@sanctuary-framework/mcp-server 0.5.4 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/cli.cjs +7 -37
  2. package/dist/cli.cjs.map +1 -1
  3. package/dist/cli.js +7 -37
  4. package/dist/cli.js.map +1 -1
  5. package/dist/index.cjs +7 -37
  6. package/dist/index.cjs.map +1 -1
  7. package/dist/index.d.cts +1 -1
  8. package/dist/index.d.ts +1 -1
  9. package/dist/index.js +7 -37
  10. package/dist/index.js.map +1 -1
  11. package/package.json +1 -1
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/core/encoding.ts","../src/core/hashing.ts","../src/config.ts","../src/core/random.ts","../src/storage/filesystem.ts","../src/core/encryption.ts","../src/l1-cognitive/state-store.ts","../src/core/identity.ts","../src/core/key-derivation.ts","../src/router.ts","../src/l1-cognitive/tools.ts","../src/l2-operational/audit-log.ts","../src/l3-disclosure/commitments.ts","../src/l3-disclosure/policies.ts","../src/l3-disclosure/zk-proofs.ts","../src/l3-disclosure/tools.ts","../src/l4-reputation/reputation-store.ts","../src/l4-reputation/tools.ts","../src/l4-reputation/tiers.ts","../src/principal-policy/loader.ts","../src/principal-policy/baseline.ts","../src/principal-policy/approval-channel.ts","../src/principal-policy/dashboard-html.ts","../src/principal-policy/dashboard.ts","../src/principal-policy/webhook.ts","../src/security/injection-detector.ts","../src/principal-policy/gate.ts","../src/principal-policy/tools.ts","../src/shr/types.ts","../src/shr/generator.ts","../src/shr/verifier.ts","../src/shr/gateway-adapter.ts","../src/shr/tools.ts","../src/handshake/protocol.ts","../src/handshake/tools.ts","../src/federation/registry.ts","../src/federation/tools.ts","../src/bridge/tools.ts","../src/bridge/bridge.ts","../src/audit/detector.ts","../src/audit/analyzer.ts","../src/audit/tools.ts","../src/l2-operational/context-gate.ts","../src/l2-operational/context-gate-templates.ts","../src/l2-operational/context-gate-recommend.ts","../src/l2-operational/context-gate-enforcer.ts","../src/l2-operational/context-gate-tools.ts","../src/l2-operational/hardening.ts","../src/l2-operational/hardening-tools.ts","../src/index.ts","../src/storage/memory.ts"],"names":["sha256","hmac","require","createRequire","join","homedir","path","readFile","writeFile","nodeRandomBytes","mkdir","stat","unlink","readdir","gcm","ed25519","argon2id","hkdf","PKG_VERSION","Server","ListToolsRequestSchema","CallToolRequestSchema","RESERVED_NAMESPACE_PREFIXES","RistrettoPoint","hash","start","end","hashToString","stringToBytes","chmod","readFileSync","createHttpsServer","createHttpServer","randomBytes","os","platform","exec","createHmac","access","execSync","statSync","bytesToString","fromBase64url","constantTimeEqual"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAA,gBAAA,GAAA,EAAA;AAAA,QAAA,CAAA,gBAAA,EAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,WAAA,EAAA,MAAA,WAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,WAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAUO,SAAS,YAAY,KAAA,EAA2B;AACrD,EAAA,MAAM,SAAS,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,QAAQ,CAAA;AACnD,EAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACzE;AAKO,SAAS,cAAc,GAAA,EAAyB;AAErD,EAAA,IAAI,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAErD,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AAC9B,IAAA,MAAA,IAAU,GAAA;AAAA,EACZ;AACA,EAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA;AACxC,EAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAClE;AAKO,SAAS,cAAc,GAAA,EAAyB;AACrD,EAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,GAAG,CAAA;AACrC;AAKO,SAAS,cAAc,KAAA,EAA2B;AACvD,EAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAA;AACvC;AAKO,SAAS,eAAe,MAAA,EAAkC;AAC/D,EAAA,MAAM,WAAA,GAAc,OAAO,MAAA,CAAO,CAAC,KAAK,GAAA,KAAQ,GAAA,GAAM,GAAA,CAAI,MAAA,EAAQ,CAAC,CAAA;AACnE,EAAA,MAAM,MAAA,GAAS,IAAI,UAAA,CAAW,WAAW,CAAA;AACzC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,OAAO,MAAA,EAAQ;AACxB,IAAA,MAAA,CAAO,GAAA,CAAI,KAAK,MAAM,CAAA;AACtB,IAAA,MAAA,IAAU,GAAA,CAAI,MAAA;AAAA,EAChB;AACA,EAAA,OAAO,MAAA;AACT;AAMO,SAAS,iBAAA,CAAkB,GAAe,CAAA,EAAwB;AACvE,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,IAAA,IAAQ,CAAA,CAAE,CAAC,CAAA,GAAK,CAAA,CAAE,CAAC,CAAA;AAAA,EACrB;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;AApEA,IAAA,aAAA,GAAA,KAAA,CAAA;AAAA,EAAA,sBAAA,GAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACAA,IAAA,eAAA,GAAA,EAAA;AAAA,QAAA,CAAA,eAAA,EAAA;AAAA,EAAA,eAAA,EAAA,MAAA,eAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,mBAAA,EAAA,MAAA,mBAAA;AAAA,EAAA,IAAA,EAAA,MAAA,IAAA;AAAA,EAAA,YAAA,EAAA,MAAA,YAAA;AAAA,EAAA,UAAA,EAAA,MAAA,UAAA;AAAA,EAAA,iBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAcO,SAAS,KAAK,IAAA,EAA8B;AACjD,EAAA,OAAOA,cAAO,IAAI,CAAA;AACpB;AAKO,SAAS,aAAa,IAAA,EAA0B;AACrD,EAAA,OAAO,WAAA,CAAY,IAAA,CAAK,IAAI,CAAC,CAAA;AAC/B;AAKO,SAAS,UAAA,CAAW,KAAiB,IAAA,EAA8B;AACxE,EAAA,OAAOC,SAAA,CAAKD,aAAA,EAAQ,GAAA,EAAK,IAAI,CAAA;AAC/B;AA2BO,SAAS,gBACd,OAAA,EACmB;AACnB,EAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,CAAA,EAAG,OAAO,IAAA;AAG/B,EAAA,MAAM,aAAa,KAAA,CAAM,IAAA,CAAK,QAAQ,IAAA,EAAM,EAAE,IAAA,EAAK;AAGnD,EAAA,IAAI,KAAA,GAAsB,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,KAAQ;AAChD,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AACnC,IAAA,MAAM,QAAA,GAAW,WAAA;AAAA,MACf,cAAc,GAAG,CAAA;AAAA,MACjB,cAAc,WAAW;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,aAAa,QAAQ,CAAA;AAAA,MAC3B;AAAA,KACF;AAAA,EACF,CAAC,CAAA;AAGD,EAAA,OAAO,KAAA,CAAM,SAAS,CAAA,EAAG;AACvB,IAAA,MAAM,YAA0B,EAAC;AACjC,IAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAA,EAAQ,KAAK,CAAA,EAAG;AACxC,MAAA,MAAM,IAAA,GAAO,MAAM,CAAC,CAAA;AACpB,MAAA,IAAI,CAAA,GAAI,CAAA,GAAI,KAAA,CAAM,MAAA,EAAQ;AACxB,QAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,CAAA,GAAI,CAAC,CAAA;AACzB,QAAA,MAAM,UAAA,GAAa,WAAA;AAAA,UACjB,aAAA,CAAc,KAAK,IAAI,CAAA;AAAA,UACvB,aAAA,CAAc,MAAM,IAAI;AAAA,SAC1B;AACA,QAAA,SAAA,CAAU,IAAA,CAAK;AAAA,UACb,IAAA,EAAM,aAAa,UAAU,CAAA;AAAA,UAC7B,IAAA;AAAA,UACA;AAAA,SACD,CAAA;AAAA,MACH,CAAA,MAAO;AAEL,QAAA,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,MACrB;AAAA,IACF;AACA,IAAA,KAAA,GAAQ,SAAA;AAAA,EACV;AAEA,EAAA,OAAO,KAAA,CAAM,CAAC,CAAA,IAAK,IAAA;AACrB;AASO,SAAS,mBAAA,CACd,SACA,SAAA,EACoB;AACpB,EAAA,IAAI,CAAC,OAAA,CAAQ,GAAA,CAAI,SAAS,GAAG,OAAO,IAAA;AAEpC,EAAA,MAAM,aAAa,KAAA,CAAM,IAAA,CAAK,QAAQ,IAAA,EAAM,EAAE,IAAA,EAAK;AACnD,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,OAAA,CAAQ,SAAS,CAAA;AAChD,EAAA,IAAI,WAAA,KAAgB,IAAI,OAAO,IAAA;AAG/B,EAAA,MAAM,UAAA,GAAuB,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,KAAQ;AACnD,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AACnC,IAAA,MAAM,QAAA,GAAW,WAAA;AAAA,MACf,cAAc,GAAG,CAAA;AAAA,MACjB,cAAc,WAAW;AAAA,KAC3B;AACA,IAAA,OAAO,aAAa,QAAQ,CAAA;AAAA,EAC9B,CAAC,CAAA;AAED,EAAA,MAAM,OAA4B,EAAC;AACnC,EAAA,IAAI,YAAA,GAAe,WAAA;AACnB,EAAA,IAAI,YAAA,GAAe,UAAA;AAEnB,EAAA,OAAO,YAAA,CAAa,SAAS,CAAA,EAAG;AAC9B,IAAA,MAAM,YAAsB,EAAC;AAC7B,IAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,MAAA,EAAQ,KAAK,CAAA,EAAG;AAC/C,MAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,MAAA,IAAI,CAAA,GAAI,CAAA,GAAI,YAAA,CAAa,MAAA,EAAQ;AAC/B,QAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,GAAI,CAAC,CAAA;AAGhC,QAAA,IAAI,CAAA,KAAM,YAAA,IAAgB,CAAA,GAAI,CAAA,KAAM,YAAA,EAAc;AAChD,UAAA,IAAI,iBAAiB,CAAA,EAAG;AACtB,YAAA,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,SAAS,CAAA;AAAA,UAC9C,CAAA,MAAO;AACL,YAAA,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,IAAA,EAAM,QAAA,EAAU,QAAQ,CAAA;AAAA,UAC5C;AAAA,QACF;AAEA,QAAA,MAAM,UAAA,GAAa,WAAA;AAAA,UACjB,cAAc,IAAI,CAAA;AAAA,UAClB,cAAc,KAAK;AAAA,SACrB;AACA,QAAA,SAAA,CAAU,IAAA,CAAK,YAAA,CAAa,UAAU,CAAC,CAAA;AAAA,MACzC,CAAA,MAAO;AAEL,QAAA,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,MACrB;AAAA,IACF;AACA,IAAA,YAAA,GAAe,IAAA,CAAK,KAAA,CAAM,YAAA,GAAe,CAAC,CAAA;AAC1C,IAAA,YAAA,GAAe,SAAA;AAAA,EACjB;AAEA,EAAA,MAAM,IAAA,GAAO,gBAAgB,OAAO,CAAA;AAEpC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,WAAW,WAAW,CAAA;AAAA,IAC5B,IAAA;AAAA,IACA,IAAA,EAAM,MAAM,IAAA,IAAQ;AAAA,GACtB;AACF;AAQO,SAAS,kBAAkB,KAAA,EAA6B;AAC7D,EAAA,IAAI,cAAc,KAAA,CAAM,IAAA;AAExB,EAAA,KAAA,MAAW,IAAA,IAAQ,MAAM,IAAA,EAAM;AAC7B,IAAA,MAAM,IAAA,GACJ,IAAA,CAAK,QAAA,KAAa,MAAA,GAAS,KAAK,IAAA,GAAO,WAAA;AACzC,IAAA,MAAM,KAAA,GACJ,IAAA,CAAK,QAAA,KAAa,OAAA,GAAU,KAAK,IAAA,GAAO,WAAA;AAC1C,IAAA,MAAM,UAAA,GAAa,WAAA;AAAA,MACjB,cAAc,IAAI,CAAA;AAAA,MAClB,cAAc,KAAK;AAAA,KACrB;AACA,IAAA,WAAA,GAAc,aAAa,UAAU,CAAA;AAAA,EACvC;AAEA,EAAA,OAAO,gBAAgB,KAAA,CAAM,IAAA;AAC/B;AAMO,SAAS,kBAAkB,OAAA,EAAsC;AACtE,EAAA,MAAM,IAAA,GAAO,gBAAgB,OAAO,CAAA;AACpC,EAAA,OAAO,MAAM,IAAA,IAAQ,EAAA;AACvB;AA9MA,IAAA,YAAA,GAAA,KAAA,CAAA;AAAA,EAAA,qBAAA,GAAA;AASA,IAAA,aAAA,EAAA;AAAA,EAAA;AAAA,CAAA,CAAA;ACEA,IAAME,QAAAA,GAAUC,sBAAA,CAAc,2PAAe,CAAA;AAC7C,IAAM,EAAE,OAAA,EAAS,WAAA,EAAY,GAAID,SAAQ,iBAAiB,CAAA;AAGnD,IAAM,iBAAA,GAAoB,WAAA;AAqE1B,SAAS,aAAA,GAAiC;AAC/C,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,WAAA;AAAA,IACT,YAAA,EAAcE,SAAA,CAAKC,UAAA,EAAQ,EAAG,YAAY,CAAA;AAAA,IAC1C,KAAA,EAAO;AAAA,MACL,UAAA,EAAY,aAAA;AAAA,MACZ,cAAA,EAAgB,MAAA;AAAA,MAChB,cAAA,EAAgB,UAAA;AAAA,MAChB,SAAA,EAAW,eAAA;AAAA,MACX,iBAAA,EAAmB;AAAA,KACrB;AAAA,IACA,SAAA,EAAW;AAAA,MACT,WAAA,EAAa,eAAA;AAAA,MACb,WAAA,EAAa,IAAA;AAAA,MACb,eAAA,EAAiB;AAAA,QACf,aAAA,EAAe,GAAA;AAAA,QACf,cAAA,EAAgB,IAAA;AAAA,QAChB,eAAA,EAAiB;AAAA;AACnB,KACF;AAAA,IACA,UAAA,EAAY;AAAA,MACV,YAAA,EAAc,iBAAA;AAAA,MACd,cAAA,EAAgB;AAAA,KAClB;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,gBAAA;AAAA,MACN,kBAAA,EAAoB,gBAAA;AAAA,MACpB,aAAA,EAAe,kBAAA;AAAA,MACf,mBAAmB;AAAC,KACtB;AAAA,IACA,SAAA,EAAW,OAAA;AAAA,IACX,SAAA,EAAW,IAAA;AAAA,IACX,SAAA,EAAW;AAAA,MACT,OAAA,EAAS,KAAA;AAAA,MACT,IAAA,EAAM,IAAA;AAAA,MACN,IAAA,EAAM;AAAA,KACR;AAAA,IACA,OAAA,EAAS;AAAA,MACP,OAAA,EAAS,KAAA;AAAA,MACT,GAAA,EAAK,EAAA;AAAA,MACL,MAAA,EAAQ,EAAA;AAAA,MACR,aAAA,EAAe,IAAA;AAAA,MACf,aAAA,EAAe;AAAA;AACjB,GACF;AACF;AAQA,eAAsB,WACpB,UAAA,EAC0B;AAC1B,EAAA,IAAI,SAAS,aAAA,EAAc;AAG3B,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,sBAAA,IAA0B,MAAA,CAAO,YAAA;AACjE,EAAA,MAAMC,MAAA,GAAO,UAAA,IAAcF,SAAA,CAAK,WAAA,EAAa,gBAAgB,CAAA;AAE7D,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAMG,iBAAA,CAASD,MAAA,EAAM,OAAO,CAAA;AACxC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AACjC,IAAA,MAAA,GAAS,SAAA,CAAU,QAAQ,UAAU,CAAA;AAAA,EACvC,SAAS,GAAA,EAAK;AAEZ,IAAA,IAAI,eAAe,KAAA,IAAS,GAAA,CAAI,OAAA,CAAQ,QAAA,CAAS,wBAAwB,CAAA,EAAG;AAC1E,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EAEF;AAGA,EAAA,IAAI,OAAA,CAAQ,IAAI,sBAAA,EAAwB;AACtC,IAAA,MAAA,CAAO,YAAA,GAAe,QAAQ,GAAA,CAAI,sBAAA;AAAA,EACpC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,mBAAA,EAAqB;AACnC,IAAA,MAAA,CAAO,SAAA,GAAY,QAAQ,GAAA,CAAI,mBAAA;AAAA,EACjC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,mBAAA,EAAqB;AACnC,IAAA,MAAA,CAAO,SAAA,GAAY,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,qBAAqB,EAAE,CAAA;AAAA,EACjE;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,2BAAA,KAAgC,MAAA,EAAQ;AACtD,IAAA,MAAA,CAAO,UAAU,OAAA,GAAU,IAAA;AAAA,EAC7B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,2BAAA,KAAgC,OAAA,EAAS;AACvD,IAAA,MAAA,CAAO,UAAU,OAAA,GAAU,KAAA;AAAA,EAC7B;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,wBAAA,EAA0B;AACxC,IAAA,MAAA,CAAO,UAAU,IAAA,GAAO,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,0BAA0B,EAAE,CAAA;AAAA,EAC3E;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,wBAAA,EAA0B;AACxC,IAAA,MAAA,CAAO,SAAA,CAAU,IAAA,GAAO,OAAA,CAAQ,GAAA,CAAI,wBAAA;AAAA,EACtC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,8BAAA,EAAgC;AAC9C,IAAA,MAAA,CAAO,SAAA,CAAU,UAAA,GAAa,OAAA,CAAQ,GAAA,CAAI,8BAAA;AAAA,EAC5C;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,6BAAA,KAAkC,MAAA,EAAQ;AACxD,IAAA,MAAA,CAAO,UAAU,SAAA,GAAY,IAAA;AAAA,EAC/B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,6BAAA,KAAkC,OAAA,EAAS;AACzD,IAAA,MAAA,CAAO,UAAU,SAAA,GAAY,KAAA;AAAA,EAC/B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,4BAAA,IAAgC,OAAA,CAAQ,IAAI,2BAAA,EAA6B;AACvF,IAAA,MAAA,CAAO,UAAU,GAAA,GAAM;AAAA,MACrB,SAAA,EAAW,QAAQ,GAAA,CAAI,4BAAA;AAAA,MACvB,QAAA,EAAU,QAAQ,GAAA,CAAI;AAAA,KACxB;AAAA,EACF;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,yBAAA,KAA8B,MAAA,EAAQ;AACpD,IAAA,MAAA,CAAO,QAAQ,OAAA,GAAU,IAAA;AAAA,EAC3B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,yBAAA,KAA8B,OAAA,EAAS;AACrD,IAAA,MAAA,CAAO,QAAQ,OAAA,GAAU,KAAA;AAAA,EAC3B;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,qBAAA,EAAuB;AACrC,IAAA,MAAA,CAAO,OAAA,CAAQ,GAAA,GAAM,OAAA,CAAQ,GAAA,CAAI,qBAAA;AAAA,EACnC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,wBAAA,EAA0B;AACxC,IAAA,MAAA,CAAO,OAAA,CAAQ,MAAA,GAAS,OAAA,CAAQ,GAAA,CAAI,wBAAA;AAAA,EACtC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,+BAAA,EAAiC;AAC/C,IAAA,MAAA,CAAO,QAAQ,aAAA,GAAgB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,iCAAiC,EAAE,CAAA;AAAA,EACzF;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,+BAAA,EAAiC;AAC/C,IAAA,MAAA,CAAO,OAAA,CAAQ,aAAA,GAAgB,OAAA,CAAQ,GAAA,CAAI,+BAAA;AAAA,EAC7C;AAIA,EAAA,MAAA,CAAO,OAAA,GAAU,WAAA;AAEjB,EAAA,cAAA,CAAe,MAAM,CAAA;AACrB,EAAA,OAAO,MAAA;AACT;AAKA,eAAsB,UAAA,CACpB,QACA,UAAA,EACe;AACf,EAAA,MAAMA,MAAA,GACUF,SAAA,CAAK,MAAA,CAAO,cAAc,gBAAgB,CAAA;AAC1D,EAAA,MAAMI,kBAAA,CAAUF,MAAA,EAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,IAAA,EAAM,CAAC,CAAA,EAAG,EAAE,IAAA,EAAM,GAAA,EAAO,CAAA;AACxE;AAOO,SAAS,eAAe,MAAA,EAA+B;AAC5D,EAAA,MAAM,SAAmB,EAAC;AAI1B,EAAA,MAAM,2CAA2B,IAAI,GAAA,CAAI,CAAC,YAAA,EAAc,MAAM,CAAC,CAAA;AAC/D,EAAA,IAAI,CAAC,wBAAA,CAAyB,GAAA,CAAI,MAAA,CAAO,KAAA,CAAM,cAAc,CAAA,EAAG;AAC9D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,uDAAuD,MAAA,CAAO,KAAA,CAAM,cAAc,CAAA,QAAA,EAC1E,CAAC,GAAG,wBAAwB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,uGAAA;AAAA,KAErE;AAAA,EACF;AAIA,EAAA,MAAM,yCAAyB,IAAI,GAAA,CAAI,CAAC,eAAA,EAAiB,QAAQ,CAAC,CAAA;AAClE,EAAA,IAAI,CAAC,sBAAA,CAAuB,GAAA,CAAI,MAAA,CAAO,SAAA,CAAU,WAAW,CAAA,EAAG;AAC7D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,wDAAwD,MAAA,CAAO,SAAA,CAAU,WAAW,CAAA,QAAA,EAC5E,CAAC,GAAG,sBAAsB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,+FAAA;AAAA,KAEnE;AAAA,EACF;AAIA,EAAA,MAAM,sBAAA,mBAAyB,IAAI,GAAA,CAAI,CAAC,iBAAiB,CAAC,CAAA;AAC1D,EAAA,IAAI,CAAC,sBAAA,CAAuB,GAAA,CAAI,MAAA,CAAO,UAAA,CAAW,YAAY,CAAA,EAAG;AAC/D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,0DAA0D,MAAA,CAAO,UAAA,CAAW,YAAY,CAAA,QAAA,EAChF,CAAC,GAAG,sBAAsB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,+FAAA;AAAA,KAEnE;AAAA,EACF;AAIA,EAAA,MAAM,2BAAA,mBAA8B,IAAI,GAAA,CAAI,CAAC,mBAAmB,CAAC,CAAA;AACjE,EAAA,IAAI,CAAC,2BAAA,CAA4B,GAAA,CAAI,MAAA,CAAO,UAAA,CAAW,cAAc,CAAA,EAAG;AACtE,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,4DAA4D,MAAA,CAAO,UAAA,CAAW,cAAc,CAAA,QAAA,EACpF,CAAC,GAAG,2BAA2B,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,4GAAA;AAAA,KAExE;AAAA,EACF;AAIA,EAAA,MAAM,yBAAA,mBAA4B,IAAI,GAAA,CAAI,CAAC,gBAAgB,CAAC,CAAA;AAC5D,EAAA,IAAI,CAAC,yBAAA,CAA0B,GAAA,CAAI,MAAA,CAAO,UAAA,CAAW,IAAI,CAAA,EAAG;AAC1D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,kDAAkD,MAAA,CAAO,UAAA,CAAW,IAAI,CAAA,QAAA,EAChE,CAAC,GAAG,yBAAyB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,8GAAA;AAAA,KAEtE;AAAA,EACF;AAEA,EAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACrB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA;AAAA,EAA+D,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAClF;AAAA,EACF;AACF;AAGA,SAAS,SAAA,CAAU,MAAc,QAAA,EAAmC;AAClE,EAAA,MAAM,MAAA,GAAkC,EAAE,GAAG,IAAA,EAAK;AAClD,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACnD,IAAA,IACE,UAAU,IAAA,IACV,OAAO,UAAU,QAAA,IACjB,CAAC,MAAM,OAAA,CAAQ,KAAK,CAAA,IACpB,OAAO,OAAO,GAAG,CAAA,KAAM,YACvB,MAAA,CAAO,GAAG,MAAM,IAAA,EAChB;AACA,MAAA,MAAA,CAAO,GAAG,CAAA,GAAI,SAAA;AAAA,QACZ,OAAO,GAAG,CAAA;AAAA,QACV;AAAA,OACF;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,CAAO,GAAG,CAAA,GAAI,KAAA;AAAA,IAChB;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;ACvTO,SAAS,YAAY,MAAA,EAA4B;AACtD,EAAA,IAAI,UAAU,CAAA,EAAG;AACf,IAAA,MAAM,IAAI,WAAW,yBAAyB,CAAA;AAAA,EAChD;AACA,EAAA,MAAM,GAAA,GAAMG,mBAAgB,MAAM,CAAA;AAClC,EAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAClE;AAKO,SAAS,UAAA,GAAyB;AACvC,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;AAKO,SAAS,YAAA,GAA2B;AACzC,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;AAKO,SAAS,iBAAA,GAAgC;AAC9C,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;;;ACvBO,IAAM,oBAAN,MAAkD;AAAA,EAC/C,QAAA;AAAA,EAER,YAAY,QAAA,EAAkB;AAC5B,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAAA,EAClB;AAAA,EAEQ,SAAA,CAAU,WAAmB,GAAA,EAAqB;AAExD,IAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,OAAA,CAAQ,iBAAA,EAAmB,GAAG,CAAA;AAC9D,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,CAAQ,kBAAA,EAAoB,GAAG,CAAA;AACnD,IAAA,OAAOL,UAAK,IAAA,CAAK,QAAA,EAAU,aAAA,EAAe,CAAA,EAAG,OAAO,CAAA,IAAA,CAAM,CAAA;AAAA,EAC5D;AAAA,EAEQ,cAAc,SAAA,EAA2B;AAC/C,IAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,OAAA,CAAQ,iBAAA,EAAmB,GAAG,CAAA;AAC9D,IAAA,OAAOA,SAAAA,CAAK,IAAA,CAAK,QAAA,EAAU,aAAa,CAAA;AAAA,EAC1C;AAAA,EAEA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,IAAA,EACe;AACf,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAS,CAAA;AAC5C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAG9C,IAAA,MAAMM,eAAM,OAAA,EAAS,EAAE,WAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAGrD,IAAA,MAAMF,mBAAU,QAAA,EAAU,IAAA,EAAM,EAAE,IAAA,EAAM,KAAO,CAAA;AAAA,EACjD;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,GAAA,EAAyC;AACrE,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAC9C,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAMD,iBAAAA,CAAS,QAAQ,CAAA;AACnC,MAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAAA,IAClE,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,IAAA;AAAA,MACT;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EACA,kBAAkB,IAAA,EACA;AAClB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAE9C,IAAA,IAAI;AACF,MAAA,IAAI,eAAA,EAAiB;AAEnB,QAAA,MAAM,QAAA,GAAW,MAAMI,aAAA,CAAK,QAAQ,CAAA;AACpC,QAAA,MAAM,OAAO,QAAA,CAAS,IAAA;AAGtB,QAAA,KAAA,IAAS,IAAA,GAAO,CAAA,EAAG,IAAA,GAAO,CAAA,EAAG,IAAA,EAAA,EAAQ;AACnC,UAAA,MAAM,UAAA,GAAa,YAAY,IAAI,CAAA;AACnC,UAAA,MAAMH,mBAAU,QAAA,EAAU,UAAA,EAAY,EAAE,IAAA,EAAM,KAAO,CAAA;AAAA,QACvD;AAAA,MACF;AAGA,MAAA,MAAMI,gBAAO,QAAQ,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,KAAA;AAAA,MACT;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,MAAA,EAA8C;AAC1E,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAS,CAAA;AAE5C,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAMC,gBAAA,CAAQ,OAAO,CAAA;AACnC,MAAA,MAAM,UAA8B,EAAC;AAErC,MAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,QAAA,IAAI,CAAC,IAAA,CAAK,QAAA,CAAS,MAAM,CAAA,EAAG;AAE5B,QAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,CAAA,EAAG,CAAA,CAAE,CAAA;AAC5B,QAAA,IAAI,MAAA,IAAU,CAAC,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AAEvC,QAAA,MAAM,QAAA,GAAWT,SAAAA,CAAK,OAAA,EAAS,IAAI,CAAA;AACnC,QAAA,MAAM,QAAA,GAAW,MAAMO,aAAA,CAAK,QAAQ,CAAA;AAEpC,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,GAAA;AAAA,UACA,SAAA;AAAA,UACA,YAAY,QAAA,CAAS,IAAA;AAAA,UACrB,WAAA,EAAa,QAAA,CAAS,KAAA,CAAM,WAAA;AAAY,SACzC,CAAA;AAAA,MACH;AAEA,MAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,EAAE,GAAA,CAAI,aAAA,CAAc,CAAA,CAAE,GAAG,CAAC,CAAA;AAAA,IAC1D,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,EAAC;AAAA,MACV;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CAAO,SAAA,EAAmB,GAAA,EAA+B;AAC7D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAC9C,IAAA,IAAI;AACF,MAAA,MAAMA,cAAK,QAAQ,CAAA;AACnB,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,SAAA,GAA6B;AACjC,IAAA,IAAI,KAAA,GAAQ,CAAA;AAEZ,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAa,MAAME,gBAAA,CAAQ,IAAA,CAAK,QAAQ,CAAA;AAC9C,MAAA,KAAA,MAAW,MAAM,UAAA,EAAY;AAC3B,QAAA,MAAM,MAAA,GAAST,SAAAA,CAAK,IAAA,CAAK,QAAA,EAAU,EAAE,CAAA;AACrC,QAAA,MAAM,MAAA,GAAS,MAAMO,aAAA,CAAK,MAAM,CAAA;AAChC,QAAA,IAAI,CAAC,MAAA,CAAO,WAAA,EAAY,EAAG;AAE3B,QAAA,MAAM,KAAA,GAAQ,MAAME,gBAAA,CAAQ,MAAM,CAAA;AAClC,QAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,UAAA,MAAM,QAAA,GAAWT,SAAAA,CAAK,MAAA,EAAQ,IAAI,CAAA;AAClC,UAAA,MAAM,QAAA,GAAW,MAAMO,aAAA,CAAK,QAAQ,CAAA;AACpC,UAAA,KAAA,IAAS,QAAA,CAAS,IAAA;AAAA,QACpB;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AC9JA,aAAA,EAAA;AAyBO,SAAS,OAAA,CACd,SAAA,EACA,GAAA,EACA,GAAA,EACkB;AAClB,EAAA,IAAI,GAAA,CAAI,WAAW,EAAA,EAAI;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC3D;AAEA,EAAA,MAAM,KAAK,UAAA,EAAW;AACtB,EAAA,MAAM,MAAA,GAASG,UAAA,CAAI,GAAA,EAAK,EAAA,EAAI,GAAG,CAAA;AAE/B,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA;AAE3C,EAAA,OAAO;AAAA,IACL,CAAA,EAAG,CAAA;AAAA,IACH,GAAA,EAAK,aAAA;AAAA,IACL,EAAA,EAAI,YAAY,EAAE,CAAA;AAAA,IAClB,EAAA,EAAI,YAAY,UAAU,CAAA;AAAA,IAC1B,EAAA,EAAA,iBAAI,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GAC7B;AACF;AAWO,SAAS,OAAA,CACd,OAAA,EACA,GAAA,EACA,GAAA,EACY;AACZ,EAAA,IAAI,GAAA,CAAI,WAAW,EAAA,EAAI;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC3D;AACA,EAAA,IAAI,OAAA,CAAQ,MAAM,CAAA,EAAG;AACnB,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,OAAA,CAAQ,CAAC,CAAA,CAAE,CAAA;AAAA,EAC7D;AACA,EAAA,IAAI,OAAA,CAAQ,QAAQ,aAAA,EAAe;AACjC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,OAAA,CAAQ,GAAG,CAAA,CAAE,CAAA;AAAA,EACzD;AAEA,EAAA,MAAM,EAAA,GAAK,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AACnC,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AAC3C,EAAA,MAAM,MAAA,GAASA,UAAA,CAAI,GAAA,EAAK,EAAA,EAAI,GAAG,CAAA;AAG/B,EAAA,OAAO,MAAA,CAAO,QAAQ,UAAU,CAAA;AAClC;;;ACtEA,YAAA,EAAA;;;ACVA,aAAA,EAAA;AAEA,YAAA,EAAA;AAyCO,SAAS,eAAA,GAGd;AACA,EAAA,MAAM,UAAA,GAAa,YAAY,EAAE,CAAA;AACjC,EAAA,MAAM,SAAA,GAAYC,eAAA,CAAQ,YAAA,CAAa,UAAU,CAAA;AACjD,EAAA,OAAO,EAAE,WAAW,UAAA,EAAW;AACjC;AAMO,SAAS,eAAe,SAAA,EAA+B;AAE5D,EAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,CAAC,KAAM,CAAA,EAAM,GAAG,SAAS,CAAC,CAAA;AAI5D,EAAA,OAAO,CAAA,SAAA,EAAY,WAAA,CAAY,UAAU,CAAC,CAAA,CAAA;AAC5C;AAMO,SAAS,mBAAmB,SAAA,EAA+B;AAChE,EAAA,MAAM,OAAA,GAAU,KAAK,SAAS,CAAA;AAE9B,EAAA,OAAO,KAAA,CAAM,KAAK,OAAA,CAAQ,KAAA,CAAM,GAAG,EAAE,CAAC,EACnC,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAC,CAAA,CAC1C,IAAA,CAAK,EAAE,CAAA;AACZ;AAUO,SAAS,cAAA,CACd,KAAA,EACA,aAAA,EACA,aAAA,EACoE;AACpE,EAAA,MAAM,EAAE,SAAA,EAAW,UAAA,EAAW,GAAI,eAAA,EAAgB;AAClD,EAAA,MAAM,UAAA,GAAa,mBAAmB,SAAS,CAAA;AAC/C,EAAA,MAAM,GAAA,GAAM,eAAe,SAAS,CAAA;AACpC,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,mBAAA,GAAsB,OAAA,CAAQ,UAAA,EAAY,aAAa,CAAA;AAG7D,EAAA,UAAA,CAAW,KAAK,CAAC,CAAA;AAEjB,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,WAAA,EAAa,UAAA;AAAA,IACb,KAAA;AAAA,IACA,UAAA,EAAY,YAAY,SAAS,CAAA;AAAA,IACjC,GAAA;AAAA,IACA,UAAA,EAAY,GAAA;AAAA,IACZ,QAAA,EAAU,SAAA;AAAA,IACV,cAAA,EAAgB;AAAA,GAClB;AAEA,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,GAAG,cAAA;AAAA,IACH,qBAAA,EAAuB,mBAAA;AAAA,IACvB,kBAAkB;AAAC,GACrB;AAEA,EAAA,OAAO,EAAE,gBAAgB,cAAA,EAAe;AAC1C;AAUO,SAAS,IAAA,CACd,OAAA,EACA,mBAAA,EACA,aAAA,EACY;AAEZ,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,mBAAA,EAAqB,aAAa,CAAA;AAE7D,EAAA,IAAI;AACF,IAAA,OAAOA,eAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,UAAU,CAAA;AAAA,EACzC,CAAA,SAAE;AAEA,IAAA,UAAA,CAAW,KAAK,CAAC,CAAA;AAAA,EACnB;AACF;AAUO,SAAS,MAAA,CACd,OAAA,EACA,SAAA,EACA,SAAA,EACS;AACT,EAAA,IAAI;AACF,IAAA,OAAOA,eAAA,CAAQ,MAAA,CAAO,SAAA,EAAW,OAAA,EAAS,SAAS,CAAA;AAAA,EACrD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAYO,SAAS,UAAA,CACd,cAAA,EACA,aAAA,EACA,MAAA,EACmE;AACnE,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,UAAA,EAAY,aAAA,KAC3C,eAAA,EAAgB;AAClB,EAAA,MAAM,cAAA,GAAiB,eAAe,YAAY,CAAA;AAClD,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,SAAA,GAAY,KAAK,SAAA,CAAU;AAAA,IAC/B,gBAAgB,cAAA,CAAe,UAAA;AAAA,IAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,IACxC,aAAa,cAAA,CAAe,WAAA;AAAA,IAC5B,MAAA;AAAA,IACA,UAAA,EAAY;AAAA,GACb,CAAA;AAGD,EAAA,MAAM,UAAA,GAAa,IAAI,WAAA,EAAY,CAAE,OAAO,SAAS,CAAA;AACrD,EAAA,MAAM,SAAA,GAAY,IAAA;AAAA,IAChB,UAAA;AAAA,IACA,cAAA,CAAe,qBAAA;AAAA,IACf;AAAA,GACF;AAEA,EAAA,MAAM,aAAA,GAA+B;AAAA,IACnC,gBAAgB,cAAA,CAAe,UAAA;AAAA,IAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,IACxC,aAAa,cAAA,CAAe,WAAA;AAAA,IAC5B,MAAA;AAAA,IACA,UAAA,EAAY,GAAA;AAAA,IACZ,SAAA,EAAW,YAAY,SAAS;AAAA,GAClC;AAGA,EAAA,MAAM,sBAAA,GAAyB,OAAA,CAAQ,aAAA,EAAe,aAAa,CAAA;AACnE,EAAA,aAAA,CAAc,KAAK,CAAC,CAAA;AAEpB,EAAA,MAAM,eAAA,GAAkC;AAAA,IACtC,GAAG,cAAA;AAAA,IACH,UAAA,EAAY,YAAY,YAAY,CAAA;AAAA,IACpC,GAAA,EAAK,cAAA;AAAA,IACL,qBAAA,EAAuB,sBAAA;AAAA,IACvB,gBAAA,EAAkB;AAAA,MAChB,GAAG,cAAA,CAAe,gBAAA;AAAA,MAClB;AAAA,QACE,gBAAgB,cAAA,CAAe,UAAA;AAAA,QAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,QACxC,cAAA,EAAgB,WAAA;AAAA,UACd,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,aAAa,CAAC;AAAA,SACxD;AAAA,QACA,UAAA,EAAY;AAAA;AACd;AACF,GACF;AAEA,EAAA,OAAO,EAAE,iBAAiB,aAAA,EAAc;AAC1C;ACtOA,aAAA,EAAA;AAGA,IAAM,kBAAA,GAAqB,KAAA;AAC3B,IAAM,gBAAA,GAAmB,CAAA;AACzB,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,kBAAA,GAAqB,EAAA;AAyB3B,eAAsB,eAAA,CACpB,YACA,cAAA,EAC2D;AAC3D,EAAA,MAAM,OAAO,cAAA,GACT,aAAA,CAAc,cAAA,CAAe,IAAI,IACjC,YAAA,EAAa;AAEjB,EAAA,MAAM,SAA8B,cAAA,IAAkB;AAAA,IACpD,GAAA,EAAK,UAAA;AAAA,IACL,IAAA,EAAM,YAAY,IAAI,CAAA;AAAA,IACtB,CAAA,EAAG,kBAAA;AAAA,IACH,CAAA,EAAG,gBAAA;AAAA,IACH,CAAA,EAAG,kBAAA;AAAA,IACH,CAAA,EAAG;AAAA,GACL;AAEA,EAAA,MAAM,OAAA,GAAU,MAAMC,iBAAA,CAAS;AAAA,IAC7B,QAAA,EAAU,UAAA;AAAA,IACV,IAAA;AAAA,IACA,aAAa,MAAA,CAAO,CAAA;AAAA,IACpB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,UAAA,EAAY;AAAA,GACb,CAAA;AAGD,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,MAAA,CAAO,CAAC,CAAA;AACnC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,GAAG,CAAA,EAAA,EAAK;AACjC,IAAA,GAAA,CAAI,CAAC,CAAA,GAAI,QAAA,CAAS,OAAA,CAAQ,SAAA,CAAU,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,EAAG,EAAE,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,EAAE,KAAK,MAAA,EAAO;AACvB;AAYO,SAAS,kBAAA,CACd,WACA,SAAA,EACY;AACZ,EAAA,IAAI,SAAA,CAAU,WAAW,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAOC,SAAA;AAAA,IACLjB,aAAAA;AAAA,IACA,SAAA;AAAA,IACA,cAAc,wBAAwB,CAAA;AAAA;AAAA,IACtC,cAAc,SAAS,CAAA;AAAA;AAAA,IACvB;AAAA;AAAA,GACF;AACF;AAUO,SAAS,gBAAA,CACd,WACA,OAAA,EACY;AACZ,EAAA,IAAI,SAAA,CAAU,WAAW,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAOiB,SAAA;AAAA,IACLjB,aAAAA;AAAA,IACA,SAAA;AAAA,IACA,cAAc,sBAAsB,CAAA;AAAA,IACpC,cAAc,OAAO,CAAA;AAAA,IACrB;AAAA,GACF;AACF;;;AFtGA,aAAA,EAAA;AAYA,IAAM,2BAAA,GAA8B;AAAA,EAClC,aAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAiEO,IAAM,aAAN,MAAiB;AAAA,EACd,OAAA;AAAA,EACA,SAAA;AAAA;AAAA,EAGA,YAAA,uBAAmB,GAAA,EAAoB;AAAA;AAAA,EAGvC,aAAA,uBAAoB,GAAA,EAAiC;AAAA,EAE7D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AAAA,EAEQ,UAAA,CAAW,WAAmB,GAAA,EAAqB;AACzD,IAAA,OAAO,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBACZ,SAAA,EAC8B;AAC9B,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAAA,IACzC;AAGA,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,SAAS,CAAA;AACjD,IAAA,MAAM,OAAA,uBAAc,GAAA,EAAoB;AAExC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,EAAW,MAAM,GAAG,CAAA;AACxD,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,IAAI;AACF,UAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC5D,UAAA,OAAA,CAAQ,GAAA,CAAI,KAAA,CAAM,GAAA,EAAK,UAAA,CAAW,cAAc,CAAA;AAChD,UAAA,IAAA,CAAK,YAAA,CAAa,GAAA;AAAA,YAChB,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,KAAA,CAAM,GAAG,CAAA;AAAA,YACpC,UAAA,CAAW;AAAA,WACb;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAA,EAAW,OAAO,CAAA;AACzC,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,KAAA,EACA,YACA,mBAAA,EACA,qBAAA,EACA,OAAA,GAAwB,EAAC,EACH;AACtB,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,IAAA,CAAK,SAAA,EAAW,SAAS,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,cAAc,KAAK,CAAA;AAGrC,IAAA,MAAM,aAAA,GAAgB,aAAa,SAAS,CAAA;AAG5C,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,SAAA,EAAW,YAAY,CAAA;AAG/C,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAE,CAAA,IAAK,CAAA;AACpD,IAAA,MAAM,aAAa,cAAA,GAAiB,CAAA;AAGpC,IAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AAChD,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,eAAA;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,IAAA,MAAM,UAAA,GAAyB;AAAA,MAC7B,CAAA,EAAG,CAAA;AAAA,MACH,OAAA;AAAA,MACA,GAAA,EAAK,UAAA;AAAA,MACL,GAAA,EAAK,YAAY,SAAS,CAAA;AAAA,MAC1B,GAAA,EAAK,UAAA;AAAA,MACL,cAAA,EAAgB,aAAA;AAAA,MAChB,QAAA,EAAU;AAAA,QACR,cAAc,OAAA,CAAQ,YAAA;AAAA,QACtB,aAAa,OAAA,CAAQ,WAAA;AAAA,QACrB,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,UAAA,EAAY;AAAA;AACd,KACF;AAGA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,UAAU,CAAC,CAAA;AAC3D,IAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,SAAA,EAAW,KAAK,UAAU,CAAA;AAGnD,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,UAAU,CAAA;AACpC,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,QAAA,CAAS,GAAA,CAAI,KAAK,aAAa,CAAA;AAG/B,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,GAAA;AAAA,MACA,SAAA;AAAA,MACA,OAAA,EAAS,UAAA;AAAA,MACT,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,YAAY,UAAA,CAAW,MAAA;AAAA,MACvB,cAAA,EAAgB;AAAA,KAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,IAAA,CACJ,SAAA,EACA,GAAA,EACA,eAAA,EACA,kBAAkB,IAAA,EACU;AAC5B,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,GAAG,CAAA;AAClD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI,UAAA;AACJ,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAE,CAAA;AAAA,IAC9D;AAEA,IAAA,IAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AACtB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,iCAAA,EAAoC,UAAA,CAAW,CAAC,CAAA,CAAE,CAAA;AAAA,IACpE;AAGA,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAE,CAAA;AAC9C,IAAA,IAAI,aAAA,KAAkB,MAAA,IAAa,UAAA,CAAW,GAAA,GAAM,aAAA,EAAe;AACjE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,sBAAA,EAAyB,SAAS,CAAA,CAAA,EAAI,GAAG,mBACtB,UAAA,CAAW,GAAG,iBAAiB,aAAa,CAAA;AAAA,OACjE;AAAA,IACF;AAGA,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,UAAA,CAAW,OAAA,CAAQ,EAAE,CAAA;AAC3D,MAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,UAAA,CAAW,GAAG,CAAA;AACnD,MAAA,MAAM,QAAA,GAAW,MAAA,CAAO,eAAA,EAAiB,cAAA,EAAgB,eAAe,CAAA;AACxE,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,kCAAA,EAAqC,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA;AAAA,SACvD;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,IAAA,CAAK,SAAA,EAAW,SAAS,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,CAAW,OAAA,EAAS,YAAY,CAAA;AAC1D,IAAA,MAAM,KAAA,GAAQ,cAAc,SAAS,CAAA;AAGrC,IAAA,MAAM,YAAA,GAAe,aAAa,SAAS,CAAA;AAC3C,IAAA,IAAI,YAAA,KAAiB,WAAW,cAAA,EAAgB;AAC9C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,4BAAA,EAA+B,SAAS,CAAA,CAAA,EAAI,GAAG,cACjC,YAAY,CAAA,SAAA,EAAY,WAAW,cAAc,CAAA;AAAA,OACjE;AAAA,IACF;AAGA,IAAA,IAAI,kBAA4B,EAAC;AACjC,IAAA,IAAI,iBAAA,GAAoB,IAAA;AAExB,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,MAAA,MAAM,KAAA,GAAQ,mBAAA,CAAoB,QAAA,EAAU,GAAG,CAAA;AAC/C,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,iBAAA,GAAoB,kBAAkB,KAAK,CAAA;AAC3C,QAAA,eAAA,GAAkB,MAAM,IAAA,CAAK,GAAA;AAAA,UAC3B,CAAC,IAAA,KAAS,CAAA,EAAG,KAAK,QAAQ,CAAA,CAAA,EAAI,KAAK,IAAI,CAAA;AAAA,SACzC;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,UAAA,CAAW,GAAG,CAAA;AAExC,IAAA,OAAO;AAAA,MACL,GAAA;AAAA,MACA,SAAA;AAAA,MACA,KAAA;AAAA,MACA,SAAS,UAAA,CAAW,GAAA;AAAA,MACpB,kBAAA,EAAoB,iBAAA;AAAA,MACpB,YAAA,EAAc,eAAA;AAAA,MACd,UAAA,EAAY,WAAW,QAAA,CAAS,UAAA;AAAA,MAChC,YAAY,UAAA,CAAW;AAAA,KACzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KACJ,SAAA,EACA,MAAA,EACA,MACA,KAAA,GAAQ,GAAA,EACR,SAAS,CAAA,EAWR;AACD,IAAA,MAAM,iBAAiB,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,MAAM,CAAA;AAChE,IAAA,MAAM,SAMD,EAAC;AAEN,IAAA,KAAA,MAAW,SAAS,cAAA,EAAgB;AAClC,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,EAAW,MAAM,GAAG,CAAA;AACxD,MAAA,IAAI,CAAC,GAAA,EAAK;AAEV,MAAA,IAAI;AACF,QAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAG5D,QAAA,IAAI,IAAA,IAAQ,IAAA,CAAK,MAAA,GAAS,CAAA,EAAG;AAC3B,UAAA,MAAM,SAAA,GAAY,UAAA,CAAW,QAAA,CAAS,IAAA,IAAQ,EAAC;AAC/C,UAAA,MAAM,cAAA,GAAiB,KAAK,IAAA,CAAK,CAAC,MAAM,SAAA,CAAU,QAAA,CAAS,CAAC,CAAC,CAAA;AAC7D,UAAA,IAAI,CAAC,cAAA,EAAgB;AAAA,QACvB;AAEA,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,KAAK,KAAA,CAAM,GAAA;AAAA,UACX,SAAS,UAAA,CAAW,GAAA;AAAA,UACpB,YAAY,KAAA,CAAM,UAAA;AAAA,UAClB,UAAA,EAAY,WAAW,QAAA,CAAS,UAAA;AAAA,UAChC,IAAA,EAAM,UAAA,CAAW,QAAA,CAAS,IAAA,IAAQ;AAAC,SACpC,CAAA;AAAA,MACH,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,MAAA,CAAO,KAAA,CAAM,MAAA,EAAQ,SAAS,KAAK,CAAA;AAAA,MACzC,OAAO,MAAA,CAAO,MAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EAOC;AACD,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,QAAQ,MAAA,CAAO,SAAA,EAAW,KAAK,IAAI,CAAA;AAG9D,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,IAAA,CAAK,YAAA,CAAa,OAAO,EAAE,CAAA;AAC3B,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,QAAA,CAAS,OAAO,GAAG,CAAA;AACnB,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,OAAA;AAAA,MACA,GAAA;AAAA,MACA,SAAA;AAAA,MACA,eAAA,EAAiB,UAAA;AAAA,MACjB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OACJ,SAAA,EAOC;AACD,IAAA,MAAM,qBAA+B,EAAC;AAEtC,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,kBAAA,CAAmB,KAAK,SAAS,CAAA;AAAA,IACnC,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,EAAA,IAAM,IAAA,CAAK,aAAA,CAAc,IAAA,EAAK,EAAG;AAC1C,QAAA,kBAAA,CAAmB,KAAK,EAAE,CAAA;AAAA,MAC5B;AAAA,IACF;AAEA,IAAA,MAAM,aAGF,EAAC;AACL,IAAA,IAAI,SAAA,GAAY,CAAA;AAEhB,IAAA,KAAA,MAAW,MAAM,kBAAA,EAAoB;AACnC,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,EAAE,CAAA;AAC1C,MAAA,UAAA,CAAW,EAAE,IAAI,EAAC;AAElB,MAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,EAAA,EAAI,MAAM,GAAG,CAAA;AACjD,QAAA,IAAI,CAAC,GAAA,EAAK;AAEV,QAAA,IAAI;AACF,UAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC5D,UAAA,UAAA,CAAW,EAAE,EAAG,IAAA,CAAK,EAAE,KAAK,KAAA,CAAM,GAAA,EAAK,KAAA,EAAO,UAAA,EAAY,CAAA;AAC1D,UAAA,SAAA,EAAA;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,UAAA,GAAa,KAAK,SAAA,CAAU;AAAA,MAChC,wBAAA,EAA0B,CAAA;AAAA,MAC1B,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACpC,UAAA,EAAY,kBAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACP,CAAA;AAED,IAAA,MAAM,WAAA,GAAc,cAAc,UAAU,CAAA;AAC5C,IAAA,MAAM,UAAA,GAAa,aAAa,WAAW,CAAA;AAE3C,IAAA,OAAO;AAAA,MACL,MAAA,EAAQ,YAAY,WAAW,CAAA;AAAA,MAC/B,UAAA,EAAY,kBAAA;AAAA,MACZ,UAAA,EAAY,SAAA;AAAA,MACZ,WAAA,EAAa,UAAA;AAAA,MACb,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACtC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,YAAA,EACA,kBAAA,GAAuD,QACvD,iBAAA,EASC;AACD,IAAA,MAAM,WAAA,GAAc,cAAc,YAAY,CAAA;AAC9C,IAAA,MAAM,UAAA,GAAa,cAAc,WAAW,CAAA;AAC5C,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,UAAU,CAAA;AAEpC,IAAA,IAAI,YAAA,GAAe,CAAA;AACnB,IAAA,IAAI,WAAA,GAAc,CAAA;AAClB,IAAA,IAAI,iBAAA,GAAoB,CAAA;AACxB,IAAA,IAAI,iBAAA,GAAoB,CAAA;AACxB,IAAA,IAAI,SAAA,GAAY,CAAA;AAChB,IAAA,MAAM,aAAuB,EAAC;AAE9B,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,MAAA,CAAO,OAAA;AAAA,MACjC,MAAA,CAAO;AAAA,KACT,EAAG;AAED,MAAA,IAAI,2BAAA,CAA4B,IAAA;AAAA,QAC9B,CAAC,MAAA,KAAW,EAAA,KAAO,UAAU,EAAA,CAAG,UAAA,CAAW,SAAS,GAAG;AAAA,OACzD,EAAG;AACD,QAAA,WAAA,IAAgB,OAAA,CAAsD,MAAA;AACtE,QAAA;AAAA,MACF;AACA,MAAA,UAAA,CAAW,KAAK,EAAE,CAAA;AAElB,MAAA,KAAA,MAAW,EAAE,GAAA,EAAK,KAAA,EAAM,IAAK,OAAA,EAAS;AAGpC,QAAA,MAAM,eAAA,GAAkB,iBAAA,CAAkB,KAAA,CAAM,GAAG,CAAA;AACnD,QAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,UAAA,iBAAA,EAAA;AACA,UAAA,WAAA,EAAA;AACA,UAAA;AAAA,QACF;AAGA,QAAA,IAAI;AACF,UAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,KAAA,CAAM,OAAA,CAAQ,EAAE,CAAA;AACtD,UAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,KAAA,CAAM,GAAG,CAAA;AAC9C,UAAA,MAAM,QAAA,GAAW,MAAA,CAAO,eAAA,EAAiB,cAAA,EAAgB,eAAe,CAAA;AACxE,UAAA,IAAI,CAAC,QAAA,EAAU;AACb,YAAA,iBAAA,EAAA;AACA,YAAA,WAAA,EAAA;AACA,YAAA;AAAA,UACF;AAAA,QACF,CAAA,CAAA,MAAQ;AAEN,UAAA,iBAAA,EAAA;AACA,UAAA,WAAA,EAAA;AACA,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,SAAS,MAAM,IAAA,CAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,GAAG,CAAA;AAEhD,QAAA,IAAI,MAAA,EAAQ;AACV,UAAA,SAAA,EAAA;AACA,UAAA,IAAI,uBAAuB,MAAA,EAAQ;AACjC,YAAA,WAAA,EAAA;AACA,YAAA;AAAA,UACF;AACA,UAAA,IAAI,uBAAuB,SAAA,EAAW;AAEpC,YAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,GAAG,CAAA;AAC3C,YAAA,IAAI,GAAA,EAAK;AACP,cAAA,IAAI;AACF,gBAAA,MAAM,gBAA4B,IAAA,CAAK,KAAA;AAAA,kBACrC,cAAc,GAAG;AAAA,iBACnB;AACA,gBAAA,IAAI,KAAA,CAAM,GAAA,IAAO,aAAA,CAAc,GAAA,EAAK;AAClC,kBAAA,WAAA,EAAA;AACA,kBAAA;AAAA,gBACF;AAAA,cACF,CAAA,CAAA,MAAQ;AAAA,cAER;AAAA,YACF;AAAA,UACF;AAAA,QAEF;AAGA,QAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AACtD,QAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,EAAA,EAAI,KAAK,UAAU,CAAA;AAC5C,QAAA,YAAA,EAAA;AAGA,QAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,EAAA,EAAI,GAAG,CAAA;AAClC,QAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,KAAA,CAAM,GAAG,CAAA;AACnC,QAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,EAAE,CAAA;AACjD,QAAA,QAAA,CAAS,GAAA,CAAI,GAAA,EAAK,KAAA,CAAM,cAAc,CAAA;AAAA,MACxC;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,aAAA,EAAe,YAAA;AAAA,MACf,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA,MACrB,mBAAA,EAAqB,iBAAA;AAAA,MACrB,SAAA;AAAA,MACA,UAAA;AAAA,MACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACtC;AAAA,EACF;AACF;AGpmBA,IAAME,QAAAA,GAAUC,sBAAAA,CAAc,2PAAe,CAAA;AAC7C,IAAM,EAAE,OAAA,EAASe,YAAAA,EAAY,GAAIhB,SAAQ,iBAAiB,CAAA;AA2B1D,IAAM,gBAAA,GAAmB,OAAA;AAGzB,IAAM,gBAAA,GAAmB,OAAA;AAGzB,IAAM,aAAA,mBAAgB,IAAI,GAAA,CAAI,CAAC,QAAQ,CAAC,CAAA;AAoBxC,SAAS,YAAA,CACP,MACA,MAAA,EACmB;AACnB,EAAA,MAAM,SAA4B,EAAC;AACnC,EAAA,MAAM,UAAA,GAAc,MAAA,CAAO,UAAA,IAAc,EAAC;AAC1C,EAAA,MAAM,QAAA,GAAY,MAAA,CAAO,QAAA,IAAY,EAAC;AAGtC,EAAA,KAAA,MAAW,SAAS,QAAA,EAAU;AAC5B,IAAA,IAAI,KAAK,KAAK,CAAA,KAAM,UAAa,IAAA,CAAK,KAAK,MAAM,IAAA,EAAM;AACrD,MAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA,gBAAA,EAAmB,KAAK,gBAAgB,CAAA;AAAA,IACxE;AAAA,EACF;AAGA,EAAA,MAAM,cAAc,IAAI,GAAA,CAAI,MAAA,CAAO,IAAA,CAAK,UAAU,CAAC,CAAA;AACnD,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,IAAA,IAAI,CAAC,WAAA,CAAY,GAAA,CAAI,KAAK,CAAA,EAAG;AAC3B,MAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA,eAAA,EAAkB,KAAK,KAAK,CAAA;AAAA,IAC5D;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AACjD,IAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AAC3C,IAAA,MAAM,UAAA,GAAa,WAAW,KAAK,CAAA;AACnC,IAAA,IAAI,CAAC,UAAA,EAAY;AAEjB,IAAA,MAAM,SAAA,GAAY,SAAA,CAAU,KAAA,EAAO,KAAA,EAAO,UAAU,CAAA;AACpD,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAA,CAAO,KAAK,SAAS,CAAA;AACrB,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,MAAA,MAAM,QAAA,GAAW,aAAA,CAAc,GAAA,CAAI,KAAK,IAAI,gBAAA,GAAmB,gBAAA;AAE/D,MAAA,MAAM,aAAa,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAA,CAAE,MAAA;AACnD,MAAA,IAAI,aAAa,QAAA,EAAU;AACzB,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,KAAA;AAAA,UACA,SAAS,CAAA,OAAA,EAAU,KAAK,CAAA,wBAAA,EAA2B,UAAU,YAAY,QAAQ,CAAA,OAAA;AAAA,SAClF,CAAA;AAAA,MACH;AAAA,IACF;AAGA,IAAA,IAAI,WAAW,IAAA,IAAQ,CAAC,WAAW,IAAA,CAAK,QAAA,CAAS,KAAK,CAAA,EAAG;AACvD,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,KAAA;AAAA,QACA,OAAA,EAAS,UAAU,KAAK,CAAA,kBAAA,EAAqB,WAAW,IAAA,CAAK,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,OACxE,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAKA,SAAS,SAAA,CACP,KAAA,EACA,KAAA,EACA,MAAA,EACwB;AACxB,EAAA,IAAI,CAAC,MAAA,CAAO,IAAA,EAAM,OAAO,IAAA;AAEzB,EAAA,QAAQ,OAAO,IAAA;AAAM,IACnB,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,SAAA;AACH,MAAA,IAAI,OAAO,UAAU,SAAA,EAAW;AAC9B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,sBAAA,EAAyB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MAClF;AACA,MAAA;AAAA,IACF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACrD,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,oBAAA,EAAuB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MAChF;AACA,MAAA;AAAA;AAEJ,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,YAAA,CACd,OACA,OAAA,EACQ;AACR,EAAA,MAAM,OAAO,OAAA,EAAS,IAAA;AAEtB,EAAA,MAAM,SAAS,IAAIiB,eAAA;AAAA,IACjB;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,OAAA,EAASD;AAAA,KACX;AAAA,IACA;AAAA,MACE,YAAA,EAAc;AAAA,QACZ,OAAO;AAAC;AACV;AACF,GACF;AAGA,EAAA,MAAA,CAAO,iBAAA,CAAkBE,iCAAwB,YAAY;AAC3D,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QACvB,MAAM,CAAA,CAAE,IAAA;AAAA,QACR,aAAa,CAAA,CAAE,WAAA;AAAA,QACf,aAAa,CAAA,CAAE;AAAA,OACjB,CAAE;AAAA,KACJ;AAAA,EACF,CAAC,CAAA;AAGD,EAAA,MAAA,CAAO,iBAAA,CAAkBC,8BAAA,EAAuB,OAAO,OAAA,KAAY;AACjE,IAAA,MAAM,EAAE,IAAA,EAAM,SAAA,EAAW,IAAA,KAAS,OAAA,CAAQ,MAAA;AAC1C,IAAA,MAAM,SAAA,GAAa,QAAQ,EAAC;AAE5B,IAAA,MAAM,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,SAAS,IAAI,CAAA;AAC9C,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EAAM,KAAK,SAAA,CAAU,EAAE,OAAO,CAAA,cAAA,EAAiB,IAAI,IAAI;AAAA;AACzD,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAKA,IAAA,MAAM,gBAAA,GAAmB,YAAA,CAAa,SAAA,EAAW,IAAA,CAAK,WAAW,CAAA;AACjE,IAAA,IAAI,gBAAA,CAAiB,SAAS,CAAA,EAAG;AAC/B,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,cACnB,KAAA,EAAO,mBAAA;AAAA,cACP,OAAA,EAAS,yCAAA;AAAA,cACT,UAAA,EAAY;AAAA,aACb;AAAA;AACH,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAKA,IAAA,IAAI,IAAA,EAAM;AACR,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,QAAA,CAAS,MAAM,SAAS,CAAA;AAClD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,QAAA,OAAO;AAAA,UACL,OAAA,EAAS;AAAA,YACP;AAAA,cACE,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,gBACnB,KAAA,EAAO,yBAAA;AAAA,gBACP,mBAAmB,MAAA,CAAO;AAAA,eAC3B;AAAA;AACH,WACF;AAAA,UACA,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAAA,IACrC,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,OAAA,GACJ,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,eAAA;AACvC,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,SAAS;AAAA;AACzC,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAAA,EACF,CAAC,CAAA;AAED,EAAA,OAAO,MAAA;AACT;AAKO,SAAS,WACd,IAAA,EACoD;AACpD,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,CAAC,EAAE,IAAA,EAAM,MAAA,EAAiB,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,IAAA,EAAM,CAAC,CAAA,EAAG;AAAA,GAC1E;AACF;;;ACnRA,aAAA,EAAA;AAOA,aAAA,EAAA;AASA,IAAMC,4BAAAA,GAA8B;AAAA,EAClC,aAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAMA,SAAS,8BAA8B,SAAA,EAAkC;AACvE,EAAA,KAAA,MAAW,UAAUA,4BAAAA,EAA6B;AAChD,IAAA,IAAI,cAAc,MAAA,IAAU,SAAA,CAAU,UAAA,CAAW,MAAA,GAAS,GAAG,CAAA,EAAG;AAC9D,MAAA,OAAO,MAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAO,IAAA;AACT;AAGO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA,uBAAiB,GAAA,EAA4B;AAAA,EAC7C,iBAAA,GAAmC,IAAA;AAAA,EAE3C,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AAAA,EAEA,IAAY,aAAA,GAA4B;AACtC,IAAA,OAAO,gBAAA,CAAiB,IAAA,CAAK,SAAA,EAAW,qBAAqB,CAAA;AAAA,EAC/D;AAAA;AAAA,EAGA,MAAM,IAAA,GAAsB;AAC1B,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,aAAa,CAAA;AACrD,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,aAAA,EAAe,MAAM,GAAG,CAAA;AAC5D,MAAA,IAAI,CAAC,GAAA,EAAK;AACV,MAAA,IAAI;AACF,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC/C,QAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,QAAA,MAAM,QAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,QAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,CAAS,WAAA,EAAa,QAAQ,CAAA;AAClD,QAAA,IAAI,CAAC,KAAK,iBAAA,EAAmB;AAC3B,UAAA,IAAA,CAAK,oBAAoB,QAAA,CAAS,WAAA;AAAA,QACpC;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,KAAK,QAAA,EAAyC;AAClD,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AACzD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,QAAA,CAAS,WAAA;AAAA,MACT,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AACA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,CAAS,WAAA,EAAa,QAAQ,CAAA;AAClD,IAAA,IAAI,CAAC,KAAK,iBAAA,EAAmB;AAC3B,MAAA,IAAA,CAAK,oBAAoB,QAAA,CAAS,WAAA;AAAA,IACpC;AAAA,EACF;AAAA,EAEA,IAAI,EAAA,EAAwC;AAC1C,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,EAAE,CAAA;AAAA,EAC/B;AAAA,EAEA,UAAA,GAAyC;AACvC,IAAA,IAAI,CAAC,IAAA,CAAK,iBAAA,EAAmB,OAAO,MAAA;AACpC,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,IAAA,CAAK,iBAAiB,CAAA;AAAA,EACnD;AAAA,EAEA,IAAA,GAAyB;AACvB,IAAA,OAAO,KAAA,CAAM,KAAK,IAAA,CAAK,UAAA,CAAW,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,EAAA,MAAQ;AAAA,MACvD,aAAa,EAAA,CAAG,WAAA;AAAA,MAChB,OAAO,EAAA,CAAG,KAAA;AAAA,MACV,YAAY,EAAA,CAAG,UAAA;AAAA,MACf,KAAK,EAAA,CAAG,GAAA;AAAA,MACR,YAAY,EAAA,CAAG,UAAA;AAAA,MACf,UAAU,EAAA,CAAG,QAAA;AAAA,MACb,gBAAgB,EAAA,CAAG;AAAA,KACrB,CAAE,CAAA;AAAA,EACJ;AACF,CAAA;AAKO,SAAS,aAAA,CACd,UAAA,EACA,OAAA,EACA,SAAA,EACA,eACA,QAAA,EAC+D;AAC/D,EAAA,MAAM,WAAA,GAAc,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC1D,EAAA,MAAM,cAAA,GAAiB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAGxE,EAAA,SAAS,gBAAgB,UAAA,EAAqC;AAC5D,IAAA,MAAM,KAAK,UAAA,GACP,WAAA,CAAY,IAAI,UAAU,CAAA,GAC1B,YAAY,UAAA,EAAW;AAC3B,IAAA,IAAI,CAAC,EAAA,EAAI;AACP,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,UAAA,GACI,CAAA,oBAAA,EAAuB,UAAU,CAAA,CAAA,GACjC;AAAA,OACN;AAAA,IACF;AACA,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,oGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,EAAE,cAAA,EAAgB,cAAA,EAAe,GAAI,cAAA;AAAA,UACzC,KAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,MAAM,WAAA,CAAY,KAAK,cAAc,CAAA;AAErC,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,cAAA,CAAe,WAAA,EAAa;AAAA,UACpE;AAAA,SACD,CAAA;AAKD,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,cAAA,CAAe,WAAA;AAAA,UAC5B,YAAY,cAAA,CAAe,UAAA;AAAA,UAC3B,KAAK,cAAA,CAAe,GAAA;AAAA,UACpB,YAAY,cAAA,CAAe,UAAA;AAAA,UAC3B,UAAU,cAAA,CAAe,QAAA;AAAA,UACzB,gBAAgB,cAAA,CAAe,cAAA;AAAA,UAC/B,SAAA,EAAW;AAAA,SACZ,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EAAa,wCAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,UAAA,EAAY;AAAA,cACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA;AAAS;AAC1B;AACF;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,IAAI,UAAA,GAAa,YAAY,IAAA,EAAK;AAClC,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,QAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,UAAA,UAAA,GAAa,UAAA,CAAW,MAAA;AAAA,YAAO,CAAC,CAAA,KAC9B,CAAA,CAAE,KAAA,CAAM,QAAA,CAAS,OAAO,KAAM;AAAA,WAChC;AAAA,QACF;AACA,QAAA,OAAO,UAAA,CAAW,EAAE,UAAA,EAAY,CAAA;AAAA,MAClC;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,gGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9B,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAS;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,aAAa,IAAA,CAAK,OAAA;AAGxB,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC;AAEA,QAAA,MAAM,SAAA,GAAY,IAAA;AAAA,UAChB,OAAA;AAAA,UACA,QAAA,CAAS,qBAAA;AAAA,UACT;AAAA,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,CAAS,WAAW,CAAA;AAE5D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,UAChC,SAAA,EAAW,SAAA;AAAA,UACX,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,UAClC,YAAY,QAAA,CAAS,UAAA;AAAA,UACrB,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,wEAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,qBAAA,EAAsB;AAAA,UAChE,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAA,EAAW,WAAW;AAAA,OACnC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,OAAA;AAGxB,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC;AAEA,QAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAmB,CAAA;AAGxD,QAAA,IAAI,SAAA;AACJ,QAAA,IAAI,KAAK,WAAA,EAAa;AACpB,UAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAqB,CAAA;AAC3D,UAAA,SAAA,GAAY,aAAA,CAAc,SAAS,UAAU,CAAA;AAAA,QAC/C,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,UAAA,SAAA,GAAY,aAAA,CAAc,KAAK,UAAoB,CAAA;AAAA,QACrD,CAAA,MAAO;AACL,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,KAAA,GAAQ,MAAA,CAAe,OAAA,EAAS,SAAA,EAAW,SAAS,CAAA;AAE1D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA;AAAS,SAC3B;AAAA,QACA,QAAA,EAAU,CAAC,aAAa;AAAA,OAC1B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAqB,CAAA;AAC3D,QAAA,MAAM,MAAA,GAAU,KAAK,MAAA,IAAqB,cAAA;AAE1C,QAAA,MAAM,EAAE,eAAA,EAAiB,aAAA,EAAc,GAAI,UAAA;AAAA,UACzC,QAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,MAAM,WAAA,CAAY,KAAK,eAAe,CAAA;AAEtC,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC9D;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,eAAA,CAAgB,WAAA;AAAA,UAC7B,gBAAgB,aAAA,CAAc,cAAA;AAAA,UAC9B,gBAAgB,aAAA,CAAc,cAAA;AAAA,UAC9B,SAAS,eAAA,CAAgB,GAAA;AAAA,UACzB,YAAY,aAAA,CAAc;AAAA,SAC3B,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,WAAA,EACE,6IAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,4BAAA,EAA6B;AAAA,UACjE,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,UAAA,EAAY;AAAA,cACV,YAAA,EAAc,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cAC/B,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cAC9B,IAAA,EAAM,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS;AAAE;AACnD,WACF;AAAA,UACA,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA;AAAS,SAChC;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAA,EAAO,OAAO;AAAA,OACxC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,gCAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAMtB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,KAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,GAAA;AAAA,UACL,IAAA,CAAK,KAAA;AAAA,UACL,QAAA,CAAS,WAAA;AAAA,UACT,QAAA,CAAS,qBAAA;AAAA,UACT,cAAA;AAAA,UACA;AAAA,YACE,cAAc,QAAA,EAAU,YAAA;AAAA,YACxB,aAAa,QAAA,EAAU,WAAA;AAAA,YACvB,MAAM,QAAA,EAAU;AAAA;AAClB,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,aAAA,EAAe,QAAA,CAAS,WAAA,EAAa;AAAA,UAC1D,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK;AAAA,SACX,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,qGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACtB,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA;AAAK,SACrD;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAK;AAAA,OAC/B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,wCAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,IAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,GAAA;AAAA,UACL,MAAA;AAAA;AAAA,UACA,KAAK,gBAAA,IAA+B;AAAA,SACtC;AAEA,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,WAAA;AAAA,YACP,WAAW,IAAA,CAAK,SAAA;AAAA,YAChB,KAAK,IAAA,CAAK;AAAA,WACX,CAAA;AAAA,QACH;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,YAAA,EAAc,MAAA,CAAO,UAAA,EAAY;AAAA,UACtD,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK;AAAA,SACX,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,gEAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACzB,IAAA,EAAM,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS,EAAE;AAAA,UACjD,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,GAAA,EAAI;AAAA,UACtC,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,CAAA;AAAE,SACvC;AAAA,QACA,QAAA,EAAU,CAAC,WAAW;AAAA,OACxB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,mCAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,IAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,MAAA;AAAA,UACL,IAAA,CAAK,IAAA;AAAA,UACJ,KAAK,KAAA,IAAoB,GAAA;AAAA,UACzB,KAAK,MAAA,IAAqB;AAAA,SAC7B;AACA,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,oGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACtB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA;AAAS,SAC3B;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAK;AAAA,OAC/B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,0CAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK,GAAA;AAAA,UACV,QAAQ,IAAA,CAAK;AAAA,SACd,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,8DAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,cAAA;AAAe;AACpD,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,YAAY,MAAA,CAAO;AAAA,SACpB,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EAAa,4CAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,0BAAA,EAA2B;AAAA,UAClE,mBAAA,EAAqB;AAAA,YACnB,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAA,EAAQ,WAAA,EAAa,SAAS,CAAA;AAAA,YACrC,OAAA,EAAS;AAAA;AACX,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,CAAC,GAAA,KAAmC;AAC5D,UAAA,MAAM,QAAA,GAAW,WAAA,CAAY,GAAA,CAAI,GAAG,CAAA;AACpC,UAAA,IAAI,CAAC,UAAU,OAAO,IAAA;AACtB,UAAA,OAAO,aAAA,CAAc,SAAS,UAAU,CAAA;AAAA,QAC1C,CAAA;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK,MAAA;AAAA,UACJ,KAAK,mBAAA,IACJ,MAAA;AAAA,UACF;AAAA,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,eAAe,MAAA,CAAO;AAAA,SACvB,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,eAAA,EAAiB,WAAA,EAAY;AAC/C;;;AChnBA,aAAA,EAAA;AAWO,IAAM,WAAN,MAAe;AAAA,EACZ,OAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAwB,EAAC;AAAA,EACzB,OAAA,GAAU,CAAA;AAAA,EAElB,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,WAAW,CAAA;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,OACE,KAAA,EACA,SAAA,EACA,UAAA,EACA,OAAA,EACA,SAAgC,SAAA,EAC1B;AACN,IAAA,MAAM,KAAA,GAAoB;AAAA,MACxB,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA,EAAa,UAAA;AAAA,MACb,MAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAK,KAAK,CAAA;AAGvB,IAAA,IAAA,CAAK,YAAA,CAAa,KAAK,CAAA,CAAE,KAAA,CAAM,MAAM;AAAA,IAErC,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,aAAa,KAAA,EAAkC;AAC3D,IAAA,MAAM,MAAM,CAAA,EAAG,IAAA,CAAK,KAAK,CAAA,CAAA,EAAI,KAAK,OAAA,EAAS,CAAA,CAAA;AAC3C,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AACtD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,QAAA;AAAA,MACA,GAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAAA,EAK0C;AAEpD,IAAA,MAAM,KAAK,oBAAA,EAAqB;AAEhC,IAAA,IAAI,WAAW,IAAA,CAAK,OAAA;AAEpB,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,OAAA,CAAQ,KAAK,CAAA;AACxC,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,IAAI,IAAA,CAAK,CAAA,CAAE,SAAS,CAAA,IAAK;AAAA,OAClC;AAAA,IACF;AACA,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,QAAA,GAAW,SAAS,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,KAAA,KAAU,QAAQ,KAAK,CAAA;AAAA,IAC7D;AACA,IAAA,IAAI,QAAQ,cAAA,EAAgB;AAC1B,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,KAAc,OAAA,CAAQ;AAAA,OACjC;AAAA,IACF;AAEA,IAAA,MAAM,QAAQ,QAAA,CAAS,MAAA;AACvB,IAAA,MAAM,KAAA,GAAQ,QAAQ,KAAA,IAAS,EAAA;AAC/B,IAAA,MAAM,OAAA,GAAU,QAAA,CAAS,KAAA,CAAM,CAAC,KAAK,CAAA;AAErC,IAAA,OAAO,EAAE,SAAS,KAAA,EAAM;AAAA,EAC1B;AAAA,EAEA,MAAc,oBAAA,GAAsC;AAClD,IAAA,IAAI;AACF,MAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,QAAQ,CAAA;AACtD,MAAA,KAAA,MAAW,QAAQ,aAAA,EAAe;AAChC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,QAAA,EAAU,KAAK,GAAG,CAAA;AACtD,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,KAAA,GAAoB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAG7D,UAAA,MAAM,WAAA,GAAc,KAAK,OAAA,CAAQ,IAAA;AAAA,YAC/B,CAAC,CAAA,KACC,CAAA,CAAE,SAAA,KAAc,KAAA,CAAM,SAAA,IACtB,CAAA,CAAE,SAAA,KAAc,KAAA,CAAM,SAAA,IACtB,CAAA,CAAE,WAAA,KAAgB,KAAA,CAAM;AAAA,WAC5B;AACA,UAAA,IAAI,CAAC,WAAA,EAAa;AAChB,YAAA,IAAA,CAAK,OAAA,CAAQ,KAAK,KAAK,CAAA;AAAA,UACzB;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAGA,MAAA,IAAA,CAAK,OAAA,CAAQ,IAAA;AAAA,QACX,CAAC,CAAA,EAAG,CAAA,KACF,IAAI,KAAK,CAAA,CAAE,SAAS,CAAA,CAAE,OAAA,KAAY,IAAI,IAAA,CAAK,CAAA,CAAE,SAAS,EAAE,OAAA;AAAQ,OACpE;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,OAAA,CAAQ,MAAA;AAAA,EACtB;AACF;;;ACtIA,YAAA,EAAA;AACA,aAAA,EAAA;AAKA,aAAA,EAAA;AA6BO,SAAS,gBAAA,CACd,OACA,cAAA,EACY;AAEZ,EAAA,MAAM,gBAAgB,cAAA,GAClB,aAAA,CAAc,cAAc,CAAA,GAC5B,YAAY,EAAE,CAAA;AAGlB,EAAA,MAAM,UAAA,GAAa,cAAc,KAAK,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,UAAA,EAAY,aAAa,CAAA;AACtD,EAAA,MAAM,cAAA,GAAiB,KAAK,QAAQ,CAAA;AAEpC,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,YAAY,cAAc,CAAA;AAAA,IACtC,eAAA,EAAiB,YAAY,aAAa,CAAA;AAAA,IAC1C,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAUO,SAAS,gBAAA,CACd,UAAA,EACA,KAAA,EACA,cAAA,EACS;AACT,EAAA,MAAM,aAAA,GAAgB,cAAc,cAAc,CAAA;AAClD,EAAA,MAAM,UAAA,GAAa,cAAc,KAAK,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,UAAA,EAAY,aAAa,CAAA;AACtD,EAAA,MAAM,YAAA,GAAe,WAAA,CAAY,IAAA,CAAK,QAAQ,CAAC,CAAA;AAG/C,EAAA,OAAO,UAAA,KAAe,YAAA;AACxB;AAKO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,gBAAgB,CAAA;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,CAAM,UAAA,EAAwB,KAAA,EAAgC;AAClE,IAAA,MAAM,EAAA,GAAK,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AAE3D,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,YAAY,UAAA,CAAW,UAAA;AAAA,MACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,MAC5B,KAAA;AAAA,MACA,cAAc,UAAA,CAAW,YAAA;AAAA,MACzB,QAAA,EAAU;AAAA,KACZ;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,cAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,EAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,EAAA,EAA8C;AACtD,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,gBAAgB,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,EAAA,EAA2B;AAC5C,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI,EAAE,CAAA;AAChC,IAAA,IAAI,CAAC,MAAA,EAAQ;AAEb,IAAA,MAAA,CAAO,QAAA,GAAW,IAAA;AAClB,IAAA,MAAA,CAAO,WAAA,GAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAE5C,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,cAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF;;;ACpJA,aAAA,EAAA;AAgDO,SAAS,kBAAA,CACd,MAAA,EACA,OAAA,EACA,eAAA,EACsB;AACtB,EAAA,OAAO,eAAA,CAAgB,GAAA,CAAI,CAAC,KAAA,KAAU;AAEpC,IAAA,MAAM,SAAA,GAAY,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,OAAO,CAAA;AAChE,IAAA,MAAM,YAAA,GAAe,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,GAAG,CAAA;AAC/D,IAAA,MAAM,cAAc,SAAA,IAAa,YAAA;AAEjC,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,QAAQ,MAAA,CAAO,cAAA;AAAA,QACf,MAAA,EAAQ,4BAA4B,OAAO,CAAA,CAAA,CAAA;AAAA,QAC3C,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAEA,IAAA,MAAM,QAAA,GAAW,CAAA,EAAG,WAAA,CAAY,OAAO,CAAA,CAAA;AAGvC,IAAA,IAAI,WAAA,CAAY,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AACxC,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,UAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,4BAAA,EAA+B,QAAQ,CAAA,QAAA,CAAA;AAAA,QAC9D,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,EAAG;AAC9C,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,OAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,kCAAA,EAAqC,QAAQ,CAAA,QAAA,CAAA;AAAA,QACpE,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AACxC,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,UAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,iCAAA,EAAoC,QAAQ,CAAA,QAAA,CAAA;AAAA,QACnE,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,QAAQ,MAAA,CAAO,cAAA;AAAA,MACf,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,mBAAA,EAAsB,QAAQ,CAAA,uBAAA,CAAA;AAAA,MACrD,eAAA,EAAiB;AAAA,KACnB;AAAA,EACF,CAAC,CAAA;AACH;AAKO,IAAM,cAAN,MAAkB;AAAA,EACf,OAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA,uBAA8C,GAAA,EAAI;AAAA,EAE1D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,aAAa,CAAA;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,UAAA,EACA,KAAA,EACA,eACA,UAAA,EAC2B;AAC3B,IAAA,MAAM,QAAA,GAAW,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACjE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,SAAA,EAAW,QAAA;AAAA,MACX,WAAA,EAAa,UAAA;AAAA,MACb,KAAA;AAAA,MACA,cAAA,EAAgB,aAAA;AAAA,MAChB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,UAAA,EAAY;AAAA,KACd;AAEA,IAAA,MAAM,IAAA,CAAK,QAAQ,MAAM,CAAA;AACzB,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAElC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,QAAA,EAAoD;AAE5D,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA,EAAG;AAC/B,MAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA;AAAA,IACnC;AAGA,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,aAAa,QAAQ,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,MAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,MAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAClC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAoC;AACxC,IAAA,MAAM,KAAK,OAAA,EAAQ;AACnB,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,QAAA,CAAS,QAAQ,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,OAAA,GAAyB;AACrC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,WAAW,CAAA;AACnD,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,IAAA,CAAK,GAAG,CAAA,EAAG;AACjC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,WAAA,EAAa,KAAK,GAAG,CAAA;AACzD,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,MAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,UAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,SAAA,EAAW,MAAM,CAAA;AAAA,QAC5C,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,MAAA,EAAyC;AAC7D,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,WAAA;AAAA,MACA,MAAA,CAAO,SAAA;AAAA,MACP,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF;AC/MA,aAAA,EAAA;AAKA,IAAM,IAAIC,sBAAA,CAAe,IAAA;AAOzB,IAAM,OAAA,GAAU,WAAA;AAAA,EACdvB,aAAAA,CAAO,aAAA,CAAc,qCAAqC,CAAC,CAAA;AAAA,EAC3DA,aAAAA,CAAO,aAAA,CAAc,qCAAqC,CAAC;AAC7D,CAAA;AACA,IAAM,CAAA,GAAIuB,sBAAA,CAAe,WAAA,CAAY,OAAO,CAAA;AA+D5C,SAAS,cAAc,CAAA,EAAuB;AAC5C,EAAA,MAAM,MAAM,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,IAAI,GAAG,CAAA;AAC3C,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,EAAE,CAAA;AAC/B,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,EAAA,EAAI,CAAA,EAAA,EAAK;AAC3B,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,QAAA,CAAS,GAAA,CAAI,KAAA,CAAM,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,EAAG,EAAE,CAAA;AAAA,EACrD;AACA,EAAA,OAAO,KAAA;AACT;AAGA,SAAS,cAAc,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,GAAA,IAAO,EAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAA;AAAA,EACvC;AACA,EAAA,OAAO,MAAA,CAAO,OAAO,GAAG,CAAA;AAC1B;AAGA,IAAM,KAAA,GAAQ,OAAO,8EAA8E,CAAA;AAGnG,SAAS,IAAI,CAAA,EAAmB;AAC9B,EAAA,OAAA,CAAS,CAAA,GAAI,QAAS,KAAA,IAAS,KAAA;AACjC;AAMA,SAAS,YAAA,CAAa,OAA4C,MAAA,EAAqD;AACrH,EAAA,MAAM,CAAA,GAAI,IAAI,MAAM,CAAA;AACpB,EAAA,IAAI,CAAA,KAAM,EAAA,EAAI,OAAOA,sBAAA,CAAe,IAAA;AACpC,EAAA,OAAO,KAAA,CAAM,SAAS,CAAC,CAAA;AACzB;AAGA,SAAS,YAAA,GAAuB;AAC9B,EAAA,MAAM,KAAA,GAAQ,YAAY,EAAE,CAAA;AAC5B,EAAA,OAAO,GAAA,CAAI,aAAA,CAAc,KAAK,CAAC,CAAA;AACjC;AAGA,SAAS,mBAAA,CAAoB,WAAmB,MAAA,EAA8B;AAC5E,EAAA,MAAM,WAAA,GAAc,cAAc,MAAM,CAAA;AACxC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,WAAA,EAAa,GAAG,MAAM,CAAA;AACnD,EAAA,MAAMC,KAAAA,GAAOxB,cAAO,QAAQ,CAAA;AAC5B,EAAA,OAAO,GAAA,CAAI,aAAA,CAAcwB,KAAI,CAAC,CAAA;AAChC;AAiBO,SAAS,yBAAyB,KAAA,EAAmC;AAC1E,EAAA,MAAM,CAAA,GAAI,GAAA,CAAI,MAAA,CAAO,KAAK,CAAC,CAAA;AAC3B,EAAA,MAAM,IAAI,YAAA,EAAa;AAGvB,EAAA,MAAM,CAAA,GAAI,aAAa,CAAA,EAAG,CAAC,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,CAAC,CAAC,CAAA;AAEnD,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,WAAA,CAAY,CAAA,CAAE,UAAA,EAAY,CAAA;AAAA,IACtC,eAAA,EAAiB,WAAA,CAAY,aAAA,CAAc,CAAC,CAAC,CAAA;AAAA,IAC7C,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAOO,SAAS,wBAAA,CACd,UAAA,EACA,KAAA,EACA,cAAA,EACS;AACT,EAAA,IAAI;AACF,IAAA,MAAM,CAAA,GAAID,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,UAAU,CAAC,CAAA;AAC1D,IAAA,MAAM,CAAA,GAAI,GAAA,CAAI,MAAA,CAAO,KAAK,CAAC,CAAA;AAC3B,IAAA,MAAM,CAAA,GAAI,aAAA,CAAc,aAAA,CAAc,cAAc,CAAC,CAAA;AAErD,IAAA,MAAM,QAAA,GAAW,aAAa,CAAA,EAAG,CAAC,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,CAAC,CAAC,CAAA;AAC1D,IAAA,OAAO,CAAA,CAAE,OAAO,QAAQ,CAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAsBO,SAAS,sBAAA,CACd,KAAA,EACA,cAAA,EACA,UAAA,EACoB;AACpB,EAAA,MAAM,CAAA,GAAI,GAAA,CAAI,MAAA,CAAO,KAAK,CAAC,CAAA;AAC3B,EAAA,MAAM,CAAA,GAAI,aAAA,CAAc,aAAA,CAAc,cAAc,CAAC,CAAA;AAGrD,EAAA,MAAM,MAAM,YAAA,EAAa;AACzB,EAAA,MAAM,MAAM,YAAA,EAAa;AAGzB,EAAA,MAAM,CAAA,GAAI,aAAa,CAAA,EAAG,GAAG,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,GAAG,CAAC,CAAA;AAGvD,EAAA,MAAM,OAAA,GAAU,cAAc,UAAU,CAAA;AACxC,EAAA,MAAM,OAAA,GAAU,EAAE,UAAA,EAAW;AAC7B,EAAA,MAAM,CAAA,GAAI,mBAAA,CAAoB,qBAAA,EAAuB,OAAA,EAAS,OAAO,CAAA;AAGrE,EAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,CAAA,GAAI,CAAC,CAAA;AAC3B,EAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,CAAA,GAAI,CAAC,CAAA;AAE3B,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,+BAAA;AAAA,IACN,UAAA;AAAA,IACA,YAAA,EAAc,YAAY,OAAO,CAAA;AAAA,IACjC,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,IAC1C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,IAC1C,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAOO,SAAS,uBAAuB,KAAA,EAAoC;AACzE,EAAA,IAAI;AACF,IAAA,MAAM,IAAIA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAChE,IAAA,MAAM,IAAIA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,YAAY,CAAC,CAAA;AAClE,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AACzD,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAGzD,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,aAAA,CAAc,MAAM,UAAU,CAAA;AAAA,MAC9B,aAAA,CAAc,MAAM,YAAY;AAAA,KAClC;AAGA,IAAA,MAAM,GAAA,GAAM,aAAa,CAAA,EAAG,GAAG,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,GAAG,CAAC,CAAA;AACzD,IAAA,MAAM,MAAM,CAAA,CAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,CAAC,CAAC,CAAA;AAEpC,IAAA,OAAO,GAAA,CAAI,OAAO,GAAG,CAAA;AAAA,EACvB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAkBO,SAAS,gBAAA,CACd,KAAA,EACA,cAAA,EACA,UAAA,EACA,KACA,GAAA,EACkC;AAClC,EAAA,IAAI,KAAA,GAAQ,GAAA,IAAO,KAAA,GAAQ,GAAA,EAAK;AAC9B,IAAA,OAAO,EAAE,OAAO,CAAA,MAAA,EAAS,KAAK,qBAAqB,GAAG,CAAA,EAAA,EAAK,GAAG,CAAA,CAAA,CAAA,EAAI;AAAA,EACpE;AAEA,EAAA,MAAM,QAAQ,GAAA,GAAM,GAAA;AACpB,EAAA,MAAM,UAAU,IAAA,CAAK,IAAA,CAAK,KAAK,IAAA,CAAK,KAAA,GAAQ,CAAC,CAAC,CAAA;AAC9C,EAAA,MAAM,UAAU,KAAA,GAAQ,GAAA;AACxB,EAAA,MAAM,CAAA,GAAI,aAAA,CAAc,aAAA,CAAc,cAAc,CAAC,CAAA;AAGrD,EAAA,MAAM,OAAiB,EAAC;AACxB,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,IAAA,IAAA,CAAK,IAAA,CAAM,OAAA,IAAW,CAAA,GAAK,CAAC,CAAA;AAAA,EAC9B;AAGA,EAAA,MAAM,eAAyB,EAAC;AAChC,EAAA,MAAM,iBAA2B,EAAC;AAClC,EAAA,MAAM,YAAwC,EAAC;AAE/C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,IAAA,MAAM,QAAQ,YAAA,EAAa;AAC3B,IAAA,YAAA,CAAa,KAAK,KAAK,CAAA;AAGvB,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,GAAA,CAAI,OAAO,IAAA,CAAK,CAAC,CAAE,CAAC,CAAC,CAAA,CAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,KAAK,CAAC,CAAA;AAC7E,IAAA,cAAA,CAAe,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAC,CAAA;AAGjD,IAAA,MAAM,WAAW,cAAA,CAAe,IAAA,CAAK,CAAC,CAAA,EAAI,OAAO,GAAG,CAAA;AACpD,IAAA,SAAA,CAAU,KAAK,QAAQ,CAAA;AAAA,EACzB;AAIA,EAAA,MAAM,cAAc,YAAA,CAAa,MAAA;AAAA,IAC/B,CAAC,GAAA,EAAK,EAAA,EAAI,CAAA,KAAM,IAAI,GAAA,GAAM,GAAA,CAAI,MAAA,CAAO,CAAC,CAAA,IAAK,MAAA,CAAO,CAAC,CAAC,IAAI,EAAE,CAAA;AAAA,IAC1D;AAAA,GACF;AAEA,EAAA,MAAM,YAAA,GAAe,GAAA,CAAI,CAAA,GAAI,WAAW,CAAA;AAGxC,EAAA,MAAM,QAAQ,YAAA,EAAa;AAC3B,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,EAAG,KAAK,CAAA;AACnC,EAAA,MAAM,KAAA,GAAQ,mBAAA;AAAA,IACZ,2BAAA;AAAA,IACA,cAAc,UAAU,CAAA;AAAA,IACxB,MAAM,UAAA;AAAW,GACnB;AACA,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,GAAQ,KAAA,GAAQ,YAAY,CAAA;AAE9C,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,6BAAA;AAAA,IACN,UAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,eAAA,EAAiB,cAAA;AAAA,IACjB,UAAA,EAAY,SAAA;AAAA,IACZ,SAAA,EAAW;AAAA,MACT,YAAA,EAAc,WAAA,CAAY,KAAA,CAAM,UAAA,EAAY,CAAA;AAAA,MAC5C,QAAA,EAAU,WAAA,CAAY,aAAA,CAAc,KAAK,CAAC;AAAA,KAC5C;AAAA,IACA,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAKO,SAAS,iBAAiB,KAAA,EAA8B;AAC7D,EAAA,IAAI;AACF,IAAA,MAAM,IAAIA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAChE,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,GAAA,GAAM,KAAA,CAAM,GAAA;AAChC,IAAA,MAAM,UAAU,IAAA,CAAK,IAAA,CAAK,KAAK,IAAA,CAAK,KAAA,GAAQ,CAAC,CAAC,CAAA;AAE9C,IAAA,IAAI,KAAA,CAAM,eAAA,CAAgB,MAAA,KAAW,OAAA,EAAS,OAAO,KAAA;AACrD,IAAA,IAAI,KAAA,CAAM,UAAA,CAAW,MAAA,KAAW,OAAA,EAAS,OAAO,KAAA;AAGhD,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,MAAA,MAAM,GAAA,GAAMA,uBAAe,OAAA,CAAQ,aAAA,CAAc,MAAM,eAAA,CAAgB,CAAC,CAAE,CAAC,CAAA;AAC3E,MAAA,IAAI,CAAC,cAAA,CAAe,KAAA,CAAM,WAAW,CAAC,CAAA,EAAI,GAAG,CAAA,EAAG;AAC9C,QAAA,OAAO,KAAA;AAAA,MACT;AAAA,IACF;AAIA,IAAA,IAAI,gBAAgBA,sBAAA,CAAe,IAAA;AACnC,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,MAAA,MAAM,GAAA,GAAMA,uBAAe,OAAA,CAAQ,aAAA,CAAc,MAAM,eAAA,CAAgB,CAAC,CAAE,CAAC,CAAA;AAC3E,MAAA,MAAM,SAAS,GAAA,CAAI,MAAA,CAAO,CAAC,CAAA,IAAK,MAAA,CAAO,CAAC,CAAC,CAAA;AACzC,MAAA,aAAA,GAAgB,aAAA,CAAc,GAAA,CAAI,YAAA,CAAa,GAAA,EAAK,MAAM,CAAC,CAAA;AAAA,IAC7D;AAGA,IAAA,MAAM,IAAA,GAAO,CAAA,CAAE,QAAA,CAAS,YAAA,CAAa,GAAG,GAAA,CAAI,MAAA,CAAO,KAAA,CAAM,GAAG,CAAC,CAAC,CAAC,CAAA,CAAE,SAAS,aAAa,CAAA;AAGvF,IAAA,MAAM,QAAQA,sBAAA,CAAe,OAAA,CAAQ,cAAc,KAAA,CAAM,SAAA,CAAU,YAAY,CAAC,CAAA;AAChF,IAAA,MAAM,QAAQ,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,SAAA,CAAU,QAAQ,CAAC,CAAA;AACnE,IAAA,MAAM,KAAA,GAAQ,mBAAA;AAAA,MACZ,2BAAA;AAAA,MACA,aAAA,CAAc,MAAM,UAAU,CAAA;AAAA,MAC9B,aAAA,CAAc,KAAA,CAAM,SAAA,CAAU,YAAY;AAAA,KAC5C;AAGA,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,KAAK,CAAA;AACjC,IAAA,MAAM,MAAM,KAAA,CAAM,GAAA,CAAI,YAAA,CAAa,IAAA,EAAM,KAAK,CAAC,CAAA;AAC/C,IAAA,OAAO,GAAA,CAAI,OAAO,GAAG,CAAA;AAAA,EACvB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAQA,SAAS,cAAA,CACP,GAAA,EACA,QAAA,EACA,UAAA,EAC+B;AAC/B,EAAA,MAAM,OAAA,GAAU,WAAW,UAAA,EAAW;AAEtC,EAAA,IAAI,QAAQ,CAAA,EAAG;AAGb,IAAA,MAAM,SAAA,GAAY,UAAA,CAAW,QAAA,CAAS,CAAC,CAAA;AAGvC,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,MAAM,YAAA,EAAa;AAEzB,IAAA,MAAM,GAAA,GAAM,aAAa,CAAA,EAAG,GAAG,EAAE,QAAA,CAAS,YAAA,CAAa,SAAA,EAAW,GAAG,CAAC,CAAA;AAGtE,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AAG/B,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAI,UAAA,EAAW;AAAA,MACf,IAAI,UAAA;AAAW,KACjB;AACA,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,CAAA,GAAI,GAAG,CAAA;AACvB,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,GAAA,GAAM,QAAQ,CAAA;AAEpC,IAAA,OAAO;AAAA,MACL,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC1C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC;AAAA,KAC5C;AAAA,EACF,CAAA,MAAO;AAGL,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,MAAM,YAAA,EAAa;AAEzB,IAAA,MAAM,GAAA,GAAM,aAAa,CAAA,EAAG,GAAG,EAAE,QAAA,CAAS,YAAA,CAAa,UAAA,EAAY,GAAG,CAAC,CAAA;AAGvE,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AAG/B,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAI,UAAA,EAAW;AAAA,MACf,IAAI,UAAA;AAAW,KACjB;AACA,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,CAAA,GAAI,GAAG,CAAA;AACvB,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,GAAA,GAAM,QAAQ,CAAA;AAEpC,IAAA,OAAO;AAAA,MACL,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC1C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC;AAAA,KAC5C;AAAA,EACF;AACF;AAKA,SAAS,cAAA,CACP,OACA,UAAA,EACS;AACT,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,GAAU,WAAW,UAAA,EAAW;AACtC,IAAA,MAAM,MAAMA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,cAAc,CAAC,CAAA;AACtE,IAAA,MAAM,MAAMA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,cAAc,CAAC,CAAA;AACtE,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,WAAW,CAAC,CAAA;AAC1D,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,WAAW,CAAC,CAAA;AAC1D,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AACzD,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAGzD,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAI,UAAA,EAAW;AAAA,MACf,IAAI,UAAA;AAAW,KACjB;AACA,IAAA,IAAI,GAAA,CAAI,GAAA,GAAM,GAAG,CAAA,KAAM,GAAG,OAAO,KAAA;AAGjC,IAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AACjC,IAAA,MAAM,QAAQ,GAAA,CAAI,GAAA,CAAI,YAAA,CAAa,UAAA,EAAY,GAAG,CAAC,CAAA;AACnD,IAAA,IAAI,CAAC,KAAA,CAAM,MAAA,CAAO,KAAK,GAAG,OAAO,KAAA;AAGjC,IAAA,MAAM,SAAA,GAAY,UAAA,CAAW,QAAA,CAAS,CAAC,CAAA;AACvC,IAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AACjC,IAAA,MAAM,QAAQ,GAAA,CAAI,GAAA,CAAI,YAAA,CAAa,SAAA,EAAW,GAAG,CAAC,CAAA;AAClD,IAAA,IAAI,CAAC,KAAA,CAAM,MAAA,CAAO,KAAK,GAAG,OAAO,KAAA;AAEjC,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;;;ACzgBO,SAAS,aAAA,CACd,OAAA,EACA,SAAA,EACA,QAAA,EACyF;AACzF,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,CAAY,OAAA,EAAS,SAAS,CAAA;AAEtD,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,iLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAE5B,QAAA,MAAM,UAAA,GAAa,gBAAA,CAAiB,KAAA,EAAO,cAAc,CAAA;AAGzD,QAAA,MAAM,YAAA,GAAe,MAAM,eAAA,CAAgB,KAAA,CAAM,YAAY,KAAK,CAAA;AAElE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,kBAAA,EAAoB,QAAA,EAAU;AAAA,UAClD,aAAA,EAAe,YAAA;AAAA,UACf,iBAAiB,UAAA,CAAW;AAAA,SAC7B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAA,EAAe,YAAA;AAAA,UACf,YAAY,UAAA,CAAW,UAAA;AAAA,UACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,UAC5B,cAAc,UAAA,CAAW,YAAA;AAAA,UACzB,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,0IAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAA,EAAc,OAAA,EAAS,iBAAiB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAE5B,QAAA,MAAM,KAAA,GAAQ,gBAAA,CAAiB,UAAA,EAAY,KAAA,EAAO,cAAc,CAAA;AAEhE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,QAAA,EAAU;AAAA,UAC9C,eAAA,EAAiB,UAAA;AAAA,UACjB;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,UAAA;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,WAAA,EACE,kOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,OAAA;AAAA,YACN,WAAA,EAAa,yCAAA;AAAA,YACb,KAAA,EAAO;AAAA,cACL,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACV,OAAA,EAAS;AAAA,kBACP,IAAA,EAAM,QAAA;AAAA,kBACN,WAAA,EACE;AAAA,iBACJ;AAAA,gBACA,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EAAa;AAAA,iBACf;AAAA,gBACA,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EAAa;AAAA,iBACf;AAAA,gBACA,cAAA,EAAgB;AAAA,kBACd,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA;AACJ,eACF;AAAA,cACA,QAAA,EAAU,CAAC,SAAA,EAAW,UAAA,EAAY,YAAY,gBAAgB;AAAA;AAChE,WACF;AAAA,UACA,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,UAAA,EAAY,eAAe,CAAA;AAAA,YAClC,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAgB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,gBAAgB,IAAA,CAAK,cAAA;AAG3B,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAExB,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA;AAAA,UAC/B,UAAA;AAAA,UACA,KAAA;AAAA,UACA,aAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,UAAA,IAAc,QAAA,EAAU;AAAA,UACrE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,WAAA,EAAa,UAAA;AAAA,UACb,aAAa,KAAA,CAAM;AAAA,SACpB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,WAAA,EAAa,OAAO,KAAA,CAAM,MAAA;AAAA,UAC1B,YAAY,MAAA,CAAO;AAAA,SACpB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,mIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,OAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACxB,WAAA,EAAa;AAAA,WACf;AAAA,UACA,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAA,EAAW,kBAAkB;AAAA,OAC1C;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,QAAA,MAAM,WAAW,IAAA,CAAK,SAAA;AAEtB,QAAA,IAAI,MAAA;AACJ,QAAA,IAAI,QAAA,EAAU;AACZ,UAAA,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAAA,QACzC,CAAA,MAAO;AACL,UAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,IAAA,EAAK;AAC3C,UAAA,MAAA,GAAS,WAAA,CAAY,CAAC,CAAA,IAAK,IAAA;AAAA,QAC7B;AAEA,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,SAAA,GAAY,kBAAA,CAAmB,MAAA,EAAQ,OAAA,EAAS,eAAe,CAAA;AAErE,QAAA,MAAM,cAAc,SAAA,CAAU,MAAA;AAAA,UAC5B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,aAAa,SAAA,CAAU,MAAA;AAAA,UAC3B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,gBAAgB,SAAA,CAAU,MAAA;AAAA,UAC9B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,eAAe,SAAA,CAAU,MAAA;AAAA,UAC7B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AAEF,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,qBAAA,EAAuB,QAAA,EAAU;AAAA,UACrD,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,OAAA;AAAA,UACA,kBAAkB,eAAA,CAAgB,MAAA;AAAA,UAClC,WAAA;AAAA,UACA,UAAA;AAAA,UACA,cAAA,EAAgB;AAAA,SACjB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,OAAA;AAAA,UACA,SAAA;AAAA,UACA,OAAA,EAAS;AAAA,YACP,cAAc,eAAA,CAAgB,MAAA;AAAA,YAC9B,QAAA,EAAU,UAAA;AAAA,YACV,QAAA,EAAU,WAAA;AAAA,YACV,KAAA,EAAO,aAAA;AAAA,YACP,aAAA,EAAe;AAAA,WACjB;AAAA,UACA,wBACE,WAAA,GAAc,CAAA,GACV,CAAA,YAAA,EAAe,WAAW,OAAO,eAAA,CAAgB,MAAM,CAAA,8BAAA,EAAiC,MAAA,CAAO,WAAW,CAAA,CAAA,CAAA,GAC1G,CAAA,IAAA,EAAO,gBAAgB,MAAM,CAAA,qCAAA,EAAwC,OAAO,WAAW,CAAA,CAAA;AAAA,SAC9F,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,WAAA,EACE,2NAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AAEnB,QAAA,IAAI,CAAC,MAAA,CAAO,SAAA,CAAU,KAAK,CAAA,EAAG;AAC5B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,2BAAA,EAA6B,CAAA;AAAA,QAC1D;AAEA,QAAA,MAAM,UAAA,GAAa,yBAAyB,KAAK,CAAA;AAEjD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,WAAA,EAAa,QAAA,EAAU;AAAA,UAC3C,iBAAiB,UAAA,CAAW,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI;AAAA,SACvD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,UAAA,CAAW,UAAA;AAAA,UACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,UAC5B,cAAc,UAAA,CAAW,YAAA;AAAA,UACzB,YAAA,EAAc,uBAAA;AAAA,UACd,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,WAAA,EACE,yMAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAA,EAAS,iBAAA,EAAmB,YAAY;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAC5B,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AAGxB,QAAA,IAAI,CAAC,wBAAA,CAAyB,UAAA,EAAY,KAAA,EAAO,cAAc,CAAA,EAAG;AAChE,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,KAAA,GAAQ,sBAAA,CAAuB,KAAA,EAAO,cAAA,EAAgB,UAAU,CAAA;AAEtE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,UAAA,EAAY,QAAA,EAAU;AAAA,UAC1C,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,UAAA,EAAY,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI;AAAA,SACvC,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,WAAA,EACE,wJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AAEnB,QAAA,MAAM,KAAA,GAAQ,uBAAuB,KAAK,CAAA;AAE1C,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,WAAA,EAAa,QAAA,EAAU;AAAA,UAC3C,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,YAAY,KAAA,CAAM,UAAA;AAAA,UAClB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,WAAA,EACE,kLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,GAAA,EAAK;AAAA,YACH,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,GAAA,EAAK;AAAA,YACH,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,UAAU,CAAC,OAAA,EAAS,iBAAA,EAAmB,YAAA,EAAc,OAAO,KAAK;AAAA,OACnE;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAC5B,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AACxB,QAAA,MAAM,MAAM,IAAA,CAAK,GAAA;AACjB,QAAA,MAAM,MAAM,IAAA,CAAK,GAAA;AAEjB,QAAA,MAAM,QAAQ,gBAAA,CAAiB,KAAA,EAAO,cAAA,EAAgB,UAAA,EAAY,KAAK,GAAG,CAAA;AAE1E,QAAA,IAAI,WAAW,KAAA,EAAO;AACpB,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,KAAA,CAAM,OAAO,CAAA;AAAA,QAC1C;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,gBAAA,EAAkB,QAAA,EAAU;AAAA,UAChD,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,KAAA,EAAO,CAAA,CAAA,EAAI,GAAG,CAAA,EAAA,EAAK,GAAG,CAAA,CAAA,CAAA;AAAA,UACtB,IAAA,EAAM,MAAM,eAAA,CAAgB;AAAA,SAC7B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,IAAA,EAAM,CAAA,mDAAA,EAAsD,GAAG,CAAA,EAAA,EAAK,GAAG,CAAA,uBAAA;AAAA,SACxE,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,+HAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AAEnB,QAAA,MAAM,KAAA,GAAQ,iBAAiB,KAAK,CAAA;AAEpC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,QAAA,EAAU;AAAA,UACjD,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,KAAA;AAAA,UACA,OAAO,CAAA,CAAA,EAAI,KAAA,CAAM,GAAG,CAAA,EAAA,EAAK,MAAM,GAAG,CAAA,CAAA;AAAA,SACnC,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,OAAO,EAAE,GAAA,EAAK,MAAM,GAAA,EAAK,GAAA,EAAK,MAAM,GAAA,EAAI;AAAA,UACxC,YAAY,KAAA,CAAM,UAAA;AAAA,UAClB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,eAAA,EAAiB,WAAA,EAAY;AAC/C;;;ACxfA,aAAA,EAAA;AA2GA,SAAS,cAAc,MAAA,EAA0B;AAC/C,EAAA,IAAI,MAAA,CAAO,MAAA,KAAW,CAAA,EAAG,OAAO,CAAA;AAChC,EAAA,MAAM,MAAA,GAAS,CAAC,GAAG,MAAM,CAAA,CAAE,KAAK,CAAC,CAAA,EAAG,CAAA,KAAM,CAAA,GAAI,CAAC,CAAA;AAC/C,EAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,SAAS,CAAC,CAAA;AACxC,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,GACzB,MAAA,CAAO,GAAG,CAAA,GAAA,CACT,MAAA,CAAO,GAAA,GAAM,CAAC,CAAA,GAAK,MAAA,CAAO,GAAG,CAAA,IAAM,CAAA;AAC1C;AAEA,SAAS,gBAAA,CACP,cACA,WAAA,EACiC;AACjC,EAAA,MAAM,SAA0C,EAAC;AAGjD,EAAA,MAAM,KAAA,GACJ,eACA,KAAA,CAAM,IAAA;AAAA,IACJ,IAAI,GAAA;AAAA,MACF,YAAA,CAAa,OAAA;AAAA,QAAQ,CAAC,CAAA,KACpB,MAAA,CAAO,KAAK,CAAA,CAAE,WAAA,CAAY,KAAK,OAAO;AAAA;AACxC;AACF,GACF;AAEF,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAS,YAAA,CACZ,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,IAAI,CAAC,CAAA,CAC3C,MAAA,CAAO,CAAC,CAAA,KAAmB,MAAM,MAAS,CAAA;AAE7C,IAAA,IAAI,MAAA,CAAO,WAAW,CAAA,EAAG;AACvB,MAAA,MAAA,CAAO,IAAI,CAAA,GAAI,EAAE,IAAA,EAAM,CAAA,EAAG,MAAA,EAAQ,CAAA,EAAG,GAAA,EAAK,CAAA,EAAG,GAAA,EAAK,CAAA,EAAG,KAAA,EAAO,CAAA,EAAE;AAC9D,MAAA;AAAA,IACF;AAEA,IAAA,MAAA,CAAO,IAAI,CAAA,GAAI;AAAA,MACb,IAAA,EAAM,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,EAAG,MAAM,CAAA,GAAI,CAAA,EAAG,CAAC,CAAA,GAAI,MAAA,CAAO,MAAA;AAAA,MACjD,MAAA,EAAQ,cAAc,MAAM,CAAA;AAAA,MAC5B,GAAA,EAAK,IAAA,CAAK,GAAA,CAAI,GAAG,MAAM,CAAA;AAAA,MACvB,GAAA,EAAK,IAAA,CAAK,GAAA,CAAI,GAAG,MAAM,CAAA;AAAA,MACvB,OAAO,MAAA,CAAO;AAAA,KAChB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAIO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,eAAe,CAAA;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OACJ,aAAA,EACA,eAAA,EACA,SACA,OAAA,EACA,QAAA,EACA,qBAAA,EACA,uBAAA,EACA,eAAA,EAC4B;AAC5B,IAAA,MAAM,aAAA,GAAgB,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACtE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,IAAA,MAAM,eAAA,GAAuC;AAAA,MAC3C,cAAA,EAAgB,aAAA;AAAA,MAChB,iBAAiB,QAAA,CAAS,GAAA;AAAA,MAC1B,gBAAA,EAAkB,eAAA;AAAA,MAClB,cAAc,OAAA,CAAQ,IAAA;AAAA,MACtB,gBAAgB,OAAA,CAAQ,MAAA;AAAA,MACxB,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,EAAC;AAAA,MAC7B,OAAA;AAAA,MACA,SAAA,EAAW,GAAA;AAAA,MACX,gBAAA,EAAkB;AAAA,KACpB;AAGA,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,eAAe,CAAC,CAAA;AAC/D,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,SAAA;AAAA,MACA,QAAA,CAAS,qBAAA;AAAA,MACT;AAAA,KACF;AAEA,IAAA,MAAM,WAAA,GAA2B;AAAA,MAC/B,cAAA,EAAgB,aAAA;AAAA,MAChB,MAAA,EAAQ,0BAAA;AAAA,MACR,IAAA,EAAM,eAAA;AAAA,MACN,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,MAChC,QAAQ,QAAA,CAAS;AAAA,KACnB;AAEA,IAAA,MAAM,MAAA,GAA4B;AAAA,MAChC,WAAA;AAAA,MACA,wBAAA,EAA0B,uBAAA;AAAA,MAC1B,sBAAA,EAAwB,CAAC,CAAC,uBAAA;AAAA,MAC1B,WAAA,EAAa;AAAA,KACf;AAGA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,aAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAAA,EAKmB;AAC7B,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAC/B,IAAA,IAAI,QAAA,GAAW,GAAA;AAEf,IAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,YAAY,OAAA,CAAQ;AAAA,OAChD;AAAA,IACF;AAEA,IAAA,IAAI,QAAQ,UAAA,EAAY;AACtB,MAAA,MAAME,SAAQ,IAAI,IAAA,CAAK,QAAQ,UAAA,CAAW,KAAK,EAAE,OAAA,EAAQ;AACzD,MAAA,MAAMC,OAAM,IAAI,IAAA,CAAK,QAAQ,UAAA,CAAW,GAAG,EAAE,OAAA,EAAQ;AACrD,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA,CAAO,CAAC,CAAA,KAAM;AAChC,QAAA,MAAM,CAAA,GAAI,IAAI,IAAA,CAAK,CAAA,CAAE,YAAY,IAAA,CAAK,SAAS,EAAE,OAAA,EAAQ;AACzD,QAAA,OAAO,CAAA,IAAKD,UAAS,CAAA,IAAKC,IAAAA;AAAA,MAC5B,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,IAAI,QAAQ,gBAAA,EAAkB;AAC5B,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,qBAAqB,OAAA,CAAQ;AAAA,OACzD;AAAA,IACF;AAEA,IAAA,MAAM,WAAW,KAAA,CAAM,IAAA;AAAA,MACrB,IAAI,GAAA,CAAI,QAAA,CAAS,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,OAAO,CAAC;AAAA,KACzD;AAEA,IAAA,MAAM,aAAa,QAAA,CAAS,GAAA;AAAA,MAAI,CAAC,MAC/B,IAAI,IAAA,CAAK,EAAE,WAAA,CAAY,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA;AAAQ,KACjD;AACA,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAA,GAAS,CAAA,GAC9B,IAAI,KAAK,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA,CAAE,WAAA,sBAClC,IAAI,IAAA,IAAO,WAAA,EAAY;AAC3B,IAAA,MAAM,MAAM,UAAA,CAAW,MAAA,GAAS,CAAA,GAC5B,IAAI,KAAK,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA,CAAE,WAAA,sBAClC,IAAI,IAAA,IAAO,WAAA,EAAY;AAE3B,IAAA,OAAO;AAAA,MACL,oBAAoB,QAAA,CAAS,MAAA;AAAA,MAC7B,WAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,SAAS,QAAA,CAAS,MAAA;AAAA,QAChB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,QAAQ,QAAA,CAAS,MAAA;AAAA,QACf,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,UAAU,QAAA,CAAS,MAAA;AAAA,QACjB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,QAAA;AAAA,MACA,UAAA,EAAY,EAAE,KAAA,EAAO,GAAA,EAAI;AAAA,MACzB,iBAAA,EAAmB,gBAAA,CAAiB,QAAA,EAAU,OAAA,CAAQ,OAAO;AAAA,KAC/D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAA,CACJ,QAAA,EACA,qBAAA,EACA,OAAA,EAC2B;AAC3B,IAAA,IAAI,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAE7B,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,GAAA,GAAM,GAAA,CAAI,OAAO,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,YAAY,OAAO,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,eAAe,GAAA,CAAI,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,WAAW,CAAA;AACjD,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,OAAA,EAAS,kBAAA;AAAA,MACT,YAAA;AAAA,MACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACpC,cAAc,QAAA,CAAS;AAAA,KACzB;AAGA,IAAA,MAAM,WAAA,GAAc,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,UAAU,CAAC,CAAA;AAC5D,IAAA,MAAM,eAAA,GAAkB,IAAA;AAAA,MACtB,WAAA;AAAA,MACA,QAAA,CAAS,qBAAA;AAAA,MACT;AAAA,KACF;AAEA,IAAA,OAAO;AAAA,MACL,GAAG,UAAA;AAAA,MACH,gBAAA,EAAkB,YAAY,eAAe;AAAA,KAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,YAAA,CACJ,MAAA,EACA,gBAAA,EACA,UAAA,EACoE;AACpE,IAAA,IAAI,QAAA,GAAW,CAAA;AACf,IAAA,IAAI,OAAA,GAAU,CAAA;AACd,IAAA,MAAM,QAAA,uBAAe,GAAA,EAAY;AAEjC,IAAA,KAAA,MAAW,WAAA,IAAe,OAAO,YAAA,EAAc;AAC7C,MAAA,IAAI,gBAAA,EAAkB;AACpB,QAAA,MAAM,SAAA,GAAY,UAAA,CAAW,GAAA,CAAI,WAAA,CAAY,MAAM,CAAA;AACnD,QAAA,IAAI,CAAC,SAAA,EAAW;AACd,UAAA,OAAA,EAAA;AACA,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,SAAA,GAAY,aAAA;AAAA,UAChB,IAAA,CAAK,SAAA,CAAU,WAAA,CAAY,IAAI;AAAA,SACjC;AACA,QAAA,MAAM,QAAA,GAAW,aAAA,CAAc,WAAA,CAAY,SAAS,CAAA;AAEpD,QAAA,IAAI,CAAC,MAAA,CAAO,SAAA,EAAW,QAAA,EAAU,SAAS,CAAA,EAAG;AAC3C,UAAA,OAAA,EAAA;AACA,UAAA;AAAA,QACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAA4B;AAAA,QAChC,WAAA;AAAA,QACA,sBAAA,EAAwB,KAAA;AAAA,QACxB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACtC;AAEA,MAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,MAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,QACjB,aAAA;AAAA,QACA,WAAA,CAAY,cAAA;AAAA,QACZ,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,OACzC;AAEA,MAAA,QAAA,EAAA;AACA,MAAA,QAAA,CAAS,GAAA,CAAI,WAAA,CAAY,IAAA,CAAK,OAAO,CAAA;AAAA,IACvC;AAEA,IAAA,OAAO;AAAA,MACL,QAAA;AAAA,MACA,OAAA;AAAA,MACA,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,QAAQ;AAAA,KAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,YAAA,CACJ,gBAAA,EACA,eAAA,EACA,cAAA,EACA,YACA,gBAAA,EACiB;AACjB,IAAA,MAAM,QAAA,GAAW,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACjE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,iBAAiB,GAAI,CAAA;AAGhE,IAAA,MAAM,EAAE,YAAA,EAAAC,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,IAAA,MAAM,SAAA,GAAYA,aAAAA,CAAa,aAAA,CAAc,gBAAgB,CAAC,CAAA;AAE9D,IAAA,MAAM,MAAA,GAAiB;AAAA,MACrB,SAAA,EAAW,QAAA;AAAA,MACX,iBAAA,EAAmB,gBAAA;AAAA,MACnB,UAAA,EAAY,SAAA;AAAA,MACZ,iBAAA,EAAmB,gBAAA;AAAA,MACnB,gBAAA,EAAkB,eAAA;AAAA,MAClB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,IAAI,WAAA,EAAY;AAAA,MAC5B,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,MAClC,MAAA,EAAQ;AAAA,KACV;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,UAAA;AAAA,MACA,QAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAU,QAAA,EAA0C;AACxD,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,YAAY,QAAQ,CAAA;AACxD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAA,CACJ,iBAAA,EACA,UACA,KAAA,EACA,eAAA,EACA,uBACA,YAAA,EACoB;AACpB,IAAA,MAAM,WAAA,GAAc,CAAA,KAAA,EAAQ,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACrE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,aAAa,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,kBAAkB,GAAI,CAAA;AAElE,IAAA,MAAM,eAAA,GAAkB;AAAA,MACtB,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,iBAAA,CAAkB,GAAA;AAAA,MACjC,SAAA,EAAW,QAAA;AAAA,MACX,KAAA;AAAA,MACA,aAAA,EAAe,YAAA;AAAA,MACf,WAAA,EAAa,WAAW,WAAA,EAAY;AAAA,MACpC,SAAA,EAAW,IAAI,WAAA;AAAY,KAC7B;AAGA,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,eAAe,CAAC,CAAA;AAC/D,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,SAAA;AAAA,MACA,iBAAA,CAAkB,qBAAA;AAAA,MAClB;AAAA,KACF;AAEA,IAAA,MAAM,WAAA,GAAc,WAAA;AAAA,MAClB,aAAA;AAAA,QACE,KAAK,SAAA,CAAU;AAAA,UACb,GAAG,eAAA;AAAA,UACH,SAAA,EAAW,YAAY,SAAS;AAAA,SACjC;AAAA;AACH,KACF;AAEA,IAAA,MAAM,SAAA,GAAuB;AAAA,MAC3B,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,iBAAA,CAAkB,GAAA;AAAA,MACjC,SAAA,EAAW,QAAA;AAAA,MACX,KAAA;AAAA,MACA,aAAA,EAAe,YAAA;AAAA,MACf,WAAA,EAAa,WAAW,WAAA,EAAY;AAAA,MACpC,WAAA;AAAA,MACA,UAAA,EAAY,IAAI,WAAA;AAAY,KAC9B;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,CAAA;AAC1D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,WAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,SAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,sBAAsB,OAAA,EAGK;AAC/B,IAAA,IAAI,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAE7B,IAAA,IAAI,SAAS,OAAA,EAAS;AACpB,MAAA,GAAA,GAAM,GAAA,CAAI,OAAO,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,OAAA,KAAY,OAAA,CAAQ,OAAO,CAAA;AAAA,IACxE;AACA,IAAA,IAAI,SAAS,gBAAA,EAAkB;AAC7B,MAAA,GAAA,GAAM,GAAA,CAAI,MAAA;AAAA,QACR,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,qBAAqB,OAAA,CAAQ;AAAA,OACzD;AAAA,IACF;AAEA,IAAA,OAAO,GAAA;AAAA,EACT;AAAA;AAAA,EAIA,MAAc,OAAA,GAAwC;AACpD,IAAA,MAAM,UAA+B,EAAC;AAEtC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,aAAa,CAAA;AACrD,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,aAAA,EAAe,KAAK,GAAG,CAAA;AAC3D,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,OAAA,CAAQ,KAAK,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAC,CAAA;AAAA,QACnD,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;AC7jBA,aAAA,EAAA;;;ACcO,IAAM,YAAA,GAAgD;AAAA,EAC3D,oBAAA,EAAsB,CAAA;AAAA,EACtB,mBAAA,EAAqB,GAAA;AAAA,EACrB,eAAA,EAAiB,GAAA;AAAA,EACjB,YAAA,EAAc;AAChB;AAqBO,SAAS,WAAA,CACd,cAAA,EACA,gBAAA,EACA,oBAAA,EACc;AACd,EAAA,MAAM,SAAA,GAAY,gBAAA,CAAiB,GAAA,CAAI,cAAc,CAAA;AAErD,EAAA,IAAI,SAAA,IAAa,UAAU,QAAA,EAAU;AAEnC,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,SAAA,CAAU,UAAU,CAAA;AAC/C,IAAA,IAAI,SAAA,mBAAY,IAAI,IAAA,EAAK,EAAG;AAC1B,MAAA,OAAO;AAAA,QACL,kBAAkB,SAAA,CAAU,UAAA;AAAA,QAC5B,wBAAwB,SAAA,CAAU,YAAA;AAAA,QAClC,aAAa,SAAA,CAAU;AAAA,OACzB;AAAA,IACF;AAAA,EAEF;AAEA,EAAA,IAAI,oBAAA,EAAsB;AACxB,IAAA,OAAO,EAAE,kBAAkB,eAAA,EAAgB;AAAA,EAC7C;AAEA,EAAA,OAAO,EAAE,kBAAkB,YAAA,EAAa;AAC1C;AAKO,SAAS,2BAA2B,SAAA,EAAuC;AAChF,EAAA,QAAQ,SAAA;AAAW,IACjB,KAAK,oBAAA;AACH,MAAA,OAAO,oBAAA;AAAA,IACT,KAAK,mBAAA;AACH,MAAA,OAAO,mBAAA;AAAA,IACT;AACE,MAAA,OAAO,YAAA;AAAA;AAEb;AAsBO,SAAS,qBACd,YAAA,EACe;AACf,EAAA,IAAI,YAAA,CAAa,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAEtC,EAAA,IAAI,WAAA,GAAc,CAAA;AAClB,EAAA,IAAI,WAAA,GAAc,CAAA;AAElB,EAAA,KAAA,MAAW,KAAK,YAAA,EAAc;AAC5B,IAAA,MAAM,MAAA,GAAS,YAAA,CAAa,CAAA,CAAE,IAAI,CAAA;AAClC,IAAA,WAAA,IAAe,EAAE,KAAA,GAAQ,MAAA;AACzB,IAAA,WAAA,IAAe,MAAA;AAAA,EACjB;AAEA,EAAA,OAAO,WAAA,GAAc,CAAA,GAAI,WAAA,GAAc,WAAA,GAAc,IAAA;AACvD;AAKO,SAAS,iBACd,KAAA,EACiC;AACjC,EAAA,MAAM,IAAA,GAAwC;AAAA,IAC5C,oBAAA,EAAsB,CAAA;AAAA,IACtB,mBAAA,EAAqB,CAAA;AAAA,IACrB,eAAA,EAAiB,CAAA;AAAA,IACjB,YAAA,EAAc;AAAA,GAChB;AAEA,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAA,CAAK,IAAI,CAAA,EAAA;AAAA,EACX;AAEA,EAAA,OAAO,IAAA;AACT;;;AD9HO,SAAS,aAAA,CACd,OAAA,EACA,SAAA,EACA,eAAA,EACA,UACA,gBAAA,EAC+D;AAC/D,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,qBAAA,GAAwB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAE/E,EAAA,MAAM,SAAA,GAAY,gBAAA,oBAAoB,IAAI,GAAA,EAA6B;AAEvE,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,gIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,qBAAA;AAAA,YACb,UAAA,EAAY;AAAA,cACV,IAAA,EAAM;AAAA,gBACJ,IAAA,EAAM,QAAA;AAAA,gBACN,MAAM,CAAC,aAAA,EAAe,aAAA,EAAe,SAAA,EAAW,WAAW,QAAQ;AAAA,eACrE;AAAA,cACA,MAAA,EAAQ;AAAA,gBACN,IAAA,EAAM,QAAA;AAAA,gBACN,IAAA,EAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAU,UAAU;AAAA,eACrD;AAAA,cACA,OAAA,EAAS;AAAA,gBACP,IAAA,EAAM,QAAA;AAAA,gBACN,WAAA,EAAa;AAAA;AACf,aACF;AAAA,YACA,QAAA,EAAU,CAAC,MAAA,EAAQ,QAAQ;AAAA,WAC7B;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,iDAAA;AAAA,YACb,OAAA,EAAS;AAAA,WACX;AAAA,UACA,wBAAA,EAA0B;AAAA,YACxB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,gBAAA,EAAkB,kBAAA,EAAoB,SAAS;AAAA,OAC5D;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,OAAA,GAAW,KAAK,OAAA,IAAsB,SAAA;AAG5C,QAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,QAAA,MAAM,oBAAA,GAAuB,eAAA,CAAgB,IAAA,EAAK,CAAE,IAAA;AAAA,UAClD,CAAC,EAAA,KAAO,eAAA,CAAgB,IAAI,EAAA,CAAG,WAAW,GAAG,GAAA,KAAQ;AAAA,SACvD;AACA,QAAA,MAAM,QAAA,GAAW,WAAA,CAAY,eAAA,EAAiB,SAAA,EAAW,oBAAoB,CAAA;AAE7E,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,MAAA;AAAA,UACnC,IAAA,CAAK,cAAA;AAAA,UACL,eAAA;AAAA,UACA,OAAA;AAAA,UACA,OAAA;AAAA,UACA,QAAA;AAAA,UACA,qBAAA;AAAA,UACA,IAAA,CAAK,wBAAA;AAAA,UACL,QAAA,CAAS;AAAA,SACX;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC/D,gBAAgB,IAAA,CAAK,cAAA;AAAA,UACrB,cAAc,OAAA,CAAQ,IAAA;AAAA,UACtB,gBAAgB,OAAA,CAAQ,MAAA;AAAA,UACxB,OAAA;AAAA,UACA,kBAAkB,QAAA,CAAS;AAAA,SAC5B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAA,EAAgB,OAAO,WAAA,CAAY,cAAA;AAAA,UACnC,cAAA,EAAgB,MAAA,CAAO,WAAA,CAAY,IAAA,CAAK,cAAA;AAAA,UACxC,gBAAA,EAAkB,OAAO,WAAA,CAAY,SAAA;AAAA,UACrC,wBAAwB,MAAA,CAAO,sBAAA;AAAA,UAC/B,kBAAkB,QAAA,CAAS,gBAAA;AAAA,UAC3B,OAAA;AAAA,UACA,aAAa,MAAA,CAAO;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,6GAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,sBAAA;AAAA,YACb,UAAA,EAAY;AAAA,cACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,gBAAA,EAAiB;AAAA,cACvD,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA;AAAe;AACrD,WACF;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,OAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACxB,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,OAAA,GAAU,MAAM,eAAA,CAAgB,KAAA,CAAM;AAAA,UAC1C,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,YAAY,IAAA,CAAK,UAAA;AAAA,UAGjB,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,kBAAkB,IAAA,CAAK;AAAA,SACxB,CAAA;AAED,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,kBAAA,EAAoB,QAAA,EAAU;AAAA,UAClD,oBAAoB,OAAA,CAAQ,kBAAA;AAAA,UAC5B,UAAU,OAAA,CAAQ;AAAA,SACnB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,OAAA;AAAA;AAAA,UAEA,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,kBAAkB,CAAA;AAAA,YACzB,OAAA,EAAS;AAAA,WACX;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,QAAA;AAAA,UACA,qBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,SAAA,CAAU,MAAM,CAAA;AACxC,QAAA,MAAM,YAAA,GAAe,WAAA;AAAA,UACnB,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,UAAU;AAAA,SACrC;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC/D,iBAAA,EAAmB,OAAO,YAAA,CAAa,MAAA;AAAA,UACvC,UAAU,KAAA,CAAM,IAAA;AAAA,YACd,IAAI,GAAA,CAAI,MAAA,CAAO,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,CAAK,OAAO,CAAC;AAAA;AACxD,SACD,CAAA;AAED,QAAA,MAAM,EAAE,YAAA,EAAAA,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,QAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAEhC,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,MAAA,EAAQ,YAAA;AAAA,UACR,iBAAA,EAAmB,OAAO,YAAA,CAAa,MAAA;AAAA,UACvC,UAAU,KAAA,CAAM,IAAA;AAAA,YACd,IAAI,GAAA,CAAI,MAAA,CAAO,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,CAAK,OAAO,CAAC;AAAA,WACxD;AAAA,UACA,WAAA,EAAaD,aAAAA,CAAaC,cAAAA,CAAc,UAAU,CAAC,CAAA;AAAA,UACnD,aAAa,MAAA,CAAO;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,6GAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAe,IAAA,CAAK,MAAA;AAG1B,QAAA,MAAM,gBAAA,GAAmB,IAAA;AAEzB,QAAA,IAAI,MAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,cAAc,YAAY,CAAA;AAC9C,UAAA,MAAM,UAAA,GAAa,IAAI,WAAA,EAAY,CAAE,OAAO,WAAW,CAAA;AACvD,UAAA,MAAA,GAAS,IAAA,CAAK,MAAM,UAAU,CAAA;AAAA,QAChC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAGA,QAAA,MAAM,UAAA,uBAAiB,GAAA,EAAwB;AAC/C,QAAA,KAAA,MAAW,GAAA,IAAO,eAAA,CAAgB,IAAA,EAAK,EAAG;AACxC,UAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,GAAA,CAAI,GAAA,CAAI,WAAW,CAAA;AACpD,UAAA,IAAI,QAAA,EAAU;AACZ,YAAA,UAAA,CAAW,IAAI,QAAA,CAAS,GAAA,EAAK,aAAA,CAAc,QAAA,CAAS,UAAU,CAAC,CAAA;AAAA,UACjE;AAAA,QACF;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,MAAA;AAAA,UACA,gBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,EAAU;AAAA,UACnD,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,UAAU,MAAA,CAAO;AAAA,SAClB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,uBAAuB,MAAA,CAAO,QAAA;AAAA,UAC9B,sBAAsB,MAAA,CAAO,OAAA;AAAA,UAC7B,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,qCAAA;AAAA,MACN,WAAA,EACE,qOAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,OAAA,GAAU,MAAM,eAAA,CAAgB,KAAA,CAAM;AAAA,UAC1C,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,kBAAkB,IAAA,CAAK;AAAA,SACxB,CAAA;AAID,QAAA,MAAM,eAAA,GAAkB,MAAM,eAAA,CAAgB,qBAAA,CAAsB;AAAA,UAClE,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,kBAAkB,IAAA,CAAK;AAAA,SACxB,CAAA;AAED,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AAGpB,QAAA,MAAM,kBAAA,GAA0C,eAAA,CAC7C,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA,KAAM,MAAS,CAAA,CAC9D,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,UACX,KAAA,EAAO,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,QAAQ,MAAM,CAAA;AAAA,UACxC,IAAA,EAAO,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,gBAAA,IAAoB;AAAA,SAChD,CAAE,CAAA;AAEJ,QAAA,MAAM,aAAA,GAAgB,qBAAqB,kBAAkB,CAAA;AAG7D,QAAA,MAAM,QAAQ,eAAA,CAAgB,GAAA;AAAA,UAC5B,CAAC,CAAA,KAAO,CAAA,CAAE,WAAA,CAAY,KAAK,gBAAA,IAAoB;AAAA,SACjD;AACA,QAAA,MAAM,IAAA,GAAO,iBAAiB,KAAK,CAAA;AAEnC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,2BAAA,EAA6B,QAAA,EAAU;AAAA,UAC3D,MAAA;AAAA,UACA,mBAAmB,kBAAA,CAAmB,MAAA;AAAA,UACtC,cAAA,EAAgB;AAAA,SACjB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,MAAA;AAAA,UACA,cAAA,EAAgB,aAAA;AAAA,UAChB,mBAAmB,kBAAA,CAAmB,MAAA;AAAA,UACtC,iBAAA,EAAmB,IAAA;AAAA,UACnB,YAAA,EAAc,YAAA;AAAA,UACd,kBAAA,EAAoB;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,iHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,mBAAA,EAAqB,kBAAA,EAAoB,iBAAiB;AAAA,OACvE;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,IAAA,CAAK,iBAAA;AAAA,UACL,IAAA,CAAK,gBAAA;AAAA,UACL,IAAA,CAAK,eAAA;AAAA,UACL,QAAA,CAAS,GAAA;AAAA,UACT,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,QAAA,CAAS,WAAA,EAAa;AAAA,UACrE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,kBAAkB,IAAA,CAAK,gBAAA;AAAA,UACvB,iBAAiB,IAAA,CAAK;AAAA,SACvB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,QAAQ,MAAA,CAAO;AAAA,SAChB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,uCAAA;AAAA,MACN,WAAA,EACE,mIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,qBAAA,EAAuB;AAAA,YACrB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,aAAA,EAAe;AAAA,YACb,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU;AAAA,UACR,uBAAA;AAAA,UACA,mBAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,oBAAoB,eAAA,CAAgB,GAAA;AAAA,UACxC,IAAA,CAAK;AAAA,SACP;AACA,QAAA,MAAM,gBAAgB,eAAA,CAAgB,GAAA;AAAA,UACpC,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,oBAAA,EAAuB,IAAA,CAAK,qBAAqB,CAAA,YAAA;AAAA,WACzD,CAAA;AAAA,QACH;AACA,QAAA,IAAI,CAAC,aAAA,EAAe;AAClB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,gBAAA,EAAmB,IAAA,CAAK,iBAAiB,CAAA,YAAA;AAAA,WACjD,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,eAAA,CAAgB,eAAA;AAAA,UACtC,iBAAA;AAAA,UACA,aAAA,CAAc,GAAA;AAAA,UACd,IAAA,CAAK,KAAA;AAAA,UACL,IAAA,CAAK,gBAAA;AAAA,UACL,qBAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,6BAAA;AAAA,UACA,iBAAA,CAAkB,WAAA;AAAA,UAClB;AAAA,YACE,cAAc,SAAA,CAAU,YAAA;AAAA,YACxB,WAAW,aAAA,CAAc,GAAA;AAAA,YACzB,OAAO,IAAA,CAAK;AAAA;AACd,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAc,SAAA,CAAU,YAAA;AAAA,UACxB,uBAAuB,SAAA,CAAU,WAAA;AAAA,UACjC,OAAO,SAAA,CAAU,KAAA;AAAA,UACjB,aAAa,SAAA,CAAU;AAAA,SACxB,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,OAAO,eAAA,EAAgB;AAClC;AEtiBA,IAAM,aAAA,GAA6B;AAAA,EACjC,oBAAA,EAAsB,SAAA;AAAA,EACtB,gBAAA,EAAkB,SAAA;AAAA,EAClB,0BAAA,EAA4B,CAAA;AAAA,EAC5B,oBAAA,EAAsB,EAAA;AAAA,EACtB,mBAAA,EAAqB,EAAA;AAAA,EACrB,oBAAA,EAAsB;AACxB,CAAA;AAGA,IAAM,eAAA,GAAyC;AAAA,EAC7C,IAAA,EAAM,QAAA;AAAA,EACN,eAAA,EAAiB;AAAA;AAAA;AAGnB,CAAA;AAGO,IAAM,cAAA,GAAkC;AAAA,EAC7C,OAAA,EAAS,CAAA;AAAA,EACT,oBAAA,EAAsB;AAAA,IACpB,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,aAAA,EAAe,aAAA;AAAA,EACf,kBAAA,EAAoB;AAAA,IAClB,YAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,iBAAA;AAAA,IACA,eAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,kBAAA;AAAA,IACA,cAAA;AAAA,IACA,uBAAA;AAAA,IACA,qBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kBAAA;AAAA,IACA,yBAAA;AAAA,IACA,aAAA;AAAA,IACA,gBAAA;AAAA,IACA,mBAAA;AAAA,IACA,UAAA;AAAA,IACA,uBAAA;AAAA,IACA,yBAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,oBAAA;AAAA,IACA,kBAAA;AAAA,IACA,2BAAA;AAAA,IACA,kBAAA;AAAA,IACA,2BAAA;AAAA,IACA,mBAAA;AAAA,IACA,WAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,iBAAA;AAAA,IACA,yBAAA;AAAA,IACA,6BAAA;AAAA,IACA,wBAAA;AAAA,IACA,qBAAA;AAAA,IACA,4BAAA;AAAA,IACA,qBAAA;AAAA,IACA,qBAAA;AAAA,IACA,mBAAA;AAAA,IACA,oBAAA;AAAA,IACA,eAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,gBAAA,EAAkB;AACpB,CAAA;AAMO,SAAS,qBAAqB,QAAA,EAA0B;AAC7D,EAAA,OAAO,QAAA,CAAS,WAAW,YAAY,CAAA,GACnC,SAAS,KAAA,CAAM,YAAA,CAAa,MAAM,CAAA,GAClC,QAAA;AACN;AAYO,SAAS,YAAY,OAAA,EAAkC;AAC5D,EAAA,MAAM,OAAA,GAAU,QAAQ,IAAA,EAAK;AAG7B,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AACjC,IAAA,OAAO,eAAe,MAAM,CAAA;AAAA,EAC9B;AAGA,EAAA,MAAM,SAAkC,EAAC;AACzC,EAAA,IAAI,UAAA,GAA4B,IAAA;AAChC,EAAA,IAAI,WAAA,GAA+B,IAAA;AACnC,EAAA,IAAI,aAAA,GAAgD,IAAA;AAEpD,EAAA,KAAA,MAAW,OAAA,IAAW,OAAA,CAAQ,KAAA,CAAM,IAAI,CAAA,EAAG;AACzC,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AACjC,IAAA,IAAI,IAAA,CAAK,IAAA,EAAK,KAAM,EAAA,EAAI;AAExB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,GAAS,IAAA,CAAK,WAAU,CAAE,MAAA;AAC9C,IAAA,MAAM,QAAA,GAAW,KAAK,IAAA,EAAK;AAE3B,IAAA,IAAI,MAAA,KAAW,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAE1C,MAAA,IAAI,cAAc,WAAA,EAAa;AAC7B,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,WAAA;AAAA,MACvB,CAAA,MAAA,IAAW,cAAc,aAAA,EAAe;AACtC,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,aAAA;AAAA,MACvB;AAEA,MAAA,MAAM,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACrC,MAAA,MAAM,MAAM,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,QAAQ,EAAE,IAAA,EAAK;AAC7C,MAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,CAAM,QAAA,GAAW,CAAC,EAAE,IAAA,EAAK;AAEhD,MAAA,IAAI,KAAA,KAAU,EAAA,IAAM,KAAA,KAAU,GAAA,EAAK;AACjC,QAAA,UAAA,GAAa,GAAA;AACb,QAAA,WAAA,GAAc,IAAA;AACd,QAAA,aAAA,GAAgB,IAAA;AAAA,MAClB,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,WAAA,CAAY,KAAK,CAAA;AAC/B,QAAA,UAAA,GAAa,IAAA;AACb,QAAA,WAAA,GAAc,IAAA;AACd,QAAA,aAAA,GAAgB,IAAA;AAAA,MAClB;AAAA,IACF,WAAW,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,EAAG;AAElD,MAAA,IAAI,CAAC,WAAA,EAAa,WAAA,GAAc,EAAC;AACjC,MAAA,WAAA,CAAY,IAAA,CAAK,QAAA,CAAS,KAAA,CAAM,CAAC,CAAA,CAAE,IAAA,EAAK,CAAE,KAAA,CAAM,KAAK,CAAA,CAAE,CAAC,CAAE,CAAA;AAAA,IAC5D,WAAW,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAE/C,MAAA,IAAI,CAAC,aAAA,EAAe,aAAA,GAAgB,EAAC;AACrC,MAAA,MAAM,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACrC,MAAA,MAAM,MAAM,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,QAAQ,EAAE,IAAA,EAAK;AAC7C,MAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,CAAM,QAAA,GAAW,CAAC,EAAE,IAAA,EAAK;AAChD,MAAA,aAAA,CAAc,GAAG,IAAI,WAAA,CAAY,KAAA,CAAM,MAAM,KAAK,CAAA,CAAE,CAAC,CAAE,CAAA;AAAA,IACzD;AAAA,EACF;AAGA,EAAA,IAAI,cAAc,WAAA,EAAa;AAC7B,IAAA,MAAA,CAAO,UAAU,CAAA,GAAI,WAAA;AAAA,EACvB,CAAA,MAAA,IAAW,cAAc,aAAA,EAAe;AACtC,IAAA,MAAA,CAAO,UAAU,CAAA,GAAI,aAAA;AAAA,EACvB;AAEA,EAAA,OAAO,eAAe,MAAM,CAAA;AAC9B;AAEA,SAAS,YAAY,KAAA,EAA0C;AAC7D,EAAA,IAAI,KAAA,KAAU,QAAQ,OAAO,IAAA;AAC7B,EAAA,IAAI,KAAA,KAAU,SAAS,OAAO,KAAA;AAC9B,EAAA,MAAM,GAAA,GAAM,OAAO,KAAK,CAAA;AACxB,EAAA,IAAI,CAAC,KAAA,CAAM,GAAG,CAAA,IAAK,KAAA,KAAU,IAAI,OAAO,GAAA;AACxC,EAAA,OAAO,KAAA,CAAM,OAAA,CAAQ,cAAA,EAAgB,EAAE,CAAA;AACzC;AAEA,SAAS,eAAe,GAAA,EAA+C;AAIrE,EAAA,MAAM,SAAA,GAAa,GAAA,CAAI,kBAAA,IAAmC,EAAC;AAC3D,EAAA,MAAM,WAAA,GAAc;AAAA,IAClB,uBAAO,GAAA,CAAI,CAAC,GAAG,SAAA,EAAW,GAAG,cAAA,CAAe,kBAAkB,CAAC;AAAA,GACjE;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAU,IAAI,OAAA,IAAsB,CAAA;AAAA,IACpC,oBAAA,EACG,GAAA,CAAI,oBAAA,IAAqC,cAAA,CAAe,oBAAA;AAAA,IAC3D,aAAA,EAAe;AAAA,MACb,GAAG,aAAA;AAAA,MACH,GAAK,GAAA,CAAI,aAAA,IAA6C;AAAC,KACzD;AAAA,IACA,kBAAA,EAAoB,WAAA;AAAA,IACpB,mBAAmB,MAAM;AACvB,MAAA,MAAM,MAAA,GAAS;AAAA,QACb,GAAG,eAAA;AAAA,QACH,GAAK,GAAA,CAAI,gBAAA,IAAgD;AAAC,OAC5D;AAGA,MAAA,OAAO,MAAA,CAAO,SAAA;AACd,MAAA,OAAO,MAAA;AAAA,IACT,CAAA;AAAG,GACL;AACF;AAKA,SAAS,yBAAA,GAAoC;AAC3C,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA;AAsFT;AAOA,eAAsB,oBACpB,WAAA,EAC0B;AAC1B,EAAA,MAAM,UAAA,GAAaxB,SAAAA,CAAK,WAAA,EAAa,uBAAuB,CAAA;AAE5D,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,GAAU,MAAMG,iBAAAA,CAAS,UAAA,EAAY,OAAO,CAAA;AAClD,IAAA,MAAM,MAAA,GAAS,YAAY,OAAO,CAAA;AAClC,IAAA,OAAO,MAAA,CAAO,OAAO,MAAM,CAAA;AAAA,EAC7B,CAAA,CAAA,MAAQ;AAEN,IAAA,MAAM,cAAc,yBAAA,EAA0B;AAC9C,IAAA,IAAI;AACF,MAAA,MAAMC,kBAAAA,CAAU,UAAA,EAAY,WAAA,EAAa,OAAO,CAAA;AAChD,MAAA,MAAMqB,cAAA,CAAM,YAAY,GAAK,CAAA;AAAA,IAC/B,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA,OAAO,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,gBAAgB,CAAA;AAAA,EAC5C;AACF;;;ACvUA,aAAA,EAAA;AAGA,IAAM,kBAAA,GAAqB,YAAA;AAC3B,IAAM,YAAA,GAAe,kBAAA;AAEd,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EACA,OAAA;AAAA;AAAA,EAGA,WAAA,uBAAyC,GAAA,EAAI;AAAA;AAAA,EAG7C,WAAA,uBAAyC,GAAA,EAAI;AAAA;AAAA,EAG7C,aAAuB,EAAC;AAAA,EAEhC,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,oBAAoB,CAAA;AACrE,IAAA,IAAA,CAAK,OAAA,GAAU;AAAA,MACb,kBAAkB,EAAC;AAAA,MACnB,sBAAsB,EAAC;AAAA,MACvB,kBAAkB,EAAC;AAAA,MACnB,gBAAA,EAAkB,IAAA;AAAA,MAClB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAA,GAAsB;AAC1B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,oBAAoB,YAAY,CAAA;AACpE,MAAA,IAAI,CAAC,GAAA,EAAK;AAEV,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,KAAA,GAAwB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAGjE,MAAA,IAAA,CAAK,OAAA,CAAQ,gBAAA,GAAmB,KAAA,CAAM,gBAAA,IAAoB,EAAC;AAC3D,MAAA,IAAA,CAAK,OAAA,CAAQ,oBAAA,GAAuB,KAAA,CAAM,oBAAA,IAAwB,EAAC;AACnE,MAAA,IAAA,CAAK,QAAQ,gBAAA,GAAmB,KAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAA,CAAK,QAAQ,gBAAA,GAAmB,IAAA;AAAA,IAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAA,GAAsB;AAC1B,IAAA,IAAA,CAAK,OAAA,CAAQ,QAAA,GAAA,iBAAW,IAAI,IAAA,IAAO,WAAA,EAAY;AAC/C,IAAA,MAAM,aAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,OAAO,CAAC,CAAA;AAC7D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,kBAAA;AAAA,MACA,YAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe,QAAA,EAAwB;AACrC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,IAAA,IAAA,CAAK,OAAA,CAAQ,iBAAiB,QAAQ,CAAA,GAAA,CACnC,KAAK,OAAA,CAAQ,gBAAA,CAAiB,QAAQ,CAAA,IAAK,CAAA,IAAK,CAAA;AAGnD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAA,EAAU,EAAE,CAAA;AAAA,IACnC;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAC5C,IAAA,MAAA,CAAO,KAAK,GAAG,CAAA;AAGf,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,OAAO,MAAA,GAAS,CAAA,IAAK,MAAA,CAAO,CAAC,IAAK,MAAA,EAAQ;AAC/C,MAAA,MAAA,CAAO,KAAA,EAAM;AAAA,IACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,sBAAsB,SAAA,EAA4B;AAEhD,IAAA,IAAI,SAAA,CAAU,UAAA,CAAW,GAAG,CAAA,EAAG,OAAO,KAAA;AAEtC,IAAA,MAAM,QAAQ,CAAC,IAAA,CAAK,OAAA,CAAQ,gBAAA,CAAiB,SAAS,SAAS,CAAA;AAC/D,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,IAAA,CAAK,OAAA,CAAQ,gBAAA,CAAiB,IAAA,CAAK,SAAS,CAAA;AAAA,IAC9C;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAAoB,SAAA,EAA2B;AAC7C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAS,CAAA,EAAG;AACpC,MAAA,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAA,EAAW,EAAE,CAAA;AAAA,IACpC;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAS,CAAA;AAC7C,IAAA,MAAA,CAAO,KAAK,GAAG,CAAA;AAGf,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,OAAO,MAAA,GAAS,CAAA,IAAK,MAAA,CAAO,CAAC,IAAK,MAAA,EAAQ;AAC/C,MAAA,MAAA,CAAO,KAAA,EAAM;AAAA,IACf;AAEA,IAAA,OAAO,MAAA,CAAO,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,mBAAmB,GAAA,EAAsB;AACvC,IAAA,MAAM,QAAQ,CAAC,IAAA,CAAK,OAAA,CAAQ,oBAAA,CAAqB,SAAS,GAAG,CAAA;AAC7D,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,IAAA,CAAK,OAAA,CAAQ,oBAAA,CAAqB,IAAA,CAAK,GAAG,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,GAAqB;AACnB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,UAAA,CAAW,KAAK,GAAG,CAAA;AAGxB,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,IAAA,CAAK,WAAW,MAAA,GAAS,CAAA,IAAK,KAAK,UAAA,CAAW,CAAC,IAAK,MAAA,EAAQ;AACjE,MAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAAA,IACxB;AAEA,IAAA,OAAO,KAAK,UAAA,CAAW,MAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,QAAA,EAA0B;AACpC,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,GAAG,MAAA,IAAU,CAAA;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAA,GAA6B;AAC3B,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,KAAA,MAAW,MAAA,IAAU,IAAA,CAAK,WAAA,CAAY,MAAA,EAAO,EAAG;AAC9C,MAAA,KAAA,IAAS,MAAA,CAAO,MAAA;AAChB,MAAA,KAAA,EAAA;AAAA,IACF;AACA,IAAA,OAAO,KAAA,GAAQ,CAAA,GAAI,KAAA,GAAQ,KAAA,GAAQ,CAAA;AAAA,EACrC;AAAA;AAAA,EAGA,IAAI,cAAA,GAA0B;AAC5B,IAAA,OAAO,KAAK,OAAA,CAAQ,gBAAA;AAAA,EACtB;AAAA;AAAA,EAGA,UAAA,GAA6B;AAC3B,IAAA,OAAO,EAAE,GAAG,IAAA,CAAK,OAAA,EAAQ;AAAA,EAC3B;AACF;;;ACtKO,IAAM,wBAAN,MAAuD;AAAA,EAE5D,YAAY,OAAA,EAAgC;AAAA,EAC5C;AAAA,EAEA,MAAM,gBAAgB,OAAA,EAAqD;AAEzE,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AACxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,GAAS,IAAI,CAAA;AAQlC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,MAAA;AAAA,MACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,UAAA,EAAY;AAAA,KACd;AAAA,EACF;AAAA,EAEQ,aAAa,OAAA,EAAkC;AACrD,IAAA,MAAM,SAAA,GACJ,OAAA,CAAQ,IAAA,KAAS,CAAA,GACb,wCAAA,GACA,2CAAA;AAEN,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,OAAO,CAAA,CAChD,GAAA,CAAI,CAAC,CAAC,CAAA,EAAG,CAAC,CAAA,KAAM,CAAA,EAAA,EAAK,CAAC,CAAA,EAAA,EAAK,OAAO,CAAA,KAAM,QAAA,GAAW,CAAA,GAAI,IAAA,CAAK,SAAA,CAAU,CAAC,CAAC,CAAA,CAAE,CAAA,CAC1E,IAAA,CAAK,IAAI,CAAA;AAEZ,IAAA,OAAO;AAAA,MACL,EAAA;AAAA,MACA,0ZAAA;AAAA,MACA,gFAAA;AAAA,MACA,0ZAAA;AAAA,MACA,CAAA,oBAAA,EAAkB,OAAA,CAAQ,SAAA,CAAU,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MAC9C,CAAA,QAAA,EAAM,SAAA,CAAU,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MAC1B,CAAA,oBAAA,EAAkB,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,EAAE,CAAA,CAAE,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MACxD,gFAAA;AAAA,MACA,CAAA,8EAAA,CAAA;AAAA,MACA,GAAG,YAAA,CAAa,KAAA,CAAM,IAAI,CAAA,CAAE,GAAA;AAAA,QAC1B,CAAC,IAAA,KAAS,CAAA,UAAA,EAAQ,IAAA,CAAK,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA;AAAA,OACnC;AAAA,MACA,gFAAA;AAAA,MACA,gFAAA;AAAA,MACA,gFAAA;AAAA,MACA,0ZAAA;AAAA,MACA;AAAA,KACF,CAAE,KAAK,IAAI,CAAA;AAAA,EACb;AACF;AAKO,IAAM,0BAAN,MAAyD;AAAA,EACtD,QAAA;AAAA,EAER,YACE,QAAA,EACA;AACA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAAA,EAClB;AAAA,EAEA,MAAM,gBAAgB,OAAA,EAAqD;AACzE,IAAA,OAAO,IAAA,CAAK,SAAS,OAAO,CAAA;AAAA,EAC9B;AACF;AAKO,IAAM,qBAAN,MAAoD;AAAA,EACzD,MAAM,gBAAgB,QAAA,EAAsD;AAC1E,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,SAAA;AAAA,MACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,UAAA,EAAY;AAAA,KACd;AAAA,EACF;AACF;;;ACvGO,SAAS,kBAAkB,OAAA,EAEvB;AACT,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kDAAA,EAyH2C,QAAQ,aAAa,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAA,CAAA;AAoDzE;AAKO,SAAS,sBAAsB,OAAA,EAK3B;AACT,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA,0BAAA,EAivBmB,QAAQ,aAAa,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA,0BAAA,EAkHrB,QAAQ,cAAc,CAAA;AAAA;AAAA,yBAAA,EAEvB,QAAQ,SAAA,GAAY,IAAA,CAAK,UAAU,OAAA,CAAQ,SAAS,IAAI,MAAM,CAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA,OAAA,CAAA;AA8hBzF;;;ACzgDA,IAAM,qBAAA,GAAwB,IAAI,EAAA,GAAK,GAAA;AACvC,IAAM,oBAAA,GAAuB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAA;AAC5C,IAAM,YAAA,GAAe,GAAA;AAMrB,IAAM,oBAAA,GAAuB,GAAA;AAC7B,IAAM,kBAAA,GAAqB,GAAA;AAC3B,IAAM,oBAAA,GAAuB,EAAA;AAC7B,IAAM,sBAAA,GAAyB,GAAA;AAOxB,IAAM,2BAAN,MAA0D;AAAA,EACvD,MAAA;AAAA,EACA,OAAA,uBAA2C,GAAA,EAAI;AAAA,EAC/C,UAAA,uBAAiC,GAAA,EAAI;AAAA,EACrC,UAAA,GAAyD,IAAA;AAAA,EACzD,MAAA,GAAiC,IAAA;AAAA,EACjC,QAAA,GAAmC,IAAA;AAAA,EACnC,QAAA,GAA4B,IAAA;AAAA,EAC5B,aAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,MAAA;AAAA;AAAA,EAEA,YAAA;AAAA;AAAA,EAEA,QAAA,uBAA8C,GAAA,EAAI;AAAA,EAClD,mBAAA,GAA6D,IAAA;AAAA;AAAA,EAE7D,UAAA,uBAA8C,GAAA,EAAI;AAAA,EAE1D,YAAY,MAAA,EAAyB;AACnC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,YAAY,MAAA,CAAO,UAAA;AACxB,IAAA,IAAA,CAAK,SAAS,CAAC,EAAE,OAAO,GAAA,EAAK,SAAA,IAAa,OAAO,GAAA,EAAK,QAAA,CAAA;AAEtD,IAAA,MAAM,WAAA,GAAc,OAAO,IAAA,KAAS,WAAA,IAAe,OAAO,IAAA,KAAS,WAAA,IAAe,OAAO,IAAA,KAAS,KAAA;AAClG,IAAA,IAAA,CAAK,YAAA,GAAe,cAAc,oBAAA,GAAuB,qBAAA;AACzD,IAAA,IAAA,CAAK,gBAAgB,qBAAA,CAAsB;AAAA,MACzC,gBAAgB,MAAA,CAAO,eAAA;AAAA,MACvB,aAAA,EAAe,iBAAA;AAAA,MACf,WAAW,IAAA,CAAK;AAAA,KACjB,CAAA;AACD,IAAA,IAAA,CAAK,SAAA,GAAY,iBAAA,CAAkB,EAAE,aAAA,EAAe,mBAAa,CAAA;AAEjE,IAAA,IAAA,CAAK,sBAAsB,WAAA,CAAY,MAAM,IAAA,CAAK,eAAA,IAAmB,GAAM,CAAA;AAAA,EAC7E;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAgB,IAAA,EAIP;AACP,IAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACnB,IAAA,IAAA,CAAK,WAAW,IAAA,CAAK,QAAA;AACrB,IAAA,IAAA,CAAK,WAAW,IAAA,CAAK,QAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,GAAuB;AAC3B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,MAAM,UAAU,CAAC,GAAA,EAAsB,QAAwB,IAAA,CAAK,aAAA,CAAc,KAAK,GAAG,CAAA;AAE1F,MAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,GAAA,EAAK;AAClC,QAAA,MAAM,OAAA,GAAU;AAAA,UACd,IAAA,EAAMC,eAAA,CAAa,IAAA,CAAK,MAAA,CAAO,IAAI,SAAS,CAAA;AAAA,UAC5C,GAAA,EAAKA,eAAA,CAAa,IAAA,CAAK,MAAA,CAAO,IAAI,QAAQ;AAAA,SAC5C;AACA,QAAA,IAAA,CAAK,UAAA,GAAaC,kBAAA,CAAkB,OAAA,EAAS,OAAO,CAAA;AAAA,MACtD,CAAA,MAAO;AACL,QAAA,IAAA,CAAK,UAAA,GAAaC,kBAAiB,OAAO,CAAA;AAAA,MAC5C;AAEA,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,MAAA,MAAM,OAAA,GAAU,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,OAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA;AAErE,MAAA,IAAA,CAAK,UAAA,CAAW,OAAO,IAAA,CAAK,MAAA,CAAO,MAAM,IAAA,CAAK,MAAA,CAAO,MAAM,MAAM;AAE/D,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,kBAAiB,GAAI,OAAA;AAG9D,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,UACb;AAAA,iCAAA,EAAsC,OAAO;AAAA;AAAA,SAC/C;AACA,QAAA,IAAI,KAAK,SAAA,EAAW;AAClB,UAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,CAAC,CAAA,GAAI,KAAA,GAAQ,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,EAAE,CAAA;AACzE,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,YACb,iBAAiB,IAAI;AAAA;AAAA,WACvB;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,OAAO,KAAA,CAAM;AAAA,CAAI,CAAA;AAIzB,QAAA,MAAM,MAAA,GAAS,CAAC,EAAE,OAAA,CAAQ,GAAA,CAAI,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,EAAA,CAAA;AACvF,QAAA,MAAM,WAAA,GAAc,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,WAAA,IAAe,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,WAAA,IAAe,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,KAAA;AACjH,QAAA,MAAM,cAAA,GAAiB,CAAC,MAAA,KAAW,IAAA,CAAK,OAAO,SAAA,IAAa,WAAA,CAAA;AAC5D,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,IAAA,CAAK,cAAc,UAAU,CAAA;AAAA,QAC/B;AAEA,QAAA,OAAA,EAAQ;AAAA,MACV,CAAC,CAAA;AACD,MAAA,IAAA,CAAK,UAAA,CAAW,EAAA,CAAG,OAAA,EAAS,MAAM,CAAA;AAAA,IACpC,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAsB;AAE1B,IAAA,KAAA,MAAW,GAAG,OAAO,CAAA,IAAK,KAAK,OAAA,EAAS;AACtC,MAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAC1B,MAAA,OAAA,CAAQ,OAAA,CAAQ;AAAA,QACd,QAAA,EAAU,MAAA;AAAA,QACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACb,CAAA;AAAA,IACH;AACA,IAAA,IAAA,CAAK,QAAQ,KAAA,EAAM;AAGnB,IAAA,KAAA,MAAW,MAAA,IAAU,KAAK,UAAA,EAAY;AACpC,MAAA,MAAA,CAAO,GAAA,EAAI;AAAA,IACb;AACA,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAGtB,IAAA,IAAA,CAAK,SAAS,KAAA,EAAM;AACpB,IAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,MAAA,aAAA,CAAc,KAAK,mBAAmB,CAAA;AACtC,MAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA;AAAA,IAC7B;AAGA,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAGtB,IAAA,IAAI,KAAK,UAAA,EAAY;AACnB,MAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,KAAY;AAC9B,QAAA,IAAA,CAAK,UAAA,CAAY,KAAA,CAAM,MAAM,OAAA,EAAS,CAAA;AAAA,MACxC,CAAC,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBAAgB,OAAA,EAAqD;AACzE,IAAA,MAAM,EAAA,GAAKC,kBAAAA,CAAY,CAAC,CAAA,CAAE,SAAS,KAAK,CAAA;AAGxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,MACb,CAAA,+BAAA,EAAkC,OAAA,CAAQ,SAAS,CAAA,OAAA,EAAU,QAAQ,IAAI,CAAA;AAAA;AAAA,KAC3E;AAEA,IAAA,OAAO,IAAI,OAAA,CAA0B,CAAC,OAAA,KAAY;AAEhD,MAAA,MAAM,KAAA,GAAQ,WAAW,MAAM;AAC7B,QAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,EAAE,CAAA;AACtB,QAAA,MAAM,QAAA,GAA6B;AAAA;AAAA,UAEjC,QAAA,EAAU,MAAA;AAAA,UACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,UACnC,UAAA,EAAY;AAAA,SACd;AACA,QAAA,IAAA,CAAK,aAAa,kBAAA,EAAoB;AAAA,UACpC,UAAA,EAAY,EAAA;AAAA,UACZ,UAAU,QAAA,CAAS,QAAA;AAAA,UACnB,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA,OAAA,CAAQ,QAAQ,CAAA;AAAA,MAClB,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,eAAA,GAAkB,GAAI,CAAA;AAGrC,MAAA,MAAM,OAAA,GAA0B;AAAA,QAC9B,EAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,KAAA;AAAA,QACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACrC;AACA,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,EAAA,EAAI,OAAO,CAAA;AAG5B,MAAA,IAAA,CAAK,aAAa,iBAAA,EAAmB;AAAA,QACnC,UAAA,EAAY,EAAA;AAAA,QACZ,WAAW,OAAA,CAAQ,SAAA;AAAA,QACnB,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,SAAS,OAAA,CAAQ,OAAA;AAAA,QACjB,WAAW,OAAA,CAAQ;AAAA,OACpB,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcQ,SAAA,CAAU,GAAA,EAAsB,GAAA,EAAU,GAAA,EAA8B;AAC9E,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,EAAW,OAAO,IAAA;AAG5B,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,aAAA;AAC/B,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,MAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,KAAM,QAAA,IAAY,KAAA,CAAM,CAAC,CAAA,KAAM,IAAA,CAAK,SAAA,EAAW;AAC9E,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAIA,IAAA,MAAM,SAAA,GAAY,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,SAAS,CAAA;AAChD,IAAA,IAAI,SAAA,IAAa,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAChD,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,WAAA,CAAY,GAAA,EAAK,mBAAmB,CAAA;AAC/D,IAAA,IAAI,aAAA,IAAiB,IAAA,CAAK,eAAA,CAAgB,aAAa,CAAA,EAAG;AACxD,MAAA,OAAO,IAAA;AAAA,IACT;AAOA,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,yEAAA,EAAsE,CAAC,CAAA;AACvG,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,eAAA,CAAgB,KAAsB,GAAA,EAAmB;AAC/D,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,EAAW,OAAO,IAAA;AAE5B,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,aAAA;AAC/B,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,MAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,KAAM,QAAA,IAAY,KAAA,CAAM,CAAC,CAAA,KAAM,IAAA,CAAK,SAAA,EAAW;AAC9E,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,MAAM,SAAA,GAAY,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,SAAS,CAAA;AAChD,IAAA,IAAI,SAAA,IAAa,IAAA,CAAK,eAAA,CAAgB,SAAS,GAAG,OAAO,IAAA;AAEzD,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,WAAA,CAAY,GAAA,EAAK,mBAAmB,CAAA;AAC/D,IAAA,IAAI,aAAA,IAAiB,IAAA,CAAK,eAAA,CAAgB,aAAa,GAAG,OAAO,IAAA;AAEjE,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,WAAA,CAAY,KAAsB,IAAA,EAA6B;AACrE,IAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,MAAA;AAC3B,IAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AACpB,IAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA,EAAG;AACpC,MAAA,MAAM,CAAC,GAAA,EAAK,GAAG,IAAI,CAAA,GAAI,IAAA,CAAK,MAAM,GAAG,CAAA;AACrC,MAAA,IAAI,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,EAAM;AACxB,QAAA,OAAO,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA,EAAK;AAAA,MAC7B;AAAA,IACF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,aAAA,GAAwB;AAE9B,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,IAAA,IAAQ,YAAA,EAAc;AACtC,MAAA,IAAA,CAAK,eAAA,EAAgB;AAErB,MAAA,IAAI,IAAA,CAAK,QAAA,CAAS,IAAA,IAAQ,YAAA,EAAc;AACtC,QAAA,MAAM,SAAS,CAAC,GAAG,KAAK,QAAA,CAAS,OAAA,EAAS,CAAA,CAAE,IAAA;AAAA,UAC1C,CAAC,GAAG,CAAA,KAAM,CAAA,CAAE,CAAC,CAAA,CAAE,UAAA,GAAa,CAAA,CAAE,CAAC,CAAA,CAAE;AAAA,UACjC,CAAC,CAAA;AACH,QAAA,IAAI,QAAQ,IAAA,CAAK,QAAA,CAAS,MAAA,CAAO,MAAA,CAAO,CAAC,CAAC,CAAA;AAAA,MAC5C;AAAA,IACF;AAEA,IAAA,MAAM,EAAA,GAAKA,kBAAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AACzC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,QAAA,CAAS,IAAI,EAAA,EAAI;AAAA,MACpB,EAAA;AAAA,MACA,UAAA,EAAY,GAAA;AAAA,MACZ,UAAA,EAAY,MAAM,IAAA,CAAK;AAAA,KACxB,CAAA;AACD,IAAA,OAAO,EAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAgB,SAAA,EAA4B;AAClD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AAC3C,IAAA,IAAI,CAAC,SAAS,OAAO,KAAA;AACrB,IAAA,IAAI,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,UAAA,EAAY;AACnC,MAAA,IAAA,CAAK,QAAA,CAAS,OAAO,SAAS,CAAA;AAC9B,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAA,GAAwB;AAC9B,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,KAAK,QAAA,EAAU;AACzC,MAAA,IAAI,GAAA,GAAM,QAAQ,UAAA,EAAY;AAC5B,QAAA,IAAA,CAAK,QAAA,CAAS,OAAO,EAAE,CAAA;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,GAAA,EAA8B;AAClD,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,MAAA,CAAO,aAAA,IAAiB,SAAA;AAEzC,IAAA,OAAO,KAAK,UAAA,CAAW,SAAS,IAAI,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA,GAAI,IAAA;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAA,CACN,GAAA,EACA,GAAA,EACA,IAAA,EACS;AACT,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,aAAA,CAAc,GAAG,CAAA;AACnC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,cAAc,GAAA,GAAM,oBAAA;AAG1B,IAAA,IAAI,KAAA,GAAQ,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,IAAI,CAAA;AACpC,IAAA,IAAI,CAAC,KAAA,EAAO;AAEV,MAAA,IAAI,IAAA,CAAK,UAAA,CAAW,IAAA,IAAQ,sBAAA,EAAwB;AAClD,QAAA,IAAA,CAAK,gBAAgB,GAAG,CAAA;AAAA,MAC1B;AACA,MAAA,KAAA,GAAQ,EAAE,OAAA,EAAS,EAAC,EAAG,SAAA,EAAW,EAAC,EAAE;AACrC,MAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,IAAA,EAAM,KAAK,CAAA;AAAA,IACjC;AAGA,IAAA,KAAA,CAAM,UAAU,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,CAAA,CAAA,KAAK,IAAI,WAAW,CAAA;AACzD,IAAA,KAAA,CAAM,YAAY,KAAA,CAAM,SAAA,CAAU,MAAA,CAAO,CAAA,CAAA,KAAK,IAAI,WAAW,CAAA;AAE7D,IAAA,MAAM,KAAA,GAAQ,IAAA,KAAS,WAAA,GAAc,oBAAA,GAAuB,kBAAA;AAC5D,IAAA,MAAM,UAAA,GAAa,MAAM,IAAI,CAAA;AAE7B,IAAA,IAAI,UAAA,CAAW,UAAU,KAAA,EAAO;AAC9B,MAAA,MAAM,UAAA,GAAa,KAAK,IAAA,CAAA,CAAM,UAAA,CAAW,CAAC,CAAA,GAAK,oBAAA,GAAuB,OAAO,GAAI,CAAA;AACjF,MAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,QACjB,cAAA,EAAgB,kBAAA;AAAA,QAChB,eAAe,MAAA,CAAO,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,UAAU,CAAC;AAAA,OAC9C,CAAA;AACD,MAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAA,CAAU;AAAA,QACrB,KAAA,EAAO,qBAAA;AAAA,QACP,mBAAA,EAAqB,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,UAAU;AAAA,OAC5C,CAAC,CAAA;AACF,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,UAAA,CAAW,KAAK,GAAG,CAAA;AACnB,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAgB,GAAA,EAAmB;AACzC,IAAA,MAAM,cAAc,GAAA,GAAM,oBAAA;AAC1B,IAAA,KAAA,MAAW,CAAC,IAAA,EAAM,KAAK,CAAA,IAAK,KAAK,UAAA,EAAY;AAC3C,MAAA,MAAM,SAAA,GACJ,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,GAAI,WAAW,CAAA,IACvC,KAAA,CAAM,SAAA,CAAU,IAAA,CAAK,CAAA,CAAA,KAAK,IAAI,WAAW,CAAA;AAC3C,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,IAAA,CAAK,UAAA,CAAW,OAAO,IAAI,CAAA;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAIQ,aAAA,CAAc,KAAsB,GAAA,EAA2B;AACrE,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,GAAA,CAAI,GAAA,IAAO,GAAA,EAAK,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA,CAAE,CAAA;AAC/E,IAAA,MAAM,MAAA,GAAS,IAAI,MAAA,IAAU,KAAA;AAG7B,IAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,MAAA;AAC3B,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,IAAA,MAAM,UAAA,GAAa,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,OAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA;AACxE,IAAA,IAAI,WAAW,UAAA,EAAY;AACzB,MAAA,GAAA,CAAI,SAAA,CAAU,+BAA+B,MAAM,CAAA;AAAA,IACrD;AAEA,IAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,oBAAoB,CAAA;AAClE,IAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,6BAA6B,CAAA;AAE3E,IAAA,IAAI,WAAW,SAAA,EAAW;AACxB,MAAA,GAAA,CAAI,UAAU,GAAG,CAAA;AACjB,MAAA,GAAA,CAAI,GAAA,EAAI;AACR,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,KAAW,MAAA,IAAU,GAAA,CAAI,QAAA,KAAa,eAAA,EAAiB;AACzD,MAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,SAAS,CAAA,EAAG;AAC/C,MAAA,IAAI;AACF,QAAA,IAAA,CAAK,qBAAA,CAAsB,KAAK,GAAG,CAAA;AAAA,MACrC,CAAA,CAAA,MAAQ;AACN,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uBAAA,EAAyB,CAAC,CAAA;AAAA,MAC5D;AACA,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,WAAW,KAAA,IAAS,GAAA,CAAI,QAAA,KAAa,GAAA,IAAO,KAAK,SAAA,EAAW;AAC9D,MAAA,IAAI,CAAC,IAAA,CAAK,eAAA,CAAgB,GAAA,EAAK,GAAG,CAAA,EAAG;AACnC,QAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,SAAS,CAAA,EAAG;AAC/C,QAAA,IAAA,CAAK,eAAe,GAAG,CAAA;AACvB,QAAA;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK,GAAA,EAAK,GAAG,CAAA,EAAG;AAGpC,IAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,SAAS,CAAA,EAAG;AAE/C,IAAA,IAAI;AACF,MAAA,IAAI,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,QAAA,KAAa,GAAA,EAAK;AAC5C,QAAA,IAAA,CAAK,eAAe,GAAG,CAAA;AAAA,MACzB,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,SAAA,EAAW;AACzD,QAAA,IAAA,CAAK,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA,MACzB,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,aAAA,EAAe;AAC7D,QAAA,IAAA,CAAK,aAAa,GAAG,CAAA;AAAA,MACvB,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,cAAA,EAAgB;AAC9D,QAAA,IAAA,CAAK,kBAAkB,GAAG,CAAA;AAAA,MAC5B,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,gBAAA,EAAkB;AAChE,QAAA,IAAA,CAAK,cAAA,CAAe,KAAK,GAAG,CAAA;AAAA,MAC9B,WAAW,MAAA,KAAW,MAAA,IAAU,IAAI,QAAA,CAAS,UAAA,CAAW,eAAe,CAAA,EAAG;AAExE,QAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,WAAW,CAAA,EAAG;AACjD,QAAA,MAAM,EAAA,GAAK,GAAA,CAAI,QAAA,CAAS,KAAA,CAAM,gBAAgB,MAAM,CAAA;AACpD,QAAA,IAAA,CAAK,cAAA,CAAe,EAAA,EAAI,SAAA,EAAW,GAAG,CAAA;AAAA,MACxC,WAAW,MAAA,KAAW,MAAA,IAAU,IAAI,QAAA,CAAS,UAAA,CAAW,YAAY,CAAA,EAAG;AAErE,QAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,WAAW,CAAA,EAAG;AACjD,QAAA,MAAM,EAAA,GAAK,GAAA,CAAI,QAAA,CAAS,KAAA,CAAM,aAAa,MAAM,CAAA;AACjD,QAAA,IAAA,CAAK,cAAA,CAAe,EAAA,EAAI,MAAA,EAAQ,GAAG,CAAA;AAAA,MACrC,CAAA,MAAO;AACL,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,WAAA,EAAa,CAAC,CAAA;AAAA,MAChD;AAAA,IACF,SAAS,GAAA,EAAK;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uBAAA,EAAyB,CAAC,CAAA;AAAA,IAC5D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaQ,qBAAA,CAAsB,KAAsB,GAAA,EAA2B;AAC7E,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AAEnB,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,UAAA,EAAY,SAAA,EAAW,CAAC,CAAA;AACjD,MAAA;AAAA,IACF;AAGA,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,aAAA;AAC/B,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,+BAAA,EAAiC,CAAC,CAAA;AAClE,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,KAAM,QAAA,IAAY,KAAA,CAAM,CAAC,CAAA,KAAM,IAAA,CAAK,SAAA,EAAW;AAC9E,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,sBAAA,EAAwB,CAAC,CAAA;AACzD,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,SAAA,GAAY,KAAK,aAAA,EAAc;AACrC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,eAAe,GAAI,CAAA;AACtD,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc,CAAA,kBAAA,EAAqB,SAAS,CAAA,mCAAA,EAAsC,UAAU,CAAA;AAAA,KAC7F,CAAA;AACD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAA,CAAU;AAAA,MACrB,UAAA,EAAY,SAAA;AAAA,MACZ,kBAAA,EAAoB;AAAA,KACrB,CAAC,CAAA;AAAA,EACJ;AAAA,EAEQ,eAAe,GAAA,EAA2B;AAChD,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,0BAAA;AAAA,MAChB,eAAA,EAAiB;AAAA,KAClB,CAAA;AACD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAS,CAAA;AAAA,EACxB;AAAA,EAEQ,eAAe,GAAA,EAA2B;AAChD,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,0BAAA;AAAA,MAChB,eAAA,EAAiB;AAAA,KAClB,CAAA;AACD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,aAAa,CAAA;AAAA,EAC5B;AAAA,EAEQ,SAAA,CAAU,KAAsB,GAAA,EAA2B;AACjE,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,mBAAA;AAAA,MAChB,eAAA,EAAiB,UAAA;AAAA,MACjB,YAAA,EAAc;AAAA,KACf,CAAA;AAGD,IAAA,MAAM,WAAoC,EAAC;AAE3C,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,QAAA,CAAS,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW;AAAA,IAC/C;AACA,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,QAAA,CAAS,MAAA,GAAS;AAAA,QAChB,oBAAA,EAAsB,KAAK,MAAA,CAAO,oBAAA;AAAA,QAClC,aAAA,EAAe,KAAK,MAAA,CAAO,aAAA;AAAA,QAC3B,kBAAA,EAAoB,KAAK,MAAA,CAAO,kBAAA;AAAA,QAChC,gBAAA,EAAkB;AAAA,UAChB,IAAA,EAAM,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,IAAA;AAAA,UACnC,eAAA,EAAiB,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,eAAA;AAAA,UAC9C,SAAA,EAAW;AAAA;AAAA;AACb,OACF;AAAA,IACF;AAGA,IAAA,MAAM,WAAA,GAAc,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MAChE,YAAY,CAAA,CAAE,EAAA;AAAA,MACd,SAAA,EAAW,EAAE,OAAA,CAAQ,SAAA;AAAA,MACrB,IAAA,EAAM,EAAE,OAAA,CAAQ,IAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,OAAA,CAAQ,MAAA;AAAA,MAClB,OAAA,EAAS,EAAE,OAAA,CAAQ,OAAA;AAAA,MACnB,SAAA,EAAW,EAAE,OAAA,CAAQ;AAAA,KACvB,CAAE,CAAA;AACF,IAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,MAAA,QAAA,CAAS,OAAA,GAAU,WAAA;AAAA,IACrB;AAEA,IAAA,GAAA,CAAI,KAAA,CAAM,CAAA;AAAA,MAAA,EAAsB,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC;;AAAA,CAAM,CAAA;AAE9D,IAAA,IAAA,CAAK,UAAA,CAAW,IAAI,GAAG,CAAA;AAEvB,IAAA,GAAA,CAAI,EAAA,CAAG,SAAS,MAAM;AACpB,MAAA,IAAA,CAAK,UAAA,CAAW,OAAO,GAAG,CAAA;AAAA,IAC5B,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,aAAa,GAAA,EAA2B;AAC9C,IAAA,MAAM,MAAA,GAAkC;AAAA,MACtC,aAAA,EAAe,KAAK,OAAA,CAAQ,IAAA;AAAA,MAC5B,iBAAA,EAAmB,KAAK,UAAA,CAAW;AAAA,KACrC;AAEA,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,MAAA,CAAO,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW;AAAA,IAC7C;AACA,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,MAAA,CAAO,MAAA,GAAS;AAAA,QACd,OAAA,EAAS,KAAK,MAAA,CAAO,OAAA;AAAA,QACrB,oBAAA,EAAsB,KAAK,MAAA,CAAO,oBAAA;AAAA,QAClC,aAAA,EAAe,KAAK,MAAA,CAAO,aAAA;AAAA,QAC3B,kBAAA,EAAoB,KAAK,MAAA,CAAO,kBAAA;AAAA,QAChC,gBAAA,EAAkB;AAAA,UAChB,IAAA,EAAM,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,IAAA;AAAA,UACnC,eAAA,EAAiB,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,eAAA;AAAA,UAC9C,SAAA,EAAW;AAAA;AAAA;AACb,OACF;AAAA,IACF;AAEA,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AAAA,EAChC;AAAA,EAEQ,kBAAkB,GAAA,EAA2B;AACnD,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACzD,IAAI,CAAA,CAAE,EAAA;AAAA,MACN,SAAA,EAAW,EAAE,OAAA,CAAQ,SAAA;AAAA,MACrB,IAAA,EAAM,EAAE,OAAA,CAAQ,IAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,OAAA,CAAQ,MAAA;AAAA,MAClB,OAAA,EAAS,EAAE,OAAA,CAAQ,OAAA;AAAA,MACnB,SAAA,EAAW,EAAE,OAAA,CAAQ,SAAA;AAAA,MACrB,YAAY,CAAA,CAAE;AAAA,KAChB,CAAE,CAAA;AAEF,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC,CAAA;AAAA,EAC9B;AAAA,EAEQ,cAAA,CAAe,KAAU,GAAA,EAA2B;AAC1D,IAAA,MAAM,KAAA,GAAQ,SAAS,GAAA,CAAI,YAAA,CAAa,IAAI,OAAO,CAAA,IAAK,MAAM,EAAE,CAAA;AAGhE,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,IAAA,CAAK,QAAA,CAAS,MAAM,EAAE,KAAA,EAAO,CAAA,CAAE,IAAA,CAAK,CAAC,OAAA,KAAY;AAC/C,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AAAA,MACjC,CAAC,CAAA,CAAE,KAAA,CAAM,MAAM;AACb,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,EAAE,CAAC,CAAA;AAAA,MAC5B,CAAC,CAAA;AAAA,IACH,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,EAAE,CAAC,CAAA;AAAA,IAC5B;AAAA,EACF;AAAA,EAEQ,cAAA,CAAe,EAAA,EAAY,QAAA,EAA8B,GAAA,EAA2B;AAC1F,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,EAAE,CAAA;AACnC,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uCAAA,EAAyC,CAAC,CAAA;AAC1E,MAAA;AAAA,IACF;AAGA,IAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAG1B,IAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,EAAE,CAAA;AAGtB,IAAA,MAAM,QAAA,GAA6B;AAAA,MACjC,QAAA;AAAA,MACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,UAAA,EAAY;AAAA,KACd;AAGA,IAAA,IAAA,CAAK,aAAa,kBAAA,EAAoB;AAAA,MACpC,UAAA,EAAY,EAAA;AAAA,MACZ,QAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAGD,IAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAExB,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAA,CAAU,EAAE,SAAS,IAAA,EAAM,QAAA,EAAU,CAAC,CAAA;AAAA,EACrD;AAAA;AAAA,EAIA,YAAA,CAAa,OAAe,IAAA,EAAqB;AAC/C,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK;AAAA,MAAA,EAAW,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC;;AAAA,CAAA;AAC9D,IAAA,KAAA,MAAW,MAAA,IAAU,KAAK,UAAA,EAAY;AACpC,MAAA,IAAI;AACF,QAAA,MAAA,CAAO,MAAM,OAAO,CAAA;AAAA,MACtB,CAAA,CAAA,MAAQ;AACN,QAAA,IAAA,CAAK,UAAA,CAAW,OAAO,MAAM,CAAA;AAAA,MAC/B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAAoB,KAAA,EAKX;AACP,IAAA,IAAA,CAAK,YAAA,CAAa,eAAe,KAAK,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,uBAAA,GAAgC;AAC9B,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,IAAA,CAAK,YAAA,CAAa,iBAAA,EAAmB,IAAA,CAAK,QAAA,CAAS,YAAY,CAAA;AAAA,IACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,IAAA,EAKT;AACP,IAAA,IAAA,CAAK,YAAA,CAAa,aAAa,IAAI,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA,EAKA,6BAA6B,IAAA,EAMpB;AACP,IAAA,IAAA,CAAK,YAAA,CAAa,yBAAyB,IAAI,CAAA;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B,IAAA,EAAqC;AAC7D,IAAA,IAAA,CAAK,YAAA,CAAa,qBAAqB,IAAI,CAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,GAAA,EAAmB;AACvC,IAAA,MAAMC,OAAKC,WAAA,EAAS;AACpB,IAAA,IAAI,GAAA;AACJ,IAAA,IAAID,SAAO,QAAA,EAAU;AACnB,MAAA,GAAA,GAAM,SAAS,GAAG,CAAA,CAAA,CAAA;AAAA,IACpB,CAAA,MAAA,IAAWA,SAAO,OAAA,EAAS;AACzB,MAAA,GAAA,GAAM,aAAa,GAAG,CAAA,CAAA,CAAA;AAAA,IACxB,CAAA,MAAO;AACL,MAAA,GAAA,GAAM,aAAa,GAAG,CAAA,CAAA,CAAA;AAAA,IACxB;AACA,IAAAE,kBAAA,CAAK,GAAA,EAAK,CAAC,GAAA,KAAQ;AACjB,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,UACb,CAAA;;AAAA;AAAA,SACF;AAAA,MACF;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAA,GAA2B;AACzB,IAAA,MAAM,SAAA,GAAY,KAAK,aAAA,EAAc;AACrC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,IAAA,OAAO,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,UAAA,EAAa,SAAS,CAAA,CAAA;AAAA,EACpF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAqB;AACnB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,IAAA,OAAO,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,OAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA;AAAA,EAC9D;AAAA;AAAA,EAGA,IAAI,YAAA,GAAuB;AACzB,IAAA,OAAO,KAAK,OAAA,CAAQ,IAAA;AAAA,EACtB;AAAA;AAAA,EAGA,IAAI,WAAA,GAAsB;AACxB,IAAA,OAAO,KAAK,UAAA,CAAW,IAAA;AAAA,EACzB;AACF;ACrzBO,SAAS,WAAA,CAAY,MAAc,MAAA,EAAwB;AAChE,EAAA,OAAOC,iBAAA,CAAW,UAAU,MAAM,CAAA,CAAE,OAAO,IAAI,CAAA,CAAE,OAAO,KAAK,CAAA;AAC/D;AAKO,SAAS,eAAA,CACd,IAAA,EACA,SAAA,EACA,MAAA,EACS;AACT,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,IAAA,EAAM,MAAM,CAAA;AACzC,EAAA,IAAI,QAAA,CAAS,MAAA,KAAW,SAAA,CAAU,MAAA,EAAQ,OAAO,KAAA;AAEjD,EAAA,IAAI,QAAA,GAAW,CAAA;AACf,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,QAAQ,CAAA,EAAA,EAAK;AACxC,IAAA,QAAA,IAAY,SAAS,UAAA,CAAW,CAAC,CAAA,GAAI,SAAA,CAAU,WAAW,CAAC,CAAA;AAAA,EAC7D;AACA,EAAA,OAAO,QAAA,KAAa,CAAA;AACtB;AAIO,IAAM,yBAAN,MAAwD;AAAA,EACrD,MAAA;AAAA,EACA,OAAA,uBAAkD,GAAA,EAAI;AAAA,EACtD,cAAA,GAA6D,IAAA;AAAA,EAErE,YAAY,MAAA,EAAuB;AACjC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,GAAuB;AAC3B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,IAAA,CAAK,cAAA,GAAiBL,iBAAAA;AAAA,QAAiB,CAAC,GAAA,EAAK,GAAA,KAC3C,IAAA,CAAK,cAAA,CAAe,KAAK,GAAG;AAAA,OAC9B;AACA,MAAA,IAAA,CAAK,cAAA,CAAe,MAAA;AAAA,QAClB,KAAK,MAAA,CAAO,aAAA;AAAA,QACZ,KAAK,MAAA,CAAO,aAAA;AAAA,QACZ,MAAM;AACJ,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,YACb;AAAA,qCAAA,EAA0C,KAAK,MAAA,CAAO,aAAa,CAAA,CAAA,EAAI,IAAA,CAAK,OAAO,aAAa;AAAA,kBAAA,EACzE,IAAA,CAAK,OAAO,WAAW;;AAAA;AAAA,WAChD;AACA,UAAA,OAAA,EAAQ;AAAA,QACV;AAAA,OACF;AACA,MAAA,IAAA,CAAK,cAAA,CAAe,EAAA,CAAG,OAAA,EAAS,MAAM,CAAA;AAAA,IACxC,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAsB;AAE1B,IAAA,KAAA,MAAW,GAAG,OAAO,CAAA,IAAK,KAAK,OAAA,EAAS;AACtC,MAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAC1B,MAAA,OAAA,CAAQ,OAAA,CAAQ;AAAA,QACd,QAAA,EAAU,MAAA;AAAA,QACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACb,CAAA;AAAA,IACH;AACA,IAAA,IAAA,CAAK,QAAQ,KAAA,EAAM;AAEnB,IAAA,IAAI,KAAK,cAAA,EAAgB;AACvB,MAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,KAAY;AAC9B,QAAA,IAAA,CAAK,cAAA,CAAgB,KAAA,CAAM,MAAM,OAAA,EAAS,CAAA;AAAA,MAC5C,CAAC,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,OAAA,EAAqD;AACzE,IAAA,MAAM,EAAA,GAAKC,kBAAAA,CAAY,CAAC,CAAA,CAAE,SAAS,KAAK,CAAA;AAGxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,MACb,CAAA,mCAAA,EAAsC,OAAA,CAAQ,SAAS,CAAA,OAAA,EAAU,QAAQ,IAAI,CAAA;AAAA;AAAA,KAC/E;AAEA,IAAA,OAAO,IAAI,OAAA,CAA0B,CAAC,OAAA,KAAY;AAEhD,MAAA,MAAM,KAAA,GAAQ,WAAW,MAAM;AAC7B,QAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,EAAE,CAAA;AACtB,QAAA,MAAM,QAAA,GAA6B;AAAA;AAAA,UAEjC,QAAA,EAAU,MAAA;AAAA,UACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,UACnC,UAAA,EAAY;AAAA,SACd;AACA,QAAA,OAAA,CAAQ,QAAQ,CAAA;AAAA,MAClB,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,eAAA,GAAkB,GAAI,CAAA;AAGrC,MAAA,MAAM,OAAA,GAAiC;AAAA,QACrC,EAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,KAAA;AAAA,QACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACrC;AACA,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,EAAA,EAAI,OAAO,CAAA;AAG5B,MAAA,MAAM,WAAA,GAAc,CAAA,OAAA,EAAU,IAAA,CAAK,MAAA,CAAO,aAAa,IAAI,IAAA,CAAK,MAAA,CAAO,aAAa,CAAA,iBAAA,EAAoB,EAAE,CAAA,CAAA;AAC1G,MAAA,MAAM,OAAA,GAA0B;AAAA,QAC9B,UAAA,EAAY,EAAA;AAAA,QACZ,WAAW,OAAA,CAAQ,SAAA;AAAA,QACnB,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,SAAS,OAAA,CAAQ,OAAA;AAAA,QACjB,WAAW,OAAA,CAAQ,SAAA;AAAA,QACnB,YAAA,EAAc,WAAA;AAAA,QACd,eAAA,EAAiB,KAAK,MAAA,CAAO;AAAA,OAC/B;AAGA,MAAA,IAAA,CAAK,WAAA,CAAY,OAAO,CAAA,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AACvC,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,UACb,wCAAwC,GAAA,YAAe,KAAA,GAAQ,IAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAAC;AAAA;AAAA,SAC1F;AAAA,MACF,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AAAA;AAAA,EAIA,MAAc,YAAY,OAAA,EAAwC;AAChE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA;AACnC,IAAA,MAAM,SAAA,GAAY,WAAA,CAAY,IAAA,EAAM,IAAA,CAAK,OAAO,cAAc,CAAA;AAE9D,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,IAAA,CAAK,OAAO,WAAA,EAAa;AAAA,MACpD,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,uBAAA,EAAyB,SAAA;AAAA,QACzB,0BAA0B,OAAA,CAAQ;AAAA,OACpC;AAAA,MACA;AAAA,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,iBAAA,EAAoB,QAAA,CAAS,MAAM,CAAA,EAAA,EAAK,MAAM,QAAA,CAAS,IAAA,EAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAC,CAAA;AAAA,OAC/E;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAIQ,cAAA,CAAe,KAAsB,GAAA,EAA2B;AACtE,IAAA,MAAM,MAAM,IAAI,GAAA;AAAA,MACd,IAAI,GAAA,IAAO,GAAA;AAAA,MACX,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA;AAAA,KAC3C;AACA,IAAA,MAAM,MAAA,GAAS,IAAI,MAAA,IAAU,KAAA;AAG7B,IAAA,GAAA,CAAI,SAAA,CAAU,+BAA+B,GAAG,CAAA;AAChD,IAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,eAAe,CAAA;AAC7D,IAAA,GAAA,CAAI,SAAA;AAAA,MACF,8BAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAI,WAAW,SAAA,EAAW;AACxB,MAAA,GAAA,CAAI,UAAU,GAAG,CAAA;AACjB,MAAA,GAAA,CAAI,GAAA,EAAI;AACR,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,QAAA,KAAa,SAAA,EAAW;AAClD,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,GAAA;AAAA,QACF,KAAK,SAAA,CAAU;AAAA,UACb,MAAA,EAAQ,IAAA;AAAA,UACR,aAAA,EAAe,KAAK,OAAA,CAAQ;AAAA,SAC7B;AAAA,OACH;AACA,MAAA;AAAA,IACF;AAGA,IAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,QAAA,CAAS,KAAA,CAAM,mCAAmC,CAAA;AACpE,IAAA,IAAI,MAAA,KAAW,MAAA,IAAU,CAAC,KAAA,EAAO;AAC/B,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,WAAA,EAAa,CAAC,CAAA;AAC9C,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,SAAA,GAAY,MAAM,CAAC,CAAA;AAGzB,IAAA,IAAI,aAAuB,EAAC;AAC5B,IAAA,GAAA,CAAI,GAAG,MAAA,EAAQ,CAAC,UAAkB,UAAA,CAAW,IAAA,CAAK,KAAK,CAAC,CAAA;AACxD,IAAA,GAAA,CAAI,EAAA,CAAG,OAAO,MAAM;AAClB,MAAA,MAAM,OAAO,MAAA,CAAO,MAAA,CAAO,UAAU,CAAA,CAAE,SAAS,OAAO,CAAA;AAGvD,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,uBAAuB,CAAA;AACrD,MAAA,IACE,OAAO,SAAA,KAAc,QAAA,IACrB,CAAC,eAAA,CAAgB,MAAM,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,cAAc,CAAA,EAC5D;AACA,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,qBAAqB;AAAA,SAC/C;AACA,QAAA;AAAA,MACF;AAGA,MAAA,IAAI,eAAA;AACJ,MAAA,IAAI;AACF,QAAA,eAAA,GAAkB,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MACnC,CAAA,CAAA,MAAQ;AACN,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,cAAA,EAAgB,CAAC,CAAA;AACjD,QAAA;AAAA,MACF;AAGA,MAAA,IACE,eAAA,CAAgB,QAAA,KAAa,SAAA,IAC7B,eAAA,CAAgB,aAAa,MAAA,EAC7B;AACA,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,KAAK,SAAA,CAAU;AAAA,YACb,KAAA,EAAO;AAAA,WACR;AAAA,SACH;AACA,QAAA;AAAA,MACF;AAGA,MAAA,IAAI,eAAA,CAAgB,eAAe,SAAA,EAAW;AAC5C,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uBAAuB;AAAA,SACjD;AACA,QAAA;AAAA,MACF;AAGA,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,SAAS,CAAA;AAC1C,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,KAAK,SAAA,CAAU;AAAA,YACb,KAAA,EAAO;AAAA,WACR;AAAA,SACH;AACA,QAAA;AAAA,MACF;AAGA,MAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAC1B,MAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,SAAS,CAAA;AAE7B,MAAA,MAAM,QAAA,GAA6B;AAAA,QACjC,UAAU,eAAA,CAAgB,QAAA;AAAA,QAC1B,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACd;AAEA,MAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAExB,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,GAAA;AAAA,QACF,KAAK,SAAA,CAAU;AAAA,UACb,OAAA,EAAS,IAAA;AAAA,UACT,UAAU,eAAA,CAAgB;AAAA,SAC3B;AAAA,OACH;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA;AAAA,EAGA,IAAI,YAAA,GAAuB;AACzB,IAAA,OAAO,KAAK,OAAA,CAAQ,IAAA;AAAA,EACtB;AACF;;;ACpVA,IAAM,sBAAA,GAAyB;AAAA,EAC7B,sDAAA;AAAA,EACA,kBAAA;AAAA,EACA,yDAAA;AAAA,EACA,oCAAA;AAAA,EACA,sDAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,wBAAA,GAA2B;AAAA,EAC/B,yDAAA;AAAA,EACA,qDAAA;AAAA,EACA,kFAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,wBAAA,GAA2B;AAAA,EAC/B,cAAA;AAAA,EACA,cAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,WAAA,GAAc,wBAAA;AACpB,IAAM,aAAA,GAAgB,gDAAA;AAGtB,IAAM,gBAAA,GAAmB;AAAA,EACvB,QAAA;AAAA;AAAA,EACA,QAAA;AAAA;AAAA,EACA,QAAA;AAAA;AAAA,EACA;AAAA;AACF,CAAA;AAEO,IAAM,oBAAN,MAAwB;AAAA,EACrB,MAAA;AAAA,EACA,KAAA,GAAQ;AAAA,IACd,WAAA,EAAa,CAAA;AAAA,IACb,WAAA,EAAa,CAAA;AAAA,IACb,YAAA,EAAc,CAAA;AAAA,IACd,iBAAiB;AAAC,GACpB;AAAA,EAEA,WAAA,CAAY,MAAA,GAA2C,EAAC,EAAG;AACzD,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,OAAA,EAAS,OAAO,OAAA,IAAW,IAAA;AAAA,MAC3B,WAAA,EAAa,OAAO,WAAA,IAAe,QAAA;AAAA,MACnC,YAAA,EAAc,OAAO,YAAA,IAAgB,UAAA;AAAA,MACrC,eAAA,EAAiB,MAAA,CAAO,eAAA,IAAmB;AAAC,KAC9C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,IAAA,CAAK,UAAkB,IAAA,EAAgD;AACrE,IAAA,IAAA,CAAK,KAAA,CAAM,WAAA,EAAA;AAEX,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,CAAA;AAAA,QACZ,SAAS,EAAC;AAAA,QACV,cAAA,EAAgB;AAAA,OAClB;AAAA,IACF;AAEA,IAAA,MAAM,UAA6B,EAAC;AACpC,IAAA,MAAM,OAAA,uBAAc,GAAA,EAAa;AAGjC,IAAA,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,EAAA,EAAI,QAAA,EAAU,SAAS,OAAO,CAAA;AAEnD,IAAA,MAAM,OAAA,GAAU,QAAQ,MAAA,GAAS,CAAA;AACjC,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,KAAA,CAAM,WAAA,EAAA;AAAA,IACb;AAEA,IAAA,KAAA,MAAW,OAAO,OAAA,EAAS;AACzB,MAAA,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA,GAAA,CAChC,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA,IAAK,CAAA,IAAK,CAAA;AAAA,IAClD;AAEA,IAAA,MAAM,iBAAiB,IAAA,CAAK,qBAAA;AAAA,MAC1B,OAAA;AAAA,MACA,KAAK,MAAA,CAAO;AAAA,KACd;AAEA,IAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,MAAA,IAAA,CAAK,KAAA,CAAM,YAAA,EAAA;AAAA,IACb;AAEA,IAAA,OAAO;AAAA,MACL,OAAA;AAAA,MACA,UAAA,EAAY,IAAA,CAAK,iBAAA,CAAkB,OAAO,CAAA;AAAA,MAC1C,OAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,SAAA,CACN,KAAA,EACA,IAAA,EACA,QAAA,EACA,SACA,OAAA,EACM;AAEN,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,KAAK,CAAA,EAAG;AACxB,MAAA,OAAA,CAAQ,IAAI,KAAK,CAAA;AAAA,IACnB;AAEA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,MAAA,IAAA,CAAK,UAAA,CAAW,KAAA,EAAO,IAAA,EAAM,QAAA,EAAU,OAAO,CAAA;AAAA,IAChD,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC/B,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,QAAA,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,CAAC,CAAA,EAAG,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA,CAAA,EAAK,QAAA,EAAU,OAAA,EAAS,OAAO,CAAA;AAAA,MACtE;AAAA,IACF,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,IAAY,UAAU,IAAA,EAAM;AACtD,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,GAAG,KAAK,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC9C,QAAA,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK,IAAA,GAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA,GAAK,GAAA,EAAK,QAAA,EAAU,OAAA,EAAS,OAAO,CAAA;AAAA,MAC/E;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,UAAA,CACN,KAAA,EACA,IAAA,EACA,SAAA,EACA,OAAA,EACM;AAEN,IAAA,IAAI,IAAA,CAAK,WAAA,CAAY,IAAI,CAAA,EAAG;AAC1B,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,WAAW,IAAA,IAAQ,MAAA;AAOzB,IAAA,MAAM,aAAa,IAAA,CAAK,oBAAA,CAAqB,KAAA,CAAM,SAAA,CAAU,MAAM,CAAC,CAAA;AAGpE,IAAA,IAAI,eAAe,KAAA,EAAO;AACxB,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,6BAAA;AAAA,QACT,QAAA;AAAA,QACA,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAKA,IAAA,KAAA,MAAW,WAAW,sBAAA,EAAwB;AAC5C,MAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,UAAU,CAAA,EAAG;AAC5B,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,IAAA,EAAM,eAAA;AAAA,UACN,SAAS,OAAA,CAAQ,MAAA;AAAA,UACjB,QAAA;AAAA,UACA,QAAA,EAAU;AAAA,SACX,CAAA;AACD,QAAA;AAAA,MACF;AAAA,IACF;AAKA,IAAA,KAAA,MAAW,WAAW,wBAAA,EAA0B;AAC9C,MAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,UAAU,CAAA,EAAG;AAC5B,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,IAAA,EAAM,iBAAA;AAAA,UACN,SAAS,OAAA,CAAQ,MAAA;AAAA,UACjB,QAAA;AAAA,UACA,QAAA,EAAU;AAAA,SACX,CAAA;AACD,QAAA;AAAA,MACF;AAAA,IACF;AAKA,IAAA,IAAI,CAAC,IAAA,CAAK,eAAA,CAAgB,IAAI,CAAA,EAAG;AAC/B,MAAA,KAAA,MAAW,WAAW,wBAAA,EAA0B;AAC9C,QAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,UAAU,CAAA,EAAG;AAC5B,UAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,YACX,IAAA,EAAM,2BAAA;AAAA,YACN,SAAS,OAAA,CAAQ,MAAA;AAAA,YACjB,QAAA;AAAA,YACA,QAAA,EAAU;AAAA,WACX,CAAA;AACD,UAAA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAKA,IAAA,IAAA,CAAK,qBAAA,CAAsB,KAAA,EAAO,QAAA,EAAU,OAAO,CAAA;AAKnD,IAAA,IAAA,CAAK,sBAAA,CAAuB,KAAA,EAAO,QAAA,EAAU,OAAO,CAAA;AAKpD,IAAA,IAAA,CAAK,oBAAA,CAAqB,KAAA,EAAO,QAAA,EAAU,OAAO,CAAA;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAA,CACN,KAAA,EACA,IAAA,EACA,OAAA,EACM;AAEN,IAAA,IACE,KAAA,CAAM,SAAS,EAAA,IACf,wBAAA,CAAyB,KAAK,KAAA,CAAM,IAAA,EAAM,CAAA,EAC1C;AACA,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,eAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAGA,IAAA,IAAI,cAAA,GAAiB,CAAA;AACrB,IAAA,KAAA,MAAW,QAAQ,gBAAA,EAAkB;AACnC,MAAA,cAAA,IAAA,CAAmB,KAAA,CAAM,MAAM,IAAI,MAAA,CAAO,MAAM,GAAG,CAAC,CAAA,IAAK,EAAC,EAAG,MAAA;AAAA,IAC/D;AAEA,IAAA,IAAI,iBAAiB,CAAA,EAAG;AACtB,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,uBAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAIA,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,IAAA,CAAK,KAAK,CAAA;AACtC,IAAA,MAAM,MAAA,GAAS,2CAAA,CAA4C,IAAA,CAAK,KAAK,CAAA;AACrE,IAAA,MAAM,SAAA,GAAY,iBAAA,CAAkB,IAAA,CAAK,KAAK,CAAA;AAC9C,IAAA,MAAM,WAAA,GAAc,iBAAA,CAAkB,IAAA,CAAK,KAAK,CAAA;AAEhD,IAAA,MAAM,oBAAoB,CAAC,QAAA,EAAU,MAAA,EAAQ,SAAA,EAAW,WAAW,CAAA,CAAE,MAAA;AAAA,MACnE,CAAC,CAAA,KAAM;AAAA,KACT,CAAE,MAAA;AAEF,IAAA,IAAI,qBAAqB,CAAA,EAAG;AAC1B,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,yBAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,sBAAA,CACN,KAAA,EACA,IAAA,EACA,OAAA,EACM;AAEN,IAAA,IAAI,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA,EAAG;AAC7B,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,IAAA,CAAK,KAAK,CAAA,EAAG;AAC3B,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,mBAAA;AAAA,QACN,OAAA,EAAS,eAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAGA,IAAA,IAAI,aAAA,CAAc,KAAK,KAAK,CAAA,IAAK,CAAC,IAAA,CAAK,gBAAA,CAAiB,IAAI,CAAA,EAAG;AAC7D,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,mBAAA;AAAA,QACN,OAAA,EAAS,iBAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAIA,IAAA,IAAI,KAAA,CAAM,MAAA,GAAS,EAAA,IAAM,KAAA,CAAM,MAAA,GAAS,OAAS,CAAC,IAAA,CAAK,iBAAA,CAAkB,IAAI,CAAA,EAAG;AAE9E,MAAA,MAAM,cAAA,GAAiB,uBAAA,CAAwB,IAAA,CAAK,KAAK,CAAA;AACzD,MAAA,MAAM,aAAA,GAAgB,0BAAA,CAA2B,IAAA,CAAK,KAAK,CAAA;AAE3D,MAAA,IAAI,kBAAkB,aAAA,EAAe;AACnC,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,IAAA,EAAM,mBAAA;AAAA,UACN,OAAA,EAAS,2BAAA;AAAA,UACT,UAAU,IAAA,IAAQ,MAAA;AAAA,UAClB,QAAA,EAAU;AAAA,SACX,CAAA;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAA,CACN,KAAA,EACA,IAAA,EACA,OAAA,EACM;AAEN,IAAA,IAAI,KAAA,CAAM,SAAS,KAAA,EAAO;AACxB,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,iBAAA;AAAA,QACN,OAAA,EAAS,cAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAKA,IAAA,IAAI,KAAA,CAAM,UAAU,GAAA,EAAK;AACvB,MAAA,MAAM,WAAA,GAAc,CAAC,EAAA,EAAI,EAAA,EAAI,EAAE,CAAA;AAC/B,MAAA,KAAA,MAAW,cAAc,WAAA,EAAa;AACpC,QAAA,IAAI,KAAA,CAAM,MAAA,GAAS,UAAA,GAAa,CAAA,EAAG;AACnC,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,SAAA,CAAU,CAAA,EAAG,UAAU,CAAA;AAC7C,QAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,QAAA,IAAI,GAAA,GAAM,CAAA;AACV,QAAA,OAAO,GAAA,IAAO,KAAA,CAAM,MAAA,GAAS,UAAA,EAAY;AACvC,UAAA,IAAI,MAAM,SAAA,CAAU,GAAA,EAAK,GAAA,GAAM,UAAU,MAAM,OAAA,EAAS;AACtD,YAAA,KAAA,EAAA;AACA,YAAA,GAAA,IAAO,UAAA;AAAA,UACT,CAAA,MAAO;AACL,YAAA,GAAA,EAAA;AAAA,UACF;AACA,UAAA,IAAI,SAAS,EAAA,EAAI;AAAA,QACnB;AACA,QAAA,IAAI,SAAS,EAAA,EAAI;AACf,UAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,YACX,IAAA,EAAM,iBAAA;AAAA,YACN,OAAA,EAAS,iBAAA;AAAA,YACT,UAAU,IAAA,IAAQ,MAAA;AAAA,YAClB,QAAA,EAAU;AAAA,WACX,CAAA;AACD,UAAA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,IAAA,EAAuB;AAEzC,IAAA,MAAM,SAAA,GAAY;AAAA,MAChB,aAAA;AAAA,MACA,eAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,UAAA;AAAA,MACA,eAAA;AAAA,MACA,gBAAA;AAAA,MACA,iBAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,eAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,OAAO,UAAU,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAgB,IAAA,EAAuB;AAC7C,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,YAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,WAAW,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,IAAA,EAAuB;AAC5C,IAAA,MAAM,SAAA,GAAY;AAAA,MAChB,MAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,UAAU,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAiB,IAAA,EAAuB;AAC9C,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,QAAA;AAAA,MACA,UAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,YAAY,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,IAAA,EAAuB;AAC/C,IAAA,MAAM,gBAAA,GAAmB;AAAA,MACvB,OAAA;AAAA,MACA,UAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,iBAAiB,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,qBAAqB,KAAA,EAAuB;AAGlD,IAAA,MAAM,WAAA,GAAsC;AAAA;AAAA,MAE1C,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA;AAAA,MAEzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA;AAAA,MACV,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA;AAAA,MACV,QAAA,EAAU,GAAA;AAAA;AAAA,MACV,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU;AAAA;AAAA,KAC3B;AAEA,IAAA,IAAI,MAAA,GAAS,KAAA;AAGb,IAAA,IAAI,cAAA,CAAe,IAAA,CAAK,KAAK,CAAA,EAAG;AAC9B,MAAA,MAAM,QAAQ,EAAC;AACf,MAAA,KAAA,MAAW,MAAM,MAAA,EAAQ;AACvB,QAAA,KAAA,CAAM,IAAA,CAAK,WAAA,CAAY,EAAE,CAAA,IAAK,EAAE,CAAA;AAAA,MAClC;AACA,MAAA,MAAA,GAAS,KAAA,CAAM,KAAK,EAAE,CAAA;AAAA,IACxB;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,kBAAkB,OAAA,EAAoC;AAC5D,IAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,CAAA;AAEjC,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,IAAI,SAAA,GAAY,CAAA;AAEhB,IAAA,KAAA,MAAW,OAAO,OAAA,EAAS;AACzB,MAAA,QAAQ,IAAI,QAAA;AAAU,QACpB,KAAK,MAAA;AACH,UAAA,SAAA,EAAA;AACA,UAAA,KAAA,IAAS,IAAA;AACT,UAAA;AAAA,QACF,KAAK,QAAA;AACH,UAAA,KAAA,IAAS,IAAA;AACT,UAAA;AAAA,QACF,KAAK,KAAA;AACH,UAAA,KAAA,IAAS,IAAA;AACT,UAAA;AAAA;AACJ,IACF;AAGA,IAAA,IAAI,YAAY,CAAA,EAAG;AACjB,MAAA,KAAA,IAAA,CAAU,YAAY,CAAA,IAAK,IAAA;AAAA,IAC7B;AAGA,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,CAAG,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAA,CACN,SACA,WAAA,EACgC;AAChC,IAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,OAAA;AAEjC,IAAA,MAAM,eAAe,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,MAAM,CAAA;AAChE,IAAA,MAAM,iBAAiB,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,QAAQ,CAAA;AAEpE,IAAA,QAAQ,WAAA;AAAa,MACnB,KAAK,KAAA;AAEH,QAAA,OAAO,YAAA,CAAa,MAAA,GAAS,CAAA,GAAI,UAAA,GAAa,OAAA;AAAA,MAEhD,KAAK,QAAA;AAEH,QAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,EAAG,OAAO,OAAA;AACpC,QAAA,OAAO,cAAA,CAAe,MAAA,GAAS,CAAA,GAAI,UAAA,GAAa,OAAA;AAAA,MAElD,KAAK,MAAA;AAEH,QAAA,IAAI,aAAa,MAAA,GAAS,CAAA,IAAK,cAAA,CAAe,MAAA,GAAS,GAAG,OAAO,OAAA;AACjE,QAAA,IAAI,cAAA,CAAe,MAAA,GAAS,CAAA,EAAG,OAAO,OAAA;AACtC,QAAA,OAAO,OAAA,CAAQ,MAAA,GAAS,CAAA,GAAI,UAAA,GAAa,OAAA;AAAA;AAC7C,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA,GAKE;AACA,IAAA,OAAO;AAAA,MACL,WAAA,EAAa,KAAK,KAAA,CAAM,WAAA;AAAA,MACxB,WAAA,EAAa,KAAK,KAAA,CAAM,WAAA;AAAA,MACxB,YAAA,EAAc,KAAK,KAAA,CAAM,YAAA;AAAA,MACzB,eAAA,EAAiB,EAAE,GAAG,IAAA,CAAK,MAAM,eAAA;AAAgB,KACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,WAAA,EAAa,CAAA;AAAA,MACb,WAAA,EAAa,CAAA;AAAA,MACb,YAAA,EAAc,CAAA;AAAA,MACd,iBAAiB;AAAC,KACpB;AAAA,EACF;AACF;;;ACxmBO,IAAM,eAAN,MAAmB;AAAA,EAChB,MAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,gBAAA;AAAA,EAER,YACE,MAAA,EACA,QAAA,EACA,OAAA,EACA,QAAA,EACA,mBACA,gBAAA,EACA;AACA,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,iBAAA,GAAoB,iBAAA,IAAqB,IAAI,iBAAA,EAAkB;AACpE,IAAA,IAAA,CAAK,gBAAA,GAAmB,gBAAA;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,QAAA,CACJ,QAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,SAAA,GAAY,qBAAqB,QAAQ,CAAA;AAG/C,IAAA,IAAA,CAAK,QAAA,CAAS,eAAe,SAAS,CAAA;AAGtC,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,iBAAA,CAAkB,IAAA,CAAK,UAAU,IAAI,CAAA;AAClE,IAAA,IAAI,gBAAgB,OAAA,EAAS;AAC3B,MAAA,IAAA,CAAK,SAAS,MAAA,CAAO,IAAA,EAAM,CAAA,mBAAA,EAAsB,SAAS,IAAI,QAAA,EAAU;AAAA,QACtE,YAAY,eAAA,CAAgB,UAAA;AAAA,QAC5B,OAAA,EAAS,eAAA,CAAgB,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,MAAM;AAAA,UACzC,MAAM,CAAA,CAAE,IAAA;AAAA,UACR,UAAU,CAAA,CAAE,QAAA;AAAA,UACZ,UAAU,CAAA,CAAE;AAAA,SACd,CAAE,CAAA;AAAA,QACF,gBAAgB,eAAA,CAAgB;AAAA,OACjC,CAAA;AAGD,MAAA,IAAI,KAAK,gBAAA,EAAkB;AACzB,QAAA,IAAA,CAAK,gBAAA,CAAiB;AAAA,UACpB,QAAA;AAAA,UACA,MAAA,EAAQ,eAAA;AAAA,UACR,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACnC,CAAA;AAAA,MACH;AAEA,MAAA,IAAI,eAAA,CAAgB,mBAAmB,OAAA,EAAS;AAC9C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,IAAA,EAAM,CAAA;AAAA,UACN,MAAA,EAAQ,0CAA0C,SAAS,CAAA,eAAA,EAAA,CAAmB,gBAAgB,UAAA,GAAa,GAAA,EAAK,OAAA,CAAQ,CAAC,CAAC,CAAA,EAAA,CAAA;AAAA,UAC1H,iBAAA,EAAmB;AAAA,SACrB;AAAA,MACF;AAEA,MAAA,IAAI,eAAA,CAAgB,mBAAmB,UAAA,EAAY;AACjD,QAAA,OAAO,IAAA,CAAK,eAAA;AAAA,UACV,SAAA;AAAA,UACA,CAAA;AAAA,UACA,CAAA,wCAAA,EAA2C,SAAS,CAAA,eAAA,EAAA,CAAmB,eAAA,CAAgB,UAAA,GAAa,GAAA,EAAK,OAAA,CAAQ,CAAC,CAAC,CAAA,GAAA,EAAM,eAAA,CAAgB,OAAA,CAAQ,MAAM,CAAA,WAAA,CAAA;AAAA,UACvJ;AAAA,YACE,SAAA;AAAA,YACA,mBAAA,EAAqB;AAAA,cACnB,YAAY,eAAA,CAAgB,UAAA;AAAA,cAC5B,YAAA,EAAc,gBAAgB,OAAA,CAAQ,MAAA;AAAA,cACtC,YAAA,EAAc,CAAC,GAAG,IAAI,GAAA,CAAI,eAAA,CAAgB,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,IAAI,CAAC,CAAC;AAAA;AACrE;AACF,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,oBAAA,CAAqB,QAAA,CAAS,SAAS,CAAA,EAAG;AACxD,MAAA,OAAO,KAAK,eAAA,CAAgB,SAAA,EAAW,CAAA,EAAG,CAAA,CAAA,EAAI,SAAS,CAAA,kDAAA,CAAA,EAAsD;AAAA,QAC3G,SAAA;AAAA,QACA,YAAA,EAAc,IAAA,CAAK,aAAA,CAAc,IAAI;AAAA,OACtC,CAAA;AAAA,IACH;AAGA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAA,EAAW,IAAI,CAAA;AAClD,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAO,KAAK,eAAA,CAAgB,SAAA,EAAW,GAAG,OAAA,CAAQ,MAAA,EAAQ,QAAQ,OAAO,CAAA;AAAA,IAC3E;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,QAAA,CAAS,SAAS,CAAA,EAAG;AACtD,MAAA,IAAA,CAAK,SAAS,MAAA,CAAO,IAAA,EAAM,CAAA,WAAA,EAAc,SAAS,IAAI,QAAA,EAAU;AAAA,QAC9D,IAAA,EAAM,CAAA;AAAA,QACN;AAAA,OACD,CAAA;AAED,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM,CAAA;AAAA,QACN,MAAA,EAAQ,4BAAA;AAAA,QACR,iBAAA,EAAmB;AAAA,OACrB;AAAA,IACF;AAKA,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,IAAA,EAAM,CAAA,kBAAA,EAAqB,SAAS,IAAI,QAAA,EAAU;AAAA,MACrE,IAAA,EAAM,CAAA;AAAA,MACN,SAAA;AAAA,MACA,OAAA,EAAS;AAAA,KACV,CAAA;AAED,IAAA,OAAO,IAAA,CAAK,eAAA;AAAA,MACV,SAAA;AAAA,MACA,CAAA;AAAA,MACA,IAAI,SAAS,CAAA,sFAAA,CAAA;AAAA,MACb,EAAE,SAAA,EAAW,YAAA,EAAc,IAAA;AAAK,KAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAA,CACN,WACA,IAAA,EAC6D;AAC7D,IAAA,MAAM,MAAA,GAAS,KAAK,MAAA,CAAO,aAAA;AAG3B,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,cAAA,IAAkB,MAAA,CAAO,yBAAyB,SAAA,EAAW;AAE7E,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,QAAA,CAAS,SAAS,CAAA,EAAG;AACvD,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,mBAAmB,SAAS,CAAA,6BAAA,CAAA;AAAA,UACpC,OAAA,EAAS,EAAE,SAAA,EAAW,gBAAA,EAAkB,IAAA;AAAK,SAC/C;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,yBAAyB,SAAA,EAAW;AAC7C,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,qBAAA,CAAsB,SAAS,CAAA;AAC3D,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,8BAA8B,SAAS,CAAA,2BAAA,CAAA;AAAA,YAC/C,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,SAAA;AAAA,cACA,gBAAA,EAAkB,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW,CAAE;AAAA;AAC/C,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAA,MAAA,IAAW,MAAA,CAAO,oBAAA,KAAyB,KAAA,EAAO;AAChD,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,IAAA,CAAK,QAAA,CAAS,sBAAsB,SAAS,CAAA;AAAA,MAC/C;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,qBAAqB,SAAA,EAAW;AACzC,MAAA,MAAM,eAAA,GACH,IAAA,CAAK,gBAAA,IAAgC,IAAA,CAAK,iBAAA;AAC7C,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmB,eAAe,CAAA;AAC9D,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,wCAAwC,eAAe,CAAA,CAAA,CAAA;AAAA,YAC/D,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,gBAAA,EAAkB,eAAA;AAAA,cAClB,oBAAA,EAAsB,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW,CAAE;AAAA;AACnD,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAA,MAAA,IAAW,MAAA,CAAO,gBAAA,KAAqB,KAAA,EAAO;AAC5C,MAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,IAAA,CAAK,QAAA,CAAS,mBAAmB,eAAe,CAAA;AAAA,MAClD;AAAA,IACF;AAGA,IAAA,IAAI,cAAc,eAAA,EAAiB;AACjC,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW;AAC3C,MAAA,IAAI,SAAA,GAAY,OAAO,oBAAA,EAAsB;AAC3C,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,CAAA,mBAAA,EAAsB,SAAS,CAAA,qBAAA,EAAwB,OAAO,oBAAoB,CAAA,KAAA,CAAA;AAAA,UAC1F,OAAA,EAAS;AAAA,YACP,SAAA;AAAA,YACA,gBAAA,EAAkB,SAAA;AAAA,YAClB,OAAO,MAAA,CAAO;AAAA;AAChB,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,cAAc,YAAA,EAAc;AAC9B,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,mBAAA,CAAoB,SAAS,CAAA;AAC7D,QAAA,IAAI,SAAA,GAAY,OAAO,mBAAA,EAAqB;AAC1C,UAAA,OAAO;AAAA,YACL,QAAQ,CAAA,oBAAA,EAAuB,SAAS,gBAAgB,SAAS,CAAA,4BAAA,EAA+B,OAAO,mBAAmB,CAAA,CAAA,CAAA;AAAA,YAC1H,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,SAAA;AAAA,cACA,eAAA,EAAiB,SAAA;AAAA,cACjB,WAAW,MAAA,CAAO;AAAA;AACpB,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,WAAA,CAAY,SAAS,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,kBAAA,EAAmB;AACjD,IAAA,IACE,OAAA,GAAU,CAAA,IACV,QAAA,GAAW,OAAA,GAAU,OAAO,0BAAA,EAC5B;AACA,MAAA,OAAO;AAAA,QACL,MAAA,EAAQ,CAAA,kBAAA,EAAqB,SAAS,CAAA,KAAA,EAAQ,QAAQ,CAAA,MAAA,EAAS,MAAA,CAAO,0BAA0B,CAAA,mBAAA,EAAmB,OAAA,CAAQ,OAAA,CAAQ,CAAC,CAAC,CAAA,KAAA,CAAA;AAAA,QACrI,OAAA,EAAS;AAAA,UACP,SAAA;AAAA,UACA,YAAA,EAAc,QAAA;AAAA,UACd,YAAA,EAAc,OAAA;AAAA,UACd,YAAY,MAAA,CAAO;AAAA;AACrB,OACF;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,eAAA,CACZ,SAAA,EACA,IAAA,EACA,QACA,OAAA,EACqB;AACrB,IAAA,MAAM,OAAA,GAA2B;AAAA,MAC/B,SAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAA;AAAA,MACA,OAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,gBAAgB,OAAO,CAAA;AAG3D,IAAA,IAAA,CAAK,QAAA,CAAS,OAAO,IAAA,EAAM,CAAA,KAAA,EAAQ,SAAS,QAAQ,CAAA,CAAA,EAAI,SAAS,CAAA,CAAA,EAAI,QAAA,EAAU;AAAA,MAC7E,IAAA;AAAA,MACA,MAAA;AAAA,MACA,YAAY,QAAA,CAAS;AAAA,KACtB,CAAA;AAED,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,SAAS,QAAA,KAAa,SAAA;AAAA,MAC/B,IAAA;AAAA,MACA,QAAQ,QAAA,CAAS,QAAA,KAAa,YAC1B,CAAA,YAAA,EAAe,QAAA,CAAS,UAAU,CAAA,CAAA,GAClC,MAAA;AAAA,MACJ,iBAAA,EAAmB,IAAA;AAAA,MACnB,iBAAA,EAAmB;AAAA,KACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAc,IAAA,EAAwD;AAC5E,IAAA,MAAM,UAAmC,EAAC;AAC1C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAC/C,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,SAAS,GAAA,EAAK;AACnD,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA,GAAI,KAAA;AAAA,MACvC,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,KAAA;AAAA,MACjB;AAAA,IACF;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA,EAGA,WAAA,GAA+B;AAC7B,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AAAA;AAAA,EAGA,oBAAA,GAA0C;AACxC,IAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,EACd;AACF;;;AC1UO,SAAS,0BAAA,CACd,MAAA,EACA,QAAA,EACA,QAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,WAAA,EACE,4HAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EAAa,+CAAA;AAAA,YACb,OAAA,EAAS;AAAA;AACX;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAA,GAAkB,KAAK,gBAAA,IAA+B,KAAA;AAE5D,QAAA,MAAM,IAAA,GAAgC;AAAA,UACpC,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,sBAAsB,MAAA,CAAO,oBAAA;AAAA,UAC7B,eAAe,MAAA,CAAO,aAAA;AAAA,UACtB,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,OAAO,gBAAA,CAAiB,IAAA;AAAA,YAC9B,eAAA,EAAiB,OAAO,gBAAA,CAAiB,eAAA;AAAA,YACzC,SAAA,EAAW;AAAA;AAAA;AACb,SACF;AAEA,QAAA,IAAI,eAAA,EAAiB;AACnB,UAAA,IAAA,CAAK,qBAAqB,MAAA,CAAO,kBAAA;AAAA,QACnC,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,wBAAA,GAA2B,OAAO,kBAAA,CAAmB,MAAA;AAC1D,UAAA,IAAA,CAAK,IAAA,GACH,qEAAA;AAAA,QACJ;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,QAAA,EAAU;AAAA,UACvD,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAED,QAAA,OAAO,WAAW,IAAI,CAAA;AAAA,MACxB;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,sKAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,OAAA,GAAU,SAAS,UAAA,EAAW;AAEpC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,QAAQ,CAAA;AAEzD,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,oBAAoB,OAAA,CAAQ,UAAA;AAAA,UAC5B,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,sBAAsB,OAAA,CAAQ,oBAAA;AAAA,UAC9B,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,UAAA,EAAY,QAAQ,QAAA,IAAY;AAAA,SACjC,CAAA;AAAA,MACH;AAAA;AACF,GACF;AACF;;;ACgCO,SAAS,aAAa,GAAA,EAAuB;AAClD,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,OAAO,GAAA,KAAQ,UAAU,OAAO,GAAA;AACpD,EAAA,IAAI,MAAM,OAAA,CAAQ,GAAG,GAAG,OAAO,GAAA,CAAI,IAAI,YAAY,CAAA;AACnD,EAAA,MAAM,SAAkC,EAAC;AACzC,EAAA,KAAA,MAAW,OAAO,MAAA,CAAO,IAAA,CAAK,GAA8B,CAAA,CAAE,MAAK,EAAG;AACpE,IAAA,MAAA,CAAO,GAAG,CAAA,GAAI,YAAA,CAAc,GAAA,CAAgC,GAAG,CAAC,CAAA;AAAA,EAClE;AACA,EAAA,OAAO,MAAA;AACT;AAKO,SAAS,uBAAuB,IAAA,EAAuB;AAC5D,EAAA,OAAO,IAAA,CAAK,SAAA,CAAU,YAAA,CAAa,IAAI,CAAC,CAAA;AAC1C;;;AC9HA,aAAA,EAAA;AAIA,IAAM,mBAAA,GAAsB,KAAK,EAAA,GAAK,GAAA;AAiB/B,SAAS,WAAA,CACd,YACA,IAAA,EACoB;AACpB,EAAA,MAAM,EAAE,MAAA,EAAQ,eAAA,EAAiB,SAAA,EAAW,YAAW,GAAI,IAAA;AAG3D,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,8DAAA;AAAA,EACT;AAEA,EAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,EAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,IAAK,cAAc,mBAAA,CAAoB,CAAA;AAG9E,EAAA,MAAM,eAAiC,EAAC;AAExC,EAAA,IAAI,MAAA,CAAO,SAAA,CAAU,WAAA,KAAgB,eAAA,EAAiB;AACpD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,wBAAA;AAAA,MACN,QAAA,EAAU,SAAA;AAAA,MACV,WAAA,EAAa,uCAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AACD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,2BAAA;AAAA,MACN,QAAA,EAAU,SAAA;AAAA,MACV,WAAA,EAAa,0DAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA,EAAmB;AACxD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,iBAAA;AAAA,MACN,QAAA,EAAU,MAAA;AAAA,MACV,WAAA,EAAa,wCAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAGA,EAAA,MAAM,IAAA,GAAgB;AAAA,IACpB,WAAA,EAAa,KAAA;AAAA,IACb,cAAA,EAAgB;AAAA,MACd,mBAAmB,MAAA,CAAO,OAAA;AAAA,MAC1B,YAAA,EAAc,QAAQ,QAAA,CAAS,IAAA;AAAA,MAC/B,YAAA,EAAc;AAAA,KAChB;AAAA,IACA,aAAa,QAAA,CAAS,WAAA;AAAA,IACtB,YAAA,EAAc,IAAI,WAAA,EAAY;AAAA,IAC9B,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,IAClC,MAAA,EAAQ;AAAA,MACN,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,QAAA;AAAA,QACR,UAAA,EAAY,OAAO,KAAA,CAAM,UAAA;AAAA,QACzB,WAAA,EAAa,MAAA;AAAA,QACb,SAAA,EAAW,OAAO,KAAA,CAAM,SAAA;AAAA,QACxB,aAAA,EAAe,OAAO,KAAA,CAAM,iBAAA;AAAA,QAC5B,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,MAAA,CAAO,SAAA,CAAU,WAAA,KAAgB,kBACrC,UAAA,GACA,QAAA;AAAA,QACJ,cAAA,EAAgB,OAAO,SAAA,CAAU,WAAA;AAAA,QACjC,qBAAA,EAAuB,OAAO,SAAA,CAAU;AAAA,OAC1C;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,oBACvC,UAAA,GACA,QAAA;AAAA,QACJ,YAAA,EAAc,OAAO,UAAA,CAAW,YAAA;AAAA,QAChC,oBAAA,EAAsB,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB;AAAA,OAC3D;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,QAAA;AAAA,QACR,eAAA,EAAiB,OAAO,UAAA,CAAW,IAAA;AAAA,QACnC,kBAAA,EAAoB,OAAO,UAAA,CAAW,kBAAA;AAAA,QACtC,mBAAA,EAAqB;AAAA;AACvB,KACF;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,SAAA,EAAW,IAAA;AAAA,MACX,YAAA,EAAc,IAAA;AAAA,MACd,iBAAA,EAAmB,IAAA;AAAA,MACnB,iBAAA,EAAmB;AAAA;AAAA,KACrB;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,SAAA,GAAY,uBAAuB,IAAI,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,cAAc,SAAS,CAAA;AAGvC,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,cAAA,GAAiB,IAAA;AAAA,IACrB,OAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,OAAO;AAAA,IACL,IAAA;AAAA,IACA,WAAW,QAAA,CAAS,UAAA;AAAA,IACpB,SAAA,EAAW,YAAY,cAAc;AAAA,GACvC;AACF;;;AC5IA,aAAA,EAAA;AASO,SAAS,SAAA,CACd,KACA,GAAA,EACuB;AACvB,EAAA,MAAM,SAAmB,EAAC;AAC1B,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,WAAA,GAAc,GAAA,oBAAO,IAAI,IAAA,EAAK;AAGpC,EAAA,IAAI,CAAC,IAAI,IAAA,IAAQ,CAAC,IAAI,SAAA,IAAa,CAAC,IAAI,SAAA,EAAW;AACjD,IAAA,MAAA,CAAO,KAAK,6DAA6D,CAAA;AACzE,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA;AAAA,MACA,QAAA;AAAA,MACA,iBAAA,EAAmB,SAAA;AAAA,MACnB,eAAA,EAAiB,GAAA,CAAI,IAAA,EAAM,WAAA,IAAe,SAAA;AAAA,MAC1C,UAAA,EAAY,GAAA,CAAI,IAAA,EAAM,UAAA,IAAc;AAAA,KACtC;AAAA,EACF;AAEA,EAAA,IAAI,GAAA,CAAI,IAAA,CAAK,WAAA,KAAgB,KAAA,EAAO;AAClC,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,yBAAA,EAA4B,GAAA,CAAI,IAAA,CAAK,WAAW,CAAA,CAAE,CAAA;AAAA,EAChE;AAGA,EAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,KAAK,UAAU,CAAA;AAC9C,EAAA,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,EAAS,CAAA,EAAG;AAC9B,IAAA,MAAA,CAAO,KAAK,8BAA8B,CAAA;AAAA,EAC5C,CAAA,MAAA,IAAW,cAAc,SAAA,EAAW;AAClC,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,eAAA,EAAkB,GAAA,CAAI,IAAA,CAAK,UAAU,CAAA,CAAE,CAAA;AAAA,EACrD;AAEA,EAAA,MAAM,WAAA,GAAc,IAAI,IAAA,CAAK,GAAA,CAAI,KAAK,YAAY,CAAA;AAClD,EAAA,IAAI,KAAA,CAAM,WAAA,CAAY,OAAA,EAAS,CAAA,EAAG;AAChC,IAAA,MAAA,CAAO,KAAK,gCAAgC,CAAA;AAAA,EAC9C,CAAA,MAAA,IAAW,cAAc,WAAA,EAAa;AACpC,IAAA,QAAA,CAAS,KAAK,8DAAyD,CAAA;AAAA,EACzE;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAC7C,IAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAClD,IAAA,MAAM,SAAA,GAAY,sBAAA,CAAuB,GAAA,CAAI,IAAI,CAAA;AACjD,IAAA,MAAM,OAAA,GAAU,cAAc,SAAS,CAAA;AAEvC,IAAA,MAAM,cAAA,GAAiB,MAAA,CAAO,OAAA,EAAS,cAAA,EAAgB,SAAS,CAAA;AAChE,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAA,CAAO,KAAK,0DAAqD,CAAA;AAAA,IACnE;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,+BAAA,EAAmC,CAAA,CAAY,OAAO,CAAA,CAAE,CAAA;AAAA,EACtE;AAGA,EAAA,MAAM,EAAE,MAAA,EAAO,GAAI,GAAA,CAAI,IAAA;AACvB,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,EAAI;AACxD,IAAA,MAAA,CAAO,KAAK,uCAAuC,CAAA;AAAA,EACrD;AAGA,EAAA,MAAM,gBAAA,GAAmB,sBAAA,CAAuB,GAAA,CAAI,IAAI,CAAA;AAGxD,EAAA,KAAA,MAAW,CAAA,IAAK,GAAA,CAAI,IAAA,CAAK,YAAA,IAAgB,EAAC,EAAG;AAC3C,IAAA,IAAI,CAAA,CAAE,aAAa,UAAA,EAAY;AAC7B,MAAA,QAAA,CAAS,KAAK,CAAA,wBAAA,EAA2B,CAAA,CAAE,KAAK,CAAA,EAAA,EAAK,CAAA,CAAE,WAAW,CAAA,CAAE,CAAA;AAAA,IACtE;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AAAA,IACzB,MAAA;AAAA,IACA,QAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,eAAA,EAAiB,IAAI,IAAA,CAAK,WAAA;AAAA,IAC1B,UAAA,EAAY,IAAI,IAAA,CAAK;AAAA,GACvB;AACF;AAKA,SAAS,uBACP,IAAA,EACiC;AACjC,EAAA,MAAM,EAAE,EAAA,EAAI,EAAA,EAAI,EAAA,EAAI,EAAA,KAAO,IAAA,CAAK,MAAA;AAGhC,EAAA,IACE,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,EACd;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAGA,EAAA,IAAI,EAAA,CAAG,WAAW,QAAA,EAAU;AAC1B,IAAA,OAAO,SAAA;AAAA,EACT;AAGA,EAAA,IAAI,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,EAAA,CAAG,WAAW,UAAA,EAAY;AACtD,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,OAAO,SAAA;AACT;;;ACKA,IAAM,aAAA,GAAgB;AAAA,EACpB,EAAA,EAAI,GAAA;AAAA,EACJ,EAAA,EAAI,GAAA;AAAA,EACJ,EAAA,EAAI,GAAA;AAAA,EACJ,EAAA,EAAI;AACN,CAAA;AAEA,IAAM,kBAAA,GAAqB;AAAA,EACzB,QAAA,EAAU,EAAA;AAAA,EACV,OAAA,EAAS,EAAA;AAAA,EACT,IAAA,EAAM;AACR,CAAA;AAUO,SAAS,uBAAuB,GAAA,EAA0C;AAC/E,EAAA,MAAM,EAAE,IAAA,EAAM,SAAA,EAAW,SAAA,EAAU,GAAI,GAAA;AAGvC,EAAA,MAAM,WAAA,GAAc,qBAAqB,IAAI,CAAA;AAG7C,EAAA,MAAM,YAAA,GAAe,sBAAsB,WAAW,CAAA;AAGtD,EAAA,MAAM,UAAA,GAAa,oBAAoB,YAAY,CAAA;AAGnD,EAAA,MAAM,OAAA,GAAU,4BAA4B,IAAI,CAAA;AAGhD,EAAA,MAAM,YAAA,GAAe,qBAAA,CAAsB,IAAA,CAAK,YAAY,CAAA;AAG5D,EAAA,MAAM,WAAA,GAAc,gCAAA,CAAiC,IAAkB,CAAA;AAEvE,EAAA,OAAO;AAAA,IACL,aAAa,IAAA,CAAK,WAAA;AAAA,IAClB,cAAA,EAAgB,SAAA;AAAA,IAChB,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IACrC,oBAAoB,IAAA,CAAK,UAAA;AAAA,IACzB,aAAA,EAAe,YAAA;AAAA,IACf,uBAAA,EAAyB,UAAA;AAAA,IACzB,YAAA,EAAc;AAAA,MACZ,cAAc,WAAA,CAAY,EAAA;AAAA,MAC1B,gBAAgB,WAAA,CAAY,EAAA;AAAA,MAC5B,eAAe,WAAA,CAAY,EAAA;AAAA,MAC3B,eAAe,WAAA,CAAY;AAAA,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG,MAAA;AAAA,MAC7B,cAAA,EAAgB,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG,MAAA;AAAA,MAC/B,aAAA,EAAe,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG,MAAA;AAAA,MAC9B,aAAA,EAAe,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG;AAAA,KAChC;AAAA,IACA,qBAAA,EAAuB,OAAA;AAAA,IACvB,YAAA;AAAA,IACA,uBAAA,EAAyB,WAAA;AAAA,IACzB,aAAA,EAAe,SAAA;AAAA,IACf,aAAA,EAAe;AAAA,GACjB;AACF;AAKA,SAAS,qBACP,IAAA,EAMA;AACA,EAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,EAAA,MAAM,eAAe,IAAA,CAAK,YAAA;AAE1B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAC5B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAC5B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAC5B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAG5B,EAAA,KAAA,MAAW,OAAO,YAAA,EAAc;AAC9B,IAAA,MAAM,MAAA,GACJ,kBAAA,CAAmB,GAAA,CAAI,QAA2C,CAAA,IAAK,EAAA;AAEzE,IAAA,IAAI,GAAA,CAAI,UAAU,IAAA,EAAM;AACtB,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC,CAAA,MAAA,IAAW,GAAA,CAAI,KAAA,KAAU,IAAA,EAAM;AAC7B,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC,CAAA,MAAA,IAAW,GAAA,CAAI,KAAA,KAAU,IAAA,EAAM;AAC7B,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC,CAAA,MAAA,IAAW,GAAA,CAAI,KAAA,KAAU,IAAA,EAAM;AAC7B,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC;AAAA,EACF;AAGA,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AACtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AACtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AACtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AAGtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAC/C,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAC/C,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAC/C,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAE/C,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAAA,IACtB,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAAA,IACtB,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAAA,IACtB,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO;AAAA,GACxB;AACF;AAKA,SAAS,sBAAsB,WAAA,EAKpB;AACT,EAAA,MAAM,OAAA,GAAA,CAAW,YAAY,EAAA,GAAK,WAAA,CAAY,KAAK,WAAA,CAAY,EAAA,GAAK,YAAY,EAAA,IAAM,CAAA;AACtF,EAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAC3B;AAKA,SAAS,oBACP,KAAA,EACiD;AACjD,EAAA,IAAI,KAAA,IAAS,IAAI,OAAO,MAAA;AACxB,EAAA,IAAI,KAAA,IAAS,IAAI,OAAO,UAAA;AACxB,EAAA,IAAI,KAAA,IAAS,IAAI,OAAO,UAAA;AACxB,EAAA,OAAO,YAAA;AACT;AAKA,SAAS,4BAA4B,IAAA,EAAkE;AACrG,EAAA,MAAM,EAAA,GAAK,KAAK,MAAA,CAAO,EAAA;AACvB,EAAA,MAAM,EAAA,GAAK,KAAK,MAAA,CAAO,EAAA;AACvB,EAAA,MAAM,EAAA,GAAK,KAAK,MAAA,CAAO,EAAA;AAGvB,EAAA,OAAO;AAAA,IACL,oBAAA,EAAsB,KAAK,YAAA,CAAa,SAAA;AAAA;AAAA,IACxC,qBAAA,EAAuB,KAAK,YAAA,CAAa,iBAAA;AAAA;AAAA,IACzC,kBAAA,EAAoB,EAAA,CAAG,UAAA,KAAe,MAAA,IAAU,GAAG,UAAA,KAAe,aAAA;AAAA,IAClE,0BAAA,EAA4B,KAAA;AAAA;AAAA,IAC5B,iBAAA,EAAmB,EAAA,CAAG,aAAA,KAAkB,SAAA,IAAa,GAAG,aAAA,KAAkB,MAAA;AAAA,IAC1E,sBAAA,EAAwB,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,GAAG,YAAA,KAAiB,iBAAA;AAAA,IACtE,6BAA6B,EAAA,CAAG,oBAAA;AAAA,IAChC,qBAAqB,EAAA,CAAG,mBAAA;AAAA,IACxB,iBAAA,EAAmB,KAAK,YAAA,CAAa;AAAA,GACvC;AACF;AAKA,SAAS,sBAAsB,YAAA,EAAsD;AACnF,EAAA,OAAO,YAAA,CAAa,GAAA,CAAI,CAAC,GAAA,KAAQ;AAC/B,IAAA,IAAI,WAAA,GAAc,EAAA;AAElB,IAAA,IAAI,GAAA,CAAI,SAAS,QAAA,EAAU;AACzB,MAAA,WAAA,GAAc,wDAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,wBAAA,EAA0B;AAChD,MAAA,WAAA,GAAc,2CAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,iBAAA,EAAmB;AACzC,MAAA,WAAA,GAAc,4DAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,cAAA,EAAgB;AACtC,MAAA,WAAA,GAAc,yCAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,2BAAA,EAA6B;AACnD,MAAA,WAAA,GAAc,kEAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,yBAAA,EAA2B;AACjD,MAAA,WAAA,GAAc,+CAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,kBAAA,EAAoB;AAC1C,MAAA,WAAA,GAAc,iDAAA;AAAA,IAChB,CAAA,MAAO;AACL,MAAA,WAAA,GAAc,8BAAA;AAAA,IAChB;AAEA,IAAA,OAAO;AAAA,MACL,OAAO,GAAA,CAAI,KAAA;AAAA,MACX,MAAM,GAAA,CAAI,IAAA;AAAA,MACV,UAAU,GAAA,CAAI,QAAA;AAAA,MACd,aAAa,GAAA,CAAI,WAAA;AAAA,MACjB,oBAAA,EAAsB;AAAA,KACxB;AAAA,EACF,CAAC,CAAA;AACH;AAKA,SAAS,gCAAA,CACP,MACA,aAAA,EAC2B;AAC3B,EAAA,MAAM,cAAyC,EAAC;AAChD,EAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AAGpB,EAAA,IAAI,OAAO,EAAA,CAAG,MAAA,KAAW,cAAc,MAAA,CAAO,EAAA,CAAG,gBAAgB,MAAA,EAAQ;AACvE,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,gCAAA;AAAA,MACN,WAAA,EAAa,oEAAA;AAAA,MACb,SAAA,EAAW,mDAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,CAAG,cAAA,EAAgB;AAC7B,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,gBAAA;AAAA,MACN,WAAA,EAAa,iEAAA;AAAA,MACb,SAAA,EAAW,mDAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,OAAO,EAAA,CAAG,MAAA,KAAW,cAAc,MAAA,CAAO,EAAA,CAAG,mBAAmB,eAAA,EAAiB;AACnF,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,WAAA;AAAA,MACN,WAAA,EAAa,uEAAA;AAAA,MACb,SAAA,EAAW,6CAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,CAAG,qBAAA,EAAuB;AACpC,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,mBAAA;AAAA,MACN,WAAA,EAAa,wDAAA;AAAA,MACb,SAAA,EAAW,8DAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,OAAO,EAAA,CAAG,MAAA,KAAW,cAAc,CAAC,MAAA,CAAO,GAAG,oBAAA,EAAsB;AACtE,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,kBAAA;AAAA,MACN,WAAA,EAAa,6EAAA;AAAA,MACb,SAAA,EAAW,4EAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,YAAA,KAAiB,iBAAA,EAAmB;AAChD,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,kBAAA;AAAA,MACN,WAAA,EAAa,+EAAA;AAAA,MACb,SAAA,EAAW,yCAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY;AACnC,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,mBAAA;AAAA,MACN,WAAA,EAAa,qDAAA;AAAA,MACb,SAAA,EAAW,8BAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,CAAG,mBAAA,EAAqB;AAClC,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,gBAAA;AAAA,MACN,WAAA,EAAa,gEAAA;AAAA,MACb,SAAA,EAAW,+CAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAGA,EAAA,MAAM,WAAA,GAAc,qBAAqB,IAAI,CAAA;AAC7C,EAAA,MAAM,YAAA,GAAe,sBAAsB,WAAW,CAAA;AAEtD,EAAA,IAAI,eAAe,EAAA,EAAI;AACrB,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,kBAAA;AAAA,MACN,WAAA,EAAa,uFAAA;AAAA,MACb,SAAA,EAAW,gCAAgC,YAAY,CAAA,IAAA,CAAA;AAAA,MACvD,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,WAAA;AACT;AAyBO,SAAS,oBAAoB,GAAA,EAA6C;AAC/E,EAAA,MAAM,OAAA,GAAU,uBAAuB,GAAG,CAAA;AAE1C,EAAA,OAAO;AAAA,IACL,UAAU,OAAA,CAAQ,cAAA;AAAA,IAClB,mBAAmB,OAAA,CAAQ,aAAA;AAAA,IAC3B,aAAa,OAAA,CAAQ,uBAAA;AAAA,IACrB,YAAA,EAAc;AAAA,MACZ,EAAA,EAAI,QAAQ,YAAA,CAAa,YAAA;AAAA,MACzB,EAAA,EAAI,QAAQ,YAAA,CAAa,cAAA;AAAA,MACzB,EAAA,EAAI,QAAQ,YAAA,CAAa,aAAA;AAAA,MACzB,EAAA,EAAI,QAAQ,YAAA,CAAa;AAAA,KAC3B;AAAA,IACA,cAAc,OAAA,CAAQ,qBAAA;AAAA,IACtB,WAAA,EAAa,OAAA,CAAQ,uBAAA,CAAwB,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACvD,MAAM,CAAA,CAAE,IAAA;AAAA,MACR,aAAa,CAAA,CAAE;AAAA,KACjB,CAAE,CAAA;AAAA,IACF,YAAY,OAAA,CAAQ,kBAAA;AAAA,IACpB,WAAW,OAAA,CAAQ;AAAA,GACrB;AACF;;;ACzdO,SAAS,cAAA,CACd,MAAA,EACA,eAAA,EACA,SAAA,EACA,QAAA,EAC6B;AAC7B,EAAA,MAAM,aAAA,GAAqC;AAAA,IACzC,MAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,oOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WACJ;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,gBAAA,GACnB,IAAA,CAAK,gBAAA,GAA8B,KAAK,GAAA,GACzC,MAAA;AAEJ,QAAA,MAAM,MAAA,GAAS,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC;AAAA,UACjE,GAAG,aAAA;AAAA,UACH;AAAA,SACD,CAAA;AAED,QAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,EAAQ,CAAA;AAAA,QACrC;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,MAAA,CAAO,KAAK,WAAW,CAAA;AAE7D,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,wIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,GAAA,EAAK;AAAA,YACH,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,KAAK;AAAA,OAClB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAM,IAAA,CAAK,GAAA;AACjB,QAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAE5B,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,YAAA;AAAA,UACA,MAAA,CAAO,eAAA;AAAA,UACP,MAAA;AAAA,UACA,MAAA,CAAO,QAAQ,SAAA,GAAY;AAAA,SAC7B;AAEA,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,2PAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAA,EAAQ,SAAS,CAAA;AAAA,YACxB,WAAA,EACE;AAAA,WACJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WACJ;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAU,KAAK,MAAA,IAAqB,MAAA;AAC1C,QAAA,MAAM,aAAa,IAAA,CAAK,gBAAA,GACnB,IAAA,CAAK,gBAAA,GAA8B,KAAK,GAAA,GACzC,MAAA;AAGJ,QAAA,MAAM,SAAA,GAAY,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC;AAAA,UACpE,GAAG,aAAA;AAAA,UACH;AAAA,SACD,CAAA;AAED,QAAA,IAAI,OAAO,cAAc,QAAA,EAAU;AACjC,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,SAAA,EAAW,CAAA;AAAA,QACxC;AAGA,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI,WAAW,SAAA,EAAW;AACxB,UAAA,OAAA,GAAU,oBAAoB,SAAS,CAAA;AAAA,QACzC,CAAA,MAAO;AACL,UAAA,OAAA,GAAU,uBAAuB,SAAS,CAAA;AAAA,QAC5C;AAEA,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,oBAAA;AAAA,UACA,UAAU,IAAA,CAAK,WAAA;AAAA,UACf,MAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,OAAO,WAAW,OAAO,CAAA;AAAA,MAC3B;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;;;ACjJA,aAAA,EAAA;AAMA,SAAS,aAAA,GAAwB;AAC/B,EAAA,OAAO,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AACpC;AAMO,SAAS,kBACd,MAAA,EAC8D;AAC9D,EAAA,MAAM,QAAQ,aAAA,EAAc;AAC5B,EAAA,MAAM,SAAA,GAAY,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AAE7C,EAAA,MAAM,SAAA,GAAgC;AAAA,IACpC,gBAAA,EAAkB,KAAA;AAAA,IAClB,GAAA,EAAK,MAAA;AAAA,IACL,KAAA;AAAA,IACA,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AAEA,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,UAAA,EAAY,SAAA;AAAA,IACZ,IAAA,EAAM,WAAA;AAAA,IACN,KAAA,EAAO,WAAA;AAAA,IACP,SAAA,EAAW,KAAA;AAAA,IACX,OAAA,EAAS,MAAA;AAAA,IACT,cAAc,SAAA,CAAU;AAAA,GAC1B;AAEA,EAAA,OAAO,EAAE,WAAW,OAAA,EAAQ;AAC9B;AAMO,SAAS,kBAAA,CACd,SAAA,EACA,MAAA,EACA,eAAA,EACA,WACA,UAAA,EACgF;AAEhF,EAAA,IAAI,SAAA,CAAU,qBAAqB,KAAA,EAAO;AACxC,IAAA,OAAO,EAAE,KAAA,EAAO,CAAA,8BAAA,EAAiC,SAAA,CAAU,gBAAgB,CAAA,CAAA,EAAG;AAAA,EAChF;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,SAAA,CAAU,GAAG,CAAA;AACzC,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,OAAO,EAAE,OAAO,CAAA,mCAAA,EAAsC,SAAA,CAAU,OAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,EAAG;AAAA,EACtF;AAGA,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,EAAE,OAAO,mCAAA,EAAoC;AAAA,EACtD;AAGA,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,SAAA,CAAU,KAAK,CAAA;AAChD,EAAA,MAAM,cAAA,GAAiB,IAAA;AAAA,IACrB,UAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,MAAM,iBAAiB,aAAA,EAAc;AAErC,EAAA,MAAM,QAAA,GAA8B;AAAA,IAClC,gBAAA,EAAkB,KAAA;AAAA,IAClB,GAAA,EAAK,MAAA;AAAA,IACL,eAAA,EAAiB,cAAA;AAAA,IACjB,yBAAA,EAA2B,YAAY,cAAc,CAAA;AAAA,IACrD,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AAEA,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,UAAA,EAAY,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AAAA,IACvC,IAAA,EAAM,WAAA;AAAA,IACN,KAAA,EAAO,WAAA;AAAA,IACP,SAAA,EAAW,cAAA;AAAA,IACX,aAAa,SAAA,CAAU,KAAA;AAAA,IACvB,OAAA,EAAS,MAAA;AAAA,IACT,WAAW,SAAA,CAAU,GAAA;AAAA,IACrB,cAAc,SAAA,CAAU;AAAA,GAC1B;AAEA,EAAA,OAAO,EAAE,UAAU,OAAA,EAAQ;AAC7B;AAMO,SAAS,iBAAA,CACd,QAAA,EACA,OAAA,EACA,eAAA,EACA,WACA,UAAA,EACkF;AAElF,EAAA,IAAI,QAAA,CAAS,qBAAqB,KAAA,EAAO;AACvC,IAAA,OAAO,EAAE,KAAA,EAAO,CAAA,8BAAA,EAAiC,QAAA,CAAS,gBAAgB,CAAA,CAAA,EAAG;AAAA,EAC/E;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,QAAA,CAAS,GAAG,CAAA;AACxC,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,OAAO,EAAE,OAAO,CAAA,mCAAA,EAAsC,SAAA,CAAU,OAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,EAAG;AAAA,EACtF;AAGA,EAAA,MAAM,kBAAA,GAAqB,aAAA,CAAc,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AAC/D,EAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,OAAA,CAAQ,SAAS,CAAA;AACrD,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,QAAA,CAAS,yBAAyB,CAAA;AAE5E,EAAA,MAAM,mBAAA,GAAsB,MAAA;AAAA,IAC1B,aAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF;AACA,EAAA,IAAI,CAAC,mBAAA,EAAqB;AACxB,IAAA,OAAO,EAAE,OAAO,uEAAA,EAAmE;AAAA,EACrF;AAGA,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,EAAE,OAAO,mCAAA,EAAoC;AAAA,EACtD;AAGA,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,QAAA,CAAS,eAAe,CAAA;AAClE,EAAA,MAAM,uBAAA,GAA0B,IAAA;AAAA,IAC9B,mBAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,EAAA,MAAM,UAAA,GAAkC;AAAA,IACtC,gBAAA,EAAkB,KAAA;AAAA,IAClB,yBAAA,EAA2B,YAAY,uBAAuB,CAAA;AAAA,IAC9D,YAAA,EAAc;AAAA,GAChB;AAGA,EAAA,MAAM,mBAAmB,SAAA,CAAU,iBAAA;AACnC,EAAA,MAAM,SAAA,GAAY,gBAAgB,gBAAgB,CAAA;AAElD,EAAA,MAAM,MAAA,GAA0B;AAAA,IAC9B,iBAAiB,SAAA,CAAU,eAAA;AAAA,IAC3B,kBAAkB,QAAA,CAAS,GAAA;AAAA,IAC3B,QAAA,EAAU,IAAA;AAAA,IACV,iBAAA,EAAmB,gBAAA;AAAA,IACnB,UAAA,EAAY,SAAA;AAAA,IACZ,YAAA,EAAc,GAAA;AAAA,IACd,YAAY,SAAA,CAAU,UAAA;AAAA,IACtB,QAAQ;AAAC,GACX;AAEA,EAAA,OAAO,EAAE,YAAY,MAAA,EAAO;AAC9B;AAMO,SAAS,gBAAA,CACd,YACA,OAAA,EACiB;AACjB,EAAA,MAAM,SAAmB,EAAC;AAE1B,EAAA,IAAI,CAAC,QAAQ,SAAA,EAAW;AACtB,IAAA,OAAO;AAAA,MACL,eAAA,EAAiB,SAAA;AAAA,MACjB,kBAAkB,OAAA,CAAQ,OAAA;AAAA;AAAA,MAC1B,QAAA,EAAU,KAAA;AAAA,MACV,iBAAA,EAAmB,YAAA;AAAA,MACnB,UAAA,EAAY,YAAA;AAAA,MACZ,cAAc,UAAA,CAAW,YAAA;AAAA,MACzB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,MAAA,EAAQ,CAAC,mCAAmC;AAAA,KAC9C;AAAA,EACF;AAGA,EAAA,MAAM,kBAAA,GAAqB,aAAA,CAAc,OAAA,CAAQ,SAAA,CAAU,SAAS,CAAA;AACpE,EAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,OAAA,CAAQ,SAAS,CAAA;AACrD,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,UAAA,CAAW,yBAAyB,CAAA;AAE9E,EAAA,MAAM,mBAAA,GAAsB,MAAA;AAAA,IAC1B,aAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,mBAAA,EAAqB;AACxB,IAAA,MAAA,CAAO,KAAK,uEAAkE,CAAA;AAAA,EAChF;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,OAAA,CAAQ,SAAS,CAAA;AAC7C,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,MAAA,CAAO,IAAA,CAAK,GAAG,SAAA,CAAU,MAAM,CAAA;AAAA,EACjC;AAEA,EAAA,MAAM,QAAA,GAAW,OAAO,MAAA,KAAW,CAAA;AACnC,EAAA,MAAM,gBAAA,GAAqC,QAAA,GACtC,SAAA,CAAU,iBAAA,GACX,YAAA;AAEJ,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,OAAA,CAAQ,SAAA,CAAU,IAAA,CAAK,WAAA;AAAA,IACxC,kBAAkB,OAAA,CAAQ,SAAA;AAAA,IAC1B,QAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,UAAA,EAAY,gBAAgB,gBAAgB,CAAA;AAAA,IAC5C,cAAc,UAAA,CAAW,YAAA;AAAA,IACzB,UAAA,EAAY,OAAA,CAAQ,SAAA,CAAU,IAAA,CAAK,UAAA;AAAA,IACnC;AAAA,GACF;AACF;AAKA,SAAS,gBAAgB,KAAA,EAAoC;AAC3D,EAAA,QAAQ,KAAA;AAAO,IACb,KAAK,MAAA;AACH,MAAA,OAAO,oBAAA;AAAA,IACT,KAAK,UAAA;AACH,MAAA,OAAO,mBAAA;AAAA,IACT;AACE,MAAA,OAAO,YAAA;AAAA;AAEb;;;ACrPO,SAAS,oBAAA,CACd,MAAA,EACA,eAAA,EACA,SAAA,EACA,QAAA,EAC6E;AAE7E,EAAA,MAAM,QAAA,uBAAe,GAAA,EAA8B;AAEnD,EAAA,MAAM,gBAAA,uBAAuB,GAAA,EAA6B;AAE1D,EAAA,MAAM,OAAA,GAA+B;AAAA,IACnC,MAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,+LAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,GAAA,GAAM,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC,OAAO,CAAA;AACvE,QAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,GAAA,EAAK,CAAA;AAAA,QAClC;AAEA,QAAA,MAAM,EAAE,SAAA,EAAW,OAAA,EAAQ,GAAI,kBAAkB,GAAG,CAAA;AACpD,QAAA,QAAA,CAAS,GAAA,CAAI,OAAA,CAAQ,UAAA,EAAY,OAAO,CAAA;AAExC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,oBAAA,EAAsB,GAAA,CAAI,KAAK,WAAW,CAAA;AAEhE,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,SAAA;AAAA,UACA,YAAA,EACE;AAAA,SAEH,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,oJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,WAAW;AAAA,OACxB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AAGvB,QAAA,MAAM,GAAA,GAAM,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC,OAAO,CAAA;AACvE,QAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,GAAA,EAAK,CAAA;AAAA,QAClC;AAEA,QAAA,MAAM,MAAA,GAAS,kBAAA;AAAA,UACb,SAAA;AAAA,UACA,GAAA;AAAA,UACA,eAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,UAAA,QAAA,CAAS,OAAO,IAAA,EAAM,mBAAA,EAAqB,IAAI,IAAA,CAAK,WAAA,EAAa,QAAW,SAAS,CAAA;AACrF,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,CAAO,OAAO,CAAA;AAAA,QAC3C;AAEA,QAAA,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,OAAA,CAAQ,UAAA,EAAY,OAAO,OAAO,CAAA;AAEtD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,GAAA,CAAI,KAAK,WAAW,CAAA;AAE/D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,UAAA,EAAY,OAAO,OAAA,CAAQ,UAAA;AAAA,UAC3B,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,YAAA,EACE,kJAAA;AAAA;AAAA,UAGF,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,wJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAA,EAAc,UAAU;AAAA,OACrC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,UAAA;AACvB,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAEtB,QAAA,MAAM,OAAA,GAAU,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACtC,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,4BAAA,EAA+B,SAAS,IAAI,CAAA;AAAA,QACzE;AACA,QAAA,IAAI,OAAA,CAAQ,UAAU,WAAA,EAAa;AACjC,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,qBAAA,EAAwB,OAAA,CAAQ,KAAK,CAAA,uBAAA;AAAA,WAC7C,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,iBAAA;AAAA,UACb,QAAA;AAAA,UACA,OAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,UAAA,OAAA,CAAQ,KAAA,GAAQ,QAAA;AAChB,UAAA,QAAA,CAAS,MAAA,CAAO,MAAM,oBAAA,EAAsB,OAAA,CAAQ,QAAQ,IAAA,CAAK,WAAA,EAAa,QAAW,SAAS,CAAA;AAClG,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,CAAO,OAAO,CAAA;AAAA,QAC3C;AAEA,QAAA,OAAA,CAAQ,KAAA,GAAQ,WAAA;AAChB,QAAA,OAAA,CAAQ,YAAY,QAAA,CAAS,GAAA;AAC7B,QAAA,OAAA,CAAQ,cAAc,QAAA,CAAS,eAAA;AAC/B,QAAA,OAAA,CAAQ,SAAS,MAAA,CAAO,MAAA;AAGxB,QAAA,gBAAA,CAAiB,GAAA,CAAI,MAAA,CAAO,MAAA,CAAO,eAAA,EAAiB,OAAO,MAAM,CAAA;AAEjE,QAAA,QAAA,CAAS,OAAO,IAAA,EAAM,oBAAA,EAAsB,OAAA,CAAQ,OAAA,CAAQ,KAAK,WAAW,CAAA;AAE5E,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,QAAQ,MAAA,CAAO,MAAA;AAAA,UACf,YAAA,EACE,+JAAA;AAAA;AAAA,UAGF,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,2FAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAY;AAAA,OACzB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,UAAA;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AAExB,QAAA,MAAM,OAAA,GAAU,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACtC,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,4BAAA,EAA+B,SAAS,IAAI,CAAA;AAAA,QACzE;AAGA,QAAA,IAAI,cAAc,OAAA,CAAQ,IAAA,KAAS,WAAA,IAAe,OAAA,CAAQ,UAAU,WAAA,EAAa;AAC/E,UAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,UAAA,EAAY,OAAO,CAAA;AACnD,UAAA,OAAA,CAAQ,KAAA,GAAQ,MAAA,CAAO,QAAA,GAAW,WAAA,GAAc,QAAA;AAChD,UAAA,OAAA,CAAQ,MAAA,GAAS,MAAA;AAGjB,UAAA,IAAI,OAAO,QAAA,EAAU;AACnB,YAAA,gBAAA,CAAiB,GAAA,CAAI,MAAA,CAAO,eAAA,EAAiB,MAAM,CAAA;AAAA,UACrD;AAEA,UAAA,QAAA,CAAS,MAAA;AAAA,YACP,IAAA;AAAA,YACA,6BAAA;AAAA,YACA,OAAA,CAAQ,QAAQ,IAAA,CAAK,WAAA;AAAA,YACrB,MAAA;AAAA,YACA,MAAA,CAAO,WAAW,SAAA,GAAY;AAAA,WAChC;AAEA,UAAA,OAAO,UAAA,CAAW,EAAE,MAAA,EAAQ,CAAA;AAAA,QAC9B;AAGA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,MAAM,OAAA,CAAQ,IAAA;AAAA,UACd,OAAO,OAAA,CAAQ,KAAA;AAAA,UACf,cAAc,OAAA,CAAQ,YAAA;AAAA,UACtB,MAAA,EAAQ,QAAQ,MAAA,IAAU;AAAA,SAC3B,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,OAAO,gBAAA,EAAiB;AACnC;;;AC1PA,IAAM,oBAAA,GAA+C;AAAA,EACnD,mBAAA,EAAqB,IAAA;AAAA,EACrB,kBAAA,EAAoB,IAAA;AAAA,EACpB,iBAAA,EAAmB,KAAA;AAAA,EACnB,mBAAA,EAAqB,CAAC,0BAA0B;AAClD,CAAA;AAEO,IAAM,qBAAN,MAAyB;AAAA,EACtB,KAAA,uBAAY,GAAA,EAA4B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMhD,qBAAA,CACE,MAAA,EACA,OAAA,EACA,YAAA,EACgB;AAChB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,OAAO,eAAe,CAAA;AACtD,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,MAAM,IAAA,GAAuB;AAAA,MAC3B,SAAS,MAAA,CAAO,eAAA;AAAA,MAChB,QAAA,EAAU,OAAA;AAAA,MACV,UAAA,EAAY,UAAU,UAAA,IAAc,GAAA;AAAA,MACpC,gBAAgB,MAAA,CAAO,YAAA;AAAA,MACvB,UAAA,EAAY,0BAAA,CAA2B,MAAA,CAAO,UAAU,CAAA;AAAA,MACxD,gBAAA,EAAkB,MAAA;AAAA,MAClB,YAAA,EAAc;AAAA,QACZ,GAAG,oBAAA;AAAA,QACH,GAAI,QAAA,EAAU,YAAA,IAAgB,EAAC;AAAA,QAC/B,GAAI,gBAAgB;AAAC,OACvB;AAAA,MACA,MAAA,EAAQ,OAAO,QAAA,IAAY,IAAI,KAAK,MAAA,CAAO,UAAU,CAAA,mBAAI,IAAI,IAAA;AAAK,KACpE;AAGA,IAAA,IAAI,CAAC,KAAK,MAAA,EAAQ;AAChB,MAAA,IAAA,CAAK,UAAA,GAAa,eAAA;AAAA,IACpB;AAEA,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,MAAA,CAAO,eAAA,EAAiB,IAAI,CAAA;AAC3C,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAQ,MAAA,EAAuC;AAC7C,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,MAAM,CAAA;AAClC,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAGlB,IAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAI,IAAA,CAAK,IAAA,CAAK,iBAAiB,UAAU,CAAA,oBAAK,IAAI,IAAA,EAAK,EAAG;AAC3E,MAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AACd,MAAA,IAAA,CAAK,UAAA,GAAa,eAAA;AAAA,IACpB;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,MAAA,EAAsD;AAC9D,IAAA,MAAM,QAAQ,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAQ,CAAA;AAG5C,IAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,MAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAI,IAAA,CAAK,IAAA,CAAK,iBAAiB,UAAU,CAAA,oBAAK,IAAI,IAAA,EAAK,EAAG;AAC3E,QAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AACd,QAAA,IAAA,CAAK,UAAA,GAAa,eAAA;AAAA,MACpB;AAAA,IACF;AAEA,IAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,MAAA,OAAO,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA,KAAM,EAAE,MAAM,CAAA;AAAA,IACrC;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAA,CACE,MAAA,EACA,sBAAA,GAAiC,CAAA,EACjC,eAAA,EACqB;AACrB,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA;AAChC,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,MAAA;AAAA,QACT,gBAAA,EAAkB,YAAA;AAAA,QAClB,iBAAA,EAAmB,KAAA;AAAA,QACnB,wBAAA,EAA0B,CAAA;AAAA,QAC1B,WAAA,EAAa,MAAA;AAAA,QACb,OAAA,EAAS,CAAC,uCAAuC,CAAA;AAAA,QACjD,YAAA,EAAc;AAAA,OAChB;AAAA,IACF;AAEA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,IAAI,KAAA,GAAQ,CAAA;AAGZ,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,OAAA,CAAQ,KAAK,kCAAkC,CAAA;AAC/C,MAAA,KAAA,IAAS,CAAA;AAAA,IACX,CAAA,MAAO;AACL,MAAA,OAAA,CAAQ,KAAK,oCAAoC,CAAA;AACjD,MAAA,KAAA,IAAS,CAAA;AAAA,IACX;AAGA,IAAA,QAAQ,KAAK,UAAA;AAAY,MACvB,KAAK,oBAAA;AACH,QAAA,OAAA,CAAQ,KAAK,oDAA+C,CAAA;AAC5D,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA,MACF,KAAK,mBAAA;AACH,QAAA,OAAA,CAAQ,KAAK,6DAAwD,CAAA;AACrE,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA,MACF,KAAK,eAAA;AACH,QAAA,OAAA,CAAQ,KAAK,wDAAmD,CAAA;AAChE,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA,MACF,KAAK,YAAA;AACH,QAAA,OAAA,CAAQ,KAAK,wCAAmC,CAAA;AAChD,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA;AAIJ,IAAA,IAAI,yBAAyB,EAAA,EAAI;AAC/B,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,4BAAA,EAA+B,sBAAsB,CAAA,qBAAA,CAAuB,CAAA;AACzF,MAAA,KAAA,IAAS,CAAA;AAAA,IACX,CAAA,MAAA,IAAW,yBAAyB,CAAA,EAAG;AACrC,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,0BAAA,EAA6B,sBAAsB,CAAA,qBAAA,CAAuB,CAAA;AACvF,MAAA,KAAA,IAAS,CAAA;AAAA,IACX,CAAA,MAAO;AACL,MAAA,OAAA,CAAQ,KAAK,+BAA+B,CAAA;AAAA,IAC9C;AAGA,IAAA,IAAI,oBAAoB,MAAA,EAAW;AACjC,MAAA,IAAI,mBAAmB,EAAA,EAAI;AACzB,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,uBAAA,EAA0B,eAAe,CAAA,CAAA,CAAG,CAAA;AACzD,QAAA,KAAA,IAAS,CAAA;AAAA,MACX,CAAA,MAAA,IAAW,mBAAmB,EAAA,EAAI;AAChC,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,2BAAA,EAA8B,eAAe,CAAA,CAAA,CAAG,CAAA;AAC7D,QAAA,KAAA,IAAS,CAAA;AAAA,MACX,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,sBAAA,EAAyB,eAAe,CAAA,CAAA,CAAG,CAAA;AAAA,MAC1D;AAAA,IACF;AAGA,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAA,IAAS,GAAG,WAAA,GAAc,MAAA;AAAA,SAAA,IACrB,KAAA,IAAS,GAAG,WAAA,GAAc,QAAA;AAAA,SAAA,IAC1B,KAAA,IAAS,GAAG,WAAA,GAAc,KAAA;AAAA,SAC9B,WAAA,GAAc,MAAA;AAEnB,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,MAAA;AAAA,MACT,kBAAkB,IAAA,CAAK,UAAA;AAAA,MACvB,mBAAmB,IAAA,CAAK,MAAA;AAAA,MACxB,gBAAA,EAAkB,eAAA;AAAA,MAClB,wBAAA,EAA0B,sBAAA;AAAA,MAC1B,WAAA;AAAA,MACA,OAAA;AAAA,MACA,YAAA,EAAc;AAAA,KAChB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,MAAA,EAAyB;AAClC,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,MAAM,CAAA;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAA,GAAoD;AAClD,IAAA,MAAM,OAAA,uBAAc,GAAA,EAA6B;AACjD,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,KAAK,KAAA,EAAO;AACnC,MAAA,IAAI,KAAK,MAAA,EAAQ;AACf,QAAA,OAAA,CAAQ,GAAA,CAAI,EAAA,EAAI,IAAA,CAAK,gBAAgB,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;ACzNO,SAAS,qBAAA,CACd,UACA,gBAAA,EAC2D;AAC3D,EAAA,MAAM,QAAA,GAAW,IAAI,kBAAA,EAAmB;AAExC,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,oLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAA,EAAQ,UAAA,EAAY,QAAQ,CAAA;AAAA,YACnC,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AAEpB,QAAA,QAAQ,MAAA;AAAQ,UACd,KAAK,MAAA,EAAQ;AACX,YAAA,MAAM,KAAA,GAAQ,SAAS,SAAA,CAAU;AAAA,cAC/B,aAAa,IAAA,CAAK;AAAA,aACnB,CAAA;AAED,YAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,QAAA,EAAU;AAAA,cACvD,YAAY,KAAA,CAAM;AAAA,aACnB,CAAA;AAED,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,gBACvB,SAAS,CAAA,CAAE,OAAA;AAAA,gBACX,UAAU,CAAA,CAAE,QAAA;AAAA,gBACZ,YAAY,CAAA,CAAE,UAAA;AAAA,gBACd,QAAQ,CAAA,CAAE,MAAA;AAAA,gBACV,YAAY,CAAA,CAAE,UAAA;AAAA,gBACd,gBAAgB,CAAA,CAAE,cAAA;AAAA,gBAClB,cAAc,CAAA,CAAE;AAAA,eAClB,CAAE,CAAA;AAAA,cACF,OAAO,KAAA,CAAM;AAAA,aACd,CAAA;AAAA,UACH;AAAA,UAEA,KAAK,UAAA,EAAY;AACf,YAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,YAAA,MAAM,UAAU,IAAA,CAAK,QAAA;AAErB,YAAA,IAAI,CAAC,MAAA,IAAU,CAAC,OAAA,EAAS;AACvB,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO;AAAA,eACR,CAAA;AAAA,YACH;AAGA,YAAA,MAAM,QAAA,GAAW,gBAAA,CAAiB,GAAA,CAAI,MAAM,CAAA;AAC5C,YAAA,IAAI,CAAC,QAAA,EAAU;AACb,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO,0CAA0C,MAAM,CAAA,mEAAA;AAAA,eAExD,CAAA;AAAA,YACH;AAEA,YAAA,IAAI,CAAC,SAAS,QAAA,EAAU;AACtB,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO,mBAAmB,MAAM,CAAA,sEAAA;AAAA,eAEjC,CAAA;AAAA,YACH;AAEA,YAAA,MAAM,IAAA,GAAO,QAAA,CAAS,qBAAA,CAAsB,QAAA,EAAU,OAAO,CAAA;AAE7D,YAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,0BAAA,EAA4B,QAAA,EAAU;AAAA,cAC1D,OAAA,EAAS,MAAA;AAAA,cACT,QAAA,EAAU,OAAA;AAAA,cACV,YAAY,IAAA,CAAK;AAAA,aAClB,CAAA;AAED,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,UAAA,EAAY,IAAA;AAAA,cACZ,SAAS,IAAA,CAAK,OAAA;AAAA,cACd,YAAY,IAAA,CAAK,UAAA;AAAA,cACjB,QAAQ,IAAA,CAAK,MAAA;AAAA,cACb,cAAc,IAAA,CAAK;AAAA,aACpB,CAAA;AAAA,UACH;AAAA,UAEA,KAAK,QAAA,EAAU;AACb,YAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,YAAA,IAAI,CAAC,MAAA,EAAQ;AACX,cAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,kCAAA,EAAoC,CAAA;AAAA,YACjE;AAEA,YAAA,MAAM,OAAA,GAAU,QAAA,CAAS,UAAA,CAAW,MAAM,CAAA;AAE1C,YAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,wBAAA,EAA0B,QAAA,EAAU;AAAA,cACxD,OAAA,EAAS,MAAA;AAAA,cACT;AAAA,aACD,CAAA;AAED,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,OAAA;AAAA,cACA,OAAA,EAAS;AAAA,aACV,CAAA;AAAA,UACH;AAAA,UAEA;AACE,YAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,gBAAA,EAAmB,MAAM,IAAI,CAAA;AAAA;AAC5D,MACF;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,qCAAA;AAAA,MACN,WAAA,EACE,sLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,wBAAA,EAA0B;AAAA,YACxB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAS;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,QAAA,MAAM,WAAA,GAAe,KAAK,wBAAA,IAAuC,CAAA;AACjE,QAAA,MAAM,WAAW,IAAA,CAAK,gBAAA;AAEtB,QAAA,MAAM,UAAA,GAAa,QAAA,CAAS,aAAA,CAAc,MAAA,EAAQ,aAAa,QAAQ,CAAA;AAEvE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,2BAAA,EAA6B,QAAA,EAAU;AAAA,UAC3D,OAAA,EAAS,MAAA;AAAA,UACT,aAAa,UAAA,CAAW,WAAA;AAAA,UACxB,kBAAkB,UAAA,CAAW;AAAA,SAC9B,CAAA;AAED,QAAA,OAAO,WAAW,UAAU,CAAA;AAAA,MAC9B;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,iIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,QAAA,GAAW,SAAS,SAAA,EAAU;AACpC,QAAA,MAAM,cAAc,QAAA,CAAS,SAAA,CAAU,EAAE,WAAA,EAAa,MAAM,CAAA;AAG5D,QAAA,MAAM,UAAA,GAAqC;AAAA,UACzC,oBAAA,EAAsB,CAAA;AAAA,UACtB,mBAAA,EAAqB,CAAA;AAAA,UACrB,eAAA,EAAiB,CAAA;AAAA,UACjB,YAAA,EAAc;AAAA,SAChB;AACA,QAAA,KAAA,MAAW,QAAQ,QAAA,EAAU;AAC3B,UAAA,UAAA,CAAW,KAAK,UAAU,CAAA,GAAA,CAAK,WAAW,IAAA,CAAK,UAAU,KAAK,CAAA,IAAK,CAAA;AAAA,QACrE;AAGA,QAAA,MAAM,SAAA,GAAY;AAAA,UAChB,mBAAA,EAAqB,YAAY,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,YAAA,CAAa,mBAAmB,CAAA,CAAE,MAAA;AAAA,UACnF,kBAAA,EAAoB,YAAY,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,YAAA,CAAa,kBAAkB,CAAA,CAAE,MAAA;AAAA,UACjF,iBAAA,EAAmB,YAAY,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,YAAA,CAAa,iBAAiB,CAAA,CAAE;AAAA,SACjF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,EAAU;AAAA,UACnD,aAAa,QAAA,CAAS,MAAA;AAAA,UACtB,cAAc,WAAA,CAAY;AAAA,SAC3B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,QAAA,CAAS,MAAA;AAAA,UACtB,cAAc,WAAA,CAAY,MAAA;AAAA,UAC1B,aAAA,EAAe,QAAA,CAAS,MAAA,GAAS,WAAA,CAAY,MAAA;AAAA,UAC7C,kBAAA,EAAoB,UAAA;AAAA,UACpB,mBAAA,EAAqB,SAAA;AAAA,UACrB,gBAAA,EAAkB,YAAY,MAAA,GAAS,CAAA;AAAA,UACvC,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,OAAO,QAAA,EAAS;AAC3B;;;ACjOA,aAAA,EAAA;AAEA,aAAA,EAAA;;;ACCA,aAAA,EAAA;AAEA,YAAA,EAAA;AAgBO,SAAS,aAAa,OAAA,EAAuC;AAClE,EAAA,OAAO,aAAA,CAAc,eAAA,CAAgB,OAAO,CAAC,CAAA;AAC/C;AAUA,SAAS,gBAAgB,KAAA,EAAwB;AAC/C,EAAA,IAAI,KAAA,KAAU,MAAM,OAAO,MAAA;AAC3B,EAAA,IAAI,KAAA,KAAU,QAAW,OAAO,MAAA;AAChC,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,0CAA0C,KAAK,CAAA,6DAAA;AAAA,OAEjD;AAAA,IACF;AACA,IAAA,IAAI,MAAA,CAAO,EAAA,CAAG,KAAA,EAAO,EAAE,CAAA,EAAG;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AACA,IAAA,OAAO,IAAA,CAAK,UAAU,KAAK,CAAA;AAAA,EAC7B;AACA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,IAAA,CAAK,UAAU,KAAK,CAAA;AAC1D,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,IAAA,OAAO,GAAA,GAAM,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,eAAA,CAAgB,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EAChE;AACA,EAAA,MAAM,GAAA,GAAM,KAAA;AACZ,EAAA,MAAM,IAAA,GAAO,MAAA,CAAO,IAAA,CAAK,GAAG,EAAE,IAAA,EAAK;AACnC,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,GAAA,CAAI,CAAC,MAAM,IAAA,CAAK,SAAA,CAAU,CAAC,CAAA,GAAI,GAAA,GAAM,eAAA,CAAgB,GAAA,CAAI,CAAC,CAAC,CAAC,CAAA;AAC/E,EAAA,OAAO,GAAA,GAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AACjC;AAmBO,SAAS,sBAAA,CACd,OAAA,EACA,QAAA,EACA,qBAAA,EACA,kBAA2B,KAAA,EACT;AAClB,EAAA,MAAM,YAAA,GAAe,CAAA,OAAA,EAAU,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACxE,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,cAAA,GAAiB,aAAa,OAAO,CAAA;AAC3C,EAAA,MAAM,eAAA,GAAkB,IAAI,WAAA,EAAY,CAAE,OAAO,cAAc,CAAA;AAG/D,EAAA,MAAMjC,OAAAA,GAAS,iBAAiB,eAAe,CAAA;AAG/C,EAAA,IAAI,YAAA;AACJ,EAAA,IAAI,eAAA,IAAmB,OAAO,SAAA,CAAU,OAAA,CAAQ,MAAM,CAAA,IAAK,OAAA,CAAQ,UAAU,CAAA,EAAG;AAC9E,IAAA,MAAM,QAAA,GAAW,wBAAA,CAAyB,OAAA,CAAQ,MAAM,CAAA;AACxD,IAAA,YAAA,GAAe;AAAA,MACb,YAAY,QAAA,CAAS,UAAA;AAAA,MACrB,iBAAiB,QAAA,CAAS;AAAA,KAC5B;AAAA,EACF;AAIA,EAAA,MAAM,iBAAA,GAAoB;AAAA,IACxB,oBAAA,EAAsB,YAAA;AAAA,IACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,mBAAmBA,OAAAA,CAAO,UAAA;AAAA,IAC1B,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,eAAe,QAAA,CAAS,GAAA;AAAA,IACxB,YAAA,EAAc,GAAA;AAAA,IACd,cAAA,EAAgB;AAAA,GAClB;AAKA,EAAA,MAAM,YAAA,GAAe,aAAA,CAAc,eAAA,CAAgB,iBAAiB,CAAC,CAAA;AACrE,EAAA,MAAM,SAAA,GAAY,IAAA,CAAK,YAAA,EAAc,QAAA,CAAS,uBAAuB,qBAAqB,CAAA;AAE1F,EAAA,OAAO;AAAA,IACL,oBAAA,EAAsB,YAAA;AAAA,IACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,mBAAmBA,OAAAA,CAAO,UAAA;AAAA,IAC1B,iBAAiBA,OAAAA,CAAO,eAAA;AAAA,IACxB,eAAe,QAAA,CAAS,GAAA;AAAA,IACxB,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,IAChC,mBAAA,EAAqB,YAAA;AAAA,IACrB,YAAA,EAAc,GAAA;AAAA,IACd,cAAA,EAAgB;AAAA,GAClB;AACF;AAmBO,SAAS,sBAAA,CACd,UAAA,EACA,OAAA,EACA,kBAAA,EAC0B;AAC1B,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,kBAAkB,IAAI,WAAA,GAAc,MAAA,CAAO,YAAA,CAAa,OAAO,CAAC,CAAA;AACtE,EAAA,MAAM,WAAA,GAAc,gBAAA;AAAA,IAClB,UAAA,CAAW,iBAAA;AAAA,IACX,eAAA;AAAA,IACA,UAAA,CAAW;AAAA,GACb;AAKA,EAAA,MAAM,iBAAA,GAAoB;AAAA,IACxB,sBAAsB,UAAA,CAAW,oBAAA;AAAA,IACjC,YAAY,UAAA,CAAW,UAAA;AAAA,IACvB,mBAAmB,UAAA,CAAW,iBAAA;AAAA,IAC9B,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,eAAe,UAAA,CAAW,aAAA;AAAA,IAC1B,cAAc,UAAA,CAAW,YAAA;AAAA,IACzB,gBAAgB,UAAA,CAAW;AAAA,GAC7B;AACA,EAAA,MAAM,YAAA,GAAe,aAAA,CAAc,eAAA,CAAgB,iBAAiB,CAAC,CAAA;AACrE,EAAA,MAAM,QAAA,GAAW,aAAA,CAAc,UAAA,CAAW,SAAS,CAAA;AACnD,EAAA,MAAM,cAAA,GAAiB,MAAA,CAAO,YAAA,EAAc,QAAA,EAAU,kBAAkB,CAAA;AAGxE,EAAA,MAAM,cAAA,GAAiB,UAAA,CAAW,UAAA,KAAe,OAAA,CAAQ,UAAA;AAGzD,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,eAAA,CAAgB,OAAA,CAAQ,KAAK,CAAC,CAAA;AAC/D,EAAA,MAAM,iBAAA,GAAoB,WAAA,CAAY,IAAA,CAAK,UAAU,CAAC,CAAA;AACtD,EAAA,MAAM,cAAA,GAAiB,sBAAsB,OAAA,CAAQ,UAAA;AAGrD,EAAA,IAAI,aAAA;AACJ,EAAA,IAAI,WAAW,mBAAA,EAAqB;AAClC,IAAA,aAAA,GAAgB,wBAAA;AAAA,MACd,WAAW,mBAAA,CAAoB,UAAA;AAAA,MAC/B,OAAA,CAAQ,MAAA;AAAA,MACR,WAAW,mBAAA,CAAoB;AAAA,KACjC;AAAA,EACF;AAEA,EAAA,MAAM,QACJ,WAAA,IACA,cAAA,IACA,cAAA,IACA,cAAA,KACC,kBAAkB,MAAA,IAAa,aAAA,CAAA;AAElC,EAAA,OAAO;AAAA,IACL,KAAA;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,YAAA,EAAc,WAAA;AAAA,MACd,eAAA,EAAiB,cAAA;AAAA,MACjB,gBAAA,EAAkB,cAAA;AAAA,MAClB,gBAAA,EAAkB,cAAA;AAAA,MAClB,cAAA,EAAgB;AAAA,KAClB;AAAA,IACA,sBAAsB,UAAA,CAAW,oBAAA;AAAA,IACjC,WAAA,EAAa;AAAA,GACf;AACF;;;AD1MA,IAAM,cAAN,MAAkB;AAAA,EACR,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,oBAAoB,CAAA;AAAA,EACvE;AAAA,EAEA,MAAM,IAAA,CAAK,UAAA,EAA8B,OAAA,EAA0C;AACjF,IAAA,MAAM,MAAA,GAAS,EAAE,UAAA,EAAY,OAAA,EAAQ;AACrC,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,SAAA;AAAA,MACA,UAAA,CAAW,oBAAA;AAAA,MACX,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,YAAA,EAC6E;AAC7E,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,YAAY,CAAA;AAC3D,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF,CAAA;AAIO,SAAS,iBAAA,CACd,OAAA,EACA,SAAA,EACA,eAAA,EACA,UACA,gBAAA,EAC6B;AAC7B,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,CAAY,OAAA,EAAS,SAAS,CAAA;AACtD,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,qBAAA,GAAwB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAC/E,EAAA,MAAM,SAAA,GAAY,gBAAA,oBAAoB,IAAI,GAAA,EAA6B;AAGvE,EAAA,SAAS,gBAAgB,UAAA,EAAqC;AAC5D,IAAA,MAAM,KAAK,UAAA,GACP,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAC/B,IAAA,IAAI,CAAC,EAAA,EAAI;AACP,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,UAAA,GACI,CAAA,UAAA,EAAa,UAAU,CAAA,WAAA,CAAA,GACvB;AAAA,OACN;AAAA,IACF;AACA,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,6aAAA;AAAA,MAMF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,YAAA,EAAc;AAAA,YACZ,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,YAAA,EAAc;AAAA,YACZ,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU;AAAA,UACR,YAAA;AAAA,UACA,kBAAA;AAAA,UACA,cAAA;AAAA,UACA,cAAA;AAAA,UACA,OAAA;AAAA,UACA,YAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,OAAA,GAA4B;AAAA,UAChC,YAAY,IAAA,CAAK,UAAA;AAAA,UACjB,kBAAkB,IAAA,CAAK,gBAAA;AAAA,UACvB,cAAc,IAAA,CAAK,YAAA;AAAA,UACnB,cAAc,IAAA,CAAK,YAAA;AAAA,UACnB,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,YAAY,IAAA,CAAK,UAAA;AAAA,UACjB,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,aAAa,IAAA,CAAK,WAAA;AAAA,UAClB,iBAAiB,IAAA,CAAK;AAAA,SACxB;AAEA,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,eAAA,GAAmB,KAAK,gBAAA,IAAgC,KAAA;AAE9D,QAAA,MAAM,gBAAA,GAAmB,sBAAA;AAAA,UACvB,OAAA;AAAA,UACA,QAAA;AAAA,UACA,qBAAA;AAAA,UACA;AAAA,SACF;AAGA,QAAA,MAAM,WAAA,CAAY,IAAA,CAAK,gBAAA,EAAkB,OAAO,CAAA;AAEhD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC3D,sBAAsB,gBAAA,CAAiB,oBAAA;AAAA,UACvC,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,cAAc,OAAA,CAAQ,YAAA,KAAiB,SAAS,GAAA,GAC5C,OAAA,CAAQ,eACR,OAAA,CAAQ;AAAA,SACb,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,sBAAsB,gBAAA,CAAiB,oBAAA;AAAA,UACvC,YAAY,gBAAA,CAAiB,UAAA;AAAA,UAC7B,mBAAmB,gBAAA,CAAiB,iBAAA;AAAA,UACpC,eAAe,gBAAA,CAAiB,aAAA;AAAA,UAChC,WAAW,gBAAA,CAAiB,SAAA;AAAA,UAC5B,mBAAA,EAAqB,iBAAiB,mBAAA,GAClC,EAAE,YAAY,gBAAA,CAAiB,mBAAA,CAAoB,YAAW,GAC9D,MAAA;AAAA,UACJ,cAAc,gBAAA,CAAiB,YAAA;AAAA,UAC/B,gBAAgB,gBAAA,CAAiB,cAAA;AAAA,UACjC,IAAA,EAAM;AAAA,SAGP,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,uUAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,oBAAA,EAAsB;AAAA,YACpB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,oBAAA,EAAsB;AAAA,YACpB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AAGJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,sBAAsB;AAAA,OACnC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAe,IAAA,CAAK,oBAAA;AAC1B,QAAA,MAAM,oBAAoB,IAAA,CAAK,oBAAA;AAG/B,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA;AACjD,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,sBAAsB,YAAY,CAAA,WAAA;AAAA,WAC1C,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,EAAE,UAAA,EAAY,gBAAA,EAAkB,OAAA,EAAQ,GAAI,MAAA;AAGlD,QAAA,IAAI,SAAA;AACJ,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,SAAA,GAAY,cAAc,iBAAiB,CAAA;AAAA,QAC7C,CAAA,MAAO;AAEL,UAAA,MAAM,eAAA,GAAkB,gBAAgB,IAAA,EAAK;AAC7C,UAAA,MAAM,KAAA,GAAQ,gBAAgB,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,GAAA,KAAQ,iBAAiB,aAAa,CAAA;AAClF,UAAA,IAAI,CAAC,KAAA,EAAO;AACV,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,CAAA,yCAAA,EAA4C,gBAAA,CAAiB,aAAa,CAAA,0DAAA;AAAA,aAElF,CAAA;AAAA,UACH;AACA,UAAA,SAAA,GAAY,aAAA,CAAc,MAAM,UAAU,CAAA;AAAA,QAC5C;AAEA,QAAA,MAAM,MAAA,GAAS,sBAAA,CAAuB,gBAAA,EAAkB,OAAA,EAAS,SAAS,CAAA;AAE1E,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,EAAU;AAAA,UAC/C,oBAAA,EAAsB,YAAA;AAAA,UACtB,YAAY,gBAAA,CAAiB,UAAA;AAAA,UAC7B,OAAO,MAAA,CAAO;AAAA,SACf,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,GAAG,MAAA;AAAA,UACH,YAAY,gBAAA,CAAiB,UAAA;AAAA,UAC7B,eAAe,gBAAA,CAAiB,aAAA;AAAA;AAAA,UAEhC,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,+WAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,oBAAA,EAAsB;AAAA,YACpB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAU,UAAU,CAAA;AAAA,YACnD,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WACJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,sBAAA,EAAwB,gBAAgB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAe,IAAA,CAAK,oBAAA;AAC1B,QAAA,MAAM,gBAAgB,IAAA,CAAK,cAAA;AAK3B,QAAA,MAAM,OAAA,GAAW,IAAA,CAAK,OAAA,IAAsC,EAAC;AAC7D,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAGxB,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA;AACjD,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,sBAAsB,YAAY,CAAA,WAAA;AAAA,WAC1C,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,EAAE,SAAQ,GAAI,MAAA;AACpB,QAAA,MAAM,QAAA,GAAW,gBAAgB,UAAU,CAAA;AAG3C,QAAA,MAAM,kBACJ,OAAA,CAAQ,YAAA,KAAiB,SAAS,GAAA,GAC9B,OAAA,CAAQ,eACR,OAAA,CAAQ,YAAA;AAId,QAAA,MAAM,oBAAA,GAAuB,eAAA,CAAgB,IAAA,EAAK,CAAE,IAAA;AAAA,UAClD,CAAC,EAAA,KAAO,eAAA,CAAgB,IAAI,EAAA,CAAG,WAAW,GAAG,GAAA,KAAQ;AAAA,SACvD;AACA,QAAA,MAAM,QAAA,GAAyB,WAAA,CAAY,eAAA,EAAiB,SAAA,EAAW,oBAAoB,CAAA;AAC3F,QAAA,MAAM,OAAO,QAAA,CAAS,gBAAA;AAGtB,QAAA,MAAM,WAAA,GAAc;AAAA,UAClB,GAAG,OAAA;AAAA,UACH,oBAAoB,OAAA,CAAQ;AAAA,SAC9B;AAGA,QAAA,MAAM,WAAA,GAAc,MAAM,eAAA,CAAgB,MAAA;AAAA,UACxC,OAAA,CAAQ,UAAA;AAAA;AAAA,UACR,eAAA;AAAA,UACA;AAAA,YACE,IAAA,EAAM,aAAA;AAAA,YACN,MAAA,EAAQ,aAAA;AAAA,YACR,OAAA,EAAS;AAAA,WACX;AAAA,UACA,kBAAA;AAAA;AAAA,UACA,QAAA;AAAA,UACA,qBAAA;AAAA,UACA,MAAA;AAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC3D,oBAAA,EAAsB,YAAA;AAAA,UACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,cAAA,EAAgB,YAAY,WAAA,CAAY,cAAA;AAAA,UACxC,gBAAA,EAAkB,eAAA;AAAA,UAClB,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAED,QAAA,MAAM,MAAA,GAAS,aAAa,IAAI,CAAA;AAEhC,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAA,EAAgB,YAAY,WAAA,CAAY,cAAA;AAAA,UACxC,oBAAA,EAAsB,YAAA;AAAA,UACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,gBAAA,EAAkB,eAAA;AAAA,UAClB,cAAA,EAAgB,aAAA;AAAA,UAChB,gBAAA,EAAkB,IAAA;AAAA,UAClB,aAAa,WAAA,CAAY,WAAA;AAAA,UACzB,IAAA,EAAM,CAAA,+EAAA,EAC8B,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,EAAA;AAAA,SAC5D,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;AE9YA,SAAS,iBAAiB,GAAA,EAAsB;AAE9C,EAAA,IAAI,OAAA,GAAU,GAAA,CAAI,OAAA,CAAQ,aAAA,EAAe,EAAE,CAAA;AAE3C,EAAA,OAAA,GAAU,OAAA,CAAQ,OAAA,CAAQ,mBAAA,EAAqB,EAAE,CAAA;AAEjD,EAAA,OAAA,GAAU,OAAA,CAAQ,OAAA,CAAQ,cAAA,EAAgB,IAAI,CAAA;AAC9C,EAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAC3B;AAKA,eAAe,WAAW,IAAA,EAAgC;AACxD,EAAA,IAAI;AACF,IAAA,MAAMsC,gBAAO,IAAI,CAAA;AACjB,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAKA,eAAe,aAAa,IAAA,EAAsC;AAChE,EAAA,IAAI;AACF,IAAA,OAAO,MAAM/B,iBAAAA,CAAS,IAAA,EAAM,OAAO,CAAA;AAAA,EACrC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMA,eAAsB,iBAAA,CACpB,QACA,QAAA,EACiC;AACjC,EAAA,MAAM,WAAA,GAAsC;AAAA,IAC1C,mBAAA,EAAqB,IAAA;AAAA;AAAA,IACrB,mBAAmB,MAAA,CAAO,OAAA;AAAA,IAC1B,iBAAA,EAAmB,KAAA;AAAA,IACnB,gBAAA,EAAkB,IAAA;AAAA,IAClB,eAAA,EAAiB,IAAA;AAAA,IACjB,cAAc,OAAA,CAAQ,OAAA;AAAA,IACtB,UAAU,CAAA,EAAG,OAAA,CAAQ,QAAQ,CAAA,CAAA,EAAI,QAAQ,IAAI,CAAA;AAAA,GAC/C;AAEA,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,WAAA;AAAA,EACT;AAGA,EAAA,MAAM,OAAOF,UAAAA,EAAQ;AACrB,EAAA,MAAM,kBAAA,GAAqBD,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,eAAe,CAAA;AAClE,EAAA,MAAM,eAAA,GAAkBA,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,MAAM,CAAA;AACtD,EAAA,MAAM,kBAAA,GAAqBA,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,aAAa,WAAW,CAAA;AAC3E,EAAA,MAAM,iBAAA,GAAoBA,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,aAAa,QAAQ,CAAA;AAEvE,EAAA,MAAM,YAAA,GAAe,MAAM,UAAA,CAAW,kBAAkB,CAAA;AACxD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,eAAe,CAAA;AAClD,EAAA,MAAM,YAAA,GAAe,MAAM,UAAA,CAAW,kBAAkB,CAAA;AACxD,EAAA,MAAM,eAAA,GAAkB,MAAM,UAAA,CAAW,iBAAiB,CAAA;AAG1D,EAAA,IAAI,YAAA,IAAgB,gBAAgB,eAAA,EAAiB;AACnD,IAAA,WAAA,CAAY,iBAAA,GAAoB,IAAA;AAChC,IAAA,WAAA,CAAY,kBAAkB,MAAM,mBAAA;AAAA,MAClC,kBAAA;AAAA,MACA,eAAA;AAAA,MACA,kBAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,WAAA;AACT;AAKA,eAAe,oBACb,UAAA,EACA,OAAA,EACA,WAAA,EACA,YAAA,EACA,WACA,YAAA,EAC8B;AAC9B,EAAA,MAAM,KAAA,GAA6B;AAAA,IACjC,WAAA,EAAa,eAAe,UAAA,GAAa,IAAA;AAAA,IACzC,wBAAA,EAA0B,KAAA;AAAA,IAC1B,qBAAA,EAAuB,KAAA;AAAA,IACvB,oBAAoB,EAAC;AAAA,IACrB,mBAAmB,EAAC;AAAA,IACpB,gBAAA,EAAkB,KAAA;AAAA;AAAA,IAClB,gBAAA,EAAkB,KAAA;AAAA,IAClB,iBAAA,EAAmB,KAAA;AAAA,IACnB,kBAAA,EAAoB,KAAA;AAAA,IACpB,iBAAA,EAAmB;AAAA,GACrB;AAGA,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAM,GAAA,GAAM,MAAM,YAAA,CAAa,UAAU,CAAA;AACzC,IAAA,IAAI,GAAA,EAAK;AACP,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,iBAAiB,GAAG,CAAA;AAOnC,QAAA,MAAM,QAAQ,MAAA,CAAO,KAAA;AACrB,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,MAAM,iBAAiB,KAAA,CAAM,gBAAA;AAC7B,UAAA,IAAI,cAAA,EAAgB;AAClB,YAAA,MAAM,OAAA,GAAU,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAC7C,YAAA,KAAA,CAAM,wBAAA,GAA2B,OAAA,CAAQ,QAAA,CAAS,iBAAiB,CAAA;AAAA,UACrE;AAAA,QACF;AAGA,QAAA,MAAM,QAAQ,MAAA,CAAO,KAAA;AACrB,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,MAAM,UAAU,KAAA,CAAM,OAAA;AACtB,UAAA,IAAI,OAAA,EAAS;AACX,YAAA,MAAM,eAAe,OAAA,CAAQ,KAAA;AAC7B,YAAA,IAAI,YAAA,EAAc;AAChB,cAAA,KAAA,CAAM,qBAAA,GAAwB,IAAA;AAC9B,cAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,YAAA,CAAa,KAAK,CAAA,EAAG;AACrC,gBAAA,KAAA,CAAM,kBAAA,GAAqB,aAAa,KAAA,CAAM,MAAA;AAAA,kBAC5C,CAAC,IAAA,KAAyB,OAAO,IAAA,KAAS;AAAA,iBAC5C;AAAA,cACF;AAEA,cAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,YAAA,CAAa,SAAS,CAAA,EAAG;AACzC,gBAAA,KAAA,CAAM,kBAAA,GAAqB;AAAA,kBACzB,GAAG,KAAA,CAAM,kBAAA;AAAA,kBACT,GAAG,aAAa,SAAA,CAAU,MAAA;AAAA,oBACxB,CAAC,IAAA,KAAyB,OAAO,IAAA,KAAS;AAAA;AAC5C,iBACF;AAAA,cACF;AACA,cAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,YAAA,CAAa,IAAI,CAAA,EAAG;AACpC,gBAAA,KAAA,CAAM,iBAAA,GAAoB,aAAa,IAAA,CAAK,MAAA;AAAA,kBAC1C,CAAC,IAAA,KAAyB,OAAO,IAAA,KAAS;AAAA,iBAC5C;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAGA,QAAA,MAAM,aAAa,MAAA,CAAO,UAAA;AAC1B,QAAA,IAAI,cAAc,MAAA,CAAO,IAAA,CAAK,UAAU,CAAA,CAAE,SAAS,CAAA,EAAG;AACpD,UAAA,KAAA,CAAM,iBAAA,GAAoB,IAAA;AAAA,QAC5B;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,MAAM,UAAA,GAAa,MAAM,YAAA,CAAa,OAAO,CAAA;AAC7C,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,cAAA,GAAiB;AAAA,QACrB,oBAAA;AAAA,QACA,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,qBAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,KAAA,CAAM,gBAAA,GAAmB,eAAe,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,UAAU,CAAC,CAAA;AACtE,MAAA,KAAA,CAAM,iBAAA,GAAoB,4BAAA,CAA6B,IAAA,CAAK,UAAU,CAAA;AAAA,IACxE;AAAA,EACF;AAGA,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,KAAA,CAAM,gBAAA,GAAmB,KAAA;AAAA,EAC3B;AAEA,EAAA,OAAO,KAAA;AACT;;;AC3LA,IAAM,qBAAA,GAAwB,EAAA;AAC9B,IAAM,yBAAA,GAA4B,EAAA;AAClC,IAAM,yBAAA,GAA4B,CAAA;AAClC,IAAM,iBAAA,GAAoB,CAAA;AAG1B,IAAM,kBAAA,GAAqB,EAAA;AAC3B,IAAM,cAAA,GAAiB,CAAA;AACvB,IAAM,oBAAA,GAAuB,CAAA;AAC7B,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,iBAAA,GAAoB,CAAA;AAC1B,IAAM,oBAAA,GAAuB,CAAA;AAM7B,IAAM,oBAAA,GAAuB,CAAA;AAC7B,IAAM,YAAA,GAAe,CAAA;AACrB,IAAM,sBAAA,GAAyB,CAAA;AAG/B,IAAM,sBAAA,GAAyB,CAAA;AAC/B,IAAM,sBAAA,GAAyB,CAAA;AAC/B,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,oBAAA,GAAuB,CAAA;AAG7B,IAAM,cAAA,GAAyC;AAAA,EAC7C,QAAA,EAAU,CAAA;AAAA,EACV,IAAA,EAAM,CAAA;AAAA,EACN,MAAA,EAAQ,CAAA;AAAA,EACR,GAAA,EAAK;AACP,CAAA;AAKA,IAAM,kBAAA,GAAoC;AAAA,EACxC,EAAA,EAAI,gBAAA;AAAA,EACJ,IAAA,EAAM,mDAAA;AAAA,EACN,IAAA,EAAM,YAAA;AAAA,EACN,WAAA,EACE;AAEJ,CAAA;AAEA,IAAM,yBAAA,GAA2C;AAAA,EAC/C,EAAA,EAAI,mBAAA;AAAA,EACJ,IAAA,EAAM,mDAAA;AAAA,EACN,IAAA,EAAM,YAAA;AAAA,EACN,WAAA,EACE,8KAAA;AAAA,EAEF,IAAA,EAAM;AAAA,IACJ,gBAAA;AAAA,IACA,gBAAA;AAAA,IACA;AAAA;AAEJ,CAAA;AAEA,IAAM,wBAAA,GAA0C;AAAA,EAC9C,EAAA,EAAI,oBAAA;AAAA,EACJ,IAAA,EAAM,6DAAA;AAAA,EACN,IAAA,EAAM,SAAA;AAAA,EACN,WAAA,EACE;AAEJ,CAAA;AAYA,IAAM,yBAAA,GAA2C;AAAA,EAC/C,EAAA,EAAI,uBAAA;AAAA,EACJ,IAAA,EAAM,gEAAA;AAAA,EACN,IAAA,EAAM,YAAA;AAAA,EACN,WAAA,EACE;AAGJ,CAAA;AAKO,SAAS,kBAAA,CACd,KACA,MAAA,EACwB;AACxB,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAA,EAAK,MAAM,CAAA;AAC/B,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAW,CAAA;AAC/B,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAW,CAAA;AAC/B,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAW,CAAA;AAE/B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAE1B,EAAA,MAAM,YAAA,GAAe,OAAA,GAAU,OAAA,GAAU,OAAA,GAAU,OAAA;AAEnD,EAAA,MAAM,gBAAA,GAAmB,gBAAgB,EAAA,GACrC,MAAA,GACA,gBAAgB,EAAA,GACd,SAAA,GACA,YAAA,IAAgB,EAAA,GACd,SAAA,GACA,MAAA;AAER,EAAA,MAAM,OAAO,YAAA,CAAa,GAAA,EAAK,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AAC7C,EAAA,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,cAAA,CAAe,CAAA,CAAE,QAAQ,CAAA,GAAI,cAAA,CAAe,CAAA,CAAE,QAAQ,CAAC,CAAA;AAE3E,EAAA,MAAM,kBAAkB,uBAAA,CAAwB,GAAA,EAAK,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AAEnE,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,KAAA;AAAA,IACT,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IACnC,WAAA,EAAa,GAAA;AAAA,IACb,MAAA,EAAQ;AAAA,MACN,YAAA,EAAc,EAAA;AAAA,MACd,cAAA,EAAgB,EAAA;AAAA,MAChB,uBAAA,EAAyB,EAAA;AAAA,MACzB,aAAA,EAAe;AAAA,KACjB;AAAA,IACA,aAAA,EAAe,YAAA;AAAA,IACf,iBAAA,EAAmB,gBAAA;AAAA,IACnB,IAAA;AAAA,IACA;AAAA,GACF;AACF;AAIA,SAAS,QAAA,CACP,KACA,MAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,MAAM,gBAAA,GAAmB,eAAA;AACzB,EAAA,MAAM,UAAA,GAAa,kBAAkB,MAAA,GAAkB,MAAA;AACvD,EAAA,MAAM,qBAAA,GAAwB,eAAA;AAC9B,EAAA,MAAM,qBAAA,GAAwB,eAAA;AAC9B,EAAA,MAAM,aAAA,GAAgB,eAAA;AAEtB,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,QAAA,CAAS,KAAK,6CAA6C,CAAA;AAC3D,IAAA,QAAA,CAAS,IAAA,CAAK,CAAA,gBAAA,EAAmB,MAAA,CAAO,KAAA,CAAM,cAAc,CAAA,CAAE,CAAA;AAC9D,IAAA,QAAA,CAAS,IAAA,CAAK,CAAA,mBAAA,EAAsB,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA,CAAE,CAAA;AACpE,IAAA,QAAA,CAAS,KAAK,uCAAuC,CAAA;AACrD,IAAA,QAAA,CAAS,KAAK,+BAA+B,CAAA;AAAA,EAC/C;AAEA,EAAA,IAAI,GAAA,CAAI,iBAAA,IAAqB,GAAA,CAAI,eAAA,EAAiB;AAChD,IAAA,IAAI,CAAC,GAAA,CAAI,eAAA,CAAgB,gBAAA,EAAkB;AACzC,MAAA,QAAA,CAAS,KAAK,oEAAoE,CAAA;AAAA,IACpF;AACA,IAAA,IAAI,GAAA,CAAI,gBAAgB,gBAAA,EAAkB;AACxC,MAAA,QAAA,CAAS,KAAK,uDAAuD,CAAA;AAAA,IACvE;AAAA,EACF;AAEA,EAAA,MAAM,SAAS,gBAAA,IAAoB,qBAAA,GAC/B,QAAA,GACA,gBAAA,IAAoB,wBAClB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,kBAAA,EAAoB,gBAAA;AAAA,IACpB,WAAA,EAAa,UAAA;AAAA,IACb,sBAAA,EAAwB,qBAAA;AAAA,IACxB,sBAAA,EAAwB,qBAAA;AAAA,IACxB,cAAA,EAAgB,aAAA;AAAA,IAChB;AAAA,GACF;AACF;AAEA,SAAS,QAAA,CACP,KACA,OAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,IAAI,YAAA,GAAiD,MAAA;AACrD,EAAA,IAAI,0BAAA,GAA6B,KAAA;AACjC,EAAA,IAAI,mBAAA,GAAsB,KAAA;AAC1B,EAAA,IAAI,gBAAA,GAAmB,KAAA;AACvB,EAAA,IAAI,cAAA,GAAuD,MAAA;AAC3D,EAAA,IAAI,aAAA,GAAgB,KAAA;AACpB,EAAA,IAAI,yBAAA,GAAoE,MAAA;AAExE,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,YAAA,GAAe,YAAA;AACf,IAAA,0BAAA,GAA6B,IAAA;AAC7B,IAAA,mBAAA,GAAsB,IAAA;AACtB,IAAA,gBAAA,GAAmB,IAAA;AACnB,IAAA,aAAA,GAAgB,IAAA;AAChB,IAAA,QAAA,CAAS,KAAK,yCAAyC,CAAA;AACvD,IAAA,QAAA,CAAS,KAAK,wDAAwD,CAAA;AACtE,IAAA,QAAA,CAAS,KAAK,8BAA8B,CAAA;AAC5C,IAAA,QAAA,CAAS,KAAK,8DAA8D,CAAA;AAAA,EAC9E;AAEA,EAAA,IAAI,GAAA,CAAI,iBAAA,IAAqB,GAAA,CAAI,eAAA,EAAiB;AAChD,IAAA,IAAI,GAAA,CAAI,gBAAgB,wBAAA,EAA0B;AAChD,MAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,QAAA,YAAA,GAAe,QAAA;AAAA,MACjB;AACA,MAAA,QAAA,CAAS,KAAK,6DAA6D,CAAA;AAAA,IAC7E;AACA,IAAA,IAAI,GAAA,CAAI,gBAAgB,qBAAA,EAAuB;AAC7C,MAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,QAAA,cAAA,GAAiB,OAAA;AAAA,MACnB;AACA,MAAA,QAAA,CAAS,IAAA;AAAA,QACP,CAAA,gCAAA,EAAmC,IAAI,eAAA,CAAgB,kBAAA,CAAmB,MAAM,CAAA,UAAA,EAC7E,GAAA,CAAI,eAAA,CAAgB,iBAAA,CAAkB,MAAM,CAAA,QAAA;AAAA,OACjD;AAAA,IACF;AAAA,EACF;AAKA,EAAA,yBAAA,GAA4B,MAAA;AAE5B,EAAA,MAAM,MAAA,GAAS,iBAAiB,YAAA,IAAgB,mBAAA,GAC5C,WACA,YAAA,KAAiB,MAAA,IAAU,mBACzB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,aAAA,EAAe,YAAA;AAAA,IACf,4BAAA,EAA8B,0BAAA;AAAA,IAC9B,qBAAA,EAAuB,mBAAA;AAAA,IACvB,kBAAA,EAAoB,gBAAA;AAAA,IACpB,eAAA,EAAiB,kBAAkB,iBAAA,GAAoB,cAAA;AAAA,IACvD,cAAA,EAAgB,aAAA;AAAA,IAChB,2BAAA,EAA6B,yBAAA;AAAA,IAC7B;AAAA,GACF;AACF;AAEA,SAAS,QAAA,CACP,KACA,OAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,IAAI,gBAAA,GAA+D,MAAA;AACnE,EAAA,IAAI,QAAA,GAAW,KAAA;AACf,EAAA,IAAI,yBAAA,GAA4B,KAAA;AAEhC,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,gBAAA,GAAmB,iBAAA;AACnB,IAAA,QAAA,GAAW,IAAA;AACX,IAAA,yBAAA,GAA4B,IAAA;AAC5B,IAAA,QAAA,CAAS,KAAK,8CAA8C,CAAA;AAC5D,IAAA,QAAA,CAAS,KAAK,8EAAyE,CAAA;AACvF,IAAA,QAAA,CAAS,KAAK,+EAA0E,CAAA;AACxF,IAAA,QAAA,CAAS,KAAK,4CAA4C,CAAA;AAC1D,IAAA,QAAA,CAAS,KAAK,gEAAgE,CAAA;AAAA,EAChF;AAEA,EAAA,MAAM,SAAS,gBAAA,KAAqB,iBAAA,IAAqB,WACrD,QAAA,GACA,gBAAA,KAAqB,SACnB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,qBAAA,EAAuB,QAAA;AAAA,IACvB,2BAAA,EAA6B,yBAAA;AAAA,IAC7B;AAAA,GACF;AACF;AAEA,SAAS,QAAA,CACP,KACA,OAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,MAAM,kBAAA,GAAqB,eAAA;AAC3B,EAAA,MAAM,gBAAA,GAAmB,eAAA;AACzB,EAAA,MAAM,cAAA,GAAiB,eAAA;AACvB,EAAA,MAAM,gBAAA,GAAmB,eAAA;AAEzB,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,QAAA,CAAS,KAAK,2CAA2C,CAAA;AACzD,IAAA,QAAA,CAAS,KAAK,oCAAoC,CAAA;AAClD,IAAA,QAAA,CAAS,KAAK,oCAAoC,CAAA;AAClD,IAAA,QAAA,CAAS,KAAK,2CAA2C,CAAA;AAAA,EAC3D,CAAA,MAAO;AACL,IAAA,QAAA,CAAS,KAAK,wCAAwC,CAAA;AAAA,EACxD;AAEA,EAAA,MAAM,SAAS,kBAAA,IAAsB,gBAAA,IAAoB,mBACrD,QAAA,GACA,kBAAA,IAAsB,mBACpB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,mBAAA,EAAqB,kBAAA;AAAA,IACrB,iBAAA,EAAmB,gBAAA;AAAA,IACnB,0BAAA,EAA4B,cAAA;AAAA,IAC5B,uBAAA,EAAyB,gBAAA;AAAA,IACzB;AAAA,GACF;AACF;AAIA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,EAAA,CAAG,oBAAoB,KAAA,IAAS,qBAAA;AACpC,EAAA,IAAI,EAAA,CAAG,wBAAwB,KAAA,IAAS,yBAAA;AACxC,EAAA,IAAI,EAAA,CAAG,wBAAwB,KAAA,IAAS,yBAAA;AACxC,EAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,IAAS,iBAAA;AAChC,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,EAAA,CAAG,aAAA,KAAkB,YAAA,EAAc,KAAA,IAAS,kBAAA;AAAA,OAAA,IACvC,EAAA,CAAG,aAAA,KAAkB,QAAA,EAAU,KAAA,IAAS,cAAA;AACjD,EAAA,IAAI,EAAA,CAAG,8BAA8B,KAAA,IAAS,oBAAA;AAC9C,EAAA,IAAI,EAAA,CAAG,uBAAuB,KAAA,IAAS,kBAAA;AACvC,EAAA,IAAI,EAAA,CAAG,eAAA,KAAoB,iBAAA,EAAmB,KAAA,IAAS,kBAAA;AAAA,OAAA,IAC9C,EAAA,CAAG,eAAA,KAAoB,OAAA,EAAS,KAAA,IAAS,CAAA;AAClD,EAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,IAAS,iBAAA;AAEhC,EAAA,IAAI,EAAA,CAAG,2BAAA,KAAgC,UAAA,EAAY,KAAA,IAAS,oBAAA;AAAA,OAAA,IACnD,EAAA,CAAG,2BAAA,KAAgC,OAAA,EAAS,KAAA,IAAS,CAAA;AAC9D,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AAGZ,EAAA,IAAI,EAAA,CAAG,iBAAA,KAAsB,iBAAA,EAAmB,KAAA,IAAS,oBAAA;AAAA,OAAA,IAChD,EAAA,CAAG,iBAAA,KAAsB,aAAA,EAAe,KAAA,IAAS,CAAA;AAC1D,EAAA,IAAI,EAAA,CAAG,uBAAuB,KAAA,IAAS,YAAA;AACvC,EAAA,IAAI,EAAA,CAAG,6BAA6B,KAAA,IAAS,sBAAA;AAC7C,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,EAAA,CAAG,qBAAqB,KAAA,IAAS,sBAAA;AACrC,EAAA,IAAI,EAAA,CAAG,mBAAmB,KAAA,IAAS,sBAAA;AACnC,EAAA,IAAI,EAAA,CAAG,4BAA4B,KAAA,IAAS,kBAAA;AAC5C,EAAA,IAAI,EAAA,CAAG,yBAAyB,KAAA,IAAS,oBAAA;AACzC,EAAA,OAAO,KAAA;AACT;AAIA,SAAS,YAAA,CACP,GAAA,EACA,EAAA,EACA,EAAA,EACA,IACA,EAAA,EACkB;AAClB,EAAA,MAAM,OAAyB,EAAC;AAChC,EAAA,MAAM,KAAK,GAAA,CAAI,eAAA;AAGf,EAAA,IAAI,EAAA,IAAM,CAAC,EAAA,CAAG,gBAAA,EAAkB;AAC9B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,kCAAA;AAAA,MACP,WAAA,EACE,mOAAA;AAAA,MAGF,kBAAA,EACE,6GAAA;AAAA,MAEF,kBAAA,EACE,4OAAA;AAAA,MAGF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,EAAA,IAAM,GAAG,gBAAA,EAAkB;AAC7B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,iCAAA;AAAA,MACP,WAAA,EACE,0HAAA;AAAA,MAEF,kBAAA,EACE,oFAAA;AAAA,MACF,kBAAA,EACE;AAAA,KAGH,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,sBAAA,EAAwB;AAC9B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,iCAAA;AAAA,MACP,WAAA,EACE,mKAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,2IAAA,GAEA,IAAA;AAAA,MACJ,kBAAA,EACE;AAAA,KAEH,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,EAAA,CAAG,aAAA,KAAkB,QAAA,IAAY,CAAC,GAAG,4BAAA,EAA8B;AACrE,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,6CAAA;AAAA,MACP,WAAA,EACE,qKAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,kWAAA,GAKA,IAAA;AAAA,MACJ,kBAAA,EACE,uPAAA;AAAA,MAGF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH,CAAA,MAAA,IAAW,EAAA,CAAG,aAAA,KAAkB,MAAA,EAAQ;AACtC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,kBAAA;AAAA,MACP,WAAA,EACE,2EAAA;AAAA,MACF,kBAAA,EAAoB,IAAA;AAAA,MACpB,kBAAA,EACE,yJAAA;AAAA,MAEF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,EAAA,CAAG,oBAAoB,OAAA,EAAS;AAClC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,QAAA;AAAA,MACV,KAAA,EAAO,sDAAA;AAAA,MACP,WAAA,EACE,6GAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,qPAAA,GAGA,IAAA;AAAA,MACJ,kBAAA,EACE,8IAAA;AAAA,MAEF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,cAAA,EAAgB;AACtB,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,gDAAA;AAAA,MACP,WAAA,EACE,oRAAA;AAAA,MAIF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,6LAAA,GAGA,IAAA;AAAA,MACJ,kBAAA,EACE,iRAAA;AAAA,MAIF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,kBAAA,EAAoB;AAC1B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,gBAAA;AAAA,MACP,WAAA,EACE,qHAAA;AAAA,MAEF,kBAAA,EAAoB,IAAA;AAAA,MACpB,kBAAA,EACE,0GAAA;AAAA,MAEF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,EAAA,CAAG,sBAAsB,MAAA,EAAQ;AACnC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,oCAAA;AAAA,MACP,WAAA,EACE,8NAAA;AAAA,MAGF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,oMAAA,GAGA,IAAA;AAAA,MACJ,kBAAA,EACE,uUAAA;AAAA,MAIF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,CAAC,GAAG,mBAAA,EAAqB;AAC3B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,wBAAA;AAAA,MACP,WAAA,EACE,+HAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,iJAAA,GAEA,IAAA;AAAA,MACJ,kBAAA,EACE;AAAA,KAGH,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,IAAA;AACT;AAIA,SAAS,uBAAA,CACP,GAAA,EACA,EAAA,EACA,EAAA,EACA,IACA,EAAA,EACkB;AAClB,EAAA,MAAM,OAAyB,EAAC;AAEhC,EAAA,IAAI,CAAC,GAAG,sBAAA,EAAwB;AAC9B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,+FAAA;AAAA,MACR,IAAA,EAAM,2BAAA;AAAA,MACN,MAAA,EAAQ,WAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,kBAAA,IAAuB,GAAA,CAAI,mBAAmB,CAAC,GAAA,CAAI,gBAAgB,gBAAA,EAAmB;AAC5F,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,8DAAA;AAAA,MACR,IAAA,EAAM,uBAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAA,CAAK,IAAA,CAAK;AAAA,IACR,QAAA,EAAU,CAAA;AAAA,IACV,MAAA,EAAQ,mEAAA;AAAA,IACR,IAAA,EAAM,wBAAA;AAAA,IACN,MAAA,EAAQ,WAAA;AAAA,IACR,MAAA,EAAQ;AAAA,GACT,CAAA;AAED,EAAA,IAAI,EAAA,CAAG,kBAAkB,YAAA,EAAc;AACrC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,oEAAA;AAAA,MACR,IAAA,EAAM,iCAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,cAAA,EAAgB;AACtB,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,iEAAA;AAAA,MACR,IAAA,EAAM,mCAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,iBAAA,EAAmB;AACzB,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,qEAAA;AAAA,MACR,IAAA,EAAM,6BAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,2BAAA,EAA6B;AACnC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,0DAAA;AAAA,MACR,IAAA,EAAM,iCAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,IAAA;AACT;AAOO,SAAS,kBAAkB,MAAA,EAAwC;AACxE,EAAA,MAAM,EAAE,aAAa,GAAA,EAAK,MAAA,EAAQ,eAAe,iBAAA,EAAmB,IAAA,EAAM,iBAAgB,GAAI,MAAA;AAE9F,EAAA,MAAM,QAAA,GAAW,eAAe,aAAa,CAAA;AAC7C,EAAA,MAAM,UAAA,GAAa,kBAAkB,WAAA,EAAY;AAEjD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,MAAA,IAAU,8RAAA;AACV,EAAA,MAAA,IAAU,8BAAA;AACV,EAAA,MAAA,IAAU,CAAA,aAAA,EAAgB,OAAO,UAAU;AAAA,CAAA;AAC3C,EAAA,MAAA,IAAU,8RAAA;AACV,EAAA,MAAA,IAAU,IAAA;AACV,EAAA,MAAA,IAAU,CAAA,iBAAA,EAAoB,aAAa,CAAA,QAAA,EAAW,QAAQ,KAAK,UAAU;AAAA,CAAA;AAC7E,EAAA,MAAA,IAAU,IAAA;AAGV,EAAA,MAAA,IAAU,kBAAA;AACV,EAAA,MAAA,IAAU,CAAA,oBAAA,EAAkB,GAAA,CAAI,iBAAA,IAAqB,GAAG,IAAI,OAAA,CAAQ,aAAA,IAAiB,GAAA,CAAI,iBAAA,IAAqB,IAAI,CAAC,CAAA,CAAA,EAAI,GAAA,CAAI,mBAAA,GAAsB,qBAAgB,kBAAa;AAAA,CAAA;AAE9K,EAAA,IAAI,IAAI,iBAAA,EAAmB;AACzB,IAAA,MAAA,IAAU,CAAA,kBAAA,EAAgB,OAAA,CAAQ,UAAU,CAAC,CAAA;AAAA,CAAA;AAC7C,IAAA,IAAI,IAAI,eAAA,EAAiB;AACvB,MAAA,MAAA,IAAU,CAAA,kCAAA,EAAgC,QAAQ,0BAA0B,CAAC,IAAI,GAAA,CAAI,eAAA,CAAgB,wBAAA,GAA2B,gBAAA,GAAc,iBAAY;AAAA,CAAA;AAC1J,MAAA,MAAA,IAAU,CAAA,iCAAA,EAA+B,QAAQ,yBAAyB,CAAC,IAAI,GAAA,CAAI,eAAA,CAAgB,qBAAA,GAAwB,eAAA,GAAa,iBAAY;AAAA,CAAA;AAAA,IACtJ;AAAA,EACF;AAEA,EAAA,MAAA,IAAU,IAAA;AAGV,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,YAAY,CAAA;AAC3C,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,cAAc,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,uBAAuB,CAAA;AACtD,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,aAAa,CAAA;AAE5C,EAAA,MAAA,IAAU,uBAAA;AACV,EAAA,MAAA,IAAU,kTAAA;AACV,EAAA,MAAA,IAAU,4EAAA;AACV,EAAA,MAAA,IAAU,kTAAA;AACV,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,YAAA,CAAa,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AAC/G,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,cAAA,CAAe,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AACjH,EAAA,IAAI,MAAA,CAAO,eAAe,cAAA,EAAgB;AACxC,IAAA,MAAA,IAAU,CAAA;AAAA,CAAA;AAAA,EACZ;AACA,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,uBAAA,CAAwB,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AAC1H,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,aAAA,CAAc,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AAChH,EAAA,MAAA,IAAU,kTAAA;AACV,EAAA,MAAA,IAAU,IAAA;AAGV,EAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,IAAA,MAAA,IAAU,CAAA,SAAA,EAAO,KAAK,MAAM,CAAA,gBAAA,EAAmB,KAAK,MAAA,KAAW,CAAA,GAAI,MAAM,EAAE,CAAA;AAAA,CAAA;AAC3E,IAAA,MAAA,IAAU,IAAA;AACV,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,MAAM,aAAA,GAAgB,CAAA,CAAA,EAAI,GAAA,CAAI,QAAA,CAAS,aAAa,CAAA,CAAA,CAAA;AACpD,MAAA,MAAA,IAAU,KAAK,aAAa,CAAA,CAAA,EAAI,IAAI,EAAE,CAAA,EAAA,EAAK,IAAI,KAAK;AAAA,CAAA;AAEpD,MAAA,MAAM,SAAA,GAAY,QAAA,CAAS,GAAA,CAAI,WAAA,EAAa,EAAE,CAAA;AAC9C,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,MAAA,IAAU,KAAK,IAAI;AAAA,CAAA;AAAA,MACrB;AACA,MAAA,IAAI,IAAI,cAAA,EAAgB;AACtB,QAAA,MAAM,KAAK,GAAA,CAAI,cAAA;AACf,QAAA,MAAM,MAAA,GAAS,EAAA,CAAG,IAAA,EAAM,MAAA,GAAS,CAAA,EAAA,EAAK,GAAG,IAAA,CAAK,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,GAAM,EAAA;AAC9D,QAAA,MAAA,IAAU,gCAA2B,EAAA,CAAG,IAAI,GAAG,MAAM,CAAA,EAAA,EAAK,GAAG,IAAI,CAAA;AAAA,CAAA;AAAA,MACnE;AACA,MAAA,MAAA,IAAU,iBAAY,GAAA,CAAI,kBAAA,CAAmB,MAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,CAAA;AAC1D,MAAA,IAAI,IAAI,kBAAA,EAAoB;AAC1B,QAAA,MAAA,IAAU,8BAAyB,GAAA,CAAI,kBAAA,CAAmB,MAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,CAAA;AAAA,MACzE;AACA,MAAA,MAAA,IAAU,IAAA;AAAA,IACZ;AAAA,EACF,CAAA,MAAO;AACL,IAAA,MAAA,IAAU,sCAAA;AACV,IAAA,MAAA,IAAU,IAAA;AAAA,EACZ;AAGA,EAAA,IAAI,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC9B,IAAA,MAAA,IAAU,wCAAA;AACV,IAAA,KAAA,MAAW,OAAO,eAAA,EAAiB;AACjC,MAAA,MAAM,WAAA,GAAc,IAAI,MAAA,KAAW,WAAA,GAC/B,cACA,GAAA,CAAI,MAAA,KAAW,YACb,OAAA,GACA,QAAA;AACN,MAAA,MAAA,IAAU,KAAK,GAAA,CAAI,QAAQ,MAAM,WAAW,CAAA,EAAA,EAAK,IAAI,MAAM,CAAA,CAAA;AAC3D,MAAA,IAAI,IAAI,IAAA,EAAM;AACZ,QAAA,MAAA,IAAU,CAAA,EAAA,EAAK,IAAI,IAAI,CAAA,CAAA;AAAA,MACzB;AACA,MAAA,MAAA,IAAU,IAAA;AAAA,IACZ;AACA,IAAA,MAAA,IAAU,IAAA;AAAA,EACZ;AAEA,EAAA,MAAA,IAAU,8RAAA;AAEV,EAAA,OAAO,MAAA;AACT;AAIA,SAAS,eAAe,KAAA,EAAuB;AAC7C,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,KAAA,GAAQ,EAAE,CAAA;AACpC,EAAA,OAAO,GAAA,GAAM,SAAI,MAAA,CAAO,MAAM,IAAI,QAAA,CAAI,MAAA,CAAO,EAAA,GAAK,MAAM,CAAA,GAAI,GAAA;AAC9D;AAEA,SAAS,QAAQ,KAAA,EAAuB;AACtC,EAAA,MAAM,UAAA,GAAa,EAAA;AACnB,EAAA,MAAM,aAAa,IAAA,CAAK,GAAA,CAAI,GAAG,UAAA,GAAa,KAAA,CAAM,SAAS,CAAC,CAAA;AAC5D,EAAA,OAAO,GAAA,CAAI,OAAO,UAAU,CAAA;AAC9B;AAEA,SAAS,UAAU,MAAA,EAAwB;AACzC,EAAA,MAAM,KAAA,GAAQ,OAAO,WAAA,EAAY;AACjC,EAAA,OAAO,KAAA,GAAQ,IAAI,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAM,CAAC,CAAA;AACzD;AAEA,SAAS,QAAA,CAAS,OAAe,GAAA,EAAqB;AACpD,EAAA,MAAM,IAAA,GAAO,CAAA,EAAG,KAAK,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAC5B,EAAA,OAAO,GAAA,CAAI,OAAO,IAAA,CAAK,GAAA,CAAI,GAAG,CAAA,GAAI,IAAA,CAAK,MAAM,CAAC,CAAA,GAAI,IAAA;AACpD;AAEA,SAAS,QAAA,CAAS,MAAc,QAAA,EAA4B;AAC1D,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AAC5B,EAAA,MAAM,QAAkB,EAAC;AACzB,EAAA,IAAI,OAAA,GAAU,EAAA;AACd,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAI,OAAA,CAAQ,SAAS,IAAA,CAAK,MAAA,GAAS,IAAI,QAAA,IAAY,OAAA,CAAQ,SAAS,CAAA,EAAG;AACrE,MAAA,KAAA,CAAM,KAAK,OAAO,CAAA;AAClB,MAAA,OAAA,GAAU,IAAA;AAAA,IACZ,CAAA,MAAO;AACL,MAAA,OAAA,GAAU,OAAA,CAAQ,MAAA,GAAS,CAAA,GAAI,OAAA,GAAU,MAAM,IAAA,GAAO,IAAA;AAAA,IACxD;AAAA,EACF;AACA,EAAA,IAAI,OAAA,CAAQ,MAAA,GAAS,CAAA,EAAG,KAAA,CAAM,KAAK,OAAO,CAAA;AAC1C,EAAA,OAAO,KAAA;AACT;;;ACl0BO,SAAS,iBACd,MAAA,EAC6B;AAC7B,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,0QAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA;AAEJ;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,KAAK,SAAA,KAAc,KAAA;AAGpC,QAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,MAAA,EAAQ,QAAQ,CAAA;AAGpD,QAAA,MAAM,MAAA,GAAS,kBAAA,CAAmB,GAAA,EAAK,MAAM,CAAA;AAG7C,QAAA,MAAM,MAAA,GAAS,kBAAkB,MAAM,CAAA;AAEvC,QAAA,OAAO;AAAA,UACL,OAAA,EAAS;AAAA,YACP,EAAE,IAAA,EAAM,MAAA,EAAiB,IAAA,EAAM,MAAA,EAAO;AAAA,YACtC,EAAE,MAAM,MAAA,EAAiB,IAAA,EAAM,KAAK,SAAA,CAAU,MAAA,EAAQ,IAAA,EAAM,CAAC,CAAA;AAAE;AACjE,SACF;AAAA,MACF;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;;;AC1BA,aAAA,EAAA;AAEA,YAAA,EAAA;AA6EO,IAAM,kBAAA,GAAqB,GAAA;AAG3B,IAAM,gBAAA,GAAmB,EAAA;AAGzB,IAAM,sBAAA,GAAyB,GAAA;AAe/B,SAAS,aAAA,CACd,MAAA,EACA,QAAA,EACA,KAAA,EACmB;AAEnB,EAAA,MAAM,SAAA,GAAY,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,QAAQ,CAAA;AAClE,EAAA,MAAM,YAAA,GAAe,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,GAAG,CAAA;AAChE,EAAA,MAAM,cAAc,SAAA,IAAa,YAAA;AAEjC,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,MAAA,CAAO,cAAA,KAAmB,MAAA,GAAS,MAAA,GAAS,QAAA;AAAA,MACpD,MAAA,EAAQ,CAAA,0BAAA,EAA6B,QAAQ,CAAA,qBAAA,EAAwB,OAAO,cAAc,CAAA,CAAA;AAAA,KAC5F;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,MAAM,CAAA,EAAG;AAC7C,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,QAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,6BAAA,EAAgC,YAAY,QAAQ,CAAA,SAAA;AAAA,KAC7E;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,IAAI,CAAA,EAAG;AAC3C,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,gBAAA,EAAmB,YAAY,QAAQ,CAAA,SAAA;AAAA,KAChE;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,SAAS,CAAA,EAAG;AAChD,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,WAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,2BAAA,EAA8B,YAAY,QAAQ,CAAA,SAAA;AAAA,KAC3E;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,KAAK,CAAA,EAAG;AAC5C,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,iBAAA,EAAoB,YAAY,QAAQ,CAAA,SAAA;AAAA,KACjE;AAAA,EACF;AAGA,EAAA,OAAO;AAAA,IACL,KAAA;AAAA,IACA,MAAA,EAAQ,MAAA,CAAO,cAAA,KAAmB,MAAA,GAAS,MAAA,GAAS,QAAA;AAAA,IACpD,MAAA,EAAQ,UAAU,KAAK,CAAA,mBAAA,EAAsB,YAAY,QAAQ,CAAA,yBAAA,EAA4B,OAAO,cAAc,CAAA,CAAA;AAAA,GACpH;AACF;AAMO,SAAS,aAAA,CACd,MAAA,EACA,QAAA,EACA,OAAA,EACqB;AACrB,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AAClC,EAAA,IAAI,MAAA,CAAO,SAAS,kBAAA,EAAoB;AACtC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,mBAAA,EAAsB,MAAA,CAAO,MAAM,CAAA,4BAAA,EAA+B,kBAAkB,CAAA;AAAA,KACtF;AAAA,EACF;AACA,EAAA,MAAM,YAAiC,EAAC;AACxC,EAAA,IAAI,OAAA,GAAU,CAAA;AACd,EAAA,IAAI,QAAA,GAAW,CAAA;AACf,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,IAAI,UAAA,GAAa,CAAA;AACjB,EAAA,IAAI,MAAA,GAAS,CAAA;AAEb,EAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,IAAA,MAAM,MAAA,GAAS,aAAA,CAAc,MAAA,EAAQ,QAAA,EAAU,KAAK,CAAA;AAGpD,IAAA,IAAI,MAAA,CAAO,WAAW,MAAA,EAAQ;AAC5B,MAAA,MAAM,KAAA,GAAQ,OAAO,OAAA,CAAQ,KAAK,CAAA,KAAM,QAAA,GACpC,OAAA,CAAQ,KAAK,CAAA,GACb,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,KAAK,CAAC,CAAA;AACjC,MAAA,MAAA,CAAO,UAAA,GAAa,YAAA,CAAa,aAAA,CAAc,KAAK,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,SAAA,CAAU,KAAK,MAAM,CAAA;AAErB,IAAA,QAAQ,OAAO,MAAA;AAAQ,MACrB,KAAK,OAAA;AAAS,QAAA,OAAA,EAAA;AAAW,QAAA;AAAA,MACzB,KAAK,QAAA;AAAU,QAAA,QAAA,EAAA;AAAY,QAAA;AAAA,MAC3B,KAAK,MAAA;AAAQ,QAAA,MAAA,EAAA;AAAU,QAAA;AAAA,MACvB,KAAK,WAAA;AAAa,QAAA,UAAA,EAAA;AAAc,QAAA;AAAA,MAChC,KAAK,MAAA;AAAQ,QAAA,MAAA,EAAA;AAAU,QAAA;AAAA;AACzB,EACF;AAGA,EAAA,MAAM,YAAA,GAAe,YAAA;AAAA,IACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC;AAAA,GACvC;AAGA,EAAA,MAAM,iBAA0C,EAAC;AACjD,EAAA,KAAA,MAAW,YAAY,SAAA,EAAW;AAChC,IAAA,QAAQ,SAAS,MAAA;AAAQ,MACvB,KAAK,OAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,OAAA,CAAQ,SAAS,KAAK,CAAA;AACvD,QAAA;AAAA,MACF,KAAK,QAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA;AACjC,QAAA;AAAA,MACF,KAAK,MAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,CAAA,MAAA,EAAS,SAAS,UAAU,CAAA,CAAA,CAAA;AAC7D,QAAA;AAAA,MACF,KAAK,WAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,aAAA;AACjC,QAAA;AAGA;AACJ,EACF;AACA,EAAA,MAAM,YAAA,GAAe,YAAA;AAAA,IACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC;AAAA,GAC9C;AAEA,EAAA,OAAO;AAAA,IACL,WAAW,MAAA,CAAO,SAAA;AAAA,IAClB,QAAA;AAAA,IACA,cAAA,EAAgB,OAAA;AAAA,IAChB,eAAA,EAAiB,QAAA;AAAA,IACjB,aAAA,EAAe,MAAA;AAAA,IACf,iBAAA,EAAmB,UAAA;AAAA,IACnB,aAAA,EAAe,MAAA;AAAA,IACf,SAAA;AAAA,IACA,qBAAA,EAAuB,YAAA;AAAA,IACvB,qBAAA,EAAuB,YAAA;AAAA,IACvB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACtC;AACF;AAYO,SAAS,cAAA,CAAe,OAAe,QAAA,EAA6B;AACzE,EAAA,MAAM,eAAA,GAAkB,MAAM,WAAA,EAAY;AAC1C,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAC5B,IAAA,MAAM,iBAAA,GAAoB,QAAQ,WAAA,EAAY;AAC9C,IAAA,IAAI,iBAAA,KAAsB,iBAAiB,OAAO,IAAA;AAClD,IAAA,IAAI,iBAAA,CAAkB,QAAA,CAAS,GAAG,CAAA,IAAK,eAAA,CAAgB,UAAA,CAAW,iBAAA,CAAkB,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,CAAA,EAAG,OAAO,IAAA;AAC1G,IAAA,IAAI,iBAAA,CAAkB,UAAA,CAAW,GAAG,CAAA,IAAK,eAAA,CAAgB,QAAA,CAAS,iBAAA,CAAkB,KAAA,CAAM,CAAC,CAAC,CAAA,EAAG,OAAO,IAAA;AAAA,EACxG;AACA,EAAA,OAAO,KAAA;AACT;AAOO,IAAM,yBAAN,MAA6B;AAAA,EAC1B,OAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA,uBAA+C,GAAA,EAAI;AAAA,EAE3D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,iBAAiB,CAAA;AAAA,EACpE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,UAAA,EACA,KAAA,EACA,eACA,UAAA,EAC4B;AAC5B,IAAA,MAAM,QAAA,GAAW,CAAA,GAAA,EAAM,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AAChE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,MAAM,MAAA,GAA4B;AAAA,MAChC,SAAA,EAAW,QAAA;AAAA,MACX,WAAA,EAAa,UAAA;AAAA,MACb,KAAA;AAAA,MACA,cAAA,EAAgB,aAAA;AAAA,MAChB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,UAAA,EAAY;AAAA,KACd;AAEA,IAAA,MAAM,IAAA,CAAK,QAAQ,MAAM,CAAA;AACzB,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAElC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,QAAA,EAAqD;AAC7D,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA,EAAG;AAC/B,MAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA;AAAA,IACnC;AAEA,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,0BAA0B,QAAQ,CAAA;AACtE,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,MAAA,GAA4B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACrE,MAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAClC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAqC;AACzC,IAAA,MAAM,KAAK,OAAA,EAAQ;AACnB,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,QAAA,CAAS,QAAQ,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,OAAA,GAAyB;AACrC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,wBAAwB,CAAA;AAChE,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,IAAA,CAAK,GAAG,CAAA,EAAG;AACjC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,wBAAA,EAA0B,KAAK,GAAG,CAAA;AACtE,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,MAAA,GAA4B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACrE,UAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,SAAA,EAAW,MAAM,CAAA;AAAA,QAC5C,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,MAAA,EAA0C;AAC9D,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,wBAAA;AAAA,MACA,MAAA,CAAO,SAAA;AAAA,MACP,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF;;;ACrWA,IAAM,qBAAA,GAAwB;AAAA,EAC5B,SAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,YAAA,GAAe;AAAA,EACnB,OAAA;AAAA,EACA,MAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,eAAA;AAAA,EACA,OAAA;AAAA,EACA,cAAA;AAAA,EACA,SAAA;AAAA,EACA,KAAA;AAAA,EACA,eAAA;AAAA,EACA,YAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,KAAA;AAAA,EACA,cAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,uBAAA,GAA0B;AAAA,EAC9B,QAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,MAAA;AAAA,EACA,aAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,WAAA,GAAc;AAAA,EAClB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,aAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,gBAAA,GAAmB;AAAA,EACvB,sBAAA;AAAA,EACA,iBAAA;AAAA,EACA,cAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,iBAAA,GAAyC;AAAA,EACpD,EAAA,EAAI,mBAAA;AAAA,EACJ,IAAA,EAAM,mBAAA;AAAA,EACN,WAAA,EACE,0EAAA;AAAA,EACF,QAAA,EACE,8HAAA;AAAA,EAEF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,WAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,MAAA;AAAA,QACA,kBAAA;AAAA,QACA,eAAA;AAAA,QACA,OAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG,gBAAA;AAAA,QACH,cAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC;AACd,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAEO,IAAM,kBAAA,GAA0C;AAAA,EACrD,EAAA,EAAI,oBAAA;AAAA,EACJ,IAAA,EAAM,oBAAA;AAAA,EACN,WAAA,EACE,4HAAA;AAAA,EAEF,QAAA,EACE,0HAAA;AAAA,EAEF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,WAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,MAAA;AAAA,QACA,kBAAA;AAAA,QACA,eAAA;AAAA,QACA,OAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,aAAA;AAAA,QACA,cAAA;AAAA,QACA,aAAA;AAAA,QACA,kBAAA;AAAA,QACA,cAAA;AAAA,QACA,iBAAA;AAAA,QACA,WAAA;AAAA,QACA,aAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,SAAA,EAAW,CAAC,GAAG,gBAAgB;AAAA;AACjC,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAEO,IAAM,cAAA,GAAsC;AAAA,EACjD,EAAA,EAAI,gBAAA;AAAA,EACJ,IAAA,EAAM,gBAAA;AAAA,EACN,WAAA,EACE,kGAAA;AAAA,EAEF,QAAA,EACE,0GAAA;AAAA,EAEF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,SAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,WAAA;AAAA,QACA,gBAAA;AAAA,QACA,WAAA;AAAA,QACA,WAAA;AAAA,QACA,aAAA;AAAA,QACA,QAAA;AAAA,QACA,YAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC,KACd;AAAA,IACA;AAAA,MACE,QAAA,EAAU,WAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,YAAA;AAAA,QACA,WAAA;AAAA,QACA,aAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC;AACd,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAEO,IAAM,eAAA,GAAuC;AAAA,EAClD,EAAA,EAAI,iBAAA;AAAA,EACJ,IAAA,EAAM,iBAAA;AAAA,EACN,WAAA,EACE,oGAAA;AAAA,EAEF,QAAA,EACE,uTAAA;AAAA,EAKF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,MAAA;AAAA,QACA,kBAAA;AAAA,QACA,OAAA;AAAA,QACA,cAAA;AAAA,QACA,YAAA;AAAA,QACA,iBAAA;AAAA,QACA,KAAA;AAAA,QACA,UAAA;AAAA,QACA,QAAA;AAAA,QACA,QAAA;AAAA,QACA,MAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC;AACd,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAKO,IAAM,SAAA,GAAiD;AAAA,EAC5D,mBAAA,EAAqB,iBAAA;AAAA,EACrB,oBAAA,EAAsB,kBAAA;AAAA,EACtB,gBAAA,EAAkB,cAAA;AAAA,EAClB,iBAAA,EAAmB;AACrB;AAGO,SAAS,eAAA,GAA4B;AAC1C,EAAA,OAAO,MAAA,CAAO,KAAK,SAAS,CAAA;AAC9B;AAGO,SAAS,YAAY,EAAA,EAA6C;AACvE,EAAA,OAAO,UAAU,EAAE,CAAA;AACrB;;;ACvPA,IAAM,oBAAA,GAAsC;AAAA;AAAA,EAE1C;AAAA,IACE,QAAA,EAAU;AAAA,MACR,SAAA;AAAA,MAAW,QAAA;AAAA,MAAU,YAAA;AAAA,MACrB,QAAA;AAAA,MAAU,YAAA;AAAA,MAAc,cAAA;AAAA,MACxB,UAAA;AAAA,MAAY,QAAA;AAAA,MAAU,MAAA;AAAA,MACtB,YAAA;AAAA,MAAc,aAAA;AAAA,MACd,aAAA;AAAA,MAAe,SAAA;AAAA,MACf,cAAA;AAAA,MACA,YAAA;AAAA,MACA,OAAA;AAAA,MAAS,cAAA;AAAA,MAAgB,eAAA;AAAA,MAAiB,cAAA;AAAA,MAC1C,YAAA;AAAA,MAAc,aAAA;AAAA,MAAe,eAAA;AAAA,MAC7B,gBAAA;AAAA,MAAkB,YAAA;AAAA,MAAc,aAAA;AAAA,MAChC,gBAAA;AAAA,MAAkB,eAAA;AAAA,MAClB;AAAA,KACF;AAAA,IACA,MAAA,EAAQ,QAAA;AAAA,IACR,UAAA,EAAY,MAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,MAAA;AAAA,MAAQ,WAAA;AAAA,MAAa,YAAA;AAAA,MAAc,WAAA;AAAA,MAAa,cAAA;AAAA,MAChD,OAAA;AAAA,MAAS,eAAA;AAAA,MACT,OAAA;AAAA,MAAS,cAAA;AAAA,MAAgB,QAAA;AAAA,MACzB,SAAA;AAAA,MAAW,gBAAA;AAAA,MAAkB,iBAAA;AAAA,MAC7B,KAAA;AAAA,MAAO,iBAAA;AAAA,MACP,eAAA;AAAA,MAAiB,KAAA;AAAA,MAAO,UAAA;AAAA,MACxB,YAAA;AAAA,MAAc,IAAA;AAAA,MACd,UAAA;AAAA,MAAY,aAAA;AAAA,MAAe,aAAA;AAAA,MAC3B,aAAA;AAAA,MAAe,aAAA;AAAA,MAAe,KAAA;AAAA,MAC9B,cAAA;AAAA,MAAgB,gBAAA;AAAA,MAChB,UAAA;AAAA,MAAY,iBAAA;AAAA,MAAmB;AAAA,KACjC;AAAA,IACA,MAAA,EAAQ,QAAA;AAAA,IACR,UAAA,EAAY,MAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,QAAA;AAAA,MAAU,cAAA;AAAA,MAAgB,kBAAA;AAAA,MAC1B,oBAAA;AAAA,MAAsB,iBAAA;AAAA,MAAmB,kBAAA;AAAA,MACzC,gBAAA;AAAA,MAAkB,aAAA;AAAA,MAClB,eAAA;AAAA,MAAiB,YAAA;AAAA,MACjB,MAAA;AAAA,MAAQ,aAAA;AAAA,MAAe,SAAA;AAAA,MACvB,eAAA;AAAA,MAAiB,gBAAA;AAAA,MAAkB,oBAAA;AAAA,MACnC,aAAA;AAAA,MAAe,kBAAA;AAAA,MAAoB,mBAAA;AAAA,MACnC,SAAA;AAAA,MAAW,OAAA;AAAA,MAAS;AAAA,KACtB;AAAA,IACA,MAAA,EAAQ,QAAA;AAAA,IACR,UAAA,EAAY,MAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,SAAA;AAAA,MAAW,QAAA;AAAA,MACX,YAAA;AAAA,MAAc,WAAA;AAAA,MACd,UAAA;AAAA,MAAY,SAAA;AAAA,MACZ,aAAA;AAAA,MACA,iBAAA;AAAA,MACA,WAAA;AAAA,MAAa,UAAA;AAAA,MACb,YAAA;AAAA,MAAc,WAAA;AAAA,MACd,gBAAA;AAAA,MACA,UAAA;AAAA,MAAY,SAAA;AAAA,MACZ,YAAA;AAAA,MAAc;AAAA,KAChB;AAAA,IACA,MAAA,EAAQ,MAAA;AAAA,IACR,UAAA,EAAY,QAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,sBAAA;AAAA,MAAwB,cAAA;AAAA,MACxB,iBAAA;AAAA,MAAmB,UAAA;AAAA,MACnB,mBAAA;AAAA,MAAqB,gBAAA;AAAA,MACrB,gBAAA;AAAA,MACA,qBAAA;AAAA,MACA,WAAA;AAAA,MAAa;AAAA,KACf;AAAA,IACA,MAAA,EAAQ,WAAA;AAAA,IACR,UAAA,EAAY,QAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,MAAA;AAAA,MAAQ,kBAAA;AAAA,MACR,OAAA;AAAA,MAAS,eAAA;AAAA,MAAiB,cAAA;AAAA,MAC1B,QAAA;AAAA,MAAU,aAAA;AAAA,MACV,UAAA;AAAA,MAAY,kBAAA;AAAA,MACZ,aAAA;AAAA,MAAe,cAAA;AAAA,MACf,WAAA;AAAA,MAAa,MAAA;AAAA,MACb,cAAA;AAAA,MAAgB,WAAA;AAAA,MAChB,iBAAA;AAAA,MACA,aAAA;AAAA,MAAe,cAAA;AAAA,MACf,eAAA;AAAA,MAAiB,QAAA;AAAA,MACjB,cAAA;AAAA,MAAgB,aAAA;AAAA,MAChB,YAAA;AAAA,MAAc;AAAA,KAChB;AAAA,IACA,MAAA,EAAQ,OAAA;AAAA,IACR,UAAA,EAAY,QAAA;AAAA,IACZ,MAAA,EAAQ;AAAA;AAEZ,CAAA;AAOO,SAAS,cAAc,SAAA,EAAwC;AACpE,EAAA,MAAM,UAAA,GAAa,SAAA,CAAU,WAAA,EAAY,CAAE,IAAA,EAAK;AAEhD,EAAA,KAAA,MAAW,QAAQ,oBAAA,EAAsB;AACvC,IAAA,KAAA,MAAW,OAAA,IAAW,KAAK,QAAA,EAAU;AACnC,MAAA,IAAI,mBAAA,CAAoB,UAAA,EAAY,OAAO,CAAA,EAAG;AAC5C,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,SAAA;AAAA,UACP,oBAAoB,IAAA,CAAK,MAAA;AAAA,UACzB,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,YAAY,IAAA,CAAK,UAAA;AAAA,UACjB,eAAA,EAAiB;AAAA,SACnB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,SAAA;AAAA,IACP,kBAAA,EAAoB,QAAA;AAAA,IACpB,MAAA,EAAQ,qEAAA;AAAA,IACR,UAAA,EAAY,KAAA;AAAA,IACZ,eAAA,EAAiB;AAAA,GACnB;AACF;AAKO,SAAS,eAAA,CACd,OAAA,EACA,QAAA,GAAmB,WAAA,EACG;AACtB,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AAClC,EAAA,MAAM,eAAA,GAAyC,MAAA,CAAO,GAAA,CAAI,aAAa,CAAA;AACvE,EAAA,MAAM,WAAqB,EAAC;AAG5B,EAAA,MAAM,QAAkB,EAAC;AACzB,EAAA,MAAM,SAAmB,EAAC;AAC1B,EAAA,MAAMoB,QAAiB,EAAC;AACxB,EAAA,MAAM,YAAsB,EAAC;AAE7B,EAAA,KAAA,MAAW,KAAK,eAAA,EAAiB;AAC/B,IAAA,QAAQ,EAAE,kBAAA;AAAoB,MAC5B,KAAK,OAAA;AAAS,QAAA,KAAA,CAAM,IAAA,CAAK,EAAE,KAAK,CAAA;AAAG,QAAA;AAAA,MACnC,KAAK,QAAA;AAAU,QAAA,MAAA,CAAO,IAAA,CAAK,EAAE,KAAK,CAAA;AAAG,QAAA;AAAA,MACrC,KAAK,MAAA;AAAQ,QAAAA,KAAAA,CAAK,IAAA,CAAK,CAAA,CAAE,KAAK,CAAA;AAAG,QAAA;AAAA,MACjC,KAAK,WAAA;AAAa,QAAA,SAAA,CAAU,IAAA,CAAK,EAAE,KAAK,CAAA;AAAG,QAAA;AAAA;AAC7C,EACF;AAGA,EAAA,MAAM,gBAAgB,eAAA,CAAgB,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,eAAe,KAAK,CAAA;AAC1E,EAAA,IAAI,aAAA,CAAc,SAAS,CAAA,EAAG;AAC5B,IAAA,QAAA,CAAS,IAAA;AAAA,MACP,CAAA,EAAG,aAAA,CAAc,MAAM,CAAA,yEAAA,EACD,aAAA,CAAc,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,KAAK,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,wBAAA;AAAA,KAEpE;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,SAAS,GAAA,EAAM;AACpD,MAAA,MAAM,WAAW,eAAA,CAAgB,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,UAAU,GAAG,CAAA;AAC5D,MAAA,IAAI,QAAA,IAAY,QAAA,CAAS,kBAAA,KAAuB,OAAA,EAAS;AACvD,QAAA,QAAA,CAAS,IAAA;AAAA,UACP,CAAA,OAAA,EAAU,GAAG,CAAA,0BAAA,EAA6B,KAAA,CAAM,MAAM,CAAA,yEAAA;AAAA,SAExD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,QAAA;AAAA,IACA,eAAA;AAAA,IACA,mBAAmB,EAAE,KAAA,EAAO,MAAA,EAAQ,IAAA,EAAAA,OAAM,SAAA,EAAU;AAAA,IACpD,cAAA,EAAgB,QAAA;AAAA,IAChB,OAAA,EAAS;AAAA,MACP,cAAc,MAAA,CAAO,MAAA;AAAA,MACrB,OAAO,KAAA,CAAM,MAAA;AAAA,MACb,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,MAAMA,KAAAA,CAAK,MAAA;AAAA,MACX,WAAW,SAAA,CAAU;AAAA,KACvB;AAAA,IACA;AAAA,GACF;AACF;AAcA,SAAS,mBAAA,CAAoB,iBAAyB,OAAA,EAA0B;AAC9E,EAAA,IAAI,eAAA,KAAoB,SAAS,OAAO,IAAA;AAGxC,EAAA,IAAI,QAAQ,MAAA,IAAU,CAAA,IAAK,eAAA,CAAgB,QAAA,CAAS,OAAO,CAAA,EAAG;AAE5D,IAAA,MAAM,GAAA,GAAM,eAAA,CAAgB,OAAA,CAAQ,OAAO,CAAA;AAC3C,IAAA,MAAM,MAAA,GAAS,GAAA,KAAQ,CAAA,IAAK,eAAA,CAAgB,GAAA,GAAM,CAAC,CAAA,KAAM,GAAA,IAAO,eAAA,CAAgB,GAAA,GAAM,CAAC,CAAA,KAAM,GAAA;AAC7F,IAAA,MAAM,QAAQ,GAAA,GAAM,OAAA,CAAQ,MAAA,KAAW,eAAA,CAAgB,UACrD,eAAA,CAAgB,GAAA,GAAM,OAAA,CAAQ,MAAM,MAAM,GAAA,IAC1C,eAAA,CAAgB,GAAA,GAAM,OAAA,CAAQ,MAAM,CAAA,KAAM,GAAA;AAC5C,IAAA,OAAO,MAAA,IAAU,KAAA;AAAA,EACnB;AACA,EAAA,OAAO,KAAA;AACT;;;AC9RA,aAAA,EAAA;AACA,YAAA,EAAA;AAyBA,IAAM,0BAAA,GAA6B;AAAA,EACjC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AAAA,EACA,cAAA;AAAA,EACA,eAAA;AAAA,EACA,UAAA;AAAA,EACA,QAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA;AAAA,EACA,KAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,cAAA;AAAA,EACA,cAAA;AAAA,EACA,KAAA;AAAA,EACA,KAAA;AAAA,EACA,aAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAoBO,IAAM,sBAAN,MAA0B;AAAA,EACvB,WAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA,GAAQ;AAAA,IACd,eAAA,EAAiB,CAAA;AAAA,IACjB,cAAA,EAAgB,CAAA;AAAA,IAChB,eAAA,EAAiB,CAAA;AAAA,IACjB,aAAA,EAAe,CAAA;AAAA,IACf,cAAA,EAAgB,CAAA;AAAA,IAChB,aAAA,EAAe;AAAA,GACjB;AAAA,EAEA,WAAA,CACE,WAAA,EACA,QAAA,EACA,MAAA,EACA;AACA,IAAA,IAAA,CAAK,WAAA,GAAc,WAAA;AACnB,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,WAAA,CAAY,UAAkB,eAAA,EAA2C;AACvE,IAAA,OAAO,OAAO,IAAA,KAAkC;AAE9C,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,QAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,MAC7B;AAGA,MAAA,IAAI,CAAC,IAAA,CAAK,YAAA,CAAa,QAAQ,CAAA,EAAG;AAChC,QAAA,IAAA,CAAK,KAAA,CAAM,cAAA,EAAA;AACX,QAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,MAC7B;AAEA,MAAA,IAAA,CAAK,KAAA,CAAM,eAAA,EAAA;AAGX,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,iBAAA,GACvB,MAAM,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,IAAA,CAAK,MAAA,CAAO,iBAAiB,CAAA,GACxD,IAAA;AAEJ,MAAA,IAAI,MAAA,EAAQ;AAEV,QAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,UACV,QAAA;AAAA,UACA,IAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF,CAAA,MAAO;AAEL,QAAA,OAAO,IAAA,CAAK,yBAAA;AAAA,UACV,QAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAAA,IACF,CAAA;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBAAA,CACZ,QAAA,EACA,IAAA,EACA,iBACA,MAAA,EAC6D;AAE7D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,uBAAA,CAAwB,QAAQ,CAAA;AAGtD,IAAA,MAAM,MAAA,GAAS,aAAA,CAAc,MAAA,EAAQ,QAAA,EAAU,IAAI,CAAA;AAGnD,IAAA,MAAM,YAAA,GAAe,OAAO,SAAA,CAAU,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,MAAM,CAAA;AAEvE,IAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,MAAA,IAAI,IAAA,CAAK,MAAA,CAAO,OAAA,KAAY,OAAA,EAAS;AACnC,QAAA,IAAA,CAAK,KAAA,CAAM,aAAA,EAAA;AACX,QAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,UACZ,IAAA;AAAA,UACA,6BAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,SAAA,EAAW,QAAA;AAAA,YACX,WAAW,MAAA,CAAO,SAAA;AAAA,YAClB,QAAA;AAAA,YACA,eAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,KAAK,CAAA;AAAA,YAC9C,uBAAuB,MAAA,CAAO;AAAA;AAChC,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA,EAAO,wBAAA;AAAA,UACP,OAAA,EAAS,oDAAA;AAAA,UACT,IAAA,EAAM,QAAA;AAAA,UACN,eAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,KAAK,CAAA;AAAA,UAC9C,cAAA,EACE;AAAA,SACH,CAAA;AAAA,MACH;AAAA,IAEF;AAGA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,iBAAA,CAAkB,IAAA,EAAM,OAAO,SAAS,CAAA;AAElE,IAAA,IAAI,IAAA,CAAK,OAAO,QAAA,EAAU;AAExB,MAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,QACZ,IAAA;AAAA,QACA,gCAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,QAAA;AAAA,UACX,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,QAAA;AAAA,UACA,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,CAAE,MAAA;AAAA,UAChC,iBAAiB,MAAA,CAAO,eAAA;AAAA,UACxB,eAAe,MAAA,CAAO,aAAA;AAAA,UACtB,gBAAgB,YAAA,CAAa,MAAA;AAAA,UAC7B,uBAAuB,MAAA,CAAO;AAAA;AAChC,OACF;AACA,MAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,MAAA,CAAO,eAAA;AACrC,MAAA,IAAA,CAAK,KAAA,CAAM,iBAAiB,MAAA,CAAO,aAAA;AACnC,MAAA,IAAA,CAAK,KAAA,CAAM,kBAAkB,YAAA,CAAa,MAAA;AAE1C,MAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,IAC7B;AAGA,IAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,MACZ,IAAA;AAAA,MACA,8BAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,QACE,SAAA,EAAW,QAAA;AAAA,QACX,WAAW,MAAA,CAAO,SAAA;AAAA,QAClB,QAAA;AAAA,QACA,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,CAAE,MAAA;AAAA,QAChC,iBAAiB,MAAA,CAAO,eAAA;AAAA,QACxB,eAAe,MAAA,CAAO,aAAA;AAAA,QACtB,gBAAgB,YAAA,CAAa,MAAA;AAAA,QAC7B,uBAAuB,MAAA,CAAO;AAAA;AAChC,KACF;AAEA,IAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,MAAA,CAAO,eAAA;AACrC,IAAA,IAAA,CAAK,KAAA,CAAM,iBAAiB,MAAA,CAAO,aAAA;AACnC,IAAA,IAAA,CAAK,KAAA,CAAM,kBAAkB,YAAA,CAAa,MAAA;AAE1C,IAAA,OAAO,gBAAgB,YAAY,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,yBAAA,CACZ,QAAA,EACA,IAAA,EACA,eAAA,EAC6D;AAC7D,IAAA,MAAM,iBAA2B,EAAC;AAClC,IAAA,MAAM,YAAA,GAAe,YAAA;AAAA,MACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC;AAAA,KACpC;AAGA,IAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,MAAA,IAAI,cAAA,CAAe,KAAA,EAAO,0BAA0B,CAAA,EAAG;AACrD,QAAA,cAAA,CAAe,KAAK,KAAK,CAAA;AAAA,MAC3B;AAAA,IACF;AAEA,IAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAE/B,MAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,QACZ,IAAA;AAAA,QACA,oCAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,QAAA;AAAA,UACX,MAAA,EAAQ;AAAA;AACV,OACF;AACA,MAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,IAC7B;AAGA,IAAA,MAAM,eAAwC,EAAC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAC/C,MAAA,IAAI,cAAA,CAAe,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,QAAA,YAAA,CAAa,GAAG,CAAA,GAAI,YAAA;AAAA,MACtB,CAAA,MAAO;AACL,QAAA,YAAA,CAAa,GAAG,CAAA,GAAI,KAAA;AAAA,MACtB;AAAA,IACF;AAEA,IAAA,MAAM,YAAA,GAAe,YAAA;AAAA,MACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,YAAY,CAAC;AAAA,KAC5C;AAEA,IAAA,IAAI,IAAA,CAAK,OAAO,QAAA,EAAU;AACxB,MAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,QACZ,IAAA;AAAA,QACA,wCAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,QAAA;AAAA,UACX,iBAAiB,cAAA,CAAe,MAAA;AAAA,UAChC,eAAA,EAAiB,cAAA;AAAA,UACjB,qBAAA,EAAuB;AAAA;AACzB,OACF;AACA,MAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,cAAA,CAAe,MAAA;AAC7C,MAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,IAC7B;AAGA,IAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,MACZ,IAAA;AAAA,MACA,sCAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,QACE,SAAA,EAAW,QAAA;AAAA,QACX,iBAAiB,cAAA,CAAe,MAAA;AAAA,QAChC,eAAA,EAAiB,cAAA;AAAA,QACjB,qBAAA,EAAuB,YAAA;AAAA,QACvB,qBAAA,EAAuB;AAAA;AACzB,KACF;AAEA,IAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,cAAA,CAAe,MAAA;AAE7C,IAAA,OAAO,gBAAgB,YAAY,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAa,QAAA,EAA2B;AACtC,IAAA,KAAA,MAAW,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,eAAA,EAAiB;AAEhD,MAAA,MAAM,aAAa,MAAA,CAAO,QAAA,CAAS,GAAG,CAAA,GAAI,SAAS,MAAA,GAAS,GAAA;AAC5D,MAAA,IAAI,QAAA,KAAa,WAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,IAAK,QAAA,CAAS,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3E,QAAA,OAAO,KAAA;AAAA,MACT;AAAA,IACF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,wBAAwB,QAAA,EAA0B;AACxD,IAAA,IAAI,SAAS,QAAA,CAAS,WAAW,KAAK,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AAC9D,MAAA,OAAO,WAAA;AAAA,IACT;AACA,IAAA,IAAI,SAAS,QAAA,CAAS,KAAK,KAAK,QAAA,CAAS,QAAA,CAAS,WAAW,CAAA,EAAG;AAC9D,MAAA,OAAO,SAAA;AAAA,IACT;AACA,IAAA,IAAI,SAAS,QAAA,CAAS,WAAW,KAAK,QAAA,CAAS,QAAA,CAAS,QAAQ,CAAA,EAAG;AACjE,MAAA,OAAO,WAAA;AAAA,IACT;AACA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAA,CACN,cACA,SAAA,EACyB;AACzB,IAAA,MAAM,WAAoC,EAAC;AAE3C,IAAA,KAAA,MAAW,YAAY,SAAA,EAAW;AAChC,MAAA,QAAQ,SAAS,MAAA;AAAQ,QACvB,KAAK,OAAA;AACH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA,CAAa,SAAS,KAAK,CAAA;AACtD,UAAA;AAAA,QACF,KAAK,QAAA;AAEH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA;AAC3B,UAAA;AAAA,QACF,KAAK,MAAA;AACH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,QAAA,CAAS,UAAA;AACpC,UAAA;AAAA,QACF,KAAK,WAAA;AACH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA,CAAa,SAAS,KAAK,CAAA;AACtD,UAAA;AAGA;AACJ,IACF;AAEA,IAAA,OAAO,QAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,QAAA,EAAwB;AACvC,IAAA,IAAA,CAAK,OAAO,iBAAA,GAAoB,QAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA,GAA4B;AAC1B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAK,MAAA,CAAO,OAAA;AAAA,MACrB,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,MACtB,iBAAA,EAAmB,IAAA,CAAK,MAAA,CAAO,iBAAA,IAAqB,IAAA;AAAA,MACpD,KAAA,EAAO,EAAE,GAAG,IAAA,CAAK,KAAA;AAAM,KACzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,OAAA,EAAwB;AACjC,IAAA,IAAA,CAAK,OAAO,OAAA,GAAU,OAAA;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,OAAA,EAAwB;AACjC,IAAA,IAAA,CAAK,OAAO,QAAA,GAAW,OAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,eAAA,EAAiB,CAAA;AAAA,MACjB,cAAA,EAAgB,CAAA;AAAA,MAChB,eAAA,EAAiB,CAAA;AAAA,MACjB,aAAA,EAAe,CAAA;AAAA,MACf,cAAA,EAAgB,CAAA;AAAA,MAChB,aAAA,EAAe;AAAA,KACjB;AAAA,EACF;AACF;;;ACraO,SAAS,sBAAA,CACd,OAAA,EACA,SAAA,EACA,QAAA,EAKA;AACA,EAAA,MAAM,WAAA,GAAc,IAAI,sBAAA,CAAuB,OAAA,EAAS,SAAS,CAAA;AAGjE,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,OAAA,EAAS,KAAA;AAAA;AAAA,IACT,eAAA,EAAiB,CAAC,YAAY,CAAA;AAAA;AAAA,IAC9B,QAAA,EAAU,KAAA;AAAA;AAAA,IACV,OAAA,EAAS;AAAA;AAAA,GACX;AACA,EAAA,MAAM,QAAA,GAAW,IAAI,mBAAA,CAAoB,WAAA,EAAa,UAAU,cAAc,CAAA;AAE9E,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAE9B;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,wgBAAA;AAAA,MASF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,OAAA;AAAA,YACN,WAAA,EACE,gRAAA;AAAA,YAIF,KAAA,EAAO;AAAA,cACL,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACV,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,QAAA;AAAA,kBACN,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,KAAA,EAAO;AAAA,kBACL,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,MAAA,EAAQ;AAAA,kBACN,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,IAAA,EAAM;AAAA,kBACJ,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,SAAA,EAAW;AAAA,kBACT,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA;AAEJ,eACF;AAAA,cACA,QAAA,EAAU,CAAC,UAAA,EAAY,OAAA,EAAS,QAAQ;AAAA;AAC1C,WACF;AAAA,UACA,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,QAAA,EAAU,MAAM,CAAA;AAAA,YACvB,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,aAAA,EAAe,OAAO;AAAA,OACnC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,IAAA,CAAK,KAAA;AACtB,QAAA,MAAM,aAAA,GAAiB,KAAK,cAAA,IAAwC,QAAA;AACpE,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAGxB,QAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAC5B,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,eAAA,EAAiB,OAAA,EAAS,0BAA0B,CAAA;AAAA,QACjF;AACA,QAAA,IAAI,QAAA,CAAS,SAAS,gBAAA,EAAkB;AACtC,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,gBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,QAAA,CAAS,MAAM,8BAA8B,gBAAgB,CAAA;AAAA,WACrF,CAAA;AAAA,QACH;AAGA,QAAA,MAAM,QAA2B,EAAC;AAClC,QAAA,KAAA,MAAW,KAAK,QAAA,EAAU;AACxB,UAAA,MAAM,KAAA,GAAQ,MAAM,OAAA,CAAQ,CAAA,CAAE,KAAK,CAAA,GAAK,CAAA,CAAE,QAAqB,EAAC;AAChE,UAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,CAAA,CAAE,MAAM,CAAA,GAAK,CAAA,CAAE,SAAsB,EAAC;AACnE,UAAA,MAAMA,KAAAA,GAAO,MAAM,OAAA,CAAQ,CAAA,CAAE,IAAI,CAAA,GAAK,CAAA,CAAE,OAAoB,EAAC;AAC7D,UAAA,MAAM,SAAA,GAAY,MAAM,OAAA,CAAQ,CAAA,CAAE,SAAS,CAAA,GAAK,CAAA,CAAE,YAAyB,EAAC;AAE5E,UAAA,KAAA,MAAW,CAAC,MAAM,GAAG,CAAA,IAAK,CAAC,CAAC,OAAA,EAAS,KAAK,CAAA,EAAG,CAAC,UAAU,MAAM,CAAA,EAAG,CAAC,MAAA,EAAQA,KAAI,GAAG,CAAC,WAAA,EAAa,SAAS,CAAC,CAAA,EAAY;AACnH,YAAA,IAAI,GAAA,CAAI,SAAS,sBAAA,EAAwB;AACvC,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO,mBAAA;AAAA,gBACP,SAAS,CAAA,KAAA,EAAQ,IAAI,cAAc,GAAA,CAAI,MAAM,iCAAiC,sBAAsB,CAAA;AAAA,eACrG,CAAA;AAAA,YACH;AAAA,UACF;AAEA,UAAA,KAAA,CAAM,IAAA,CAAK;AAAA,YACT,QAAA,EAAW,EAAE,QAAA,IAAuC,GAAA;AAAA,YACpD,KAAA;AAAA,YACA,MAAA;AAAA,YACA,IAAA,EAAAA,KAAAA;AAAA,YACA;AAAA,WACD,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA;AAAA,UAC/B,UAAA;AAAA,UACA,KAAA;AAAA,UACA,aAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,UAAA,IAAc,QAAA,EAAU;AAAA,UACvE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,WAAA,EAAa,UAAA;AAAA,UACb,YAAY,KAAA,CAAM,MAAA;AAAA,UAClB,cAAA,EAAgB;AAAA,SACjB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,OAAO,MAAA,CAAO,KAAA;AAAA,UACd,gBAAgB,MAAA,CAAO,cAAA;AAAA,UACvB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,OAAA,EACE;AAAA,SAEH,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,uCAAA;AAAA,MACN,WAAA,EACE,6YAAA;AAAA,MAMF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,aAAa;AAAA,OAC1B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAExB,QAAA,MAAM,QAAA,GAAW,YAAY,UAAU,CAAA;AACvC,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,qBAAqB,UAAU,CAAA,CAAA,CAAA;AAAA,YACxC,mBAAA,EAAqB,eAAA,EAAgB,CAAE,GAAA,CAAI,CAAC,EAAA,KAAO;AACjD,cAAA,MAAM,CAAA,GAAI,UAAU,EAAE,CAAA;AACtB,cAAA,OAAO,EAAE,EAAA,EAAI,IAAA,EAAM,EAAE,IAAA,EAAM,WAAA,EAAa,EAAE,WAAA,EAAY;AAAA,YACxD,CAAC;AAAA,WACF,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA;AAAA,UAC/B,QAAA,CAAS,IAAA;AAAA,UACT,QAAA,CAAS,KAAA;AAAA,UACT,QAAA,CAAS,cAAA;AAAA,UACT;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,6BAAA,EAA+B,UAAA,IAAc,QAAA,EAAU;AAAA,UAC3E,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,WAAA,EAAa;AAAA,SACd,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,gBAAA,EAAkB,UAAA;AAAA,UAClB,aAAa,QAAA,CAAS,IAAA;AAAA,UACtB,aAAa,QAAA,CAAS,WAAA;AAAA,UACtB,UAAU,QAAA,CAAS,QAAA;AAAA,UACnB,OAAO,MAAA,CAAO,KAAA;AAAA,UACd,gBAAgB,MAAA,CAAO,cAAA;AAAA,UACvB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,OAAA,EACE;AAAA,SAGH,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,kCAAA;AAAA,MACN,WAAA,EACE,0TAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAGJ;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAS;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,QAAA,GAAY,KAAK,QAAA,IAAuB,WAAA;AAG9C,QAAA,MAAM,WAAA,GAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AACvC,QAAA,IAAI,WAAA,CAAY,SAAS,kBAAA,EAAoB;AAC3C,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,mBAAA;AAAA,YACP,OAAA,EAAS,CAAA,YAAA,EAAe,WAAA,CAAY,MAAM,+BAA+B,kBAAkB,CAAA;AAAA,WAC5F,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,cAAA,GAAiB,eAAA,CAAgB,OAAA,EAAS,QAAQ,CAAA;AAExD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,wBAAA,EAA0B,QAAA,EAAU;AAAA,UACxD,QAAA;AAAA,UACA,eAAA,EAAiB,eAAe,OAAA,CAAQ,YAAA;AAAA,UACxC,YAAA,EAAc,eAAe,OAAA,CAAQ,KAAA;AAAA,UACrC,aAAA,EAAe,eAAe,OAAA,CAAQ,MAAA;AAAA,UACtC,WAAA,EAAa,eAAe,OAAA,CAAQ,IAAA;AAAA,UACpC,gBAAA,EAAkB,eAAe,OAAA,CAAQ;AAAA,SAC1C,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,GAAG,cAAA;AAAA,UACH,UAAA,EACE,sPAAA;AAAA,UAIF,mBAAA,EAAqB,eAAA,EAAgB,CAAE,GAAA,CAAI,CAAC,EAAA,KAAO;AACjD,YAAA,MAAM,CAAA,GAAI,UAAU,EAAE,CAAA;AACtB,YAAA,OAAO,EAAE,EAAA,EAAI,IAAA,EAAM,EAAE,IAAA,EAAM,WAAA,EAAa,EAAE,WAAA,EAAY;AAAA,UACxD,CAAC;AAAA,SACF,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,mWAAA;AAAA,MAMF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AAIJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,UAAA,EAAY,SAAS;AAAA,OAC/C;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,WAAW,IAAA,CAAK,SAAA;AACtB,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AACtB,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AAGrB,QAAA,MAAM,WAAA,GAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AACvC,QAAA,IAAI,WAAA,CAAY,SAAS,kBAAA,EAAoB;AAC3C,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,mBAAA;AAAA,YACP,OAAA,EAAS,CAAA,YAAA,EAAe,WAAA,CAAY,MAAM,+BAA+B,kBAAkB,CAAA;AAAA,WAC5F,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAC7C,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,kBAAA;AAAA,YACP,OAAA,EAAS,2CAA2C,QAAQ,CAAA,CAAA;AAAA,WAC7D,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,aAAA,CAAc,MAAA,EAAQ,QAAA,EAAU,OAAO,CAAA;AAGtD,QAAA,MAAM,YAAA,GAAe,OAAO,SAAA,CAAU,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,MAAM,CAAA;AACvE,QAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,UAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,MAAA,CAAO,eAAe,QAAA,EAAU;AAAA,YACzE,SAAA,EAAW,QAAA;AAAA,YACX,QAAA;AAAA,YACA,eAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,KAAK,CAAA;AAAA,YAC9C,uBAAuB,MAAA,CAAO;AAAA,WAC/B,CAAA;AAED,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,OAAA,EAAS,IAAA;AAAA,YACT,MAAA,EAAQ,kDAAA;AAAA,YACR,aAAA,EAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,cACtC,OAAO,CAAA,CAAE,KAAA;AAAA,cACT,QAAQ,CAAA,CAAE;AAAA,aACZ,CAAE,CAAA;AAAA,YACF,cAAA,EACE;AAAA,WAEH,CAAA;AAAA,QACH;AAGA,QAAA,MAAM,cAAuC,EAAC;AAC9C,QAAA,KAAA,MAAW,QAAA,IAAY,OAAO,SAAA,EAAW;AACvC,UAAA,QAAQ,SAAS,MAAA;AAAQ,YACvB,KAAK,OAAA;AACH,cAAA,WAAA,CAAY,QAAA,CAAS,KAAK,CAAA,GAAI,OAAA,CAAQ,SAAS,KAAK,CAAA;AACpD,cAAA;AAAA,YACF,KAAK,QAAA;AAEH,cAAA;AAAA,YACF,KAAK,MAAA;AACH,cAAA,WAAA,CAAY,QAAA,CAAS,KAAK,CAAA,GAAI,QAAA,CAAS,UAAA;AACvC,cAAA;AAAA,YACF,KAAK,WAAA;AAEH,cAAA,WAAA,CAAY,QAAA,CAAS,KAAK,CAAA,GAAI,OAAA,CAAQ,SAAS,KAAK,CAAA;AACpD,cAAA;AAAA;AACJ,QACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,qBAAA,EAAuB,MAAA,CAAO,eAAe,QAAA,EAAU;AAAA,UAC3E,SAAA,EAAW,QAAA;AAAA,UACX,QAAA;AAAA,UACA,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,MAAA;AAAA,UACnC,gBAAgB,MAAA,CAAO,cAAA;AAAA,UACvB,iBAAiB,MAAA,CAAO,eAAA;AAAA,UACxB,eAAe,MAAA,CAAO,aAAA;AAAA,UACtB,mBAAmB,MAAA,CAAO,iBAAA;AAAA,UAC1B,uBAAuB,MAAA,CAAO,qBAAA;AAAA,UAC9B,uBAAuB,MAAA,CAAO;AAAA,SAC/B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,OAAA,EAAS,KAAA;AAAA,UACT,YAAA,EAAc,WAAA;AAAA,UACd,OAAA,EAAS;AAAA,YACP,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,MAAA;AAAA,YACnC,SAAS,MAAA,CAAO,cAAA;AAAA,YAChB,UAAU,MAAA,CAAO,eAAA;AAAA,YACjB,QAAQ,MAAA,CAAO,aAAA;AAAA,YACf,YAAY,MAAA,CAAO;AAAA,WACrB;AAAA,UACA,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,KAAA,EAAO;AAAA,YACL,uBAAuB,MAAA,CAAO,qBAAA;AAAA,YAC9B,uBAAuB,MAAA,CAAO,qBAAA;AAAA,YAC9B,aAAa,MAAA,CAAO;AAAA,WACtB;AAAA,UACA,QAAA,EACE,MAAA,CAAO,iBAAA,GAAoB,CAAA,GACvB,qIAAA,GAEA;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,sCAAA;AAAA,MACN,WAAA,EACE,8GAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY,IAAA,EAAK;AAExC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,4BAAA,EAA8B,QAAA,EAAU;AAAA,UAC5D,cAAc,QAAA,CAAS;AAAA,SACxB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,QAAA,EAAU,QAAA,CAAS,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,YAC7B,WAAW,CAAA,CAAE,SAAA;AAAA,YACb,aAAa,CAAA,CAAE,WAAA;AAAA,YACf,UAAA,EAAY,EAAE,KAAA,CAAM,MAAA;AAAA,YACpB,WAAW,CAAA,CAAE,KAAA,CAAM,IAAI,CAAC,CAAA,KAAM,EAAE,QAAQ,CAAA;AAAA,YACxC,gBAAgB,CAAA,CAAE,cAAA;AAAA,YAClB,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,YAC9B,YAAY,CAAA,CAAE,UAAA;AAAA,YACd,YAAY,CAAA,CAAE;AAAA,WAChB,CAAE,CAAA;AAAA,UACF,OAAO,QAAA,CAAS,MAAA;AAAA,UAChB,OAAA,EACE,QAAA,CAAS,MAAA,KAAW,CAAA,GAChB,6FAAA,GAEA,CAAA,EAAG,QAAA,CAAS,MAAM,CAAA,gBAAA,EAAmB,QAAA,CAAS,MAAA,KAAW,CAAA,GAAI,WAAW,UAAU,CAAA,YAAA;AAAA,SACzF,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,wCAAA;AAAA,MACN,WAAA,EACE,kQAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,MAAA,GAAS,SAAS,SAAA,EAAU;AAElC,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,oCAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,SAAS,MAAA,CAAO,OAAA;AAAA,YAChB,UAAU,MAAA,CAAO,QAAA;AAAA,YACjB,mBAAmB,MAAA,CAAO;AAAA;AAC5B,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,eAAA,EAAiB,MAAA;AAAA,UACjB,WAAA,EACE,sBACC,MAAA,CAAO,OAAA,GAAU,YAAY,UAAA,CAAA,GAC9B,IAAA,IACC,MAAA,CAAO,QAAA,GACJ,wEAAA,GACA,kDAAA,CAAA;AAAA,UACN,QAAA,EACE,MAAA,CAAO,KAAA,CAAM,eAAA,GAAkB,CAAA,GAC3B,CAAA,KAAA,EAAQ,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,aAAA,EACjC,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,kGAAA,CAAA,GAE/B;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,2CAAA;AAAA,MACN,WAAA,EACE,+SAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA,WAGJ;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAGJ;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,OAAA,EAAS,QAAQ,CAAA;AAAA,YACxB,WAAA,EACE;AAAA,WAIJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,UAAmC,EAAC;AAE1C,QAAA,IAAI,IAAA,CAAK,YAAY,MAAA,EAAW;AAC9B,UAAA,QAAA,CAAS,UAAA,CAAW,KAAK,OAAkB,CAAA;AAC3C,UAAA,OAAA,CAAQ,UAAU,IAAA,CAAK,OAAA;AAAA,QACzB;AAEA,QAAA,IAAI,IAAA,CAAK,aAAa,MAAA,EAAW;AAC/B,UAAA,QAAA,CAAS,UAAA,CAAW,KAAK,QAAmB,CAAA;AAC5C,UAAA,OAAA,CAAQ,WAAW,IAAA,CAAK,QAAA;AAAA,QAC1B;AAEA,QAAA,IAAI,IAAA,CAAK,sBAAsB,MAAA,EAAW;AACxC,UAAA,MAAM,WAAW,IAAA,CAAK,iBAAA;AACtB,UAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAC7C,UAAA,IAAI,CAAC,MAAA,EAAQ;AACX,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,kBAAA;AAAA,cACP,OAAA,EAAS,2CAA2C,QAAQ,CAAA,CAAA;AAAA,aAC7D,CAAA;AAAA,UACH;AACA,UAAA,QAAA,CAAS,iBAAiB,QAAQ,CAAA;AAClC,UAAA,OAAA,CAAQ,iBAAA,GAAoB,QAAA;AAAA,QAC9B;AAEA,QAAA,IAAI,IAAA,CAAK,YAAY,MAAA,EAAW;AAC9B,UAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,UAAA,IAAI,MAAA,KAAW,OAAA,IAAW,MAAA,KAAW,QAAA,EAAU;AAC7C,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,iBAAA;AAAA,cACP,OAAA,EAAS;AAAA,aACV,CAAA;AAAA,UACH;AACA,UAAA,cAAA,CAAe,OAAA,GAAU,MAAA;AACzB,UAAA,OAAA,CAAQ,OAAA,GAAU,MAAA;AAAA,QACpB;AAEA,QAAA,IAAI,IAAA,CAAK,gBAAgB,IAAA,EAAM;AAC7B,UAAA,QAAA,CAAS,UAAA,EAAW;AACpB,UAAA,OAAA,CAAQ,WAAA,GAAc,IAAA;AAAA,QACxB;AAEA,QAAA,MAAM,SAAA,GAAY,SAAS,SAAA,EAAU;AAErC,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,iCAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,OAAA;AAAA,YACA,UAAA,EAAY;AAAA;AACd,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,UAAA,EAAY,IAAA;AAAA,UACZ,OAAA;AAAA,UACA,UAAA,EAAY,SAAA;AAAA,UACZ,SACE,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,MAAA,GAAS,IAC1B,iCAAA,GACA;AAAA,SACP,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,WAAA,EAAa,QAAA,EAAS;AACxC;ACxpBO,SAAS,qBAAA,GAAgD;AAC9D,EAAA,MAAM,MAAA,GAAS;AAAA,IACb,cAAc,SAAA,EAAU;AAAA,IACxB,cAAA,EAAgB,IAAA;AAAA;AAAA,IAChB,mBAAA,EAAqB,IAAA;AAAA;AAAA,IACrB,YAAA,EAAc;AAAA;AAAA,GAChB;AAEA,EAAA,MAAM,WAAA,GAAc,OAAO,MAAA,CAAO,MAAM,EAAE,MAAA,CAAO,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,MAAA;AAC3D,EAAA,MAAM,UAAU,WAAA,IAAe,CAAA,GAAI,MAAA,GAAS,WAAA,IAAe,IAAI,SAAA,GAAY,SAAA;AAE3E,EAAA,OAAO;AAAA,IACL,GAAG,MAAA;AAAA,IACH;AAAA,GACF;AACF;AAEA,SAAS,SAAA,GAAqB;AAC5B,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAASe,uBAAS,yCAAA,EAA2C;AAAA,QACjE,QAAA,EAAU,OAAA;AAAA,QACV,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,QAAQ;AAAA,OACjC,EAAE,IAAA,EAAK;AACR,MAAA,OAAO,MAAA,KAAW,GAAA;AAAA,IACpB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AAEjC,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,KAAA;AACT;AA4BO,SAAS,qBAAA,GAAgD;AAC9D,EAAA,MAAM,cAAc,eAAA,EAAgB;AACpC,EAAA,MAAM,OAAO,QAAA,EAAS;AACtB,EAAA,MAAM,cAAc,aAAA,EAAc;AAElC,EAAA,IAAI,cAAA,GAAiC,MAAA;AACrC,EAAA,IAAI,aAAa,cAAA,GAAiB,UAAA;AAAA,OAAA,IACzB,MAAM,cAAA,GAAiB,UAAA;AAAA,OAAA,IACvB,aAAa,cAAA,GAAiB,OAAA;AAEvC,EAAA,MAAM,UAA6C,EAAC;AACpD,EAAA,IAAI,WAAA,IAAe,WAAA,KAAgB,IAAA,EAAM,OAAA,CAAQ,cAAA,GAAiB,WAAA;AAClE,EAAA,IAAI,IAAA,IAAQ,IAAA,KAAS,IAAA,EAAM,OAAA,CAAQ,OAAA,GAAU,IAAA;AAC7C,EAAA,IAAI,WAAA,IAAe,WAAA,KAAgB,IAAA,EAAM,OAAA,CAAQ,YAAA,GAAe,WAAA;AAEhE,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,cAAA;AAAA,IACjB,cAAc,WAAA,KAAgB,KAAA;AAAA,IAC9B,OAAO,IAAA,KAAS,KAAA;AAAA,IAChB,cAAc,WAAA,KAAgB,KAAA;AAAA,IAC9B,MAAA,EAAQ,KAAA;AAAA,IACR;AAAA,GACF;AACF;AAEA,SAAS,eAAA,GAAoC;AAE3C,EAAA,IAAI;AAEF,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,WAAA,EAAa,OAAO,QAAA;AAGpC,IAAA,IAAI;AACF,MAAAC,WAAA,CAAS,aAAa,CAAA;AACtB,MAAA,OAAO,QAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AAAA,IAER;AAGA,IAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,MAAA,MAAM,MAAA,GAASD,uBAAS,2CAAA,EAA6C;AAAA,QACnE,QAAA,EAAU;AAAA,OACX,CAAA;AACD,MAAA,IAAI,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,QAAA;AACtC,MAAA,IAAI,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACnC,MAAA,IAAI,MAAA,CAAO,SAAS,UAAU,CAAA,IAAK,OAAO,QAAA,CAAS,YAAY,GAAG,OAAO,YAAA;AAAA,IAC3E;AAGA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,SAAA,KAAc,QAAA,EAAU,OAAO,QAAA;AAG/C,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,YAAA,EAAc,OAAO,KAAA;AAErC,IAAA,OAAO,KAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAEA,SAAS,QAAA,GAA6B;AACpC,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,IAAA,IAAI;AAEF,MAAA,MAAM,SAAA,GAAYA,uBAAS,yDAAA,EAA2D;AAAA,QACpF,QAAA,EAAU;AAAA,OACX,EAAE,WAAA,EAAY;AAEf,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,QAAA;AACzC,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,YAAY,CAAA,EAAG,OAAO,YAAA;AAC7C,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACtC,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACtC,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,SAAS,CAAA,EAAG,OAAO,SAAA;AAG1C,MAAA,MAAM,OAAA,GAAUA,uBAAS,6CAAA,EAA+C;AAAA,QACtE,QAAA,EAAU;AAAA,OACX,CAAA;AACD,MAAA,IAAI,OAAA,CAAQ,MAAA,GAAS,CAAA,EAAG,OAAO,UAAA;AAAA,IACjC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AACjC,IAAA,IAAI;AAEF,MAAA,MAAM,QAAA,GAAWA,sBAAA;AAAA,QACf,oFAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU;AAAA;AACZ,OACF;AACA,MAAA,IAAI,QAAA,CAAS,MAAA,GAAS,CAAA,EAAG,OAAO,UAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,aAAA,GAAkC;AAEzC,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AACjC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,0BAAA,KAA+B,GAAA,EAAK,OAAO,aAAA;AAC3D,IAAA,IAAI,OAAA,CAAQ,IAAI,MAAA,IAAU,OAAA,CAAQ,IAAI,MAAA,CAAO,QAAA,CAAS,YAAY,CAAA,EAAG,OAAO,aAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAA,CAAQ,aAAa,SAAA,EAAW;AAGlC,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAASA,uBAAS,kCAAA,EAAoC;AAAA,QAC1D,QAAA,EAAU;AAAA,OACX,CAAA;AACD,MAAA,IAAI,MAAA,CAAO,MAAA,GAAS,CAAA,EAAG,OAAO,QAAA;AAAA,IAChC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,SAAA,KAAc,KAAA,EAAO,OAAO,KAAA;AAC5C,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAUA,uBAAS,mCAAA,EAAqC;AAAA,QAC5D,QAAA,EAAU;AAAA,OACX,EAAE,IAAA,EAAK;AACR,MAAA,IAAI,OAAA,KAAY,aAAa,OAAO,SAAA;AAAA,IACtC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAiBO,SAAS,2BAA2B,WAAA,EAAiD;AAC1F,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAQC,YAAS,WAAW,CAAA;AAGlC,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,IAAA,GAAO,QAAA,CAAS,OAAO,CAAC,CAAA;AAC3C,IAAA,MAAM,aAAa,IAAA,CAAK,QAAA,CAAS,CAAC,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAA;AAEnD,IAAA,MAAM,QAAA,GAAW,IAAA,KAAS,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA;AAC3C,IAAA,MAAM,aAAA,GAAA,CAAiB,IAAA,GAAO,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA,MAAO,CAAA;AACtD,IAAA,MAAM,cAAA,GAAA,CAAkB,IAAA,GAAO,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA,MAAO,CAAA;AACvD,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,MAAA,IAAS,IAAK,CAAA,CAAA;AACzC,IAAA,MAAM,kBAAA,GAAqB,MAAM,GAAA,KAAQ,UAAA;AAEzC,IAAA,IAAI,OAAA,GAA6C,QAAA;AACjD,IAAA,IAAI,aAAA,IAAiB,gBAAgB,OAAA,GAAU,UAAA;AAAA,SAAA,IACtC,CAAC,oBAAoB,OAAA,GAAU,SAAA;AAExC,IAAA,OAAO;AAAA,MACL,2BAAA,EAA6B,QAAA;AAAA,MAC7B,sBAAA,EAAwB,UAAA;AAAA,MACxB,qBAAA,EAAuB,kBAAA;AAAA,MACvB,cAAA,EAAgB,aAAA;AAAA,MAChB,eAAA,EAAiB,cAAA;AAAA,MACjB;AAAA,KACF;AAAA,EACF,CAAA,CAAA,MAAQ;AAEN,IAAA,OAAO;AAAA,MACL,2BAAA,EAA6B,KAAA;AAAA,MAC7B,sBAAA,EAAwB,SAAA;AAAA,MACxB,qBAAA,EAAuB,KAAA;AAAA,MACvB,cAAA,EAAgB,KAAA;AAAA,MAChB,eAAA,EAAiB,KAAA;AAAA,MACjB,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AACF;AAgBO,SAAS,qBAAA,GAAgD;AAC9D,EAAA,OAAO;AAAA,IACL,kBAAA,EAAoB,IAAA;AAAA,IACpB,iBAAA,EAAmB,OAAA;AAAA,IACnB,eAAe;AAAC,GAClB;AACF;AAmBO,SAAS,kBAAkB,WAAA,EAAwC;AACxE,EAAA,MAAM,SAAS,qBAAA,EAAsB;AACrC,EAAA,MAAM,YAAY,qBAAA,EAAsB;AACxC,EAAA,MAAM,UAAA,GAAa,2BAA2B,WAAW,CAAA;AACzD,EAAA,MAAM,YAAY,qBAAA,EAAsB;AAGxC,EAAA,IAAI,YAAA,GAAe,CAAA;AACnB,EAAA,IAAI,WAAA,GAAc,CAAA;AAGlB,EAAA,IAAI,OAAO,YAAA,EAAc,YAAA,EAAA;AACzB,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,OAAO,cAAA,EAAgB,YAAA,EAAA;AAC3B,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,OAAO,mBAAA,EAAqB,YAAA,EAAA;AAChC,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,OAAO,YAAA,EAAc,YAAA,EAAA;AACzB,EAAA,WAAA,EAAA;AAGA,EAAA,IAAI,UAAU,YAAA,EAAc,YAAA,EAAA;AAC5B,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,UAAU,KAAA,EAAO,YAAA,EAAA;AACrB,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,UAAU,YAAA,EAAc,YAAA,EAAA;AAC5B,EAAA,WAAA,EAAA;AAGA,EAAA,IAAI,WAAW,2BAAA,EAA6B,YAAA,EAAA;AAC5C,EAAA,WAAA,EAAA;AAGA,EAA6E;AAC3E,IAAA,YAAA,EAAA;AAAA,EACF;AACA,EAAA,WAAA,EAAA;AAGA,EAAA,IAAI,iBAAiC,SAAA,CAAU,eAAA;AAG/C,EAAA,IACE,UAAA,CAAW,YAAY,UAAA,IACvB,MAAA,CAAO,YAAY,MAAA,IACnB,MAAA,CAAO,YAAY,SAAA,EACnB;AACA,IAAA,IAAI,mBAAmB,UAAA,EAAY;AACjC,MAAA,cAAA,GAAiB,OAAA;AAAA,IACnB,CAAA,MAAA,IAAW,mBAAmB,OAAA,EAAS;AACrC,MAAA,cAAA,GAAiB,MAAA;AAAA,IACnB;AAAA,EACF;AAGA,EAAA,MAAM,eAAyB,EAAC;AAChC,EAAA,IAAI,SAAA,CAAU,YAAA,IAAgB,SAAA,CAAU,KAAA,EAAO;AAC7C,IAAA,YAAA,CAAa,IAAA,CAAK,cAAc,SAAA,CAAU,OAAA,CAAQ,kBAAkB,SAAA,CAAU,OAAA,CAAQ,OAAA,IAAW,sBAAsB,CAAA,CAAE,CAAA;AAAA,EAC3H;AACA,EAAA,IAAI,OAAO,YAAA,EAAc;AACvB,IAAA,YAAA,CAAa,KAAK,cAAc,CAAA;AAAA,EAClC;AACA,EAAA,IAAI,WAAW,2BAAA,EAA6B;AAC1C,IAAA,YAAA,CAAa,KAAK,oCAAoC,CAAA;AAAA,EACxD;AAEA,EAAA,MAAM,UACJ,YAAA,CAAa,MAAA,GAAS,IAClB,YAAA,CAAa,IAAA,CAAK,IAAI,CAAA,GACtB,qCAAA;AAEN,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,cAAA;AAAA,IACjB,iBAAA,EAAmB,MAAA;AAAA,IACnB,iBAAA,EAAmB,SAAA;AAAA,IACnB,sBAAA,EAAwB,UAAA;AAAA,IACxB,iBAAA,EAAmB,SAAA;AAAA,IACnB,aAAA,EAAe,YAAA;AAAA,IACf,YAAA,EAAc,WAAA;AAAA,IACd;AAAA,GACF;AACF;;;AC1YO,SAAS,sBAAA,CACd,aACA,QAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,wOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,2GAAA;AAAA,YAEF,OAAA,EAAS;AAAA;AACX;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,cAAA,GAAkB,KAAK,eAAA,IAA+B,KAAA;AAC5D,QAAA,MAAM,MAAA,GAAS,kBAAkB,WAAW,CAAA;AAE5C,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,qBAAA;AAAA,UACA,QAAA;AAAA,UACA,EAAE,iBAAiB,cAAA;AAAe,SACpC;AAEA,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,iBAAiB,MAAA,CAAO,eAAA;AAAA,YACxB,SAAS,MAAA,CAAO,OAAA;AAAA,YAChB,eAAe,MAAA,CAAO,aAAA;AAAA,YACtB,cAAc,MAAA,CAAO,YAAA;AAAA,YACrB,iBAAA,EAAmB;AAAA,cACjB,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,cAAA,EAAgB,OAAO,iBAAA,CAAkB,cAAA;AAAA,cACzC,mBAAA,EAAqB,OAAO,iBAAA,CAAkB,mBAAA;AAAA,cAC9C,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,OAAA,EAAS,OAAO,iBAAA,CAAkB;AAAA,aACpC;AAAA,YACA,iBAAA,EAAmB;AAAA,cACjB,eAAA,EAAiB,OAAO,iBAAA,CAAkB,eAAA;AAAA,cAC1C,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,KAAA,EAAO,OAAO,iBAAA,CAAkB,KAAA;AAAA,cAChC,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,MAAA,EAAQ,OAAO,iBAAA,CAAkB,MAAA;AAAA,cACjC,OAAA,EAAS,OAAO,iBAAA,CAAkB;AAAA,aACpC;AAAA,YACA,sBAAA,EAAwB;AAAA,cACtB,2BAAA,EACE,OAAO,sBAAA,CAAuB,2BAAA;AAAA,cAChC,sBAAA,EAAwB,OAAO,sBAAA,CAAuB,sBAAA;AAAA,cACtD,qBAAA,EAAuB,OAAO,sBAAA,CAAuB,qBAAA;AAAA,cACrD,cAAA,EAAgB,OAAO,sBAAA,CAAuB,cAAA;AAAA,cAC9C,eAAA,EAAiB,OAAO,sBAAA,CAAuB,eAAA;AAAA,cAC/C,OAAA,EAAS,OAAO,sBAAA,CAAuB;AAAA,aACzC;AAAA,YACA,iBAAA,EAAmB;AAAA,cACjB,kBAAA,EAAoB,OAAO,iBAAA,CAAkB,kBAAA;AAAA,cAC7C,iBAAA,EAAmB,OAAO,iBAAA,CAAkB,iBAAA;AAAA,cAC5C,aAAA,EAAe,OAAO,iBAAA,CAAkB;AAAA;AAC1C,WACD,CAAA;AAAA,QACH,CAAA,MAAO;AACL,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,iBAAiB,MAAA,CAAO,eAAA;AAAA,YACxB,SAAS,MAAA,CAAO,OAAA;AAAA,YAChB,eAAe,MAAA,CAAO,aAAA;AAAA,YACtB,cAAc,MAAA,CAAO,YAAA;AAAA,YACrB,IAAA,EACE;AAAA,WAEH,CAAA;AAAA,QACH;AAAA,MACF;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,8QAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,0DAAA;AAAA,YACF,OAAA,EAAS;AAAA,WACX;AAAA,UACA,YAAA,EAAc;AAAA,YACZ,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,4DAAA;AAAA,YACF,OAAA,EAAS;AAAA,WACX;AAAA,UACA,aAAA,EAAe;AAAA,YACb,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,wDAAA;AAAA,YACF,OAAA,EAAS;AAAA;AACX;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAA,GAAmB,KAAK,gBAAA,IAAgC,IAAA;AAC9D,QAAA,MAAM,WAAA,GAAe,KAAK,YAAA,IAA4B,IAAA;AACtD,QAAA,MAAM,YAAA,GAAgB,KAAK,aAAA,IAA6B,IAAA;AAExD,QAAA,MAAM,MAAA,GAAS,kBAAkB,WAAW,CAAA;AAE5C,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,qBAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,gBAAA,EAAkB,eAAA;AAAA,YAClB,YAAA,EAAc,WAAA;AAAA,YACd,aAAA,EAAe;AAAA;AACjB,SACF;AAEA,QAAA,MAAM,OAAA,GAAmC;AAAA,UACvC,iBAAiB,MAAA,CAAO,eAAA;AAAA,UACxB,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC;AAEA,QAAA,IAAI,eAAA,EAAiB;AACnB,UAAA,MAAM,KAAK,MAAA,CAAO,sBAAA;AAClB,UAAA,OAAA,CAAQ,UAAA,GAAa;AAAA,YACnB,6BAA6B,EAAA,CAAG,2BAAA;AAAA,YAChC,cAAc,EAAA,CAAG,sBAAA;AAAA,YACjB,SAAA,EAAW,GAAG,OAAA,KAAY,QAAA;AAAA,YAC1B,MAAA,EACE,EAAA,CAAG,OAAA,KAAY,UAAA,GACX;AAAA,cACE;AAAA,aAEF,GACA,EAAA,CAAG,OAAA,KAAY,SAAA,GACb;AAAA,cACE;AAAA,gBAGF;AAAC,WACX;AAAA,QACF;AAEA,QAAA,IAAI,WAAA,EAAa;AACf,UAAA,MAAM,MAAM,MAAA,CAAO,iBAAA;AACnB,UAAA,MAAM,SAAmB,EAAC;AAC1B,UAAA,IAAI,CAAC,IAAI,YAAA,EAAc;AACrB,YAAA,MAAA,CAAO,IAAA;AAAA,cACL;AAAA,aAEF;AAAA,UACF;AACA,UAAA,OAAA,CAAQ,MAAA,GAAS;AAAA,YACf,cAAc,GAAA,CAAI,YAAA;AAAA,YAClB,gBAAgB,GAAA,CAAI,cAAA;AAAA,YACpB,wBAAwB,GAAA,CAAI,mBAAA;AAAA,YAC5B,yBAAyB,GAAA,CAAI,YAAA;AAAA,YAC7B,kBAAkB,GAAA,CAAI,OAAA;AAAA,YACtB;AAAA,WACF;AAAA,QACF;AAEA,QAAA,IAAI,YAAA,EAAc;AAChB,UAAA,MAAM,MAAM,MAAA,CAAO,iBAAA;AACnB,UAAA,OAAA,CAAQ,OAAA,GAAU;AAAA,YAChB,iBAAiB,GAAA,CAAI,eAAA;AAAA,YACrB,cAAc,GAAA,CAAI,YAAA;AAAA,YAClB,OAAO,GAAA,CAAI,KAAA;AAAA,YACX,WAAW,GAAA,CAAI,YAAA;AAAA,YACf,SAAS,GAAA,CAAI,MAAA;AAAA,YACb,aAAa,GAAA,CAAI,OAAA;AAAA,YACjB,cAAA,EACE,IAAI,eAAA,KAAoB,MAAA,GACpB,4EACA,GAAA,CAAI,eAAA,KAAoB,UACtB,8EAAA,GACA;AAAA,WACV;AAAA,QACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,MAAA,EAAQ,UAAA;AAAA,UACR;AAAA,SACD,CAAA;AAAA,MACH;AAAA;AACF,GACF;AACF;;;ACnLA,aAAA,EAAA;;;AC1BO,IAAM,gBAAN,MAA8C;AAAA,EAC3C,KAAA,uBAAY,GAAA,EAAuD;AAAA,EAEnE,UAAA,CAAW,WAAmB,GAAA,EAAqB;AACzD,IAAA,OAAO,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,IAAA,EACe;AACf,IAAA,IAAA,CAAK,MAAM,GAAA,CAAI,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA,EAAG;AAAA,MAC9C,IAAA,EAAM,IAAI,UAAA,CAAW,IAAI,CAAA;AAAA;AAAA,MACzB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,GAAA,EAAyC;AACrE,IAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,CAAM,GAAA,CAAI,KAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAC,CAAA;AAC5D,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,IAAA,OAAO,IAAI,UAAA,CAAW,KAAA,CAAM,IAAI,CAAA;AAAA,EAClC;AAAA,EAEA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EACA,gBAAA,EACkB;AAClB,IAAA,OAAO,KAAK,KAAA,CAAM,MAAA,CAAO,KAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAC,CAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,MAAA,EAA8C;AAC1E,IAAA,MAAM,UAA8B,EAAC;AACrC,IAAA,MAAM,QAAA,GAAW,GAAG,SAAS,CAAA,CAAA,CAAA;AAE7B,IAAA,KAAA,MAAW,CAAC,QAAA,EAAU,KAAK,CAAA,IAAK,KAAK,KAAA,EAAO;AAC1C,MAAA,IAAI,CAAC,QAAA,CAAS,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,MAAA,MAAM,GAAA,GAAM,QAAA,CAAS,KAAA,CAAM,QAAA,CAAS,MAAM,CAAA;AAC1C,MAAA,IAAI,MAAA,IAAU,CAAC,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AAEvC,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,GAAA;AAAA,QACA,SAAA;AAAA,QACA,UAAA,EAAY,MAAM,IAAA,CAAK,MAAA;AAAA,QACvB,aAAa,KAAA,CAAM;AAAA,OACpB,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,EAAE,GAAA,CAAI,aAAA,CAAc,CAAA,CAAE,GAAG,CAAC,CAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,MAAA,CAAO,SAAA,EAAmB,GAAA,EAA+B;AAC7D,IAAA,OAAO,KAAK,KAAA,CAAM,GAAA,CAAI,KAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAC,CAAA;AAAA,EACvD;AAAA,EAEA,MAAM,SAAA,GAA6B;AACjC,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,KAAA,MAAW,KAAA,IAAS,IAAA,CAAK,KAAA,CAAM,MAAA,EAAO,EAAG;AACvC,MAAA,KAAA,IAAS,MAAM,IAAA,CAAK,MAAA;AAAA,IACtB;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA,EAGA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACnB;AACF;;;AD3BA,eAAsB,sBAAsB,OAAA,EAIf;AAE3B,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,OAAA,EAAS,UAAU,CAAA;AAGnD,EAAA,MAAM9B,cAAAA,CAAM,OAAO,YAAA,EAAc,EAAE,WAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAGjE,EAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,iBAAA;AAAA,IACtC,CAAA,EAAG,OAAO,YAAY,CAAA,MAAA;AAAA,GACxB;AAGA,EAAA,IAAI,SAAA;AACJ,EAAA,IAAI,aAAA;AACJ,EAAA,IAAI,WAAA;AAEJ,EAAA,MAAM,UAAA,GAAa,OAAA,EAAS,UAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,oBAAA;AAEtD,EAAA,IAAI,UAAA,EAAY;AAEd,IAAA,aAAA,GAAgB,YAAA;AAGhB,IAAA,IAAI,cAAA;AACJ,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,SAAS,YAAY,CAAA;AACpD,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,MAAM,EAAE,aAAA,EAAA+B,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,QAAA,cAAA,GAAiB,IAAA,CAAK,KAAA,CAAMA,cAAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAChD;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,UAAA,EAAY,cAAc,CAAA;AAC/D,IAAA,SAAA,GAAY,MAAA,CAAO,GAAA;AAGnB,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAM,EAAE,aAAA,EAAAb,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,MAAA,MAAM,OAAA,CAAQ,KAAA;AAAA,QACZ,OAAA;AAAA,QACA,YAAA;AAAA,QACAA,cAAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,MAAM,CAAC;AAAA,OAC7C;AAAA,IACF;AAAA,EACF,CAAA,MAAO;AAEL,IAAA,aAAA,GAAgB,cAAA;AAEhB,IAAA,MAAM,EAAE,YAAA,EAAAD,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,IAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAe,aAAA,EAAAa,cAAAA,KAAkB,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAC/C,IAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,IAAA,MAAM,EAAE,iBAAA,EAAAC,kBAAAA,EAAkB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAGpC,IAAA,MAAM,YAAA,GAAe,MAAM,OAAA,CAAQ,IAAA,CAAK,SAAS,mBAAmB,CAAA;AACpE,IAAA,IAAI,YAAA,EAAc;AAEhB,MAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,sBAAA;AACnC,MAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAOF;AAAA,MACF;AAGA,MAAA,IAAI,gBAAA;AACJ,MAAA,IAAI;AACF,QAAA,gBAAA,GAAmBD,eAAc,cAAc,CAAA;AAAA,MACjD,CAAA,CAAA,MAAQ;AACN,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAEF;AAAA,MACF;AAEA,MAAA,IAAI,gBAAA,CAAiB,WAAW,EAAA,EAAI;AAClC,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAEF;AAAA,MACF;AAEA,MAAA,MAAM,YAAA,GAAef,cAAa,gBAAgB,CAAA;AAClD,MAAA,MAAM,UAAA,GAAac,eAAc,YAAY,CAAA;AAG7C,MAAA,MAAM,iBAAA,GAAoBb,eAAc,YAAY,CAAA;AACpD,MAAA,MAAM,eAAA,GAAkBA,eAAc,UAAU,CAAA;AAChD,MAAA,IAAI,CAACe,kBAAAA,CAAkB,iBAAA,EAAmB,eAAe,CAAA,EAAG;AAC1D,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAGF;AAAA,MACF;AAGA,MAAA,SAAA,GAAY,gBAAA;AAAA,IAEd,CAAA,MAAO;AAEL,MAAA,MAAM,kBAAA,GAAqB,MAAM,OAAA,CAAQ,IAAA,CAAK,OAAO,CAAA;AACrD,MAAA,MAAM,eAAe,kBAAA,CAAmB,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,QAAQ,YAAY,CAAA;AACxE,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAGF;AAAA,MACF;AAGA,MAAA,SAAA,GAAY,iBAAA,EAAkB;AAC9B,MAAA,WAAA,GAAc,YAAY,SAAS,CAAA;AAEnC,MAAA,MAAM,OAAA,GAAUhB,cAAa,SAAS,CAAA;AACtC,MAAA,MAAM,OAAA,CAAQ,KAAA;AAAA,QACZ,OAAA;AAAA,QACA,mBAAA;AAAA,QACAC,eAAc,OAAO;AAAA,OACvB;AAAA,IACF;AAAA,EACF;AAGA,EAAA,MAAM,QAAA,GAAW,IAAI,QAAA,CAAS,OAAA,EAAS,SAAS,CAAA;AAGhD,EAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,OAAA,EAAS,SAAS,CAAA;AAGpD,EAAA,MAAM,EAAE,KAAA,EAAO,OAAA,EAAS,eAAA,EAAgB,GAAI,aAAA;AAAA,IAC1C,UAAA;AAAA,IACA,OAAA;AAAA,IACA,SAAA;AAAA,IACA,aAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,gBAAgB,IAAA,EAAK;AAG3B,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA,EAAK;AAAA,UACnD,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA,EAAK;AAAA,UACnD,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA;AAAK;AACpD,OACF;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,eAAyB,EAAC;AAGhC,QAAA,YAAA,CAAa,IAAA;AAAA,UACX;AAAA,SACF;AAGA,QAAA,IAAI,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA,EAAmB;AACxD,UAAA,YAAA,CAAa,IAAA;AAAA,YACX;AAAA,WACF;AAAA,QACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAA,EAAa;AAAA,YACX,gBAAA,EAAkB,OAAO,SAAA,CAAU,WAAA;AAAA,YACnC,QAAA,EAAU;AAAA,cACR,YAAY,OAAA,CAAQ,IAAA;AAAA,cACpB,aAAA,EAAe,KAAA;AAAA,cACf,QAAA,EAAU;AAAA,aACZ;AAAA,YACA,QAAA,EAAU;AAAA,cACR,IAAI,CAAA,EAAG,OAAA,CAAQ,QAAQ,CAAA,CAAA,EAAI,QAAQ,IAAI,CAAA,CAAA;AAAA,cACvC,OAAA,EAAS,CAAA,KAAA,EAAQ,OAAA,CAAQ,OAAO,CAAA,CAAA;AAAA,cAChC,mBAAmB,MAAA,CAAO,OAAA;AAAA,cAC1B,eAAA,EAAiB;AAAA,aACnB;AAAA,YACA,OAAA,EAAS;AAAA,cACP,mBAAA,EAAqB,IAAA;AAAA;AAAA,cACrB,iBAAiB,EAAC;AAAA,cAClB,iBAAA,EAAmB;AAAA,aACrB;AAAA,YACA,eAAA,EAAiB,SAAA;AAAA,YACjB,sBAAA,EAAwB;AAAA,cACtB,kBAAA,EAAoB,IAAA;AAAA,cACpB,qBAAA,EAAuB,KAAA;AAAA,cACvB,iBAAA,EAAmB,eAAA;AAAA,cACnB,mBAAA,EACE,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA;AAAA,cACrC,oBAAA,EAAsB,IAAA;AAAA,cACtB,aAAA,EAAe,KAAA;AAAA,cACf;AAAA;AACF,WACF;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,WAAA,EACE,uEAAA;AAAA,MACF,aAAa,EAAE,IAAA,EAAM,QAAA,EAAU,UAAA,EAAY,EAAC,EAAE;AAAA,MAC9C,SAAS,YAAY;AACnB,QAAA,MAAM,gBAAA,GAAmB,MAAM,OAAA,CAAQ,SAAA,EAAU;AACjD,QAAA,MAAM,eAKD,EAAC;AAEN,QAAA,YAAA,CAAa,IAAA,CAAK;AAAA,UAChB,KAAA,EAAO,IAAA;AAAA,UACP,WAAA,EAAa,uCAAA;AAAA,UACb,QAAA,EAAU,SAAA;AAAA,UACV,UAAA,EAAY;AAAA,SACb,CAAA;AAED,QAAA,IAAI,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,iBAAA,EAAmB;AACxD,UAAA,YAAA,CAAa,IAAA,CAAK;AAAA,YAChB,KAAA,EAAO,IAAA;AAAA,YACP,WAAA,EAAa,wCAAA;AAAA,YACb,QAAA,EAAU,MAAA;AAAA,YACV,UAAA,EAAY;AAAA,WACb,CAAA;AAAA,QACH;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,QAAQ,YAAA,CAAa,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,UAAU,CAAA,GACtD,aAAA,GACA,YAAA,CAAa,KAAK,CAAC,CAAA,KAAM,EAAE,QAAA,KAAa,SAAS,IAC/C,UAAA,GACA,SAAA;AAAA,UACN,aAAA,EAAe,gBAAA;AAAA,UACf,MAAA,EAAQ;AAAA,YACN,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,QAAA;AAAA,cACR,oBAAA,EAAsB,aAAA;AAAA,cACtB,SAAA,EAAW,eAAA,CAAgB,IAAA,EAAK,CAAE,MAAA;AAAA,cAClC,eAAA,EAAiB,UAAA;AAAA,cACjB,oBAAA,EAAA,iBAAsB,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,aAC/C;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,UAAA;AAAA,cACR,cAAA,EAAgB,eAAA;AAAA,cAChB,qBAAA,EAAuB,IAAA;AAAA,cACvB,gBAAA,EAAA,iBAAkB,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,aAC3C;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EACE,MAAA,CAAO,UAAA,CAAW,YAAA,KAAiB,oBAC/B,UAAA,GACA,QAAA;AAAA,cACN,YAAA,EAAc,OAAO,UAAA,CAAW,YAAA;AAAA,cAChC,eAAA,EAAiB,CAAA;AAAA,cACjB,sBAAA,EAAwB;AAAA,aAC1B;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,QAAA;AAAA,cACR,IAAA,EAAM,OAAO,UAAA,CAAW,IAAA;AAAA,cACxB,iBAAA,EAAmB,CAAA;AAAA;AAAA,cACnB,qBAAA,EAAuB;AAAA;AACzB,WACF;AAAA,UACA,YAAA;AAAA,UACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EAAa,kCAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,oBAAA,EAAqB;AAAA,UAC3D,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,IAAA,EAAM,IAAA,EAAM,MAAM,IAAI;AAAA,WAC/B;AAAA,UACA,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACjC,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,EAAA;AAAG;AACvC,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,KAAA,CAAM;AAAA,UAClC,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,gBAAgB,IAAA,CAAK,cAAA;AAAA,UACrB,KAAA,EAAQ,KAAK,KAAA,IAAoB;AAAA,SAClC,CAAA;AACD,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA;AACF,GACF;AAGA,EAAA,MAAM,YAAA,GAA+B;AAAA,IACnC,IAAA,EAAM,oBAAA;AAAA,IACN,WAAA,EACE,sHAAA;AAAA,IAEF,aAAa,EAAE,IAAA,EAAM,QAAA,EAAU,UAAA,EAAY,EAAC,EAAE;AAAA,IAC9C,SAAS,YAAY;AACnB,MAAA,OAAO,UAAA,CAAW;AAAA,QAChB,iBAAA,EAAmB,KAAA;AAAA,QACnB,cAAA,EAAgB;AAAA,UACd,IAAA,EAAM,iCAAA;AAAA,UACN,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,QAAA,EAAU,YAAA;AAAA,UACV,OAAA,EAAS;AAAA,SACX;AAAA,QACA,MAAA,EAAQ;AAAA,UACN,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,YAAA,EAAc,cAAc,CAAA;AAAA,YACzC,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,YAC1B,QAAA,EAAU,CAAC,SAAS,CAAA;AAAA,YACpB,UAAA,EAAY;AAAA,cACV,4BAAA,EAA8B,MAAA;AAAA,cAC9B,yBAAA,EAA2B,MAAA;AAAA,cAC3B,6BAAA,EAA+B,MAAA;AAAA,cAC/B,8BAAA,EAAgC,MAAA;AAAA,cAChC,wBAAA,EAA0B,MAAA;AAAA,cAC1B,sBAAA,EAAwB,MAAA;AAAA,cACxB,yBAAA,EAA2B;AAAA;AAC7B,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,sBAAA,EAAwB,gBAAgB,CAAA;AAAA,YACrD,eAAA,EAAiB,CAAC,MAAA,CAAO,SAAA,CAAU,WAAW,CAAA;AAAA,YAC9C,UAAA,EAAY;AAAA,cACV,gCAAA,EAAkC,YAAA;AAAA,cAClC,2BAAA,EAA6B,eAAA;AAAA,cAC7B,kBAAA,EAAoB;AAAA;AACtB,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,aAAA,EAAe,kBAAkB,CAAA;AAAA,YAC9C,aAAA,EAAe,CAAC,MAAA,CAAO,UAAA,CAAW,YAAY,CAAA;AAAA,YAC9C,UAAA,EAAY;AAAA,cACV,yBAAA,EAA2B,cAAA;AAAA,cAC3B,+BAAA,EAAiC;AAAA;AACnC,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,iBAAA,EAAmB,gBAAgB,CAAA;AAAA,YAChD,KAAA,EAAO,CAAC,MAAA,CAAO,UAAA,CAAW,IAAI,CAAA;AAAA,YAC9B,UAAA,EAAY;AAAA,cACV,wBAAA,EAA0B,MAAA;AAAA,cAC1B,wBAAA,EAA0B,MAAA;AAAA,cAC1B,uBAAA,EAAyB,OAAA;AAAA,cACzB,0BAAA,EAA4B;AAAA;AAC9B;AACF,SACF;AAAA,QACA,WAAA,EAAa;AAAA,UACX,WAAA,EAAa,KAAA;AAAA,UACb,aAAA,EAAe,KAAA;AAAA,UACf,aAAA,EAAe,IAAA;AAAA,UACf,gBAAA,EAAkB;AAAA,SACpB;AAAA,QACA,WAAA,EAAa;AAAA,UACX,gEAAA;AAAA,UACA,8EAAA;AAAA,UACA,+DAAA;AAAA,UACA,0CAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA,IACH;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,OAAA,KAAY,aAAA,CAAc,OAAA,EAAS,WAAW,QAAQ,CAAA;AAGrE,EAAA,MAAM,EAAE,KAAA,EAAO,QAAA,EAAS,GAAI,cAAA;AAAA,IAC1B,MAAA;AAAA,IACA,eAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACF;AAIA,EAAA,MAAM,EAAE,KAAA,EAAO,cAAA,EAAgB,gBAAA,EAAiB,GAAI,oBAAA;AAAA,IAClD,MAAA;AAAA,IACA,eAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,OAA2C,CAAA,GAAI,aAAA;AAAA,IAC5D,OAAA;AAAA,IACA,SAAA;AAAA,IACA,eAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,eAAA,EAAgB,GAAI,qBAAA;AAAA,IACjC,QAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,WAAA,EAAY,GAAI,iBAAA;AAAA,IAC7B,OAAA;AAAA,IACA,SAAA;AAAA,IACA,eAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,UAAA,EAAW,GAAI,iBAAiB,MAAM,CAAA;AAGrD,EAAA,MAAM,EAAE,OAAO,gBAAA,EAAkB,QAAA,EAAU,qBAAoB,GAC7D,sBAAA,CAAuB,OAAA,EAAS,SAAA,EAAW,QAAQ,CAAA;AAGrD,EAAA,MAAM,cAAA,GAAiB,sBAAA,CAAuB,MAAA,CAAO,YAAA,EAAc,QAAQ,CAAA;AAG3E,EAAA,MAAM,MAAA,GAAS,MAAM,mBAAA,CAAoB,MAAA,CAAO,YAAY,CAAA;AAC5D,EAAA,MAAM,QAAA,GAAW,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AACvD,EAAA,MAAM,SAAS,IAAA,EAAK;AAGpB,EAAA,IAAI,eAAA;AACJ,EAAA,IAAI,SAAA;AAEJ,EAAA,IAAI,MAAA,CAAO,UAAU,OAAA,EAAS;AAE5B,IAAA,IAAI,SAAA,GAAY,OAAO,SAAA,CAAU,UAAA;AACjC,IAAA,IAAI,cAAc,MAAA,EAAQ;AACxB,MAAA,MAAM,EAAE,WAAA,EAAa,EAAA,EAAG,GAAI,MAAM,OAAO,QAAa,CAAA;AACtD,MAAA,SAAA,GAAY,EAAA,CAAG,EAAE,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAAA,IACnC;AAEA,IAAA,SAAA,GAAY,IAAI,wBAAA,CAAyB;AAAA,MACvC,IAAA,EAAM,OAAO,SAAA,CAAU,IAAA;AAAA,MACvB,IAAA,EAAM,OAAO,SAAA,CAAU,IAAA;AAAA,MACvB,eAAA,EAAiB,OAAO,gBAAA,CAAiB,eAAA;AAAA;AAAA,MAEzC,UAAA,EAAY,SAAA;AAAA,MACZ,GAAA,EAAK,OAAO,SAAA,CAAU,GAAA;AAAA,MACtB,SAAA,EAAW,OAAO,SAAA,CAAU;AAAA,KAC7B,CAAA;AACD,IAAA,SAAA,CAAU,eAAA,CAAgB,EAAE,MAAA,EAAQ,QAAA,EAAU,UAAU,CAAA;AACxD,IAAA,MAAM,UAAU,KAAA,EAAM;AACtB,IAAA,eAAA,GAAkB,SAAA;AAAA,EACpB,CAAA,MAAA,IAAW,OAAO,OAAA,CAAQ,OAAA,IAAW,OAAO,OAAA,CAAQ,GAAA,IAAO,MAAA,CAAO,OAAA,CAAQ,MAAA,EAAQ;AAChF,IAAA,MAAM,OAAA,GAAU,IAAI,sBAAA,CAAuB;AAAA,MACzC,WAAA,EAAa,OAAO,OAAA,CAAQ,GAAA;AAAA,MAC5B,cAAA,EAAgB,OAAO,OAAA,CAAQ,MAAA;AAAA,MAC/B,aAAA,EAAe,OAAO,OAAA,CAAQ,aAAA;AAAA,MAC9B,aAAA,EAAe,OAAO,OAAA,CAAQ,aAAA;AAAA,MAC9B,eAAA,EAAiB,OAAO,gBAAA,CAAiB;AAAA;AAAA,KAE1C,CAAA;AACD,IAAA,MAAM,QAAQ,KAAA,EAAM;AACpB,IAAA,eAAA,GAAkB,OAAA;AAAA,EACpB,CAAA,MAAO;AACL,IAAA,eAAA,GAAkB,IAAI,qBAAA,CAAsB,MAAA,CAAO,gBAAgB,CAAA;AAAA,EACrE;AAGA,EAAA,MAAM,iBAAA,GAAoB,IAAI,iBAAA,CAAkB;AAAA,IAC9C,OAAA,EAAS,IAAA;AAAA,IACT,WAAA,EAAa,QAAA;AAAA,IACb,YAAA,EAAc;AAAA,GACf,CAAA;AAGD,EAAA,MAAM,gBAAA,GAAmB,SAAA,GACrB,CAAC,KAAA,KAAuH;AACtH,IAAA,SAAA,CAAW,aAAa,iBAAA,EAAmB;AAAA,MACzC,MAAM,KAAA,CAAM,QAAA;AAAA,MACZ,UAAA,EAAY,MAAM,MAAA,CAAO,UAAA;AAAA,MACzB,OAAA,EAAS,KAAA,CAAM,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,CAAA,MAAM;AAAA,QACtC,MAAM,CAAA,CAAE,IAAA;AAAA,QACR,UAAU,CAAA,CAAE,QAAA;AAAA,QACZ,UAAU,CAAA,CAAE;AAAA,OACd,CAAE,CAAA;AAAA,MACF,cAAA,EAAgB,MAAM,MAAA,CAAO,cAAA;AAAA,MAC7B,WAAW,KAAA,CAAM;AAAA,KAClB,CAAA;AAAA,EACH,CAAA,GACA,MAAA;AAEJ,EAAA,MAAM,IAAA,GAAO,IAAI,YAAA,CAAa,MAAA,EAAQ,UAAU,eAAA,EAAiB,QAAA,EAAU,mBAAmB,gBAAgB,CAAA;AAG9G,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,MAAA,EAAQ,QAAA,EAAU,QAAQ,CAAA;AAGzE,EAAA,MAAM,iBAAmC,EAAC;AAC1C,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,cAAA,CAAe,IAAA,CAAK;AAAA,MAClB,IAAA,EAAM,0BAAA;AAAA,MACN,WAAA,EACE,8IAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,GAAA,GAAM,UAAW,gBAAA,EAAiB;AACxC,QAAA,OAAO;AAAA,UACL,OAAA,EAAS;AAAA,YACP;AAAA,cACE,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,gBACnB,aAAA,EAAe,GAAA;AAAA,gBACf,QAAA,EAAU,UAAW,UAAA,EAAW;AAAA,gBAChC,IAAA,EAAM;AAAA,eACR,EAAG,MAAM,CAAC;AAAA;AACZ;AACF,SACF;AAAA,MACF;AAAA,KACD,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,QAAA,GAA6B;AAAA,IAC/B,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,WAAA;AAAA,IACH,GAAG,QAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH,GAAG,eAAA;AAAA,IACH,GAAG,WAAA;AAAA,IACH,GAAG,UAAA;AAAA,IACH,GAAG,gBAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH;AAAA,GACF;AAGA,EAAA,QAAA,GAAW,QAAA,CAAS,GAAA,CAAI,CAAC,IAAA,MAAU;AAAA,IACjC,GAAG,IAAA;AAAA,IACH,SAAS,mBAAA,CAAoB,WAAA,CAAY,IAAA,CAAK,IAAA,EAAM,KAAK,OAAO;AAAA,GAClE,CAAE,CAAA;AAGF,EAAA,MAAM,MAAA,GAAS,YAAA,CAAa,QAAA,EAAU,EAAE,MAAM,CAAA;AAG9C,EAAA,MAAM,WAAW,MAAM,CAAA;AAGvB,EAAA,MAAM,eAAe,MAAM;AACzB,IAAA,QAAA,CAAS,IAAA,EAAK,CAAE,KAAA,CAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EAChC,CAAA;AACA,EAAA,OAAA,CAAQ,EAAA,CAAG,UAAU,YAAY,CAAA;AACjC,EAAA,OAAA,CAAQ,EAAA,CAAG,WAAW,YAAY,CAAA;AAGlC,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,OAAA,CAAQ,KAAA;AAAA,MACN,CAAA;AAAA;AAAA;AAAA,sBAAA,EAGoB,WAAA,CAAY,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,CAAA;AAAA;AAAA;AAAA;AAAA,wWAAA;AAAA,KAK9C;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,QAAQ,MAAA,EAAO;AAC1B","file":"index.cjs","sourcesContent":["/**\n * Sanctuary MCP Server — Encoding Utilities\n *\n * Base64url encoding/decoding per RFC 4648 §5.\n * Used throughout Sanctuary for serializing binary data in JSON.\n */\n\n/**\n * Encode bytes to base64url string (no padding).\n */\nexport function toBase64url(bytes: Uint8Array): string {\n const base64 = Buffer.from(bytes).toString(\"base64\");\n return base64.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/**\n * Decode base64url string to bytes.\n */\nexport function fromBase64url(str: string): Uint8Array {\n // Restore standard base64\n let base64 = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n // Add padding\n while (base64.length % 4 !== 0) {\n base64 += \"=\";\n }\n const buf = Buffer.from(base64, \"base64\");\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n}\n\n/**\n * Encode a UTF-8 string to bytes.\n */\nexport function stringToBytes(str: string): Uint8Array {\n return new TextEncoder().encode(str);\n}\n\n/**\n * Decode bytes to a UTF-8 string.\n */\nexport function bytesToString(bytes: Uint8Array): string {\n return new TextDecoder().decode(bytes);\n}\n\n/**\n * Concatenate multiple Uint8Arrays.\n */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n const totalLength = arrays.reduce((sum, arr) => sum + arr.length, 0);\n const result = new Uint8Array(totalLength);\n let offset = 0;\n for (const arr of arrays) {\n result.set(arr, offset);\n offset += arr.length;\n }\n return result;\n}\n\n/**\n * Constant-time comparison of two byte arrays.\n * Prevents timing attacks on signature/tag verification.\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++) {\n diff |= a[i]! ^ b[i]!;\n }\n return diff === 0;\n}\n","/**\n * Sanctuary MCP Server — Hashing and Merkle Trees\n *\n * SHA-256 hashing for integrity verification.\n * Merkle trees for namespace-level state integrity.\n */\n\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { hmac } from \"@noble/hashes/hmac\";\nimport { toBase64url, concatBytes, stringToBytes } from \"./encoding.js\";\n\n/**\n * Compute SHA-256 hash of data.\n */\nexport function hash(data: Uint8Array): Uint8Array {\n return sha256(data);\n}\n\n/**\n * Compute SHA-256 hash and return as base64url string.\n */\nexport function hashToString(data: Uint8Array): string {\n return toBase64url(hash(data));\n}\n\n/**\n * Compute HMAC-SHA256.\n */\nexport function hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array {\n return hmac(sha256, key, data);\n}\n\n// ─── Merkle Tree ─────────────────────────────────────────────────────────────\n\nexport interface MerkleNode {\n hash: string; // base64url SHA-256\n left?: MerkleNode;\n right?: MerkleNode;\n key?: string; // Leaf nodes store the state key\n}\n\nexport interface MerkleProof {\n leaf: string;\n path: Array<{\n hash: string;\n position: \"left\" | \"right\";\n }>;\n root: string;\n}\n\n/**\n * Build a Merkle tree from a set of key-hash pairs.\n * Keys are sorted lexicographically for deterministic ordering.\n *\n * @param entries - Map of state key → content hash (base64url)\n * @returns Root node of the Merkle tree\n */\nexport function buildMerkleTree(\n entries: Map<string, string>\n): MerkleNode | null {\n if (entries.size === 0) return null;\n\n // Sort keys for deterministic tree construction\n const sortedKeys = Array.from(entries.keys()).sort();\n\n // Create leaf nodes: H(key || content_hash)\n let nodes: MerkleNode[] = sortedKeys.map((key) => {\n const contentHash = entries.get(key)!;\n const leafData = concatBytes(\n stringToBytes(key),\n stringToBytes(contentHash)\n );\n return {\n hash: hashToString(leafData),\n key,\n };\n });\n\n // Build tree bottom-up\n while (nodes.length > 1) {\n const nextLevel: MerkleNode[] = [];\n for (let i = 0; i < nodes.length; i += 2) {\n const left = nodes[i]!;\n if (i + 1 < nodes.length) {\n const right = nodes[i + 1]!;\n const parentData = concatBytes(\n stringToBytes(left.hash),\n stringToBytes(right.hash)\n );\n nextLevel.push({\n hash: hashToString(parentData),\n left,\n right,\n });\n } else {\n // Odd node — promote directly\n nextLevel.push(left);\n }\n }\n nodes = nextLevel;\n }\n\n return nodes[0] ?? null;\n}\n\n/**\n * Generate a Merkle proof for a specific key.\n *\n * @param entries - All key-hash pairs in the namespace\n * @param targetKey - The key to generate a proof for\n * @returns MerkleProof or null if key not found\n */\nexport function generateMerkleProof(\n entries: Map<string, string>,\n targetKey: string\n): MerkleProof | null {\n if (!entries.has(targetKey)) return null;\n\n const sortedKeys = Array.from(entries.keys()).sort();\n const targetIndex = sortedKeys.indexOf(targetKey);\n if (targetIndex === -1) return null;\n\n // Create leaf hashes\n const leafHashes: string[] = sortedKeys.map((key) => {\n const contentHash = entries.get(key)!;\n const leafData = concatBytes(\n stringToBytes(key),\n stringToBytes(contentHash)\n );\n return hashToString(leafData);\n });\n\n const path: MerkleProof[\"path\"] = [];\n let currentIndex = targetIndex;\n let currentLevel = leafHashes;\n\n while (currentLevel.length > 1) {\n const nextLevel: string[] = [];\n for (let i = 0; i < currentLevel.length; i += 2) {\n const left = currentLevel[i]!;\n if (i + 1 < currentLevel.length) {\n const right = currentLevel[i + 1]!;\n\n // If our target is at this pair, record the sibling\n if (i === currentIndex || i + 1 === currentIndex) {\n if (currentIndex === i) {\n path.push({ hash: right, position: \"right\" });\n } else {\n path.push({ hash: left, position: \"left\" });\n }\n }\n\n const parentData = concatBytes(\n stringToBytes(left),\n stringToBytes(right)\n );\n nextLevel.push(hashToString(parentData));\n } else {\n // Odd node — promote directly, no sibling to record\n nextLevel.push(left);\n }\n }\n currentIndex = Math.floor(currentIndex / 2);\n currentLevel = nextLevel;\n }\n\n const root = buildMerkleTree(entries);\n\n return {\n leaf: leafHashes[targetIndex]!,\n path,\n root: root?.hash ?? \"\",\n };\n}\n\n/**\n * Verify a Merkle proof.\n *\n * @param proof - The proof to verify\n * @returns true if the proof is valid\n */\nexport function verifyMerkleProof(proof: MerkleProof): boolean {\n let currentHash = proof.leaf;\n\n for (const step of proof.path) {\n const left =\n step.position === \"left\" ? step.hash : currentHash;\n const right =\n step.position === \"right\" ? step.hash : currentHash;\n const parentData = concatBytes(\n stringToBytes(left),\n stringToBytes(right)\n );\n currentHash = hashToString(parentData);\n }\n\n return currentHash === proof.root;\n}\n\n/**\n * Compute the Merkle root for a set of entries.\n * Convenience function that builds the tree and returns just the root hash.\n */\nexport function computeMerkleRoot(entries: Map<string, string>): string {\n const tree = buildMerkleTree(entries);\n return tree?.hash ?? \"\";\n}\n","/**\n * Sanctuary MCP Server — Configuration\n *\n * Loads and validates server configuration from file or environment variables.\n */\n\nimport { readFile, writeFile } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport { createRequire } from \"node:module\";\n\nconst require = createRequire(import.meta.url);\nconst { version: PKG_VERSION } = require(\"../package.json\");\n\n/** Package version, exported for use by other modules (avoids duplicate require paths). */\nexport const SANCTUARY_VERSION = PKG_VERSION;\n\nexport interface SanctuaryConfig {\n version: string;\n storage_path: string;\n principal_id?: string;\n\n state: {\n encryption: \"aes-256-gcm\";\n key_protection: \"passphrase\" | \"hardware-key\" | \"none\";\n key_derivation: \"argon2id\";\n integrity: \"merkle-sha256\";\n identity_provider: \"ed25519\";\n };\n\n execution: {\n environment: \"local-process\" | \"docker\" | \"tee\";\n attestation: boolean;\n resource_limits: {\n max_memory_mb: number;\n max_storage_mb: number;\n max_cpu_percent: number;\n };\n };\n\n disclosure: {\n proof_system: \"groth16\" | \"plonk\" | \"commitment-only\";\n default_policy: \"minimum-necessary\" | \"withhold-all\";\n };\n\n reputation: {\n mode: \"self-custodied\" | \"service-mediated\";\n attestation_format: \"eas-compatible\";\n export_format: \"SANCTUARY_REP_V1\";\n service_endpoints: string[];\n };\n\n transport: \"stdio\" | \"http\";\n http_port: number;\n\n dashboard: {\n enabled: boolean;\n port: number;\n host: string;\n /** Bearer token for dashboard auth. If \"auto\", one is generated at startup. */\n auth_token?: string;\n /** Auto-open dashboard in default browser on startup. Default: true for localhost. */\n auto_open?: boolean;\n /** TLS cert/key paths for HTTPS dashboard. */\n tls?: {\n cert_path: string;\n key_path: string;\n };\n };\n\n webhook: {\n enabled: boolean;\n /** URL to POST approval requests to */\n url: string;\n /** Shared secret for HMAC-SHA256 signatures */\n secret: string;\n /** Port for callback listener (receives approval responses) */\n callback_port: number;\n /** Host for callback listener */\n callback_host: string;\n };\n}\n\n/** Default configuration */\nexport function defaultConfig(): SanctuaryConfig {\n return {\n version: PKG_VERSION,\n storage_path: join(homedir(), \".sanctuary\"),\n state: {\n encryption: \"aes-256-gcm\",\n key_protection: \"none\",\n key_derivation: \"argon2id\",\n integrity: \"merkle-sha256\",\n identity_provider: \"ed25519\",\n },\n execution: {\n environment: \"local-process\",\n attestation: true,\n resource_limits: {\n max_memory_mb: 512,\n max_storage_mb: 1024,\n max_cpu_percent: 50,\n },\n },\n disclosure: {\n proof_system: \"commitment-only\",\n default_policy: \"minimum-necessary\",\n },\n reputation: {\n mode: \"self-custodied\",\n attestation_format: \"eas-compatible\",\n export_format: \"SANCTUARY_REP_V1\",\n service_endpoints: [],\n },\n transport: \"stdio\",\n http_port: 3500,\n dashboard: {\n enabled: false,\n port: 3501,\n host: \"127.0.0.1\",\n },\n webhook: {\n enabled: false,\n url: \"\",\n secret: \"\",\n callback_port: 3502,\n callback_host: \"127.0.0.1\",\n },\n };\n}\n\n/**\n * Load configuration from file, falling back to defaults.\n *\n * Precedence (highest wins): CLI flags > env vars > config file > defaults\n * This matches the standard config precedence pattern used by most tools.\n */\nexport async function loadConfig(\n configPath?: string\n): Promise<SanctuaryConfig> {\n let config = defaultConfig();\n\n // Phase 1: Merge config file on top of defaults\n const storagePath = process.env.SANCTUARY_STORAGE_PATH ?? config.storage_path;\n const path = configPath ?? join(storagePath, \"sanctuary.json\");\n\n try {\n const raw = await readFile(path, \"utf-8\");\n const fileConfig = JSON.parse(raw);\n config = deepMerge(config, fileConfig);\n } catch (err) {\n // Re-throw validation errors — only swallow file-not-found\n if (err instanceof Error && err.message.includes(\"unimplemented features\")) {\n throw err;\n }\n // No config file — continue with defaults\n }\n\n // Phase 2: Apply env var overrides ON TOP of file config (env always wins)\n if (process.env.SANCTUARY_STORAGE_PATH) {\n config.storage_path = process.env.SANCTUARY_STORAGE_PATH;\n }\n if (process.env.SANCTUARY_TRANSPORT) {\n config.transport = process.env.SANCTUARY_TRANSPORT as \"stdio\" | \"http\";\n }\n if (process.env.SANCTUARY_HTTP_PORT) {\n config.http_port = parseInt(process.env.SANCTUARY_HTTP_PORT, 10);\n }\n if (process.env.SANCTUARY_DASHBOARD_ENABLED === \"true\") {\n config.dashboard.enabled = true;\n }\n if (process.env.SANCTUARY_DASHBOARD_ENABLED === \"false\") {\n config.dashboard.enabled = false;\n }\n if (process.env.SANCTUARY_DASHBOARD_PORT) {\n config.dashboard.port = parseInt(process.env.SANCTUARY_DASHBOARD_PORT, 10);\n }\n if (process.env.SANCTUARY_DASHBOARD_HOST) {\n config.dashboard.host = process.env.SANCTUARY_DASHBOARD_HOST;\n }\n if (process.env.SANCTUARY_DASHBOARD_AUTH_TOKEN) {\n config.dashboard.auth_token = process.env.SANCTUARY_DASHBOARD_AUTH_TOKEN;\n }\n if (process.env.SANCTUARY_DASHBOARD_AUTO_OPEN === \"true\") {\n config.dashboard.auto_open = true;\n }\n if (process.env.SANCTUARY_DASHBOARD_AUTO_OPEN === \"false\") {\n config.dashboard.auto_open = false;\n }\n if (process.env.SANCTUARY_DASHBOARD_TLS_CERT && process.env.SANCTUARY_DASHBOARD_TLS_KEY) {\n config.dashboard.tls = {\n cert_path: process.env.SANCTUARY_DASHBOARD_TLS_CERT,\n key_path: process.env.SANCTUARY_DASHBOARD_TLS_KEY,\n };\n }\n if (process.env.SANCTUARY_WEBHOOK_ENABLED === \"true\") {\n config.webhook.enabled = true;\n }\n if (process.env.SANCTUARY_WEBHOOK_ENABLED === \"false\") {\n config.webhook.enabled = false;\n }\n if (process.env.SANCTUARY_WEBHOOK_URL) {\n config.webhook.url = process.env.SANCTUARY_WEBHOOK_URL;\n }\n if (process.env.SANCTUARY_WEBHOOK_SECRET) {\n config.webhook.secret = process.env.SANCTUARY_WEBHOOK_SECRET;\n }\n if (process.env.SANCTUARY_WEBHOOK_CALLBACK_PORT) {\n config.webhook.callback_port = parseInt(process.env.SANCTUARY_WEBHOOK_CALLBACK_PORT, 10);\n }\n if (process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST) {\n config.webhook.callback_host = process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST;\n }\n\n // Phase 3: Always stamp the running version from package.json (Bug 2 fix —\n // sanctuary.json may store a stale version from first run)\n config.version = PKG_VERSION;\n\n validateConfig(config);\n return config;\n}\n\n/**\n * Save configuration to file.\n */\nexport async function saveConfig(\n config: SanctuaryConfig,\n configPath?: string\n): Promise<void> {\n const path =\n configPath ?? join(config.storage_path, \"sanctuary.json\");\n await writeFile(path, JSON.stringify(config, null, 2), { mode: 0o600 });\n}\n\n/**\n * Validate that config does not reference unimplemented features.\n * Throws a descriptive error if any unimplemented value is found.\n * This prevents silent security degradation (SEC-019).\n */\nexport function validateConfig(config: SanctuaryConfig): void {\n const errors: string[] = [];\n\n // Implemented key_protection values: \"passphrase\", \"none\"\n // Unimplemented: \"hardware-key\" (planned for future FIDO2/WebAuthn support)\n const implementedKeyProtection = new Set([\"passphrase\", \"none\"]);\n if (!implementedKeyProtection.has(config.state.key_protection)) {\n errors.push(\n `Unimplemented config value: state.key_protection = \"${config.state.key_protection}\". ` +\n `Only ${[...implementedKeyProtection].map(v => `\"${v}\"`).join(\", \")} are currently implemented. ` +\n `Using an unimplemented key protection mode would silently degrade security.`\n );\n }\n\n // Implemented environment values: \"local-process\", \"docker\"\n // Unimplemented: \"tee\" (TEE-backed execution attestation not yet integrated)\n const implementedEnvironment = new Set([\"local-process\", \"docker\"]);\n if (!implementedEnvironment.has(config.execution.environment)) {\n errors.push(\n `Unimplemented config value: execution.environment = \"${config.execution.environment}\". ` +\n `Only ${[...implementedEnvironment].map(v => `\"${v}\"`).join(\", \")} are currently implemented. ` +\n `Using an unimplemented environment would silently degrade security.`\n );\n }\n\n // Implemented proof_system values: \"commitment-only\"\n // Unimplemented: \"groth16\", \"plonk\" (SNARK proof systems not yet available)\n const implementedProofSystem = new Set([\"commitment-only\"]);\n if (!implementedProofSystem.has(config.disclosure.proof_system)) {\n errors.push(\n `Unimplemented config value: disclosure.proof_system = \"${config.disclosure.proof_system}\". ` +\n `Only ${[...implementedProofSystem].map(v => `\"${v}\"`).join(\", \")} is currently implemented. ` +\n `Using an unimplemented proof system would silently degrade security.`\n );\n }\n\n // Implemented disclosure.default_policy values: \"minimum-necessary\"\n // Unimplemented: \"withhold-all\" (global withhold policy not yet implemented)\n const implementedDisclosurePolicy = new Set([\"minimum-necessary\"]);\n if (!implementedDisclosurePolicy.has(config.disclosure.default_policy)) {\n errors.push(\n `Unimplemented config value: disclosure.default_policy = \"${config.disclosure.default_policy}\". ` +\n `Only ${[...implementedDisclosurePolicy].map(v => `\"${v}\"`).join(\", \")} is currently implemented. ` +\n `Using an unimplemented disclosure policy would silently skip disclosure controls.`\n );\n }\n\n // Implemented reputation.mode values: \"self-custodied\"\n // Unimplemented: \"service-mediated\" (third-party reputation service not yet integrated)\n const implementedReputationMode = new Set([\"self-custodied\"]);\n if (!implementedReputationMode.has(config.reputation.mode)) {\n errors.push(\n `Unimplemented config value: reputation.mode = \"${config.reputation.mode}\". ` +\n `Only ${[...implementedReputationMode].map(v => `\"${v}\"`).join(\", \")} is currently implemented. ` +\n `Using an unimplemented reputation mode would silently skip reputation verification.`\n );\n }\n\n if (errors.length > 0) {\n throw new Error(\n `Sanctuary configuration references unimplemented features:\\n${errors.join(\"\\n\")}`\n );\n }\n}\n\n/** Deep merge two objects (target takes precedence) */\nfunction deepMerge(base: object, override: object): SanctuaryConfig {\n const result: Record<string, unknown> = { ...base };\n for (const [key, value] of Object.entries(override)) {\n if (\n value !== null &&\n typeof value === \"object\" &&\n !Array.isArray(value) &&\n typeof result[key] === \"object\" &&\n result[key] !== null\n ) {\n result[key] = deepMerge(\n result[key] as object,\n value as object\n );\n } else {\n result[key] = value;\n }\n }\n return result as unknown as SanctuaryConfig;\n}\n","/**\n * Sanctuary MCP Server — Secure Random Generation\n *\n * All randomness in Sanctuary flows through this module.\n * Uses crypto.getRandomValues (Web Crypto API) for CSPRNG.\n */\n\nimport { randomBytes as nodeRandomBytes } from \"node:crypto\";\n\n/**\n * Generate cryptographically secure random bytes.\n * Uses Node.js crypto module (backed by OpenSSL CSPRNG).\n */\nexport function randomBytes(length: number): Uint8Array {\n if (length <= 0) {\n throw new RangeError(\"Length must be positive\");\n }\n const buf = nodeRandomBytes(length);\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n}\n\n/**\n * Generate a random IV for AES-256-GCM (12 bytes per NIST SP 800-38D).\n */\nexport function generateIV(): Uint8Array {\n return randomBytes(12);\n}\n\n/**\n * Generate a random salt for key derivation (32 bytes).\n */\nexport function generateSalt(): Uint8Array {\n return randomBytes(32);\n}\n\n/**\n * Generate a random 256-bit key (for recovery key generation).\n */\nexport function generateRandomKey(): Uint8Array {\n return randomBytes(32);\n}\n","/**\n * Sanctuary MCP Server — Filesystem Storage Backend\n *\n * Default storage backend using the local filesystem.\n * Files are stored as: {basePath}/{namespace}/{key}.enc\n *\n * Security invariants:\n * - Secure deletion overwrites file content with random bytes before unlinking\n * - Directory creation uses restrictive permissions (0o700)\n * - File creation uses restrictive permissions (0o600)\n */\n\nimport { mkdir, readFile, writeFile, unlink, readdir, stat } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { randomBytes } from \"../core/random.js\";\nimport type { StorageBackend, StorageEntryMeta } from \"./interface.js\";\n\nexport class FilesystemStorage implements StorageBackend {\n private basePath: string;\n\n constructor(basePath: string) {\n this.basePath = basePath;\n }\n\n private entryPath(namespace: string, key: string): string {\n // Sanitize namespace and key to prevent path traversal\n const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n const safeKey = key.replace(/[^a-zA-Z0-9_.-]/g, \"_\");\n return join(this.basePath, safeNamespace, `${safeKey}.enc`);\n }\n\n private namespacePath(namespace: string): string {\n const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n return join(this.basePath, safeNamespace);\n }\n\n async write(\n namespace: string,\n key: string,\n data: Uint8Array\n ): Promise<void> {\n const dirPath = this.namespacePath(namespace);\n const filePath = this.entryPath(namespace, key);\n\n // Create namespace directory with restrictive permissions\n await mkdir(dirPath, { recursive: true, mode: 0o700 });\n\n // Write file with restrictive permissions (owner read/write only)\n await writeFile(filePath, data, { mode: 0o600 });\n }\n\n async read(namespace: string, key: string): Promise<Uint8Array | null> {\n const filePath = this.entryPath(namespace, key);\n try {\n const buf = await readFile(filePath);\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return null;\n }\n throw err;\n }\n }\n\n async delete(\n namespace: string,\n key: string,\n secureOverwrite = true\n ): Promise<boolean> {\n const filePath = this.entryPath(namespace, key);\n\n try {\n if (secureOverwrite) {\n // Read the file to determine its size\n const fileStat = await stat(filePath);\n const size = fileStat.size;\n\n // Overwrite with random bytes (3 passes for defense in depth)\n for (let pass = 0; pass < 3; pass++) {\n const randomData = randomBytes(size);\n await writeFile(filePath, randomData, { mode: 0o600 });\n }\n }\n\n // Remove the file\n await unlink(filePath);\n return true;\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return false;\n }\n throw err;\n }\n }\n\n async list(namespace: string, prefix?: string): Promise<StorageEntryMeta[]> {\n const dirPath = this.namespacePath(namespace);\n\n try {\n const files = await readdir(dirPath);\n const entries: StorageEntryMeta[] = [];\n\n for (const file of files) {\n if (!file.endsWith(\".enc\")) continue;\n\n const key = file.slice(0, -4); // Remove .enc extension\n if (prefix && !key.startsWith(prefix)) continue;\n\n const filePath = join(dirPath, file);\n const fileStat = await stat(filePath);\n\n entries.push({\n key,\n namespace,\n size_bytes: fileStat.size,\n modified_at: fileStat.mtime.toISOString(),\n });\n }\n\n return entries.sort((a, b) => a.key.localeCompare(b.key));\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return [];\n }\n throw err;\n }\n }\n\n async exists(namespace: string, key: string): Promise<boolean> {\n const filePath = this.entryPath(namespace, key);\n try {\n await stat(filePath);\n return true;\n } catch {\n return false;\n }\n }\n\n async totalSize(): Promise<number> {\n let total = 0;\n\n try {\n const namespaces = await readdir(this.basePath);\n for (const ns of namespaces) {\n const nsPath = join(this.basePath, ns);\n const nsStat = await stat(nsPath);\n if (!nsStat.isDirectory()) continue;\n\n const files = await readdir(nsPath);\n for (const file of files) {\n const filePath = join(nsPath, file);\n const fileStat = await stat(filePath);\n total += fileStat.size;\n }\n }\n } catch {\n // If base path doesn't exist yet, total is 0\n }\n\n return total;\n }\n}\n","/**\n * Sanctuary MCP Server — AES-256-GCM Encryption\n *\n * All state encryption in Sanctuary uses AES-256-GCM (authenticated encryption).\n * This provides both confidentiality and integrity — a modified ciphertext will\n * fail authentication, detecting tampering.\n *\n * Security invariants:\n * - Every encryption uses a unique 12-byte IV (NIST SP 800-38D)\n * - The 16-byte authentication tag is always verified on decryption\n * - Keys are 256 bits (32 bytes)\n */\n\nimport { gcm } from \"@noble/ciphers/aes.js\";\nimport { generateIV } from \"./random.js\";\nimport { toBase64url, fromBase64url } from \"./encoding.js\";\n\n/** Encrypted payload structure stored on disk */\nexport interface EncryptedPayload {\n /** Format version */\n v: number;\n /** Algorithm identifier */\n alg: \"aes-256-gcm\";\n /** Initialization vector (base64url) */\n iv: string;\n /** Ciphertext (base64url) */\n ct: string;\n /** Authentication tag (base64url) — included in ciphertext by @noble/ciphers */\n /** Timestamp */\n ts: string;\n}\n\n/**\n * Encrypt plaintext bytes with AES-256-GCM.\n *\n * @param plaintext - Data to encrypt\n * @param key - 256-bit encryption key\n * @param aad - Optional additional authenticated data (authenticated but not encrypted)\n * @returns EncryptedPayload ready for JSON serialization\n */\nexport function encrypt(\n plaintext: Uint8Array,\n key: Uint8Array,\n aad?: Uint8Array\n): EncryptedPayload {\n if (key.length !== 32) {\n throw new Error(\"Key must be exactly 32 bytes (256 bits)\");\n }\n\n const iv = generateIV();\n const cipher = gcm(key, iv, aad);\n // @noble/ciphers gcm.encrypt appends the 16-byte auth tag to the ciphertext\n const ciphertext = cipher.encrypt(plaintext);\n\n return {\n v: 1,\n alg: \"aes-256-gcm\",\n iv: toBase64url(iv),\n ct: toBase64url(ciphertext),\n ts: new Date().toISOString(),\n };\n}\n\n/**\n * Decrypt an AES-256-GCM encrypted payload.\n *\n * @param payload - EncryptedPayload from encrypt()\n * @param key - 256-bit encryption key (must match the encryption key)\n * @param aad - Optional additional authenticated data (must match encryption AAD)\n * @returns Decrypted plaintext bytes\n * @throws If authentication tag verification fails (tampered data)\n */\nexport function decrypt(\n payload: EncryptedPayload,\n key: Uint8Array,\n aad?: Uint8Array\n): Uint8Array {\n if (key.length !== 32) {\n throw new Error(\"Key must be exactly 32 bytes (256 bits)\");\n }\n if (payload.v !== 1) {\n throw new Error(`Unsupported payload version: ${payload.v}`);\n }\n if (payload.alg !== \"aes-256-gcm\") {\n throw new Error(`Unsupported algorithm: ${payload.alg}`);\n }\n\n const iv = fromBase64url(payload.iv);\n const ciphertext = fromBase64url(payload.ct);\n const cipher = gcm(key, iv, aad);\n\n // gcm.decrypt verifies the auth tag and throws if tampered\n return cipher.decrypt(ciphertext);\n}\n\n/**\n * Re-encrypt data with a new key (for key rotation or export).\n * Decrypts with old key, re-encrypts with new key.\n */\nexport function reEncrypt(\n payload: EncryptedPayload,\n oldKey: Uint8Array,\n newKey: Uint8Array,\n aad?: Uint8Array\n): EncryptedPayload {\n const plaintext = decrypt(payload, oldKey, aad);\n return encrypt(plaintext, newKey, aad);\n}\n","/**\n * Sanctuary MCP Server — L1 Cognitive Sovereignty: StateStore\n *\n * The encrypted state store is the foundation of Sanctuary.\n * Every read and write goes through here. All data is encrypted\n * with namespace-specific keys. All writes are signed by an identity.\n * All reads verify integrity via Merkle proofs.\n *\n * Security invariants:\n * - Plaintext never touches the filesystem\n * - Every write gets a unique IV\n * - Every write is signed (non-repudiation)\n * - Monotonic version numbers prevent rollback\n * - Merkle tree verifies namespace integrity\n * - Secure deletion overwrites before unlinking\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport {\n encrypt,\n decrypt,\n type EncryptedPayload,\n} from \"../core/encryption.js\";\nimport {\n hashToString,\n computeMerkleRoot,\n generateMerkleProof,\n verifyMerkleProof,\n} from \"../core/hashing.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { deriveNamespaceKey } from \"../core/key-derivation.js\";\nimport {\n toBase64url,\n fromBase64url,\n stringToBytes,\n bytesToString,\n} from \"../core/encoding.js\";\nimport type { EncryptedPayload as EncPayload } from \"../core/encryption.js\";\n\n/**\n * Reserved namespace prefixes — used by internal subsystems.\n * Imported bundles MUST NOT write to these namespaces.\n */\nconst RESERVED_NAMESPACE_PREFIXES = [\n \"_identities\",\n \"_policies\",\n \"_audit\",\n \"_meta\",\n \"_principal\",\n \"_commitments\",\n \"_reputation\",\n \"_escrow\",\n \"_guarantees\",\n \"_bridge\",\n \"_federation\",\n \"_handshake\",\n \"_shr\",\n] as const;\n\n/**\n * Check whether a namespace is reserved (internal subsystem use only).\n * External callers MUST NOT read, write, list, or import these namespaces.\n */\nexport function isReservedNamespace(namespace: string): boolean {\n return RESERVED_NAMESPACE_PREFIXES.some(\n (prefix) => namespace === prefix || namespace.startsWith(prefix + \"/\")\n );\n}\n\n/** On-disk format for an encrypted state entry */\nexport interface StateEntry {\n /** Format version */\n v: number;\n /** Encrypted payload */\n payload: EncryptedPayload;\n /** Version number (monotonically increasing) */\n ver: number;\n /** Signature over ciphertext by the writing identity (base64url) */\n sig: string;\n /** Identity that wrote this entry */\n kid: string;\n /** SHA-256 of the plaintext value (base64url, for client-side verification) */\n integrity_hash: string;\n /** Metadata */\n metadata: {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n written_at: string;\n };\n}\n\n/** Result of a state write operation */\nexport interface WriteResult {\n key: string;\n namespace: string;\n version: number;\n merkle_root: string;\n written_at: string;\n size_bytes: number;\n integrity_hash: string;\n}\n\n/** Result of a state read operation */\nexport interface ReadResult {\n key: string;\n namespace: string;\n value: string;\n version: number;\n integrity_verified: boolean;\n merkle_proof: string[];\n written_at: string;\n written_by: string;\n}\n\n/** Options for state write */\nexport interface WriteOptions {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n}\n\nexport class StateStore {\n private storage: StorageBackend;\n private masterKey: Uint8Array;\n\n // Cache of version numbers per namespace/key for anti-rollback\n private versionCache = new Map<string, number>();\n\n // Cache of content hashes per namespace for Merkle tree computation\n private contentHashes = new Map<string, Map<string, string>>();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.masterKey = masterKey;\n }\n\n private versionKey(namespace: string, key: string): string {\n return `${namespace}/${key}`;\n }\n\n /**\n * Get or initialize the content hash map for a namespace.\n */\n private async getNamespaceHashes(\n namespace: string\n ): Promise<Map<string, string>> {\n if (this.contentHashes.has(namespace)) {\n return this.contentHashes.get(namespace)!;\n }\n\n // Load existing entries to build the hash map\n const entries = await this.storage.list(namespace);\n const hashMap = new Map<string, string>();\n\n for (const entry of entries) {\n const raw = await this.storage.read(namespace, entry.key);\n if (raw) {\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n hashMap.set(entry.key, stateEntry.integrity_hash);\n this.versionCache.set(\n this.versionKey(namespace, entry.key),\n stateEntry.ver\n );\n } catch {\n // Corrupted entry — skip it\n }\n }\n }\n\n this.contentHashes.set(namespace, hashMap);\n return hashMap;\n }\n\n /**\n * Write encrypted state.\n *\n * @param namespace - Logical grouping\n * @param key - State key\n * @param value - Plaintext value (will be encrypted)\n * @param identityId - Identity performing the write\n * @param encryptedPrivateKey - Identity's encrypted private key (for signing)\n * @param identityEncryptionKey - Key to decrypt the identity's private key\n * @param options - Optional metadata\n */\n async write(\n namespace: string,\n key: string,\n value: string,\n identityId: string,\n encryptedPrivateKey: EncPayload,\n identityEncryptionKey: Uint8Array,\n options: WriteOptions = {}\n ): Promise<WriteResult> {\n const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);\n const plaintext = stringToBytes(value);\n\n // Compute integrity hash of plaintext\n const integrityHash = hashToString(plaintext);\n\n // Encrypt the value\n const payload = encrypt(plaintext, namespaceKey);\n\n // Determine version number (monotonically increasing)\n const vk = this.versionKey(namespace, key);\n const currentVersion = this.versionCache.get(vk) ?? 0;\n const newVersion = currentVersion + 1;\n\n // Sign the ciphertext (non-repudiation)\n const ciphertextBytes = fromBase64url(payload.ct);\n const signature = sign(\n ciphertextBytes,\n encryptedPrivateKey,\n identityEncryptionKey\n );\n\n const now = new Date().toISOString();\n\n // Construct the state entry\n const stateEntry: StateEntry = {\n v: 1,\n payload,\n ver: newVersion,\n sig: toBase64url(signature),\n kid: identityId,\n integrity_hash: integrityHash,\n metadata: {\n content_type: options.content_type,\n ttl_seconds: options.ttl_seconds,\n tags: options.tags,\n written_at: now,\n },\n };\n\n // Serialize and write to storage\n const serialized = stringToBytes(JSON.stringify(stateEntry));\n await this.storage.write(namespace, key, serialized);\n\n // Update caches\n this.versionCache.set(vk, newVersion);\n const nsHashes = await this.getNamespaceHashes(namespace);\n nsHashes.set(key, integrityHash);\n\n // Compute new Merkle root\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n key,\n namespace,\n version: newVersion,\n merkle_root: merkleRoot,\n written_at: now,\n size_bytes: serialized.length,\n integrity_hash: integrityHash,\n };\n }\n\n /**\n * Read and decrypt state.\n *\n * @param namespace - Logical grouping\n * @param key - State key\n * @param signerPublicKey - Expected signer's public key (for signature verification)\n * @param verifyIntegrity - Whether to verify Merkle proof (default: true)\n */\n async read(\n namespace: string,\n key: string,\n signerPublicKey?: Uint8Array,\n verifyIntegrity = true\n ): Promise<ReadResult | null> {\n const raw = await this.storage.read(namespace, key);\n if (!raw) return null;\n\n let stateEntry: StateEntry;\n try {\n stateEntry = JSON.parse(bytesToString(raw));\n } catch {\n throw new Error(`Corrupted state entry: ${namespace}/${key}`);\n }\n\n if (stateEntry.v !== 1) {\n throw new Error(`Unsupported state entry version: ${stateEntry.v}`);\n }\n\n // Anti-rollback check\n const vk = this.versionKey(namespace, key);\n const cachedVersion = this.versionCache.get(vk);\n if (cachedVersion !== undefined && stateEntry.ver < cachedVersion) {\n throw new Error(\n `Rollback detected for ${namespace}/${key}: ` +\n `found version ${stateEntry.ver}, expected >= ${cachedVersion}`\n );\n }\n\n // Verify signature if public key provided\n if (signerPublicKey) {\n const ciphertextBytes = fromBase64url(stateEntry.payload.ct);\n const signatureBytes = fromBase64url(stateEntry.sig);\n const sigValid = verify(ciphertextBytes, signatureBytes, signerPublicKey);\n if (!sigValid) {\n throw new Error(\n `Signature verification failed for ${namespace}/${key}`\n );\n }\n }\n\n // Decrypt\n const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);\n const plaintext = decrypt(stateEntry.payload, namespaceKey);\n const value = bytesToString(plaintext);\n\n // Verify integrity hash\n const computedHash = hashToString(plaintext);\n if (computedHash !== stateEntry.integrity_hash) {\n throw new Error(\n `Integrity hash mismatch for ${namespace}/${key}: ` +\n `computed ${computedHash}, stored ${stateEntry.integrity_hash}`\n );\n }\n\n // Merkle proof verification\n let merkleProofPath: string[] = [];\n let integrityVerified = true;\n\n if (verifyIntegrity) {\n const nsHashes = await this.getNamespaceHashes(namespace);\n const proof = generateMerkleProof(nsHashes, key);\n if (proof) {\n integrityVerified = verifyMerkleProof(proof);\n merkleProofPath = proof.path.map(\n (step) => `${step.position}:${step.hash}`\n );\n }\n }\n\n // Update version cache\n this.versionCache.set(vk, stateEntry.ver);\n\n return {\n key,\n namespace,\n value,\n version: stateEntry.ver,\n integrity_verified: integrityVerified,\n merkle_proof: merkleProofPath,\n written_at: stateEntry.metadata.written_at,\n written_by: stateEntry.kid,\n };\n }\n\n /**\n * List keys in a namespace (metadata only — no decryption).\n */\n async list(\n namespace: string,\n prefix?: string,\n tags?: string[],\n limit = 100,\n offset = 0\n ): Promise<{\n keys: Array<{\n key: string;\n version: number;\n size_bytes: number;\n written_at: string;\n tags: string[];\n }>;\n total: number;\n merkle_root: string;\n }> {\n const storageEntries = await this.storage.list(namespace, prefix);\n const result: Array<{\n key: string;\n version: number;\n size_bytes: number;\n written_at: string;\n tags: string[];\n }> = [];\n\n for (const entry of storageEntries) {\n const raw = await this.storage.read(namespace, entry.key);\n if (!raw) continue;\n\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n\n // Filter by tags if specified\n if (tags && tags.length > 0) {\n const entryTags = stateEntry.metadata.tags ?? [];\n const hasMatchingTag = tags.some((t) => entryTags.includes(t));\n if (!hasMatchingTag) continue;\n }\n\n result.push({\n key: entry.key,\n version: stateEntry.ver,\n size_bytes: entry.size_bytes,\n written_at: stateEntry.metadata.written_at,\n tags: stateEntry.metadata.tags ?? [],\n });\n } catch {\n // Skip corrupted entries\n }\n }\n\n const nsHashes = await this.getNamespaceHashes(namespace);\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n keys: result.slice(offset, offset + limit),\n total: result.length,\n merkle_root: merkleRoot,\n };\n }\n\n /**\n * Securely delete state (overwrite with random bytes before removal).\n */\n async delete(\n namespace: string,\n key: string\n ): Promise<{\n deleted: boolean;\n key: string;\n namespace: string;\n new_merkle_root: string;\n deleted_at: string;\n }> {\n const deleted = await this.storage.delete(namespace, key, true);\n\n // Update caches\n const vk = this.versionKey(namespace, key);\n this.versionCache.delete(vk);\n const nsHashes = await this.getNamespaceHashes(namespace);\n nsHashes.delete(key);\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n deleted,\n key,\n namespace,\n new_merkle_root: merkleRoot,\n deleted_at: new Date().toISOString(),\n };\n }\n\n /**\n * Export all state for a namespace as an encrypted bundle.\n */\n async export(\n namespace?: string\n ): Promise<{\n bundle: string;\n namespaces: string[];\n total_keys: number;\n bundle_hash: string;\n exported_at: string;\n }> {\n const namespacesToExport: string[] = [];\n\n if (namespace) {\n namespacesToExport.push(namespace);\n } else {\n // Discover all namespaces from the content hash cache\n for (const ns of this.contentHashes.keys()) {\n namespacesToExport.push(ns);\n }\n }\n\n const exportData: Record<\n string,\n Array<{ key: string; entry: StateEntry }>\n > = {};\n let totalKeys = 0;\n\n for (const ns of namespacesToExport) {\n const entries = await this.storage.list(ns);\n exportData[ns] = [];\n\n for (const entry of entries) {\n const raw = await this.storage.read(ns, entry.key);\n if (!raw) continue;\n\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n exportData[ns]!.push({ key: entry.key, entry: stateEntry });\n totalKeys++;\n } catch {\n // Skip corrupted entries\n }\n }\n }\n\n const bundleJson = JSON.stringify({\n sanctuary_export_version: 1,\n exported_at: new Date().toISOString(),\n namespaces: namespacesToExport,\n data: exportData,\n });\n\n const bundleBytes = stringToBytes(bundleJson);\n const bundleHash = hashToString(bundleBytes);\n\n return {\n bundle: toBase64url(bundleBytes),\n namespaces: namespacesToExport,\n total_keys: totalKeys,\n bundle_hash: bundleHash,\n exported_at: new Date().toISOString(),\n };\n }\n\n /**\n * Import a previously exported state bundle.\n */\n async import(\n bundleBase64: string,\n conflictResolution: \"skip\" | \"overwrite\" | \"version\" = \"skip\",\n publicKeyResolver: (kid: string) => Uint8Array | null\n ): Promise<{\n imported_keys: number;\n skipped_keys: number;\n skipped_invalid_sig: number;\n skipped_unknown_kid: number;\n conflicts: number;\n namespaces: string[];\n imported_at: string;\n }> {\n const bundleBytes = fromBase64url(bundleBase64);\n const bundleJson = bytesToString(bundleBytes);\n const bundle = JSON.parse(bundleJson);\n\n let importedKeys = 0;\n let skippedKeys = 0;\n let skippedInvalidSig = 0;\n let skippedUnknownKid = 0;\n let conflicts = 0;\n const namespaces: string[] = [];\n\n for (const [ns, entries] of Object.entries(\n bundle.data as Record<string, Array<{ key: string; entry: StateEntry }>>\n )) {\n // Namespace firewall: skip reserved namespaces during import\n if (RESERVED_NAMESPACE_PREFIXES.some(\n (prefix) => ns === prefix || ns.startsWith(prefix + \"/\")\n )) {\n skippedKeys += (entries as Array<{ key: string; entry: StateEntry }>).length;\n continue;\n }\n namespaces.push(ns);\n\n for (const { key, entry } of entries) {\n // Signature verification: mandatory for all imported entries\n // Resolve the signing identity\n const signerPublicKey = publicKeyResolver(entry.kid);\n if (!signerPublicKey) {\n skippedUnknownKid++;\n skippedKeys++;\n continue;\n }\n\n // Verify the signature against the ciphertext\n try {\n const ciphertextBytes = fromBase64url(entry.payload.ct);\n const signatureBytes = fromBase64url(entry.sig);\n const sigValid = verify(ciphertextBytes, signatureBytes, signerPublicKey);\n if (!sigValid) {\n skippedInvalidSig++;\n skippedKeys++;\n continue;\n }\n } catch {\n // Malformed signature or ciphertext — reject\n skippedInvalidSig++;\n skippedKeys++;\n continue;\n }\n\n const exists = await this.storage.exists(ns, key);\n\n if (exists) {\n conflicts++;\n if (conflictResolution === \"skip\") {\n skippedKeys++;\n continue;\n }\n if (conflictResolution === \"version\") {\n // Only overwrite if imported version is higher\n const raw = await this.storage.read(ns, key);\n if (raw) {\n try {\n const existingEntry: StateEntry = JSON.parse(\n bytesToString(raw)\n );\n if (entry.ver <= existingEntry.ver) {\n skippedKeys++;\n continue;\n }\n } catch {\n // Corrupted existing entry — overwrite\n }\n }\n }\n // conflictResolution === \"overwrite\" falls through\n }\n\n // Write the entry\n const serialized = stringToBytes(JSON.stringify(entry));\n await this.storage.write(ns, key, serialized);\n importedKeys++;\n\n // Update caches\n const vk = this.versionKey(ns, key);\n this.versionCache.set(vk, entry.ver);\n const nsHashes = await this.getNamespaceHashes(ns);\n nsHashes.set(key, entry.integrity_hash);\n }\n }\n\n return {\n imported_keys: importedKeys,\n skipped_keys: skippedKeys,\n skipped_invalid_sig: skippedInvalidSig,\n skipped_unknown_kid: skippedUnknownKid,\n conflicts,\n namespaces,\n imported_at: new Date().toISOString(),\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Ed25519 Identity Management\n *\n * Sovereign identity based on Ed25519 keypairs.\n * Private keys are always encrypted at rest — never stored in plaintext.\n *\n * Security invariants:\n * - Private keys never appear in any MCP tool response\n * - Private keys are encrypted with identity-specific keys derived from the master key\n * - Key rotation produces a signed rotation event (verifiable chain)\n */\n\nimport { ed25519 } from \"@noble/curves/ed25519\";\nimport { toBase64url } from \"./encoding.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"./encryption.js\";\nimport { hash } from \"./hashing.js\";\nimport { randomBytes } from \"./random.js\";\n\n/** Public identity information (safe to share) */\nexport interface PublicIdentity {\n identity_id: string;\n label: string;\n public_key: string; // base64url\n did: string; // did:key format\n created_at: string;\n key_type: \"ed25519\";\n key_protection: \"passphrase\" | \"hardware-key\" | \"recovery-key\";\n}\n\n/** Stored identity (private key is encrypted) */\nexport interface StoredIdentity extends PublicIdentity {\n encrypted_private_key: EncryptedPayload;\n /** Previous public keys (for rotation chain verification) */\n rotation_history: Array<{\n old_public_key: string;\n new_public_key: string;\n rotation_event: string; // base64url signed event\n rotated_at: string;\n }>;\n}\n\n/** Signed rotation event */\nexport interface RotationEvent {\n old_public_key: string;\n new_public_key: string;\n identity_id: string;\n reason: string;\n rotated_at: string;\n /** Signature over the event by the OLD key (proves the holder authorized rotation) */\n signature: string;\n}\n\n/**\n * Generate a new Ed25519 keypair.\n * Returns both the public identity info and the raw private key (for immediate encryption).\n */\nexport function generateKeypair(): {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n} {\n const privateKey = randomBytes(32);\n const publicKey = ed25519.getPublicKey(privateKey);\n return { publicKey, privateKey };\n}\n\n/**\n * Create a DID from an Ed25519 public key.\n * Uses the did:key method with the Ed25519 multicodec prefix (0xed01).\n */\nexport function publicKeyToDid(publicKey: Uint8Array): string {\n // Multicodec prefix for Ed25519: 0xed 0x01\n const multicodec = new Uint8Array([0xed, 0x01, ...publicKey]);\n // did:key uses base58btc multibase encoding, but for simplicity\n // we use the base64url representation which is equally valid\n // in the broader DID ecosystem\n return `did:key:z${toBase64url(multicodec)}`;\n}\n\n/**\n * Generate a unique identity ID.\n * Derived from the public key hash for deterministic mapping.\n */\nexport function generateIdentityId(publicKey: Uint8Array): string {\n const keyHash = hash(publicKey);\n // First 16 bytes of SHA-256(pubkey) as hex — short, unique, deterministic\n return Array.from(keyHash.slice(0, 16))\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Create a new identity with encrypted private key storage.\n *\n * @param label - Human-readable label\n * @param encryptionKey - Key to encrypt the private key with (from master key derivation)\n * @param keyProtection - How the master key is protected\n * @returns Public identity info and the stored identity (for persistence)\n */\nexport function createIdentity(\n label: string,\n encryptionKey: Uint8Array,\n keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\"\n): { publicIdentity: PublicIdentity; storedIdentity: StoredIdentity } {\n const { publicKey, privateKey } = generateKeypair();\n const identityId = generateIdentityId(publicKey);\n const did = publicKeyToDid(publicKey);\n const now = new Date().toISOString();\n\n // Encrypt the private key for storage\n const encryptedPrivateKey = encrypt(privateKey, encryptionKey);\n\n // Zero out the raw private key in memory\n privateKey.fill(0);\n\n const publicIdentity: PublicIdentity = {\n identity_id: identityId,\n label,\n public_key: toBase64url(publicKey),\n did,\n created_at: now,\n key_type: \"ed25519\",\n key_protection: keyProtection,\n };\n\n const storedIdentity: StoredIdentity = {\n ...publicIdentity,\n encrypted_private_key: encryptedPrivateKey,\n rotation_history: [],\n };\n\n return { publicIdentity, storedIdentity };\n}\n\n/**\n * Sign data with an identity's private key.\n *\n * @param payload - Data to sign (bytes)\n * @param encryptedPrivateKey - The encrypted private key from storage\n * @param encryptionKey - Key to decrypt the private key\n * @returns Ed25519 signature\n */\nexport function sign(\n payload: Uint8Array,\n encryptedPrivateKey: EncryptedPayload,\n encryptionKey: Uint8Array\n): Uint8Array {\n // Decrypt the private key\n const privateKey = decrypt(encryptedPrivateKey, encryptionKey);\n\n try {\n return ed25519.sign(payload, privateKey);\n } finally {\n // Zero out the private key from memory\n privateKey.fill(0);\n }\n}\n\n/**\n * Verify an Ed25519 signature.\n *\n * @param payload - Original data that was signed\n * @param signature - The signature to verify\n * @param publicKey - The signer's public key\n * @returns true if signature is valid\n */\nexport function verify(\n payload: Uint8Array,\n signature: Uint8Array,\n publicKey: Uint8Array\n): boolean {\n try {\n return ed25519.verify(signature, payload, publicKey);\n } catch {\n return false;\n }\n}\n\n/**\n * Rotate an identity's keys.\n * Generates a new keypair, signs a rotation event with the old key,\n * and returns the updated stored identity.\n *\n * @param storedIdentity - Current stored identity\n * @param encryptionKey - Key to decrypt/re-encrypt private keys\n * @param reason - Reason for rotation (audit trail)\n * @returns Updated stored identity with new keys and rotation history\n */\nexport function rotateKeys(\n storedIdentity: StoredIdentity,\n encryptionKey: Uint8Array,\n reason: string\n): { updatedIdentity: StoredIdentity; rotationEvent: RotationEvent } {\n const { publicKey: newPublicKey, privateKey: newPrivateKey } =\n generateKeypair();\n const newIdentityDid = publicKeyToDid(newPublicKey);\n const now = new Date().toISOString();\n\n // Create rotation event\n const eventData = JSON.stringify({\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n identity_id: storedIdentity.identity_id,\n reason,\n rotated_at: now,\n });\n\n // Sign the rotation event with the OLD key (proves authorization)\n const eventBytes = new TextEncoder().encode(eventData);\n const signature = sign(\n eventBytes,\n storedIdentity.encrypted_private_key,\n encryptionKey\n );\n\n const rotationEvent: RotationEvent = {\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n identity_id: storedIdentity.identity_id,\n reason,\n rotated_at: now,\n signature: toBase64url(signature),\n };\n\n // Encrypt the new private key\n const encryptedNewPrivateKey = encrypt(newPrivateKey, encryptionKey);\n newPrivateKey.fill(0);\n\n const updatedIdentity: StoredIdentity = {\n ...storedIdentity,\n public_key: toBase64url(newPublicKey),\n did: newIdentityDid,\n encrypted_private_key: encryptedNewPrivateKey,\n rotation_history: [\n ...storedIdentity.rotation_history,\n {\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n rotation_event: toBase64url(\n new TextEncoder().encode(JSON.stringify(rotationEvent))\n ),\n rotated_at: now,\n },\n ],\n };\n\n return { updatedIdentity, rotationEvent };\n}\n","/**\n * Sanctuary MCP Server — Key Derivation\n *\n * Two-tier key derivation:\n * 1. Master key from passphrase via Argon2id (memory-hard, GPU-resistant)\n * 2. Namespace keys from master key via HKDF-SHA256\n *\n * This ensures:\n * - Passphrase brute-force is expensive (Argon2id)\n * - Compromise of one namespace key doesn't expose others (HKDF domain separation)\n */\n\nimport { argon2id } from \"hash-wasm\";\nimport { hkdf } from \"@noble/hashes/hkdf\";\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { generateSalt } from \"./random.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"./encoding.js\";\n\n/** Argon2id parameters per OWASP recommendation (2024) */\nconst ARGON2_MEMORY_COST = 65536; // 64 MiB\nconst ARGON2_TIME_COST = 3; // 3 iterations\nconst ARGON2_PARALLELISM = 4; // 4 lanes\nconst ARGON2_HASH_LENGTH = 32; // 256-bit output\n\n/** Stored key derivation parameters (for re-deriving the master key) */\nexport interface KeyDerivationParams {\n /** Algorithm */\n alg: \"argon2id\";\n /** Salt (base64url) */\n salt: string;\n /** Memory cost in KiB */\n m: number;\n /** Time cost (iterations) */\n t: number;\n /** Parallelism */\n p: number;\n /** Output length in bytes */\n l: number;\n}\n\n/**\n * Derive a master key from a passphrase using Argon2id.\n *\n * @param passphrase - User's passphrase\n * @param existingParams - If re-deriving, use the stored params (same salt)\n * @returns The derived key and the parameters used (store the params, never the key)\n */\nexport async function deriveMasterKey(\n passphrase: string,\n existingParams?: KeyDerivationParams\n): Promise<{ key: Uint8Array; params: KeyDerivationParams }> {\n const salt = existingParams\n ? fromBase64url(existingParams.salt)\n : generateSalt();\n\n const params: KeyDerivationParams = existingParams ?? {\n alg: \"argon2id\",\n salt: toBase64url(salt),\n m: ARGON2_MEMORY_COST,\n t: ARGON2_TIME_COST,\n p: ARGON2_PARALLELISM,\n l: ARGON2_HASH_LENGTH,\n };\n\n const hashHex = await argon2id({\n password: passphrase,\n salt,\n parallelism: params.p,\n iterations: params.t,\n memorySize: params.m,\n hashLength: params.l,\n outputType: \"hex\",\n });\n\n // Convert hex to bytes\n const key = new Uint8Array(params.l);\n for (let i = 0; i < params.l; i++) {\n key[i] = parseInt(hashHex.substring(i * 2, i * 2 + 2), 16);\n }\n\n return { key, params };\n}\n\n/**\n * Derive a namespace-specific encryption key from the master key via HKDF-SHA256.\n *\n * Each namespace gets its own 256-bit key derived from the master key.\n * Compromise of one namespace key does not expose other namespaces.\n *\n * @param masterKey - The master key (from Argon2id or recovery key)\n * @param namespace - The namespace name (used as HKDF info)\n * @returns 256-bit namespace key\n */\nexport function deriveNamespaceKey(\n masterKey: Uint8Array,\n namespace: string\n): Uint8Array {\n if (masterKey.length !== 32) {\n throw new Error(\"Master key must be 32 bytes\");\n }\n\n return hkdf(\n sha256,\n masterKey,\n stringToBytes(\"sanctuary-namespace-v1\"), // salt (fixed, acts as domain separator)\n stringToBytes(namespace), // info (namespace name)\n 32 // output length: 256 bits\n );\n}\n\n/**\n * Derive a key for a specific purpose from the master key.\n * Used for identity key encryption, audit log encryption, etc.\n *\n * @param masterKey - The master key\n * @param purpose - Purpose string (e.g., \"identity-encryption\", \"audit-log\")\n * @returns 256-bit purpose-specific key\n */\nexport function derivePurposeKey(\n masterKey: Uint8Array,\n purpose: string\n): Uint8Array {\n if (masterKey.length !== 32) {\n throw new Error(\"Master key must be 32 bytes\");\n }\n\n return hkdf(\n sha256,\n masterKey,\n stringToBytes(\"sanctuary-purpose-v1\"),\n stringToBytes(purpose),\n 32\n );\n}\n","/**\n * Sanctuary MCP Server — Tool Router\n *\n * Routes sanctuary/* tool calls to their layer-specific handlers.\n * Every tool call passes through schema validation and the ApprovalGate\n * (if configured) before execution. Neither can be bypassed.\n *\n * This module is the abstraction boundary for MCP SDK version migration —\n * if the SDK API changes, only this module needs updating.\n */\n\nimport { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\nimport {\n CallToolRequestSchema,\n ListToolsRequestSchema,\n} from \"@modelcontextprotocol/sdk/types.js\";\nimport { createRequire } from \"node:module\";\nimport type { ApprovalGate } from \"./principal-policy/gate.js\";\n\nconst require = createRequire(import.meta.url);\nconst { version: PKG_VERSION } = require(\"../package.json\");\n\n/** Tool handler function signature */\nexport type ToolHandler = (\n args: Record<string, unknown>\n) => Promise<{ content: Array<{ type: \"text\"; text: string }> }>;\n\n/** Tool definition for registration */\nexport interface ToolDefinition {\n name: string;\n description: string;\n inputSchema: Record<string, unknown>;\n handler: ToolHandler;\n}\n\n/** Options for server creation */\nexport interface ServerOptions {\n /** Approval gate — if provided, every tool call is evaluated before execution */\n gate?: ApprovalGate;\n}\n\n// ── Schema Validation ──────────────────────────────────────────────────\n// Lightweight JSON Schema validation for tool arguments.\n// Enforces: required fields, type checks, unknown field rejection,\n// and size caps on string arguments (defense against DoS via oversized payloads).\n\n/** Maximum byte length for any single string argument (1 MB) */\nconst MAX_STRING_BYTES = 1_048_576;\n\n/** Maximum byte length for base64 bundle arguments (5 MB) */\nconst MAX_BUNDLE_BYTES = 5_242_880;\n\n/** Fields known to carry base64 bundles — get the larger size cap */\nconst BUNDLE_FIELDS = new Set([\"bundle\"]);\n\ninterface SchemaProperty {\n type?: string;\n properties?: Record<string, SchemaProperty>;\n required?: string[];\n items?: SchemaProperty;\n enum?: unknown[];\n default?: unknown;\n}\n\ninterface ValidationError {\n field: string;\n message: string;\n}\n\n/**\n * Validate tool arguments against the tool's declared inputSchema.\n * Returns an array of validation errors (empty = valid).\n */\nfunction validateArgs(\n args: Record<string, unknown>,\n schema: Record<string, unknown>\n): ValidationError[] {\n const errors: ValidationError[] = [];\n const properties = (schema.properties ?? {}) as Record<string, SchemaProperty>;\n const required = (schema.required ?? []) as string[];\n\n // Check required fields\n for (const field of required) {\n if (args[field] === undefined || args[field] === null) {\n errors.push({ field, message: `Required field \"${field}\" is missing` });\n }\n }\n\n // Check for unknown fields (reject extra fields not in schema)\n const knownFields = new Set(Object.keys(properties));\n for (const field of Object.keys(args)) {\n if (!knownFields.has(field)) {\n errors.push({ field, message: `Unknown field \"${field}\"` });\n }\n }\n\n // Type-check and size-check each provided field\n for (const [field, value] of Object.entries(args)) {\n if (value === undefined || value === null) continue;\n const propSchema = properties[field];\n if (!propSchema) continue; // Already flagged as unknown above\n\n const typeError = checkType(field, value, propSchema);\n if (typeError) {\n errors.push(typeError);\n continue;\n }\n\n // String size caps\n if (typeof value === \"string\") {\n const maxBytes = BUNDLE_FIELDS.has(field) ? MAX_BUNDLE_BYTES : MAX_STRING_BYTES;\n // Use byte length, not string length, for accurate size checking\n const byteLength = new TextEncoder().encode(value).length;\n if (byteLength > maxBytes) {\n errors.push({\n field,\n message: `Field \"${field}\" exceeds maximum size (${byteLength} bytes > ${maxBytes} bytes)`,\n });\n }\n }\n\n // Enum validation\n if (propSchema.enum && !propSchema.enum.includes(value)) {\n errors.push({\n field,\n message: `Field \"${field}\" must be one of: ${propSchema.enum.join(\", \")}`,\n });\n }\n }\n\n return errors;\n}\n\n/**\n * Check whether a value matches the declared JSON Schema type.\n */\nfunction checkType(\n field: string,\n value: unknown,\n schema: SchemaProperty\n): ValidationError | null {\n if (!schema.type) return null;\n\n switch (schema.type) {\n case \"string\":\n if (typeof value !== \"string\") {\n return { field, message: `Expected string for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"number\":\n if (typeof value !== \"number\") {\n return { field, message: `Expected number for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"boolean\":\n if (typeof value !== \"boolean\") {\n return { field, message: `Expected boolean for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"object\":\n if (typeof value !== \"object\" || Array.isArray(value)) {\n return { field, message: `Expected object for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"array\":\n if (!Array.isArray(value)) {\n return { field, message: `Expected array for \"${field}\", got ${typeof value}` };\n }\n break;\n }\n return null;\n}\n\n/**\n * Create the MCP server with all Sanctuary tools registered.\n * If an ApprovalGate is provided, it wraps every tool call.\n */\nexport function createServer(\n tools: ToolDefinition[],\n options?: ServerOptions\n): Server {\n const gate = options?.gate;\n\n const server = new Server(\n {\n name: \"sanctuary-mcp-server\",\n version: PKG_VERSION,\n },\n {\n capabilities: {\n tools: {},\n },\n }\n );\n\n // Register tool listing\n server.setRequestHandler(ListToolsRequestSchema, async () => {\n return {\n tools: tools.map((t) => ({\n name: t.name,\n description: t.description,\n inputSchema: t.inputSchema,\n })),\n };\n });\n\n // Register tool execution — validation + gate sit between router and handler\n server.setRequestHandler(CallToolRequestSchema, async (request) => {\n const { name, arguments: args } = request.params;\n const typedArgs = (args ?? {}) as Record<string, unknown>;\n\n const tool = tools.find((t) => t.name === name);\n if (!tool) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({ error: `Unknown tool: ${name}` }),\n },\n ],\n isError: true,\n };\n }\n\n // ── Schema Validation ────────────────────────────────────────────\n // Validate arguments against the tool's declared inputSchema.\n // This runs BEFORE the gate so that the gate sees normalized args.\n const validationErrors = validateArgs(typedArgs, tool.inputSchema);\n if (validationErrors.length > 0) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n error: \"validation_failed\",\n message: \"Tool arguments failed schema validation\",\n violations: validationErrors,\n }),\n },\n ],\n isError: true,\n };\n }\n\n // ── Approval Gate ──────────────────────────────────────────────\n // If a gate is configured, every tool call must pass through it.\n // Denied calls return a generic error that does not reveal policy.\n if (gate) {\n const result = await gate.evaluate(name, typedArgs);\n if (!result.allowed) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n error: \"Operation not permitted\",\n approval_required: result.approval_required,\n }),\n },\n ],\n isError: true,\n };\n }\n }\n\n try {\n return await tool.handler(typedArgs);\n } catch (err) {\n const message =\n err instanceof Error ? err.message : \"Unknown error\";\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({ error: message }),\n },\n ],\n isError: true,\n };\n }\n });\n\n return server;\n}\n\n/**\n * Helper to create a successful tool response.\n */\nexport function toolResult(\n data: object\n): { content: Array<{ type: \"text\"; text: string }> } {\n return {\n content: [{ type: \"text\" as const, text: JSON.stringify(data, null, 2) }],\n };\n}\n","/**\n * Sanctuary MCP Server — L1 Cognitive Sovereignty: Tool Definitions\n *\n * MCP tool wrappers for StateStore and IdentityRoot operations.\n * These tools are the public API that agents interact with.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { StateStore } from \"./state-store.js\";\nimport {\n createIdentity,\n rotateKeys,\n sign as identitySign,\n verify as identityVerify,\n type StoredIdentity,\n type PublicIdentity,\n} from \"../core/identity.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport {\n toBase64url,\n fromBase64url,\n stringToBytes,\n} from \"../core/encoding.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt } from \"../core/encryption.js\";\nimport { bytesToString } from \"../core/encoding.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\n/**\n * Reserved namespace prefixes — used by internal subsystems.\n * Agent-facing state tools MUST reject reads, writes, deletes, lists, and\n * imports to these namespaces. Internal subsystems access the StateStore\n * directly, bypassing these tool-level checks.\n */\nconst RESERVED_NAMESPACE_PREFIXES = [\n \"_identities\",\n \"_policies\",\n \"_audit\",\n \"_meta\",\n \"_principal\",\n \"_commitments\",\n \"_reputation\",\n \"_escrow\",\n \"_guarantees\",\n \"_bridge\",\n \"_federation\",\n \"_handshake\",\n \"_shr\",\n] as const;\n\n/**\n * Check whether a namespace is reserved for internal use.\n * Returns the matching reserved prefix, or null if the namespace is safe.\n */\nfunction getReservedNamespaceViolation(namespace: string): string | null {\n for (const prefix of RESERVED_NAMESPACE_PREFIXES) {\n if (namespace === prefix || namespace.startsWith(prefix + \"/\")) {\n return prefix;\n }\n }\n return null;\n}\n\n/** Manages all identities — provides storage and retrieval */\nexport class IdentityManager {\n private storage: StorageBackend;\n private masterKey: Uint8Array;\n private identities = new Map<string, StoredIdentity>();\n private primaryIdentityId: string | null = null;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.masterKey = masterKey;\n }\n\n private get encryptionKey(): Uint8Array {\n return derivePurposeKey(this.masterKey, \"identity-encryption\");\n }\n\n /** Load identities from storage on startup */\n async load(): Promise<void> {\n const entries = await this.storage.list(\"_identities\");\n for (const entry of entries) {\n const raw = await this.storage.read(\"_identities\", entry.key);\n if (!raw) continue;\n try {\n const encrypted = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const identity: StoredIdentity = JSON.parse(bytesToString(decrypted));\n this.identities.set(identity.identity_id, identity);\n if (!this.primaryIdentityId) {\n this.primaryIdentityId = identity.identity_id;\n }\n } catch {\n // Skip corrupted identities\n }\n }\n }\n\n /** Save an identity to storage */\n async save(identity: StoredIdentity): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(identity));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_identities\",\n identity.identity_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n this.identities.set(identity.identity_id, identity);\n if (!this.primaryIdentityId) {\n this.primaryIdentityId = identity.identity_id;\n }\n }\n\n get(id: string): StoredIdentity | undefined {\n return this.identities.get(id);\n }\n\n getDefault(): StoredIdentity | undefined {\n if (!this.primaryIdentityId) return undefined;\n return this.identities.get(this.primaryIdentityId);\n }\n\n list(): PublicIdentity[] {\n return Array.from(this.identities.values()).map((si) => ({\n identity_id: si.identity_id,\n label: si.label,\n public_key: si.public_key,\n did: si.did,\n created_at: si.created_at,\n key_type: si.key_type,\n key_protection: si.key_protection,\n }));\n }\n}\n\n/**\n * Create all L1 tool definitions.\n */\nexport function createL1Tools(\n stateStore: StateStore,\n storage: StorageBackend,\n masterKey: Uint8Array,\n keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\",\n auditLog?: AuditLog\n): { tools: ToolDefinition[]; identityManager: IdentityManager } {\n const identityMgr = new IdentityManager(storage, masterKey);\n const identityEncKey = derivePurposeKey(masterKey, \"identity-encryption\");\n\n // Helper to get identity or throw\n function resolveIdentity(identityId?: string): StoredIdentity {\n const id = identityId\n ? identityMgr.get(identityId)\n : identityMgr.getDefault();\n if (!id) {\n throw new Error(\n identityId\n ? `Identity not found: ${identityId}`\n : \"No default identity. Create one with sanctuary/identity_create.\"\n );\n }\n return id;\n }\n\n const tools: ToolDefinition[] = [\n // ── Identity Tools ──────────────────────────────────────────────────\n\n {\n name: \"sanctuary/identity_create\",\n description:\n \"Create a new sovereign identity (Ed25519 keypair). \" +\n \"The private key is encrypted and never exposed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n label: {\n type: \"string\",\n description: 'Human-readable label (e.g., \"my-agent\")',\n },\n },\n required: [\"label\"],\n },\n handler: async (args) => {\n const label = args.label as string;\n const { publicIdentity, storedIdentity } = createIdentity(\n label,\n identityEncKey,\n keyProtection\n );\n await identityMgr.save(storedIdentity);\n\n auditLog?.append(\"l1\", \"identity_create\", publicIdentity.identity_id, {\n label,\n });\n\n // If key_protection is \"none\", generate and show recovery key\n // (In practice, the recovery key is the master key itself,\n // which was generated at server init and shown once)\n return toolResult({\n identity_id: publicIdentity.identity_id,\n public_key: publicIdentity.public_key,\n did: publicIdentity.did,\n created_at: publicIdentity.created_at,\n key_type: publicIdentity.key_type,\n key_protection: publicIdentity.key_protection,\n backed_up: false,\n });\n },\n },\n\n {\n name: \"sanctuary/identity_list\",\n description: \"List all managed sovereign identities.\",\n inputSchema: {\n type: \"object\",\n properties: {\n filter: {\n type: \"object\",\n properties: {\n label: { type: \"string\" },\n },\n },\n },\n },\n handler: async (args) => {\n let identities = identityMgr.list();\n const filter = args.filter as { label?: string } | undefined;\n if (filter?.label) {\n identities = identities.filter((i) =>\n i.label.includes(filter.label!)\n );\n }\n return toolResult({ identities });\n },\n },\n\n {\n name: \"sanctuary/identity_sign\",\n description:\n \"Sign data with a managed identity. \" +\n \"The private key is decrypted in memory only during signing.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: { type: \"string\" },\n payload: {\n type: \"string\",\n description: \"Base64url-encoded data to sign\",\n },\n },\n required: [\"payload\"],\n },\n handler: async (args) => {\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const payloadStr = args.payload as string;\n\n // Accept either base64url-encoded bytes or plain text\n let payload: Uint8Array;\n try {\n payload = fromBase64url(payloadStr);\n } catch {\n payload = stringToBytes(payloadStr);\n }\n\n const signature = identitySign(\n payload,\n identity.encrypted_private_key,\n identityEncKey\n );\n\n auditLog?.append(\"l1\", \"identity_sign\", identity.identity_id);\n\n return toolResult({\n signature: toBase64url(signature),\n algorithm: \"Ed25519\",\n signed_at: new Date().toISOString(),\n public_key: identity.public_key,\n payload_encoding: \"base64url\",\n });\n },\n },\n\n {\n name: \"sanctuary/identity_verify\",\n description:\n \"Verify an Ed25519 signature. Provide either identity_id or public_key.\",\n inputSchema: {\n type: \"object\",\n properties: {\n payload: {\n type: \"string\",\n description: \"Original data (plain text or base64url-encoded)\",\n },\n signature: { type: \"string\", description: \"Base64url signature\" },\n identity_id: {\n type: \"string\",\n description: \"Identity ID to look up public key (alternative to public_key)\",\n },\n public_key: {\n type: \"string\",\n description: \"Base64url public key (alternative to identity_id)\",\n },\n },\n required: [\"payload\", \"signature\"],\n },\n handler: async (args) => {\n const payloadStr = args.payload as string;\n\n // Accept either base64url-encoded bytes or plain text\n let payload: Uint8Array;\n try {\n payload = fromBase64url(payloadStr);\n } catch {\n payload = stringToBytes(payloadStr);\n }\n\n const signature = fromBase64url(args.signature as string);\n\n // Resolve public key from identity_id or direct public_key param\n let publicKey: Uint8Array;\n if (args.identity_id) {\n const identity = resolveIdentity(args.identity_id as string);\n publicKey = fromBase64url(identity.public_key);\n } else if (args.public_key) {\n publicKey = fromBase64url(args.public_key as string);\n } else {\n return toolResult({\n error: \"Provide either identity_id or public_key for verification.\",\n });\n }\n\n const valid = identityVerify(payload, signature, publicKey);\n\n return toolResult({\n valid,\n verified_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/identity_rotate\",\n description:\n \"Rotate keys for an identity. Generates a new keypair and \" +\n \"signs a rotation event with the old key for verifiable chain.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: { type: \"string\" },\n reason: { type: \"string\" },\n },\n required: [\"identity_id\"],\n },\n handler: async (args) => {\n const identity = resolveIdentity(args.identity_id as string);\n const reason = (args.reason as string) ?? \"Key rotation\";\n\n const { updatedIdentity, rotationEvent } = rotateKeys(\n identity,\n identityEncKey,\n reason\n );\n await identityMgr.save(updatedIdentity);\n\n auditLog?.append(\"l1\", \"identity_rotate\", identity.identity_id, {\n reason,\n });\n\n return toolResult({\n identity_id: updatedIdentity.identity_id,\n old_public_key: rotationEvent.old_public_key,\n new_public_key: rotationEvent.new_public_key,\n new_did: updatedIdentity.did,\n rotated_at: rotationEvent.rotated_at,\n });\n },\n },\n\n // ── State Tools ─────────────────────────────────────────────────────\n\n {\n name: \"sanctuary/state_write\",\n description:\n \"Write encrypted state to the sovereign store. \" +\n \"Value is encrypted with a namespace-specific key. \" +\n \"The write is signed by the active identity.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: {\n type: \"string\",\n description: 'Logical grouping (e.g., \"memory\", \"config\")',\n },\n key: { type: \"string\", description: \"State key within namespace\" },\n value: {\n type: \"string\",\n description: \"Plaintext value (encrypted before storage)\",\n },\n metadata: {\n type: \"object\",\n properties: {\n content_type: { type: \"string\" },\n ttl_seconds: { type: \"number\" },\n tags: { type: \"array\", items: { type: \"string\" } },\n },\n },\n identity_id: { type: \"string\" },\n },\n required: [\"namespace\", \"key\", \"value\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject writes to reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Choose a different namespace.`,\n });\n }\n\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const metadata = args.metadata as {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n } | undefined;\n\n const result = await stateStore.write(\n args.namespace as string,\n args.key as string,\n args.value as string,\n identity.identity_id,\n identity.encrypted_private_key,\n identityEncKey,\n {\n content_type: metadata?.content_type,\n ttl_seconds: metadata?.ttl_seconds,\n tags: metadata?.tags,\n }\n );\n\n auditLog?.append(\"l1\", \"state_write\", identity.identity_id, {\n namespace: args.namespace,\n key: args.key,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_read\",\n description:\n \"Read and decrypt state from the sovereign store. \" +\n \"Verifies integrity via Merkle proof and signature.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n key: { type: \"string\" },\n verify_integrity: { type: \"boolean\", default: true },\n },\n required: [\"namespace\", \"key\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject reads from reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Cannot read from reserved namespaces.`,\n });\n }\n\n const result = await stateStore.read(\n args.namespace as string,\n args.key as string,\n undefined, // Skip signature verification for now (would need writer's pubkey)\n args.verify_integrity as boolean ?? true\n );\n\n if (!result) {\n return toolResult({\n error: \"not_found\",\n namespace: args.namespace,\n key: args.key,\n });\n }\n\n auditLog?.append(\"l1\", \"state_read\", result.written_by, {\n namespace: args.namespace,\n key: args.key,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_list\",\n description:\n \"List keys in a namespace (metadata only — no decryption).\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n prefix: { type: \"string\" },\n tags: { type: \"array\", items: { type: \"string\" } },\n limit: { type: \"number\", default: 100 },\n offset: { type: \"number\", default: 0 },\n },\n required: [\"namespace\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject listing of reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Cannot list reserved namespaces.`,\n });\n }\n\n const result = await stateStore.list(\n args.namespace as string,\n args.prefix as string | undefined,\n args.tags as string[] | undefined,\n (args.limit as number) ?? 100,\n (args.offset as number) ?? 0\n );\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_delete\",\n description:\n \"Securely delete state. Overwrites file with random bytes \" +\n \"before removal (right to deletion, S1.6).\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n key: { type: \"string\" },\n reason: { type: \"string\" },\n },\n required: [\"namespace\", \"key\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject deletes from reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Cannot delete from reserved namespaces.`,\n });\n }\n\n const result = await stateStore.delete(\n args.namespace as string,\n args.key as string\n );\n\n auditLog?.append(\"l1\", \"state_delete\", \"principal\", {\n namespace: args.namespace,\n key: args.key,\n reason: args.reason,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_export\",\n description:\n \"Export state as an encrypted, portable bundle for migration.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n format: { type: \"string\", default: \"sanctuary-v1\" },\n },\n },\n handler: async (args) => {\n const result = await stateStore.export(\n args.namespace as string | undefined\n );\n\n auditLog?.append(\"l1\", \"state_export\", \"principal\", {\n namespaces: result.namespaces,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_import\",\n description: \"Import a previously exported state bundle.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bundle: { type: \"string\", description: \"Base64url-encoded bundle\" },\n conflict_resolution: {\n type: \"string\",\n enum: [\"skip\", \"overwrite\", \"version\"],\n default: \"skip\",\n },\n },\n required: [\"bundle\"],\n },\n handler: async (args) => {\n // Wire public key resolver for signature verification (SEC-005)\n const publicKeyResolver = (kid: string): Uint8Array | null => {\n const identity = identityMgr.get(kid);\n if (!identity) return null;\n return fromBase64url(identity.public_key);\n };\n\n const result = await stateStore.import(\n args.bundle as string,\n (args.conflict_resolution as \"skip\" | \"overwrite\" | \"version\") ??\n \"skip\",\n publicKeyResolver\n );\n\n auditLog?.append(\"l1\", \"state_import\", \"principal\", {\n imported_keys: result.imported_keys,\n });\n\n return toolResult(result);\n },\n },\n ];\n\n return { tools, identityManager: identityMgr };\n}\n","/**\n * Sanctuary MCP Server — L2 Operational Isolation: Audit Log\n *\n * Append-only log of all sovereignty-relevant operations.\n * Stored encrypted under L1 sovereignty.\n *\n * Every tool invocation that modifies state, generates proofs,\n * or records reputation produces an audit entry. The human principal\n * can inspect what their agent has done.\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString } from \"../core/encoding.js\";\n\nexport interface AuditEntry {\n timestamp: string;\n layer: \"l1\" | \"l2\" | \"l3\" | \"l4\";\n operation: string;\n identity_id: string;\n result: \"success\" | \"failure\";\n details?: Record<string, unknown>;\n}\n\nexport class AuditLog {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private entries: AuditEntry[] = [];\n private counter = 0;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"audit-log\");\n }\n\n /**\n * Append an audit entry.\n */\n append(\n layer: AuditEntry[\"layer\"],\n operation: string,\n identityId: string,\n details?: Record<string, unknown>,\n result: \"success\" | \"failure\" = \"success\"\n ): void {\n const entry: AuditEntry = {\n timestamp: new Date().toISOString(),\n layer,\n operation,\n identity_id: identityId,\n result,\n details,\n };\n\n this.entries.push(entry);\n\n // Async persist (fire-and-forget for performance; entries are also in memory)\n this.persistEntry(entry).catch(() => {\n // Persistence failure is logged but doesn't block the operation\n });\n }\n\n private async persistEntry(entry: AuditEntry): Promise<void> {\n const key = `${Date.now()}-${this.counter++}`;\n const serialized = stringToBytes(JSON.stringify(entry));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_audit\",\n key,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n /**\n * Query the audit log with filtering.\n */\n async query(options: {\n since?: string;\n layer?: AuditEntry[\"layer\"];\n operation_type?: string;\n limit?: number;\n }): Promise<{ entries: AuditEntry[]; total: number }> {\n // First, try to load persisted entries we don't have in memory\n await this.loadPersistedEntries();\n\n let filtered = this.entries;\n\n if (options.since) {\n const sinceDate = new Date(options.since);\n filtered = filtered.filter(\n (e) => new Date(e.timestamp) >= sinceDate\n );\n }\n if (options.layer) {\n filtered = filtered.filter((e) => e.layer === options.layer);\n }\n if (options.operation_type) {\n filtered = filtered.filter(\n (e) => e.operation === options.operation_type\n );\n }\n\n const total = filtered.length;\n const limit = options.limit ?? 50;\n const entries = filtered.slice(-limit); // Most recent entries\n\n return { entries, total };\n }\n\n private async loadPersistedEntries(): Promise<void> {\n try {\n const storedEntries = await this.storage.list(\"_audit\");\n for (const meta of storedEntries) {\n const raw = await this.storage.read(\"_audit\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const entry: AuditEntry = JSON.parse(bytesToString(decrypted));\n\n // Deduplicate (check if we already have this timestamp+operation)\n const isDuplicate = this.entries.some(\n (e) =>\n e.timestamp === entry.timestamp &&\n e.operation === entry.operation &&\n e.identity_id === entry.identity_id\n );\n if (!isDuplicate) {\n this.entries.push(entry);\n }\n } catch {\n // Skip corrupted entries\n }\n }\n\n // Sort by timestamp\n this.entries.sort(\n (a, b) =>\n new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()\n );\n } catch {\n // Storage not available yet — that's fine\n }\n }\n\n /**\n * Get total number of entries.\n */\n get size(): number {\n return this.entries.length;\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Commitment Schemes\n *\n * Cryptographic commitments allow an agent to commit to a value\n * without revealing it, then later prove what was committed.\n *\n * This is the MVS approach to selective disclosure — simpler than\n * full ZK proofs but still cryptographically sound. The commitment\n * is SHA-256(value || blinding_factor), which is:\n * - Hiding: the commitment reveals nothing about the value\n * - Binding: the committer cannot change the value after committing\n *\n * Security invariants:\n * - Blinding factors are cryptographically random (32 bytes)\n * - Commitments are stored encrypted under L1 sovereignty\n * - Revealed values are verified via constant-time comparison\n */\n\nimport { hash } from \"../core/hashing.js\";\nimport { toBase64url, fromBase64url, stringToBytes, concatBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { bytesToString } from \"../core/encoding.js\";\n\n/** A cryptographic commitment */\nexport interface Commitment {\n /** The commitment hash: SHA-256(value || blinding_factor) as base64url */\n commitment: string;\n /** The blinding factor (must be stored securely for later reveal) */\n blinding_factor: string;\n /** When the commitment was created */\n committed_at: string;\n}\n\n/** Stored commitment metadata (encrypted at rest) */\nexport interface StoredCommitment {\n commitment: string;\n blinding_factor: string;\n value: string;\n committed_at: string;\n revealed: boolean;\n revealed_at?: string;\n}\n\n/**\n * Create a cryptographic commitment to a value.\n *\n * @param value - The value to commit to\n * @param blindingFactor - Optional blinding factor (auto-generated if omitted)\n * @returns The commitment and blinding factor\n */\nexport function createCommitment(\n value: string,\n blindingFactor?: string\n): Commitment {\n // Generate or decode the blinding factor\n const blindingBytes = blindingFactor\n ? fromBase64url(blindingFactor)\n : randomBytes(32);\n\n // Commitment = SHA-256(value_bytes || blinding_bytes)\n const valueBytes = stringToBytes(value);\n const combined = concatBytes(valueBytes, blindingBytes);\n const commitmentHash = hash(combined);\n\n return {\n commitment: toBase64url(commitmentHash),\n blinding_factor: toBase64url(blindingBytes),\n committed_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a commitment against a revealed value and blinding factor.\n *\n * @param commitment - The original commitment hash\n * @param value - The revealed value\n * @param blindingFactor - The revealed blinding factor\n * @returns true if the reveal matches the commitment\n */\nexport function verifyCommitment(\n commitment: string,\n value: string,\n blindingFactor: string\n): boolean {\n const blindingBytes = fromBase64url(blindingFactor);\n const valueBytes = stringToBytes(value);\n const combined = concatBytes(valueBytes, blindingBytes);\n const expectedHash = toBase64url(hash(combined));\n\n // Use string comparison (the hash output is already fixed-length)\n return commitment === expectedHash;\n}\n\n/**\n * Commitment store — manages commitments encrypted under L1 sovereignty.\n */\nexport class CommitmentStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l3-commitments\");\n }\n\n /**\n * Store a commitment (encrypted) for later reference.\n */\n async store(commitment: Commitment, value: string): Promise<string> {\n const id = `cmt-${Date.now()}-${toBase64url(randomBytes(8))}`;\n\n const stored: StoredCommitment = {\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n value,\n committed_at: commitment.committed_at,\n revealed: false,\n };\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_commitments\",\n id,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return id;\n }\n\n /**\n * Retrieve a stored commitment by ID.\n */\n async get(id: string): Promise<StoredCommitment | null> {\n const raw = await this.storage.read(\"_commitments\", id);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n\n /**\n * Mark a commitment as revealed.\n */\n async markRevealed(id: string): Promise<void> {\n const stored = await this.get(id);\n if (!stored) return;\n\n stored.revealed = true;\n stored.revealed_at = new Date().toISOString();\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_commitments\",\n id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Disclosure Policies\n *\n * Disclosure policies define what an agent will and will not disclose\n * in different interaction contexts. Policies are evaluated against\n * incoming disclosure requests to produce per-field decisions.\n *\n * This is the agent's \"privacy preferences\" layer — it codifies the\n * human principal's intent about what information can flow where.\n *\n * Security invariants:\n * - Policies are stored encrypted under L1 sovereignty\n * - Default action is always \"withhold\" unless explicitly overridden\n * - Policy evaluation is deterministic (same request → same decision)\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString, toBase64url } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\n\n/** A single disclosure rule within a policy */\nexport interface DisclosureRule {\n /** Interaction context this rule applies to */\n context: string; // \"negotiation\", \"commerce\", \"identity\", \"*\"\n /** Fields/claims the agent MAY disclose */\n disclose: string[];\n /** Fields/claims the agent MUST NOT disclose */\n withhold: string[];\n /** Fields that require proof rather than plain disclosure */\n proof_required: string[];\n}\n\n/** A complete disclosure policy */\nexport interface DisclosurePolicy {\n policy_id: string;\n policy_name: string;\n rules: DisclosureRule[];\n default_action: \"withhold\" | \"ask-principal\";\n identity_id?: string;\n created_at: string;\n updated_at: string;\n}\n\n/** Result of evaluating a disclosure request */\nexport interface DisclosureDecision {\n field: string;\n action: \"disclose\" | \"withhold\" | \"proof\" | \"ask-principal\";\n reason: string;\n applicable_rule: string;\n}\n\n/**\n * Evaluate a disclosure request against a policy.\n *\n * For each requested field, finds the most specific matching rule:\n * 1. Exact context match\n * 2. Wildcard \"*\" context\n * 3. Default action\n *\n * Within a matched rule:\n * - If field is in `withhold` → withhold (highest priority)\n * - If field is in `proof_required` → proof\n * - If field is in `disclose` → disclose\n * - Otherwise → default_action\n */\nexport function evaluateDisclosure(\n policy: DisclosurePolicy,\n context: string,\n requestedFields: string[]\n): DisclosureDecision[] {\n return requestedFields.map((field) => {\n // Find matching rules: exact context first, then wildcard\n const exactRule = policy.rules.find((r) => r.context === context);\n const wildcardRule = policy.rules.find((r) => r.context === \"*\");\n const matchedRule = exactRule ?? wildcardRule;\n\n if (!matchedRule) {\n return {\n field,\n action: policy.default_action,\n reason: `No rule matches context \"${context}\"`,\n applicable_rule: \"default\",\n };\n }\n\n const ruleName = `${matchedRule.context}`;\n\n // Withhold takes priority\n if (matchedRule.withhold.includes(field)) {\n return {\n field,\n action: \"withhold\" as const,\n reason: `Field \"${field}\" is explicitly withheld in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Proof required next\n if (matchedRule.proof_required.includes(field)) {\n return {\n field,\n action: \"proof\" as const,\n reason: `Field \"${field}\" requires cryptographic proof in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Explicit disclose\n if (matchedRule.disclose.includes(field)) {\n return {\n field,\n action: \"disclose\" as const,\n reason: `Field \"${field}\" is permitted for disclosure in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Not mentioned in the rule — fall to default\n return {\n field,\n action: policy.default_action,\n reason: `Field \"${field}\" not addressed in ${ruleName} rule; applying default`,\n applicable_rule: ruleName,\n };\n });\n}\n\n/**\n * Policy store — manages disclosure policies encrypted under L1 sovereignty.