA,EACE;AAAA,iBACJ;AAAA,gBACA,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EAAa;AAAA,iBACf;AAAA,gBACA,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EAAa;AAAA,iBACf;AAAA,gBACA,cAAA,EAAgB;AAAA,kBACd,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA;AACJ,eACF;AAAA,cACA,QAAA,EAAU,CAAC,SAAA,EAAW,UAAA,EAAY,YAAY,gBAAgB;AAAA;AAChE,WACF;AAAA,UACA,cAAA,EAAgB;AAAA,YAC
d,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,UAAA,EAAY,eAAe,CAAA;AAAA,YAClC,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAgB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,gBAAgB,IAAA,CAAK,cAAA;AAG3B,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAExB,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA;AAAA,UAC/B,UAAA;AAAA,UACA,KAAA;AAAA,UACA,aAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,UAAA,IAAc,QAAA,EAAU;AAAA,UACrE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,WAAA,EAAa,UAAA;AAAA,UACb,aAAa,KAAA,CAAM;AAAA,SACpB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,WAAA,EAAa,OAAO,KAAA,CAAM,MAAA;AAAA,UAC1B,YAAY,MAAA,CAAO;AAAA,SACpB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,mIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,OAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACxB,WAAA,EAAa;AAAA,WACf;AAAA,UACA,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAA,EAAW,kBAAkB;AAAA,OAC1C;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,QAAA,MAAM,WAAW,IAAA,CAAK,SAAA;AAEtB,QAAA,IAAI,MAAA;AACJ,QAAA,IAAI,QAAA,EAAU;AACZ,UAAA,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAAA,QACzC,CAAA,MAAO;AACL,UAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,IAAA,EAAK;AAC3C,UAAA,MAAA,GAAS,WAAA,CAAY,CAAC,CAAA,IAAK,IAAA;AAAA,QAC7B;AAEA,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,SAAA,GAAY,kBAAA,CAAmB,MAAA,EAAQ,OAAA,EAAS,eAAe,CAAA;AAErE,QAAA,MAAM,cAAc,SAAA,CAAU,MAAA;AAAA,UAC5B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;A
ACF,QAAA,MAAM,aAAa,SAAA,CAAU,MAAA;AAAA,UAC3B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,gBAAgB,SAAA,CAAU,MAAA;AAAA,UAC9B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,eAAe,SAAA,CAAU,MAAA;AAAA,UAC7B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AAEF,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,qBAAA,EAAuB,QAAA,EAAU;AAAA,UACrD,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,OAAA;AAAA,UACA,kBAAkB,eAAA,CAAgB,MAAA;AAAA,UAClC,WAAA;AAAA,UACA,UAAA;AAAA,UACA,cAAA,EAAgB;AAAA,SACjB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,OAAA;AAAA,UACA,SAAA;AAAA,UACA,OAAA,EAAS;AAAA,YACP,cAAc,eAAA,CAAgB,MAAA;AAAA,YAC9B,QAAA,EAAU,UAAA;AAAA,YACV,QAAA,EAAU,WAAA;AAAA,YACV,KAAA,EAAO,aAAA;AAAA,YACP,aAAA,EAAe;AAAA,WACjB;AAAA,UACA,wBACE,WAAA,GAAc,CAAA,GACV,CAAA,YAAA,EAAe,WAAW,OAAO,eAAA,CAAgB,MAAM,CAAA,8BAAA,EAAiC,MAAA,CAAO,WAAW,CAAA,CAAA,CAAA,GAC1G,CAAA,IAAA,EAAO,gBAAgB,MAAM,CAAA,qCAAA,EAAwC,OAAO,WAAW,CAAA,CAAA;AAAA,SAC9F,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,eAAA,EAAiB,WAAA,EAAY;AAC/C;;;ACrRA,aAAA,EAAA;AAwGA,SAAS,cAAc,MAAA,EAA0B;AAC/C,EAAA,IAAI,MAAA,CAAO,MAAA,KAAW,CAAA,EAAG,OAAO,CAAA;AAChC,EAAA,MAAM,MAAA,GAAS,CAAC,GAAG,MAAM,CAAA,CAAE,KAAK,CAAC,CAAA,EAAG,CAAA,KAAM,CAAA,GAAI,CAAC,CAAA;AAC/C,EAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,SAAS,CAAC,CAAA;AACxC,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,GACzB,MAAA,CAAO,GAAG,CAAA,GAAA,CACT,MAAA,CAAO,GAAA,GAAM,CAAC,CAAA,GAAK,MAAA,CAAO,GAAG,CAAA,IAAM,CAAA;AAC1C;AAEA,SAAS,gBAAA,CACP,cACA,WAAA,EACiC;AACjC,EAAA,MAAM,SAA0C,EAAC;AAGjD,EAAA,MAAM,KAAA,GACJ,eACA,KAAA,CAAM,IAAA;AAAA,IACJ,IAAI,GAAA;AAAA,MACF,YAAA,CAAa,OAAA;AAAA,QAAQ,CAAC,CAAA,KACpB,MAAA,CAAO,KAAK,CAAA,CAAE,WAAA,CAAY,KAAK,OAAO;AAAA;AACxC;AACF,GACF;AAEF,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAS,YAAA,CACZ,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,IAAI,CAAC,CAAA,CAC3C,MAAA,CAAO,CAAC,CAAA,KAAmB,MAAM,MAAS,CAAA;AAE7C,IAAA,IAAI,MAAA,CAAO,WAAW,CAAA,EAAG;AACvB,MA
AA,MAAA,CAAO,IAAI,CAAA,GAAI,EAAE,IAAA,EAAM,CAAA,EAAG,MAAA,EAAQ,CAAA,EAAG,GAAA,EAAK,CAAA,EAAG,GAAA,EAAK,CAAA,EAAG,KAAA,EAAO,CAAA,EAAE;AAC9D,MAAA;AAAA,IACF;AAEA,IAAA,MAAA,CAAO,IAAI,CAAA,GAAI;AAAA,MACb,IAAA,EAAM,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,EAAG,MAAM,CAAA,GAAI,CAAA,EAAG,CAAC,CAAA,GAAI,MAAA,CAAO,MAAA;AAAA,MACjD,MAAA,EAAQ,cAAc,MAAM,CAAA;AAAA,MAC5B,GAAA,EAAK,IAAA,CAAK,GAAA,CAAI,GAAG,MAAM,CAAA;AAAA,MACvB,GAAA,EAAK,IAAA,CAAK,GAAA,CAAI,GAAG,MAAM,CAAA;AAAA,MACvB,OAAO,MAAA,CAAO;AAAA,KAChB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAIO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,eAAe,CAAA;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OACJ,aAAA,EACA,eAAA,EACA,SACA,OAAA,EACA,QAAA,EACA,uBACA,uBAAA,EAC4B;AAC5B,IAAA,MAAM,aAAA,GAAgB,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACtE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,IAAA,MAAM,eAAA,GAAkB;AAAA,MACtB,cAAA,EAAgB,aAAA;AAAA,MAChB,iBAAiB,QAAA,CAAS,GAAA;AAAA,MAC1B,gBAAA,EAAkB,eAAA;AAAA,MAClB,cAAc,OAAA,CAAQ,IAAA;AAAA,MACtB,gBAAgB,OAAA,CAAQ,MAAA;AAAA,MACxB,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,EAAC;AAAA,MAC7B,OAAA;AAAA,MACA,SAAA,EAAW;AAAA,KACb;AAGA,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,eAAe,CAAC,CAAA;AAC/D,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,SAAA;AAAA,MACA,QAAA,CAAS,qBAAA;AAAA,MACT;AAAA,KACF;AAEA,IAAA,MAAM,WAAA,GAA2B;AAAA,MAC/B,cAAA,EAAgB,aAAA;AAAA,MAChB,MAAA,EAAQ,0BAAA;AAAA,MACR,IAAA,EAAM,eAAA;AAAA,MACN,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,MAChC,QAAQ,QAAA,CAAS;AAAA,KACnB;AAEA,IAAA,MAAM,MAAA,GAA4B;AAAA,MAChC,WAAA;AAAA,MACA,wBAAA,EAA0B,uBAAA;AAAA,MAC1B,sBAAA,EAAwB,CAAC,CAAC,uBAAA;AAAA,MAC1B,WAAA,EAAa;AAAA,KACf;AAGA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,aAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,
KACzC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAAA,EAKmB;AAC7B,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAC/B,IAAA,IAAI,QAAA,GAAW,GAAA;AAEf,IAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,YAAY,OAAA,CAAQ;AAAA,OAChD;AAAA,IACF;AAEA,IAAA,IAAI,QAAQ,UAAA,EAAY;AACtB,MAAA,MAAMC,SAAQ,IAAI,IAAA,CAAK,QAAQ,UAAA,CAAW,KAAK,EAAE,OAAA,EAAQ;AACzD,MAAA,MAAMC,OAAM,IAAI,IAAA,CAAK,QAAQ,UAAA,CAAW,GAAG,EAAE,OAAA,EAAQ;AACrD,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA,CAAO,CAAC,CAAA,KAAM;AAChC,QAAA,MAAM,CAAA,GAAI,IAAI,IAAA,CAAK,CAAA,CAAE,YAAY,IAAA,CAAK,SAAS,EAAE,OAAA,EAAQ;AACzD,QAAA,OAAO,CAAA,IAAKD,UAAS,CAAA,IAAKC,IAAAA;AAAA,MAC5B,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,IAAI,QAAQ,gBAAA,EAAkB;AAC5B,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,qBAAqB,OAAA,CAAQ;AAAA,OACzD;AAAA,IACF;AAEA,IAAA,MAAM,WAAW,KAAA,CAAM,IAAA;AAAA,MACrB,IAAI,GAAA,CAAI,QAAA,CAAS,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,OAAO,CAAC;AAAA,KACzD;AAEA,IAAA,MAAM,aAAa,QAAA,CAAS,GAAA;AAAA,MAAI,CAAC,MAC/B,IAAI,IAAA,CAAK,EAAE,WAAA,CAAY,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA;AAAQ,KACjD;AACA,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAA,GAAS,CAAA,GAC9B,IAAI,KAAK,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA,CAAE,WAAA,sBAClC,IAAI,IAAA,IAAO,WAAA,EAAY;AAC3B,IAAA,MAAM,MAAM,UAAA,CAAW,MAAA,GAAS,CAAA,GAC5B,IAAI,KAAK,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA,CAAE,WAAA,sBAClC,IAAI,IAAA,IAAO,WAAA,EAAY;AAE3B,IAAA,OAAO;AAAA,MACL,oBAAoB,QAAA,CAAS,MAAA;AAAA,MAC7B,WAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,SAAS,QAAA,CAAS,MAAA;AAAA,QAChB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,QAAQ,QAAA,CAAS,MAAA;AAAA,QACf,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,UAAU,QAAA,CAAS,MAAA;AAAA,QACjB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,QAAA;AAAA,MACA,UAAA,EAAY,EAAE,KAAA,EAAO,GAAA,EAAI
;AAAA,MACzB,iBAAA,EAAmB,gBAAA,CAAiB,QAAA,EAAU,OAAA,CAAQ,OAAO;AAAA,KAC/D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAA,CACJ,QAAA,EACA,qBAAA,EACA,OAAA,EAC2B;AAC3B,IAAA,IAAI,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAE7B,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,GAAA,GAAM,GAAA,CAAI,OAAO,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,YAAY,OAAO,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,eAAe,GAAA,CAAI,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,WAAW,CAAA;AACjD,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,OAAA,EAAS,kBAAA;AAAA,MACT,YAAA;AAAA,MACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACpC,cAAc,QAAA,CAAS;AAAA,KACzB;AAGA,IAAA,MAAM,WAAA,GAAc,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,UAAU,CAAC,CAAA;AAC5D,IAAA,MAAM,eAAA,GAAkB,IAAA;AAAA,MACtB,WAAA;AAAA,MACA,QAAA,CAAS,qBAAA;AAAA,MACT;AAAA,KACF;AAEA,IAAA,OAAO;AAAA,MACL,GAAG,UAAA;AAAA,MACH,gBAAA,EAAkB,YAAY,eAAe;AAAA,KAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,YAAA,CACJ,MAAA,EACA,gBAAA,EACA,UAAA,EACoE;AACpE,IAAA,IAAI,QAAA,GAAW,CAAA;AACf,IAAA,IAAI,OAAA,GAAU,CAAA;AACd,IAAA,MAAM,QAAA,uBAAe,GAAA,EAAY;AAEjC,IAAA,KAAA,MAAW,WAAA,IAAe,OAAO,YAAA,EAAc;AAC7C,MAAA,IAAI,gBAAA,EAAkB;AACpB,QAAA,MAAM,SAAA,GAAY,UAAA,CAAW,GAAA,CAAI,WAAA,CAAY,MAAM,CAAA;AACnD,QAAA,IAAI,CAAC,SAAA,EAAW;AACd,UAAA,OAAA,EAAA;AACA,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,SAAA,GAAY,aAAA;AAAA,UAChB,IAAA,CAAK,SAAA,CAAU,WAAA,CAAY,IAAI;AAAA,SACjC;AACA,QAAA,MAAM,QAAA,GAAW,aAAA,CAAc,WAAA,CAAY,SAAS,CAAA;AAEpD,QAAA,IAAI,CAAC,MAAA,CAAO,SAAA,EAAW,QAAA,EAAU,SAAS,CAAA,EAAG;AAC3C,UAAA,OAAA,EAAA;AACA,UAAA;AAAA,QACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAA4B;AAAA,QAChC,WAAA;AAAA,QACA,sBAAA,EAAwB,KAAA;AAAA,QACxB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACtC;AAEA,MAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,MAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,QACjB,aAAA;AAAA,QACA,WAAA,CAAY,cAAA;AAAA,QACZ,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,OACzC;AAEA,MAAA,QAAA,EAAA;AACA,MAAA,QAAA,CAAS,GAAA,CAAI,WAAA,CAAY,IAAA,CAAK,OAAO,CAAA;AAAA,IACvC;AAEA,IAAA,OAAO;AAAA,MACL,QAAA;AAAA
,MACA,OAAA;AAAA,MACA,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,QAAQ;AAAA,KAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,YAAA,CACJ,gBAAA,EACA,eAAA,EACA,cAAA,EACA,YACA,gBAAA,EACiB;AACjB,IAAA,MAAM,QAAA,GAAW,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACjE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,iBAAiB,GAAI,CAAA;AAGhE,IAAA,MAAM,EAAE,YAAA,EAAAC,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,IAAA,MAAM,SAAA,GAAYA,aAAAA,CAAa,aAAA,CAAc,gBAAgB,CAAC,CAAA;AAE9D,IAAA,MAAM,MAAA,GAAiB;AAAA,MACrB,SAAA,EAAW,QAAA;AAAA,MACX,iBAAA,EAAmB,gBAAA;AAAA,MACnB,UAAA,EAAY,SAAA;AAAA,MACZ,iBAAA,EAAmB,gBAAA;AAAA,MACnB,gBAAA,EAAkB,eAAA;AAAA,MAClB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,IAAI,WAAA,EAAY;AAAA,MAC5B,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,MAClC,MAAA,EAAQ;AAAA,KACV;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,UAAA;AAAA,MACA,QAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAU,QAAA,EAA0C;AACxD,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,YAAY,QAAQ,CAAA;AACxD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAA,CACJ,iBAAA,EACA,UACA,KAAA,EACA,eAAA,EACA,uBACA,YAAA,EACoB;AACpB,IAAA,MAAM,WAAA,GAAc,CAAA,KAAA,EAAQ,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACrE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,aAAa,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,kBAAkB,GAAI,CAAA;AAElE,IAAA,MAAM,eAAA,GAAkB;AAAA,MACtB,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,iBAAA,CAAkB,GAAA
;AAAA,MACjC,SAAA,EAAW,QAAA;AAAA,MACX,KAAA;AAAA,MACA,aAAA,EAAe,YAAA;AAAA,MACf,WAAA,EAAa,WAAW,WAAA,EAAY;AAAA,MACpC,SAAA,EAAW,IAAI,WAAA;AAAY,KAC7B;AAGA,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,eAAe,CAAC,CAAA;AAC/D,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,SAAA;AAAA,MACA,iBAAA,CAAkB,qBAAA;AAAA,MAClB;AAAA,KACF;AAEA,IAAA,MAAM,WAAA,GAAc,WAAA;AAAA,MAClB,aAAA;AAAA,QACE,KAAK,SAAA,CAAU;AAAA,UACb,GAAG,eAAA;AAAA,UACH,SAAA,EAAW,YAAY,SAAS;AAAA,SACjC;AAAA;AACH,KACF;AAEA,IAAA,MAAM,SAAA,GAAuB;AAAA,MAC3B,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,iBAAA,CAAkB,GAAA;AAAA,MACjC,SAAA,EAAW,QAAA;AAAA,MACX,KAAA;AAAA,MACA,aAAA,EAAe,YAAA;AAAA,MACf,WAAA,EAAa,WAAW,WAAA,EAAY;AAAA,MACpC,WAAA;AAAA,MACA,UAAA,EAAY,IAAI,WAAA;AAAY,KAC9B;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,CAAA;AAC1D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,WAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,SAAA;AAAA,EACT;AAAA;AAAA,EAIA,MAAc,OAAA,GAAwC;AACpD,IAAA,MAAM,UAA+B,EAAC;AAEtC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,aAAa,CAAA;AACrD,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,aAAA,EAAe,KAAK,GAAG,CAAA;AAC3D,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,OAAA,CAAQ,KAAK,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAC,CAAA;AAAA,QACnD,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AACF,CAAA;;;AChiBA,aAAA,EAAA;AAEO,SAAS,aAAA,CACd,OAAA,EACA,SAAA,EACA,eAAA,EACA,QAAA,EAC+D;AAC/D,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,qBAAA,GAAwB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAE/E,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,gIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,c
AAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,qBAAA;AAAA,YACb,UAAA,EAAY;AAAA,cACV,IAAA,EAAM;AAAA,gBACJ,IAAA,EAAM,QAAA;AAAA,gBACN,MAAM,CAAC,aAAA,EAAe,aAAA,EAAe,SAAA,EAAW,WAAW,QAAQ;AAAA,eACrE;AAAA,cACA,MAAA,EAAQ;AAAA,gBACN,IAAA,EAAM,QAAA;AAAA,gBACN,IAAA,EAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAU,UAAU;AAAA,eACrD;AAAA,cACA,OAAA,EAAS;AAAA,gBACP,IAAA,EAAM,QAAA;AAAA,gBACN,WAAA,EAAa;AAAA;AACf,aACF;AAAA,YACA,QAAA,EAAU,CAAC,MAAA,EAAQ,QAAQ;AAAA,WAC7B;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,iDAAA;AAAA,YACb,OAAA,EAAS;AAAA,WACX;AAAA,UACA,wBAAA,EAA0B;AAAA,YACxB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,gBAAA,EAAkB,kBAAA,EAAoB,SAAS;AAAA,OAC5D;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,OAAA,GAAW,KAAK,OAAA,IAAsB,SAAA;AAE5C,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,MAAA;AAAA,UACnC,IAAA,CAAK,cAAA;AAAA,UACL,IAAA,CAAK,gBAAA;AAAA,UACL,OAAA;AAAA,UACA,OAAA;AAAA,UACA,QAAA;AAAA,UACA,qBAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC/D,gBAAgB,IAAA,CAAK,cAAA;AAAA,UACrB,cAAc,OAAA,CAAQ,IAAA;AAAA,UACtB,gBAAgB,OAAA,CAAQ,MAAA;AAAA,UACxB;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAA,EAAgB,OAAO,WAAA,CAAY,cAAA;AAAA,UACnC,cAAA,EAAgB,MAAA,CAAO,WAAA,CAAY,IAAA,CAAK,cAAA;AAAA,UACxC,gBAAA,EAAkB,OAAO,WAAA,CAAY,SAAA;AAAA,UACrC,wBAAwB,MAAA,CAAO,sBAAA;AAAA,UAC/B,OAAA;AAAA,UACA,aAAa,MAAA,CAAO;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,6GAAA;AAAA,MAEF,WAA
A,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,sBAAA;AAAA,YACb,UAAA,EAAY;AAAA,cACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,gBAAA,EAAiB;AAAA,cACvD,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA;AAAe;AACrD,WACF;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,OAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACxB,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,OAAA,GAAU,MAAM,eAAA,CAAgB,KAAA,CAAM;AAAA,UAC1C,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,YAAY,IAAA,CAAK,UAAA;AAAA,UAGjB,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,kBAAkB,IAAA,CAAK;AAAA,SACxB,CAAA;AAED,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,kBAAA,EAAoB,QAAA,EAAU;AAAA,UAClD,oBAAoB,OAAA,CAAQ,kBAAA;AAAA,UAC5B,UAAU,OAAA,CAAQ;AAAA,SACnB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB;AAAA,SACD,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,kBAAkB,CAAA;AAAA,YACzB,OAAA,EAAS;AAAA,WACX;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,QAAA;AAAA,UACA,qBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,SAAA,CAAU,MAAM,CAAA;AACxC,QAAA,MAAM,YAAA,GAAe,WAAA;AAAA,UACnB,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,UAAU;AAAA,SACrC;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,CAAS,WAAA,EAAa;A
AAA,UAC/D,iBAAA,EAAmB,OAAO,YAAA,CAAa,MAAA;AAAA,UACvC,UAAU,KAAA,CAAM,IAAA;AAAA,YACd,IAAI,GAAA,CAAI,MAAA,CAAO,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,CAAK,OAAO,CAAC;AAAA;AACxD,SACD,CAAA;AAED,QAAA,MAAM,EAAE,YAAA,EAAAA,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,QAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAEhC,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,MAAA,EAAQ,YAAA;AAAA,UACR,iBAAA,EAAmB,OAAO,YAAA,CAAa,MAAA;AAAA,UACvC,UAAU,KAAA,CAAM,IAAA;AAAA,YACd,IAAI,GAAA,CAAI,MAAA,CAAO,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,CAAK,OAAO,CAAC;AAAA,WACxD;AAAA,UACA,WAAA,EAAaD,aAAAA,CAAaC,cAAAA,CAAc,UAAU,CAAC,CAAA;AAAA,UACnD,aAAa,MAAA,CAAO;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,6GAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAe,IAAA,CAAK,MAAA;AAG1B,QAAA,MAAM,gBAAA,GAAmB,IAAA;AAEzB,QAAA,IAAI,MAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,cAAc,YAAY,CAAA;AAC9C,UAAA,MAAM,UAAA,GAAa,IAAI,WAAA,EAAY,CAAE,OAAO,WAAW,CAAA;AACvD,UAAA,MAAA,GAAS,IAAA,CAAK,MAAM,UAAU,CAAA;AAAA,QAChC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAGA,QAAA,MAAM,UAAA,uBAAiB,GAAA,EAAwB;AAC/C,QAAA,KAAA,MAAW,GAAA,IAAO,eAAA,CAAgB,IAAA,EAAK,EAAG;AACxC,UAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,GAAA,CAAI,GAAA,CAAI,WAAW,CAAA;AACpD,UAAA,IAAI,QAAA,EAAU;AACZ,YAAA,UAAA,CAAW,IAAI,QAAA,CAAS,GAAA,EAAK,aAAA,CAAc,QAAA,CAAS,UAAU,CAAC,CAAA;AAAA,UACjE;AAAA,QACF;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,MAAA;AAAA,UACA,gBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,EAAU;AAAA,UACnD,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,UAAU,MAAA,CAAO;AAAA,SAClB,CAAA;AAED,QAAA,OAA
O,UAAA,CAAW;AAAA,UAChB,uBAAuB,MAAA,CAAO,QAAA;AAAA,UAC9B,sBAAsB,MAAA,CAAO,OAAA;AAAA,UAC7B,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,iHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,mBAAA,EAAqB,kBAAA,EAAoB,iBAAiB;AAAA,OACvE;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,IAAA,CAAK,iBAAA;AAAA,UACL,IAAA,CAAK,gBAAA;AAAA,UACL,IAAA,CAAK,eAAA;AAAA,UACL,QAAA,CAAS,GAAA;AAAA,UACT,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,QAAA,CAAS,WAAA,EAAa;AAAA,UACrE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,kBAAkB,IAAA,CAAK,gBAAA;AAAA,UACvB,iBAAiB,IAAA,CAAK;AAAA,SACvB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,QAAQ,MAAA,CAAO;AAAA,SAChB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,uCAAA;AAAA,MACN,WAAA,EACE,mIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,qBAAA,EAAuB;AAAA,YACrB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,
YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,aAAA,EAAe;AAAA,YACb,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU;AAAA,UACR,uBAAA;AAAA,UACA,mBAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,oBAAoB,eAAA,CAAgB,GAAA;AAAA,UACxC,IAAA,CAAK;AAAA,SACP;AACA,QAAA,MAAM,gBAAgB,eAAA,CAAgB,GAAA;AAAA,UACpC,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,oBAAA,EAAuB,IAAA,CAAK,qBAAqB,CAAA,YAAA;AAAA,WACzD,CAAA;AAAA,QACH;AACA,QAAA,IAAI,CAAC,aAAA,EAAe;AAClB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,gBAAA,EAAmB,IAAA,CAAK,iBAAiB,CAAA,YAAA;AAAA,WACjD,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,eAAA,CAAgB,eAAA;AAAA,UACtC,iBAAA;AAAA,UACA,aAAA,CAAc,GAAA;AAAA,UACd,IAAA,CAAK,KAAA;AAAA,UACL,IAAA,CAAK,gBAAA;AAAA,UACL,qBAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,6BAAA;AAAA,UACA,iBAAA,CAAkB,WAAA;AAAA,UAClB;AAAA,YACE,cAAc,SAAA,CAAU,YAAA;AAAA,YACxB,WAAW,aAAA,CAAc,GAAA;AAAA,YACzB,OAAO,IAAA,CAAK;AAAA;AACd,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAc,SAAA,CAAU,YAAA;AAAA,UACxB,uBAAuB,SAAA,CAAU,WAAA;AAAA,UACjC,OAAO,SAAA,CAAU,KAAA;AAAA,UACjB,aAAa,SAAA,CAAU;AAAA,SACxB,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,OAAO,eAAA,EAAgB;AAClC;ACncA,IAAM,aAAA,GAA6B;AAAA,EACjC,oBAAA,EAAsB,SAAA;AAAA,EACtB,gBAAA,EAAkB,SAAA;AAAA,EAClB,0BAAA,EAA4B,CAAA;AAAA,EAC5B,oBAAA,EAAsB,EAAA;AAAA,EACtB,mBAAA,EAAqB,EAAA;AAAA,EACrB,oBAAA,EAAsB;AACxB,CAAA;AAGA,IAAM,eAAA,GAAyC;AAAA,EAC7C,IAAA,EAAM,QAAA;AAAA,EACN,eAAA,EAAiB,GAAA;AAAA,EACjB,SAAA,EAAW;AACb,CAAA;AAGO,IAAM,cAAA,GAAkC;AAAA,EAC7C,OAAA,EAAS,CAAA;AAAA,EACT,oBAAA,EAAsB;AAAA,IACpB,cAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,aAAA,EAAe,aAAA;AAAA,EACf,kBAAA,EAAoB;AAAA,IAClB,YAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,eAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,kBAAA;AAAA,IACA,cAAA;AAAA,IACA,uBAAA;AAAA,IACA,qBAAA;AAAA,IACA,mB
AAA;AAAA,IACA,kBAAA;AAAA,IACA,mBAAA;AAAA,IACA,yBAAA;AAAA,IACA,aAAA;AAAA,IACA,gBAAA;AAAA,IACA,mBAAA;AAAA,IACA,UAAA;AAAA,IACA,uBAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,gBAAA,EAAkB;AACpB,CAAA;AAMO,SAAS,qBAAqB,QAAA,EAA0B;AAC7D,EAAA,OAAO,QAAA,CAAS,WAAW,YAAY,CAAA,GACnC,SAAS,KAAA,CAAM,YAAA,CAAa,MAAM,CAAA,GAClC,QAAA;AACN;AAYO,SAAS,YAAY,OAAA,EAAkC;AAC5D,EAAA,MAAM,OAAA,GAAU,QAAQ,IAAA,EAAK;AAG7B,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AACjC,IAAA,OAAO,eAAe,MAAM,CAAA;AAAA,EAC9B;AAGA,EAAA,MAAM,SAAkC,EAAC;AACzC,EAAA,IAAI,UAAA,GAA4B,IAAA;AAChC,EAAA,IAAI,WAAA,GAA+B,IAAA;AACnC,EAAA,IAAI,aAAA,GAAgD,IAAA;AAEpD,EAAA,KAAA,MAAW,OAAA,IAAW,OAAA,CAAQ,KAAA,CAAM,IAAI,CAAA,EAAG;AACzC,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AACjC,IAAA,IAAI,IAAA,CAAK,IAAA,EAAK,KAAM,EAAA,EAAI;AAExB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,GAAS,IAAA,CAAK,WAAU,CAAE,MAAA;AAC9C,IAAA,MAAM,QAAA,GAAW,KAAK,IAAA,EAAK;AAE3B,IAAA,IAAI,MAAA,KAAW,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAE1C,MAAA,IAAI,cAAc,WAAA,EAAa;AAC7B,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,WAAA;AAAA,MACvB,CAAA,MAAA,IAAW,cAAc,aAAA,EAAe;AACtC,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,aAAA;AAAA,MACvB;AAEA,MAAA,MAAM,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACrC,MAAA,MAAM,MAAM,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,QAAQ,EAAE,IAAA,EAAK;AAC7C,MAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,CAAM,QAAA,GAAW,CAAC,EAAE,IAAA,EAAK;AAEhD,MAAA,IAAI,KAAA,KAAU,EAAA,IAAM,KAAA,KAAU,GAAA,EAAK;AACjC,QAAA,UAAA,GAAa,GAAA;AACb,QAAA,WAAA,GAAc,IAAA;AACd,QAAA,aAAA,GAAgB,IAAA;AAAA,MAClB,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,WAAA,CAAY,KAAK,CAAA;AAC/B,QAAA,UAAA,GAAa,IAAA;AACb,QAAA,WAAA,GAAc,IAAA;AACd,QAAA,aAAA,GAAgB,IAAA;AAAA,MAClB;AAAA,IACF,WAAW,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,EAAG;AAElD,MAAA,IAAI,CAAC,WAAA,EAAa,WAAA,GAAc,EAAC;AACjC,MAAA,WAAA,CAAY,IAAA,CAAK,QAAA,CAAS,KAAA,CAAM,CAAC,CAAA,CAAE,IAAA,EAAK,CAAE,KAAA,CAAM,KAAK,CAAA,CAAE,CAAC,CAAE,CAAA;AAAA,IAC5D,WAAW,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAE/C,MAAA,IAAI,CAAC
,aAAA,EAAe,aAAA,GAAgB,EAAC;AACrC,MAAA,MAAM,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACrC,MAAA,MAAM,MAAM,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,QAAQ,EAAE,IAAA,EAAK;AAC7C,MAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,CAAM,QAAA,GAAW,CAAC,EAAE,IAAA,EAAK;AAChD,MAAA,aAAA,CAAc,GAAG,IAAI,WAAA,CAAY,KAAA,CAAM,MAAM,KAAK,CAAA,CAAE,CAAC,CAAE,CAAA;AAAA,IACzD;AAAA,EACF;AAGA,EAAA,IAAI,cAAc,WAAA,EAAa;AAC7B,IAAA,MAAA,CAAO,UAAU,CAAA,GAAI,WAAA;AAAA,EACvB,CAAA,MAAA,IAAW,cAAc,aAAA,EAAe;AACtC,IAAA,MAAA,CAAO,UAAU,CAAA,GAAI,aAAA;AAAA,EACvB;AAEA,EAAA,OAAO,eAAe,MAAM,CAAA;AAC9B;AAEA,SAAS,YAAY,KAAA,EAA0C;AAC7D,EAAA,IAAI,KAAA,KAAU,QAAQ,OAAO,IAAA;AAC7B,EAAA,IAAI,KAAA,KAAU,SAAS,OAAO,KAAA;AAC9B,EAAA,MAAM,GAAA,GAAM,OAAO,KAAK,CAAA;AACxB,EAAA,IAAI,CAAC,KAAA,CAAM,GAAG,CAAA,IAAK,KAAA,KAAU,IAAI,OAAO,GAAA;AACxC,EAAA,OAAO,KAAA,CAAM,OAAA,CAAQ,cAAA,EAAgB,EAAE,CAAA;AACzC;AAEA,SAAS,eAAe,GAAA,EAA+C;AACrE,EAAA,OAAO;AAAA,IACL,OAAA,EAAU,IAAI,OAAA,IAAsB,CAAA;AAAA,IACpC,oBAAA,EACG,GAAA,CAAI,oBAAA,IAAqC,cAAA,CAAe,oBAAA;AAAA,IAC3D,aAAA,EAAe;AAAA,MACb,GAAG,aAAA;AAAA,MACH,GAAK,GAAA,CAAI,aAAA,IAA6C;AAAC,KACzD;AAAA,IACA,kBAAA,EACG,GAAA,CAAI,kBAAA,IAAmC,cAAA,CAAe,kBAAA;AAAA,IACzD,gBAAA,EAAkB;AAAA,MAChB,GAAG,eAAA;AAAA,MACH,GAAK,GAAA,CAAI,gBAAA,IAAgD;AAAC;AAC5D,GACF;AACF;AAKA,SAAS,yBAAA,GAAoC;AAC3C,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA;AA6DT;AAOA,eAAsB,oBACpB,WAAA,EAC0B;AAC1B,EAAA,MAAM,UAAA,GAAaR,IAAAA,CAAK,WAAA,EAAa,uBAAuB,CAAA;AAE5D,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,GAAU,MAAME,QAAAA,CAAS,UAAA,EAAY,OAAO,CAAA;AAClD,IAAA,MAAM,MAAA,GAAS,YAAY,OAAO,CAAA;AAClC,IAAA,OAAO,MAAA,CAAO,OAAO,MAAM,CAAA;AAAA,EAC7B,CAAA,CAAA,MAAQ;AAEN,IAAA,MAAM,cAAc,yBAAA,EAA0B;AAC9C,IAAA,IAAI;AACF,MAAA,MAAMD,SAAAA,CAAU,UAAA,EAAY,WAAA,EAAa,OAAO,CAAA;AAChD,MAAA,MAAM,KAAA,CAAM,YAAY,GAAK,CAAA;AAAA,IAC/B,CAAA,CAAA,MAAQ;AAAA,IAER;AA
CA,IAAA,OAAO,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,gBAAgB,CAAA;AAAA,EAC5C;AACF;;;ACpQA,aAAA,EAAA;AAGA,IAAM,kBAAA,GAAqB,YAAA;AAC3B,IAAM,YAAA,GAAe,kBAAA;AAEd,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EACA,OAAA;AAAA;AAAA,EAGA,WAAA,uBAAyC,GAAA,EAAI;AAAA;AAAA,EAG7C,WAAA,uBAAyC,GAAA,EAAI;AAAA;AAAA,EAG7C,aAAuB,EAAC;AAAA,EAEhC,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,oBAAoB,CAAA;AACrE,IAAA,IAAA,CAAK,OAAA,GAAU;AAAA,MACb,kBAAkB,EAAC;AAAA,MACnB,sBAAsB,EAAC;AAAA,MACvB,kBAAkB,EAAC;AAAA,MACnB,gBAAA,EAAkB,IAAA;AAAA,MAClB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAA,GAAsB;AAC1B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,oBAAoB,YAAY,CAAA;AACpE,MAAA,IAAI,CAAC,GAAA,EAAK;AAEV,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,KAAA,GAAwB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAGjE,MAAA,IAAA,CAAK,OAAA,CAAQ,gBAAA,GAAmB,KAAA,CAAM,gBAAA,IAAoB,EAAC;AAC3D,MAAA,IAAA,CAAK,OAAA,CAAQ,oBAAA,GAAuB,KAAA,CAAM,oBAAA,IAAwB,EAAC;AACnE,MAAA,IAAA,CAAK,QAAQ,gBAAA,GAAmB,KAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAA,CAAK,QAAQ,gBAAA,GAAmB,IAAA;AAAA,IAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAA,GAAsB;AAC1B,IAAA,IAAA,CAAK,OAAA,CAAQ,QAAA,GAAA,iBAAW,IAAI,IAAA,IAAO,WAAA,EAAY;AAC/C,IAAA,MAAM,aAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,OAAO,CAAC,CAAA;AAC7D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,kBAAA;AAAA,MACA,YAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe,QAAA,EAAwB;AACrC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,IAAA,IAAA,CAAK,OAAA,CAAQ,iBAAiB,QAAQ,CAAA,GAAA,CACnC,KAAK,OAAA,CAAQ,gBAAA,CAAiB,QAAQ,CAAA,IAAK,CAAA,IAAK,CAAA;AAGnD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,WAAA,CAAY,GAA
A,CAAI,QAAA,EAAU,EAAE,CAAA;AAAA,IACnC;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAC5C,IAAA,MAAA,CAAO,KAAK,GAAG,CAAA;AAGf,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,OAAO,MAAA,GAAS,CAAA,IAAK,MAAA,CAAO,CAAC,IAAK,MAAA,EAAQ;AAC/C,MAAA,MAAA,CAAO,KAAA,EAAM;AAAA,IACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,sBAAsB,SAAA,EAA4B;AAEhD,IAAA,IAAI,SAAA,CAAU,UAAA,CAAW,GAAG,CAAA,EAAG,OAAO,KAAA;AAEtC,IAAA,MAAM,QAAQ,CAAC,IAAA,CAAK,OAAA,CAAQ,gBAAA,CAAiB,SAAS,SAAS,CAAA;AAC/D,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,IAAA,CAAK,OAAA,CAAQ,gBAAA,CAAiB,IAAA,CAAK,SAAS,CAAA;AAAA,IAC9C;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAAoB,SAAA,EAA2B;AAC7C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAS,CAAA,EAAG;AACpC,MAAA,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAA,EAAW,EAAE,CAAA;AAAA,IACpC;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAS,CAAA;AAC7C,IAAA,MAAA,CAAO,KAAK,GAAG,CAAA;AAGf,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,OAAO,MAAA,GAAS,CAAA,IAAK,MAAA,CAAO,CAAC,IAAK,MAAA,EAAQ;AAC/C,MAAA,MAAA,CAAO,KAAA,EAAM;AAAA,IACf;AAEA,IAAA,OAAO,MAAA,CAAO,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,mBAAmB,GAAA,EAAsB;AACvC,IAAA,MAAM,QAAQ,CAAC,IAAA,CAAK,OAAA,CAAQ,oBAAA,CAAqB,SAAS,GAAG,CAAA;AAC7D,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,IAAA,CAAK,OAAA,CAAQ,oBAAA,CAAqB,IAAA,CAAK,GAAG,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,GAAqB;AACnB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,UAAA,CAAW,KAAK,GAAG,CAAA;AAGxB,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,IAAA,CAAK,WAAW,MAAA,GAAS,CAAA,IAAK,KAAK,UAAA,CAAW,CAAC,IAAK,MAAA,EAAQ;AACjE,MAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAAA,IACxB;AAEA,IAAA,OAAO,KAAK,UAAA,CAAW,MAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,QAAA,EAA0B;AACpC,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,GAAG,MAAA,IAAU,CAAA;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAA,GAA6B;AAC3B,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,KAAA,MAAW,MAAA,IAAU,IAAA,CAAK,WAAA,CAAY,MAAA,EAAO,EAA
G;AAC9C,MAAA,KAAA,IAAS,MAAA,CAAO,MAAA;AAChB,MAAA,KAAA,EAAA;AAAA,IACF;AACA,IAAA,OAAO,KAAA,GAAQ,CAAA,GAAI,KAAA,GAAQ,KAAA,GAAQ,CAAA;AAAA,EACrC;AAAA;AAAA,EAGA,IAAI,cAAA,GAA0B;AAC5B,IAAA,OAAO,KAAK,OAAA,CAAQ,gBAAA;AAAA,EACtB;AAAA;AAAA,EAGA,UAAA,GAA6B;AAC3B,IAAA,OAAO,EAAE,GAAG,IAAA,CAAK,OAAA,EAAQ;AAAA,EAC3B;AACF,CAAA;;;AC1KO,IAAM,wBAAN,MAAuD;AAAA,EACpD,MAAA;AAAA,EAER,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA,EAEA,MAAM,gBAAgB,OAAA,EAAqD;AAEzE,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AACxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,GAAS,IAAI,CAAA;AASlC,IAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,GAAG,CAAC,CAAA;AAEvD,IAAA,IAAI,IAAA,CAAK,OAAO,SAAA,EAAW;AACzB,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,MAAA;AAAA,QACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACd;AAAA,IACF,CAAA,MAAO;AACL,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,SAAA;AAAA,QACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACd;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,aAAa,OAAA,EAAkC;AACrD,IAAA,MAAM,SAAA,GACJ,OAAA,CAAQ,IAAA,KAAS,CAAA,GACb,wCAAA,GACA,2CAAA;AAEN,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,OAAO,CAAA,CAChD,GAAA,CAAI,CAAC,CAAC,CAAA,EAAG,CAAC,CAAA,KAAM,CAAA,EAAA,EAAK,CAAC,CAAA,EAAA,EAAK,OAAO,CAAA,KAAM,QAAA,GAAW,CAAA,GAAI,IAAA,CAAK,SAAA,CAAU,CAAC,CAAC,CAAA,CAAE,CAAA,CAC1E,IAAA,CAAK,IAAI,CAAA;AAEZ,IAAA,OAAO;AAAA,MACL,EAAA;AAAA,MACA,0ZAAA;AAAA,MACA,gFAAA;AAAA,MACA,0ZAAA;AAAA,MACA,CAAA,oBAAA,EAAkB,OAAA,CAAQ,SAAA,CAAU,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MAC9C,CAAA,QAAA,EAAM,SAAA,CAAU,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MAC1B,CAAA,oBAAA,EAAkB,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,EAAE,CAAA,CAAE,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MACxD,gFAAA;AAAA,MACA,CAAA,8EAAA,CAAA;AAAA,MACA,GAAG,YAAA,CAAa,KAAA,CAAM,IAAI,CAAA,CAAE,GAAA;AAAA,QAC1B,CAAC,IAAA,KAAS,CAAA,UAAA,EAAQ,IAAA,CAAK,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA;AAAA,OACnC;AAAA,MACA,gFAAA;AAAA,MACA,IAAA,CAAK,MAAA,CAAO,SAAA,GACR,+EAAA,GACA,+EAAA;AAAA,MACJ,0ZAAA;AAAA,MACA;AAAA,KACF,CAAE,KAAK,IAAI,CAA
A;AAAA,EACb;AACF,CAAA;;;ACjFO,IAAM,eAAN,MAAmB;AAAA,EAChB,MAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EAER,WAAA,CACE,MAAA,EACA,QAAA,EACA,OAAA,EACA,QAAA,EACA;AACA,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,QAAA,CACJ,QAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,SAAA,GAAY,qBAAqB,QAAQ,CAAA;AAG/C,IAAA,IAAA,CAAK,QAAA,CAAS,eAAe,SAAS,CAAA;AAGtC,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,oBAAA,CAAqB,QAAA,CAAS,SAAS,CAAA,EAAG;AACxD,MAAA,OAAO,KAAK,eAAA,CAAgB,SAAA,EAAW,CAAA,EAAG,CAAA,CAAA,EAAI,SAAS,CAAA,kDAAA,CAAA,EAAsD;AAAA,QAC3G,SAAA;AAAA,QACA,YAAA,EAAc,IAAA,CAAK,aAAA,CAAc,IAAI;AAAA,OACtC,CAAA;AAAA,IACH;AAGA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAA,EAAW,IAAI,CAAA;AAClD,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAO,KAAK,eAAA,CAAgB,SAAA,EAAW,GAAG,OAAA,CAAQ,MAAA,EAAQ,QAAQ,OAAO,CAAA;AAAA,IAC3E;AAGA,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,IAAA,EAAM,CAAA,WAAA,EAAc,SAAS,IAAI,QAAA,EAAU;AAAA,MAC9D,IAAA,EAAM,CAAA;AAAA,MACN;AAAA,KACD,CAAA;AAED,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,IAAA;AAAA,MACT,IAAA,EAAM,CAAA;AAAA,MACN,MAAA,EAAQ,4BAAA;AAAA,MACR,iBAAA,EAAmB;AAAA,KACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAA,CACN,WACA,IAAA,EAC6D;AAC7D,IAAA,MAAM,MAAA,GAAS,KAAK,MAAA,CAAO,aAAA;AAG3B,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,cAAA,IAAkB,MAAA,CAAO,yBAAyB,SAAA,EAAW;AAE7E,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,QAAA,CAAS,SAAS,CAAA,EAAG;AACvD,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,mBAAmB,SAAS,CAAA,6BAAA,CAAA;AAAA,UACpC,OAAA,EAAS,EAAE,SAAA,EAAW,gBAAA,EAAkB,IAAA;AAAK,SAC/C;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,yBAAyB,SAAA,EAAW;AAC7C,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,qBAAA,CAAsB,SAAS,CAAA;AAC3D,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,8BAA8B,SAAS,CAAA,2BAAA,CAAA;AAAA,YAC/C,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,SAAA;AAAA,cACA,gBAAA,EAAkB,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW,CAAE;AAAA;AAC/C,WACF;AAAA,QACF;AAAA,MACF;AAAA,IAC
F,CAAA,MAAA,IAAW,MAAA,CAAO,oBAAA,KAAyB,KAAA,EAAO;AAChD,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,IAAA,CAAK,QAAA,CAAS,sBAAsB,SAAS,CAAA;AAAA,MAC/C;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,qBAAqB,SAAA,EAAW;AACzC,MAAA,MAAM,eAAA,GACH,IAAA,CAAK,gBAAA,IAAgC,IAAA,CAAK,iBAAA;AAC7C,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmB,eAAe,CAAA;AAC9D,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,wCAAwC,eAAe,CAAA,CAAA,CAAA;AAAA,YAC/D,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,gBAAA,EAAkB,eAAA;AAAA,cAClB,oBAAA,EAAsB,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW,CAAE;AAAA;AACnD,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAA,MAAA,IAAW,MAAA,CAAO,gBAAA,KAAqB,KAAA,EAAO;AAC5C,MAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,IAAA,CAAK,QAAA,CAAS,mBAAmB,eAAe,CAAA;AAAA,MAClD;AAAA,IACF;AAGA,IAAA,IAAI,cAAc,eAAA,EAAiB;AACjC,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW;AAC3C,MAAA,IAAI,SAAA,GAAY,OAAO,oBAAA,EAAsB;AAC3C,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,CAAA,mBAAA,EAAsB,SAAS,CAAA,qBAAA,EAAwB,OAAO,oBAAoB,CAAA,KAAA,CAAA;AAAA,UAC1F,OAAA,EAAS;AAAA,YACP,SAAA;AAAA,YACA,gBAAA,EAAkB,SAAA;AAAA,YAClB,OAAO,MAAA,CAAO;AAAA;AAChB,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,cAAc,YAAA,EAAc;AAC9B,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,mBAAA,CAAoB,SAAS,CAAA;AAC7D,QAAA,IAAI,SAAA,GAAY,OAAO,mBAAA,EAAqB;AAC1C,UAAA,OAAO;AAAA,YACL,QAAQ,CAAA,oBAAA,EAAuB,SAAS,gBAAgB,SAAS,CAAA,4BAAA,EAA+B,OAAO,mBAAmB,CAAA,CAAA,CAAA;AAAA,YAC1H,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,SAAA;AAAA,cACA,eAAA,EAAiB,SAAA;AAAA,cACjB,WAAW,MAAA,CAAO;AAAA;AACpB,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,WAAA,CAAY,SAAS,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,kBAAA,EAAmB;AACjD,IAAA,IACE,OAAA,GAAU,CAAA,IACV,QAAA,GAAW,OAAA,GAAU,OAAO,0BAAA,EAC5B;AACA,MAAA,OAAO;AAAA,QACL,MAAA,EAAQ,CAAA,kBAAA,EAAqB,SAAS,CAAA,KAAA,EAAQ,QAAQ,CAAA,MAAA,EAAS,MAAA,CAAO,0BAA0B,CAAA,mBAAA,EAAmB,OAAA,CAAQ,OAAA,CAAQ,CAAC,CAAC,CAAA,KAAA,CAAA
;AAAA,QACrI,OAAA,EAAS;AAAA,UACP,SAAA;AAAA,UACA,YAAA,EAAc,QAAA;AAAA,UACd,YAAA,EAAc,OAAA;AAAA,UACd,YAAY,MAAA,CAAO;AAAA;AACrB,OACF;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,eAAA,CACZ,SAAA,EACA,IAAA,EACA,QACA,OAAA,EACqB;AACrB,IAAA,MAAM,OAAA,GAA2B;AAAA,MAC/B,SAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAA;AAAA,MACA,OAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,gBAAgB,OAAO,CAAA;AAG3D,IAAA,IAAA,CAAK,QAAA,CAAS,OAAO,IAAA,EAAM,CAAA,KAAA,EAAQ,SAAS,QAAQ,CAAA,CAAA,EAAI,SAAS,CAAA,CAAA,EAAI,QAAA,EAAU;AAAA,MAC7E,IAAA;AAAA,MACA,MAAA;AAAA,MACA,YAAY,QAAA,CAAS;AAAA,KACtB,CAAA;AAED,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,SAAS,QAAA,KAAa,SAAA;AAAA,MAC/B,IAAA;AAAA,MACA,QAAQ,QAAA,CAAS,QAAA,KAAa,YAC1B,CAAA,YAAA,EAAe,QAAA,CAAS,UAAU,CAAA,CAAA,GAClC,MAAA;AAAA,MACJ,iBAAA,EAAmB,IAAA;AAAA,MACnB,iBAAA,EAAmB;AAAA,KACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAc,IAAA,EAAwD;AAC5E,IAAA,MAAM,UAAmC,EAAC;AAC1C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAC/C,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,SAAS,GAAA,EAAK;AACnD,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA,GAAI,KAAA;AAAA,MACvC,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,KAAA;AAAA,MACjB;AAAA,IACF;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA,EAGA,WAAA,GAA+B;AAC7B,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AACF,CAAA;;;ACrPO,SAAS,0BAAA,CACd,MAAA,EACA,QAAA,EACA,QAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,WAAA,EACE,4HAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EAAa,+CAAA;AAAA,YACb,OAAA,EAAS;AAAA;AACX;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAA,GAAkB,KAAK,gBAAA,IAA+B,KAAA;AAE5D,QAAA,MAAM,IAAA,GAAgC;AAAA,UACpC,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,sBAAsB,MAAA,CAAO,oBAAA;AAAA,UAC7B,eAAe,MAAA,CAAO,aAAA;AAAA,UACtB,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,OAAO,gBAAA,CAAiB,IAAA;AAAA,YAC9B,eAAA,EAAiB,OAAO,gBAAA,CAAi
B,eAAA;AAAA,YACzC,SAAA,EAAW,OAAO,gBAAA,CAAiB;AAAA;AACrC,SACF;AAEA,QAAA,IAAI,eAAA,EAAiB;AACnB,UAAA,IAAA,CAAK,qBAAqB,MAAA,CAAO,kBAAA;AAAA,QACnC,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,wBAAA,GAA2B,OAAO,kBAAA,CAAmB,MAAA;AAC1D,UAAA,IAAA,CAAK,IAAA,GACH,qEAAA;AAAA,QACJ;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,QAAA,EAAU;AAAA,UACvD,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAED,QAAA,OAAO,WAAW,IAAI,CAAA;AAAA,MACxB;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,sKAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,OAAA,GAAU,SAAS,UAAA,EAAW;AAEpC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,QAAQ,CAAA;AAEzD,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,oBAAoB,OAAA,CAAQ,UAAA;AAAA,UAC5B,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,sBAAsB,OAAA,CAAQ,oBAAA;AAAA,UAC9B,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,UAAA,EAAY,QAAQ,QAAA,IAAY;AAAA,SACjC,CAAA;AAAA,MACH;AAAA;AACF,GACF;AACF;;;AC2BO,SAAS,aAAa,GAAA,EAAuB;AAClD,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,OAAO,GAAA,KAAQ,UAAU,OAAO,GAAA;AACpD,EAAA,IAAI,MAAM,OAAA,CAAQ,GAAG,GAAG,OAAO,GAAA,CAAI,IAAI,YAAY,CAAA;AACnD,EAAA,MAAM,SAAkC,EAAC;AACzC,EAAA,KAAA,MAAW,OAAO,MAAA,CAAO,IAAA,CAAK,GAA8B,CAAA,CAAE,MAAK,EAAG;AACpE,IAAA,MAAA,CAAO,GAAG,CAAA,GAAI,YAAA,CAAc,GAAA,CAAgC,GAAG,CAAC,CAAA;AAAA,EAClE;AACA,EAAA,OAAO,MAAA;AACT;AAKO,SAAS,uBAAuB,IAAA,EAAuB;AAC5D,EAAA,OAAO,IAAA,CAAK,SAAA,CAAU,YAAA,CAAa,IAAI,CAAC,CAAA;AAC1C;;;ACzHA,aAAA,EAAA;AAIA,IAAM,mBAAA,GAAsB,KAAK,EAAA,GAAK,GAAA;AAiB/B,SAAS,WAAA,CACd,YACA,IAAA,EACoB;AACpB,EAAA,MAAM,EAAE,MAAA,EAAQ,eAAA,EAAiB,SAAA,EAAW,YAAW,GAAI,IAAA;AAG3D,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,8DAAA;AAAA,EACT;AAEA,EAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,EAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,IAAK,cAAc,mBAAA,CAAoB,CAAA;AAG9E,EAAA,MAAM,eAAiC,EAAC;AAExC,EAAA,IAAI,MAAA,CAAO,SAAA,CAAU,WAAA,KAAgB,eAAA,EAAiB;AACpD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,wBAAA;AAAA,
MACN,QAAA,EAAU,SAAA;AAAA,MACV,WAAA,EAAa,uCAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AACD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,2BAAA;AAAA,MACN,QAAA,EAAU,SAAA;AAAA,MACV,WAAA,EAAa,0DAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA,EAAmB;AACxD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,iBAAA;AAAA,MACN,QAAA,EAAU,MAAA;AAAA,MACV,WAAA,EAAa,wCAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAGA,EAAA,MAAM,IAAA,GAAgB;AAAA,IACpB,WAAA,EAAa,KAAA;AAAA,IACb,aAAa,QAAA,CAAS,WAAA;AAAA,IACtB,YAAA,EAAc,IAAI,WAAA,EAAY;AAAA,IAC9B,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,IAClC,MAAA,EAAQ;AAAA,MACN,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,QAAA;AAAA,QACR,UAAA,EAAY,OAAO,KAAA,CAAM,UAAA;AAAA,QACzB,WAAA,EAAa,MAAA;AAAA,QACb,SAAA,EAAW,OAAO,KAAA,CAAM,SAAA;AAAA,QACxB,aAAA,EAAe,OAAO,KAAA,CAAM,iBAAA;AAAA,QAC5B,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,MAAA,CAAO,SAAA,CAAU,WAAA,KAAgB,kBACrC,UAAA,GACA,QAAA;AAAA,QACJ,cAAA,EAAgB,OAAO,SAAA,CAAU,WAAA;AAAA,QACjC,qBAAA,EAAuB,OAAO,SAAA,CAAU;AAAA,OAC1C;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,oBACvC,UAAA,GACA,QAAA;AAAA,QACJ,YAAA,EAAc,OAAO,UAAA,CAAW,YAAA;AAAA,QAChC,oBAAA,EAAsB,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB;AAAA,OAC3D;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,QAAA;AAAA,QACR,eAAA,EAAiB,OAAO,UAAA,CAAW,IAAA;AAAA,QACnC,kBAAA,EAAoB,OAAO,UAAA,CAAW,kBAAA;AAAA,QACtC,mBAAA,EAAqB;AAAA;AACvB,KACF;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,SAAA,EAAW,IAAA;AAAA,MACX,YAAA,EAAc,IAAA;AAAA,MACd,iBAAA,EAAmB,IAAA;AAAA,MACnB,iBAAA,EAAmB;AAAA;AAAA,KACrB;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,SAAA,GAAY,uBAAuB,IAAI,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,cAAc,SAAS,CAAA;AAGvC,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,cAAA,GAAiB,IAAA;AAAA,IACrB,OAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,OAAO;AAAA,IACL,IAAA;AAAA,IACA,WAAW,QAAA,CAAS,UAAA;AAAA,IACpB,SAAA,EAAW,YAAY,cAAc;AAAA,GACvC;AACF;;;ACvIA,aAAA,EAAA;AASO,SAAS,SAAA,CACd,KACA,GAAA,EACu
B;AACvB,EAAA,MAAM,SAAmB,EAAC;AAC1B,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,WAAA,GAAqB,gBAAA,IAAI,IAAA,EAAK;AAGpC,EAAA,IAAI,CAAC,IAAI,IAAA,IAAQ,CAAC,IAAI,SAAA,IAAa,CAAC,IAAI,SAAA,EAAW;AACjD,IAAA,MAAA,CAAO,KAAK,6DAA6D,CAAA;AACzE,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA;AAAA,MACA,QAAA;AAAA,MACA,iBAAA,EAAmB,SAAA;AAAA,MACnB,eAAA,EAAiB,GAAA,CAAI,IAAA,EAAM,WAAA,IAAe,SAAA;AAAA,MAC1C,UAAA,EAAY,GAAA,CAAI,IAAA,EAAM,UAAA,IAAc;AAAA,KACtC;AAAA,EACF;AAEA,EAAA,IAAI,GAAA,CAAI,IAAA,CAAK,WAAA,KAAgB,KAAA,EAAO;AAClC,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,yBAAA,EAA4B,GAAA,CAAI,IAAA,CAAK,WAAW,CAAA,CAAE,CAAA;AAAA,EAChE;AAGA,EAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,KAAK,UAAU,CAAA;AAC9C,EAAA,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,EAAS,CAAA,EAAG;AAC9B,IAAA,MAAA,CAAO,KAAK,8BAA8B,CAAA;AAAA,EAC5C,CAAA,MAAA,IAAW,cAAc,SAAA,EAAW;AAClC,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,eAAA,EAAkB,GAAA,CAAI,IAAA,CAAK,UAAU,CAAA,CAAE,CAAA;AAAA,EACrD;AAEA,EAAA,MAAM,WAAA,GAAc,IAAI,IAAA,CAAK,GAAA,CAAI,KAAK,YAAY,CAAA;AAClD,EAAA,IAAI,KAAA,CAAM,WAAA,CAAY,OAAA,EAAS,CAAA,EAAG;AAChC,IAAA,MAAA,CAAO,KAAK,gCAAgC,CAAA;AAAA,EAC9C,CAAA,MAAA,IAAW,cAAc,WAAA,EAAa;AACpC,IAAA,QAAA,CAAS,KAAK,8DAAyD,CAAA;AAAA,EACzE;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAC7C,IAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAClD,IAAA,MAAM,SAAA,GAAY,sBAAA,CAAuB,GAAA,CAAI,IAAI,CAAA;AACjD,IAAA,MAAM,OAAA,GAAU,cAAc,SAAS,CAAA;AAEvC,IAAA,MAAM,cAAA,GAAiB,MAAA,CAAO,OAAA,EAAS,cAAA,EAAgB,SAAS,CAAA;AAChE,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAA,CAAO,KAAK,0DAAqD,CAAA;AAAA,IACnE;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,+BAAA,EAAmC,CAAA,CAAY,OAAO,CAAA,CAAE,CAAA;AAAA,EACtE;AAGA,EAAA,MAAM,EAAE,MAAA,EAAO,GAAI,GAAA,CAAI,IAAA;AACvB,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,EAAI;AACxD,IAAA,MAAA,CAAO,KAAK,uCAAuC,CAAA;AAAA,EACrD;AAGA,EAAA,MAAM,gBAAA,GAAmB,sBAAA,CAAuB,GAAA,CAAI,IAAI,CAAA;AAGxD,EAAA,KAAA,MAAW,CAAA,IAAK,GAAA,CAAI,IAAA,CAAK,YAAA,IAAgB,EAAC,EAAG;AAC3C,IAAA,IAAI,CAA
A,CAAE,aAAa,UAAA,EAAY;AAC7B,MAAA,QAAA,CAAS,KAAK,CAAA,wBAAA,EAA2B,CAAA,CAAE,KAAK,CAAA,EAAA,EAAK,CAAA,CAAE,WAAW,CAAA,CAAE,CAAA;AAAA,IACtE;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AAAA,IACzB,MAAA;AAAA,IACA,QAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,eAAA,EAAiB,IAAI,IAAA,CAAK,WAAA;AAAA,IAC1B,UAAA,EAAY,IAAI,IAAA,CAAK;AAAA,GACvB;AACF;AAKA,SAAS,uBACP,IAAA,EACiC;AACjC,EAAA,MAAM,EAAE,EAAA,EAAI,EAAA,EAAI,EAAA,EAAI,EAAA,KAAO,IAAA,CAAK,MAAA;AAGhC,EAAA,IACE,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,EACd;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAGA,EAAA,IAAI,EAAA,CAAG,WAAW,QAAA,EAAU;AAC1B,IAAA,OAAO,SAAA;AAAA,EACT;AAGA,EAAA,IAAI,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,EAAA,CAAG,WAAW,UAAA,EAAY;AACtD,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,OAAO,SAAA;AACT;;;ACrHO,SAAS,cAAA,CACd,MAAA,EACA,eAAA,EACA,SAAA,EACA,QAAA,EAC6B;AAC7B,EAAA,MAAM,aAAA,GAAqC;AAAA,IACzC,MAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,oOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WACJ;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,gBAAA,GACnB,IAAA,CAAK,gBAAA,GAA8B,KAAK,GAAA,GACzC,MAAA;AAEJ,QAAA,MAAM,MAAA,GAAS,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC;AAAA,UACjE,GAAG,aAAA;AAAA,UACH;AAAA,SACD,CAAA;AAED,QAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,EAAQ,CAAA;AAAA,QACrC;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,MAAA,CAAO,KAAK,WAAW,CAAA;AAE7D,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,wIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,GAAA,EAAK;AAAA,YACH,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,KAAK;AAAA,OAClB;AAAA,MACA,OAAA,EAAS,
OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAM,IAAA,CAAK,GAAA;AACjB,QAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAE5B,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,YAAA;AAAA,UACA,MAAA,CAAO,eAAA;AAAA,UACP,MAAA;AAAA,UACA,MAAA,CAAO,QAAQ,SAAA,GAAY;AAAA,SAC7B;AAEA,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;;;ACjFA,aAAA,EAAA;AAMA,SAAS,aAAA,GAAwB;AAC/B,EAAA,OAAO,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AACpC;AAMO,SAAS,kBACd,MAAA,EAC8D;AAC9D,EAAA,MAAM,QAAQ,aAAA,EAAc;AAC5B,EAAA,MAAM,SAAA,GAAY,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AAE7C,EAAA,MAAM,SAAA,GAAgC;AAAA,IACpC,gBAAA,EAAkB,KAAA;AAAA,IAClB,GAAA,EAAK,MAAA;AAAA,IACL,KAAA;AAAA,IACA,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AAEA,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,UAAA,EAAY,SAAA;AAAA,IACZ,IAAA,EAAM,WAAA;AAAA,IACN,KAAA,EAAO,WAAA;AAAA,IACP,SAAA,EAAW,KAAA;AAAA,IACX,OAAA,EAAS,MAAA;AAAA,IACT,cAAc,SAAA,CAAU;AAAA,GAC1B;AAEA,EAAA,OAAO,EAAE,WAAW,OAAA,EAAQ;AAC9B;AAMO,SAAS,kBAAA,CACd,SAAA,EACA,MAAA,EACA,eAAA,EACA,WACA,UAAA,EACgF;AAEhF,EAAA,IAAI,SAAA,CAAU,qBAAqB,KAAA,EAAO;AACxC,IAAA,OAAO,EAAE,KAAA,EAAO,CAAA,8BAAA,EAAiC,SAAA,CAAU,gBAAgB,CAAA,CAAA,EAAG;AAAA,EAChF;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,SAAA,CAAU,GAAG,CAAA;AACzC,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,OAAO,EAAE,OAAO,CAAA,mCAAA,EAAsC,SAAA,CAAU,OAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,EAAG;AAAA,EACtF;AAGA,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,EAAE,OAAO,mCAAA,EAAoC;AAAA,EACtD;AAGA,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,SAAA,CAAU,KAAK,CAAA;AAChD,EAAA,MAAM,cAAA,GAAiB,IAAA;AAAA,IACrB,UAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,MAAM,iBAAiB,aAAA,EAAc;AAErC,EAAA,MAAM,QAAA,GAA8B;AAAA,IAClC,gBAAA,EAAkB,KAAA;AAAA,IAClB,GAAA,EAAK,MAAA;AAAA,IACL,eAAA,EAAiB,cAAA;AAAA,IACjB,yBAAA,EAA2B,YAAY,cAAc,CAAA;AAAA,IACrD,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AAEA,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,UAAA,EAAY,WAAA,CAAY,WAAA,CAAY,E
AAE,CAAC,CAAA;AAAA,IACvC,IAAA,EAAM,WAAA;AAAA,IACN,KAAA,EAAO,WAAA;AAAA,IACP,SAAA,EAAW,cAAA;AAAA,IACX,aAAa,SAAA,CAAU,KAAA;AAAA,IACvB,OAAA,EAAS,MAAA;AAAA,IACT,WAAW,SAAA,CAAU,GAAA;AAAA,IACrB,cAAc,SAAA,CAAU;AAAA,GAC1B;AAEA,EAAA,OAAO,EAAE,UAAU,OAAA,EAAQ;AAC7B;AAMO,SAAS,iBAAA,CACd,QAAA,EACA,OAAA,EACA,eAAA,EACA,WACA,UAAA,EACkF;AAElF,EAAA,IAAI,QAAA,CAAS,qBAAqB,KAAA,EAAO;AACvC,IAAA,OAAO,EAAE,KAAA,EAAO,CAAA,8BAAA,EAAiC,QAAA,CAAS,gBAAgB,CAAA,CAAA,EAAG;AAAA,EAC/E;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,QAAA,CAAS,GAAG,CAAA;AACxC,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,OAAO,EAAE,OAAO,CAAA,mCAAA,EAAsC,SAAA,CAAU,OAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,EAAG;AAAA,EACtF;AAGA,EAAA,MAAM,kBAAA,GAAqB,aAAA,CAAc,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AAC/D,EAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,OAAA,CAAQ,SAAS,CAAA;AACrD,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,QAAA,CAAS,yBAAyB,CAAA;AAE5E,EAAA,MAAM,mBAAA,GAAsB,MAAA;AAAA,IAC1B,aAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF;AACA,EAAA,IAAI,CAAC,mBAAA,EAAqB;AACxB,IAAA,OAAO,EAAE,OAAO,uEAAA,EAAmE;AAAA,EACrF;AAGA,EAAA,MAAM,WAEF,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,EAAE,OAAO,mCAAA,EAAoC;AAAA,EACtD;AAGA,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,QAAA,CAAS,eAAe,CAAA;AAClE,EAAA,MAAM,uBAAA,GAA0B,IAAA;AAAA,IAC9B,mBAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,EAAA,MAAM,UAAA,GAAkC;AAAA,IACtC,gBAAA,EAAkB,KAAA;AAAA,IAClB,yBAAA,EAA2B,YAAY,uBAAuB,CAAA;AAAA,IAC9D,YAAA,EAAc;AAAA,GAChB;AAGA,EAAA,MAAM,mBAAmB,SAAA,CAAU,iBAAA;AACnC,EAAA,MAAM,SAAA,GAAY,gBAAgB,gBAAgB,CAAA;AAElD,EAAA,MAAM,MAAA,GAA0B;AAAA,IAC9B,iBAAiB,SAAA,CAAU,eAAA;AAAA,IAC3B,kBAAkB,QAAA,CAAS,GAAA;AAAA,IAC3B,QAAA,EAAU,IAAA;AAAA,IACV,iBAAA,EAAmB,gBAAA;AAAA,IACnB,UAAA,EAAY,SAAA;AAAA,IACZ,YAAA,EAAc,GAAA;AAAA,IACd,YAAY,SAAA,CAAU,UAAA;AAAA,IACtB,QAAQ;AAAC,GACX;AAEA,EAAA,OAAO,EAAE,YAAY,MAAA,EAAO;AAC9B;AAMO,SAAS,gBAAA,CACd,YACA,OAAA,EACiB;AACjB,EAAA,MAAM,SAAmB,EAAC;AAE1B,EAAA,IAAI,CAAC,QAAQ,SAAA,EAAW;AACt