\n */\nexport class PolicyStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private policies: Map<string, DisclosurePolicy> = new Map();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l3-policies\");\n }\n\n /**\n * Create and store a new disclosure policy.\n */\n async create(\n policyName: string,\n rules: DisclosureRule[],\n defaultAction: \"withhold\" | \"ask-principal\",\n identityId?: string\n ): Promise<DisclosurePolicy> {\n const policyId = `pol-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n const policy: DisclosurePolicy = {\n policy_id: policyId,\n policy_name: policyName,\n rules,\n default_action: defaultAction,\n identity_id: identityId,\n created_at: now,\n updated_at: now,\n };\n\n await this.persist(policy);\n this.policies.set(policyId, policy);\n\n return policy;\n }\n\n /**\n * Get a policy by ID.\n */\n async get(policyId: string): Promise<DisclosurePolicy | null> {\n // Check in-memory cache first\n if (this.policies.has(policyId)) {\n return this.policies.get(policyId)!;\n }\n\n // Try to load from storage\n const raw = await this.storage.read(\"_policies\", policyId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: DisclosurePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policyId, policy);\n return policy;\n } catch {\n return null;\n }\n }\n\n /**\n * List all policies.\n */\n async list(): Promise<DisclosurePolicy[]> {\n await this.loadAll();\n return Array.from(this.policies.values());\n }\n\n /**\n * Load all persisted policies into memory.\n */\n private async loadAll(): Promise<void> {\n try {\n const entries = await this.storage.list(\"_policies\");\n for (const meta of entries) {\n if (this.policies.has(meta.key)) continue;\n const raw = await this.storage.read(\"_policies\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: DisclosurePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policy.policy_id, policy);\n } catch {\n // Skip corrupted policies\n }\n }\n } catch {\n // Storage not available\n }\n }\n\n private async persist(policy: DisclosurePolicy): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(policy));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_policies\",\n policy.policy_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Zero-Knowledge Proofs\n *\n * Upgrades the commitment-only L3 to support real zero-knowledge proofs.\n * Uses Ristretto255 (prime-order curve group, no cofactor issues) for:\n *\n * 1. Pedersen commitments: C = v*G + b*H (computationally hiding, perfectly binding)\n * 2. ZK proof of knowledge: Schnorr sigma protocol via Fiat-Shamir\n * 3. ZK range proofs: Prove value ∈ [min, max] without revealing it\n *\n * Ristretto255 is available via @noble/curves/ed25519, which we already depend on.\n * This is genuine zero-knowledge — proofs reveal nothing beyond the stated property.\n *\n * Architecture note:\n * The existing commitment scheme (SHA-256 based) remains available for backward\n * compatibility. The ZK proofs operate on a separate Pedersen commitment system\n * that provides algebraic structure for proper ZK properties.\n *\n * Security invariants:\n * - Generator H is derived via hash-to-curve (nothing-up-my-sleeve)\n * - Blinding factors are cryptographically random (32 bytes)\n * - Fiat-Shamir challenges use domain-separated hashing\n * - Range proofs use a bit-decomposition approach (sound but logarithmic size)\n */\n\nimport { RistrettoPoint } from \"@noble/curves/ed25519\";\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { randomBytes } from \"../core/random.js\";\nimport { toBase64url, fromBase64url, stringToBytes, concatBytes } from \"../core/encoding.js\";\n\n// ── Constants ───────────────────────────────────────────────────────────\n\n/** Generator G: the standard Ristretto255 base point */\nconst G = RistrettoPoint.BASE;\n\n/**\n * Generator H: derived via hash-to-curve so nobody knows the discrete log\n * relationship between G and H (nothing-up-my-sleeve construction).\n */\n/** Derive 64 bytes for hash-to-curve via double SHA-256 */\nconst H_INPUT = concatBytes(\n sha256(stringToBytes(\"sanctuary-pedersen-generator-H-v1-a\")),\n sha256(stringToBytes(\"sanctuary-pedersen-generator-H-v1-b\"))\n);\nconst H = RistrettoPoint.hashToCurve(H_INPUT);\n\n// ── Types ───────────────────────────────────────────────────────────────\n\n/** A Pedersen commitment: C = v*G + b*H */\nexport interface PedersenCommitment {\n /** The commitment point (encoded as base64url) */\n commitment: string;\n /** The blinding factor b (base64url, 32 bytes) — keep secret */\n blinding_factor: string;\n /** When the commitment was created */\n committed_at: string;\n}\n\n/** A non-interactive ZK proof of knowledge of a commitment's opening */\nexport interface ZKProofOfKnowledge {\n /** Proof type identifier */\n type: \"schnorr-pedersen-ristretto255\";\n /** The commitment this proof is for */\n commitment: string;\n /** Announcement point R (base64url) */\n announcement: string;\n /** Response scalar s_v (base64url) */\n response_v: string;\n /** Response scalar s_b (base64url) */\n response_b: string;\n /** Proof generated at */\n generated_at: string;\n}\n\n/** A ZK range proof: proves value ∈ [min, max] */\nexport interface ZKRangeProof {\n /** Proof type identifier */\n type: \"range-pedersen-ristretto255\";\n /** The commitment this proof is for */\n commitment: string;\n /** Minimum value (inclusive) */\n min: number;\n /** Maximum value (inclusive) */\n max: number;\n /** Bit commitments for the shifted value (v - min) */\n bit_commitments: string[];\n /** Proofs that each bit commitment is 0 or 1 */\n bit_proofs: Array<{\n announcement_0: string;\n announcement_1: string;\n challenge_0: string;\n challenge_1: string;\n response_0: string;\n response_1: string;\n }>;\n /** Sum proof: bit commitments sum to the value commitment */\n sum_proof: {\n announcement: string;\n response: string;\n };\n /** Proof generated at */\n generated_at: string;\n}\n\n// ── Helpers ─────────────────────────────────────────────────────────────\n\n/** Encode a bigint as a 32-byte big-endian Uint8Array */\nfunction bigintToBytes(n: bigint): Uint8Array {\n const hex = n.toString(16).padStart(64, \"0\");\n const bytes = new Uint8Array(32);\n for (let i = 0; i < 32; i++) {\n bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);\n }\n return bytes;\n}\n\n/** Decode a 32-byte big-endian Uint8Array to a bigint */\nfunction bytesToBigint(bytes: Uint8Array): bigint {\n let hex = \"\";\n for (const b of bytes) {\n hex += b.toString(16).padStart(2, \"0\");\n }\n return BigInt(\"0x\" + hex);\n}\n\n/** The Ristretto255 group order */\nconst ORDER = BigInt(\"7237005577332262213973186563042994240857116359379907606001950938285454250989\");\n\n/** Reduce a bigint modulo the group order */\nfunction mod(n: bigint): bigint {\n return ((n % ORDER) + ORDER) % ORDER;\n}\n\n/**\n * Safe scalar multiplication: handles the zero case\n * (noble/curves requires 1 <= scalar < n)\n */\nfunction safeMultiply(point: InstanceType<typeof RistrettoPoint>, scalar: bigint): InstanceType<typeof RistrettoPoint> {\n const s = mod(scalar);\n if (s === 0n) return RistrettoPoint.ZERO;\n return point.multiply(s);\n}\n\n/** Generate a random scalar in [1, ORDER-1] */\nfunction randomScalar(): bigint {\n const bytes = randomBytes(64); // Extra bytes for uniform distribution\n return mod(bytesToBigint(bytes));\n}\n\n/** Domain-separated Fiat-Shamir challenge hash */\nfunction fiatShamirChallenge(domain: string, ...points: Uint8Array[]): bigint {\n const domainBytes = stringToBytes(domain);\n const combined = concatBytes(domainBytes, ...points);\n const hash = sha256(combined);\n return mod(bytesToBigint(hash));\n}\n\n// ── Pedersen Commitments ────────────────────────────────────────────────\n\n/**\n * Create a Pedersen commitment to a numeric value.\n *\n * C = v*G + b*H\n *\n * Properties:\n * - Computationally hiding (under discrete log assumption)\n * - Perfectly binding (information-theoretic)\n * - Homomorphic: C(v1) + C(v2) = C(v1+v2) with adjusted blinding\n *\n * @param value - The value to commit to (integer)\n * @returns The commitment and blinding factor\n */\nexport function createPedersenCommitment(value: number): PedersenCommitment {\n const v = mod(BigInt(value));\n const b = randomScalar();\n\n // C = v*G + b*H\n const C = safeMultiply(G, v).add(safeMultiply(H, b));\n\n return {\n commitment: toBase64url(C.toRawBytes()),\n blinding_factor: toBase64url(bigintToBytes(b)),\n committed_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a Pedersen commitment against a revealed value and blinding factor.\n *\n * Recomputes C' = v*G + b*H and checks C' == C.\n */\nexport function verifyPedersenCommitment(\n commitment: string,\n value: number,\n blindingFactor: string\n): boolean {\n try {\n const C = RistrettoPoint.fromHex(fromBase64url(commitment));\n const v = mod(BigInt(value));\n const b = bytesToBigint(fromBase64url(blindingFactor));\n\n const expected = safeMultiply(G, v).add(safeMultiply(H, b));\n return C.equals(expected);\n } catch {\n return false;\n }\n}\n\n// ── ZK Proof of Knowledge ───────────────────────────────────────────────\n\n/**\n * Create a non-interactive ZK proof that you know the opening (v, b)\n * of a Pedersen commitment C = v*G + b*H.\n *\n * Schnorr sigma protocol with Fiat-Shamir transform:\n * 1. Pick random r_v, r_b\n * 2. Compute R = r_v*G + r_b*H (announcement)\n * 3. Compute e = H_FS(C || R) (challenge via Fiat-Shamir)\n * 4. Compute s_v = r_v + e*v, s_b = r_b + e*b (responses)\n * 5. Proof = (R, s_v, s_b)\n *\n * Zero-knowledge: the transcript (R, e, s_v, s_b) can be simulated\n * without knowing (v, b), so it reveals nothing.\n *\n * @param value - The committed value\n * @param blindingFactor - The blinding factor (base64url)\n * @param commitment - The commitment (base64url)\n */\nexport function createProofOfKnowledge(\n value: number,\n blindingFactor: string,\n commitment: string\n): ZKProofOfKnowledge {\n const v = mod(BigInt(value));\n const b = bytesToBigint(fromBase64url(blindingFactor));\n\n // Step 1: Random nonces\n const r_v = randomScalar();\n const r_b = randomScalar();\n\n // Step 2: Announcement\n const R = safeMultiply(G, r_v).add(safeMultiply(H, r_b));\n\n // Step 3: Fiat-Shamir challenge\n const C_bytes = fromBase64url(commitment);\n const R_bytes = R.toRawBytes();\n const e = fiatShamirChallenge(\"sanctuary-zk-pok-v1\", C_bytes, R_bytes);\n\n // Step 4: Responses\n const s_v = mod(r_v + e * v);\n const s_b = mod(r_b + e * b);\n\n return {\n type: \"schnorr-pedersen-ristretto255\",\n commitment,\n announcement: toBase64url(R_bytes),\n response_v: toBase64url(bigintToBytes(s_v)),\n response_b: toBase64url(bigintToBytes(s_b)),\n generated_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a ZK proof of knowledge of a commitment's opening.\n *\n * Check: s_v*G + s_b*H == R + e*C\n */\nexport function verifyProofOfKnowledge(proof: ZKProofOfKnowledge): boolean {\n try {\n const C = RistrettoPoint.fromHex(fromBase64url(proof.commitment));\n const R = RistrettoPoint.fromHex(fromBase64url(proof.announcement));\n const s_v = bytesToBigint(fromBase64url(proof.response_v));\n const s_b = bytesToBigint(fromBase64url(proof.response_b));\n\n // Recompute challenge\n const e = fiatShamirChallenge(\n \"sanctuary-zk-pok-v1\",\n fromBase64url(proof.commitment),\n fromBase64url(proof.announcement)\n );\n\n // Verify: s_v*G + s_b*H == R + e*C\n const lhs = safeMultiply(G, s_v).add(safeMultiply(H, s_b));\n const rhs = R.add(safeMultiply(C, e));\n\n return lhs.equals(rhs);\n } catch {\n return false;\n }\n}\n\n// ── ZK Range Proof ──────────────────────────────────────────────────────\n\n/**\n * Create a ZK range proof: prove value ∈ [min, max] without revealing value.\n *\n * Approach: bit-decomposition of (value - min) into n bits where 2^n > max - min.\n * Each bit gets a Pedersen commitment and a proof it's 0 or 1.\n * A sum proof shows the bit commitments reconstruct the original commitment\n * (shifted by min).\n *\n * @param value - The committed value\n * @param blindingFactor - The blinding factor (base64url)\n * @param commitment - The commitment (base64url)\n * @param min - Minimum value (inclusive)\n * @param max - Maximum value (inclusive)\n */\nexport function createRangeProof(\n value: number,\n blindingFactor: string,\n commitment: string,\n min: number,\n max: number\n): ZKRangeProof | { error: string } {\n if (value < min || value > max) {\n return { error: `Value ${value} is not in range [${min}, ${max}]` };\n }\n\n const range = max - min;\n const numBits = Math.ceil(Math.log2(range + 1));\n const shifted = value - min;\n const b = bytesToBigint(fromBase64url(blindingFactor));\n\n // Decompose shifted value into bits\n const bits: number[] = [];\n for (let i = 0; i < numBits; i++) {\n bits.push((shifted >> i) & 1);\n }\n\n // Create bit commitments with random blinding factors\n const bitBlindings: bigint[] = [];\n const bitCommitments: string[] = [];\n const bitProofs: ZKRangeProof[\"bit_proofs\"] = [];\n\n for (let i = 0; i < numBits; i++) {\n const bit_b = randomScalar();\n bitBlindings.push(bit_b);\n\n // Bit commitment: C_i = bit_i * G + bit_b_i * H\n const C_i = safeMultiply(G, mod(BigInt(bits[i]!))).add(safeMultiply(H, bit_b));\n bitCommitments.push(toBase64url(C_i.toRawBytes()));\n\n // Prove bit is 0 or 1 using an OR-proof (Sigma protocol)\n const bitProof = createBitProof(bits[i]!, bit_b, C_i);\n bitProofs.push(bitProof);\n }\n\n // Sum proof: show that sum(2^i * C_i) - min*G has blinding factor = b\n // sum(2^i * bit_b_i) should equal b (mod ORDER)\n const sumBlinding = bitBlindings.reduce(\n (acc, bi, i) => mod(acc + mod(BigInt(1) << BigInt(i)) * bi),\n 0n\n );\n // The difference in blinding: b - sumBlinding\n const blindingDiff = mod(b - sumBlinding);\n\n // Prove knowledge of blindingDiff as the blinding factor of the identity point\n const r_sum = randomScalar();\n const R_sum = safeMultiply(H, r_sum);\n const e_sum = fiatShamirChallenge(\n \"sanctuary-zk-range-sum-v1\",\n fromBase64url(commitment),\n R_sum.toRawBytes()\n );\n const s_sum = mod(r_sum + e_sum * blindingDiff);\n\n return {\n type: \"range-pedersen-ristretto255\",\n commitment,\n min,\n max,\n bit_commitments: bitCommitments,\n bit_proofs: bitProofs,\n sum_proof: {\n announcement: toBase64url(R_sum.toRawBytes()),\n response: toBase64url(bigintToBytes(s_sum)),\n },\n generated_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a ZK range proof.\n */\nexport function verifyRangeProof(proof: ZKRangeProof): boolean {\n try {\n const C = RistrettoPoint.fromHex(fromBase64url(proof.commitment));\n const range = proof.max - proof.min;\n const numBits = Math.ceil(Math.log2(range + 1));\n\n if (proof.bit_commitments.length !== numBits) return false;\n if (proof.bit_proofs.length !== numBits) return false;\n\n // Verify each bit proof\n for (let i = 0; i < numBits; i++) {\n const C_i = RistrettoPoint.fromHex(fromBase64url(proof.bit_commitments[i]!));\n if (!verifyBitProof(proof.bit_proofs[i]!, C_i)) {\n return false;\n }\n }\n\n // Verify sum proof: sum(2^i * C_i) + blindingDiff*H == C - min*G\n // Reconstruct: sum(2^i * C_i)\n let reconstructed = RistrettoPoint.ZERO;\n for (let i = 0; i < numBits; i++) {\n const C_i = RistrettoPoint.fromHex(fromBase64url(proof.bit_commitments[i]!));\n const weight = mod(BigInt(1) << BigInt(i));\n reconstructed = reconstructed.add(safeMultiply(C_i, weight));\n }\n\n // The difference: C - min*G - reconstructed should be blindingDiff*H\n const diff = C.subtract(safeMultiply(G, mod(BigInt(proof.min)))).subtract(reconstructed);\n\n // Verify the sum proof for diff\n const R_sum = RistrettoPoint.fromHex(fromBase64url(proof.sum_proof.announcement));\n const s_sum = bytesToBigint(fromBase64url(proof.sum_proof.response));\n const e_sum = fiatShamirChallenge(\n \"sanctuary-zk-range-sum-v1\",\n fromBase64url(proof.commitment),\n fromBase64url(proof.sum_proof.announcement)\n );\n\n // Check: s_sum*H == R_sum + e_sum*diff\n const lhs = safeMultiply(H, s_sum);\n const rhs = R_sum.add(safeMultiply(diff, e_sum));\n return lhs.equals(rhs);\n } catch {\n return false;\n }\n}\n\n// ── Bit Proof (OR-proof for 0 or 1) ────────────────────────────────────\n\n/**\n * Create an OR-proof that a Pedersen commitment contains either 0 or 1.\n * Uses the standard Cramer-Damgård-Schoenmakers (CDS) technique.\n */\nfunction createBitProof(\n bit: number,\n blinding: bigint,\n commitment: InstanceType<typeof RistrettoPoint>\n): ZKRangeProof[\"bit_proofs\"][0] {\n const C_bytes = commitment.toRawBytes();\n\n if (bit === 0) {\n // Real proof for 0, simulated for 1\n // For the simulated branch (bit=1): C - G\n const C_minus_G = commitment.subtract(G);\n\n // Simulate branch 1\n const e_1 = randomScalar();\n const s_1 = randomScalar();\n // R_1 = s_1*H - e_1*(C-G)\n const R_1 = safeMultiply(H, s_1).subtract(safeMultiply(C_minus_G, e_1));\n\n // Real branch 0\n const r_0 = randomScalar();\n const R_0 = safeMultiply(H, r_0);\n\n // Overall challenge\n const e = fiatShamirChallenge(\n \"sanctuary-zk-bit-v1\",\n C_bytes,\n R_0.toRawBytes(),\n R_1.toRawBytes()\n );\n const e_0 = mod(e - e_1);\n const s_0 = mod(r_0 + e_0 * blinding);\n\n return {\n announcement_0: toBase64url(R_0.toRawBytes()),\n announcement_1: toBase64url(R_1.toRawBytes()),\n challenge_0: toBase64url(bigintToBytes(e_0)),\n challenge_1: toBase64url(bigintToBytes(e_1)),\n response_0: toBase64url(bigintToBytes(s_0)),\n response_1: toBase64url(bigintToBytes(s_1)),\n };\n } else {\n // Real proof for 1, simulated for 0\n // Simulate branch 0\n const e_0 = randomScalar();\n const s_0 = randomScalar();\n // R_0 = s_0*H - e_0*C\n const R_0 = safeMultiply(H, s_0).subtract(safeMultiply(commitment, e_0));\n\n // Real branch 1: C - G, blinding is the same\n const r_1 = randomScalar();\n const R_1 = safeMultiply(H, r_1);\n\n // Overall challenge\n const e = fiatShamirChallenge(\n \"sanctuary-zk-bit-v1\",\n C_bytes,\n R_0.toRawBytes(),\n R_1.toRawBytes()\n );\n const e_1 = mod(e - e_0);\n const s_1 = mod(r_1 + e_1 * blinding);\n\n return {\n announcement_0: toBase64url(R_0.toRawBytes()),\n announcement_1: toBase64url(R_1.toRawBytes()),\n challenge_0: toBase64url(bigintToBytes(e_0)),\n challenge_1: toBase64url(bigintToBytes(e_1)),\n response_0: toBase64url(bigintToBytes(s_0)),\n response_1: toBase64url(bigintToBytes(s_1)),\n };\n }\n}\n\n/**\n * Verify an OR-proof that a commitment contains 0 or 1.\n */\nfunction verifyBitProof(\n proof: ZKRangeProof[\"bit_proofs\"][0],\n commitment: InstanceType<typeof RistrettoPoint>\n): boolean {\n try {\n const C_bytes = commitment.toRawBytes();\n const R_0 = RistrettoPoint.fromHex(fromBase64url(proof.announcement_0));\n const R_1 = RistrettoPoint.fromHex(fromBase64url(proof.announcement_1));\n const e_0 = bytesToBigint(fromBase64url(proof.challenge_0));\n const e_1 = bytesToBigint(fromBase64url(proof.challenge_1));\n const s_0 = bytesToBigint(fromBase64url(proof.response_0));\n const s_1 = bytesToBigint(fromBase64url(proof.response_1));\n\n // Check challenge split\n const e = fiatShamirChallenge(\n \"sanctuary-zk-bit-v1\",\n C_bytes,\n R_0.toRawBytes(),\n R_1.toRawBytes()\n );\n if (mod(e_0 + e_1) !== e) return false;\n\n // Verify branch 0: s_0*H == R_0 + e_0*C\n const lhs_0 = safeMultiply(H, s_0);\n const rhs_0 = R_0.add(safeMultiply(commitment, e_0));\n if (!lhs_0.equals(rhs_0)) return false;\n\n // Verify branch 1: s_1*H == R_1 + e_1*(C - G)\n const C_minus_G = commitment.subtract(G);\n const lhs_1 = safeMultiply(H, s_1);\n const rhs_1 = R_1.add(safeMultiply(C_minus_G, e_1));\n if (!lhs_1.equals(rhs_1)) return false;\n\n return true;\n } catch {\n return false;\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Tool Definitions\n *\n * MCP tool wrappers for commitment schemes and disclosure policies.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport {\n createCommitment,\n verifyCommitment,\n CommitmentStore,\n} from \"./commitments.js\";\nimport {\n evaluateDisclosure,\n PolicyStore,\n type DisclosureRule,\n} from \"./policies.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport {\n createPedersenCommitment,\n verifyPedersenCommitment,\n createProofOfKnowledge,\n verifyProofOfKnowledge,\n createRangeProof,\n verifyRangeProof,\n} from \"./zk-proofs.js\";\n\nexport function createL3Tools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[]; commitmentStore: CommitmentStore; policyStore: PolicyStore } {\n const commitmentStore = new CommitmentStore(storage, masterKey);\n const policyStore = new PolicyStore(storage, masterKey);\n\n const tools: ToolDefinition[] = [\n // ─── Commitment Schemes ───────────────────────────────────────────────\n\n {\n name: \"sanctuary/proof_commitment\",\n description:\n \"Create a cryptographic commitment to a value. \" +\n \"The commitment hides the value until you choose to reveal it. \" +\n \"Returns the commitment hash and a blinding factor (store securely).\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"string\",\n description: \"The value to commit to\",\n },\n blinding_factor: {\n type: \"string\",\n description:\n \"Optional base64url blinding factor (auto-generated if omitted)\",\n },\n },\n required: [\"value\"],\n },\n handler: async (args) => {\n const value = args.value as string;\n const blindingFactor = args.blinding_factor as string | undefined;\n\n const commitment = createCommitment(value, blindingFactor);\n\n // Store the commitment encrypted for reference\n const commitmentId = await commitmentStore.store(commitment, value);\n\n auditLog.append(\"l3\", \"proof_commitment\", \"system\", {\n commitment_id: commitmentId,\n commitment_hash: commitment.commitment,\n });\n\n return toolResult({\n commitment_id: commitmentId,\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n committed_at: commitment.committed_at,\n note: \"Store the blinding_factor securely. You will need it to reveal the committed value.\",\n });\n },\n },\n\n {\n name: \"sanctuary/proof_reveal\",\n description:\n \"Verify a previously committed value by revealing it with the blinding factor. \" +\n \"Returns whether the revealed value matches the commitment.\",\n inputSchema: {\n type: \"object\",\n properties: {\n commitment: {\n type: \"string\",\n description: \"The original commitment hash\",\n },\n value: {\n type: \"string\",\n description: \"The value being revealed\",\n },\n blinding_factor: {\n type: \"string\",\n description: \"The blinding factor from the original commitment\",\n },\n },\n required: [\"commitment\", \"value\", \"blinding_factor\"],\n },\n handler: async (args) => {\n const commitment = args.commitment as string;\n const value = args.value as string;\n const blindingFactor = args.blinding_factor as string;\n\n const valid = verifyCommitment(commitment, value, blindingFactor);\n\n auditLog.append(\"l3\", \"proof_reveal\", \"system\", {\n commitment_hash: commitment,\n valid,\n });\n\n return toolResult({\n valid,\n commitment,\n revealed_at: new Date().toISOString(),\n });\n },\n },\n\n // ─── Disclosure Policies ──────────────────────────────────────────────\n\n {\n name: \"sanctuary/disclosure_set_policy\",\n description:\n \"Define a disclosure policy that controls what an agent will and will not \" +\n \"disclose in different interaction contexts. Rules specify which fields may \" +\n \"be disclosed, which must be withheld, and which require cryptographic proof.\",\n inputSchema: {\n type: \"object\",\n properties: {\n policy_name: {\n type: \"string\",\n description: \"Human-readable policy name\",\n },\n rules: {\n type: \"array\",\n description: \"Disclosure rules for different contexts\",\n items: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description:\n 'Interaction context: \"negotiation\", \"commerce\", \"identity\", \"*\" (wildcard)',\n },\n disclose: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the agent MAY disclose\",\n },\n withhold: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the agent MUST NOT disclose\",\n },\n proof_required: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields that require proof rather than plain disclosure\",\n },\n },\n required: [\"context\", \"disclose\", \"withhold\", \"proof_required\"],\n },\n },\n default_action: {\n type: \"string\",\n enum: [\"withhold\", \"ask-principal\"],\n description: \"What to do when no rule matches a field\",\n },\n identity_id: {\n type: \"string\",\n description: \"Optional identity this policy is bound to\",\n },\n },\n required: [\"policy_name\", \"rules\", \"default_action\"],\n },\n handler: async (args) => {\n const policyName = args.policy_name as string;\n const rules = args.rules as DisclosureRule[];\n const defaultAction = args.default_action as\n | \"withhold\"\n | \"ask-principal\";\n const identityId = args.identity_id as string | undefined;\n\n const policy = await policyStore.create(\n policyName,\n rules,\n defaultAction,\n identityId\n );\n\n auditLog.append(\"l3\", \"disclosure_set_policy\", identityId ?? \"system\", {\n policy_id: policy.policy_id,\n policy_name: policyName,\n rules_count: rules.length,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n rules_count: policy.rules.length,\n created_at: policy.created_at,\n });\n },\n },\n\n {\n name: \"sanctuary/disclosure_evaluate\",\n description:\n \"Evaluate a disclosure request against an active policy. \" +\n \"Returns per-field decisions: disclose, withhold, proof, or ask-principal.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description: \"The interaction context\",\n },\n requested_fields: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the counterparty is requesting\",\n },\n policy_id: {\n type: \"string\",\n description: \"Specific policy to evaluate (uses first available if omitted)\",\n },\n },\n required: [\"context\", \"requested_fields\"],\n },\n handler: async (args) => {\n const context = args.context as string;\n const requestedFields = args.requested_fields as string[];\n const policyId = args.policy_id as string | undefined;\n\n let policy;\n if (policyId) {\n policy = await policyStore.get(policyId);\n } else {\n const allPolicies = await policyStore.list();\n policy = allPolicies[0] ?? null;\n }\n\n if (!policy) {\n return toolResult({\n error: \"No disclosure policy found. Create one with disclosure_set_policy first.\",\n });\n }\n\n const decisions = evaluateDisclosure(policy, context, requestedFields);\n\n const withholding = decisions.filter(\n (d) => d.action === \"withhold\"\n ).length;\n const disclosing = decisions.filter(\n (d) => d.action === \"disclose\"\n ).length;\n const proofRequired = decisions.filter(\n (d) => d.action === \"proof\"\n ).length;\n const askPrincipal = decisions.filter(\n (d) => d.action === \"ask-principal\"\n ).length;\n\n auditLog.append(\"l3\", \"disclosure_evaluate\", \"system\", {\n policy_id: policy.policy_id,\n context,\n fields_requested: requestedFields.length,\n withholding,\n disclosing,\n proof_required: proofRequired,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n context,\n decisions,\n summary: {\n total_fields: requestedFields.length,\n disclose: disclosing,\n withhold: withholding,\n proof: proofRequired,\n ask_principal: askPrincipal,\n },\n overall_recommendation:\n withholding > 0\n ? `Withholding ${withholding} of ${requestedFields.length} requested fields per policy \"${policy.policy_name}\"`\n : `All ${requestedFields.length} fields may be disclosed per policy \"${policy.policy_name}\"`,\n });\n },\n },\n\n // ─── ZK Proof Tools ───────────────────────────────────────────────────\n\n {\n name: \"sanctuary/zk_commit\",\n description:\n \"Create a Pedersen commitment to a numeric value on Ristretto255. \" +\n \"Unlike SHA-256 commitments, Pedersen commitments support zero-knowledge proofs: \" +\n \"you can prove properties about the committed value without revealing it.\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"number\",\n description: \"The integer value to commit to\",\n },\n },\n required: [\"value\"],\n },\n handler: async (args) => {\n const value = args.value as number;\n\n if (!Number.isInteger(value)) {\n return toolResult({ error: \"Value must be an integer.\" });\n }\n\n const commitment = createPedersenCommitment(value);\n\n auditLog.append(\"l3\", \"zk_commit\", \"system\", {\n commitment_hash: commitment.commitment.slice(0, 16) + \"...\",\n });\n\n return toolResult({\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n committed_at: commitment.committed_at,\n proof_system: \"pedersen-ristretto255\",\n note: \"Store the blinding_factor securely. Use zk_prove to create proofs about this commitment.\",\n });\n },\n },\n\n {\n name: \"sanctuary/zk_prove\",\n description:\n \"Create a zero-knowledge proof of knowledge for a Pedersen commitment. \" +\n \"Proves you know the value and blinding factor without revealing either. \" +\n \"Uses a Schnorr sigma protocol with Fiat-Shamir transform.\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"number\",\n description: \"The committed value (integer)\",\n },\n blinding_factor: {\n type: \"string\",\n description: \"The blinding factor from zk_commit (base64url)\",\n },\n commitment: {\n type: \"string\",\n description: \"The Pedersen commitment (base64url)\",\n },\n },\n required: [\"value\", \"blinding_factor\", \"commitment\"],\n },\n handler: async (args) => {\n const value = args.value as number;\n const blindingFactor = args.blinding_factor as string;\n const commitment = args.commitment as string;\n\n // Verify the commitment first\n if (!verifyPedersenCommitment(commitment, value, blindingFactor)) {\n return toolResult({\n error: \"The provided value and blinding factor do not match the commitment.\",\n });\n }\n\n const proof = createProofOfKnowledge(value, blindingFactor, commitment);\n\n auditLog.append(\"l3\", \"zk_prove\", \"system\", {\n proof_type: proof.type,\n commitment: commitment.slice(0, 16) + \"...\",\n });\n\n return toolResult({\n proof,\n note: \"This proof demonstrates knowledge of the commitment opening without revealing the value.\",\n });\n },\n },\n\n {\n name: \"sanctuary/zk_verify\",\n description:\n \"Verify a zero-knowledge proof of knowledge for a Pedersen commitment. \" +\n \"Checks that the prover knows the commitment's opening without learning anything.\",\n inputSchema: {\n type: \"object\",\n properties: {\n proof: {\n type: \"object\",\n description: \"The ZK proof object from zk_prove\",\n },\n },\n required: [\"proof\"],\n },\n handler: async (args) => {\n const proof = args.proof as Parameters<typeof verifyProofOfKnowledge>[0];\n\n const valid = verifyProofOfKnowledge(proof);\n\n auditLog.append(\"l3\", \"zk_verify\", \"system\", {\n proof_type: proof.type,\n valid,\n });\n\n return toolResult({\n valid,\n proof_type: proof.type,\n commitment: proof.commitment,\n verified_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/zk_range_prove\",\n description:\n \"Create a zero-knowledge range proof: prove that a committed value is \" +\n \"within [min, max] without revealing the exact value. \" +\n \"Uses bit-decomposition with OR-proofs on Ristretto255.\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"number\",\n description: \"The committed value (integer)\",\n },\n blinding_factor: {\n type: \"string\",\n description: \"The blinding factor from zk_commit (base64url)\",\n },\n commitment: {\n type: \"string\",\n description: \"The Pedersen commitment (base64url)\",\n },\n min: {\n type: \"number\",\n description: \"Minimum of the range (inclusive)\",\n },\n max: {\n type: \"number\",\n description: \"Maximum of the range (inclusive)\",\n },\n },\n required: [\"value\", \"blinding_factor\", \"commitment\", \"min\", \"max\"],\n },\n handler: async (args) => {\n const value = args.value as number;\n const blindingFactor = args.blinding_factor as string;\n const commitment = args.commitment as string;\n const min = args.min as number;\n const max = args.max as number;\n\n const proof = createRangeProof(value, blindingFactor, commitment, min, max);\n\n if (\"error\" in proof) {\n return toolResult({ error: proof.error });\n }\n\n auditLog.append(\"l3\", \"zk_range_prove\", \"system\", {\n proof_type: proof.type,\n range: `[${min}, ${max}]`,\n bits: proof.bit_commitments.length,\n });\n\n return toolResult({\n proof,\n note: `This proof demonstrates the committed value is in [${min}, ${max}] without revealing it.`,\n });\n },\n },\n\n {\n name: \"sanctuary/zk_range_verify\",\n description:\n \"Verify a zero-knowledge range proof — confirms a committed value \" +\n \"is within the claimed range without learning the value.\",\n inputSchema: {\n type: \"object\",\n properties: {\n proof: {\n type: \"object\",\n description: \"The range proof object from zk_range_prove\",\n },\n },\n required: [\"proof\"],\n },\n handler: async (args) => {\n const proof = args.proof as Parameters<typeof verifyRangeProof>[0];\n\n const valid = verifyRangeProof(proof);\n\n auditLog.append(\"l3\", \"zk_range_verify\", \"system\", {\n proof_type: proof.type,\n valid,\n range: `[${proof.min}, ${proof.max}]`,\n });\n\n return toolResult({\n valid,\n proof_type: proof.type,\n range: { min: proof.min, max: proof.max },\n commitment: proof.commitment,\n verified_at: new Date().toISOString(),\n });\n },\n },\n ];\n\n return { tools, commitmentStore, policyStore };\n}\n","/**\n * Sanctuary MCP Server — L4 Verifiable Reputation: Reputation Store\n *\n * Records interaction outcomes as signed attestations, queries aggregated\n * reputation data, and supports export/import for cross-platform portability.\n *\n * Attestation format is EAS-compatible (Ethereum Attestation Service) to\n * enable future on-chain anchoring without requiring blockchain for MVS.\n *\n * Security invariants:\n * - All attestations are signed by the recording identity\n * - Attestations are stored encrypted under L1 sovereignty\n * - Reputation queries return aggregates, never raw interaction data\n * - Export bundles include all signatures for independent verification\n * - Import verifies every signature before accepting attestations\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport {\n stringToBytes,\n bytesToString,\n toBase64url,\n fromBase64url,\n} from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport type { StoredIdentity } from \"../core/identity.js\";\nimport type { SovereigntyTier } from \"./tiers.js\";\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/** Interaction outcome for recording */\nexport interface InteractionOutcome {\n type: \"transaction\" | \"negotiation\" | \"service\" | \"dispute\" | \"custom\";\n result: \"completed\" | \"partial\" | \"failed\" | \"disputed\";\n metrics?: Record<string, number>;\n}\n\n/** A signed attestation of an interaction */\nexport interface Attestation {\n attestation_id: string;\n schema: \"sanctuary-interaction-v1\";\n data: {\n interaction_id: string;\n participant_did: string;\n counterparty_did: string;\n outcome_type: string;\n outcome_result: string;\n metrics: Record<string, number>;\n context: string;\n timestamp: string;\n /** Sovereignty tier of the signer at time of recording */\n sovereignty_tier?: SovereigntyTier;\n };\n signature: string;\n signer: string;\n}\n\n/** Stored attestation (encrypted at rest) */\nexport interface StoredAttestation {\n attestation: Attestation;\n counterparty_attestation?: string;\n counterparty_confirmed: boolean;\n recorded_at: string;\n}\n\n/** Aggregated metric statistics */\nexport interface MetricAggregate {\n mean: number;\n median: number;\n min: number;\n max: number;\n count: number;\n}\n\n/** Reputation query result */\nexport interface ReputationSummary {\n total_interactions: number;\n completed: number;\n partial: number;\n failed: number;\n disputed: number;\n contexts: string[];\n time_range: { start: string; end: string };\n aggregate_metrics: Record<string, MetricAggregate>;\n}\n\n/** Portable reputation bundle */\nexport interface ReputationBundle {\n version: \"SANCTUARY_REP_V1\";\n attestations: Attestation[];\n exported_at: string;\n exporter_did: string;\n bundle_signature: string;\n}\n\n// ─── Escrow and Bootstrap ─────────────────────────────────────────────────\n\n/** Escrow for trust bootstrapping */\nexport interface Escrow {\n escrow_id: string;\n transaction_terms: string;\n terms_hash: string;\n collateral_amount?: number;\n counterparty_did: string;\n creator_did: string;\n created_at: string;\n expires_at: string;\n status: \"pending\" | \"active\" | \"released\" | \"disputed\" | \"expired\";\n}\n\n/** Principal guarantee for a new agent */\nexport interface Guarantee {\n guarantee_id: string;\n principal_did: string;\n agent_did: string;\n scope: string;\n max_liability?: number;\n valid_until: string;\n certificate: string; // Signed certificate\n created_at: string;\n}\n\n// ─── Helpers ──────────────────────────────────────────────────────────────\n\nfunction computeMedian(values: number[]): number {\n if (values.length === 0) return 0;\n const sorted = [...values].sort((a, b) => a - b);\n const mid = Math.floor(sorted.length / 2);\n return sorted.length % 2 !== 0\n ? sorted[mid]!\n : (sorted[mid - 1]! + sorted[mid]!) / 2;\n}\n\nfunction aggregateMetrics(\n attestations: StoredAttestation[],\n metricNames?: string[]\n): Record<string, MetricAggregate> {\n const result: Record<string, MetricAggregate> = {};\n\n // Collect all metric names if not specified\n const names =\n metricNames ??\n Array.from(\n new Set(\n attestations.flatMap((a) =>\n Object.keys(a.attestation.data.metrics)\n )\n )\n );\n\n for (const name of names) {\n const values = attestations\n .map((a) => a.attestation.data.metrics[name])\n .filter((v): v is number => v !== undefined);\n\n if (values.length === 0) {\n result[name] = { mean: 0, median: 0, min: 0, max: 0, count: 0 };\n continue;\n }\n\n result[name] = {\n mean: values.reduce((s, v) => s + v, 0) / values.length,\n median: computeMedian(values),\n min: Math.min(...values),\n max: Math.max(...values),\n count: values.length,\n };\n }\n\n return result;\n}\n\n// ─── Reputation Store ─────────────────────────────────────────────────────\n\nexport class ReputationStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l4-reputation\");\n }\n\n /**\n * Record an interaction outcome as a signed attestation.\n */\n async record(\n interactionId: string,\n counterpartyDid: string,\n outcome: InteractionOutcome,\n context: string,\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n counterpartyAttestation?: string,\n sovereigntyTier?: SovereigntyTier\n ): Promise<StoredAttestation> {\n const attestationId = `att-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n // Build the attestation data\n const attestationData: Attestation[\"data\"] = {\n interaction_id: interactionId,\n participant_did: identity.did,\n counterparty_did: counterpartyDid,\n outcome_type: outcome.type,\n outcome_result: outcome.result,\n metrics: outcome.metrics ?? {},\n context,\n timestamp: now,\n sovereignty_tier: sovereigntyTier,\n };\n\n // Sign the attestation data\n const dataBytes = stringToBytes(JSON.stringify(attestationData));\n const signature = sign(\n dataBytes,\n identity.encrypted_private_key,\n identityEncryptionKey\n );\n\n const attestation: Attestation = {\n attestation_id: attestationId,\n schema: \"sanctuary-interaction-v1\",\n data: attestationData,\n signature: toBase64url(signature),\n signer: identity.did,\n };\n\n const stored: StoredAttestation = {\n attestation,\n counterparty_attestation: counterpartyAttestation,\n counterparty_confirmed: !!counterpartyAttestation,\n recorded_at: now,\n };\n\n // Persist encrypted\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_reputation\",\n attestationId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return stored;\n }\n\n /**\n * Query reputation data with filtering.\n * Returns aggregates only — not raw interaction data.\n */\n async query(options: {\n context?: string;\n time_range?: { start: string; end: string };\n metrics?: string[];\n counterparty_did?: string;\n }): Promise<ReputationSummary> {\n const all = await this.loadAll();\n let filtered = all;\n\n if (options.context) {\n filtered = filtered.filter(\n (a) => a.attestation.data.context === options.context\n );\n }\n\n if (options.time_range) {\n const start = new Date(options.time_range.start).getTime();\n const end = new Date(options.time_range.end).getTime();\n filtered = filtered.filter((a) => {\n const t = new Date(a.attestation.data.timestamp).getTime();\n return t >= start && t <= end;\n });\n }\n\n if (options.counterparty_did) {\n filtered = filtered.filter(\n (a) => a.attestation.data.counterparty_did === options.counterparty_did\n );\n }\n\n const contexts = Array.from(\n new Set(filtered.map((a) => a.attestation.data.context))\n );\n\n const timestamps = filtered.map((a) =>\n new Date(a.attestation.data.timestamp).getTime()\n );\n const start = timestamps.length > 0\n ? new Date(Math.min(...timestamps)).toISOString()\n : new Date().toISOString();\n const end = timestamps.length > 0\n ? new Date(Math.max(...timestamps)).toISOString()\n : new Date().toISOString();\n\n return {\n total_interactions: filtered.length,\n completed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"completed\"\n ).length,\n partial: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"partial\"\n ).length,\n failed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"failed\"\n ).length,\n disputed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"disputed\"\n ).length,\n contexts,\n time_range: { start, end },\n aggregate_metrics: aggregateMetrics(filtered, options.metrics),\n };\n }\n\n /**\n * Export attestations as a portable reputation bundle.\n */\n async exportBundle(\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n context?: string\n ): Promise<ReputationBundle> {\n let all = await this.loadAll();\n\n if (context) {\n all = all.filter((a) => a.attestation.data.context === context);\n }\n\n const attestations = all.map((a) => a.attestation);\n const bundleData = {\n version: \"SANCTUARY_REP_V1\" as const,\n attestations,\n exported_at: new Date().toISOString(),\n exporter_did: identity.did,\n };\n\n // Sign the bundle\n const bundleBytes = stringToBytes(JSON.stringify(bundleData));\n const bundleSignature = sign(\n bundleBytes,\n identity.encrypted_private_key,\n identityEncryptionKey\n );\n\n return {\n ...bundleData,\n bundle_signature: toBase64url(bundleSignature),\n };\n }\n\n /**\n * Import attestations from a reputation bundle.\n * Verifies signatures if requested (default: true).\n *\n * @param publicKeys - Map of DID → public key bytes for signature verification\n */\n async importBundle(\n bundle: ReputationBundle,\n verifySignatures: boolean,\n publicKeys: Map<string, Uint8Array>\n ): Promise<{ imported: number; invalid: number; contexts: string[] }> {\n let imported = 0;\n let invalid = 0;\n const contexts = new Set<string>();\n\n for (const attestation of bundle.attestations) {\n if (verifySignatures) {\n const signerKey = publicKeys.get(attestation.signer);\n if (!signerKey) {\n invalid++;\n continue;\n }\n\n const dataBytes = stringToBytes(\n JSON.stringify(attestation.data)\n );\n const sigBytes = fromBase64url(attestation.signature);\n\n if (!verify(dataBytes, sigBytes, signerKey)) {\n invalid++;\n continue;\n }\n }\n\n // Store the imported attestation\n const stored: StoredAttestation = {\n attestation,\n counterparty_confirmed: false,\n recorded_at: new Date().toISOString(),\n };\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_reputation\",\n attestation.attestation_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n imported++;\n contexts.add(attestation.data.context);\n }\n\n return {\n imported,\n invalid,\n contexts: Array.from(contexts),\n };\n }\n\n // ─── Escrow ───────────────────────────────────────────────────────────\n\n /**\n * Create an escrow for trust bootstrapping.\n */\n async createEscrow(\n transactionTerms: string,\n counterpartyDid: string,\n timeoutSeconds: number,\n creatorDid: string,\n collateralAmount?: number\n ): Promise<Escrow> {\n const escrowId = `esc-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date();\n const expiresAt = new Date(now.getTime() + timeoutSeconds * 1000);\n\n // Hash the terms for tamper detection\n const { hashToString } = await import(\"../core/hashing.js\");\n const termsHash = hashToString(stringToBytes(transactionTerms));\n\n const escrow: Escrow = {\n escrow_id: escrowId,\n transaction_terms: transactionTerms,\n terms_hash: termsHash,\n collateral_amount: collateralAmount,\n counterparty_did: counterpartyDid,\n creator_did: creatorDid,\n created_at: now.toISOString(),\n expires_at: expiresAt.toISOString(),\n status: \"pending\",\n };\n\n const serialized = stringToBytes(JSON.stringify(escrow));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_escrows\",\n escrowId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return escrow;\n }\n\n /**\n * Get an escrow by ID.\n */\n async getEscrow(escrowId: string): Promise<Escrow | null> {\n const raw = await this.storage.read(\"_escrows\", escrowId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n\n // ─── Guarantees ─────────────────────────────────────────────────────\n\n /**\n * Create a principal's guarantee for a new agent.\n */\n async createGuarantee(\n principalIdentity: StoredIdentity,\n agentDid: string,\n scope: string,\n durationSeconds: number,\n identityEncryptionKey: Uint8Array,\n maxLiability?: number\n ): Promise<Guarantee> {\n const guaranteeId = `guar-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date();\n const validUntil = new Date(now.getTime() + durationSeconds * 1000);\n\n const certificateData = {\n guarantee_id: guaranteeId,\n principal_did: principalIdentity.did,\n agent_did: agentDid,\n scope,\n max_liability: maxLiability,\n valid_until: validUntil.toISOString(),\n issued_at: now.toISOString(),\n };\n\n // Sign the certificate with the principal's key\n const certBytes = stringToBytes(JSON.stringify(certificateData));\n const signature = sign(\n certBytes,\n principalIdentity.encrypted_private_key,\n identityEncryptionKey\n );\n\n const certificate = toBase64url(\n stringToBytes(\n JSON.stringify({\n ...certificateData,\n signature: toBase64url(signature),\n })\n )\n );\n\n const guarantee: Guarantee = {\n guarantee_id: guaranteeId,\n principal_did: principalIdentity.did,\n agent_did: agentDid,\n scope,\n max_liability: maxLiability,\n valid_until: validUntil.toISOString(),\n certificate,\n created_at: now.toISOString(),\n };\n\n const serialized = stringToBytes(JSON.stringify(guarantee));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_guarantees\",\n guaranteeId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return guarantee;\n }\n\n // ─── Tier-Aware Access ───────────────────────────────────────────────\n\n /**\n * Load attestations for tier-weighted scoring.\n * Applies basic context/counterparty filtering, returns full StoredAttestations\n * so callers can access sovereignty_tier from attestation data.\n */\n async loadAllForTierScoring(options?: {\n context?: string;\n counterparty_did?: string;\n }): Promise<StoredAttestation[]> {\n let all = await this.loadAll();\n\n if (options?.context) {\n all = all.filter((a) => a.attestation.data.context === options.context);\n }\n if (options?.counterparty_did) {\n all = all.filter(\n (a) => a.attestation.data.counterparty_did === options.counterparty_did\n );\n }\n\n return all;\n }\n\n // ─── Internal ─────────────────────────────────────────────────────────\n\n private async loadAll(): Promise<StoredAttestation[]> {\n const results: StoredAttestation[] = [];\n\n try {\n const entries = await this.storage.list(\"_reputation\");\n for (const meta of entries) {\n const raw = await this.storage.read(\"_reputation\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n results.push(JSON.parse(bytesToString(decrypted)));\n } catch {\n // Skip corrupted entries\n }\n }\n } catch {\n // Storage not available\n }\n\n return results;\n }\n}\n","/**\n * Sanctuary MCP Server — L4 Verifiable Reputation: Tool Definitions\n *\n * MCP tool wrappers for reputation recording, querying, export/import,\n * and trust bootstrapping (escrow + principal guarantees).\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { ReputationStore, type InteractionOutcome } from \"./reputation-store.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { toBase64url, fromBase64url } from \"../core/encoding.js\";\nimport {\n resolveTier,\n computeWeightedScore,\n tierDistribution,\n TIER_WEIGHTS,\n type TieredAttestation,\n type SovereigntyTier,\n} from \"./tiers.js\";\n\nexport function createL4Tools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n identityManager: IdentityManager,\n auditLog: AuditLog,\n handshakeResults?: Map<string, HandshakeResult>\n): { tools: ToolDefinition[]; reputationStore: ReputationStore } {\n const reputationStore = new ReputationStore(storage, masterKey);\n const identityEncryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n // Default to empty map if no handshake results provided\n const hsResults = handshakeResults ?? new Map<string, HandshakeResult>();\n\n const tools: ToolDefinition[] = [\n // ─── Reputation Recording ─────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_record\",\n description:\n \"Record an interaction outcome as a signed attestation. \" +\n \"Creates an EAS-compatible attestation signed by the specified identity.\",\n inputSchema: {\n type: \"object\",\n properties: {\n interaction_id: {\n type: \"string\",\n description: \"Unique interaction identifier\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Counterparty's DID\",\n },\n outcome: {\n type: \"object\",\n description: \"Interaction outcome\",\n properties: {\n type: {\n type: \"string\",\n enum: [\"transaction\", \"negotiation\", \"service\", \"dispute\", \"custom\"],\n },\n result: {\n type: \"string\",\n enum: [\"completed\", \"partial\", \"failed\", \"disputed\"],\n },\n metrics: {\n type: \"object\",\n description: \"Domain-specific metrics (e.g., fulfillment_rate, response_time_ms)\",\n },\n },\n required: [\"type\", \"result\"],\n },\n context: {\n type: \"string\",\n description: \"Category/domain for context-specific reputation\",\n default: \"general\",\n },\n counterparty_attestation: {\n type: \"string\",\n description: \"Counterparty's signed attestation of the same interaction\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign with (uses default if omitted)\",\n },\n },\n required: [\"interaction_id\", \"counterparty_did\", \"outcome\"],\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const outcome = args.outcome as InteractionOutcome;\n const context = (args.context as string) ?? \"general\";\n\n // Resolve sovereignty tier for the counterparty\n const counterpartyDid = args.counterparty_did as string;\n const hasSanctuaryIdentity = identityManager.list().some(\n (id) => identityManager.get(id.identity_id)?.did === counterpartyDid\n );\n const tierMeta = resolveTier(counterpartyDid, hsResults, hasSanctuaryIdentity);\n\n const stored = await reputationStore.record(\n args.interaction_id as string,\n counterpartyDid,\n outcome,\n context,\n identity,\n identityEncryptionKey,\n args.counterparty_attestation as string | undefined,\n tierMeta.sovereignty_tier\n );\n\n auditLog.append(\"l4\", \"reputation_record\", identity.identity_id, {\n interaction_id: args.interaction_id,\n outcome_type: outcome.type,\n outcome_result: outcome.result,\n context,\n sovereignty_tier: tierMeta.sovereignty_tier,\n });\n\n return toolResult({\n attestation_id: stored.attestation.attestation_id,\n interaction_id: stored.attestation.data.interaction_id,\n self_attestation: stored.attestation.signature,\n counterparty_confirmed: stored.counterparty_confirmed,\n sovereignty_tier: tierMeta.sovereignty_tier,\n context,\n recorded_at: stored.recorded_at,\n });\n },\n },\n\n // ─── Reputation Query ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_query\",\n description:\n \"Query aggregated reputation data with filtering. \" +\n \"Returns summary statistics, never raw interaction details.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description: \"Filter by context/domain\",\n },\n time_range: {\n type: \"object\",\n description: \"Filter by time range\",\n properties: {\n start: { type: \"string\", description: \"ISO 8601 start\" },\n end: { type: \"string\", description: \"ISO 8601 end\" },\n },\n },\n metrics: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Which metrics to aggregate\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Filter by counterparty\",\n },\n },\n },\n handler: async (args) => {\n const summary = await reputationStore.query({\n context: args.context as string | undefined,\n time_range: args.time_range as\n | { start: string; end: string }\n | undefined,\n metrics: args.metrics as string[] | undefined,\n counterparty_did: args.counterparty_did as string | undefined,\n });\n\n auditLog.append(\"l4\", \"reputation_query\", \"system\", {\n total_interactions: summary.total_interactions,\n contexts: summary.contexts,\n });\n\n return toolResult({\n summary,\n // SEC-ADD-03: Tag response as containing counterparty-generated attestation data\n _content_trust: \"external\",\n });\n },\n },\n\n // ─── Reputation Export ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_export\",\n description:\n \"Export a portable reputation bundle (SANCTUARY_REP_V1). \" +\n \"Includes all signed attestations for independent verification.\",\n inputSchema: {\n type: \"object\",\n properties: {\n format: {\n type: \"string\",\n enum: [\"SANCTUARY_REP_V1\"],\n default: \"SANCTUARY_REP_V1\",\n },\n context: {\n type: \"string\",\n description: \"Export specific context only\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign the bundle with\",\n },\n },\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const context = args.context as string | undefined;\n const bundle = await reputationStore.exportBundle(\n identity,\n identityEncryptionKey,\n context\n );\n\n const bundleJson = JSON.stringify(bundle);\n const bundleBase64 = toBase64url(\n new TextEncoder().encode(bundleJson)\n );\n\n auditLog.append(\"l4\", \"reputation_export\", identity.identity_id, {\n attestation_count: bundle.attestations.length,\n contexts: Array.from(\n new Set(bundle.attestations.map((a) => a.data.context))\n ),\n });\n\n const { hashToString } = await import(\"../core/hashing.js\");\n const { stringToBytes } = await import(\"../core/encoding.js\");\n\n return toolResult({\n bundle: bundleBase64,\n attestation_count: bundle.attestations.length,\n contexts: Array.from(\n new Set(bundle.attestations.map((a) => a.data.context))\n ),\n bundle_hash: hashToString(stringToBytes(bundleJson)),\n exported_at: bundle.exported_at,\n });\n },\n },\n\n // ─── Reputation Import ────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_import\",\n description:\n \"Import a reputation bundle from another Sanctuary instance. \" +\n \"Verifies all attestation signatures by default.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bundle: {\n type: \"string\",\n description: \"Base64url-encoded reputation bundle\",\n },\n },\n required: [\"bundle\"],\n },\n handler: async (args) => {\n const bundleBase64 = args.bundle as string;\n // Signature verification is always enforced — no caller override.\n // Allowing callers to skip verification was a prompt-injection footgun.\n const verifySignatures = true;\n\n let bundle;\n try {\n const bundleBytes = fromBase64url(bundleBase64);\n const bundleJson = new TextDecoder().decode(bundleBytes);\n bundle = JSON.parse(bundleJson);\n } catch {\n return toolResult({\n error: \"Invalid bundle format. Expected base64url-encoded JSON.\",\n });\n }\n\n // Build public key map from known identities for verification\n const publicKeys = new Map<string, Uint8Array>();\n for (const pub of identityManager.list()) {\n const identity = identityManager.get(pub.identity_id);\n if (identity) {\n publicKeys.set(identity.did, fromBase64url(identity.public_key));\n }\n }\n\n const result = await reputationStore.importBundle(\n bundle,\n verifySignatures,\n publicKeys\n );\n\n auditLog.append(\"l4\", \"reputation_import\", \"system\", {\n imported: result.imported,\n invalid: result.invalid,\n contexts: result.contexts,\n });\n\n return toolResult({\n imported_attestations: result.imported,\n invalid_attestations: result.invalid,\n contexts: result.contexts,\n imported_at: new Date().toISOString(),\n });\n },\n },\n\n // ─── Sovereignty-Weighted Query ──────────────────────────────────\n\n {\n name: \"sanctuary/reputation_query_weighted\",\n description:\n \"Query reputation with sovereignty-weighted scoring. \" +\n \"Attestations from verified-sovereign agents carry full weight (1.0); \" +\n \"unverified attestations carry reduced weight (0.2). \" +\n \"Returns both the weighted score and tier distribution.\",\n inputSchema: {\n type: \"object\",\n properties: {\n metric: {\n type: \"string\",\n description: \"Which metric to compute the weighted score for\",\n },\n context: {\n type: \"string\",\n description: \"Filter by context/domain\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Filter by counterparty\",\n },\n },\n required: [\"metric\"],\n },\n handler: async (args) => {\n const summary = await reputationStore.query({\n context: args.context as string | undefined,\n counterparty_did: args.counterparty_did as string | undefined,\n });\n\n // Get the raw attestations for tier-aware scoring\n // We use the internal loadAllForTierScoring method\n const allAttestations = await reputationStore.loadAllForTierScoring({\n context: args.context as string | undefined,\n counterparty_did: args.counterparty_did as string | undefined,\n });\n\n const metric = args.metric as string;\n\n // Build tiered attestations for scoring\n const tieredAttestations: TieredAttestation[] = allAttestations\n .filter((a) => a.attestation.data.metrics[metric] !== undefined)\n .map((a) => ({\n value: a.attestation.data.metrics[metric]!,\n tier: (a.attestation.data.sovereignty_tier ?? \"unverified\") as SovereigntyTier,\n }));\n\n const weightedScore = computeWeightedScore(tieredAttestations);\n\n // Compute tier distribution\n const tiers = allAttestations.map(\n (a) => (a.attestation.data.sovereignty_tier ?? \"unverified\") as SovereigntyTier\n );\n const dist = tierDistribution(tiers);\n\n auditLog.append(\"l4\", \"reputation_query_weighted\", \"system\", {\n metric,\n attestation_count: tieredAttestations.length,\n weighted_score: weightedScore,\n });\n\n return toolResult({\n metric,\n weighted_score: weightedScore,\n attestation_count: tieredAttestations.length,\n tier_distribution: dist,\n tier_weights: TIER_WEIGHTS,\n unweighted_summary: summary,\n });\n },\n },\n\n // ─── Trust Bootstrap: Escrow ──────────────────────────────────────\n\n {\n name: \"sanctuary/bootstrap_create_escrow\",\n description:\n \"Create an escrow record for trust bootstrapping. \" +\n \"Allows new participants with no reputation to transact safely.\",\n inputSchema: {\n type: \"object\",\n properties: {\n transaction_terms: {\n type: \"string\",\n description: \"Description of the transaction\",\n },\n collateral_amount: {\n type: \"number\",\n description: \"Optional stake/collateral amount\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Counterparty's DID\",\n },\n timeout_seconds: {\n type: \"number\",\n description: \"Escrow timeout in seconds\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity creating the escrow\",\n },\n },\n required: [\"transaction_terms\", \"counterparty_did\", \"timeout_seconds\"],\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const escrow = await reputationStore.createEscrow(\n args.transaction_terms as string,\n args.counterparty_did as string,\n args.timeout_seconds as number,\n identity.did,\n args.collateral_amount as number | undefined\n );\n\n auditLog.append(\"l4\", \"bootstrap_create_escrow\", identity.identity_id, {\n escrow_id: escrow.escrow_id,\n counterparty_did: args.counterparty_did,\n timeout_seconds: args.timeout_seconds,\n });\n\n return toolResult({\n escrow_id: escrow.escrow_id,\n terms_hash: escrow.terms_hash,\n created_at: escrow.created_at,\n expires_at: escrow.expires_at,\n status: escrow.status,\n });\n },\n },\n\n // ─── Trust Bootstrap: Guarantee ───────────────────────────────────\n\n {\n name: \"sanctuary/bootstrap_provide_guarantee\",\n description:\n \"A principal provides a signed reputation guarantee for a new agent. \" +\n \"The guarantee certificate can be presented to counterparties.\",\n inputSchema: {\n type: \"object\",\n properties: {\n principal_identity_id: {\n type: \"string\",\n description: \"Identity of the guarantor (principal)\",\n },\n agent_identity_id: {\n type: \"string\",\n description: \"Identity of the agent being guaranteed\",\n },\n scope: {\n type: \"string\",\n description: \"What the guarantee covers\",\n },\n duration_seconds: {\n type: \"number\",\n description: \"How long the guarantee is valid\",\n },\n max_liability: {\n type: \"number\",\n description: \"Maximum liability amount\",\n },\n },\n required: [\n \"principal_identity_id\",\n \"agent_identity_id\",\n \"scope\",\n \"duration_seconds\",\n ],\n },\n handler: async (args) => {\n const principalIdentity = identityManager.get(\n args.principal_identity_id as string\n );\n const agentIdentity = identityManager.get(\n args.agent_identity_id as string\n );\n\n if (!principalIdentity) {\n return toolResult({\n error: `Principal identity \"${args.principal_identity_id}\" not found.`,\n });\n }\n if (!agentIdentity) {\n return toolResult({\n error: `Agent identity \"${args.agent_identity_id}\" not found.`,\n });\n }\n\n const guarantee = await reputationStore.createGuarantee(\n principalIdentity,\n agentIdentity.did,\n args.scope as string,\n args.duration_seconds as number,\n identityEncryptionKey,\n args.max_liability as number | undefined\n );\n\n auditLog.append(\n \"l4\",\n \"bootstrap_provide_guarantee\",\n principalIdentity.identity_id,\n {\n guarantee_id: guarantee.guarantee_id,\n agent_did: agentIdentity.did,\n scope: args.scope,\n }\n );\n\n return toolResult({\n guarantee_id: guarantee.guarantee_id,\n guarantee_certificate: guarantee.certificate,\n scope: guarantee.scope,\n valid_until: guarantee.valid_until,\n });\n },\n },\n ];\n\n return { tools, reputationStore };\n}\n","/**\n * Sanctuary MCP Server — Sovereignty-Gated Reputation Tiers\n *\n * Attestations carry a sovereignty_tier field reflecting the signer's\n * sovereignty posture at the time of recording. When querying or evaluating\n * reputation, attestations from verified-sovereign agents carry more weight\n * than those from unverified agents.\n *\n * Tier hierarchy (descending credibility):\n * 1. \"verified-sovereign\" — signer completed a handshake with full sovereignty\n * 2. \"verified-degraded\" — signer completed a handshake with degraded sovereignty\n * 3. \"self-attested\" — signer has a Sanctuary identity but no handshake verification\n * 4. \"unverified\" — no Sanctuary identity or sovereignty proof\n *\n * Weight multipliers are applied during reputation scoring. They are NOT\n * gatekeeping — unverified attestations still count, just less.\n */\n\nimport type { HandshakeResult, TrustTier } from \"../handshake/types.js\";\n\n// ── Tier Types ──────────────────────────────────────────────────────\n\nexport type SovereigntyTier =\n | \"verified-sovereign\"\n | \"verified-degraded\"\n | \"self-attested\"\n | \"unverified\";\n\n/** Weight multipliers for each tier */\nexport const TIER_WEIGHTS: Record<SovereigntyTier, number> = {\n \"verified-sovereign\": 1.0,\n \"verified-degraded\": 0.8,\n \"self-attested\": 0.5,\n \"unverified\": 0.2,\n};\n\n/** Tier metadata embedded in attestations */\nexport interface TierMetadata {\n sovereignty_tier: SovereigntyTier;\n /** If verified, the handshake that established it */\n handshake_completed_at?: string;\n /** Counterparty ID from handshake (if applicable) */\n verified_by?: string;\n}\n\n// ── Tier Resolution ─────────────────────────────────────────────────\n\n/**\n * Resolve the sovereignty tier for a counterparty based on handshake history.\n *\n * @param counterpartyId - The counterparty's instance ID\n * @param handshakeResults - Map of counterparty ID → most recent handshake result\n * @param hasSanctuaryIdentity - Whether the counterparty has a known Sanctuary identity\n * @returns TierMetadata for embedding in attestations\n */\nexport function resolveTier(\n counterpartyId: string,\n handshakeResults: Map<string, HandshakeResult>,\n hasSanctuaryIdentity: boolean\n): TierMetadata {\n const handshake = handshakeResults.get(counterpartyId);\n\n if (handshake && handshake.verified) {\n // Check if handshake has expired\n const expiresAt = new Date(handshake.expires_at);\n if (expiresAt > new Date()) {\n return {\n sovereignty_tier: handshake.trust_tier as SovereigntyTier,\n handshake_completed_at: handshake.completed_at,\n verified_by: handshake.counterparty_id,\n };\n }\n // Expired handshake — fall through to self-attested or unverified\n }\n\n if (hasSanctuaryIdentity) {\n return { sovereignty_tier: \"self-attested\" };\n }\n\n return { sovereignty_tier: \"unverified\" };\n}\n\n/**\n * Map a trust tier from a handshake result to a sovereignty tier.\n */\nexport function trustTierToSovereigntyTier(trustTier: TrustTier): SovereigntyTier {\n switch (trustTier) {\n case \"verified-sovereign\":\n return \"verified-sovereign\";\n case \"verified-degraded\":\n return \"verified-degraded\";\n default:\n return \"unverified\";\n }\n}\n\n// ── Weighted Scoring ────────────────────────────────────────────────\n\n/** An attestation with its tier for weighted scoring */\nexport interface TieredAttestation {\n /** The raw metric value */\n value: number;\n /** The sovereignty tier of the attestation signer */\n tier: SovereigntyTier;\n}\n\n/**\n * Compute a weighted reputation score from tiered attestations.\n *\n * Each attestation's contribution is multiplied by its tier weight.\n * The result is normalized by total weight (not count), so adding\n * low-tier attestations doesn't dilute high-tier ones.\n *\n * @param attestations - Array of value + tier pairs\n * @returns Weighted score, or null if no attestations\n */\nexport function computeWeightedScore(\n attestations: TieredAttestation[]\n): number | null {\n if (attestations.length === 0) return null;\n\n let weightedSum = 0;\n let totalWeight = 0;\n\n for (const a of attestations) {\n const weight = TIER_WEIGHTS[a.tier];\n weightedSum += a.value * weight;\n totalWeight += weight;\n }\n\n return totalWeight > 0 ? weightedSum / totalWeight : null;\n}\n\n/**\n * Compute a tier distribution summary for a set of attestations.\n */\nexport function tierDistribution(\n tiers: SovereigntyTier[]\n): Record<SovereigntyTier, number> {\n const dist: Record<SovereigntyTier, number> = {\n \"verified-sovereign\": 0,\n \"verified-degraded\": 0,\n \"self-attested\": 0,\n \"unverified\": 0,\n };\n\n for (const tier of tiers) {\n dist[tier]++;\n }\n\n return dist;\n}\n","/**\n * Sanctuary MCP Server — Principal Policy Loader\n *\n * Loads the Principal Policy from a YAML file at server startup.\n * The policy is immutable at runtime — no MCP tool can modify it.\n *\n * Security invariant:\n * - The policy is loaded ONCE at startup and frozen.\n * - No code path exists to modify the policy during a session.\n * - If no policy file exists, a sensible default is generated and saved.\n */\n\nimport { readFile, writeFile, chmod } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport type { PrincipalPolicy, Tier2Config, ApprovalChannelConfig } from \"./types.js\";\n\n/** Default Tier 2 anomaly configuration */\nconst DEFAULT_TIER2: Tier2Config = {\n new_namespace_access: \"approve\",\n new_counterparty: \"approve\",\n frequency_spike_multiplier: 5,\n max_signs_per_minute: 10,\n bulk_read_threshold: 20,\n first_session_policy: \"approve\",\n};\n\n/** Default approval channel */\nconst DEFAULT_CHANNEL: ApprovalChannelConfig = {\n type: \"stderr\",\n timeout_seconds: 300,\n // SEC-002: auto_deny is not configurable. Timeout always denies.\n // Field omitted intentionally — all channels hardcode deny on timeout.\n};\n\n/** Default Principal Policy — provides meaningful protection without configuration */\nexport const DEFAULT_POLICY: PrincipalPolicy = {\n version: 1,\n tier1_always_approve: [\n \"state_export\",\n \"state_import\",\n \"state_delete\",\n \"identity_rotate\",\n \"reputation_import\",\n \"reputation_export\",\n \"bootstrap_provide_guarantee\",\n \"decommission_certificate\",\n ],\n tier2_anomaly: DEFAULT_TIER2,\n tier3_always_allow: [\n \"state_read\",\n \"state_write\",\n \"state_list\",\n \"identity_create\",\n \"identity_list\",\n \"identity_sign\",\n \"identity_verify\",\n \"proof_commitment\",\n \"proof_reveal\",\n \"disclosure_set_policy\",\n \"disclosure_evaluate\",\n \"reputation_record\",\n \"reputation_query\",\n \"bootstrap_create_escrow\",\n \"exec_attest\",\n \"monitor_health\",\n \"monitor_audit_log\",\n \"manifest\",\n \"principal_policy_view\",\n \"principal_baseline_view\",\n \"shr_generate\",\n \"shr_verify\",\n \"handshake_initiate\",\n \"handshake_respond\",\n \"handshake_complete\",\n \"handshake_status\",\n \"reputation_query_weighted\",\n \"federation_peers\",\n \"federation_trust_evaluate\",\n \"federation_status\",\n \"zk_commit\",\n \"zk_prove\",\n \"zk_verify\",\n \"zk_range_prove\",\n \"zk_range_verify\",\n \"context_gate_set_policy\",\n \"context_gate_apply_template\",\n \"context_gate_recommend\",\n \"context_gate_filter\",\n \"context_gate_list_policies\",\n \"l2_hardening_status\",\n \"l2_verify_isolation\",\n \"sovereignty_audit\",\n \"shr_gateway_export\",\n \"bridge_commit\",\n \"bridge_verify\",\n \"bridge_attest\",\n ],\n approval_channel: DEFAULT_CHANNEL,\n};\n\n/**\n * Extract the operation name from a full MCP tool name.\n * \"sanctuary/state_export\" → \"state_export\"\n */\nexport function extractOperationName(toolName: string): string {\n return toolName.startsWith(\"sanctuary/\")\n ? toolName.slice(\"sanctuary/\".length)\n : toolName;\n}\n\n/**\n * Parse a YAML-like policy file into a PrincipalPolicy.\n *\n * We use a simple line-based parser rather than a YAML library\n * to avoid adding a dependency for a straightforward config format.\n * The policy file supports a subset of YAML: scalars, lists, and\n * one level of nesting.\n *\n * For robustness, we also accept JSON.\n */\nexport function parsePolicy(content: string): PrincipalPolicy {\n const trimmed = content.trim();\n\n // Try JSON first\n if (trimmed.startsWith(\"{\")) {\n const parsed = JSON.parse(trimmed);\n return validatePolicy(parsed);\n }\n\n // Simple YAML-subset parser\n const policy: Record<string, unknown> = {};\n let currentKey: string | null = null;\n let currentList: string[] | null = null;\n let currentObject: Record<string, unknown> | null = null;\n\n for (const rawLine of trimmed.split(\"\\n\")) {\n const line = rawLine.split(\"#\")[0]!; // Strip comments\n if (line.trim() === \"\") continue;\n\n const indent = line.length - line.trimStart().length;\n const stripped = line.trim();\n\n if (indent === 0 && stripped.includes(\":\")) {\n // Top-level key\n if (currentKey && currentList) {\n policy[currentKey] = currentList;\n } else if (currentKey && currentObject) {\n policy[currentKey] = currentObject;\n }\n\n const colonIdx = stripped.indexOf(\":\");\n const key = stripped.slice(0, colonIdx).trim();\n const value = stripped.slice(colonIdx + 1).trim();\n\n if (value === \"\" || value === \"|\") {\n currentKey = key;\n currentList = null;\n currentObject = null;\n } else {\n policy[key] = parseScalar(value);\n currentKey = null;\n currentList = null;\n currentObject = null;\n }\n } else if (indent > 0 && stripped.startsWith(\"- \")) {\n // List item\n if (!currentList) currentList = [];\n currentList.push(stripped.slice(2).trim().split(/\\s+/)[0]!); // Take first word (before comments)\n } else if (indent > 0 && stripped.includes(\":\")) {\n // Nested key-value\n if (!currentObject) currentObject = {};\n const colonIdx = stripped.indexOf(\":\");\n const key = stripped.slice(0, colonIdx).trim();\n const value = stripped.slice(colonIdx + 1).trim();\n currentObject[key] = parseScalar(value.split(/\\s+/)[0]!); // First word before comments\n }\n }\n\n // Flush last block\n if (currentKey && currentList) {\n policy[currentKey] = currentList;\n } else if (currentKey && currentObject) {\n policy[currentKey] = currentObject;\n }\n\n return validatePolicy(policy);\n}\n\nfunction parseScalar(value: string): string | number | boolean {\n if (value === \"true\") return true;\n if (value === \"false\") return false;\n const num = Number(value);\n if (!isNaN(num) && value !== \"\") return num;\n return value.replace(/^[\"']|[\"']$/g, \"\");\n}\n\nfunction validatePolicy(raw: Record<string, unknown>): PrincipalPolicy {\n // Merge tier3: user's list + any new defaults added in later versions.\n // This ensures upgrades automatically include new read-only tools\n // without requiring operators to manually edit their policy file.\n const userTier3 = (raw.tier3_always_allow as string[]) ?? [];\n const mergedTier3 = [\n ...new Set([...userTier3, ...DEFAULT_POLICY.tier3_always_allow]),\n ];\n\n return {\n version: (raw.version as number) ?? 1,\n tier1_always_approve:\n (raw.tier1_always_approve as string[]) ?? DEFAULT_POLICY.tier1_always_approve,\n tier2_anomaly: {\n ...DEFAULT_TIER2,\n ...((raw.tier2_anomaly as Record<string, unknown>) ?? {}),\n } as Tier2Config,\n tier3_always_allow: mergedTier3,\n approval_channel: (() => {\n const merged = {\n ...DEFAULT_CHANNEL,\n ...((raw.approval_channel as Record<string, unknown>) ?? {}),\n } as ApprovalChannelConfig;\n // SEC-002: Strip auto_deny from user-supplied policy.\n // Timeout always denies — this is not configurable.\n delete merged.auto_deny;\n return merged;\n })(),\n };\n}\n\n/**\n * Generate the default policy file content as YAML.\n */\nfunction generateDefaultPolicyYaml(): string {\n return `# Sanctuary Principal Policy v1\n# This file controls what your agent can do without asking.\n# Edit this file directly. Your agent cannot modify it.\n# Changes take effect on server restart.\n\nversion: 1\n\n# ─── Tier 1: Always Requires Approval ────────────────────────────────────\n# These operations ALWAYS require your explicit approval.\n# They are inherently high-risk regardless of context.\ntier1_always_approve:\n - state_export\n - state_import\n - state_delete\n - identity_rotate\n - reputation_import\n - reputation_export\n - bootstrap_provide_guarantee\n\n# ─── Tier 2: Behavioral Anomaly Detection ────────────────────────────────\n# Triggers approval when agent behavior deviates from its baseline.\n# Options for each setting: approve | log | allow\ntier2_anomaly:\n new_namespace_access: approve\n new_counterparty: approve\n frequency_spike_multiplier: 5\n max_signs_per_minute: 10\n bulk_read_threshold: 20\n first_session_policy: approve\n\n# ─── Tier 3: Always Allowed (Audit Only) ─────────────────────────────────\n# These operations never require approval but are always logged.\ntier3_always_allow:\n - state_read\n - state_write\n - state_list\n - identity_create\n - identity_list\n - identity_sign\n - identity_verify\n - proof_commitment\n - proof_reveal\n - disclosure_set_policy\n - disclosure_evaluate\n - reputation_record\n - reputation_query\n - bootstrap_create_escrow\n - exec_attest\n - monitor_health\n - monitor_audit_log\n - manifest\n - principal_policy_view\n - principal_baseline_view\n - shr_generate\n - shr_verify\n - handshake_initiate\n - handshake_respond\n - handshake_complete\n - handshake_status\n - reputation_query_weighted\n - federation_peers\n - federation_trust_evaluate\n - federation_status\n - zk_commit\n - zk_prove\n - zk_verify\n - zk_range_prove\n - zk_range_verify\n - context_gate_set_policy\n - context_gate_apply_template\n - context_gate_recommend\n - context_gate_filter\n - context_gate_list_policies\n - sovereignty_audit\n - shr_gateway_export\n - bridge_commit\n - bridge_verify\n - bridge_attest\n\n# ─── Approval Channel ────────────────────────────────────────────────────\n# How Sanctuary reaches you when approval is needed.\n# NOTE: Timeout always results in denial. This is not configurable (SEC-002).\napproval_channel:\n type: stderr\n timeout_seconds: 300\n`;\n}\n\n/**\n * Load the Principal Policy from disk.\n * If no policy file exists, generate the default and save it.\n * The returned policy is frozen — immutable at runtime.\n */\nexport async function loadPrincipalPolicy(\n storagePath: string\n): Promise<PrincipalPolicy> {\n const policyPath = join(storagePath, \"principal-policy.yaml\");\n\n try {\n const content = await readFile(policyPath, \"utf-8\");\n const policy = parsePolicy(content);\n return Object.freeze(policy);\n } catch {\n // No policy file — generate default\n const defaultYaml = generateDefaultPolicyYaml();\n try {\n await writeFile(policyPath, defaultYaml, \"utf-8\");\n await chmod(policyPath, 0o600);\n } catch {\n // Can't write — use default in memory\n }\n return Object.freeze({ ...DEFAULT_POLICY });\n }\n}\n","/**\n * Sanctuary MCP Server — Behavioral Baseline Tracker\n *\n * Tracks the agent's behavioral profile during a session and persists\n * it for cross-session anomaly detection. The baseline defines \"normal\"\n * so that deviations can trigger Tier 2 approval.\n *\n * Security invariants:\n * - Baseline is stored encrypted under L1 sovereignty\n * - Baseline changes are audit-logged\n * - Baseline is integrity-verified via L1 Merkle tree\n * - No MCP tool can directly modify the baseline\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString } from \"../core/encoding.js\";\nimport type { SessionProfile } from \"./types.js\";\n\nconst BASELINE_NAMESPACE = \"_principal\";\nconst BASELINE_KEY = \"session-baseline\";\n\nexport class BaselineTracker {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private profile: SessionProfile;\n\n /** Sliding window: timestamps of tool calls per tool name (last 60s) */\n private callWindows: Map<string, number[]> = new Map();\n\n /** Sliding window: read counts per namespace (last 60s) */\n private readWindows: Map<string, number[]> = new Map();\n\n /** Sliding window: sign call timestamps (last 60s) */\n private signWindow: number[] = [];\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"principal-baseline\");\n this.profile = {\n known_namespaces: [],\n known_counterparties: [],\n tool_call_counts: {},\n is_first_session: true,\n started_at: new Date().toISOString(),\n };\n }\n\n /**\n * Load the previous session's baseline from storage.\n * If none exists, this is a first session.\n */\n async load(): Promise<void> {\n try {\n const raw = await this.storage.read(BASELINE_NAMESPACE, BASELINE_KEY);\n if (!raw) return;\n\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const saved: SessionProfile = JSON.parse(bytesToString(decrypted));\n\n // Carry forward known namespaces and counterparties\n this.profile.known_namespaces = saved.known_namespaces ?? [];\n this.profile.known_counterparties = saved.known_counterparties ?? [];\n this.profile.is_first_session = false;\n } catch {\n // No prior baseline or corrupted — treat as first session\n this.profile.is_first_session = true;\n }\n }\n\n /**\n * Save the current baseline to storage (encrypted).\n * Called at session end or periodically.\n */\n async save(): Promise<void> {\n this.profile.saved_at = new Date().toISOString();\n const serialized = stringToBytes(JSON.stringify(this.profile));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n BASELINE_NAMESPACE,\n BASELINE_KEY,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n /**\n * Record a tool call for baseline tracking.\n * Returns anomaly information if applicable.\n */\n recordToolCall(toolName: string): void {\n const now = Date.now();\n\n // Track total call count\n this.profile.tool_call_counts[toolName] =\n (this.profile.tool_call_counts[toolName] ?? 0) + 1;\n\n // Track call rate (60-second sliding window)\n if (!this.callWindows.has(toolName)) {\n this.callWindows.set(toolName, []);\n }\n const window = this.callWindows.get(toolName)!;\n window.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (window.length > 0 && window[0]! < cutoff) {\n window.shift();\n }\n }\n\n /**\n * Record a namespace access.\n * @returns true if this is a new namespace (not in baseline)\n */\n recordNamespaceAccess(namespace: string): boolean {\n // Skip internal namespaces — these are Sanctuary's own storage\n if (namespace.startsWith(\"_\")) return false;\n\n const isNew = !this.profile.known_namespaces.includes(namespace);\n if (isNew) {\n this.profile.known_namespaces.push(namespace);\n }\n return isNew;\n }\n\n /**\n * Record a namespace read for bulk-read detection.\n * @returns the number of reads in the current 60-second window\n */\n recordNamespaceRead(namespace: string): number {\n const now = Date.now();\n\n if (!this.readWindows.has(namespace)) {\n this.readWindows.set(namespace, []);\n }\n const window = this.readWindows.get(namespace)!;\n window.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (window.length > 0 && window[0]! < cutoff) {\n window.shift();\n }\n\n return window.length;\n }\n\n /**\n * Record a counterparty DID interaction.\n * @returns true if this is a new counterparty (not in baseline)\n */\n recordCounterparty(did: string): boolean {\n const isNew = !this.profile.known_counterparties.includes(did);\n if (isNew) {\n this.profile.known_counterparties.push(did);\n }\n return isNew;\n }\n\n /**\n * Record a signing operation.\n * @returns the number of signs in the current 60-second window\n */\n recordSign(): number {\n const now = Date.now();\n this.signWindow.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (this.signWindow.length > 0 && this.signWindow[0]! < cutoff) {\n this.signWindow.shift();\n }\n\n return this.signWindow.length;\n }\n\n /**\n * Get the current call rate for a tool (calls per minute).\n */\n getCallRate(toolName: string): number {\n return this.callWindows.get(toolName)?.length ?? 0;\n }\n\n /**\n * Get the average call rate across all tools in the baseline.\n */\n getAverageCallRate(): number {\n let total = 0;\n let count = 0;\n for (const window of this.callWindows.values()) {\n total += window.length;\n count++;\n }\n return count > 0 ? total / count : 0;\n }\n\n /** Whether this is the first session */\n get isFirstSession(): boolean {\n return this.profile.is_first_session;\n }\n\n /** Get a read-only view of the current profile */\n getProfile(): SessionProfile {\n return { ...this.profile };\n }\n}\n","/**\n * Sanctuary MCP Server — Approval Channel\n *\n * Out-of-band communication with the human principal for operation approval.\n * The default channel uses stderr (outside MCP's stdin/stdout protocol),\n * ensuring the agent cannot intercept or forge approval responses.\n *\n * Security invariant:\n * - Approval prompts go through a channel the agent cannot access.\n * - Timeouts result in denial by default (fail closed).\n */\n\nimport type {\n ApprovalRequest,\n ApprovalResponse,\n ApprovalChannelConfig,\n} from \"./types.js\";\n\n/** Abstract approval channel interface */\nexport interface ApprovalChannel {\n requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;\n}\n\n/**\n * Stderr approval channel — non-interactive informational channel.\n *\n * In the MCP stdio model:\n * - stdin/stdout carry the MCP protocol (JSON-RPC)\n * - stderr is available for out-of-band human communication\n *\n * Because stdin is consumed by the MCP JSON-RPC transport, this channel\n * CANNOT read interactive human input. It is strictly informational:\n * the prompt is displayed so the human sees what is happening, and the\n * operation is denied immediately.\n *\n * SEC-002 + SEC-016 invariants:\n * - This channel ALWAYS denies. No configuration can change this.\n * - There is no timeout or async delay — denial is synchronous.\n * - The `auto_deny` config field is ignored (SEC-002).\n * - For interactive approval, use the dashboard or webhook channel.\n */\nexport class StderrApprovalChannel implements ApprovalChannel {\n\n constructor(_config: ApprovalChannelConfig) {\n }\n\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n // Format and emit the informational prompt\n const prompt = this.formatPrompt(request);\n process.stderr.write(prompt + \"\\n\");\n\n // SEC-016: No setTimeout, no async delay, no timing window.\n // The stderr channel cannot read human input (stdin is used by MCP protocol).\n // Deny immediately. This is strictly stronger than SEC-002's \"timeout always\n // denies\" invariant — there is no timeout to exploit at all.\n //\n // SEC-002: No configuration (including auto_deny: false) can change this.\n return {\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"stderr:non-interactive\",\n };\n }\n\n private formatPrompt(request: ApprovalRequest): string {\n const tierLabel =\n request.tier === 1\n ? \"Tier 1 — always requires approval\"\n : \"Tier 2 — behavioral anomaly detected\";\n\n const contextLines = Object.entries(request.context)\n .map(([k, v]) => ` ${k}: ${typeof v === \"string\" ? v : JSON.stringify(v)}`)\n .join(\"\\n\");\n\n return [\n \"\",\n \"╔══════════════════════════════════════════════════════════════════╗\",\n \"║ SANCTUARY: Operation Denied (non-interactive channel) ║\",\n \"╠══════════════════════════════════════════════════════════════════╣\",\n `║ Operation: ${request.operation.padEnd(50)}║`,\n `║ ${tierLabel.padEnd(62)}║`,\n `║ Reason: ${request.reason.slice(0, 50).padEnd(50)}║`,\n \"║ ║\",\n `║ Details: ║`,\n ...contextLines.split(\"\\n\").map(\n (line) => `║ ${line.padEnd(60)}║`\n ),\n \"║ ║\",\n \"║ Denied: stderr channel cannot accept input (SEC-016) ║\",\n \"║ Use dashboard or webhook channel for interactive approval. ║\",\n \"╚══════════════════════════════════════════════════════════════════╝\",\n \"\",\n ].join(\"\\n\");\n }\n}\n\n/**\n * Programmatic approval channel — for testing and API integration.\n */\nexport class CallbackApprovalChannel implements ApprovalChannel {\n private callback: (request: ApprovalRequest) => Promise<ApprovalResponse>;\n\n constructor(\n callback: (request: ApprovalRequest) => Promise<ApprovalResponse>\n ) {\n this.callback = callback;\n }\n\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n return this.callback(request);\n }\n}\n\n/**\n * Auto-approve channel — for testing. Approves everything.\n */\nexport class AutoApproveChannel implements ApprovalChannel {\n async requestApproval(_request: ApprovalRequest): Promise<ApprovalResponse> {\n return {\n decision: \"approve\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Principal Dashboard HTML Template\n *\n * Embedded single-page HTML/CSS/JS for the Principal Dashboard.\n * No build step, no external dependencies, no CDN imports.\n * Served as a single HTML document by the DashboardApprovalChannel.\n *\n * Design: Dark, minimal, terminal-feel (Grafana dark mode aesthetic)\n * Architecture:\n * - Top status bar (fixed, always visible)\n * - Main content area: live activity feed (60%) + protection status sidebar (40%)\n * - Pending approvals: overlay panel that slides in from right when needed\n * - Threat panel: collapsible footer section\n * - SSE for real-time updates\n * - SEC-012: Auth via Authorization header + short-lived sessions\n */\n\n/**\n * Generate the login page HTML for unauthenticated browser access.\n * Provides a clean token input form that exchanges the token for a session cookie.\n */\nexport function generateLoginHTML(options: {\n serverVersion: string;\n}): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Sanctuary — Login</title>\n<link href=\"https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&display=swap\" rel=\"stylesheet\">\n<style>\n :root {\n --bg: #0d1117;\n --surface: #161b22;\n --border: #30363d;\n --text-primary: #e6edf3;\n --text-secondary: #8b949e;\n --green: #3fb950;\n --red: #f85149;\n --blue: #58a6ff;\n --mono: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;\n --sans: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;\n --radius: 6px;\n }\n * { box-sizing: border-box; margin: 0; padding: 0; }\n html, body { width: 100%; height: 100%; }\n body {\n font-family: var(--sans);\n background: var(--bg);\n color: var(--text-primary);\n display: flex;\n align-items: center;\n justify-content: center;\n }\n .login-container {\n width: 100%;\n max-width: 400px;\n padding: 40px 32px;\n background: var(--surface);\n border: 1px solid var(--border);\n border-radius: 12px;\n }\n .login-logo {\n text-align: center;\n font-size: 20px;\n font-weight: 700;\n letter-spacing: -0.5px;\n margin-bottom: 8px;\n }\n .login-logo span { color: var(--blue); }\n .login-version {\n text-align: center;\n font-size: 11px;\n color: var(--text-secondary);\n font-family: var(--mono);\n margin-bottom: 32px;\n }\n .login-label {\n display: block;\n font-size: 13px;\n font-weight: 600;\n color: var(--text-secondary);\n margin-bottom: 8px;\n }\n .login-input {\n width: 100%;\n padding: 10px 14px;\n background: var(--bg);\n border: 1px solid var(--border);\n border-radius: var(--radius);\n color: var(--text-primary);\n font-family: var(--mono);\n font-size: 14px;\n outline: none;\n transition: border-color 0.15s;\n }\n .login-input:focus { border-color: var(--blue); }\n .login-input::placeholder { color: var(--text-secondary); opacity: 0.5; }\n .login-btn {\n width: 100%;\n margin-top: 20px;\n padding: 10px;\n background: var(--blue);\n color: var(--bg);\n border: none;\n border-radius: var(--radius);\n font-size: 14px;\n font-weight: 600;\n cursor: pointer;\n transition: opacity 0.15s;\n font-family: var(--sans);\n }\n .login-btn:hover { opacity: 0.9; }\n .login-btn:disabled { opacity: 0.5; cursor: not-allowed; }\n .login-error {\n margin-top: 16px;\n padding: 10px 14px;\n background: rgba(248, 81, 73, 0.1);\n border: 1px solid var(--red);\n border-radius: var(--radius);\n font-size: 12px;\n color: var(--red);\n display: none;\n }\n .login-hint {\n margin-top: 24px;\n padding-top: 16px;\n border-top: 1px solid var(--border);\n font-size: 11px;\n color: var(--text-secondary);\n line-height: 1.5;\n }\n .login-hint code {\n font-family: var(--mono);\n background: var(--bg);\n padding: 1px 4px;\n border-radius: 3px;\n font-size: 10px;\n }\n</style>\n</head>\n<body>\n<div class=\"login-container\">\n <div class=\"login-logo\"><span>&#9670;</span> SANCTUARY</div>\n <div class=\"login-version\">Principal Dashboard v${options.serverVersion}</div>\n <form id=\"loginForm\" onsubmit=\"return handleLogin(event)\">\n <label class=\"login-label\" for=\"tokenInput\">Dashboard Auth Token</label>\n <input class=\"login-input\" type=\"password\" id=\"tokenInput\"\n placeholder=\"Enter your auth token\" autocomplete=\"off\" autofocus required>\n <button class=\"login-btn\" type=\"submit\" id=\"loginBtn\">Open Dashboard</button>\n </form>\n <div class=\"login-error\" id=\"loginError\"></div>\n <div class=\"login-hint\">\n Your token is set via <code>SANCTUARY_DASHBOARD_AUTH_TOKEN</code> environment variable,\n or check your server's startup output.\n </div>\n</div>\n<script>\nasync function handleLogin(e) {\n e.preventDefault();\n var btn = document.getElementById('loginBtn');\n var errEl = document.getElementById('loginError');\n var token = document.getElementById('tokenInput').value.trim();\n if (!token) return false;\n btn.disabled = true;\n btn.textContent = 'Authenticating...';\n errEl.style.display = 'none';\n try {\n var resp = await fetch('/auth/session', {\n method: 'POST',\n headers: { 'Authorization': 'Bearer ' + token }\n });\n if (!resp.ok) {\n var data = await resp.json().catch(function() { return {}; });\n throw new Error(data.error || 'Authentication failed');\n }\n var result = await resp.json();\n // Store token in sessionStorage for auto-renewal inside the dashboard\n try { sessionStorage.setItem('sanctuary_token', token); } catch(_) {}\n // Set session cookie\n var maxAge = result.expires_in_seconds || 300;\n document.cookie = 'sanctuary_session=' + result.session_id +\n '; path=/; SameSite=Strict; max-age=' + maxAge;\n // Reload to enter the dashboard\n window.location.reload();\n } catch (err) {\n errEl.textContent = err.message || 'Authentication failed. Check your token.';\n errEl.style.display = 'block';\n btn.disabled = false;\n btn.textContent = 'Open Dashboard';\n }\n return false;\n}\n</script>\n</body>\n</html>`;\n}\n\n/**\n * Generate the dashboard HTML with the given configuration.\n */\nexport function generateDashboardHTML(options: {\n timeoutSeconds: number;\n serverVersion: string;\n /** Auth token — used only in Authorization headers, never in URLs (SEC-012) */\n authToken?: string;\n}): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Sanctuary — Principal Dashboard</title>\n<link href=\"https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&display=swap\" rel=\"stylesheet\">\n<style>\n :root {\n --bg: #0d1117;\n --surface: #161b22;\n --border: #30363d;\n --text-primary: #e6edf3;\n --text-secondary: #8b949e;\n --green: #3fb950;\n --amber: #d29922;\n --red: #f85149;\n --blue: #58a6ff;\n --mono: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;\n --sans: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;\n --radius: 6px;\n }\n\n * {\n box-sizing: border-box;\n margin: 0;\n padding: 0;\n }\n\n html, body {\n width: 100%;\n height: 100%;\n overflow: hidden;\n }\n\n body {\n font-family: var(--sans);\n background: var(--bg);\n color: var(--text-primary);\n display: flex;\n flex-direction: column;\n }\n\n /* ── Top Status Bar (fixed) ─────────────────────────────────────── */\n\n .status-bar {\n position: fixed;\n top: 0;\n left: 0;\n right: 0;\n height: 56px;\n background: var(--surface);\n border-bottom: 1px solid var(--border);\n display: flex;\n align-items: center;\n padding: 0 20px;\n gap: 24px;\n z-index: 1000;\n }\n\n .status-bar-left {\n display: flex;\n align-items: center;\n gap: 12px;\n flex: 0 0 auto;\n }\n\n .sanctuary-logo {\n font-weight: 700;\n font-size: 16px;\n letter-spacing: -0.5px;\n color: var(--text-primary);\n }\n\n .sanctuary-logo span {\n color: var(--blue);\n }\n\n .version {\n font-size: 11px;\n color: var(--text-secondary);\n font-family: var(--mono);\n }\n\n .status-bar-center {\n flex: 1;\n display: flex;\n align-items: center;\n justify-content: center;\n }\n\n .sovereignty-badge {\n display: flex;\n align-items: center;\n gap: 8px;\n padding: 6px 12px;\n background: rgba(88, 166, 255, 0.1);\n border: 1px solid var(--blue);\n border-radius: 20px;\n font-size: 13px;\n font-weight: 600;\n }\n\n .sovereignty-score {\n display: flex;\n align-items: center;\n justify-content: center;\n width: 28px;\n height: 28px;\n border-radius: 50%;\n font-family: var(--mono);\n font-weight: 700;\n font-size: 12px;\n background: var(--blue);\n color: var(--bg);\n }\n\n .sovereignty-score.high {\n background: var(--green);\n }\n\n .sovereignty-score.medium {\n background: var(--amber);\n }\n\n .sovereignty-score.low {\n background: var(--red);\n }\n\n .status-bar-right {\n display: flex;\n align-items: center;\n gap: 16px;\n flex: 0 0 auto;\n }\n\n .protections-indicator {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 12px;\n color: var(--text-secondary);\n font-family: var(--mono);\n }\n\n .protections-indicator .count {\n color: var(--text-primary);\n font-weight: 600;\n }\n\n .uptime {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 12px;\n color: var(--text-secondary);\n font-family: var(--mono);\n }\n\n .status-dot {\n width: 8px;\n height: 8px;\n border-radius: 50%;\n background: var(--green);\n animation: pulse 2s ease-in-out infinite;\n }\n\n .status-dot.disconnected {\n background: var(--red);\n animation: none;\n }\n\n @keyframes pulse {\n 0%, 100% { opacity: 1; }\n 50% { opacity: 0.5; }\n }\n\n .pending-badge {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n min-width: 24px;\n height: 24px;\n padding: 0 6px;\n background: var(--red);\n color: white;\n border-radius: 12px;\n font-size: 11px;\n font-weight: 700;\n animation: pulse 1s ease-in-out infinite;\n }\n\n .pending-badge.hidden {\n display: none;\n }\n\n /* ── Main Layout ────────────────────────────────────────────────── */\n\n .main-container {\n flex: 1;\n display: flex;\n margin-top: 56px;\n overflow: hidden;\n }\n\n .activity-feed {\n flex: 3;\n display: flex;\n flex-direction: column;\n border-right: 1px solid var(--border);\n overflow: hidden;\n }\n\n .feed-header {\n padding: 16px 20px;\n border-bottom: 1px solid var(--border);\n display: flex;\n align-items: center;\n gap: 8px;\n font-size: 12px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n }\n\n .feed-header-dot {\n width: 6px;\n height: 6px;\n border-radius: 50%;\n background: var(--green);\n }\n\n .activity-list {\n flex: 1;\n overflow-y: auto;\n overflow-x: hidden;\n }\n\n .activity-item {\n padding: 12px 20px;\n border-bottom: 1px solid rgba(48, 54, 61, 0.5);\n font-size: 13px;\n font-family: var(--mono);\n cursor: pointer;\n transition: background 0.15s;\n display: flex;\n align-items: flex-start;\n gap: 10px;\n }\n\n .activity-item:hover {\n background: rgba(88, 166, 255, 0.05);\n }\n\n .activity-item-icon {\n flex: 0 0 auto;\n width: 16px;\n text-align: center;\n font-size: 12px;\n color: var(--text-secondary);\n margin-top: 1px;\n }\n\n .activity-item-content {\n flex: 1;\n min-width: 0;\n }\n\n .activity-time {\n color: var(--text-secondary);\n font-size: 11px;\n margin-bottom: 2px;\n }\n\n .activity-main {\n display: flex;\n gap: 8px;\n align-items: baseline;\n margin-bottom: 4px;\n }\n\n .activity-tier {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n width: 24px;\n height: 16px;\n font-size: 10px;\n font-weight: 700;\n border-radius: 3px;\n text-transform: uppercase;\n flex: 0 0 auto;\n }\n\n .activity-tier.t1 {\n background: rgba(248, 81, 73, 0.2);\n color: var(--red);\n }\n\n .activity-tier.t2 {\n background: rgba(210, 153, 34, 0.2);\n color: var(--amber);\n }\n\n .activity-tier.t3 {\n background: rgba(63, 185, 80, 0.2);\n color: var(--green);\n }\n\n .activity-tool {\n color: var(--text-primary);\n font-weight: 600;\n }\n\n .activity-outcome {\n color: var(--green);\n }\n\n .activity-outcome.denied {\n color: var(--red);\n }\n\n .activity-detail {\n font-size: 12px;\n color: var(--text-secondary);\n margin-left: 0;\n }\n\n .activity-item.expanded .activity-detail {\n display: block;\n margin-top: 8px;\n padding: 10px;\n background: rgba(88, 166, 255, 0.08);\n border-left: 2px solid var(--blue);\n border-radius: 4px;\n }\n\n .activity-empty {\n display: flex;\n flex-direction: column;\n align-items: center;\n justify-content: center;\n height: 100%;\n color: var(--text-secondary);\n }\n\n .activity-empty-icon {\n font-size: 32px;\n margin-bottom: 12px;\n }\n\n .activity-empty-text {\n font-size: 14px;\n }\n\n /* ── Protection Status Sidebar (40%) ────────────────────────────── */\n\n .protection-sidebar {\n flex: 2;\n display: flex;\n flex-direction: column;\n background: rgba(22, 27, 34, 0.5);\n overflow: hidden;\n }\n\n .sidebar-header {\n padding: 16px 20px;\n border-bottom: 1px solid var(--border);\n font-size: 12px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n display: flex;\n align-items: center;\n gap: 8px;\n }\n\n .sidebar-content {\n flex: 1;\n overflow-y: auto;\n padding: 16px 16px;\n display: grid;\n grid-template-columns: 1fr 1fr;\n gap: 12px;\n }\n\n .protection-card {\n background: var(--surface);\n border: 1px solid var(--border);\n border-radius: var(--radius);\n padding: 14px;\n display: flex;\n flex-direction: column;\n gap: 8px;\n }\n\n .protection-card-icon {\n font-size: 14px;\n }\n\n .protection-card-label {\n font-size: 11px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n }\n\n .protection-card-status {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 12px;\n font-weight: 600;\n }\n\n .protection-card-status.active {\n color: var(--green);\n }\n\n .protection-card-status.inactive {\n color: var(--text-secondary);\n }\n\n .protection-card-stat {\n font-size: 11px;\n color: var(--text-secondary);\n font-family: var(--mono);\n margin-top: 4px;\n }\n\n /* ── Pending Approvals Overlay ──────────────────────────────────── */\n\n .pending-overlay {\n position: fixed;\n top: 56px;\n right: 0;\n bottom: 0;\n width: 0;\n background: var(--surface);\n border-left: 1px solid var(--border);\n z-index: 999;\n overflow-y: auto;\n transition: width 0.3s ease-out;\n display: flex;\n flex-direction: column;\n }\n\n .pending-overlay.active {\n width: 380px;\n }\n\n @media (max-width: 1400px) {\n .pending-overlay.active {\n width: 100%;\n right: auto;\n left: 0;\n }\n }\n\n .pending-overlay-header {\n padding: 16px 20px;\n border-bottom: 1px solid var(--border);\n display: flex;\n align-items: center;\n justify-content: space-between;\n flex: 0 0 auto;\n }\n\n .pending-overlay-title {\n font-size: 13px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-primary);\n }\n\n .pending-overlay-close {\n background: none;\n border: none;\n color: var(--text-secondary);\n cursor: pointer;\n font-size: 18px;\n padding: 0;\n display: flex;\n align-items: center;\n justify-content: center;\n }\n\n .pending-overlay-close:hover {\n color: var(--text-primary);\n }\n\n .pending-list {\n flex: 1;\n overflow-y: auto;\n }\n\n .pending-item {\n padding: 16px 20px;\n border-bottom: 1px solid rgba(48, 54, 61, 0.5);\n display: flex;\n flex-direction: column;\n gap: 10px;\n }\n\n .pending-item-header {\n display: flex;\n align-items: center;\n gap: 8px;\n }\n\n .pending-item-op {\n font-family: var(--mono);\n font-size: 12px;\n font-weight: 600;\n color: var(--text-primary);\n flex: 1;\n }\n\n .pending-item-tier {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n width: 28px;\n height: 20px;\n font-size: 9px;\n font-weight: 700;\n border-radius: 3px;\n text-transform: uppercase;\n color: white;\n }\n\n .pending-item-tier.tier1 {\n background: var(--red);\n }\n\n .pending-item-tier.tier2 {\n background: var(--amber);\n }\n\n .pending-item-reason {\n font-size: 12px;\n color: var(--text-secondary);\n }\n\n .pending-item-timer {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 11px;\n font-family: var(--mono);\n color: var(--text-secondary);\n }\n\n .pending-item-timer-bar {\n flex: 1;\n height: 4px;\n background: rgba(48, 54, 61, 0.8);\n border-radius: 2px;\n overflow: hidden;\n }\n\n .pending-item-timer-fill {\n height: 100%;\n background: var(--blue);\n transition: width 0.1s linear;\n }\n\n .pending-item-timer.urgent .pending-item-timer-fill {\n background: var(--red);\n }\n\n .pending-item-actions {\n display: flex;\n gap: 8px;\n }\n\n .btn {\n flex: 1;\n padding: 8px 12px;\n border: none;\n border-radius: var(--radius);\n font-size: 12px;\n font-weight: 600;\n cursor: pointer;\n transition: all 0.15s;\n font-family: var(--sans);\n }\n\n .btn-approve {\n background: var(--green);\n color: var(--bg);\n }\n\n .btn-approve:hover {\n background: #4ecf5e;\n }\n\n .btn-deny {\n background: var(--red);\n color: white;\n }\n\n .btn-deny:hover {\n background: #f9605e;\n }\n\n /* ── Threat Panel (collapsible footer) ──────────────────────────── */\n\n .threat-panel {\n position: fixed;\n bottom: 0;\n left: 0;\n right: 0;\n background: var(--surface);\n border-top: 1px solid var(--border);\n max-height: 240px;\n z-index: 500;\n display: flex;\n flex-direction: column;\n transition: max-height 0.3s ease-out;\n }\n\n .threat-panel.collapsed {\n max-height: 40px;\n }\n\n .threat-header {\n padding: 12px 20px;\n cursor: pointer;\n display: flex;\n align-items: center;\n gap: 8px;\n font-size: 12px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n flex: 0 0 auto;\n }\n\n .threat-header:hover {\n background: rgba(88, 166, 255, 0.05);\n }\n\n .threat-icon {\n font-size: 14px;\n }\n\n .threat-content {\n flex: 1;\n overflow-y: auto;\n padding: 0 20px 12px;\n display: flex;\n flex-direction: column;\n gap: 10px;\n }\n\n .threat-item {\n padding: 8px 10px;\n background: rgba(248, 81, 73, 0.1);\n border-left: 2px solid var(--red);\n border-radius: 4px;\n font-size: 11px;\n color: var(--text-secondary);\n }\n\n .threat-item-type {\n font-weight: 600;\n color: var(--red);\n font-family: var(--mono);\n }\n\n .threat-empty {\n text-align: center;\n padding: 20px 10px;\n color: var(--text-secondary);\n font-size: 12px;\n }\n\n /* ── Scrollbars ────────────────────────────────────────────────── */\n\n ::-webkit-scrollbar {\n width: 6px;\n }\n\n ::-webkit-scrollbar-track {\n background: transparent;\n }\n\n ::-webkit-scrollbar-thumb {\n background: var(--border);\n border-radius: 3px;\n }\n\n ::-webkit-scrollbar-thumb:hover {\n background: rgba(88, 166, 255, 0.3);\n }\n\n /* ── Responsive ────────────────────────────────────────────────── */\n\n @media (max-width: 1200px) {\n .protection-sidebar {\n display: none;\n }\n\n .activity-feed {\n border-right: none;\n }\n }\n\n @media (max-width: 768px) {\n .status-bar {\n padding: 0 12px;\n gap: 12px;\n height: 48px;\n }\n\n .sanctuary-logo {\n font-size: 14px;\n }\n\n .status-bar-center {\n display: none;\n }\n\n .main-container {\n margin-top: 48px;\n }\n\n .activity-item {\n padding: 10px 12px;\n }\n\n .pending-overlay.active {\n width: 100%;\n }\n\n .threat-panel {\n max-height: 200px;\n }\n }\n</style>\n</head>\n<body>\n\n<!-- Status Bar (fixed, top) -->\n<div class=\"status-bar\">\n <div class=\"status-bar-left\">\n <div class=\"sanctuary-logo\"><span>◆</span> SANCTUARY</div>\n <div class=\"version\">v${options.serverVersion}</div>\n </div>\n <div class=\"status-bar-center\">\n <div class=\"sovereignty-badge\">\n <div class=\"sovereignty-score\" id=\"sovereigntyScore\">85</div>\n <span>Sovereignty Health</span>\n </div>\n </div>\n <div class=\"status-bar-right\">\n <div class=\"protections-indicator\">\n <span class=\"count\" id=\"activeProtections\">6</span>/6 protections\n </div>\n <div class=\"uptime\">\n <span id=\"uptimeText\">—</span>\n </div>\n <div class=\"status-dot\" id=\"statusDot\"></div>\n <div class=\"pending-badge hidden\" id=\"pendingBadge\">0</div>\n </div>\n</div>\n\n<!-- Main Layout -->\n<div class=\"main-container\">\n <!-- Activity Feed -->\n <div class=\"activity-feed\">\n <div class=\"feed-header\">\n <div class=\"feed-header-dot\"></div>\n Live Activity\n </div>\n <div class=\"activity-list\" id=\"activityList\">\n <div class=\"activity-empty\">\n <div class=\"activity-empty-icon\">→</div>\n <div class=\"activity-empty-text\">Waiting for activity...</div>\n </div>\n </div>\n </div>\n\n <!-- Protection Status Sidebar -->\n <div class=\"protection-sidebar\" id=\"protectionSidebar\">\n <div class=\"sidebar-header\">\n <span>◆</span> Protection Status\n </div>\n <div class=\"sidebar-content\">\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">🔐</div>\n <div class=\"protection-card-label\">Encryption</div>\n <div class=\"protection-card-status active\" id=\"encryptionStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"encryptionStat\">Ed25519</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">✓</div>\n <div class=\"protection-card-label\">Approval Gate</div>\n <div class=\"protection-card-status active\" id=\"approvalStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"approvalStat\">T1: 2 | T2: 3</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">🎯</div>\n <div class=\"protection-card-label\">Context Gating</div>\n <div class=\"protection-card-status active\" id=\"contextStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"contextStat\">12 filtered</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">⚠</div>\n <div class=\"protection-card-label\">Injection Detection</div>\n <div class=\"protection-card-status active\" id=\"injectionStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"injectionStat\">3 flags today</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">📊</div>\n <div class=\"protection-card-label\">Behavioral Baseline</div>\n <div class=\"protection-card-status active\" id=\"baselineStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"baselineStat\">0 anomalies</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">📋</div>\n <div class=\"protection-card-label\">Audit Trail</div>\n <div class=\"protection-card-status active\" id=\"auditStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"auditStat\">284 entries</div>\n </div>\n </div>\n </div>\n</div>\n\n<!-- Pending Approvals Overlay -->\n<div class=\"pending-overlay\" id=\"pendingOverlay\">\n <div class=\"pending-overlay-header\">\n <div class=\"pending-overlay-title\">Pending Approvals</div>\n <button class=\"pending-overlay-close\" onclick=\"closePendingOverlay()\">×</button>\n </div>\n <div class=\"pending-list\" id=\"pendingList\"></div>\n</div>\n\n<!-- Threat Panel (collapsible footer) -->\n<div class=\"threat-panel collapsed\" id=\"threatPanel\">\n <div class=\"threat-header\" onclick=\"toggleThreatPanel()\">\n <span class=\"threat-icon\">⚠</span>\n Recent Threats\n <span id=\"threatCount\" style=\"margin-left: auto; color: var(--red); font-weight: 700;\">0</span>\n </div>\n <div class=\"threat-content\" id=\"threatContent\">\n <div class=\"threat-empty\">No threats detected</div>\n </div>\n</div>\n\n<script>\n(function() {\n 'use strict';\n\n // ── Configuration ────────────────────────────────────────────────\n\n const TIMEOUT_SECONDS = ${options.timeoutSeconds};\n // AUTH_TOKEN: embedded token (for direct session access) or from sessionStorage (login page flow)\n const EMBEDDED_TOKEN = ${options.authToken ? JSON.stringify(options.authToken) : 'null'};\n const AUTH_TOKEN = EMBEDDED_TOKEN || (function() { try { return sessionStorage.getItem('sanctuary_token'); } catch(_) { return null; } })();\n const MAX_ACTIVITY_ITEMS = 100;\n const MAX_THREAT_ITEMS = 20;\n\n // ── State ────────────────────────────────────────────────────────\n\n let SESSION_ID = null;\n let evtSource = null;\n let startTime = Date.now();\n let activityCount = 0;\n let threatCount = 0;\n const pendingRequests = new Map();\n const activityItems = [];\n const threatItems = [];\n let sovereigntyScore = 85;\n let sessionRenewalTimer = null;\n\n // ── Auth Helpers (SEC-012) ───────────────────────────────────────\n\n function authHeaders() {\n const h = { 'Content-Type': 'application/json' };\n if (AUTH_TOKEN) h['Authorization'] = 'Bearer ' + AUTH_TOKEN;\n return h;\n }\n\n function sessionQuery(url) {\n if (!SESSION_ID) return url;\n const sep = url.includes('?') ? '&' : '?';\n return url + sep + 'session=' + SESSION_ID;\n }\n\n function setCookie(sessionId, maxAge) {\n document.cookie = 'sanctuary_session=' + sessionId +\n '; path=/; SameSite=Strict; max-age=' + maxAge;\n }\n\n async function exchangeSession() {\n if (!AUTH_TOKEN) return;\n try {\n const resp = await fetch('/auth/session', { method: 'POST', headers: authHeaders() });\n if (resp.ok) {\n const data = await resp.json();\n SESSION_ID = data.session_id;\n var ttl = data.expires_in_seconds || 300;\n // Update cookie with new session\n setCookie(SESSION_ID, ttl);\n // Schedule renewal at 80% of TTL\n if (sessionRenewalTimer) clearTimeout(sessionRenewalTimer);\n sessionRenewalTimer = setTimeout(function() {\n exchangeSession().then(function() { reconnectSSE(); });\n }, ttl * 800);\n } else if (resp.status === 401) {\n // Token invalid or expired — show non-destructive re-login overlay\n showSessionExpired();\n }\n } catch (e) {\n // Network error — retry in 30s\n if (sessionRenewalTimer) clearTimeout(sessionRenewalTimer);\n sessionRenewalTimer = setTimeout(function() {\n exchangeSession().then(function() { reconnectSSE(); });\n }, 30000);\n }\n }\n\n function showSessionExpired() {\n // Clear stored token\n try { sessionStorage.removeItem('sanctuary_token'); } catch(_) {}\n // Redirect to login page\n document.cookie = 'sanctuary_session=; path=/; max-age=0';\n window.location.reload();\n }\n\n // ── UI Utilities ─────────────────────────────────────────────────\n\n function esc(s) {\n const d = document.createElement('div');\n d.textContent = String(s || '');\n return d.innerHTML;\n }\n\n function closePendingOverlay() {\n document.getElementById('pendingOverlay').classList.remove('active');\n }\n\n function toggleThreatPanel() {\n document.getElementById('threatPanel').classList.toggle('collapsed');\n }\n\n function updateUptime() {\n const elapsed = Math.floor((Date.now() - startTime) / 1000);\n const hours = Math.floor(elapsed / 3600);\n const mins = Math.floor((elapsed % 3600) / 60);\n const secs = elapsed % 60;\n let uptimeStr = '';\n if (hours > 0) uptimeStr += hours + 'h ';\n if (mins > 0) uptimeStr += mins + 'm ';\n uptimeStr += secs + 's';\n document.getElementById('uptimeText').textContent = uptimeStr;\n }\n\n // ── Sovereignty Score ────────────────────────────────────────────\n\n function updateSovereigntyScore(score) {\n sovereigntyScore = Math.min(100, Math.max(0, score || 85));\n const badge = document.getElementById('sovereigntyScore');\n badge.textContent = sovereigntyScore;\n badge.className = 'sovereignty-score';\n if (sovereigntyScore >= 80) {\n badge.classList.add('high');\n } else if (sovereigntyScore >= 50) {\n badge.classList.add('medium');\n } else {\n badge.classList.add('low');\n }\n }\n\n // ── Activity Feed ────────────────────────────────────────────────\n\n function addActivityItem(data) {\n const {\n timestamp,\n tier,\n tool,\n outcome,\n detail,\n hasInjection,\n isContextGated\n } = data;\n\n const item = {\n id: 'activity-' + activityCount++,\n timestamp: timestamp || new Date().toISOString(),\n tier: tier || 1,\n tool: tool || 'unknown_tool',\n outcome: outcome || 'executed',\n detail: detail || '',\n hasInjection: !!hasInjection,\n isContextGated: !!isContextGated\n };\n\n activityItems.unshift(item);\n if (activityItems.length > MAX_ACTIVITY_ITEMS) {\n activityItems.pop();\n }\n\n renderActivityFeed();\n }\n\n function renderActivityFeed() {\n const list = document.getElementById('activityList');\n\n if (activityItems.length === 0) {\n list.innerHTML = '<div class=\"activity-empty\"><div class=\"activity-empty-icon\">→</div><div class=\"activity-empty-text\">Waiting for activity...</div></div>';\n return;\n }\n\n list.innerHTML = '';\n for (const item of activityItems) {\n const tr = document.createElement('div');\n tr.className = 'activity-item';\n tr.id = item.id;\n\n const time = new Date(item.timestamp);\n const timeStr = time.toLocaleTimeString();\n\n const tierClass = 't' + item.tier;\n const outcomeClass = item.outcome === 'denied' ? 'outcome denied' : 'outcome';\n\n let icon = '●';\n if (item.isContextGated) icon = '🎯';\n else if (item.hasInjection) icon = '⚠';\n else if (item.outcome === 'denied') icon = '✗';\n else icon = '✓';\n\n tr.innerHTML =\n '<div class=\"activity-item-icon\">' + esc(icon) + '</div>' +\n '<div class=\"activity-item-content\">' +\n '<div class=\"activity-time\">' + esc(timeStr) + '</div>' +\n '<div class=\"activity-main\">' +\n '<span class=\"activity-tier ' + tierClass + '\">T' + item.tier + '</span>' +\n '<span class=\"activity-tool\">' + esc(item.tool) + '</span>' +\n '<span class=\"activity-outcome ' + (outcomeClass === 'outcome denied' ? 'denied' : '') + '\">' + (item.outcome === 'denied' ? '✗ denied' : '✓ allowed') + '</span>' +\n '</div>' +\n '<div class=\"activity-detail\">' + esc(item.detail) + '</div>' +\n '</div>' +\n '';\n\n tr.addEventListener('click', () => {\n tr.classList.toggle('expanded');\n });\n\n list.appendChild(tr);\n }\n }\n\n // ── Pending Approvals ────────────────────────────────────────────\n\n function addPendingRequest(data) {\n const {\n request_id,\n operation,\n tier,\n reason,\n context,\n timestamp\n } = data;\n\n const pending = {\n id: request_id,\n operation: operation || 'unknown',\n tier: tier || 1,\n reason: reason || '',\n context: context || {},\n timestamp: timestamp || new Date().toISOString(),\n remaining: TIMEOUT_SECONDS\n };\n\n pendingRequests.set(request_id, pending);\n updatePendingUI();\n }\n\n function removePendingRequest(id) {\n pendingRequests.delete(id);\n updatePendingUI();\n }\n\n function updatePendingUI() {\n const count = pendingRequests.size;\n const badge = document.getElementById('pendingBadge');\n\n if (count > 0) {\n badge.classList.remove('hidden');\n badge.textContent = count;\n document.getElementById('pendingOverlay').classList.add('active');\n } else {\n badge.classList.add('hidden');\n document.getElementById('pendingOverlay').classList.remove('active');\n }\n\n renderPendingList();\n }\n\n function renderPendingList() {\n const list = document.getElementById('pendingList');\n list.innerHTML = '';\n\n for (const [id, req] of pendingRequests) {\n const item = document.createElement('div');\n item.className = 'pending-item';\n\n const tier = req.tier || 1;\n const tierClass = 'tier' + tier;\n const pct = Math.max(0, Math.min(100, (req.remaining / TIMEOUT_SECONDS) * 100));\n const isUrgent = req.remaining <= 30;\n\n item.innerHTML =\n '<div class=\"pending-item-header\">' +\n '<div class=\"pending-item-op\">' + esc(req.operation) + '</div>' +\n '<div class=\"pending-item-tier ' + tierClass + '\">T' + tier + '</div>' +\n '</div>' +\n '<div class=\"pending-item-reason\">' + esc(req.reason) + '</div>' +\n '<div class=\"pending-item-timer ' + (isUrgent ? 'urgent' : '') + '\">' +\n '<div class=\"pending-item-timer-bar\">' +\n '<div class=\"pending-item-timer-fill\" style=\"width: ' + pct + '%\"></div>' +\n '</div>' +\n '<span id=\"timer-' + id + '\">' + req.remaining + 's</span>' +\n '</div>' +\n '<div class=\"pending-item-actions\">' +\n '<button class=\"btn btn-approve\" onclick=\"handleApprove(\\'' + id + '\\')\">Approve</button>' +\n '<button class=\"btn btn-deny\" onclick=\"handleDeny(\\'' + id + '\\')\">Deny</button>' +\n '</div>' +\n '';\n\n list.appendChild(item);\n }\n }\n\n window.handleApprove = function(id) {\n fetch('/api/approve/' + id, { method: 'POST', headers: authHeaders() }).then(() => {\n removePendingRequest(id);\n }).catch(() => {});\n };\n\n window.handleDeny = function(id) {\n fetch('/api/deny/' + id, { method: 'POST', headers: authHeaders() }).then(() => {\n removePendingRequest(id);\n }).catch(() => {});\n };\n\n // ── Threats ──────────────────────────────────────────────────────\n\n function addThreat(data) {\n const {\n timestamp,\n severity,\n type,\n details\n } = data;\n\n const threat = {\n id: 'threat-' + threatCount++,\n timestamp: timestamp || new Date().toISOString(),\n severity: severity || 'medium',\n type: type || 'unknown',\n details: details || ''\n };\n\n threatItems.unshift(threat);\n if (threatItems.length > MAX_THREAT_ITEMS) {\n threatItems.pop();\n }\n\n if (threatCount > 0) {\n document.getElementById('threatPanel').classList.remove('collapsed');\n }\n\n renderThreats();\n }\n\n function renderThreats() {\n const content = document.getElementById('threatContent');\n const badge = document.getElementById('threatCount');\n\n if (threatItems.length === 0) {\n content.innerHTML = '<div class=\"threat-empty\">No threats detected</div>';\n badge.textContent = '0';\n return;\n }\n\n badge.textContent = threatItems.length;\n content.innerHTML = '';\n\n for (const threat of threatItems) {\n const div = document.createElement('div');\n div.className = 'threat-item';\n const time = new Date(threat.timestamp).toLocaleTimeString();\n div.innerHTML =\n '<div style=\"margin-bottom: 3px;\">' +\n '<span class=\"threat-item-type\">' + esc(threat.type) + '</span>' +\n '<span style=\"font-size: 10px; color: var(--text-secondary); margin-left: 6px;\">' + esc(time) + '</span>' +\n '</div>' +\n '<div>' + esc(threat.details) + '</div>' +\n '';\n content.appendChild(div);\n }\n }\n\n // ── SSE Connection ───────────────────────────────────────────────\n\n function reconnectSSE() {\n if (evtSource) evtSource.close();\n connect();\n }\n\n function connect() {\n evtSource = new EventSource(sessionQuery('/events'));\n\n evtSource.onopen = () => {\n document.getElementById('statusDot').classList.remove('disconnected');\n };\n\n evtSource.onerror = () => {\n document.getElementById('statusDot').classList.add('disconnected');\n };\n\n evtSource.addEventListener('init', (e) => {\n const data = JSON.parse(e.data);\n if (data.baseline) {\n updateBaseline(data.baseline);\n }\n if (data.policy) {\n updatePolicy(data.policy);\n }\n if (data.pending) {\n data.pending.forEach(addPendingRequest);\n }\n });\n\n evtSource.addEventListener('pending-request', (e) => {\n const data = JSON.parse(e.data);\n addPendingRequest(data);\n });\n\n evtSource.addEventListener('request-resolved', (e) => {\n const data = JSON.parse(e.data);\n removePendingRequest(data.request_id);\n });\n\n evtSource.addEventListener('tool-call', (e) => {\n const data = JSON.parse(e.data);\n addActivityItem({\n timestamp: data.timestamp,\n tier: data.tier || 1,\n tool: data.tool || 'unknown',\n outcome: data.outcome || 'executed',\n detail: data.detail || ''\n });\n });\n\n evtSource.addEventListener('context-gate-decision', (e) => {\n const data = JSON.parse(e.data);\n addActivityItem({\n timestamp: data.timestamp,\n tier: data.tier || 1,\n tool: data.tool || 'unknown',\n outcome: data.outcome || 'gated',\n detail: data.fields_filtered ? 'Filtered ' + data.fields_filtered + ' fields' : data.reason || '',\n isContextGated: true\n });\n });\n\n evtSource.addEventListener('injection-alert', (e) => {\n const data = JSON.parse(e.data);\n addActivityItem({\n timestamp: data.timestamp,\n tier: data.tier || 2,\n tool: data.tool || 'unknown',\n outcome: data.allowed ? 'allowed' : 'denied',\n detail: data.signal || 'Injection detected',\n hasInjection: true\n });\n addThreat({\n timestamp: data.timestamp,\n severity: data.severity || 'medium',\n type: 'Injection Alert',\n details: data.signal || 'Suspicious pattern detected'\n });\n });\n\n evtSource.addEventListener('protection-status', (e) => {\n const data = JSON.parse(e.data);\n updateProtectionStatus(data);\n });\n\n evtSource.addEventListener('audit-entry', (e) => {\n const data = JSON.parse(e.data);\n // Audit entries don't show in activity by default, but we could add them\n });\n\n evtSource.addEventListener('baseline-update', (e) => {\n const data = JSON.parse(e.data);\n updateBaseline(data);\n });\n }\n\n function updateBaseline(baseline) {\n if (!baseline) return;\n // Update baseline-derived stats if needed\n }\n\n function updatePolicy(policy) {\n if (!policy) return;\n // Update policy-derived stats\n if (policy.approval_channel) {\n // Policy info updated\n }\n }\n\n function updateProtectionStatus(status) {\n if (status.sovereignty_score !== undefined) {\n updateSovereigntyScore(status.sovereignty_score);\n }\n if (status.active_protections !== undefined) {\n document.getElementById('activeProtections').textContent = status.active_protections;\n }\n // Update individual protection cards\n if (status.encryption !== undefined) {\n const el = document.getElementById('encryptionStatus');\n el.className = 'protection-card-status ' + (status.encryption ? 'active' : 'inactive');\n el.textContent = status.encryption ? '✓ Active' : '✗ Inactive';\n }\n if (status.approval_gate !== undefined) {\n const el = document.getElementById('approvalStatus');\n el.className = 'protection-card-status ' + (status.approval_gate ? 'active' : 'inactive');\n el.textContent = status.approval_gate ? '✓ Active' : '✗ Inactive';\n }\n if (status.context_gating !== undefined) {\n const el = document.getElementById('contextStatus');\n el.className = 'protection-card-status ' + (status.context_gating ? 'active' : 'inactive');\n el.textContent = status.context_gating ? '✓ Active' : '✗ Inactive';\n }\n if (status.injection_detection !== undefined) {\n const el = document.getElementById('injectionStatus');\n el.className = 'protection-card-status ' + (status.injection_detection ? 'active' : 'inactive');\n el.textContent = status.injection_detection ? '✓ Active' : '✗ Inactive';\n }\n if (status.baseline !== undefined) {\n const el = document.getElementById('baselineStatus');\n el.className = 'protection-card-status ' + (status.baseline ? 'active' : 'inactive');\n el.textContent = status.baseline ? '✓ Active' : '✗ Inactive';\n }\n if (status.audit_trail !== undefined) {\n const el = document.getElementById('auditStatus');\n el.className = 'protection-card-status ' + (status.audit_trail ? 'active' : 'inactive');\n el.textContent = status.audit_trail ? '✓ Active' : '✗ Inactive';\n }\n }\n\n // ── Initialization ───────────────────────────────────────────────\n\n (async function init() {\n await exchangeSession();\n // Clean legacy ?token= from URL\n if (window.location.search.includes('token=')) {\n window.history.replaceState({}, '', window.location.pathname);\n }\n connect();\n\n // Start uptime ticker\n setInterval(updateUptime, 1000);\n updateUptime();\n\n // Pending request countdown timer\n setInterval(() => {\n for (const [id, req] of pendingRequests) {\n req.remaining = Math.max(0, req.remaining - 1);\n const el = document.getElementById('timer-' + id);\n if (el) {\n el.textContent = req.remaining + 's';\n }\n }\n }, 1000);\n\n // Load initial status\n try {\n const resp = await fetch('/api/status', { headers: authHeaders() });\n if (resp.ok) {\n const status = await resp.json();\n if (status.baseline) updateBaseline(status.baseline);\n if (status.policy) updatePolicy(status.policy);\n }\n } catch (e) {\n // Ignore\n }\n })();\n\n})();\n</script>\n\n</body>\n</html>`;\n}\n\n","/**\n * Sanctuary MCP Server — Principal Dashboard\n *\n * HTTP-based approval channel that serves a real-time web dashboard\n * for human principals to approve/deny agent operations.\n *\n * Architecture:\n * - Node.js built-in `http`/`https` modules (no Express or external deps)\n * - SSE (Server-Sent Events) for real-time push to browser\n * - Pending approval requests block the MCP tool call via Promise\n * - Human clicks approve/deny in browser → POST /api/approve/:id → Promise resolves\n * - Timeout fallback: auto-deny (or auto-approve) if no response\n *\n * Security invariants:\n * - Binds to 127.0.0.1 by default (localhost only)\n * - Optional bearer token authentication for non-localhost deployments\n * - Optional TLS (HTTPS) via cert/key paths\n * - All decisions are audit-logged\n * - Agent cannot access the dashboard (it runs outside MCP stdin/stdout)\n */\n\nimport { createServer as createHttpServer, type IncomingMessage, type ServerResponse } from \"node:http\";\nimport { createServer as createHttpsServer } from \"node:https\";\nimport { readFileSync } from \"node:fs\";\nimport { randomBytes } from \"node:crypto\";\nimport { exec } from \"node:child_process\";\nimport { platform } from \"node:os\";\nimport { SANCTUARY_VERSION as PKG_VERSION } from \"../config.js\";\nimport type { ApprovalChannel } from \"./approval-channel.js\";\nimport type { ApprovalRequest, ApprovalResponse, PrincipalPolicy } from \"./types.js\";\nimport type { BaselineTracker } from \"./baseline.