B,IAAA,OAAO;AAAA,MACL,eAAA,EAAiB,SAAA;AAAA,MACjB,kBAAkB,OAAA,CAAQ,OAAA;AAAA;AAAA,MAC1B,QAAA,EAAU,KAAA;AAAA,MACV,iBAAA,EAAmB,YAAA;AAAA,MACnB,UAAA,EAAY,YAAA;AAAA,MACZ,cAAc,UAAA,CAAW,YAAA;AAAA,MACzB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,MAAA,EAAQ,CAAC,mCAAmC;AAAA,KAC9C;AAAA,EACF;AAGA,EAAA,MAAM,kBAAA,GAAqB,aAAA,CAAc,OAAA,CAAQ,SAAA,CAAU,SAAS,CAAA;AACpE,EAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,OAAA,CAAQ,SAAS,CAAA;AACrD,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,UAAA,CAAW,yBAAyB,CAAA;AAE9E,EAAA,MAAM,mBAAA,GAAsB,MAAA;AAAA,IAC1B,aAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,mBAAA,EAAqB;AACxB,IAAA,MAAA,CAAO,KAAK,uEAAkE,CAAA;AAAA,EAChF;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,OAAA,CAAQ,SAAS,CAAA;AAC7C,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,MAAA,CAAO,IAAA,CAAK,GAAG,SAAA,CAAU,MAAM,CAAA;AAAA,EACjC;AAEA,EAAA,MAAM,QAAA,GAAW,OAAO,MAAA,KAAW,CAAA;AACnC,EAAA,MAAM,gBAAA,GAAqC,QAAA,GACtC,SAAA,CAAU,iBAAA,GACX,YAAA;AAEJ,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,OAAA,CAAQ,SAAA,CAAU,IAAA,CAAK,WAAA;AAAA,IACxC,kBAAkB,OAAA,CAAQ,SAAA;AAAA,IAC1B,QAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,UAAA,EAAY,gBAAgB,gBAAgB,CAAA;AAAA,IAC5C,cAAc,UAAA,CAAW,YAAA;AAAA,IACzB,UAAA,EAAY,OAAA,CAAQ,SAAA,CAAU,IAAA,CAAK,UAAA;AAAA,IACnC;AAAA,GACF;AACF;AAKA,SAAS,gBAAgB,KAAA,EAAoC;AAC3D,EAAA,QAAQ,KAAA;AAAO,IACb,KAAK,MAAA;AACH,MAAA,OAAO,oBAAA;AAAA,IACT,KAAK,UAAA;AACH,MAAA,OAAO,mBAAA;AAAA,IACT;AACE,MAAA,OAAO,YAAA;AAAA;AAEb;;;ACtPO,SAAS,oBAAA,CACd,MAAA,EACA,eAAA,EACA,SAAA,EACA,QAAA,EAC6B;AAE7B,EAAA,MAAM,QAAA,uBAAe,GAAA,EAA8B;AAEnD,EAAA,MAAM,OAAA,GAA+B;AAAA,IACnC,MAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,+LAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,GAAA,GAAM,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC,OAAO,CAAA;AACvE,QAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,GAAA,EAAK,CAAA;
AAAA,QAClC;AAEA,QAAA,MAAM,EAAE,SAAA,EAAW,OAAA,EAAQ,GAAI,kBAAkB,GAAG,CAAA;AACpD,QAAA,QAAA,CAAS,GAAA,CAAI,OAAA,CAAQ,UAAA,EAAY,OAAO,CAAA;AAExC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,oBAAA,EAAsB,GAAA,CAAI,KAAK,WAAW,CAAA;AAEhE,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,SAAA;AAAA,UACA,YAAA,EACE;AAAA,SAEH,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,oJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,WAAW;AAAA,OACxB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AAGvB,QAAA,MAAM,GAAA,GAAM,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC,OAAO,CAAA;AACvE,QAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,GAAA,EAAK,CAAA;AAAA,QAClC;AAEA,QAAA,MAAM,MAAA,GAAS,kBAAA;AAAA,UACb,SAAA;AAAA,UACA,GAAA;AAAA,UACA,eAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,UAAA,QAAA,CAAS,OAAO,IAAA,EAAM,mBAAA,EAAqB,IAAI,IAAA,CAAK,WAAA,EAAa,QAAW,SAAS,CAAA;AACrF,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,CAAO,OAAO,CAAA;AAAA,QAC3C;AAEA,QAAA,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,OAAA,CAAQ,UAAA,EAAY,OAAO,OAAO,CAAA;AAEtD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,GAAA,CAAI,KAAK,WAAW,CAAA;AAE/D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,UAAA,EAAY,OAAO,OAAA,CAAQ,UAAA;AAAA,UAC3B,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,YAAA,EACE;AAAA,SAEH,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,wJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAA,EAAc,UAAU;AAAA,OACrC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,UAAA;AACvB,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAEtB,QAAA,MAAM,OAAA,GAAU,QAAA,CAAS,GA
AA,CAAI,SAAS,CAAA;AACtC,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,4BAAA,EAA+B,SAAS,IAAI,CAAA;AAAA,QACzE;AACA,QAAA,IAAI,OAAA,CAAQ,UAAU,WAAA,EAAa;AACjC,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,qBAAA,EAAwB,OAAA,CAAQ,KAAK,CAAA,uBAAA;AAAA,WAC7C,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,iBAAA;AAAA,UACb,QAAA;AAAA,UACA,OAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,UAAA,OAAA,CAAQ,KAAA,GAAQ,QAAA;AAChB,UAAA,QAAA,CAAS,MAAA,CAAO,MAAM,oBAAA,EAAsB,OAAA,CAAQ,QAAQ,IAAA,CAAK,WAAA,EAAa,QAAW,SAAS,CAAA;AAClG,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,CAAO,OAAO,CAAA;AAAA,QAC3C;AAEA,QAAA,OAAA,CAAQ,KAAA,GAAQ,WAAA;AAChB,QAAA,OAAA,CAAQ,YAAY,QAAA,CAAS,GAAA;AAC7B,QAAA,OAAA,CAAQ,cAAc,QAAA,CAAS,eAAA;AAC/B,QAAA,OAAA,CAAQ,SAAS,MAAA,CAAO,MAAA;AAExB,QAAA,QAAA,CAAS,OAAO,IAAA,EAAM,oBAAA,EAAsB,OAAA,CAAQ,OAAA,CAAQ,KAAK,WAAW,CAAA;AAE5E,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,QAAQ,MAAA,CAAO,MAAA;AAAA,UACf,YAAA,EACE;AAAA,SAEH,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,2FAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAY;AAAA,OACzB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,UAAA;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AAExB,QAAA,MAAM,OAAA,GAAU,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACtC,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,4BAAA,EAA+B,SAAS,IAAI,CAAA;AAAA,QACzE;AAGA,QAAA,IAAI,cAAc,OAAA,CAAQ,IAAA,KAAS,WAAA,IAAe,OAAA,CAAQ,UAAU,WAAA,EAAa;AAC/E,UAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,UAAA,EAAY,OAAO,CAAA;AACnD,UAAA,OAAA,CAAQ,KAAA,GAAQ,MAAA,CAAO,QAAA,GAAW,WAAA,GAAc,QAAA;AAChD,UAAA,OAAA,CAAQ,MAAA,GAAS,MAAA;AAEjB,UAAA,QAAA,CAAS,MAAA;AAAA,YACP,IAAA;AAAA,YACA,6BAAA;AAAA,YACA,OAAA,CAAQ,QAAQ,IAAA,CAAK,WAAA;AAAA,YACrB,MAAA;AAAA,YACA,MAAA,CAAO,WAAW,SAAA,GAAY;AAAA,WAChC;AAEA,UAAA,OA
AO,UAAA,CAAW,EAAE,MAAA,EAAQ,CAAA;AAAA,QAC9B;AAGA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,MAAM,OAAA,CAAQ,IAAA;AAAA,UACd,OAAO,OAAA,CAAQ,KAAA;AAAA,UACf,cAAc,OAAA,CAAQ,YAAA;AAAA,UACtB,MAAA,EAAQ,QAAQ,MAAA,IAAU;AAAA,SAC3B,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;;;AC1OA,aAAA,EAAA;AAeA,eAAsB,sBAAsB,OAAA,EAIf;AAE3B,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,OAAA,EAAS,UAAU,CAAA;AAGnD,EAAA,MAAMQ,KAAAA,CAAM,OAAO,YAAA,EAAc,EAAE,WAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAGjE,EAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,iBAAA;AAAA,IACtC,CAAA,EAAG,OAAO,YAAY,CAAA,MAAA;AAAA,GACxB;AAGA,EAAA,IAAI,SAAA;AACJ,EAAA,IAAI,aAAA;AACJ,EAAA,IAAI,WAAA;AAEJ,EAAA,MAAM,UAAA,GAAa,OAAA,EAAS,UAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,oBAAA;AAEtD,EAAA,IAAI,UAAA,EAAY;AAEd,IAAA,aAAA,GAAgB,YAAA;AAGhB,IAAA,IAAI,cAAA;AACJ,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,SAAS,YAAY,CAAA;AACpD,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,QAAA,cAAA,GAAiB,IAAA,CAAK,KAAA,CAAMA,cAAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAChD;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,UAAA,EAAY,cAAc,CAAA;AAC/D,IAAA,SAAA,GAAY,MAAA,CAAO,GAAA;AAGnB,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAM,EAAE,aAAA,EAAAF,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,MAAA,MAAM,OAAA,CAAQ,KAAA;AAAA,QACZ,OAAA;AAAA,QACA,YAAA;AAAA,QACAA,cAAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,MAAM,CAAC;AAAA,OAC7C;AAAA,IACF;AAAA,EACF,CAAA,MAAO;AAEL,IAAA,aAAA,GAAgB,cAAA;AAGhB,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,IAAA,CAAK,SAAS,mBAAmB,CAAA;AAChE,IAAA,IAAI,QAAA,EAAU;AAIZ,MAAA,SAAA,GAAY,iBAAA,EAAkB;AAC9B,MAAA,WAAA,GAAc,YAAY,SAAS,CAAA;AAAA,IACrC,CAAA,MAAO;AACL,MAAA,SAAA,GAAY,iBAAA,EAAkB;AAC9B,MAAA,WAAA,GAAc,YAAY,SAAS,CAAA;AAGnC,MAAA,MAAM,EAAE,YAAA,EAAAD,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,MAAA,MAAM,EAAE,aAAA,EAAAC,
cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,MAAA,MAAM,OAAA,GAAUD,cAAa,SAAS,CAAA;AACtC,MAAA,MAAM,OAAA,CAAQ,KAAA;AAAA,QACZ,OAAA;AAAA,QACA,mBAAA;AAAA,QACAC,eAAc,OAAO;AAAA,OACvB;AAAA,IACF;AAAA,EACF;AAGA,EAAA,MAAM,QAAA,GAAW,IAAI,QAAA,CAAS,OAAA,EAAS,SAAS,CAAA;AAGhD,EAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,OAAA,EAAS,SAAS,CAAA;AAGpD,EAAA,MAAM,EAAE,KAAA,EAAO,OAAA,EAAS,eAAA,EAAgB,GAAI,aAAA;AAAA,IAC1C,UAAA;AAAA,IACA,OAAA;AAAA,IACA,SAAA;AAAA,IACA,aAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,gBAAgB,IAAA,EAAK;AAG3B,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA,EAAK;AAAA,UACnD,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA,EAAK;AAAA,UACnD,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA;AAAK;AACpD,OACF;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,eAAyB,EAAC;AAGhC,QAAA,YAAA,CAAa,IAAA;AAAA,UACX;AAAA,SACF;AAGA,QAAA,IAAI,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA,EAAmB;AACxD,UAAA,YAAA,CAAa,IAAA;AAAA,YACX;AAAA,WACF;AAAA,QACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAA,EAAa;AAAA,YACX,gBAAA,EAAkB,OAAO,SAAA,CAAU,WAAA;AAAA,YACnC,QAAA,EAAU;AAAA,cACR,YAAY,OAAA,CAAQ,IAAA;AAAA,cACpB,aAAA,EAAe,KAAA;AAAA,cACf,QAAA,EAAU;AAAA,aACZ;AAAA,YACA,QAAA,EAAU;AAAA,cACR,IAAI,CAAA,EAAG,OAAA,CAAQ,QAAQ,CAAA,CAAA,EAAI,QAAQ,IAAI,CAAA,CAAA;AAAA,cACvC,OAAA,EAAS,CAAA,KAAA,EAAQ,OAAA,CAAQ,OAAO,CAAA,CAAA;AAAA,cAChC,mBAAmB,MAAA,CAAO,OAAA;AAAA,cAC1B,eAAA,EAAiB;AAAA,aACnB;AAAA,YACA,OAAA,EAAS;AAAA,cACP,mBAAA,EAAqB,IAAA;AAAA;AAAA,cACrB,iBAAiB,EAAC;AAAA,cAClB,iBAAA,EAAmB;AAAA,aACrB;AAAA,YACA,eAAA,EAAiB,SAAA;AAAA,YACjB,sBAAA,EAAwB;AAAA,cACtB,kBAAA,EAAoB,IAAA;AAAA,cACpB,qBAAA,EAAuB,KAAA;AAAA,cACvB,iBAAA,EAAmB,eAAA;AAAA,cACnB,mBAAA,EACE,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA;AAAA,cACrC,oBAAA,EAAsB,IAAA;AAAA,cACtB,aAAA,EAAe,KAAA;AAAA,cACf;AAAA;AACF,WACF;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AA
AA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,WAAA,EACE,uEAAA;AAAA,MACF,aAAa,EAAE,IAAA,EAAM,QAAA,EAAU,UAAA,EAAY,EAAC,EAAE;AAAA,MAC9C,SAAS,YAAY;AACnB,QAAA,MAAM,gBAAA,GAAmB,MAAM,OAAA,CAAQ,SAAA,EAAU;AACjD,QAAA,MAAM,eAKD,EAAC;AAEN,QAAA,YAAA,CAAa,IAAA,CAAK;AAAA,UAChB,KAAA,EAAO,IAAA;AAAA,UACP,WAAA,EAAa,uCAAA;AAAA,UACb,QAAA,EAAU,SAAA;AAAA,UACV,UAAA,EAAY;AAAA,SACb,CAAA;AAED,QAAA,IAAI,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA,EAAmB;AACxD,UAAA,YAAA,CAAa,IAAA,CAAK;AAAA,YAChB,KAAA,EAAO,IAAA;AAAA,YACP,WAAA,EAAa,wCAAA;AAAA,YACb,QAAA,EAAU,MAAA;AAAA,YACV,UAAA,EAAY;AAAA,WACb,CAAA;AAAA,QACH;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,QAAQ,YAAA,CAAa,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,UAAU,CAAA,GACtD,aAAA,GACA,YAAA,CAAa,KAAK,CAAC,CAAA,KAAM,EAAE,QAAA,KAAa,SAAS,IAC/C,UAAA,GACA,SAAA;AAAA,UACN,aAAA,EAAe,gBAAA;AAAA,UACf,MAAA,EAAQ;AAAA,YACN,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,QAAA;AAAA,cACR,oBAAA,EAAsB,aAAA;AAAA,cACtB,SAAA,EAAW,eAAA,CAAgB,IAAA,EAAK,CAAE,MAAA;AAAA,cAClC,eAAA,EAAiB,UAAA;AAAA,cACjB,oBAAA,EAAA,iBAAsB,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,aAC/C;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,UAAA;AAAA,cACR,cAAA,EAAgB,eAAA;AAAA,cAChB,qBAAA,EAAuB,IAAA;AAAA,cACvB,gBAAA,EAAA,iBAAkB,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,aAC3C;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EACE,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,oBAC/B,UAAA,GACA,QAAA;AAAA,cACN,YAAA,EAAc,OAAO,UAAA,CAAW,YAAA;AAAA,cAChC,eAAA,EAAiB,CAAA;AAAA,cACjB,sBAAA,EAAwB;AAAA,aAC1B;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,QAAA;AAAA,cACR,IAAA,EAAM,OAAO,UAAA,CAAW,IAAA;AAAA,cACxB,iBAAA,EAAmB,CAAA;AAAA;AAAA,cACnB,qBAAA,EAAuB;AAAA;AACzB,WACF;AAAA,UACA,YAAA;AAAA,UACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EAAa,kCAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,oBAAA,EAAqB;AAAA,UAC3D,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,IAAA,EAAM,IAAA,EAAM,MAAM,IAAI;AAAA,WAC/B;AAAA,UACA,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACjC,KAAA,EAAO,EA
AE,IAAA,EAAM,QAAA,EAAU,SAAS,EAAA;AAAG;AACvC,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,KAAA,CAAM;AAAA,UAClC,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,gBAAgB,IAAA,CAAK,cAAA;AAAA,UACrB,KAAA,EAAQ,KAAK,KAAA,IAAoB;AAAA,SAClC,CAAA;AACD,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA;AACF,GACF;AAGA,EAAA,MAAM,YAAA,GAA+B;AAAA,IACnC,IAAA,EAAM,oBAAA;AAAA,IACN,WAAA,EACE,sHAAA;AAAA,IAEF,aAAa,EAAE,IAAA,EAAM,QAAA,EAAU,UAAA,EAAY,EAAC,EAAE;AAAA,IAC9C,SAAS,YAAY;AACnB,MAAA,OAAO,UAAA,CAAW;AAAA,QAChB,iBAAA,EAAmB,KAAA;AAAA,QACnB,cAAA,EAAgB;AAAA,UACd,IAAA,EAAM,iCAAA;AAAA,UACN,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,QAAA,EAAU,YAAA;AAAA,UACV,OAAA,EAAS;AAAA,SACX;AAAA,QACA,MAAA,EAAQ;AAAA,UACN,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,YAAA,EAAc,cAAc,CAAA;AAAA,YACzC,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,YAC1B,QAAA,EAAU,CAAC,SAAS,CAAA;AAAA,YACpB,UAAA,EAAY;AAAA,cACV,4BAAA,EAA8B,MAAA;AAAA,cAC9B,yBAAA,EAA2B,MAAA;AAAA,cAC3B,6BAAA,EAA+B,MAAA;AAAA,cAC/B,8BAAA,EAAgC,MAAA;AAAA,cAChC,wBAAA,EAA0B,MAAA;AAAA,cAC1B,sBAAA,EAAwB,MAAA;AAAA,cACxB,yBAAA,EAA2B;AAAA;AAC7B,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,sBAAA,EAAwB,gBAAgB,CAAA;AAAA,YACrD,eAAA,EAAiB,CAAC,MAAA,CAAO,SAAA,CAAU,WAAW,CAAA;AAAA,YAC9C,UAAA,EAAY;AAAA,cACV,gCAAA,EAAkC,YAAA;AAAA,cAClC,2BAAA,EAA6B,eAAA;AAAA,cAC7B,kBAAA,EAAoB;AAAA;AACtB,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,aAAA,EAAe,kBAAkB,CAAA;AAAA,YAC9C,aAAA,EAAe,CAAC,MAAA,CAAO,UAAA,CAAW,YAAY,CAAA;AAAA,YAC9C,UAAA,EAAY;AAAA,cACV,yBAAA,EAA2B,cAAA;AAAA,cAC3B,+BAAA,EAAiC;AAAA;AACnC,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,iBAAA,EAAmB,gBAAgB,CAAA;AAAA,YAChD,KAAA,EAAO,CAAC,MAAA,CAAO,UAAA,CAAW,IAAI,CAAA;AAAA,YAC9B,UAAA,EAAY;AAAA,cACV,wBAAA,EAA0B,MAAA;AAAA,cAC1B,wBAAA,EAA0B,MAAA;AAAA,cAC1B,uBAAA,EAAyB,OAAA;AAAA,cACzB,0BAAA,EAA4B;AAAA;AAC9B;AACF,SACF;AAAA,QACA,WAAA,EAAa;AAAA,UACX,WAAA,EAAa,KAAA;AAAA,UACb,aAAA,EAAe,KAAA;AAAA,UACf,aAAA,EAAe,IAAA;AAAA,UACf,gB
AAA,EAAkB;AAAA,SACpB;AAAA,QACA,WAAA,EAAa;AAAA,UACX,gEAAA;AAAA,UACA,oEAAA;AAAA,UACA,+DAAA;AAAA,UACA,0CAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA,IACH;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,OAAA,KAAY,aAAA,CAAc,OAAA,EAAS,WAAW,QAAQ,CAAA;AAGrE,EAAA,MAAM,EAAE,KAAA,EAAO,OAAA,EAAQ,GAAI,aAAA;AAAA,IACzB,OAAA;AAAA,IACA,SAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,MAAA,GAAS,MAAM,mBAAA,CAAoB,MAAA,CAAO,YAAY,CAAA;AAC5D,EAAA,MAAM,QAAA,GAAW,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AACvD,EAAA,MAAM,SAAS,IAAA,EAAK;AAEpB,EAAA,MAAM,eAAA,GAAkB,IAAI,qBAAA,CAAsB,MAAA,CAAO,gBAAgB,CAAA;AACzE,EAAA,MAAM,OAAO,IAAI,YAAA,CAAa,MAAA,EAAQ,QAAA,EAAU,iBAAiB,QAAQ,CAAA;AAGzE,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,MAAA,EAAQ,QAAA,EAAU,QAAQ,CAAA;AAGzE,EAAA,MAAM,EAAE,KAAA,EAAO,QAAA,EAAS,GAAI,cAAA;AAAA,IAC1B,MAAA;AAAA,IACA,eAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,cAAA,EAAe,GAAI,oBAAA;AAAA,IAChC,MAAA;AAAA,IACA,eAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,QAAA,GAA6B;AAAA,IACjC,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,WAAA;AAAA,IACH,GAAG,QAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH;AAAA,GACF;AAGA,EAAA,MAAM,MAAA,GAAS,YAAA,CAAa,QAAA,EAAU,EAAE,MAAM,CAAA;AAG9C,EAAA,MAAM,WAAW,MAAM,CAAA;AAGvB,EAAA,MAAM,eAAe,MAAM;AACzB,IAAA,QAAA,CAAS,IAAA,EAAK,CAAE,KAAA,CAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EAChC,CAAA;AACA,EAAA,OAAA,CAAQ,EAAA,CAAG,UAAU,YAAY,CAAA;AACjC,EAAA,OAAA,CAAQ,EAAA,CAAG,WAAW,YAAY,CAAA;AAGlC,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,OAAA,CAAQ,KAAA;AAAA,MACN,CAAA;AAAA;AAAA;AAAA,sBAAA,EAGoB,WAAA,CAAY,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,CAAA;AAAA;AAAA;AAAA;AAAA,wWAAA;AAAA,KAK9C;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,QAAQ,MAAA,EAAO;AAC1B;;;ACpcA,eAAe,IAAA,GAAsB;AACnC,EAAA,MAAM,UAAA,GAAa,QAAQ,GAAA,CAAI,oBAAA;AAE/B,EAAA,MAAM,EAAE,QAAQ,MAAA,EAAO,GAAI,MAAM,qBAAA,CAAsB,EAAE,YAAY,CAAA;AAErE,EAAA,IAAI,MAAA,CAAO,cAAc,OAAA,EAAS;AAChC,IAAA,MAAM,SAAA,GAAY,IAAI,oBAAA,EAAqB;AAC3C,IAAA,MAAM,MAAA,CAAO,QAAQ,SAAS,CAAA;AAC9B,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,sBAAA,EAAyB,MAAA,CAAO,OAAO,CAAA,gBAAA,CAAkB,
CAAA;AACvE,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,SAAA,EAAY,MAAA,CAAO,YAAY,CAAA,CAAE,CAAA;AAC/C,IAAA,OAAA,CAAQ,MAAM,uBAAuB,CAAA;AAAA,EACvC,CAAA,MAAO;AAEL,IAAA,OAAA,CAAQ,MAAM,gDAAgD,CAAA;AAC9D,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AACF;AAEA,IAAA,EAAK,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AACpB,EAAA,OAAA,CAAQ,KAAA,CAAM,yCAAyC,GAAG,CAAA;AAC1D,EAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAChB,CAAC,CAAA","file":"cli.js","sourcesContent":["/**\n * Sanctuary MCP Server — Encoding Utilities\n *\n * Base64url encoding/decoding per RFC 4648 §5.\n * Used throughout Sanctuary for serializing binary data in JSON.\n */\n\n/**\n * Encode bytes to base64url string (no padding).\n */\nexport function toBase64url(bytes: Uint8Array): string {\n const base64 = Buffer.from(bytes).toString(\"base64\");\n return base64.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/**\n * Decode base64url string to bytes.\n */\nexport function fromBase64url(str: string): Uint8Array {\n // Restore standard base64\n let base64 = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n // Add padding\n while (base64.length % 4 !== 0) {\n base64 += \"=\";\n }\n const buf = Buffer.from(base64, \"base64\");\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n}\n\n/**\n * Encode a UTF-8 string to bytes.\n */\nexport function stringToBytes(str: string): Uint8Array {\n return new TextEncoder().encode(str);\n}\n\n/**\n * Decode bytes to a UTF-8 string.\n */\nexport function bytesToString(bytes: Uint8Array): string {\n return new TextDecoder().decode(bytes);\n}\n\n/**\n * Concatenate multiple Uint8Arrays.\n */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n const totalLength = arrays.reduce((sum, arr) => sum + arr.length, 0);\n const result = new Uint8Array(totalLength);\n let offset = 0;\n for (const arr of arrays) {\n result.set(arr, offset);\n offset += arr.length;\n }\n return result;\n}\n\n/**\n * Constant-time comparison of two byte arrays.\n * Prevents timing attacks on 
signature/tag verification.\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++) {\n diff |= a[i]! ^ b[i]!;\n }\n return diff === 0;\n}\n","/**\n * Sanctuary MCP Server — Hashing and Merkle Trees\n *\n * SHA-256 hashing for integrity verification.\n * Merkle trees for namespace-level state integrity.\n */\n\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { hmac } from \"@noble/hashes/hmac\";\nimport { toBase64url, concatBytes, stringToBytes } from \"./encoding.js\";\n\n/**\n * Compute SHA-256 hash of data.\n */\nexport function hash(data: Uint8Array): Uint8Array {\n return sha256(data);\n}\n\n/**\n * Compute SHA-256 hash and return as base64url string.\n */\nexport function hashToString(data: Uint8Array): string {\n return toBase64url(hash(data));\n}\n\n/**\n * Compute HMAC-SHA256.\n */\nexport function hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array {\n return hmac(sha256, key, data);\n}\n\n// ─── Merkle Tree ─────────────────────────────────────────────────────────────\n\nexport interface MerkleNode {\n hash: string; // base64url SHA-256\n left?: MerkleNode;\n right?: MerkleNode;\n key?: string; // Leaf nodes store the state key\n}\n\nexport interface MerkleProof {\n leaf: string;\n path: Array<{\n hash: string;\n position: \"left\" | \"right\";\n }>;\n root: string;\n}\n\n/**\n * Build a Merkle tree from a set of key-hash pairs.\n * Keys are sorted lexicographically for deterministic ordering.\n *\n * @param entries - Map of state key → content hash (base64url)\n * @returns Root node of the Merkle tree\n */\nexport function buildMerkleTree(\n entries: Map<string, string>\n): MerkleNode | null {\n if (entries.size === 0) return null;\n\n // Sort keys for deterministic tree construction\n const sortedKeys = Array.from(entries.keys()).sort();\n\n // Create leaf nodes: H(key || content_hash)\n let nodes: MerkleNode[] = 
sortedKeys.map((key) => {\n const contentHash = entries.get(key)!;\n const leafData = concatBytes(\n stringToBytes(key),\n stringToBytes(contentHash)\n );\n return {\n hash: hashToString(leafData),\n key,\n };\n });\n\n // Build tree bottom-up\n while (nodes.length > 1) {\n const nextLevel: MerkleNode[] = [];\n for (let i = 0; i < nodes.length; i += 2) {\n const left = nodes[i]!;\n if (i + 1 < nodes.length) {\n const right = nodes[i + 1]!;\n const parentData = concatBytes(\n stringToBytes(left.hash),\n stringToBytes(right.hash)\n );\n nextLevel.push({\n hash: hashToString(parentData),\n left,\n right,\n });\n } else {\n // Odd node — promote directly\n nextLevel.push(left);\n }\n }\n nodes = nextLevel;\n }\n\n return nodes[0] ?? null;\n}\n\n/**\n * Generate a Merkle proof for a specific key.\n *\n * @param entries - All key-hash pairs in the namespace\n * @param targetKey - The key to generate a proof for\n * @returns MerkleProof or null if key not found\n */\nexport function generateMerkleProof(\n entries: Map<string, string>,\n targetKey: string\n): MerkleProof | null {\n if (!entries.has(targetKey)) return null;\n\n const sortedKeys = Array.from(entries.keys()).sort();\n const targetIndex = sortedKeys.indexOf(targetKey);\n if (targetIndex === -1) return null;\n\n // Create leaf hashes\n const leafHashes: string[] = sortedKeys.map((key) => {\n const contentHash = entries.get(key)!;\n const leafData = concatBytes(\n stringToBytes(key),\n stringToBytes(contentHash)\n );\n return hashToString(leafData);\n });\n\n const path: MerkleProof[\"path\"] = [];\n let currentIndex = targetIndex;\n let currentLevel = leafHashes;\n\n while (currentLevel.length > 1) {\n const nextLevel: string[] = [];\n for (let i = 0; i < currentLevel.length; i += 2) {\n const left = currentLevel[i]!;\n if (i + 1 < currentLevel.length) {\n const right = currentLevel[i + 1]!;\n\n // If our target is at this pair, record the sibling\n if (i === currentIndex || i + 1 === currentIndex) {\n if 
(currentIndex === i) {\n path.push({ hash: right, position: \"right\" });\n } else {\n path.push({ hash: left, position: \"left\" });\n }\n }\n\n const parentData = concatBytes(\n stringToBytes(left),\n stringToBytes(right)\n );\n nextLevel.push(hashToString(parentData));\n } else {\n // Odd node — promote directly, no sibling to record\n nextLevel.push(left);\n }\n }\n currentIndex = Math.floor(currentIndex / 2);\n currentLevel = nextLevel;\n }\n\n const root = buildMerkleTree(entries);\n\n return {\n leaf: leafHashes[targetIndex]!,\n path,\n root: root?.hash ?? \"\",\n };\n}\n\n/**\n * Verify a Merkle proof.\n *\n * @param proof - The proof to verify\n * @returns true if the proof is valid\n */\nexport function verifyMerkleProof(proof: MerkleProof): boolean {\n let currentHash = proof.leaf;\n\n for (const step of proof.path) {\n const left =\n step.position === \"left\" ? step.hash : currentHash;\n const right =\n step.position === \"right\" ? step.hash : currentHash;\n const parentData = concatBytes(\n stringToBytes(left),\n stringToBytes(right)\n );\n currentHash = hashToString(parentData);\n }\n\n return currentHash === proof.root;\n}\n\n/**\n * Compute the Merkle root for a set of entries.\n * Convenience function that builds the tree and returns just the root hash.\n */\nexport function computeMerkleRoot(entries: Map<string, string>): string {\n const tree = buildMerkleTree(entries);\n return tree?.hash ?? 
\"\";\n}\n","/**\n * Sanctuary MCP Server — Configuration\n *\n * Loads and validates server configuration from file or environment variables.\n */\n\nimport { readFile, writeFile } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\n\nexport interface SanctuaryConfig {\n version: string;\n storage_path: string;\n principal_id?: string;\n\n state: {\n encryption: \"aes-256-gcm\";\n key_protection: \"passphrase\" | \"hardware-key\" | \"none\";\n key_derivation: \"argon2id\";\n integrity: \"merkle-sha256\";\n identity_provider: \"ed25519\";\n };\n\n execution: {\n environment: \"local-process\" | \"docker\" | \"tee\";\n attestation: boolean;\n resource_limits: {\n max_memory_mb: number;\n max_storage_mb: number;\n max_cpu_percent: number;\n };\n };\n\n disclosure: {\n proof_system: \"groth16\" | \"plonk\" | \"commitment-only\";\n default_policy: \"minimum-necessary\" | \"withhold-all\";\n };\n\n reputation: {\n mode: \"self-custodied\" | \"service-mediated\";\n attestation_format: \"eas-compatible\";\n export_format: \"SANCTUARY_REP_V1\";\n service_endpoints: string[];\n };\n\n transport: \"stdio\" | \"http\";\n http_port: number;\n}\n\n/** Default configuration */\nexport function defaultConfig(): SanctuaryConfig {\n return {\n version: \"0.2.0\",\n storage_path: join(homedir(), \".sanctuary\"),\n state: {\n encryption: \"aes-256-gcm\",\n key_protection: \"none\",\n key_derivation: \"argon2id\",\n integrity: \"merkle-sha256\",\n identity_provider: \"ed25519\",\n },\n execution: {\n environment: \"local-process\",\n attestation: true,\n resource_limits: {\n max_memory_mb: 512,\n max_storage_mb: 1024,\n max_cpu_percent: 50,\n },\n },\n disclosure: {\n proof_system: \"commitment-only\",\n default_policy: \"minimum-necessary\",\n },\n reputation: {\n mode: \"self-custodied\",\n attestation_format: \"eas-compatible\",\n export_format: \"SANCTUARY_REP_V1\",\n service_endpoints: [],\n },\n transport: \"stdio\",\n 
http_port: 3500,\n };\n}\n\n/**\n * Load configuration from file, falling back to defaults.\n */\nexport async function loadConfig(\n configPath?: string\n): Promise<SanctuaryConfig> {\n const config = defaultConfig();\n\n // Override from environment\n if (process.env.SANCTUARY_STORAGE_PATH) {\n config.storage_path = process.env.SANCTUARY_STORAGE_PATH;\n }\n if (process.env.SANCTUARY_TRANSPORT) {\n config.transport = process.env.SANCTUARY_TRANSPORT as \"stdio\" | \"http\";\n }\n if (process.env.SANCTUARY_HTTP_PORT) {\n config.http_port = parseInt(process.env.SANCTUARY_HTTP_PORT, 10);\n }\n\n // Override from config file\n const path =\n configPath ?? join(config.storage_path, \"sanctuary.json\");\n\n try {\n const raw = await readFile(path, \"utf-8\");\n const fileConfig = JSON.parse(raw);\n return deepMerge(config, fileConfig);\n } catch {\n // No config file — use defaults\n return config;\n }\n}\n\n/**\n * Save configuration to file.\n */\nexport async function saveConfig(\n config: SanctuaryConfig,\n configPath?: string\n): Promise<void> {\n const path =\n configPath ?? 
join(config.storage_path, \"sanctuary.json\");\n await writeFile(path, JSON.stringify(config, null, 2), { mode: 0o600 });\n}\n\n/** Deep merge two objects (target takes precedence) */\nfunction deepMerge(base: object, override: object): SanctuaryConfig {\n const result: Record<string, unknown> = { ...base };\n for (const [key, value] of Object.entries(override)) {\n if (\n value !== null &&\n typeof value === \"object\" &&\n !Array.isArray(value) &&\n typeof result[key] === \"object\" &&\n result[key] !== null\n ) {\n result[key] = deepMerge(\n result[key] as object,\n value as object\n );\n } else {\n result[key] = value;\n }\n }\n return result as unknown as SanctuaryConfig;\n}\n","/**\n * Sanctuary MCP Server — Secure Random Generation\n *\n * All randomness in Sanctuary flows through this module.\n * Uses crypto.getRandomValues (Web Crypto API) for CSPRNG.\n */\n\nimport { randomBytes as nodeRandomBytes } from \"node:crypto\";\n\n/**\n * Generate cryptographically secure random bytes.\n * Uses Node.js crypto module (backed by OpenSSL CSPRNG).\n */\nexport function randomBytes(length: number): Uint8Array {\n if (length <= 0) {\n throw new RangeError(\"Length must be positive\");\n }\n const buf = nodeRandomBytes(length);\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n}\n\n/**\n * Generate a random IV for AES-256-GCM (12 bytes per NIST SP 800-38D).\n */\nexport function generateIV(): Uint8Array {\n return randomBytes(12);\n}\n\n/**\n * Generate a random salt for key derivation (32 bytes).\n */\nexport function generateSalt(): Uint8Array {\n return randomBytes(32);\n}\n\n/**\n * Generate a random 256-bit key (for recovery key generation).\n */\nexport function generateRandomKey(): Uint8Array {\n return randomBytes(32);\n}\n","/**\n * Sanctuary MCP Server — Filesystem Storage Backend\n *\n * Default storage backend using the local filesystem.\n * Files are stored as: {basePath}/{namespace}/{key}.enc\n *\n * Security invariants:\n * - Secure 
deletion overwrites file content with random bytes before unlinking\n * - Directory creation uses restrictive permissions (0o700)\n * - File creation uses restrictive permissions (0o600)\n */\n\nimport { mkdir, readFile, writeFile, unlink, readdir, stat } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { randomBytes } from \"../core/random.js\";\nimport type { StorageBackend, StorageEntryMeta } from \"./interface.js\";\n\nexport class FilesystemStorage implements StorageBackend {\n private basePath: string;\n\n constructor(basePath: string) {\n this.basePath = basePath;\n }\n\n private entryPath(namespace: string, key: string): string {\n // Sanitize namespace and key to prevent path traversal\n const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n const safeKey = key.replace(/[^a-zA-Z0-9_.-]/g, \"_\");\n return join(this.basePath, safeNamespace, `${safeKey}.enc`);\n }\n\n private namespacePath(namespace: string): string {\n const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n return join(this.basePath, safeNamespace);\n }\n\n async write(\n namespace: string,\n key: string,\n data: Uint8Array\n ): Promise<void> {\n const dirPath = this.namespacePath(namespace);\n const filePath = this.entryPath(namespace, key);\n\n // Create namespace directory with restrictive permissions\n await mkdir(dirPath, { recursive: true, mode: 0o700 });\n\n // Write file with restrictive permissions (owner read/write only)\n await writeFile(filePath, data, { mode: 0o600 });\n }\n\n async read(namespace: string, key: string): Promise<Uint8Array | null> {\n const filePath = this.entryPath(namespace, key);\n try {\n const buf = await readFile(filePath);\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return null;\n }\n throw err;\n }\n }\n\n async delete(\n namespace: 
string,\n key: string,\n secureOverwrite = true\n ): Promise<boolean> {\n const filePath = this.entryPath(namespace, key);\n\n try {\n if (secureOverwrite) {\n // Read the file to determine its size\n const fileStat = await stat(filePath);\n const size = fileStat.size;\n\n // Overwrite with random bytes (3 passes for defense in depth)\n for (let pass = 0; pass < 3; pass++) {\n const randomData = randomBytes(size);\n await writeFile(filePath, randomData, { mode: 0o600 });\n }\n }\n\n // Remove the file\n await unlink(filePath);\n return true;\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return false;\n }\n throw err;\n }\n }\n\n async list(namespace: string, prefix?: string): Promise<StorageEntryMeta[]> {\n const dirPath = this.namespacePath(namespace);\n\n try {\n const files = await readdir(dirPath);\n const entries: StorageEntryMeta[] = [];\n\n for (const file of files) {\n if (!file.endsWith(\".enc\")) continue;\n\n const key = file.slice(0, -4); // Remove .enc extension\n if (prefix && !key.startsWith(prefix)) continue;\n\n const filePath = join(dirPath, file);\n const fileStat = await stat(filePath);\n\n entries.push({\n key,\n namespace,\n size_bytes: fileStat.size,\n modified_at: fileStat.mtime.toISOString(),\n });\n }\n\n return entries.sort((a, b) => a.key.localeCompare(b.key));\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return [];\n }\n throw err;\n }\n }\n\n async exists(namespace: string, key: string): Promise<boolean> {\n const filePath = this.entryPath(namespace, key);\n try {\n await stat(filePath);\n return true;\n } catch {\n return false;\n }\n }\n\n async totalSize(): Promise<number> {\n let total = 0;\n\n try {\n const namespaces = await readdir(this.basePath);\n for (const ns of namespaces) {\n const nsPath = join(this.basePath, ns);\n const nsStat = 
await stat(nsPath);\n if (!nsStat.isDirectory()) continue;\n\n const files = await readdir(nsPath);\n for (const file of files) {\n const filePath = join(nsPath, file);\n const fileStat = await stat(filePath);\n total += fileStat.size;\n }\n }\n } catch {\n // If base path doesn't exist yet, total is 0\n }\n\n return total;\n }\n}\n","/**\n * Sanctuary MCP Server — AES-256-GCM Encryption\n *\n * All state encryption in Sanctuary uses AES-256-GCM (authenticated encryption).\n * This provides both confidentiality and integrity — a modified ciphertext will\n * fail authentication, detecting tampering.\n *\n * Security invariants:\n * - Every encryption uses a unique 12-byte IV (NIST SP 800-38D)\n * - The 16-byte authentication tag is always verified on decryption\n * - Keys are 256 bits (32 bytes)\n */\n\nimport { gcm } from \"@noble/ciphers/aes.js\";\nimport { generateIV } from \"./random.js\";\nimport { toBase64url, fromBase64url } from \"./encoding.js\";\n\n/** Encrypted payload structure stored on disk */\nexport interface EncryptedPayload {\n /** Format version */\n v: number;\n /** Algorithm identifier */\n alg: \"aes-256-gcm\";\n /** Initialization vector (base64url) */\n iv: string;\n /** Ciphertext (base64url) */\n ct: string;\n /** Authentication tag (base64url) — included in ciphertext by @noble/ciphers */\n /** Timestamp */\n ts: string;\n}\n\n/**\n * Encrypt plaintext bytes with AES-256-GCM.\n *\n * @param plaintext - Data to encrypt\n * @param key - 256-bit encryption key\n * @param aad - Optional additional authenticated data (authenticated but not encrypted)\n * @returns EncryptedPayload ready for JSON serialization\n */\nexport function encrypt(\n plaintext: Uint8Array,\n key: Uint8Array,\n aad?: Uint8Array\n): EncryptedPayload {\n if (key.length !== 32) {\n throw new Error(\"Key must be exactly 32 bytes (256 bits)\");\n }\n\n const iv = generateIV();\n const cipher = gcm(key, iv, aad);\n // @noble/ciphers gcm.encrypt appends the 16-byte auth tag to 
the ciphertext\n const ciphertext = cipher.encrypt(plaintext);\n\n return {\n v: 1,\n alg: \"aes-256-gcm\",\n iv: toBase64url(iv),\n ct: toBase64url(ciphertext),\n ts: new Date().toISOString(),\n };\n}\n\n/**\n * Decrypt an AES-256-GCM encrypted payload.\n *\n * @param payload - EncryptedPayload from encrypt()\n * @param key - 256-bit encryption key (must match the encryption key)\n * @param aad - Optional additional authenticated data (must match encryption AAD)\n * @returns Decrypted plaintext bytes\n * @throws If authentication tag verification fails (tampered data)\n */\nexport function decrypt(\n payload: EncryptedPayload,\n key: Uint8Array,\n aad?: Uint8Array\n): Uint8Array {\n if (key.length !== 32) {\n throw new Error(\"Key must be exactly 32 bytes (256 bits)\");\n }\n if (payload.v !== 1) {\n throw new Error(`Unsupported payload version: ${payload.v}`);\n }\n if (payload.alg !== \"aes-256-gcm\") {\n throw new Error(`Unsupported algorithm: ${payload.alg}`);\n }\n\n const iv = fromBase64url(payload.iv);\n const ciphertext = fromBase64url(payload.ct);\n const cipher = gcm(key, iv, aad);\n\n // gcm.decrypt verifies the auth tag and throws if tampered\n return cipher.decrypt(ciphertext);\n}\n\n/**\n * Re-encrypt data with a new key (for key rotation or export).\n * Decrypts with old key, re-encrypts with new key.\n */\nexport function reEncrypt(\n payload: EncryptedPayload,\n oldKey: Uint8Array,\n newKey: Uint8Array,\n aad?: Uint8Array\n): EncryptedPayload {\n const plaintext = decrypt(payload, oldKey, aad);\n return encrypt(plaintext, newKey, aad);\n}\n","/**\n * Sanctuary MCP Server — L1 Cognitive Sovereignty: StateStore\n *\n * The encrypted state store is the foundation of Sanctuary.\n * Every read and write goes through here. All data is encrypted\n * with namespace-specific keys. 
All writes are signed by an identity.\n * All reads verify integrity via Merkle proofs.\n *\n * Security invariants:\n * - Plaintext never touches the filesystem\n * - Every write gets a unique IV\n * - Every write is signed (non-repudiation)\n * - Monotonic version numbers prevent rollback\n * - Merkle tree verifies namespace integrity\n * - Secure deletion overwrites before unlinking\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport {\n encrypt,\n decrypt,\n type EncryptedPayload,\n} from \"../core/encryption.js\";\nimport {\n hashToString,\n computeMerkleRoot,\n generateMerkleProof,\n verifyMerkleProof,\n} from \"../core/hashing.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { deriveNamespaceKey } from \"../core/key-derivation.js\";\nimport {\n toBase64url,\n fromBase64url,\n stringToBytes,\n bytesToString,\n} from \"../core/encoding.js\";\nimport type { EncryptedPayload as EncPayload } from \"../core/encryption.js\";\n\n/**\n * Reserved namespace prefixes — used by internal subsystems.\n * Imported bundles MUST NOT write to these namespaces.\n */\nconst RESERVED_NAMESPACE_PREFIXES = [\n \"_identities\",\n \"_policies\",\n \"_audit\",\n \"_meta\",\n \"_principal\",\n \"_commitments\",\n \"_reputation\",\n \"_escrow\",\n \"_guarantees\",\n] as const;\n\n/** On-disk format for an encrypted state entry */\nexport interface StateEntry {\n /** Format version */\n v: number;\n /** Encrypted payload */\n payload: EncryptedPayload;\n /** Version number (monotonically increasing) */\n ver: number;\n /** Signature over ciphertext by the writing identity (base64url) */\n sig: string;\n /** Identity that wrote this entry */\n kid: string;\n /** SHA-256 of the plaintext value (base64url, for client-side verification) */\n integrity_hash: string;\n /** Metadata */\n metadata: {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n written_at: string;\n };\n}\n\n/** Result of a state write operation 
*/\nexport interface WriteResult {\n key: string;\n namespace: string;\n version: number;\n merkle_root: string;\n written_at: string;\n size_bytes: number;\n integrity_hash: string;\n}\n\n/** Result of a state read operation */\nexport interface ReadResult {\n key: string;\n namespace: string;\n value: string;\n version: number;\n integrity_verified: boolean;\n merkle_proof: string[];\n written_at: string;\n written_by: string;\n}\n\n/** Options for state write */\nexport interface WriteOptions {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n}\n\nexport class StateStore {\n private storage: StorageBackend;\n private masterKey: Uint8Array;\n\n // Cache of version numbers per namespace/key for anti-rollback\n private versionCache = new Map<string, number>();\n\n // Cache of content hashes per namespace for Merkle tree computation\n private contentHashes = new Map<string, Map<string, string>>();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.masterKey = masterKey;\n }\n\n private versionKey(namespace: string, key: string): string {\n return `${namespace}/${key}`;\n }\n\n /**\n * Get or initialize the content hash map for a namespace.\n */\n private async getNamespaceHashes(\n namespace: string\n ): Promise<Map<string, string>> {\n if (this.contentHashes.has(namespace)) {\n return this.contentHashes.get(namespace)!;\n }\n\n // Load existing entries to build the hash map\n const entries = await this.storage.list(namespace);\n const hashMap = new Map<string, string>();\n\n for (const entry of entries) {\n const raw = await this.storage.read(namespace, entry.key);\n if (raw) {\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n hashMap.set(entry.key, stateEntry.integrity_hash);\n this.versionCache.set(\n this.versionKey(namespace, entry.key),\n stateEntry.ver\n );\n } catch {\n // Corrupted entry — skip it\n }\n }\n }\n\n this.contentHashes.set(namespace, hashMap);\n return 
hashMap;\n }\n\n /**\n * Write encrypted state.\n *\n * @param namespace - Logical grouping\n * @param key - State key\n * @param value - Plaintext value (will be encrypted)\n * @param identityId - Identity performing the write\n * @param encryptedPrivateKey - Identity's encrypted private key (for signing)\n * @param identityEncryptionKey - Key to decrypt the identity's private key\n * @param options - Optional metadata\n */\n async write(\n namespace: string,\n key: string,\n value: string,\n identityId: string,\n encryptedPrivateKey: EncPayload,\n identityEncryptionKey: Uint8Array,\n options: WriteOptions = {}\n ): Promise<WriteResult> {\n const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);\n const plaintext = stringToBytes(value);\n\n // Compute integrity hash of plaintext\n const integrityHash = hashToString(plaintext);\n\n // Encrypt the value\n const payload = encrypt(plaintext, namespaceKey);\n\n // Determine version number (monotonically increasing)\n const vk = this.versionKey(namespace, key);\n const currentVersion = this.versionCache.get(vk) ?? 
0;\n const newVersion = currentVersion + 1;\n\n // Sign the ciphertext (non-repudiation)\n const ciphertextBytes = fromBase64url(payload.ct);\n const signature = sign(\n ciphertextBytes,\n encryptedPrivateKey,\n identityEncryptionKey\n );\n\n const now = new Date().toISOString();\n\n // Construct the state entry\n const stateEntry: StateEntry = {\n v: 1,\n payload,\n ver: newVersion,\n sig: toBase64url(signature),\n kid: identityId,\n integrity_hash: integrityHash,\n metadata: {\n content_type: options.content_type,\n ttl_seconds: options.ttl_seconds,\n tags: options.tags,\n written_at: now,\n },\n };\n\n // Serialize and write to storage\n const serialized = stringToBytes(JSON.stringify(stateEntry));\n await this.storage.write(namespace, key, serialized);\n\n // Update caches\n this.versionCache.set(vk, newVersion);\n const nsHashes = await this.getNamespaceHashes(namespace);\n nsHashes.set(key, integrityHash);\n\n // Compute new Merkle root\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n key,\n namespace,\n version: newVersion,\n merkle_root: merkleRoot,\n written_at: now,\n size_bytes: serialized.length,\n integrity_hash: integrityHash,\n };\n }\n\n /**\n * Read and decrypt state.\n *\n * @param namespace - Logical grouping\n * @param key - State key\n * @param signerPublicKey - Expected signer's public key (for signature verification)\n * @param verifyIntegrity - Whether to verify Merkle proof (default: true)\n */\n async read(\n namespace: string,\n key: string,\n signerPublicKey?: Uint8Array,\n verifyIntegrity = true\n ): Promise<ReadResult | null> {\n const raw = await this.storage.read(namespace, key);\n if (!raw) return null;\n\n let stateEntry: StateEntry;\n try {\n stateEntry = JSON.parse(bytesToString(raw));\n } catch {\n throw new Error(`Corrupted state entry: ${namespace}/${key}`);\n }\n\n if (stateEntry.v !== 1) {\n throw new Error(`Unsupported state entry version: ${stateEntry.v}`);\n }\n\n // Anti-rollback check\n const vk = 
this.versionKey(namespace, key);\n const cachedVersion = this.versionCache.get(vk);\n if (cachedVersion !== undefined && stateEntry.ver < cachedVersion) {\n throw new Error(\n `Rollback detected for ${namespace}/${key}: ` +\n `found version ${stateEntry.ver}, expected >= ${cachedVersion}`\n );\n }\n\n // Verify signature if public key provided\n if (signerPublicKey) {\n const ciphertextBytes = fromBase64url(stateEntry.payload.ct);\n const signatureBytes = fromBase64url(stateEntry.sig);\n const sigValid = verify(ciphertextBytes, signatureBytes, signerPublicKey);\n if (!sigValid) {\n throw new Error(\n `Signature verification failed for ${namespace}/${key}`\n );\n }\n }\n\n // Decrypt\n const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);\n const plaintext = decrypt(stateEntry.payload, namespaceKey);\n const value = bytesToString(plaintext);\n\n // Verify integrity hash\n const computedHash = hashToString(plaintext);\n if (computedHash !== stateEntry.integrity_hash) {\n throw new Error(\n `Integrity hash mismatch for ${namespace}/${key}: ` +\n `computed ${computedHash}, stored ${stateEntry.integrity_hash}`\n );\n }\n\n // Merkle proof verification\n let merkleProofPath: string[] = [];\n let integrityVerified = true;\n\n if (verifyIntegrity) {\n const nsHashes = await this.getNamespaceHashes(namespace);\n const proof = generateMerkleProof(nsHashes, key);\n if (proof) {\n integrityVerified = verifyMerkleProof(proof);\n merkleProofPath = proof.path.map(\n (step) => `${step.position}:${step.hash}`\n );\n }\n }\n\n // Update version cache\n this.versionCache.set(vk, stateEntry.ver);\n\n return {\n key,\n namespace,\n value,\n version: stateEntry.ver,\n integrity_verified: integrityVerified,\n merkle_proof: merkleProofPath,\n written_at: stateEntry.metadata.written_at,\n written_by: stateEntry.kid,\n };\n }\n\n /**\n * List keys in a namespace (metadata only — no decryption).\n */\n async list(\n namespace: string,\n prefix?: string,\n tags?: string[],\n 
limit = 100,\n offset = 0\n ): Promise<{\n keys: Array<{\n key: string;\n version: number;\n size_bytes: number;\n written_at: string;\n tags: string[];\n }>;\n total: number;\n merkle_root: string;\n }> {\n const storageEntries = await this.storage.list(namespace, prefix);\n const result: Array<{\n key: string;\n version: number;\n size_bytes: number;\n written_at: string;\n tags: string[];\n }> = [];\n\n for (const entry of storageEntries) {\n const raw = await this.storage.read(namespace, entry.key);\n if (!raw) continue;\n\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n\n // Filter by tags if specified\n if (tags && tags.length > 0) {\n const entryTags = stateEntry.metadata.tags ?? [];\n const hasMatchingTag = tags.some((t) => entryTags.includes(t));\n if (!hasMatchingTag) continue;\n }\n\n result.push({\n key: entry.key,\n version: stateEntry.ver,\n size_bytes: entry.size_bytes,\n written_at: stateEntry.metadata.written_at,\n tags: stateEntry.metadata.tags ?? 
[],\n });\n } catch {\n // Skip corrupted entries\n }\n }\n\n const nsHashes = await this.getNamespaceHashes(namespace);\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n keys: result.slice(offset, offset + limit),\n total: result.length,\n merkle_root: merkleRoot,\n };\n }\n\n /**\n * Securely delete state (overwrite with random bytes before removal).\n */\n async delete(\n namespace: string,\n key: string\n ): Promise<{\n deleted: boolean;\n key: string;\n namespace: string;\n new_merkle_root: string;\n deleted_at: string;\n }> {\n const deleted = await this.storage.delete(namespace, key, true);\n\n // Update caches\n const vk = this.versionKey(namespace, key);\n this.versionCache.delete(vk);\n const nsHashes = await this.getNamespaceHashes(namespace);\n nsHashes.delete(key);\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n deleted,\n key,\n namespace,\n new_merkle_root: merkleRoot,\n deleted_at: new Date().toISOString(),\n };\n }\n\n /**\n * Export all state for a namespace as an encrypted bundle.\n */\n async export(\n namespace?: string\n ): Promise<{\n bundle: string;\n namespaces: string[];\n total_keys: number;\n bundle_hash: string;\n exported_at: string;\n }> {\n const namespacesToExport: string[] = [];\n\n if (namespace) {\n namespacesToExport.push(namespace);\n } else {\n // Discover all namespaces from the content hash cache\n for (const ns of this.contentHashes.keys()) {\n namespacesToExport.push(ns);\n }\n }\n\n const exportData: Record<\n string,\n Array<{ key: string; entry: StateEntry }>\n > = {};\n let totalKeys = 0;\n\n for (const ns of namespacesToExport) {\n const entries = await this.storage.list(ns);\n exportData[ns] = [];\n\n for (const entry of entries) {\n const raw = await this.storage.read(ns, entry.key);\n if (!raw) continue;\n\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n exportData[ns]!.push({ key: entry.key, entry: stateEntry });\n totalKeys++;\n } catch {\n // Skip 
corrupted entries\n }\n }\n }\n\n const bundleJson = JSON.stringify({\n sanctuary_export_version: 1,\n exported_at: new Date().toISOString(),\n namespaces: namespacesToExport,\n data: exportData,\n });\n\n const bundleBytes = stringToBytes(bundleJson);\n const bundleHash = hashToString(bundleBytes);\n\n return {\n bundle: toBase64url(bundleBytes),\n namespaces: namespacesToExport,\n total_keys: totalKeys,\n bundle_hash: bundleHash,\n exported_at: new Date().toISOString(),\n };\n }\n\n /**\n * Import a previously exported state bundle.\n */\n async import(\n bundleBase64: string,\n conflictResolution: \"skip\" | \"overwrite\" | \"version\" = \"skip\"\n ): Promise<{\n imported_keys: number;\n skipped_keys: number;\n conflicts: number;\n namespaces: string[];\n imported_at: string;\n }> {\n const bundleBytes = fromBase64url(bundleBase64);\n const bundleJson = bytesToString(bundleBytes);\n const bundle = JSON.parse(bundleJson);\n\n let importedKeys = 0;\n let skippedKeys = 0;\n let conflicts = 0;\n const namespaces: string[] = [];\n\n for (const [ns, entries] of Object.entries(\n bundle.data as Record<string, Array<{ key: string; entry: StateEntry }>>\n )) {\n // Namespace firewall: skip reserved namespaces during import\n if (RESERVED_NAMESPACE_PREFIXES.some(\n (prefix) => ns === prefix || ns.startsWith(prefix + \"/\")\n )) {\n skippedKeys += (entries as Array<{ key: string; entry: StateEntry }>).length;\n continue;\n }\n namespaces.push(ns);\n\n for (const { key, entry } of entries) {\n const exists = await this.storage.exists(ns, key);\n\n if (exists) {\n conflicts++;\n if (conflictResolution === \"skip\") {\n skippedKeys++;\n continue;\n }\n if (conflictResolution === \"version\") {\n // Only overwrite if imported version is higher\n const raw = await this.storage.read(ns, key);\n if (raw) {\n try {\n const existingEntry: StateEntry = JSON.parse(\n bytesToString(raw)\n );\n if (entry.ver <= existingEntry.ver) {\n skippedKeys++;\n continue;\n }\n } catch {\n // 
Corrupted existing entry — overwrite\n }\n }\n }\n // conflictResolution === \"overwrite\" falls through\n }\n\n // Write the entry\n const serialized = stringToBytes(JSON.stringify(entry));\n await this.storage.write(ns, key, serialized);\n importedKeys++;\n\n // Update caches\n const vk = this.versionKey(ns, key);\n this.versionCache.set(vk, entry.ver);\n const nsHashes = await this.getNamespaceHashes(ns);\n nsHashes.set(key, entry.integrity_hash);\n }\n }\n\n return {\n imported_keys: importedKeys,\n skipped_keys: skippedKeys,\n conflicts,\n namespaces,\n imported_at: new Date().toISOString(),\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Ed25519 Identity Management\n *\n * Sovereign identity based on Ed25519 keypairs.\n * Private keys are always encrypted at rest — never stored in plaintext.\n *\n * Security invariants:\n * - Private keys never appear in any MCP tool response\n * - Private keys are encrypted with identity-specific keys derived from the master key\n * - Key rotation produces a signed rotation event (verifiable chain)\n */\n\nimport { ed25519 } from \"@noble/curves/ed25519\";\nimport { toBase64url } from \"./encoding.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"./encryption.js\";\nimport { hash } from \"./hashing.js\";\nimport { randomBytes } from \"./random.js\";\n\n/** Public identity information (safe to share) */\nexport interface PublicIdentity {\n identity_id: string;\n label: string;\n public_key: string; // base64url\n did: string; // did:key format\n created_at: string;\n key_type: \"ed25519\";\n key_protection: \"passphrase\" | \"hardware-key\" | \"recovery-key\";\n}\n\n/** Stored identity (private key is encrypted) */\nexport interface StoredIdentity extends PublicIdentity {\n encrypted_private_key: EncryptedPayload;\n /** Previous public keys (for rotation chain verification) */\n rotation_history: Array<{\n old_public_key: string;\n new_public_key: string;\n rotation_event: string; // base64url signed event\n 
rotated_at: string;\n }>;\n}\n\n/** Signed rotation event */\nexport interface RotationEvent {\n old_public_key: string;\n new_public_key: string;\n identity_id: string;\n reason: string;\n rotated_at: string;\n /** Signature over the event by the OLD key (proves the holder authorized rotation) */\n signature: string;\n}\n\n/**\n * Generate a new Ed25519 keypair.\n * Returns both the public identity info and the raw private key (for immediate encryption).\n */\nexport function generateKeypair(): {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n} {\n const privateKey = randomBytes(32);\n const publicKey = ed25519.getPublicKey(privateKey);\n return { publicKey, privateKey };\n}\n\n/**\n * Create a DID from an Ed25519 public key.\n * Uses the did:key method with the Ed25519 multicodec prefix (0xed01).\n */\nexport function publicKeyToDid(publicKey: Uint8Array): string {\n // Multicodec prefix for Ed25519: 0xed 0x01\n const multicodec = new Uint8Array([0xed, 0x01, ...publicKey]);\n // did:key uses base58btc multibase encoding, but for simplicity\n // we use the base64url representation which is equally valid\n // in the broader DID ecosystem\n return `did:key:z${toBase64url(multicodec)}`;\n}\n\n/**\n * Generate a unique identity ID.\n * Derived from the public key hash for deterministic mapping.\n */\nexport function generateIdentityId(publicKey: Uint8Array): string {\n const keyHash = hash(publicKey);\n // First 16 bytes of SHA-256(pubkey) as hex — short, unique, deterministic\n return Array.from(keyHash.slice(0, 16))\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Create a new identity with encrypted private key storage.\n *\n * @param label - Human-readable label\n * @param encryptionKey - Key to encrypt the private key with (from master key derivation)\n * @param keyProtection - How the master key is protected\n * @returns Public identity info and the stored identity (for persistence)\n */\nexport function createIdentity(\n label: 
string,\n encryptionKey: Uint8Array,\n keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\"\n): { publicIdentity: PublicIdentity; storedIdentity: StoredIdentity } {\n const { publicKey, privateKey } = generateKeypair();\n const identityId = generateIdentityId(publicKey);\n const did = publicKeyToDid(publicKey);\n const now = new Date().toISOString();\n\n // Encrypt the private key for storage\n const encryptedPrivateKey = encrypt(privateKey, encryptionKey);\n\n // Zero out the raw private key in memory\n privateKey.fill(0);\n\n const publicIdentity: PublicIdentity = {\n identity_id: identityId,\n label,\n public_key: toBase64url(publicKey),\n did,\n created_at: now,\n key_type: \"ed25519\",\n key_protection: keyProtection,\n };\n\n const storedIdentity: StoredIdentity = {\n ...publicIdentity,\n encrypted_private_key: encryptedPrivateKey,\n rotation_history: [],\n };\n\n return { publicIdentity, storedIdentity };\n}\n\n/**\n * Sign data with an identity's private key.\n *\n * @param payload - Data to sign (bytes)\n * @param encryptedPrivateKey - The encrypted private key from storage\n * @param encryptionKey - Key to decrypt the private key\n * @returns Ed25519 signature\n */\nexport function sign(\n payload: Uint8Array,\n encryptedPrivateKey: EncryptedPayload,\n encryptionKey: Uint8Array\n): Uint8Array {\n // Decrypt the private key\n const privateKey = decrypt(encryptedPrivateKey, encryptionKey);\n\n try {\n return ed25519.sign(payload, privateKey);\n } finally {\n // Zero out the private key from memory\n privateKey.fill(0);\n }\n}\n\n/**\n * Verify an Ed25519 signature.\n *\n * @param payload - Original data that was signed\n * @param signature - The signature to verify\n * @param publicKey - The signer's public key\n * @returns true if signature is valid\n */\nexport function verify(\n payload: Uint8Array,\n signature: Uint8Array,\n publicKey: Uint8Array\n): boolean {\n try {\n return ed25519.verify(signature, payload, publicKey);\n } catch {\n 
return false;\n }\n}\n\n/**\n * Rotate an identity's keys.\n * Generates a new keypair, signs a rotation event with the old key,\n * and returns the updated stored identity.\n *\n * @param storedIdentity - Current stored identity\n * @param encryptionKey - Key to decrypt/re-encrypt private keys\n * @param reason - Reason for rotation (audit trail)\n * @returns Updated stored identity with new keys and rotation history\n */\nexport function rotateKeys(\n storedIdentity: StoredIdentity,\n encryptionKey: Uint8Array,\n reason: string\n): { updatedIdentity: StoredIdentity; rotationEvent: RotationEvent } {\n const { publicKey: newPublicKey, privateKey: newPrivateKey } =\n generateKeypair();\n const newIdentityDid = publicKeyToDid(newPublicKey);\n const now = new Date().toISOString();\n\n // Create rotation event\n const eventData = JSON.stringify({\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n identity_id: storedIdentity.identity_id,\n reason,\n rotated_at: now,\n });\n\n // Sign the rotation event with the OLD key (proves authorization)\n const eventBytes = new TextEncoder().encode(eventData);\n const signature = sign(\n eventBytes,\n storedIdentity.encrypted_private_key,\n encryptionKey\n );\n\n const rotationEvent: RotationEvent = {\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n identity_id: storedIdentity.identity_id,\n reason,\n rotated_at: now,\n signature: toBase64url(signature),\n };\n\n // Encrypt the new private key\n const encryptedNewPrivateKey = encrypt(newPrivateKey, encryptionKey);\n newPrivateKey.fill(0);\n\n const updatedIdentity: StoredIdentity = {\n ...storedIdentity,\n public_key: toBase64url(newPublicKey),\n did: newIdentityDid,\n encrypted_private_key: encryptedNewPrivateKey,\n rotation_history: [\n ...storedIdentity.rotation_history,\n {\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n rotation_event: toBase64url(\n 
new TextEncoder().encode(JSON.stringify(rotationEvent))\n ),\n rotated_at: now,\n },\n ],\n };\n\n return { updatedIdentity, rotationEvent };\n}\n","/**\n * Sanctuary MCP Server — Key Derivation\n *\n * Two-tier key derivation:\n * 1. Master key from passphrase via Argon2id (memory-hard, GPU-resistant)\n * 2. Namespace keys from master key via HKDF-SHA256\n *\n * This ensures:\n * - Passphrase brute-force is expensive (Argon2id)\n * - Compromise of one namespace key doesn't expose others (HKDF domain separation)\n */\n\nimport { argon2id } from \"hash-wasm\";\nimport { hkdf } from \"@noble/hashes/hkdf\";\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { generateSalt } from \"./random.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"./encoding.js\";\n\n/** Argon2id parameters per OWASP recommendation (2024) */\nconst ARGON2_MEMORY_COST = 65536; // 64 MiB\nconst ARGON2_TIME_COST = 3; // 3 iterations\nconst ARGON2_PARALLELISM = 4; // 4 lanes\nconst ARGON2_HASH_LENGTH = 32; // 256-bit output\n\n/** Stored key derivation parameters (for re-deriving the master key) */\nexport interface KeyDerivationParams {\n /** Algorithm */\n alg: \"argon2id\";\n /** Salt (base64url) */\n salt: string;\n /** Memory cost in KiB */\n m: number;\n /** Time cost (iterations) */\n t: number;\n /** Parallelism */\n p: number;\n /** Output length in bytes */\n l: number;\n}\n\n/**\n * Derive a master key from a passphrase using Argon2id.\n *\n * @param passphrase - User's passphrase\n * @param existingParams - If re-deriving, use the stored params (same salt)\n * @returns The derived key and the parameters used (store the params, never the key)\n */\nexport async function deriveMasterKey(\n passphrase: string,\n existingParams?: KeyDerivationParams\n): Promise<{ key: Uint8Array; params: KeyDerivationParams }> {\n const salt = existingParams\n ? fromBase64url(existingParams.salt)\n : generateSalt();\n\n const params: KeyDerivationParams = existingParams ?? 