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateDashboardHTML, generateLoginHTML } from \"./dashboard-html.js\";\n\n// ── Types ───────────────────────────────────────────────────────────────\n\nexport interface DashboardConfig {\n port: number;\n host: string;\n timeout_seconds: number;\n /** SEC-002: auto_deny is always true. Field retained for interface compat but ignored. */\n auto_deny?: boolean;\n /** Bearer token for API authentication. If omitted, auth is disabled. */\n auth_token?: string;\n /** TLS configuration for HTTPS. If omitted, plain HTTP is used. */\n tls?: {\n cert_path: string;\n key_path: string;\n };\n /** Auto-open the dashboard in the default browser on startup. Default: true for localhost. */\n auto_open?: boolean;\n}\n\ninterface PendingRequest {\n id: string;\n request: ApprovalRequest;\n resolve: (response: ApprovalResponse) => void;\n timer: ReturnType<typeof setTimeout>;\n created_at: string;\n}\n\ntype SSEClient = ServerResponse;\n\n// ── Dashboard Approval Channel ──────────────────────────────────────────\n\n// ── Session Store ────────────────────────────────────────────────────\n// Short-lived sessions replace the long-lived auth token in URLs (SEC-012).\n\ninterface DashboardSession {\n id: string;\n created_at: number;\n expires_at: number;\n}\n\nconst SESSION_TTL_REMOTE_MS = 5 * 60 * 1000; // 5 minutes for remote/TLS\nconst SESSION_TTL_LOCAL_MS = 24 * 60 * 60 * 1000; // 24 hours for localhost\nconst MAX_SESSIONS = 1000;\n\n// ── Rate Limiting ───────────────────────────────────────────────────\n// Sliding-window rate limiting per remote address.\n// Decision endpoints (approve/deny) have a tighter limit than general API.\n\nconst RATE_LIMIT_WINDOW_MS = 60_000; // 1-minute window\nconst RATE_LIMIT_GENERAL = 120; // max general API requests per window\nconst RATE_LIMIT_DECISIONS = 20; // max approve/deny decisions per window\nconst MAX_RATE_LIMIT_ENTRIES = 10_000; // cap the tracking map to prevent memory exhaustion\n\ninterface RateLimitEntry {\n general: number[]; // timestamps of general requests\n decisions: number[]; // timestamps of decision requests\n}\n\nexport class DashboardApprovalChannel implements ApprovalChannel {\n private config: DashboardConfig;\n private pending: Map<string, PendingRequest> = new Map();\n private sseClients: Set<SSEClient> = new Set();\n private httpServer: ReturnType<typeof createHttpServer> | null = null;\n private policy: PrincipalPolicy | null = null;\n private baseline: BaselineTracker | null = null;\n private auditLog: AuditLog | null = null;\n private dashboardHTML: string;\n private loginHTML: string;\n private authToken: string | undefined;\n private useTLS: boolean;\n /** Session TTL: longer for localhost, shorter for remote */\n private sessionTTLMs: number;\n /** SEC-012: Short-lived session store. Sessions replace URL query tokens. */\n private sessions: Map<string, DashboardSession> = new Map();\n private sessionCleanupTimer: ReturnType<typeof setInterval> | null = null;\n /** Rate limiting: per-IP request tracking */\n private rateLimits: Map<string, RateLimitEntry> = new Map();\n\n constructor(config: DashboardConfig) {\n this.config = config;\n this.authToken = config.auth_token;\n this.useTLS = !!(config.tls?.cert_path && config.tls?.key_path);\n // Localhost gets 24h sessions; remote/TLS gets 5min\n const isLocalhost = config.host === \"127.0.0.1\" || config.host === \"localhost\" || config.host === \"::1\";\n this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;\n this.dashboardHTML = generateDashboardHTML({\n timeoutSeconds: config.timeout_seconds,\n serverVersion: PKG_VERSION,\n authToken: this.authToken,\n });\n this.loginHTML = generateLoginHTML({ serverVersion: PKG_VERSION });\n // SEC-012: Periodic cleanup of expired sessions (every 60s)\n this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 60_000);\n }\n\n /**\n * Inject dependencies after construction.\n * Called from index.ts after all components are initialized.\n */\n setDependencies(deps: {\n policy: PrincipalPolicy;\n baseline: BaselineTracker;\n auditLog: AuditLog;\n }): void {\n this.policy = deps.policy;\n this.baseline = deps.baseline;\n this.auditLog = deps.auditLog;\n }\n\n /**\n * Start the HTTP(S) server for the dashboard.\n */\n async start(): Promise<void> {\n return new Promise((resolve, reject) => {\n const handler = (req: IncomingMessage, res: ServerResponse) => this.handleRequest(req, res);\n\n if (this.useTLS && this.config.tls) {\n const tlsOpts = {\n cert: readFileSync(this.config.tls.cert_path),\n key: readFileSync(this.config.tls.key_path),\n };\n this.httpServer = createHttpsServer(tlsOpts, handler);\n } else {\n this.httpServer = createHttpServer(handler);\n }\n\n const protocol = this.useTLS ? \"https\" : \"http\";\n const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;\n\n this.httpServer.listen(this.config.port, this.config.host, () => {\n // Generate a pre-authenticated one-click URL\n const sessionUrl = this.authToken ? this.createSessionUrl() : baseUrl;\n\n // Print dashboard URL\n process.stderr.write(\n `\\n Sanctuary Principal Dashboard: ${baseUrl}\\n`\n );\n if (this.authToken) {\n const hint = this.authToken.slice(0, 4) + \"...\" + this.authToken.slice(-4);\n process.stderr.write(\n ` Auth token: ${hint}\\n`\n );\n }\n process.stderr.write(`\\n`);\n\n // Auto-open in default browser (default: true for localhost)\n // Skip in test environments to avoid spawning browsers during CI/test runs\n const isTest = !!(process.env.VITEST || process.env.NODE_ENV === \"test\" || process.env.CI);\n const isLocalhost = this.config.host === \"127.0.0.1\" || this.config.host === \"localhost\" || this.config.host === \"::1\";\n const shouldAutoOpen = !isTest && (this.config.auto_open ?? isLocalhost);\n if (shouldAutoOpen) {\n this.openInBrowser(sessionUrl);\n }\n\n resolve();\n });\n this.httpServer.on(\"error\", reject);\n });\n }\n\n /**\n * Stop the HTTP server and clean up.\n */\n async stop(): Promise<void> {\n // Clear all pending requests\n for (const [, pending] of this.pending) {\n clearTimeout(pending.timer);\n pending.resolve({\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n });\n }\n this.pending.clear();\n\n // Close SSE connections\n for (const client of this.sseClients) {\n client.end();\n }\n this.sseClients.clear();\n\n // SEC-012: Clean up session state\n this.sessions.clear();\n if (this.sessionCleanupTimer) {\n clearInterval(this.sessionCleanupTimer);\n this.sessionCleanupTimer = null;\n }\n\n // Clean up rate limit tracking\n this.rateLimits.clear();\n\n // Close HTTP server\n if (this.httpServer) {\n return new Promise((resolve) => {\n this.httpServer!.close(() => resolve());\n });\n }\n }\n\n /**\n * Request approval from the human via the dashboard.\n * Blocks until the human approves/denies or timeout occurs.\n */\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n const id = randomBytes(8).toString(\"hex\");\n\n // Also write to stderr as a fallback notification\n process.stderr.write(\n `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) — open dashboard to respond\\n`\n );\n\n return new Promise<ApprovalResponse>((resolve) => {\n // Set up timeout\n const timer = setTimeout(() => {\n this.pending.delete(id);\n const response: ApprovalResponse = {\n // SEC-002: Timeout ALWAYS denies. No configuration can change this.\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"timeout\",\n };\n this.broadcastSSE(\"request-resolved\", {\n request_id: id,\n decision: response.decision,\n decided_by: \"timeout\",\n });\n resolve(response);\n }, this.config.timeout_seconds * 1000);\n\n // Store the pending request\n const pending: PendingRequest = {\n id,\n request,\n resolve,\n timer,\n created_at: new Date().toISOString(),\n };\n this.pending.set(id, pending);\n\n // Broadcast to all connected dashboards\n this.broadcastSSE(\"pending-request\", {\n request_id: id,\n operation: request.operation,\n tier: request.tier,\n reason: request.reason,\n context: request.context,\n timestamp: request.timestamp,\n });\n });\n }\n\n // ── Authentication ──────────────────────────────────────────────────\n\n /**\n * Verify bearer token authentication.\n *\n * SEC-012: The long-lived auth token is ONLY accepted via the Authorization\n * header — never in URL query strings. For SSE and page loads that cannot\n * set headers, a short-lived session token (obtained via POST /auth/session)\n * is accepted via ?session= query parameter.\n *\n * Returns true if auth passes, false if blocked (response already sent).\n */\n private checkAuth(req: IncomingMessage, url: URL, res: ServerResponse): boolean {\n if (!this.authToken) return true; // Auth disabled\n\n // Check Authorization: Bearer <token> header (primary auth method)\n const authHeader = req.headers.authorization;\n if (authHeader) {\n const parts = authHeader.split(\" \");\n if (parts.length === 2 && parts[0] === \"Bearer\" && parts[1] === this.authToken) {\n return true;\n }\n }\n\n // SEC-012: Check ?session= query parameter for short-lived session tokens\n // This replaces the old ?token= query parameter that exposed the long-lived token\n const sessionId = url.searchParams.get(\"session\");\n if (sessionId && this.validateSession(sessionId)) {\n return true;\n }\n\n // Check sanctuary_session cookie (set by login page flow)\n const cookieSession = this.parseCookie(req, \"sanctuary_session\");\n if (cookieSession && this.validateSession(cookieSession)) {\n return true;\n }\n\n // SEC-012: Long-lived token in ?token= query parameter is explicitly REJECTED.\n // This was the vulnerability — tokens in URLs leak to logs, history, and Referer headers.\n\n // For GET / requests from browsers, serve login page instead of JSON 401\n // (checked in handleRequest before checkAuth is called for this path)\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Unauthorized — use Authorization: Bearer header or a valid session\" }));\n return false;\n }\n\n /**\n * Check if a request is authenticated WITHOUT sending a response.\n * Used to decide between login page vs dashboard for GET /.\n */\n private isAuthenticated(req: IncomingMessage, url: URL): boolean {\n if (!this.authToken) return true;\n\n const authHeader = req.headers.authorization;\n if (authHeader) {\n const parts = authHeader.split(\" \");\n if (parts.length === 2 && parts[0] === \"Bearer\" && parts[1] === this.authToken) {\n return true;\n }\n }\n\n const sessionId = url.searchParams.get(\"session\");\n if (sessionId && this.validateSession(sessionId)) return true;\n\n const cookieSession = this.parseCookie(req, \"sanctuary_session\");\n if (cookieSession && this.validateSession(cookieSession)) return true;\n\n return false;\n }\n\n /**\n * Parse a specific cookie value from the request.\n */\n private parseCookie(req: IncomingMessage, name: string): string | null {\n const header = req.headers.cookie;\n if (!header) return null;\n for (const part of header.split(\";\")) {\n const [key, ...rest] = part.split(\"=\");\n if (key?.trim() === name) {\n return rest.join(\"=\").trim();\n }\n }\n return null;\n }\n\n // ── Session Management (SEC-012) ──────────────────────────────────\n\n /**\n * Create a short-lived session by exchanging the long-lived auth token\n * (provided in the Authorization header) for a session ID.\n */\n private createSession(): string {\n // Enforce max sessions to prevent memory exhaustion\n if (this.sessions.size >= MAX_SESSIONS) {\n this.cleanupSessions();\n // If still at limit after cleanup, evict the oldest session\n if (this.sessions.size >= MAX_SESSIONS) {\n const oldest = [...this.sessions.entries()].sort(\n (a, b) => a[1].created_at - b[1].created_at\n )[0];\n if (oldest) this.sessions.delete(oldest[0]);\n }\n }\n\n const id = randomBytes(32).toString(\"hex\");\n const now = Date.now();\n this.sessions.set(id, {\n id,\n created_at: now,\n expires_at: now + this.sessionTTLMs,\n });\n return id;\n }\n\n /**\n * Validate a session ID — must exist and not be expired.\n */\n private validateSession(sessionId: string): boolean {\n const session = this.sessions.get(sessionId);\n if (!session) return false;\n if (Date.now() > session.expires_at) {\n this.sessions.delete(sessionId);\n return false;\n }\n return true;\n }\n\n /**\n * Remove all expired sessions.\n */\n private cleanupSessions(): void {\n const now = Date.now();\n for (const [id, session] of this.sessions) {\n if (now > session.expires_at) {\n this.sessions.delete(id);\n }\n }\n }\n\n // ── Rate Limiting ─────────────────────────────────────────────────\n\n /**\n * Get the remote address from a request, normalizing IPv6-mapped IPv4.\n */\n private getRemoteAddr(req: IncomingMessage): string {\n const addr = req.socket.remoteAddress ?? \"unknown\";\n // Normalize ::ffff:127.0.0.1 → 127.0.0.1\n return addr.startsWith(\"::ffff:\") ? addr.slice(7) : addr;\n }\n\n /**\n * Check rate limit for a request. Returns true if allowed, false if rate-limited.\n * When rate-limited, sends a 429 response.\n */\n private checkRateLimit(\n req: IncomingMessage,\n res: ServerResponse,\n type: \"general\" | \"decisions\"\n ): boolean {\n const addr = this.getRemoteAddr(req);\n const now = Date.now();\n const windowStart = now - RATE_LIMIT_WINDOW_MS;\n\n // Get or create entry for this address\n let entry = this.rateLimits.get(addr);\n if (!entry) {\n // Cap the tracking map to prevent memory exhaustion\n if (this.rateLimits.size >= MAX_RATE_LIMIT_ENTRIES) {\n this.pruneRateLimits(now);\n }\n entry = { general: [], decisions: [] };\n this.rateLimits.set(addr, entry);\n }\n\n // Prune old timestamps from the window\n entry.general = entry.general.filter(t => t > windowStart);\n entry.decisions = entry.decisions.filter(t => t > windowStart);\n\n const limit = type === \"decisions\" ? RATE_LIMIT_DECISIONS : RATE_LIMIT_GENERAL;\n const timestamps = entry[type];\n\n if (timestamps.length >= limit) {\n const retryAfter = Math.ceil((timestamps[0]! + RATE_LIMIT_WINDOW_MS - now) / 1000);\n res.writeHead(429, {\n \"Content-Type\": \"application/json\",\n \"Retry-After\": String(Math.max(1, retryAfter)),\n });\n res.end(JSON.stringify({\n error: \"Rate limit exceeded\",\n retry_after_seconds: Math.max(1, retryAfter),\n }));\n return false;\n }\n\n timestamps.push(now);\n return true;\n }\n\n /**\n * Remove stale entries from the rate limit map.\n */\n private pruneRateLimits(now: number): void {\n const windowStart = now - RATE_LIMIT_WINDOW_MS;\n for (const [addr, entry] of this.rateLimits) {\n const hasRecent =\n entry.general.some(t => t > windowStart) ||\n entry.decisions.some(t => t > windowStart);\n if (!hasRecent) {\n this.rateLimits.delete(addr);\n }\n }\n }\n\n // ── HTTP Request Handler ────────────────────────────────────────────\n\n private handleRequest(req: IncomingMessage, res: ServerResponse): void {\n const url = new URL(req.url ?? \"/\", `http://${req.headers.host ?? \"localhost\"}`);\n const method = req.method ?? \"GET\";\n\n // CORS headers — restrict to same-origin; the dashboard is served by this server\n const origin = req.headers.origin;\n const protocol = this.useTLS ? \"https\" : \"http\";\n const selfOrigin = `${protocol}://${this.config.host}:${this.config.port}`;\n if (origin === selfOrigin) {\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n }\n // When no origin header (same-origin requests), no CORS header needed\n res.setHeader(\"Access-Control-Allow-Methods\", \"GET, POST, OPTIONS\");\n res.setHeader(\"Access-Control-Allow-Headers\", \"Content-Type, Authorization\");\n\n if (method === \"OPTIONS\") {\n res.writeHead(204);\n res.end();\n return;\n }\n\n // SEC-012: Session exchange does its own auth (header-only) — let it through before checkAuth\n if (method === \"POST\" && url.pathname === \"/auth/session\") {\n if (!this.checkRateLimit(req, res, \"general\")) return;\n try {\n this.handleSessionExchange(req, res);\n } catch {\n res.writeHead(500, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Internal server error\" }));\n }\n return;\n }\n\n // For GET /: serve login page if not authenticated (instead of JSON 401)\n if (method === \"GET\" && url.pathname === \"/\" && this.authToken) {\n if (!this.isAuthenticated(req, url)) {\n if (!this.checkRateLimit(req, res, \"general\")) return;\n this.serveLoginPage(res);\n return;\n }\n }\n\n // Authenticate all other non-OPTIONS requests\n if (!this.checkAuth(req, url, res)) return;\n\n // Rate limiting: apply general limit to all authenticated requests\n if (!this.checkRateLimit(req, res, \"general\")) return;\n\n try {\n if (method === \"GET\" && url.pathname === \"/\") {\n this.serveDashboard(res);\n } else if (method === \"GET\" && url.pathname === \"/events\") {\n this.handleSSE(req, res);\n } else if (method === \"GET\" && url.pathname === \"/api/status\") {\n this.handleStatus(res);\n } else if (method === \"GET\" && url.pathname === \"/api/pending\") {\n this.handlePendingList(res);\n } else if (method === \"GET\" && url.pathname === \"/api/audit-log\") {\n this.handleAuditLog(url, res);\n } else if (method === \"POST\" && url.pathname.startsWith(\"/api/approve/\")) {\n // Decision endpoints get an additional tighter rate limit\n if (!this.checkRateLimit(req, res, \"decisions\")) return;\n const id = url.pathname.slice(\"/api/approve/\".length);\n this.handleDecision(id, \"approve\", res);\n } else if (method === \"POST\" && url.pathname.startsWith(\"/api/deny/\")) {\n // Decision endpoints get an additional tighter rate limit\n if (!this.checkRateLimit(req, res, \"decisions\")) return;\n const id = url.pathname.slice(\"/api/deny/\".length);\n this.handleDecision(id, \"deny\", res);\n } else {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Not found\" }));\n }\n } catch (err) {\n res.writeHead(500, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Internal server error\" }));\n }\n }\n\n // ── Route Handlers ──────────────────────────────────────────────────\n\n /**\n * SEC-012: Exchange a long-lived auth token (in Authorization header)\n * for a short-lived session ID. The session ID can be used in URL\n * query parameters without exposing the long-lived credential.\n *\n * This endpoint performs its OWN auth check (header-only) because it\n * must reject query-parameter tokens and is called before the\n * normal checkAuth flow.\n */\n private handleSessionExchange(req: IncomingMessage, res: ServerResponse): void {\n if (!this.authToken) {\n // Auth disabled — sessions not needed\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ session_id: \"no-auth\" }));\n return;\n }\n\n // Only accept the long-lived token via Authorization header — NEVER from URL\n const authHeader = req.headers.authorization;\n if (!authHeader) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Authorization header required\" }));\n return;\n }\n\n const parts = authHeader.split(\" \");\n if (parts.length !== 2 || parts[0] !== \"Bearer\" || parts[1] !== this.authToken) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid bearer token\" }));\n return;\n }\n\n const sessionId = this.createSession();\n const ttlSeconds = Math.floor(this.sessionTTLMs / 1000);\n res.writeHead(200, {\n \"Content-Type\": \"application/json\",\n \"Set-Cookie\": `sanctuary_session=${sessionId}; Path=/; SameSite=Strict; Max-Age=${ttlSeconds}`,\n });\n res.end(JSON.stringify({\n session_id: sessionId,\n expires_in_seconds: ttlSeconds,\n }));\n }\n\n private serveLoginPage(res: ServerResponse): void {\n res.writeHead(200, {\n \"Content-Type\": \"text/html; charset=utf-8\",\n \"Cache-Control\": \"no-cache, no-store\",\n });\n res.end(this.loginHTML);\n }\n\n private serveDashboard(res: ServerResponse): void {\n res.writeHead(200, {\n \"Content-Type\": \"text/html; charset=utf-8\",\n \"Cache-Control\": \"no-cache\",\n });\n res.end(this.dashboardHTML);\n }\n\n private handleSSE(req: IncomingMessage, res: ServerResponse): void {\n res.writeHead(200, {\n \"Content-Type\": \"text/event-stream\",\n \"Cache-Control\": \"no-cache\",\n \"Connection\": \"keep-alive\",\n });\n\n // Send initial state\n const initData: Record<string, unknown> = {};\n\n if (this.baseline) {\n initData.baseline = this.baseline.getProfile();\n }\n if (this.policy) {\n initData.policy = {\n tier1_always_approve: this.policy.tier1_always_approve,\n tier2_anomaly: this.policy.tier2_anomaly,\n tier3_always_allow: this.policy.tier3_always_allow,\n approval_channel: {\n type: this.policy.approval_channel.type,\n timeout_seconds: this.policy.approval_channel.timeout_seconds,\n auto_deny: true, // SEC-002: hardcoded, not configurable\n },\n };\n }\n\n // Send any current pending requests\n const pendingList = Array.from(this.pending.values()).map((p) => ({\n request_id: p.id,\n operation: p.request.operation,\n tier: p.request.tier,\n reason: p.request.reason,\n context: p.request.context,\n timestamp: p.request.timestamp,\n }));\n if (pendingList.length > 0) {\n initData.pending = pendingList;\n }\n\n res.write(`event: init\\ndata: ${JSON.stringify(initData)}\\n\\n`);\n\n this.sseClients.add(res);\n\n req.on(\"close\", () => {\n this.sseClients.delete(res);\n });\n }\n\n private handleStatus(res: ServerResponse): void {\n const status: Record<string, unknown> = {\n pending_count: this.pending.size,\n connected_clients: this.sseClients.size,\n };\n\n if (this.baseline) {\n status.baseline = this.baseline.getProfile();\n }\n if (this.policy) {\n status.policy = {\n version: this.policy.version,\n tier1_always_approve: this.policy.tier1_always_approve,\n tier2_anomaly: this.policy.tier2_anomaly,\n tier3_always_allow: this.policy.tier3_always_allow,\n approval_channel: {\n type: this.policy.approval_channel.type,\n timeout_seconds: this.policy.approval_channel.timeout_seconds,\n auto_deny: true, // SEC-002: hardcoded, not configurable\n },\n };\n }\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify(status));\n }\n\n private handlePendingList(res: ServerResponse): void {\n const list = Array.from(this.pending.values()).map((p) => ({\n id: p.id,\n operation: p.request.operation,\n tier: p.request.tier,\n reason: p.request.reason,\n context: p.request.context,\n timestamp: p.request.timestamp,\n created_at: p.created_at,\n }));\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify(list));\n }\n\n private handleAuditLog(url: URL, res: ServerResponse): void {\n const limit = parseInt(url.searchParams.get(\"limit\") ?? \"50\", 10);\n\n // AuditLog.query is async, but for the dashboard we return what we can\n if (this.auditLog) {\n this.auditLog.query({ limit }).then((entries) => {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify(entries));\n }).catch(() => {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify([]));\n });\n } else {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify([]));\n }\n }\n\n private handleDecision(id: string, decision: \"approve\" | \"deny\", res: ServerResponse): void {\n const pending = this.pending.get(id);\n if (!pending) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Request not found or already resolved\" }));\n return;\n }\n\n // Clear timeout\n clearTimeout(pending.timer);\n\n // Remove from pending\n this.pending.delete(id);\n\n // Create response\n const response: ApprovalResponse = {\n decision,\n decided_at: new Date().toISOString(),\n decided_by: \"human\",\n };\n\n // Broadcast resolution to all dashboards\n this.broadcastSSE(\"request-resolved\", {\n request_id: id,\n decision,\n decided_by: \"human\",\n });\n\n // Resolve the waiting promise (unblocks the tool call)\n pending.resolve(response);\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ success: true, decision }));\n }\n\n // ── SSE Broadcasting ────────────────────────────────────────────────\n\n broadcastSSE(event: string, data: unknown): void {\n const message = `event: ${event}\\ndata: ${JSON.stringify(data)}\\n\\n`;\n for (const client of this.sseClients) {\n try {\n client.write(message);\n } catch {\n this.sseClients.delete(client);\n }\n }\n }\n\n /**\n * Broadcast an audit entry to connected dashboards.\n * Called externally when audit events happen.\n */\n broadcastAuditEntry(entry: {\n timestamp: string;\n layer: string;\n operation: string;\n identity_id: string;\n }): void {\n this.broadcastSSE(\"audit-entry\", entry);\n }\n\n /**\n * Broadcast a baseline update to connected dashboards.\n * Called externally after baseline changes.\n */\n broadcastBaselineUpdate(): void {\n if (this.baseline) {\n this.broadcastSSE(\"baseline-update\", this.baseline.getProfile());\n }\n }\n\n /**\n * Broadcast a tool call event to connected dashboards.\n * Called from the gate or router when a tool is invoked.\n */\n broadcastToolCall(data: {\n tool: string;\n tier: number;\n allowed: boolean;\n timestamp: string;\n }): void {\n this.broadcastSSE(\"tool-call\", data);\n }\n\n /**\n * Broadcast a context gate decision to connected dashboards.\n */\n broadcastContextGateDecision(data: {\n tool: string;\n fields_filtered: number;\n fields_total: number;\n action: string;\n timestamp: string;\n }): void {\n this.broadcastSSE(\"context-gate-decision\", data);\n }\n\n /**\n * Broadcast current protection status to connected dashboards.\n */\n broadcastProtectionStatus(data: Record<string, unknown>): void {\n this.broadcastSSE(\"protection-status\", data);\n }\n\n /**\n * Open a URL in the system's default browser.\n * Cross-platform: macOS (open), Linux (xdg-open), Windows (start).\n * Fails silently — dashboard still works via terminal URL.\n */\n private openInBrowser(url: string): void {\n const os = platform();\n let cmd: string;\n if (os === \"darwin\") {\n cmd = `open \"${url}\"`;\n } else if (os === \"win32\") {\n cmd = `start \"\" \"${url}\"`;\n } else {\n cmd = `xdg-open \"${url}\"`;\n }\n exec(cmd, (err) => {\n if (err) {\n process.stderr.write(\n ` (Could not auto-open browser. Open the URL above manually.)\\n\\n`\n );\n }\n });\n }\n\n /**\n * Create a pre-authenticated URL for the dashboard.\n * Used by the sanctuary_dashboard_open tool and at startup.\n */\n createSessionUrl(): string {\n const sessionId = this.createSession();\n const protocol = this.useTLS ? \"https\" : \"http\";\n return `${protocol}://${this.config.host}:${this.config.port}/?session=${sessionId}`;\n }\n\n /**\n * Get the base URL for the dashboard.\n */\n getBaseUrl(): string {\n const protocol = this.useTLS ? \"https\" : \"http\";\n return `${protocol}://${this.config.host}:${this.config.port}`;\n }\n\n /** Get the number of pending requests */\n get pendingCount(): number {\n return this.pending.size;\n }\n\n /** Get the number of connected SSE clients */\n get clientCount(): number {\n return this.sseClients.size;\n }\n}\n","/**\n * Sanctuary MCP Server — Webhook Approval Channel\n *\n * Sends approval requests to an external webhook URL and listens for\n * callback responses. Enables integration with Slack, Discord, PagerDuty,\n * or any HTTP-based approval workflow.\n *\n * Architecture:\n * - Outbound: POST approval request to configured webhook_url\n * - Inbound: HTTP callback server listens for POST /webhook/respond/:id\n * - HMAC-SHA256 signatures on both outbound and inbound payloads\n * - Timeout fallback: auto-deny (or auto-approve) if no callback received\n *\n * Security invariants:\n * - All outbound payloads signed with HMAC-SHA256 (webhook_secret)\n * - All inbound callbacks verified with same HMAC-SHA256 signature\n * - Callback server binds to configurable host (default 127.0.0.1)\n * - Replay protection via request ID + pending map (can't approve twice)\n * - All decisions are audit-logged\n */\n\nimport {\n createServer as createHttpServer,\n type IncomingMessage,\n type ServerResponse,\n} from \"node:http\";\nimport { createHmac, randomBytes } from \"node:crypto\";\nimport type { ApprovalChannel } from \"./approval-channel.js\";\nimport type { ApprovalRequest, ApprovalResponse } from \"./types.js\";\n\n// ── Types ───────────────────────────────────────────────────────────────\n\nexport interface WebhookConfig {\n /** URL to POST approval requests to */\n webhook_url: string;\n /** Shared secret for HMAC-SHA256 signatures */\n webhook_secret: string;\n /** Port for the callback listener */\n callback_port: number;\n /** Host for the callback listener (default: 127.0.0.1) */\n callback_host: string;\n /** Seconds to wait for a callback before timeout */\n timeout_seconds: number;\n /** SEC-002: auto_deny is always true. Field retained for interface compat but ignored. */\n auto_deny?: boolean;\n}\n\ninterface PendingWebhookRequest {\n id: string;\n request: ApprovalRequest;\n resolve: (response: ApprovalResponse) => void;\n timer: ReturnType<typeof setTimeout>;\n created_at: string;\n}\n\n/** Outbound webhook payload */\nexport interface WebhookPayload {\n /** Unique request ID */\n request_id: string;\n /** The approval request details */\n operation: string;\n tier: 1 | 2;\n reason: string;\n context: Record<string, unknown>;\n timestamp: string;\n /** URL to POST the response back to */\n callback_url: string;\n /** Seconds until auto-resolution */\n timeout_seconds: number;\n}\n\n/** Inbound callback payload */\nexport interface WebhookCallbackPayload {\n /** The request ID being responded to */\n request_id: string;\n /** The decision */\n decision: \"approve\" | \"deny\";\n}\n\n// ── HMAC Helpers ────────────────────────────────────────────────────────\n\n/**\n * Generate HMAC-SHA256 signature for a payload.\n */\nexport function signPayload(body: string, secret: string): string {\n return createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n}\n\n/**\n * Verify HMAC-SHA256 signature. Uses timing-safe comparison.\n */\nexport function verifySignature(\n body: string,\n signature: string,\n secret: string\n): boolean {\n const expected = signPayload(body, secret);\n if (expected.length !== signature.length) return false;\n // Constant-time comparison\n let mismatch = 0;\n for (let i = 0; i < expected.length; i++) {\n mismatch |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n }\n return mismatch === 0;\n}\n\n// ── Webhook Approval Channel ────────────────────────────────────────────\n\nexport class WebhookApprovalChannel implements ApprovalChannel {\n private config: WebhookConfig;\n private pending: Map<string, PendingWebhookRequest> = new Map();\n private callbackServer: ReturnType<typeof createHttpServer> | null = null;\n\n constructor(config: WebhookConfig) {\n this.config = config;\n }\n\n /**\n * Start the callback listener server.\n */\n async start(): Promise<void> {\n return new Promise((resolve, reject) => {\n this.callbackServer = createHttpServer((req, res) =>\n this.handleCallback(req, res)\n );\n this.callbackServer.listen(\n this.config.callback_port,\n this.config.callback_host,\n () => {\n process.stderr.write(\n `\\n Sanctuary Webhook Callback: http://${this.config.callback_host}:${this.config.callback_port}\\n` +\n ` Webhook target: ${this.config.webhook_url}\\n\\n`\n );\n resolve();\n }\n );\n this.callbackServer.on(\"error\", reject);\n });\n }\n\n /**\n * Stop the callback server and clean up pending requests.\n */\n async stop(): Promise<void> {\n // Resolve all pending as deny\n for (const [, pending] of this.pending) {\n clearTimeout(pending.timer);\n pending.resolve({\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n });\n }\n this.pending.clear();\n\n if (this.callbackServer) {\n return new Promise((resolve) => {\n this.callbackServer!.close(() => resolve());\n });\n }\n }\n\n /**\n * Request approval by POSTing to the webhook and waiting for a callback.\n */\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n const id = randomBytes(8).toString(\"hex\");\n\n // Also write to stderr as notification\n process.stderr.write(\n `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) — awaiting callback\\n`\n );\n\n return new Promise<ApprovalResponse>((resolve) => {\n // Set up timeout\n const timer = setTimeout(() => {\n this.pending.delete(id);\n const response: ApprovalResponse = {\n // SEC-002: Timeout ALWAYS denies. No configuration can change this.\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"timeout\",\n };\n resolve(response);\n }, this.config.timeout_seconds * 1000);\n\n // Store pending request\n const pending: PendingWebhookRequest = {\n id,\n request,\n resolve,\n timer,\n created_at: new Date().toISOString(),\n };\n this.pending.set(id, pending);\n\n // Build outbound payload\n const callbackUrl = `http://${this.config.callback_host}:${this.config.callback_port}/webhook/respond/${id}`;\n const payload: WebhookPayload = {\n request_id: id,\n operation: request.operation,\n tier: request.tier,\n reason: request.reason,\n context: request.context,\n timestamp: request.timestamp,\n callback_url: callbackUrl,\n timeout_seconds: this.config.timeout_seconds,\n };\n\n // Send the webhook (fire-and-forget — errors logged, not thrown)\n this.sendWebhook(payload).catch((err) => {\n process.stderr.write(\n `[Sanctuary] Webhook delivery failed: ${err instanceof Error ? err.message : String(err)}\\n`\n );\n });\n });\n }\n\n // ── Outbound Webhook ──────────────────────────────────────────────────\n\n private async sendWebhook(payload: WebhookPayload): Promise<void> {\n const body = JSON.stringify(payload);\n const signature = signPayload(body, this.config.webhook_secret);\n\n const response = await fetch(this.config.webhook_url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n \"X-Sanctuary-Signature\": signature,\n \"X-Sanctuary-Request-Id\": payload.request_id,\n },\n body,\n });\n\n if (!response.ok) {\n throw new Error(\n `Webhook returned ${response.status}: ${await response.text().catch(() => \"\")}`\n );\n }\n }\n\n // ── Inbound Callback Handler ──────────────────────────────────────────\n\n private handleCallback(req: IncomingMessage, res: ServerResponse): void {\n const url = new URL(\n req.url ?? \"/\",\n `http://${req.headers.host ?? \"localhost\"}`\n );\n const method = req.method ?? \"GET\";\n\n // CORS\n res.setHeader(\"Access-Control-Allow-Origin\", \"*\");\n res.setHeader(\"Access-Control-Allow-Methods\", \"POST, OPTIONS\");\n res.setHeader(\n \"Access-Control-Allow-Headers\",\n \"Content-Type, X-Sanctuary-Signature\"\n );\n\n if (method === \"OPTIONS\") {\n res.writeHead(204);\n res.end();\n return;\n }\n\n // Health check\n if (method === \"GET\" && url.pathname === \"/health\") {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n status: \"ok\",\n pending_count: this.pending.size,\n })\n );\n return;\n }\n\n // Only accept POST /webhook/respond/:id\n const match = url.pathname.match(/^\\/webhook\\/respond\\/([a-f0-9]+)$/);\n if (method !== \"POST\" || !match) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Not found\" }));\n return;\n }\n\n const requestId = match[1];\n\n // Read and verify the body\n let bodyChunks: Buffer[] = [];\n req.on(\"data\", (chunk: Buffer) => bodyChunks.push(chunk));\n req.on(\"end\", () => {\n const body = Buffer.concat(bodyChunks).toString(\"utf-8\");\n\n // Verify HMAC signature\n const signature = req.headers[\"x-sanctuary-signature\"];\n if (\n typeof signature !== \"string\" ||\n !verifySignature(body, signature, this.config.webhook_secret)\n ) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({ error: \"Invalid signature\" })\n );\n return;\n }\n\n // Parse payload\n let callbackPayload: WebhookCallbackPayload;\n try {\n callbackPayload = JSON.parse(body);\n } catch {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid JSON\" }));\n return;\n }\n\n // Validate decision\n if (\n callbackPayload.decision !== \"approve\" &&\n callbackPayload.decision !== \"deny\"\n ) {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n error: 'Decision must be \"approve\" or \"deny\"',\n })\n );\n return;\n }\n\n // Validate request_id matches URL\n if (callbackPayload.request_id !== requestId) {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({ error: \"Request ID mismatch\" })\n );\n return;\n }\n\n // Find the pending request\n const pending = this.pending.get(requestId);\n if (!pending) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n error: \"Request not found or already resolved\",\n })\n );\n return;\n }\n\n // Clear timeout and resolve\n clearTimeout(pending.timer);\n this.pending.delete(requestId);\n\n const response: ApprovalResponse = {\n decision: callbackPayload.decision,\n decided_at: new Date().toISOString(),\n decided_by: \"human\",\n };\n\n pending.resolve(response);\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n success: true,\n decision: callbackPayload.decision,\n })\n );\n });\n }\n\n /** Get the number of pending requests */\n get pendingCount(): number {\n return this.pending.size;\n }\n}\n","/**\n * Sanctuary MCP Server — Prompt Injection Detection Layer\n *\n * Fast, zero-dependency detection of common prompt injection patterns.\n * Scans tool arguments for role override, security bypass, encoding evasion,\n * data exfiltration, and prompt stuffing signals.\n *\n * Security invariants:\n * - Always returns a result, never throws\n * - Typical scan completes in < 5ms\n * - False positives minimized via field-aware scanning\n * - Recursive scanning of nested objects/arrays\n */\n\nexport interface InjectionDetectorConfig {\n enabled: boolean;\n sensitivity: \"low\" | \"medium\" | \"high\";\n on_detection: \"escalate\" | \"block\" | \"log\";\n custom_patterns?: string[];\n}\n\nexport interface InjectionSignal {\n type: string;\n pattern: string;\n location: string;\n severity: \"low\" | \"medium\" | \"high\";\n}\n\nexport interface DetectionResult {\n flagged: boolean;\n confidence: number; // 0.0-1.0\n signals: InjectionSignal[];\n recommendation: \"allow\" | \"escalate\" | \"block\";\n}\n\n// Pattern definitions for each detection category\nconst ROLE_OVERRIDE_PATTERNS = [\n /ignore\\s+(?:(?:previous|prior|all)\\s+)?instructions/i,\n /you\\s+are\\s+now/i,\n /\\bsystem\\s*:\\s+(?!working|process|design|architecture)/i,\n /forget\\s+(?:everything|all|prior)/i,\n /disregard\\s+(?:the\\s+)?(?:previous\\s+)?instructions/i,\n /new\\s+instructions\\s*:/i,\n /updated?\\s+instructions\\s*:/i,\n];\n\nconst SECURITY_BYPASS_PATTERNS = [\n /skip\\s+(?:the\\s+)?(?:filter|gate|check|verify|approve)/i,\n /bypass\\s+(?:the\\s+)?(?:filter|gate|security|check)/i,\n /disable\\s+(?:the\\s+)?(?:filter|gate|approval|security|audit|log|encrypt|verify)/i,\n /do\\s+not\\s+(?:audit|log|encrypt|verify|approve|check|sign)/i,\n];\n\nconst TOOL_INVOCATION_PATTERNS = [\n /sanctuary\\//i,\n /concordia\\//i,\n /bridge_/i,\n /handshake_/i,\n];\n\nconst URL_PATTERN = /https?:\\/\\/[^\\s\"'<>]+/i;\nconst EMAIL_PATTERN = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/;\n\n// Zero-width characters that are used in evasion\nconst ZERO_WIDTH_CHARS = [\n \"\\u200B\", // Zero-width space\n \"\\u200C\", // Zero-width non-joiner\n \"\\u200D\", // Zero-width joiner\n \"\\uFEFF\", // Zero-width no-break space\n];\n\nexport class InjectionDetector {\n private config: InjectionDetectorConfig;\n private stats = {\n total_scans: 0,\n total_flags: 0,\n total_blocks: 0,\n signals_by_type: {} as Record<string, number>,\n };\n\n constructor(config: Partial<InjectionDetectorConfig> = {}) {\n this.config = {\n enabled: config.enabled ?? true,\n sensitivity: config.sensitivity ?? \"medium\",\n on_detection: config.on_detection ?? \"escalate\",\n custom_patterns: config.custom_patterns ?? [],\n };\n }\n\n /**\n * Scan tool arguments for injection signals.\n * @param toolName Full tool name (e.g., \"sanctuary/state_read\")\n * @param args Tool arguments\n * @returns DetectionResult with all detected signals\n */\n scan(toolName: string, args: Record<string, unknown>): DetectionResult {\n this.stats.total_scans++;\n\n if (!this.config.enabled) {\n return {\n flagged: false,\n confidence: 0,\n signals: [],\n recommendation: \"allow\",\n };\n }\n\n const signals: InjectionSignal[] = [];\n const visited = new Set<unknown>();\n\n // Recursively scan all string values\n this.scanValue(args, \"\", toolName, signals, visited);\n\n const flagged = signals.length > 0;\n if (flagged) {\n this.stats.total_flags++;\n }\n // Always accumulate signal types, even if not flagged (for visibility)\n for (const sig of signals) {\n this.stats.signals_by_type[sig.type] =\n (this.stats.signals_by_type[sig.type] ?? 0) + 1;\n }\n\n const recommendation = this.computeRecommendation(\n signals,\n this.config.sensitivity\n );\n\n if (recommendation === \"block\") {\n this.stats.total_blocks++;\n }\n\n return {\n flagged,\n confidence: this.computeConfidence(signals),\n signals,\n recommendation,\n };\n }\n\n /**\n * Recursively scan a value and all nested values.\n */\n private scanValue(\n value: unknown,\n path: string,\n toolName: string,\n signals: InjectionSignal[],\n visited: Set<unknown>\n ): void {\n // Prevent circular reference loops\n if (typeof value === \"object\" && value !== null) {\n if (visited.has(value)) return;\n visited.add(value);\n }\n\n if (typeof value === \"string\") {\n this.scanString(value, path, toolName, signals);\n } else if (Array.isArray(value)) {\n for (let i = 0; i < value.length; i++) {\n this.scanValue(value[i], `${path}[${i}]`, toolName, signals, visited);\n }\n } else if (typeof value === \"object\" && value !== null) {\n for (const [key, val] of Object.entries(value)) {\n this.scanValue(val, path ? `${path}.${key}` : key, toolName, signals, visited);\n }\n }\n }\n\n /**\n * Scan a single string for injection signals.\n */\n private scanString(\n value: string,\n path: string,\n _toolName: string,\n signals: InjectionSignal[]\n ): void {\n // Skip obviously safe fields\n if (this.isSafeField(path)) {\n return;\n }\n\n const location = path || \"root\";\n\n // SEC-032: Normalize Unicode before pattern matching.\n // Two-phase normalization:\n // 1. NFKC: maps fullwidth chars, ligatures, compatibility forms to canonical\n // 2. Confusable mapping: replaces common cross-script lookalikes (Cyrillic→Latin)\n // that NFKC doesn't cover (they're distinct codepoints, not compatibility equivalents)\n const normalized = this.normalizeConfusables(value.normalize(\"NFKC\"));\n\n // If normalization changed the string, that's itself a signal\n if (normalized !== value) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"unicode_normalization_delta\",\n location,\n severity: \"medium\",\n });\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // HIGH SEVERITY: Role Override\n // ─────────────────────────────────────────────────────────────────────\n for (const pattern of ROLE_OVERRIDE_PATTERNS) {\n if (pattern.test(normalized)) {\n signals.push({\n type: \"role_override\",\n pattern: pattern.source,\n location,\n severity: \"high\",\n });\n break; // Only report one match per field\n }\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // HIGH SEVERITY: Security Bypass\n // ─────────────────────────────────────────────────────────────────────\n for (const pattern of SECURITY_BYPASS_PATTERNS) {\n if (pattern.test(normalized)) {\n signals.push({\n type: \"security_bypass\",\n pattern: pattern.source,\n location,\n severity: \"high\",\n });\n break; // Only report one match per field\n }\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // MEDIUM SEVERITY: Tool Invocation in Strings\n // ─────────────────────────────────────────────────────────────────────\n if (!this.isToolNameField(path)) {\n for (const pattern of TOOL_INVOCATION_PATTERNS) {\n if (pattern.test(normalized)) {\n signals.push({\n type: \"tool_invocation_in_string\",\n pattern: pattern.source,\n location,\n severity: \"medium\",\n });\n break; // Only report one match per field\n }\n }\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // MEDIUM SEVERITY: Encoding Evasion\n // ─────────────────────────────────────────────────────────────────────\n this.detectEncodingEvasion(value, location, signals);\n\n // ─────────────────────────────────────────────────────────────────────\n // MEDIUM SEVERITY: Data Exfiltration\n // ─────────────────────────────────────────────────────────────────────\n this.detectDataExfiltration(value, location, signals);\n\n // ─────────────────────────────────────────────────────────────────────\n // LOW SEVERITY: Prompt Stuffing\n // ─────────────────────────────────────────────────────────────────────\n this.detectPromptStuffing(value, location, signals);\n }\n\n /**\n * Detect base64 strings and zero-width character evasion.\n */\n private detectEncodingEvasion(\n value: string,\n path: string,\n signals: InjectionSignal[]\n ): void {\n // Base64 detection: alphanumeric + / + = chars, at least 50 chars\n if (\n value.length > 50 &&\n /^[A-Za-z0-9+/]+={0,2}$/.test(value.trim())\n ) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"base64_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // Zero-width character detection\n let zeroWidthCount = 0;\n for (const char of ZERO_WIDTH_CHARS) {\n zeroWidthCount += (value.match(new RegExp(char, \"g\")) || []).length;\n }\n\n if (zeroWidthCount > 0) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"zero_width_characters\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // Unicode category mixing: presence of multiple distinct Unicode categories\n // suggests obfuscation (e.g., mixing CJK, Latin, Arabic, Cyrillic)\n const hasLatin = /[a-zA-Z]/.test(value);\n const hasCJK = /[\\u4E00-\\u9FFF\\u3040-\\u309F\\uAC00-\\uD7AF]/.test(value);\n const hasArabic = /[\\u0600-\\u06FF]/.test(value);\n const hasCyrillic = /[\\u0400-\\u04FF]/.test(value);\n\n const unicodeCategories = [hasLatin, hasCJK, hasArabic, hasCyrillic].filter(\n (x) => x\n ).length;\n\n if (unicodeCategories >= 3) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"unicode_category_mixing\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n }\n\n /**\n * Detect URLs and emails in fields that shouldn't have them.\n */\n private detectDataExfiltration(\n value: string,\n path: string,\n signals: InjectionSignal[]\n ): void {\n // Skip obviously safe fields\n if (this.isUrlSafeField(path)) {\n return;\n }\n\n // URL detection in non-url fields\n if (URL_PATTERN.test(value)) {\n signals.push({\n type: \"data_exfiltration\",\n pattern: \"url_in_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // Email detection in non-email fields\n if (EMAIL_PATTERN.test(value) && !this.isEmailSafeField(path)) {\n signals.push({\n type: \"data_exfiltration\",\n pattern: \"email_in_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // JSON/XML embedded in plain string fields\n // Only flag if it looks like deliberate embedding (not just a URL or normal text)\n if (value.length > 30 && value.length < 10000 && !this.isStructuredField(path)) {\n // Look for actual JSON/XML with content, not just edge cases\n const hasJsonContent = /\\{[^}]*\"[^\"]*\"[^}]*\\}/.test(value);\n const hasXmlContent = /<[^>]+>[\\s\\S]*?<\\/[^>]+>/.test(value);\n\n if (hasJsonContent || hasXmlContent) {\n signals.push({\n type: \"data_exfiltration\",\n pattern: \"structured_data_in_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n }\n }\n\n /**\n * Detect prompt stuffing: very large strings or high repetition.\n */\n private detectPromptStuffing(\n value: string,\n path: string,\n signals: InjectionSignal[]\n ): void {\n // Large string detection (> 10KB)\n if (value.length > 10240) {\n signals.push({\n type: \"prompt_stuffing\",\n pattern: \"large_string\",\n location: path || \"root\",\n severity: \"low\",\n });\n }\n\n // High repetition detection: same substring repeated 10+ times\n // SEC-031: Uses substring counting instead of regex to prevent ReDoS.\n // Checks a fixed set of window sizes (10, 20, 50) for O(n) performance.\n if (value.length >= 100) {\n const windowSizes = [10, 20, 50];\n for (const windowSize of windowSizes) {\n if (value.length < windowSize * 5) continue;\n const pattern = value.substring(0, windowSize);\n let count = 0;\n let idx = 0;\n while (idx <= value.length - windowSize) {\n if (value.substring(idx, idx + windowSize) === pattern) {\n count++;\n idx += windowSize; // Non-overlapping matches\n } else {\n idx++;\n }\n if (count >= 10) break; // Early exit\n }\n if (count >= 10) {\n signals.push({\n type: \"prompt_stuffing\",\n pattern: \"high_repetition\",\n location: path || \"root\",\n severity: \"low\",\n });\n break; // Only report once per field\n }\n }\n }\n }\n\n /**\n * Determine if this field is inherently safe from role override.\n */\n private isSafeField(path: string): boolean {\n // Fields that never contain user instructions\n const safePaths = [\n /\\.version$/i,\n /\\.timestamp$/i,\n /\\.id$/i,\n /\\.uuid$/i,\n /\\.hash$/i,\n /\\.signature$/i,\n /\\.public_key$/i,\n /\\.private_key$/i,\n /\\.did$/i,\n /\\.nonce$/i,\n /\\.salt$/i,\n /\\.iv$/i,\n /^ciphertext$/i,\n /^encrypted$/i,\n ];\n\n return safePaths.some((p) => p.test(path));\n }\n\n /**\n * Determine if this is a tool name field (where tool refs are expected).\n */\n private isToolNameField(path: string): boolean {\n const toolFields = [\n /tool_name/i,\n /\\.tool$/i,\n /^tool$/i,\n /operation/i,\n ];\n return toolFields.some((p) => p.test(path));\n }\n\n /**\n * Determine if this field is safe for URLs.\n */\n private isUrlSafeField(path: string): boolean {\n const urlFields = [\n /url/i,\n /endpoint/i,\n /webhook/i,\n /callback/i,\n ];\n return urlFields.some((p) => p.test(path));\n }\n\n /**\n * Determine if this field is safe for emails.\n */\n private isEmailSafeField(path: string): boolean {\n const emailFields = [\n /email/i,\n /contact/i,\n /recipient/i,\n /sender/i,\n /from/i,\n /to/i,\n ];\n return emailFields.some((p) => p.test(path));\n }\n\n /**\n * Determine if this field is safe for structured data (JSON/XML).\n */\n private isStructuredField(path: string): boolean {\n const structuredFields = [\n /data/i,\n /payload/i,\n /body/i,\n /json/i,\n /xml/i,\n ];\n return structuredFields.some((p) => p.test(path));\n }\n\n /**\n * SEC-032: Map common cross-script confusable characters to their Latin equivalents.\n * NFKC normalization handles fullwidth and compatibility forms, but does NOT map\n * Cyrillic/Greek lookalikes to Latin (they're distinct codepoints by design).\n * This covers the most common confusables used in injection evasion.\n */\n private normalizeConfusables(value: string): string {\n // Map of common confusable characters → Latin equivalents\n // Source: Unicode TR39 confusable mappings (subset covering injection-relevant chars)\n const confusables: Record<string, string> = {\n // Cyrillic → Latin\n \"\\u0410\": \"A\", \"\\u0430\": \"a\", // А а\n \"\\u0412\": \"B\", \"\\u0432\": \"b\", // В (not exact) в (not exact)\n \"\\u0421\": \"C\", \"\\u0441\": \"c\", // С с\n \"\\u0415\": \"E\", \"\\u0435\": \"e\", // Е е\n \"\\u041D\": \"H\", \"\\u043D\": \"h\", // Н (not exact) н (not exact)\n \"\\u041A\": \"K\", \"\\u043A\": \"k\", // К к (not exact)\n \"\\u041C\": \"M\", \"\\u043C\": \"m\", // М (not exact) м (not exact)\n \"\\u041E\": \"O\", \"\\u043E\": \"o\", // О о\n \"\\u0420\": \"P\", \"\\u0440\": \"p\", // Р р\n \"\\u0422\": \"T\", \"\\u0442\": \"t\", // Т (not exact) т (not exact)\n \"\\u0425\": \"X\", \"\\u0445\": \"x\", // Х х\n \"\\u0423\": \"Y\", \"\\u0443\": \"y\", // У (not exact) у\n // Greek → Latin\n \"\\u0391\": \"A\", \"\\u03B1\": \"a\", // Α α (not exact)\n \"\\u0392\": \"B\", \"\\u03B2\": \"b\", // Β β (not exact)\n \"\\u0395\": \"E\", \"\\u03B5\": \"e\", // Ε ε (not exact)\n \"\\u0397\": \"H\", // Η\n \"\\u0399\": \"I\", \"\\u03B9\": \"i\", // Ι ι\n \"\\u039A\": \"K\", \"\\u03BA\": \"k\", // Κ κ\n \"\\u039C\": \"M\", // Μ\n \"\\u039D\": \"N\", // Ν\n \"\\u039F\": \"O\", \"\\u03BF\": \"o\", // Ο ο\n \"\\u03A1\": \"P\", \"\\u03C1\": \"p\", // Ρ ρ (not exact)\n \"\\u03A4\": \"T\", \"\\u03C4\": \"t\", // Τ τ (not exact)\n \"\\u03A5\": \"Y\", \"\\u03C5\": \"y\", // Υ υ (not exact)\n \"\\u03A7\": \"X\", \"\\u03C7\": \"x\", // Χ χ (not exact)\n };\n\n let result = value;\n // Only scan if the string contains non-ASCII characters (fast path)\n // eslint-disable-next-line no-control-regex\n if (/[^\\x00-\\x7F]/.test(value)) {\n const chars = [];\n for (const ch of result) {\n chars.push(confusables[ch] ?? ch);\n }\n result = chars.join(\"\");\n }\n return result;\n }\n\n /**\n * Compute confidence score based on signals.\n * More high-severity signals = higher confidence.\n */\n private computeConfidence(signals: InjectionSignal[]): number {\n if (signals.length === 0) return 0;\n\n let score = 0;\n let highCount = 0;\n\n for (const sig of signals) {\n switch (sig.severity) {\n case \"high\":\n highCount++;\n score += 0.35;\n break;\n case \"medium\":\n score += 0.15;\n break;\n case \"low\":\n score += 0.05;\n break;\n }\n }\n\n // Each additional high-severity signal increases confidence\n if (highCount > 1) {\n score += (highCount - 1) * 0.15;\n }\n\n // Cap at 1.0\n return Math.min(score, 1.0);\n }\n\n /**\n * Compute recommendation based on signals and sensitivity.\n */\n private computeRecommendation(\n signals: InjectionSignal[],\n sensitivity: \"low\" | \"medium\" | \"high\"\n ): \"allow\" | \"escalate\" | \"block\" {\n if (signals.length === 0) return \"allow\";\n\n const highSeverity = signals.filter((s) => s.severity === \"high\");\n const mediumSeverity = signals.filter((s) => s.severity === \"medium\");\n\n switch (sensitivity) {\n case \"low\":\n // Only high-severity signals trigger escalation\n return highSeverity.length > 0 ? \"escalate\" : \"allow\";\n\n case \"medium\":\n // High-severity → block, medium → escalate, low → allow\n if (highSeverity.length > 0) return \"block\";\n return mediumSeverity.length > 0 ? \"escalate\" : \"allow\";\n\n case \"high\":\n // High-severity → block, medium → block, low → escalate\n if (highSeverity.length > 0 || mediumSeverity.length > 1) return \"block\";\n if (mediumSeverity.length > 0) return \"block\";\n return signals.length > 0 ? \"escalate\" : \"allow\";\n }\n }\n\n /**\n * Get statistics about scans performed.\n */\n getStats(): {\n total_scans: number;\n total_flags: number;\n total_blocks: number;\n signals_by_type: Record<string, number>;\n } {\n return {\n total_scans: this.stats.total_scans,\n total_flags: this.stats.total_flags,\n total_blocks: this.stats.total_blocks,\n signals_by_type: { ...this.stats.signals_by_type },\n };\n }\n\n /**\n * Reset statistics.\n */\n resetStats(): void {\n this.stats = {\n total_scans: 0,\n total_flags: 0,\n total_blocks: 0,\n signals_by_type: {},\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Approval Gate\n *\n * The three-tier approval gate sits between the MCP router and tool handlers.\n * Every tool call passes through the gate before execution.\n *\n * Evaluation order:\n * 1. Tier 1: Is this operation in the always-approve list? → Request approval.\n * 2. Tier 2: Does this call represent a behavioral anomaly? → Request approval.\n * 3. Tier 3 / default: Allow with audit logging.\n *\n * Security invariants:\n * - The gate cannot be bypassed — it wraps every tool handler.\n * - Denial responses do not reveal policy details to the agent.\n * - All gate decisions (approve, deny, allow) are audit-logged.\n */\n\nimport type { PrincipalPolicy, GateResult, ApprovalRequest } from \"./types.js\";\nimport type { ApprovalChannel } from \"./approval-channel.js\";\nimport { BaselineTracker } from \"./baseline.js\";\nimport { extractOperationName } from \"./loader.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { InjectionDetector, type DetectionResult } from \"../security/injection-detector.js\";\n\n/** Callback invoked when an injection is detected, for dashboard broadcasting */\nexport type InjectionAlertCallback = (alert: {\n toolName: string;\n result: DetectionResult;\n timestamp: string;\n}) => void;\n\nexport class ApprovalGate {\n private policy: PrincipalPolicy;\n private baseline: BaselineTracker;\n private channel: ApprovalChannel;\n private auditLog: AuditLog;\n private injectionDetector: InjectionDetector;\n private onInjectionAlert?: InjectionAlertCallback;\n\n constructor(\n policy: PrincipalPolicy,\n baseline: BaselineTracker,\n channel: ApprovalChannel,\n auditLog: AuditLog,\n injectionDetector?: InjectionDetector,\n onInjectionAlert?: InjectionAlertCallback\n ) {\n this.policy = policy;\n this.baseline = baseline;\n this.channel = channel;\n this.auditLog = auditLog;\n this.injectionDetector = injectionDetector ?? new InjectionDetector();\n this.onInjectionAlert = onInjectionAlert;\n }\n\n /**\n * Evaluate a tool call against the Principal Policy.\n *\n * @param toolName - Full MCP tool name (e.g., \"sanctuary/state_export\")\n * @param args - Tool call arguments (for context extraction)\n * @returns GateResult indicating whether the call is allowed\n */\n async evaluate(\n toolName: string,\n args: Record<string, unknown>\n ): Promise<GateResult> {\n const operation = extractOperationName(toolName);\n\n // Record the tool call in the baseline tracker\n this.baseline.recordToolCall(operation);\n\n // ── Pre-check: Prompt injection detection ────────────────────────\n const injectionResult = this.injectionDetector.scan(toolName, args);\n if (injectionResult.flagged) {\n this.auditLog.append(\"l2\", `injection_detected:${operation}`, \"system\", {\n confidence: injectionResult.confidence,\n signals: injectionResult.signals.map(s => ({\n type: s.type,\n location: s.location,\n severity: s.severity,\n })),\n recommendation: injectionResult.recommendation,\n });\n\n // Notify dashboard if callback is registered\n if (this.onInjectionAlert) {\n this.onInjectionAlert({\n toolName,\n result: injectionResult,\n timestamp: new Date().toISOString(),\n });\n }\n\n if (injectionResult.recommendation === \"block\") {\n return {\n allowed: false,\n tier: 1,\n reason: `Blocked: prompt injection detected in \"${operation}\" (confidence: ${(injectionResult.confidence * 100).toFixed(0)}%)`,\n approval_required: false,\n };\n }\n\n if (injectionResult.recommendation === \"escalate\") {\n return this.requestApproval(\n operation,\n 1,\n `Potential prompt injection detected in \"${operation}\" (confidence: ${(injectionResult.confidence * 100).toFixed(0)}%, ${injectionResult.signals.length} signal(s))`,\n {\n operation,\n injection_detection: {\n confidence: injectionResult.confidence,\n signal_count: injectionResult.signals.length,\n signal_types: [...new Set(injectionResult.signals.map(s => s.type))],\n },\n }\n );\n }\n }\n\n // ── Tier 1: Always requires approval ──────────────────────────────\n if (this.policy.tier1_always_approve.includes(operation)) {\n return this.requestApproval(operation, 1, `\"${operation}\" is a Tier 1 operation (always requires approval)`, {\n operation,\n args_summary: this.summarizeArgs(args),\n });\n }\n\n // ── Tier 2: Behavioral anomaly detection ──────────────────────────\n const anomaly = this.detectAnomaly(operation, args);\n if (anomaly) {\n return this.requestApproval(operation, 2, anomaly.reason, anomaly.context);\n }\n\n // ── Tier 3: Allow with audit logging (only for explicitly listed operations)\n if (this.policy.tier3_always_allow.includes(operation)) {\n this.auditLog.append(\"l2\", `gate_allow:${operation}`, \"system\", {\n tier: 3,\n operation,\n });\n\n return {\n allowed: true,\n tier: 3,\n reason: \"Operation allowed (Tier 3)\",\n approval_required: false,\n };\n }\n\n // ── Unlisted operation: default to Tier 1 (require approval) ─────\n // SEC-011: Operations not classified in any tier must not auto-allow.\n // Safe default is to require human approval.\n this.auditLog.append(\"l2\", `gate_unclassified:${operation}`, \"system\", {\n tier: 1,\n operation,\n warning: \"Operation is not classified in any policy tier — defaulting to Tier 1 (require approval)\",\n });\n\n return this.requestApproval(\n operation,\n 1,\n `\"${operation}\" is not classified in any policy tier — requires approval (SEC-011 safe default)`,\n { operation, unclassified: true }\n );\n }\n\n /**\n * Detect Tier 2 behavioral anomalies.\n */\n private detectAnomaly(\n operation: string,\n args: Record<string, unknown>\n ): { reason: string; context: Record<string, unknown> } | null {\n const config = this.policy.tier2_anomaly;\n\n // ── First session check ───────────────────────────────────────────\n if (this.baseline.isFirstSession && config.first_session_policy === \"approve\") {\n // On first session, only Tier 3 operations are auto-allowed\n if (!this.policy.tier3_always_allow.includes(operation)) {\n return {\n reason: `First session: \"${operation}\" has no established baseline`,\n context: { operation, is_first_session: true },\n };\n }\n }\n\n // ── New namespace access ──────────────────────────────────────────\n if (config.new_namespace_access === \"approve\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n const isNew = this.baseline.recordNamespaceAccess(namespace);\n if (isNew) {\n return {\n reason: `First access to namespace \"${namespace}\" (not in session baseline)`,\n context: {\n operation,\n namespace,\n known_namespaces: this.baseline.getProfile().known_namespaces,\n },\n };\n }\n }\n } else if (config.new_namespace_access === \"log\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n this.baseline.recordNamespaceAccess(namespace);\n }\n }\n\n // ── New counterparty ──────────────────────────────────────────────\n if (config.new_counterparty === \"approve\") {\n const counterpartyDid =\n (args.counterparty_did as string) ?? (args.agent_identity_id as string);\n if (counterpartyDid) {\n const isNew = this.baseline.recordCounterparty(counterpartyDid);\n if (isNew) {\n return {\n reason: `First interaction with counterparty \"${counterpartyDid}\"`,\n context: {\n operation,\n counterparty_did: counterpartyDid,\n known_counterparties: this.baseline.getProfile().known_counterparties,\n },\n };\n }\n }\n } else if (config.new_counterparty === \"log\") {\n const counterpartyDid = args.counterparty_did as string;\n if (counterpartyDid) {\n this.baseline.recordCounterparty(counterpartyDid);\n }\n }\n\n // ── Signing frequency ─────────────────────────────────────────────\n if (operation === \"identity_sign\") {\n const signCount = this.baseline.recordSign();\n if (signCount > config.max_signs_per_minute) {\n return {\n reason: `Signing frequency (${signCount}/min) exceeds limit (${config.max_signs_per_minute}/min)`,\n context: {\n operation,\n signs_per_minute: signCount,\n limit: config.max_signs_per_minute,\n },\n };\n }\n }\n\n // ── Bulk read detection ───────────────────────────────────────────\n if (operation === \"state_read\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n const readCount = this.baseline.recordNamespaceRead(namespace);\n if (readCount > config.bulk_read_threshold) {\n return {\n reason: `Bulk read detected: ${readCount} reads from \"${namespace}\" in 60 seconds (threshold: ${config.bulk_read_threshold})`,\n context: {\n operation,\n namespace,\n reads_in_window: readCount,\n threshold: config.bulk_read_threshold,\n },\n };\n }\n }\n }\n\n // ── Frequency spike ───────────────────────────────────────────────\n const callRate = this.baseline.getCallRate(operation);\n const avgRate = this.baseline.getAverageCallRate();\n if (\n avgRate > 0 &&\n callRate > avgRate * config.frequency_spike_multiplier\n ) {\n return {\n reason: `Frequency spike: \"${operation}\" at ${callRate}/min (${config.frequency_spike_multiplier}× above average ${avgRate.toFixed(1)}/min)`,\n context: {\n operation,\n current_rate: callRate,\n average_rate: avgRate,\n multiplier: config.frequency_spike_multiplier,\n },\n };\n }\n\n return null;\n }\n\n /**\n * Request approval from the human principal.\n */\n private async requestApproval(\n operation: string,\n tier: 1 | 2,\n reason: string,\n context: Record<string, unknown>\n ): Promise<GateResult> {\n const request: ApprovalRequest = {\n operation,\n tier,\n reason,\n context,\n timestamp: new Date().toISOString(),\n };\n\n const response = await this.channel.requestApproval(request);\n\n // Audit log the decision\n this.auditLog.append(\"l2\", `gate_${response.decision}:${operation}`, \"system\", {\n tier,\n reason,\n decided_by: response.decided_by,\n });\n\n return {\n allowed: response.decision === \"approve\",\n tier,\n reason: response.decision === \"approve\"\n ? `Approved by ${response.decided_by}`\n : reason,\n approval_required: true,\n approval_response: response,\n };\n }\n\n /**\n * Summarize tool arguments for the approval prompt.\n * Strips potentially large values to keep the prompt readable.\n */\n private summarizeArgs(args: Record<string, unknown>): Record<string, unknown> {\n const summary: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(args)) {\n if (typeof value === \"string\" && value.length > 100) {\n summary[key] = value.slice(0, 100) + \"...\";\n } else {\n summary[key] = value;\n }\n }\n return summary;\n }\n\n /** Get the baseline tracker for saving at session end */\n getBaseline(): BaselineTracker {\n return this.baseline;\n }\n\n /** Get the injection detector for stats/configuration access */\n getInjectionDetector(): InjectionDetector {\n return this.injectionDetector;\n }\n}\n","/**\n * Sanctuary MCP Server — Principal Policy MCP Tools\n *\n * Read-only tools that let the agent (and human) inspect the current\n * Principal Policy and behavioral baseline. These are Tier 3 operations —\n * always allowed, audit-logged, and cannot modify the policy or baseline.\n *\n * Security invariant:\n * - These tools are strictly read-only.\n * - No tool can modify the Principal Policy (it's frozen at startup).\n * - No tool can directly modify the behavioral baseline.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { PrincipalPolicy } from \"./types.js\";\nimport type { BaselineTracker } from \"./baseline.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\nexport function createPrincipalPolicyTools(\n policy: PrincipalPolicy,\n baseline: BaselineTracker,\n auditLog: AuditLog\n): ToolDefinition[] {\n return [\n {\n name: \"sanctuary/principal_policy_view\",\n description:\n \"View the current Principal Policy — the human-controlled rules \" +\n \"governing what operations require approval. Read-only.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_defaults: {\n type: \"boolean\",\n description: \"Include tier3_always_allow list (can be long)\",\n default: false,\n },\n },\n },\n handler: async (args) => {\n const includeDefaults = args.include_defaults as boolean ?? false;\n\n const view: Record<string, unknown> = {\n version: policy.version,\n tier1_always_approve: policy.tier1_always_approve,\n tier2_anomaly: policy.tier2_anomaly,\n approval_channel: {\n type: policy.approval_channel.type,\n timeout_seconds: policy.approval_channel.timeout_seconds,\n auto_deny: true, // SEC-002: hardcoded, not configurable\n },\n };\n\n if (includeDefaults) {\n view.tier3_always_allow = policy.tier3_always_allow;\n } else {\n view.tier3_always_allow_count = policy.tier3_always_allow.length;\n view.note =\n \"Pass include_defaults: true to see the full tier3_always_allow list\";\n }\n\n auditLog.append(\"l2\", \"principal_policy_view\", \"system\", {\n include_defaults: includeDefaults,\n });\n\n return toolResult(view);\n },\n },\n\n {\n name: \"sanctuary/principal_baseline_view\",\n description:\n \"View the current behavioral baseline — the session profile used \" +\n \"for anomaly detection. Shows known namespaces, counterparties, \" +\n \"and tool call counts. Read-only.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const profile = baseline.getProfile();\n\n auditLog.append(\"l2\", \"principal_baseline_view\", \"system\");\n\n return toolResult({\n is_first_session: profile.is_first_session,\n session_started_at: profile.started_at,\n known_namespaces: profile.known_namespaces,\n known_counterparties: profile.known_counterparties,\n tool_call_counts: profile.tool_call_counts,\n last_saved: profile.saved_at ?? \"not yet saved\",\n });\n },\n },\n ];\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types\n *\n * Machine-readable, signed, versioned sovereignty capability advertisement.\n * An agent presents its SHR to counterparties to prove its sovereignty posture.\n * The SHR is signed by one of the instance's Ed25519 identities and can be\n * independently verified by any party without trusting the presenter.\n *\n * SHR version: 1.0\n */\n\n// ── Layer Status ─────────────────────────────────────────────────────\n\nexport type LayerStatus = \"active\" | \"degraded\" | \"inactive\";\nexport type DegradationSeverity = \"info\" | \"warning\" | \"critical\";\nexport type DegradationCode =\n | \"NO_TEE\"\n | \"PROCESS_ISOLATION_ONLY\"\n | \"COMMITMENT_ONLY\"\n | \"NO_ZK_PROOFS\"\n | \"SELF_REPORTED_ATTESTATION\"\n | \"NO_SELECTIVE_DISCLOSURE\"\n | \"BASIC_SYBIL_ONLY\";\n\n// ── SHR Body (signed content) ────────────────────────────────────────\n\nexport interface SHRLayerL1 {\n status: LayerStatus;\n encryption: string;\n key_custody: \"self\" | \"delegated\" | \"platform\";\n integrity: string;\n identity_type: string;\n state_portable: boolean;\n}\n\nexport interface SHRLayerL2 {\n status: LayerStatus;\n isolation_type: string;\n attestation_available: boolean;\n}\n\nexport interface SHRLayerL3 {\n status: LayerStatus;\n proof_system: string;\n selective_disclosure: boolean;\n}\n\nexport interface SHRLayerL4 {\n status: LayerStatus;\n reputation_mode: string;\n attestation_format: string;\n reputation_portable: boolean;\n}\n\nexport interface SHRDegradation {\n layer: \"l1\" | \"l2\" | \"l3\" | \"l4\";\n code: DegradationCode;\n severity: DegradationSeverity;\n description: string;\n mitigation?: string;\n}\n\nexport interface SHRCapabilities {\n handshake: boolean;\n shr_exchange: boolean;\n reputation_verify: boolean;\n encrypted_channel: boolean;\n}\n\n/**\n * The SHR body — the content that gets signed.\n * Canonical form: JSON with sorted keys, no whitespace.\n */\nexport interface SHRBody {\n shr_version: \"1.0\";\n implementation: {\n sanctuary_version: string;\n node_version: string;\n generated_by: string; // \"sanctuary-mcp-server\"\n };\n instance_id: string;\n generated_at: string;\n expires_at: string;\n layers: {\n l1: SHRLayerL1;\n l2: SHRLayerL2;\n l3: SHRLayerL3;\n l4: SHRLayerL4;\n };\n capabilities: SHRCapabilities;\n degradations: SHRDegradation[];\n}\n\n/**\n * The complete signed SHR — body + signature envelope.\n */\nexport interface SignedSHR {\n body: SHRBody;\n signed_by: string; // Public key (base64url)\n signature: string; // Ed25519 signature over canonical body (base64url)\n}\n\n// ── Verification result ──────────────────────────────────────────────\n\nexport interface SHRVerificationResult {\n valid: boolean;\n errors: string[];\n warnings: string[];\n sovereignty_level: \"full\" | \"degraded\" | \"minimal\";\n counterparty_id: string;\n expires_at: string;\n}\n\n// ── Canonical serialization ──────────────────────────────────────────\n\n/**\n * Produce a canonical JSON representation of an SHR body.\n * Sorted keys, no whitespace — deterministic for signing.\n */\nexport function canonicalize(body: SHRBody): string {\n return JSON.stringify(body, Object.keys(body).sort(), 0)\n .replace(/\\n/g, \"\");\n}\n\n/**\n * Deep-sort an object's keys for canonical JSON.\n * Handles nested objects and arrays.\n */\nexport function deepSortKeys(obj: unknown): unknown {\n if (obj === null || typeof obj !== \"object\") return obj;\n if (Array.isArray(obj)) return obj.map(deepSortKeys);\n const sorted: Record<string, unknown> = {};\n for (const key of Object.keys(obj as Record<string, unknown>).sort()) {\n sorted[key] = deepSortKeys((obj as Record<string, unknown>)[key]);\n }\n return sorted;\n}\n\n/**\n * Canonical serialization suitable for signing.\n */\nexport function canonicalizeForSigning(body: SHRBody): string {\n return JSON.stringify(deepSortKeys(body));\n}\n","/**\n * Sanctuary MCP Server — SHR Generator\n *\n * Generates a Sovereignty Health Report from current server state,\n * signs it with a specified identity, and returns the complete signed SHR.\n */\n\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type {\n SHRBody,\n SignedSHR,\n SHRDegradation,\n DegradationCode,\n} from \"./types.js\";\nimport { canonicalizeForSigning } from \"./types.js\";\nimport { sign } from \"../core/identity.js\";\nimport { toBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\n\n/** Default SHR validity window: 1 hour */\nconst DEFAULT_VALIDITY_MS = 60 * 60 * 1000;\n\nexport interface SHRGeneratorOptions {\n config: SanctuaryConfig;\n identityManager: IdentityManager;\n masterKey: Uint8Array;\n /** Override validity window (milliseconds). Default: 1 hour. */\n validityMs?: number;\n}\n\n/**\n * Generate and sign a Sovereignty Health Report.\n *\n * @param identityId - Which identity to sign with (defaults to primary)\n * @param opts - Generator dependencies\n * @returns The signed SHR, or an error string\n */\nexport function generateSHR(\n identityId: string | undefined,\n opts: SHRGeneratorOptions\n): SignedSHR | string {\n const { config, identityManager, masterKey, validityMs } = opts;\n\n // Resolve signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return \"No identity available for signing. Create an identity first.\";\n }\n\n const now = new Date();\n const expiresAt = new Date(now.getTime() + (validityMs ?? DEFAULT_VALIDITY_MS));\n\n // Assess degradations\n const degradations: SHRDegradation[] = [];\n\n if (config.execution.environment === \"local-process\") {\n degradations.push({\n layer: \"l2\",\n code: \"PROCESS_ISOLATION_ONLY\" as DegradationCode,\n severity: \"warning\",\n description: \"Process-level isolation only (no TEE)\",\n mitigation: \"TEE support planned for a future release\",\n });\n degradations.push({\n layer: \"l2\",\n code: \"SELF_REPORTED_ATTESTATION\" as DegradationCode,\n severity: \"warning\",\n description: \"Attestation is self-reported (no hardware root of trust)\",\n mitigation: \"TEE attestation planned for a future release\",\n });\n }\n\n if (config.disclosure.proof_system === \"commitment-only\") {\n degradations.push({\n layer: \"l3\",\n code: \"COMMITMENT_ONLY\" as DegradationCode,\n severity: \"info\",\n description: \"Commitment schemes only (no ZK proofs)\",\n mitigation: \"ZK proof support planned for future release\",\n });\n }\n\n // Build the SHR body\n const body: SHRBody = {\n shr_version: \"1.0\",\n implementation: {\n sanctuary_version: config.version,\n node_version: process.versions.node,\n generated_by: \"sanctuary-mcp-server\",\n },\n instance_id: identity.identity_id,\n generated_at: now.toISOString(),\n expires_at: expiresAt.toISOString(),\n layers: {\n l1: {\n status: \"active\",\n encryption: config.state.encryption,\n key_custody: \"self\",\n integrity: config.state.integrity,\n identity_type: config.state.identity_provider,\n state_portable: true,\n },\n l2: {\n status: config.execution.environment === \"local-process\"\n ? \"degraded\"\n : \"active\",\n isolation_type: config.execution.environment,\n attestation_available: config.execution.attestation,\n },\n l3: {\n status: config.disclosure.proof_system === \"commitment-only\"\n ? \"degraded\"\n : \"active\",\n proof_system: config.disclosure.proof_system,\n selective_disclosure: config.disclosure.proof_system !== \"commitment-only\",\n },\n l4: {\n status: \"active\",\n reputation_mode: config.reputation.mode,\n attestation_format: config.reputation.attestation_format,\n reputation_portable: true,\n },\n },\n capabilities: {\n handshake: true,\n shr_exchange: true,\n reputation_verify: true,\n encrypted_channel: false, // Not yet implemented\n },\n degradations,\n };\n\n // Canonical serialization for signing\n const canonical = canonicalizeForSigning(body);\n const payload = stringToBytes(canonical);\n\n // Sign with the identity's private key\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const signatureBytes = sign(\n payload,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n return {\n body,\n signed_by: identity.public_key,\n signature: toBase64url(signatureBytes),\n };\n}\n","/**\n * Sanctuary MCP Server — SHR Verifier\n *\n * Verifies a counterparty's Sovereignty Health Report:\n * - Signature validity (Ed25519 over canonical body)\n * - Temporal validity (not expired)\n * - Schema completeness\n * - Sovereignty level assessment\n */\n\nimport type { SignedSHR, SHRVerificationResult, SHRBody } from \"./types.js\";\nimport { canonicalizeForSigning } from \"./types.js\";\nimport { verify } from \"../core/identity.js\";\nimport { fromBase64url, stringToBytes } from \"../core/encoding.js\";\n\n/**\n * Verify a signed SHR.\n *\n * @param shr - The signed SHR to verify\n * @param now - Optional override for current time (for testing)\n * @returns Verification result with validity, errors, warnings, and sovereignty assessment\n */\nexport function verifySHR(\n shr: SignedSHR,\n now?: Date\n): SHRVerificationResult {\n const errors: string[] = [];\n const warnings: string[] = [];\n const currentTime = now ?? new Date();\n\n // 1. Schema validation\n if (!shr.body || !shr.signed_by || !shr.signature) {\n errors.push(\"Missing required SHR fields (body, signed_by, or signature)\");\n return {\n valid: false,\n errors,\n warnings,\n sovereignty_level: \"minimal\",\n counterparty_id: shr.body?.instance_id ?? \"unknown\",\n expires_at: shr.body?.expires_at ?? \"unknown\",\n };\n }\n\n if (shr.body.shr_version !== \"1.0\") {\n errors.push(`Unsupported SHR version: ${shr.body.shr_version}`);\n }\n\n // 2. Temporal validation\n const expiresAt = new Date(shr.body.expires_at);\n if (isNaN(expiresAt.getTime())) {\n errors.push(\"Invalid expires_at timestamp\");\n } else if (currentTime > expiresAt) {\n errors.push(`SHR expired at ${shr.body.expires_at}`);\n }\n\n const generatedAt = new Date(shr.body.generated_at);\n if (isNaN(generatedAt.getTime())) {\n errors.push(\"Invalid generated_at timestamp\");\n } else if (generatedAt > currentTime) {\n warnings.push(\"SHR generated_at is in the future — clock skew detected\");\n }\n\n // 3. Signature verification\n try {\n const publicKey = fromBase64url(shr.signed_by);\n const signatureBytes = fromBase64url(shr.signature);\n const canonical = canonicalizeForSigning(shr.body);\n const payload = stringToBytes(canonical);\n\n const signatureValid = verify(payload, signatureBytes, publicKey);\n if (!signatureValid) {\n errors.push(\"Invalid signature — SHR may have been tampered with\");\n }\n } catch (e) {\n errors.push(`Signature verification failed: ${(e as Error).message}`);\n }\n\n // 4. Layer completeness check\n const { layers } = shr.body;\n if (!layers.l1 || !layers.l2 || !layers.l3 || !layers.l4) {\n errors.push(\"Missing one or more layer definitions\");\n }\n\n // 5. Assess sovereignty level\n const sovereigntyLevel = assessSovereigntyLevel(shr.body);\n\n // 6. Add warnings for degradations\n for (const d of shr.body.degradations ?? []) {\n if (d.severity === \"critical\") {\n warnings.push(`Critical degradation in ${d.layer}: ${d.description}`);\n }\n }\n\n return {\n valid: errors.length === 0,\n errors,\n warnings,\n sovereignty_level: sovereigntyLevel,\n counterparty_id: shr.body.instance_id,\n expires_at: shr.body.expires_at,\n };\n}\n\n/**\n * Assess the overall sovereignty level from an SHR body.\n */\nfunction assessSovereigntyLevel(\n body: SHRBody\n): \"full\" | \"degraded\" | \"minimal\" {\n const { l1, l2, l3, l4 } = body.layers;\n\n // All active = full\n if (\n l1.status === \"active\" &&\n l2.status === \"active\" &&\n l3.status === \"active\" &&\n l4.status === \"active\"\n ) {\n return \"full\";\n }\n\n // L1 must be active for anything above minimal\n if (l1.status !== \"active\") {\n return \"minimal\";\n }\n\n // L1 active but others degraded = degraded\n if (l4.status === \"active\" || l4.status === \"degraded\") {\n return \"degraded\";\n }\n\n return \"minimal\";\n}\n","/**\n * Sanctuary MCP Server — Ping Identity Gateway Adapter\n *\n * Transforms Sovereignty Health Reports (SHRs) into authorization contexts\n * compatible with Ping Identity's Agent Gateway for runtime access decisions.\n *\n * The adapter generates:\n * 1. Overall sovereignty score (0-100)\n * 2. Per-layer capability assessments\n * 3. Authorization-relevant feature flags\n * 4. Recommended trust levels and constraints\n * 5. Authorization policy recommendations for the gateway\n */\n\nimport type { SignedSHR, SHRBody, SHRDegradation } from \"./types.js\";\n\n// ── Gateway Authorization Context ───────────────────────────────────────\n\n/**\n * A Ping Identity-compatible authorization context derived from an SHR.\n * This structure is designed to be passed to the Agent Gateway for\n * runtime access decisions.\n */\nexport interface PingAuthorizationContext {\n /** SHR version — for compatibility tracking */\n shr_version: string;\n\n /** Agent's Ed25519 public key (base64url) — for identity verification */\n agent_identity: string;\n\n /** When the context was generated (ISO 8601) */\n generated_at: string;\n\n /** When the underlying SHR expires (ISO 8601) */\n context_expires_at: string;\n\n /** Overall sovereignty score (0-100) */\n overall_score: number;\n\n /** Recommended trust level based on sovereignty posture */\n recommended_trust_level: \"full\" | \"elevated\" | \"standard\" | \"restricted\";\n\n /** Per-layer sovereignty scores */\n layer_scores: {\n l1_cognitive: number;\n l2_operational: number;\n l3_disclosure: number;\n l4_reputation: number;\n };\n\n /** Per-layer status: active, degraded, inactive */\n layer_status: {\n l1_cognitive: string;\n l2_operational: string;\n l3_disclosure: string;\n l4_reputation: string;\n };\n\n /** Authorization-relevant capability flags */\n authorization_signals: {\n /** Is human approval required for sensitive operations? */\n approval_gate_active: boolean;\n\n /** Is outbound data filtered by context gating? */\n context_gating_active: boolean;\n\n /** Is agent state encrypted at rest? */\n encryption_at_rest: boolean;\n\n /** Is anomaly detection / behavioral baseline active? */\n behavioral_baseline_active: boolean;\n\n /** Does the agent have cryptographic identity (Ed25519)? */\n identity_verified: boolean;\n\n /** Can the agent conduct zero-knowledge proofs? */\n zero_knowledge_capable: boolean;\n\n /** Is selective disclosure enabled? */\n selective_disclosure_active: boolean;\n\n /** Can the agent perform portable reputation verification? */\n reputation_portable: boolean;\n\n /** Can the agent conduct handshakes? */\n handshake_capable: boolean;\n };\n\n /** Degradations that affect authorization */\n degradations: GatewayDegradation[];\n\n /** Recommended authorization constraints */\n recommended_constraints: AuthorizationConstraint[];\n\n /** The underlying SHR signature for verification */\n shr_signature: string;\n\n /** Base64url-encoded public key that signed the SHR */\n shr_signed_by: string;\n}\n\n/**\n * A degradation reframed for authorization context.\n */\nexport interface GatewayDegradation {\n layer: string;\n code: string;\n severity: string;\n description: string;\n authorization_impact: string;\n}\n\n/**\n * An authorization constraint recommended based on the agent's sovereignty posture.\n */\nexport interface AuthorizationConstraint {\n /** Constraint type: read_only, requires_approval, restricted_scope, identity_verification_required, etc. */\n type: string;\n\n /** Human-readable description */\n description: string;\n\n /** Reason this constraint is recommended (which sovereignty gap drives it) */\n rationale: string;\n\n /** Priority: high, medium, low */\n priority: \"high\" | \"medium\" | \"low\";\n}\n\n// ── Layer Scoring Model ──────────────────────────────────────────────────\n\n/**\n * Layer-specific scoring weights and degradation impacts.\n *\n * Each layer starts at 100 points. Degradations subtract points based on severity.\n * \"critical\" = -40, \"warning\" = -25, \"info\" = -10.\n */\nconst LAYER_WEIGHTS = {\n l1: 100,\n l2: 100,\n l3: 100,\n l4: 100,\n};\n\nconst DEGRADATION_IMPACT = {\n critical: 40,\n warning: 25,\n info: 10,\n};\n\n// ── Public API ───────────────────────────────────────────────────────────\n\n/**\n * Transform an SHR into a Ping Identity Gateway authorization context.\n *\n * @param shr - The signed SHR to transform\n * @returns A PingAuthorizationContext ready for the Agent Gateway\n */\nexport function transformSHRForGateway(shr: SignedSHR): PingAuthorizationContext {\n const { body, signed_by, signature } = shr;\n\n // Calculate per-layer scores\n const layerScores = calculateLayerScores(body);\n\n // Calculate overall score (weighted average)\n const overallScore = calculateOverallScore(layerScores);\n\n // Determine recommended trust level\n const trustLevel = determineTrustLevel(overallScore);\n\n // Extract authorization signals from SHR\n const signals = extractAuthorizationSignals(body);\n\n // Transform degradations for authorization context\n const degradations = transformDegradations(body.degradations);\n\n // Generate recommended constraints\n const constraints = generateAuthorizationConstraints(body, degradations);\n\n return {\n shr_version: body.shr_version,\n agent_identity: signed_by,\n generated_at: new Date().toISOString(),\n context_expires_at: body.expires_at,\n overall_score: overallScore,\n recommended_trust_level: trustLevel,\n layer_scores: {\n l1_cognitive: layerScores.l1,\n l2_operational: layerScores.l2,\n l3_disclosure: layerScores.l3,\n l4_reputation: layerScores.l4,\n },\n layer_status: {\n l1_cognitive: body.layers.l1.status,\n l2_operational: body.layers.l2.status,\n l3_disclosure: body.layers.l3.status,\n l4_reputation: body.layers.l4.status,\n },\n authorization_signals: signals,\n degradations,\n recommended_constraints: constraints,\n shr_signature: signature,\n shr_signed_by: signed_by,\n };\n}\n\n/**\n * Calculate sovereignty scores for each layer based on the SHR.\n */\nfunction calculateLayerScores(\n body: SHRBody\n): {\n l1: number;\n l2: number;\n l3: number;\n l4: number;\n} {\n const layers = body.layers;\n const degradations = body.degradations;\n\n let l1Score = LAYER_WEIGHTS.l1;\n let l2Score = LAYER_WEIGHTS.l2;\n let l3Score = LAYER_WEIGHTS.l3;\n let l4Score = LAYER_WEIGHTS.l4;\n\n // Apply degradation penalties\n for (const deg of degradations) {\n const impact =\n DEGRADATION_IMPACT[deg.severity as keyof typeof DEGRADATION_IMPACT] || 10;\n\n if (deg.layer === \"l1\") {\n l1Score = Math.max(0, l1Score - impact);\n } else if (deg.layer === \"l2\") {\n l2Score = Math.max(0, l2Score - impact);\n } else if (deg.layer === \"l3\") {\n l3Score = Math.max(0, l3Score - impact);\n } else if (deg.layer === \"l4\") {\n l4Score = Math.max(0, l4Score - impact);\n }\n }\n\n // Bonus points for active status (if no degradations bring it below a threshold)\n if (layers.l1.status === \"active\" && l1Score > 50) l1Score = Math.min(100, l1Score + 5);\n if (layers.l2.status === \"active\" && l2Score > 50) l2Score = Math.min(100, l2Score + 5);\n if (layers.l3.status === \"active\" && l3Score > 50) l3Score = Math.min(100, l3Score + 5);\n if (layers.l4.status === \"active\" && l4Score > 50) l4Score = Math.min(100, l4Score + 5);\n\n // Inactive layers score 0\n if (layers.l1.status === \"inactive\") l1Score = 0;\n if (layers.l2.status === \"inactive\") l2Score = 0;\n if (layers.l3.status === \"inactive\") l3Score = 0;\n if (layers.l4.status === \"inactive\") l4Score = 0;\n\n return {\n l1: Math.round(l1Score),\n l2: Math.round(l2Score),\n l3: Math.round(l3Score),\n l4: Math.round(l4Score),\n };\n}\n\n/**\n * Calculate overall sovereignty score (0-100) as weighted average of layer scores.\n */\nfunction calculateOverallScore(layerScores: {\n l1: number;\n l2: number;\n l3: number;\n l4: number;\n}): number {\n const average = (layerScores.l1 + layerScores.l2 + layerScores.l3 + layerScores.l4) / 4;\n return Math.round(average);\n}\n\n/**\n * Determine recommended trust level based on overall score.\n */\nfunction determineTrustLevel(\n score: number\n): \"full\" | \"elevated\" | \"standard\" | \"restricted\" {\n if (score >= 80) return \"full\";\n if (score >= 60) return \"elevated\";\n if (score >= 40) return \"standard\";\n return \"restricted\";\n}\n\n/**\n * Extract authorization-relevant signals from the SHR.\n */\nfunction extractAuthorizationSignals(body: SHRBody): PingAuthorizationContext[\"authorization_signals\"] {\n const l1 = body.layers.l1;\n const l3 = body.layers.l3;\n const l4 = body.layers.l4;\n\n // Infer signals from layer configuration\n return {\n approval_gate_active: body.capabilities.handshake, // Handshake implies human loop capability\n context_gating_active: body.capabilities.encrypted_channel, // Proxy for gating capability\n encryption_at_rest: l1.encryption !== \"none\" && l1.encryption !== \"unencrypted\",\n behavioral_baseline_active: false, // Would need explicit field in SHR v1.1\n identity_verified: l1.identity_type === \"ed25519\" || l1.identity_type !== \"none\",\n zero_knowledge_capable: l3.status === \"active\" && l3.proof_system !== \"commitment-only\",\n selective_disclosure_active: l3.selective_disclosure,\n reputation_portable: l4.reputation_portable,\n handshake_capable: body.capabilities.handshake,\n };\n}\n\n/**\n * Transform degradations into authorization-aware format.\n */\nfunction transformDegradations(degradations: SHRDegradation[]): GatewayDegradation[] {\n return degradations.map((deg) => {\n let authzImpact = \"\";\n\n if (deg.code === \"NO_TEE\") {\n authzImpact = \"Restricted to read-only operations until TEE available\";\n } else if (deg.code === \"PROCESS_ISOLATION_ONLY\") {\n authzImpact = \"Requires additional identity verification\";\n } else if (deg.code === \"COMMITMENT_ONLY\") {\n authzImpact = \"Limited data sharing scope — no zero-knowledge proofs\";\n } else if (deg.code === \"NO_ZK_PROOFS\") {\n authzImpact = \"Cannot perform confidential disclosures\";\n } else if (deg.code === \"SELF_REPORTED_ATTESTATION\") {\n authzImpact = \"Attestation trust degraded — human verification recommended\";\n } else if (deg.code === \"NO_SELECTIVE_DISCLOSURE\") {\n authzImpact = \"Must share entire data context, cannot redact\";\n } else if (deg.code === \"BASIC_SYBIL_ONLY\") {\n authzImpact = \"Restrict to interactions with known agents only\";\n } else {\n authzImpact = \"Unknown authorization impact\";\n }\n\n return {\n layer: deg.layer,\n code: deg.code,\n severity: deg.severity,\n description: deg.description,\n authorization_impact: authzImpact,\n };\n });\n}\n\n/**\n * Generate recommended authorization constraints based on sovereignty posture.\n */\nfunction generateAuthorizationConstraints(\n body: SHRBody,\n _degradations: GatewayDegradation[]\n): AuthorizationConstraint[] {\n const constraints: AuthorizationConstraint[] = [];\n const layers = body.layers;\n\n // L1 (Cognitive Sovereignty) constraints\n if (layers.l1.status === \"degraded\" || layers.l1.key_custody !== \"self\") {\n constraints.push({\n type: \"identity_verification_required\",\n description: \"Additional identity verification required for sensitive operations\",\n rationale: \"L1 is degraded or key custody is not self-managed\",\n priority: \"high\",\n });\n }\n\n if (!layers.l1.state_portable) {\n constraints.push({\n type: \"location_bound\",\n description: \"Agent state is not portable — restrict to home environment\",\n rationale: \"State cannot be safely migrated across boundaries\",\n priority: \"medium\",\n });\n }\n\n // L2 (Operational Isolation) constraints\n if (layers.l2.status === \"degraded\" || layers.l2.isolation_type === \"local-process\") {\n constraints.push({\n type: \"read_only\",\n description: \"Restrict to read-only operations until operational isolation improves\",\n rationale: \"L2 isolation is process-level only (no TEE)\",\n priority: \"high\",\n });\n }\n\n if (!layers.l2.attestation_available) {\n constraints.push({\n type: \"requires_approval\",\n description: \"Human approval required for writes and sensitive reads\",\n rationale: \"No attestation available — self-reported integrity only\",\n priority: \"high\",\n });\n }\n\n // L3 (Selective Disclosure) constraints\n if (layers.l3.status === \"degraded\" || !layers.l3.selective_disclosure) {\n constraints.push({\n type: \"restricted_scope\",\n description: \"Limit data sharing to minimal required scope — no selective disclosure\",\n rationale: \"Agent cannot redact data or prove predicates without revealing all context\",\n priority: \"high\",\n });\n }\n\n if (layers.l3.proof_system === \"commitment-only\") {\n constraints.push({\n type: \"restricted_scope\",\n description: \"No zero-knowledge proofs available — entire state context may be visible\",\n rationale: \"Proof system is commitment-only (no ZK)\",\n priority: \"medium\",\n });\n }\n\n // L4 (Reputation) constraints\n if (layers.l4.status === \"degraded\") {\n constraints.push({\n type: \"known_agents_only\",\n description: \"Restrict interactions to known, pre-approved agents\",\n rationale: \"Reputation layer is degraded\",\n priority: \"medium\",\n });\n }\n\n if (!layers.l4.reputation_portable) {\n constraints.push({\n type: \"location_bound\",\n description: \"Reputation is not portable — restrict to home environment\",\n rationale: \"Cannot present reputation to external parties\",\n priority: \"low\",\n });\n }\n\n // Overall score-based constraints\n const layerScores = calculateLayerScores(body);\n const overallScore = calculateOverallScore(layerScores);\n\n if (overallScore < 40) {\n constraints.push({\n type: \"restricted_scope\",\n description: \"Overall sovereignty score below threshold — restrict to non-sensitive operations\",\n rationale: `Overall sovereignty score is ${overallScore}/100`,\n priority: \"high\",\n });\n }\n\n return constraints;\n}\n\n// ── Generic Gateway Export ───────────────────────────────────────────────\n\n/**\n * Generic authorization context (format-agnostic).\n * Used when format is \"generic\" instead of \"ping\".\n */\nexport interface GenericAuthorizationContext {\n agent_id: string;\n sovereignty_score: number;\n trust_level: string;\n layer_scores: Record<string, number>;\n capabilities: Record<string, boolean>;\n constraints: Array<{\n type: string;\n description: string;\n }>;\n expires_at: string;\n signature: string;\n}\n\n/**\n * Transform an SHR into a generic authorization context.\n */\nexport function transformSHRGeneric(shr: SignedSHR): GenericAuthorizationContext {\n const context = transformSHRForGateway(shr);\n\n return {\n agent_id: context.agent_identity,\n sovereignty_score: context.overall_score,\n trust_level: context.recommended_trust_level,\n layer_scores: {\n l1: context.layer_scores.l1_cognitive,\n l2: context.layer_scores.l2_operational,\n l3: context.layer_scores.l3_disclosure,\n l4: context.layer_scores.l4_reputation,\n },\n capabilities: context.authorization_signals,\n constraints: context.recommended_constraints.map((c) => ({\n type: c.type,\n description: c.description,\n })),\n expires_at: context.context_expires_at,\n signature: context.shr_signature,\n };\n}\n","/**\n * Sanctuary MCP Server — SHR MCP Tools\n *\n * MCP tool definitions for generating and verifying Sovereignty Health Reports.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateSHR, type SHRGeneratorOptions } from \"./generator.js\";\nimport { verifySHR } from \"./verifier.js\";\nimport type { SignedSHR } from \"./types.js\";\nimport { transformSHRForGateway, transformSHRGeneric } from \"./gateway-adapter.js\";\n\nexport function createSHRTools(\n config: SanctuaryConfig,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[] } {\n const generatorOpts: SHRGeneratorOptions = {\n config,\n identityManager,\n masterKey,\n };\n\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/shr_generate\",\n description:\n \"Generate a signed Sovereignty Health Report (SHR) — a machine-readable, \" +\n \"cryptographically signed advertisement of this instance's sovereignty posture. \" +\n \"Present this to counterparties to prove your sovereignty capabilities.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: {\n type: \"string\",\n description:\n \"Identity to sign the SHR with. Defaults to primary identity.\",\n },\n validity_minutes: {\n type: \"number\",\n description: \"How long the SHR is valid (minutes). Default: 60.\",\n },\n },\n },\n handler: async (args) => {\n const validityMs = args.validity_minutes\n ? (args.validity_minutes as number) * 60 * 1000\n : undefined;\n\n const result = generateSHR(args.identity_id as string | undefined, {\n ...generatorOpts,\n validityMs,\n });\n\n if (typeof result === \"string\") {\n return toolResult({ error: result });\n }\n\n auditLog.append(\"l2\", \"shr_generate\", result.body.instance_id);\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/shr_verify\",\n description:\n \"Verify a counterparty's Sovereignty Health Report (SHR). \" +\n \"Checks signature validity, temporal validity, and assesses sovereignty level.\",\n inputSchema: {\n type: \"object\",\n properties: {\n shr: {\n type: \"object\",\n description: \"The signed SHR to verify (full SignedSHR object).\",\n },\n },\n required: [\"shr\"],\n },\n handler: async (args) => {\n const shr = args.shr as unknown as SignedSHR;\n const result = verifySHR(shr);\n\n auditLog.append(\n \"l2\",\n \"shr_verify\",\n result.counterparty_id,\n undefined,\n result.valid ? \"success\" : \"failure\"\n );\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/shr_gateway_export\",\n description:\n \"Export this instance's Sovereignty Health Report formatted for \" +\n \"Ping Identity's Agent Gateway or other identity providers. \" +\n \"Transforms the SHR into an authorization context with sovereignty scores, \" +\n \"capability flags, and recommended access constraints.\",\n inputSchema: {\n type: \"object\",\n properties: {\n format: {\n type: \"string\",\n enum: [\"ping\", \"generic\"],\n description:\n \"Output format: 'ping' (Ping Identity Gateway format) or 'generic' (format-agnostic). Default: 'ping'.\",\n },\n identity_id: {\n type: \"string\",\n description:\n \"Identity to sign the SHR with. Defaults to primary identity.\",\n },\n validity_minutes: {\n type: \"number\",\n description: \"How long the SHR is valid (minutes). Default: 60.\",\n },\n },\n },\n handler: async (args) => {\n const format = (args.format as string) || \"ping\";\n const validityMs = args.validity_minutes\n ? (args.validity_minutes as number) * 60 * 1000\n : undefined;\n\n // Generate a fresh SHR\n const shrResult = generateSHR(args.identity_id as string | undefined, {\n ...generatorOpts,\n validityMs,\n });\n\n if (typeof shrResult === \"string\") {\n return toolResult({ error: shrResult });\n }\n\n // Transform for the requested format\n let context;\n if (format === \"generic\") {\n context = transformSHRGeneric(shrResult);\n } else {\n context = transformSHRForGateway(shrResult);\n }\n\n auditLog.append(\n \"l2\",\n \"shr_gateway_export\",\n shrResult.body.instance_id,\n undefined,\n \"success\"\n );\n\n return toolResult(context);\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Handshake Protocol\n *\n * Core handshake logic: initiate, respond, complete.\n * Nonce-based challenge-response prevents replay attacks.\n * SHR signatures are verified at each step.\n */\n\nimport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n HandshakeSession,\n SovereigntyLevel,\n TrustTier,\n} from \"./types.js\";\nimport type { SignedSHR } from \"../shr/types.js\";\nimport { verifySHR } from \"../shr/verifier.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\n\n/** Generate a cryptographic nonce for handshake */\nfunction generateNonce(): string {\n return toBase64url(randomBytes(32));\n}\n\n/**\n * Step 1: Initiate a handshake.\n * Generates a challenge containing our SHR and a nonce.\n */\nexport function initiateHandshake(\n ourSHR: SignedSHR\n): { challenge: HandshakeChallenge; session: HandshakeSession } {\n const nonce = generateNonce();\n const sessionId = toBase64url(randomBytes(16));\n\n const challenge: HandshakeChallenge = {\n protocol_version: \"1.0\",\n shr: ourSHR,\n nonce,\n initiated_at: new Date().toISOString(),\n };\n\n const session: HandshakeSession = {\n session_id: sessionId,\n role: \"initiator\",\n state: \"initiated\",\n our_nonce: nonce,\n our_shr: ourSHR,\n initiated_at: challenge.initiated_at,\n };\n\n return { challenge, session };\n}\n\n/**\n * Step 2: Respond to a handshake challenge.\n * Verifies the initiator's SHR, signs their nonce, generates our nonce.\n */\nexport function respondToHandshake(\n challenge: HandshakeChallenge,\n ourSHR: SignedSHR,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n identityId?: string\n): { response: HandshakeResponse; session: HandshakeSession } | { error: string } {\n // Validate protocol version\n if (challenge.protocol_version !== \"1.0\") {\n return { error: `Unsupported protocol version: ${challenge.protocol_version}` };\n }\n\n // Verify the initiator's SHR\n const shrResult = verifySHR(challenge.shr);\n if (!shrResult.valid) {\n return { error: `Initiator SHR verification failed: ${shrResult.errors.join(\", \")}` };\n }\n\n // Resolve signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return { error: \"No identity available for signing\" };\n }\n\n // Sign the initiator's nonce (proves we received it, prevents replay)\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const nonceBytes = stringToBytes(challenge.nonce);\n const nonceSignature = sign(\n nonceBytes,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n const responderNonce = generateNonce();\n\n const response: HandshakeResponse = {\n protocol_version: \"1.0\",\n shr: ourSHR,\n responder_nonce: responderNonce,\n initiator_nonce_signature: toBase64url(nonceSignature),\n responded_at: new Date().toISOString(),\n };\n\n const session: HandshakeSession = {\n session_id: toBase64url(randomBytes(16)),\n role: \"responder\",\n state: \"responded\",\n our_nonce: responderNonce,\n their_nonce: challenge.nonce,\n our_shr: ourSHR,\n their_shr: challenge.shr,\n initiated_at: challenge.initiated_at,\n };\n\n return { response, session };\n}\n\n/**\n * Step 3: Complete the handshake (initiator side).\n * Verifies the responder's SHR and nonce signature, signs responder's nonce.\n */\nexport function completeHandshake(\n response: HandshakeResponse,\n session: HandshakeSession,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n identityId?: string\n): { completion: HandshakeCompletion; result: HandshakeResult } | { error: string } {\n // Validate protocol version\n if (response.protocol_version !== \"1.0\") {\n return { error: `Unsupported protocol version: ${response.protocol_version}` };\n }\n\n // Verify the responder's SHR\n const shrResult = verifySHR(response.shr);\n if (!shrResult.valid) {\n return { error: `Responder SHR verification failed: ${shrResult.errors.join(\", \")}` };\n }\n\n // Verify the responder signed our nonce correctly\n const responderPublicKey = fromBase64url(response.shr.signed_by);\n const ourNonceBytes = stringToBytes(session.our_nonce);\n const nonceSignatureBytes = fromBase64url(response.initiator_nonce_signature);\n\n const nonceSignatureValid = verify(\n ourNonceBytes,\n nonceSignatureBytes,\n responderPublicKey\n );\n if (!nonceSignatureValid) {\n return { error: \"Responder's nonce signature is invalid — possible replay or MITM\" };\n }\n\n // Resolve our signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return { error: \"No identity available for signing\" };\n }\n\n // Sign the responder's nonce\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const responderNonceBytes = stringToBytes(response.responder_nonce);\n const responderNonceSignature = sign(\n responderNonceBytes,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n const now = new Date().toISOString();\n\n const completion: HandshakeCompletion = {\n protocol_version: \"1.0\",\n responder_nonce_signature: toBase64url(responderNonceSignature),\n completed_at: now,\n };\n\n // Determine sovereignty level and trust tier\n const sovereigntyLevel = shrResult.sovereignty_level as SovereigntyLevel;\n const trustTier = deriveTrustTier(sovereigntyLevel);\n\n const result: HandshakeResult = {\n counterparty_id: shrResult.counterparty_id,\n counterparty_shr: response.shr,\n verified: true,\n sovereignty_level: sovereigntyLevel,\n trust_tier: trustTier,\n completed_at: now,\n expires_at: shrResult.expires_at,\n errors: [],\n };\n\n return { completion, result };\n}\n\n/**\n * Step 4: Verify completion (responder side).\n * Verifies the initiator signed our nonce correctly.\n */\nexport function verifyCompletion(\n completion: HandshakeCompletion,\n session: HandshakeSession\n): HandshakeResult {\n const errors: string[] = [];\n\n if (!session.their_shr) {\n return {\n counterparty_id: \"unknown\",\n counterparty_shr: session.our_shr, // placeholder\n verified: false,\n sovereignty_level: \"unverified\",\n trust_tier: \"unverified\",\n completed_at: completion.completed_at,\n expires_at: new Date().toISOString(),\n errors: [\"No initiator SHR in session state\"],\n };\n }\n\n // Verify the initiator signed our nonce\n const initiatorPublicKey = fromBase64url(session.their_shr.signed_by);\n const ourNonceBytes = stringToBytes(session.our_nonce);\n const nonceSignatureBytes = fromBase64url(completion.responder_nonce_signature);\n\n const nonceSignatureValid = verify(\n ourNonceBytes,\n nonceSignatureBytes,\n initiatorPublicKey\n );\n\n if (!nonceSignatureValid) {\n errors.push(\"Initiator's nonce signature is invalid — possible replay or MITM\");\n }\n\n // Verify the initiator's SHR (may have been verified earlier, but check expiry)\n const shrResult = verifySHR(session.their_shr);\n if (!shrResult.valid) {\n errors.push(...shrResult.errors);\n }\n\n const verified = errors.length === 0;\n const sovereigntyLevel: SovereigntyLevel = verified\n ? (shrResult.sovereignty_level as SovereigntyLevel)\n : \"unverified\";\n\n return {\n counterparty_id: session.their_shr.body.instance_id,\n counterparty_shr: session.their_shr,\n verified,\n sovereignty_level: sovereigntyLevel,\n trust_tier: deriveTrustTier(sovereigntyLevel),\n completed_at: completion.completed_at,\n expires_at: session.their_shr.body.expires_at,\n errors,\n };\n}\n\n/**\n * Derive trust tier from sovereignty level.\n */\nfunction deriveTrustTier(level: SovereigntyLevel): TrustTier {\n switch (level) {\n case \"full\":\n return \"verified-sovereign\";\n case \"degraded\":\n return \"verified-degraded\";\n default:\n return \"unverified\";\n }\n}\n","/**\n * Sanctuary MCP Server — Handshake MCP Tools\n *\n * MCP tool definitions for the sovereignty handshake protocol.\n * Four tools map to the four protocol steps:\n * 1. handshake_initiate — Start a handshake\n * 2. handshake_respond — Respond to an incoming challenge\n * 3. handshake_complete — Complete a handshake (initiator side)\n * 4. handshake_status — Check status of handshake sessions\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateSHR, type SHRGeneratorOptions } from \"../shr/generator.js\";\nimport {\n initiateHandshake,\n respondToHandshake,\n completeHandshake,\n verifyCompletion,\n} from \"./protocol.js\";\nimport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n HandshakeSession,\n} from \"./types.js\";\n\nexport function createHandshakeTools(\n config: SanctuaryConfig,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[]; handshakeResults: Map<string, HandshakeResult> } {\n // In-memory session store (per server instance lifetime)\n const sessions = new Map<string, HandshakeSession>();\n // Completed handshake results indexed by counterparty ID — shared with L4 tier resolution\n const handshakeResults = new Map<string, HandshakeResult>();\n\n const shrOpts: SHRGeneratorOptions = {\n config,\n identityManager,\n masterKey,\n };\n\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/handshake_initiate\",\n description:\n \"Initiate a sovereignty handshake with a counterparty. \" +\n \"Generates a challenge containing this instance's signed SHR and a cryptographic nonce. \" +\n \"Send the returned challenge to the counterparty.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: {\n type: \"string\",\n description:\n \"Identity to use for the handshake. Defaults to primary identity.\",\n },\n },\n },\n handler: async (args) => {\n // Generate our SHR\n const shr = generateSHR(args.identity_id as string | undefined, shrOpts);\n if (typeof shr === \"string\") {\n return toolResult({ error: shr });\n }\n\n const { challenge, session } = initiateHandshake(shr);\n sessions.set(session.session_id, session);\n\n auditLog.append(\"l4\", \"handshake_initiate\", shr.body.instance_id);\n\n return toolResult({\n session_id: session.session_id,\n challenge,\n instructions:\n \"Send the 'challenge' object to the counterparty's sanctuary/handshake_respond tool. \" +\n \"When you receive their response, pass it to sanctuary/handshake_complete with this session_id.\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_respond\",\n description:\n \"Respond to an incoming sovereignty handshake challenge. \" +\n \"Verifies the initiator's SHR, signs their nonce, and returns our SHR with a counter-nonce.\",\n inputSchema: {\n type: \"object\",\n properties: {\n challenge: {\n type: \"object\",\n description: \"The HandshakeChallenge received from the initiator.\",\n },\n identity_id: {\n type: \"string\",\n description:\n \"Identity to use for the response. Defaults to primary identity.\",\n },\n },\n required: [\"challenge\"],\n },\n handler: async (args) => {\n const challenge = args.challenge as unknown as HandshakeChallenge;\n\n // Generate our SHR\n const shr = generateSHR(args.identity_id as string | undefined, shrOpts);\n if (typeof shr === \"string\") {\n return toolResult({ error: shr });\n }\n\n const result = respondToHandshake(\n challenge,\n shr,\n identityManager,\n masterKey,\n args.identity_id as string | undefined\n );\n\n if (\"error\" in result) {\n auditLog.append(\"l4\", \"handshake_respond\", shr.body.instance_id, undefined, \"failure\");\n return toolResult({ error: result.error });\n }\n\n sessions.set(result.session.session_id, result.session);\n\n auditLog.append(\"l4\", \"handshake_respond\", shr.body.instance_id);\n\n return toolResult({\n session_id: result.session.session_id,\n response: result.response,\n instructions:\n \"Send the 'response' object back to the initiator. \" +\n \"When you receive their completion, pass it to sanctuary/handshake_status with this session_id.\",\n // SEC-ADD-03: Tag response — contains SHR data that will be sent to counterparty\n _content_trust: \"external\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_complete\",\n description:\n \"Complete a sovereignty handshake (initiator side). \" +\n \"Verifies the responder's SHR and nonce signature, signs their nonce, and produces the final result.\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Session ID from handshake_initiate.\",\n },\n response: {\n type: \"object\",\n description: \"The HandshakeResponse received from the responder.\",\n },\n },\n required: [\"session_id\", \"response\"],\n },\n handler: async (args) => {\n const sessionId = args.session_id as string;\n const response = args.response as unknown as HandshakeResponse;\n\n const session = sessions.get(sessionId);\n if (!session) {\n return toolResult({ error: `No handshake session found: ${sessionId}` });\n }\n if (session.state !== \"initiated\") {\n return toolResult({\n error: `Session is in state '${session.state}', expected 'initiated'`,\n });\n }\n\n const result = completeHandshake(\n response,\n session,\n identityManager,\n masterKey\n );\n\n if (\"error\" in result) {\n session.state = \"failed\";\n auditLog.append(\"l4\", \"handshake_complete\", session.our_shr.body.instance_id, undefined, \"failure\");\n return toolResult({ error: result.error });\n }\n\n session.state = \"completed\";\n session.their_shr = response.shr;\n session.their_nonce = response.responder_nonce;\n session.result = result.result;\n\n // Store completed result for tier resolution\n handshakeResults.set(result.result.counterparty_id, result.result);\n\n auditLog.append(\"l4\", \"handshake_complete\", session.our_shr.body.instance_id);\n\n return toolResult({\n completion: result.completion,\n result: result.result,\n instructions:\n \"Send the 'completion' object to the responder so they can verify the handshake. \" +\n \"The 'result' object contains the verified counterparty status and trust tier.\",\n // SEC-ADD-03: Tag response as containing counterparty-controlled SHR data\n _content_trust: \"external\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_status\",\n description:\n \"Check the status of a handshake session, or verify a completion message (responder side).\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Session ID to check.\",\n },\n completion: {\n type: \"object\",\n description:\n \"Optional: HandshakeCompletion from the initiator (responder-side verification).\",\n },\n },\n required: [\"session_id\"],\n },\n handler: async (args) => {\n const sessionId = args.session_id as string;\n const completion = args.completion as unknown as HandshakeCompletion | undefined;\n\n const session = sessions.get(sessionId);\n if (!session) {\n return toolResult({ error: `No handshake session found: ${sessionId}` });\n }\n\n // If completion is provided, verify it (responder side)\n if (completion && session.role === \"responder\" && session.state === \"responded\") {\n const result = verifyCompletion(completion, session);\n session.state = result.verified ? \"completed\" : \"failed\";\n session.result = result;\n\n // Store completed result for tier resolution\n if (result.verified) {\n handshakeResults.set(result.counterparty_id, result);\n }\n\n auditLog.append(\n \"l4\",\n \"handshake_verify_completion\",\n session.our_shr.body.instance_id,\n undefined,\n result.verified ? \"success\" : \"failure\"\n );\n\n return toolResult({ result });\n }\n\n // Otherwise just return session status\n return toolResult({\n session_id: session.session_id,\n role: session.role,\n state: session.state,\n initiated_at: session.initiated_at,\n result: session.result ?? null,\n });\n },\n },\n ];\n\n return { tools, handshakeResults };\n}\n","/**\n * Sanctuary MCP Server — Federation Peer Registry\n *\n * Manages known federation peers. Peers are discovered through handshakes\n * and tracked for ongoing federation operations.\n *\n * The registry is the source of truth for:\n * - Who we've federated with\n * - Current trust status of each peer\n * - Peer capabilities (what operations they support)\n *\n * Security invariants:\n * - Peers are ONLY added through completed handshakes (not self-registration)\n * - Trust tiers degrade automatically when handshakes expire\n * - Peer data is stored encrypted under L1 sovereignty\n */\n\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { trustTierToSovereigntyTier } from \"../l4-reputation/tiers.js\";\nimport type {\n FederationPeer,\n FederationCapabilities,\n PeerTrustEvaluation,\n} from \"./types.js\";\n\n/** Default capabilities assumed for new peers */\nconst DEFAULT_CAPABILITIES: FederationCapabilities = {\n reputation_exchange: true,\n mutual_attestation: true,\n encrypted_channel: false,\n attestation_formats: [\"sanctuary-interaction-v1\"],\n};\n\nexport class FederationRegistry {\n private peers = new Map<string, FederationPeer>();\n\n /**\n * Register or update a peer from a completed handshake.\n * This is the ONLY way peers enter the registry.\n */\n registerFromHandshake(\n result: HandshakeResult,\n peerDid: string,\n capabilities?: Partial<FederationCapabilities>\n ): FederationPeer {\n const existing = this.peers.get(result.counterparty_id);\n const now = new Date().toISOString();\n\n const peer: FederationPeer = {\n peer_id: result.counterparty_id,\n peer_did: peerDid,\n first_seen: existing?.first_seen ?? now,\n last_handshake: result.completed_at,\n trust_tier: trustTierToSovereigntyTier(result.trust_tier),\n handshake_result: result,\n capabilities: {\n ...DEFAULT_CAPABILITIES,\n ...(existing?.capabilities ?? {}),\n ...(capabilities ?? {}),\n },\n active: result.verified && new Date(result.expires_at) > new Date(),\n };\n\n // If already expired at registration time, degrade trust tier\n if (!peer.active) {\n peer.trust_tier = \"self-attested\";\n }\n\n this.peers.set(result.counterparty_id, peer);\n return peer;\n }\n\n /**\n * Get a peer by instance ID.\n * Automatically updates active status based on handshake expiry.\n */\n getPeer(peerId: string): FederationPeer | null {\n const peer = this.peers.get(peerId);\n if (!peer) return null;\n\n // Check if handshake has expired\n if (peer.active && new Date(peer.handshake_result.expires_at) <= new Date()) {\n peer.active = false;\n peer.trust_tier = \"self-attested\"; // Degrade to self-attested when expired\n }\n\n return peer;\n }\n\n /**\n * List all known peers, optionally filtered by status.\n */\n listPeers(filter?: { active_only?: boolean }): FederationPeer[] {\n const peers = Array.from(this.peers.values());\n\n // Update active status before filtering\n for (const peer of peers) {\n if (peer.active && new Date(peer.handshake_result.expires_at) <= new Date()) {\n peer.active = false;\n peer.trust_tier = \"self-attested\";\n }\n }\n\n if (filter?.active_only) {\n return peers.filter((p) => p.active);\n }\n\n return peers;\n }\n\n /**\n * Evaluate trust for a federation peer.\n *\n * Trust assessment considers:\n * - Handshake status (current vs expired)\n * - Sovereignty tier (verified-sovereign vs degraded vs unverified)\n * - Reputation data (if available)\n * - Mutual attestation history\n */\n evaluateTrust(\n peerId: string,\n mutualAttestationCount: number = 0,\n reputationScore?: number\n ): PeerTrustEvaluation {\n const peer = this.getPeer(peerId);\n const now = new Date().toISOString();\n\n if (!peer) {\n return {\n peer_id: peerId,\n sovereignty_tier: \"unverified\",\n handshake_current: false,\n mutual_attestation_count: 0,\n trust_level: \"none\",\n factors: [\"Peer not found in federation registry\"],\n evaluated_at: now,\n };\n }\n\n const factors: string[] = [];\n let score = 0;\n\n // Factor 1: Handshake status\n if (peer.active) {\n factors.push(\"Active handshake (trust current)\");\n score += 3;\n } else {\n factors.push(\"Handshake expired (trust degraded)\");\n score += 1;\n }\n\n // Factor 2: Sovereignty tier\n switch (peer.trust_tier) {\n case \"verified-sovereign\":\n factors.push(\"Verified sovereign — full sovereignty posture\");\n score += 4;\n break;\n case \"verified-degraded\":\n factors.push(\"Verified degraded — sovereignty with known limitations\");\n score += 3;\n break;\n case \"self-attested\":\n factors.push(\"Self-attested — claims not independently verified\");\n score += 1;\n break;\n case \"unverified\":\n factors.push(\"Unverified — no sovereignty proof\");\n score += 0;\n break;\n }\n\n // Factor 3: Mutual attestation history\n if (mutualAttestationCount > 10) {\n factors.push(`Strong attestation history (${mutualAttestationCount} mutual attestations)`);\n score += 3;\n } else if (mutualAttestationCount > 0) {\n factors.push(`Some attestation history (${mutualAttestationCount} mutual attestations)`);\n score += 1;\n } else {\n factors.push(\"No mutual attestation history\");\n }\n\n // Factor 4: Reputation score\n if (reputationScore !== undefined) {\n if (reputationScore >= 80) {\n factors.push(`High reputation score (${reputationScore})`);\n score += 2;\n } else if (reputationScore >= 50) {\n factors.push(`Moderate reputation score (${reputationScore})`);\n score += 1;\n } else {\n factors.push(`Low reputation score (${reputationScore})`);\n }\n }\n\n // Map score to trust level\n let trust_level: \"high\" | \"medium\" | \"low\" | \"none\";\n if (score >= 9) trust_level = \"high\";\n else if (score >= 5) trust_level = \"medium\";\n else if (score >= 2) trust_level = \"low\";\n else trust_level = \"none\";\n\n return {\n peer_id: peerId,\n sovereignty_tier: peer.trust_tier,\n handshake_current: peer.active,\n reputation_score: reputationScore,\n mutual_attestation_count: mutualAttestationCount,\n trust_level,\n factors,\n evaluated_at: now,\n };\n }\n\n /**\n * Remove a peer from the registry.\n */\n removePeer(peerId: string): boolean {\n return this.peers.delete(peerId);\n }\n\n /**\n * Get the handshake results map (for tier resolution integration).\n */\n getHandshakeResults(): Map<string, HandshakeResult> {\n const results = new Map<string, HandshakeResult>();\n for (const [id, peer] of this.peers) {\n if (peer.active) {\n results.set(id, peer.handshake_result);\n }\n }\n return results;\n }\n}\n","/**\n * Sanctuary MCP Server — Federation MCP Tools\n *\n * MCP tool definitions for MCP-to-MCP federation.\n * Three tools cover the core federation operations:\n * 1. federation_peers — List and manage known federation peers\n * 2. federation_trust_evaluate — Evaluate trust for a peer\n * 3. federation_exchange_reputation — Exchange reputation data with a peer\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { FederationRegistry } from \"./registry.js\";\n\nexport function createFederationTools(\n auditLog: AuditLog,\n handshakeResults: Map<string, HandshakeResult>\n): { tools: ToolDefinition[]; registry: FederationRegistry } {\n const registry = new FederationRegistry();\n\n const tools: ToolDefinition[] = [\n // ─── Peer Management ──────────────────────────────────────────────\n\n {\n name: \"sanctuary/federation_peers\",\n description:\n \"List known federation peers, register a peer from a completed handshake, \" +\n \"or remove a peer. Every peer MUST enter through a verified handshake — \" +\n \"no self-registration allowed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n action: {\n type: \"string\",\n enum: [\"list\", \"register\", \"remove\"],\n description: \"Operation to perform on the peer registry\",\n },\n peer_id: {\n type: \"string\",\n description: \"Peer instance ID (required for register/remove)\",\n },\n peer_did: {\n type: \"string\",\n description: \"Peer DID (required for register)\",\n },\n active_only: {\n type: \"boolean\",\n description: \"When listing, only show peers with active handshakes\",\n },\n },\n required: [\"action\"],\n },\n handler: async (args) => {\n const action = args.action as string;\n\n switch (action) {\n case \"list\": {\n const peers = registry.listPeers({\n active_only: args.active_only as boolean | undefined,\n });\n\n auditLog.append(\"l4\", \"federation_peers_list\", \"system\", {\n peer_count: peers.length,\n });\n\n return toolResult({\n peers: peers.map((p) => ({\n peer_id: p.peer_id,\n peer_did: p.peer_did,\n trust_tier: p.trust_tier,\n active: p.active,\n first_seen: p.first_seen,\n last_handshake: p.last_handshake,\n capabilities: p.capabilities,\n })),\n total: peers.length,\n });\n }\n\n case \"register\": {\n const peerId = args.peer_id as string;\n const peerDid = args.peer_did as string;\n\n if (!peerId || !peerDid) {\n return toolResult({\n error: \"Both peer_id and peer_did are required for registration.\",\n });\n }\n\n // Peer MUST have a completed handshake\n const hsResult = handshakeResults.get(peerId);\n if (!hsResult) {\n return toolResult({\n error: `No completed handshake found for peer \"${peerId}\". ` +\n \"Complete a sovereignty handshake first using handshake_initiate.\",\n });\n }\n\n if (!hsResult.verified) {\n return toolResult({\n error: `Handshake with \"${peerId}\" was not verified. ` +\n \"Only verified handshakes can establish federation.\",\n });\n }\n\n const peer = registry.registerFromHandshake(hsResult, peerDid);\n\n auditLog.append(\"l4\", \"federation_peer_register\", \"system\", {\n peer_id: peerId,\n peer_did: peerDid,\n trust_tier: peer.trust_tier,\n });\n\n return toolResult({\n registered: true,\n peer_id: peer.peer_id,\n trust_tier: peer.trust_tier,\n active: peer.active,\n capabilities: peer.capabilities,\n });\n }\n\n case \"remove\": {\n const peerId = args.peer_id as string;\n if (!peerId) {\n return toolResult({ error: \"peer_id is required for removal.\" });\n }\n\n const removed = registry.removePeer(peerId);\n\n auditLog.append(\"l4\", \"federation_peer_remove\", \"system\", {\n peer_id: peerId,\n removed,\n });\n\n return toolResult({\n removed,\n peer_id: peerId,\n });\n }\n\n default:\n return toolResult({ error: `Unknown action: ${action}` });\n }\n },\n },\n\n // ─── Trust Evaluation ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/federation_trust_evaluate\",\n description:\n \"Evaluate the trust level of a federation peer. \" +\n \"Considers handshake status, sovereignty tier, reputation score, \" +\n \"and mutual attestation history. Returns a composite trust assessment.\",\n inputSchema: {\n type: \"object\",\n properties: {\n peer_id: {\n type: \"string\",\n description: \"Peer instance ID to evaluate\",\n },\n mutual_attestation_count: {\n type: \"number\",\n description: \"Number of mutual attestations with this peer (0 if unknown)\",\n },\n reputation_score: {\n type: \"number\",\n description: \"Peer's weighted reputation score (from reputation_query_weighted)\",\n },\n },\n required: [\"peer_id\"],\n },\n handler: async (args) => {\n const peerId = args.peer_id as string;\n const mutualCount = (args.mutual_attestation_count as number) ?? 0;\n const repScore = args.reputation_score as number | undefined;\n\n const evaluation = registry.evaluateTrust(peerId, mutualCount, repScore);\n\n auditLog.append(\"l4\", \"federation_trust_evaluate\", \"system\", {\n peer_id: peerId,\n trust_level: evaluation.trust_level,\n sovereignty_tier: evaluation.sovereignty_tier,\n });\n\n return toolResult(evaluation);\n },\n },\n\n // ─── Federation Status ────────────────────────────────────────────\n\n {\n name: \"sanctuary/federation_status\",\n description:\n \"Overview of federation state: total peers, active connections, \" +\n \"trust distribution, and readiness for cross-instance operations.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const allPeers = registry.listPeers();\n const activePeers = registry.listPeers({ active_only: true });\n\n // Trust tier distribution\n const tierCounts: Record<string, number> = {\n \"verified-sovereign\": 0,\n \"verified-degraded\": 0,\n \"self-attested\": 0,\n \"unverified\": 0,\n };\n for (const peer of allPeers) {\n tierCounts[peer.trust_tier] = (tierCounts[peer.trust_tier] ?? 