{\n alg: \"argon2id\",\n salt: toBase64url(salt),\n m: ARGON2_MEMORY_COST,\n t: ARGON2_TIME_COST,\n p: ARGON2_PARALLELISM,\n l: ARGON2_HASH_LENGTH,\n };\n\n const hashHex = await argon2id({\n password: passphrase,\n salt,\n parallelism: params.p,\n iterations: params.t,\n memorySize: params.m,\n hashLength: params.l,\n outputType: \"hex\",\n });\n\n // Convert hex to bytes\n const key = new Uint8Array(params.l);\n for (let i = 0; i < params.l; i++) {\n key[i] = parseInt(hashHex.substring(i * 2, i * 2 + 2), 16);\n }\n\n return { key, params };\n}\n\n/**\n * Derive a namespace-specific encryption key from the master key via HKDF-SHA256.\n *\n * Each namespace gets its own 256-bit key derived from the master key.\n * Compromise of one namespace key does not expose other namespaces.\n *\n * @param masterKey - The master key (from Argon2id or recovery key)\n * @param namespace - The namespace name (used as HKDF info)\n * @returns 256-bit namespace key\n */\nexport function deriveNamespaceKey(\n masterKey: Uint8Array,\n namespace: string\n): Uint8Array {\n if (masterKey.length !== 32) {\n throw new Error(\"Master key must be 32 bytes\");\n }\n\n return hkdf(\n sha256,\n masterKey,\n stringToBytes(\"sanctuary-namespace-v1\"), // salt (fixed, acts as domain separator)\n stringToBytes(namespace), // info (namespace name)\n 32 // output length: 256 bits\n );\n}\n\n/**\n * Derive a key for a specific purpose from the master key.\n * Used for identity key encryption, audit log encryption, etc.\n *\n * @param masterKey - The master key\n * @param purpose - Purpose string (e.g., \"identity-encryption\", \"audit-log\")\n * @returns 256-bit purpose-specific key\n */\nexport function derivePurposeKey(\n masterKey: Uint8Array,\n purpose: string\n): Uint8Array {\n if (masterKey.length !== 32) {\n throw new Error(\"Master key must be 32 bytes\");\n }\n\n return hkdf(\n sha256,\n masterKey,\n stringToBytes(\"sanctuary-purpose-v1\"),\n stringToBytes(purpose),\n 32\n );\n}\n","/**\n * 
Sanctuary MCP Server — Tool Router\n *\n * Routes sanctuary/* tool calls to their layer-specific handlers.\n * Every tool call passes through schema validation and the ApprovalGate\n * (if configured) before execution. Neither can be bypassed.\n *\n * This module is the abstraction boundary for MCP SDK version migration —\n * if the SDK API changes, only this module needs updating.\n */\n\nimport { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\nimport {\n CallToolRequestSchema,\n ListToolsRequestSchema,\n} from \"@modelcontextprotocol/sdk/types.js\";\nimport type { ApprovalGate } from \"./principal-policy/gate.js\";\n\n/** Tool handler function signature */\nexport type ToolHandler = (\n args: Record<string, unknown>\n) => Promise<{ content: Array<{ type: \"text\"; text: string }> }>;\n\n/** Tool definition for registration */\nexport interface ToolDefinition {\n name: string;\n description: string;\n inputSchema: Record<string, unknown>;\n handler: ToolHandler;\n}\n\n/** Options for server creation */\nexport interface ServerOptions {\n /** Approval gate — if provided, every tool call is evaluated before execution */\n gate?: ApprovalGate;\n}\n\n// ── Schema Validation ──────────────────────────────────────────────────\n// Lightweight JSON Schema validation for tool arguments.\n// Enforces: required fields, type checks, unknown field rejection,\n// and size caps on string arguments (defense against DoS via oversized payloads).\n\n/** Maximum byte length for any single string argument (1 MB) */\nconst MAX_STRING_BYTES = 1_048_576;\n\n/** Maximum byte length for base64 bundle arguments (5 MB) */\nconst MAX_BUNDLE_BYTES = 5_242_880;\n\n/** Fields known to carry base64 bundles — get the larger size cap */\nconst BUNDLE_FIELDS = new Set([\"bundle\"]);\n\ninterface SchemaProperty {\n type?: string;\n properties?: Record<string, SchemaProperty>;\n required?: string[];\n items?: SchemaProperty;\n enum?: unknown[];\n default?: unknown;\n}\n\ninterface 
ValidationError {\n field: string;\n message: string;\n}\n\n/**\n * Validate tool arguments against the tool's declared inputSchema.\n * Returns an array of validation errors (empty = valid).\n */\nfunction validateArgs(\n args: Record<string, unknown>,\n schema: Record<string, unknown>\n): ValidationError[] {\n const errors: ValidationError[] = [];\n const properties = (schema.properties ?? {}) as Record<string, SchemaProperty>;\n const required = (schema.required ?? []) as string[];\n\n // Check required fields\n for (const field of required) {\n if (args[field] === undefined || args[field] === null) {\n errors.push({ field, message: `Required field \"${field}\" is missing` });\n }\n }\n\n // Check for unknown fields (reject extra fields not in schema)\n const knownFields = new Set(Object.keys(properties));\n for (const field of Object.keys(args)) {\n if (!knownFields.has(field)) {\n errors.push({ field, message: `Unknown field \"${field}\"` });\n }\n }\n\n // Type-check and size-check each provided field\n for (const [field, value] of Object.entries(args)) {\n if (value === undefined || value === null) continue;\n const propSchema = properties[field];\n if (!propSchema) continue; // Already flagged as unknown above\n\n const typeError = checkType(field, value, propSchema);\n if (typeError) {\n errors.push(typeError);\n continue;\n }\n\n // String size caps\n if (typeof value === \"string\") {\n const maxBytes = BUNDLE_FIELDS.has(field) ? 
MAX_BUNDLE_BYTES : MAX_STRING_BYTES;\n // Use byte length, not string length, for accurate size checking\n const byteLength = new TextEncoder().encode(value).length;\n if (byteLength > maxBytes) {\n errors.push({\n field,\n message: `Field \"${field}\" exceeds maximum size (${byteLength} bytes > ${maxBytes} bytes)`,\n });\n }\n }\n\n // Enum validation\n if (propSchema.enum && !propSchema.enum.includes(value)) {\n errors.push({\n field,\n message: `Field \"${field}\" must be one of: ${propSchema.enum.join(\", \")}`,\n });\n }\n }\n\n return errors;\n}\n\n/**\n * Check whether a value matches the declared JSON Schema type.\n */\nfunction checkType(\n field: string,\n value: unknown,\n schema: SchemaProperty\n): ValidationError | null {\n if (!schema.type) return null;\n\n switch (schema.type) {\n case \"string\":\n if (typeof value !== \"string\") {\n return { field, message: `Expected string for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"number\":\n if (typeof value !== \"number\") {\n return { field, message: `Expected number for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"boolean\":\n if (typeof value !== \"boolean\") {\n return { field, message: `Expected boolean for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"object\":\n if (typeof value !== \"object\" || Array.isArray(value)) {\n return { field, message: `Expected object for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"array\":\n if (!Array.isArray(value)) {\n return { field, message: `Expected array for \"${field}\", got ${typeof value}` };\n }\n break;\n }\n return null;\n}\n\n/**\n * Create the MCP server with all Sanctuary tools registered.\n * If an ApprovalGate is provided, it wraps every tool call.\n */\nexport function createServer(\n tools: ToolDefinition[],\n options?: ServerOptions\n): Server {\n const gate = options?.gate;\n\n const server = new Server(\n {\n name: \"sanctuary-mcp-server\",\n version: \"0.2.0\",\n },\n {\n 
capabilities: {\n tools: {},\n },\n }\n );\n\n // Register tool listing\n server.setRequestHandler(ListToolsRequestSchema, async () => {\n return {\n tools: tools.map((t) => ({\n name: t.name,\n description: t.description,\n inputSchema: t.inputSchema,\n })),\n };\n });\n\n // Register tool execution — validation + gate sit between router and handler\n server.setRequestHandler(CallToolRequestSchema, async (request) => {\n const { name, arguments: args } = request.params;\n const typedArgs = (args ?? {}) as Record<string, unknown>;\n\n const tool = tools.find((t) => t.name === name);\n if (!tool) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({ error: `Unknown tool: ${name}` }),\n },\n ],\n isError: true,\n };\n }\n\n // ── Schema Validation ────────────────────────────────────────────\n // Validate arguments against the tool's declared inputSchema.\n // This runs BEFORE the gate so that the gate sees normalized args.\n const validationErrors = validateArgs(typedArgs, tool.inputSchema);\n if (validationErrors.length > 0) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n error: \"validation_failed\",\n message: \"Tool arguments failed schema validation\",\n violations: validationErrors,\n }),\n },\n ],\n isError: true,\n };\n }\n\n // ── Approval Gate ──────────────────────────────────────────────\n // If a gate is configured, every tool call must pass through it.\n // Denied calls return a generic error that does not reveal policy.\n if (gate) {\n const result = await gate.evaluate(name, typedArgs);\n if (!result.allowed) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n error: \"Operation not permitted\",\n approval_required: result.approval_required,\n }),\n },\n ],\n isError: true,\n };\n }\n }\n\n try {\n return await tool.handler(typedArgs);\n } catch (err) {\n const message =\n err instanceof Error ? 
err.message : \"Unknown error\";\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({ error: message }),\n },\n ],\n isError: true,\n };\n }\n });\n\n return server;\n}\n\n/**\n * Helper to create a successful tool response.\n */\nexport function toolResult(\n data: object\n): { content: Array<{ type: \"text\"; text: string }> } {\n return {\n content: [{ type: \"text\" as const, text: JSON.stringify(data, null, 2) }],\n };\n}\n","/**\n * Sanctuary MCP Server — L1 Cognitive Sovereignty: Tool Definitions\n *\n * MCP tool wrappers for StateStore and IdentityRoot operations.\n * These tools are the public API that agents interact with.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { StateStore } from \"./state-store.js\";\nimport {\n createIdentity,\n rotateKeys,\n sign as identitySign,\n verify as identityVerify,\n type StoredIdentity,\n type PublicIdentity,\n} from \"../core/identity.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport {\n toBase64url,\n fromBase64url,\n stringToBytes,\n} from \"../core/encoding.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt } from \"../core/encryption.js\";\nimport { bytesToString } from \"../core/encoding.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\n/**\n * Reserved namespace prefixes — used by internal subsystems.\n * Agent-facing state tools MUST reject writes/deletes/imports to these namespaces.\n * Reads are allowed (transparency), but mutations are firewalled.\n */\nconst RESERVED_NAMESPACE_PREFIXES = [\n \"_identities\",\n \"_policies\",\n \"_audit\",\n \"_meta\",\n \"_principal\",\n \"_commitments\",\n \"_reputation\",\n \"_escrow\",\n \"_guarantees\",\n] as const;\n\n/**\n * Check whether a namespace is reserved for internal use.\n * Returns the matching reserved prefix, or null if the namespace is safe.\n */\nfunction 
getReservedNamespaceViolation(namespace: string): string | null {\n for (const prefix of RESERVED_NAMESPACE_PREFIXES) {\n if (namespace === prefix || namespace.startsWith(prefix + \"/\")) {\n return prefix;\n }\n }\n return null;\n}\n\n/** Manages all identities — provides storage and retrieval */\nexport class IdentityManager {\n private storage: StorageBackend;\n private masterKey: Uint8Array;\n private identities = new Map<string, StoredIdentity>();\n private primaryIdentityId: string | null = null;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.masterKey = masterKey;\n }\n\n private get encryptionKey(): Uint8Array {\n return derivePurposeKey(this.masterKey, \"identity-encryption\");\n }\n\n /** Load identities from storage on startup */\n async load(): Promise<void> {\n const entries = await this.storage.list(\"_identities\");\n for (const entry of entries) {\n const raw = await this.storage.read(\"_identities\", entry.key);\n if (!raw) continue;\n try {\n const encrypted = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const identity: StoredIdentity = JSON.parse(bytesToString(decrypted));\n this.identities.set(identity.identity_id, identity);\n if (!this.primaryIdentityId) {\n this.primaryIdentityId = identity.identity_id;\n }\n } catch {\n // Skip corrupted identities\n }\n }\n }\n\n /** Save an identity to storage */\n async save(identity: StoredIdentity): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(identity));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_identities\",\n identity.identity_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n this.identities.set(identity.identity_id, identity);\n if (!this.primaryIdentityId) {\n this.primaryIdentityId = identity.identity_id;\n }\n }\n\n get(id: string): StoredIdentity | undefined {\n return this.identities.get(id);\n }\n\n getDefault(): 
StoredIdentity | undefined {\n if (!this.primaryIdentityId) return undefined;\n return this.identities.get(this.primaryIdentityId);\n }\n\n list(): PublicIdentity[] {\n return Array.from(this.identities.values()).map((si) => ({\n identity_id: si.identity_id,\n label: si.label,\n public_key: si.public_key,\n did: si.did,\n created_at: si.created_at,\n key_type: si.key_type,\n key_protection: si.key_protection,\n }));\n }\n}\n\n/**\n * Create all L1 tool definitions.\n */\nexport function createL1Tools(\n stateStore: StateStore,\n storage: StorageBackend,\n masterKey: Uint8Array,\n keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\",\n auditLog?: AuditLog\n): { tools: ToolDefinition[]; identityManager: IdentityManager } {\n const identityMgr = new IdentityManager(storage, masterKey);\n const identityEncKey = derivePurposeKey(masterKey, \"identity-encryption\");\n\n // Helper to get identity or throw\n function resolveIdentity(identityId?: string): StoredIdentity {\n const id = identityId\n ? identityMgr.get(identityId)\n : identityMgr.getDefault();\n if (!id) {\n throw new Error(\n identityId\n ? `Identity not found: ${identityId}`\n : \"No default identity. Create one with sanctuary/identity_create.\"\n );\n }\n return id;\n }\n\n const tools: ToolDefinition[] = [\n // ── Identity Tools ──────────────────────────────────────────────────\n\n {\n name: \"sanctuary/identity_create\",\n description:\n \"Create a new sovereign identity (Ed25519 keypair). 
\" +\n \"The private key is encrypted and never exposed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n label: {\n type: \"string\",\n description: 'Human-readable label (e.g., \"my-agent\")',\n },\n },\n required: [\"label\"],\n },\n handler: async (args) => {\n const label = args.label as string;\n const { publicIdentity, storedIdentity } = createIdentity(\n label,\n identityEncKey,\n keyProtection\n );\n await identityMgr.save(storedIdentity);\n\n auditLog?.append(\"l1\", \"identity_create\", publicIdentity.identity_id, {\n label,\n });\n\n // If key_protection is \"none\", generate and show recovery key\n // (In practice, the recovery key is the master key itself,\n // which was generated at server init and shown once)\n return toolResult({\n identity_id: publicIdentity.identity_id,\n public_key: publicIdentity.public_key,\n did: publicIdentity.did,\n created_at: publicIdentity.created_at,\n key_type: publicIdentity.key_type,\n key_protection: publicIdentity.key_protection,\n backed_up: false,\n });\n },\n },\n\n {\n name: \"sanctuary/identity_list\",\n description: \"List all managed sovereign identities.\",\n inputSchema: {\n type: \"object\",\n properties: {\n filter: {\n type: \"object\",\n properties: {\n label: { type: \"string\" },\n },\n },\n },\n },\n handler: async (args) => {\n let identities = identityMgr.list();\n const filter = args.filter as { label?: string } | undefined;\n if (filter?.label) {\n identities = identities.filter((i) =>\n i.label.includes(filter.label!)\n );\n }\n return toolResult({ identities });\n },\n },\n\n {\n name: \"sanctuary/identity_sign\",\n description:\n \"Sign data with a managed identity. 
\" +\n \"The private key is decrypted in memory only during signing.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: { type: \"string\" },\n payload: {\n type: \"string\",\n description: \"Base64url-encoded data to sign\",\n },\n },\n required: [\"payload\"],\n },\n handler: async (args) => {\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const payloadStr = args.payload as string;\n\n // Accept either base64url-encoded bytes or plain text\n let payload: Uint8Array;\n try {\n payload = fromBase64url(payloadStr);\n } catch {\n payload = stringToBytes(payloadStr);\n }\n\n const signature = identitySign(\n payload,\n identity.encrypted_private_key,\n identityEncKey\n );\n\n auditLog?.append(\"l1\", \"identity_sign\", identity.identity_id);\n\n return toolResult({\n signature: toBase64url(signature),\n algorithm: \"Ed25519\",\n signed_at: new Date().toISOString(),\n public_key: identity.public_key,\n payload_encoding: \"base64url\",\n });\n },\n },\n\n {\n name: \"sanctuary/identity_verify\",\n description:\n \"Verify an Ed25519 signature. 
Provide either identity_id or public_key.\",\n inputSchema: {\n type: \"object\",\n properties: {\n payload: {\n type: \"string\",\n description: \"Original data (plain text or base64url-encoded)\",\n },\n signature: { type: \"string\", description: \"Base64url signature\" },\n identity_id: {\n type: \"string\",\n description: \"Identity ID to look up public key (alternative to public_key)\",\n },\n public_key: {\n type: \"string\",\n description: \"Base64url public key (alternative to identity_id)\",\n },\n },\n required: [\"payload\", \"signature\"],\n },\n handler: async (args) => {\n const payloadStr = args.payload as string;\n\n // Accept either base64url-encoded bytes or plain text\n let payload: Uint8Array;\n try {\n payload = fromBase64url(payloadStr);\n } catch {\n payload = stringToBytes(payloadStr);\n }\n\n const signature = fromBase64url(args.signature as string);\n\n // Resolve public key from identity_id or direct public_key param\n let publicKey: Uint8Array;\n if (args.identity_id) {\n const identity = resolveIdentity(args.identity_id as string);\n publicKey = fromBase64url(identity.public_key);\n } else if (args.public_key) {\n publicKey = fromBase64url(args.public_key as string);\n } else {\n return toolResult({\n error: \"Provide either identity_id or public_key for verification.\",\n });\n }\n\n const valid = identityVerify(payload, signature, publicKey);\n\n return toolResult({\n valid,\n verified_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/identity_rotate\",\n description:\n \"Rotate keys for an identity. Generates a new keypair and \" +\n \"signs a rotation event with the old key for verifiable chain.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: { type: \"string\" },\n reason: { type: \"string\" },\n },\n required: [\"identity_id\"],\n },\n handler: async (args) => {\n const identity = resolveIdentity(args.identity_id as string);\n const reason = (args.reason as string) ?? 
\"Key rotation\";\n\n const { updatedIdentity, rotationEvent } = rotateKeys(\n identity,\n identityEncKey,\n reason\n );\n await identityMgr.save(updatedIdentity);\n\n auditLog?.append(\"l1\", \"identity_rotate\", identity.identity_id, {\n reason,\n });\n\n return toolResult({\n identity_id: updatedIdentity.identity_id,\n old_public_key: rotationEvent.old_public_key,\n new_public_key: rotationEvent.new_public_key,\n new_did: updatedIdentity.did,\n rotated_at: rotationEvent.rotated_at,\n });\n },\n },\n\n // ── State Tools ─────────────────────────────────────────────────────\n\n {\n name: \"sanctuary/state_write\",\n description:\n \"Write encrypted state to the sovereign store. \" +\n \"Value is encrypted with a namespace-specific key. \" +\n \"The write is signed by the active identity.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: {\n type: \"string\",\n description: 'Logical grouping (e.g., \"memory\", \"config\")',\n },\n key: { type: \"string\", description: \"State key within namespace\" },\n value: {\n type: \"string\",\n description: \"Plaintext value (encrypted before storage)\",\n },\n metadata: {\n type: \"object\",\n properties: {\n content_type: { type: \"string\" },\n ttl_seconds: { type: \"number\" },\n tags: { type: \"array\", items: { type: \"string\" } },\n },\n },\n identity_id: { type: \"string\" },\n },\n required: [\"namespace\", \"key\", \"value\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject writes to reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). 
Choose a different namespace.`,\n });\n }\n\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const metadata = args.metadata as {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n } | undefined;\n\n const result = await stateStore.write(\n args.namespace as string,\n args.key as string,\n args.value as string,\n identity.identity_id,\n identity.encrypted_private_key,\n identityEncKey,\n {\n content_type: metadata?.content_type,\n ttl_seconds: metadata?.ttl_seconds,\n tags: metadata?.tags,\n }\n );\n\n auditLog?.append(\"l1\", \"state_write\", identity.identity_id, {\n namespace: args.namespace,\n key: args.key,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_read\",\n description:\n \"Read and decrypt state from the sovereign store. \" +\n \"Verifies integrity via Merkle proof and signature.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n key: { type: \"string\" },\n verify_integrity: { type: \"boolean\", default: true },\n },\n required: [\"namespace\", \"key\"],\n },\n handler: async (args) => {\n const result = await stateStore.read(\n args.namespace as string,\n args.key as string,\n undefined, // Skip signature verification for now (would need writer's pubkey)\n args.verify_integrity as boolean ?? 
true\n );\n\n if (!result) {\n return toolResult({\n error: \"not_found\",\n namespace: args.namespace,\n key: args.key,\n });\n }\n\n auditLog?.append(\"l1\", \"state_read\", result.written_by, {\n namespace: args.namespace,\n key: args.key,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_list\",\n description:\n \"List keys in a namespace (metadata only — no decryption).\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n prefix: { type: \"string\" },\n tags: { type: \"array\", items: { type: \"string\" } },\n limit: { type: \"number\", default: 100 },\n offset: { type: \"number\", default: 0 },\n },\n required: [\"namespace\"],\n },\n handler: async (args) => {\n const result = await stateStore.list(\n args.namespace as string,\n args.prefix as string | undefined,\n args.tags as string[] | undefined,\n (args.limit as number) ?? 100,\n (args.offset as number) ?? 0\n );\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_delete\",\n description:\n \"Securely delete state. Overwrites file with random bytes \" +\n \"before removal (right to deletion, S1.6).\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n key: { type: \"string\" },\n reason: { type: \"string\" },\n },\n required: [\"namespace\", \"key\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject deletes from reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). 
Cannot delete from reserved namespaces.`,\n });\n }\n\n const result = await stateStore.delete(\n args.namespace as string,\n args.key as string\n );\n\n auditLog?.append(\"l1\", \"state_delete\", \"principal\", {\n namespace: args.namespace,\n key: args.key,\n reason: args.reason,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_export\",\n description:\n \"Export state as an encrypted, portable bundle for migration.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n format: { type: \"string\", default: \"sanctuary-v1\" },\n },\n },\n handler: async (args) => {\n const result = await stateStore.export(\n args.namespace as string | undefined\n );\n\n auditLog?.append(\"l1\", \"state_export\", \"principal\", {\n namespaces: result.namespaces,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_import\",\n description: \"Import a previously exported state bundle.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bundle: { type: \"string\", description: \"Base64url-encoded bundle\" },\n conflict_resolution: {\n type: \"string\",\n enum: [\"skip\", \"overwrite\", \"version\"],\n default: \"skip\",\n },\n },\n required: [\"bundle\"],\n },\n handler: async (args) => {\n const result = await stateStore.import(\n args.bundle as string,\n (args.conflict_resolution as \"skip\" | \"overwrite\" | \"version\") ??\n \"skip\"\n );\n\n auditLog?.append(\"l1\", \"state_import\", \"principal\", {\n imported_keys: result.imported_keys,\n });\n\n return toolResult(result);\n },\n },\n ];\n\n return { tools, identityManager: identityMgr };\n}\n","/**\n * Sanctuary MCP Server — L2 Operational Isolation: Audit Log\n *\n * Append-only log of all sovereignty-relevant operations.\n * Stored encrypted under L1 sovereignty.\n *\n * Every tool invocation that modifies state, generates proofs,\n * or records reputation produces an audit entry. 
The human principal\n * can inspect what their agent has done.\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString } from \"../core/encoding.js\";\n\nexport interface AuditEntry {\n timestamp: string;\n layer: \"l1\" | \"l2\" | \"l3\" | \"l4\";\n operation: string;\n identity_id: string;\n result: \"success\" | \"failure\";\n details?: Record<string, unknown>;\n}\n\nexport class AuditLog {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private entries: AuditEntry[] = [];\n private counter = 0;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"audit-log\");\n }\n\n /**\n * Append an audit entry.\n */\n append(\n layer: AuditEntry[\"layer\"],\n operation: string,\n identityId: string,\n details?: Record<string, unknown>,\n result: \"success\" | \"failure\" = \"success\"\n ): void {\n const entry: AuditEntry = {\n timestamp: new Date().toISOString(),\n layer,\n operation,\n identity_id: identityId,\n result,\n details,\n };\n\n this.entries.push(entry);\n\n // Async persist (fire-and-forget for performance; entries are also in memory)\n this.persistEntry(entry).catch(() => {\n // Persistence failure is logged but doesn't block the operation\n });\n }\n\n private async persistEntry(entry: AuditEntry): Promise<void> {\n const key = `${Date.now()}-${this.counter++}`;\n const serialized = stringToBytes(JSON.stringify(entry));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_audit\",\n key,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n /**\n * Query the audit log with filtering.\n */\n async query(options: {\n since?: string;\n layer?: AuditEntry[\"layer\"];\n operation_type?: string;\n limit?: 
number;\n }): Promise<{ entries: AuditEntry[]; total: number }> {\n // First, try to load persisted entries we don't have in memory\n await this.loadPersistedEntries();\n\n let filtered = this.entries;\n\n if (options.since) {\n const sinceDate = new Date(options.since);\n filtered = filtered.filter(\n (e) => new Date(e.timestamp) >= sinceDate\n );\n }\n if (options.layer) {\n filtered = filtered.filter((e) => e.layer === options.layer);\n }\n if (options.operation_type) {\n filtered = filtered.filter(\n (e) => e.operation === options.operation_type\n );\n }\n\n const total = filtered.length;\n const limit = options.limit ?? 50;\n const entries = filtered.slice(-limit); // Most recent entries\n\n return { entries, total };\n }\n\n private async loadPersistedEntries(): Promise<void> {\n try {\n const storedEntries = await this.storage.list(\"_audit\");\n for (const meta of storedEntries) {\n const raw = await this.storage.read(\"_audit\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const entry: AuditEntry = JSON.parse(bytesToString(decrypted));\n\n // Deduplicate (check if we already have this timestamp+operation)\n const isDuplicate = this.entries.some(\n (e) =>\n e.timestamp === entry.timestamp &&\n e.operation === entry.operation &&\n e.identity_id === entry.identity_id\n );\n if (!isDuplicate) {\n this.entries.push(entry);\n }\n } catch {\n // Skip corrupted entries\n }\n }\n\n // Sort by timestamp\n this.entries.sort(\n (a, b) =>\n new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()\n );\n } catch {\n // Storage not available yet — that's fine\n }\n }\n\n /**\n * Get total number of entries.\n */\n get size(): number {\n return this.entries.length;\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Commitment Schemes\n *\n * Cryptographic commitments allow an agent to commit to a value\n * without 
revealing it, then later prove what was committed.\n *\n * This is the MVS approach to selective disclosure — simpler than\n * full ZK proofs but still cryptographically sound. The commitment\n * is SHA-256(value || blinding_factor), which is:\n * - Hiding: the commitment reveals nothing about the value\n * - Binding: the committer cannot change the value after committing\n *\n * Security invariants:\n * - Blinding factors are cryptographically random (32 bytes)\n * - Commitments are stored encrypted under L1 sovereignty\n * - Revealed values are verified via constant-time comparison\n */\n\nimport { hash } from \"../core/hashing.js\";\nimport { toBase64url, fromBase64url, stringToBytes, concatBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { bytesToString } from \"../core/encoding.js\";\n\n/** A cryptographic commitment */\nexport interface Commitment {\n /** The commitment hash: SHA-256(value || blinding_factor) as base64url */\n commitment: string;\n /** The blinding factor (must be stored securely for later reveal) */\n blinding_factor: string;\n /** When the commitment was created */\n committed_at: string;\n}\n\n/** Stored commitment metadata (encrypted at rest) */\nexport interface StoredCommitment {\n commitment: string;\n blinding_factor: string;\n value: string;\n committed_at: string;\n revealed: boolean;\n revealed_at?: string;\n}\n\n/**\n * Create a cryptographic commitment to a value.\n *\n * @param value - The value to commit to\n * @param blindingFactor - Optional blinding factor (auto-generated if omitted)\n * @returns The commitment and blinding factor\n */\nexport function createCommitment(\n value: string,\n blindingFactor?: string\n): Commitment {\n // Generate or decode the blinding 
factor\n const blindingBytes = blindingFactor\n ? fromBase64url(blindingFactor)\n : randomBytes(32);\n\n // Commitment = SHA-256(value_bytes || blinding_bytes)\n const valueBytes = stringToBytes(value);\n const combined = concatBytes(valueBytes, blindingBytes);\n const commitmentHash = hash(combined);\n\n return {\n commitment: toBase64url(commitmentHash),\n blinding_factor: toBase64url(blindingBytes),\n committed_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a commitment against a revealed value and blinding factor.\n *\n * @param commitment - The original commitment hash\n * @param value - The revealed value\n * @param blindingFactor - The revealed blinding factor\n * @returns true if the reveal matches the commitment\n */\nexport function verifyCommitment(\n commitment: string,\n value: string,\n blindingFactor: string\n): boolean {\n const blindingBytes = fromBase64url(blindingFactor);\n const valueBytes = stringToBytes(value);\n const combined = concatBytes(valueBytes, blindingBytes);\n const expectedHash = toBase64url(hash(combined));\n\n // Use string comparison (the hash output is already fixed-length)\n return commitment === expectedHash;\n}\n\n/**\n * Commitment store — manages commitments encrypted under L1 sovereignty.\n */\nexport class CommitmentStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l3-commitments\");\n }\n\n /**\n * Store a commitment (encrypted) for later reference.\n */\n async store(commitment: Commitment, value: string): Promise<string> {\n const id = `cmt-${Date.now()}-${toBase64url(randomBytes(8))}`;\n\n const stored: StoredCommitment = {\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n value,\n committed_at: commitment.committed_at,\n revealed: false,\n };\n\n const serialized = 
stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_commitments\",\n id,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return id;\n }\n\n /**\n * Retrieve a stored commitment by ID.\n */\n async get(id: string): Promise<StoredCommitment | null> {\n const raw = await this.storage.read(\"_commitments\", id);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n\n /**\n * Mark a commitment as revealed.\n */\n async markRevealed(id: string): Promise<void> {\n const stored = await this.get(id);\n if (!stored) return;\n\n stored.revealed = true;\n stored.revealed_at = new Date().toISOString();\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_commitments\",\n id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Disclosure Policies\n *\n * Disclosure policies define what an agent will and will not disclose\n * in different interaction contexts. 
Policies are evaluated against\n * incoming disclosure requests to produce per-field decisions.\n *\n * This is the agent's \"privacy preferences\" layer — it codifies the\n * human principal's intent about what information can flow where.\n *\n * Security invariants:\n * - Policies are stored encrypted under L1 sovereignty\n * - Default action is always \"withhold\" unless explicitly overridden\n * - Policy evaluation is deterministic (same request → same decision)\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString, toBase64url } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\n\n/** A single disclosure rule within a policy */\nexport interface DisclosureRule {\n /** Interaction context this rule applies to */\n context: string; // \"negotiation\", \"commerce\", \"identity\", \"*\"\n /** Fields/claims the agent MAY disclose */\n disclose: string[];\n /** Fields/claims the agent MUST NOT disclose */\n withhold: string[];\n /** Fields that require proof rather than plain disclosure */\n proof_required: string[];\n}\n\n/** A complete disclosure policy */\nexport interface DisclosurePolicy {\n policy_id: string;\n policy_name: string;\n rules: DisclosureRule[];\n default_action: \"withhold\" | \"ask-principal\";\n identity_id?: string;\n created_at: string;\n updated_at: string;\n}\n\n/** Result of evaluating a disclosure request */\nexport interface DisclosureDecision {\n field: string;\n action: \"disclose\" | \"withhold\" | \"proof\" | \"ask-principal\";\n reason: string;\n applicable_rule: string;\n}\n\n/**\n * Evaluate a disclosure request against a policy.\n *\n * For each requested field, finds the most specific matching rule:\n * 1. Exact context match\n * 2. Wildcard \"*\" context\n * 3. 
Default action\n *\n * Within a matched rule:\n * - If field is in `withhold` → withhold (highest priority)\n * - If field is in `proof_required` → proof\n * - If field is in `disclose` → disclose\n * - Otherwise → default_action\n */\nexport function evaluateDisclosure(\n policy: DisclosurePolicy,\n context: string,\n requestedFields: string[]\n): DisclosureDecision[] {\n return requestedFields.map((field) => {\n // Find matching rules: exact context first, then wildcard\n const exactRule = policy.rules.find((r) => r.context === context);\n const wildcardRule = policy.rules.find((r) => r.context === \"*\");\n const matchedRule = exactRule ?? wildcardRule;\n\n if (!matchedRule) {\n return {\n field,\n action: policy.default_action,\n reason: `No rule matches context \"${context}\"`,\n applicable_rule: \"default\",\n };\n }\n\n const ruleName = `${matchedRule.context}`;\n\n // Withhold takes priority\n if (matchedRule.withhold.includes(field)) {\n return {\n field,\n action: \"withhold\" as const,\n reason: `Field \"${field}\" is explicitly withheld in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Proof required next\n if (matchedRule.proof_required.includes(field)) {\n return {\n field,\n action: \"proof\" as const,\n reason: `Field \"${field}\" requires cryptographic proof in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Explicit disclose\n if (matchedRule.disclose.includes(field)) {\n return {\n field,\n action: \"disclose\" as const,\n reason: `Field \"${field}\" is permitted for disclosure in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Not mentioned in the rule — fall to default\n return {\n field,\n action: policy.default_action,\n reason: `Field \"${field}\" not addressed in ${ruleName} rule; applying default`,\n applicable_rule: ruleName,\n };\n });\n}\n\n/**\n * Policy store — manages disclosure policies encrypted under L1 sovereignty.\n */\nexport class PolicyStore {\n private storage: 
StorageBackend;\n private encryptionKey: Uint8Array;\n private policies: Map<string, DisclosurePolicy> = new Map();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l3-policies\");\n }\n\n /**\n * Create and store a new disclosure policy.\n */\n async create(\n policyName: string,\n rules: DisclosureRule[],\n defaultAction: \"withhold\" | \"ask-principal\",\n identityId?: string\n ): Promise<DisclosurePolicy> {\n const policyId = `pol-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n const policy: DisclosurePolicy = {\n policy_id: policyId,\n policy_name: policyName,\n rules,\n default_action: defaultAction,\n identity_id: identityId,\n created_at: now,\n updated_at: now,\n };\n\n await this.persist(policy);\n this.policies.set(policyId, policy);\n\n return policy;\n }\n\n /**\n * Get a policy by ID.\n */\n async get(policyId: string): Promise<DisclosurePolicy | null> {\n // Check in-memory cache first\n if (this.policies.has(policyId)) {\n return this.policies.get(policyId)!;\n }\n\n // Try to load from storage\n const raw = await this.storage.read(\"_policies\", policyId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: DisclosurePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policyId, policy);\n return policy;\n } catch {\n return null;\n }\n }\n\n /**\n * List all policies.\n */\n async list(): Promise<DisclosurePolicy[]> {\n await this.loadAll();\n return Array.from(this.policies.values());\n }\n\n /**\n * Load all persisted policies into memory.\n */\n private async loadAll(): Promise<void> {\n try {\n const entries = await this.storage.list(\"_policies\");\n for (const meta of entries) {\n if (this.policies.has(meta.key)) continue;\n const raw = await 
this.storage.read(\"_policies\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: DisclosurePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policy.policy_id, policy);\n } catch {\n // Skip corrupted policies\n }\n }\n } catch {\n // Storage not available\n }\n }\n\n private async persist(policy: DisclosurePolicy): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(policy));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_policies\",\n policy.policy_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Tool Definitions\n *\n * MCP tool wrappers for commitment schemes and disclosure policies.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport {\n createCommitment,\n verifyCommitment,\n CommitmentStore,\n} from \"./commitments.js\";\nimport {\n evaluateDisclosure,\n PolicyStore,\n type DisclosureRule,\n} from \"./policies.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\nexport function createL3Tools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[]; commitmentStore: CommitmentStore; policyStore: PolicyStore } {\n const commitmentStore = new CommitmentStore(storage, masterKey);\n const policyStore = new PolicyStore(storage, masterKey);\n\n const tools: ToolDefinition[] = [\n // ─── Commitment Schemes ───────────────────────────────────────────────\n\n {\n name: \"sanctuary/proof_commitment\",\n description:\n \"Create a cryptographic commitment to a value. \" +\n \"The commitment hides the value until you choose to reveal it. 