0) + 1;\n }\n\n // Capability summary\n const capCounts = {\n reputation_exchange: activePeers.filter((p) => p.capabilities.reputation_exchange).length,\n mutual_attestation: activePeers.filter((p) => p.capabilities.mutual_attestation).length,\n encrypted_channel: activePeers.filter((p) => p.capabilities.encrypted_channel).length,\n };\n\n auditLog.append(\"l4\", \"federation_status\", \"system\", {\n total_peers: allPeers.length,\n active_peers: activePeers.length,\n });\n\n return toolResult({\n total_peers: allPeers.length,\n active_peers: activePeers.length,\n expired_peers: allPeers.length - activePeers.length,\n trust_distribution: tierCounts,\n capability_coverage: capCounts,\n federation_ready: activePeers.length > 0,\n checked_at: new Date().toISOString(),\n });\n },\n },\n ];\n\n return { tools, registry };\n}\n","/**\n * Sanctuary MCP Server — Concordia Bridge: Tool Definitions\n *\n * MCP tool wrappers for the Concordia-Sanctuary bridge.\n * Three tools:\n * sanctuary/bridge_commit — Bind a negotiation outcome to a Sanctuary commitment\n * sanctuary/bridge_verify — Verify a commitment against a revealed outcome\n * sanctuary/bridge_attest — Record a negotiation as a reputation attestation\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { ReputationStore } from \"../l4-reputation/reputation-store.js\";\nimport { resolveTier, TIER_WEIGHTS, type TierMetadata } from \"../l4-reputation/tiers.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { fromBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { bytesToString } from \"../core/encoding.js\";\nimport type { StoredIdentity } from \"../core/identity.js\";\n\nimport {\n createBridgeCommitment,\n verifyBridgeCommitment,\n} from \"./bridge.js\";\nimport type {\n ConcordiaOutcome,\n BridgeCommitment,\n} from \"./types.js\";\n\n// ─── Bridge Store ────────────────────────────────────────────────────────\n// Persists bridge commitments encrypted at rest for later verification\n// and attestation linking.\n\nclass BridgeStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"bridge-commitments\");\n }\n\n async save(commitment: BridgeCommitment, outcome: ConcordiaOutcome): Promise<void> {\n const record = { commitment, outcome };\n const serialized = stringToBytes(JSON.stringify(record));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_bridge\",\n commitment.bridge_commitment_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n async get(\n commitmentId: string\n ): Promise<{ commitment: BridgeCommitment; outcome: ConcordiaOutcome } | null> {\n const raw = await this.storage.read(\"_bridge\", commitmentId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n}\n\n// ─── Tool Factory ────────────────────────────────────────────────────────\n\nexport function createBridgeTools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n identityManager: IdentityManager,\n auditLog: AuditLog,\n handshakeResults?: Map<string, HandshakeResult>\n): { tools: ToolDefinition[] } {\n const bridgeStore = new BridgeStore(storage, masterKey);\n const reputationStore = new ReputationStore(storage, masterKey);\n const identityEncryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const hsResults = handshakeResults ?? new Map<string, HandshakeResult>();\n\n // Helper to resolve identity\n function resolveIdentity(identityId?: string): StoredIdentity {\n const id = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n if (!id) {\n throw new Error(\n identityId\n ? `Identity \"${identityId}\" not found`\n : \"No identity available. Create one with identity_create first.\"\n );\n }\n return id;\n }\n\n const tools: ToolDefinition[] = [\n // ─── bridge_commit ─────────────────────────────────────────────────\n\n {\n name: \"sanctuary/bridge_commit\",\n description:\n \"Create a cryptographic commitment binding a Concordia negotiation outcome \" +\n \"to Sanctuary's L3 proof layer. The commitment includes a SHA-256 hash of \" +\n \"the canonical outcome (hiding + binding), an Ed25519 signature by the \" +\n \"committer's identity, and an optional Pedersen commitment on the round \" +\n \"count for zero-knowledge range proofs. This is the Sanctuary side of the \" +\n \"Concordia bridge — call this when a Concordia `accept` fires.\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Concordia session identifier\",\n },\n protocol_version: {\n type: \"string\",\n description: 'Concordia protocol version (e.g., \"concordia-v1\")',\n },\n proposer_did: {\n type: \"string\",\n description: \"DID of the party who proposed the accepted terms\",\n },\n acceptor_did: {\n type: \"string\",\n description: \"DID of the party who accepted\",\n },\n terms: {\n type: \"object\",\n description: \"The accepted terms (opaque to Sanctuary, meaningful to Concordia)\",\n },\n terms_hash: {\n type: \"string\",\n description: \"SHA-256 hash of the canonical terms serialization (computed by Concordia)\",\n },\n rounds: {\n type: \"number\",\n description: \"Number of negotiation rounds (propose/counter cycles)\",\n },\n accepted_at: {\n type: \"string\",\n description: \"ISO 8601 timestamp when accept was issued\",\n },\n session_receipt: {\n type: \"string\",\n description: \"Optional: signed Concordia session receipt\",\n },\n identity_id: {\n type: \"string\",\n description: \"Sanctuary identity to sign the commitment (uses default if omitted)\",\n },\n include_pedersen: {\n type: \"boolean\",\n description: \"Include a Pedersen commitment on round count for ZK range proofs\",\n },\n },\n required: [\n \"session_id\",\n \"protocol_version\",\n \"proposer_did\",\n \"acceptor_did\",\n \"terms\",\n \"terms_hash\",\n \"rounds\",\n \"accepted_at\",\n ],\n },\n handler: async (args) => {\n const outcome: ConcordiaOutcome = {\n session_id: args.session_id as string,\n protocol_version: args.protocol_version as string,\n proposer_did: args.proposer_did as string,\n acceptor_did: args.acceptor_did as string,\n terms: args.terms as Record<string, unknown>,\n terms_hash: args.terms_hash as string,\n rounds: args.rounds as number,\n accepted_at: args.accepted_at as string,\n session_receipt: args.session_receipt as string | undefined,\n };\n\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const includePedersen = (args.include_pedersen as boolean) ?? false;\n\n const bridgeCommitment = createBridgeCommitment(\n outcome,\n identity,\n identityEncryptionKey,\n includePedersen\n );\n\n // Persist the commitment and outcome for later verification/attestation\n await bridgeStore.save(bridgeCommitment, outcome);\n\n auditLog.append(\"l3\", \"bridge_commit\", identity.identity_id, {\n bridge_commitment_id: bridgeCommitment.bridge_commitment_id,\n session_id: outcome.session_id,\n counterparty: outcome.proposer_did === identity.did\n ? outcome.acceptor_did\n : outcome.proposer_did,\n });\n\n return toolResult({\n bridge_commitment_id: bridgeCommitment.bridge_commitment_id,\n session_id: bridgeCommitment.session_id,\n sha256_commitment: bridgeCommitment.sha256_commitment,\n committer_did: bridgeCommitment.committer_did,\n signature: bridgeCommitment.signature,\n pedersen_commitment: bridgeCommitment.pedersen_commitment\n ? { commitment: bridgeCommitment.pedersen_commitment.commitment }\n : undefined,\n committed_at: bridgeCommitment.committed_at,\n bridge_version: bridgeCommitment.bridge_version,\n note: \"Bridge commitment created. The blinding factor is stored encrypted. \" +\n \"Use bridge_verify to verify the commitment against the revealed outcome. \" +\n \"Use bridge_attest to link this negotiation to your reputation.\",\n });\n },\n },\n\n // ─── bridge_verify ───────────────────────────────────────────────────\n\n {\n name: \"sanctuary/bridge_verify\",\n description:\n \"Verify a bridge commitment against a revealed Concordia negotiation outcome. \" +\n \"Checks SHA-256 commitment validity, Ed25519 signature, session ID match, \" +\n \"terms hash integrity, and Pedersen commitment (if present). Use this to \" +\n \"confirm that a counterparty's claimed negotiation outcome matches what was \" +\n \"cryptographically committed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bridge_commitment_id: {\n type: \"string\",\n description: \"The bridge commitment ID to verify\",\n },\n committer_public_key: {\n type: \"string\",\n description:\n \"The committer's Ed25519 public key (base64url). \" +\n \"Required if verifying a counterparty's commitment. \" +\n \"Omit to auto-resolve from local identities.\",\n },\n },\n required: [\"bridge_commitment_id\"],\n },\n handler: async (args) => {\n const commitmentId = args.bridge_commitment_id as string;\n const externalPublicKey = args.committer_public_key as string | undefined;\n\n // Load the stored commitment and outcome\n const record = await bridgeStore.get(commitmentId);\n if (!record) {\n return toolResult({\n error: `Bridge commitment \"${commitmentId}\" not found`,\n });\n }\n\n const { commitment: storedCommitment, outcome } = record;\n\n // Resolve the committer's public key\n let publicKey: Uint8Array;\n if (externalPublicKey) {\n publicKey = fromBase64url(externalPublicKey);\n } else {\n // Try to find the committer in local identities\n const localIdentities = identityManager.list();\n const match = localIdentities.find((i) => i.did === storedCommitment.committer_did);\n if (!match) {\n return toolResult({\n error: `Cannot resolve public key for committer \"${storedCommitment.committer_did}\". ` +\n \"Provide committer_public_key for external verification.\",\n });\n }\n publicKey = fromBase64url(match.public_key);\n }\n\n const result = verifyBridgeCommitment(storedCommitment, outcome, publicKey);\n\n auditLog.append(\"l3\", \"bridge_verify\", \"system\", {\n bridge_commitment_id: commitmentId,\n session_id: storedCommitment.session_id,\n valid: result.valid,\n });\n\n return toolResult({\n ...result,\n session_id: storedCommitment.session_id,\n committer_did: storedCommitment.committer_did,\n // SEC-ADD-03: Tag response as containing counterparty-controlled data\n _content_trust: \"external\",\n });\n },\n },\n\n // ─── bridge_attest ───────────────────────────────────────────────────\n\n {\n name: \"sanctuary/bridge_attest\",\n description:\n \"Record a Concordia negotiation as a Sanctuary L4 reputation attestation, \" +\n \"linked to a bridge commitment. This completes the bridge: the commitment \" +\n \"(L3) proves the terms were agreed, and the attestation (L4) feeds the \" +\n \"sovereignty-weighted reputation score. The attestation is automatically \" +\n \"tagged with the counterparty's sovereignty tier from any completed handshake.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bridge_commitment_id: {\n type: \"string\",\n description: \"The bridge commitment ID to link\",\n },\n outcome_result: {\n type: \"string\",\n enum: [\"completed\", \"partial\", \"failed\", \"disputed\"],\n description: \"Negotiation outcome for reputation scoring\",\n },\n metrics: {\n type: \"object\",\n description:\n \"Optional metrics (e.g., rounds, response_time_ms, terms_complexity)\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign the attestation (uses default if omitted)\",\n },\n },\n required: [\"bridge_commitment_id\", \"outcome_result\"],\n },\n handler: async (args) => {\n const commitmentId = args.bridge_commitment_id as string;\n const outcomeResult = args.outcome_result as\n | \"completed\"\n | \"partial\"\n | \"failed\"\n | \"disputed\";\n const metrics = (args.metrics as Record<string, number>) ?? {};\n const identityId = args.identity_id as string | undefined;\n\n // Load the stored commitment and outcome\n const record = await bridgeStore.get(commitmentId);\n if (!record) {\n return toolResult({\n error: `Bridge commitment \"${commitmentId}\" not found`,\n });\n }\n\n const { outcome } = record;\n const identity = resolveIdentity(identityId);\n\n // Determine counterparty DID\n const counterpartyDid =\n outcome.proposer_did === identity.did\n ? outcome.acceptor_did\n : outcome.proposer_did;\n\n // Resolve sovereignty tier from handshake results\n // Check if the counterparty has a known Sanctuary identity\n const hasSanctuaryIdentity = identityManager.list().some(\n (id) => identityManager.get(id.identity_id)?.did === counterpartyDid\n );\n const tierMeta: TierMetadata = resolveTier(counterpartyDid, hsResults, hasSanctuaryIdentity);\n const tier = tierMeta.sovereignty_tier;\n\n // Include bridge-specific metrics alongside user-provided ones\n const fullMetrics = {\n ...metrics,\n negotiation_rounds: outcome.rounds,\n };\n\n // Record the reputation attestation\n const attestation = await reputationStore.record(\n outcome.session_id, // interaction_id = concordia session\n counterpartyDid,\n {\n type: \"negotiation\",\n result: outcomeResult,\n metrics: fullMetrics,\n },\n \"concordia-bridge\", // context\n identity,\n identityEncryptionKey,\n undefined, // counterparty_attestation\n tier\n );\n\n auditLog.append(\"l4\", \"bridge_attest\", identity.identity_id, {\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n attestation_id: attestation.attestation.attestation_id,\n counterparty_did: counterpartyDid,\n sovereignty_tier: tier,\n });\n\n const weight = TIER_WEIGHTS[tier];\n\n return toolResult({\n attestation_id: attestation.attestation.attestation_id,\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n counterparty_did: counterpartyDid,\n outcome_result: outcomeResult,\n sovereignty_tier: tier,\n attested_at: attestation.recorded_at,\n note: `Negotiation recorded as reputation attestation. ` +\n `Counterparty sovereignty tier: ${tier} (weight: ${weight}).`,\n });\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — Concordia Bridge: Core Module\n *\n * Implements the Sanctuary side of the Concordia bridge:\n * 1. bridge_commit — Create a cryptographic commitment binding a negotiation outcome\n * 2. bridge_verify — Verify a commitment against a revealed outcome\n * 3. bridge_attest — Link a negotiation to L4 reputation via the commitment\n *\n * The bridge composes L3 (selective disclosure) and L4 (verifiable reputation)\n * to serve negotiation-specific needs. It introduces no new cryptographic\n * primitives — everything delegates to the existing L3 commitment/ZK layer\n * and L4 reputation store.\n *\n * Non-dependency principle: this module can be used without Concordia\n * running. Any system that provides a ConcordiaOutcome-shaped object\n * can create bridge commitments. Concordia is the expected caller, but\n * the interface is protocol-agnostic.\n */\n\nimport { createCommitment, verifyCommitment } from \"../l3-disclosure/commitments.js\";\nimport { createPedersenCommitment, verifyPedersenCommitment } from \"../l3-disclosure/zk-proofs.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { hash } from \"../core/hashing.js\";\nimport type { StoredIdentity } from \"../core/identity.js\";\nimport type {\n ConcordiaOutcome,\n BridgeCommitment,\n BridgeVerificationResult,\n} from \"./types.js\";\n\n// ─── Canonical Serialization ─────────────────────────────────────────────\n// Deterministic JSON serialization of the ConcordiaOutcome for commitment.\n// Keys are sorted to ensure identical outcomes produce identical bytes.\n\n/**\n * Produce a canonical byte representation of a ConcordiaOutcome.\n * Sorts all keys recursively to ensure determinism.\n */\nexport function canonicalize(outcome: ConcordiaOutcome): Uint8Array {\n return stringToBytes(stableStringify(outcome));\n}\n\n/**\n * Recursively sort object keys for deterministic JSON.\n *\n * Security hardening: rejects non-finite numbers (NaN, Infinity, -Infinity)\n * which are not representable in JSON and would produce `null`, breaking\n * commitment determinism. Also rejects `undefined` values in arrays\n * (object `undefined` values are already excluded by Object.keys).\n */\nfunction stableStringify(value: unknown): string {\n if (value === null) return \"null\";\n if (value === undefined) return \"null\";\n if (typeof value === \"number\") {\n if (!Number.isFinite(value)) {\n throw new Error(\n `Cannot canonicalize non-finite number: ${value}. ` +\n `NaN, Infinity, and -Infinity are not representable in JSON.`\n );\n }\n if (Object.is(value, -0)) {\n throw new Error(\n \"Cannot canonicalize negative zero (-0). \" +\n \"Use 0 instead for deterministic cross-language serialization.\"\n );\n }\n return JSON.stringify(value);\n }\n if (typeof value !== \"object\") return JSON.stringify(value);\n if (Array.isArray(value)) {\n return \"[\" + value.map((v) => stableStringify(v)).join(\",\") + \"]\";\n }\n const obj = value as Record<string, unknown>;\n const keys = Object.keys(obj).sort();\n const pairs = keys.map((k) => JSON.stringify(k) + \":\" + stableStringify(obj[k]));\n return \"{\" + pairs.join(\",\") + \"}\";\n}\n\n// ─── Bridge Commit ───────────────────────────────────────────────────────\n\n/**\n * Create a cryptographic commitment binding a Concordia negotiation outcome\n * to Sanctuary's L3 proof layer.\n *\n * Creates:\n * 1. A SHA-256 commitment over the canonical outcome (always)\n * 2. A Pedersen commitment over the round count (optional, for ZK range proofs)\n * 3. An Ed25519 signature over the commitment by the committer's identity\n *\n * @param outcome - The Concordia negotiation outcome to bind\n * @param identity - The Sanctuary identity creating the commitment\n * @param identityEncryptionKey - Key to decrypt the identity's private key\n * @param includePedersen - Whether to create a Pedersen commitment on round count\n * @returns The bridge commitment\n */\nexport function createBridgeCommitment(\n outcome: ConcordiaOutcome,\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n includePedersen: boolean = false\n): BridgeCommitment {\n const commitmentId = `bridge-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n // 1. Canonical serialization of the outcome\n const canonicalBytes = canonicalize(outcome);\n const canonicalString = new TextDecoder().decode(canonicalBytes);\n\n // 2. SHA-256 commitment: hash(canonical || blinding_factor)\n const sha256 = createCommitment(canonicalString);\n\n // 3. Pedersen commitment on round count (optional)\n let pedersenData: BridgeCommitment[\"pedersen_commitment\"] | undefined;\n if (includePedersen && Number.isInteger(outcome.rounds) && outcome.rounds >= 0) {\n const pedersen = createPedersenCommitment(outcome.rounds);\n pedersenData = {\n commitment: pedersen.commitment,\n blinding_factor: pedersen.blinding_factor,\n };\n }\n\n // 4. Build the commitment payload for signing\n // Includes terms_hash so the signature binds the commitment to the specific terms\n const commitmentPayload = {\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n sha256_commitment: sha256.commitment,\n terms_hash: outcome.terms_hash,\n committer_did: identity.did,\n committed_at: now,\n bridge_version: \"sanctuary-concordia-bridge-v1\" as const,\n };\n\n // 5. Sign the commitment with the identity's Ed25519 key\n // Uses stableStringify (not JSON.stringify) for deterministic key ordering\n // across languages — required for cross-repo signature verification (SEC-003).\n const payloadBytes = stringToBytes(stableStringify(commitmentPayload));\n const signature = sign(payloadBytes, identity.encrypted_private_key, identityEncryptionKey);\n\n return {\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n sha256_commitment: sha256.commitment,\n blinding_factor: sha256.blinding_factor,\n committer_did: identity.did,\n signature: toBase64url(signature),\n pedersen_commitment: pedersenData,\n committed_at: now,\n bridge_version: \"sanctuary-concordia-bridge-v1\",\n };\n}\n\n// ─── Bridge Verify ───────────────────────────────────────────────────────\n\n/**\n * Verify a bridge commitment against a revealed Concordia outcome.\n *\n * Checks:\n * 1. SHA-256 commitment matches the canonical outcome + blinding factor\n * 2. Ed25519 signature is valid for the committer's public key\n * 3. Session IDs match\n * 4. Terms hash matches (Concordia's own hash of the terms)\n * 5. Pedersen commitment matches round count (if present)\n *\n * @param commitment - The bridge commitment to verify\n * @param outcome - The revealed Concordia outcome\n * @param committerPublicKey - The committer's Ed25519 public key\n * @returns Verification result with per-check detail\n */\nexport function verifyBridgeCommitment(\n commitment: BridgeCommitment,\n outcome: ConcordiaOutcome,\n committerPublicKey: Uint8Array\n): BridgeVerificationResult {\n const now = new Date().toISOString();\n\n // 1. SHA-256 commitment check\n const canonicalString = new TextDecoder().decode(canonicalize(outcome));\n const sha256Match = verifyCommitment(\n commitment.sha256_commitment,\n canonicalString,\n commitment.blinding_factor\n );\n\n // 2. Signature check (must match the signing payload exactly)\n // Uses stableStringify (not JSON.stringify) for deterministic key ordering\n // across languages — required for cross-repo signature verification (SEC-003).\n const commitmentPayload = {\n bridge_commitment_id: commitment.bridge_commitment_id,\n session_id: commitment.session_id,\n sha256_commitment: commitment.sha256_commitment,\n terms_hash: outcome.terms_hash,\n committer_did: commitment.committer_did,\n committed_at: commitment.committed_at,\n bridge_version: commitment.bridge_version,\n };\n const payloadBytes = stringToBytes(stableStringify(commitmentPayload));\n const sigBytes = fromBase64url(commitment.signature);\n const signatureValid = verify(payloadBytes, sigBytes, committerPublicKey);\n\n // 3. Session ID match\n const sessionIdMatch = commitment.session_id === outcome.session_id;\n\n // 4. Terms hash match — verify Concordia's terms_hash against the actual terms\n const termsBytes = stringToBytes(stableStringify(outcome.terms));\n const computedTermsHash = toBase64url(hash(termsBytes));\n const termsHashMatch = computedTermsHash === outcome.terms_hash;\n\n // 5. Pedersen match (if present)\n let pedersenMatch: boolean | undefined;\n if (commitment.pedersen_commitment) {\n pedersenMatch = verifyPedersenCommitment(\n commitment.pedersen_commitment.commitment,\n outcome.rounds,\n commitment.pedersen_commitment.blinding_factor\n );\n }\n\n const valid =\n sha256Match &&\n signatureValid &&\n sessionIdMatch &&\n termsHashMatch &&\n (pedersenMatch === undefined || pedersenMatch);\n\n return {\n valid,\n checks: {\n sha256_match: sha256Match,\n signature_valid: signatureValid,\n session_id_match: sessionIdMatch,\n terms_hash_match: termsHashMatch,\n pedersen_match: pedersenMatch,\n },\n bridge_commitment_id: commitment.bridge_commitment_id,\n verified_at: now,\n };\n}\n","/**\n * Sanctuary MCP Server — Environment Detector\n *\n * Read-only environment fingerprinting. Probes the local filesystem to detect\n * what sovereignty infrastructure is installed (Sanctuary config, OpenClaw, etc.).\n *\n * IMPORTANT: This module is strictly read-only. It MUST NOT write, create, modify,\n * or delete any files or make any network requests.\n */\n\nimport { readFile, access } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { EnvironmentFingerprint, OpenClawConfigAudit } from \"./types.js\";\n\n/**\n * Strip single-line comments (// ...), block comments, and trailing commas\n * from a JSON5-ish string so it can be parsed by JSON.parse.\n */\nfunction lenientJsonParse(raw: string): unknown {\n // Remove single-line comments\n let cleaned = raw.replace(/\\/\\/[^\\n]*/g, \"\");\n // Remove block comments\n cleaned = cleaned.replace(/\\/\\*[\\s\\S]*?\\*\\//g, \"\");\n // Remove trailing commas before } or ]\n cleaned = cleaned.replace(/,\\s*([\\]}])/g, \"$1\");\n return JSON.parse(cleaned);\n}\n\n/**\n * Check if a file exists (read-only).\n */\nasync function fileExists(path: string): Promise<boolean> {\n try {\n await access(path);\n return true;\n } catch {\n return false;\n }\n}\n\n/**\n * Safely read a file, returning null if it doesn't exist or can't be read.\n */\nasync function safeReadFile(path: string): Promise<string | null> {\n try {\n return await readFile(path, \"utf-8\");\n } catch {\n return null;\n }\n}\n\n/**\n * Detect the local environment and produce a fingerprint.\n * This function is strictly read-only.\n */\nexport async function detectEnvironment(\n config: SanctuaryConfig,\n deepScan: boolean\n): Promise<EnvironmentFingerprint> {\n const fingerprint: EnvironmentFingerprint = {\n sanctuary_installed: true, // We're running inside Sanctuary\n sanctuary_version: config.version,\n openclaw_detected: false,\n openclaw_version: null,\n openclaw_config: null,\n node_version: process.version,\n platform: `${process.platform}-${process.arch}`,\n };\n\n if (!deepScan) {\n return fingerprint;\n }\n\n // Detect OpenClaw\n const home = homedir();\n const openclawConfigPath = join(home, \".openclaw\", \"openclaw.json\");\n const openclawEnvPath = join(home, \".openclaw\", \".env\");\n const openclawMemoryPath = join(home, \".openclaw\", \"workspace\", \"MEMORY.md\");\n const openclawMemoryDir = join(home, \".openclaw\", \"workspace\", \"memory\");\n\n const configExists = await fileExists(openclawConfigPath);\n const envExists = await fileExists(openclawEnvPath);\n const memoryExists = await fileExists(openclawMemoryPath);\n const memoryDirExists = await fileExists(openclawMemoryDir);\n\n // OpenClaw is detected if its config file or workspace exists\n if (configExists || memoryExists || memoryDirExists) {\n fingerprint.openclaw_detected = true;\n fingerprint.openclaw_config = await auditOpenClawConfig(\n openclawConfigPath,\n openclawEnvPath,\n openclawMemoryPath,\n configExists,\n envExists,\n memoryExists\n );\n }\n\n return fingerprint;\n}\n\n/**\n * Audit OpenClaw configuration (read-only).\n */\nasync function auditOpenClawConfig(\n configPath: string,\n envPath: string,\n _memoryPath: string,\n configExists: boolean,\n envExists: boolean,\n memoryExists: boolean\n): Promise<OpenClawConfigAudit> {\n const audit: OpenClawConfigAudit = {\n config_path: configExists ? configPath : null,\n require_approval_enabled: false,\n sandbox_policy_active: false,\n sandbox_allow_list: [],\n sandbox_deny_list: [],\n memory_encrypted: false, // Stock OpenClaw never encrypts memory\n env_file_exposed: false,\n gateway_token_set: false,\n dm_pairing_enabled: false,\n mcp_bridge_active: false,\n };\n\n // Parse OpenClaw config\n if (configExists) {\n const raw = await safeReadFile(configPath);\n if (raw) {\n try {\n const parsed = lenientJsonParse(raw) as Record<string, unknown>;\n\n // Check for version\n // OpenClaw may store version at top level\n // (We don't set openclaw_version on the fingerprint here — caller does that)\n\n // Check hooks for requireApproval\n const hooks = parsed.hooks as Record<string, unknown> | undefined;\n if (hooks) {\n const beforeToolCall = hooks.before_tool_call;\n if (beforeToolCall) {\n const hookStr = JSON.stringify(beforeToolCall);\n audit.require_approval_enabled = hookStr.includes(\"requireApproval\");\n }\n }\n\n // Check sandbox policy\n const tools = parsed.tools as Record<string, unknown> | undefined;\n if (tools) {\n const sandbox = tools.sandbox as Record<string, unknown> | undefined;\n if (sandbox) {\n const sandboxTools = sandbox.tools as Record<string, unknown> | undefined;\n if (sandboxTools) {\n audit.sandbox_policy_active = true;\n if (Array.isArray(sandboxTools.allow)) {\n audit.sandbox_allow_list = sandboxTools.allow.filter(\n (item): item is string => typeof item === \"string\"\n );\n }\n // Also check alsoAllow (OpenClaw v2026.3.28+)\n if (Array.isArray(sandboxTools.alsoAllow)) {\n audit.sandbox_allow_list = [\n ...audit.sandbox_allow_list,\n ...sandboxTools.alsoAllow.filter(\n (item): item is string => typeof item === \"string\"\n ),\n ];\n }\n if (Array.isArray(sandboxTools.deny)) {\n audit.sandbox_deny_list = sandboxTools.deny.filter(\n (item): item is string => typeof item === \"string\"\n );\n }\n }\n }\n }\n\n // Check for MCP bridge\n const mcpServers = parsed.mcpServers as Record<string, unknown> | undefined;\n if (mcpServers && Object.keys(mcpServers).length > 0) {\n audit.mcp_bridge_active = true;\n }\n } catch {\n // Config exists but couldn't be parsed — leave defaults\n }\n }\n }\n\n // Check .env for plaintext secrets\n if (envExists) {\n const envContent = await safeReadFile(envPath);\n if (envContent) {\n const secretPatterns = [\n /[A-Z_]*API_KEY\\s*=/,\n /[A-Z_]*TOKEN\\s*=/,\n /[A-Z_]*SECRET\\s*=/,\n /[A-Z_]*PASSWORD\\s*=/,\n /[A-Z_]*PRIVATE_KEY\\s*=/,\n ];\n audit.env_file_exposed = secretPatterns.some((p) => p.test(envContent));\n audit.gateway_token_set = /OPENCLAW_GATEWAY_TOKEN\\s*=/.test(envContent);\n }\n }\n\n // Memory is always plaintext in stock OpenClaw\n if (memoryExists) {\n audit.memory_encrypted = false;\n }\n\n return audit;\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Gap Analyzer\n *\n * Analyzes an environment fingerprint against Sanctuary's four-layer sovereignty\n * model and produces a scored gap analysis with prioritized recommendations.\n *\n * Scoring is deterministic: same environment state → same score, every time.\n */\n\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type {\n EnvironmentFingerprint,\n SovereigntyAuditResult,\n L1AuditResult,\n L2AuditResult,\n L3AuditResult,\n L4AuditResult,\n SovereigntyGap,\n IncidentClass,\n Recommendation,\n} from \"./types.js\";\n\n// ── Scoring Constants ───────────────────────────────────────────────────\n\n// L1: 35 points max\nconst L1_ENCRYPTION_AT_REST = 10;\nconst L1_IDENTITY_CRYPTOGRAPHIC = 10;\nconst L1_INTEGRITY_VERIFICATION = 8;\nconst L1_STATE_PORTABLE = 7;\n\n// L2: 30 points max (increased from 25 to accommodate hardening)\nconst L2_THREE_TIER_GATE = 10;\nconst L2_BINARY_GATE = 3;\nconst L2_ANOMALY_DETECTION = 5;\nconst L2_ENCRYPTED_AUDIT = 4;\nconst L2_TOOL_SANDBOXING = 2;\nconst L2_CONTEXT_GATING = 4;\nconst L2_PROCESS_HARDENING = 5;\n\n// L3: 20 points max\n// Note: Schnorr + range proofs ARE genuine zero-knowledge proofs.\n// Non-interactive Fiat-Shamir is superior to interactive protocols for MCP servers\n// (no round-trip latency, offline-verifiable, replay-resistant via domain separation).\nconst L3_COMMITMENT_SCHEME = 8;\nconst L3_ZK_PROOFS = 7;\nconst L3_DISCLOSURE_POLICIES = 5;\n\n// L4: 20 points max\nconst L4_PORTABLE_REPUTATION = 6;\nconst L4_SIGNED_ATTESTATIONS = 6;\nconst L4_SYBIL_DETECTION = 4;\nconst L4_SOVEREIGNTY_GATED = 4;\n\n// Severity ordering for gap sorting\nconst SEVERITY_ORDER: Record<string, number> = {\n critical: 0,\n high: 1,\n medium: 2,\n low: 3,\n};\n\n// ── Incident Class Catalog ─────────────────────────────────────────────\n// Real-world incidents mapped to the sovereignty gaps they exploited.\n\nconst INCIDENT_META_SEV1: IncidentClass = {\n id: \"META-SEV1-2026\",\n name: \"Meta Sev 1: Unauthorized autonomous data exposure\",\n date: \"2026-03-18\",\n description:\n \"AI agent autonomously posted proprietary code, business strategies, and user datasets \" +\n \"to an internal forum without human approval. Two-hour exposure window.\",\n};\n\nconst INCIDENT_OPENCLAW_SANDBOX: IncidentClass = {\n id: \"OPENCLAW-CVE-2026\",\n name: \"OpenClaw sandbox escape via privilege inheritance\",\n date: \"2026-03-18\",\n description:\n \"Nine CVEs in four days. Child processes inherited sandbox.mode=off from parent, \" +\n \"bypassing runtime confinement. 42,900+ internet-exposed instances, 15,200 vulnerable to RCE.\",\n cves: [\n \"CVE-2026-32048\",\n \"CVE-2026-32915\",\n \"CVE-2026-32918\",\n ],\n};\n\nconst INCIDENT_CONTEXT_LEAKAGE: IncidentClass = {\n id: \"CONTEXT-LEAK-CLASS\",\n name: \"Context leakage: Full state exposure to inference providers\",\n date: \"2026-03\",\n description:\n \"Agents send full context — conversation history, memory, secrets, internal reasoning — \" +\n \"to remote LLM providers on every inference call with no filtering mechanism.\",\n};\n\n/** Exported for use in custom gap analysis extensions. */\nexport const INCIDENT_META_INBOX: IncidentClass = {\n id: \"META-INBOX-2026\",\n name: \"Meta inbox deletion: Safety instructions stripped by context compaction\",\n date: \"2026-03\",\n description:\n \"OpenClaw agent instructed to 'always ask before taking actions' began deleting inbox \" +\n \"autonomously after context window compaction silently stripped the safety instruction.\",\n};\n\nconst INCIDENT_CLAUDE_CODE_LEAK: IncidentClass = {\n id: \"CLAUDE-CODE-LEAK-2026\",\n name: \"Claude Code source leak: 512K lines exposed via npm source map\",\n date: \"2026-03-31\",\n description:\n \"Anthropic accidentally shipped a 59.8 MB source map in npm package v2.1.88, exposing \" +\n \"the full Claude Code TypeScript source — 1,900 files, internal model codenames, \" +\n \"unreleased features, OAuth flows, and multi-agent coordination logic.\",\n};\n\n/**\n * Analyze sovereignty posture and produce a full audit result.\n */\nexport function analyzeSovereignty(\n env: EnvironmentFingerprint,\n config: SanctuaryConfig\n): SovereigntyAuditResult {\n const l1 = assessL1(env, config);\n const l2 = assessL2(env, config);\n const l3 = assessL3(env, config);\n const l4 = assessL4(env, config);\n\n const l1Score = scoreL1(l1);\n const l2Score = scoreL2(l2);\n const l3Score = scoreL3(l3);\n const l4Score = scoreL4(l4);\n\n const overallScore = l1Score + l2Score + l3Score + l4Score;\n\n const sovereigntyLevel = overallScore >= 80\n ? \"full\"\n : overallScore >= 50\n ? \"partial\"\n : overallScore >= 20\n ? \"minimal\"\n : \"none\";\n\n const gaps = generateGaps(env, l1, l2, l3, l4);\n gaps.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);\n\n const recommendations = generateRecommendations(env, l1, l2, l3, l4);\n\n return {\n version: \"1.0\",\n audited_at: new Date().toISOString(),\n environment: env,\n layers: {\n l1_cognitive: l1,\n l2_operational: l2,\n l3_selective_disclosure: l3,\n l4_reputation: l4,\n },\n overall_score: overallScore,\n sovereignty_level: sovereigntyLevel,\n gaps,\n recommendations,\n };\n}\n\n// ── Layer Assessment ────────────────────────────────────────────────────\n\nfunction assessL1(\n env: EnvironmentFingerprint,\n config: SanctuaryConfig\n): L1AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n const encryptionAtRest = sanctuaryActive;\n const keyCustody = sanctuaryActive ? \"self\" as const : \"none\" as const;\n const integrityVerification = sanctuaryActive;\n const identityCryptographic = sanctuaryActive;\n const statePortable = sanctuaryActive;\n\n if (sanctuaryActive) {\n findings.push(\"AES-256-GCM encryption active for all state\");\n findings.push(`Key derivation: ${config.state.key_derivation}`);\n findings.push(`Identity provider: ${config.state.identity_provider}`);\n findings.push(\"Merkle integrity verification enabled\");\n findings.push(\"State export/import available\");\n }\n\n if (env.openclaw_detected && env.openclaw_config) {\n if (!env.openclaw_config.memory_encrypted) {\n findings.push(\"OpenClaw agent memory (MEMORY.md, daily notes) stored in plaintext\");\n }\n if (env.openclaw_config.env_file_exposed) {\n findings.push(\"OpenClaw .env file contains plaintext API keys/tokens\");\n }\n }\n\n const status = encryptionAtRest && identityCryptographic\n ? \"active\"\n : encryptionAtRest || identityCryptographic\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n encryption_at_rest: encryptionAtRest,\n key_custody: keyCustody,\n integrity_verification: integrityVerification,\n identity_cryptographic: identityCryptographic,\n state_portable: statePortable,\n findings,\n };\n}\n\nfunction assessL2(\n env: EnvironmentFingerprint,\n _config: SanctuaryConfig\n): L2AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n let approvalGate: \"three-tier\" | \"binary\" | \"none\" = \"none\";\n let behavioralAnomalyDetection = false;\n let auditTrailEncrypted = false;\n let auditTrailExists = false;\n let toolSandboxing: \"policy-enforced\" | \"basic\" | \"none\" = \"none\";\n let contextGating = false;\n let processIsolationHardening: \"full\" | \"hardened\" | \"basic\" | \"none\" = \"none\";\n\n if (sanctuaryActive) {\n approvalGate = \"three-tier\";\n behavioralAnomalyDetection = true;\n auditTrailEncrypted = true;\n auditTrailExists = true;\n contextGating = true;\n findings.push(\"Three-tier Principal Policy gate active\");\n findings.push(\"Behavioral anomaly detection (BaselineTracker) enabled\");\n findings.push(\"Encrypted audit trail active\");\n findings.push(\"Context gating available (sanctuary/context_gate_set_policy)\");\n }\n\n if (env.openclaw_detected && env.openclaw_config) {\n if (env.openclaw_config.require_approval_enabled) {\n if (!sanctuaryActive) {\n approvalGate = \"binary\";\n }\n findings.push(\"OpenClaw requireApproval hook enabled (binary approve/deny)\");\n }\n if (env.openclaw_config.sandbox_policy_active) {\n if (!sanctuaryActive) {\n toolSandboxing = \"basic\";\n }\n findings.push(\n `OpenClaw sandbox policy active (${env.openclaw_config.sandbox_allow_list.length} allowed, ` +\n `${env.openclaw_config.sandbox_deny_list.length} denied)`\n );\n }\n }\n\n // L2 hardening is optional and can be verified via tools at runtime\n // This assessment assumes default \"none\"; actual hardening is measured\n // by the l2_hardening_status and l2_verify_isolation tools\n processIsolationHardening = \"none\";\n\n const status = approvalGate === \"three-tier\" && auditTrailEncrypted\n ? \"active\"\n : approvalGate !== \"none\" || auditTrailExists\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n approval_gate: approvalGate,\n behavioral_anomaly_detection: behavioralAnomalyDetection,\n audit_trail_encrypted: auditTrailEncrypted,\n audit_trail_exists: auditTrailExists,\n tool_sandboxing: sanctuaryActive ? \"policy-enforced\" : toolSandboxing,\n context_gating: contextGating,\n process_isolation_hardening: processIsolationHardening,\n findings,\n };\n}\n\nfunction assessL3(\n env: EnvironmentFingerprint,\n _config: SanctuaryConfig\n): L3AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n let commitmentScheme: \"pedersen+sha256\" | \"sha256-only\" | \"none\" = \"none\";\n let zkProofs = false;\n let selectiveDisclosurePolicy = false;\n\n if (sanctuaryActive) {\n commitmentScheme = \"pedersen+sha256\";\n zkProofs = true; // Schnorr proofs + range proofs\n selectiveDisclosurePolicy = true;\n findings.push(\"SHA-256 + Pedersen commitment schemes active\");\n findings.push(\"Schnorr zero-knowledge proofs (Fiat-Shamir) enabled — genuine ZK proofs\");\n findings.push(\"Range proofs (bit-decomposition + OR-proofs) enabled — genuine ZK proofs\");\n findings.push(\"Selective disclosure policies configurable\");\n findings.push(\"Non-interactive proofs with replay-resistant domain separation\");\n }\n\n const status = commitmentScheme === \"pedersen+sha256\" && zkProofs\n ? \"active\"\n : commitmentScheme !== \"none\"\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n commitment_scheme: commitmentScheme,\n zero_knowledge_proofs: zkProofs,\n selective_disclosure_policy: selectiveDisclosurePolicy,\n findings,\n };\n}\n\nfunction assessL4(\n env: EnvironmentFingerprint,\n _config: SanctuaryConfig\n): L4AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n const reputationPortable = sanctuaryActive;\n const reputationSigned = sanctuaryActive;\n const sybilDetection = sanctuaryActive;\n const sovereigntyGated = sanctuaryActive;\n\n if (sanctuaryActive) {\n findings.push(\"Signed EAS-compatible attestations active\");\n findings.push(\"Reputation export/import available\");\n findings.push(\"Sybil detection heuristics enabled\");\n findings.push(\"Sovereignty-gated reputation tiers active\");\n } else {\n findings.push(\"No portable reputation system detected\");\n }\n\n const status = reputationPortable && reputationSigned && sovereigntyGated\n ? \"active\"\n : reputationPortable || reputationSigned\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n reputation_portable: reputationPortable,\n reputation_signed: reputationSigned,\n reputation_sybil_detection: sybilDetection,\n sovereignty_gated_tiers: sovereigntyGated,\n findings,\n };\n}\n\n// ── Scoring ─────────────────────────────────────────────────────────────\n\nfunction scoreL1(l1: L1AuditResult): number {\n let score = 0;\n if (l1.encryption_at_rest) score += L1_ENCRYPTION_AT_REST;\n if (l1.identity_cryptographic) score += L1_IDENTITY_CRYPTOGRAPHIC;\n if (l1.integrity_verification) score += L1_INTEGRITY_VERIFICATION;\n if (l1.state_portable) score += L1_STATE_PORTABLE;\n return score;\n}\n\nfunction scoreL2(l2: L2AuditResult): number {\n let score = 0;\n if (l2.approval_gate === \"three-tier\") score += L2_THREE_TIER_GATE;\n else if (l2.approval_gate === \"binary\") score += L2_BINARY_GATE;\n if (l2.behavioral_anomaly_detection) score += L2_ANOMALY_DETECTION;\n if (l2.audit_trail_encrypted) score += L2_ENCRYPTED_AUDIT;\n if (l2.tool_sandboxing === \"policy-enforced\") score += L2_TOOL_SANDBOXING;\n else if (l2.tool_sandboxing === \"basic\") score += 1;\n if (l2.context_gating) score += L2_CONTEXT_GATING;\n // Software-based process hardening without TEE\n if (l2.process_isolation_hardening === \"hardened\") score += L2_PROCESS_HARDENING;\n else if (l2.process_isolation_hardening === \"basic\") score += 2;\n return score;\n}\n\nfunction scoreL3(l3: L3AuditResult): number {\n let score = 0;\n // Pedersen commitments + Schnorr/range proofs = genuine zero-knowledge proofs\n // Full L3 = 20 points (8 commitment + 7 proofs + 5 policies)\n if (l3.commitment_scheme === \"pedersen+sha256\") score += L3_COMMITMENT_SCHEME;\n else if (l3.commitment_scheme === \"sha256-only\") score += 4;\n if (l3.zero_knowledge_proofs) score += L3_ZK_PROOFS;\n if (l3.selective_disclosure_policy) score += L3_DISCLOSURE_POLICIES;\n return score;\n}\n\nfunction scoreL4(l4: L4AuditResult): number {\n let score = 0;\n if (l4.reputation_portable) score += L4_PORTABLE_REPUTATION;\n if (l4.reputation_signed) score += L4_SIGNED_ATTESTATIONS;\n if (l4.reputation_sybil_detection) score += L4_SYBIL_DETECTION;\n if (l4.sovereignty_gated_tiers) score += L4_SOVEREIGNTY_GATED;\n return score;\n}\n\n// ── Gap Generation ──────────────────────────────────────────────────────\n\nfunction generateGaps(\n env: EnvironmentFingerprint,\n l1: L1AuditResult,\n l2: L2AuditResult,\n l3: L3AuditResult,\n l4: L4AuditResult\n): SovereigntyGap[] {\n const gaps: SovereigntyGap[] = [];\n const oc = env.openclaw_config;\n\n // L1 gaps\n if (oc && !oc.memory_encrypted) {\n gaps.push({\n id: \"GAP-L1-001\",\n layer: \"L1\",\n severity: \"critical\",\n title: \"Agent memory stored in plaintext\",\n description:\n \"Your agent's memory (MEMORY.md, daily notes, SQLite index) is stored in plaintext \" +\n \"at ~/.openclaw/workspace/. Any process with file access can read your agent's full \" +\n \"context — preferences, decisions, conversation history.\",\n openclaw_relevance:\n \"Stock OpenClaw stores all agent memory in plaintext files. \" +\n \"There is no built-in encryption for agent state.\",\n sanctuary_solution:\n \"Sanctuary encrypts all state at rest with AES-256-GCM using a key derived from \" +\n \"Argon2id, making state opaque to any process that doesn't hold the master key. \" +\n \"Use sanctuary/state_write to migrate sensitive state to the encrypted store.\",\n incident_class: INCIDENT_META_SEV1,\n });\n }\n\n if (oc && oc.env_file_exposed) {\n gaps.push({\n id: \"GAP-L1-002\",\n layer: \"L1\",\n severity: \"critical\",\n title: \"Plaintext API keys in .env file\",\n description:\n \"Your .env file contains plaintext API keys and tokens. These secrets are readable \" +\n \"by any process with filesystem access.\",\n openclaw_relevance:\n \"OpenClaw stores API keys (LLM providers, gateway tokens) in a plaintext .env file.\",\n sanctuary_solution:\n \"Sanctuary's encrypted state store can hold secrets under the same AES-256-GCM \" +\n \"envelope as all other state, tied to your self-custodied identity. \" +\n \"Use sanctuary/state_write with namespace 'secrets'.\",\n });\n }\n\n if (!l1.identity_cryptographic) {\n gaps.push({\n id: \"GAP-L1-003\",\n layer: \"L1\",\n severity: \"critical\",\n title: \"No cryptographic agent identity\",\n description:\n \"Your agent has no cryptographic identity. It cannot prove it is who it claims \" +\n \"to be to any counterparty, sign messages, or participate in sovereignty handshakes.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw has no cryptographic agent identity. Agent identity is implicit \" +\n \"(tied to the process/session), not cryptographically verifiable.\"\n : null,\n sanctuary_solution:\n \"Sanctuary provides Ed25519 self-custodied identity with key rotation and delegation. \" +\n \"Use sanctuary/identity_create to establish your cryptographic identity.\",\n });\n }\n\n // L2 gaps\n if (l2.approval_gate === \"binary\" && !l2.behavioral_anomaly_detection) {\n gaps.push({\n id: \"GAP-L2-001\",\n layer: \"L2\",\n severity: \"high\",\n title: \"Binary approval gate (no anomaly detection)\",\n description:\n \"Your approval gate provides binary approve/deny gating without behavioral anomaly \" +\n \"detection. Routine operations require the same manual approval as sensitive ones.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw's requireApproval hook provides binary approve/deny gating. \" +\n \"Sanctuary's three-tier Principal Policy adds behavioral anomaly detection \" +\n \"(auto-escalation when agent behavior deviates from baseline), encrypted audit \" +\n \"trails, and graduated approval tiers — so routine operations auto-proceed while \" +\n \"sensitive operations require explicit consent.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's three-tier Principal Policy gate auto-allows routine operations (Tier 3), \" +\n \"escalates anomalous behavior (Tier 2), and always requires human approval for \" +\n \"irreversible operations (Tier 1). Use sanctuary/principal_policy_view to inspect.\",\n incident_class: INCIDENT_META_SEV1,\n });\n } else if (l2.approval_gate === \"none\") {\n gaps.push({\n id: \"GAP-L2-001\",\n layer: \"L2\",\n severity: \"critical\",\n title: \"No approval gate\",\n description:\n \"No approval gate is configured. All tool calls execute without oversight.\",\n openclaw_relevance: null,\n sanctuary_solution:\n \"Sanctuary's Principal Policy evaluates every tool call before execution. \" +\n \"Enable it to get three-tier approval gating with behavioral anomaly detection.\",\n incident_class: INCIDENT_META_SEV1,\n });\n }\n\n if (l2.tool_sandboxing === \"basic\") {\n gaps.push({\n id: \"GAP-L2-002\",\n layer: \"L2\",\n severity: \"medium\",\n title: \"Basic tool sandboxing (no cryptographic attestation)\",\n description:\n \"Your tool sandbox enforces allow/deny lists but provides no cryptographic \" +\n \"attestation of execution context.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw's sandbox tool policy (tools.sandbox.tools) enforces allow/deny lists. \" +\n \"Sanctuary adds cryptographic attestation of execution context — a verifiable proof \" +\n \"that an operation ran within policy, not just that a policy was configured.\"\n : null,\n sanctuary_solution:\n \"Sanctuary provides cryptographic execution attestation via sanctuary/exec_attest \" +\n \"and policy-enforced sandboxing with encrypted audit trails.\",\n incident_class: INCIDENT_OPENCLAW_SANDBOX,\n });\n }\n\n if (!l2.context_gating) {\n gaps.push({\n id: \"GAP-L2-003\",\n layer: \"L2\",\n severity: \"high\",\n title: \"No context gating for outbound inference calls\",\n description:\n \"Your agent sends its full context — conversation history, memory, preferences, \" +\n \"internal reasoning — to remote LLM providers on every inference call. There is \" +\n \"no mechanism to filter what leaves the sovereignty boundary. The provider sees \" +\n \"everything the agent knows.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw sends full agent context (including MEMORY.md, tool results, and \" +\n \"conversation history) to the configured LLM provider with every API call. \" +\n \"There is no built-in context filtering.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's context gating (sanctuary/context_gate_set_policy + \" +\n \"sanctuary/context_gate_filter) lets you define per-provider policies that \" +\n \"control exactly what context flows outbound. Redact secrets, hash identifiers, \" +\n \"and send only minimum-necessary context for each call.\",\n incident_class: INCIDENT_CONTEXT_LEAKAGE,\n });\n }\n\n if (!l2.audit_trail_exists) {\n gaps.push({\n id: \"GAP-L2-004\",\n layer: \"L2\",\n severity: \"high\",\n title: \"No audit trail\",\n description:\n \"No audit trail exists for tool call history. There is no record of what operations \" +\n \"were executed, when, or by whom.\",\n openclaw_relevance: null,\n sanctuary_solution:\n \"Sanctuary maintains an encrypted audit log of all operations, queryable via \" +\n \"sanctuary/monitor_audit_log.\",\n incident_class: INCIDENT_CLAUDE_CODE_LEAK,\n });\n }\n\n // L3 gaps\n if (l3.commitment_scheme === \"none\") {\n gaps.push({\n id: \"GAP-L3-001\",\n layer: \"L3\",\n severity: \"high\",\n title: \"No selective disclosure capability\",\n description:\n \"Your agent has no cryptographic mechanism to prove facts about its state without \" +\n \"revealing the state itself. Every disclosure is all-or-nothing: no commitments, no \" +\n \"zero-knowledge proofs, no selective disclosure policies.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw has no selective disclosure mechanism. When your agent shares information, \" +\n \"it shares everything or nothing — there is no way to prove a claim without \" +\n \"revealing the underlying data.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's L3 provides SHA-256 + Pedersen commitments with genuine zero-knowledge \" +\n \"proofs (Schnorr + range proofs via Fiat-Shamir transform). Your agent can prove it \" +\n \"has a valid credential, sufficient reputation, or a completed transaction without \" +\n \"exposing the underlying data. Use sanctuary/zk_commit and sanctuary/zk_prove.\",\n incident_class: INCIDENT_META_SEV1,\n });\n }\n\n // L4 gaps\n if (!l4.reputation_portable) {\n gaps.push({\n id: \"GAP-L4-001\",\n layer: \"L4\",\n severity: \"high\",\n title: \"No portable reputation\",\n description:\n \"Your agent's reputation is platform-locked. If you move to a different harness \" +\n \"or platform, your track record doesn't follow.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw has no reputation system. Your agent's track record exists only in \" +\n \"conversation history, which is not structured, signed, or portable.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's L4 provides signed EAS-compatible attestations that are self-custodied, \" +\n \"portable, and cryptographically verifiable. Your reputation is yours, not your \" +\n \"platform's. Use sanctuary/reputation_record to start building portable reputation.\",\n });\n }\n\n return gaps;\n}\n\n// ── Recommendation Generation ───────────────────────────────────────────\n\nfunction generateRecommendations(\n env: EnvironmentFingerprint,\n l1: L1AuditResult,\n l2: L2AuditResult,\n l3: L3AuditResult,\n l4: L4AuditResult\n): Recommendation[] {\n const recs: Recommendation[] = [];\n\n if (!l1.identity_cryptographic) {\n recs.push({\n priority: 1,\n action: \"Create a cryptographic identity — your agent's foundation for all sovereignty operations\",\n tool: \"sanctuary/identity_create\",\n effort: \"immediate\",\n impact: \"critical\",\n });\n }\n\n if (!l1.encryption_at_rest || (env.openclaw_config && !env.openclaw_config.memory_encrypted)) {\n recs.push({\n priority: 2,\n action: \"Migrate plaintext agent state to Sanctuary's encrypted store\",\n tool: \"sanctuary/state_write\",\n effort: \"minutes\",\n impact: \"critical\",\n });\n }\n\n recs.push({\n priority: 3,\n action: \"Generate a Sovereignty Health Report to present to counterparties\",\n tool: \"sanctuary/shr_generate\",\n effort: \"immediate\",\n impact: \"high\",\n });\n\n if (l2.approval_gate !== \"three-tier\") {\n recs.push({\n priority: 4,\n action: \"Enable the three-tier Principal Policy gate for graduated approval\",\n tool: \"sanctuary/principal_policy_view\",\n effort: \"minutes\",\n impact: \"high\",\n });\n }\n\n if (!l2.context_gating) {\n recs.push({\n priority: 5,\n action: \"Configure context gating to control what flows to LLM providers\",\n tool: \"sanctuary/context_gate_set_policy\",\n effort: \"minutes\",\n impact: \"high\",\n });\n }\n\n if (!l4.reputation_signed) {\n recs.push({\n priority: 6,\n action: \"Start recording reputation attestations from completed interactions\",\n tool: \"sanctuary/reputation_record\",\n effort: \"minutes\",\n impact: \"medium\",\n });\n }\n\n if (!l3.selective_disclosure_policy) {\n recs.push({\n priority: 7,\n action: \"Configure selective disclosure policies for data sharing\",\n tool: \"sanctuary/disclosure_set_policy\",\n effort: \"hours\",\n impact: \"medium\",\n });\n }\n\n return recs;\n}\n\n// ── Report Formatting ───────────────────────────────────────────────────\n\n/**\n * Format the audit result as a human-readable report.\n */\nexport function formatAuditReport(result: SovereigntyAuditResult): string {\n const { environment: env, layers, overall_score, sovereignty_level, gaps, recommendations } = result;\n\n const scoreBar = formatScoreBar(overall_score);\n const levelLabel = sovereignty_level.toUpperCase();\n\n let report = \"\";\n report += \"═══════════════════════════════════════════════\\n\";\n report += \" SOVEREIGNTY AUDIT REPORT\\n\";\n report += ` Generated: ${result.audited_at}\\n`;\n report += \"═══════════════════════════════════════════════\\n\";\n report += \"\\n\";\n report += ` Overall Score: ${overall_score} / 100 ${scoreBar} ${levelLabel}\\n`;\n report += \"\\n\";\n\n // Environment section\n report += \" Environment:\\n\";\n report += ` • Sanctuary v${env.sanctuary_version ?? \"?\"} ${padDots(\"Sanctuary v\" + (env.sanctuary_version ?? \"?\"))} ${env.sanctuary_installed ? \"✓ installed\" : \"✗ not found\"}\\n`;\n\n if (env.openclaw_detected) {\n report += ` • OpenClaw ${padDots(\"OpenClaw\")} ✓ detected\\n`;\n if (env.openclaw_config) {\n report += ` • OpenClaw requireApproval ${padDots(\"OpenClaw requireApproval\")} ${env.openclaw_config.require_approval_enabled ? \"✓ enabled\" : \"✗ disabled\"}\\n`;\n report += ` • OpenClaw sandbox policy ${padDots(\"OpenClaw sandbox policy\")} ${env.openclaw_config.sandbox_policy_active ? \"✓ active\" : \"✗ inactive\"}\\n`;\n }\n }\n\n report += \"\\n\";\n\n // Layer assessment table\n const l1Score = scoreL1(layers.l1_cognitive);\n const l2Score = scoreL2(layers.l2_operational);\n const l3Score = scoreL3(layers.l3_selective_disclosure);\n const l4Score = scoreL4(layers.l4_reputation);\n\n report += \" Layer Assessment:\\n\";\n report += \" ┌─────────────────────────────┬──────────┬───────┐\\n\";\n report += \" │ Layer │ Status │ Score │\\n\";\n report += \" ├─────────────────────────────┼──────────┼───────┤\\n\";\n report += ` │ L1 Cognitive Sovereignty │ ${padStatus(layers.l1_cognitive.status)} │ ${padScore(l1Score, 35)} │\\n`;\n report += ` │ L2 Operational Isolation │ ${padStatus(layers.l2_operational.status)} │ ${padScore(l2Score, 25)} │\\n`;\n if (layers.l2_operational.context_gating) {\n report += ` │ └ Context Gating │ ACTIVE │ │\\n`;\n }\n report += ` │ L3 Selective Disclosure │ ${padStatus(layers.l3_selective_disclosure.status)} │ ${padScore(l3Score, 20)} │\\n`;\n report += ` │ L4 Verifiable Reputation │ ${padStatus(layers.l4_reputation.status)} │ ${padScore(l4Score, 20)} │\\n`;\n report += \" └─────────────────────────────┴──────────┴───────┘\\n\";\n report += \"\\n\";\n\n // Gaps\n if (gaps.length > 0) {\n report += ` ⚠ ${gaps.length} SOVEREIGNTY GAP${gaps.length !== 1 ? \"S\" : \"\"} FOUND\\n`;\n report += \"\\n\";\n for (const gap of gaps) {\n const severityLabel = `[${gap.severity.toUpperCase()}]`;\n report += ` ${severityLabel} ${gap.id}: ${gap.title}\\n`;\n // Wrap description to ~70 chars\n const descLines = wordWrap(gap.description, 66);\n for (const line of descLines) {\n report += ` ${line}\\n`;\n }\n if (gap.incident_class) {\n const ic = gap.incident_class;\n const cveStr = ic.cves?.length ? ` (${ic.cves.join(\", \")})` : \"\";\n report += ` → Incident precedent: ${ic.name}${cveStr} [${ic.date}]\\n`;\n }\n report += ` → Fix: ${gap.sanctuary_solution.split(\".\")[0]}.\\n`;\n if (gap.openclaw_relevance) {\n report += ` → OpenClaw context: ${gap.openclaw_relevance.split(\".\")[0]}.\\n`;\n }\n report += \"\\n\";\n }\n } else {\n report += \" ✓ NO SOVEREIGNTY GAPS FOUND\\n\";\n report += \"\\n\";\n }\n\n // Recommendations\n if (recommendations.length > 0) {\n report += \" RECOMMENDED NEXT STEPS (in order):\\n\";\n for (const rec of recommendations) {\n const effortLabel = rec.effort === \"immediate\"\n ? \"immediate\"\n : rec.effort === \"minutes\"\n ? \"5 min\"\n : \"30 min\";\n report += ` ${rec.priority}. [${effortLabel}] ${rec.action}`;\n if (rec.tool) {\n report += `: ${rec.tool}`;\n }\n report += \"\\n\";\n }\n report += \"\\n\";\n }\n\n report += \"═══════════════════════════════════════════════\\n\";\n\n return report;\n}\n\n// ── Helpers ─────────────────────────────────────────────────────────────\n\nfunction formatScoreBar(score: number): string {\n const filled = Math.round(score / 10);\n return \"[\" + \"■\".repeat(filled) + \"░\".repeat(10 - filled) + \"]\";\n}\n\nfunction padDots(label: string): string {\n const totalWidth = 30;\n const dotsNeeded = Math.max(2, totalWidth - label.length - 4);\n return \".\".repeat(dotsNeeded);\n}\n\nfunction padStatus(status: string): string {\n const label = status.toUpperCase();\n return label + \" \".repeat(Math.max(0, 8 - label.length));\n}\n\nfunction padScore(score: number, max: number): string {\n const text = `${score}/${max}`;\n return \" \".repeat(Math.max(0, 5 - text.length)) + text;\n}\n\nfunction wordWrap(text: string, maxWidth: number): string[] {\n const words = text.split(\" \");\n const lines: string[] = [];\n let current = \"\";\n for (const word of words) {\n if (current.length + word.length + 1 > maxWidth && current.length > 0) {\n lines.push(current);\n current = word;\n } else {\n current = current.length > 0 ? current + \" \" + word : word;\n }\n }\n if (current.length > 0) lines.push(current);\n return lines;\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Audit MCP Tool\n *\n * Registers the sanctuary/sovereignty_audit tool that inspects the local\n * environment, detects sovereignty protections (including OpenClaw-specific\n * configurations), and produces a structured gap analysis report.\n *\n * This tool is Tier 3 (auto-allow) — it is read-only and diagnostic.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport { detectEnvironment } from \"./detector.js\";\nimport { analyzeSovereignty, formatAuditReport } from \"./analyzer.js\";\n\nexport function createAuditTools(\n config: SanctuaryConfig\n): { tools: ToolDefinition[] } {\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/sovereignty_audit\",\n description:\n \"Audit your agent's sovereignty posture. Inspects the local environment for \" +\n \"encryption, identity, approval gates, selective disclosure, and reputation — \" +\n \"including OpenClaw-specific configurations. Returns a scored gap analysis with \" +\n \"prioritized recommendations.\",\n inputSchema: {\n type: \"object\",\n properties: {\n deep_scan: {\n type: \"boolean\",\n description:\n \"If true (default), also scans for OpenClaw config, .env files, and \" +\n \"memory files. Set to false for a Sanctuary-only assessment.\",\n },\n },\n },\n handler: async (args) => {\n const deepScan = args.deep_scan !== false; // Default true\n\n // Detect environment (read-only)\n const env = await detectEnvironment(config, deepScan);\n\n // Analyze sovereignty posture\n const result = analyzeSovereignty(env, config);\n\n // Format human-readable report\n const report = formatAuditReport(result);\n\n return {\n content: [\n { type: \"text\" as const, text: report },\n { type: \"text\" as const, text: JSON.stringify(result, null, 2) },\n ],\n };\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — L2 Operational Isolation: Context Gating\n *\n * Context gating controls what information leaves the sovereignty boundary\n * when an agent makes outbound calls — especially inference calls to remote\n * LLM providers. This is the \"minimum-necessary context\" enforcement layer.\n *\n * The problem: When an agent sends a request to a remote LLM provider (Claude,\n * GPT, etc.), most harnesses send the agent's full context — conversation\n * history, memory, tool results, preferences, internal reasoning. The agent\n * has no control over what the provider sees.\n *\n * Context gating lets the agent define:\n * - Provider categories (inference, tool-api, logging, analytics, etc.)\n * - What fields/categories of context may flow to each provider type\n * - What must always be redacted (secrets, internal reasoning, PII, etc.)\n * - What requires transformation (hashing, summarizing, anonymizing)\n *\n * This sits in L2 (Operational Isolation) because it controls information\n * flow at the execution boundary. L3 (Selective Disclosure) handles agent-\n * to-agent trust negotiation with cryptographic proofs; context gating\n * handles agent-to-infrastructure information flow.\n *\n * Security invariants:\n * - Redact rules take absolute priority (like withhold in L3)\n * - Policies are stored encrypted under L1 sovereignty\n * - Every filter operation is audit-logged with a content hash\n * (what was sent, what was redacted — without storing the content itself)\n * - Default policy: redact everything not explicitly allowed\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString, toBase64url } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { hashToString } from \"../core/hashing.js\";\n\n// ── Types ───────────────────────────────────────────────────────────────\n\n/** Provider categories that context may flow to */\nexport type ProviderCategory =\n | \"inference\" // Remote LLM API calls (Claude, GPT, etc.)\n | \"tool-api\" // External tool/API calls (web search, database, etc.)\n | \"logging\" // Telemetry and logging services\n | \"analytics\" // Usage analytics and metrics\n | \"peer-agent\" // Other agents (falls through to L3 disclosure for crypto)\n | \"custom\"; // User-defined category\n\n/** Actions that can be taken on a context field */\nexport type ContextAction =\n | \"allow\" // Field passes through unchanged\n | \"redact\" // Field is completely removed (replaced with \"[REDACTED]\")\n | \"hash\" // Field value is replaced with its SHA-256 hash\n | \"summarize\" // Field is marked for summarization (advisory — agent should compress)\n | \"deny\"; // Entire request should be blocked if this field is present\n\n/** A rule within a context-gating policy */\nexport interface ContextGateRule {\n /** Provider category this rule applies to */\n provider: ProviderCategory | \"*\";\n /** Fields/patterns that may pass through */\n allow: string[];\n /** Fields/patterns that must be redacted (highest priority) */\n redact: string[];\n /** Fields/patterns that should be hashed */\n hash: string[];\n /** Fields/patterns that should be summarized (advisory) */\n summarize: string[];\n}\n\n/** A complete context-gating policy */\nexport interface ContextGatePolicy {\n policy_id: string;\n policy_name: string;\n rules: ContextGateRule[];\n /** Default action when no rule matches a field */\n default_action: \"redact\" | \"deny\";\n /** Identity this policy is bound to (optional) */\n identity_id?: string;\n created_at: string;\n updated_at: string;\n}\n\n/** Result of filtering a single field */\nexport interface FieldFilterResult {\n field: string;\n action: ContextAction;\n reason: string;\n /** If action is \"hash\", contains the hash */\n hash_value?: string;\n}\n\n/** Result of a full context filter operation */\nexport interface ContextFilterResult {\n policy_id: string;\n provider: ProviderCategory | string;\n fields_allowed: number;\n fields_redacted: number;\n fields_hashed: number;\n fields_summarized: number;\n fields_denied: number;\n decisions: FieldFilterResult[];\n /** SHA-256 hash of the original context (for audit trail) */\n original_context_hash: string;\n /** SHA-256 hash of the filtered output (for audit trail) */\n filtered_context_hash: string;\n filtered_at: string;\n}\n\n// ── Size Limits ─────────────────────────────────────────────────────────\n\n/** Maximum number of top-level fields in a context object */\nexport const MAX_CONTEXT_FIELDS = 1000;\n\n/** Maximum number of rules in a policy */\nexport const MAX_POLICY_RULES = 50;\n\n/** Maximum number of patterns in a single rule array (allow, redact, hash, summarize) */\nexport const MAX_PATTERNS_PER_ARRAY = 500;\n\n// ── Policy Evaluation ───────────────────────────────────────────────────\n\n/**\n * Evaluate a context field against a policy for a given provider.\n *\n * Priority order (same as L3 disclosure):\n * 1. Redact (blocks — highest priority)\n * 2. Deny (blocks entire request)\n * 3. Hash (transforms)\n * 4. Summarize (advisory transform)\n * 5. Allow (passes through)\n * 6. Default action\n */\nexport function evaluateField(\n policy: ContextGatePolicy,\n provider: ProviderCategory | string,\n field: string\n): FieldFilterResult {\n // Find matching rules: exact provider first, then wildcard\n const exactRule = policy.rules.find((r) => r.provider === provider);\n const wildcardRule = policy.rules.find((r) => r.provider === \"*\");\n const matchedRule = exactRule ?? wildcardRule;\n\n if (!matchedRule) {\n return {\n field,\n action: policy.default_action === \"deny\" ? \"deny\" : \"redact\",\n reason: `No rule matches provider \"${provider}\"; applying default (${policy.default_action})`,\n };\n }\n\n // Redact takes absolute priority\n if (matchesPattern(field, matchedRule.redact)) {\n return {\n field,\n action: \"redact\",\n reason: `Field \"${field}\" is explicitly redacted for ${matchedRule.provider} provider`,\n };\n }\n\n // Hash\n if (matchesPattern(field, matchedRule.hash)) {\n return {\n field,\n action: \"hash\",\n reason: `Field \"${field}\" is hashed for ${matchedRule.provider} provider`,\n };\n }\n\n // Summarize (advisory)\n if (matchesPattern(field, matchedRule.summarize)) {\n return {\n field,\n action: \"summarize\",\n reason: `Field \"${field}\" should be summarized for ${matchedRule.provider} provider`,\n };\n }\n\n // Allow\n if (matchesPattern(field, matchedRule.allow)) {\n return {\n field,\n action: \"allow\",\n reason: `Field \"${field}\" is allowed for ${matchedRule.provider} provider`,\n };\n }\n\n // Not mentioned — fall to default\n return {\n field,\n action: policy.default_action === \"deny\" ? \"deny\" : \"redact\",\n reason: `Field \"${field}\" not addressed in ${matchedRule.provider} rule; applying default (${policy.default_action})`,\n };\n}\n\n/**\n * Filter a full context object against a policy for a given provider.\n * Returns per-field decisions and content hashes for the audit trail.\n */\nexport function filterContext(\n policy: ContextGatePolicy,\n provider: ProviderCategory | string,\n context: Record<string, unknown>\n): ContextFilterResult {\n const fields = Object.keys(context);\n if (fields.length > MAX_CONTEXT_FIELDS) {\n throw new Error(\n `Context object has ${fields.length} fields, exceeding limit of ${MAX_CONTEXT_FIELDS}`\n );\n }\n const decisions: FieldFilterResult[] = [];\n let allowed = 0;\n let redacted = 0;\n let hashed = 0;\n let summarized = 0;\n let denied = 0;\n\n for (const field of fields) {\n const result = evaluateField(policy, provider, field);\n\n // If hash action, compute the hash\n if (result.action === \"hash\") {\n const value = typeof context[field] === \"string\"\n ? context[field] as string\n : JSON.stringify(context[field]);\n result.hash_value = hashToString(stringToBytes(value));\n }\n\n decisions.push(result);\n\n switch (result.action) {\n case \"allow\": allowed++; break;\n case \"redact\": redacted++; break;\n case \"hash\": hashed++; break;\n case \"summarize\": summarized++; break;\n case \"deny\": denied++; break;\n }\n }\n\n // Compute content hashes for audit trail\n const originalHash = hashToString(\n stringToBytes(JSON.stringify(context))\n );\n\n // Build filtered output for hash computation\n const filteredOutput: Record<string, unknown> = {};\n for (const decision of decisions) {\n switch (decision.action) {\n case \"allow\":\n filteredOutput[decision.field] = context[decision.field];\n break;\n case \"redact\":\n filteredOutput[decision.field] = \"[REDACTED]\";\n break;\n case \"hash\":\n filteredOutput[decision.field] = `[HASH:${decision.hash_value}]`;\n break;\n case \"summarize\":\n filteredOutput[decision.field] = \"[SUMMARIZE]\";\n break;\n case \"deny\":\n // Field excluded entirely\n break;\n }\n }\n const filteredHash = hashToString(\n stringToBytes(JSON.stringify(filteredOutput))\n );\n\n return {\n policy_id: policy.policy_id,\n provider,\n fields_allowed: allowed,\n fields_redacted: redacted,\n fields_hashed: hashed,\n fields_summarized: summarized,\n fields_denied: denied,\n decisions,\n original_context_hash: originalHash,\n filtered_context_hash: filteredHash,\n filtered_at: new Date().toISOString(),\n };\n}\n\n// ── Pattern Matching ────────────────────────────────────────────────────\n\n/**\n * Check if a field name matches any pattern in a list.\n * Supports:\n * - Exact match: \"conversation_history\"\n * - Wildcard prefix: \"secret_*\" matches \"secret_key\", \"secret_token\"\n * - Wildcard suffix: \"*_pii\" matches \"name_pii\", \"email_pii\"\n * - Full wildcard: \"*\" matches everything\n */\nexport function matchesPattern(field: string, patterns: string[]): boolean {\n const normalizedField = field.toLowerCase();\n for (const pattern of patterns) {\n if (pattern === \"*\") return true;\n const normalizedPattern = pattern.toLowerCase();\n if (normalizedPattern === normalizedField) return true;\n if (normalizedPattern.endsWith(\"*\") && normalizedField.startsWith(normalizedPattern.slice(0, -1))) return true;\n if (normalizedPattern.startsWith(\"*\") && normalizedField.endsWith(normalizedPattern.slice(1))) return true;\n }\n return false;\n}\n\n// ── Policy Store ────────────────────────────────────────────────────────\n\n/**\n * Context gate policy store — encrypted under L1 sovereignty.\n */\nexport class ContextGatePolicyStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private policies: Map<string, ContextGatePolicy> = new Map();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l2-context-gate\");\n }\n\n /**\n * Create and store a new context-gating policy.\n */\n async create(\n policyName: string,\n rules: ContextGateRule[],\n defaultAction: \"redact\" | \"deny\",\n identityId?: string\n ): Promise<ContextGatePolicy> {\n const policyId = `cg-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n const policy: ContextGatePolicy = {\n policy_id: policyId,\n policy_name: policyName,\n rules,\n default_action: defaultAction,\n identity_id: identityId,\n created_at: now,\n updated_at: now,\n };\n\n await this.persist(policy);\n this.policies.set(policyId, policy);\n\n return policy;\n }\n\n /**\n * Get a policy by ID.\n */\n async get(policyId: string): Promise<ContextGatePolicy | null> {\n if (this.policies.has(policyId)) {\n return this.policies.get(policyId)!;\n }\n\n const raw = await this.storage.read(\"_context_gate_policies\", policyId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: ContextGatePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policyId, policy);\n return policy;\n } catch {\n return null;\n }\n }\n\n /**\n * List all context-gating policies.\n */\n async list(): Promise<ContextGatePolicy[]> {\n await this.loadAll();\n return Array.from(this.policies.values());\n }\n\n /**\n * Load all persisted policies into memory.\n */\n private async loadAll(): Promise<void> {\n try {\n const entries = await this.storage.list(\"_context_gate_policies\");\n for (const meta of entries) {\n if (this.policies.has(meta.key)) continue;\n const raw = await this.storage.read(\"_context_gate_policies\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: ContextGatePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policy.policy_id, policy);\n } catch {\n // Skip corrupted policies\n }\n }\n } catch {\n // Storage not available\n }\n }\n\n private async persist(policy: ContextGatePolicy): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(policy));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_context_gate_policies\",\n policy.policy_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L2 Context Gating: Starter Policy Templates\n *\n * Pre-built policies for common use cases. These are starting points —\n * users should customize them for their specific context structure.\n *\n * Templates:\n *\n * inference-minimal\n * Only the current task and query reach the LLM. Everything else\n * is redacted. Secrets, PII, memory, reasoning, and history are\n * all blocked. IDs are hashed. Maximum privacy, minimum context.\n *\n * inference-standard\n * Task, query, and tool results pass through. Conversation history\n * is flagged for summarization (compress before sending). Secrets,\n * PII, and internal reasoning are redacted. IDs are hashed.\n * Balanced: the LLM has enough context to be useful without seeing\n * everything the agent knows.\n *\n * logging-strict\n * Redacts everything for logging/analytics providers. Only\n * operation names and timestamps pass through. Use this for\n * telemetry services where you want usage metrics without\n * content exposure.\n *\n * tool-api-scoped\n * Allows tool-specific parameters and the current task, redacts\n * memory, history, secrets, and PII. Hashes IDs. For outbound\n * calls to external APIs (search, database, etc.) where you need\n * to send query parameters but not your agent's full state.\n */\n\nimport type { ContextGateRule } from \"./context-gate.js\";\n\n/** A template definition ready to be applied via the policy store */\nexport interface ContextGateTemplate {\n /** Machine-readable template ID */\n id: string;\n /** Human-readable name */\n name: string;\n /** One-line description */\n description: string;\n /** When to use this template */\n use_when: string;\n /** The rules that make up this template */\n rules: ContextGateRule[];\n /** Default action for unmatched fields */\n default_action: \"redact\" | \"deny\";\n}\n\n// ── Shared Patterns ─────────────────────────────────────────────────────\n// These field patterns appear across multiple templates. Keeping them\n// as named constants makes the security-critical redact lists auditable.\n\n/** Fields that must ALWAYS be redacted regardless of provider */\nconst ALWAYS_REDACT_SECRETS = [\n \"api_key\",\n \"secret_*\",\n \"*_secret\",\n \"*_token\",\n \"*_key\",\n \"password\",\n \"*_password\",\n \"credential\",\n \"*_credential\",\n \"private_key\",\n \"recovery_key\",\n \"passphrase\",\n \"auth_*\",\n];\n\n/** Fields containing personally identifiable information */\nconst PII_PATTERNS = [\n \"*_pii\",\n \"name\",\n \"full_name\",\n \"email\",\n \"email_address\",\n \"phone\",\n \"phone_number\",\n \"address\",\n \"ssn\",\n \"date_of_birth\",\n \"ip_address\",\n \"credit_card\",\n \"card_number\",\n \"cvv\",\n \"bank_account\",\n \"account_number\",\n \"routing_number\",\n];\n\n/** Fields containing agent internal state */\nconst INTERNAL_STATE_PATTERNS = [\n \"memory\",\n \"agent_memory\",\n \"internal_reasoning\",\n \"internal_state\",\n \"reasoning_trace\",\n \"chain_of_thought\",\n \"private_notes\",\n \"soul\",\n \"personality\",\n \"system_prompt\",\n];\n\n/** ID fields that should be hashed rather than sent in plaintext */\nconst ID_PATTERNS = [\n \"user_id\",\n \"session_id\",\n \"agent_id\",\n \"identity_id\",\n \"conversation_id\",\n \"thread_id\",\n];\n\n/** History/context fields that are large and should be summarized */\nconst HISTORY_PATTERNS = [\n \"conversation_history\",\n \"message_history\",\n \"chat_history\",\n \"context_window\",\n \"previous_messages\",\n];\n\n// ── Templates ───────────────────────────────────────────────────────────\n\nexport const INFERENCE_MINIMAL: ContextGateTemplate = {\n id: \"inference-minimal\",\n name: \"Inference Minimal\",\n description:\n \"Maximum privacy. Only the current task and query reach the LLM provider.\",\n use_when:\n \"You want the strictest possible context control for inference calls. \" +\n \"The LLM sees only what it needs for the immediate task.\",\n rules: [\n {\n provider: \"inference\",\n allow: [\n \"task\",\n \"task_description\",\n \"current_query\",\n \"query\",\n \"prompt\",\n \"question\",\n \"instruction\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n \"tool_results\",\n \"previous_results\",\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n ],\n default_action: \"redact\",\n};\n\nexport const INFERENCE_STANDARD: ContextGateTemplate = {\n id: \"inference-standard\",\n name: \"Inference Standard\",\n description:\n \"Balanced privacy. Task, query, and tool results pass through. \" +\n \"History flagged for summarization. Secrets and PII redacted.\",\n use_when:\n \"You need the LLM to have enough context for multi-step tasks \" +\n \"while keeping secrets, PII, and internal reasoning private.\",\n rules: [\n {\n provider: \"inference\",\n allow: [\n \"task\",\n \"task_description\",\n \"current_query\",\n \"query\",\n \"prompt\",\n \"question\",\n \"instruction\",\n \"tool_results\",\n \"tool_output\",\n \"previous_results\",\n \"current_step\",\n \"remaining_steps\",\n \"objective\",\n \"constraints\",\n \"format\",\n \"output_format\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [...HISTORY_PATTERNS],\n },\n ],\n default_action: \"redact\",\n};\n\nexport const LOGGING_STRICT: ContextGateTemplate = {\n id: \"logging-strict\",\n name: \"Logging Strict\",\n description:\n \"Redacts all content for logging and analytics providers. \" +\n \"Only operation metadata passes through.\",\n use_when:\n \"You send telemetry to logging or analytics services and want \" +\n \"usage metrics without any content exposure.\",\n rules: [\n {\n provider: \"logging\",\n allow: [\n \"operation\",\n \"operation_name\",\n \"tool_name\",\n \"timestamp\",\n \"duration_ms\",\n \"status\",\n \"error_code\",\n \"event_type\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n {\n provider: \"analytics\",\n allow: [\n \"event_type\",\n \"timestamp\",\n \"duration_ms\",\n \"status\",\n \"tool_name\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n ],\n default_action: \"redact\",\n};\n\nexport const TOOL_API_SCOPED: ContextGateTemplate = {\n id: \"tool-api-scoped\",\n name: \"Tool API Scoped\",\n description:\n \"Allows tool-specific parameters for external API calls. \" +\n \"Redacts memory, history, secrets, and PII.\",\n use_when:\n \"Your agent calls external APIs (search, database, web) and you \" +\n \"want to send query parameters without full agent context. \" +\n \"Note: 'headers' and 'body' are redacted by default because they \" +\n \"frequently carry authorization tokens. Add them to 'allow' only \" +\n \"if you verify they contain no credentials for your use case.\",\n rules: [\n {\n provider: \"tool-api\",\n allow: [\n \"task\",\n \"task_description\",\n \"query\",\n \"search_query\",\n \"tool_input\",\n \"tool_parameters\",\n \"url\",\n \"endpoint\",\n \"method\",\n \"filter\",\n \"sort\",\n \"limit\",\n \"offset\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n ],\n default_action: \"redact\",\n};\n\n// ── Template Registry ───────────────────────────────────────────────────\n\n/** All available templates, keyed by ID */\nexport const TEMPLATES: Record<string, ContextGateTemplate> = {\n \"inference-minimal\": INFERENCE_MINIMAL,\n \"inference-standard\": INFERENCE_STANDARD,\n \"logging-strict\": LOGGING_STRICT,\n \"tool-api-scoped\": TOOL_API_SCOPED,\n};\n\n/** List all available template IDs */\nexport function listTemplateIds(): string[] {\n return Object.keys(TEMPLATES);\n}\n\n/** Get a template by ID (returns undefined if not found) */\nexport function getTemplate(id: string): ContextGateTemplate | undefined {\n return TEMPLATES[id];\n}\n","/**\n * Sanctuary MCP Server — L2 Context Gating: Policy Recommendation Engine\n *\n * Analyzes a sample context object and recommends a context-gating policy\n * based on field name heuristics. The agent (or human) can then review,\n * adjust, and apply the recommendation.\n *\n * This is deliberately conservative: when in doubt, it recommends redact.\n * A false redaction is a usability issue; a false allow is a privacy leak.\n *\n * Classification heuristics:\n * - Known secret patterns → redact (highest confidence)\n * - Known PII patterns → redact (high confidence)\n * - Known internal state patterns → redact (high confidence)\n * - Known ID patterns → hash (medium confidence)\n * - Known history patterns → summarize (medium confidence)\n * - Known task/query patterns → allow (medium confidence)\n * - Everything else → redact (conservative default)\n *\n * WARNING: Fields like 'tool_results' and 'tool_output' are classified as\n * \"allow\" (medium confidence) but may contain sensitive data from external\n * API responses, including auth tokens, user data, or PII. Always review\n * recommendations before applying — the heuristic classifies by field NAME,\n * not field CONTENT.\n */\n\n/** Classification result for a single field */\nexport interface FieldClassification {\n field: string;\n recommended_action: \"allow\" | \"redact\" | \"hash\" | \"summarize\";\n reason: string;\n confidence: \"high\" | \"medium\" | \"low\";\n /** Pattern that matched, if any */\n matched_pattern: string | null;\n}\n\n/** Full recommendation result */\nexport interface PolicyRecommendation {\n provider: string;\n classifications: FieldClassification[];\n recommended_rules: {\n allow: string[];\n redact: string[];\n hash: string[];\n summarize: string[];\n };\n default_action: \"redact\";\n summary: {\n total_fields: number;\n allow: number;\n redact: number;\n hash: number;\n summarize: number;\n };\n warnings: string[];\n}\n\n// ── Pattern Definitions ─────────────────────────────────────────────────\n// Each pattern set maps field name patterns to a classification.\n// Order matters: earlier sets have higher priority.\n\ninterface PatternRule {\n /** Patterns to match against field names (lowercase) */\n patterns: string[];\n /** Action to recommend */\n action: \"allow\" | \"redact\" | \"hash\" | \"summarize\";\n /** Confidence level */\n confidence: \"high\" | \"medium\" | \"low\";\n /** Human-readable reason */\n reason: string;\n}\n\nconst CLASSIFICATION_RULES: PatternRule[] = [\n // ── Secrets (always redact, high confidence) ─────────────────────\n {\n patterns: [\n \"api_key\", \"apikey\", \"api_secret\",\n \"secret\", \"secret_key\", \"secret_token\",\n \"password\", \"passwd\", \"pass\",\n \"credential\", \"credentials\",\n \"private_key\", \"privkey\",\n \"recovery_key\",\n \"passphrase\",\n \"token\", \"access_token\", \"refresh_token\", \"bearer_token\",\n \"auth_token\", \"auth_header\", \"authorization\",\n \"encryption_key\", \"master_key\", \"signing_key\",\n \"webhook_secret\", \"client_secret\",\n \"connection_string\",\n ],\n action: \"redact\",\n confidence: \"high\",\n reason: \"Matches known secret/credential pattern\",\n },\n\n // ── PII (always redact, high confidence) ─────────────────────────\n {\n patterns: [\n \"name\", \"full_name\", \"first_name\", \"last_name\", \"display_name\",\n \"email\", \"email_address\",\n \"phone\", \"phone_number\", \"mobile\",\n \"address\", \"street_address\", \"mailing_address\",\n \"ssn\", \"social_security\",\n \"date_of_birth\", \"dob\", \"birthday\",\n \"ip_address\", \"ip\",\n \"location\", \"geolocation\", \"coordinates\",\n \"credit_card\", \"card_number\", \"cvv\",\n \"bank_account\", \"routing_number\",\n \"passport\", \"drivers_license\", \"license_number\",\n ],\n action: \"redact\",\n confidence: \"high\",\n reason: \"Matches known PII pattern\",\n },\n\n // ── Internal agent state (redact, high confidence) ───────────────\n {\n patterns: [\n \"memory\", \"agent_memory\", \"long_term_memory\",\n \"internal_reasoning\", \"reasoning_trace\", \"chain_of_thought\",\n \"internal_state\", \"agent_state\",\n \"private_notes\", \"scratchpad\",\n \"soul\", \"personality\", \"persona\",\n \"system_prompt\", \"system_message\", \"system_instruction\",\n \"preferences\", \"user_preferences\", \"agent_preferences\",\n \"beliefs\", \"goals\", \"motivations\",\n ],\n action: \"redact\",\n confidence: \"high\",\n reason: \"Matches known internal agent state pattern\",\n },\n\n // ── IDs (hash, medium confidence) ────────────────────────────────\n {\n patterns: [\n \"user_id\", \"userid\",\n \"session_id\", \"sessionid\",\n \"agent_id\", \"agentid\",\n \"identity_id\",\n \"conversation_id\",\n \"thread_id\", \"threadid\",\n \"request_id\", \"requestid\",\n \"correlation_id\",\n \"trace_id\", \"traceid\",\n \"account_id\", \"accountid\",\n ],\n action: \"hash\",\n confidence: \"medium\",\n reason: \"Matches known identifier pattern — hash preserves correlation without exposing value\",\n },\n\n // ── History (summarize, medium confidence) ───────────────────────\n {\n patterns: [\n \"conversation_history\", \"chat_history\",\n \"message_history\", \"messages\",\n \"previous_messages\", \"prior_messages\",\n \"context_window\",\n \"interaction_history\",\n \"audit_log\", \"event_log\",\n ],\n action: \"summarize\",\n confidence: \"medium\",\n reason: \"Matches known history/log pattern — summarize to reduce exposure\",\n },\n\n // ── Task/query (allow, medium confidence) ────────────────────────\n {\n patterns: [\n \"task\", \"task_description\",\n \"query\", \"current_query\", \"search_query\",\n \"prompt\", \"user_prompt\",\n \"question\", \"current_question\",\n \"instruction\", \"instructions\",\n \"objective\", \"goal\",\n \"current_step\", \"next_step\",\n \"remaining_steps\",\n \"constraints\", \"requirements\",\n \"output_format\", \"format\",\n \"tool_results\", \"tool_output\",\n \"tool_input\", \"tool_parameters\",\n ],\n action: \"allow\",\n confidence: \"medium\",\n reason: \"Matches known task/query pattern — likely needed for inference\",\n },\n];\n\n// ── Classification Engine ───────────────────────────────────────────────\n\n/**\n * Classify a single field name and return a recommendation.\n */\nexport function classifyField(fieldName: string): FieldClassification {\n const normalized = fieldName.toLowerCase().trim();\n\n for (const rule of CLASSIFICATION_RULES) {\n for (const pattern of rule.patterns) {\n if (matchesFieldPattern(normalized, pattern)) {\n return {\n field: fieldName,\n recommended_action: rule.action,\n reason: rule.reason,\n confidence: rule.confidence,\n matched_pattern: pattern,\n };\n }\n }\n }\n\n // No pattern matched — conservative default\n return {\n field: fieldName,\n recommended_action: \"redact\",\n reason: \"No known pattern matched — defaulting to redact (conservative)\",\n confidence: \"low\",\n matched_pattern: null,\n };\n}\n\n/**\n * Analyze a full context object and recommend a policy.\n */\nexport function recommendPolicy(\n context: Record<string, unknown>,\n provider: string = \"inference\"\n): PolicyRecommendation {\n const fields = Object.keys(context);\n const classifications: FieldClassification[] = fields.map(classifyField);\n const warnings: string[] = [];\n\n // Build rule lists\n const allow: string[] = [];\n const redact: string[] = [];\n const hash: string[] = [];\n const summarize: string[] = [];\n\n for (const c of classifications) {\n switch (c.recommended_action) {\n case \"allow\": allow.push(c.field); break;\n case \"redact\": redact.push(c.field); break;\n case \"hash\": hash.push(c.field); break;\n case \"summarize\": summarize.push(c.field); break;\n }\n }\n\n // Generate warnings\n const lowConfidence = classifications.filter((c) => c.confidence === \"low\");\n if (lowConfidence.length > 0) {\n warnings.push(\n `${lowConfidence.length} field(s) could not be classified by pattern and will ` +\n `default to redact: ${lowConfidence.map((c) => c.field).join(\", \")}. ` +\n `Review these manually.`\n );\n }\n\n // Check for fields that look like they might contain large content\n for (const [key, value] of Object.entries(context)) {\n if (typeof value === \"string\" && value.length > 5000) {\n const existing = classifications.find((c) => c.field === key);\n if (existing && existing.recommended_action === \"allow\") {\n warnings.push(\n `Field \"${key}\" is allowed but contains ${value.length} characters. ` +\n `Consider summarizing it to reduce context size and exposure.`\n );\n }\n }\n }\n\n return {\n provider,\n classifications,\n recommended_rules: { allow, redact, hash, summarize },\n default_action: \"redact\",\n summary: {\n total_fields: fields.length,\n allow: allow.length,\n redact: redact.length,\n hash: hash.length,\n summarize: summarize.length,\n },\n warnings,\n };\n}\n\n// ── Pattern Matching ────────────────────────────────────────────────────\n\n/**\n * Match a normalized field name against a pattern.\n * Supports exact match and substring containment for compound field names.\n *\n * Examples:\n * - \"api_key\" matches field \"api_key\" (exact)\n * - \"api_key\" matches field \"openai_api_key\" (contains)\n * - \"secret\" matches field \"client_secret\" (contains)\n * - \"password\" matches field \"db_password\" (contains)\n */\nfunction matchesFieldPattern(normalizedField: string, pattern: string): boolean {\n if (normalizedField === pattern) return true;\n // Check if the pattern appears as a complete word boundary segment\n // e.g., \"api_key\" should match \"openai_api_key\" but \"key\" alone shouldn't match \"keyboard\"\n if (pattern.length >= 3 && normalizedField.includes(pattern)) {\n // Verify it's at a word boundary (start/end of string, or adjacent to _ or -)\n const idx = normalizedField.indexOf(pattern);\n const before = idx === 0 || normalizedField[idx - 1] === \"_\" || normalizedField[idx - 1] === \"-\";\n const after = idx + pattern.length === normalizedField.length ||\n normalizedField[idx + pattern.length] === \"_\" ||\n normalizedField[idx + pattern.length] === \"-\";\n return before && after;\n }\n return false;\n}\n","/**\n * Sanctuary MCP Server — L2 Context Gating: Automatic Enforcer\n *\n * The context gate enforcer wraps tool handlers to automatically filter\n * their arguments before execution. Unlike context_gate_filter (which agents\n * call voluntarily), the enforcer runs automatically on every tool call\n * when enabled.\n *\n * This enforces minimum-necessary-context by default and makes bypassing\n * context protection explicit (requires reconfiguration).\n *\n * Security invariants:\n * - The enforcer wraps every tool handler when enabled\n * - Filtering decisions are audit-logged\n * - Default action on missing policy: fallback to built-in sensitive patterns\n * - Denied fields block the entire request (with logged reason)\n * - Redacted fields are stripped from tool arguments\n * - log_only mode logs what would be filtered but passes original args\n */\n\nimport type { ToolHandler } from \"../router.js\";\nimport type { ContextGatePolicyStore } from \"./context-gate.js\";\nimport { filterContext, matchesPattern, type ContextGatePolicy } from \"./context-gate.js\";\nimport type { AuditLog } from \"./audit-log.js\";\nimport { stringToBytes } from \"../core/encoding.js\";\nimport { hashToString } from \"../core/hashing.js\";\nimport { toolResult } from \"../router.js\";\n\n// ── Configuration ───────────────────────────────────────────────────────\n\nexport interface EnforcerConfig {\n /** Enable/disable automatic filtering (default: true) */\n enabled: boolean;\n /** Policy ID to use when no specific one is set */\n default_policy_id?: string;\n /** Tool name prefixes to skip filtering (e.g., [\"sanctuary/\"] to skip system tools) */\n bypass_prefixes: string[];\n /** Log but don't filter — for gradual rollout (default: false) */\n log_only: boolean;\n /** What to do when a field triggers deny action: \"block\" or \"redact\" */\n on_deny: \"block\" | \"redact\";\n}\n\n// ── Built-in Sensitive Field Patterns ───────────────────────────────────\n\n/**\n * Built-in patterns for sensitive fields.\n * Used as fallback when no explicit policy is configured.\n * These are applied even without a policy to provide baseline protection.\n */\nconst BUILTIN_SENSITIVE_PATTERNS = [\n \"*_key\",\n \"*_token\",\n \"*_secret\",\n \"api_key\",\n \"access_token\",\n \"refresh_token\",\n \"password\",\n \"passwd\",\n \"credential*\",\n \"auth_*\",\n \"ssn\",\n \"social_security*\",\n \"tax_id*\",\n \"credit_card*\",\n \"card_number*\",\n \"cvv\",\n \"cvc\",\n \"private_key\",\n \"secret_key\",\n \"master_key\",\n];\n\n// ── Enforcer Status ─────────────────────────────────────────────────────\n\nexport interface EnforcerStatus {\n enabled: boolean;\n log_only: boolean;\n default_policy_id: string | null;\n stats: {\n calls_inspected: number;\n calls_bypassed: number;\n fields_redacted: number;\n fields_hashed: number;\n fields_blocked: number;\n calls_blocked: number;\n };\n}\n\n// ── Enforcer Implementation ─────────────────────────────────────────────\n\nexport class ContextGateEnforcer {\n private policyStore: ContextGatePolicyStore;\n private auditLog: AuditLog;\n private config: EnforcerConfig;\n private stats = {\n calls_inspected: 0,\n calls_bypassed: 0,\n fields_redacted: 0,\n fields_hashed: 0,\n fields_blocked: 0,\n calls_blocked: 0,\n };\n\n constructor(\n policyStore: ContextGatePolicyStore,\n auditLog: AuditLog,\n config: EnforcerConfig\n ) {\n this.policyStore = policyStore;\n this.auditLog = auditLog;\n this.config = config;\n }\n\n /**\n * Wrap a tool handler to apply automatic context gating.\n *\n * The wrapped handler:\n * 1. Checks if tool should be filtered (based on bypass_prefixes)\n * 2. If not filtering, calls original handler directly\n * 3. If filtering:\n * a. Gets the active policy or falls back to built-in patterns\n * b. Calls filterContext() with tool arguments\n * c. If any field triggered \"deny\" and on_deny is \"block\", returns error\n * d. If on_deny is \"redact\", replaces denied fields with \"[REDACTED]\"\n * e. Calls original handler with filtered arguments\n * f. Logs the filtering decision\n * 4. In log_only mode: runs filter, logs what would happen, passes original args\n */\n wrapHandler(toolName: string, originalHandler: ToolHandler): ToolHandler {\n return async (args: Record<string, unknown>) => {\n // If enforcer is disabled, pass through\n if (!this.config.enabled) {\n return originalHandler(args);\n }\n\n // Check if tool should be filtered\n if (!this.shouldFilter(toolName)) {\n this.stats.calls_bypassed++;\n return originalHandler(args);\n }\n\n this.stats.calls_inspected++;\n\n // Get the active policy or null if none exists\n const policy = this.config.default_policy_id\n ? await this.policyStore.get(this.config.default_policy_id)\n : null;\n\n if (policy) {\n // Use explicit policy\n return this.filterWithPolicy(\n toolName,\n args,\n originalHandler,\n policy\n );\n } else {\n // Fall back to built-in sensitive pattern matching\n return this.filterWithBuiltinPatterns(\n toolName,\n args,\n originalHandler\n );\n }\n };\n }\n\n /**\n * Filter tool arguments using an explicit policy.\n */\n private async filterWithPolicy(\n toolName: string,\n args: Record<string, unknown>,\n originalHandler: ToolHandler,\n policy: ContextGatePolicy\n ): Promise<{ content: Array<{ type: \"text\"; text: string }> }> {\n // Provider category for the tool (default to \"tool-api\")\n const provider = this.extractProviderCategory(toolName);\n\n // Filter the context\n const result = filterContext(policy, provider, args);\n\n // Check for denied fields\n const deniedFields = result.decisions.filter((d) => d.action === \"deny\");\n\n if (deniedFields.length > 0) {\n if (this.config.on_deny === \"block\") {\n this.stats.calls_blocked++;\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_block\",\n \"system\",\n {\n tool_name: toolName,\n policy_id: policy.policy_id,\n provider,\n denied_fields: deniedFields.map((d) => d.field),\n original_context_hash: result.original_context_hash,\n }\n );\n\n return toolResult({\n error: \"context_gating_blocked\",\n message: \"Tool call contains fields that trigger deny action\",\n tool: toolName,\n denied_fields: deniedFields.map((d) => d.field),\n recommendation:\n \"Remove the denied fields from context or update the context-gating policy.\",\n });\n }\n // If on_deny is \"redact\", continue with filtered args below\n }\n\n // Build filtered arguments\n const filteredArgs = this.buildFilteredArgs(args, result.decisions);\n\n if (this.config.log_only) {\n // Log but pass original args\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_log_only\",\n \"system\",\n {\n tool_name: toolName,\n policy_id: policy.policy_id,\n provider,\n fields_total: Object.keys(args).length,\n fields_redacted: result.fields_redacted,\n fields_hashed: result.fields_hashed,\n fields_blocked: deniedFields.length,\n original_context_hash: result.original_context_hash,\n }\n );\n this.stats.fields_redacted += result.fields_redacted;\n this.stats.fields_hashed += result.fields_hashed;\n this.stats.fields_blocked += deniedFields.length;\n\n return originalHandler(args);\n }\n\n // Execute handler with filtered arguments\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_filter\",\n \"system\",\n {\n tool_name: toolName,\n policy_id: policy.policy_id,\n provider,\n fields_total: Object.keys(args).length,\n fields_redacted: result.fields_redacted,\n fields_hashed: result.fields_hashed,\n fields_blocked: deniedFields.length,\n original_context_hash: result.original_context_hash,\n }\n );\n\n this.stats.fields_redacted += result.fields_redacted;\n this.stats.fields_hashed += result.fields_hashed;\n this.stats.fields_blocked += deniedFields.length;\n\n return originalHandler(filteredArgs);\n }\n\n /**\n * Filter tool arguments using built-in sensitive patterns.\n * This provides baseline protection when no explicit policy is configured.\n */\n private async filterWithBuiltinPatterns(\n toolName: string,\n args: Record<string, unknown>,\n originalHandler: ToolHandler\n ): Promise<{ content: Array<{ type: \"text\"; text: string }> }> {\n const fieldsToRedact: string[] = [];\n const originalHash = hashToString(\n stringToBytes(JSON.stringify(args))\n );\n\n // Check each field against built-in patterns\n for (const field of Object.keys(args)) {\n if (matchesPattern(field, BUILTIN_SENSITIVE_PATTERNS)) {\n fieldsToRedact.push(field);\n }\n }\n\n if (fieldsToRedact.length === 0) {\n // No sensitive fields detected — pass through\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_builtin_pass\",\n \"system\",\n {\n tool_name: toolName,\n reason: \"No sensitive field patterns detected\",\n }\n );\n return originalHandler(args);\n }\n\n // Build filtered arguments\n const filteredArgs: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(args)) {\n if (fieldsToRedact.includes(key)) {\n filteredArgs[key] = \"[REDACTED]\";\n } else {\n filteredArgs[key] = value;\n }\n }\n\n const filteredHash = hashToString(\n stringToBytes(JSON.stringify(filteredArgs))\n );\n\n if (this.config.log_only) {\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_builtin_log_only\",\n \"system\",\n {\n tool_name: toolName,\n fields_redacted: fieldsToRedact.length,\n redacted_fields: fieldsToRedact,\n original_context_hash: originalHash,\n }\n );\n this.stats.fields_redacted += fieldsToRedact.length;\n return originalHandler(args);\n }\n\n // Execute handler with filtered arguments\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_builtin_filter\",\n \"system\",\n {\n tool_name: toolName,\n fields_redacted: fieldsToRedact.length,\n redacted_fields: fieldsToRedact,\n original_context_hash: originalHash,\n filtered_context_hash: filteredHash,\n }\n );\n\n this.stats.fields_redacted += fieldsToRedact.length;\n\n return originalHandler(filteredArgs);\n }\n\n /**\n * Check if a tool should be filtered based on bypass prefixes.\n *\n * SEC-033: Uses exact namespace component matching, not bare startsWith().\n * A prefix of \"sanctuary/\" matches \"sanctuary/state_read\" but NOT\n * \"sanctuary_evil/steal_data\" (no slash boundary confusion). The prefix\n * must match exactly up to its length, and the prefix must end with \"/\"\n * to enforce namespace boundaries (if it doesn't, we add one for safety).\n */\n shouldFilter(toolName: string): boolean {\n for (const prefix of this.config.bypass_prefixes) {\n // Ensure prefix ends with \"/\" to enforce namespace boundaries\n const safePrefix = prefix.endsWith(\"/\") ? prefix : prefix + \"/\";\n if (toolName === safePrefix.slice(0, -1) || toolName.startsWith(safePrefix)) {\n return false;\n }\n }\n return true;\n }\n\n /**\n * Extract provider category from tool name.\n * Default: \"tool-api\". Override for specific patterns.\n */\n private extractProviderCategory(toolName: string): string {\n if (toolName.includes(\"inference\") || toolName.includes(\"llm\")) {\n return \"inference\";\n }\n if (toolName.includes(\"log\") || toolName.includes(\"telemetry\")) {\n return \"logging\";\n }\n if (toolName.includes(\"analytics\") || toolName.includes(\"metric\")) {\n return \"analytics\";\n }\n return \"tool-api\";\n }\n\n /**\n * Build filtered arguments from filter decisions.\n */\n private buildFilteredArgs(\n originalArgs: Record<string, unknown>,\n decisions: Array<{ field: string; action: string; hash_value?: string }>\n ): Record<string, unknown> {\n const filtered: Record<string, unknown> = {};\n\n for (const decision of decisions) {\n switch (decision.action) {\n case \"allow\":\n filtered[decision.field] = originalArgs[decision.field];\n break;\n case \"redact\":\n // Include field with redacted value\n filtered[decision.field] = \"[REDACTED]\";\n break;\n case \"hash\":\n filtered[decision.field] = decision.hash_value;\n break;\n case \"summarize\":\n filtered[decision.field] = originalArgs[decision.field];\n break;\n case \"deny\":\n // Field excluded — denied\n break;\n }\n }\n\n return filtered;\n }\n\n /**\n * Set the active policy ID.\n */\n setDefaultPolicy(policyId: string): void {\n this.config.default_policy_id = policyId;\n }\n\n /**\n * Get current enforcer status and stats.\n */\n getStatus(): EnforcerStatus {\n return {\n enabled: this.config.enabled,\n log_only: this.config.log_only,\n default_policy_id: this.config.default_policy_id ?? null,\n stats: { ...this.stats },\n };\n }\n\n /**\n * Toggle enforcer enabled state.\n */\n setEnabled(enabled: boolean): void {\n this.config.enabled = enabled;\n }\n\n /**\n * Toggle log_only mode.\n */\n setLogOnly(logOnly: boolean): void {\n this.config.log_only = logOnly;\n }\n\n /**\n * Reset stats counters.\n */\n resetStats(): void {\n this.stats = {\n calls_inspected: 0,\n calls_bypassed: 0,\n fields_redacted: 0,\n fields_hashed: 0,\n fields_blocked: 0,\n calls_blocked: 0,\n };\n }\n}\n\n/**\n * Export built-in patterns for testing and reference.\n */\nexport { BUILTIN_SENSITIVE_PATTERNS };\n","/**\n * Sanctuary MCP Server — L2 Context Gating Tools\n *\n * MCP tools for configuring and applying context-gating policies.\n * These tools let agents control what context flows to remote providers\n * (LLM APIs, tool APIs, logging services) during outbound calls.\n *\n * Tools:\n * - sanctuary/context_gate_set_policy — Define a context-gating policy\n * - sanctuary/context_gate_apply_template — Apply a starter template\n * - sanctuary/context_gate_filter — Filter context through a policy\n * - sanctuary/context_gate_recommend — Analyze context and recommend a policy\n * - sanctuary/context_gate_list_policies — List all context-gating policies\n *\n * All operations are audit-logged. Policies are encrypted at rest.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { AuditLog } from \"./audit-log.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport {\n ContextGatePolicyStore,\n filterContext,\n MAX_POLICY_RULES,\n MAX_PATTERNS_PER_ARRAY,\n MAX_CONTEXT_FIELDS,\n type ContextGateRule,\n type ProviderCategory,\n} from \"./context-gate.js\";\nimport {\n TEMPLATES,\n listTemplateIds,\n getTemplate,\n} from \"./context-gate-templates.js\";\nimport { recommendPolicy } from \"./context-gate-recommend.js\";\nimport {\n ContextGateEnforcer,\n type EnforcerConfig,\n} from \"./context-gate-enforcer.js\";\n\n/**\n * Create the context-gating MCP tools.\n */\nexport function createContextGateTools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): {\n tools: ToolDefinition[];\n policyStore: ContextGatePolicyStore;\n enforcer: ContextGateEnforcer;\n} {\n const policyStore = new ContextGatePolicyStore(storage, masterKey);\n\n // Create the automatic enforcer\n const enforcerConfig: EnforcerConfig = {\n enabled: false, // Off by default; agents must explicitly enable it\n bypass_prefixes: [\"sanctuary/\"], // Skip internal tools by default\n log_only: false, // Filter immediately\n on_deny: \"block\", // Block requests with denied fields\n };\n const enforcer = new ContextGateEnforcer(policyStore, auditLog, enforcerConfig);\n\n const tools: ToolDefinition[] = [\n // ── Set Policy ──────────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_set_policy\",\n description:\n \"Create a context-gating policy that controls what information flows to \" +\n \"remote providers (LLM APIs, tool APIs, logging services). \" +\n \"Each rule specifies a provider category and which context fields to \" +\n \"allow, redact, hash, or flag for summarization. \" +\n \"Redact rules take absolute priority — if a field is in both 'allow' and \" +\n \"'redact', it is redacted. Default action applies to any field not \" +\n \"mentioned in any rule. \" +\n \"Use this to prevent your full agent context from being sent to remote \" +\n \"LLM providers during inference calls.\",\n inputSchema: {\n type: \"object\",\n properties: {\n policy_name: {\n type: \"string\",\n description:\n \"Human-readable name for this policy (e.g., 'inference-minimal', \" +\n \"'tool-api-strict')\",\n },\n rules: {\n type: \"array\",\n description:\n \"Array of rules. Each rule has: provider (inference|tool-api|logging|\" +\n \"analytics|peer-agent|custom|*), allow (fields to pass through), \" +\n \"redact (fields to remove — highest priority), hash (fields to \" +\n \"replace with SHA-256 hash), summarize (fields to flag for compression).\",\n items: {\n type: \"object\",\n properties: {\n provider: {\n type: \"string\",\n description:\n \"Provider category: inference, tool-api, logging, analytics, \" +\n \"peer-agent, custom, or * for all\",\n },\n allow: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to allow through (e.g., 'task_description', \" +\n \"'current_query', 'tool_*')\",\n },\n redact: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to redact (e.g., 'conversation_history', \" +\n \"'secret_*', '*_pii'). Takes absolute priority.\",\n },\n hash: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to replace with SHA-256 hash (e.g., 'user_id', \" +\n \"'session_id')\",\n },\n summarize: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to flag for summarization (advisory — agent \" +\n \"should compress these before sending)\",\n },\n },\n required: [\"provider\", \"allow\", \"redact\"],\n },\n },\n default_action: {\n type: \"string\",\n enum: [\"redact\", \"deny\"],\n description:\n \"Action for fields not matched by any rule. 'redact' removes the \" +\n \"field value; 'deny' blocks the entire request. Default: 'redact'.\",\n },\n identity_id: {\n type: \"string\",\n description: \"Bind this policy to a specific identity (optional)\",\n },\n },\n required: [\"policy_name\", \"rules\"],\n },\n handler: async (args) => {\n const policyName = args.policy_name as string;\n const rawRules = args.rules as Array<Record<string, unknown>>;\n const defaultAction = (args.default_action as \"redact\" | \"deny\") ?? \"redact\";\n const identityId = args.identity_id as string | undefined;\n\n // Validate rule count\n if (!Array.isArray(rawRules)) {\n return toolResult({ error: \"invalid_rules\", message: \"rules must be an array\" });\n }\n if (rawRules.length > MAX_POLICY_RULES) {\n return toolResult({\n error: \"too_many_rules\",\n message: `Policy has ${rawRules.length} rules, exceeding limit of ${MAX_POLICY_RULES}`,\n });\n }\n\n // Validate and normalize rules\n const rules: ContextGateRule[] = [];\n for (const r of rawRules) {\n const allow = Array.isArray(r.allow) ? (r.allow as string[]) : [];\n const redact = Array.isArray(r.redact) ? (r.redact as string[]) : [];\n const hash = Array.isArray(r.hash) ? (r.hash as string[]) : [];\n const summarize = Array.isArray(r.summarize) ? (r.summarize as string[]) : [];\n\n for (const [name, arr] of [[\"allow\", allow], [\"redact\", redact], [\"hash\", hash], [\"summarize\", summarize]] as const) {\n if (arr.length > MAX_PATTERNS_PER_ARRAY) {\n return toolResult({\n error: \"too_many_patterns\",\n message: `Rule ${name} array has ${arr.length} patterns, exceeding limit of ${MAX_PATTERNS_PER_ARRAY}`,\n });\n }\n }\n\n rules.push({\n provider: (r.provider as ProviderCategory | \"*\") ?? \"*\",\n allow,\n redact,\n hash,\n summarize,\n });\n }\n\n const policy = await policyStore.create(\n policyName,\n rules,\n defaultAction,\n identityId\n );\n\n auditLog.append(\"l2\", \"context_gate_set_policy\", identityId ?? \"system\", {\n policy_id: policy.policy_id,\n policy_name: policyName,\n rule_count: rules.length,\n default_action: defaultAction,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n rules: policy.rules,\n default_action: policy.default_action,\n created_at: policy.created_at,\n message:\n \"Context-gating policy created. Use sanctuary/context_gate_filter \" +\n \"to apply this policy before making outbound calls.\",\n });\n },\n },\n\n // ── Apply Template ───────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_apply_template\",\n description:\n \"Apply a starter context-gating template. Available templates: \" +\n \"inference-minimal (strictest — only task and query pass through), \" +\n \"inference-standard (balanced — adds tool results, summarizes history), \" +\n \"logging-strict (redacts all content for telemetry services), \" +\n \"tool-api-scoped (allows tool parameters, redacts agent state). \" +\n \"Templates are starting points — customize after applying.\",\n inputSchema: {\n type: \"object\",\n properties: {\n template_id: {\n type: \"string\",\n description:\n \"Template to apply: inference-minimal, inference-standard, \" +\n \"logging-strict, or tool-api-scoped\",\n },\n identity_id: {\n type: \"string\",\n description: \"Bind this policy to a specific identity (optional)\",\n },\n },\n required: [\"template_id\"],\n },\n handler: async (args) => {\n const templateId = args.template_id as string;\n const identityId = args.identity_id as string | undefined;\n\n const template = getTemplate(templateId);\n if (!template) {\n return toolResult({\n error: \"template_not_found\",\n message: `Unknown template \"${templateId}\"`,\n available_templates: listTemplateIds().map((id) => {\n const t = TEMPLATES[id]!;\n return { id, name: t.name, description: t.description };\n }),\n });\n }\n\n const policy = await policyStore.create(\n template.name,\n template.rules,\n template.default_action,\n identityId\n );\n\n auditLog.append(\"l2\", \"context_gate_apply_template\", identityId ?? \"system\", {\n policy_id: policy.policy_id,\n template_id: templateId,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n template_applied: templateId,\n policy_name: template.name,\n description: template.description,\n use_when: template.use_when,\n rules: policy.rules,\n default_action: policy.default_action,\n created_at: policy.created_at,\n message:\n \"Template applied. Use sanctuary/context_gate_filter with this \" +\n \"policy_id to filter context before outbound calls. \" +\n \"Customize rules with sanctuary/context_gate_set_policy if needed.\",\n });\n },\n },\n\n // ── Recommend Policy ────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_recommend\",\n description:\n \"Analyze a sample context object and recommend a context-gating \" +\n \"policy based on field name heuristics. Classifies each field as \" +\n \"allow, redact, hash, or summarize with confidence levels. \" +\n \"Returns a ready-to-apply rule set. When in doubt, recommends \" +\n \"redact (conservative). Review the recommendations before applying.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"object\",\n description:\n \"A sample context object to analyze. Each top-level key \" +\n \"will be classified. Values are inspected for size warnings \" +\n \"but not stored.\",\n },\n provider: {\n type: \"string\",\n description:\n \"Provider category to generate rules for. Default: 'inference'.\",\n },\n },\n required: [\"context\"],\n },\n handler: async (args) => {\n const context = args.context as Record<string, unknown>;\n const provider = (args.provider as string) ?? \"inference\";\n\n // Validate context size\n const contextKeys = Object.keys(context);\n if (contextKeys.length > MAX_CONTEXT_FIELDS) {\n return toolResult({\n error: \"context_too_large\",\n message: `Context has ${contextKeys.length} fields, exceeding limit of ${MAX_CONTEXT_FIELDS}`,\n });\n }\n\n const recommendation = recommendPolicy(context, provider);\n\n auditLog.append(\"l2\", \"context_gate_recommend\", \"system\", {\n provider,\n fields_analyzed: recommendation.summary.total_fields,\n fields_allow: recommendation.summary.allow,\n fields_redact: recommendation.summary.redact,\n fields_hash: recommendation.summary.hash,\n fields_summarize: recommendation.summary.summarize,\n });\n\n return toolResult({\n ...recommendation,\n next_steps:\n \"Review the classifications above. If they look correct, you can \" +\n \"apply them directly with sanctuary/context_gate_set_policy using \" +\n \"the recommended_rules. Or start with a template via \" +\n \"sanctuary/context_gate_apply_template and customize from there.\",\n available_templates: listTemplateIds().map((id) => {\n const t = TEMPLATES[id]!;\n return { id, name: t.name, description: t.description };\n }),\n });\n },\n },\n\n // ── Filter Context ──────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_filter\",\n description:\n \"Filter agent context through a gating policy before sending to a \" +\n \"remote provider. Returns per-field decisions (allow, redact, hash, \" +\n \"summarize) and content hashes for the audit trail. \" +\n \"Call this BEFORE making any outbound API call to ensure you are only \" +\n \"sending the minimum necessary context. \" +\n \"The filtered output tells you exactly what can be sent safely.\",\n inputSchema: {\n type: \"object\",\n properties: {\n policy_id: {\n type: \"string\",\n description: \"ID of the context-gating policy to apply\",\n },\n provider: {\n type: \"string\",\n description:\n \"Provider category for this call: inference, tool-api, logging, \" +\n \"analytics, peer-agent, or custom\",\n },\n context: {\n type: \"object\",\n description:\n \"The context object to filter. Each top-level key is evaluated \" +\n \"against the policy. Example keys: task_description, \" +\n \"conversation_history, user_preferences, api_keys, memory, \" +\n \"internal_reasoning\",\n },\n },\n required: [\"policy_id\", \"provider\", \"context\"],\n },\n handler: async (args) => {\n const policyId = args.policy_id as string;\n const provider = args.provider as ProviderCategory | string;\n const context = args.context as Record<string, unknown>;\n\n // Validate context size\n const contextKeys = Object.keys(context);\n if (contextKeys.length > MAX_CONTEXT_FIELDS) {\n return toolResult({\n error: \"context_too_large\",\n message: `Context has ${contextKeys.length} fields, exceeding limit of ${MAX_CONTEXT_FIELDS}`,\n });\n }\n\n const policy = await policyStore.get(policyId);\n if (!policy) {\n return toolResult({\n error: \"policy_not_found\",\n message: `No context-gating policy found with ID \"${policyId}\"`,\n });\n }\n\n const result = filterContext(policy, provider, context);\n\n // Check for any denied fields — if so, the entire request should be blocked\n const deniedFields = result.decisions.filter((d) => d.action === \"deny\");\n if (deniedFields.length > 0) {\n auditLog.append(\"l2\", \"context_gate_deny\", policy.identity_id ?? \"system\", {\n policy_id: policyId,\n provider,\n denied_fields: deniedFields.map((d) => d.field),\n original_context_hash: result.original_context_hash,\n });\n\n return toolResult({\n blocked: true,\n reason: \"Context contains fields that trigger deny action\",\n denied_fields: deniedFields.map((d) => ({\n field: d.field,\n reason: d.reason,\n })),\n recommendation:\n \"Remove the denied fields from context before retrying, or \" +\n \"update the policy to handle these fields differently.\",\n });\n }\n\n // Build the filtered context that is safe to send\n const safeContext: Record<string, unknown> = {};\n for (const decision of result.decisions) {\n switch (decision.action) {\n case \"allow\":\n safeContext[decision.field] = context[decision.field];\n break;\n case \"redact\":\n // Field excluded from safe context\n break;\n case \"hash\":\n safeContext[decision.field] = decision.hash_value;\n break;\n case \"summarize\":\n // Include but mark for summarization\n safeContext[decision.field] = context[decision.field];\n break;\n }\n }\n\n auditLog.append(\"l2\", \"context_gate_filter\", policy.identity_id ?? \"system\", {\n policy_id: policyId,\n provider,\n fields_total: Object.keys(context).length,\n fields_allowed: result.fields_allowed,\n fields_redacted: result.fields_redacted,\n fields_hashed: result.fields_hashed,\n fields_summarized: result.fields_summarized,\n original_context_hash: result.original_context_hash,\n filtered_context_hash: result.filtered_context_hash,\n });\n\n return toolResult({\n blocked: false,\n safe_context: safeContext,\n summary: {\n total_fields: Object.keys(context).length,\n allowed: result.fields_allowed,\n redacted: result.fields_redacted,\n hashed: result.fields_hashed,\n summarized: result.fields_summarized,\n },\n decisions: result.decisions,\n audit: {\n original_context_hash: result.original_context_hash,\n filtered_context_hash: result.filtered_context_hash,\n filtered_at: result.filtered_at,\n },\n guidance:\n result.fields_summarized > 0\n ? \"Some fields are marked for summarization. Consider compressing \" +\n \"them before sending to reduce context size and information exposure.\"\n : undefined,\n });\n },\n },\n\n // ── List Policies ───────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_list_policies\",\n description:\n \"List all configured context-gating policies. Returns policy IDs, \" +\n \"names, rule summaries, and default actions.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const policies = await policyStore.list();\n\n auditLog.append(\"l2\", \"context_gate_list_policies\", \"system\", {\n policy_count: policies.length,\n });\n\n return toolResult({\n policies: policies.map((p) => ({\n policy_id: p.policy_id,\n policy_name: p.policy_name,\n rule_count: p.rules.length,\n providers: p.rules.map((r) => r.provider),\n default_action: p.default_action,\n identity_id: p.identity_id ?? null,\n created_at: p.created_at,\n updated_at: p.updated_at,\n })),\n count: policies.length,\n message:\n policies.length === 0\n ? \"No context-gating policies configured. Use \" +\n \"sanctuary/context_gate_set_policy to create one.\"\n : `${policies.length} context-gating ${policies.length === 1 ? \"policy\" : \"policies\"} configured.`,\n });\n },\n },\n\n // ── Enforcer Status ─────────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_enforcer_status\",\n description:\n \"Get the status of the automatic context gate enforcer, including \" +\n \"enabled/disabled state, log_only mode, active policy, and statistics. \" +\n \"The enforcer automatically filters tool arguments when enabled. \" +\n \"Use this to monitor what the enforcer has been filtering.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const status = enforcer.getStatus();\n\n auditLog.append(\n \"l2\",\n \"context_gate_enforcer_status_query\",\n \"system\",\n {\n enabled: status.enabled,\n log_only: status.log_only,\n default_policy_id: status.default_policy_id,\n }\n );\n\n return toolResult({\n enforcer_status: status,\n description:\n \"The enforcer is \" +\n (status.enabled ? \"enabled\" : \"disabled\") +\n \". \" +\n (status.log_only\n ? \"Currently in log_only mode — filtering is logged but not applied.\"\n : \"Filtering is actively applied to tool arguments.\"),\n guidance:\n status.stats.calls_inspected > 0\n ? `Over ${status.stats.calls_inspected} tool calls, ` +\n `${status.stats.fields_redacted} sensitive fields were redacted. ` +\n `Use sanctuary/context_gate_enforcer_configure to adjust settings.`\n : \"No tool calls have been inspected yet.\",\n });\n },\n },\n\n // ── Enforcer Configuration ──────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_enforcer_configure\",\n description:\n \"Configure the automatic context gate enforcer. Control whether it \" +\n \"filters tool arguments, toggle log_only mode for gradual rollout, \" +\n \"set the active policy, and choose what to do when denied fields are \" +\n \"encountered (block the request or redact the field). \" +\n \"Use this to enable automatic context protection.\",\n inputSchema: {\n type: \"object\",\n properties: {\n enabled: {\n type: \"boolean\",\n description:\n \"Enable or disable the automatic enforcer. When disabled, \" +\n \"no filtering occurs. Default: leave unchanged.\",\n },\n log_only: {\n type: \"boolean\",\n description:\n \"Enable log_only mode: filter decisions are logged but original \" +\n \"args are passed to handlers. Useful for monitoring before \" +\n \"enabling actual filtering. Default: leave unchanged.\",\n },\n default_policy_id: {\n type: \"string\",\n description:\n \"Set the default context-gating policy to use for filtering. \" +\n \"If not set, the enforcer uses built-in sensitive field patterns. \" +\n \"Default: leave unchanged.\",\n },\n on_deny: {\n type: \"string\",\n enum: [\"block\", \"redact\"],\n description:\n \"Action to take when a field triggers the deny action: \" +\n \"'block' returns an error and prevents the call, \" +\n \"'redact' replaces the denied field with [REDACTED] and continues. \" +\n \"Default: leave unchanged.\",\n },\n reset_stats: {\n type: \"boolean\",\n description:\n \"Reset the enforcer statistics counters to zero. Default: false.\",\n },\n },\n },\n handler: async (args) => {\n const changes: Record<string, unknown> = {};\n\n if (args.enabled !== undefined) {\n enforcer.setEnabled(args.enabled as boolean);\n changes.enabled = args.enabled;\n }\n\n if (args.log_only !== undefined) {\n enforcer.setLogOnly(args.log_only as boolean);\n changes.log_only = args.log_only;\n }\n\n if (args.default_policy_id !== undefined) {\n const policyId = args.default_policy_id as string;\n const policy = await policyStore.get(policyId);\n if (!policy) {\n return toolResult({\n error: \"policy_not_found\",\n message: `No context-gating policy found with ID \"${policyId}\"`,\n });\n }\n enforcer.setDefaultPolicy(policyId);\n changes.default_policy_id = policyId;\n }\n\n if (args.on_deny !== undefined) {\n const onDeny = args.on_deny as \"block\" | \"redact\";\n if (onDeny !== \"block\" && onDeny !== \"redact\") {\n return toolResult({\n error: \"invalid_on_deny\",\n message: \"on_deny must be 'block' or 'redact'\",\n });\n }\n enforcerConfig.on_deny = onDeny;\n changes.on_deny = onDeny;\n }\n\n if (args.reset_stats === true) {\n enforcer.resetStats();\n changes.reset_stats = true;\n }\n\n const newStatus = enforcer.getStatus();\n\n auditLog.append(\n \"l2\",\n \"context_gate_enforcer_configure\",\n \"system\",\n {\n changes,\n new_status: newStatus,\n }\n );\n\n return toolResult({\n configured: true,\n changes,\n new_status: newStatus,\n message:\n Object.keys(changes).length > 0\n ? \"Enforcer configuration updated.\"\n : \"No changes made (no configuration parameters provided).\",\n });\n },\n },\n ];\n\n return { tools, policyStore, enforcer };\n}\n","/**\n * Sanctuary MCP Server — L2 Operational Isolation: Process Hardening\n *\n * Provides process-level isolation verification without requiring hardware TEE.\n * Implements software-based L2 hardening checks including:\n * - Memory protection (ASLR, stack canaries, secure buffer handling)\n * - Process isolation verification (container, VM, sandbox detection)\n * - Runtime integrity monitoring\n * - Filesystem permission verification\n *\n * These checks allow agents running on machines without TEE to achieve\n * \"Hardened\" L2 status (between \"Degraded\" and \"Full\").\n */\n\nimport { execSync } from \"node:child_process\";\nimport { statSync } from \"node:fs\";\n\n// ── Memory Protection Status ───────────────────────────────────────\n\nexport interface MemoryProtectionStatus {\n aslr_enabled: boolean;\n stack_canaries: boolean;\n secure_buffer_zeros: boolean;\n argon2id_kdf: boolean;\n overall: \"full\" | \"partial\" | \"minimal\" | \"none\";\n}\n\n/**\n * Verify memory protection mechanisms are in place.\n */\nexport function checkMemoryProtection(): MemoryProtectionStatus {\n const checks = {\n aslr_enabled: checkASLR(),\n stack_canaries: true, // Enabled by default in Node.js runtime\n secure_buffer_zeros: true, // We use crypto.randomBytes and explicit zeroing\n argon2id_kdf: true, // Master key derivation uses Argon2id\n };\n\n const activeCount = Object.values(checks).filter((v) => v).length;\n const overall = activeCount >= 4 ? \"full\" : activeCount >= 3 ? \"partial\" : \"minimal\";\n\n return {\n ...checks,\n overall,\n };\n}\n\nfunction checkASLR(): boolean {\n if (process.platform === \"linux\") {\n try {\n const result = execSync(\"cat /proc/sys/kernel/randomize_va_space\", {\n encoding: \"utf-8\",\n stdio: [\"pipe\", \"pipe\", \"ignore\"],\n }).trim();\n return result === \"2\"; // 2 = full ASLR enabled\n } catch {\n return false;\n }\n }\n if (process.platform === \"darwin\") {\n // macOS enables ASLR by default for all processes; no direct check needed\n return true;\n }\n return false;\n}\n\n// ── Process Isolation Status ───────────────────────────────────────\n\nexport type IsolationLevel = \"full\" | \"hardened\" | \"basic\" | \"none\";\n\nexport interface ProcessIsolationStatus {\n isolation_level: IsolationLevel;\n is_container: boolean;\n is_vm: boolean;\n is_sandboxed: boolean;\n is_tee: boolean;\n details: {\n container_type?: string;\n vm_type?: string;\n sandbox_type?: string;\n };\n}\n\n/**\n * Verify process-level isolation through environment detection.