\" +\n \"Returns the commitment hash and a blinding factor (store securely).\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"string\",\n description: \"The value to commit to\",\n },\n blinding_factor: {\n type: \"string\",\n description:\n \"Optional base64url blinding factor (auto-generated if omitted)\",\n },\n },\n required: [\"value\"],\n },\n handler: async (args) => {\n const value = args.value as string;\n const blindingFactor = args.blinding_factor as string | undefined;\n\n const commitment = createCommitment(value, blindingFactor);\n\n // Store the commitment encrypted for reference\n const commitmentId = await commitmentStore.store(commitment, value);\n\n auditLog.append(\"l3\", \"proof_commitment\", \"system\", {\n commitment_id: commitmentId,\n commitment_hash: commitment.commitment,\n });\n\n return toolResult({\n commitment_id: commitmentId,\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n committed_at: commitment.committed_at,\n note: \"Store the blinding_factor securely. You will need it to reveal the committed value.\",\n });\n },\n },\n\n {\n name: \"sanctuary/proof_reveal\",\n description:\n \"Verify a previously committed value by revealing it with the blinding factor. 
\" +\n \"Returns whether the revealed value matches the commitment.\",\n inputSchema: {\n type: \"object\",\n properties: {\n commitment: {\n type: \"string\",\n description: \"The original commitment hash\",\n },\n value: {\n type: \"string\",\n description: \"The value being revealed\",\n },\n blinding_factor: {\n type: \"string\",\n description: \"The blinding factor from the original commitment\",\n },\n },\n required: [\"commitment\", \"value\", \"blinding_factor\"],\n },\n handler: async (args) => {\n const commitment = args.commitment as string;\n const value = args.value as string;\n const blindingFactor = args.blinding_factor as string;\n\n const valid = verifyCommitment(commitment, value, blindingFactor);\n\n auditLog.append(\"l3\", \"proof_reveal\", \"system\", {\n commitment_hash: commitment,\n valid,\n });\n\n return toolResult({\n valid,\n commitment,\n revealed_at: new Date().toISOString(),\n });\n },\n },\n\n // ─── Disclosure Policies ──────────────────────────────────────────────\n\n {\n name: \"sanctuary/disclosure_set_policy\",\n description:\n \"Define a disclosure policy that controls what an agent will and will not \" +\n \"disclose in different interaction contexts. 
Rules specify which fields may \" +\n \"be disclosed, which must be withheld, and which require cryptographic proof.\",\n inputSchema: {\n type: \"object\",\n properties: {\n policy_name: {\n type: \"string\",\n description: \"Human-readable policy name\",\n },\n rules: {\n type: \"array\",\n description: \"Disclosure rules for different contexts\",\n items: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description:\n 'Interaction context: \"negotiation\", \"commerce\", \"identity\", \"*\" (wildcard)',\n },\n disclose: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the agent MAY disclose\",\n },\n withhold: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the agent MUST NOT disclose\",\n },\n proof_required: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields that require proof rather than plain disclosure\",\n },\n },\n required: [\"context\", \"disclose\", \"withhold\", \"proof_required\"],\n },\n },\n default_action: {\n type: \"string\",\n enum: [\"withhold\", \"ask-principal\"],\n description: \"What to do when no rule matches a field\",\n },\n identity_id: {\n type: \"string\",\n description: \"Optional identity this policy is bound to\",\n },\n },\n required: [\"policy_name\", \"rules\", \"default_action\"],\n },\n handler: async (args) => {\n const policyName = args.policy_name as string;\n const rules = args.rules as DisclosureRule[];\n const defaultAction = args.default_action as\n | \"withhold\"\n | \"ask-principal\";\n const identityId = args.identity_id as string | undefined;\n\n const policy = await policyStore.create(\n policyName,\n rules,\n defaultAction,\n identityId\n );\n\n auditLog.append(\"l3\", \"disclosure_set_policy\", identityId ?? 
\"system\", {\n policy_id: policy.policy_id,\n policy_name: policyName,\n rules_count: rules.length,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n rules_count: policy.rules.length,\n created_at: policy.created_at,\n });\n },\n },\n\n {\n name: \"sanctuary/disclosure_evaluate\",\n description:\n \"Evaluate a disclosure request against an active policy. \" +\n \"Returns per-field decisions: disclose, withhold, proof, or ask-principal.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description: \"The interaction context\",\n },\n requested_fields: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the counterparty is requesting\",\n },\n policy_id: {\n type: \"string\",\n description: \"Specific policy to evaluate (uses first available if omitted)\",\n },\n },\n required: [\"context\", \"requested_fields\"],\n },\n handler: async (args) => {\n const context = args.context as string;\n const requestedFields = args.requested_fields as string[];\n const policyId = args.policy_id as string | undefined;\n\n let policy;\n if (policyId) {\n policy = await policyStore.get(policyId);\n } else {\n const allPolicies = await policyStore.list();\n policy = allPolicies[0] ?? null;\n }\n\n if (!policy) {\n return toolResult({\n error: \"No disclosure policy found. 
Create one with disclosure_set_policy first.\",\n });\n }\n\n const decisions = evaluateDisclosure(policy, context, requestedFields);\n\n const withholding = decisions.filter(\n (d) => d.action === \"withhold\"\n ).length;\n const disclosing = decisions.filter(\n (d) => d.action === \"disclose\"\n ).length;\n const proofRequired = decisions.filter(\n (d) => d.action === \"proof\"\n ).length;\n const askPrincipal = decisions.filter(\n (d) => d.action === \"ask-principal\"\n ).length;\n\n auditLog.append(\"l3\", \"disclosure_evaluate\", \"system\", {\n policy_id: policy.policy_id,\n context,\n fields_requested: requestedFields.length,\n withholding,\n disclosing,\n proof_required: proofRequired,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n context,\n decisions,\n summary: {\n total_fields: requestedFields.length,\n disclose: disclosing,\n withhold: withholding,\n proof: proofRequired,\n ask_principal: askPrincipal,\n },\n overall_recommendation:\n withholding > 0\n ? 
`Withholding ${withholding} of ${requestedFields.length} requested fields per policy \"${policy.policy_name}\"`\n : `All ${requestedFields.length} fields may be disclosed per policy \"${policy.policy_name}\"`,\n });\n },\n },\n ];\n\n return { tools, commitmentStore, policyStore };\n}\n","/**\n * Sanctuary MCP Server — L4 Verifiable Reputation: Reputation Store\n *\n * Records interaction outcomes as signed attestations, queries aggregated\n * reputation data, and supports export/import for cross-platform portability.\n *\n * Attestation format is EAS-compatible (Ethereum Attestation Service) to\n * enable future on-chain anchoring without requiring blockchain for MVS.\n *\n * Security invariants:\n * - All attestations are signed by the recording identity\n * - Attestations are stored encrypted under L1 sovereignty\n * - Reputation queries return aggregates, never raw interaction data\n * - Export bundles include all signatures for independent verification\n * - Import verifies every signature before accepting attestations\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport {\n stringToBytes,\n bytesToString,\n toBase64url,\n fromBase64url,\n} from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport type { StoredIdentity } from \"../core/identity.js\";\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/** Interaction outcome for recording */\nexport interface InteractionOutcome {\n type: \"transaction\" | \"negotiation\" | \"service\" | \"dispute\" | \"custom\";\n result: \"completed\" | \"partial\" | \"failed\" | \"disputed\";\n metrics?: Record<string, number>;\n}\n\n/** A signed attestation of an interaction */\nexport interface Attestation {\n attestation_id: 
string;\n schema: \"sanctuary-interaction-v1\";\n data: {\n interaction_id: string;\n participant_did: string;\n counterparty_did: string;\n outcome_type: string;\n outcome_result: string;\n metrics: Record<string, number>;\n context: string;\n timestamp: string;\n };\n signature: string;\n signer: string;\n}\n\n/** Stored attestation (encrypted at rest) */\nexport interface StoredAttestation {\n attestation: Attestation;\n counterparty_attestation?: string;\n counterparty_confirmed: boolean;\n recorded_at: string;\n}\n\n/** Aggregated metric statistics */\nexport interface MetricAggregate {\n mean: number;\n median: number;\n min: number;\n max: number;\n count: number;\n}\n\n/** Reputation query result */\nexport interface ReputationSummary {\n total_interactions: number;\n completed: number;\n partial: number;\n failed: number;\n disputed: number;\n contexts: string[];\n time_range: { start: string; end: string };\n aggregate_metrics: Record<string, MetricAggregate>;\n}\n\n/** Portable reputation bundle */\nexport interface ReputationBundle {\n version: \"SANCTUARY_REP_V1\";\n attestations: Attestation[];\n exported_at: string;\n exporter_did: string;\n bundle_signature: string;\n}\n\n// ─── Escrow and Bootstrap ─────────────────────────────────────────────────\n\n/** Escrow for trust bootstrapping */\nexport interface Escrow {\n escrow_id: string;\n transaction_terms: string;\n terms_hash: string;\n collateral_amount?: number;\n counterparty_did: string;\n creator_did: string;\n created_at: string;\n expires_at: string;\n status: \"pending\" | \"active\" | \"released\" | \"disputed\" | \"expired\";\n}\n\n/** Principal guarantee for a new agent */\nexport interface Guarantee {\n guarantee_id: string;\n principal_did: string;\n agent_did: string;\n scope: string;\n max_liability?: number;\n valid_until: string;\n certificate: string; // Signed certificate\n created_at: string;\n}\n\n// ─── Helpers 
──────────────────────────────────────────────────────────────\n\nfunction computeMedian(values: number[]): number {\n if (values.length === 0) return 0;\n const sorted = [...values].sort((a, b) => a - b);\n const mid = Math.floor(sorted.length / 2);\n return sorted.length % 2 !== 0\n ? sorted[mid]!\n : (sorted[mid - 1]! + sorted[mid]!) / 2;\n}\n\nfunction aggregateMetrics(\n attestations: StoredAttestation[],\n metricNames?: string[]\n): Record<string, MetricAggregate> {\n const result: Record<string, MetricAggregate> = {};\n\n // Collect all metric names if not specified\n const names =\n metricNames ??\n Array.from(\n new Set(\n attestations.flatMap((a) =>\n Object.keys(a.attestation.data.metrics)\n )\n )\n );\n\n for (const name of names) {\n const values = attestations\n .map((a) => a.attestation.data.metrics[name])\n .filter((v): v is number => v !== undefined);\n\n if (values.length === 0) {\n result[name] = { mean: 0, median: 0, min: 0, max: 0, count: 0 };\n continue;\n }\n\n result[name] = {\n mean: values.reduce((s, v) => s + v, 0) / values.length,\n median: computeMedian(values),\n min: Math.min(...values),\n max: Math.max(...values),\n count: values.length,\n };\n }\n\n return result;\n}\n\n// ─── Reputation Store ─────────────────────────────────────────────────────\n\nexport class ReputationStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l4-reputation\");\n }\n\n /**\n * Record an interaction outcome as a signed attestation.\n */\n async record(\n interactionId: string,\n counterpartyDid: string,\n outcome: InteractionOutcome,\n context: string,\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n counterpartyAttestation?: string\n ): Promise<StoredAttestation> {\n const attestationId = `att-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new 
Date().toISOString();\n\n // Build the attestation data\n const attestationData = {\n interaction_id: interactionId,\n participant_did: identity.did,\n counterparty_did: counterpartyDid,\n outcome_type: outcome.type,\n outcome_result: outcome.result,\n metrics: outcome.metrics ?? {},\n context,\n timestamp: now,\n };\n\n // Sign the attestation data\n const dataBytes = stringToBytes(JSON.stringify(attestationData));\n const signature = sign(\n dataBytes,\n identity.encrypted_private_key,\n identityEncryptionKey\n );\n\n const attestation: Attestation = {\n attestation_id: attestationId,\n schema: \"sanctuary-interaction-v1\",\n data: attestationData,\n signature: toBase64url(signature),\n signer: identity.did,\n };\n\n const stored: StoredAttestation = {\n attestation,\n counterparty_attestation: counterpartyAttestation,\n counterparty_confirmed: !!counterpartyAttestation,\n recorded_at: now,\n };\n\n // Persist encrypted\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_reputation\",\n attestationId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return stored;\n }\n\n /**\n * Query reputation data with filtering.\n * Returns aggregates only — not raw interaction data.\n */\n async query(options: {\n context?: string;\n time_range?: { start: string; end: string };\n metrics?: string[];\n counterparty_did?: string;\n }): Promise<ReputationSummary> {\n const all = await this.loadAll();\n let filtered = all;\n\n if (options.context) {\n filtered = filtered.filter(\n (a) => a.attestation.data.context === options.context\n );\n }\n\n if (options.time_range) {\n const start = new Date(options.time_range.start).getTime();\n const end = new Date(options.time_range.end).getTime();\n filtered = filtered.filter((a) => {\n const t = new Date(a.attestation.data.timestamp).getTime();\n return t >= start && t <= end;\n });\n }\n\n if (options.counterparty_did) {\n 
filtered = filtered.filter(\n (a) => a.attestation.data.counterparty_did === options.counterparty_did\n );\n }\n\n const contexts = Array.from(\n new Set(filtered.map((a) => a.attestation.data.context))\n );\n\n const timestamps = filtered.map((a) =>\n new Date(a.attestation.data.timestamp).getTime()\n );\n const start = timestamps.length > 0\n ? new Date(Math.min(...timestamps)).toISOString()\n : new Date().toISOString();\n const end = timestamps.length > 0\n ? new Date(Math.max(...timestamps)).toISOString()\n : new Date().toISOString();\n\n return {\n total_interactions: filtered.length,\n completed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"completed\"\n ).length,\n partial: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"partial\"\n ).length,\n failed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"failed\"\n ).length,\n disputed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"disputed\"\n ).length,\n contexts,\n time_range: { start, end },\n aggregate_metrics: aggregateMetrics(filtered, options.metrics),\n };\n }\n\n /**\n * Export attestations as a portable reputation bundle.\n */\n async exportBundle(\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n context?: string\n ): Promise<ReputationBundle> {\n let all = await this.loadAll();\n\n if (context) {\n all = all.filter((a) => a.attestation.data.context === context);\n }\n\n const attestations = all.map((a) => a.attestation);\n const bundleData = {\n version: \"SANCTUARY_REP_V1\" as const,\n attestations,\n exported_at: new Date().toISOString(),\n exporter_did: identity.did,\n };\n\n // Sign the bundle\n const bundleBytes = stringToBytes(JSON.stringify(bundleData));\n const bundleSignature = sign(\n bundleBytes,\n identity.encrypted_private_key,\n identityEncryptionKey\n );\n\n return {\n ...bundleData,\n bundle_signature: toBase64url(bundleSignature),\n };\n }\n\n /**\n * Import attestations from a reputation 
bundle.\n * Verifies signatures if requested (default: true).\n *\n * @param publicKeys - Map of DID → public key bytes for signature verification\n */\n async importBundle(\n bundle: ReputationBundle,\n verifySignatures: boolean,\n publicKeys: Map<string, Uint8Array>\n ): Promise<{ imported: number; invalid: number; contexts: string[] }> {\n let imported = 0;\n let invalid = 0;\n const contexts = new Set<string>();\n\n for (const attestation of bundle.attestations) {\n if (verifySignatures) {\n const signerKey = publicKeys.get(attestation.signer);\n if (!signerKey) {\n invalid++;\n continue;\n }\n\n const dataBytes = stringToBytes(\n JSON.stringify(attestation.data)\n );\n const sigBytes = fromBase64url(attestation.signature);\n\n if (!verify(dataBytes, sigBytes, signerKey)) {\n invalid++;\n continue;\n }\n }\n\n // Store the imported attestation\n const stored: StoredAttestation = {\n attestation,\n counterparty_confirmed: false,\n recorded_at: new Date().toISOString(),\n };\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_reputation\",\n attestation.attestation_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n imported++;\n contexts.add(attestation.data.context);\n }\n\n return {\n imported,\n invalid,\n contexts: Array.from(contexts),\n };\n }\n\n // ─── Escrow ───────────────────────────────────────────────────────────\n\n /**\n * Create an escrow for trust bootstrapping.\n */\n async createEscrow(\n transactionTerms: string,\n counterpartyDid: string,\n timeoutSeconds: number,\n creatorDid: string,\n collateralAmount?: number\n ): Promise<Escrow> {\n const escrowId = `esc-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date();\n const expiresAt = new Date(now.getTime() + timeoutSeconds * 1000);\n\n // Hash the terms for tamper detection\n const { hashToString } = await import(\"../core/hashing.js\");\n const termsHash = 
hashToString(stringToBytes(transactionTerms));\n\n const escrow: Escrow = {\n escrow_id: escrowId,\n transaction_terms: transactionTerms,\n terms_hash: termsHash,\n collateral_amount: collateralAmount,\n counterparty_did: counterpartyDid,\n creator_did: creatorDid,\n created_at: now.toISOString(),\n expires_at: expiresAt.toISOString(),\n status: \"pending\",\n };\n\n const serialized = stringToBytes(JSON.stringify(escrow));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_escrows\",\n escrowId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return escrow;\n }\n\n /**\n * Get an escrow by ID.\n */\n async getEscrow(escrowId: string): Promise<Escrow | null> {\n const raw = await this.storage.read(\"_escrows\", escrowId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n\n // ─── Guarantees ─────────────────────────────────────────────────────\n\n /**\n * Create a principal's guarantee for a new agent.\n */\n async createGuarantee(\n principalIdentity: StoredIdentity,\n agentDid: string,\n scope: string,\n durationSeconds: number,\n identityEncryptionKey: Uint8Array,\n maxLiability?: number\n ): Promise<Guarantee> {\n const guaranteeId = `guar-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date();\n const validUntil = new Date(now.getTime() + durationSeconds * 1000);\n\n const certificateData = {\n guarantee_id: guaranteeId,\n principal_did: principalIdentity.did,\n agent_did: agentDid,\n scope,\n max_liability: maxLiability,\n valid_until: validUntil.toISOString(),\n issued_at: now.toISOString(),\n };\n\n // Sign the certificate with the principal's key\n const certBytes = stringToBytes(JSON.stringify(certificateData));\n const signature = sign(\n certBytes,\n principalIdentity.encrypted_private_key,\n 
identityEncryptionKey\n );\n\n const certificate = toBase64url(\n stringToBytes(\n JSON.stringify({\n ...certificateData,\n signature: toBase64url(signature),\n })\n )\n );\n\n const guarantee: Guarantee = {\n guarantee_id: guaranteeId,\n principal_did: principalIdentity.did,\n agent_did: agentDid,\n scope,\n max_liability: maxLiability,\n valid_until: validUntil.toISOString(),\n certificate,\n created_at: now.toISOString(),\n };\n\n const serialized = stringToBytes(JSON.stringify(guarantee));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_guarantees\",\n guaranteeId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return guarantee;\n }\n\n // ─── Internal ─────────────────────────────────────────────────────────\n\n private async loadAll(): Promise<StoredAttestation[]> {\n const results: StoredAttestation[] = [];\n\n try {\n const entries = await this.storage.list(\"_reputation\");\n for (const meta of entries) {\n const raw = await this.storage.read(\"_reputation\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n results.push(JSON.parse(bytesToString(decrypted)));\n } catch {\n // Skip corrupted entries\n }\n }\n } catch {\n // Storage not available\n }\n\n return results;\n }\n}\n","/**\n * Sanctuary MCP Server — L4 Verifiable Reputation: Tool Definitions\n *\n * MCP tool wrappers for reputation recording, querying, export/import,\n * and trust bootstrapping (escrow + principal guarantees).\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { ReputationStore, type InteractionOutcome } from \"./reputation-store.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { 
derivePurposeKey } from \"../core/key-derivation.js\";\nimport { toBase64url, fromBase64url } from \"../core/encoding.js\";\n\nexport function createL4Tools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n identityManager: IdentityManager,\n auditLog: AuditLog\n): { tools: ToolDefinition[]; reputationStore: ReputationStore } {\n const reputationStore = new ReputationStore(storage, masterKey);\n const identityEncryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n\n const tools: ToolDefinition[] = [\n // ─── Reputation Recording ─────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_record\",\n description:\n \"Record an interaction outcome as a signed attestation. \" +\n \"Creates an EAS-compatible attestation signed by the specified identity.\",\n inputSchema: {\n type: \"object\",\n properties: {\n interaction_id: {\n type: \"string\",\n description: \"Unique interaction identifier\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Counterparty's DID\",\n },\n outcome: {\n type: \"object\",\n description: \"Interaction outcome\",\n properties: {\n type: {\n type: \"string\",\n enum: [\"transaction\", \"negotiation\", \"service\", \"dispute\", \"custom\"],\n },\n result: {\n type: \"string\",\n enum: [\"completed\", \"partial\", \"failed\", \"disputed\"],\n },\n metrics: {\n type: \"object\",\n description: \"Domain-specific metrics (e.g., fulfillment_rate, response_time_ms)\",\n },\n },\n required: [\"type\", \"result\"],\n },\n context: {\n type: \"string\",\n description: \"Category/domain for context-specific reputation\",\n default: \"general\",\n },\n counterparty_attestation: {\n type: \"string\",\n description: \"Counterparty's signed attestation of the same interaction\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign with (uses default if omitted)\",\n },\n },\n required: [\"interaction_id\", \"counterparty_did\", \"outcome\"],\n },\n handler: async (args) => {\n 
const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const outcome = args.outcome as InteractionOutcome;\n const context = (args.context as string) ?? \"general\";\n\n const stored = await reputationStore.record(\n args.interaction_id as string,\n args.counterparty_did as string,\n outcome,\n context,\n identity,\n identityEncryptionKey,\n args.counterparty_attestation as string | undefined\n );\n\n auditLog.append(\"l4\", \"reputation_record\", identity.identity_id, {\n interaction_id: args.interaction_id,\n outcome_type: outcome.type,\n outcome_result: outcome.result,\n context,\n });\n\n return toolResult({\n attestation_id: stored.attestation.attestation_id,\n interaction_id: stored.attestation.data.interaction_id,\n self_attestation: stored.attestation.signature,\n counterparty_confirmed: stored.counterparty_confirmed,\n context,\n recorded_at: stored.recorded_at,\n });\n },\n },\n\n // ─── Reputation Query ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_query\",\n description:\n \"Query aggregated reputation data with filtering. 
\" +\n \"Returns summary statistics, never raw interaction details.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description: \"Filter by context/domain\",\n },\n time_range: {\n type: \"object\",\n description: \"Filter by time range\",\n properties: {\n start: { type: \"string\", description: \"ISO 8601 start\" },\n end: { type: \"string\", description: \"ISO 8601 end\" },\n },\n },\n metrics: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Which metrics to aggregate\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Filter by counterparty\",\n },\n },\n },\n handler: async (args) => {\n const summary = await reputationStore.query({\n context: args.context as string | undefined,\n time_range: args.time_range as\n | { start: string; end: string }\n | undefined,\n metrics: args.metrics as string[] | undefined,\n counterparty_did: args.counterparty_did as string | undefined,\n });\n\n auditLog.append(\"l4\", \"reputation_query\", \"system\", {\n total_interactions: summary.total_interactions,\n contexts: summary.contexts,\n });\n\n return toolResult({\n summary,\n });\n },\n },\n\n // ─── Reputation Export ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_export\",\n description:\n \"Export a portable reputation bundle (SANCTUARY_REP_V1). \" +\n \"Includes all signed attestations for independent verification.\",\n inputSchema: {\n type: \"object\",\n properties: {\n format: {\n type: \"string\",\n enum: [\"SANCTUARY_REP_V1\"],\n default: \"SANCTUARY_REP_V1\",\n },\n context: {\n type: \"string\",\n description: \"Export specific context only\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign the bundle with\",\n },\n },\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? 
identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const context = args.context as string | undefined;\n const bundle = await reputationStore.exportBundle(\n identity,\n identityEncryptionKey,\n context\n );\n\n const bundleJson = JSON.stringify(bundle);\n const bundleBase64 = toBase64url(\n new TextEncoder().encode(bundleJson)\n );\n\n auditLog.append(\"l4\", \"reputation_export\", identity.identity_id, {\n attestation_count: bundle.attestations.length,\n contexts: Array.from(\n new Set(bundle.attestations.map((a) => a.data.context))\n ),\n });\n\n const { hashToString } = await import(\"../core/hashing.js\");\n const { stringToBytes } = await import(\"../core/encoding.js\");\n\n return toolResult({\n bundle: bundleBase64,\n attestation_count: bundle.attestations.length,\n contexts: Array.from(\n new Set(bundle.attestations.map((a) => a.data.context))\n ),\n bundle_hash: hashToString(stringToBytes(bundleJson)),\n exported_at: bundle.exported_at,\n });\n },\n },\n\n // ─── Reputation Import ────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_import\",\n description:\n \"Import a reputation bundle from another Sanctuary instance. 
\" +\n \"Verifies all attestation signatures by default.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bundle: {\n type: \"string\",\n description: \"Base64url-encoded reputation bundle\",\n },\n },\n required: [\"bundle\"],\n },\n handler: async (args) => {\n const bundleBase64 = args.bundle as string;\n // Signature verification is always enforced — no caller override.\n // Allowing callers to skip verification was a prompt-injection footgun.\n const verifySignatures = true;\n\n let bundle;\n try {\n const bundleBytes = fromBase64url(bundleBase64);\n const bundleJson = new TextDecoder().decode(bundleBytes);\n bundle = JSON.parse(bundleJson);\n } catch {\n return toolResult({\n error: \"Invalid bundle format. Expected base64url-encoded JSON.\",\n });\n }\n\n // Build public key map from known identities for verification\n const publicKeys = new Map<string, Uint8Array>();\n for (const pub of identityManager.list()) {\n const identity = identityManager.get(pub.identity_id);\n if (identity) {\n publicKeys.set(identity.did, fromBase64url(identity.public_key));\n }\n }\n\n const result = await reputationStore.importBundle(\n bundle,\n verifySignatures,\n publicKeys\n );\n\n auditLog.append(\"l4\", \"reputation_import\", \"system\", {\n imported: result.imported,\n invalid: result.invalid,\n contexts: result.contexts,\n });\n\n return toolResult({\n imported_attestations: result.imported,\n invalid_attestations: result.invalid,\n contexts: result.contexts,\n imported_at: new Date().toISOString(),\n });\n },\n },\n\n // ─── Trust Bootstrap: Escrow ──────────────────────────────────────\n\n {\n name: \"sanctuary/bootstrap_create_escrow\",\n description:\n \"Create an escrow record for trust bootstrapping. 
\" +\n \"Allows new participants with no reputation to transact safely.\",\n inputSchema: {\n type: \"object\",\n properties: {\n transaction_terms: {\n type: \"string\",\n description: \"Description of the transaction\",\n },\n collateral_amount: {\n type: \"number\",\n description: \"Optional stake/collateral amount\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Counterparty's DID\",\n },\n timeout_seconds: {\n type: \"number\",\n description: \"Escrow timeout in seconds\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity creating the escrow\",\n },\n },\n required: [\"transaction_terms\", \"counterparty_did\", \"timeout_seconds\"],\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const escrow = await reputationStore.createEscrow(\n args.transaction_terms as string,\n args.counterparty_did as string,\n args.timeout_seconds as number,\n identity.did,\n args.collateral_amount as number | undefined\n );\n\n auditLog.append(\"l4\", \"bootstrap_create_escrow\", identity.identity_id, {\n escrow_id: escrow.escrow_id,\n counterparty_did: args.counterparty_did,\n timeout_seconds: args.timeout_seconds,\n });\n\n return toolResult({\n escrow_id: escrow.escrow_id,\n terms_hash: escrow.terms_hash,\n created_at: escrow.created_at,\n expires_at: escrow.expires_at,\n status: escrow.status,\n });\n },\n },\n\n // ─── Trust Bootstrap: Guarantee ───────────────────────────────────\n\n {\n name: \"sanctuary/bootstrap_provide_guarantee\",\n description:\n \"A principal provides a signed reputation guarantee for a new agent. 
\" +\n \"The guarantee certificate can be presented to counterparties.\",\n inputSchema: {\n type: \"object\",\n properties: {\n principal_identity_id: {\n type: \"string\",\n description: \"Identity of the guarantor (principal)\",\n },\n agent_identity_id: {\n type: \"string\",\n description: \"Identity of the agent being guaranteed\",\n },\n scope: {\n type: \"string\",\n description: \"What the guarantee covers\",\n },\n duration_seconds: {\n type: \"number\",\n description: \"How long the guarantee is valid\",\n },\n max_liability: {\n type: \"number\",\n description: \"Maximum liability amount\",\n },\n },\n required: [\n \"principal_identity_id\",\n \"agent_identity_id\",\n \"scope\",\n \"duration_seconds\",\n ],\n },\n handler: async (args) => {\n const principalIdentity = identityManager.get(\n args.principal_identity_id as string\n );\n const agentIdentity = identityManager.get(\n args.agent_identity_id as string\n );\n\n if (!principalIdentity) {\n return toolResult({\n error: `Principal identity \"${args.principal_identity_id}\" not found.`,\n });\n }\n if (!agentIdentity) {\n return toolResult({\n error: `Agent identity \"${args.agent_identity_id}\" not found.`,\n });\n }\n\n const guarantee = await reputationStore.createGuarantee(\n principalIdentity,\n agentIdentity.did,\n args.scope as string,\n args.duration_seconds as number,\n identityEncryptionKey,\n args.max_liability as number | undefined\n );\n\n auditLog.append(\n \"l4\",\n \"bootstrap_provide_guarantee\",\n principalIdentity.identity_id,\n {\n guarantee_id: guarantee.guarantee_id,\n agent_did: agentIdentity.did,\n scope: args.scope,\n }\n );\n\n return toolResult({\n guarantee_id: guarantee.guarantee_id,\n guarantee_certificate: guarantee.certificate,\n scope: guarantee.scope,\n valid_until: guarantee.valid_until,\n });\n },\n },\n ];\n\n return { tools, reputationStore };\n}\n","/**\n * Sanctuary MCP Server — Principal Policy Loader\n *\n * Loads the Principal Policy from a YAML file at 
server startup.\n * The policy is immutable at runtime — no MCP tool can modify it.\n *\n * Security invariant:\n * - The policy is loaded ONCE at startup and frozen.\n * - No code path exists to modify the policy during a session.\n * - If no policy file exists, a sensible default is generated and saved.\n */\n\nimport { readFile, writeFile, chmod } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport type { PrincipalPolicy, Tier2Config, ApprovalChannelConfig } from \"./types.js\";\n\n/** Default Tier 2 anomaly configuration */\nconst DEFAULT_TIER2: Tier2Config = {\n new_namespace_access: \"approve\",\n new_counterparty: \"approve\",\n frequency_spike_multiplier: 5,\n max_signs_per_minute: 10,\n bulk_read_threshold: 20,\n first_session_policy: \"approve\",\n};\n\n/** Default approval channel */\nconst DEFAULT_CHANNEL: ApprovalChannelConfig = {\n type: \"stderr\",\n timeout_seconds: 300,\n auto_deny: true,\n};\n\n/** Default Principal Policy — provides meaningful protection without configuration */\nexport const DEFAULT_POLICY: PrincipalPolicy = {\n version: 1,\n tier1_always_approve: [\n \"state_export\",\n \"state_import\",\n \"identity_rotate\",\n \"reputation_import\",\n \"bootstrap_provide_guarantee\",\n ],\n tier2_anomaly: DEFAULT_TIER2,\n tier3_always_allow: [\n \"state_read\",\n \"state_write\",\n \"state_list\",\n \"state_delete\",\n \"identity_create\",\n \"identity_list\",\n \"identity_sign\",\n \"identity_verify\",\n \"proof_commitment\",\n \"proof_reveal\",\n \"disclosure_set_policy\",\n \"disclosure_evaluate\",\n \"reputation_record\",\n \"reputation_query\",\n \"reputation_export\",\n \"bootstrap_create_escrow\",\n \"exec_attest\",\n \"monitor_health\",\n \"monitor_audit_log\",\n \"manifest\",\n \"principal_policy_view\",\n \"principal_baseline_view\",\n ],\n approval_channel: DEFAULT_CHANNEL,\n};\n\n/**\n * Extract the operation name from a full MCP tool name.\n * \"sanctuary/state_export\" → \"state_export\"\n */\nexport function 
extractOperationName(toolName: string): string {\n return toolName.startsWith(\"sanctuary/\")\n ? toolName.slice(\"sanctuary/\".length)\n : toolName;\n}\n\n/**\n * Parse a YAML-like policy file into a PrincipalPolicy.\n *\n * We use a simple line-based parser rather than a YAML library\n * to avoid adding a dependency for a straightforward config format.\n * The policy file supports a subset of YAML: scalars, lists, and\n * one level of nesting.\n *\n * For robustness, we also accept JSON.\n */\nexport function parsePolicy(content: string): PrincipalPolicy {\n const trimmed = content.trim();\n\n // Try JSON first\n if (trimmed.startsWith(\"{\")) {\n const parsed = JSON.parse(trimmed);\n return validatePolicy(parsed);\n }\n\n // Simple YAML-subset parser\n const policy: Record<string, unknown> = {};\n let currentKey: string | null = null;\n let currentList: string[] | null = null;\n let currentObject: Record<string, unknown> | null = null;\n\n for (const rawLine of trimmed.split(\"\\n\")) {\n const line = rawLine.split(\"#\")[0]!; // Strip comments\n if (line.trim() === \"\") continue;\n\n const indent = line.length - line.trimStart().length;\n const stripped = line.trim();\n\n if (indent === 0 && stripped.includes(\":\")) {\n // Top-level key\n if (currentKey && currentList) {\n policy[currentKey] = currentList;\n } else if (currentKey && currentObject) {\n policy[currentKey] = currentObject;\n }\n\n const colonIdx = stripped.indexOf(\":\");\n const key = stripped.slice(0, colonIdx).trim();\n const value = stripped.slice(colonIdx + 1).trim();\n\n if (value === \"\" || value === \"|\") {\n currentKey = key;\n currentList = null;\n currentObject = null;\n } else {\n policy[key] = parseScalar(value);\n currentKey = null;\n currentList = null;\n currentObject = null;\n }\n } else if (indent > 0 && stripped.startsWith(\"- \")) {\n // List item\n if (!currentList) currentList = [];\n currentList.push(stripped.slice(2).trim().split(/\\s+/)[0]!); // Take first word (before 
comments)\n } else if (indent > 0 && stripped.includes(\":\")) {\n // Nested key-value\n if (!currentObject) currentObject = {};\n const colonIdx = stripped.indexOf(\":\");\n const key = stripped.slice(0, colonIdx).trim();\n const value = stripped.slice(colonIdx + 1).trim();\n currentObject[key] = parseScalar(value.split(/\\s+/)[0]!); // First word before comments\n }\n }\n\n // Flush last block\n if (currentKey && currentList) {\n policy[currentKey] = currentList;\n } else if (currentKey && currentObject) {\n policy[currentKey] = currentObject;\n }\n\n return validatePolicy(policy);\n}\n\nfunction parseScalar(value: string): string | number | boolean {\n if (value === \"true\") return true;\n if (value === \"false\") return false;\n const num = Number(value);\n if (!isNaN(num) && value !== \"\") return num;\n return value.replace(/^[\"']|[\"']$/g, \"\");\n}\n\nfunction validatePolicy(raw: Record<string, unknown>): PrincipalPolicy {\n return {\n version: (raw.version as number) ?? 1,\n tier1_always_approve:\n (raw.tier1_always_approve as string[]) ?? DEFAULT_POLICY.tier1_always_approve,\n tier2_anomaly: {\n ...DEFAULT_TIER2,\n ...((raw.tier2_anomaly as Record<string, unknown>) ?? {}),\n } as Tier2Config,\n tier3_always_allow:\n (raw.tier3_always_allow as string[]) ?? DEFAULT_POLICY.tier3_always_allow,\n approval_channel: {\n ...DEFAULT_CHANNEL,\n ...((raw.approval_channel as Record<string, unknown>) ?? {}),\n } as ApprovalChannelConfig,\n };\n}\n\n/**\n * Generate the default policy file content as YAML.\n */\nfunction generateDefaultPolicyYaml(): string {\n return `# Sanctuary Principal Policy v1\n# This file controls what your agent can do without asking.\n# Edit this file directly. 
Your agent cannot modify it.\n# Changes take effect on server restart.\n\nversion: 1\n\n# ─── Tier 1: Always Requires Approval ────────────────────────────────────\n# These operations ALWAYS require your explicit approval.\n# They are inherently high-risk regardless of context.\ntier1_always_approve:\n - state_export\n - state_import\n - identity_rotate\n - reputation_import\n - bootstrap_provide_guarantee\n\n# ─── Tier 2: Behavioral Anomaly Detection ────────────────────────────────\n# Triggers approval when agent behavior deviates from its baseline.\n# Options for each setting: approve | log | allow\ntier2_anomaly:\n new_namespace_access: approve\n new_counterparty: approve\n frequency_spike_multiplier: 5\n max_signs_per_minute: 10\n bulk_read_threshold: 20\n first_session_policy: approve\n\n# ─── Tier 3: Always Allowed (Audit Only) ─────────────────────────────────\n# These operations never require approval but are always logged.\ntier3_always_allow:\n - state_read\n - state_write\n - state_list\n - state_delete\n - identity_create\n - identity_list\n - identity_sign\n - identity_verify\n - proof_commitment\n - proof_reveal\n - disclosure_set_policy\n - disclosure_evaluate\n - reputation_record\n - reputation_query\n - reputation_export\n - bootstrap_create_escrow\n - exec_attest\n - monitor_health\n - monitor_audit_log\n - manifest\n - principal_policy_view\n - principal_baseline_view\n\n# ─── Approval Channel ────────────────────────────────────────────────────\n# How Sanctuary reaches you when approval is needed.\napproval_channel:\n type: stderr\n timeout_seconds: 300\n auto_deny: true\n`;\n}\n\n/**\n * Load the Principal Policy from disk.\n * If no policy file exists, generate the default and save it.\n * The returned policy is frozen — immutable at runtime.\n */\nexport async function loadPrincipalPolicy(\n storagePath: string\n): Promise<PrincipalPolicy> {\n const policyPath = join(storagePath, \"principal-policy.yaml\");\n\n try {\n const content = await 
readFile(policyPath, \"utf-8\");\n const policy = parsePolicy(content);\n return Object.freeze(policy);\n } catch {\n // No policy file — generate default\n const defaultYaml = generateDefaultPolicyYaml();\n try {\n await writeFile(policyPath, defaultYaml, \"utf-8\");\n await chmod(policyPath, 0o600);\n } catch {\n // Can't write — use default in memory\n }\n return Object.freeze({ ...DEFAULT_POLICY });\n }\n}\n","/**\n * Sanctuary MCP Server — Behavioral Baseline Tracker\n *\n * Tracks the agent's behavioral profile during a session and persists\n * it for cross-session anomaly detection. The baseline defines \"normal\"\n * so that deviations can trigger Tier 2 approval.\n *\n * Security invariants:\n * - Baseline is stored encrypted under L1 sovereignty\n * - Baseline changes are audit-logged\n * - Baseline is integrity-verified via L1 Merkle tree\n * - No MCP tool can directly modify the baseline\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString } from \"../core/encoding.js\";\nimport type { SessionProfile } from \"./types.js\";\n\nconst BASELINE_NAMESPACE = \"_principal\";\nconst BASELINE_KEY = \"session-baseline\";\n\nexport class BaselineTracker {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private profile: SessionProfile;\n\n /** Sliding window: timestamps of tool calls per tool name (last 60s) */\n private callWindows: Map<string, number[]> = new Map();\n\n /** Sliding window: read counts per namespace (last 60s) */\n private readWindows: Map<string, number[]> = new Map();\n\n /** Sliding window: sign call timestamps (last 60s) */\n private signWindow: number[] = [];\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, 
\"principal-baseline\");\n this.profile = {\n known_namespaces: [],\n known_counterparties: [],\n tool_call_counts: {},\n is_first_session: true,\n started_at: new Date().toISOString(),\n };\n }\n\n /**\n * Load the previous session's baseline from storage.\n * If none exists, this is a first session.\n */\n async load(): Promise<void> {\n try {\n const raw = await this.storage.read(BASELINE_NAMESPACE, BASELINE_KEY);\n if (!raw) return;\n\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const saved: SessionProfile = JSON.parse(bytesToString(decrypted));\n\n // Carry forward known namespaces and counterparties\n this.profile.known_namespaces = saved.known_namespaces ?? [];\n this.profile.known_counterparties = saved.known_counterparties ?? [];\n this.profile.is_first_session = false;\n } catch {\n // No prior baseline or corrupted — treat as first session\n this.profile.is_first_session = true;\n }\n }\n\n /**\n * Save the current baseline to storage (encrypted).\n * Called at session end or periodically.\n */\n async save(): Promise<void> {\n this.profile.saved_at = new Date().toISOString();\n const serialized = stringToBytes(JSON.stringify(this.profile));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n BASELINE_NAMESPACE,\n BASELINE_KEY,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n /**\n * Record a tool call for baseline tracking.\n * Returns anomaly information if applicable.\n */\n recordToolCall(toolName: string): void {\n const now = Date.now();\n\n // Track total call count\n this.profile.tool_call_counts[toolName] =\n (this.profile.tool_call_counts[toolName] ?? 
0) + 1;\n\n // Track call rate (60-second sliding window)\n if (!this.callWindows.has(toolName)) {\n this.callWindows.set(toolName, []);\n }\n const window = this.callWindows.get(toolName)!;\n window.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (window.length > 0 && window[0]! < cutoff) {\n window.shift();\n }\n }\n\n /**\n * Record a namespace access.\n * @returns true if this is a new namespace (not in baseline)\n */\n recordNamespaceAccess(namespace: string): boolean {\n // Skip internal namespaces — these are Sanctuary's own storage\n if (namespace.startsWith(\"_\")) return false;\n\n const isNew = !this.profile.known_namespaces.includes(namespace);\n if (isNew) {\n this.profile.known_namespaces.push(namespace);\n }\n return isNew;\n }\n\n /**\n * Record a namespace read for bulk-read detection.\n * @returns the number of reads in the current 60-second window\n */\n recordNamespaceRead(namespace: string): number {\n const now = Date.now();\n\n if (!this.readWindows.has(namespace)) {\n this.readWindows.set(namespace, []);\n }\n const window = this.readWindows.get(namespace)!;\n window.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (window.length > 0 && window[0]! < cutoff) {\n window.shift();\n }\n\n return window.length;\n }\n\n /**\n * Record a counterparty DID interaction.\n * @returns true if this is a new counterparty (not in baseline)\n */\n recordCounterparty(did: string): boolean {\n const isNew = !this.profile.known_counterparties.includes(did);\n if (isNew) {\n this.profile.known_counterparties.push(did);\n }\n return isNew;\n }\n\n /**\n * Record a signing operation.\n * @returns the number of signs in the current 60-second window\n */\n recordSign(): number {\n const now = Date.now();\n this.signWindow.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (this.signWindow.length > 0 && this.signWindow[0]! 
< cutoff) {\n this.signWindow.shift();\n }\n\n return this.signWindow.length;\n }\n\n /**\n * Get the current call rate for a tool (calls per minute).\n */\n getCallRate(toolName: string): number {\n return this.callWindows.get(toolName)?.length ?? 0;\n }\n\n /**\n * Get the average call rate across all tools in the baseline.\n */\n getAverageCallRate(): number {\n let total = 0;\n let count = 0;\n for (const window of this.callWindows.values()) {\n total += window.length;\n count++;\n }\n return count > 0 ? total / count : 0;\n }\n\n /** Whether this is the first session */\n get isFirstSession(): boolean {\n return this.profile.is_first_session;\n }\n\n /** Get a read-only view of the current profile */\n getProfile(): SessionProfile {\n return { ...this.profile };\n }\n}\n","/**\n * Sanctuary MCP Server — Approval Channel\n *\n * Out-of-band communication with the human principal for operation approval.\n * The default channel uses stderr (outside MCP's stdin/stdout protocol),\n * ensuring the agent cannot intercept or forge approval responses.\n *\n * Security invariant:\n * - Approval prompts go through a channel the agent cannot access.\n * - Timeouts result in denial by default (fail closed).\n */\n\nimport type {\n ApprovalRequest,\n ApprovalResponse,\n ApprovalChannelConfig,\n} from \"./types.js\";\n\n/** Abstract approval channel interface */\nexport interface ApprovalChannel {\n requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;\n}\n\n/**\n * Stderr approval channel — writes prompts to stderr, waits for response.\n *\n * In the MCP stdio model:\n * - stdin/stdout carry the MCP protocol (JSON-RPC)\n * - stderr is available for out-of-band human communication\n *\n * Since many harnesses do not support interactive stdin during tool calls,\n * this channel uses a timeout-based model: the prompt is displayed, and\n * if no response is received within the timeout, the default action applies.\n *\n * For MVS, the channel auto-resolves based 
on the auto_deny setting.\n * Interactive stdin reading is deferred to a future version with harness support.\n */\nexport class StderrApprovalChannel implements ApprovalChannel {\n private config: ApprovalChannelConfig;\n\n constructor(config: ApprovalChannelConfig) {\n this.config = config;\n }\n\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n // Format and emit the approval prompt\n const prompt = this.formatPrompt(request);\n process.stderr.write(prompt + \"\\n\");\n\n // For MVS: auto-resolve after a brief pause to ensure stderr is flushed.\n // Full interactive approval (reading stdin) requires harness support\n // that most MCP hosts don't yet provide.\n //\n // The prompt is still displayed — the human sees what's happening.\n // Auto-deny means unapproved operations fail safely.\n // Auto-allow means the prompt is informational (log mode).\n await new Promise((resolve) => setTimeout(resolve, 100));\n\n if (this.config.auto_deny) {\n return {\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"timeout\",\n };\n } else {\n return {\n decision: \"approve\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n };\n }\n }\n\n private formatPrompt(request: ApprovalRequest): string {\n const tierLabel =\n request.tier === 1\n ? \"Tier 1 — always requires approval\"\n : \"Tier 2 — behavioral anomaly detected\";\n\n const contextLines = Object.entries(request.context)\n .map(([k, v]) => ` ${k}: ${typeof v === \"string\" ? 
v : JSON.stringify(v)}`)\n .join(\"\\n\");\n\n return [\n \"\",\n \"╔══════════════════════════════════════════════════════════════════╗\",\n \"║ SANCTUARY: Approval Required ║\",\n \"╠══════════════════════════════════════════════════════════════════╣\",\n `║ Operation: ${request.operation.padEnd(50)}║`,\n `║ ${tierLabel.padEnd(62)}║`,\n `║ Reason: ${request.reason.slice(0, 50).padEnd(50)}║`,\n \"║ ║\",\n `║ Details: ║`,\n ...contextLines.split(\"\\n\").map(\n (line) => `║ ${line.padEnd(60)}║`\n ),\n \"║ ║\",\n this.config.auto_deny\n ? \"║ Auto-denying (configure approval_channel.auto_deny to change) ║\"\n : \"║ Auto-approving (informational mode) ║\",\n \"╚══════════════════════════════════════════════════════════════════╝\",\n \"\",\n ].join(\"\\n\");\n }\n}\n\n/**\n * Programmatic approval channel — for testing and API integration.\n */\nexport class CallbackApprovalChannel implements ApprovalChannel {\n private callback: (request: ApprovalRequest) => Promise<ApprovalResponse>;\n\n constructor(\n callback: (request: ApprovalRequest) => Promise<ApprovalResponse>\n ) {\n this.callback = callback;\n }\n\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n return this.callback(request);\n }\n}\n\n/**\n * Auto-approve channel — for testing. Approves everything.\n */\nexport class AutoApproveChannel implements ApprovalChannel {\n async requestApproval(_request: ApprovalRequest): Promise<ApprovalResponse> {\n return {\n decision: \"approve\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Approval Gate\n *\n * The three-tier approval gate sits between the MCP router and tool handlers.\n * Every tool call passes through the gate before execution.\n *\n * Evaluation order:\n * 1. Tier 1: Is this operation in the always-approve list? → Request approval.\n * 2. Tier 2: Does this call represent a behavioral anomaly? → Request approval.\n * 3. 
Tier 3 / default: Allow with audit logging.\n *\n * Security invariants:\n * - The gate cannot be bypassed — it wraps every tool handler.\n * - Denial responses do not reveal policy details to the agent.\n * - All gate decisions (approve, deny, allow) are audit-logged.\n */\n\nimport type { PrincipalPolicy, GateResult, ApprovalRequest } from \"./types.js\";\nimport type { ApprovalChannel } from \"./approval-channel.js\";\nimport { BaselineTracker } from \"./baseline.js\";\nimport { extractOperationName } from \"./loader.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\nexport class ApprovalGate {\n private policy: PrincipalPolicy;\n private baseline: BaselineTracker;\n private channel: ApprovalChannel;\n private auditLog: AuditLog;\n\n constructor(\n policy: PrincipalPolicy,\n baseline: BaselineTracker,\n channel: ApprovalChannel,\n auditLog: AuditLog\n ) {\n this.policy = policy;\n this.baseline = baseline;\n this.channel = channel;\n this.auditLog = auditLog;\n }\n\n /**\n * Evaluate a tool call against the Principal Policy.\n *\n * @param toolName - Full MCP tool name (e.g., \"sanctuary/state_export\")\n * @param args - Tool call arguments (for context extraction)\n * @returns GateResult indicating whether the call is allowed\n */\n async evaluate(\n toolName: string,\n args: Record<string, unknown>\n ): Promise<GateResult> {\n const operation = extractOperationName(toolName);\n\n // Record the tool call in the baseline tracker\n this.baseline.recordToolCall(operation);\n\n // ── Tier 1: Always requires approval ──────────────────────────────\n if (this.policy.tier1_always_approve.includes(operation)) {\n return this.requestApproval(operation, 1, `\"${operation}\" is a Tier 1 operation (always requires approval)`, {\n operation,\n args_summary: this.summarizeArgs(args),\n });\n }\n\n // ── Tier 2: Behavioral anomaly detection ──────────────────────────\n const anomaly = this.detectAnomaly(operation, args);\n if (anomaly) {\n return 
this.requestApproval(operation, 2, anomaly.reason, anomaly.context);\n }\n\n // ── Tier 3: Allow with audit logging ──────────────────────────────\n this.auditLog.append(\"l2\", `gate_allow:${operation}`, \"system\", {\n tier: 3,\n operation,\n });\n\n return {\n allowed: true,\n tier: 3,\n reason: \"Operation allowed (Tier 3)\",\n approval_required: false,\n };\n }\n\n /**\n * Detect Tier 2 behavioral anomalies.\n */\n private detectAnomaly(\n operation: string,\n args: Record<string, unknown>\n ): { reason: string; context: Record<string, unknown> } | null {\n const config = this.policy.tier2_anomaly;\n\n // ── First session check ───────────────────────────────────────────\n if (this.baseline.isFirstSession && config.first_session_policy === \"approve\") {\n // On first session, only Tier 3 operations are auto-allowed\n if (!this.policy.tier3_always_allow.includes(operation)) {\n return {\n reason: `First session: \"${operation}\" has no established baseline`,\n context: { operation, is_first_session: true },\n };\n }\n }\n\n // ── New namespace access ──────────────────────────────────────────\n if (config.new_namespace_access === \"approve\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n const isNew = this.baseline.recordNamespaceAccess(namespace);\n if (isNew) {\n return {\n reason: `First access to namespace \"${namespace}\" (not in session baseline)`,\n context: {\n operation,\n namespace,\n known_namespaces: this.baseline.getProfile().known_namespaces,\n },\n };\n }\n }\n } else if (config.new_namespace_access === \"log\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n this.baseline.recordNamespaceAccess(namespace);\n }\n }\n\n // ── New counterparty ──────────────────────────────────────────────\n if (config.new_counterparty === \"approve\") {\n const counterpartyDid =\n (args.counterparty_did as string) ?? 
(args.agent_identity_id as string);\n if (counterpartyDid) {\n const isNew = this.baseline.recordCounterparty(counterpartyDid);\n if (isNew) {\n return {\n reason: `First interaction with counterparty \"${counterpartyDid}\"`,\n context: {\n operation,\n counterparty_did: counterpartyDid,\n known_counterparties: this.baseline.getProfile().known_counterparties,\n },\n };\n }\n }\n } else if (config.new_counterparty === \"log\") {\n const counterpartyDid = args.counterparty_did as string;\n if (counterpartyDid) {\n this.baseline.recordCounterparty(counterpartyDid);\n }\n }\n\n // ── Signing frequency ─────────────────────────────────────────────\n if (operation === \"identity_sign\") {\n const signCount = this.baseline.recordSign();\n if (signCount > config.max_signs_per_minute) {\n return {\n reason: `Signing frequency (${signCount}/min) exceeds limit (${config.max_signs_per_minute}/min)`,\n context: {\n operation,\n signs_per_minute: signCount,\n limit: config.max_signs_per_minute,\n },\n };\n }\n }\n\n // ── Bulk read detection ───────────────────────────────────────────\n if (operation === \"state_read\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n const readCount = this.baseline.recordNamespaceRead(namespace);\n if (readCount > config.bulk_read_threshold) {\n return {\n reason: `Bulk read detected: ${readCount} reads from \"${namespace}\" in 60 seconds (threshold: ${config.bulk_read_threshold})`,\n context: {\n operation,\n namespace,\n reads_in_window: readCount,\n threshold: config.bulk_read_threshold,\n },\n };\n }\n }\n }\n\n // ── Frequency spike ───────────────────────────────────────────────\n const callRate = this.baseline.getCallRate(operation);\n const avgRate = this.baseline.getAverageCallRate();\n if (\n avgRate > 0 &&\n callRate > avgRate * config.frequency_spike_multiplier\n ) {\n return {\n reason: `Frequency spike: \"${operation}\" at ${callRate}/min (${config.frequency_spike_multiplier}× above average 
${avgRate.toFixed(1)}/min)`,\n context: {\n operation,\n current_rate: callRate,\n average_rate: avgRate,\n multiplier: config.frequency_spike_multiplier,\n },\n };\n }\n\n return null;\n }\n\n /**\n * Request approval from the human principal.\n */\n private async requestApproval(\n operation: string,\n tier: 1 | 2,\n reason: string,\n context: Record<string, unknown>\n ): Promise<GateResult> {\n const request: ApprovalRequest = {\n operation,\n tier,\n reason,\n context,\n timestamp: new Date().toISOString(),\n };\n\n const response = await this.channel.requestApproval(request);\n\n // Audit log the decision\n this.auditLog.append(\"l2\", `gate_${response.decision}:${operation}`, \"system\", {\n tier,\n reason,\n decided_by: response.decided_by,\n });\n\n return {\n allowed: response.decision === \"approve\",\n tier,\n reason: response.decision === \"approve\"\n ? `Approved by ${response.decided_by}`\n : reason,\n approval_required: true,\n approval_response: response,\n };\n }\n\n /**\n * Summarize tool arguments for the approval prompt.\n * Strips potentially large values to keep the prompt readable.\n */\n private summarizeArgs(args: Record<string, unknown>): Record<string, unknown> {\n const summary: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(args)) {\n if (typeof value === \"string\" && value.length > 100) {\n summary[key] = value.slice(0, 100) + \"...\";\n } else {\n summary[key] = value;\n }\n }\n return summary;\n }\n\n /** Get the baseline tracker for saving at session end */\n getBaseline(): BaselineTracker {\n return this.baseline;\n }\n}\n","/**\n * Sanctuary MCP Server — Principal Policy MCP Tools\n *\n * Read-only tools that let the agent (and human) inspect the current\n * Principal Policy and behavioral baseline. 
These are Tier 3 operations —\n * always allowed, audit-logged, and cannot modify the policy or baseline.\n *\n * Security invariant:\n * - These tools are strictly read-only.\n * - No tool can modify the Principal Policy (it's frozen at startup).\n * - No tool can directly modify the behavioral baseline.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { PrincipalPolicy } from \"./types.js\";\nimport type { BaselineTracker } from \"./baseline.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\nexport function createPrincipalPolicyTools(\n policy: PrincipalPolicy,\n baseline: BaselineTracker,\n auditLog: AuditLog\n): ToolDefinition[] {\n return [\n {\n name: \"sanctuary/principal_policy_view\",\n description:\n \"View the current Principal Policy — the human-controlled rules \" +\n \"governing what operations require approval. Read-only.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_defaults: {\n type: \"boolean\",\n description: \"Include tier3_always_allow list (can be long)\",\n default: false,\n },\n },\n },\n handler: async (args) => {\n const includeDefaults = args.include_defaults as boolean ?? 
false;\n\n const view: Record<string, unknown> = {\n version: policy.version,\n tier1_always_approve: policy.tier1_always_approve,\n tier2_anomaly: policy.tier2_anomaly,\n approval_channel: {\n type: policy.approval_channel.type,\n timeout_seconds: policy.approval_channel.timeout_seconds,\n auto_deny: policy.approval_channel.auto_deny,\n },\n };\n\n if (includeDefaults) {\n view.tier3_always_allow = policy.tier3_always_allow;\n } else {\n view.tier3_always_allow_count = policy.tier3_always_allow.length;\n view.note =\n \"Pass include_defaults: true to see the full tier3_always_allow list\";\n }\n\n auditLog.append(\"l2\", \"principal_policy_view\", \"system\", {\n include_defaults: includeDefaults,\n });\n\n return toolResult(view);\n },\n },\n\n {\n name: \"sanctuary/principal_baseline_view\",\n description:\n \"View the current behavioral baseline — the session profile used \" +\n \"for anomaly detection. Shows known namespaces, counterparties, \" +\n \"and tool call counts. Read-only.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const profile = baseline.getProfile();\n\n auditLog.append(\"l2\", \"principal_baseline_view\", \"system\");\n\n return toolResult({\n is_first_session: profile.is_first_session,\n session_started_at: profile.started_at,\n known_namespaces: profile.known_namespaces,\n known_counterparties: profile.known_counterparties,\n tool_call_counts: profile.tool_call_counts,\n last_saved: profile.saved_at ?? 
\"not yet saved\",\n });\n },\n },\n ];\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types\n *\n * Machine-readable, signed, versioned sovereignty capability advertisement.\n * An agent presents its SHR to counterparties to prove its sovereignty posture.\n * The SHR is signed by one of the instance's Ed25519 identities and can be\n * independently verified by any party without trusting the presenter.\n *\n * SHR version: 1.0\n */\n\n// ── Layer Status ─────────────────────────────────────────────────────\n\nexport type LayerStatus = \"active\" | \"degraded\" | \"inactive\";\nexport type DegradationSeverity = \"info\" | \"warning\" | \"critical\";\nexport type DegradationCode =\n | \"NO_TEE\"\n | \"PROCESS_ISOLATION_ONLY\"\n | \"COMMITMENT_ONLY\"\n | \"NO_ZK_PROOFS\"\n | \"SELF_REPORTED_ATTESTATION\"\n | \"NO_SELECTIVE_DISCLOSURE\"\n | \"BASIC_SYBIL_ONLY\";\n\n// ── SHR Body (signed content) ────────────────────────────────────────\n\nexport interface SHRLayerL1 {\n status: LayerStatus;\n encryption: string;\n key_custody: \"self\" | \"delegated\" | \"platform\";\n integrity: string;\n identity_type: string;\n state_portable: boolean;\n}\n\nexport interface SHRLayerL2 {\n status: LayerStatus;\n isolation_type: string;\n attestation_available: boolean;\n}\n\nexport interface SHRLayerL3 {\n status: LayerStatus;\n proof_system: string;\n selective_disclosure: boolean;\n}\n\nexport interface SHRLayerL4 {\n status: LayerStatus;\n reputation_mode: string;\n attestation_format: string;\n reputation_portable: boolean;\n}\n\nexport interface SHRDegradation {\n layer: \"l1\" | \"l2\" | \"l3\" | \"l4\";\n code: DegradationCode;\n severity: DegradationSeverity;\n description: string;\n mitigation?: string;\n}\n\nexport interface SHRCapabilities {\n handshake: boolean;\n shr_exchange: boolean;\n reputation_verify: boolean;\n encrypted_channel: boolean;\n}\n\n/**\n * The SHR body — the content that gets signed.\n * Canonical form: JSON with sorted keys, 
no whitespace.\n */\nexport interface SHRBody {\n shr_version: \"1.0\";\n instance_id: string;\n generated_at: string;\n expires_at: string;\n layers: {\n l1: SHRLayerL1;\n l2: SHRLayerL2;\n l3: SHRLayerL3;\n l4: SHRLayerL4;\n };\n capabilities: SHRCapabilities;\n degradations: SHRDegradation[];\n}\n\n/**\n * The complete signed SHR — body + signature envelope.\n */\nexport interface SignedSHR {\n body: SHRBody;\n signed_by: string; // Public key (base64url)\n signature: string; // Ed25519 signature over canonical body (base64url)\n}\n\n// ── Verification result ──────────────────────────────────────────────\n\nexport interface SHRVerificationResult {\n valid: boolean;\n errors: string[];\n warnings: string[];\n sovereignty_level: \"full\" | \"degraded\" | \"minimal\";\n counterparty_id: string;\n expires_at: string;\n}\n\n// ── Canonical serialization ──────────────────────────────────────────\n\n/**\n * Produce a canonical JSON representation of an SHR body.\n * Sorted keys, no whitespace — deterministic for signing.\n */\nexport function canonicalize(body: SHRBody): string {\n return JSON.stringify(body, Object.keys(body).sort(), 0)\n .replace(/\\n/g, \"\");\n}\n\n/**\n * Deep-sort an object's keys for canonical JSON.\n * Handles nested objects and arrays.\n */\nexport function deepSortKeys(obj: unknown): unknown {\n if (obj === null || typeof obj !== \"object\") return obj;\n if (Array.isArray(obj)) return obj.map(deepSortKeys);\n const sorted: Record<string, unknown> = {};\n for (const key of Object.keys(obj as Record<string, unknown>).sort()) {\n sorted[key] = deepSortKeys((obj as Record<string, unknown>)[key]);\n }\n return sorted;\n}\n\n/**\n * Canonical serialization suitable for signing.\n */\nexport function canonicalizeForSigning(body: SHRBody): string {\n return JSON.stringify(deepSortKeys(body));\n}\n","/**\n * Sanctuary MCP Server — SHR Generator\n *\n * Generates a Sovereignty Health Report from current server state,\n * signs it with a specified 
identity, and returns the complete signed SHR.\n */\n\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type {\n SHRBody,\n SignedSHR,\n SHRDegradation,\n DegradationCode,\n} from \"./types.js\";\nimport { canonicalizeForSigning } from \"./types.js\";\nimport { sign } from \"../core/identity.js\";\nimport { toBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\n\n/** Default SHR validity window: 1 hour */\nconst DEFAULT_VALIDITY_MS = 60 * 60 * 1000;\n\nexport interface SHRGeneratorOptions {\n config: SanctuaryConfig;\n identityManager: IdentityManager;\n masterKey: Uint8Array;\n /** Override validity window (milliseconds). Default: 1 hour. */\n validityMs?: number;\n}\n\n/**\n * Generate and sign a Sovereignty Health Report.\n *\n * @param identityId - Which identity to sign with (defaults to primary)\n * @param opts - Generator dependencies\n * @returns The signed SHR, or an error string\n */\nexport function generateSHR(\n identityId: string | undefined,\n opts: SHRGeneratorOptions\n): SignedSHR | string {\n const { config, identityManager, masterKey, validityMs } = opts;\n\n // Resolve signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return \"No identity available for signing. Create an identity first.\";\n }\n\n const now = new Date();\n const expiresAt = new Date(now.getTime() + (validityMs ?? 
DEFAULT_VALIDITY_MS));\n\n // Assess degradations\n const degradations: SHRDegradation[] = [];\n\n if (config.execution.environment === \"local-process\") {\n degradations.push({\n layer: \"l2\",\n code: \"PROCESS_ISOLATION_ONLY\" as DegradationCode,\n severity: \"warning\",\n description: \"Process-level isolation only (no TEE)\",\n mitigation: \"TEE support planned for v0.3.0\",\n });\n degradations.push({\n layer: \"l2\",\n code: \"SELF_REPORTED_ATTESTATION\" as DegradationCode,\n severity: \"warning\",\n description: \"Attestation is self-reported (no hardware root of trust)\",\n mitigation: \"TEE attestation planned for v0.3.0\",\n });\n }\n\n if (config.disclosure.proof_system === \"commitment-only\") {\n degradations.push({\n layer: \"l3\",\n code: \"COMMITMENT_ONLY\" as DegradationCode,\n severity: \"info\",\n description: \"Commitment schemes only (no ZK proofs)\",\n mitigation: \"ZK proof support planned for future release\",\n });\n }\n\n // Build the SHR body\n const body: SHRBody = {\n shr_version: \"1.0\",\n instance_id: identity.identity_id,\n generated_at: now.toISOString(),\n expires_at: expiresAt.toISOString(),\n layers: {\n l1: {\n status: \"active\",\n encryption: config.state.encryption,\n key_custody: \"self\",\n integrity: config.state.integrity,\n identity_type: config.state.identity_provider,\n state_portable: true,\n },\n l2: {\n status: config.execution.environment === \"local-process\"\n ? \"degraded\"\n : \"active\",\n isolation_type: config.execution.environment,\n attestation_available: config.execution.attestation,\n },\n l3: {\n status: config.disclosure.proof_system === \"commitment-only\"\n ? 
\"degraded\"\n : \"active\",\n proof_system: config.disclosure.proof_system,\n selective_disclosure: config.disclosure.proof_system !== \"commitment-only\",\n },\n l4: {\n status: \"active\",\n reputation_mode: config.reputation.mode,\n attestation_format: config.reputation.attestation_format,\n reputation_portable: true,\n },\n },\n capabilities: {\n handshake: true,\n shr_exchange: true,\n reputation_verify: true,\n encrypted_channel: false, // Not yet implemented\n },\n degradations,\n };\n\n // Canonical serialization for signing\n const canonical = canonicalizeForSigning(body);\n const payload = stringToBytes(canonical);\n\n // Sign with the identity's private key\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const signatureBytes = sign(\n payload,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n return {\n body,\n signed_by: identity.public_key,\n signature: toBase64url(signatureBytes),\n };\n}\n","/**\n * Sanctuary MCP Server — SHR Verifier\n *\n * Verifies a counterparty's Sovereignty Health Report:\n * - Signature validity (Ed25519 over canonical body)\n * - Temporal validity (not expired)\n * - Schema completeness\n * - Sovereignty level assessment\n */\n\nimport type { SignedSHR, SHRVerificationResult, SHRBody } from \"./types.js\";\nimport { canonicalizeForSigning } from \"./types.js\";\nimport { verify } from \"../core/identity.js\";\nimport { fromBase64url, stringToBytes } from \"../core/encoding.js\";\n\n/**\n * Verify a signed SHR.\n *\n * @param shr - The signed SHR to verify\n * @param now - Optional override for current time (for testing)\n * @returns Verification result with validity, errors, warnings, and sovereignty assessment\n */\nexport function verifySHR(\n shr: SignedSHR,\n now?: Date\n): SHRVerificationResult {\n const errors: string[] = [];\n const warnings: string[] = [];\n const currentTime = now ?? new Date();\n\n // 1. 
Schema validation\n if (!shr.body || !shr.signed_by || !shr.signature) {\n errors.push(\"Missing required SHR fields (body, signed_by, or signature)\");\n return {\n valid: false,\n errors,\n warnings,\n sovereignty_level: \"minimal\",\n counterparty_id: shr.body?.instance_id ?? \"unknown\",\n expires_at: shr.body?.expires_at ?? \"unknown\",\n };\n }\n\n if (shr.body.shr_version !== \"1.0\") {\n errors.push(`Unsupported SHR version: ${shr.body.shr_version}`);\n }\n\n // 2. Temporal validation\n const expiresAt = new Date(shr.body.expires_at);\n if (isNaN(expiresAt.getTime())) {\n errors.push(\"Invalid expires_at timestamp\");\n } else if (currentTime > expiresAt) {\n errors.push(`SHR expired at ${shr.body.expires_at}`);\n }\n\n const generatedAt = new Date(shr.body.generated_at);\n if (isNaN(generatedAt.getTime())) {\n errors.push(\"Invalid generated_at timestamp\");\n } else if (generatedAt > currentTime) {\n warnings.push(\"SHR generated_at is in the future — clock skew detected\");\n }\n\n // 3. Signature verification\n try {\n const publicKey = fromBase64url(shr.signed_by);\n const signatureBytes = fromBase64url(shr.signature);\n const canonical = canonicalizeForSigning(shr.body);\n const payload = stringToBytes(canonical);\n\n const signatureValid = verify(payload, signatureBytes, publicKey);\n if (!signatureValid) {\n errors.push(\"Invalid signature — SHR may have been tampered with\");\n }\n } catch (e) {\n errors.push(`Signature verification failed: ${(e as Error).message}`);\n }\n\n // 4. Layer completeness check\n const { layers } = shr.body;\n if (!layers.l1 || !layers.l2 || !layers.l3 || !layers.l4) {\n errors.push(\"Missing one or more layer definitions\");\n }\n\n // 5. Assess sovereignty level\n const sovereigntyLevel = assessSovereigntyLevel(shr.body);\n\n // 6. Add warnings for degradations\n for (const d of shr.body.degradations ?? 