\n *\n * Returns the isolation level:\n * - \"full\": Running in TEE (not available for software-only check)\n * - \"hardened\": Container or VM detected\n * - \"basic\": Sandboxed process (macOS sandbox, pledge on OpenBSD, etc.)\n * - \"none\": Regular user process\n */\nexport function checkProcessIsolation(): ProcessIsolationStatus {\n const isContainer = detectContainer();\n const isVM = detectVM();\n const isSandboxed = detectSandbox();\n\n let isolationLevel: IsolationLevel = \"none\";\n if (isContainer) isolationLevel = \"hardened\";\n else if (isVM) isolationLevel = \"hardened\";\n else if (isSandboxed) isolationLevel = \"basic\";\n\n const details: ProcessIsolationStatus[\"details\"] = {};\n if (isContainer && isContainer !== true) details.container_type = isContainer;\n if (isVM && isVM !== true) details.vm_type = isVM;\n if (isSandboxed && isSandboxed !== true) details.sandbox_type = isSandboxed;\n\n return {\n isolation_level: isolationLevel,\n is_container: isContainer !== false,\n is_vm: isVM !== false,\n is_sandboxed: isSandboxed !== false,\n is_tee: false,\n details,\n };\n}\n\nfunction detectContainer(): string | boolean {\n // Check for containerization markers\n try {\n // Docker\n if (process.env.DOCKER_HOST) return \"docker\";\n\n // Check /.dockerenv\n try {\n statSync(\"/.dockerenv\");\n return \"docker\";\n } catch {\n // Not a file\n }\n\n // Check /proc/1/cgroup for container references\n if (process.platform === \"linux\") {\n const cgroup = execSync(\"cat /proc/1/cgroup 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n });\n if (cgroup.includes(\"docker\")) return \"docker\";\n if (cgroup.includes(\"lxc\")) return \"lxc\";\n if (cgroup.includes(\"kubepods\") || cgroup.includes(\"kubernetes\")) return \"kubernetes\";\n }\n\n // Podman\n if (process.env.container === \"podman\") return \"podman\";\n\n // OCI container runtime indicators\n if (process.env.CONTAINER_ID) return \"oci\";\n\n return false;\n } catch {\n return false;\n }\n}\n\nfunction detectVM(): string | boolean {\n if (process.platform === \"linux\") {\n try {\n // Check for common hypervisor signatures\n const dmidecode = execSync(\"dmidecode -s system-product-name 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n }).toLowerCase();\n\n if (dmidecode.includes(\"vmware\")) return \"vmware\";\n if (dmidecode.includes(\"virtualbox\")) return \"virtualbox\";\n if (dmidecode.includes(\"kvm\")) return \"kvm\";\n if (dmidecode.includes(\"xen\")) return \"xen\";\n if (dmidecode.includes(\"hyper-v\")) return \"hyper-v\";\n\n // Check cpuinfo for virtualization\n const cpuinfo = execSync(\"grep -i hypervisor /proc/cpuinfo || echo ''\", {\n encoding: \"utf-8\",\n });\n if (cpuinfo.length > 0) return \"detected\";\n } catch {\n // dmidecode might not be available; not a failure\n }\n }\n\n if (process.platform === \"darwin\") {\n try {\n // Check for Parallels, VMware, VirtualBox on macOS\n const bootargs = execSync(\n \"nvram boot-args 2>/dev/null | grep -i 'parallels\\\\|vmware\\\\|virtualbox' || echo ''\",\n {\n encoding: \"utf-8\",\n }\n );\n if (bootargs.length > 0) return \"detected\";\n } catch {\n // nvram not accessible; skip\n }\n }\n\n return false;\n}\n\nfunction detectSandbox(): string | boolean {\n // macOS App Sandbox\n if (process.platform === \"darwin\") {\n if (process.env.APP_SANDBOX_READ_ONLY_HOME === \"1\") return \"app-sandbox\";\n if (process.env.TMPDIR && process.env.TMPDIR.includes(\"AppSandbox\")) return \"app-sandbox\";\n }\n\n // pledge(2) on OpenBSD (process restrictions)\n if (process.platform === \"openbsd\") {\n // No easy way to check pledge status from userspace\n // Assume if running on OpenBSD, pledge is a possibility\n try {\n const pledge = execSync(\"pledge -v 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n });\n if (pledge.length > 0) return \"pledge\";\n } catch {\n // pledge not available\n }\n }\n\n // SELinux/AppArmor contexts\n if (process.platform === \"linux\") {\n if (process.env.container === \"lxc\") return \"lxc\";\n try {\n const context = execSync(\"getenforce 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n }).trim();\n if (context === \"Enforcing\") return \"selinux\";\n } catch {\n // SELinux not available\n }\n }\n\n return false;\n}\n\n// ── Filesystem Permission Verification ───────────────────────────\n\nexport interface FilesystemPermissionStatus {\n sanctuary_storage_protected: boolean;\n sanctuary_storage_mode: string;\n owner_is_current_user: boolean;\n group_readable: boolean;\n others_readable: boolean;\n overall: \"secure\" | \"warning\" | \"insecure\";\n}\n\n/**\n * Verify filesystem permissions on Sanctuary storage directory.\n * Expects storage to be mode 0o700 (rwx------)\n */\nexport function checkFilesystemPermissions(storagePath: string): FilesystemPermissionStatus {\n try {\n const stats = statSync(storagePath);\n\n // Extract permission bits\n const mode = stats.mode & parseInt(\"777\", 8);\n const modeString = mode.toString(8).padStart(3, \"0\");\n\n const isSecure = mode === parseInt(\"700\", 8); // rwx------\n const groupReadable = (mode & parseInt(\"040\", 8)) !== 0;\n const othersReadable = (mode & parseInt(\"007\", 8)) !== 0;\n const currentUid = process.getuid?.() || -1;\n const ownerIsCurrentUser = stats.uid === currentUid;\n\n let overall: \"secure\" | \"warning\" | \"insecure\" = \"secure\";\n if (groupReadable || othersReadable) overall = \"insecure\";\n else if (!ownerIsCurrentUser) overall = \"warning\";\n\n return {\n sanctuary_storage_protected: isSecure,\n sanctuary_storage_mode: modeString,\n owner_is_current_user: ownerIsCurrentUser,\n group_readable: groupReadable,\n others_readable: othersReadable,\n overall,\n };\n } catch {\n // If we can't stat the directory, report it as a warning\n return {\n sanctuary_storage_protected: false,\n sanctuary_storage_mode: \"unknown\",\n owner_is_current_user: false,\n group_readable: false,\n others_readable: false,\n overall: \"warning\",\n };\n }\n}\n\n// ── Runtime Integrity Monitoring ──────────────────────────────────\n\nexport interface RuntimeIntegrityStatus {\n config_hash_stable: boolean;\n environment_state: \"clean\" | \"modified\" | \"unknown\";\n discrepancies: string[];\n}\n\n/**\n * Monitor runtime integrity by checking for unexpected modifications.\n * Currently a stub that reports \"clean\" state.\n *\n * Future enhancement: hash config at startup, verify at runtime.\n */\nexport function checkRuntimeIntegrity(): RuntimeIntegrityStatus {\n return {\n config_hash_stable: true,\n environment_state: \"clean\",\n discrepancies: [],\n };\n}\n\n// ── Overall L2 Hardening Status ────────────────────────────────────\n\nexport interface L2HardeningStatus {\n hardening_level: IsolationLevel;\n memory_protection: MemoryProtectionStatus;\n process_isolation: ProcessIsolationStatus;\n filesystem_permissions: FilesystemPermissionStatus;\n runtime_integrity: RuntimeIntegrityStatus;\n checks_passed: number;\n checks_total: number;\n summary: string;\n}\n\n/**\n * Comprehensive L2 hardening assessment.\n * Combines all hardening checks into a single hardening level.\n */\nexport function assessL2Hardening(storagePath: string): L2HardeningStatus {\n const memory = checkMemoryProtection();\n const isolation = checkProcessIsolation();\n const filesystem = checkFilesystemPermissions(storagePath);\n const integrity = checkRuntimeIntegrity();\n\n // Count passed checks\n let checksPassed = 0;\n let checksTotal = 0;\n\n // Memory protection\n if (memory.aslr_enabled) checksPassed++;\n checksTotal++;\n if (memory.stack_canaries) checksPassed++;\n checksTotal++;\n if (memory.secure_buffer_zeros) checksPassed++;\n checksTotal++;\n if (memory.argon2id_kdf) checksPassed++;\n checksTotal++;\n\n // Process isolation\n if (isolation.is_container) checksPassed++;\n checksTotal++;\n if (isolation.is_vm) checksPassed++;\n checksTotal++;\n if (isolation.is_sandboxed) checksPassed++;\n checksTotal++;\n\n // Filesystem permissions\n if (filesystem.sanctuary_storage_protected) checksPassed++;\n checksTotal++;\n\n // Runtime integrity\n if (integrity.config_hash_stable && integrity.environment_state === \"clean\") {\n checksPassed++;\n }\n checksTotal++;\n\n // Determine overall hardening level\n let hardeningLevel: IsolationLevel = isolation.isolation_level;\n\n // If filesystem or memory protection is weak, degrade hardening level\n if (\n filesystem.overall === \"insecure\" ||\n memory.overall === \"none\" ||\n memory.overall === \"minimal\"\n ) {\n if (hardeningLevel === \"hardened\") {\n hardeningLevel = \"basic\";\n } else if (hardeningLevel === \"basic\") {\n hardeningLevel = \"none\";\n }\n }\n\n // Generate summary\n const summaryParts: string[] = [];\n if (isolation.is_container || isolation.is_vm) {\n summaryParts.push(`Running in ${isolation.details.container_type || isolation.details.vm_type || \"isolated environment\"}`);\n }\n if (memory.aslr_enabled) {\n summaryParts.push(\"ASLR enabled\");\n }\n if (filesystem.sanctuary_storage_protected) {\n summaryParts.push(\"Storage permissions secured (0700)\");\n }\n\n const summary =\n summaryParts.length > 0\n ? summaryParts.join(\"; \")\n : \"No process-level hardening detected\";\n\n return {\n hardening_level: hardeningLevel,\n memory_protection: memory,\n process_isolation: isolation,\n filesystem_permissions: filesystem,\n runtime_integrity: integrity,\n checks_passed: checksPassed,\n checks_total: checksTotal,\n summary,\n };\n}\n","/**\n * Sanctuary MCP Server — L2 Hardening Tools\n *\n * MCP tools for checking and verifying L2 operational isolation hardening.\n * These are Tier 3 tools — always allowed, read-only status checks.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { assessL2Hardening } from \"./hardening.js\";\nimport type { AuditLog } from \"./audit-log.js\";\n\nexport function createL2HardeningTools(\n storagePath: string,\n auditLog: AuditLog\n): ToolDefinition[] {\n return [\n {\n name: \"sanctuary/l2_hardening_status\",\n description:\n \"L2 Process Hardening Status — Verify software-based operational isolation. \" +\n \"Reports memory protection, process isolation level, filesystem permissions, \" +\n \"and overall hardening assessment. Read-only. Tier 3 — always allowed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_details: {\n type: \"boolean\",\n description:\n \"If true, include detailed check results for memory, process, and filesystem. \" +\n \"If false, show summary only.\",\n default: false,\n },\n },\n },\n handler: async (args) => {\n const includeDetails = (args.include_details as boolean) ?? false;\n const status = assessL2Hardening(storagePath);\n\n auditLog.append(\n \"l2\",\n \"l2_hardening_status\",\n \"system\",\n { include_details: includeDetails }\n );\n\n if (includeDetails) {\n return toolResult({\n hardening_level: status.hardening_level,\n summary: status.summary,\n checks_passed: status.checks_passed,\n checks_total: status.checks_total,\n memory_protection: {\n aslr_enabled: status.memory_protection.aslr_enabled,\n stack_canaries: status.memory_protection.stack_canaries,\n secure_buffer_zeros: status.memory_protection.secure_buffer_zeros,\n argon2id_kdf: status.memory_protection.argon2id_kdf,\n overall: status.memory_protection.overall,\n },\n process_isolation: {\n isolation_level: status.process_isolation.isolation_level,\n is_container: status.process_isolation.is_container,\n is_vm: status.process_isolation.is_vm,\n is_sandboxed: status.process_isolation.is_sandboxed,\n is_tee: status.process_isolation.is_tee,\n details: status.process_isolation.details,\n },\n filesystem_permissions: {\n sanctuary_storage_protected:\n status.filesystem_permissions.sanctuary_storage_protected,\n sanctuary_storage_mode: status.filesystem_permissions.sanctuary_storage_mode,\n owner_is_current_user: status.filesystem_permissions.owner_is_current_user,\n group_readable: status.filesystem_permissions.group_readable,\n others_readable: status.filesystem_permissions.others_readable,\n overall: status.filesystem_permissions.overall,\n },\n runtime_integrity: {\n config_hash_stable: status.runtime_integrity.config_hash_stable,\n environment_state: status.runtime_integrity.environment_state,\n discrepancies: status.runtime_integrity.discrepancies,\n },\n });\n } else {\n return toolResult({\n hardening_level: status.hardening_level,\n summary: status.summary,\n checks_passed: status.checks_passed,\n checks_total: status.checks_total,\n note:\n \"Pass include_details: true to see full breakdown of memory, \" +\n \"process isolation, and filesystem checks.\",\n });\n }\n },\n },\n\n {\n name: \"sanctuary/l2_verify_isolation\",\n description:\n \"Verify L2 process isolation at runtime. Checks whether the Sanctuary server \" +\n \"is running in an isolated environment (container, VM, sandbox) and validates \" +\n \"filesystem and memory protections. Reports isolation level and any issues. \" +\n \"Read-only. Tier 3 — always allowed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n check_filesystem: {\n type: \"boolean\",\n description:\n \"If true, verify Sanctuary storage directory permissions.\",\n default: true,\n },\n check_memory: {\n type: \"boolean\",\n description:\n \"If true, verify memory protection mechanisms (ASLR, etc.).\",\n default: true,\n },\n check_process: {\n type: \"boolean\",\n description:\n \"If true, detect container, VM, or sandbox environment.\",\n default: true,\n },\n },\n },\n handler: async (args) => {\n const checkFilesystem = (args.check_filesystem as boolean) ?? true;\n const checkMemory = (args.check_memory as boolean) ?? true;\n const checkProcess = (args.check_process as boolean) ?? true;\n\n const status = assessL2Hardening(storagePath);\n\n auditLog.append(\n \"l2\",\n \"l2_verify_isolation\",\n \"system\",\n {\n check_filesystem: checkFilesystem,\n check_memory: checkMemory,\n check_process: checkProcess,\n }\n );\n\n const results: Record<string, unknown> = {\n isolation_level: status.hardening_level,\n timestamp: new Date().toISOString(),\n };\n\n if (checkFilesystem) {\n const fs = status.filesystem_permissions;\n results.filesystem = {\n sanctuary_storage_protected: fs.sanctuary_storage_protected,\n storage_mode: fs.sanctuary_storage_mode,\n is_secure: fs.overall === \"secure\",\n issues:\n fs.overall === \"insecure\"\n ? [\n \"Storage directory is readable by group or others. \" +\n \"Recommend: chmod 700 on Sanctuary storage path.\",\n ]\n : fs.overall === \"warning\"\n ? [\n \"Storage directory not owned by current user. \" +\n \"Verify correct user is running Sanctuary.\",\n ]\n : [],\n };\n }\n\n if (checkMemory) {\n const mem = status.memory_protection;\n const issues: string[] = [];\n if (!mem.aslr_enabled) {\n issues.push(\n \"ASLR not detected. On Linux, enable with: \" +\n \"echo 2 | sudo tee /proc/sys/kernel/randomize_va_space\"\n );\n }\n results.memory = {\n aslr_enabled: mem.aslr_enabled,\n stack_canaries: mem.stack_canaries,\n secure_buffer_handling: mem.secure_buffer_zeros,\n argon2id_key_derivation: mem.argon2id_kdf,\n protection_level: mem.overall,\n issues,\n };\n }\n\n if (checkProcess) {\n const iso = status.process_isolation;\n results.process = {\n isolation_level: iso.isolation_level,\n in_container: iso.is_container,\n in_vm: iso.is_vm,\n sandboxed: iso.is_sandboxed,\n has_tee: iso.is_tee,\n environment: iso.details,\n recommendation:\n iso.isolation_level === \"none\"\n ? \"Consider running Sanctuary in a container or VM for improved isolation.\"\n : iso.isolation_level === \"basic\"\n ? \"Basic isolation detected. Container or VM would provide stronger guarantees.\"\n : \"Running in isolated environment — process-level isolation is strong.\",\n };\n }\n\n return toolResult({\n status: \"verified\",\n results,\n });\n },\n },\n ];\n}\n","/**\n * Sanctuary MCP Server — Main Entry Point\n *\n * Initializes and exports the Sanctuary MCP server.\n * Wires together: config → storage → crypto core → L1-L4 tools → MCP server\n */\n\nimport { mkdir } from \"node:fs/promises\";\nimport { loadConfig, saveConfig, type SanctuaryConfig } from \"./config.js\";\nimport { FilesystemStorage } from \"./storage/filesystem.js\";\nimport type { StorageBackend } from \"./storage/interface.js\";\nimport { StateStore } from \"./l1-cognitive/state-store.js\";\nimport { createL1Tools } from \"./l1-cognitive/tools.js\";\nimport { AuditLog } from \"./l2-operational/audit-log.js\";\nimport { createL3Tools } from \"./l3-disclosure/tools.js\";\nimport { createL4Tools } from \"./l4-reputation/tools.js\";\nimport { loadPrincipalPolicy } from \"./principal-policy/loader.js\";\nimport { BaselineTracker } from \"./principal-policy/baseline.js\";\nimport { StderrApprovalChannel } from \"./principal-policy/approval-channel.js\";\nimport { DashboardApprovalChannel } from \"./principal-policy/dashboard.js\";\nimport { WebhookApprovalChannel } from \"./principal-policy/webhook.js\";\nimport { ApprovalGate } from \"./principal-policy/gate.js\";\nimport { createPrincipalPolicyTools } from \"./principal-policy/tools.js\";\nimport { createServer, type ToolDefinition } from \"./router.js\";\nimport { toolResult } from \"./router.js\";\nimport { createSHRTools } from \"./shr/tools.js\";\nimport { createHandshakeTools } from \"./handshake/tools.js\";\nimport { createFederationTools } from \"./federation/tools.js\";\nimport { createBridgeTools } from \"./bridge/tools.js\";\nimport { createAuditTools } from \"./audit/tools.js\";\nimport { createContextGateTools } from \"./l2-operational/context-gate-tools.js\";\nimport { createL2HardeningTools } from \"./l2-operational/hardening-tools.js\";\nimport { InjectionDetector } from \"./security/injection-detector.js\";\nimport { deriveMasterKey, type KeyDerivationParams } from \"./core/key-derivation.js\";\nimport { generateRandomKey } from \"./core/random.js\";\nimport { toBase64url } from \"./core/encoding.js\";\n\nimport type { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\n\nexport interface SanctuaryServer {\n server: Server;\n config: SanctuaryConfig;\n}\n\n/**\n * Initialize the Sanctuary MCP Server.\n *\n * @param options - Configuration overrides and initialization options\n * @returns The configured MCP server, ready to connect to a transport\n */\nexport async function createSanctuaryServer(options?: {\n configPath?: string;\n passphrase?: string;\n storage?: StorageBackend;\n}): Promise<SanctuaryServer> {\n // 1. Load configuration\n const config = await loadConfig(options?.configPath);\n\n // 2. Ensure storage directory exists\n await mkdir(config.storage_path, { recursive: true, mode: 0o700 });\n\n // 3. Initialize storage backend\n const storage = options?.storage ?? new FilesystemStorage(\n `${config.storage_path}/state`\n );\n\n // 4. Derive or generate master key\n let masterKey: Uint8Array;\n let keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\";\n let recoveryKey: string | undefined;\n\n const passphrase = options?.passphrase ?? process.env.SANCTUARY_PASSPHRASE;\n\n if (passphrase) {\n // Passphrase path: derive master key via Argon2id\n keyProtection = \"passphrase\";\n\n // Check for existing derivation params\n let existingParams: KeyDerivationParams | undefined;\n try {\n const raw = await storage.read(\"_meta\", \"key-params\");\n if (raw) {\n const { bytesToString } = await import(\"./core/encoding.js\");\n existingParams = JSON.parse(bytesToString(raw));\n }\n } catch {\n // No existing params — first run\n }\n\n const result = await deriveMasterKey(passphrase, existingParams);\n masterKey = result.key;\n\n // Store derivation params (not the key!) for re-derivation\n if (!existingParams) {\n const { stringToBytes } = await import(\"./core/encoding.js\");\n await storage.write(\n \"_meta\",\n \"key-params\",\n stringToBytes(JSON.stringify(result.params))\n );\n }\n } else {\n // Recovery key path\n keyProtection = \"recovery-key\";\n\n const { hashToString } = await import(\"./core/hashing.js\");\n const { stringToBytes, bytesToString } = await import(\"./core/encoding.js\");\n const { fromBase64url } = await import(\"./core/encoding.js\");\n const { constantTimeEqual } = await import(\"./core/encoding.js\");\n\n // Check if we already have a stored recovery key hash (existing installation)\n const existingHash = await storage.read(\"_meta\", \"recovery-key-hash\");\n if (existingHash) {\n // Existing installation — require the recovery key to proceed\n const envRecoveryKey = process.env.SANCTUARY_RECOVERY_KEY;\n if (!envRecoveryKey) {\n throw new Error(\n \"Sanctuary: Existing encrypted data found but no credentials provided.\\n\" +\n \"This installation was previously set up with a recovery key.\\n\\n\" +\n \"To start the server, provide one of:\\n\" +\n \" - SANCTUARY_PASSPHRASE (if you later configured a passphrase)\\n\" +\n \" - SANCTUARY_RECOVERY_KEY (the recovery key shown at first run)\\n\\n\" +\n \"Without the correct credentials, encrypted state cannot be accessed.\\n\" +\n \"Refusing to start to prevent silent data loss.\"\n );\n }\n\n // Decode and verify the recovery key against the stored hash\n let recoveryKeyBytes: Uint8Array;\n try {\n recoveryKeyBytes = fromBase64url(envRecoveryKey);\n } catch {\n throw new Error(\n \"Sanctuary: SANCTUARY_RECOVERY_KEY is not valid base64url. \" +\n \"The recovery key should be the exact string shown at first run.\"\n );\n }\n\n if (recoveryKeyBytes.length !== 32) {\n throw new Error(\n \"Sanctuary: SANCTUARY_RECOVERY_KEY has incorrect length. \" +\n \"The recovery key should be the exact string shown at first run.\"\n );\n }\n\n const providedHash = hashToString(recoveryKeyBytes);\n const storedHash = bytesToString(existingHash);\n\n // Constant-time comparison to prevent timing attacks on the hash\n const providedHashBytes = stringToBytes(providedHash);\n const storedHashBytes = stringToBytes(storedHash);\n if (!constantTimeEqual(providedHashBytes, storedHashBytes)) {\n throw new Error(\n \"Sanctuary: Recovery key does not match the stored key hash.\\n\" +\n \"The recovery key provided via SANCTUARY_RECOVERY_KEY is incorrect.\\n\" +\n \"Use the exact recovery key that was displayed at first run.\"\n );\n }\n\n // Recovery key verified — use it as the master key\n masterKey = recoveryKeyBytes;\n // Do NOT set recoveryKey — this is not a first run, no banner should display\n } else {\n // First run — but check for orphaned encrypted data as a safety net\n const existingNamespaces = await storage.list(\"_meta\");\n const hasKeyParams = existingNamespaces.some(e => e.key === \"key-params\");\n if (hasKeyParams) {\n throw new Error(\n \"Sanctuary: Found existing key derivation parameters but no recovery key hash.\\n\" +\n \"This indicates a corrupted or incomplete installation.\\n\" +\n \"If you previously used a passphrase, set SANCTUARY_PASSPHRASE to start.\"\n );\n }\n\n // Genuine first run: generate random master key and store its hash\n masterKey = generateRandomKey();\n recoveryKey = toBase64url(masterKey);\n\n const keyHash = hashToString(masterKey);\n await storage.write(\n \"_meta\",\n \"recovery-key-hash\",\n stringToBytes(keyHash)\n );\n }\n }\n\n // 5. Initialize audit log\n const auditLog = new AuditLog(storage, masterKey);\n\n // 6. Initialize state store\n const stateStore = new StateStore(storage, masterKey);\n\n // 7. Create L1 tools\n const { tools: l1Tools, identityManager } = createL1Tools(\n stateStore,\n storage,\n masterKey,\n keyProtection,\n auditLog\n );\n\n // 8. Load existing identities\n await identityManager.load();\n\n // 9. Create L2 monitoring tools\n const l2Tools: ToolDefinition[] = [\n {\n name: \"sanctuary/exec_attest\",\n description:\n \"Generate an attestation of the current execution environment, \" +\n \"including sovereignty assessment and degradation report.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_hardware: { type: \"boolean\", default: true },\n include_software: { type: \"boolean\", default: true },\n include_network: { type: \"boolean\", default: true },\n },\n },\n handler: async () => {\n const degradations: string[] = [];\n\n // L2 is self-reported in MVS\n degradations.push(\n \"L2 isolation is process-level only; no TEE available\"\n );\n\n // L3 is commitment-only in MVS\n if (config.disclosure.proof_system === \"commitment-only\") {\n degradations.push(\n \"L3 proofs are commitment-based only; ZK proofs not yet available\"\n );\n }\n\n return toolResult({\n attestation: {\n environment_type: config.execution.environment,\n hardware: {\n cpu_vendor: process.arch,\n tee_available: false,\n tee_type: undefined,\n },\n software: {\n os: `${process.platform}-${process.arch}`,\n runtime: `node-${process.version}`,\n sanctuary_version: config.version,\n mcp_sdk_version: \"1.26.0\",\n },\n network: {\n internet_accessible: true, // Conservative assumption\n listening_ports: [],\n egress_restricted: false,\n },\n isolation_level: \"process\",\n sovereignty_assessment: {\n l1_state_encrypted: true,\n l2_execution_isolated: false,\n l2_isolation_type: \"process-level\",\n l3_proofs_available:\n config.disclosure.proof_system !== \"commitment-only\",\n l4_reputation_active: true,\n overall_level: \"mvs\",\n degradations,\n },\n },\n attested_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/monitor_health\",\n description:\n \"Sanctuary Health Report (SHR) — standardized sovereignty status.\",\n inputSchema: { type: \"object\", properties: {} },\n handler: async () => {\n const storageSizeBytes = await storage.totalSize();\n const degradations: Array<{\n layer: string;\n description: string;\n severity: string;\n mitigation: string;\n }> = [];\n\n degradations.push({\n layer: \"l2\",\n description: \"Process-level isolation only (no TEE)\",\n severity: \"warning\",\n mitigation: \"TEE support planned for a future release\",\n });\n\n if (config.disclosure.proof_system === \"commitment-only\") {\n degradations.push({\n layer: \"l3\",\n description: \"Commitment schemes only (no ZK proofs)\",\n severity: \"info\",\n mitigation: \"ZK proof support planned for v0.2.0\",\n });\n }\n\n return toolResult({\n status: degradations.some((d) => d.severity === \"critical\")\n ? \"compromised\"\n : degradations.some((d) => d.severity === \"warning\")\n ? \"degraded\"\n : \"healthy\",\n storage_bytes: storageSizeBytes,\n layers: {\n l1: {\n status: \"active\",\n encryption_algorithm: \"aes-256-gcm\",\n key_count: identityManager.list().length,\n state_integrity: \"verified\",\n last_integrity_check: new Date().toISOString(),\n },\n l2: {\n status: \"degraded\",\n isolation_type: \"process-level\",\n attestation_available: true,\n last_attestation: new Date().toISOString(),\n },\n l3: {\n status:\n config.disclosure.proof_system === \"commitment-only\"\n ? \"degraded\"\n : \"active\",\n proof_system: config.disclosure.proof_system,\n circuits_loaded: 0,\n proofs_generated_total: 0,\n },\n l4: {\n status: \"active\",\n mode: config.reputation.mode,\n interaction_count: 0, // TODO: track from reputation store\n reputation_exportable: true,\n },\n },\n degradations,\n checked_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/monitor_audit_log\",\n description: \"Query the sovereignty audit log.\",\n inputSchema: {\n type: \"object\",\n properties: {\n since: { type: \"string\", description: \"ISO 8601 timestamp\" },\n layer: {\n type: \"string\",\n enum: [\"l1\", \"l2\", \"l3\", \"l4\"],\n },\n operation_type: { type: \"string\" },\n limit: { type: \"number\", default: 50 },\n },\n },\n handler: async (args) => {\n const result = await auditLog.query({\n since: args.since as string | undefined,\n layer: args.layer as \"l1\" | \"l2\" | \"l3\" | \"l4\" | undefined,\n operation_type: args.operation_type as string | undefined,\n limit: (args.limit as number) ?? 50,\n });\n return toolResult(result);\n },\n },\n ];\n\n // 10. Create SIM manifest tool\n const manifestTool: ToolDefinition = {\n name: \"sanctuary/manifest\",\n description:\n \"Generate the Sanctuary Interface Manifest (SIM) — \" +\n \"a machine-readable declaration of this server's capabilities.\",\n inputSchema: { type: \"object\", properties: {} },\n handler: async () => {\n return toolResult({\n sanctuary_version: \"0.2\",\n implementation: {\n name: \"@sanctuary-framework/mcp-server\",\n version: config.version,\n language: \"typescript\",\n license: \"Apache-2.0\",\n },\n layers: {\n l1: {\n implemented: true,\n interfaces: [\"StateStore\", \"IdentityRoot\"],\n encryption: [\"aes-256-gcm\"],\n identity: [\"ed25519\"],\n properties: {\n \"S1.1_participant_held_keys\": \"full\",\n \"S1.2_encryption_at_rest\": \"full\",\n \"S1.3_integrity_verification\": \"full\",\n \"S1.4_selective_state_sharing\": \"full\",\n \"S1.5_state_portability\": \"full\",\n \"S1.6_deletion_rights\": \"full\",\n \"S1.7_identity_anchoring\": \"partial\",\n },\n },\n l2: {\n implemented: true,\n interfaces: [\"ExecutionEnvironment\", \"RuntimeMonitor\"],\n isolation_types: [config.execution.environment],\n properties: {\n \"S2.1_execution_confidentiality\": \"documented\",\n \"S2.2_verifiable_execution\": \"self-reported\",\n \"S2.5_attestation\": \"self-reported\",\n },\n },\n l3: {\n implemented: true,\n interfaces: [\"ProofEngine\", \"DisclosurePolicy\"],\n proof_systems: [config.disclosure.proof_system],\n properties: {\n \"S3.1_minimum_disclosure\": \"policy-based\",\n \"S3.3_proof_without_revelation\": \"commitment\",\n },\n },\n l4: {\n implemented: true,\n interfaces: [\"ReputationStore\", \"TrustBootstrap\"],\n modes: [config.reputation.mode],\n properties: {\n \"S4.1_earned_reputation\": \"full\",\n \"S4.2_participant_owned\": \"full\",\n \"S4.5_sybil_resistance\": \"basic\",\n \"S4.7_trust_bootstrapping\": \"full\",\n },\n },\n },\n composition: {\n sim_version: \"1.0\",\n spf_supported: false,\n shr_supported: true,\n delegation_depth: 1,\n },\n limitations: [\n \"L1 identity uses ed25519 only; KERI support planned for v0.2.0\",\n \"L2 isolation is process-level only; TEE support planned for a future release\",\n \"L3 uses commitment schemes only; ZK proofs planned for v0.2.0\",\n \"L4 Sybil resistance is escrow-based only\",\n \"Spec license: CC-BY-4.0 | Code license: Apache-2.0\",\n ],\n });\n },\n };\n\n // 11. Create L3 tools\n const { tools: l3Tools } = createL3Tools(storage, masterKey, auditLog);\n\n // 12. Create SHR tools (machine-readable sovereignty health report)\n const { tools: shrTools } = createSHRTools(\n config,\n identityManager,\n masterKey,\n auditLog\n );\n\n // 13. Create Handshake tools (sovereignty handshake protocol)\n // Must be created before L4 so handshakeResults can feed tier resolution\n const { tools: handshakeTools, handshakeResults } = createHandshakeTools(\n config,\n identityManager,\n masterKey,\n auditLog\n );\n\n // 14. Create L4 tools (reputation with sovereignty-gated tiers)\n const { tools: l4Tools, reputationStore: _reputationStore } = createL4Tools(\n storage,\n masterKey,\n identityManager,\n auditLog,\n handshakeResults\n );\n\n // 14b. Create Federation tools (MCP-to-MCP)\n const { tools: federationTools } = createFederationTools(\n auditLog,\n handshakeResults\n );\n\n // 14c. Create Bridge tools (Concordia integration)\n const { tools: bridgeTools } = createBridgeTools(\n storage,\n masterKey,\n identityManager,\n auditLog,\n handshakeResults\n );\n\n // 14d. Create Sovereignty Audit tools (read-only diagnostic)\n const { tools: auditTools } = createAuditTools(config);\n\n // 14e. Create Context Gating tools (L2 outbound context control)\n const { tools: contextGateTools, enforcer: contextGateEnforcer } =\n createContextGateTools(storage, masterKey, auditLog);\n\n // 14f. Create L2 Process Hardening tools\n const hardeningTools = createL2HardeningTools(config.storage_path, auditLog);\n\n // 15. Load Principal Policy and create approval gate\n const policy = await loadPrincipalPolicy(config.storage_path);\n const baseline = new BaselineTracker(storage, masterKey);\n await baseline.load();\n\n // Choose approval channel: dashboard (web UI), webhook (external), or stderr (auto-deny)\n let approvalChannel: StderrApprovalChannel | DashboardApprovalChannel | WebhookApprovalChannel;\n let dashboard: DashboardApprovalChannel | undefined;\n\n if (config.dashboard.enabled) {\n // Resolve auth token: \"auto\" generates a random 32-byte hex token\n let authToken = config.dashboard.auth_token;\n if (authToken === \"auto\") {\n const { randomBytes: rb } = await import(\"node:crypto\");\n authToken = rb(32).toString(\"hex\");\n }\n\n dashboard = new DashboardApprovalChannel({\n port: config.dashboard.port,\n host: config.dashboard.host,\n timeout_seconds: policy.approval_channel.timeout_seconds,\n // SEC-002: auto_deny removed — timeout always denies\n auth_token: authToken,\n tls: config.dashboard.tls,\n auto_open: config.dashboard.auto_open,\n });\n dashboard.setDependencies({ policy, baseline, auditLog });\n await dashboard.start();\n approvalChannel = dashboard;\n } else if (config.webhook.enabled && config.webhook.url && config.webhook.secret) {\n const webhook = new WebhookApprovalChannel({\n webhook_url: config.webhook.url,\n webhook_secret: config.webhook.secret,\n callback_port: config.webhook.callback_port,\n callback_host: config.webhook.callback_host,\n timeout_seconds: policy.approval_channel.timeout_seconds,\n // SEC-002: auto_deny removed — timeout always denies\n });\n await webhook.start();\n approvalChannel = webhook;\n } else {\n approvalChannel = new StderrApprovalChannel(policy.approval_channel);\n }\n\n // 15b. Create injection detector\n const injectionDetector = new InjectionDetector({\n enabled: true,\n sensitivity: \"medium\",\n on_detection: \"escalate\",\n });\n\n // Wire injection alerts to dashboard SSE if dashboard is active\n const onInjectionAlert = dashboard\n ? (alert: { toolName: string; result: import(\"./security/injection-detector.js\").DetectionResult; timestamp: string }) => {\n dashboard!.broadcastSSE(\"injection-alert\", {\n tool: alert.toolName,\n confidence: alert.result.confidence,\n signals: alert.result.signals.map(s => ({\n type: s.type,\n location: s.location,\n severity: s.severity,\n })),\n recommendation: alert.result.recommendation,\n timestamp: alert.timestamp,\n });\n }\n : undefined;\n\n const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog, injectionDetector, onInjectionAlert);\n\n // 16. Create Principal Policy tools (read-only)\n const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);\n\n // 16b. Dashboard open tool — generates a pre-authenticated URL\n const dashboardTools: ToolDefinition[] = [];\n if (dashboard) {\n dashboardTools.push({\n name: \"sanctuary/dashboard_open\",\n description:\n \"Generate a one-click URL to open the Principal Dashboard in a browser. \" +\n \"Returns a pre-authenticated link — no manual token entry needed.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const url = dashboard!.createSessionUrl();\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n dashboard_url: url,\n base_url: dashboard!.getBaseUrl(),\n note: \"Click the dashboard_url to open the Principal Dashboard. The session is pre-authenticated.\",\n }, null, 2),\n },\n ],\n };\n },\n });\n }\n\n // 17. Assemble all tools\n let allTools: ToolDefinition[] = [\n ...l1Tools,\n ...l2Tools,\n ...l3Tools,\n ...l4Tools,\n ...policyTools,\n ...shrTools,\n ...handshakeTools,\n ...federationTools,\n ...bridgeTools,\n ...auditTools,\n ...contextGateTools,\n ...hardeningTools,\n ...dashboardTools,\n manifestTool,\n ];\n\n // 17a. Wrap all tool handlers with context gate enforcer\n allTools = allTools.map((tool) => ({\n ...tool,\n handler: contextGateEnforcer.wrapHandler(tool.name, tool.handler),\n }));\n\n // 18. Create MCP server with approval gate\n const server = createServer(allTools, { gate });\n\n // 19. Save config if this is first run\n await saveConfig(config);\n\n // 20. Register baseline save on process exit\n const saveBaseline = () => {\n baseline.save().catch(() => {});\n };\n process.on(\"SIGINT\", saveBaseline);\n process.on(\"SIGTERM\", saveBaseline);\n\n // 21. Log the recovery key if generated (shown once, never again)\n if (recoveryKey) {\n console.error(\n \"╔══════════════════════════════════════════════════════════╗\\n\" +\n \"║ SANCTUARY: First Run — Recovery Key Generated ║\\n\" +\n \"║ ║\\n\" +\n `║ Recovery Key: ${recoveryKey.slice(0, 20)}... ║\\n` +\n \"║ ║\\n\" +\n \"║ SAVE THIS KEY. It will not be shown again. ║\\n\" +\n \"║ Without it, your encrypted state is unrecoverable. ║\\n\" +\n \"╚══════════════════════════════════════════════════════════╝\"\n );\n }\n\n return { server, config };\n}\n\nexport { loadConfig, type SanctuaryConfig } from \"./config.js\";\nexport { StateStore } from \"./l1-cognitive/state-store.js\";\nexport { AuditLog } from \"./l2-operational/audit-log.js\";\nexport { CommitmentStore } from \"./l3-disclosure/commitments.js\";\nexport {\n createPedersenCommitment,\n verifyPedersenCommitment,\n createProofOfKnowledge,\n verifyProofOfKnowledge,\n createRangeProof,\n verifyRangeProof,\n} from \"./l3-disclosure/zk-proofs.js\";\nexport type {\n PedersenCommitment,\n ZKProofOfKnowledge,\n ZKRangeProof,\n} from \"./l3-disclosure/zk-proofs.js\";\nexport { PolicyStore } from \"./l3-disclosure/policies.js\";\nexport { ReputationStore } from \"./l4-reputation/reputation-store.js\";\nexport {\n resolveTier,\n computeWeightedScore,\n tierDistribution,\n TIER_WEIGHTS,\n} from \"./l4-reputation/tiers.js\";\nexport type { SovereigntyTier, TierMetadata, TieredAttestation } from \"./l4-reputation/tiers.js\";\nexport { FederationRegistry } from \"./federation/registry.js\";\nexport type {\n FederationPeer,\n FederationCapabilities,\n PeerTrustEvaluation,\n} from \"./federation/types.js\";\nexport { ContextGatePolicyStore } from \"./l2-operational/context-gate.js\";\nexport {\n TEMPLATES as CONTEXT_GATE_TEMPLATES,\n getTemplate,\n listTemplateIds,\n} from \"./l2-operational/context-gate-templates.js\";\nexport type { ContextGateTemplate } from \"./l2-operational/context-gate-templates.js\";\nexport {\n classifyField,\n recommendPolicy,\n} from \"./l2-operational/context-gate-recommend.js\";\nexport type {\n FieldClassification,\n PolicyRecommendation,\n} from \"./l2-operational/context-gate-recommend.js\";\nexport {\n evaluateField,\n filterContext,\n} from \"./l2-operational/context-gate.js\";\nexport type {\n ContextGatePolicy,\n ContextGateRule,\n ContextFilterResult,\n FieldFilterResult,\n ProviderCategory,\n ContextAction,\n} from \"./l2-operational/context-gate.js\";\nexport { InjectionDetector } from \"./security/injection-detector.js\";\nexport type {\n InjectionDetectorConfig,\n DetectionResult,\n InjectionSignal,\n} from \"./security/injection-detector.js\";\nexport { ContextGateEnforcer } from \"./l2-operational/context-gate-enforcer.js\";\nexport type { EnforcerConfig } from \"./l2-operational/context-gate-enforcer.js\";\nexport { MemoryStorage } from \"./storage/memory.js\";\nexport { FilesystemStorage } from \"./storage/filesystem.js\";\nexport { ApprovalGate } from \"./principal-policy/gate.js\";\nexport { BaselineTracker } from \"./principal-policy/baseline.js\";\nexport { loadPrincipalPolicy } from \"./principal-policy/loader.js\";\nexport type { PrincipalPolicy, GateResult } from \"./principal-policy/types.js\";\nexport {\n StderrApprovalChannel,\n CallbackApprovalChannel,\n AutoApproveChannel,\n} from \"./principal-policy/approval-channel.js\";\nexport { DashboardApprovalChannel } from \"./principal-policy/dashboard.js\";\nexport type { DashboardConfig } from \"./principal-policy/dashboard.js\";\nexport { WebhookApprovalChannel, signPayload, verifySignature } from \"./principal-policy/webhook.js\";\nexport type { WebhookConfig, WebhookPayload, WebhookCallbackPayload } from \"./principal-policy/webhook.js\";\nexport { generateSHR } from \"./shr/generator.js\";\nexport { verifySHR } from \"./shr/verifier.js\";\nexport type { SignedSHR, SHRBody, SHRVerificationResult } from \"./shr/types.js\";\nexport {\n initiateHandshake,\n respondToHandshake,\n completeHandshake,\n verifyCompletion,\n} from \"./handshake/protocol.js\";\nexport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n} from \"./handshake/types.js\";\nexport {\n createBridgeCommitment,\n verifyBridgeCommitment,\n canonicalize,\n} from \"./bridge/bridge.js\";\nexport type {\n ConcordiaOutcome,\n BridgeCommitment,\n BridgeVerificationResult,\n BridgeAttestationRequest,\n BridgeAttestationResult,\n} from \"./bridge/types.js\";\n","/**\n * Sanctuary MCP Server — In-Memory Storage Backend\n *\n * Used for testing. Implements the same interface as filesystem storage\n * but stores everything in memory. Data does not persist across restarts.\n */\n\nimport type { StorageBackend, StorageEntryMeta } from \"./interface.js\";\n\nexport class MemoryStorage implements StorageBackend {\n private store = new Map<string, { data: Uint8Array; modified_at: string }>();\n\n private storageKey(namespace: string, key: string): string {\n return `${namespace}/${key}`;\n }\n\n async write(\n namespace: string,\n key: string,\n data: Uint8Array\n ): Promise<void> {\n this.store.set(this.storageKey(namespace, key), {\n data: new Uint8Array(data), // Copy to prevent external mutation\n modified_at: new Date().toISOString(),\n });\n }\n\n async read(namespace: string, key: string): Promise<Uint8Array | null> {\n const entry = this.store.get(this.storageKey(namespace, key));\n if (!entry) return null;\n return new Uint8Array(entry.data); // Copy to prevent external mutation\n }\n\n async delete(\n namespace: string,\n key: string,\n _secureOverwrite?: boolean\n ): Promise<boolean> {\n return this.store.delete(this.storageKey(namespace, key));\n }\n\n async list(namespace: string, prefix?: string): Promise<StorageEntryMeta[]> {\n const entries: StorageEntryMeta[] = [];\n const nsPrefix = `${namespace}/`;\n\n for (const [storeKey, entry] of this.store) {\n if (!storeKey.startsWith(nsPrefix)) continue;\n const key = storeKey.slice(nsPrefix.length);\n if (prefix && !key.startsWith(prefix)) continue;\n\n entries.push({\n key,\n namespace,\n size_bytes: entry.data.length,\n modified_at: entry.modified_at,\n });\n }\n\n return entries.sort((a, b) => a.key.localeCompare(b.key));\n }\n\n async exists(namespace: string, key: string): Promise<boolean> {\n return this.store.has(this.storageKey(namespace, key));\n }\n\n async totalSize(): Promise<number> {\n let total = 0;\n for (const entry of this.store.values()) {\n total += entry.data.length;\n }\n return total;\n }\n\n /** Clear all stored data (useful in tests) */\n clear(): void {\n this.store.clear();\n }\n}\n"]}
1
+ {"version":3,"sources":["../src/core/encoding.ts","../src/core/hashing.ts","../src/config.ts","../src/core/random.ts","../src/storage/filesystem.ts","../src/core/encryption.ts","../src/l1-cognitive/state-store.ts","../src/core/identity.ts","../src/core/key-derivation.ts","../src/router.ts","../src/l1-cognitive/tools.ts","../src/l2-operational/audit-log.ts","../src/l3-disclosure/commitments.ts","../src/l3-disclosure/policies.ts","../src/l3-disclosure/zk-proofs.ts","../src/l3-disclosure/tools.ts","../src/l4-reputation/reputation-store.ts","../src/l4-reputation/tools.ts","../src/l4-reputation/tiers.ts","../src/principal-policy/loader.ts","../src/principal-policy/baseline.ts","../src/principal-policy/approval-channel.ts","../src/principal-policy/dashboard-html.ts","../src/principal-policy/dashboard.ts","../src/principal-policy/webhook.ts","../src/security/injection-detector.ts","../src/principal-policy/gate.ts","../src/principal-policy/tools.ts","../src/shr/types.ts","../src/shr/generator.ts","../src/shr/verifier.ts","../src/shr/gateway-adapter.ts","../src/shr/tools.ts","../src/handshake/protocol.ts","../src/handshake/tools.ts","../src/federation/registry.ts","../src/federation/tools.ts","../src/bridge/tools.ts","../src/bridge/bridge.ts","../src/audit/detector.ts","../src/audit/analyzer.ts","../src/audit/tools.ts","../src/l2-operational/context-gate.ts","../src/l2-operational/context-gate-templates.ts","../src/l2-operational/context-gate-recommend.ts","../src/l2-operational/context-gate-enforcer.ts","../src/l2-operational/context-gate-tools.ts","../src/l2-operational/hardening.ts","../src/l2-operational/hardening-tools.ts","../src/index.ts","../src/storage/memory.ts"],"names":["sha256","hmac","require","createRequire","join","homedir","path","readFile","writeFile","nodeRandomBytes","mkdir","stat","unlink","readdir","gcm","ed25519","argon2id","hkdf","PKG_VERSION","Server","ListToolsRequestSchema","CallToolRequestSchema","RESERVED_NAMESPACE_PREFIXES","RistrettoPoint","hash","start","end","hashToString","stringToBytes","chmod","readFileSync","createHttpsServer","createHttpServer","randomBytes","os","platform","exec","createHmac","access","execSync","statSync","bytesToString","fromBase64url","constantTimeEqual"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAA,gBAAA,GAAA,EAAA;AAAA,QAAA,CAAA,gBAAA,EAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,WAAA,EAAA,MAAA,WAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,aAAA,EAAA,MAAA,aAAA;AAAA,EAAA,WAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAUO,SAAS,YAAY,KAAA,EAA2B;AACrD,EAAA,MAAM,SAAS,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,QAAQ,CAAA;AACnD,EAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACzE;AAKO,SAAS,cAAc,GAAA,EAAyB;AAErD,EAAA,IAAI,MAAA,GAAS,IAAI,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAErD,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,EAAG;AAC9B,IAAA,MAAA,IAAU,GAAA;AAAA,EACZ;AACA,EAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA;AACxC,EAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAClE;AAKO,SAAS,cAAc,GAAA,EAAyB;AACrD,EAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,GAAG,CAAA;AACrC;AAKO,SAAS,cAAc,KAAA,EAA2B;AACvD,EAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAA;AACvC;AAKO,SAAS,eAAe,MAAA,EAAkC;AAC/D,EAAA,MAAM,WAAA,GAAc,OAAO,MAAA,CAAO,CAAC,KAAK,GAAA,KAAQ,GAAA,GAAM,GAAA,CAAI,MAAA,EAAQ,CAAC,CAAA;AACnE,EAAA,MAAM,MAAA,GAAS,IAAI,UAAA,CAAW,WAAW,CAAA;AACzC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,OAAO,MAAA,EAAQ;AACxB,IAAA,MAAA,CAAO,GAAA,CAAI,KAAK,MAAM,CAAA;AACtB,IAAA,MAAA,IAAU,GAAA,CAAI,MAAA;AAAA,EAChB;AACA,EAAA,OAAO,MAAA;AACT;AAMO,SAAS,iBAAA,CAAkB,GAAe,CAAA,EAAwB;AACvE,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,IAAA,IAAQ,CAAA,CAAE,CAAC,CAAA,GAAK,CAAA,CAAE,CAAC,CAAA;AAAA,EACrB;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;AApEA,IAAA,aAAA,GAAA,KAAA,CAAA;AAAA,EAAA,sBAAA,GAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACAA,IAAA,eAAA,GAAA,EAAA;AAAA,QAAA,CAAA,eAAA,EAAA;AAAA,EAAA,eAAA,EAAA,MAAA,eAAA;AAAA,EAAA,iBAAA,EAAA,MAAA,iBAAA;AAAA,EAAA,mBAAA,EAAA,MAAA,mBAAA;AAAA,EAAA,IAAA,EAAA,MAAA,IAAA;AAAA,EAAA,YAAA,EAAA,MAAA,YAAA;AAAA,EAAA,UAAA,EAAA,MAAA,UAAA;AAAA,EAAA,iBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAcO,SAAS,KAAK,IAAA,EAA8B;AACjD,EAAA,OAAOA,cAAO,IAAI,CAAA;AACpB;AAKO,SAAS,aAAa,IAAA,EAA0B;AACrD,EAAA,OAAO,WAAA,CAAY,IAAA,CAAK,IAAI,CAAC,CAAA;AAC/B;AAKO,SAAS,UAAA,CAAW,KAAiB,IAAA,EAA8B;AACxE,EAAA,OAAOC,SAAA,CAAKD,aAAA,EAAQ,GAAA,EAAK,IAAI,CAAA;AAC/B;AA2BO,SAAS,gBACd,OAAA,EACmB;AACnB,EAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,CAAA,EAAG,OAAO,IAAA;AAG/B,EAAA,MAAM,aAAa,KAAA,CAAM,IAAA,CAAK,QAAQ,IAAA,EAAM,EAAE,IAAA,EAAK;AAGnD,EAAA,IAAI,KAAA,GAAsB,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,KAAQ;AAChD,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AACnC,IAAA,MAAM,QAAA,GAAW,WAAA;AAAA,MACf,cAAc,GAAG,CAAA;AAAA,MACjB,cAAc,WAAW;AAAA,KAC3B;AACA,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,aAAa,QAAQ,CAAA;AAAA,MAC3B;AAAA,KACF;AAAA,EACF,CAAC,CAAA;AAGD,EAAA,OAAO,KAAA,CAAM,SAAS,CAAA,EAAG;AACvB,IAAA,MAAM,YAA0B,EAAC;AACjC,IAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAA,EAAQ,KAAK,CAAA,EAAG;AACxC,MAAA,MAAM,IAAA,GAAO,MAAM,CAAC,CAAA;AACpB,MAAA,IAAI,CAAA,GAAI,CAAA,GAAI,KAAA,CAAM,MAAA,EAAQ;AACxB,QAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,CAAA,GAAI,CAAC,CAAA;AACzB,QAAA,MAAM,UAAA,GAAa,WAAA;AAAA,UACjB,aAAA,CAAc,KAAK,IAAI,CAAA;AAAA,UACvB,aAAA,CAAc,MAAM,IAAI;AAAA,SAC1B;AACA,QAAA,SAAA,CAAU,IAAA,CAAK;AAAA,UACb,IAAA,EAAM,aAAa,UAAU,CAAA;AAAA,UAC7B,IAAA;AAAA,UACA;AAAA,SACD,CAAA;AAAA,MACH,CAAA,MAAO;AAEL,QAAA,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,MACrB;AAAA,IACF;AACA,IAAA,KAAA,GAAQ,SAAA;AAAA,EACV;AAEA,EAAA,OAAO,KAAA,CAAM,CAAC,CAAA,IAAK,IAAA;AACrB;AASO,SAAS,mBAAA,CACd,SACA,SAAA,EACoB;AACpB,EAAA,IAAI,CAAC,OAAA,CAAQ,GAAA,CAAI,SAAS,GAAG,OAAO,IAAA;AAEpC,EAAA,MAAM,aAAa,KAAA,CAAM,IAAA,CAAK,QAAQ,IAAA,EAAM,EAAE,IAAA,EAAK;AACnD,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,OAAA,CAAQ,SAAS,CAAA;AAChD,EAAA,IAAI,WAAA,KAAgB,IAAI,OAAO,IAAA;AAG/B,EAAA,MAAM,UAAA,GAAuB,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,KAAQ;AACnD,IAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AACnC,IAAA,MAAM,QAAA,GAAW,WAAA;AAAA,MACf,cAAc,GAAG,CAAA;AAAA,MACjB,cAAc,WAAW;AAAA,KAC3B;AACA,IAAA,OAAO,aAAa,QAAQ,CAAA;AAAA,EAC9B,CAAC,CAAA;AAED,EAAA,MAAM,OAA4B,EAAC;AACnC,EAAA,IAAI,YAAA,GAAe,WAAA;AACnB,EAAA,IAAI,YAAA,GAAe,UAAA;AAEnB,EAAA,OAAO,YAAA,CAAa,SAAS,CAAA,EAAG;AAC9B,IAAA,MAAM,YAAsB,EAAC;AAC7B,IAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,MAAA,EAAQ,KAAK,CAAA,EAAG;AAC/C,MAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,MAAA,IAAI,CAAA,GAAI,CAAA,GAAI,YAAA,CAAa,MAAA,EAAQ;AAC/B,QAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,GAAI,CAAC,CAAA;AAGhC,QAAA,IAAI,CAAA,KAAM,YAAA,IAAgB,CAAA,GAAI,CAAA,KAAM,YAAA,EAAc;AAChD,UAAA,IAAI,iBAAiB,CAAA,EAAG;AACtB,YAAA,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,SAAS,CAAA;AAAA,UAC9C,CAAA,MAAO;AACL,YAAA,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,IAAA,EAAM,QAAA,EAAU,QAAQ,CAAA;AAAA,UAC5C;AAAA,QACF;AAEA,QAAA,MAAM,UAAA,GAAa,WAAA;AAAA,UACjB,cAAc,IAAI,CAAA;AAAA,UAClB,cAAc,KAAK;AAAA,SACrB;AACA,QAAA,SAAA,CAAU,IAAA,CAAK,YAAA,CAAa,UAAU,CAAC,CAAA;AAAA,MACzC,CAAA,MAAO;AAEL,QAAA,SAAA,CAAU,KAAK,IAAI,CAAA;AAAA,MACrB;AAAA,IACF;AACA,IAAA,YAAA,GAAe,IAAA,CAAK,KAAA,CAAM,YAAA,GAAe,CAAC,CAAA;AAC1C,IAAA,YAAA,GAAe,SAAA;AAAA,EACjB;AAEA,EAAA,MAAM,IAAA,GAAO,gBAAgB,OAAO,CAAA;AAEpC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,WAAW,WAAW,CAAA;AAAA,IAC5B,IAAA;AAAA,IACA,IAAA,EAAM,MAAM,IAAA,IAAQ;AAAA,GACtB;AACF;AAQO,SAAS,kBAAkB,KAAA,EAA6B;AAC7D,EAAA,IAAI,cAAc,KAAA,CAAM,IAAA;AAExB,EAAA,KAAA,MAAW,IAAA,IAAQ,MAAM,IAAA,EAAM;AAC7B,IAAA,MAAM,IAAA,GACJ,IAAA,CAAK,QAAA,KAAa,MAAA,GAAS,KAAK,IAAA,GAAO,WAAA;AACzC,IAAA,MAAM,KAAA,GACJ,IAAA,CAAK,QAAA,KAAa,OAAA,GAAU,KAAK,IAAA,GAAO,WAAA;AAC1C,IAAA,MAAM,UAAA,GAAa,WAAA;AAAA,MACjB,cAAc,IAAI,CAAA;AAAA,MAClB,cAAc,KAAK;AAAA,KACrB;AACA,IAAA,WAAA,GAAc,aAAa,UAAU,CAAA;AAAA,EACvC;AAEA,EAAA,OAAO,gBAAgB,KAAA,CAAM,IAAA;AAC/B;AAMO,SAAS,kBAAkB,OAAA,EAAsC;AACtE,EAAA,MAAM,IAAA,GAAO,gBAAgB,OAAO,CAAA;AACpC,EAAA,OAAO,MAAM,IAAA,IAAQ,EAAA;AACvB;AA9MA,IAAA,YAAA,GAAA,KAAA,CAAA;AAAA,EAAA,qBAAA,GAAA;AASA,IAAA,aAAA,EAAA;AAAA,EAAA;AAAA,CAAA,CAAA;ACEA,IAAME,QAAAA,GAAUC,sBAAA,CAAc,2PAAe,CAAA;AAC7C,IAAM,EAAE,OAAA,EAAS,WAAA,EAAY,GAAID,SAAQ,iBAAiB,CAAA;AAGnD,IAAM,iBAAA,GAAoB,WAAA;AAqE1B,SAAS,aAAA,GAAiC;AAC/C,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,WAAA;AAAA,IACT,YAAA,EAAcE,SAAA,CAAKC,UAAA,EAAQ,EAAG,YAAY,CAAA;AAAA,IAC1C,KAAA,EAAO;AAAA,MACL,UAAA,EAAY,aAAA;AAAA,MACZ,cAAA,EAAgB,MAAA;AAAA,MAChB,cAAA,EAAgB,UAAA;AAAA,MAChB,SAAA,EAAW,eAAA;AAAA,MACX,iBAAA,EAAmB;AAAA,KACrB;AAAA,IACA,SAAA,EAAW;AAAA,MACT,WAAA,EAAa,eAAA;AAAA,MACb,WAAA,EAAa,IAAA;AAAA,MACb,eAAA,EAAiB;AAAA,QACf,aAAA,EAAe,GAAA;AAAA,QACf,cAAA,EAAgB,IAAA;AAAA,QAChB,eAAA,EAAiB;AAAA;AACnB,KACF;AAAA,IACA,UAAA,EAAY;AAAA,MACV,YAAA,EAAc,kBAAA;AAAA,MACd,cAAA,EAAgB;AAAA,KAClB;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,gBAAA;AAAA,MACN,kBAAA,EAAoB,gBAAA;AAAA,MACpB,aAAA,EAAe,kBAAA;AAAA,MACf,mBAAmB;AAAC,KACtB;AAAA,IACA,SAAA,EAAW,OAAA;AAAA,IACX,SAAA,EAAW,IAAA;AAAA,IACX,SAAA,EAAW;AAAA,MACT,OAAA,EAAS,KAAA;AAAA,MACT,IAAA,EAAM,IAAA;AAAA,MACN,IAAA,EAAM;AAAA,KACR;AAAA,IACA,OAAA,EAAS;AAAA,MACP,OAAA,EAAS,KAAA;AAAA,MACT,GAAA,EAAK,EAAA;AAAA,MACL,MAAA,EAAQ,EAAA;AAAA,MACR,aAAA,EAAe,IAAA;AAAA,MACf,aAAA,EAAe;AAAA;AACjB,GACF;AACF;AAQA,eAAsB,WACpB,UAAA,EAC0B;AAC1B,EAAA,IAAI,SAAS,aAAA,EAAc;AAG3B,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,sBAAA,IAA0B,MAAA,CAAO,YAAA;AACjE,EAAA,MAAMC,MAAA,GAAO,UAAA,IAAcF,SAAA,CAAK,WAAA,EAAa,gBAAgB,CAAA;AAE7D,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,MAAMG,iBAAA,CAASD,MAAA,EAAM,OAAO,CAAA;AACxC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AACjC,IAAA,MAAA,GAAS,SAAA,CAAU,QAAQ,UAAU,CAAA;AAAA,EACvC,SAAS,GAAA,EAAK;AAEZ,IAAA,IAAI,eAAe,KAAA,IAAS,GAAA,CAAI,OAAA,CAAQ,QAAA,CAAS,wBAAwB,CAAA,EAAG;AAC1E,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EAEF;AAGA,EAAA,IAAI,OAAA,CAAQ,IAAI,sBAAA,EAAwB;AACtC,IAAA,MAAA,CAAO,YAAA,GAAe,QAAQ,GAAA,CAAI,sBAAA;AAAA,EACpC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,mBAAA,EAAqB;AACnC,IAAA,MAAA,CAAO,SAAA,GAAY,QAAQ,GAAA,CAAI,mBAAA;AAAA,EACjC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,mBAAA,EAAqB;AACnC,IAAA,MAAA,CAAO,SAAA,GAAY,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,qBAAqB,EAAE,CAAA;AAAA,EACjE;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,2BAAA,KAAgC,MAAA,EAAQ;AACtD,IAAA,MAAA,CAAO,UAAU,OAAA,GAAU,IAAA;AAAA,EAC7B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,2BAAA,KAAgC,OAAA,EAAS;AACvD,IAAA,MAAA,CAAO,UAAU,OAAA,GAAU,KAAA;AAAA,EAC7B;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,wBAAA,EAA0B;AACxC,IAAA,MAAA,CAAO,UAAU,IAAA,GAAO,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,0BAA0B,EAAE,CAAA;AAAA,EAC3E;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,wBAAA,EAA0B;AACxC,IAAA,MAAA,CAAO,SAAA,CAAU,IAAA,GAAO,OAAA,CAAQ,GAAA,CAAI,wBAAA;AAAA,EACtC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,8BAAA,EAAgC;AAC9C,IAAA,MAAA,CAAO,SAAA,CAAU,UAAA,GAAa,OAAA,CAAQ,GAAA,CAAI,8BAAA;AAAA,EAC5C;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,6BAAA,KAAkC,MAAA,EAAQ;AACxD,IAAA,MAAA,CAAO,UAAU,SAAA,GAAY,IAAA;AAAA,EAC/B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,6BAAA,KAAkC,OAAA,EAAS;AACzD,IAAA,MAAA,CAAO,UAAU,SAAA,GAAY,KAAA;AAAA,EAC/B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,4BAAA,IAAgC,OAAA,CAAQ,IAAI,2BAAA,EAA6B;AACvF,IAAA,MAAA,CAAO,UAAU,GAAA,GAAM;AAAA,MACrB,SAAA,EAAW,QAAQ,GAAA,CAAI,4BAAA;AAAA,MACvB,QAAA,EAAU,QAAQ,GAAA,CAAI;AAAA,KACxB;AAAA,EACF;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,yBAAA,KAA8B,MAAA,EAAQ;AACpD,IAAA,MAAA,CAAO,QAAQ,OAAA,GAAU,IAAA;AAAA,EAC3B;AACA,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,yBAAA,KAA8B,OAAA,EAAS;AACrD,IAAA,MAAA,CAAO,QAAQ,OAAA,GAAU,KAAA;AAAA,EAC3B;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,qBAAA,EAAuB;AACrC,IAAA,MAAA,CAAO,OAAA,CAAQ,GAAA,GAAM,OAAA,CAAQ,GAAA,CAAI,qBAAA;AAAA,EACnC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,wBAAA,EAA0B;AACxC,IAAA,MAAA,CAAO,OAAA,CAAQ,MAAA,GAAS,OAAA,CAAQ,GAAA,CAAI,wBAAA;AAAA,EACtC;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,+BAAA,EAAiC;AAC/C,IAAA,MAAA,CAAO,QAAQ,aAAA,GAAgB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,iCAAiC,EAAE,CAAA;AAAA,EACzF;AACA,EAAA,IAAI,OAAA,CAAQ,IAAI,+BAAA,EAAiC;AAC/C,IAAA,MAAA,CAAO,OAAA,CAAQ,aAAA,GAAgB,OAAA,CAAQ,GAAA,CAAI,+BAAA;AAAA,EAC7C;AAIA,EAAA,MAAA,CAAO,OAAA,GAAU,WAAA;AAEjB,EAAA,cAAA,CAAe,MAAM,CAAA;AACrB,EAAA,OAAO,MAAA;AACT;AAKA,eAAsB,UAAA,CACpB,QACA,UAAA,EACe;AACf,EAAA,MAAMA,MAAA,GACUF,SAAA,CAAK,MAAA,CAAO,cAAc,gBAAgB,CAAA;AAC1D,EAAA,MAAMI,kBAAA,CAAUF,MAAA,EAAM,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,IAAA,EAAM,CAAC,CAAA,EAAG,EAAE,IAAA,EAAM,GAAA,EAAO,CAAA;AACxE;AAOO,SAAS,eAAe,MAAA,EAA+B;AAC5D,EAAA,MAAM,SAAmB,EAAC;AAI1B,EAAA,MAAM,2CAA2B,IAAI,GAAA,CAAI,CAAC,YAAA,EAAc,MAAM,CAAC,CAAA;AAC/D,EAAA,IAAI,CAAC,wBAAA,CAAyB,GAAA,CAAI,MAAA,CAAO,KAAA,CAAM,cAAc,CAAA,EAAG;AAC9D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,uDAAuD,MAAA,CAAO,KAAA,CAAM,cAAc,CAAA,QAAA,EAC1E,CAAC,GAAG,wBAAwB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,uGAAA;AAAA,KAErE;AAAA,EACF;AAIA,EAAA,MAAM,yCAAyB,IAAI,GAAA,CAAI,CAAC,eAAA,EAAiB,QAAQ,CAAC,CAAA;AAClE,EAAA,IAAI,CAAC,sBAAA,CAAuB,GAAA,CAAI,MAAA,CAAO,SAAA,CAAU,WAAW,CAAA,EAAG;AAC7D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,wDAAwD,MAAA,CAAO,SAAA,CAAU,WAAW,CAAA,QAAA,EAC5E,CAAC,GAAG,sBAAsB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,+FAAA;AAAA,KAEnE;AAAA,EACF;AAKA,EAAA,MAAM,yCAAyB,IAAI,GAAA,CAAI,CAAC,kBAAA,EAAoB,iBAAiB,CAAC,CAAA;AAC9E,EAAA,IAAI,CAAC,sBAAA,CAAuB,GAAA,CAAI,MAAA,CAAO,UAAA,CAAW,YAAY,CAAA,EAAG;AAC/D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,0DAA0D,MAAA,CAAO,UAAA,CAAW,YAAY,CAAA,QAAA,EAChF,CAAC,GAAG,sBAAsB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,+FAAA;AAAA,KAEnE;AAAA,EACF;AAIA,EAAA,MAAM,2BAAA,mBAA8B,IAAI,GAAA,CAAI,CAAC,mBAAmB,CAAC,CAAA;AACjE,EAAA,IAAI,CAAC,2BAAA,CAA4B,GAAA,CAAI,MAAA,CAAO,UAAA,CAAW,cAAc,CAAA,EAAG;AACtE,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,4DAA4D,MAAA,CAAO,UAAA,CAAW,cAAc,CAAA,QAAA,EACpF,CAAC,GAAG,2BAA2B,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,4GAAA;AAAA,KAExE;AAAA,EACF;AAIA,EAAA,MAAM,yBAAA,mBAA4B,IAAI,GAAA,CAAI,CAAC,gBAAgB,CAAC,CAAA;AAC5D,EAAA,IAAI,CAAC,yBAAA,CAA0B,GAAA,CAAI,MAAA,CAAO,UAAA,CAAW,IAAI,CAAA,EAAG;AAC1D,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,kDAAkD,MAAA,CAAO,UAAA,CAAW,IAAI,CAAA,QAAA,EAChE,CAAC,GAAG,yBAAyB,CAAA,CAAE,GAAA,CAAI,OAAK,CAAA,CAAA,EAAI,CAAC,GAAG,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,8GAAA;AAAA,KAEtE;AAAA,EACF;AAEA,EAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACrB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA;AAAA,EAA+D,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAClF;AAAA,EACF;AACF;AAGA,SAAS,SAAA,CAAU,MAAc,QAAA,EAAmC;AAClE,EAAA,MAAM,MAAA,GAAkC,EAAE,GAAG,IAAA,EAAK;AAClD,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACnD,IAAA,IACE,UAAU,IAAA,IACV,OAAO,UAAU,QAAA,IACjB,CAAC,MAAM,OAAA,CAAQ,KAAK,CAAA,IACpB,OAAO,OAAO,GAAG,CAAA,KAAM,YACvB,MAAA,CAAO,GAAG,MAAM,IAAA,EAChB;AACA,MAAA,MAAA,CAAO,GAAG,CAAA,GAAI,SAAA;AAAA,QACZ,OAAO,GAAG,CAAA;AAAA,QACV;AAAA,OACF;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,CAAO,GAAG,CAAA,GAAI,KAAA;AAAA,IAChB;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;ACxTO,SAAS,YAAY,MAAA,EAA4B;AACtD,EAAA,IAAI,UAAU,CAAA,EAAG;AACf,IAAA,MAAM,IAAI,WAAW,yBAAyB,CAAA;AAAA,EAChD;AACA,EAAA,MAAM,GAAA,GAAMG,mBAAgB,MAAM,CAAA;AAClC,EAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAClE;AAKO,SAAS,UAAA,GAAyB;AACvC,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;AAKO,SAAS,YAAA,GAA2B;AACzC,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;AAKO,SAAS,iBAAA,GAAgC;AAC9C,EAAA,OAAO,YAAY,EAAE,CAAA;AACvB;;;ACvBO,IAAM,oBAAN,MAAkD;AAAA,EAC/C,QAAA;AAAA,EAER,YAAY,QAAA,EAAkB;AAC5B,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAAA,EAClB;AAAA,EAEQ,SAAA,CAAU,WAAmB,GAAA,EAAqB;AAExD,IAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,OAAA,CAAQ,iBAAA,EAAmB,GAAG,CAAA;AAC9D,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,CAAQ,kBAAA,EAAoB,GAAG,CAAA;AACnD,IAAA,OAAOL,UAAK,IAAA,CAAK,QAAA,EAAU,aAAA,EAAe,CAAA,EAAG,OAAO,CAAA,IAAA,CAAM,CAAA;AAAA,EAC5D;AAAA,EAEQ,cAAc,SAAA,EAA2B;AAC/C,IAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,OAAA,CAAQ,iBAAA,EAAmB,GAAG,CAAA;AAC9D,IAAA,OAAOA,SAAAA,CAAK,IAAA,CAAK,QAAA,EAAU,aAAa,CAAA;AAAA,EAC1C;AAAA,EAEA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,IAAA,EACe;AACf,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAS,CAAA;AAC5C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAG9C,IAAA,MAAMM,eAAM,OAAA,EAAS,EAAE,WAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAGrD,IAAA,MAAMF,mBAAU,QAAA,EAAU,IAAA,EAAM,EAAE,IAAA,EAAM,KAAO,CAAA;AAAA,EACjD;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,GAAA,EAAyC;AACrE,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAC9C,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAMD,iBAAAA,CAAS,QAAQ,CAAA;AACnC,MAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAAA,IAClE,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,IAAA;AAAA,MACT;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EACA,kBAAkB,IAAA,EACA;AAClB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAE9C,IAAA,IAAI;AACF,MAAA,IAAI,eAAA,EAAiB;AAEnB,QAAA,MAAM,QAAA,GAAW,MAAMI,aAAA,CAAK,QAAQ,CAAA;AACpC,QAAA,MAAM,OAAO,QAAA,CAAS,IAAA;AAGtB,QAAA,KAAA,IAAS,IAAA,GAAO,CAAA,EAAG,IAAA,GAAO,CAAA,EAAG,IAAA,EAAA,EAAQ;AACnC,UAAA,MAAM,UAAA,GAAa,YAAY,IAAI,CAAA;AACnC,UAAA,MAAMH,mBAAU,QAAA,EAAU,UAAA,EAAY,EAAE,IAAA,EAAM,KAAO,CAAA;AAAA,QACvD;AAAA,MACF;AAGA,MAAA,MAAMI,gBAAO,QAAQ,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,KAAA;AAAA,MACT;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,MAAA,EAA8C;AAC1E,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAS,CAAA;AAE5C,IAAA,IAAI;AACF,MAAA,MAAM,KAAA,GAAQ,MAAMC,gBAAA,CAAQ,OAAO,CAAA;AACnC,MAAA,MAAM,UAA8B,EAAC;AAErC,MAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,QAAA,IAAI,CAAC,IAAA,CAAK,QAAA,CAAS,MAAM,CAAA,EAAG;AAE5B,QAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,CAAA,EAAG,CAAA,CAAE,CAAA;AAC5B,QAAA,IAAI,MAAA,IAAU,CAAC,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AAEvC,QAAA,MAAM,QAAA,GAAWT,SAAAA,CAAK,OAAA,EAAS,IAAI,CAAA;AACnC,QAAA,MAAM,QAAA,GAAW,MAAMO,aAAA,CAAK,QAAQ,CAAA;AAEpC,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,GAAA;AAAA,UACA,SAAA;AAAA,UACA,YAAY,QAAA,CAAS,IAAA;AAAA,UACrB,WAAA,EAAa,QAAA,CAAS,KAAA,CAAM,WAAA;AAAY,SACzC,CAAA;AAAA,MACH;AAEA,MAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,EAAE,GAAA,CAAI,aAAA,CAAc,CAAA,CAAE,GAAG,CAAC,CAAA;AAAA,IAC1D,SAAS,GAAA,EAAc;AACrB,MAAA,IACE,eAAe,KAAA,IACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA8B,SAAS,QAAA,EACxC;AACA,QAAA,OAAO,EAAC;AAAA,MACV;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAA,CAAO,SAAA,EAAmB,GAAA,EAA+B;AAC7D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,SAAA,EAAW,GAAG,CAAA;AAC9C,IAAA,IAAI;AACF,MAAA,MAAMA,cAAK,QAAQ,CAAA;AACnB,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,SAAA,GAA6B;AACjC,IAAA,IAAI,KAAA,GAAQ,CAAA;AAEZ,IAAA,IAAI;AACF,MAAA,MAAM,UAAA,GAAa,MAAME,gBAAA,CAAQ,IAAA,CAAK,QAAQ,CAAA;AAC9C,MAAA,KAAA,MAAW,MAAM,UAAA,EAAY;AAC3B,QAAA,MAAM,MAAA,GAAST,SAAAA,CAAK,IAAA,CAAK,QAAA,EAAU,EAAE,CAAA;AACrC,QAAA,MAAM,MAAA,GAAS,MAAMO,aAAA,CAAK,MAAM,CAAA;AAChC,QAAA,IAAI,CAAC,MAAA,CAAO,WAAA,EAAY,EAAG;AAE3B,QAAA,MAAM,KAAA,GAAQ,MAAME,gBAAA,CAAQ,MAAM,CAAA;AAClC,QAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,UAAA,MAAM,QAAA,GAAWT,SAAAA,CAAK,MAAA,EAAQ,IAAI,CAAA;AAClC,UAAA,MAAM,QAAA,GAAW,MAAMO,aAAA,CAAK,QAAQ,CAAA;AACpC,UAAA,KAAA,IAAS,QAAA,CAAS,IAAA;AAAA,QACpB;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AC9JA,aAAA,EAAA;AAyBO,SAAS,OAAA,CACd,SAAA,EACA,GAAA,EACA,GAAA,EACkB;AAClB,EAAA,IAAI,GAAA,CAAI,WAAW,EAAA,EAAI;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC3D;AAEA,EAAA,MAAM,KAAK,UAAA,EAAW;AACtB,EAAA,MAAM,MAAA,GAASG,UAAA,CAAI,GAAA,EAAK,EAAA,EAAI,GAAG,CAAA;AAE/B,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA;AAE3C,EAAA,OAAO;AAAA,IACL,CAAA,EAAG,CAAA;AAAA,IACH,GAAA,EAAK,aAAA;AAAA,IACL,EAAA,EAAI,YAAY,EAAE,CAAA;AAAA,IAClB,EAAA,EAAI,YAAY,UAAU,CAAA;AAAA,IAC1B,EAAA,EAAA,iBAAI,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GAC7B;AACF;AAWO,SAAS,OAAA,CACd,OAAA,EACA,GAAA,EACA,GAAA,EACY;AACZ,EAAA,IAAI,GAAA,CAAI,WAAW,EAAA,EAAI;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC3D;AACA,EAAA,IAAI,OAAA,CAAQ,MAAM,CAAA,EAAG;AACnB,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,OAAA,CAAQ,CAAC,CAAA,CAAE,CAAA;AAAA,EAC7D;AACA,EAAA,IAAI,OAAA,CAAQ,QAAQ,aAAA,EAAe;AACjC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,OAAA,CAAQ,GAAG,CAAA,CAAE,CAAA;AAAA,EACzD;AAEA,EAAA,MAAM,EAAA,GAAK,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AACnC,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AAC3C,EAAA,MAAM,MAAA,GAASA,UAAA,CAAI,GAAA,EAAK,EAAA,EAAI,GAAG,CAAA;AAG/B,EAAA,OAAO,MAAA,CAAO,QAAQ,UAAU,CAAA;AAClC;;;ACtEA,YAAA,EAAA;;;ACVA,aAAA,EAAA;AAEA,YAAA,EAAA;AAyCO,SAAS,eAAA,GAGd;AACA,EAAA,MAAM,UAAA,GAAa,YAAY,EAAE,CAAA;AACjC,EAAA,MAAM,SAAA,GAAYC,eAAA,CAAQ,YAAA,CAAa,UAAU,CAAA;AACjD,EAAA,OAAO,EAAE,WAAW,UAAA,EAAW;AACjC;AAMO,SAAS,eAAe,SAAA,EAA+B;AAE5D,EAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,CAAC,KAAM,CAAA,EAAM,GAAG,SAAS,CAAC,CAAA;AAI5D,EAAA,OAAO,CAAA,SAAA,EAAY,WAAA,CAAY,UAAU,CAAC,CAAA,CAAA;AAC5C;AAMO,SAAS,mBAAmB,SAAA,EAA+B;AAChE,EAAA,MAAM,OAAA,GAAU,KAAK,SAAS,CAAA;AAE9B,EAAA,OAAO,KAAA,CAAM,KAAK,OAAA,CAAQ,KAAA,CAAM,GAAG,EAAE,CAAC,EACnC,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAC,CAAA,CAC1C,IAAA,CAAK,EAAE,CAAA;AACZ;AAUO,SAAS,cAAA,CACd,KAAA,EACA,aAAA,EACA,aAAA,EACoE;AACpE,EAAA,MAAM,EAAE,SAAA,EAAW,UAAA,EAAW,GAAI,eAAA,EAAgB;AAClD,EAAA,MAAM,UAAA,GAAa,mBAAmB,SAAS,CAAA;AAC/C,EAAA,MAAM,GAAA,GAAM,eAAe,SAAS,CAAA;AACpC,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,mBAAA,GAAsB,OAAA,CAAQ,UAAA,EAAY,aAAa,CAAA;AAG7D,EAAA,UAAA,CAAW,KAAK,CAAC,CAAA;AAEjB,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,WAAA,EAAa,UAAA;AAAA,IACb,KAAA;AAAA,IACA,UAAA,EAAY,YAAY,SAAS,CAAA;AAAA,IACjC,GAAA;AAAA,IACA,UAAA,EAAY,GAAA;AAAA,IACZ,QAAA,EAAU,SAAA;AAAA,IACV,cAAA,EAAgB;AAAA,GAClB;AAEA,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,GAAG,cAAA;AAAA,IACH,qBAAA,EAAuB,mBAAA;AAAA,IACvB,kBAAkB;AAAC,GACrB;AAEA,EAAA,OAAO,EAAE,gBAAgB,cAAA,EAAe;AAC1C;AAUO,SAAS,IAAA,CACd,OAAA,EACA,mBAAA,EACA,aAAA,EACY;AAEZ,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,mBAAA,EAAqB,aAAa,CAAA;AAE7D,EAAA,IAAI;AACF,IAAA,OAAOA,eAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,UAAU,CAAA;AAAA,EACzC,CAAA,SAAE;AAEA,IAAA,UAAA,CAAW,KAAK,CAAC,CAAA;AAAA,EACnB;AACF;AAUO,SAAS,MAAA,CACd,OAAA,EACA,SAAA,EACA,SAAA,EACS;AACT,EAAA,IAAI;AACF,IAAA,OAAOA,eAAA,CAAQ,MAAA,CAAO,SAAA,EAAW,OAAA,EAAS,SAAS,CAAA;AAAA,EACrD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAYO,SAAS,UAAA,CACd,cAAA,EACA,aAAA,EACA,MAAA,EACmE;AACnE,EAAA,MAAM,EAAE,SAAA,EAAW,YAAA,EAAc,UAAA,EAAY,aAAA,KAC3C,eAAA,EAAgB;AAClB,EAAA,MAAM,cAAA,GAAiB,eAAe,YAAY,CAAA;AAClD,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,SAAA,GAAY,KAAK,SAAA,CAAU;AAAA,IAC/B,gBAAgB,cAAA,CAAe,UAAA;AAAA,IAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,IACxC,aAAa,cAAA,CAAe,WAAA;AAAA,IAC5B,MAAA;AAAA,IACA,UAAA,EAAY;AAAA,GACb,CAAA;AAGD,EAAA,MAAM,UAAA,GAAa,IAAI,WAAA,EAAY,CAAE,OAAO,SAAS,CAAA;AACrD,EAAA,MAAM,SAAA,GAAY,IAAA;AAAA,IAChB,UAAA;AAAA,IACA,cAAA,CAAe,qBAAA;AAAA,IACf;AAAA,GACF;AAEA,EAAA,MAAM,aAAA,GAA+B;AAAA,IACnC,gBAAgB,cAAA,CAAe,UAAA;AAAA,IAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,IACxC,aAAa,cAAA,CAAe,WAAA;AAAA,IAC5B,MAAA;AAAA,IACA,UAAA,EAAY,GAAA;AAAA,IACZ,SAAA,EAAW,YAAY,SAAS;AAAA,GAClC;AAGA,EAAA,MAAM,sBAAA,GAAyB,OAAA,CAAQ,aAAA,EAAe,aAAa,CAAA;AACnE,EAAA,aAAA,CAAc,KAAK,CAAC,CAAA;AAEpB,EAAA,MAAM,eAAA,GAAkC;AAAA,IACtC,GAAG,cAAA;AAAA,IACH,UAAA,EAAY,YAAY,YAAY,CAAA;AAAA,IACpC,GAAA,EAAK,cAAA;AAAA,IACL,qBAAA,EAAuB,sBAAA;AAAA,IACvB,gBAAA,EAAkB;AAAA,MAChB,GAAG,cAAA,CAAe,gBAAA;AAAA,MAClB;AAAA,QACE,gBAAgB,cAAA,CAAe,UAAA;AAAA,QAC/B,cAAA,EAAgB,YAAY,YAAY,CAAA;AAAA,QACxC,cAAA,EAAgB,WAAA;AAAA,UACd,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,aAAa,CAAC;AAAA,SACxD;AAAA,QACA,UAAA,EAAY;AAAA;AACd;AACF,GACF;AAEA,EAAA,OAAO,EAAE,iBAAiB,aAAA,EAAc;AAC1C;ACtOA,aAAA,EAAA;AAGA,IAAM,kBAAA,GAAqB,KAAA;AAC3B,IAAM,gBAAA,GAAmB,CAAA;AACzB,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,kBAAA,GAAqB,EAAA;AAyB3B,eAAsB,eAAA,CACpB,YACA,cAAA,EAC2D;AAC3D,EAAA,MAAM,OAAO,cAAA,GACT,aAAA,CAAc,cAAA,CAAe,IAAI,IACjC,YAAA,EAAa;AAEjB,EAAA,MAAM,SAA8B,cAAA,IAAkB;AAAA,IACpD,GAAA,EAAK,UAAA;AAAA,IACL,IAAA,EAAM,YAAY,IAAI,CAAA;AAAA,IACtB,CAAA,EAAG,kBAAA;AAAA,IACH,CAAA,EAAG,gBAAA;AAAA,IACH,CAAA,EAAG,kBAAA;AAAA,IACH,CAAA,EAAG;AAAA,GACL;AAEA,EAAA,MAAM,OAAA,GAAU,MAAMC,iBAAA,CAAS;AAAA,IAC7B,QAAA,EAAU,UAAA;AAAA,IACV,IAAA;AAAA,IACA,aAAa,MAAA,CAAO,CAAA;AAAA,IACpB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,YAAY,MAAA,CAAO,CAAA;AAAA,IACnB,UAAA,EAAY;AAAA,GACb,CAAA;AAGD,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,MAAA,CAAO,CAAC,CAAA;AACnC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,GAAG,CAAA,EAAA,EAAK;AACjC,IAAA,GAAA,CAAI,CAAC,CAAA,GAAI,QAAA,CAAS,OAAA,CAAQ,SAAA,CAAU,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,EAAG,EAAE,CAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,EAAE,KAAK,MAAA,EAAO;AACvB;AAYO,SAAS,kBAAA,CACd,WACA,SAAA,EACY;AACZ,EAAA,IAAI,SAAA,CAAU,WAAW,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAOC,SAAA;AAAA,IACLjB,aAAAA;AAAA,IACA,SAAA;AAAA,IACA,cAAc,wBAAwB,CAAA;AAAA;AAAA,IACtC,cAAc,SAAS,CAAA;AAAA;AAAA,IACvB;AAAA;AAAA,GACF;AACF;AAUO,SAAS,gBAAA,CACd,WACA,OAAA,EACY;AACZ,EAAA,IAAI,SAAA,CAAU,WAAW,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAOiB,SAAA;AAAA,IACLjB,aAAAA;AAAA,IACA,SAAA;AAAA,IACA,cAAc,sBAAsB,CAAA;AAAA,IACpC,cAAc,OAAO,CAAA;AAAA,IACrB;AAAA,GACF;AACF;;;AFtGA,aAAA,EAAA;AAYA,IAAM,2BAAA,GAA8B;AAAA,EAClC,aAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAiEO,IAAM,aAAN,MAAiB;AAAA,EACd,OAAA;AAAA,EACA,SAAA;AAAA;AAAA,EAGA,YAAA,uBAAmB,GAAA,EAAoB;AAAA;AAAA,EAGvC,aAAA,uBAAoB,GAAA,EAAiC;AAAA,EAE7D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AAAA,EAEQ,UAAA,CAAW,WAAmB,GAAA,EAAqB;AACzD,IAAA,OAAO,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBACZ,SAAA,EAC8B;AAC9B,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA,EAAG;AACrC,MAAA,OAAO,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAAA,IACzC;AAGA,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,SAAS,CAAA;AACjD,IAAA,MAAM,OAAA,uBAAc,GAAA,EAAoB;AAExC,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,EAAW,MAAM,GAAG,CAAA;AACxD,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,IAAI;AACF,UAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC5D,UAAA,OAAA,CAAQ,GAAA,CAAI,KAAA,CAAM,GAAA,EAAK,UAAA,CAAW,cAAc,CAAA;AAChD,UAAA,IAAA,CAAK,YAAA,CAAa,GAAA;AAAA,YAChB,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,KAAA,CAAM,GAAG,CAAA;AAAA,YACpC,UAAA,CAAW;AAAA,WACb;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,SAAA,EAAW,OAAO,CAAA;AACzC,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,KAAA,EACA,YACA,mBAAA,EACA,qBAAA,EACA,OAAA,GAAwB,EAAC,EACH;AACtB,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,IAAA,CAAK,SAAA,EAAW,SAAS,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,cAAc,KAAK,CAAA;AAGrC,IAAA,MAAM,aAAA,GAAgB,aAAa,SAAS,CAAA;AAG5C,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,SAAA,EAAW,YAAY,CAAA;AAG/C,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAE,CAAA,IAAK,CAAA;AACpD,IAAA,MAAM,aAAa,cAAA,GAAiB,CAAA;AAGpC,IAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,OAAA,CAAQ,EAAE,CAAA;AAChD,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,eAAA;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,IAAA,MAAM,UAAA,GAAyB;AAAA,MAC7B,CAAA,EAAG,CAAA;AAAA,MACH,OAAA;AAAA,MACA,GAAA,EAAK,UAAA;AAAA,MACL,GAAA,EAAK,YAAY,SAAS,CAAA;AAAA,MAC1B,GAAA,EAAK,UAAA;AAAA,MACL,cAAA,EAAgB,aAAA;AAAA,MAChB,QAAA,EAAU;AAAA,QACR,cAAc,OAAA,CAAQ,YAAA;AAAA,QACtB,aAAa,OAAA,CAAQ,WAAA;AAAA,QACrB,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,UAAA,EAAY;AAAA;AACd,KACF;AAGA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,UAAU,CAAC,CAAA;AAC3D,IAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,SAAA,EAAW,KAAK,UAAU,CAAA;AAGnD,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,UAAU,CAAA;AACpC,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,QAAA,CAAS,GAAA,CAAI,KAAK,aAAa,CAAA;AAG/B,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,GAAA;AAAA,MACA,SAAA;AAAA,MACA,OAAA,EAAS,UAAA;AAAA,MACT,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,YAAY,UAAA,CAAW,MAAA;AAAA,MACvB,cAAA,EAAgB;AAAA,KAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,IAAA,CACJ,SAAA,EACA,GAAA,EACA,eAAA,EACA,kBAAkB,IAAA,EACU;AAC5B,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,GAAG,CAAA;AAClD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI,UAAA;AACJ,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAE,CAAA;AAAA,IAC9D;AAEA,IAAA,IAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AACtB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,iCAAA,EAAoC,UAAA,CAAW,CAAC,CAAA,CAAE,CAAA;AAAA,IACpE;AAGA,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAE,CAAA;AAC9C,IAAA,IAAI,aAAA,KAAkB,MAAA,IAAa,UAAA,CAAW,GAAA,GAAM,aAAA,EAAe;AACjE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,sBAAA,EAAyB,SAAS,CAAA,CAAA,EAAI,GAAG,mBACtB,UAAA,CAAW,GAAG,iBAAiB,aAAa,CAAA;AAAA,OACjE;AAAA,IACF;AAGA,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,UAAA,CAAW,OAAA,CAAQ,EAAE,CAAA;AAC3D,MAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,UAAA,CAAW,GAAG,CAAA;AACnD,MAAA,MAAM,QAAA,GAAW,MAAA,CAAO,eAAA,EAAiB,cAAA,EAAgB,eAAe,CAAA;AACxE,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,kCAAA,EAAqC,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA;AAAA,SACvD;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,IAAA,CAAK,SAAA,EAAW,SAAS,CAAA;AACjE,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,CAAW,OAAA,EAAS,YAAY,CAAA;AAC1D,IAAA,MAAM,KAAA,GAAQ,cAAc,SAAS,CAAA;AAGrC,IAAA,MAAM,YAAA,GAAe,aAAa,SAAS,CAAA;AAC3C,IAAA,IAAI,YAAA,KAAiB,WAAW,cAAA,EAAgB;AAC9C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,4BAAA,EAA+B,SAAS,CAAA,CAAA,EAAI,GAAG,cACjC,YAAY,CAAA,SAAA,EAAY,WAAW,cAAc,CAAA;AAAA,OACjE;AAAA,IACF;AAGA,IAAA,IAAI,kBAA4B,EAAC;AACjC,IAAA,IAAI,iBAAA,GAAoB,IAAA;AAExB,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,MAAA,MAAM,KAAA,GAAQ,mBAAA,CAAoB,QAAA,EAAU,GAAG,CAAA;AAC/C,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,iBAAA,GAAoB,kBAAkB,KAAK,CAAA;AAC3C,QAAA,eAAA,GAAkB,MAAM,IAAA,CAAK,GAAA;AAAA,UAC3B,CAAC,IAAA,KAAS,CAAA,EAAG,KAAK,QAAQ,CAAA,CAAA,EAAI,KAAK,IAAI,CAAA;AAAA,SACzC;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,UAAA,CAAW,GAAG,CAAA;AAExC,IAAA,OAAO;AAAA,MACL,GAAA;AAAA,MACA,SAAA;AAAA,MACA,KAAA;AAAA,MACA,SAAS,UAAA,CAAW,GAAA;AAAA,MACpB,kBAAA,EAAoB,iBAAA;AAAA,MACpB,YAAA,EAAc,eAAA;AAAA,MACd,UAAA,EAAY,WAAW,QAAA,CAAS,UAAA;AAAA,MAChC,YAAY,UAAA,CAAW;AAAA,KACzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KACJ,SAAA,EACA,MAAA,EACA,MACA,KAAA,GAAQ,GAAA,EACR,SAAS,CAAA,EAWR;AACD,IAAA,MAAM,iBAAiB,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,MAAM,CAAA;AAChE,IAAA,MAAM,SAMD,EAAC;AAEN,IAAA,KAAA,MAAW,SAAS,cAAA,EAAgB;AAClC,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,EAAW,MAAM,GAAG,CAAA;AACxD,MAAA,IAAI,CAAC,GAAA,EAAK;AAEV,MAAA,IAAI;AACF,QAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAG5D,QAAA,IAAI,IAAA,IAAQ,IAAA,CAAK,MAAA,GAAS,CAAA,EAAG;AAC3B,UAAA,MAAM,SAAA,GAAY,UAAA,CAAW,QAAA,CAAS,IAAA,IAAQ,EAAC;AAC/C,UAAA,MAAM,cAAA,GAAiB,KAAK,IAAA,CAAK,CAAC,MAAM,SAAA,CAAU,QAAA,CAAS,CAAC,CAAC,CAAA;AAC7D,UAAA,IAAI,CAAC,cAAA,EAAgB;AAAA,QACvB;AAEA,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,KAAK,KAAA,CAAM,GAAA;AAAA,UACX,SAAS,UAAA,CAAW,GAAA;AAAA,UACpB,YAAY,KAAA,CAAM,UAAA;AAAA,UAClB,UAAA,EAAY,WAAW,QAAA,CAAS,UAAA;AAAA,UAChC,IAAA,EAAM,UAAA,CAAW,QAAA,CAAS,IAAA,IAAQ;AAAC,SACpC,CAAA;AAAA,MACH,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,MAAA,CAAO,KAAA,CAAM,MAAA,EAAQ,SAAS,KAAK,CAAA;AAAA,MACzC,OAAO,MAAA,CAAO,MAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EAOC;AACD,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,QAAQ,MAAA,CAAO,SAAA,EAAW,KAAK,IAAI,CAAA;AAG9D,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA;AACzC,IAAA,IAAA,CAAK,YAAA,CAAa,OAAO,EAAE,CAAA;AAC3B,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,SAAS,CAAA;AACxD,IAAA,QAAA,CAAS,OAAO,GAAG,CAAA;AACnB,IAAA,MAAM,UAAA,GAAa,kBAAkB,QAAQ,CAAA;AAE7C,IAAA,OAAO;AAAA,MACL,OAAA;AAAA,MACA,GAAA;AAAA,MACA,SAAA;AAAA,MACA,eAAA,EAAiB,UAAA;AAAA,MACjB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OACJ,SAAA,EAOC;AACD,IAAA,MAAM,qBAA+B,EAAC;AAEtC,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,kBAAA,CAAmB,KAAK,SAAS,CAAA;AAAA,IACnC,CAAA,MAAO;AAEL,MAAA,KAAA,MAAW,EAAA,IAAM,IAAA,CAAK,aAAA,CAAc,IAAA,EAAK,EAAG;AAC1C,QAAA,kBAAA,CAAmB,KAAK,EAAE,CAAA;AAAA,MAC5B;AAAA,IACF;AAEA,IAAA,MAAM,aAGF,EAAC;AACL,IAAA,IAAI,SAAA,GAAY,CAAA;AAEhB,IAAA,KAAA,MAAW,MAAM,kBAAA,EAAoB;AACnC,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,EAAE,CAAA;AAC1C,MAAA,UAAA,CAAW,EAAE,IAAI,EAAC;AAElB,MAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,EAAA,EAAI,MAAM,GAAG,CAAA;AACjD,QAAA,IAAI,CAAC,GAAA,EAAK;AAEV,QAAA,IAAI;AACF,UAAA,MAAM,UAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC5D,UAAA,UAAA,CAAW,EAAE,EAAG,IAAA,CAAK,EAAE,KAAK,KAAA,CAAM,GAAA,EAAK,KAAA,EAAO,UAAA,EAAY,CAAA;AAC1D,UAAA,SAAA,EAAA;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,UAAA,GAAa,KAAK,SAAA,CAAU;AAAA,MAChC,wBAAA,EAA0B,CAAA;AAAA,MAC1B,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACpC,UAAA,EAAY,kBAAA;AAAA,MACZ,IAAA,EAAM;AAAA,KACP,CAAA;AAED,IAAA,MAAM,WAAA,GAAc,cAAc,UAAU,CAAA;AAC5C,IAAA,MAAM,UAAA,GAAa,aAAa,WAAW,CAAA;AAE3C,IAAA,OAAO;AAAA,MACL,MAAA,EAAQ,YAAY,WAAW,CAAA;AAAA,MAC/B,UAAA,EAAY,kBAAA;AAAA,MACZ,UAAA,EAAY,SAAA;AAAA,MACZ,WAAA,EAAa,UAAA;AAAA,MACb,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACtC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,YAAA,EACA,kBAAA,GAAuD,QACvD,iBAAA,EASC;AACD,IAAA,MAAM,WAAA,GAAc,cAAc,YAAY,CAAA;AAC9C,IAAA,MAAM,UAAA,GAAa,cAAc,WAAW,CAAA;AAC5C,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,UAAU,CAAA;AAEpC,IAAA,IAAI,YAAA,GAAe,CAAA;AACnB,IAAA,IAAI,WAAA,GAAc,CAAA;AAClB,IAAA,IAAI,iBAAA,GAAoB,CAAA;AACxB,IAAA,IAAI,iBAAA,GAAoB,CAAA;AACxB,IAAA,IAAI,SAAA,GAAY,CAAA;AAChB,IAAA,MAAM,aAAuB,EAAC;AAE9B,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,MAAA,CAAO,OAAA;AAAA,MACjC,MAAA,CAAO;AAAA,KACT,EAAG;AAED,MAAA,IAAI,2BAAA,CAA4B,IAAA;AAAA,QAC9B,CAAC,MAAA,KAAW,EAAA,KAAO,UAAU,EAAA,CAAG,UAAA,CAAW,SAAS,GAAG;AAAA,OACzD,EAAG;AACD,QAAA,WAAA,IAAgB,OAAA,CAAsD,MAAA;AACtE,QAAA;AAAA,MACF;AACA,MAAA,UAAA,CAAW,KAAK,EAAE,CAAA;AAElB,MAAA,KAAA,MAAW,EAAE,GAAA,EAAK,KAAA,EAAM,IAAK,OAAA,EAAS;AAGpC,QAAA,MAAM,eAAA,GAAkB,iBAAA,CAAkB,KAAA,CAAM,GAAG,CAAA;AACnD,QAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,UAAA,iBAAA,EAAA;AACA,UAAA,WAAA,EAAA;AACA,UAAA;AAAA,QACF;AAGA,QAAA,IAAI;AACF,UAAA,MAAM,eAAA,GAAkB,aAAA,CAAc,KAAA,CAAM,OAAA,CAAQ,EAAE,CAAA;AACtD,UAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,KAAA,CAAM,GAAG,CAAA;AAC9C,UAAA,MAAM,QAAA,GAAW,MAAA,CAAO,eAAA,EAAiB,cAAA,EAAgB,eAAe,CAAA;AACxE,UAAA,IAAI,CAAC,QAAA,EAAU;AACb,YAAA,iBAAA,EAAA;AACA,YAAA,WAAA,EAAA;AACA,YAAA;AAAA,UACF;AAAA,QACF,CAAA,CAAA,MAAQ;AAEN,UAAA,iBAAA,EAAA;AACA,UAAA,WAAA,EAAA;AACA,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,SAAS,MAAM,IAAA,CAAK,OAAA,CAAQ,MAAA,CAAO,IAAI,GAAG,CAAA;AAEhD,QAAA,IAAI,MAAA,EAAQ;AACV,UAAA,SAAA,EAAA;AACA,UAAA,IAAI,uBAAuB,MAAA,EAAQ;AACjC,YAAA,WAAA,EAAA;AACA,YAAA;AAAA,UACF;AACA,UAAA,IAAI,uBAAuB,SAAA,EAAW;AAEpC,YAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,GAAG,CAAA;AAC3C,YAAA,IAAI,GAAA,EAAK;AACP,cAAA,IAAI;AACF,gBAAA,MAAM,gBAA4B,IAAA,CAAK,KAAA;AAAA,kBACrC,cAAc,GAAG;AAAA,iBACnB;AACA,gBAAA,IAAI,KAAA,CAAM,GAAA,IAAO,aAAA,CAAc,GAAA,EAAK;AAClC,kBAAA,WAAA,EAAA;AACA,kBAAA;AAAA,gBACF;AAAA,cACF,CAAA,CAAA,MAAQ;AAAA,cAER;AAAA,YACF;AAAA,UACF;AAAA,QAEF;AAGA,QAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AACtD,QAAA,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,EAAA,EAAI,KAAK,UAAU,CAAA;AAC5C,QAAA,YAAA,EAAA;AAGA,QAAA,MAAM,EAAA,GAAK,IAAA,CAAK,UAAA,CAAW,EAAA,EAAI,GAAG,CAAA;AAClC,QAAA,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,KAAA,CAAM,GAAG,CAAA;AACnC,QAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,kBAAA,CAAmB,EAAE,CAAA;AACjD,QAAA,QAAA,CAAS,GAAA,CAAI,GAAA,EAAK,KAAA,CAAM,cAAc,CAAA;AAAA,MACxC;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,aAAA,EAAe,YAAA;AAAA,MACf,YAAA,EAAc,WAAA;AAAA,MACd,mBAAA,EAAqB,iBAAA;AAAA,MACrB,mBAAA,EAAqB,iBAAA;AAAA,MACrB,SAAA;AAAA,MACA,UAAA;AAAA,MACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACtC;AAAA,EACF;AACF;AGpmBA,IAAME,QAAAA,GAAUC,sBAAAA,CAAc,2PAAe,CAAA;AAC7C,IAAM,EAAE,OAAA,EAASe,YAAAA,EAAY,GAAIhB,SAAQ,iBAAiB,CAAA;AA2B1D,IAAM,gBAAA,GAAmB,OAAA;AAGzB,IAAM,gBAAA,GAAmB,OAAA;AAGzB,IAAM,aAAA,mBAAgB,IAAI,GAAA,CAAI,CAAC,QAAQ,CAAC,CAAA;AAoBxC,SAAS,YAAA,CACP,MACA,MAAA,EACmB;AACnB,EAAA,MAAM,SAA4B,EAAC;AACnC,EAAA,MAAM,UAAA,GAAc,MAAA,CAAO,UAAA,IAAc,EAAC;AAC1C,EAAA,MAAM,QAAA,GAAY,MAAA,CAAO,QAAA,IAAY,EAAC;AAGtC,EAAA,KAAA,MAAW,SAAS,QAAA,EAAU;AAC5B,IAAA,IAAI,KAAK,KAAK,CAAA,KAAM,UAAa,IAAA,CAAK,KAAK,MAAM,IAAA,EAAM;AACrD,MAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA,gBAAA,EAAmB,KAAK,gBAAgB,CAAA;AAAA,IACxE;AAAA,EACF;AAGA,EAAA,MAAM,cAAc,IAAI,GAAA,CAAI,MAAA,CAAO,IAAA,CAAK,UAAU,CAAC,CAAA;AACnD,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,IAAA,IAAI,CAAC,WAAA,CAAY,GAAA,CAAI,KAAK,CAAA,EAAG;AAC3B,MAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA,eAAA,EAAkB,KAAK,KAAK,CAAA;AAAA,IAC5D;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AACjD,IAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AAC3C,IAAA,MAAM,UAAA,GAAa,WAAW,KAAK,CAAA;AACnC,IAAA,IAAI,CAAC,UAAA,EAAY;AAEjB,IAAA,MAAM,SAAA,GAAY,SAAA,CAAU,KAAA,EAAO,KAAA,EAAO,UAAU,CAAA;AACpD,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAA,CAAO,KAAK,SAAS,CAAA;AACrB,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,MAAA,MAAM,QAAA,GAAW,aAAA,CAAc,GAAA,CAAI,KAAK,IAAI,gBAAA,GAAmB,gBAAA;AAE/D,MAAA,MAAM,aAAa,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAA,CAAE,MAAA;AACnD,MAAA,IAAI,aAAa,QAAA,EAAU;AACzB,QAAA,MAAA,CAAO,IAAA,CAAK;AAAA,UACV,KAAA;AAAA,UACA,SAAS,CAAA,OAAA,EAAU,KAAK,CAAA,wBAAA,EAA2B,UAAU,YAAY,QAAQ,CAAA,OAAA;AAAA,SAClF,CAAA;AAAA,MACH;AAAA,IACF;AAGA,IAAA,IAAI,WAAW,IAAA,IAAQ,CAAC,WAAW,IAAA,CAAK,QAAA,CAAS,KAAK,CAAA,EAAG;AACvD,MAAA,MAAA,CAAO,IAAA,CAAK;AAAA,QACV,KAAA;AAAA,QACA,OAAA,EAAS,UAAU,KAAK,CAAA,kBAAA,EAAqB,WAAW,IAAA,CAAK,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,OACxE,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAKA,SAAS,SAAA,CACP,KAAA,EACA,KAAA,EACA,MAAA,EACwB;AACxB,EAAA,IAAI,CAAC,MAAA,CAAO,IAAA,EAAM,OAAO,IAAA;AAEzB,EAAA,QAAQ,OAAO,IAAA;AAAM,IACnB,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,SAAA;AACH,MAAA,IAAI,OAAO,UAAU,SAAA,EAAW;AAC9B,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,sBAAA,EAAyB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MAClF;AACA,MAAA;AAAA,IACF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACrD,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,qBAAA,EAAwB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MACjF;AACA,MAAA;AAAA,IACF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,QAAA,OAAO,EAAE,OAAO,OAAA,EAAS,CAAA,oBAAA,EAAuB,KAAK,CAAA,OAAA,EAAU,OAAO,KAAK,CAAA,CAAA,EAAG;AAAA,MAChF;AACA,MAAA;AAAA;AAEJ,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,YAAA,CACd,OACA,OAAA,EACQ;AACR,EAAA,MAAM,OAAO,OAAA,EAAS,IAAA;AAEtB,EAAA,MAAM,SAAS,IAAIiB,eAAA;AAAA,IACjB;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,OAAA,EAASD;AAAA,KACX;AAAA,IACA;AAAA,MACE,YAAA,EAAc;AAAA,QACZ,OAAO;AAAC;AACV;AACF,GACF;AAGA,EAAA,MAAA,CAAO,iBAAA,CAAkBE,iCAAwB,YAAY;AAC3D,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QACvB,MAAM,CAAA,CAAE,IAAA;AAAA,QACR,aAAa,CAAA,CAAE,WAAA;AAAA,QACf,aAAa,CAAA,CAAE;AAAA,OACjB,CAAE;AAAA,KACJ;AAAA,EACF,CAAC,CAAA;AAGD,EAAA,MAAA,CAAO,iBAAA,CAAkBC,8BAAA,EAAuB,OAAO,OAAA,KAAY;AACjE,IAAA,MAAM,EAAE,IAAA,EAAM,SAAA,EAAW,IAAA,KAAS,OAAA,CAAQ,MAAA;AAC1C,IAAA,MAAM,SAAA,GAAa,QAAQ,EAAC;AAE5B,IAAA,MAAM,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,SAAS,IAAI,CAAA;AAC9C,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EAAM,KAAK,SAAA,CAAU,EAAE,OAAO,CAAA,cAAA,EAAiB,IAAI,IAAI;AAAA;AACzD,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAKA,IAAA,MAAM,gBAAA,GAAmB,YAAA,CAAa,SAAA,EAAW,IAAA,CAAK,WAAW,CAAA;AACjE,IAAA,IAAI,gBAAA,CAAiB,SAAS,CAAA,EAAG;AAC/B,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,cACnB,KAAA,EAAO,mBAAA;AAAA,cACP,OAAA,EAAS,yCAAA;AAAA,cACT,UAAA,EAAY;AAAA,aACb;AAAA;AACH,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAKA,IAAA,IAAI,IAAA,EAAM;AACR,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,QAAA,CAAS,MAAM,SAAS,CAAA;AAClD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,QAAA,OAAO;AAAA,UACL,OAAA,EAAS;AAAA,YACP;AAAA,cACE,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,gBACnB,KAAA,EAAO,yBAAA;AAAA,gBACP,mBAAmB,MAAA,CAAO;AAAA,eAC3B;AAAA;AACH,WACF;AAAA,UACA,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,OAAA,CAAQ,SAAS,CAAA;AAAA,IACrC,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,OAAA,GACJ,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,eAAA;AACvC,MAAA,OAAO;AAAA,QACL,OAAA,EAAS;AAAA,UACP;AAAA,YACE,IAAA,EAAM,MAAA;AAAA,YACN,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,SAAS;AAAA;AACzC,SACF;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAAA,EACF,CAAC,CAAA;AAED,EAAA,OAAO,MAAA;AACT;AAKO,SAAS,WACd,IAAA,EACoD;AACpD,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,CAAC,EAAE,IAAA,EAAM,MAAA,EAAiB,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,IAAA,EAAM,CAAC,CAAA,EAAG;AAAA,GAC1E;AACF;;;ACnRA,aAAA,EAAA;AAOA,aAAA,EAAA;AASA,IAAMC,4BAAAA,GAA8B;AAAA,EAClC,aAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAMA,SAAS,8BAA8B,SAAA,EAAkC;AACvE,EAAA,KAAA,MAAW,UAAUA,4BAAAA,EAA6B;AAChD,IAAA,IAAI,cAAc,MAAA,IAAU,SAAA,CAAU,UAAA,CAAW,MAAA,GAAS,GAAG,CAAA,EAAG;AAC9D,MAAA,OAAO,MAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAO,IAAA;AACT;AAGO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA,uBAAiB,GAAA,EAA4B;AAAA,EAC7C,iBAAA,GAAmC,IAAA;AAAA,EAE3C,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,EACnB;AAAA,EAEA,IAAY,aAAA,GAA4B;AACtC,IAAA,OAAO,gBAAA,CAAiB,IAAA,CAAK,SAAA,EAAW,qBAAqB,CAAA;AAAA,EAC/D;AAAA;AAAA,EAGA,MAAM,IAAA,GAAsB;AAC1B,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,aAAa,CAAA;AACrD,IAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,aAAA,EAAe,MAAM,GAAG,CAAA;AAC5D,MAAA,IAAI,CAAC,GAAA,EAAK;AACV,MAAA,IAAI;AACF,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AAC/C,QAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,QAAA,MAAM,QAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,QAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,CAAS,WAAA,EAAa,QAAQ,CAAA;AAClD,QAAA,IAAI,CAAC,KAAK,iBAAA,EAAmB;AAC3B,UAAA,IAAA,CAAK,oBAAoB,QAAA,CAAS,WAAA;AAAA,QACpC;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,KAAK,QAAA,EAAyC;AAClD,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC,CAAA;AACzD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,QAAA,CAAS,WAAA;AAAA,MACT,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AACA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,CAAS,WAAA,EAAa,QAAQ,CAAA;AAClD,IAAA,IAAI,CAAC,KAAK,iBAAA,EAAmB;AAC3B,MAAA,IAAA,CAAK,oBAAoB,QAAA,CAAS,WAAA;AAAA,IACpC;AAAA,EACF;AAAA,EAEA,IAAI,EAAA,EAAwC;AAC1C,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,EAAE,CAAA;AAAA,EAC/B;AAAA,EAEA,UAAA,GAAyC;AACvC,IAAA,IAAI,CAAC,IAAA,CAAK,iBAAA,EAAmB,OAAO,MAAA;AACpC,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,IAAA,CAAK,iBAAiB,CAAA;AAAA,EACnD;AAAA,EAEA,IAAA,GAAyB;AACvB,IAAA,OAAO,KAAA,CAAM,KAAK,IAAA,CAAK,UAAA,CAAW,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,EAAA,MAAQ;AAAA,MACvD,aAAa,EAAA,CAAG,WAAA;AAAA,MAChB,OAAO,EAAA,CAAG,KAAA;AAAA,MACV,YAAY,EAAA,CAAG,UAAA;AAAA,MACf,KAAK,EAAA,CAAG,GAAA;AAAA,MACR,YAAY,EAAA,CAAG,UAAA;AAAA,MACf,UAAU,EAAA,CAAG,QAAA;AAAA,MACb,gBAAgB,EAAA,CAAG;AAAA,KACrB,CAAE,CAAA;AAAA,EACJ;AACF,CAAA;AAKO,SAAS,aAAA,CACd,UAAA,EACA,OAAA,EACA,SAAA,EACA,eACA,QAAA,EAC+D;AAC/D,EAAA,MAAM,WAAA,GAAc,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC1D,EAAA,MAAM,cAAA,GAAiB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAGxE,EAAA,SAAS,gBAAgB,UAAA,EAAqC;AAC5D,IAAA,MAAM,KAAK,UAAA,GACP,WAAA,CAAY,IAAI,UAAU,CAAA,GAC1B,YAAY,UAAA,EAAW;AAC3B,IAAA,IAAI,CAAC,EAAA,EAAI;AACP,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,UAAA,GACI,CAAA,oBAAA,EAAuB,UAAU,CAAA,CAAA,GACjC;AAAA,OACN;AAAA,IACF;AACA,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,oGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,EAAE,cAAA,EAAgB,cAAA,EAAe,GAAI,cAAA;AAAA,UACzC,KAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,MAAM,WAAA,CAAY,KAAK,cAAc,CAAA;AAErC,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,cAAA,CAAe,WAAA,EAAa;AAAA,UACpE;AAAA,SACD,CAAA;AAKD,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,cAAA,CAAe,WAAA;AAAA,UAC5B,YAAY,cAAA,CAAe,UAAA;AAAA,UAC3B,KAAK,cAAA,CAAe,GAAA;AAAA,UACpB,YAAY,cAAA,CAAe,UAAA;AAAA,UAC3B,UAAU,cAAA,CAAe,QAAA;AAAA,UACzB,gBAAgB,cAAA,CAAe,cAAA;AAAA,UAC/B,SAAA,EAAW;AAAA,SACZ,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EAAa,wCAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,UAAA,EAAY;AAAA,cACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA;AAAS;AAC1B;AACF;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,IAAI,UAAA,GAAa,YAAY,IAAA,EAAK;AAClC,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,QAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,UAAA,UAAA,GAAa,UAAA,CAAW,MAAA;AAAA,YAAO,CAAC,CAAA,KAC9B,CAAA,CAAE,KAAA,CAAM,QAAA,CAAS,OAAO,KAAM;AAAA,WAChC;AAAA,QACF;AACA,QAAA,OAAO,UAAA,CAAW,EAAE,UAAA,EAAY,CAAA;AAAA,MAClC;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,gGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9B,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAS;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,aAAa,IAAA,CAAK,OAAA;AAGxB,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC;AAEA,QAAA,MAAM,SAAA,GAAY,IAAA;AAAA,UAChB,OAAA;AAAA,UACA,QAAA,CAAS,qBAAA;AAAA,UACT;AAAA,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,CAAS,WAAW,CAAA;AAE5D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,UAChC,SAAA,EAAW,SAAA;AAAA,UACX,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,UAClC,YAAY,QAAA,CAAS,UAAA;AAAA,UACrB,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,wEAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,qBAAA,EAAsB;AAAA,UAChE,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAA,EAAW,WAAW;AAAA,OACnC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,OAAA;AAGxB,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAA,GAAU,cAAc,UAAU,CAAA;AAAA,QACpC;AAEA,QAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAmB,CAAA;AAGxD,QAAA,IAAI,SAAA;AACJ,QAAA,IAAI,KAAK,WAAA,EAAa;AACpB,UAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAqB,CAAA;AAC3D,UAAA,SAAA,GAAY,aAAA,CAAc,SAAS,UAAU,CAAA;AAAA,QAC/C,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,UAAA,SAAA,GAAY,aAAA,CAAc,KAAK,UAAoB,CAAA;AAAA,QACrD,CAAA,MAAO;AACL,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,KAAA,GAAQ,MAAA,CAAe,OAAA,EAAS,SAAA,EAAW,SAAS,CAAA;AAE1D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC9B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA;AAAS,SAC3B;AAAA,QACA,QAAA,EAAU,CAAC,aAAa;AAAA,OAC1B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAqB,CAAA;AAC3D,QAAA,MAAM,MAAA,GAAU,KAAK,MAAA,IAAqB,cAAA;AAE1C,QAAA,MAAM,EAAE,eAAA,EAAiB,aAAA,EAAc,GAAI,UAAA;AAAA,UACzC,QAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,MAAM,WAAA,CAAY,KAAK,eAAe,CAAA;AAEtC,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC9D;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,eAAA,CAAgB,WAAA;AAAA,UAC7B,gBAAgB,aAAA,CAAc,cAAA;AAAA,UAC9B,gBAAgB,aAAA,CAAc,cAAA;AAAA,UAC9B,SAAS,eAAA,CAAgB,GAAA;AAAA,UACzB,YAAY,aAAA,CAAc;AAAA,SAC3B,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,WAAA,EACE,6IAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,4BAAA,EAA6B;AAAA,UACjE,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,UAAA,EAAY;AAAA,cACV,YAAA,EAAc,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cAC/B,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cAC9B,IAAA,EAAM,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS;AAAE;AACnD,WACF;AAAA,UACA,WAAA,EAAa,EAAE,IAAA,EAAM,QAAA;AAAS,SAChC;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAA,EAAO,OAAO;AAAA,OACxC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,gCAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAMtB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,KAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,GAAA;AAAA,UACL,IAAA,CAAK,KAAA;AAAA,UACL,QAAA,CAAS,WAAA;AAAA,UACT,QAAA,CAAS,qBAAA;AAAA,UACT,cAAA;AAAA,UACA;AAAA,YACE,cAAc,QAAA,EAAU,YAAA;AAAA,YACxB,aAAa,QAAA,EAAU,WAAA;AAAA,YACvB,MAAM,QAAA,EAAU;AAAA;AAClB,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,aAAA,EAAe,QAAA,CAAS,WAAA,EAAa;AAAA,UAC1D,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK;AAAA,SACX,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,qGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACtB,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA;AAAK,SACrD;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAK;AAAA,OAC/B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,wCAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,IAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,GAAA;AAAA,UACL,MAAA;AAAA;AAAA,UACA,KAAK,gBAAA,IAA+B;AAAA,SACtC;AAEA,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,WAAA;AAAA,YACP,WAAW,IAAA,CAAK,SAAA;AAAA,YAChB,KAAK,IAAA,CAAK;AAAA,WACX,CAAA;AAAA,QACH;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,YAAA,EAAc,MAAA,CAAO,UAAA,EAAY;AAAA,UACtD,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK;AAAA,SACX,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,gEAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACzB,IAAA,EAAM,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS,EAAE;AAAA,UACjD,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,GAAA,EAAI;AAAA,UACtC,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,CAAA;AAAE,SACvC;AAAA,QACA,QAAA,EAAU,CAAC,WAAW;AAAA,OACxB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,mCAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,IAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK,MAAA;AAAA,UACL,IAAA,CAAK,IAAA;AAAA,UACJ,KAAK,KAAA,IAAoB,GAAA;AAAA,UACzB,KAAK,MAAA,IAAqB;AAAA,SAC7B;AACA,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,oGAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACtB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA;AAAS,SAC3B;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,KAAK;AAAA,OAC/B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,6BAAA,CAA8B,IAAA,CAAK,SAAmB,CAAA;AAChF,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,IAAA,CAAK,SAAS,2CAA2C,iBAAiB,CAAA,0CAAA;AAAA,WAClG,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK,SAAA;AAAA,UACL,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,WAAW,IAAA,CAAK,SAAA;AAAA,UAChB,KAAK,IAAA,CAAK,GAAA;AAAA,UACV,QAAQ,IAAA,CAAK;AAAA,SACd,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,8DAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UAC5B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,cAAA;AAAe;AACpD,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,YAAY,MAAA,CAAO;AAAA,SACpB,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EAAa,4CAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,0BAAA,EAA2B;AAAA,UAClE,mBAAA,EAAqB;AAAA,YACnB,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAA,EAAQ,WAAA,EAAa,SAAS,CAAA;AAAA,YACrC,OAAA,EAAS;AAAA;AACX,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,iBAAA,GAAoB,CAAC,GAAA,KAAmC;AAC5D,UAAA,MAAM,QAAA,GAAW,WAAA,CAAY,GAAA,CAAI,GAAG,CAAA;AACpC,UAAA,IAAI,CAAC,UAAU,OAAO,IAAA;AACtB,UAAA,OAAO,aAAA,CAAc,SAAS,UAAU,CAAA;AAAA,QAC1C,CAAA;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA;AAAA,UAC9B,IAAA,CAAK,MAAA;AAAA,UACJ,KAAK,mBAAA,IACJ,MAAA;AAAA,UACF;AAAA,SACF;AAEA,QAAA,QAAA,EAAU,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,WAAA,EAAa;AAAA,UAClD,eAAe,MAAA,CAAO;AAAA,SACvB,CAAA;AAED,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,eAAA,EAAiB,WAAA,EAAY;AAC/C;;;AChnBA,aAAA,EAAA;AAWO,IAAM,WAAN,MAAe;AAAA,EACZ,OAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAwB,EAAC;AAAA,EACzB,OAAA,GAAU,CAAA;AAAA,EAElB,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,WAAW,CAAA;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,OACE,KAAA,EACA,SAAA,EACA,UAAA,EACA,OAAA,EACA,SAAgC,SAAA,EAC1B;AACN,IAAA,MAAM,KAAA,GAAoB;AAAA,MACxB,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA,EAAa,UAAA;AAAA,MACb,MAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAK,KAAK,CAAA;AAGvB,IAAA,IAAA,CAAK,YAAA,CAAa,KAAK,CAAA,CAAE,KAAA,CAAM,MAAM;AAAA,IAErC,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,aAAa,KAAA,EAAkC;AAC3D,IAAA,MAAM,MAAM,CAAA,EAAG,IAAA,CAAK,KAAK,CAAA,CAAA,EAAI,KAAK,OAAA,EAAS,CAAA,CAAA;AAC3C,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AACtD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,QAAA;AAAA,MACA,GAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAAA,EAK0C;AAEpD,IAAA,MAAM,KAAK,oBAAA,EAAqB;AAEhC,IAAA,IAAI,WAAW,IAAA,CAAK,OAAA;AAEpB,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,OAAA,CAAQ,KAAK,CAAA;AACxC,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,IAAI,IAAA,CAAK,CAAA,CAAE,SAAS,CAAA,IAAK;AAAA,OAClC;AAAA,IACF;AACA,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,QAAA,GAAW,SAAS,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,KAAA,KAAU,QAAQ,KAAK,CAAA;AAAA,IAC7D;AACA,IAAA,IAAI,QAAQ,cAAA,EAAgB;AAC1B,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,KAAc,OAAA,CAAQ;AAAA,OACjC;AAAA,IACF;AAEA,IAAA,MAAM,QAAQ,QAAA,CAAS,MAAA;AACvB,IAAA,MAAM,KAAA,GAAQ,QAAQ,KAAA,IAAS,EAAA;AAC/B,IAAA,MAAM,OAAA,GAAU,QAAA,CAAS,KAAA,CAAM,CAAC,KAAK,CAAA;AAErC,IAAA,OAAO,EAAE,SAAS,KAAA,EAAM;AAAA,EAC1B;AAAA,EAEA,MAAc,oBAAA,GAAsC;AAClD,IAAA,IAAI;AACF,MAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,QAAQ,CAAA;AACtD,MAAA,KAAA,MAAW,QAAQ,aAAA,EAAe;AAChC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,QAAA,EAAU,KAAK,GAAG,CAAA;AACtD,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,KAAA,GAAoB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAG7D,UAAA,MAAM,WAAA,GAAc,KAAK,OAAA,CAAQ,IAAA;AAAA,YAC/B,CAAC,CAAA,KACC,CAAA,CAAE,SAAA,KAAc,KAAA,CAAM,SAAA,IACtB,CAAA,CAAE,SAAA,KAAc,KAAA,CAAM,SAAA,IACtB,CAAA,CAAE,WAAA,KAAgB,KAAA,CAAM;AAAA,WAC5B;AACA,UAAA,IAAI,CAAC,WAAA,EAAa;AAChB,YAAA,IAAA,CAAK,OAAA,CAAQ,KAAK,KAAK,CAAA;AAAA,UACzB;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAGA,MAAA,IAAA,CAAK,OAAA,CAAQ,IAAA;AAAA,QACX,CAAC,CAAA,EAAG,CAAA,KACF,IAAI,KAAK,CAAA,CAAE,SAAS,CAAA,CAAE,OAAA,KAAY,IAAI,IAAA,CAAK,CAAA,CAAE,SAAS,EAAE,OAAA;AAAQ,OACpE;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,OAAA,CAAQ,MAAA;AAAA,EACtB;AACF;;;ACtIA,YAAA,EAAA;AACA,aAAA,EAAA;AAKA,aAAA,EAAA;AA6BO,SAAS,gBAAA,CACd,OACA,cAAA,EACY;AAEZ,EAAA,MAAM,gBAAgB,cAAA,GAClB,aAAA,CAAc,cAAc,CAAA,GAC5B,YAAY,EAAE,CAAA;AAGlB,EAAA,MAAM,UAAA,GAAa,cAAc,KAAK,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,UAAA,EAAY,aAAa,CAAA;AACtD,EAAA,MAAM,cAAA,GAAiB,KAAK,QAAQ,CAAA;AAEpC,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,YAAY,cAAc,CAAA;AAAA,IACtC,eAAA,EAAiB,YAAY,aAAa,CAAA;AAAA,IAC1C,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAUO,SAAS,gBAAA,CACd,UAAA,EACA,KAAA,EACA,cAAA,EACS;AACT,EAAA,MAAM,aAAA,GAAgB,cAAc,cAAc,CAAA;AAClD,EAAA,MAAM,UAAA,GAAa,cAAc,KAAK,CAAA;AACtC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,UAAA,EAAY,aAAa,CAAA;AACtD,EAAA,MAAM,YAAA,GAAe,WAAA,CAAY,IAAA,CAAK,QAAQ,CAAC,CAAA;AAG/C,EAAA,OAAO,UAAA,KAAe,YAAA;AACxB;AAKO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,gBAAgB,CAAA;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,CAAM,UAAA,EAAwB,KAAA,EAAgC;AAClE,IAAA,MAAM,EAAA,GAAK,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AAE3D,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,YAAY,UAAA,CAAW,UAAA;AAAA,MACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,MAC5B,KAAA;AAAA,MACA,cAAc,UAAA,CAAW,YAAA;AAAA,MACzB,QAAA,EAAU;AAAA,KACZ;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,cAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,EAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,EAAA,EAA8C;AACtD,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,gBAAgB,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,EAAA,EAA2B;AAC5C,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,GAAA,CAAI,EAAE,CAAA;AAChC,IAAA,IAAI,CAAC,MAAA,EAAQ;AAEb,IAAA,MAAA,CAAO,QAAA,GAAW,IAAA;AAClB,IAAA,MAAA,CAAO,WAAA,GAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAE5C,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,cAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF;;;ACpJA,aAAA,EAAA;AAgDO,SAAS,kBAAA,CACd,MAAA,EACA,OAAA,EACA,eAAA,EACsB;AACtB,EAAA,OAAO,eAAA,CAAgB,GAAA,CAAI,CAAC,KAAA,KAAU;AAEpC,IAAA,MAAM,SAAA,GAAY,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,OAAO,CAAA;AAChE,IAAA,MAAM,YAAA,GAAe,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,GAAG,CAAA;AAC/D,IAAA,MAAM,cAAc,SAAA,IAAa,YAAA;AAEjC,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,QAAQ,MAAA,CAAO,cAAA;AAAA,QACf,MAAA,EAAQ,4BAA4B,OAAO,CAAA,CAAA,CAAA;AAAA,QAC3C,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAEA,IAAA,MAAM,QAAA,GAAW,CAAA,EAAG,WAAA,CAAY,OAAO,CAAA,CAAA;AAGvC,IAAA,IAAI,WAAA,CAAY,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AACxC,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,UAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,4BAAA,EAA+B,QAAQ,CAAA,QAAA,CAAA;AAAA,QAC9D,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,EAAG;AAC9C,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,OAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,kCAAA,EAAqC,QAAQ,CAAA,QAAA,CAAA;AAAA,QACpE,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AACxC,MAAA,OAAO;AAAA,QACL,KAAA;AAAA,QACA,MAAA,EAAQ,UAAA;AAAA,QACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,iCAAA,EAAoC,QAAQ,CAAA,QAAA,CAAA;AAAA,QACnE,eAAA,EAAiB;AAAA,OACnB;AAAA,IACF;AAGA,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,QAAQ,MAAA,CAAO,cAAA;AAAA,MACf,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,mBAAA,EAAsB,QAAQ,CAAA,uBAAA,CAAA;AAAA,MACrD,eAAA,EAAiB;AAAA,KACnB;AAAA,EACF,CAAC,CAAA;AACH;AAKO,IAAM,cAAN,MAAkB;AAAA,EACf,OAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA,uBAA8C,GAAA,EAAI;AAAA,EAE1D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,aAAa,CAAA;AAAA,EAChE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,UAAA,EACA,KAAA,EACA,eACA,UAAA,EAC2B;AAC3B,IAAA,MAAM,QAAA,GAAW,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACjE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,MAAM,MAAA,GAA2B;AAAA,MAC/B,SAAA,EAAW,QAAA;AAAA,MACX,WAAA,EAAa,UAAA;AAAA,MACb,KAAA;AAAA,MACA,cAAA,EAAgB,aAAA;AAAA,MAChB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,UAAA,EAAY;AAAA,KACd;AAEA,IAAA,MAAM,IAAA,CAAK,QAAQ,MAAM,CAAA;AACzB,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAElC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,QAAA,EAAoD;AAE5D,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA,EAAG;AAC/B,MAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA;AAAA,IACnC;AAGA,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,aAAa,QAAQ,CAAA;AACzD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,MAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,MAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAClC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAoC;AACxC,IAAA,MAAM,KAAK,OAAA,EAAQ;AACnB,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,QAAA,CAAS,QAAQ,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,OAAA,GAAyB;AACrC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,WAAW,CAAA;AACnD,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,IAAA,CAAK,GAAG,CAAA,EAAG;AACjC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,WAAA,EAAa,KAAK,GAAG,CAAA;AACzD,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,MAAA,GAA2B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACpE,UAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,SAAA,EAAW,MAAM,CAAA;AAAA,QAC5C,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,MAAA,EAAyC;AAC7D,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,WAAA;AAAA,MACA,MAAA,CAAO,SAAA;AAAA,MACP,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF;AC/MA,aAAA,EAAA;AAKA,IAAM,IAAIC,sBAAA,CAAe,IAAA;AAOzB,IAAM,OAAA,GAAU,WAAA;AAAA,EACdvB,aAAAA,CAAO,aAAA,CAAc,qCAAqC,CAAC,CAAA;AAAA,EAC3DA,aAAAA,CAAO,aAAA,CAAc,qCAAqC,CAAC;AAC7D,CAAA;AACA,IAAM,CAAA,GAAIuB,sBAAA,CAAe,WAAA,CAAY,OAAO,CAAA;AA+D5C,SAAS,cAAc,CAAA,EAAuB;AAC5C,EAAA,MAAM,MAAM,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,IAAI,GAAG,CAAA;AAC3C,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,EAAE,CAAA;AAC/B,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,EAAA,EAAI,CAAA,EAAA,EAAK;AAC3B,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,QAAA,CAAS,GAAA,CAAI,KAAA,CAAM,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,EAAG,EAAE,CAAA;AAAA,EACrD;AACA,EAAA,OAAO,KAAA;AACT;AAGA,SAAS,cAAc,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,GAAA,IAAO,EAAE,QAAA,CAAS,EAAE,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAA;AAAA,EACvC;AACA,EAAA,OAAO,MAAA,CAAO,OAAO,GAAG,CAAA;AAC1B;AAGA,IAAM,KAAA,GAAQ,OAAO,8EAA8E,CAAA;AAGnG,SAAS,IAAI,CAAA,EAAmB;AAC9B,EAAA,OAAA,CAAS,CAAA,GAAI,QAAS,KAAA,IAAS,KAAA;AACjC;AAMA,SAAS,YAAA,CAAa,OAA4C,MAAA,EAAqD;AACrH,EAAA,MAAM,CAAA,GAAI,IAAI,MAAM,CAAA;AACpB,EAAA,IAAI,CAAA,KAAM,EAAA,EAAI,OAAOA,sBAAA,CAAe,IAAA;AACpC,EAAA,OAAO,KAAA,CAAM,SAAS,CAAC,CAAA;AACzB;AAGA,SAAS,YAAA,GAAuB;AAC9B,EAAA,MAAM,KAAA,GAAQ,YAAY,EAAE,CAAA;AAC5B,EAAA,OAAO,GAAA,CAAI,aAAA,CAAc,KAAK,CAAC,CAAA;AACjC;AAGA,SAAS,mBAAA,CAAoB,WAAmB,MAAA,EAA8B;AAC5E,EAAA,MAAM,WAAA,GAAc,cAAc,MAAM,CAAA;AACxC,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,WAAA,EAAa,GAAG,MAAM,CAAA;AACnD,EAAA,MAAMC,KAAAA,GAAOxB,cAAO,QAAQ,CAAA;AAC5B,EAAA,OAAO,GAAA,CAAI,aAAA,CAAcwB,KAAI,CAAC,CAAA;AAChC;AAiBO,SAAS,yBAAyB,KAAA,EAAmC;AAC1E,EAAA,MAAM,CAAA,GAAI,GAAA,CAAI,MAAA,CAAO,KAAK,CAAC,CAAA;AAC3B,EAAA,MAAM,IAAI,YAAA,EAAa;AAGvB,EAAA,MAAM,CAAA,GAAI,aAAa,CAAA,EAAG,CAAC,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,CAAC,CAAC,CAAA;AAEnD,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,WAAA,CAAY,CAAA,CAAE,UAAA,EAAY,CAAA;AAAA,IACtC,eAAA,EAAiB,WAAA,CAAY,aAAA,CAAc,CAAC,CAAC,CAAA;AAAA,IAC7C,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAOO,SAAS,wBAAA,CACd,UAAA,EACA,KAAA,EACA,cAAA,EACS;AACT,EAAA,IAAI;AACF,IAAA,MAAM,CAAA,GAAID,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,UAAU,CAAC,CAAA;AAC1D,IAAA,MAAM,CAAA,GAAI,GAAA,CAAI,MAAA,CAAO,KAAK,CAAC,CAAA;AAC3B,IAAA,MAAM,CAAA,GAAI,aAAA,CAAc,aAAA,CAAc,cAAc,CAAC,CAAA;AAErD,IAAA,MAAM,QAAA,GAAW,aAAa,CAAA,EAAG,CAAC,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,CAAC,CAAC,CAAA;AAC1D,IAAA,OAAO,CAAA,CAAE,OAAO,QAAQ,CAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAsBO,SAAS,sBAAA,CACd,KAAA,EACA,cAAA,EACA,UAAA,EACoB;AACpB,EAAA,MAAM,CAAA,GAAI,GAAA,CAAI,MAAA,CAAO,KAAK,CAAC,CAAA;AAC3B,EAAA,MAAM,CAAA,GAAI,aAAA,CAAc,aAAA,CAAc,cAAc,CAAC,CAAA;AAGrD,EAAA,MAAM,MAAM,YAAA,EAAa;AACzB,EAAA,MAAM,MAAM,YAAA,EAAa;AAGzB,EAAA,MAAM,CAAA,GAAI,aAAa,CAAA,EAAG,GAAG,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,GAAG,CAAC,CAAA;AAGvD,EAAA,MAAM,OAAA,GAAU,cAAc,UAAU,CAAA;AACxC,EAAA,MAAM,OAAA,GAAU,EAAE,UAAA,EAAW;AAC7B,EAAA,MAAM,CAAA,GAAI,mBAAA,CAAoB,qBAAA,EAAuB,OAAA,EAAS,OAAO,CAAA;AAGrE,EAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,CAAA,GAAI,CAAC,CAAA;AAC3B,EAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,CAAA,GAAI,CAAC,CAAA;AAE3B,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,+BAAA;AAAA,IACN,UAAA;AAAA,IACA,YAAA,EAAc,YAAY,OAAO,CAAA;AAAA,IACjC,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,IAC1C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,IAC1C,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAOO,SAAS,uBAAuB,KAAA,EAAoC;AACzE,EAAA,IAAI;AACF,IAAA,MAAM,IAAIA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAChE,IAAA,MAAM,IAAIA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,YAAY,CAAC,CAAA;AAClE,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AACzD,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAGzD,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,aAAA,CAAc,MAAM,UAAU,CAAA;AAAA,MAC9B,aAAA,CAAc,MAAM,YAAY;AAAA,KAClC;AAGA,IAAA,MAAM,GAAA,GAAM,aAAa,CAAA,EAAG,GAAG,EAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,GAAG,CAAC,CAAA;AACzD,IAAA,MAAM,MAAM,CAAA,CAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,CAAC,CAAC,CAAA;AAEpC,IAAA,OAAO,GAAA,CAAI,OAAO,GAAG,CAAA;AAAA,EACvB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAkBO,SAAS,gBAAA,CACd,KAAA,EACA,cAAA,EACA,UAAA,EACA,KACA,GAAA,EACkC;AAClC,EAAA,IAAI,KAAA,GAAQ,GAAA,IAAO,KAAA,GAAQ,GAAA,EAAK;AAC9B,IAAA,OAAO,EAAE,OAAO,CAAA,MAAA,EAAS,KAAK,qBAAqB,GAAG,CAAA,EAAA,EAAK,GAAG,CAAA,CAAA,CAAA,EAAI;AAAA,EACpE;AAEA,EAAA,MAAM,QAAQ,GAAA,GAAM,GAAA;AACpB,EAAA,MAAM,UAAU,IAAA,CAAK,IAAA,CAAK,KAAK,IAAA,CAAK,KAAA,GAAQ,CAAC,CAAC,CAAA;AAC9C,EAAA,MAAM,UAAU,KAAA,GAAQ,GAAA;AACxB,EAAA,MAAM,CAAA,GAAI,aAAA,CAAc,aAAA,CAAc,cAAc,CAAC,CAAA;AAGrD,EAAA,MAAM,OAAiB,EAAC;AACxB,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,IAAA,IAAA,CAAK,IAAA,CAAM,OAAA,IAAW,CAAA,GAAK,CAAC,CAAA;AAAA,EAC9B;AAGA,EAAA,MAAM,eAAyB,EAAC;AAChC,EAAA,MAAM,iBAA2B,EAAC;AAClC,EAAA,MAAM,YAAwC,EAAC;AAE/C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,IAAA,MAAM,QAAQ,YAAA,EAAa;AAC3B,IAAA,YAAA,CAAa,KAAK,KAAK,CAAA;AAGvB,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,GAAA,CAAI,OAAO,IAAA,CAAK,CAAC,CAAE,CAAC,CAAC,CAAA,CAAE,GAAA,CAAI,YAAA,CAAa,CAAA,EAAG,KAAK,CAAC,CAAA;AAC7E,IAAA,cAAA,CAAe,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAC,CAAA;AAGjD,IAAA,MAAM,WAAW,cAAA,CAAe,IAAA,CAAK,CAAC,CAAA,EAAI,OAAO,GAAG,CAAA;AACpD,IAAA,SAAA,CAAU,KAAK,QAAQ,CAAA;AAAA,EACzB;AAIA,EAAA,MAAM,cAAc,YAAA,CAAa,MAAA;AAAA,IAC/B,CAAC,GAAA,EAAK,EAAA,EAAI,CAAA,KAAM,IAAI,GAAA,GAAM,GAAA,CAAI,MAAA,CAAO,CAAC,CAAA,IAAK,MAAA,CAAO,CAAC,CAAC,IAAI,EAAE,CAAA;AAAA,IAC1D;AAAA,GACF;AAEA,EAAA,MAAM,YAAA,GAAe,GAAA,CAAI,CAAA,GAAI,WAAW,CAAA;AAGxC,EAAA,MAAM,QAAQ,YAAA,EAAa;AAC3B,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,EAAG,KAAK,CAAA;AACnC,EAAA,MAAM,KAAA,GAAQ,mBAAA;AAAA,IACZ,2BAAA;AAAA,IACA,cAAc,UAAU,CAAA;AAAA,IACxB,MAAM,UAAA;AAAW,GACnB;AACA,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,GAAQ,KAAA,GAAQ,YAAY,CAAA;AAE9C,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,6BAAA;AAAA,IACN,UAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,eAAA,EAAiB,cAAA;AAAA,IACjB,UAAA,EAAY,SAAA;AAAA,IACZ,SAAA,EAAW;AAAA,MACT,YAAA,EAAc,WAAA,CAAY,KAAA,CAAM,UAAA,EAAY,CAAA;AAAA,MAC5C,QAAA,EAAU,WAAA,CAAY,aAAA,CAAc,KAAK,CAAC;AAAA,KAC5C;AAAA,IACA,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AACF;AAKO,SAAS,iBAAiB,KAAA,EAA8B;AAC7D,EAAA,IAAI;AACF,IAAA,MAAM,IAAIA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAChE,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,GAAA,GAAM,KAAA,CAAM,GAAA;AAChC,IAAA,MAAM,UAAU,IAAA,CAAK,IAAA,CAAK,KAAK,IAAA,CAAK,KAAA,GAAQ,CAAC,CAAC,CAAA;AAE9C,IAAA,IAAI,KAAA,CAAM,eAAA,CAAgB,MAAA,KAAW,OAAA,EAAS,OAAO,KAAA;AACrD,IAAA,IAAI,KAAA,CAAM,UAAA,CAAW,MAAA,KAAW,OAAA,EAAS,OAAO,KAAA;AAGhD,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,MAAA,MAAM,GAAA,GAAMA,uBAAe,OAAA,CAAQ,aAAA,CAAc,MAAM,eAAA,CAAgB,CAAC,CAAE,CAAC,CAAA;AAC3E,MAAA,IAAI,CAAC,cAAA,CAAe,KAAA,CAAM,WAAW,CAAC,CAAA,EAAI,GAAG,CAAA,EAAG;AAC9C,QAAA,OAAO,KAAA;AAAA,MACT;AAAA,IACF;AAIA,IAAA,IAAI,gBAAgBA,sBAAA,CAAe,IAAA;AACnC,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,OAAA,EAAS,CAAA,EAAA,EAAK;AAChC,MAAA,MAAM,GAAA,GAAMA,uBAAe,OAAA,CAAQ,aAAA,CAAc,MAAM,eAAA,CAAgB,CAAC,CAAE,CAAC,CAAA;AAC3E,MAAA,MAAM,SAAS,GAAA,CAAI,MAAA,CAAO,CAAC,CAAA,IAAK,MAAA,CAAO,CAAC,CAAC,CAAA;AACzC,MAAA,aAAA,GAAgB,aAAA,CAAc,GAAA,CAAI,YAAA,CAAa,GAAA,EAAK,MAAM,CAAC,CAAA;AAAA,IAC7D;AAGA,IAAA,MAAM,IAAA,GAAO,CAAA,CAAE,QAAA,CAAS,YAAA,CAAa,GAAG,GAAA,CAAI,MAAA,CAAO,KAAA,CAAM,GAAG,CAAC,CAAC,CAAC,CAAA,CAAE,SAAS,aAAa,CAAA;AAGvF,IAAA,MAAM,QAAQA,sBAAA,CAAe,OAAA,CAAQ,cAAc,KAAA,CAAM,SAAA,CAAU,YAAY,CAAC,CAAA;AAChF,IAAA,MAAM,QAAQ,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,SAAA,CAAU,QAAQ,CAAC,CAAA;AACnE,IAAA,MAAM,KAAA,GAAQ,mBAAA;AAAA,MACZ,2BAAA;AAAA,MACA,aAAA,CAAc,MAAM,UAAU,CAAA;AAAA,MAC9B,aAAA,CAAc,KAAA,CAAM,SAAA,CAAU,YAAY;AAAA,KAC5C;AAGA,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,KAAK,CAAA;AACjC,IAAA,MAAM,MAAM,KAAA,CAAM,GAAA,CAAI,YAAA,CAAa,IAAA,EAAM,KAAK,CAAC,CAAA;AAC/C,IAAA,OAAO,GAAA,CAAI,OAAO,GAAG,CAAA;AAAA,EACvB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAQA,SAAS,cAAA,CACP,GAAA,EACA,QAAA,EACA,UAAA,EAC+B;AAC/B,EAAA,MAAM,OAAA,GAAU,WAAW,UAAA,EAAW;AAEtC,EAAA,IAAI,QAAQ,CAAA,EAAG;AAGb,IAAA,MAAM,SAAA,GAAY,UAAA,CAAW,QAAA,CAAS,CAAC,CAAA;AAGvC,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,MAAM,YAAA,EAAa;AAEzB,IAAA,MAAM,GAAA,GAAM,aAAa,CAAA,EAAG,GAAG,EAAE,QAAA,CAAS,YAAA,CAAa,SAAA,EAAW,GAAG,CAAC,CAAA;AAGtE,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AAG/B,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAI,UAAA,EAAW;AAAA,MACf,IAAI,UAAA;AAAW,KACjB;AACA,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,CAAA,GAAI,GAAG,CAAA;AACvB,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,GAAA,GAAM,QAAQ,CAAA;AAEpC,IAAA,OAAO;AAAA,MACL,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC1C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC;AAAA,KAC5C;AAAA,EACF,CAAA,MAAO;AAGL,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,MAAM,YAAA,EAAa;AAEzB,IAAA,MAAM,GAAA,GAAM,aAAa,CAAA,EAAG,GAAG,EAAE,QAAA,CAAS,YAAA,CAAa,UAAA,EAAY,GAAG,CAAC,CAAA;AAGvE,IAAA,MAAM,MAAM,YAAA,EAAa;AACzB,IAAA,MAAM,GAAA,GAAM,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AAG/B,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAI,UAAA,EAAW;AAAA,MACf,IAAI,UAAA;AAAW,KACjB;AACA,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,CAAA,GAAI,GAAG,CAAA;AACvB,IAAA,MAAM,GAAA,GAAM,GAAA,CAAI,GAAA,GAAM,GAAA,GAAM,QAAQ,CAAA;AAEpC,IAAA,OAAO;AAAA,MACL,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,cAAA,EAAgB,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,CAAA;AAAA,MAC5C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,WAAA,EAAa,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC3C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAC1C,UAAA,EAAY,WAAA,CAAY,aAAA,CAAc,GAAG,CAAC;AAAA,KAC5C;AAAA,EACF;AACF;AAKA,SAAS,cAAA,CACP,OACA,UAAA,EACS;AACT,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,GAAU,WAAW,UAAA,EAAW;AACtC,IAAA,MAAM,MAAMA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,cAAc,CAAC,CAAA;AACtE,IAAA,MAAM,MAAMA,sBAAA,CAAe,OAAA,CAAQ,aAAA,CAAc,KAAA,CAAM,cAAc,CAAC,CAAA;AACtE,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,WAAW,CAAC,CAAA;AAC1D,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,WAAW,CAAC,CAAA;AAC1D,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AACzD,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,aAAA,CAAc,KAAA,CAAM,UAAU,CAAC,CAAA;AAGzD,IAAA,MAAM,CAAA,GAAI,mBAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAA;AAAA,MACA,IAAI,UAAA,EAAW;AAAA,MACf,IAAI,UAAA;AAAW,KACjB;AACA,IAAA,IAAI,GAAA,CAAI,GAAA,GAAM,GAAG,CAAA,KAAM,GAAG,OAAO,KAAA;AAGjC,IAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AACjC,IAAA,MAAM,QAAQ,GAAA,CAAI,GAAA,CAAI,YAAA,CAAa,UAAA,EAAY,GAAG,CAAC,CAAA;AACnD,IAAA,IAAI,CAAC,KAAA,CAAM,MAAA,CAAO,KAAK,GAAG,OAAO,KAAA;AAGjC,IAAA,MAAM,SAAA,GAAY,UAAA,CAAW,QAAA,CAAS,CAAC,CAAA;AACvC,IAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,CAAA,EAAG,GAAG,CAAA;AACjC,IAAA,MAAM,QAAQ,GAAA,CAAI,GAAA,CAAI,YAAA,CAAa,SAAA,EAAW,GAAG,CAAC,CAAA;AAClD,IAAA,IAAI,CAAC,KAAA,CAAM,MAAA,CAAO,KAAK,GAAG,OAAO,KAAA;AAEjC,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;;;ACzgBO,SAAS,aAAA,CACd,OAAA,EACA,SAAA,EACA,QAAA,EACyF;AACzF,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,CAAY,OAAA,EAAS,SAAS,CAAA;AAEtD,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,iLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAE5B,QAAA,MAAM,UAAA,GAAa,gBAAA,CAAiB,KAAA,EAAO,cAAc,CAAA;AAGzD,QAAA,MAAM,YAAA,GAAe,MAAM,eAAA,CAAgB,KAAA,CAAM,YAAY,KAAK,CAAA;AAElE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,kBAAA,EAAoB,QAAA,EAAU;AAAA,UAClD,aAAA,EAAe,YAAA;AAAA,UACf,iBAAiB,UAAA,CAAW;AAAA,SAC7B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAA,EAAe,YAAA;AAAA,UACf,YAAY,UAAA,CAAW,UAAA;AAAA,UACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,UAC5B,cAAc,UAAA,CAAW,YAAA;AAAA,UACzB,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,0IAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAA,EAAc,OAAA,EAAS,iBAAiB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAE5B,QAAA,MAAM,KAAA,GAAQ,gBAAA,CAAiB,UAAA,EAAY,KAAA,EAAO,cAAc,CAAA;AAEhE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,QAAA,EAAU;AAAA,UAC9C,eAAA,EAAiB,UAAA;AAAA,UACjB;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,UAAA;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,WAAA,EACE,kOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,OAAA;AAAA,YACN,WAAA,EAAa,yCAAA;AAAA,YACb,KAAA,EAAO;AAAA,cACL,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACV,OAAA,EAAS;AAAA,kBACP,IAAA,EAAM,QAAA;AAAA,kBACN,WAAA,EACE;AAAA,iBACJ;AAAA,gBACA,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EAAa;AAAA,iBACf;AAAA,gBACA,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EAAa;AAAA,iBACf;AAAA,gBACA,cAAA,EAAgB;AAAA,kBACd,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA;AACJ,eACF;AAAA,cACA,QAAA,EAAU,CAAC,SAAA,EAAW,UAAA,EAAY,YAAY,gBAAgB;AAAA;AAChE,WACF;AAAA,UACA,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,UAAA,EAAY,eAAe,CAAA;AAAA,YAClC,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAgB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,gBAAgB,IAAA,CAAK,cAAA;AAG3B,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAExB,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA;AAAA,UAC/B,UAAA;AAAA,UACA,KAAA;AAAA,UACA,aAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,UAAA,IAAc,QAAA,EAAU;AAAA,UACrE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,WAAA,EAAa,UAAA;AAAA,UACb,aAAa,KAAA,CAAM;AAAA,SACpB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,WAAA,EAAa,OAAO,KAAA,CAAM,MAAA;AAAA,UAC1B,YAAY,MAAA,CAAO;AAAA,SACpB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,mIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,OAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACxB,WAAA,EAAa;AAAA,WACf;AAAA,UACA,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAA,EAAW,kBAAkB;AAAA,OAC1C;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,QAAA,MAAM,WAAW,IAAA,CAAK,SAAA;AAEtB,QAAA,IAAI,MAAA;AACJ,QAAA,IAAI,QAAA,EAAU;AACZ,UAAA,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAAA,QACzC,CAAA,MAAO;AACL,UAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,IAAA,EAAK;AAC3C,UAAA,MAAA,GAAS,WAAA,CAAY,CAAC,CAAA,IAAK,IAAA;AAAA,QAC7B;AAEA,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,SAAA,GAAY,kBAAA,CAAmB,MAAA,EAAQ,OAAA,EAAS,eAAe,CAAA;AAErE,QAAA,MAAM,cAAc,SAAA,CAAU,MAAA;AAAA,UAC5B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,aAAa,SAAA,CAAU,MAAA;AAAA,UAC3B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,gBAAgB,SAAA,CAAU,MAAA;AAAA,UAC9B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AACF,QAAA,MAAM,eAAe,SAAA,CAAU,MAAA;AAAA,UAC7B,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW;AAAA,SACtB,CAAE,MAAA;AAEF,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,qBAAA,EAAuB,QAAA,EAAU;AAAA,UACrD,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,OAAA;AAAA,UACA,kBAAkB,eAAA,CAAgB,MAAA;AAAA,UAClC,WAAA;AAAA,UACA,UAAA;AAAA,UACA,cAAA,EAAgB;AAAA,SACjB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,OAAA;AAAA,UACA,SAAA;AAAA,UACA,OAAA,EAAS;AAAA,YACP,cAAc,eAAA,CAAgB,MAAA;AAAA,YAC9B,QAAA,EAAU,UAAA;AAAA,YACV,QAAA,EAAU,WAAA;AAAA,YACV,KAAA,EAAO,aAAA;AAAA,YACP,aAAA,EAAe;AAAA,WACjB;AAAA,UACA,wBACE,WAAA,GAAc,CAAA,GACV,CAAA,YAAA,EAAe,WAAW,OAAO,eAAA,CAAgB,MAAM,CAAA,8BAAA,EAAiC,MAAA,CAAO,WAAW,CAAA,CAAA,CAAA,GAC1G,CAAA,IAAA,EAAO,gBAAgB,MAAM,CAAA,qCAAA,EAAwC,OAAO,WAAW,CAAA,CAAA;AAAA,SAC9F,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,WAAA,EACE,2NAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AAEnB,QAAA,IAAI,CAAC,MAAA,CAAO,SAAA,CAAU,KAAK,CAAA,EAAG;AAC5B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,2BAAA,EAA6B,CAAA;AAAA,QAC1D;AAEA,QAAA,MAAM,UAAA,GAAa,yBAAyB,KAAK,CAAA;AAEjD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,WAAA,EAAa,QAAA,EAAU;AAAA,UAC3C,iBAAiB,UAAA,CAAW,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI;AAAA,SACvD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,UAAA,CAAW,UAAA;AAAA,UACvB,iBAAiB,UAAA,CAAW,eAAA;AAAA,UAC5B,cAAc,UAAA,CAAW,YAAA;AAAA,UACzB,YAAA,EAAc,uBAAA;AAAA,UACd,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,oBAAA;AAAA,MACN,WAAA,EACE,yMAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAA,EAAS,iBAAA,EAAmB,YAAY;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAC5B,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AAGxB,QAAA,IAAI,CAAC,wBAAA,CAAyB,UAAA,EAAY,KAAA,EAAO,cAAc,CAAA,EAAG;AAChE,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,KAAA,GAAQ,sBAAA,CAAuB,KAAA,EAAO,cAAA,EAAgB,UAAU,CAAA;AAEtE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,UAAA,EAAY,QAAA,EAAU;AAAA,UAC1C,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,UAAA,EAAY,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI;AAAA,SACvC,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,IAAA,EAAM;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,qBAAA;AAAA,MACN,WAAA,EACE,wJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AAEnB,QAAA,MAAM,KAAA,GAAQ,uBAAuB,KAAK,CAAA;AAE1C,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,WAAA,EAAa,QAAA,EAAU;AAAA,UAC3C,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB;AAAA,SACD,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,YAAY,KAAA,CAAM,UAAA;AAAA,UAClB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,WAAA,EACE,kLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,GAAA,EAAK;AAAA,YACH,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,GAAA,EAAK;AAAA,YACH,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,UAAU,CAAC,OAAA,EAAS,iBAAA,EAAmB,YAAA,EAAc,OAAO,KAAK;AAAA,OACnE;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,QAAA,MAAM,iBAAiB,IAAA,CAAK,eAAA;AAC5B,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AACxB,QAAA,MAAM,MAAM,IAAA,CAAK,GAAA;AACjB,QAAA,MAAM,MAAM,IAAA,CAAK,GAAA;AAEjB,QAAA,MAAM,QAAQ,gBAAA,CAAiB,KAAA,EAAO,cAAA,EAAgB,UAAA,EAAY,KAAK,GAAG,CAAA;AAE1E,QAAA,IAAI,WAAW,KAAA,EAAO;AACpB,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,KAAA,CAAM,OAAO,CAAA;AAAA,QAC1C;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,gBAAA,EAAkB,QAAA,EAAU;AAAA,UAChD,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,KAAA,EAAO,CAAA,CAAA,EAAI,GAAG,CAAA,EAAA,EAAK,GAAG,CAAA,CAAA,CAAA;AAAA,UACtB,IAAA,EAAM,MAAM,eAAA,CAAgB;AAAA,SAC7B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,IAAA,EAAM,CAAA,mDAAA,EAAsD,GAAG,CAAA,EAAA,EAAK,GAAG,CAAA,uBAAA;AAAA,SACxE,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,WAAA,EACE,+HAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,OAAO;AAAA,OACpB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAQ,IAAA,CAAK,KAAA;AAEnB,QAAA,MAAM,KAAA,GAAQ,iBAAiB,KAAK,CAAA;AAEpC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,iBAAA,EAAmB,QAAA,EAAU;AAAA,UACjD,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,KAAA;AAAA,UACA,OAAO,CAAA,CAAA,EAAI,KAAA,CAAM,GAAG,CAAA,EAAA,EAAK,MAAM,GAAG,CAAA,CAAA;AAAA,SACnC,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA;AAAA,UACA,YAAY,KAAA,CAAM,IAAA;AAAA,UAClB,OAAO,EAAE,GAAA,EAAK,MAAM,GAAA,EAAK,GAAA,EAAK,MAAM,GAAA,EAAI;AAAA,UACxC,YAAY,KAAA,CAAM,UAAA;AAAA,UAClB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,eAAA,EAAiB,WAAA,EAAY;AAC/C;;;ACxfA,aAAA,EAAA;AA2GA,SAAS,cAAc,MAAA,EAA0B;AAC/C,EAAA,IAAI,MAAA,CAAO,MAAA,KAAW,CAAA,EAAG,OAAO,CAAA;AAChC,EAAA,MAAM,MAAA,GAAS,CAAC,GAAG,MAAM,CAAA,CAAE,KAAK,CAAC,CAAA,EAAG,CAAA,KAAM,CAAA,GAAI,CAAC,CAAA;AAC/C,EAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,SAAS,CAAC,CAAA;AACxC,EAAA,OAAO,MAAA,CAAO,MAAA,GAAS,CAAA,KAAM,CAAA,GACzB,MAAA,CAAO,GAAG,CAAA,GAAA,CACT,MAAA,CAAO,GAAA,GAAM,CAAC,CAAA,GAAK,MAAA,CAAO,GAAG,CAAA,IAAM,CAAA;AAC1C;AAEA,SAAS,gBAAA,CACP,cACA,WAAA,EACiC;AACjC,EAAA,MAAM,SAA0C,EAAC;AAGjD,EAAA,MAAM,KAAA,GACJ,eACA,KAAA,CAAM,IAAA;AAAA,IACJ,IAAI,GAAA;AAAA,MACF,YAAA,CAAa,OAAA;AAAA,QAAQ,CAAC,CAAA,KACpB,MAAA,CAAO,KAAK,CAAA,CAAE,WAAA,CAAY,KAAK,OAAO;AAAA;AACxC;AACF,GACF;AAEF,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,MAAM,SAAS,YAAA,CACZ,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,IAAI,CAAC,CAAA,CAC3C,MAAA,CAAO,CAAC,CAAA,KAAmB,MAAM,MAAS,CAAA;AAE7C,IAAA,IAAI,MAAA,CAAO,WAAW,CAAA,EAAG;AACvB,MAAA,MAAA,CAAO,IAAI,CAAA,GAAI,EAAE,IAAA,EAAM,CAAA,EAAG,MAAA,EAAQ,CAAA,EAAG,GAAA,EAAK,CAAA,EAAG,GAAA,EAAK,CAAA,EAAG,KAAA,EAAO,CAAA,EAAE;AAC9D,MAAA;AAAA,IACF;AAEA,IAAA,MAAA,CAAO,IAAI,CAAA,GAAI;AAAA,MACb,IAAA,EAAM,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,EAAG,MAAM,CAAA,GAAI,CAAA,EAAG,CAAC,CAAA,GAAI,MAAA,CAAO,MAAA;AAAA,MACjD,MAAA,EAAQ,cAAc,MAAM,CAAA;AAAA,MAC5B,GAAA,EAAK,IAAA,CAAK,GAAA,CAAI,GAAG,MAAM,CAAA;AAAA,MACvB,GAAA,EAAK,IAAA,CAAK,GAAA,CAAI,GAAG,MAAM,CAAA;AAAA,MACvB,OAAO,MAAA,CAAO;AAAA,KAChB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAIO,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,eAAe,CAAA;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OACJ,aAAA,EACA,eAAA,EACA,SACA,OAAA,EACA,QAAA,EACA,qBAAA,EACA,uBAAA,EACA,eAAA,EAC4B;AAC5B,IAAA,MAAM,aAAA,GAAgB,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACtE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,IAAA,MAAM,eAAA,GAAuC;AAAA,MAC3C,cAAA,EAAgB,aAAA;AAAA,MAChB,iBAAiB,QAAA,CAAS,GAAA;AAAA,MAC1B,gBAAA,EAAkB,eAAA;AAAA,MAClB,cAAc,OAAA,CAAQ,IAAA;AAAA,MACtB,gBAAgB,OAAA,CAAQ,MAAA;AAAA,MACxB,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,EAAC;AAAA,MAC7B,OAAA;AAAA,MACA,SAAA,EAAW,GAAA;AAAA,MACX,gBAAA,EAAkB;AAAA,KACpB;AAGA,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,eAAe,CAAC,CAAA;AAC/D,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,SAAA;AAAA,MACA,QAAA,CAAS,qBAAA;AAAA,MACT;AAAA,KACF;AAEA,IAAA,MAAM,WAAA,GAA2B;AAAA,MAC/B,cAAA,EAAgB,aAAA;AAAA,MAChB,MAAA,EAAQ,0BAAA;AAAA,MACR,IAAA,EAAM,eAAA;AAAA,MACN,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,MAChC,QAAQ,QAAA,CAAS;AAAA,KACnB;AAEA,IAAA,MAAM,MAAA,GAA4B;AAAA,MAChC,WAAA;AAAA,MACA,wBAAA,EAA0B,uBAAA;AAAA,MAC1B,sBAAA,EAAwB,CAAC,CAAC,uBAAA;AAAA,MAC1B,WAAA,EAAa;AAAA,KACf;AAGA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,aAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAAA,EAKmB;AAC7B,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAC/B,IAAA,IAAI,QAAA,GAAW,GAAA;AAEf,IAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,YAAY,OAAA,CAAQ;AAAA,OAChD;AAAA,IACF;AAEA,IAAA,IAAI,QAAQ,UAAA,EAAY;AACtB,MAAA,MAAME,SAAQ,IAAI,IAAA,CAAK,QAAQ,UAAA,CAAW,KAAK,EAAE,OAAA,EAAQ;AACzD,MAAA,MAAMC,OAAM,IAAI,IAAA,CAAK,QAAQ,UAAA,CAAW,GAAG,EAAE,OAAA,EAAQ;AACrD,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA,CAAO,CAAC,CAAA,KAAM;AAChC,QAAA,MAAM,CAAA,GAAI,IAAI,IAAA,CAAK,CAAA,CAAE,YAAY,IAAA,CAAK,SAAS,EAAE,OAAA,EAAQ;AACzD,QAAA,OAAO,CAAA,IAAKD,UAAS,CAAA,IAAKC,IAAAA;AAAA,MAC5B,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,IAAI,QAAQ,gBAAA,EAAkB;AAC5B,MAAA,QAAA,GAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,qBAAqB,OAAA,CAAQ;AAAA,OACzD;AAAA,IACF;AAEA,IAAA,MAAM,WAAW,KAAA,CAAM,IAAA;AAAA,MACrB,IAAI,GAAA,CAAI,QAAA,CAAS,GAAA,CAAI,CAAC,MAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,OAAO,CAAC;AAAA,KACzD;AAEA,IAAA,MAAM,aAAa,QAAA,CAAS,GAAA;AAAA,MAAI,CAAC,MAC/B,IAAI,IAAA,CAAK,EAAE,WAAA,CAAY,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA;AAAQ,KACjD;AACA,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAA,GAAS,CAAA,GAC9B,IAAI,KAAK,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA,CAAE,WAAA,sBAClC,IAAI,IAAA,IAAO,WAAA,EAAY;AAC3B,IAAA,MAAM,MAAM,UAAA,CAAW,MAAA,GAAS,CAAA,GAC5B,IAAI,KAAK,IAAA,CAAK,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA,CAAE,WAAA,sBAClC,IAAI,IAAA,IAAO,WAAA,EAAY;AAE3B,IAAA,OAAO;AAAA,MACL,oBAAoB,QAAA,CAAS,MAAA;AAAA,MAC7B,WAAW,QAAA,CAAS,MAAA;AAAA,QAClB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,SAAS,QAAA,CAAS,MAAA;AAAA,QAChB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,QAAQ,QAAA,CAAS,MAAA;AAAA,QACf,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