[]) {\n if (d.severity === \"critical\") {\n warnings.push(`Critical degradation in ${d.layer}: ${d.description}`);\n }\n }\n\n return {\n valid: errors.length === 0,\n errors,\n warnings,\n sovereignty_level: sovereigntyLevel,\n counterparty_id: shr.body.instance_id,\n expires_at: shr.body.expires_at,\n };\n}\n\n/**\n * Assess the overall sovereignty level from an SHR body.\n */\nfunction assessSovereigntyLevel(\n body: SHRBody\n): \"full\" | \"degraded\" | \"minimal\" {\n const { l1, l2, l3, l4 } = body.layers;\n\n // All active = full\n if (\n l1.status === \"active\" &&\n l2.status === \"active\" &&\n l3.status === \"active\" &&\n l4.status === \"active\"\n ) {\n return \"full\";\n }\n\n // L1 must be active for anything above minimal\n if (l1.status !== \"active\") {\n return \"minimal\";\n }\n\n // L1 active but others degraded = degraded\n if (l4.status === \"active\" || l4.status === \"degraded\") {\n return \"degraded\";\n }\n\n return \"minimal\";\n}\n","/**\n * Sanctuary MCP Server — SHR MCP Tools\n *\n * MCP tool definitions for generating and verifying Sovereignty Health Reports.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateSHR, type SHRGeneratorOptions } from \"./generator.js\";\nimport { verifySHR } from \"./verifier.js\";\nimport type { SignedSHR } from \"./types.js\";\n\nexport function createSHRTools(\n config: SanctuaryConfig,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[] } {\n const generatorOpts: SHRGeneratorOptions = {\n config,\n identityManager,\n masterKey,\n };\n\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/shr_generate\",\n description:\n \"Generate a signed Sovereignty Health Report (SHR) — 
a machine-readable, \" +\n \"cryptographically signed advertisement of this instance's sovereignty posture. \" +\n \"Present this to counterparties to prove your sovereignty capabilities.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: {\n type: \"string\",\n description:\n \"Identity to sign the SHR with. Defaults to primary identity.\",\n },\n validity_minutes: {\n type: \"number\",\n description: \"How long the SHR is valid (minutes). Default: 60.\",\n },\n },\n },\n handler: async (args) => {\n const validityMs = args.validity_minutes\n ? (args.validity_minutes as number) * 60 * 1000\n : undefined;\n\n const result = generateSHR(args.identity_id as string | undefined, {\n ...generatorOpts,\n validityMs,\n });\n\n if (typeof result === \"string\") {\n return toolResult({ error: result });\n }\n\n auditLog.append(\"l2\", \"shr_generate\", result.body.instance_id);\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/shr_verify\",\n description:\n \"Verify a counterparty's Sovereignty Health Report (SHR). \" +\n \"Checks signature validity, temporal validity, and assesses sovereignty level.\",\n inputSchema: {\n type: \"object\",\n properties: {\n shr: {\n type: \"object\",\n description: \"The signed SHR to verify (full SignedSHR object).\",\n },\n },\n required: [\"shr\"],\n },\n handler: async (args) => {\n const shr = args.shr as unknown as SignedSHR;\n const result = verifySHR(shr);\n\n auditLog.append(\n \"l2\",\n \"shr_verify\",\n result.counterparty_id,\n undefined,\n result.valid ? 
\"success\" : \"failure\"\n );\n\n return toolResult(result);\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Handshake Protocol\n *\n * Core handshake logic: initiate, respond, complete.\n * Nonce-based challenge-response prevents replay attacks.\n * SHR signatures are verified at each step.\n */\n\nimport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n HandshakeSession,\n SovereigntyLevel,\n TrustTier,\n} from \"./types.js\";\nimport type { SignedSHR } from \"../shr/types.js\";\nimport { verifySHR } from \"../shr/verifier.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\n\n/** Generate a cryptographic nonce for handshake */\nfunction generateNonce(): string {\n return toBase64url(randomBytes(32));\n}\n\n/**\n * Step 1: Initiate a handshake.\n * Generates a challenge containing our SHR and a nonce.\n */\nexport function initiateHandshake(\n ourSHR: SignedSHR\n): { challenge: HandshakeChallenge; session: HandshakeSession } {\n const nonce = generateNonce();\n const sessionId = toBase64url(randomBytes(16));\n\n const challenge: HandshakeChallenge = {\n protocol_version: \"1.0\",\n shr: ourSHR,\n nonce,\n initiated_at: new Date().toISOString(),\n };\n\n const session: HandshakeSession = {\n session_id: sessionId,\n role: \"initiator\",\n state: \"initiated\",\n our_nonce: nonce,\n our_shr: ourSHR,\n initiated_at: challenge.initiated_at,\n };\n\n return { challenge, session };\n}\n\n/**\n * Step 2: Respond to a handshake challenge.\n * Verifies the initiator's SHR, signs their nonce, generates our nonce.\n */\nexport function respondToHandshake(\n challenge: HandshakeChallenge,\n ourSHR: SignedSHR,\n 
identityManager: IdentityManager,\n masterKey: Uint8Array,\n identityId?: string\n): { response: HandshakeResponse; session: HandshakeSession } | { error: string } {\n // Validate protocol version\n if (challenge.protocol_version !== \"1.0\") {\n return { error: `Unsupported protocol version: ${challenge.protocol_version}` };\n }\n\n // Verify the initiator's SHR\n const shrResult = verifySHR(challenge.shr);\n if (!shrResult.valid) {\n return { error: `Initiator SHR verification failed: ${shrResult.errors.join(\", \")}` };\n }\n\n // Resolve signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return { error: \"No identity available for signing\" };\n }\n\n // Sign the initiator's nonce (proves we received it, prevents replay)\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const nonceBytes = stringToBytes(challenge.nonce);\n const nonceSignature = sign(\n nonceBytes,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n const responderNonce = generateNonce();\n\n const response: HandshakeResponse = {\n protocol_version: \"1.0\",\n shr: ourSHR,\n responder_nonce: responderNonce,\n initiator_nonce_signature: toBase64url(nonceSignature),\n responded_at: new Date().toISOString(),\n };\n\n const session: HandshakeSession = {\n session_id: toBase64url(randomBytes(16)),\n role: \"responder\",\n state: \"responded\",\n our_nonce: responderNonce,\n their_nonce: challenge.nonce,\n our_shr: ourSHR,\n their_shr: challenge.shr,\n initiated_at: challenge.initiated_at,\n };\n\n return { response, session };\n}\n\n/**\n * Step 3: Complete the handshake (initiator side).\n * Verifies the responder's SHR and nonce signature, signs responder's nonce.\n */\nexport function completeHandshake(\n response: HandshakeResponse,\n session: HandshakeSession,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n identityId?: string\n): { completion: 
HandshakeCompletion; result: HandshakeResult } | { error: string } {\n // Validate protocol version\n if (response.protocol_version !== \"1.0\") {\n return { error: `Unsupported protocol version: ${response.protocol_version}` };\n }\n\n // Verify the responder's SHR\n const shrResult = verifySHR(response.shr);\n if (!shrResult.valid) {\n return { error: `Responder SHR verification failed: ${shrResult.errors.join(\", \")}` };\n }\n\n // Verify the responder signed our nonce correctly\n const responderPublicKey = fromBase64url(response.shr.signed_by);\n const ourNonceBytes = stringToBytes(session.our_nonce);\n const nonceSignatureBytes = fromBase64url(response.initiator_nonce_signature);\n\n const nonceSignatureValid = verify(\n ourNonceBytes,\n nonceSignatureBytes,\n responderPublicKey\n );\n if (!nonceSignatureValid) {\n return { error: \"Responder's nonce signature is invalid — possible replay or MITM\" };\n }\n\n // Resolve our signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return { error: \"No identity available for signing\" };\n }\n\n // Sign the responder's nonce\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const responderNonceBytes = stringToBytes(response.responder_nonce);\n const responderNonceSignature = sign(\n responderNonceBytes,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n const now = new Date().toISOString();\n\n const completion: HandshakeCompletion = {\n protocol_version: \"1.0\",\n responder_nonce_signature: toBase64url(responderNonceSignature),\n completed_at: now,\n };\n\n // Determine sovereignty level and trust tier\n const sovereigntyLevel = shrResult.sovereignty_level as SovereigntyLevel;\n const trustTier = deriveTrustTier(sovereigntyLevel);\n\n const result: HandshakeResult = {\n counterparty_id: shrResult.counterparty_id,\n counterparty_shr: response.shr,\n verified: true,\n sovereignty_level: 
sovereigntyLevel,\n trust_tier: trustTier,\n completed_at: now,\n expires_at: shrResult.expires_at,\n errors: [],\n };\n\n return { completion, result };\n}\n\n/**\n * Step 4: Verify completion (responder side).\n * Verifies the initiator signed our nonce correctly.\n */\nexport function verifyCompletion(\n completion: HandshakeCompletion,\n session: HandshakeSession\n): HandshakeResult {\n const errors: string[] = [];\n\n if (!session.their_shr) {\n return {\n counterparty_id: \"unknown\",\n counterparty_shr: session.our_shr, // placeholder\n verified: false,\n sovereignty_level: \"unverified\",\n trust_tier: \"unverified\",\n completed_at: completion.completed_at,\n expires_at: new Date().toISOString(),\n errors: [\"No initiator SHR in session state\"],\n };\n }\n\n // Verify the initiator signed our nonce\n const initiatorPublicKey = fromBase64url(session.their_shr.signed_by);\n const ourNonceBytes = stringToBytes(session.our_nonce);\n const nonceSignatureBytes = fromBase64url(completion.responder_nonce_signature);\n\n const nonceSignatureValid = verify(\n ourNonceBytes,\n nonceSignatureBytes,\n initiatorPublicKey\n );\n\n if (!nonceSignatureValid) {\n errors.push(\"Initiator's nonce signature is invalid — possible replay or MITM\");\n }\n\n // Verify the initiator's SHR (may have been verified earlier, but check expiry)\n const shrResult = verifySHR(session.their_shr);\n if (!shrResult.valid) {\n errors.push(...shrResult.errors);\n }\n\n const verified = errors.length === 0;\n const sovereigntyLevel: SovereigntyLevel = verified\n ? 
(shrResult.sovereignty_level as SovereigntyLevel)\n : \"unverified\";\n\n return {\n counterparty_id: session.their_shr.body.instance_id,\n counterparty_shr: session.their_shr,\n verified,\n sovereignty_level: sovereigntyLevel,\n trust_tier: deriveTrustTier(sovereigntyLevel),\n completed_at: completion.completed_at,\n expires_at: session.their_shr.body.expires_at,\n errors,\n };\n}\n\n/**\n * Derive trust tier from sovereignty level.\n */\nfunction deriveTrustTier(level: SovereigntyLevel): TrustTier {\n switch (level) {\n case \"full\":\n return \"verified-sovereign\";\n case \"degraded\":\n return \"verified-degraded\";\n default:\n return \"unverified\";\n }\n}\n","/**\n * Sanctuary MCP Server — Handshake MCP Tools\n *\n * MCP tool definitions for the sovereignty handshake protocol.\n * Four tools map to the four protocol steps:\n * 1. handshake_initiate — Start a handshake\n * 2. handshake_respond — Respond to an incoming challenge\n * 3. handshake_complete — Complete a handshake (initiator side)\n * 4. 
handshake_status — Check status of handshake sessions\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateSHR, type SHRGeneratorOptions } from \"../shr/generator.js\";\nimport {\n initiateHandshake,\n respondToHandshake,\n completeHandshake,\n verifyCompletion,\n} from \"./protocol.js\";\nimport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeSession,\n} from \"./types.js\";\n\nexport function createHandshakeTools(\n config: SanctuaryConfig,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[] } {\n // In-memory session store (per server instance lifetime)\n const sessions = new Map<string, HandshakeSession>();\n\n const shrOpts: SHRGeneratorOptions = {\n config,\n identityManager,\n masterKey,\n };\n\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/handshake_initiate\",\n description:\n \"Initiate a sovereignty handshake with a counterparty. \" +\n \"Generates a challenge containing this instance's signed SHR and a cryptographic nonce. \" +\n \"Send the returned challenge to the counterparty.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: {\n type: \"string\",\n description:\n \"Identity to use for the handshake. 
Defaults to primary identity.\",\n },\n },\n },\n handler: async (args) => {\n // Generate our SHR\n const shr = generateSHR(args.identity_id as string | undefined, shrOpts);\n if (typeof shr === \"string\") {\n return toolResult({ error: shr });\n }\n\n const { challenge, session } = initiateHandshake(shr);\n sessions.set(session.session_id, session);\n\n auditLog.append(\"l4\", \"handshake_initiate\", shr.body.instance_id);\n\n return toolResult({\n session_id: session.session_id,\n challenge,\n instructions:\n \"Send the 'challenge' object to the counterparty's sanctuary/handshake_respond tool. \" +\n \"When you receive their response, pass it to sanctuary/handshake_complete with this session_id.\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_respond\",\n description:\n \"Respond to an incoming sovereignty handshake challenge. \" +\n \"Verifies the initiator's SHR, signs their nonce, and returns our SHR with a counter-nonce.\",\n inputSchema: {\n type: \"object\",\n properties: {\n challenge: {\n type: \"object\",\n description: \"The HandshakeChallenge received from the initiator.\",\n },\n identity_id: {\n type: \"string\",\n description:\n \"Identity to use for the response. 
Defaults to primary identity.\",\n },\n },\n required: [\"challenge\"],\n },\n handler: async (args) => {\n const challenge = args.challenge as unknown as HandshakeChallenge;\n\n // Generate our SHR\n const shr = generateSHR(args.identity_id as string | undefined, shrOpts);\n if (typeof shr === \"string\") {\n return toolResult({ error: shr });\n }\n\n const result = respondToHandshake(\n challenge,\n shr,\n identityManager,\n masterKey,\n args.identity_id as string | undefined\n );\n\n if (\"error\" in result) {\n auditLog.append(\"l4\", \"handshake_respond\", shr.body.instance_id, undefined, \"failure\");\n return toolResult({ error: result.error });\n }\n\n sessions.set(result.session.session_id, result.session);\n\n auditLog.append(\"l4\", \"handshake_respond\", shr.body.instance_id);\n\n return toolResult({\n session_id: result.session.session_id,\n response: result.response,\n instructions:\n \"Send the 'response' object back to the initiator. \" +\n \"When you receive their completion, pass it to sanctuary/handshake_status with this session_id.\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_complete\",\n description:\n \"Complete a sovereignty handshake (initiator side). 
\" +\n \"Verifies the responder's SHR and nonce signature, signs their nonce, and produces the final result.\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Session ID from handshake_initiate.\",\n },\n response: {\n type: \"object\",\n description: \"The HandshakeResponse received from the responder.\",\n },\n },\n required: [\"session_id\", \"response\"],\n },\n handler: async (args) => {\n const sessionId = args.session_id as string;\n const response = args.response as unknown as HandshakeResponse;\n\n const session = sessions.get(sessionId);\n if (!session) {\n return toolResult({ error: `No handshake session found: ${sessionId}` });\n }\n if (session.state !== \"initiated\") {\n return toolResult({\n error: `Session is in state '${session.state}', expected 'initiated'`,\n });\n }\n\n const result = completeHandshake(\n response,\n session,\n identityManager,\n masterKey\n );\n\n if (\"error\" in result) {\n session.state = \"failed\";\n auditLog.append(\"l4\", \"handshake_complete\", session.our_shr.body.instance_id, undefined, \"failure\");\n return toolResult({ error: result.error });\n }\n\n session.state = \"completed\";\n session.their_shr = response.shr;\n session.their_nonce = response.responder_nonce;\n session.result = result.result;\n\n auditLog.append(\"l4\", \"handshake_complete\", session.our_shr.body.instance_id);\n\n return toolResult({\n completion: result.completion,\n result: result.result,\n instructions:\n \"Send the 'completion' object to the responder so they can verify the handshake. 
\" +\n \"The 'result' object contains the verified counterparty status and trust tier.\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_status\",\n description:\n \"Check the status of a handshake session, or verify a completion message (responder side).\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Session ID to check.\",\n },\n completion: {\n type: \"object\",\n description:\n \"Optional: HandshakeCompletion from the initiator (responder-side verification).\",\n },\n },\n required: [\"session_id\"],\n },\n handler: async (args) => {\n const sessionId = args.session_id as string;\n const completion = args.completion as unknown as HandshakeCompletion | undefined;\n\n const session = sessions.get(sessionId);\n if (!session) {\n return toolResult({ error: `No handshake session found: ${sessionId}` });\n }\n\n // If completion is provided, verify it (responder side)\n if (completion && session.role === \"responder\" && session.state === \"responded\") {\n const result = verifyCompletion(completion, session);\n session.state = result.verified ? \"completed\" : \"failed\";\n session.result = result;\n\n auditLog.append(\n \"l4\",\n \"handshake_verify_completion\",\n session.our_shr.body.instance_id,\n undefined,\n result.verified ? \"success\" : \"failure\"\n );\n\n return toolResult({ result });\n }\n\n // Otherwise just return session status\n return toolResult({\n session_id: session.session_id,\n role: session.role,\n state: session.state,\n initiated_at: session.initiated_at,\n result: session.result ?? 
null,\n });\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — Main Entry Point\n *\n * Initializes and exports the Sanctuary MCP server.\n * Wires together: config → storage → crypto core → L1-L4 tools → MCP server\n */\n\nimport { mkdir } from \"node:fs/promises\";\nimport { loadConfig, saveConfig, type SanctuaryConfig } from \"./config.js\";\nimport { FilesystemStorage } from \"./storage/filesystem.js\";\nimport type { StorageBackend } from \"./storage/interface.js\";\nimport { StateStore } from \"./l1-cognitive/state-store.js\";\nimport { createL1Tools } from \"./l1-cognitive/tools.js\";\nimport { AuditLog } from \"./l2-operational/audit-log.js\";\nimport { createL3Tools } from \"./l3-disclosure/tools.js\";\nimport { createL4Tools } from \"./l4-reputation/tools.js\";\nimport { loadPrincipalPolicy } from \"./principal-policy/loader.js\";\nimport { BaselineTracker } from \"./principal-policy/baseline.js\";\nimport { StderrApprovalChannel } from \"./principal-policy/approval-channel.js\";\nimport { ApprovalGate } from \"./principal-policy/gate.js\";\nimport { createPrincipalPolicyTools } from \"./principal-policy/tools.js\";\nimport { createServer, type ToolDefinition } from \"./router.js\";\nimport { toolResult } from \"./router.js\";\nimport { createSHRTools } from \"./shr/tools.js\";\nimport { createHandshakeTools } from \"./handshake/tools.js\";\nimport { deriveMasterKey, type KeyDerivationParams } from \"./core/key-derivation.js\";\nimport { generateRandomKey } from \"./core/random.js\";\nimport { toBase64url } from \"./core/encoding.js\";\n\nimport type { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\n\nexport interface SanctuaryServer {\n server: Server;\n config: SanctuaryConfig;\n}\n\n/**\n * Initialize the Sanctuary MCP Server.\n *\n * @param options - Configuration overrides and initialization options\n * @returns The configured MCP server, ready to connect to a transport\n */\nexport async function 
createSanctuaryServer(options?: {\n configPath?: string;\n passphrase?: string;\n storage?: StorageBackend;\n}): Promise<SanctuaryServer> {\n // 1. Load configuration\n const config = await loadConfig(options?.configPath);\n\n // 2. Ensure storage directory exists\n await mkdir(config.storage_path, { recursive: true, mode: 0o700 });\n\n // 3. Initialize storage backend\n const storage = options?.storage ?? new FilesystemStorage(\n `${config.storage_path}/state`\n );\n\n // 4. Derive or generate master key\n let masterKey: Uint8Array;\n let keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\";\n let recoveryKey: string | undefined;\n\n const passphrase = options?.passphrase ?? process.env.SANCTUARY_PASSPHRASE;\n\n if (passphrase) {\n // Passphrase path: derive master key via Argon2id\n keyProtection = \"passphrase\";\n\n // Check for existing derivation params\n let existingParams: KeyDerivationParams | undefined;\n try {\n const raw = await storage.read(\"_meta\", \"key-params\");\n if (raw) {\n const { bytesToString } = await import(\"./core/encoding.js\");\n existingParams = JSON.parse(bytesToString(raw));\n }\n } catch {\n // No existing params — first run\n }\n\n const result = await deriveMasterKey(passphrase, existingParams);\n masterKey = result.key;\n\n // Store derivation params (not the key!) 
for re-derivation\n if (!existingParams) {\n const { stringToBytes } = await import(\"./core/encoding.js\");\n await storage.write(\n \"_meta\",\n \"key-params\",\n stringToBytes(JSON.stringify(result.params))\n );\n }\n } else {\n // Recovery key path: generate random master key\n keyProtection = \"recovery-key\";\n\n // Check if we already have a stored (encrypted) master key reference\n const existing = await storage.read(\"_meta\", \"recovery-key-hash\");\n if (existing) {\n // Existing installation — we need the recovery key to proceed\n // For now, generate a new key (first-run scenario)\n // TODO: prompt for recovery key on subsequent runs\n masterKey = generateRandomKey();\n recoveryKey = toBase64url(masterKey);\n } else {\n masterKey = generateRandomKey();\n recoveryKey = toBase64url(masterKey);\n\n // Store a hash of the recovery key so we can verify it later\n const { hashToString } = await import(\"./core/hashing.js\");\n const { stringToBytes } = await import(\"./core/encoding.js\");\n const keyHash = hashToString(masterKey);\n await storage.write(\n \"_meta\",\n \"recovery-key-hash\",\n stringToBytes(keyHash)\n );\n }\n }\n\n // 5. Initialize audit log\n const auditLog = new AuditLog(storage, masterKey);\n\n // 6. Initialize state store\n const stateStore = new StateStore(storage, masterKey);\n\n // 7. Create L1 tools\n const { tools: l1Tools, identityManager } = createL1Tools(\n stateStore,\n storage,\n masterKey,\n keyProtection,\n auditLog\n );\n\n // 8. Load existing identities\n await identityManager.load();\n\n // 9. 
Create L2 monitoring tools\n const l2Tools: ToolDefinition[] = [\n {\n name: \"sanctuary/exec_attest\",\n description:\n \"Generate an attestation of the current execution environment, \" +\n \"including sovereignty assessment and degradation report.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_hardware: { type: \"boolean\", default: true },\n include_software: { type: \"boolean\", default: true },\n include_network: { type: \"boolean\", default: true },\n },\n },\n handler: async () => {\n const degradations: string[] = [];\n\n // L2 is self-reported in MVS\n degradations.push(\n \"L2 isolation is process-level only; no TEE available\"\n );\n\n // L3 is commitment-only in MVS\n if (config.disclosure.proof_system === \"commitment-only\") {\n degradations.push(\n \"L3 proofs are commitment-based only; ZK proofs not yet available\"\n );\n }\n\n return toolResult({\n attestation: {\n environment_type: config.execution.environment,\n hardware: {\n cpu_vendor: process.arch,\n tee_available: false,\n tee_type: undefined,\n },\n software: {\n os: `${process.platform}-${process.arch}`,\n runtime: `node-${process.version}`,\n sanctuary_version: config.version,\n mcp_sdk_version: \"1.26.0\",\n },\n network: {\n internet_accessible: true, // Conservative assumption\n listening_ports: [],\n egress_restricted: false,\n },\n isolation_level: \"process\",\n sovereignty_assessment: {\n l1_state_encrypted: true,\n l2_execution_isolated: false,\n l2_isolation_type: \"process-level\",\n l3_proofs_available:\n config.disclosure.proof_system !== \"commitment-only\",\n l4_reputation_active: true,\n overall_level: \"mvs\",\n degradations,\n },\n },\n attested_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/monitor_health\",\n description:\n \"Sanctuary Health Report (SHR) — standardized sovereignty status.\",\n inputSchema: { type: \"object\", properties: {} },\n handler: async () => {\n const storageSizeBytes = await storage.totalSize();\n 
const degradations: Array<{\n layer: string;\n description: string;\n severity: string;\n mitigation: string;\n }> = [];\n\n degradations.push({\n layer: \"l2\",\n description: \"Process-level isolation only (no TEE)\",\n severity: \"warning\",\n mitigation: \"TEE support planned for v0.3.0\",\n });\n\n if (config.disclosure.proof_system === \"commitment-only\") {\n degradations.push({\n layer: \"l3\",\n description: \"Commitment schemes only (no ZK proofs)\",\n severity: \"info\",\n mitigation: \"ZK proof support planned for v0.2.0\",\n });\n }\n\n return toolResult({\n status: degradations.some((d) => d.severity === \"critical\")\n ? \"compromised\"\n : degradations.some((d) => d.severity === \"warning\")\n ? \"degraded\"\n : \"healthy\",\n storage_bytes: storageSizeBytes,\n layers: {\n l1: {\n status: \"active\",\n encryption_algorithm: \"aes-256-gcm\",\n key_count: identityManager.list().length,\n state_integrity: \"verified\",\n last_integrity_check: new Date().toISOString(),\n },\n l2: {\n status: \"degraded\",\n isolation_type: \"process-level\",\n attestation_available: true,\n last_attestation: new Date().toISOString(),\n },\n l3: {\n status:\n config.disclosure.proof_system === \"commitment-only\"\n ? 
\"degraded\"\n : \"active\",\n proof_system: config.disclosure.proof_system,\n circuits_loaded: 0,\n proofs_generated_total: 0,\n },\n l4: {\n status: \"active\",\n mode: config.reputation.mode,\n interaction_count: 0, // TODO: track from reputation store\n reputation_exportable: true,\n },\n },\n degradations,\n checked_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/monitor_audit_log\",\n description: \"Query the sovereignty audit log.\",\n inputSchema: {\n type: \"object\",\n properties: {\n since: { type: \"string\", description: \"ISO 8601 timestamp\" },\n layer: {\n type: \"string\",\n enum: [\"l1\", \"l2\", \"l3\", \"l4\"],\n },\n operation_type: { type: \"string\" },\n limit: { type: \"number\", default: 50 },\n },\n },\n handler: async (args) => {\n const result = await auditLog.query({\n since: args.since as string | undefined,\n layer: args.layer as \"l1\" | \"l2\" | \"l3\" | \"l4\" | undefined,\n operation_type: args.operation_type as string | undefined,\n limit: (args.limit as number) ?? 50,\n });\n return toolResult(result);\n },\n },\n ];\n\n // 10. 
Create SIM manifest tool\n const manifestTool: ToolDefinition = {\n name: \"sanctuary/manifest\",\n description:\n \"Generate the Sanctuary Interface Manifest (SIM) — \" +\n \"a machine-readable declaration of this server's capabilities.\",\n inputSchema: { type: \"object\", properties: {} },\n handler: async () => {\n return toolResult({\n sanctuary_version: \"0.2\",\n implementation: {\n name: \"@sanctuary-framework/mcp-server\",\n version: config.version,\n language: \"typescript\",\n license: \"Apache-2.0\",\n },\n layers: {\n l1: {\n implemented: true,\n interfaces: [\"StateStore\", \"IdentityRoot\"],\n encryption: [\"aes-256-gcm\"],\n identity: [\"ed25519\"],\n properties: {\n \"S1.1_participant_held_keys\": \"full\",\n \"S1.2_encryption_at_rest\": \"full\",\n \"S1.3_integrity_verification\": \"full\",\n \"S1.4_selective_state_sharing\": \"full\",\n \"S1.5_state_portability\": \"full\",\n \"S1.6_deletion_rights\": \"full\",\n \"S1.7_identity_anchoring\": \"partial\",\n },\n },\n l2: {\n implemented: true,\n interfaces: [\"ExecutionEnvironment\", \"RuntimeMonitor\"],\n isolation_types: [config.execution.environment],\n properties: {\n \"S2.1_execution_confidentiality\": \"documented\",\n \"S2.2_verifiable_execution\": \"self-reported\",\n \"S2.5_attestation\": \"self-reported\",\n },\n },\n l3: {\n implemented: true,\n interfaces: [\"ProofEngine\", \"DisclosurePolicy\"],\n proof_systems: [config.disclosure.proof_system],\n properties: {\n \"S3.1_minimum_disclosure\": \"policy-based\",\n \"S3.3_proof_without_revelation\": \"commitment\",\n },\n },\n l4: {\n implemented: true,\n interfaces: [\"ReputationStore\", \"TrustBootstrap\"],\n modes: [config.reputation.mode],\n properties: {\n \"S4.1_earned_reputation\": \"full\",\n \"S4.2_participant_owned\": \"full\",\n \"S4.5_sybil_resistance\": \"basic\",\n \"S4.7_trust_bootstrapping\": \"full\",\n },\n },\n },\n composition: {\n sim_version: \"1.0\",\n spf_supported: false,\n shr_supported: true,\n delegation_depth: 
1,\n },\n limitations: [\n \"L1 identity uses ed25519 only; KERI support planned for v0.2.0\",\n \"L2 isolation is process-level only; TEE support planned for v0.3.0\",\n \"L3 uses commitment schemes only; ZK proofs planned for v0.2.0\",\n \"L4 Sybil resistance is escrow-based only\",\n \"Spec license: CC-BY-4.0 | Code license: Apache-2.0\",\n ],\n });\n },\n };\n\n // 11. Create L3 tools\n const { tools: l3Tools } = createL3Tools(storage, masterKey, auditLog);\n\n // 12. Create L4 tools\n const { tools: l4Tools } = createL4Tools(\n storage,\n masterKey,\n identityManager,\n auditLog\n );\n\n // 13. Load Principal Policy and create approval gate\n const policy = await loadPrincipalPolicy(config.storage_path);\n const baseline = new BaselineTracker(storage, masterKey);\n await baseline.load();\n\n const approvalChannel = new StderrApprovalChannel(policy.approval_channel);\n const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog);\n\n // 14. Create Principal Policy tools (read-only)\n const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);\n\n // 15. Create SHR tools (machine-readable sovereignty health report)\n const { tools: shrTools } = createSHRTools(\n config,\n identityManager,\n masterKey,\n auditLog\n );\n\n // 16. Create Handshake tools (sovereignty handshake protocol)\n const { tools: handshakeTools } = createHandshakeTools(\n config,\n identityManager,\n masterKey,\n auditLog\n );\n\n // 17. Assemble all tools\n const allTools: ToolDefinition[] = [\n ...l1Tools,\n ...l2Tools,\n ...l3Tools,\n ...l4Tools,\n ...policyTools,\n ...shrTools,\n ...handshakeTools,\n manifestTool,\n ];\n\n // 18. Create MCP server with approval gate\n const server = createServer(allTools, { gate });\n\n // 19. Save config if this is first run\n await saveConfig(config);\n\n // 20. 
Register baseline save on process exit\n const saveBaseline = () => {\n baseline.save().catch(() => {});\n };\n process.on(\"SIGINT\", saveBaseline);\n process.on(\"SIGTERM\", saveBaseline);\n\n // 21. Log the recovery key if generated (shown once, never again)\n if (recoveryKey) {\n console.error(\n \"╔══════════════════════════════════════════════════════════╗\\n\" +\n \"║ SANCTUARY: First Run — Recovery Key Generated ║\\n\" +\n \"║ ║\\n\" +\n `║ Recovery Key: ${recoveryKey.slice(0, 20)}... ║\\n` +\n \"║ ║\\n\" +\n \"║ SAVE THIS KEY. It will not be shown again. ║\\n\" +\n \"║ Without it, your encrypted state is unrecoverable. ║\\n\" +\n \"╚══════════════════════════════════════════════════════════╝\"\n );\n }\n\n return { server, config };\n}\n\nexport { loadConfig, type SanctuaryConfig } from \"./config.js\";\nexport { StateStore } from \"./l1-cognitive/state-store.js\";\nexport { AuditLog } from \"./l2-operational/audit-log.js\";\nexport { CommitmentStore } from \"./l3-disclosure/commitments.js\";\nexport { PolicyStore } from \"./l3-disclosure/policies.js\";\nexport { ReputationStore } from \"./l4-reputation/reputation-store.js\";\nexport { MemoryStorage } from \"./storage/memory.js\";\nexport { FilesystemStorage } from \"./storage/filesystem.js\";\nexport { ApprovalGate } from \"./principal-policy/gate.js\";\nexport { BaselineTracker } from \"./principal-policy/baseline.js\";\nexport { loadPrincipalPolicy } from \"./principal-policy/loader.js\";\nexport type { PrincipalPolicy, GateResult } from \"./principal-policy/types.js\";\nexport {\n StderrApprovalChannel,\n CallbackApprovalChannel,\n AutoApproveChannel,\n} from \"./principal-policy/approval-channel.js\";\nexport { generateSHR } from \"./shr/generator.js\";\nexport { verifySHR } from \"./shr/verifier.js\";\nexport type { SignedSHR, SHRBody, SHRVerificationResult } from \"./shr/types.js\";\nexport {\n initiateHandshake,\n respondToHandshake,\n completeHandshake,\n verifyCompletion,\n} from 
\"./handshake/protocol.js\";\nexport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n} from \"./handshake/types.js\";\n","#!/usr/bin/env node\n/**\n * Sanctuary MCP Server — CLI Entry Point\n *\n * Starts the Sanctuary MCP server and connects it to the appropriate transport.\n * Usage: npx @sanctuary-framework/mcp-server\n */\n\nimport { StdioServerTransport } from \"@modelcontextprotocol/sdk/server/stdio.js\";\nimport { createSanctuaryServer } from \"./index.js\";\n\nasync function main(): Promise<void> {\n const passphrase = process.env.SANCTUARY_PASSPHRASE;\n\n const { server, config } = await createSanctuaryServer({ passphrase });\n\n if (config.transport === \"stdio\") {\n const transport = new StdioServerTransport();\n await server.connect(transport);\n console.error(`Sanctuary MCP Server v${config.version} running (stdio)`);\n console.error(`Storage: ${config.storage_path}`);\n console.error(\"Tools: all registered\");\n } else {\n // HTTP transport — future implementation\n console.error(\"HTTP transport not yet implemented. Use stdio.\");\n process.exit(1);\n }\n}\n\nmain().catch((err) => {\n console.error(\"Sanctuary MCP Server failed to start:\", err);\n process.exit(1);\n});\n"]}
|