,UAAU,QAAA,CAAS,MAAA;AAAA,QACjB,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,KAAK,cAAA,KAAmB;AAAA,OAC/C,CAAE,MAAA;AAAA,MACF,QAAA;AAAA,MACA,UAAA,EAAY,EAAE,KAAA,EAAO,GAAA,EAAI;AAAA,MACzB,iBAAA,EAAmB,gBAAA,CAAiB,QAAA,EAAU,OAAA,CAAQ,OAAO;AAAA,KAC/D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAA,CACJ,QAAA,EACA,qBAAA,EACA,OAAA,EAC2B;AAC3B,IAAA,IAAI,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAE7B,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,GAAA,GAAM,GAAA,CAAI,OAAO,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,YAAY,OAAO,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,eAAe,GAAA,CAAI,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,WAAW,CAAA;AACjD,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,OAAA,EAAS,kBAAA;AAAA,MACT,YAAA;AAAA,MACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACpC,cAAc,QAAA,CAAS;AAAA,KACzB;AAGA,IAAA,MAAM,WAAA,GAAc,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,UAAU,CAAC,CAAA;AAC5D,IAAA,MAAM,eAAA,GAAkB,IAAA;AAAA,MACtB,WAAA;AAAA,MACA,QAAA,CAAS,qBAAA;AAAA,MACT;AAAA,KACF;AAEA,IAAA,OAAO;AAAA,MACL,GAAG,UAAA;AAAA,MACH,gBAAA,EAAkB,YAAY,eAAe;AAAA,KAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,YAAA,CACJ,MAAA,EACA,gBAAA,EACA,UAAA,EACoE;AACpE,IAAA,IAAI,QAAA,GAAW,CAAA;AACf,IAAA,IAAI,OAAA,GAAU,CAAA;AACd,IAAA,MAAM,QAAA,uBAAe,GAAA,EAAY;AAEjC,IAAA,KAAA,MAAW,WAAA,IAAe,OAAO,YAAA,EAAc;AAC7C,MAAA,IAAI,gBAAA,EAAkB;AACpB,QAAA,MAAM,SAAA,GAAY,UAAA,CAAW,GAAA,CAAI,WAAA,CAAY,MAAM,CAAA;AACnD,QAAA,IAAI,CAAC,SAAA,EAAW;AACd,UAAA,OAAA,EAAA;AACA,UAAA;AAAA,QACF;AAEA,QAAA,MAAM,SAAA,GAAY,aAAA;AAAA,UAChB,IAAA,CAAK,SAAA,CAAU,WAAA,CAAY,IAAI;AAAA,SACjC;AACA,QAAA,MAAM,QAAA,GAAW,aAAA,CAAc,WAAA,CAAY,SAAS,CAAA;AAEpD,QAAA,IAAI,CAAC,MAAA,CAAO,SAAA,EAAW,QAAA,EAAU,SAAS,CAAA,EAAG;AAC3C,UAAA,OAAA,EAAA;AACA,UAAA;AAAA,QACF;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAA4B;AAAA,QAChC,WAAA;AAAA,QACA,sBAAA,EAAwB,KAAA;AAAA,QACxB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACtC;AAEA,MAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,MAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,QACjB,aAAA;AAAA,QACA,WAAA,CAAY,cAAA;AAAA,QACZ,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,OACzC;AAEA,MAAA,QAAA,EAAA;AACA,MAAA,QAAA,CAAS,GAAA,CAAI,WAAA,CAAY,IAAA,CAAK,OAAO,CAAA;AAAA,IACvC;AAEA,IAAA,OAAO;AAAA,MACL,QAAA;AAAA,MACA,OAAA;AAAA,MACA,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,QAAQ;AAAA,KAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,YAAA,CACJ,gBAAA,EACA,eAAA,EACA,cAAA,EACA,YACA,gBAAA,EACiB;AACjB,IAAA,MAAM,QAAA,GAAW,CAAA,IAAA,EAAO,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACjE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,iBAAiB,GAAI,CAAA;AAGhE,IAAA,MAAM,EAAE,YAAA,EAAAC,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,IAAA,MAAM,SAAA,GAAYA,aAAAA,CAAa,aAAA,CAAc,gBAAgB,CAAC,CAAA;AAE9D,IAAA,MAAM,MAAA,GAAiB;AAAA,MACrB,SAAA,EAAW,QAAA;AAAA,MACX,iBAAA,EAAmB,gBAAA;AAAA,MACnB,UAAA,EAAY,SAAA;AAAA,MACZ,iBAAA,EAAmB,gBAAA;AAAA,MACnB,gBAAA,EAAkB,eAAA;AAAA,MAClB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,IAAI,WAAA,EAAY;AAAA,MAC5B,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,MAClC,MAAA,EAAQ;AAAA,KACV;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,UAAA;AAAA,MACA,QAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAU,QAAA,EAA0C;AACxD,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,YAAY,QAAQ,CAAA;AACxD,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAA,CACJ,iBAAA,EACA,UACA,KAAA,EACA,eAAA,EACA,uBACA,YAAA,EACoB;AACpB,IAAA,MAAM,WAAA,GAAc,CAAA,KAAA,EAAQ,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACrE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,aAAa,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,kBAAkB,GAAI,CAAA;AAElE,IAAA,MAAM,eAAA,GAAkB;AAAA,MACtB,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,iBAAA,CAAkB,GAAA;AAAA,MACjC,SAAA,EAAW,QAAA;AAAA,MACX,KAAA;AAAA,MACA,aAAA,EAAe,YAAA;AAAA,MACf,WAAA,EAAa,WAAW,WAAA,EAAY;AAAA,MACpC,SAAA,EAAW,IAAI,WAAA;AAAY,KAC7B;AAGA,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,eAAe,CAAC,CAAA;AAC/D,IAAA,MAAM,SAAA,GAAY,IAAA;AAAA,MAChB,SAAA;AAAA,MACA,iBAAA,CAAkB,qBAAA;AAAA,MAClB;AAAA,KACF;AAEA,IAAA,MAAM,WAAA,GAAc,WAAA;AAAA,MAClB,aAAA;AAAA,QACE,KAAK,SAAA,CAAU;AAAA,UACb,GAAG,eAAA;AAAA,UACH,SAAA,EAAW,YAAY,SAAS;AAAA,SACjC;AAAA;AACH,KACF;AAEA,IAAA,MAAM,SAAA,GAAuB;AAAA,MAC3B,YAAA,EAAc,WAAA;AAAA,MACd,eAAe,iBAAA,CAAkB,GAAA;AAAA,MACjC,SAAA,EAAW,QAAA;AAAA,MACX,KAAA;AAAA,MACA,aAAA,EAAe,YAAA;AAAA,MACf,WAAA,EAAa,WAAW,WAAA,EAAY;AAAA,MACpC,WAAA;AAAA,MACA,UAAA,EAAY,IAAI,WAAA;AAAY,KAC9B;AAEA,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,CAAA;AAC1D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,aAAA;AAAA,MACA,WAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAEA,IAAA,OAAO,SAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,sBAAsB,OAAA,EAGK;AAC/B,IAAA,IAAI,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,EAAQ;AAE7B,IAAA,IAAI,SAAS,OAAA,EAAS;AACpB,MAAA,GAAA,GAAM,GAAA,CAAI,OAAO,CAAC,CAAA,KAAM,EAAE,WAAA,CAAY,IAAA,CAAK,OAAA,KAAY,OAAA,CAAQ,OAAO,CAAA;AAAA,IACxE;AACA,IAAA,IAAI,SAAS,gBAAA,EAAkB;AAC7B,MAAA,GAAA,GAAM,GAAA,CAAI,MAAA;AAAA,QACR,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,qBAAqB,OAAA,CAAQ;AAAA,OACzD;AAAA,IACF;AAEA,IAAA,OAAO,GAAA;AAAA,EACT;AAAA;AAAA,EAIA,MAAc,OAAA,GAAwC;AACpD,IAAA,MAAM,UAA+B,EAAC;AAEtC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,aAAa,CAAA;AACrD,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,aAAA,EAAe,KAAK,GAAG,CAAA;AAC3D,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,OAAA,CAAQ,KAAK,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAC,CAAA;AAAA,QACnD,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;AC7jBA,aAAA,EAAA;;;ACcO,IAAM,YAAA,GAAgD;AAAA,EAC3D,oBAAA,EAAsB,CAAA;AAAA,EACtB,mBAAA,EAAqB,GAAA;AAAA,EACrB,eAAA,EAAiB,GAAA;AAAA,EACjB,YAAA,EAAc;AAChB;AAqBO,SAAS,WAAA,CACd,cAAA,EACA,gBAAA,EACA,oBAAA,EACc;AACd,EAAA,MAAM,SAAA,GAAY,gBAAA,CAAiB,GAAA,CAAI,cAAc,CAAA;AAErD,EAAA,IAAI,SAAA,IAAa,UAAU,QAAA,EAAU;AAEnC,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,SAAA,CAAU,UAAU,CAAA;AAC/C,IAAA,IAAI,SAAA,mBAAY,IAAI,IAAA,EAAK,EAAG;AAC1B,MAAA,OAAO;AAAA,QACL,kBAAkB,SAAA,CAAU,UAAA;AAAA,QAC5B,wBAAwB,SAAA,CAAU,YAAA;AAAA,QAClC,aAAa,SAAA,CAAU;AAAA,OACzB;AAAA,IACF;AAAA,EAEF;AAEA,EAAA,IAAI,oBAAA,EAAsB;AACxB,IAAA,OAAO,EAAE,kBAAkB,eAAA,EAAgB;AAAA,EAC7C;AAEA,EAAA,OAAO,EAAE,kBAAkB,YAAA,EAAa;AAC1C;AAKO,SAAS,2BAA2B,SAAA,EAAuC;AAChF,EAAA,QAAQ,SAAA;AAAW,IACjB,KAAK,oBAAA;AACH,MAAA,OAAO,oBAAA;AAAA,IACT,KAAK,mBAAA;AACH,MAAA,OAAO,mBAAA;AAAA,IACT;AACE,MAAA,OAAO,YAAA;AAAA;AAEb;AAsBO,SAAS,qBACd,YAAA,EACe;AACf,EAAA,IAAI,YAAA,CAAa,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAEtC,EAAA,IAAI,WAAA,GAAc,CAAA;AAClB,EAAA,IAAI,WAAA,GAAc,CAAA;AAElB,EAAA,KAAA,MAAW,KAAK,YAAA,EAAc;AAC5B,IAAA,MAAM,MAAA,GAAS,YAAA,CAAa,CAAA,CAAE,IAAI,CAAA;AAClC,IAAA,WAAA,IAAe,EAAE,KAAA,GAAQ,MAAA;AACzB,IAAA,WAAA,IAAe,MAAA;AAAA,EACjB;AAEA,EAAA,OAAO,WAAA,GAAc,CAAA,GAAI,WAAA,GAAc,WAAA,GAAc,IAAA;AACvD;AAKO,SAAS,iBACd,KAAA,EACiC;AACjC,EAAA,MAAM,IAAA,GAAwC;AAAA,IAC5C,oBAAA,EAAsB,CAAA;AAAA,IACtB,mBAAA,EAAqB,CAAA;AAAA,IACrB,eAAA,EAAiB,CAAA;AAAA,IACjB,YAAA,EAAc;AAAA,GAChB;AAEA,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAA,CAAK,IAAI,CAAA,EAAA;AAAA,EACX;AAEA,EAAA,OAAO,IAAA;AACT;;;AD9HO,SAAS,aAAA,CACd,OAAA,EACA,SAAA,EACA,eAAA,EACA,UACA,gBAAA,EAC+D;AAC/D,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,qBAAA,GAAwB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAE/E,EAAA,MAAM,SAAA,GAAY,gBAAA,oBAAoB,IAAI,GAAA,EAA6B;AAEvE,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,gIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,qBAAA;AAAA,YACb,UAAA,EAAY;AAAA,cACV,IAAA,EAAM;AAAA,gBACJ,IAAA,EAAM,QAAA;AAAA,gBACN,MAAM,CAAC,aAAA,EAAe,aAAA,EAAe,SAAA,EAAW,WAAW,QAAQ;AAAA,eACrE;AAAA,cACA,MAAA,EAAQ;AAAA,gBACN,IAAA,EAAM,QAAA;AAAA,gBACN,IAAA,EAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAU,UAAU;AAAA,eACrD;AAAA,cACA,OAAA,EAAS;AAAA,gBACP,IAAA,EAAM,QAAA;AAAA,gBACN,WAAA,EAAa;AAAA;AACf,aACF;AAAA,YACA,QAAA,EAAU,CAAC,MAAA,EAAQ,QAAQ;AAAA,WAC7B;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,iDAAA;AAAA,YACb,OAAA,EAAS;AAAA,WACX;AAAA,UACA,wBAAA,EAA0B;AAAA,YACxB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,gBAAA,EAAkB,kBAAA,EAAoB,SAAS;AAAA,OAC5D;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,OAAA,GAAW,KAAK,OAAA,IAAsB,SAAA;AAG5C,QAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,QAAA,MAAM,oBAAA,GAAuB,eAAA,CAAgB,IAAA,EAAK,CAAE,IAAA;AAAA,UAClD,CAAC,EAAA,KAAO,eAAA,CAAgB,IAAI,EAAA,CAAG,WAAW,GAAG,GAAA,KAAQ;AAAA,SACvD;AACA,QAAA,MAAM,QAAA,GAAW,WAAA,CAAY,eAAA,EAAiB,SAAA,EAAW,oBAAoB,CAAA;AAE7E,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,MAAA;AAAA,UACnC,IAAA,CAAK,cAAA;AAAA,UACL,eAAA;AAAA,UACA,OAAA;AAAA,UACA,OAAA;AAAA,UACA,QAAA;AAAA,UACA,qBAAA;AAAA,UACA,IAAA,CAAK,wBAAA;AAAA,UACL,QAAA,CAAS;AAAA,SACX;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC/D,gBAAgB,IAAA,CAAK,cAAA;AAAA,UACrB,cAAc,OAAA,CAAQ,IAAA;AAAA,UACtB,gBAAgB,OAAA,CAAQ,MAAA;AAAA,UACxB,OAAA;AAAA,UACA,kBAAkB,QAAA,CAAS;AAAA,SAC5B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAA,EAAgB,OAAO,WAAA,CAAY,cAAA;AAAA,UACnC,cAAA,EAAgB,MAAA,CAAO,WAAA,CAAY,IAAA,CAAK,cAAA;AAAA,UACxC,gBAAA,EAAkB,OAAO,WAAA,CAAY,SAAA;AAAA,UACrC,wBAAwB,MAAA,CAAO,sBAAA;AAAA,UAC/B,kBAAkB,QAAA,CAAS,gBAAA;AAAA,UAC3B,OAAA;AAAA,UACA,aAAa,MAAA,CAAO;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,6GAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa,sBAAA;AAAA,YACb,UAAA,EAAY;AAAA,cACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,gBAAA,EAAiB;AAAA,cACvD,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA;AAAe;AACrD,WACF;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,OAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACxB,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,OAAA,GAAU,MAAM,eAAA,CAAgB,KAAA,CAAM;AAAA,UAC1C,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,YAAY,IAAA,CAAK,UAAA;AAAA,UAGjB,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,kBAAkB,IAAA,CAAK;AAAA,SACxB,CAAA;AAED,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,kBAAA,EAAoB,QAAA,EAAU;AAAA,UAClD,oBAAoB,OAAA,CAAQ,kBAAA;AAAA,UAC5B,UAAU,OAAA,CAAQ;AAAA,SACnB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,OAAA;AAAA;AAAA,UAEA,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,kBAAkB,CAAA;AAAA,YACzB,OAAA,EAAS;AAAA,WACX;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,QAAA;AAAA,UACA,qBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,SAAA,CAAU,MAAM,CAAA;AACxC,QAAA,MAAM,YAAA,GAAe,WAAA;AAAA,UACnB,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,UAAU;AAAA,SACrC;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC/D,iBAAA,EAAmB,OAAO,YAAA,CAAa,MAAA;AAAA,UACvC,UAAU,KAAA,CAAM,IAAA;AAAA,YACd,IAAI,GAAA,CAAI,MAAA,CAAO,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,CAAK,OAAO,CAAC;AAAA;AACxD,SACD,CAAA;AAED,QAAA,MAAM,EAAE,YAAA,EAAAA,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,QAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAEhC,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,MAAA,EAAQ,YAAA;AAAA,UACR,iBAAA,EAAmB,OAAO,YAAA,CAAa,MAAA;AAAA,UACvC,UAAU,KAAA,CAAM,IAAA;AAAA,YACd,IAAI,GAAA,CAAI,MAAA,CAAO,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,IAAA,CAAK,OAAO,CAAC;AAAA,WACxD;AAAA,UACA,WAAA,EAAaD,aAAAA,CAAaC,cAAAA,CAAc,UAAU,CAAC,CAAA;AAAA,UACnD,aAAa,MAAA,CAAO;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,6GAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAe,IAAA,CAAK,MAAA;AAG1B,QAAA,MAAM,gBAAA,GAAmB,IAAA;AAEzB,QAAA,IAAI,MAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,cAAc,YAAY,CAAA;AAC9C,UAAA,MAAM,UAAA,GAAa,IAAI,WAAA,EAAY,CAAE,OAAO,WAAW,CAAA;AACvD,UAAA,MAAA,GAAS,IAAA,CAAK,MAAM,UAAU,CAAA;AAAA,QAChC,CAAA,CAAA,MAAQ;AACN,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAGA,QAAA,MAAM,UAAA,uBAAiB,GAAA,EAAwB;AAC/C,QAAA,KAAA,MAAW,GAAA,IAAO,eAAA,CAAgB,IAAA,EAAK,EAAG;AACxC,UAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,GAAA,CAAI,GAAA,CAAI,WAAW,CAAA;AACpD,UAAA,IAAI,QAAA,EAAU;AACZ,YAAA,UAAA,CAAW,IAAI,QAAA,CAAS,GAAA,EAAK,aAAA,CAAc,QAAA,CAAS,UAAU,CAAC,CAAA;AAAA,UACjE;AAAA,QACF;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,MAAA;AAAA,UACA,gBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,EAAU;AAAA,UACnD,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,UAAU,MAAA,CAAO;AAAA,SAClB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,uBAAuB,MAAA,CAAO,QAAA;AAAA,UAC9B,sBAAsB,MAAA,CAAO,OAAA;AAAA,UAC7B,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,qCAAA;AAAA,MACN,WAAA,EACE,qOAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,OAAA,GAAU,MAAM,eAAA,CAAgB,KAAA,CAAM;AAAA,UAC1C,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,kBAAkB,IAAA,CAAK;AAAA,SACxB,CAAA;AAID,QAAA,MAAM,eAAA,GAAkB,MAAM,eAAA,CAAgB,qBAAA,CAAsB;AAAA,UAClE,SAAS,IAAA,CAAK,OAAA;AAAA,UACd,kBAAkB,IAAA,CAAK;AAAA,SACxB,CAAA;AAED,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AAGpB,QAAA,MAAM,kBAAA,GAA0C,eAAA,CAC7C,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA,KAAM,MAAS,CAAA,CAC9D,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,UACX,KAAA,EAAO,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,QAAQ,MAAM,CAAA;AAAA,UACxC,IAAA,EAAO,CAAA,CAAE,WAAA,CAAY,IAAA,CAAK,gBAAA,IAAoB;AAAA,SAChD,CAAE,CAAA;AAEJ,QAAA,MAAM,aAAA,GAAgB,qBAAqB,kBAAkB,CAAA;AAG7D,QAAA,MAAM,QAAQ,eAAA,CAAgB,GAAA;AAAA,UAC5B,CAAC,CAAA,KAAO,CAAA,CAAE,WAAA,CAAY,KAAK,gBAAA,IAAoB;AAAA,SACjD;AACA,QAAA,MAAM,IAAA,GAAO,iBAAiB,KAAK,CAAA;AAEnC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,2BAAA,EAA6B,QAAA,EAAU;AAAA,UAC3D,MAAA;AAAA,UACA,mBAAmB,kBAAA,CAAmB,MAAA;AAAA,UACtC,cAAA,EAAgB;AAAA,SACjB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,MAAA;AAAA,UACA,cAAA,EAAgB,aAAA;AAAA,UAChB,mBAAmB,kBAAA,CAAmB,MAAA;AAAA,UACtC,iBAAA,EAAmB,IAAA;AAAA,UACnB,YAAA,EAAc,YAAA;AAAA,UACd,kBAAA,EAAoB;AAAA,SACrB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,iHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,mBAAA,EAAqB,kBAAA,EAAoB,iBAAiB;AAAA,OACvE;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO;AAAA,WACR,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,YAAA;AAAA,UACnC,IAAA,CAAK,iBAAA;AAAA,UACL,IAAA,CAAK,gBAAA;AAAA,UACL,IAAA,CAAK,eAAA;AAAA,UACL,QAAA,CAAS,GAAA;AAAA,UACT,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,QAAA,CAAS,WAAA,EAAa;AAAA,UACrE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,kBAAkB,IAAA,CAAK,gBAAA;AAAA,UACvB,iBAAiB,IAAA,CAAK;AAAA,SACvB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,QAAQ,MAAA,CAAO;AAAA,SAChB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,uCAAA;AAAA,MACN,WAAA,EACE,mIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,qBAAA,EAAuB;AAAA,YACrB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,aAAA,EAAe;AAAA,YACb,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU;AAAA,UACR,uBAAA;AAAA,UACA,mBAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,oBAAoB,eAAA,CAAgB,GAAA;AAAA,UACxC,IAAA,CAAK;AAAA,SACP;AACA,QAAA,MAAM,gBAAgB,eAAA,CAAgB,GAAA;AAAA,UACpC,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,oBAAA,EAAuB,IAAA,CAAK,qBAAqB,CAAA,YAAA;AAAA,WACzD,CAAA;AAAA,QACH;AACA,QAAA,IAAI,CAAC,aAAA,EAAe;AAClB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,gBAAA,EAAmB,IAAA,CAAK,iBAAiB,CAAA,YAAA;AAAA,WACjD,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,eAAA,CAAgB,eAAA;AAAA,UACtC,iBAAA;AAAA,UACA,aAAA,CAAc,GAAA;AAAA,UACd,IAAA,CAAK,KAAA;AAAA,UACL,IAAA,CAAK,gBAAA;AAAA,UACL,qBAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,6BAAA;AAAA,UACA,iBAAA,CAAkB,WAAA;AAAA,UAClB;AAAA,YACE,cAAc,SAAA,CAAU,YAAA;AAAA,YACxB,WAAW,aAAA,CAAc,GAAA;AAAA,YACzB,OAAO,IAAA,CAAK;AAAA;AACd,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAc,SAAA,CAAU,YAAA;AAAA,UACxB,uBAAuB,SAAA,CAAU,WAAA;AAAA,UACjC,OAAO,SAAA,CAAU,KAAA;AAAA,UACjB,aAAa,SAAA,CAAU;AAAA,SACxB,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,OAAO,eAAA,EAAgB;AAClC;AEtiBA,IAAM,aAAA,GAA6B;AAAA,EACjC,oBAAA,EAAsB,SAAA;AAAA,EACtB,gBAAA,EAAkB,SAAA;AAAA,EAClB,0BAAA,EAA4B,CAAA;AAAA,EAC5B,oBAAA,EAAsB,EAAA;AAAA,EACtB,mBAAA,EAAqB,EAAA;AAAA,EACrB,oBAAA,EAAsB;AACxB,CAAA;AAGA,IAAM,eAAA,GAAyC;AAAA,EAC7C,IAAA,EAAM,QAAA;AAAA,EACN,eAAA,EAAiB;AAAA;AAAA;AAGnB,CAAA;AAGO,IAAM,cAAA,GAAkC;AAAA,EAC7C,OAAA,EAAS,CAAA;AAAA,EACT,oBAAA,EAAsB;AAAA,IACpB,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,aAAA,EAAe,aAAA;AAAA,EACf,kBAAA,EAAoB;AAAA,IAClB,YAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,iBAAA;AAAA,IACA,eAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,kBAAA;AAAA,IACA,cAAA;AAAA,IACA,uBAAA;AAAA,IACA,qBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kBAAA;AAAA,IACA,yBAAA;AAAA,IACA,aAAA;AAAA,IACA,gBAAA;AAAA,IACA,mBAAA;AAAA,IACA,UAAA;AAAA,IACA,uBAAA;AAAA,IACA,yBAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,oBAAA;AAAA,IACA,kBAAA;AAAA,IACA,2BAAA;AAAA,IACA,kBAAA;AAAA,IACA,2BAAA;AAAA,IACA,mBAAA;AAAA,IACA,WAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,iBAAA;AAAA,IACA,yBAAA;AAAA,IACA,6BAAA;AAAA,IACA,wBAAA;AAAA,IACA,qBAAA;AAAA,IACA,4BAAA;AAAA,IACA,qBAAA;AAAA,IACA,qBAAA;AAAA,IACA,mBAAA;AAAA,IACA,oBAAA;AAAA,IACA,eAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,gBAAA,EAAkB;AACpB,CAAA;AAMO,SAAS,qBAAqB,QAAA,EAA0B;AAC7D,EAAA,OAAO,QAAA,CAAS,WAAW,YAAY,CAAA,GACnC,SAAS,KAAA,CAAM,YAAA,CAAa,MAAM,CAAA,GAClC,QAAA;AACN;AAYO,SAAS,YAAY,OAAA,EAAkC;AAC5D,EAAA,MAAM,OAAA,GAAU,QAAQ,IAAA,EAAK;AAG7B,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AACjC,IAAA,OAAO,eAAe,MAAM,CAAA;AAAA,EAC9B;AAGA,EAAA,MAAM,SAAkC,EAAC;AACzC,EAAA,IAAI,UAAA,GAA4B,IAAA;AAChC,EAAA,IAAI,WAAA,GAA+B,IAAA;AACnC,EAAA,IAAI,aAAA,GAAgD,IAAA;AAEpD,EAAA,KAAA,MAAW,OAAA,IAAW,OAAA,CAAQ,KAAA,CAAM,IAAI,CAAA,EAAG;AACzC,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AACjC,IAAA,IAAI,IAAA,CAAK,IAAA,EAAK,KAAM,EAAA,EAAI;AAExB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,GAAS,IAAA,CAAK,WAAU,CAAE,MAAA;AAC9C,IAAA,MAAM,QAAA,GAAW,KAAK,IAAA,EAAK;AAE3B,IAAA,IAAI,MAAA,KAAW,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAE1C,MAAA,IAAI,cAAc,WAAA,EAAa;AAC7B,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,WAAA;AAAA,MACvB,CAAA,MAAA,IAAW,cAAc,aAAA,EAAe;AACtC,QAAA,MAAA,CAAO,UAAU,CAAA,GAAI,aAAA;AAAA,MACvB;AAEA,MAAA,MAAM,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACrC,MAAA,MAAM,MAAM,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,QAAQ,EAAE,IAAA,EAAK;AAC7C,MAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,CAAM,QAAA,GAAW,CAAC,EAAE,IAAA,EAAK;AAEhD,MAAA,IAAI,KAAA,KAAU,EAAA,IAAM,KAAA,KAAU,GAAA,EAAK;AACjC,QAAA,UAAA,GAAa,GAAA;AACb,QAAA,WAAA,GAAc,IAAA;AACd,QAAA,aAAA,GAAgB,IAAA;AAAA,MAClB,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,WAAA,CAAY,KAAK,CAAA;AAC/B,QAAA,UAAA,GAAa,IAAA;AACb,QAAA,WAAA,GAAc,IAAA;AACd,QAAA,aAAA,GAAgB,IAAA;AAAA,MAClB;AAAA,IACF,WAAW,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,EAAG;AAElD,MAAA,IAAI,CAAC,WAAA,EAAa,WAAA,GAAc,EAAC;AACjC,MAAA,WAAA,CAAY,IAAA,CAAK,QAAA,CAAS,KAAA,CAAM,CAAC,CAAA,CAAE,IAAA,EAAK,CAAE,KAAA,CAAM,KAAK,CAAA,CAAE,CAAC,CAAE,CAAA;AAAA,IAC5D,WAAW,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAE/C,MAAA,IAAI,CAAC,aAAA,EAAe,aAAA,GAAgB,EAAC;AACrC,MAAA,MAAM,QAAA,GAAW,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACrC,MAAA,MAAM,MAAM,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,QAAQ,EAAE,IAAA,EAAK;AAC7C,MAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,CAAM,QAAA,GAAW,CAAC,EAAE,IAAA,EAAK;AAChD,MAAA,aAAA,CAAc,GAAG,IAAI,WAAA,CAAY,KAAA,CAAM,MAAM,KAAK,CAAA,CAAE,CAAC,CAAE,CAAA;AAAA,IACzD;AAAA,EACF;AAGA,EAAA,IAAI,cAAc,WAAA,EAAa;AAC7B,IAAA,MAAA,CAAO,UAAU,CAAA,GAAI,WAAA;AAAA,EACvB,CAAA,MAAA,IAAW,cAAc,aAAA,EAAe;AACtC,IAAA,MAAA,CAAO,UAAU,CAAA,GAAI,aAAA;AAAA,EACvB;AAEA,EAAA,OAAO,eAAe,MAAM,CAAA;AAC9B;AAEA,SAAS,YAAY,KAAA,EAA0C;AAC7D,EAAA,IAAI,KAAA,KAAU,QAAQ,OAAO,IAAA;AAC7B,EAAA,IAAI,KAAA,KAAU,SAAS,OAAO,KAAA;AAC9B,EAAA,MAAM,GAAA,GAAM,OAAO,KAAK,CAAA;AACxB,EAAA,IAAI,CAAC,KAAA,CAAM,GAAG,CAAA,IAAK,KAAA,KAAU,IAAI,OAAO,GAAA;AACxC,EAAA,OAAO,KAAA,CAAM,OAAA,CAAQ,cAAA,EAAgB,EAAE,CAAA;AACzC;AAEA,SAAS,eAAe,GAAA,EAA+C;AAIrE,EAAA,MAAM,SAAA,GAAa,GAAA,CAAI,kBAAA,IAAmC,EAAC;AAC3D,EAAA,MAAM,WAAA,GAAc;AAAA,IAClB,uBAAO,GAAA,CAAI,CAAC,GAAG,SAAA,EAAW,GAAG,cAAA,CAAe,kBAAkB,CAAC;AAAA,GACjE;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAU,IAAI,OAAA,IAAsB,CAAA;AAAA,IACpC,oBAAA,EACG,GAAA,CAAI,oBAAA,IAAqC,cAAA,CAAe,oBAAA;AAAA,IAC3D,aAAA,EAAe;AAAA,MACb,GAAG,aAAA;AAAA,MACH,GAAK,GAAA,CAAI,aAAA,IAA6C;AAAC,KACzD;AAAA,IACA,kBAAA,EAAoB,WAAA;AAAA,IACpB,mBAAmB,MAAM;AACvB,MAAA,MAAM,MAAA,GAAS;AAAA,QACb,GAAG,eAAA;AAAA,QACH,GAAK,GAAA,CAAI,gBAAA,IAAgD;AAAC,OAC5D;AAGA,MAAA,OAAO,MAAA,CAAO,SAAA;AACd,MAAA,OAAO,MAAA;AAAA,IACT,CAAA;AAAG,GACL;AACF;AAKA,SAAS,yBAAA,GAAoC;AAC3C,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA;AAsFT;AAOA,eAAsB,oBACpB,WAAA,EAC0B;AAC1B,EAAA,MAAM,UAAA,GAAaxB,SAAAA,CAAK,WAAA,EAAa,uBAAuB,CAAA;AAE5D,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,GAAU,MAAMG,iBAAAA,CAAS,UAAA,EAAY,OAAO,CAAA;AAClD,IAAA,MAAM,MAAA,GAAS,YAAY,OAAO,CAAA;AAClC,IAAA,OAAO,MAAA,CAAO,OAAO,MAAM,CAAA;AAAA,EAC7B,CAAA,CAAA,MAAQ;AAEN,IAAA,MAAM,cAAc,yBAAA,EAA0B;AAC9C,IAAA,IAAI;AACF,MAAA,MAAMC,kBAAAA,CAAU,UAAA,EAAY,WAAA,EAAa,OAAO,CAAA;AAChD,MAAA,MAAMqB,cAAA,CAAM,YAAY,GAAK,CAAA;AAAA,IAC/B,CAAA,CAAA,MAAQ;AAAA,IAER;AACA,IAAA,OAAO,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,gBAAgB,CAAA;AAAA,EAC5C;AACF;;;ACvUA,aAAA,EAAA;AAGA,IAAM,kBAAA,GAAqB,YAAA;AAC3B,IAAM,YAAA,GAAe,kBAAA;AAEd,IAAM,kBAAN,MAAsB;AAAA,EACnB,OAAA;AAAA,EACA,aAAA;AAAA,EACA,OAAA;AAAA;AAAA,EAGA,WAAA,uBAAyC,GAAA,EAAI;AAAA;AAAA,EAG7C,WAAA,uBAAyC,GAAA,EAAI;AAAA;AAAA,EAG7C,aAAuB,EAAC;AAAA,EAEhC,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,oBAAoB,CAAA;AACrE,IAAA,IAAA,CAAK,OAAA,GAAU;AAAA,MACb,kBAAkB,EAAC;AAAA,MACnB,sBAAsB,EAAC;AAAA,MACvB,kBAAkB,EAAC;AAAA,MACnB,gBAAA,EAAkB,IAAA;AAAA,MAClB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAA,GAAsB;AAC1B,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,oBAAoB,YAAY,CAAA;AACpE,MAAA,IAAI,CAAC,GAAA,EAAK;AAEV,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,KAAA,GAAwB,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAGjE,MAAA,IAAA,CAAK,OAAA,CAAQ,gBAAA,GAAmB,KAAA,CAAM,gBAAA,IAAoB,EAAC;AAC3D,MAAA,IAAA,CAAK,OAAA,CAAQ,oBAAA,GAAuB,KAAA,CAAM,oBAAA,IAAwB,EAAC;AACnE,MAAA,IAAA,CAAK,QAAQ,gBAAA,GAAmB,KAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AAEN,MAAA,IAAA,CAAK,QAAQ,gBAAA,GAAmB,IAAA;AAAA,IAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAA,GAAsB;AAC1B,IAAA,IAAA,CAAK,OAAA,CAAQ,QAAA,GAAA,iBAAW,IAAI,IAAA,IAAO,WAAA,EAAY;AAC/C,IAAA,MAAM,aAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,OAAO,CAAC,CAAA;AAC7D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,kBAAA;AAAA,MACA,YAAA;AAAA,MACA,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe,QAAA,EAAwB;AACrC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,IAAA,IAAA,CAAK,OAAA,CAAQ,iBAAiB,QAAQ,CAAA,GAAA,CACnC,KAAK,OAAA,CAAQ,gBAAA,CAAiB,QAAQ,CAAA,IAAK,CAAA,IAAK,CAAA;AAGnD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA,EAAG;AACnC,MAAA,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAA,EAAU,EAAE,CAAA;AAAA,IACnC;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAC5C,IAAA,MAAA,CAAO,KAAK,GAAG,CAAA;AAGf,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,OAAO,MAAA,GAAS,CAAA,IAAK,MAAA,CAAO,CAAC,IAAK,MAAA,EAAQ;AAC/C,MAAA,MAAA,CAAO,KAAA,EAAM;AAAA,IACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,sBAAsB,SAAA,EAA4B;AAEhD,IAAA,IAAI,SAAA,CAAU,UAAA,CAAW,GAAG,CAAA,EAAG,OAAO,KAAA;AAEtC,IAAA,MAAM,QAAQ,CAAC,IAAA,CAAK,OAAA,CAAQ,gBAAA,CAAiB,SAAS,SAAS,CAAA;AAC/D,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,IAAA,CAAK,OAAA,CAAQ,gBAAA,CAAiB,IAAA,CAAK,SAAS,CAAA;AAAA,IAC9C;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAAoB,SAAA,EAA2B;AAC7C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAS,CAAA,EAAG;AACpC,MAAA,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAA,EAAW,EAAE,CAAA;AAAA,IACpC;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,SAAS,CAAA;AAC7C,IAAA,MAAA,CAAO,KAAK,GAAG,CAAA;AAGf,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,OAAO,MAAA,GAAS,CAAA,IAAK,MAAA,CAAO,CAAC,IAAK,MAAA,EAAQ;AAC/C,MAAA,MAAA,CAAO,KAAA,EAAM;AAAA,IACf;AAEA,IAAA,OAAO,MAAA,CAAO,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,mBAAmB,GAAA,EAAsB;AACvC,IAAA,MAAM,QAAQ,CAAC,IAAA,CAAK,OAAA,CAAQ,oBAAA,CAAqB,SAAS,GAAG,CAAA;AAC7D,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,IAAA,CAAK,OAAA,CAAQ,oBAAA,CAAqB,IAAA,CAAK,GAAG,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,GAAqB;AACnB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,UAAA,CAAW,KAAK,GAAG,CAAA;AAGxB,IAAA,MAAM,SAAS,GAAA,GAAM,GAAA;AACrB,IAAA,OAAO,IAAA,CAAK,WAAW,MAAA,GAAS,CAAA,IAAK,KAAK,UAAA,CAAW,CAAC,IAAK,MAAA,EAAQ;AACjE,MAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAAA,IACxB;AAEA,IAAA,OAAO,KAAK,UAAA,CAAW,MAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,QAAA,EAA0B;AACpC,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,QAAQ,GAAG,MAAA,IAAU,CAAA;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAA,GAA6B;AAC3B,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,KAAA,MAAW,MAAA,IAAU,IAAA,CAAK,WAAA,CAAY,MAAA,EAAO,EAAG;AAC9C,MAAA,KAAA,IAAS,MAAA,CAAO,MAAA;AAChB,MAAA,KAAA,EAAA;AAAA,IACF;AACA,IAAA,OAAO,KAAA,GAAQ,CAAA,GAAI,KAAA,GAAQ,KAAA,GAAQ,CAAA;AAAA,EACrC;AAAA;AAAA,EAGA,IAAI,cAAA,GAA0B;AAC5B,IAAA,OAAO,KAAK,OAAA,CAAQ,gBAAA;AAAA,EACtB;AAAA;AAAA,EAGA,UAAA,GAA6B;AAC3B,IAAA,OAAO,EAAE,GAAG,IAAA,CAAK,OAAA,EAAQ;AAAA,EAC3B;AACF;;;ACtKO,IAAM,wBAAN,MAAuD;AAAA,EAE5D,YAAY,OAAA,EAAgC;AAAA,EAC5C;AAAA,EAEA,MAAM,gBAAgB,OAAA,EAAqD;AAEzE,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AACxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,GAAS,IAAI,CAAA;AAQlC,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,MAAA;AAAA,MACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,UAAA,EAAY;AAAA,KACd;AAAA,EACF;AAAA,EAEQ,aAAa,OAAA,EAAkC;AACrD,IAAA,MAAM,SAAA,GACJ,OAAA,CAAQ,IAAA,KAAS,CAAA,GACb,wCAAA,GACA,2CAAA;AAEN,IAAA,MAAM,YAAA,GAAe,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,OAAO,CAAA,CAChD,GAAA,CAAI,CAAC,CAAC,CAAA,EAAG,CAAC,CAAA,KAAM,CAAA,EAAA,EAAK,CAAC,CAAA,EAAA,EAAK,OAAO,CAAA,KAAM,QAAA,GAAW,CAAA,GAAI,IAAA,CAAK,SAAA,CAAU,CAAC,CAAC,CAAA,CAAE,CAAA,CAC1E,IAAA,CAAK,IAAI,CAAA;AAEZ,IAAA,OAAO;AAAA,MACL,EAAA;AAAA,MACA,0ZAAA;AAAA,MACA,gFAAA;AAAA,MACA,0ZAAA;AAAA,MACA,CAAA,oBAAA,EAAkB,OAAA,CAAQ,SAAA,CAAU,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MAC9C,CAAA,QAAA,EAAM,SAAA,CAAU,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MAC1B,CAAA,oBAAA,EAAkB,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,EAAE,CAAA,CAAE,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA,CAAA;AAAA,MACxD,gFAAA;AAAA,MACA,CAAA,8EAAA,CAAA;AAAA,MACA,GAAG,YAAA,CAAa,KAAA,CAAM,IAAI,CAAA,CAAE,GAAA;AAAA,QAC1B,CAAC,IAAA,KAAS,CAAA,UAAA,EAAQ,IAAA,CAAK,MAAA,CAAO,EAAE,CAAC,CAAA,MAAA;AAAA,OACnC;AAAA,MACA,gFAAA;AAAA,MACA,gFAAA;AAAA,MACA,gFAAA;AAAA,MACA,0ZAAA;AAAA,MACA;AAAA,KACF,CAAE,KAAK,IAAI,CAAA;AAAA,EACb;AACF;AAKO,IAAM,0BAAN,MAAyD;AAAA,EACtD,QAAA;AAAA,EAER,YACE,QAAA,EACA;AACA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAAA,EAClB;AAAA,EAEA,MAAM,gBAAgB,OAAA,EAAqD;AACzE,IAAA,OAAO,IAAA,CAAK,SAAS,OAAO,CAAA;AAAA,EAC9B;AACF;AAKO,IAAM,qBAAN,MAAoD;AAAA,EACzD,MAAM,gBAAgB,QAAA,EAAsD;AAC1E,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,SAAA;AAAA,MACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,UAAA,EAAY;AAAA,KACd;AAAA,EACF;AACF;;;ACvGO,SAAS,kBAAkB,OAAA,EAEvB;AACT,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kDAAA,EAyH2C,QAAQ,aAAa,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAAA,CAAA;AAoDzE;AAKO,SAAS,sBAAsB,OAAA,EAK3B;AACT,EAAA,OAAO,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA,0BAAA,EAivBmB,QAAQ,aAAa,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA,0BAAA,EAkHrB,QAAQ,cAAc,CAAA;AAAA;AAAA,yBAAA,EAEvB,QAAQ,SAAA,GAAY,IAAA,CAAK,UAAU,OAAA,CAAQ,SAAS,IAAI,MAAM,CAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA,OAAA,CAAA;AA8hBzF;;;ACzgDA,IAAM,qBAAA,GAAwB,IAAI,EAAA,GAAK,GAAA;AACvC,IAAM,oBAAA,GAAuB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAA;AAC5C,IAAM,YAAA,GAAe,GAAA;AAMrB,IAAM,oBAAA,GAAuB,GAAA;AAC7B,IAAM,kBAAA,GAAqB,GAAA;AAC3B,IAAM,oBAAA,GAAuB,EAAA;AAC7B,IAAM,sBAAA,GAAyB,GAAA;AAOxB,IAAM,2BAAN,MAA0D;AAAA,EACvD,MAAA;AAAA,EACA,OAAA,uBAA2C,GAAA,EAAI;AAAA,EAC/C,UAAA,uBAAiC,GAAA,EAAI;AAAA,EACrC,UAAA,GAAyD,IAAA;AAAA,EACzD,MAAA,GAAiC,IAAA;AAAA,EACjC,QAAA,GAAmC,IAAA;AAAA,EACnC,QAAA,GAA4B,IAAA;AAAA,EAC5B,aAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,MAAA;AAAA;AAAA,EAEA,YAAA;AAAA;AAAA,EAEA,QAAA,uBAA8C,GAAA,EAAI;AAAA,EAClD,mBAAA,GAA6D,IAAA;AAAA;AAAA,EAE7D,UAAA,uBAA8C,GAAA,EAAI;AAAA,EAE1D,YAAY,MAAA,EAAyB;AACnC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,YAAY,MAAA,CAAO,UAAA;AACxB,IAAA,IAAA,CAAK,SAAS,CAAC,EAAE,OAAO,GAAA,EAAK,SAAA,IAAa,OAAO,GAAA,EAAK,QAAA,CAAA;AAEtD,IAAA,MAAM,WAAA,GAAc,OAAO,IAAA,KAAS,WAAA,IAAe,OAAO,IAAA,KAAS,WAAA,IAAe,OAAO,IAAA,KAAS,KAAA;AAClG,IAAA,IAAA,CAAK,YAAA,GAAe,cAAc,oBAAA,GAAuB,qBAAA;AACzD,IAAA,IAAA,CAAK,gBAAgB,qBAAA,CAAsB;AAAA,MACzC,gBAAgB,MAAA,CAAO,eAAA;AAAA,MACvB,aAAA,EAAe,iBAAA;AAAA,MACf,WAAW,IAAA,CAAK;AAAA,KACjB,CAAA;AACD,IAAA,IAAA,CAAK,SAAA,GAAY,iBAAA,CAAkB,EAAE,aAAA,EAAe,mBAAa,CAAA;AAEjE,IAAA,IAAA,CAAK,sBAAsB,WAAA,CAAY,MAAM,IAAA,CAAK,eAAA,IAAmB,GAAM,CAAA;AAAA,EAC7E;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAgB,IAAA,EAIP;AACP,IAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACnB,IAAA,IAAA,CAAK,WAAW,IAAA,CAAK,QAAA;AACrB,IAAA,IAAA,CAAK,WAAW,IAAA,CAAK,QAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,GAAuB;AAC3B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,MAAM,UAAU,CAAC,GAAA,EAAsB,QAAwB,IAAA,CAAK,aAAA,CAAc,KAAK,GAAG,CAAA;AAE1F,MAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,GAAA,EAAK;AAClC,QAAA,MAAM,OAAA,GAAU;AAAA,UACd,IAAA,EAAMC,eAAA,CAAa,IAAA,CAAK,MAAA,CAAO,IAAI,SAAS,CAAA;AAAA,UAC5C,GAAA,EAAKA,eAAA,CAAa,IAAA,CAAK,MAAA,CAAO,IAAI,QAAQ;AAAA,SAC5C;AACA,QAAA,IAAA,CAAK,UAAA,GAAaC,kBAAA,CAAkB,OAAA,EAAS,OAAO,CAAA;AAAA,MACtD,CAAA,MAAO;AACL,QAAA,IAAA,CAAK,UAAA,GAAaC,kBAAiB,OAAO,CAAA;AAAA,MAC5C;AAEA,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,MAAA,MAAM,OAAA,GAAU,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,OAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA;AAErE,MAAA,IAAA,CAAK,UAAA,CAAW,OAAO,IAAA,CAAK,MAAA,CAAO,MAAM,IAAA,CAAK,MAAA,CAAO,MAAM,MAAM;AAE/D,QAAA,MAAM,UAAA,GAAa,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,kBAAiB,GAAI,OAAA;AAG9D,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,UACb;AAAA,iCAAA,EAAsC,OAAO;AAAA;AAAA,SAC/C;AACA,QAAA,IAAI,KAAK,SAAA,EAAW;AAClB,UAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,CAAC,CAAA,GAAI,KAAA,GAAQ,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,EAAE,CAAA;AACzE,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,YACb,iBAAiB,IAAI;AAAA;AAAA,WACvB;AAAA,QACF;AACA,QAAA,OAAA,CAAQ,OAAO,KAAA,CAAM;AAAA,CAAI,CAAA;AAIzB,QAAA,MAAM,MAAA,GAAS,CAAC,EAAE,OAAA,CAAQ,GAAA,CAAI,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,EAAA,CAAA;AACvF,QAAA,MAAM,WAAA,GAAc,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,WAAA,IAAe,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,WAAA,IAAe,IAAA,CAAK,MAAA,CAAO,IAAA,KAAS,KAAA;AACjH,QAAA,MAAM,cAAA,GAAiB,CAAC,MAAA,KAAW,IAAA,CAAK,OAAO,SAAA,IAAa,WAAA,CAAA;AAC5D,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,IAAA,CAAK,cAAc,UAAU,CAAA;AAAA,QAC/B;AAEA,QAAA,OAAA,EAAQ;AAAA,MACV,CAAC,CAAA;AACD,MAAA,IAAA,CAAK,UAAA,CAAW,EAAA,CAAG,OAAA,EAAS,MAAM,CAAA;AAAA,IACpC,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAsB;AAE1B,IAAA,KAAA,MAAW,GAAG,OAAO,CAAA,IAAK,KAAK,OAAA,EAAS;AACtC,MAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAC1B,MAAA,OAAA,CAAQ,OAAA,CAAQ;AAAA,QACd,QAAA,EAAU,MAAA;AAAA,QACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACb,CAAA;AAAA,IACH;AACA,IAAA,IAAA,CAAK,QAAQ,KAAA,EAAM;AAGnB,IAAA,KAAA,MAAW,MAAA,IAAU,KAAK,UAAA,EAAY;AACpC,MAAA,MAAA,CAAO,GAAA,EAAI;AAAA,IACb;AACA,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAGtB,IAAA,IAAA,CAAK,SAAS,KAAA,EAAM;AACpB,IAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,MAAA,aAAA,CAAc,KAAK,mBAAmB,CAAA;AACtC,MAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA;AAAA,IAC7B;AAGA,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAGtB,IAAA,IAAI,KAAK,UAAA,EAAY;AACnB,MAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,KAAY;AAC9B,QAAA,IAAA,CAAK,UAAA,CAAY,KAAA,CAAM,MAAM,OAAA,EAAS,CAAA;AAAA,MACxC,CAAC,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBAAgB,OAAA,EAAqD;AACzE,IAAA,MAAM,EAAA,GAAKC,kBAAAA,CAAY,CAAC,CAAA,CAAE,SAAS,KAAK,CAAA;AAGxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,MACb,CAAA,+BAAA,EAAkC,OAAA,CAAQ,SAAS,CAAA,OAAA,EAAU,QAAQ,IAAI,CAAA;AAAA;AAAA,KAC3E;AAEA,IAAA,OAAO,IAAI,OAAA,CAA0B,CAAC,OAAA,KAAY;AAEhD,MAAA,MAAM,KAAA,GAAQ,WAAW,MAAM;AAC7B,QAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,EAAE,CAAA;AACtB,QAAA,MAAM,QAAA,GAA6B;AAAA;AAAA,UAEjC,QAAA,EAAU,MAAA;AAAA,UACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,UACnC,UAAA,EAAY;AAAA,SACd;AACA,QAAA,IAAA,CAAK,aAAa,kBAAA,EAAoB;AAAA,UACpC,UAAA,EAAY,EAAA;AAAA,UACZ,UAAU,QAAA,CAAS,QAAA;AAAA,UACnB,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA,OAAA,CAAQ,QAAQ,CAAA;AAAA,MAClB,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,eAAA,GAAkB,GAAI,CAAA;AAGrC,MAAA,MAAM,OAAA,GAA0B;AAAA,QAC9B,EAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,KAAA;AAAA,QACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACrC;AACA,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,EAAA,EAAI,OAAO,CAAA;AAG5B,MAAA,IAAA,CAAK,aAAa,iBAAA,EAAmB;AAAA,QACnC,UAAA,EAAY,EAAA;AAAA,QACZ,WAAW,OAAA,CAAQ,SAAA;AAAA,QACnB,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,SAAS,OAAA,CAAQ,OAAA;AAAA,QACjB,WAAW,OAAA,CAAQ;AAAA,OACpB,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcQ,SAAA,CAAU,GAAA,EAAsB,GAAA,EAAU,GAAA,EAA8B;AAC9E,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,EAAW,OAAO,IAAA;AAG5B,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,aAAA;AAC/B,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,MAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,KAAM,QAAA,IAAY,KAAA,CAAM,CAAC,CAAA,KAAM,IAAA,CAAK,SAAA,EAAW;AAC9E,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAIA,IAAA,MAAM,SAAA,GAAY,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,SAAS,CAAA;AAChD,IAAA,IAAI,SAAA,IAAa,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAChD,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,WAAA,CAAY,GAAA,EAAK,mBAAmB,CAAA;AAC/D,IAAA,IAAI,aAAA,IAAiB,IAAA,CAAK,eAAA,CAAgB,aAAa,CAAA,EAAG;AACxD,MAAA,OAAO,IAAA;AAAA,IACT;AAOA,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,yEAAA,EAAsE,CAAC,CAAA;AACvG,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,eAAA,CAAgB,KAAsB,GAAA,EAAmB;AAC/D,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,EAAW,OAAO,IAAA;AAE5B,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,aAAA;AAC/B,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,MAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,KAAM,QAAA,IAAY,KAAA,CAAM,CAAC,CAAA,KAAM,IAAA,CAAK,SAAA,EAAW;AAC9E,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,MAAM,SAAA,GAAY,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,SAAS,CAAA;AAChD,IAAA,IAAI,SAAA,IAAa,IAAA,CAAK,eAAA,CAAgB,SAAS,GAAG,OAAO,IAAA;AAEzD,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,WAAA,CAAY,GAAA,EAAK,mBAAmB,CAAA;AAC/D,IAAA,IAAI,aAAA,IAAiB,IAAA,CAAK,eAAA,CAAgB,aAAa,GAAG,OAAO,IAAA;AAEjE,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,WAAA,CAAY,KAAsB,IAAA,EAA6B;AACrE,IAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,MAAA;AAC3B,IAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AACpB,IAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA,EAAG;AACpC,MAAA,MAAM,CAAC,GAAA,EAAK,GAAG,IAAI,CAAA,GAAI,IAAA,CAAK,MAAM,GAAG,CAAA;AACrC,MAAA,IAAI,GAAA,EAAK,IAAA,EAAK,KAAM,IAAA,EAAM;AACxB,QAAA,OAAO,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,CAAE,IAAA,EAAK;AAAA,MAC7B;AAAA,IACF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,aAAA,GAAwB;AAE9B,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,IAAA,IAAQ,YAAA,EAAc;AACtC,MAAA,IAAA,CAAK,eAAA,EAAgB;AAErB,MAAA,IAAI,IAAA,CAAK,QAAA,CAAS,IAAA,IAAQ,YAAA,EAAc;AACtC,QAAA,MAAM,SAAS,CAAC,GAAG,KAAK,QAAA,CAAS,OAAA,EAAS,CAAA,CAAE,IAAA;AAAA,UAC1C,CAAC,GAAG,CAAA,KAAM,CAAA,CAAE,CAAC,CAAA,CAAE,UAAA,GAAa,CAAA,CAAE,CAAC,CAAA,CAAE;AAAA,UACjC,CAAC,CAAA;AACH,QAAA,IAAI,QAAQ,IAAA,CAAK,QAAA,CAAS,MAAA,CAAO,MAAA,CAAO,CAAC,CAAC,CAAA;AAAA,MAC5C;AAAA,IACF;AAEA,IAAA,MAAM,EAAA,GAAKA,kBAAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AACzC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAA,CAAK,QAAA,CAAS,IAAI,EAAA,EAAI;AAAA,MACpB,EAAA;AAAA,MACA,UAAA,EAAY,GAAA;AAAA,MACZ,UAAA,EAAY,MAAM,IAAA,CAAK;AAAA,KACxB,CAAA;AACD,IAAA,OAAO,EAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAgB,SAAA,EAA4B;AAClD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AAC3C,IAAA,IAAI,CAAC,SAAS,OAAO,KAAA;AACrB,IAAA,IAAI,IAAA,CAAK,GAAA,EAAI,GAAI,OAAA,CAAQ,UAAA,EAAY;AACnC,MAAA,IAAA,CAAK,QAAA,CAAS,OAAO,SAAS,CAAA;AAC9B,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAA,GAAwB;AAC9B,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,KAAK,QAAA,EAAU;AACzC,MAAA,IAAI,GAAA,GAAM,QAAQ,UAAA,EAAY;AAC5B,QAAA,IAAA,CAAK,QAAA,CAAS,OAAO,EAAE,CAAA;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,GAAA,EAA8B;AAClD,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,MAAA,CAAO,aAAA,IAAiB,SAAA;AAEzC,IAAA,OAAO,KAAK,UAAA,CAAW,SAAS,IAAI,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA,GAAI,IAAA;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAA,CACN,GAAA,EACA,GAAA,EACA,IAAA,EACS;AACT,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,aAAA,CAAc,GAAG,CAAA;AACnC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,cAAc,GAAA,GAAM,oBAAA;AAG1B,IAAA,IAAI,KAAA,GAAQ,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,IAAI,CAAA;AACpC,IAAA,IAAI,CAAC,KAAA,EAAO;AAEV,MAAA,IAAI,IAAA,CAAK,UAAA,CAAW,IAAA,IAAQ,sBAAA,EAAwB;AAClD,QAAA,IAAA,CAAK,gBAAgB,GAAG,CAAA;AAAA,MAC1B;AACA,MAAA,KAAA,GAAQ,EAAE,OAAA,EAAS,EAAC,EAAG,SAAA,EAAW,EAAC,EAAE;AACrC,MAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,IAAA,EAAM,KAAK,CAAA;AAAA,IACjC;AAGA,IAAA,KAAA,CAAM,UAAU,KAAA,CAAM,OAAA,CAAQ,MAAA,CAAO,CAAA,CAAA,KAAK,IAAI,WAAW,CAAA;AACzD,IAAA,KAAA,CAAM,YAAY,KAAA,CAAM,SAAA,CAAU,MAAA,CAAO,CAAA,CAAA,KAAK,IAAI,WAAW,CAAA;AAE7D,IAAA,MAAM,KAAA,GAAQ,IAAA,KAAS,WAAA,GAAc,oBAAA,GAAuB,kBAAA;AAC5D,IAAA,MAAM,UAAA,GAAa,MAAM,IAAI,CAAA;AAE7B,IAAA,IAAI,UAAA,CAAW,UAAU,KAAA,EAAO;AAC9B,MAAA,MAAM,UAAA,GAAa,KAAK,IAAA,CAAA,CAAM,UAAA,CAAW,CAAC,CAAA,GAAK,oBAAA,GAAuB,OAAO,GAAI,CAAA;AACjF,MAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,QACjB,cAAA,EAAgB,kBAAA;AAAA,QAChB,eAAe,MAAA,CAAO,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,UAAU,CAAC;AAAA,OAC9C,CAAA;AACD,MAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAA,CAAU;AAAA,QACrB,KAAA,EAAO,qBAAA;AAAA,QACP,mBAAA,EAAqB,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,UAAU;AAAA,OAC5C,CAAC,CAAA;AACF,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,UAAA,CAAW,KAAK,GAAG,CAAA;AACnB,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAgB,GAAA,EAAmB;AACzC,IAAA,MAAM,cAAc,GAAA,GAAM,oBAAA;AAC1B,IAAA,KAAA,MAAW,CAAC,IAAA,EAAM,KAAK,CAAA,IAAK,KAAK,UAAA,EAAY;AAC3C,MAAA,MAAM,SAAA,GACJ,KAAA,CAAM,OAAA,CAAQ,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,GAAI,WAAW,CAAA,IACvC,KAAA,CAAM,SAAA,CAAU,IAAA,CAAK,CAAA,CAAA,KAAK,IAAI,WAAW,CAAA;AAC3C,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,IAAA,CAAK,UAAA,CAAW,OAAO,IAAI,CAAA;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAIQ,aAAA,CAAc,KAAsB,GAAA,EAA2B;AACrE,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,GAAA,CAAI,GAAA,IAAO,GAAA,EAAK,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA,CAAE,CAAA;AAC/E,IAAA,MAAM,MAAA,GAAS,IAAI,MAAA,IAAU,KAAA;AAG7B,IAAA,MAAM,MAAA,GAAS,IAAI,OAAA,CAAQ,MAAA;AAC3B,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,IAAA,MAAM,UAAA,GAAa,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,OAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA;AACxE,IAAA,IAAI,WAAW,UAAA,EAAY;AACzB,MAAA,GAAA,CAAI,SAAA,CAAU,+BAA+B,MAAM,CAAA;AAAA,IACrD;AAEA,IAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,oBAAoB,CAAA;AAClE,IAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,6BAA6B,CAAA;AAE3E,IAAA,IAAI,WAAW,SAAA,EAAW;AACxB,MAAA,GAAA,CAAI,UAAU,GAAG,CAAA;AACjB,MAAA,GAAA,CAAI,GAAA,EAAI;AACR,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,KAAW,MAAA,IAAU,GAAA,CAAI,QAAA,KAAa,eAAA,EAAiB;AACzD,MAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,SAAS,CAAA,EAAG;AAC/C,MAAA,IAAI;AACF,QAAA,IAAA,CAAK,qBAAA,CAAsB,KAAK,GAAG,CAAA;AAAA,MACrC,CAAA,CAAA,MAAQ;AACN,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uBAAA,EAAyB,CAAC,CAAA;AAAA,MAC5D;AACA,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,WAAW,KAAA,IAAS,GAAA,CAAI,QAAA,KAAa,GAAA,IAAO,KAAK,SAAA,EAAW;AAC9D,MAAA,IAAI,CAAC,IAAA,CAAK,eAAA,CAAgB,GAAA,EAAK,GAAG,CAAA,EAAG;AACnC,QAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,SAAS,CAAA,EAAG;AAC/C,QAAA,IAAA,CAAK,eAAe,GAAG,CAAA;AACvB,QAAA;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK,GAAA,EAAK,GAAG,CAAA,EAAG;AAGpC,IAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,SAAS,CAAA,EAAG;AAE/C,IAAA,IAAI;AACF,MAAA,IAAI,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,QAAA,KAAa,GAAA,EAAK;AAC5C,QAAA,IAAA,CAAK,eAAe,GAAG,CAAA;AAAA,MACzB,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,SAAA,EAAW;AACzD,QAAA,IAAA,CAAK,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA,MACzB,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,aAAA,EAAe;AAC7D,QAAA,IAAA,CAAK,aAAa,GAAG,CAAA;AAAA,MACvB,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,cAAA,EAAgB;AAC9D,QAAA,IAAA,CAAK,kBAAkB,GAAG,CAAA;AAAA,MAC5B,CAAA,MAAA,IAAW,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,aAAa,gBAAA,EAAkB;AAChE,QAAA,IAAA,CAAK,cAAA,CAAe,KAAK,GAAG,CAAA;AAAA,MAC9B,WAAW,MAAA,KAAW,MAAA,IAAU,IAAI,QAAA,CAAS,UAAA,CAAW,eAAe,CAAA,EAAG;AAExE,QAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,WAAW,CAAA,EAAG;AACjD,QAAA,MAAM,EAAA,GAAK,GAAA,CAAI,QAAA,CAAS,KAAA,CAAM,gBAAgB,MAAM,CAAA;AACpD,QAAA,IAAA,CAAK,cAAA,CAAe,EAAA,EAAI,SAAA,EAAW,GAAG,CAAA;AAAA,MACxC,WAAW,MAAA,KAAW,MAAA,IAAU,IAAI,QAAA,CAAS,UAAA,CAAW,YAAY,CAAA,EAAG;AAErE,QAAA,IAAI,CAAC,IAAA,CAAK,cAAA,CAAe,GAAA,EAAK,GAAA,EAAK,WAAW,CAAA,EAAG;AACjD,QAAA,MAAM,EAAA,GAAK,GAAA,CAAI,QAAA,CAAS,KAAA,CAAM,aAAa,MAAM,CAAA;AACjD,QAAA,IAAA,CAAK,cAAA,CAAe,EAAA,EAAI,MAAA,EAAQ,GAAG,CAAA;AAAA,MACrC,CAAA,MAAO;AACL,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,WAAA,EAAa,CAAC,CAAA;AAAA,MAChD;AAAA,IACF,SAAS,GAAA,EAAK;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uBAAA,EAAyB,CAAC,CAAA;AAAA,IAC5D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaQ,qBAAA,CAAsB,KAAsB,GAAA,EAA2B;AAC7E,IAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AAEnB,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,UAAA,EAAY,SAAA,EAAW,CAAC,CAAA;AACjD,MAAA;AAAA,IACF;AAGA,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,aAAA;AAC/B,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,+BAAA,EAAiC,CAAC,CAAA;AAClE,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,IAAK,KAAA,CAAM,CAAC,CAAA,KAAM,QAAA,IAAY,KAAA,CAAM,CAAC,CAAA,KAAM,IAAA,CAAK,SAAA,EAAW;AAC9E,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,sBAAA,EAAwB,CAAC,CAAA;AACzD,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,SAAA,GAAY,KAAK,aAAA,EAAc;AACrC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,eAAe,GAAI,CAAA;AACtD,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc,CAAA,kBAAA,EAAqB,SAAS,CAAA,mCAAA,EAAsC,UAAU,CAAA;AAAA,KAC7F,CAAA;AACD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAA,CAAU;AAAA,MACrB,UAAA,EAAY,SAAA;AAAA,MACZ,kBAAA,EAAoB;AAAA,KACrB,CAAC,CAAA;AAAA,EACJ;AAAA,EAEQ,eAAe,GAAA,EAA2B;AAChD,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,0BAAA;AAAA,MAChB,eAAA,EAAiB;AAAA,KAClB,CAAA;AACD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAS,CAAA;AAAA,EACxB;AAAA,EAEQ,eAAe,GAAA,EAA2B;AAChD,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,0BAAA;AAAA,MAChB,eAAA,EAAiB;AAAA,KAClB,CAAA;AACD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,aAAa,CAAA;AAAA,EAC5B;AAAA,EAEQ,SAAA,CAAU,KAAsB,GAAA,EAA2B;AACjE,IAAA,GAAA,CAAI,UAAU,GAAA,EAAK;AAAA,MACjB,cAAA,EAAgB,mBAAA;AAAA,MAChB,eAAA,EAAiB,UAAA;AAAA,MACjB,YAAA,EAAc;AAAA,KACf,CAAA;AAGD,IAAA,MAAM,WAAoC,EAAC;AAE3C,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,QAAA,CAAS,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW;AAAA,IAC/C;AACA,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,QAAA,CAAS,MAAA,GAAS;AAAA,QAChB,oBAAA,EAAsB,KAAK,MAAA,CAAO,oBAAA;AAAA,QAClC,aAAA,EAAe,KAAK,MAAA,CAAO,aAAA;AAAA,QAC3B,kBAAA,EAAoB,KAAK,MAAA,CAAO,kBAAA;AAAA,QAChC,gBAAA,EAAkB;AAAA,UAChB,IAAA,EAAM,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,IAAA;AAAA,UACnC,eAAA,EAAiB,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,eAAA;AAAA,UAC9C,SAAA,EAAW;AAAA;AAAA;AACb,OACF;AAAA,IACF;AAGA,IAAA,MAAM,WAAA,GAAc,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MAChE,YAAY,CAAA,CAAE,EAAA;AAAA,MACd,SAAA,EAAW,EAAE,OAAA,CAAQ,SAAA;AAAA,MACrB,IAAA,EAAM,EAAE,OAAA,CAAQ,IAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,OAAA,CAAQ,MAAA;AAAA,MAClB,OAAA,EAAS,EAAE,OAAA,CAAQ,OAAA;AAAA,MACnB,SAAA,EAAW,EAAE,OAAA,CAAQ;AAAA,KACvB,CAAE,CAAA;AACF,IAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,MAAA,QAAA,CAAS,OAAA,GAAU,WAAA;AAAA,IACrB;AAEA,IAAA,GAAA,CAAI,KAAA,CAAM,CAAA;AAAA,MAAA,EAAsB,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAC;;AAAA,CAAM,CAAA;AAE9D,IAAA,IAAA,CAAK,UAAA,CAAW,IAAI,GAAG,CAAA;AAEvB,IAAA,GAAA,CAAI,EAAA,CAAG,SAAS,MAAM;AACpB,MAAA,IAAA,CAAK,UAAA,CAAW,OAAO,GAAG,CAAA;AAAA,IAC5B,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,aAAa,GAAA,EAA2B;AAC9C,IAAA,MAAM,MAAA,GAAkC;AAAA,MACtC,aAAA,EAAe,KAAK,OAAA,CAAQ,IAAA;AAAA,MAC5B,iBAAA,EAAmB,KAAK,UAAA,CAAW;AAAA,KACrC;AAEA,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,MAAA,CAAO,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW;AAAA,IAC7C;AACA,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,MAAA,CAAO,MAAA,GAAS;AAAA,QACd,OAAA,EAAS,KAAK,MAAA,CAAO,OAAA;AAAA,QACrB,oBAAA,EAAsB,KAAK,MAAA,CAAO,oBAAA;AAAA,QAClC,aAAA,EAAe,KAAK,MAAA,CAAO,aAAA;AAAA,QAC3B,kBAAA,EAAoB,KAAK,MAAA,CAAO,kBAAA;AAAA,QAChC,gBAAA,EAAkB;AAAA,UAChB,IAAA,EAAM,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,IAAA;AAAA,UACnC,eAAA,EAAiB,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,eAAA;AAAA,UAC9C,SAAA,EAAW;AAAA;AAAA;AACb,OACF;AAAA,IACF;AAEA,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AAAA,EAChC;AAAA,EAEQ,kBAAkB,GAAA,EAA2B;AACnD,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACzD,IAAI,CAAA,CAAE,EAAA;AAAA,MACN,SAAA,EAAW,EAAE,OAAA,CAAQ,SAAA;AAAA,MACrB,IAAA,EAAM,EAAE,OAAA,CAAQ,IAAA;AAAA,MAChB,MAAA,EAAQ,EAAE,OAAA,CAAQ,MAAA;AAAA,MAClB,OAAA,EAAS,EAAE,OAAA,CAAQ,OAAA;AAAA,MACnB,SAAA,EAAW,EAAE,OAAA,CAAQ,SAAA;AAAA,MACrB,YAAY,CAAA,CAAE;AAAA,KAChB,CAAE,CAAA;AAEF,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC,CAAA;AAAA,EAC9B;AAAA,EAEQ,cAAA,CAAe,KAAU,GAAA,EAA2B;AAC1D,IAAA,MAAM,KAAA,GAAQ,SAAS,GAAA,CAAI,YAAA,CAAa,IAAI,OAAO,CAAA,IAAK,MAAM,EAAE,CAAA;AAGhE,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,IAAA,CAAK,QAAA,CAAS,MAAM,EAAE,KAAA,EAAO,CAAA,CAAE,IAAA,CAAK,CAAC,OAAA,KAAY;AAC/C,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AAAA,MACjC,CAAC,CAAA,CAAE,KAAA,CAAM,MAAM;AACb,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,EAAE,CAAC,CAAA;AAAA,MAC5B,CAAC,CAAA;AAAA,IACH,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,EAAE,CAAC,CAAA;AAAA,IAC5B;AAAA,EACF;AAAA,EAEQ,cAAA,CAAe,EAAA,EAAY,QAAA,EAA8B,GAAA,EAA2B;AAC1F,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,EAAE,CAAA;AACnC,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uCAAA,EAAyC,CAAC,CAAA;AAC1E,MAAA;AAAA,IACF;AAGA,IAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAG1B,IAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,EAAE,CAAA;AAGtB,IAAA,MAAM,QAAA,GAA6B;AAAA,MACjC,QAAA;AAAA,MACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,UAAA,EAAY;AAAA,KACd;AAGA,IAAA,IAAA,CAAK,aAAa,kBAAA,EAAoB;AAAA,MACpC,UAAA,EAAY,EAAA;AAAA,MACZ,QAAA;AAAA,MACA,UAAA,EAAY;AAAA,KACb,CAAA;AAGD,IAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAExB,IAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,IAAA,GAAA,CAAI,GAAA,CAAI,KAAK,SAAA,CAAU,EAAE,SAAS,IAAA,EAAM,QAAA,EAAU,CAAC,CAAA;AAAA,EACrD;AAAA;AAAA,EAIA,YAAA,CAAa,OAAe,IAAA,EAAqB;AAC/C,IAAA,MAAM,OAAA,GAAU,UAAU,KAAK;AAAA,MAAA,EAAW,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC;;AAAA,CAAA;AAC9D,IAAA,KAAA,MAAW,MAAA,IAAU,KAAK,UAAA,EAAY;AACpC,MAAA,IAAI;AACF,QAAA,MAAA,CAAO,MAAM,OAAO,CAAA;AAAA,MACtB,CAAA,CAAA,MAAQ;AACN,QAAA,IAAA,CAAK,UAAA,CAAW,OAAO,MAAM,CAAA;AAAA,MAC/B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,oBAAoB,KAAA,EAKX;AACP,IAAA,IAAA,CAAK,YAAA,CAAa,eAAe,KAAK,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,uBAAA,GAAgC;AAC9B,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,IAAA,CAAK,YAAA,CAAa,iBAAA,EAAmB,IAAA,CAAK,QAAA,CAAS,YAAY,CAAA;AAAA,IACjE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,kBAAkB,IAAA,EAKT;AACP,IAAA,IAAA,CAAK,YAAA,CAAa,aAAa,IAAI,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA,EAKA,6BAA6B,IAAA,EAMpB;AACP,IAAA,IAAA,CAAK,YAAA,CAAa,yBAAyB,IAAI,CAAA;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA,EAKA,0BAA0B,IAAA,EAAqC;AAC7D,IAAA,IAAA,CAAK,YAAA,CAAa,qBAAqB,IAAI,CAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,GAAA,EAAmB;AACvC,IAAA,MAAMC,OAAKC,WAAA,EAAS;AACpB,IAAA,IAAI,GAAA;AACJ,IAAA,IAAID,SAAO,QAAA,EAAU;AACnB,MAAA,GAAA,GAAM,SAAS,GAAG,CAAA,CAAA,CAAA;AAAA,IACpB,CAAA,MAAA,IAAWA,SAAO,OAAA,EAAS;AACzB,MAAA,GAAA,GAAM,aAAa,GAAG,CAAA,CAAA,CAAA;AAAA,IACxB,CAAA,MAAO;AACL,MAAA,GAAA,GAAM,aAAa,GAAG,CAAA,CAAA,CAAA;AAAA,IACxB;AACA,IAAAE,kBAAA,CAAK,GAAA,EAAK,CAAC,GAAA,KAAQ;AACjB,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,UACb,CAAA;;AAAA;AAAA,SACF;AAAA,MACF;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,gBAAA,GAA2B;AACzB,IAAA,MAAM,SAAA,GAAY,KAAK,aAAA,EAAc;AACrC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,IAAA,OAAO,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,UAAA,EAAa,SAAS,CAAA,CAAA;AAAA,EACpF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAqB;AACnB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,GAAS,OAAA,GAAU,MAAA;AACzC,IAAA,OAAO,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,OAAO,IAAI,CAAA,CAAA,EAAI,IAAA,CAAK,MAAA,CAAO,IAAI,CAAA,CAAA;AAAA,EAC9D;AAAA;AAAA,EAGA,IAAI,YAAA,GAAuB;AACzB,IAAA,OAAO,KAAK,OAAA,CAAQ,IAAA;AAAA,EACtB;AAAA;AAAA,EAGA,IAAI,WAAA,GAAsB;AACxB,IAAA,OAAO,KAAK,UAAA,CAAW,IAAA;AAAA,EACzB;AACF;ACrzBO,SAAS,WAAA,CAAY,MAAc,MAAA,EAAwB;AAChE,EAAA,OAAOC,iBAAA,CAAW,UAAU,MAAM,CAAA,CAAE,OAAO,IAAI,CAAA,CAAE,OAAO,KAAK,CAAA;AAC/D;AAKO,SAAS,eAAA,CACd,IAAA,EACA,SAAA,EACA,MAAA,EACS;AACT,EAAA,MAAM,QAAA,GAAW,WAAA,CAAY,IAAA,EAAM,MAAM,CAAA;AACzC,EAAA,IAAI,QAAA,CAAS,MAAA,KAAW,SAAA,CAAU,MAAA,EAAQ,OAAO,KAAA;AAEjD,EAAA,IAAI,QAAA,GAAW,CAAA;AACf,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,QAAQ,CAAA,EAAA,EAAK;AACxC,IAAA,QAAA,IAAY,SAAS,UAAA,CAAW,CAAC,CAAA,GAAI,SAAA,CAAU,WAAW,CAAC,CAAA;AAAA,EAC7D;AACA,EAAA,OAAO,QAAA,KAAa,CAAA;AACtB;AAIO,IAAM,yBAAN,MAAwD;AAAA,EACrD,MAAA;AAAA,EACA,OAAA,uBAAkD,GAAA,EAAI;AAAA,EACtD,cAAA,GAA6D,IAAA;AAAA,EAErE,YAAY,MAAA,EAAuB;AACjC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAA,GAAuB;AAC3B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,IAAA,CAAK,cAAA,GAAiBL,iBAAAA;AAAA,QAAiB,CAAC,GAAA,EAAK,GAAA,KAC3C,IAAA,CAAK,cAAA,CAAe,KAAK,GAAG;AAAA,OAC9B;AACA,MAAA,IAAA,CAAK,cAAA,CAAe,MAAA;AAAA,QAClB,KAAK,MAAA,CAAO,aAAA;AAAA,QACZ,KAAK,MAAA,CAAO,aAAA;AAAA,QACZ,MAAM;AACJ,UAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,YACb;AAAA,qCAAA,EAA0C,KAAK,MAAA,CAAO,aAAa,CAAA,CAAA,EAAI,IAAA,CAAK,OAAO,aAAa;AAAA,kBAAA,EACzE,IAAA,CAAK,OAAO,WAAW;;AAAA;AAAA,WAChD;AACA,UAAA,OAAA,EAAQ;AAAA,QACV;AAAA,OACF;AACA,MAAA,IAAA,CAAK,cAAA,CAAe,EAAA,CAAG,OAAA,EAAS,MAAM,CAAA;AAAA,IACxC,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAsB;AAE1B,IAAA,KAAA,MAAW,GAAG,OAAO,CAAA,IAAK,KAAK,OAAA,EAAS;AACtC,MAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAC1B,MAAA,OAAA,CAAQ,OAAA,CAAQ;AAAA,QACd,QAAA,EAAU,MAAA;AAAA,QACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACb,CAAA;AAAA,IACH;AACA,IAAA,IAAA,CAAK,QAAQ,KAAA,EAAM;AAEnB,IAAA,IAAI,KAAK,cAAA,EAAgB;AACvB,MAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,KAAY;AAC9B,QAAA,IAAA,CAAK,cAAA,CAAgB,KAAA,CAAM,MAAM,OAAA,EAAS,CAAA;AAAA,MAC5C,CAAC,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,OAAA,EAAqD;AACzE,IAAA,MAAM,EAAA,GAAKC,kBAAAA,CAAY,CAAC,CAAA,CAAE,SAAS,KAAK,CAAA;AAGxC,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,MACb,CAAA,mCAAA,EAAsC,OAAA,CAAQ,SAAS,CAAA,OAAA,EAAU,QAAQ,IAAI,CAAA;AAAA;AAAA,KAC/E;AAEA,IAAA,OAAO,IAAI,OAAA,CAA0B,CAAC,OAAA,KAAY;AAEhD,MAAA,MAAM,KAAA,GAAQ,WAAW,MAAM;AAC7B,QAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,EAAE,CAAA;AACtB,QAAA,MAAM,QAAA,GAA6B;AAAA;AAAA,UAEjC,QAAA,EAAU,MAAA;AAAA,UACV,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,UACnC,UAAA,EAAY;AAAA,SACd;AACA,QAAA,OAAA,CAAQ,QAAQ,CAAA;AAAA,MAClB,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,eAAA,GAAkB,GAAI,CAAA;AAGrC,MAAA,MAAM,OAAA,GAAiC;AAAA,QACrC,EAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,KAAA;AAAA,QACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACrC;AACA,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,EAAA,EAAI,OAAO,CAAA;AAG5B,MAAA,MAAM,WAAA,GAAc,CAAA,OAAA,EAAU,IAAA,CAAK,MAAA,CAAO,aAAa,IAAI,IAAA,CAAK,MAAA,CAAO,aAAa,CAAA,iBAAA,EAAoB,EAAE,CAAA,CAAA;AAC1G,MAAA,MAAM,OAAA,GAA0B;AAAA,QAC9B,UAAA,EAAY,EAAA;AAAA,QACZ,WAAW,OAAA,CAAQ,SAAA;AAAA,QACnB,MAAM,OAAA,CAAQ,IAAA;AAAA,QACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,SAAS,OAAA,CAAQ,OAAA;AAAA,QACjB,WAAW,OAAA,CAAQ,SAAA;AAAA,QACnB,YAAA,EAAc,WAAA;AAAA,QACd,eAAA,EAAiB,KAAK,MAAA,CAAO;AAAA,OAC/B;AAGA,MAAA,IAAA,CAAK,WAAA,CAAY,OAAO,CAAA,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AACvC,QAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,UACb,wCAAwC,GAAA,YAAe,KAAA,GAAQ,IAAI,OAAA,GAAU,MAAA,CAAO,GAAG,CAAC;AAAA;AAAA,SAC1F;AAAA,MACF,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AAAA;AAAA,EAIA,MAAc,YAAY,OAAA,EAAwC;AAChE,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA;AACnC,IAAA,MAAM,SAAA,GAAY,WAAA,CAAY,IAAA,EAAM,IAAA,CAAK,OAAO,cAAc,CAAA;AAE9D,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,IAAA,CAAK,OAAO,WAAA,EAAa;AAAA,MACpD,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,uBAAA,EAAyB,SAAA;AAAA,QACzB,0BAA0B,OAAA,CAAQ;AAAA,OACpC;AAAA,MACA;AAAA,KACD,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,iBAAA,EAAoB,QAAA,CAAS,MAAM,CAAA,EAAA,EAAK,MAAM,QAAA,CAAS,IAAA,EAAK,CAAE,KAAA,CAAM,MAAM,EAAE,CAAC,CAAA;AAAA,OAC/E;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAIQ,cAAA,CAAe,KAAsB,GAAA,EAA2B;AACtE,IAAA,MAAM,MAAM,IAAI,GAAA;AAAA,MACd,IAAI,GAAA,IAAO,GAAA;AAAA,MACX,CAAA,OAAA,EAAU,GAAA,CAAI,OAAA,CAAQ,IAAA,IAAQ,WAAW,CAAA;AAAA,KAC3C;AACA,IAAA,MAAM,MAAA,GAAS,IAAI,MAAA,IAAU,KAAA;AAG7B,IAAA,GAAA,CAAI,SAAA,CAAU,+BAA+B,GAAG,CAAA;AAChD,IAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,eAAe,CAAA;AAC7D,IAAA,GAAA,CAAI,SAAA;AAAA,MACF,8BAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAI,WAAW,SAAA,EAAW;AACxB,MAAA,GAAA,CAAI,UAAU,GAAG,CAAA;AACjB,MAAA,GAAA,CAAI,GAAA,EAAI;AACR,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,KAAW,KAAA,IAAS,GAAA,CAAI,QAAA,KAAa,SAAA,EAAW;AAClD,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,GAAA;AAAA,QACF,KAAK,SAAA,CAAU;AAAA,UACb,MAAA,EAAQ,IAAA;AAAA,UACR,aAAA,EAAe,KAAK,OAAA,CAAQ;AAAA,SAC7B;AAAA,OACH;AACA,MAAA;AAAA,IACF;AAGA,IAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,QAAA,CAAS,KAAA,CAAM,mCAAmC,CAAA;AACpE,IAAA,IAAI,MAAA,KAAW,MAAA,IAAU,CAAC,KAAA,EAAO;AAC/B,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,WAAA,EAAa,CAAC,CAAA;AAC9C,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,SAAA,GAAY,MAAM,CAAC,CAAA;AAGzB,IAAA,IAAI,aAAuB,EAAC;AAC5B,IAAA,GAAA,CAAI,GAAG,MAAA,EAAQ,CAAC,UAAkB,UAAA,CAAW,IAAA,CAAK,KAAK,CAAC,CAAA;AACxD,IAAA,GAAA,CAAI,EAAA,CAAG,OAAO,MAAM;AAClB,MAAA,MAAM,OAAO,MAAA,CAAO,MAAA,CAAO,UAAU,CAAA,CAAE,SAAS,OAAO,CAAA;AAGvD,MAAA,MAAM,SAAA,GAAY,GAAA,CAAI,OAAA,CAAQ,uBAAuB,CAAA;AACrD,MAAA,IACE,OAAO,SAAA,KAAc,QAAA,IACrB,CAAC,eAAA,CAAgB,MAAM,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,cAAc,CAAA,EAC5D;AACA,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,qBAAqB;AAAA,SAC/C;AACA,QAAA;AAAA,MACF;AAGA,MAAA,IAAI,eAAA;AACJ,MAAA,IAAI;AACF,QAAA,eAAA,GAAkB,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,MACnC,CAAA,CAAA,MAAQ;AACN,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,cAAA,EAAgB,CAAC,CAAA;AACjD,QAAA;AAAA,MACF;AAGA,MAAA,IACE,eAAA,CAAgB,QAAA,KAAa,SAAA,IAC7B,eAAA,CAAgB,aAAa,MAAA,EAC7B;AACA,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,KAAK,SAAA,CAAU;AAAA,YACb,KAAA,EAAO;AAAA,WACR;AAAA,SACH;AACA,QAAA;AAAA,MACF;AAGA,MAAA,IAAI,eAAA,CAAgB,eAAe,SAAA,EAAW;AAC5C,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,uBAAuB;AAAA,SACjD;AACA,QAAA;AAAA,MACF;AAGA,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,SAAS,CAAA;AAC1C,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,QAAA,GAAA,CAAI,GAAA;AAAA,UACF,KAAK,SAAA,CAAU;AAAA,YACb,KAAA,EAAO;AAAA,WACR;AAAA,SACH;AACA,QAAA;AAAA,MACF;AAGA,MAAA,YAAA,CAAa,QAAQ,KAAK,CAAA;AAC1B,MAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,SAAS,CAAA;AAE7B,MAAA,MAAM,QAAA,GAA6B;AAAA,QACjC,UAAU,eAAA,CAAgB,QAAA;AAAA,QAC1B,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QACnC,UAAA,EAAY;AAAA,OACd;AAEA,MAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAExB,MAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,oBAAoB,CAAA;AACzD,MAAA,GAAA,CAAI,GAAA;AAAA,QACF,KAAK,SAAA,CAAU;AAAA,UACb,OAAA,EAAS,IAAA;AAAA,UACT,UAAU,eAAA,CAAgB;AAAA,SAC3B;AAAA,OACH;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA;AAAA,EAGA,IAAI,YAAA,GAAuB;AACzB,IAAA,OAAO,KAAK,OAAA,CAAQ,IAAA;AAAA,EACtB;AACF;;;ACpVA,IAAM,sBAAA,GAAyB;AAAA,EAC7B,sDAAA;AAAA,EACA,kBAAA;AAAA,EACA,yDAAA;AAAA,EACA,oCAAA;AAAA,EACA,sDAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,wBAAA,GAA2B;AAAA,EAC/B,yDAAA;AAAA,EACA,qDAAA;AAAA,EACA,kFAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,wBAAA,GAA2B;AAAA,EAC/B,cAAA;AAAA,EACA,cAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,WAAA,GAAc,wBAAA;AACpB,IAAM,aAAA,GAAgB,gDAAA;AAGtB,IAAM,gBAAA,GAAmB;AAAA,EACvB,QAAA;AAAA;AAAA,EACA,QAAA;AAAA;AAAA,EACA,QAAA;AAAA;AAAA,EACA;AAAA;AACF,CAAA;AAEO,IAAM,oBAAN,MAAwB;AAAA,EACrB,MAAA;AAAA,EACA,KAAA,GAAQ;AAAA,IACd,WAAA,EAAa,CAAA;AAAA,IACb,WAAA,EAAa,CAAA;AAAA,IACb,YAAA,EAAc,CAAA;AAAA,IACd,iBAAiB;AAAC,GACpB;AAAA,EAEA,WAAA,CAAY,MAAA,GAA2C,EAAC,EAAG;AACzD,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,OAAA,EAAS,OAAO,OAAA,IAAW,IAAA;AAAA,MAC3B,WAAA,EAAa,OAAO,WAAA,IAAe,QAAA;AAAA,MACnC,YAAA,EAAc,OAAO,YAAA,IAAgB,UAAA;AAAA,MACrC,eAAA,EAAiB,MAAA,CAAO,eAAA,IAAmB;AAAC,KAC9C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,IAAA,CAAK,UAAkB,IAAA,EAAgD;AACrE,IAAA,IAAA,CAAK,KAAA,CAAM,WAAA,EAAA;AAEX,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,CAAA;AAAA,QACZ,SAAS,EAAC;AAAA,QACV,cAAA,EAAgB;AAAA,OAClB;AAAA,IACF;AAEA,IAAA,MAAM,UAA6B,EAAC;AACpC,IAAA,MAAM,OAAA,uBAAc,GAAA,EAAa;AAGjC,IAAA,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,EAAA,EAAI,QAAA,EAAU,SAAS,OAAO,CAAA;AAEnD,IAAA,MAAM,OAAA,GAAU,QAAQ,MAAA,GAAS,CAAA;AACjC,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,IAAA,CAAK,KAAA,CAAM,WAAA,EAAA;AAAA,IACb;AAEA,IAAA,KAAA,MAAW,OAAO,OAAA,EAAS;AACzB,MAAA,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA,GAAA,CAChC,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA,IAAK,CAAA,IAAK,CAAA;AAAA,IAClD;AAEA,IAAA,MAAM,iBAAiB,IAAA,CAAK,qBAAA;AAAA,MAC1B,OAAA;AAAA,MACA,KAAK,MAAA,CAAO;AAAA,KACd;AAEA,IAAA,IAAI,mBAAmB,OAAA,EAAS;AAC9B,MAAA,IAAA,CAAK,KAAA,CAAM,YAAA,EAAA;AAAA,IACb;AAEA,IAAA,OAAO;AAAA,MACL,OAAA;AAAA,MACA,UAAA,EAAY,IAAA,CAAK,iBAAA,CAAkB,OAAO,CAAA;AAAA,MAC1C,OAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,SAAA,CACN,KAAA,EACA,IAAA,EACA,QAAA,EACA,SACA,OAAA,EACM;AAEN,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,KAAK,CAAA,EAAG;AACxB,MAAA,OAAA,CAAQ,IAAI,KAAK,CAAA;AAAA,IACnB;AAEA,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,MAAA,IAAA,CAAK,UAAA,CAAW,KAAA,EAAO,IAAA,EAAM,QAAA,EAAU,OAAO,CAAA;AAAA,IAChD,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC/B,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,QAAA,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,CAAC,CAAA,EAAG,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA,CAAA,EAAK,QAAA,EAAU,OAAA,EAAS,OAAO,CAAA;AAAA,MACtE;AAAA,IACF,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,IAAY,UAAU,IAAA,EAAM;AACtD,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,GAAG,KAAK,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC9C,QAAA,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK,IAAA,GAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA,GAAK,GAAA,EAAK,QAAA,EAAU,OAAA,EAAS,OAAO,CAAA;AAAA,MAC/E;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,UAAA,CACN,KAAA,EACA,IAAA,EACA,SAAA,EACA,OAAA,EACM;AAEN,IAAA,IAAI,IAAA,CAAK,WAAA,CAAY,IAAI,CAAA,EAAG;AAC1B,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,WAAW,IAAA,IAAQ,MAAA;AAOzB,IAAA,MAAM,aAAa,IAAA,CAAK,oBAAA,CAAqB,KAAA,CAAM,SAAA,CAAU,MAAM,CAAC,CAAA;AAGpE,IAAA,IAAI,eAAe,KAAA,EAAO;AACxB,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,6BAAA;AAAA,QACT,QAAA;AAAA,QACA,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAKA,IAAA,KAAA,MAAW,WAAW,sBAAA,EAAwB;AAC5C,MAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,UAAU,CAAA,EAAG;AAC5B,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,IAAA,EAAM,eAAA;AAAA,UACN,SAAS,OAAA,CAAQ,MAAA;AAAA,UACjB,QAAA;AAAA,UACA,QAAA,EAAU;AAAA,SACX,CAAA;AACD,QAAA;AAAA,MACF;AAAA,IACF;AAKA,IAAA,KAAA,MAAW,WAAW,wBAAA,EAA0B;AAC9C,MAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,UAAU,CAAA,EAAG;AAC5B,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,IAAA,EAAM,iBAAA;AAAA,UACN,SAAS,OAAA,CAAQ,MAAA;AAAA,UACjB,QAAA;AAAA,UACA,QAAA,EAAU;AAAA,SACX,CAAA;AACD,QAAA;AAAA,MACF;AAAA,IACF;AAKA,IAAA,IAAI,CAAC,IAAA,CAAK,eAAA,CAAgB,IAAI,CAAA,EAAG;AAC/B,MAAA,KAAA,MAAW,WAAW,wBAAA,EAA0B;AAC9C,QAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,UAAU,CAAA,EAAG;AAC5B,UAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,YACX,IAAA,EAAM,2BAAA;AAAA,YACN,SAAS,OAAA,CAAQ,MAAA;AAAA,YACjB,QAAA;AAAA,YACA,QAAA,EAAU;AAAA,WACX,CAAA;AACD,UAAA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAKA,IAAA,IAAA,CAAK,qBAAA,CAAsB,KAAA,EAAO,QAAA,EAAU,OAAO,CAAA;AAKnD,IAAA,IAAA,CAAK,sBAAA,CAAuB,KAAA,EAAO,QAAA,EAAU,OAAO,CAAA;AAKpD,IAAA,IAAA,CAAK,oBAAA,CAAqB,KAAA,EAAO,QAAA,EAAU,OAAO,CAAA;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAA,CACN,KAAA,EACA,IAAA,EACA,OAAA,EACM;AAEN,IAAA,IACE,KAAA,CAAM,SAAS,EAAA,IACf,wBAAA,CAAyB,KAAK,KAAA,CAAM,IAAA,EAAM,CAAA,EAC1C;AACA,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,eAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAGA,IAAA,IAAI,cAAA,GAAiB,CAAA;AACrB,IAAA,KAAA,MAAW,QAAQ,gBAAA,EAAkB;AACnC,MAAA,cAAA,IAAA,CAAmB,KAAA,CAAM,MAAM,IAAI,MAAA,CAAO,MAAM,GAAG,CAAC,CAAA,IAAK,EAAC,EAAG,MAAA;AAAA,IAC/D;AAEA,IAAA,IAAI,iBAAiB,CAAA,EAAG;AACtB,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,uBAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAIA,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,IAAA,CAAK,KAAK,CAAA;AACtC,IAAA,MAAM,MAAA,GAAS,2CAAA,CAA4C,IAAA,CAAK,KAAK,CAAA;AACrE,IAAA,MAAM,SAAA,GAAY,iBAAA,CAAkB,IAAA,CAAK,KAAK,CAAA;AAC9C,IAAA,MAAM,WAAA,GAAc,iBAAA,CAAkB,IAAA,CAAK,KAAK,CAAA;AAEhD,IAAA,MAAM,oBAAoB,CAAC,QAAA,EAAU,MAAA,EAAQ,SAAA,EAAW,WAAW,CAAA,CAAE,MAAA;AAAA,MACnE,CAAC,CAAA,KAAM;AAAA,KACT,CAAE,MAAA;AAEF,IAAA,IAAI,qBAAqB,CAAA,EAAG;AAC1B,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,yBAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,sBAAA,CACN,KAAA,EACA,IAAA,EACA,OAAA,EACM;AAEN,IAAA,IAAI,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA,EAAG;AAC7B,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,IAAA,CAAK,KAAK,CAAA,EAAG;AAC3B,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,mBAAA;AAAA,QACN,OAAA,EAAS,eAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAGA,IAAA,IAAI,aAAA,CAAc,KAAK,KAAK,CAAA,IAAK,CAAC,IAAA,CAAK,gBAAA,CAAiB,IAAI,CAAA,EAAG;AAC7D,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,mBAAA;AAAA,QACN,OAAA,EAAS,iBAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAIA,IAAA,IAAI,KAAA,CAAM,MAAA,GAAS,EAAA,IAAM,KAAA,CAAM,MAAA,GAAS,OAAS,CAAC,IAAA,CAAK,iBAAA,CAAkB,IAAI,CAAA,EAAG;AAE9E,MAAA,MAAM,cAAA,GAAiB,uBAAA,CAAwB,IAAA,CAAK,KAAK,CAAA;AACzD,MAAA,MAAM,aAAA,GAAgB,0BAAA,CAA2B,IAAA,CAAK,KAAK,CAAA;AAE3D,MAAA,IAAI,kBAAkB,aAAA,EAAe;AACnC,QAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,UACX,IAAA,EAAM,mBAAA;AAAA,UACN,OAAA,EAAS,2BAAA;AAAA,UACT,UAAU,IAAA,IAAQ,MAAA;AAAA,UAClB,QAAA,EAAU;AAAA,SACX,CAAA;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAA,CACN,KAAA,EACA,IAAA,EACA,OAAA,EACM;AAEN,IAAA,IAAI,KAAA,CAAM,SAAS,KAAA,EAAO;AACxB,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,IAAA,EAAM,iBAAA;AAAA,QACN,OAAA,EAAS,cAAA;AAAA,QACT,UAAU,IAAA,IAAQ,MAAA;AAAA,QAClB,QAAA,EAAU;AAAA,OACX,CAAA;AAAA,IACH;AAKA,IAAA,IAAI,KAAA,CAAM,UAAU,GAAA,EAAK;AACvB,MAAA,MAAM,WAAA,GAAc,CAAC,EAAA,EAAI,EAAA,EAAI,EAAE,CAAA;AAC/B,MAAA,KAAA,MAAW,cAAc,WAAA,EAAa;AACpC,QAAA,IAAI,KAAA,CAAM,MAAA,GAAS,UAAA,GAAa,CAAA,EAAG;AACnC,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,SAAA,CAAU,CAAA,EAAG,UAAU,CAAA;AAC7C,QAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,QAAA,IAAI,GAAA,GAAM,CAAA;AACV,QAAA,OAAO,GAAA,IAAO,KAAA,CAAM,MAAA,GAAS,UAAA,EAAY;AACvC,UAAA,IAAI,MAAM,SAAA,CAAU,GAAA,EAAK,GAAA,GAAM,UAAU,MAAM,OAAA,EAAS;AACtD,YAAA,KAAA,EAAA;AACA,YAAA,GAAA,IAAO,UAAA;AAAA,UACT,CAAA,MAAO;AACL,YAAA,GAAA,EAAA;AAAA,UACF;AACA,UAAA,IAAI,SAAS,EAAA,EAAI;AAAA,QACnB;AACA,QAAA,IAAI,SAAS,EAAA,EAAI;AACf,UAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,YACX,IAAA,EAAM,iBAAA;AAAA,YACN,OAAA,EAAS,iBAAA;AAAA,YACT,UAAU,IAAA,IAAQ,MAAA;AAAA,YAClB,QAAA,EAAU;AAAA,WACX,CAAA;AACD,UAAA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,IAAA,EAAuB;AAEzC,IAAA,MAAM,SAAA,GAAY;AAAA,MAChB,aAAA;AAAA,MACA,eAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,UAAA;AAAA,MACA,eAAA;AAAA,MACA,gBAAA;AAAA,MACA,iBAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,QAAA;AAAA,MACA,eAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,OAAO,UAAU,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAgB,IAAA,EAAuB;AAC7C,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,YAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,WAAW,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,IAAA,EAAuB;AAC5C,IAAA,MAAM,SAAA,GAAY;AAAA,MAChB,MAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,UAAU,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAiB,IAAA,EAAuB;AAC9C,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,QAAA;AAAA,MACA,UAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,YAAY,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,IAAA,EAAuB;AAC/C,IAAA,MAAM,gBAAA,GAAmB;AAAA,MACvB,OAAA;AAAA,MACA,UAAA;AAAA,MACA,OAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,iBAAiB,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,qBAAqB,KAAA,EAAuB;AAGlD,IAAA,MAAM,WAAA,GAAsC;AAAA;AAAA,MAE1C,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA;AAAA,MAEzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA;AAAA,MACV,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA;AAAA,MACV,QAAA,EAAU,GAAA;AAAA;AAAA,MACV,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU,GAAA;AAAA;AAAA,MACzB,QAAA,EAAU,GAAA;AAAA,MAAK,QAAA,EAAU;AAAA;AAAA,KAC3B;AAEA,IAAA,IAAI,MAAA,GAAS,KAAA;AAGb,IAAA,IAAI,cAAA,CAAe,IAAA,CAAK,KAAK,CAAA,EAAG;AAC9B,MAAA,MAAM,QAAQ,EAAC;AACf,MAAA,KAAA,MAAW,MAAM,MAAA,EAAQ;AACvB,QAAA,KAAA,CAAM,IAAA,CAAK,WAAA,CAAY,EAAE,CAAA,IAAK,EAAE,CAAA;AAAA,MAClC;AACA,MAAA,MAAA,GAAS,KAAA,CAAM,KAAK,EAAE,CAAA;AAAA,IACxB;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,kBAAkB,OAAA,EAAoC;AAC5D,IAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,CAAA;AAEjC,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,IAAI,SAAA,GAAY,CAAA;AAEhB,IAAA,KAAA,MAAW,OAAO,OAAA,EAAS;AACzB,MAAA,QAAQ,IAAI,QAAA;AAAU,QACpB,KAAK,MAAA;AACH,UAAA,SAAA,EAAA;AACA,UAAA,KAAA,IAAS,IAAA;AACT,UAAA;AAAA,QACF,KAAK,QAAA;AACH,UAAA,KAAA,IAAS,IAAA;AACT,UAAA;AAAA,QACF,KAAK,KAAA;AACH,UAAA,KAAA,IAAS,IAAA;AACT,UAAA;AAAA;AACJ,IACF;AAGA,IAAA,IAAI,YAAY,CAAA,EAAG;AACjB,MAAA,KAAA,IAAA,CAAU,YAAY,CAAA,IAAK,IAAA;AAAA,IAC7B;AAGA,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,CAAG,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAA,CACN,SACA,WAAA,EACgC;AAChC,IAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,CAAA,EAAG,OAAO,OAAA;AAEjC,IAAA,MAAM,eAAe,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,MAAM,CAAA;AAChE,IAAA,MAAM,iBAAiB,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,QAAQ,CAAA;AAEpE,IAAA,QAAQ,WAAA;AAAa,MACnB,KAAK,KAAA;AAEH,QAAA,OAAO,YAAA,CAAa,MAAA,GAAS,CAAA,GAAI,UAAA,GAAa,OAAA;AAAA,MAEhD,KAAK,QAAA;AAEH,QAAA,IAAI,YAAA,CAAa,MAAA,GAAS,CAAA,EAAG,OAAO,OAAA;AACpC,QAAA,OAAO,cAAA,CAAe,MAAA,GAAS,CAAA,GAAI,UAAA,GAAa,OAAA;AAAA,MAElD,KAAK,MAAA;AAEH,QAAA,IAAI,aAAa,MAAA,GAAS,CAAA,IAAK,cAAA,CAAe,MAAA,GAAS,GAAG,OAAO,OAAA;AACjE,QAAA,IAAI,cAAA,CAAe,MAAA,GAAS,CAAA,EAAG,OAAO,OAAA;AACtC,QAAA,OAAO,OAAA,CAAQ,MAAA,GAAS,CAAA,GAAI,UAAA,GAAa,OAAA;AAAA;AAC7C,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA,GAKE;AACA,IAAA,OAAO;AAAA,MACL,WAAA,EAAa,KAAK,KAAA,CAAM,WAAA;AAAA,MACxB,WAAA,EAAa,KAAK,KAAA,CAAM,WAAA;AAAA,MACxB,YAAA,EAAc,KAAK,KAAA,CAAM,YAAA;AAAA,MACzB,eAAA,EAAiB,EAAE,GAAG,IAAA,CAAK,MAAM,eAAA;AAAgB,KACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,WAAA,EAAa,CAAA;AAAA,MACb,WAAA,EAAa,CAAA;AAAA,MACb,YAAA,EAAc,CAAA;AAAA,MACd,iBAAiB;AAAC,KACpB;AAAA,EACF;AACF;;;ACxmBO,IAAM,eAAN,MAAmB;AAAA,EAChB,MAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,gBAAA;AAAA,EAER,YACE,MAAA,EACA,QAAA,EACA,OAAA,EACA,QAAA,EACA,mBACA,gBAAA,EACA;AACA,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,iBAAA,GAAoB,iBAAA,IAAqB,IAAI,iBAAA,EAAkB;AACpE,IAAA,IAAA,CAAK,gBAAA,GAAmB,gBAAA;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,QAAA,CACJ,QAAA,EACA,IAAA,EACqB;AACrB,IAAA,MAAM,SAAA,GAAY,qBAAqB,QAAQ,CAAA;AAG/C,IAAA,IAAA,CAAK,QAAA,CAAS,eAAe,SAAS,CAAA;AAGtC,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,iBAAA,CAAkB,IAAA,CAAK,UAAU,IAAI,CAAA;AAClE,IAAA,IAAI,gBAAgB,OAAA,EAAS;AAC3B,MAAA,IAAA,CAAK,SAAS,MAAA,CAAO,IAAA,EAAM,CAAA,mBAAA,EAAsB,SAAS,IAAI,QAAA,EAAU;AAAA,QACtE,YAAY,eAAA,CAAgB,UAAA;AAAA,QAC5B,OAAA,EAAS,eAAA,CAAgB,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,MAAM;AAAA,UACzC,MAAM,CAAA,CAAE,IAAA;AAAA,UACR,UAAU,CAAA,CAAE,QAAA;AAAA,UACZ,UAAU,CAAA,CAAE;AAAA,SACd,CAAE,CAAA;AAAA,QACF,gBAAgB,eAAA,CAAgB;AAAA,OACjC,CAAA;AAGD,MAAA,IAAI,KAAK,gBAAA,EAAkB;AACzB,QAAA,IAAA,CAAK,gBAAA,CAAiB;AAAA,UACpB,QAAA;AAAA,UACA,MAAA,EAAQ,eAAA;AAAA,UACR,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACnC,CAAA;AAAA,MACH;AAEA,MAAA,IAAI,eAAA,CAAgB,mBAAmB,OAAA,EAAS;AAC9C,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,IAAA,EAAM,CAAA;AAAA,UACN,MAAA,EAAQ,0CAA0C,SAAS,CAAA,eAAA,EAAA,CAAmB,gBAAgB,UAAA,GAAa,GAAA,EAAK,OAAA,CAAQ,CAAC,CAAC,CAAA,EAAA,CAAA;AAAA,UAC1H,iBAAA,EAAmB;AAAA,SACrB;AAAA,MACF;AAEA,MAAA,IAAI,eAAA,CAAgB,mBAAmB,UAAA,EAAY;AACjD,QAAA,OAAO,IAAA,CAAK,eAAA;AAAA,UACV,SAAA;AAAA,UACA,CAAA;AAAA,UACA,CAAA,wCAAA,EAA2C,SAAS,CAAA,eAAA,EAAA,CAAmB,eAAA,CAAgB,UAAA,GAAa,GAAA,EAAK,OAAA,CAAQ,CAAC,CAAC,CAAA,GAAA,EAAM,eAAA,CAAgB,OAAA,CAAQ,MAAM,CAAA,WAAA,CAAA;AAAA,UACvJ;AAAA,YACE,SAAA;AAAA,YACA,mBAAA,EAAqB;AAAA,cACnB,YAAY,eAAA,CAAgB,UAAA;AAAA,cAC5B,YAAA,EAAc,gBAAgB,OAAA,CAAQ,MAAA;AAAA,cACtC,YAAA,EAAc,CAAC,GAAG,IAAI,GAAA,CAAI,eAAA,CAAgB,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,IAAI,CAAC,CAAC;AAAA;AACrE;AACF,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,oBAAA,CAAqB,QAAA,CAAS,SAAS,CAAA,EAAG;AACxD,MAAA,OAAO,KAAK,eAAA,CAAgB,SAAA,EAAW,CAAA,EAAG,CAAA,CAAA,EAAI,SAAS,CAAA,kDAAA,CAAA,EAAsD;AAAA,QAC3G,SAAA;AAAA,QACA,YAAA,EAAc,IAAA,CAAK,aAAA,CAAc,IAAI;AAAA,OACtC,CAAA;AAAA,IACH;AAGA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,SAAA,EAAW,IAAI,CAAA;AAClD,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAO,KAAK,eAAA,CAAgB,SAAA,EAAW,GAAG,OAAA,CAAQ,MAAA,EAAQ,QAAQ,OAAO,CAAA;AAAA,IAC3E;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,QAAA,CAAS,SAAS,CAAA,EAAG;AACtD,MAAA,IAAA,CAAK,SAAS,MAAA,CAAO,IAAA,EAAM,CAAA,WAAA,EAAc,SAAS,IAAI,QAAA,EAAU;AAAA,QAC9D,IAAA,EAAM,CAAA;AAAA,QACN;AAAA,OACD,CAAA;AAED,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM,CAAA;AAAA,QACN,MAAA,EAAQ,4BAAA;AAAA,QACR,iBAAA,EAAmB;AAAA,OACrB;AAAA,IACF;AAKA,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,IAAA,EAAM,CAAA,kBAAA,EAAqB,SAAS,IAAI,QAAA,EAAU;AAAA,MACrE,IAAA,EAAM,CAAA;AAAA,MACN,SAAA;AAAA,MACA,OAAA,EAAS;AAAA,KACV,CAAA;AAED,IAAA,OAAO,IAAA,CAAK,eAAA;AAAA,MACV,SAAA;AAAA,MACA,CAAA;AAAA,MACA,IAAI,SAAS,CAAA,sFAAA,CAAA;AAAA,MACb,EAAE,SAAA,EAAW,YAAA,EAAc,IAAA;AAAK,KAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAA,CACN,WACA,IAAA,EAC6D;AAC7D,IAAA,MAAM,MAAA,GAAS,KAAK,MAAA,CAAO,aAAA;AAG3B,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,cAAA,IAAkB,MAAA,CAAO,yBAAyB,SAAA,EAAW;AAE7E,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,kBAAA,CAAmB,QAAA,CAAS,SAAS,CAAA,EAAG;AACvD,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,mBAAmB,SAAS,CAAA,6BAAA,CAAA;AAAA,UACpC,OAAA,EAAS,EAAE,SAAA,EAAW,gBAAA,EAAkB,IAAA;AAAK,SAC/C;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,yBAAyB,SAAA,EAAW;AAC7C,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,qBAAA,CAAsB,SAAS,CAAA;AAC3D,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,8BAA8B,SAAS,CAAA,2BAAA,CAAA;AAAA,YAC/C,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,SAAA;AAAA,cACA,gBAAA,EAAkB,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW,CAAE;AAAA;AAC/C,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAA,MAAA,IAAW,MAAA,CAAO,oBAAA,KAAyB,KAAA,EAAO;AAChD,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,IAAA,CAAK,QAAA,CAAS,sBAAsB,SAAS,CAAA;AAAA,MAC/C;AAAA,IACF;AAGA,IAAA,IAAI,MAAA,CAAO,qBAAqB,SAAA,EAAW;AACzC,MAAA,MAAM,eAAA,GACH,IAAA,CAAK,gBAAA,IAAgC,IAAA,CAAK,iBAAA;AAC7C,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmB,eAAe,CAAA;AAC9D,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,wCAAwC,eAAe,CAAA,CAAA,CAAA;AAAA,YAC/D,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,gBAAA,EAAkB,eAAA;AAAA,cAClB,oBAAA,EAAsB,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW,CAAE;AAAA;AACnD,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAA,MAAA,IAAW,MAAA,CAAO,gBAAA,KAAqB,KAAA,EAAO;AAC5C,MAAA,MAAM,kBAAkB,IAAA,CAAK,gBAAA;AAC7B,MAAA,IAAI,eAAA,EAAiB;AACnB,QAAA,IAAA,CAAK,QAAA,CAAS,mBAAmB,eAAe,CAAA;AAAA,MAClD;AAAA,IACF;AAGA,IAAA,IAAI,cAAc,eAAA,EAAiB;AACjC,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,UAAA,EAAW;AAC3C,MAAA,IAAI,SAAA,GAAY,OAAO,oBAAA,EAAsB;AAC3C,QAAA,OAAO;AAAA,UACL,MAAA,EAAQ,CAAA,mBAAA,EAAsB,SAAS,CAAA,qBAAA,EAAwB,OAAO,oBAAoB,CAAA,KAAA,CAAA;AAAA,UAC1F,OAAA,EAAS;AAAA,YACP,SAAA;AAAA,YACA,gBAAA,EAAkB,SAAA;AAAA,YAClB,OAAO,MAAA,CAAO;AAAA;AAChB,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,cAAc,YAAA,EAAc;AAC9B,MAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,QAAA,CAAS,mBAAA,CAAoB,SAAS,CAAA;AAC7D,QAAA,IAAI,SAAA,GAAY,OAAO,mBAAA,EAAqB;AAC1C,UAAA,OAAO;AAAA,YACL,QAAQ,CAAA,oBAAA,EAAuB,SAAS,gBAAgB,SAAS,CAAA,4BAAA,EAA+B,OAAO,mBAAmB,CAAA,CAAA,CAAA;AAAA,YAC1H,OAAA,EAAS;AAAA,cACP,SAAA;AAAA,cACA,SAAA;AAAA,cACA,eAAA,EAAiB,SAAA;AAAA,cACjB,WAAW,MAAA,CAAO;AAAA;AACpB,WACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,WAAA,CAAY,SAAS,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,kBAAA,EAAmB;AACjD,IAAA,IACE,OAAA,GAAU,CAAA,IACV,QAAA,GAAW,OAAA,GAAU,OAAO,0BAAA,EAC5B;AACA,MAAA,OAAO;AAAA,QACL,MAAA,EAAQ,CAAA,kBAAA,EAAqB,SAAS,CAAA,KAAA,EAAQ,QAAQ,CAAA,MAAA,EAAS,MAAA,CAAO,0BAA0B,CAAA,mBAAA,EAAmB,OAAA,CAAQ,OAAA,CAAQ,CAAC,CAAC,CAAA,KAAA,CAAA;AAAA,QACrI,OAAA,EAAS;AAAA,UACP,SAAA;AAAA,UACA,YAAA,EAAc,QAAA;AAAA,UACd,YAAA,EAAc,OAAA;AAAA,UACd,YAAY,MAAA,CAAO;AAAA;AACrB,OACF;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,eAAA,CACZ,SAAA,EACA,IAAA,EACA,QACA,OAAA,EACqB;AACrB,IAAA,MAAM,OAAA,GAA2B;AAAA,MAC/B,SAAA;AAAA,MACA,IAAA;AAAA,MACA,MAAA;AAAA,MACA,OAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,gBAAgB,OAAO,CAAA;AAG3D,IAAA,IAAA,CAAK,QAAA,CAAS,OAAO,IAAA,EAAM,CAAA,KAAA,EAAQ,SAAS,QAAQ,CAAA,CAAA,EAAI,SAAS,CAAA,CAAA,EAAI,QAAA,EAAU;AAAA,MAC7E,IAAA;AAAA,MACA,MAAA;AAAA,MACA,YAAY,QAAA,CAAS;AAAA,KACtB,CAAA;AAED,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,SAAS,QAAA,KAAa,SAAA;AAAA,MAC/B,IAAA;AAAA,MACA,QAAQ,QAAA,CAAS,QAAA,KAAa,YAC1B,CAAA,YAAA,EAAe,QAAA,CAAS,UAAU,CAAA,CAAA,GAClC,MAAA;AAAA,MACJ,iBAAA,EAAmB,IAAA;AAAA,MACnB,iBAAA,EAAmB;AAAA,KACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAc,IAAA,EAAwD;AAC5E,IAAA,MAAM,UAAmC,EAAC;AAC1C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAC/C,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,SAAS,GAAA,EAAK;AACnD,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA,GAAI,KAAA;AAAA,MACvC,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,KAAA;AAAA,MACjB;AAAA,IACF;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AAAA;AAAA,EAGA,WAAA,GAA+B;AAC7B,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AAAA;AAAA,EAGA,oBAAA,GAA0C;AACxC,IAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,EACd;AACF;;;AC1UO,SAAS,0BAAA,CACd,MAAA,EACA,QAAA,EACA,QAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,WAAA,EACE,4HAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EAAa,+CAAA;AAAA,YACb,OAAA,EAAS;AAAA;AACX;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAA,GAAkB,KAAK,gBAAA,IAA+B,KAAA;AAE5D,QAAA,MAAM,IAAA,GAAgC;AAAA,UACpC,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,sBAAsB,MAAA,CAAO,oBAAA;AAAA,UAC7B,eAAe,MAAA,CAAO,aAAA;AAAA,UACtB,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,OAAO,gBAAA,CAAiB,IAAA;AAAA,YAC9B,eAAA,EAAiB,OAAO,gBAAA,CAAiB,eAAA;AAAA,YACzC,SAAA,EAAW;AAAA;AAAA;AACb,SACF;AAEA,QAAA,IAAI,eAAA,EAAiB;AACnB,UAAA,IAAA,CAAK,qBAAqB,MAAA,CAAO,kBAAA;AAAA,QACnC,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,wBAAA,GAA2B,OAAO,kBAAA,CAAmB,MAAA;AAC1D,UAAA,IAAA,CAAK,IAAA,GACH,qEAAA;AAAA,QACJ;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,QAAA,EAAU;AAAA,UACvD,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAED,QAAA,OAAO,WAAW,IAAI,CAAA;AAAA,MACxB;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,sKAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,OAAA,GAAU,SAAS,UAAA,EAAW;AAEpC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,QAAQ,CAAA;AAEzD,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,oBAAoB,OAAA,CAAQ,UAAA;AAAA,UAC5B,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,sBAAsB,OAAA,CAAQ,oBAAA;AAAA,UAC9B,kBAAkB,OAAA,CAAQ,gBAAA;AAAA,UAC1B,UAAA,EAAY,QAAQ,QAAA,IAAY;AAAA,SACjC,CAAA;AAAA,MACH;AAAA;AACF,GACF;AACF;;;ACgCO,SAAS,aAAa,GAAA,EAAuB;AAClD,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,OAAO,GAAA,KAAQ,UAAU,OAAO,GAAA;AACpD,EAAA,IAAI,MAAM,OAAA,CAAQ,GAAG,GAAG,OAAO,GAAA,CAAI,IAAI,YAAY,CAAA;AACnD,EAAA,MAAM,SAAkC,EAAC;AACzC,EAAA,KAAA,MAAW,OAAO,MAAA,CAAO,IAAA,CAAK,GAA8B,CAAA,CAAE,MAAK,EAAG;AACpE,IAAA,MAAA,CAAO,GAAG,CAAA,GAAI,YAAA,CAAc,GAAA,CAAgC,GAAG,CAAC,CAAA;AAAA,EAClE;AACA,EAAA,OAAO,MAAA;AACT;AAKO,SAAS,uBAAuB,IAAA,EAAuB;AAC5D,EAAA,OAAO,IAAA,CAAK,SAAA,CAAU,YAAA,CAAa,IAAI,CAAC,CAAA;AAC1C;;;AC9HA,aAAA,EAAA;AAIA,IAAM,mBAAA,GAAsB,KAAK,EAAA,GAAK,GAAA;AAiB/B,SAAS,WAAA,CACd,YACA,IAAA,EACoB;AACpB,EAAA,MAAM,EAAE,MAAA,EAAQ,eAAA,EAAiB,SAAA,EAAW,YAAW,GAAI,IAAA;AAG3D,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,8DAAA;AAAA,EACT;AAEA,EAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,EAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,IAAK,cAAc,mBAAA,CAAoB,CAAA;AAG9E,EAAA,MAAM,eAAiC,EAAC;AAExC,EAAA,IAAI,MAAA,CAAO,SAAA,CAAU,WAAA,KAAgB,eAAA,EAAiB;AACpD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,wBAAA;AAAA,MACN,QAAA,EAAU,SAAA;AAAA,MACV,WAAA,EAAa,uCAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AACD,IAAA,YAAA,CAAa,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,IAAA;AAAA,MACP,IAAA,EAAM,2BAAA;AAAA,MACN,QAAA,EAAU,SAAA;AAAA,MACV,WAAA,EAAa,0DAAA;AAAA,MACb,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAOA,EAAA,MAAM,IAAA,GAAgB;AAAA,IACpB,WAAA,EAAa,KAAA;AAAA,IACb,cAAA,EAAgB;AAAA,MACd,mBAAmB,MAAA,CAAO,OAAA;AAAA,MAC1B,YAAA,EAAc,QAAQ,QAAA,CAAS,IAAA;AAAA,MAC/B,YAAA,EAAc;AAAA,KAChB;AAAA,IACA,aAAa,QAAA,CAAS,WAAA;AAAA,IACtB,YAAA,EAAc,IAAI,WAAA,EAAY;AAAA,IAC9B,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,IAClC,MAAA,EAAQ;AAAA,MACN,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,QAAA;AAAA,QACR,UAAA,EAAY,OAAO,KAAA,CAAM,UAAA;AAAA,QACzB,WAAA,EAAa,MAAA;AAAA,QACb,SAAA,EAAW,OAAO,KAAA,CAAM,SAAA;AAAA,QACxB,aAAA,EAAe,OAAO,KAAA,CAAM,iBAAA;AAAA,QAC5B,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,MAAA,CAAO,SAAA,CAAU,WAAA,KAAgB,kBACrC,UAAA,GACA,QAAA;AAAA,QACJ,cAAA,EAAgB,OAAO,SAAA,CAAU,WAAA;AAAA,QACjC,qBAAA,EAAuB,OAAO,SAAA,CAAU;AAAA,OAC1C;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,QAAA;AAAA,QACR,YAAA,EAAc,OAAO,UAAA,CAAW,YAAA;AAAA,QAChC,oBAAA,EAAsB;AAAA,OACxB;AAAA,MACA,EAAA,EAAI;AAAA,QACF,MAAA,EAAQ,QAAA;AAAA,QACR,eAAA,EAAiB,OAAO,UAAA,CAAW,IAAA;AAAA,QACnC,kBAAA,EAAoB,OAAO,UAAA,CAAW,kBAAA;AAAA,QACtC,mBAAA,EAAqB;AAAA;AACvB,KACF;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,SAAA,EAAW,IAAA;AAAA,MACX,YAAA,EAAc,IAAA;AAAA,MACd,iBAAA,EAAmB,IAAA;AAAA,MACnB,iBAAA,EAAmB;AAAA;AAAA,KACrB;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,SAAA,GAAY,uBAAuB,IAAI,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,cAAc,SAAS,CAAA;AAGvC,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,cAAA,GAAiB,IAAA;AAAA,IACrB,OAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,OAAO;AAAA,IACL,IAAA;AAAA,IACA,WAAW,QAAA,CAAS,UAAA;AAAA,IACpB,SAAA,EAAW,YAAY,cAAc;AAAA,GACvC;AACF;;;ACpIA,aAAA,EAAA;AASO,SAAS,SAAA,CACd,KACA,GAAA,EACuB;AACvB,EAAA,MAAM,SAAmB,EAAC;AAC1B,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,WAAA,GAAc,GAAA,oBAAO,IAAI,IAAA,EAAK;AAGpC,EAAA,IAAI,CAAC,IAAI,IAAA,IAAQ,CAAC,IAAI,SAAA,IAAa,CAAC,IAAI,SAAA,EAAW;AACjD,IAAA,MAAA,CAAO,KAAK,6DAA6D,CAAA;AACzE,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA;AAAA,MACA,QAAA;AAAA,MACA,iBAAA,EAAmB,SAAA;AAAA,MACnB,eAAA,EAAiB,GAAA,CAAI,IAAA,EAAM,WAAA,IAAe,SAAA;AAAA,MAC1C,UAAA,EAAY,GAAA,CAAI,IAAA,EAAM,UAAA,IAAc;AAAA,KACtC;AAAA,EACF;AAEA,EAAA,IAAI,GAAA,CAAI,IAAA,CAAK,WAAA,KAAgB,KAAA,EAAO;AAClC,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,yBAAA,EAA4B,GAAA,CAAI,IAAA,CAAK,WAAW,CAAA,CAAE,CAAA;AAAA,EAChE;AAGA,EAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,KAAK,UAAU,CAAA;AAC9C,EAAA,IAAI,KAAA,CAAM,SAAA,CAAU,OAAA,EAAS,CAAA,EAAG;AAC9B,IAAA,MAAA,CAAO,KAAK,8BAA8B,CAAA;AAAA,EAC5C,CAAA,MAAA,IAAW,cAAc,SAAA,EAAW;AAClC,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,eAAA,EAAkB,GAAA,CAAI,IAAA,CAAK,UAAU,CAAA,CAAE,CAAA;AAAA,EACrD;AAEA,EAAA,MAAM,WAAA,GAAc,IAAI,IAAA,CAAK,GAAA,CAAI,KAAK,YAAY,CAAA;AAClD,EAAA,IAAI,KAAA,CAAM,WAAA,CAAY,OAAA,EAAS,CAAA,EAAG;AAChC,IAAA,MAAA,CAAO,KAAK,gCAAgC,CAAA;AAAA,EAC9C,CAAA,MAAA,IAAW,cAAc,WAAA,EAAa;AACpC,IAAA,QAAA,CAAS,KAAK,8DAAyD,CAAA;AAAA,EACzE;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAC7C,IAAA,MAAM,cAAA,GAAiB,aAAA,CAAc,GAAA,CAAI,SAAS,CAAA;AAClD,IAAA,MAAM,SAAA,GAAY,sBAAA,CAAuB,GAAA,CAAI,IAAI,CAAA;AACjD,IAAA,MAAM,OAAA,GAAU,cAAc,SAAS,CAAA;AAEvC,IAAA,MAAM,cAAA,GAAiB,MAAA,CAAO,OAAA,EAAS,cAAA,EAAgB,SAAS,CAAA;AAChE,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAA,CAAO,KAAK,0DAAqD,CAAA;AAAA,IACnE;AAAA,EACF,SAAS,CAAA,EAAG;AACV,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,+BAAA,EAAmC,CAAA,CAAY,OAAO,CAAA,CAAE,CAAA;AAAA,EACtE;AAGA,EAAA,MAAM,EAAE,MAAA,EAAO,GAAI,GAAA,CAAI,IAAA;AACvB,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,IAAM,CAAC,MAAA,CAAO,EAAA,EAAI;AACxD,IAAA,MAAA,CAAO,KAAK,uCAAuC,CAAA;AAAA,EACrD;AAGA,EAAA,MAAM,gBAAA,GAAmB,sBAAA,CAAuB,GAAA,CAAI,IAAI,CAAA;AAGxD,EAAA,KAAA,MAAW,CAAA,IAAK,GAAA,CAAI,IAAA,CAAK,YAAA,IAAgB,EAAC,EAAG;AAC3C,IAAA,IAAI,CAAA,CAAE,aAAa,UAAA,EAAY;AAC7B,MAAA,QAAA,CAAS,KAAK,CAAA,wBAAA,EAA2B,CAAA,CAAE,KAAK,CAAA,EAAA,EAAK,CAAA,CAAE,WAAW,CAAA,CAAE,CAAA;AAAA,IACtE;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AAAA,IACzB,MAAA;AAAA,IACA,QAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,eAAA,EAAiB,IAAI,IAAA,CAAK,WAAA;AAAA,IAC1B,UAAA,EAAY,IAAI,IAAA,CAAK;AAAA,GACvB;AACF;AAKA,SAAS,uBACP,IAAA,EACiC;AACjC,EAAA,MAAM,EAAE,EAAA,EAAI,EAAA,EAAI,EAAA,EAAI,EAAA,KAAO,IAAA,CAAK,MAAA;AAGhC,EAAA,IACE,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,IACd,EAAA,CAAG,MAAA,KAAW,QAAA,EACd;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAGA,EAAA,IAAI,EAAA,CAAG,WAAW,QAAA,EAAU;AAC1B,IAAA,OAAO,SAAA;AAAA,EACT;AAGA,EAAA,IAAI,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,EAAA,CAAG,WAAW,UAAA,EAAY;AACtD,IAAA,OAAO,UAAA;AAAA,EACT;AAEA,EAAA,OAAO,SAAA;AACT;;;ACKA,IAAM,aAAA,GAAgB;AAAA,EACpB,EAAA,EAAI,GAAA;AAAA,EACJ,EAAA,EAAI,GAAA;AAAA,EACJ,EAAA,EAAI,GAAA;AAAA,EACJ,EAAA,EAAI;AACN,CAAA;AAEA,IAAM,kBAAA,GAAqB;AAAA,EACzB,QAAA,EAAU,EAAA;AAAA,EACV,OAAA,EAAS,EAAA;AAAA,EACT,IAAA,EAAM;AACR,CAAA;AAUO,SAAS,uBAAuB,GAAA,EAA0C;AAC/E,EAAA,MAAM,EAAE,IAAA,EAAM,SAAA,EAAW,SAAA,EAAU,GAAI,GAAA;AAGvC,EAAA,MAAM,WAAA,GAAc,qBAAqB,IAAI,CAAA;AAG7C,EAAA,MAAM,YAAA,GAAe,sBAAsB,WAAW,CAAA;AAGtD,EAAA,MAAM,UAAA,GAAa,oBAAoB,YAAY,CAAA;AAGnD,EAAA,MAAM,OAAA,GAAU,4BAA4B,IAAI,CAAA;AAGhD,EAAA,MAAM,YAAA,GAAe,qBAAA,CAAsB,IAAA,CAAK,YAAY,CAAA;AAG5D,EAAA,MAAM,WAAA,GAAc,gCAAA,CAAiC,IAAkB,CAAA;AAEvE,EAAA,OAAO;AAAA,IACL,aAAa,IAAA,CAAK,WAAA;AAAA,IAClB,cAAA,EAAgB,SAAA;AAAA,IAChB,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IACrC,oBAAoB,IAAA,CAAK,UAAA;AAAA,IACzB,aAAA,EAAe,YAAA;AAAA,IACf,uBAAA,EAAyB,UAAA;AAAA,IACzB,YAAA,EAAc;AAAA,MACZ,cAAc,WAAA,CAAY,EAAA;AAAA,MAC1B,gBAAgB,WAAA,CAAY,EAAA;AAAA,MAC5B,eAAe,WAAA,CAAY,EAAA;AAAA,MAC3B,eAAe,WAAA,CAAY;AAAA,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,YAAA,EAAc,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG,MAAA;AAAA,MAC7B,cAAA,EAAgB,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG,MAAA;AAAA,MAC/B,aAAA,EAAe,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG,MAAA;AAAA,MAC9B,aAAA,EAAe,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG;AAAA,KAChC;AAAA,IACA,qBAAA,EAAuB,OAAA;AAAA,IACvB,YAAA;AAAA,IACA,uBAAA,EAAyB,WAAA;AAAA,IACzB,aAAA,EAAe,SAAA;AAAA,IACf,aAAA,EAAe;AAAA,GACjB;AACF;AAKA,SAAS,qBACP,IAAA,EAMA;AACA,EAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AACpB,EAAA,MAAM,eAAe,IAAA,CAAK,YAAA;AAE1B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAC5B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAC5B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAC5B,EAAA,IAAI,UAAU,aAAA,CAAc,EAAA;AAG5B,EAAA,KAAA,MAAW,OAAO,YAAA,EAAc;AAC9B,IAAA,MAAM,MAAA,GACJ,kBAAA,CAAmB,GAAA,CAAI,QAA2C,CAAA,IAAK,EAAA;AAEzE,IAAA,IAAI,GAAA,CAAI,UAAU,IAAA,EAAM;AACtB,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC,CAAA,MAAA,IAAW,GAAA,CAAI,KAAA,KAAU,IAAA,EAAM;AAC7B,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC,CAAA,MAAA,IAAW,GAAA,CAAI,KAAA,KAAU,IAAA,EAAM;AAC7B,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC,CAAA,MAAA,IAAW,GAAA,CAAI,KAAA,KAAU,IAAA,EAAM;AAC7B,MAAA,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,OAAA,GAAU,MAAM,CAAA;AAAA,IACxC;AAAA,EACF;AAGA,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AACtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AACtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AACtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,OAAA,GAAU,EAAA,EAAI,OAAA,GAAU,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,OAAA,GAAU,CAAC,CAAA;AAGtF,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAC/C,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAC/C,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAC/C,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY,OAAA,GAAU,CAAA;AAE/C,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAAA,IACtB,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAAA,IACtB,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAAA,IACtB,EAAA,EAAI,IAAA,CAAK,KAAA,CAAM,OAAO;AAAA,GACxB;AACF;AAKA,SAAS,sBAAsB,WAAA,EAKpB;AACT,EAAA,MAAM,OAAA,GAAA,CAAW,YAAY,EAAA,GAAK,WAAA,CAAY,KAAK,WAAA,CAAY,EAAA,GAAK,YAAY,EAAA,IAAM,CAAA;AACtF,EAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAC3B;AAKA,SAAS,oBACP,KAAA,EACiD;AACjD,EAAA,IAAI,KAAA,IAAS,IAAI,OAAO,MAAA;AACxB,EAAA,IAAI,KAAA,IAAS,IAAI,OAAO,UAAA;AACxB,EAAA,IAAI,KAAA,IAAS,IAAI,OAAO,UAAA;AACxB,EAAA,OAAO,YAAA;AACT;AAKA,SAAS,4BAA4B,IAAA,EAAkE;AACrG,EAAA,MAAM,EAAA,GAAK,KAAK,MAAA,CAAO,EAAA;AACvB,EAAA,MAAM,EAAA,GAAK,KAAK,MAAA,CAAO,EAAA;AACvB,EAAA,MAAM,EAAA,GAAK,KAAK,MAAA,CAAO,EAAA;AAGvB,EAAA,OAAO;AAAA,IACL,oBAAA,EAAsB,KAAK,YAAA,CAAa,SAAA;AAAA;AAAA,IACxC,qBAAA,EAAuB,KAAK,YAAA,CAAa,iBAAA;AAAA;AAAA,IACzC,kBAAA,EAAoB,EAAA,CAAG,UAAA,KAAe,MAAA,IAAU,GAAG,UAAA,KAAe,aAAA;AAAA,IAClE,0BAAA,EAA4B,KAAA;AAAA;AAAA,IAC5B,iBAAA,EAAmB,EAAA,CAAG,aAAA,KAAkB,SAAA,IAAa,GAAG,aAAA,KAAkB,MAAA;AAAA,IAC1E,sBAAA,EAAwB,GAAG,MAAA,KAAW,QAAA;AAAA,IACtC,6BAA6B,EAAA,CAAG,oBAAA;AAAA,IAChC,qBAAqB,EAAA,CAAG,mBAAA;AAAA,IACxB,iBAAA,EAAmB,KAAK,YAAA,CAAa;AAAA,GACvC;AACF;AAKA,SAAS,sBAAsB,YAAA,EAAsD;AACnF,EAAA,OAAO,YAAA,CAAa,GAAA,CAAI,CAAC,GAAA,KAAQ;AAC/B,IAAA,IAAI,WAAA,GAAc,EAAA;AAElB,IAAA,IAAI,GAAA,CAAI,SAAS,QAAA,EAAU;AACzB,MAAA,WAAA,GAAc,wDAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,wBAAA,EAA0B;AAChD,MAAA,WAAA,GAAc,2CAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,iBAAA,EAAmB;AACzC,MAAA,WAAA,GAAc,4DAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,cAAA,EAAgB;AACtC,MAAA,WAAA,GAAc,yCAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,2BAAA,EAA6B;AACnD,MAAA,WAAA,GAAc,kEAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,yBAAA,EAA2B;AACjD,MAAA,WAAA,GAAc,+CAAA;AAAA,IAChB,CAAA,MAAA,IAAW,GAAA,CAAI,IAAA,KAAS,kBAAA,EAAoB;AAC1C,MAAA,WAAA,GAAc,iDAAA;AAAA,IAChB,CAAA,MAAO;AACL,MAAA,WAAA,GAAc,8BAAA;AAAA,IAChB;AAEA,IAAA,OAAO;AAAA,MACL,OAAO,GAAA,CAAI,KAAA;AAAA,MACX,MAAM,GAAA,CAAI,IAAA;AAAA,MACV,UAAU,GAAA,CAAI,QAAA;AAAA,MACd,aAAa,GAAA,CAAI,WAAA;AAAA,MACjB,oBAAA,EAAsB;AAAA,KACxB;AAAA,EACF,CAAC,CAAA;AACH;AAKA,SAAS,gCAAA,CACP,MACA,aAAA,EAC2B;AAC3B,EAAA,MAAM,cAAyC,EAAC;AAChD,EAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AAGpB,EAAA,IAAI,OAAO,EAAA,CAAG,MAAA,KAAW,cAAc,MAAA,CAAO,EAAA,CAAG,gBAAgB,MAAA,EAAQ;AACvE,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,gCAAA;AAAA,MACN,WAAA,EAAa,oEAAA;AAAA,MACb,SAAA,EAAW,mDAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,CAAG,cAAA,EAAgB;AAC7B,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,gBAAA;AAAA,MACN,WAAA,EAAa,iEAAA;AAAA,MACb,SAAA,EAAW,mDAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,OAAO,EAAA,CAAG,MAAA,KAAW,cAAc,MAAA,CAAO,EAAA,CAAG,mBAAmB,eAAA,EAAiB;AACnF,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,WAAA;AAAA,MACN,WAAA,EAAa,uEAAA;AAAA,MACb,SAAA,EAAW,6CAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,CAAG,qBAAA,EAAuB;AACpC,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,mBAAA;AAAA,MACN,WAAA,EAAa,wDAAA;AAAA,MACb,SAAA,EAAW,8DAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,OAAO,EAAA,CAAG,MAAA,KAAW,cAAc,CAAC,MAAA,CAAO,GAAG,oBAAA,EAAsB;AACtE,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,kBAAA;AAAA,MACN,WAAA,EAAa,6EAAA;AAAA,MACb,SAAA,EAAW,4EAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAMA,EAAA,IAAI,MAAA,CAAO,EAAA,CAAG,MAAA,KAAW,UAAA,EAAY;AACnC,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,mBAAA;AAAA,MACN,WAAA,EAAa,qDAAA;AAAA,MACb,SAAA,EAAW,8BAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,MAAA,CAAO,EAAA,CAAG,mBAAA,EAAqB;AAClC,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,gBAAA;AAAA,MACN,WAAA,EAAa,gEAAA;AAAA,MACb,SAAA,EAAW,+CAAA;AAAA,MACX,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAGA,EAAA,MAAM,WAAA,GAAc,qBAAqB,IAAI,CAAA;AAC7C,EAAA,MAAM,YAAA,GAAe,sBAAsB,WAAW,CAAA;AAEtD,EAAA,IAAI,eAAe,EAAA,EAAI;AACrB,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,IAAA,EAAM,kBAAA;AAAA,MACN,WAAA,EAAa,uFAAA;AAAA,MACb,SAAA,EAAW,gCAAgC,YAAY,CAAA,IAAA,CAAA;AAAA,MACvD,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,WAAA;AACT;AAyBO,SAAS,oBAAoB,GAAA,EAA6C;AAC/E,EAAA,MAAM,OAAA,GAAU,uBAAuB,GAAG,CAAA;AAE1C,EAAA,OAAO;AAAA,IACL,UAAU,OAAA,CAAQ,cAAA;AAAA,IAClB,mBAAmB,OAAA,CAAQ,aAAA;AAAA,IAC3B,aAAa,OAAA,CAAQ,uBAAA;AAAA,IACrB,YAAA,EAAc;AAAA,MACZ,EAAA,EAAI,QAAQ,YAAA,CAAa,YAAA;AAAA,MACzB,EAAA,EAAI,QAAQ,YAAA,CAAa,cAAA;AAAA,MACzB,EAAA,EAAI,QAAQ,YAAA,CAAa,aAAA;AAAA,MACzB,EAAA,EAAI,QAAQ,YAAA,CAAa;AAAA,KAC3B;AAAA,IACA,cAAc,OAAA,CAAQ,qBAAA;AAAA,IACtB,WAAA,EAAa,OAAA,CAAQ,uBAAA,CAAwB,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACvD,MAAM,CAAA,CAAE,IAAA;AAAA,MACR,aAAa,CAAA,CAAE;AAAA,KACjB,CAAE,CAAA;AAAA,IACF,YAAY,OAAA,CAAQ,kBAAA;AAAA,IACpB,WAAW,OAAA,CAAQ;AAAA,GACrB;AACF;;;ACndO,SAAS,cAAA,CACd,MAAA,EACA,eAAA,EACA,SAAA,EACA,QAAA,EAC6B;AAC7B,EAAA,MAAM,aAAA,GAAqC;AAAA,IACzC,MAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,wBAAA;AAAA,MACN,WAAA,EACE,oOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WACJ;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,gBAAA,GACnB,IAAA,CAAK,gBAAA,GAA8B,KAAK,GAAA,GACzC,MAAA;AAEJ,QAAA,MAAM,MAAA,GAAS,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC;AAAA,UACjE,GAAG,aAAA;AAAA,UACH;AAAA,SACD,CAAA;AAED,QAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,EAAQ,CAAA;AAAA,QACrC;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,cAAA,EAAgB,MAAA,CAAO,KAAK,WAAW,CAAA;AAE7D,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,WAAA,EACE,wIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,GAAA,EAAK;AAAA,YACH,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,KAAK;AAAA,OAClB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAM,IAAA,CAAK,GAAA;AACjB,QAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAE5B,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,YAAA;AAAA,UACA,MAAA,CAAO,eAAA;AAAA,UACP,MAAA;AAAA,UACA,MAAA,CAAO,QAAQ,SAAA,GAAY;AAAA,SAC7B;AAEA,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,2PAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAA,EAAQ,SAAS,CAAA;AAAA,YACxB,WAAA,EACE;AAAA,WACJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WACJ;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAU,KAAK,MAAA,IAAqB,MAAA;AAC1C,QAAA,MAAM,aAAa,IAAA,CAAK,gBAAA,GACnB,IAAA,CAAK,gBAAA,GAA8B,KAAK,GAAA,GACzC,MAAA;AAGJ,QAAA,MAAM,SAAA,GAAY,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC;AAAA,UACpE,GAAG,aAAA;AAAA,UACH;AAAA,SACD,CAAA;AAED,QAAA,IAAI,OAAO,cAAc,QAAA,EAAU;AACjC,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,SAAA,EAAW,CAAA;AAAA,QACxC;AAGA,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI,WAAW,SAAA,EAAW;AACxB,UAAA,OAAA,GAAU,oBAAoB,SAAS,CAAA;AAAA,QACzC,CAAA,MAAO;AACL,UAAA,OAAA,GAAU,uBAAuB,SAAS,CAAA;AAAA,QAC5C;AAEA,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,oBAAA;AAAA,UACA,UAAU,IAAA,CAAK,WAAA;AAAA,UACf,MAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,OAAO,WAAW,OAAO,CAAA;AAAA,MAC3B;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;;;ACjJA,aAAA,EAAA;AAMA,SAAS,aAAA,GAAwB;AAC/B,EAAA,OAAO,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AACpC;AAMO,SAAS,kBACd,MAAA,EAC8D;AAC9D,EAAA,MAAM,QAAQ,aAAA,EAAc;AAC5B,EAAA,MAAM,SAAA,GAAY,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AAE7C,EAAA,MAAM,SAAA,GAAgC;AAAA,IACpC,gBAAA,EAAkB,KAAA;AAAA,IAClB,GAAA,EAAK,MAAA;AAAA,IACL,KAAA;AAAA,IACA,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AAEA,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,UAAA,EAAY,SAAA;AAAA,IACZ,IAAA,EAAM,WAAA;AAAA,IACN,KAAA,EAAO,WAAA;AAAA,IACP,SAAA,EAAW,KAAA;AAAA,IACX,OAAA,EAAS,MAAA;AAAA,IACT,cAAc,SAAA,CAAU;AAAA,GAC1B;AAEA,EAAA,OAAO,EAAE,WAAW,OAAA,EAAQ;AAC9B;AAMO,SAAS,kBAAA,CACd,SAAA,EACA,MAAA,EACA,eAAA,EACA,WACA,UAAA,EACgF;AAEhF,EAAA,IAAI,SAAA,CAAU,qBAAqB,KAAA,EAAO;AACxC,IAAA,OAAO,EAAE,KAAA,EAAO,CAAA,8BAAA,EAAiC,SAAA,CAAU,gBAAgB,CAAA,CAAA,EAAG;AAAA,EAChF;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,SAAA,CAAU,GAAG,CAAA;AACzC,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,OAAO,EAAE,OAAO,CAAA,mCAAA,EAAsC,SAAA,CAAU,OAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,EAAG;AAAA,EACtF;AAGA,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,EAAE,OAAO,mCAAA,EAAoC;AAAA,EACtD;AAGA,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,SAAA,CAAU,KAAK,CAAA;AAChD,EAAA,MAAM,cAAA,GAAiB,IAAA;AAAA,IACrB,UAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,MAAM,iBAAiB,aAAA,EAAc;AAErC,EAAA,MAAM,QAAA,GAA8B;AAAA,IAClC,gBAAA,EAAkB,KAAA;AAAA,IAClB,GAAA,EAAK,MAAA;AAAA,IACL,eAAA,EAAiB,cAAA;AAAA,IACjB,yBAAA,EAA2B,YAAY,cAAc,CAAA;AAAA,IACrD,YAAA,EAAA,iBAAc,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACvC;AAEA,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,UAAA,EAAY,WAAA,CAAY,WAAA,CAAY,EAAE,CAAC,CAAA;AAAA,IACvC,IAAA,EAAM,WAAA;AAAA,IACN,KAAA,EAAO,WAAA;AAAA,IACP,SAAA,EAAW,cAAA;AAAA,IACX,aAAa,SAAA,CAAU,KAAA;AAAA,IACvB,OAAA,EAAS,MAAA;AAAA,IACT,WAAW,SAAA,CAAU,GAAA;AAAA,IACrB,cAAc,SAAA,CAAU;AAAA,GAC1B;AAEA,EAAA,OAAO,EAAE,UAAU,OAAA,EAAQ;AAC7B;AAMO,SAAS,iBAAA,CACd,QAAA,EACA,OAAA,EACA,eAAA,EACA,WACA,UAAA,EACkF;AAElF,EAAA,IAAI,QAAA,CAAS,qBAAqB,KAAA,EAAO;AACvC,IAAA,OAAO,EAAE,KAAA,EAAO,CAAA,8BAAA,EAAiC,QAAA,CAAS,gBAAgB,CAAA,CAAA,EAAG;AAAA,EAC/E;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,QAAA,CAAS,GAAG,CAAA;AACxC,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,OAAO,EAAE,OAAO,CAAA,mCAAA,EAAsC,SAAA,CAAU,OAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,EAAG;AAAA,EACtF;AAGA,EAAA,MAAM,kBAAA,GAAqB,aAAA,CAAc,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AAC/D,EAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,OAAA,CAAQ,SAAS,CAAA;AACrD,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,QAAA,CAAS,yBAAyB,CAAA;AAE5E,EAAA,MAAM,mBAAA,GAAsB,MAAA;AAAA,IAC1B,aAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF;AACA,EAAA,IAAI,CAAC,mBAAA,EAAqB;AACxB,IAAA,OAAO,EAAE,OAAO,uEAAA,EAAmE;AAAA,EACrF;AAGA,EAAA,MAAM,WAAW,UAAA,GACb,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAE/B,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,EAAE,OAAO,mCAAA,EAAoC;AAAA,EACtD;AAGA,EAAA,MAAM,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AACvE,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,QAAA,CAAS,eAAe,CAAA;AAClE,EAAA,MAAM,uBAAA,GAA0B,IAAA;AAAA,IAC9B,mBAAA;AAAA,IACA,QAAA,CAAS,qBAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,EAAA,MAAM,UAAA,GAAkC;AAAA,IACtC,gBAAA,EAAkB,KAAA;AAAA,IAClB,yBAAA,EAA2B,YAAY,uBAAuB,CAAA;AAAA,IAC9D,YAAA,EAAc;AAAA,GAChB;AAGA,EAAA,MAAM,mBAAmB,SAAA,CAAU,iBAAA;AACnC,EAAA,MAAM,SAAA,GAAY,gBAAgB,gBAAgB,CAAA;AAElD,EAAA,MAAM,MAAA,GAA0B;AAAA,IAC9B,iBAAiB,SAAA,CAAU,eAAA;AAAA,IAC3B,kBAAkB,QAAA,CAAS,GAAA;AAAA,IAC3B,QAAA,EAAU,IAAA;AAAA,IACV,iBAAA,EAAmB,gBAAA;AAAA,IACnB,UAAA,EAAY,SAAA;AAAA,IACZ,YAAA,EAAc,GAAA;AAAA,IACd,YAAY,SAAA,CAAU,UAAA;AAAA,IACtB,QAAQ;AAAC,GACX;AAEA,EAAA,OAAO,EAAE,YAAY,MAAA,EAAO;AAC9B;AAMO,SAAS,gBAAA,CACd,YACA,OAAA,EACiB;AACjB,EAAA,MAAM,SAAmB,EAAC;AAE1B,EAAA,IAAI,CAAC,QAAQ,SAAA,EAAW;AACtB,IAAA,OAAO;AAAA,MACL,eAAA,EAAiB,SAAA;AAAA,MACjB,kBAAkB,OAAA,CAAQ,OAAA;AAAA;AAAA,MAC1B,QAAA,EAAU,KAAA;AAAA,MACV,iBAAA,EAAmB,YAAA;AAAA,MACnB,UAAA,EAAY,YAAA;AAAA,MACZ,cAAc,UAAA,CAAW,YAAA;AAAA,MACzB,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MACnC,MAAA,EAAQ,CAAC,mCAAmC;AAAA,KAC9C;AAAA,EACF;AAGA,EAAA,MAAM,kBAAA,GAAqB,aAAA,CAAc,OAAA,CAAQ,SAAA,CAAU,SAAS,CAAA;AACpE,EAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,OAAA,CAAQ,SAAS,CAAA;AACrD,EAAA,MAAM,mBAAA,GAAsB,aAAA,CAAc,UAAA,CAAW,yBAAyB,CAAA;AAE9E,EAAA,MAAM,mBAAA,GAAsB,MAAA;AAAA,IAC1B,aAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,mBAAA,EAAqB;AACxB,IAAA,MAAA,CAAO,KAAK,uEAAkE,CAAA;AAAA,EAChF;AAGA,EAAA,MAAM,SAAA,GAAY,SAAA,CAAU,OAAA,CAAQ,SAAS,CAAA;AAC7C,EAAA,IAAI,CAAC,UAAU,KAAA,EAAO;AACpB,IAAA,MAAA,CAAO,IAAA,CAAK,GAAG,SAAA,CAAU,MAAM,CAAA;AAAA,EACjC;AAEA,EAAA,MAAM,QAAA,GAAW,OAAO,MAAA,KAAW,CAAA;AACnC,EAAA,MAAM,gBAAA,GAAqC,QAAA,GACtC,SAAA,CAAU,iBAAA,GACX,YAAA;AAEJ,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,OAAA,CAAQ,SAAA,CAAU,IAAA,CAAK,WAAA;AAAA,IACxC,kBAAkB,OAAA,CAAQ,SAAA;AAAA,IAC1B,QAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,UAAA,EAAY,gBAAgB,gBAAgB,CAAA;AAAA,IAC5C,cAAc,UAAA,CAAW,YAAA;AAAA,IACzB,UAAA,EAAY,OAAA,CAAQ,SAAA,CAAU,IAAA,CAAK,UAAA;AAAA,IACnC;AAAA,GACF;AACF;AAKA,SAAS,gBAAgB,KAAA,EAAoC;AAC3D,EAAA,QAAQ,KAAA;AAAO,IACb,KAAK,MAAA;AACH,MAAA,OAAO,oBAAA;AAAA,IACT,KAAK,UAAA;AACH,MAAA,OAAO,mBAAA;AAAA,IACT;AACE,MAAA,OAAO,YAAA;AAAA;AAEb;;;ACrPO,SAAS,oBAAA,CACd,MAAA,EACA,eAAA,EACA,SAAA,EACA,QAAA,EAC6E;AAE7E,EAAA,MAAM,QAAA,uBAAe,GAAA,EAA8B;AAEnD,EAAA,MAAM,gBAAA,uBAAuB,GAAA,EAA6B;AAE1D,EAAA,MAAM,OAAA,GAA+B;AAAA,IACnC,MAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,+LAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AAEvB,QAAA,MAAM,GAAA,GAAM,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC,OAAO,CAAA;AACvE,QAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,GAAA,EAAK,CAAA;AAAA,QAClC;AAEA,QAAA,MAAM,EAAE,SAAA,EAAW,OAAA,EAAQ,GAAI,kBAAkB,GAAG,CAAA;AACpD,QAAA,QAAA,CAAS,GAAA,CAAI,OAAA,CAAQ,UAAA,EAAY,OAAO,CAAA;AAExC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,oBAAA,EAAsB,GAAA,CAAI,KAAK,WAAW,CAAA;AAEhE,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,SAAA;AAAA,UACA,YAAA,EACE;AAAA,SAEH,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,oJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,WAAW;AAAA,OACxB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AAGvB,QAAA,MAAM,GAAA,GAAM,WAAA,CAAY,IAAA,CAAK,WAAA,EAAmC,OAAO,CAAA;AACvE,QAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,GAAA,EAAK,CAAA;AAAA,QAClC;AAEA,QAAA,MAAM,MAAA,GAAS,kBAAA;AAAA,UACb,SAAA;AAAA,UACA,GAAA;AAAA,UACA,eAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA,CAAK;AAAA,SACP;AAEA,QAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,UAAA,QAAA,CAAS,OAAO,IAAA,EAAM,mBAAA,EAAqB,IAAI,IAAA,CAAK,WAAA,EAAa,QAAW,SAAS,CAAA;AACrF,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,CAAO,OAAO,CAAA;AAAA,QAC3C;AAEA,QAAA,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,OAAA,CAAQ,UAAA,EAAY,OAAO,OAAO,CAAA;AAEtD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,GAAA,CAAI,KAAK,WAAW,CAAA;AAE/D,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,UAAA,EAAY,OAAO,OAAA,CAAQ,UAAA;AAAA,UAC3B,UAAU,MAAA,CAAO,QAAA;AAAA,UACjB,YAAA,EACE,kJAAA;AAAA;AAAA,UAGF,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,8BAAA;AAAA,MACN,WAAA,EACE,wJAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAA,EAAc,UAAU;AAAA,OACrC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,UAAA;AACvB,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AAEtB,QAAA,MAAM,OAAA,GAAU,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACtC,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,4BAAA,EAA+B,SAAS,IAAI,CAAA;AAAA,QACzE;AACA,QAAA,IAAI,OAAA,CAAQ,UAAU,WAAA,EAAa;AACjC,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,CAAA,qBAAA,EAAwB,OAAA,CAAQ,KAAK,CAAA,uBAAA;AAAA,WAC7C,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,iBAAA;AAAA,UACb,QAAA;AAAA,UACA,OAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,UAAA,OAAA,CAAQ,KAAA,GAAQ,QAAA;AAChB,UAAA,QAAA,CAAS,MAAA,CAAO,MAAM,oBAAA,EAAsB,OAAA,CAAQ,QAAQ,IAAA,CAAK,WAAA,EAAa,QAAW,SAAS,CAAA;AAClG,UAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,MAAA,CAAO,OAAO,CAAA;AAAA,QAC3C;AAEA,QAAA,OAAA,CAAQ,KAAA,GAAQ,WAAA;AAChB,QAAA,OAAA,CAAQ,YAAY,QAAA,CAAS,GAAA;AAC7B,QAAA,OAAA,CAAQ,cAAc,QAAA,CAAS,eAAA;AAC/B,QAAA,OAAA,CAAQ,SAAS,MAAA,CAAO,MAAA;AAGxB,QAAA,gBAAA,CAAiB,GAAA,CAAI,MAAA,CAAO,MAAA,CAAO,eAAA,EAAiB,OAAO,MAAM,CAAA;AAEjE,QAAA,QAAA,CAAS,OAAO,IAAA,EAAM,oBAAA,EAAsB,OAAA,CAAQ,OAAA,CAAQ,KAAK,WAAW,CAAA;AAE5E,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,QAAQ,MAAA,CAAO,MAAA;AAAA,UACf,YAAA,EACE,+JAAA;AAAA;AAAA,UAGF,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,2FAAA;AAAA,MACF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,YAAY;AAAA,OACzB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,YAAY,IAAA,CAAK,UAAA;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,UAAA;AAExB,QAAA,MAAM,OAAA,GAAU,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA;AACtC,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,4BAAA,EAA+B,SAAS,IAAI,CAAA;AAAA,QACzE;AAGA,QAAA,IAAI,cAAc,OAAA,CAAQ,IAAA,KAAS,WAAA,IAAe,OAAA,CAAQ,UAAU,WAAA,EAAa;AAC/E,UAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,UAAA,EAAY,OAAO,CAAA;AACnD,UAAA,OAAA,CAAQ,KAAA,GAAQ,MAAA,CAAO,QAAA,GAAW,WAAA,GAAc,QAAA;AAChD,UAAA,OAAA,CAAQ,MAAA,GAAS,MAAA;AAGjB,UAAA,IAAI,OAAO,QAAA,EAAU;AACnB,YAAA,gBAAA,CAAiB,GAAA,CAAI,MAAA,CAAO,eAAA,EAAiB,MAAM,CAAA;AAAA,UACrD;AAEA,UAAA,QAAA,CAAS,MAAA;AAAA,YACP,IAAA;AAAA,YACA,6BAAA;AAAA,YACA,OAAA,CAAQ,QAAQ,IAAA,CAAK,WAAA;AAAA,YACrB,MAAA;AAAA,YACA,MAAA,CAAO,WAAW,SAAA,GAAY;AAAA,WAChC;AAEA,UAAA,OAAO,UAAA,CAAW,EAAE,MAAA,EAAQ,CAAA;AAAA,QAC9B;AAGA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,MAAM,OAAA,CAAQ,IAAA;AAAA,UACd,OAAO,OAAA,CAAQ,KAAA;AAAA,UACf,cAAc,OAAA,CAAQ,YAAA;AAAA,UACtB,MAAA,EAAQ,QAAQ,MAAA,IAAU;AAAA,SAC3B,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,OAAO,gBAAA,EAAiB;AACnC;;;AC1PA,IAAM,oBAAA,GAA+C;AAAA,EACnD,mBAAA,EAAqB,IAAA;AAAA,EACrB,kBAAA,EAAoB,IAAA;AAAA,EACpB,iBAAA,EAAmB,KAAA;AAAA,EACnB,mBAAA,EAAqB,CAAC,0BAA0B;AAClD,CAAA;AAEO,IAAM,qBAAN,MAAyB;AAAA,EACtB,KAAA,uBAAY,GAAA,EAA4B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMhD,qBAAA,CACE,MAAA,EACA,OAAA,EACA,YAAA,EACgB;AAChB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,OAAO,eAAe,CAAA;AACtD,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,MAAM,IAAA,GAAuB;AAAA,MAC3B,SAAS,MAAA,CAAO,eAAA;AAAA,MAChB,QAAA,EAAU,OAAA;AAAA,MACV,UAAA,EAAY,UAAU,UAAA,IAAc,GAAA;AAAA,MACpC,gBAAgB,MAAA,CAAO,YAAA;AAAA,MACvB,UAAA,EAAY,0BAAA,CAA2B,MAAA,CAAO,UAAU,CAAA;AAAA,MACxD,gBAAA,EAAkB,MAAA;AAAA,MAClB,YAAA,EAAc;AAAA,QACZ,GAAG,oBAAA;AAAA,QACH,GAAI,QAAA,EAAU,YAAA,IAAgB,EAAC;AAAA,QAC/B,GAAI,gBAAgB;AAAC,OACvB;AAAA,MACA,MAAA,EAAQ,OAAO,QAAA,IAAY,IAAI,KAAK,MAAA,CAAO,UAAU,CAAA,mBAAI,IAAI,IAAA;AAAK,KACpE;AAGA,IAAA,IAAI,CAAC,KAAK,MAAA,EAAQ;AAChB,MAAA,IAAA,CAAK,UAAA,GAAa,eAAA;AAAA,IACpB;AAEA,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,MAAA,CAAO,eAAA,EAAiB,IAAI,CAAA;AAC3C,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAQ,MAAA,EAAuC;AAC7C,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,MAAM,CAAA;AAClC,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAGlB,IAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAI,IAAA,CAAK,IAAA,CAAK,iBAAiB,UAAU,CAAA,oBAAK,IAAI,IAAA,EAAK,EAAG;AAC3E,MAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AACd,MAAA,IAAA,CAAK,UAAA,GAAa,eAAA;AAAA,IACpB;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,MAAA,EAAsD;AAC9D,IAAA,MAAM,QAAQ,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,KAAA,CAAM,QAAQ,CAAA;AAG5C,IAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,MAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAI,IAAA,CAAK,IAAA,CAAK,iBAAiB,UAAU,CAAA,oBAAK,IAAI,IAAA,EAAK,EAAG;AAC3E,QAAA,IAAA,CAAK,MAAA,GAAS,KAAA;AACd,QAAA,IAAA,CAAK,UAAA,GAAa,eAAA;AAAA,MACpB;AAAA,IACF;AAEA,IAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,MAAA,OAAO,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA,KAAM,EAAE,MAAM,CAAA;AAAA,IACrC;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAA,CACE,MAAA,EACA,sBAAA,GAAiC,CAAA,EACjC,eAAA,EACqB;AACrB,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA;AAChC,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,MAAA;AAAA,QACT,gBAAA,EAAkB,YAAA;AAAA,QAClB,iBAAA,EAAmB,KAAA;AAAA,QACnB,wBAAA,EAA0B,CAAA;AAAA,QAC1B,WAAA,EAAa,MAAA;AAAA,QACb,OAAA,EAAS,CAAC,uCAAuC,CAAA;AAAA,QACjD,YAAA,EAAc;AAAA,OAChB;AAAA,IACF;AAEA,IAAA,MAAM,UAAoB,EAAC;AAC3B,IAAA,IAAI,KAAA,GAAQ,CAAA;AAGZ,IAAA,IAAI,KAAK,MAAA,EAAQ;AACf,MAAA,OAAA,CAAQ,KAAK,kCAAkC,CAAA;AAC/C,MAAA,KAAA,IAAS,CAAA;AAAA,IACX,CAAA,MAAO;AACL,MAAA,OAAA,CAAQ,KAAK,oCAAoC,CAAA;AACjD,MAAA,KAAA,IAAS,CAAA;AAAA,IACX;AAGA,IAAA,QAAQ,KAAK,UAAA;AAAY,MACvB,KAAK,oBAAA;AACH,QAAA,OAAA,CAAQ,KAAK,oDAA+C,CAAA;AAC5D,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA,MACF,KAAK,mBAAA;AACH,QAAA,OAAA,CAAQ,KAAK,6DAAwD,CAAA;AACrE,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA,MACF,KAAK,eAAA;AACH,QAAA,OAAA,CAAQ,KAAK,wDAAmD,CAAA;AAChE,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA,MACF,KAAK,YAAA;AACH,QAAA,OAAA,CAAQ,KAAK,wCAAmC,CAAA;AAChD,QAAA,KAAA,IAAS,CAAA;AACT,QAAA;AAAA;AAIJ,IAAA,IAAI,yBAAyB,EAAA,EAAI;AAC/B,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,4BAAA,EAA+B,sBAAsB,CAAA,qBAAA,CAAuB,CAAA;AACzF,MAAA,KAAA,IAAS,CAAA;AAAA,IACX,CAAA,MAAA,IAAW,yBAAyB,CAAA,EAAG;AACrC,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,0BAAA,EAA6B,sBAAsB,CAAA,qBAAA,CAAuB,CAAA;AACvF,MAAA,KAAA,IAAS,CAAA;AAAA,IACX,CAAA,MAAO;AACL,MAAA,OAAA,CAAQ,KAAK,+BAA+B,CAAA;AAAA,IAC9C;AAGA,IAAA,IAAI,oBAAoB,MAAA,EAAW;AACjC,MAAA,IAAI,mBAAmB,EAAA,EAAI;AACzB,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,uBAAA,EAA0B,eAAe,CAAA,CAAA,CAAG,CAAA;AACzD,QAAA,KAAA,IAAS,CAAA;AAAA,MACX,CAAA,MAAA,IAAW,mBAAmB,EAAA,EAAI;AAChC,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,2BAAA,EAA8B,eAAe,CAAA,CAAA,CAAG,CAAA;AAC7D,QAAA,KAAA,IAAS,CAAA;AAAA,MACX,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,sBAAA,EAAyB,eAAe,CAAA,CAAA,CAAG,CAAA;AAAA,MAC1D;AAAA,IACF;AAGA,IAAA,IAAI,WAAA;AACJ,IAAA,IAAI,KAAA,IAAS,GAAG,WAAA,GAAc,MAAA;AAAA,SAAA,IACrB,KAAA,IAAS,GAAG,WAAA,GAAc,QAAA;AAAA,SAAA,IAC1B,KAAA,IAAS,GAAG,WAAA,GAAc,KAAA;AAAA,SAC9B,WAAA,GAAc,MAAA;AAEnB,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,MAAA;AAAA,MACT,kBAAkB,IAAA,CAAK,UAAA;AAAA,MACvB,mBAAmB,IAAA,CAAK,MAAA;AAAA,MACxB,gBAAA,EAAkB,eAAA;AAAA,MAClB,wBAAA,EAA0B,sBAAA;AAAA,MAC1B,WAAA;AAAA,MACA,OAAA;AAAA,MACA,YAAA,EAAc;AAAA,KAChB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,MAAA,EAAyB;AAClC,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,MAAM,CAAA;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAA,GAAoD;AAClD,IAAA,MAAM,OAAA,uBAAc,GAAA,EAA6B;AACjD,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,IAAI,CAAA,IAAK,KAAK,KAAA,EAAO;AACnC,MAAA,IAAI,KAAK,MAAA,EAAQ;AACf,QAAA,OAAA,CAAQ,GAAA,CAAI,EAAA,EAAI,IAAA,CAAK,gBAAgB,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;ACzNO,SAAS,qBAAA,CACd,UACA,gBAAA,EAC2D;AAC3D,EAAA,MAAM,QAAA,GAAW,IAAI,kBAAA,EAAmB;AAExC,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,4BAAA;AAAA,MACN,WAAA,EACE,oLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAA,EAAQ,UAAA,EAAY,QAAQ,CAAA;AAAA,YACnC,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,QAAQ;AAAA,OACrB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,SAAS,IAAA,CAAK,MAAA;AAEpB,QAAA,QAAQ,MAAA;AAAQ,UACd,KAAK,MAAA,EAAQ;AACX,YAAA,MAAM,KAAA,GAAQ,SAAS,SAAA,CAAU;AAAA,cAC/B,aAAa,IAAA,CAAK;AAAA,aACnB,CAAA;AAED,YAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,uBAAA,EAAyB,QAAA,EAAU;AAAA,cACvD,YAAY,KAAA,CAAM;AAAA,aACnB,CAAA;AAED,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,gBACvB,SAAS,CAAA,CAAE,OAAA;AAAA,gBACX,UAAU,CAAA,CAAE,QAAA;AAAA,gBACZ,YAAY,CAAA,CAAE,UAAA;AAAA,gBACd,QAAQ,CAAA,CAAE,MAAA;AAAA,gBACV,YAAY,CAAA,CAAE,UAAA;AAAA,gBACd,gBAAgB,CAAA,CAAE,cAAA;AAAA,gBAClB,cAAc,CAAA,CAAE;AAAA,eAClB,CAAE,CAAA;AAAA,cACF,OAAO,KAAA,CAAM;AAAA,aACd,CAAA;AAAA,UACH;AAAA,UAEA,KAAK,UAAA,EAAY;AACf,YAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,YAAA,MAAM,UAAU,IAAA,CAAK,QAAA;AAErB,YAAA,IAAI,CAAC,MAAA,IAAU,CAAC,OAAA,EAAS;AACvB,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO;AAAA,eACR,CAAA;AAAA,YACH;AAGA,YAAA,MAAM,QAAA,GAAW,gBAAA,CAAiB,GAAA,CAAI,MAAM,CAAA;AAC5C,YAAA,IAAI,CAAC,QAAA,EAAU;AACb,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO,0CAA0C,MAAM,CAAA,mEAAA;AAAA,eAExD,CAAA;AAAA,YACH;AAEA,YAAA,IAAI,CAAC,SAAS,QAAA,EAAU;AACtB,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO,mBAAmB,MAAM,CAAA,sEAAA;AAAA,eAEjC,CAAA;AAAA,YACH;AAEA,YAAA,MAAM,IAAA,GAAO,QAAA,CAAS,qBAAA,CAAsB,QAAA,EAAU,OAAO,CAAA;AAE7D,YAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,0BAAA,EAA4B,QAAA,EAAU;AAAA,cAC1D,OAAA,EAAS,MAAA;AAAA,cACT,QAAA,EAAU,OAAA;AAAA,cACV,YAAY,IAAA,CAAK;AAAA,aAClB,CAAA;AAED,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,UAAA,EAAY,IAAA;AAAA,cACZ,SAAS,IAAA,CAAK,OAAA;AAAA,cACd,YAAY,IAAA,CAAK,UAAA;AAAA,cACjB,QAAQ,IAAA,CAAK,MAAA;AAAA,cACb,cAAc,IAAA,CAAK;AAAA,aACpB,CAAA;AAAA,UACH;AAAA,UAEA,KAAK,QAAA,EAAU;AACb,YAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,YAAA,IAAI,CAAC,MAAA,EAAQ;AACX,cAAA,OAAO,UAAA,CAAW,EAAE,KAAA,EAAO,kCAAA,EAAoC,CAAA;AAAA,YACjE;AAEA,YAAA,MAAM,OAAA,GAAU,QAAA,CAAS,UAAA,CAAW,MAAM,CAAA;AAE1C,YAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,wBAAA,EAA0B,QAAA,EAAU;AAAA,cACxD,OAAA,EAAS,MAAA;AAAA,cACT;AAAA,aACD,CAAA;AAED,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,OAAA;AAAA,cACA,OAAA,EAAS;AAAA,aACV,CAAA;AAAA,UACH;AAAA,UAEA;AACE,YAAA,OAAO,WAAW,EAAE,KAAA,EAAO,CAAA,gBAAA,EAAmB,MAAM,IAAI,CAAA;AAAA;AAC5D,MACF;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,qCAAA;AAAA,MACN,WAAA,EACE,sLAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,wBAAA,EAA0B;AAAA,YACxB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAS;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,QAAA,MAAM,WAAA,GAAe,KAAK,wBAAA,IAAuC,CAAA;AACjE,QAAA,MAAM,WAAW,IAAA,CAAK,gBAAA;AAEtB,QAAA,MAAM,UAAA,GAAa,QAAA,CAAS,aAAA,CAAc,MAAA,EAAQ,aAAa,QAAQ,CAAA;AAEvE,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,2BAAA,EAA6B,QAAA,EAAU;AAAA,UAC3D,OAAA,EAAS,MAAA;AAAA,UACT,aAAa,UAAA,CAAW,WAAA;AAAA,UACxB,kBAAkB,UAAA,CAAW;AAAA,SAC9B,CAAA;AAED,QAAA,OAAO,WAAW,UAAU,CAAA;AAAA,MAC9B;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,iIAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,QAAA,GAAW,SAAS,SAAA,EAAU;AACpC,QAAA,MAAM,cAAc,QAAA,CAAS,SAAA,CAAU,EAAE,WAAA,EAAa,MAAM,CAAA;AAG5D,QAAA,MAAM,UAAA,GAAqC;AAAA,UACzC,oBAAA,EAAsB,CAAA;AAAA,UACtB,mBAAA,EAAqB,CAAA;AAAA,UACrB,eAAA,EAAiB,CAAA;AAAA,UACjB,YAAA,EAAc;AAAA,SAChB;AACA,QAAA,KAAA,MAAW,QAAQ,QAAA,EAAU;AAC3B,UAAA,UAAA,CAAW,KAAK,UAAU,CAAA,GAAA,CAAK,WAAW,IAAA,CAAK,UAAU,KAAK,CAAA,IAAK,CAAA;AAAA,QACrE;AAGA,QAAA,MAAM,SAAA,GAAY;AAAA,UAChB,mBAAA,EAAqB,YAAY,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,YAAA,CAAa,mBAAmB,CAAA,CAAE,MAAA;AAAA,UACnF,kBAAA,EAAoB,YAAY,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,YAAA,CAAa,kBAAkB,CAAA,CAAE,MAAA;AAAA,UACjF,iBAAA,EAAmB,YAAY,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,YAAA,CAAa,iBAAiB,CAAA,CAAE;AAAA,SACjF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,QAAA,EAAU;AAAA,UACnD,aAAa,QAAA,CAAS,MAAA;AAAA,UACtB,cAAc,WAAA,CAAY;AAAA,SAC3B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,aAAa,QAAA,CAAS,MAAA;AAAA,UACtB,cAAc,WAAA,CAAY,MAAA;AAAA,UAC1B,aAAA,EAAe,QAAA,CAAS,MAAA,GAAS,WAAA,CAAY,MAAA;AAAA,UAC7C,kBAAA,EAAoB,UAAA;AAAA,UACpB,mBAAA,EAAqB,SAAA;AAAA,UACrB,gBAAA,EAAkB,YAAY,MAAA,GAAS,CAAA;AAAA,UACvC,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,OAAO,QAAA,EAAS;AAC3B;;;ACjOA,aAAA,EAAA;AAEA,aAAA,EAAA;;;ACCA,aAAA,EAAA;AAEA,YAAA,EAAA;AAgBO,SAAS,aAAa,OAAA,EAAuC;AAClE,EAAA,OAAO,aAAA,CAAc,eAAA,CAAgB,OAAO,CAAC,CAAA;AAC/C;AAUA,SAAS,gBAAgB,KAAA,EAAwB;AAC/C,EAAA,IAAI,KAAA,KAAU,MAAM,OAAO,MAAA;AAC3B,EAAA,IAAI,KAAA,KAAU,QAAW,OAAO,MAAA;AAChC,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG;AAC3B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,0CAA0C,KAAK,CAAA,6DAAA;AAAA,OAEjD;AAAA,IACF;AACA,IAAA,IAAI,MAAA,CAAO,EAAA,CAAG,KAAA,EAAO,EAAE,CAAA,EAAG;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AACA,IAAA,OAAO,IAAA,CAAK,UAAU,KAAK,CAAA;AAAA,EAC7B;AACA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,IAAA,CAAK,UAAU,KAAK,CAAA;AAC1D,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,IAAA,OAAO,GAAA,GAAM,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,eAAA,CAAgB,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EAChE;AACA,EAAA,MAAM,GAAA,GAAM,KAAA;AACZ,EAAA,MAAM,IAAA,GAAO,MAAA,CAAO,IAAA,CAAK,GAAG,EAAE,IAAA,EAAK;AACnC,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,GAAA,CAAI,CAAC,MAAM,IAAA,CAAK,SAAA,CAAU,CAAC,CAAA,GAAI,GAAA,GAAM,eAAA,CAAgB,GAAA,CAAI,CAAC,CAAC,CAAC,CAAA;AAC/E,EAAA,OAAO,GAAA,GAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AACjC;AAmBO,SAAS,sBAAA,CACd,OAAA,EACA,QAAA,EACA,qBAAA,EACA,kBAA2B,KAAA,EACT;AAClB,EAAA,MAAM,YAAA,GAAe,CAAA,OAAA,EAAU,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AACxE,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,cAAA,GAAiB,aAAa,OAAO,CAAA;AAC3C,EAAA,MAAM,eAAA,GAAkB,IAAI,WAAA,EAAY,CAAE,OAAO,cAAc,CAAA;AAG/D,EAAA,MAAMjC,OAAAA,GAAS,iBAAiB,eAAe,CAAA;AAG/C,EAAA,IAAI,YAAA;AACJ,EAAA,IAAI,eAAA,IAAmB,OAAO,SAAA,CAAU,OAAA,CAAQ,MAAM,CAAA,IAAK,OAAA,CAAQ,UAAU,CAAA,EAAG;AAC9E,IAAA,MAAM,QAAA,GAAW,wBAAA,CAAyB,OAAA,CAAQ,MAAM,CAAA;AACxD,IAAA,YAAA,GAAe;AAAA,MACb,YAAY,QAAA,CAAS,UAAA;AAAA,MACrB,iBAAiB,QAAA,CAAS;AAAA,KAC5B;AAAA,EACF;AAIA,EAAA,MAAM,iBAAA,GAAoB;AAAA,IACxB,oBAAA,EAAsB,YAAA;AAAA,IACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,mBAAmBA,OAAAA,CAAO,UAAA;AAAA,IAC1B,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,eAAe,QAAA,CAAS,GAAA;AAAA,IACxB,YAAA,EAAc,GAAA;AAAA,IACd,cAAA,EAAgB;AAAA,GAClB;AAKA,EAAA,MAAM,YAAA,GAAe,aAAA,CAAc,eAAA,CAAgB,iBAAiB,CAAC,CAAA;AACrE,EAAA,MAAM,SAAA,GAAY,IAAA,CAAK,YAAA,EAAc,QAAA,CAAS,uBAAuB,qBAAqB,CAAA;AAE1F,EAAA,OAAO;AAAA,IACL,oBAAA,EAAsB,YAAA;AAAA,IACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,mBAAmBA,OAAAA,CAAO,UAAA;AAAA,IAC1B,iBAAiBA,OAAAA,CAAO,eAAA;AAAA,IACxB,eAAe,QAAA,CAAS,GAAA;AAAA,IACxB,SAAA,EAAW,YAAY,SAAS,CAAA;AAAA,IAChC,mBAAA,EAAqB,YAAA;AAAA,IACrB,YAAA,EAAc,GAAA;AAAA,IACd,cAAA,EAAgB;AAAA,GAClB;AACF;AAmBO,SAAS,sBAAA,CACd,UAAA,EACA,OAAA,EACA,kBAAA,EAC0B;AAC1B,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAGnC,EAAA,MAAM,kBAAkB,IAAI,WAAA,GAAc,MAAA,CAAO,YAAA,CAAa,OAAO,CAAC,CAAA;AACtE,EAAA,MAAM,WAAA,GAAc,gBAAA;AAAA,IAClB,UAAA,CAAW,iBAAA;AAAA,IACX,eAAA;AAAA,IACA,UAAA,CAAW;AAAA,GACb;AAKA,EAAA,MAAM,iBAAA,GAAoB;AAAA,IACxB,sBAAsB,UAAA,CAAW,oBAAA;AAAA,IACjC,YAAY,UAAA,CAAW,UAAA;AAAA,IACvB,mBAAmB,UAAA,CAAW,iBAAA;AAAA,IAC9B,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,eAAe,UAAA,CAAW,aAAA;AAAA,IAC1B,cAAc,UAAA,CAAW,YAAA;AAAA,IACzB,gBAAgB,UAAA,CAAW;AAAA,GAC7B;AACA,EAAA,MAAM,YAAA,GAAe,aAAA,CAAc,eAAA,CAAgB,iBAAiB,CAAC,CAAA;AACrE,EAAA,MAAM,QAAA,GAAW,aAAA,CAAc,UAAA,CAAW,SAAS,CAAA;AACnD,EAAA,MAAM,cAAA,GAAiB,MAAA,CAAO,YAAA,EAAc,QAAA,EAAU,kBAAkB,CAAA;AAGxE,EAAA,MAAM,cAAA,GAAiB,UAAA,CAAW,UAAA,KAAe,OAAA,CAAQ,UAAA;AAGzD,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,eAAA,CAAgB,OAAA,CAAQ,KAAK,CAAC,CAAA;AAC/D,EAAA,MAAM,iBAAA,GAAoB,WAAA,CAAY,IAAA,CAAK,UAAU,CAAC,CAAA;AACtD,EAAA,MAAM,cAAA,GAAiB,sBAAsB,OAAA,CAAQ,UAAA;AAGrD,EAAA,IAAI,aAAA;AACJ,EAAA,IAAI,WAAW,mBAAA,EAAqB;AAClC,IAAA,aAAA,GAAgB,wBAAA;AAAA,MACd,WAAW,mBAAA,CAAoB,UAAA;AAAA,MAC/B,OAAA,CAAQ,MAAA;AAAA,MACR,WAAW,mBAAA,CAAoB;AAAA,KACjC;AAAA,EACF;AAEA,EAAA,MAAM,QACJ,WAAA,IACA,cAAA,IACA,cAAA,IACA,cAAA,KACC,kBAAkB,MAAA,IAAa,aAAA,CAAA;AAElC,EAAA,OAAO;AAAA,IACL,KAAA;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,YAAA,EAAc,WAAA;AAAA,MACd,eAAA,EAAiB,cAAA;AAAA,MACjB,gBAAA,EAAkB,cAAA;AAAA,MAClB,gBAAA,EAAkB,cAAA;AAAA,MAClB,cAAA,EAAgB;AAAA,KAClB;AAAA,IACA,sBAAsB,UAAA,CAAW,oBAAA;AAAA,IACjC,WAAA,EAAa;AAAA,GACf;AACF;;;AD1MA,IAAM,cAAN,MAAkB;AAAA,EACR,OAAA;AAAA,EACA,aAAA;AAAA,EAER,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,oBAAoB,CAAA;AAAA,EACvE;AAAA,EAEA,MAAM,IAAA,CAAK,UAAA,EAA8B,OAAA,EAA0C;AACjF,IAAA,MAAM,MAAA,GAAS,EAAE,UAAA,EAAY,OAAA,EAAQ;AACrC,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,SAAA;AAAA,MACA,UAAA,CAAW,oBAAA;AAAA,MACX,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,YAAA,EAC6E;AAC7E,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,WAAW,YAAY,CAAA;AAC3D,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AAAA,IAC5C,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF,CAAA;AAIO,SAAS,iBAAA,CACd,OAAA,EACA,SAAA,EACA,eAAA,EACA,UACA,gBAAA,EAC6B;AAC7B,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,CAAY,OAAA,EAAS,SAAS,CAAA;AACtD,EAAA,MAAM,eAAA,GAAkB,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AAC9D,EAAA,MAAM,qBAAA,GAAwB,gBAAA,CAAiB,SAAA,EAAW,qBAAqB,CAAA;AAC/E,EAAA,MAAM,SAAA,GAAY,gBAAA,oBAAoB,IAAI,GAAA,EAA6B;AAGvE,EAAA,SAAS,gBAAgB,UAAA,EAAqC;AAC5D,IAAA,MAAM,KAAK,UAAA,GACP,eAAA,CAAgB,IAAI,UAAU,CAAA,GAC9B,gBAAgB,UAAA,EAAW;AAC/B,IAAA,IAAI,CAAC,EAAA,EAAI;AACP,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,UAAA,GACI,CAAA,UAAA,EAAa,UAAU,CAAA,WAAA,CAAA,GACvB;AAAA,OACN;AAAA,IACF;AACA,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAG9B;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,6aAAA;AAAA,MAMF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,YAAA,EAAc;AAAA,YACZ,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,YAAA,EAAc;AAAA,YACZ,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,UAAA,EAAY;AAAA,YACV,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,MAAA,EAAQ;AAAA,YACN,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU;AAAA,UACR,YAAA;AAAA,UACA,kBAAA;AAAA,UACA,cAAA;AAAA,UACA,cAAA;AAAA,UACA,OAAA;AAAA,UACA,YAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,OAAA,GAA4B;AAAA,UAChC,YAAY,IAAA,CAAK,UAAA;AAAA,UACjB,kBAAkB,IAAA,CAAK,gBAAA;AAAA,UACvB,cAAc,IAAA,CAAK,YAAA;AAAA,UACnB,cAAc,IAAA,CAAK,YAAA;AAAA,UACnB,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,YAAY,IAAA,CAAK,UAAA;AAAA,UACjB,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,aAAa,IAAA,CAAK,WAAA;AAAA,UAClB,iBAAiB,IAAA,CAAK;AAAA,SACxB;AAEA,QAAA,MAAM,QAAA,GAAW,eAAA,CAAgB,IAAA,CAAK,WAAiC,CAAA;AACvE,QAAA,MAAM,eAAA,GAAmB,KAAK,gBAAA,IAAgC,KAAA;AAE9D,QAAA,MAAM,gBAAA,GAAmB,sBAAA;AAAA,UACvB,OAAA;AAAA,UACA,QAAA;AAAA,UACA,qBAAA;AAAA,UACA;AAAA,SACF;AAGA,QAAA,MAAM,WAAA,CAAY,IAAA,CAAK,gBAAA,EAAkB,OAAO,CAAA;AAEhD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC3D,sBAAsB,gBAAA,CAAiB,oBAAA;AAAA,UACvC,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,cAAc,OAAA,CAAQ,YAAA,KAAiB,SAAS,GAAA,GAC5C,OAAA,CAAQ,eACR,OAAA,CAAQ;AAAA,SACb,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,sBAAsB,gBAAA,CAAiB,oBAAA;AAAA,UACvC,YAAY,gBAAA,CAAiB,UAAA;AAAA,UAC7B,mBAAmB,gBAAA,CAAiB,iBAAA;AAAA,UACpC,eAAe,gBAAA,CAAiB,aAAA;AAAA,UAChC,WAAW,gBAAA,CAAiB,SAAA;AAAA,UAC5B,mBAAA,EAAqB,iBAAiB,mBAAA,GAClC,EAAE,YAAY,gBAAA,CAAiB,mBAAA,CAAoB,YAAW,GAC9D,MAAA;AAAA,UACJ,cAAc,gBAAA,CAAiB,YAAA;AAAA,UAC/B,gBAAgB,gBAAA,CAAiB,cAAA;AAAA,UACjC,IAAA,EAAM;AAAA,SAGP,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,uUAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,oBAAA,EAAsB;AAAA,YACpB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,oBAAA,EAAsB;AAAA,YACpB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AAGJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,sBAAsB;AAAA,OACnC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAe,IAAA,CAAK,oBAAA;AAC1B,QAAA,MAAM,oBAAoB,IAAA,CAAK,oBAAA;AAG/B,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA;AACjD,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,sBAAsB,YAAY,CAAA,WAAA;AAAA,WAC1C,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,EAAE,UAAA,EAAY,gBAAA,EAAkB,OAAA,EAAQ,GAAI,MAAA;AAGlD,QAAA,IAAI,SAAA;AACJ,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,SAAA,GAAY,cAAc,iBAAiB,CAAA;AAAA,QAC7C,CAAA,MAAO;AAEL,UAAA,MAAM,eAAA,GAAkB,gBAAgB,IAAA,EAAK;AAC7C,UAAA,MAAM,KAAA,GAAQ,gBAAgB,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,GAAA,KAAQ,iBAAiB,aAAa,CAAA;AAClF,UAAA,IAAI,CAAC,KAAA,EAAO;AACV,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,CAAA,yCAAA,EAA4C,gBAAA,CAAiB,aAAa,CAAA,0DAAA;AAAA,aAElF,CAAA;AAAA,UACH;AACA,UAAA,SAAA,GAAY,aAAA,CAAc,MAAM,UAAU,CAAA;AAAA,QAC5C;AAEA,QAAA,MAAM,MAAA,GAAS,sBAAA,CAAuB,gBAAA,EAAkB,OAAA,EAAS,SAAS,CAAA;AAE1E,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,EAAU;AAAA,UAC/C,oBAAA,EAAsB,YAAA;AAAA,UACtB,YAAY,gBAAA,CAAiB,UAAA;AAAA,UAC7B,OAAO,MAAA,CAAO;AAAA,SACf,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,GAAG,MAAA;AAAA,UACH,YAAY,gBAAA,CAAiB,UAAA;AAAA,UAC7B,eAAe,gBAAA,CAAiB,aAAA;AAAA;AAAA,UAEhC,cAAA,EAAgB;AAAA,SACjB,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAIA;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,WAAA,EACE,+WAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,oBAAA,EAAsB;AAAA,YACpB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAU,UAAU,CAAA;AAAA,YACnD,WAAA,EAAa;AAAA,WACf;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WACJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,sBAAA,EAAwB,gBAAgB;AAAA,OACrD;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAe,IAAA,CAAK,oBAAA;AAC1B,QAAA,MAAM,gBAAgB,IAAA,CAAK,cAAA;AAK3B,QAAA,MAAM,OAAA,GAAW,IAAA,CAAK,OAAA,IAAsC,EAAC;AAC7D,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAGxB,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA;AACjD,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,sBAAsB,YAAY,CAAA,WAAA;AAAA,WAC1C,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,EAAE,SAAQ,GAAI,MAAA;AACpB,QAAA,MAAM,QAAA,GAAW,gBAAgB,UAAU,CAAA;AAG3C,QAAA,MAAM,kBACJ,OAAA,CAAQ,YAAA,KAAiB,SAAS,GAAA,GAC9B,OAAA,CAAQ,eACR,OAAA,CAAQ,YAAA;AAId,QAAA,MAAM,oBAAA,GAAuB,eAAA,CAAgB,IAAA,EAAK,CAAE,IAAA;AAAA,UAClD,CAAC,EAAA,KAAO,eAAA,CAAgB,IAAI,EAAA,CAAG,WAAW,GAAG,GAAA,KAAQ;AAAA,SACvD;AACA,QAAA,MAAM,QAAA,GAAyB,WAAA,CAAY,eAAA,EAAiB,SAAA,EAAW,oBAAoB,CAAA;AAC3F,QAAA,MAAM,OAAO,QAAA,CAAS,gBAAA;AAGtB,QAAA,MAAM,WAAA,GAAc;AAAA,UAClB,GAAG,OAAA;AAAA,UACH,oBAAoB,OAAA,CAAQ;AAAA,SAC9B;AAGA,QAAA,MAAM,WAAA,GAAc,MAAM,eAAA,CAAgB,MAAA;AAAA,UACxC,OAAA,CAAQ,UAAA;AAAA;AAAA,UACR,eAAA;AAAA,UACA;AAAA,YACE,IAAA,EAAM,aAAA;AAAA,YACN,MAAA,EAAQ,aAAA;AAAA,YACR,OAAA,EAAS;AAAA,WACX;AAAA,UACA,kBAAA;AAAA;AAAA,UACA,QAAA;AAAA,UACA,qBAAA;AAAA,UACA,MAAA;AAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,eAAA,EAAiB,QAAA,CAAS,WAAA,EAAa;AAAA,UAC3D,oBAAA,EAAsB,YAAA;AAAA,UACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,cAAA,EAAgB,YAAY,WAAA,CAAY,cAAA;AAAA,UACxC,gBAAA,EAAkB,eAAA;AAAA,UAClB,gBAAA,EAAkB;AAAA,SACnB,CAAA;AAED,QAAA,MAAM,MAAA,GAAS,aAAa,IAAI,CAAA;AAEhC,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,cAAA,EAAgB,YAAY,WAAA,CAAY,cAAA;AAAA,UACxC,oBAAA,EAAsB,YAAA;AAAA,UACtB,YAAY,OAAA,CAAQ,UAAA;AAAA,UACpB,gBAAA,EAAkB,eAAA;AAAA,UAClB,cAAA,EAAgB,aAAA;AAAA,UAChB,gBAAA,EAAkB,IAAA;AAAA,UAClB,aAAa,WAAA,CAAY,WAAA;AAAA,UACzB,IAAA,EAAM,CAAA,+EAAA,EAC8B,IAAI,CAAA,UAAA,EAAa,MAAM,CAAA,EAAA;AAAA,SAC5D,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;AE9YA,SAAS,iBAAiB,GAAA,EAAsB;AAE9C,EAAA,IAAI,OAAA,GAAU,GAAA,CAAI,OAAA,CAAQ,aAAA,EAAe,EAAE,CAAA;AAE3C,EAAA,OAAA,GAAU,OAAA,CAAQ,OAAA,CAAQ,mBAAA,EAAqB,EAAE,CAAA;AAEjD,EAAA,OAAA,GAAU,OAAA,CAAQ,OAAA,CAAQ,cAAA,EAAgB,IAAI,CAAA;AAC9C,EAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAC3B;AAKA,eAAe,WAAW,IAAA,EAAgC;AACxD,EAAA,IAAI;AACF,IAAA,MAAMsC,gBAAO,IAAI,CAAA;AACjB,IAAA,OAAO,IAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAKA,eAAe,aAAa,IAAA,EAAsC;AAChE,EAAA,IAAI;AACF,IAAA,OAAO,MAAM/B,iBAAAA,CAAS,IAAA,EAAM,OAAO,CAAA;AAAA,EACrC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMA,eAAsB,iBAAA,CACpB,QACA,QAAA,EACiC;AACjC,EAAA,MAAM,WAAA,GAAsC;AAAA,IAC1C,mBAAA,EAAqB,IAAA;AAAA;AAAA,IACrB,mBAAmB,MAAA,CAAO,OAAA;AAAA,IAC1B,iBAAA,EAAmB,KAAA;AAAA,IACnB,gBAAA,EAAkB,IAAA;AAAA,IAClB,eAAA,EAAiB,IAAA;AAAA,IACjB,cAAc,OAAA,CAAQ,OAAA;AAAA,IACtB,UAAU,CAAA,EAAG,OAAA,CAAQ,QAAQ,CAAA,CAAA,EAAI,QAAQ,IAAI,CAAA;AAAA,GAC/C;AAEA,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,WAAA;AAAA,EACT;AAGA,EAAA,MAAM,OAAOF,UAAAA,EAAQ;AACrB,EAAA,MAAM,kBAAA,GAAqBD,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,eAAe,CAAA;AAClE,EAAA,MAAM,eAAA,GAAkBA,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,MAAM,CAAA;AACtD,EAAA,MAAM,kBAAA,GAAqBA,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,aAAa,WAAW,CAAA;AAC3E,EAAA,MAAM,iBAAA,GAAoBA,SAAAA,CAAK,IAAA,EAAM,WAAA,EAAa,aAAa,QAAQ,CAAA;AAEvE,EAAA,MAAM,YAAA,GAAe,MAAM,UAAA,CAAW,kBAAkB,CAAA;AACxD,EAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,eAAe,CAAA;AAClD,EAAA,MAAM,YAAA,GAAe,MAAM,UAAA,CAAW,kBAAkB,CAAA;AACxD,EAAA,MAAM,eAAA,GAAkB,MAAM,UAAA,CAAW,iBAAiB,CAAA;AAG1D,EAAA,IAAI,YAAA,IAAgB,gBAAgB,eAAA,EAAiB;AACnD,IAAA,WAAA,CAAY,iBAAA,GAAoB,IAAA;AAChC,IAAA,WAAA,CAAY,kBAAkB,MAAM,mBAAA;AAAA,MAClC,kBAAA;AAAA,MACA,eAAA;AAAA,MACA,kBAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,WAAA;AACT;AAKA,eAAe,oBACb,UAAA,EACA,OAAA,EACA,WAAA,EACA,YAAA,EACA,WACA,YAAA,EAC8B;AAC9B,EAAA,MAAM,KAAA,GAA6B;AAAA,IACjC,WAAA,EAAa,eAAe,UAAA,GAAa,IAAA;AAAA,IACzC,wBAAA,EAA0B,KAAA;AAAA,IAC1B,qBAAA,EAAuB,KAAA;AAAA,IACvB,oBAAoB,EAAC;AAAA,IACrB,mBAAmB,EAAC;AAAA,IACpB,gBAAA,EAAkB,KAAA;AAAA;AAAA,IAClB,gBAAA,EAAkB,KAAA;AAAA,IAClB,iBAAA,EAAmB,KAAA;AAAA,IACnB,kBAAA,EAAoB,KAAA;AAAA,IACpB,iBAAA,EAAmB;AAAA,GACrB;AAGA,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,MAAM,GAAA,GAAM,MAAM,YAAA,CAAa,UAAU,CAAA;AACzC,IAAA,IAAI,GAAA,EAAK;AACP,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,iBAAiB,GAAG,CAAA;AAOnC,QAAA,MAAM,QAAQ,MAAA,CAAO,KAAA;AACrB,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,MAAM,iBAAiB,KAAA,CAAM,gBAAA;AAC7B,UAAA,IAAI,cAAA,EAAgB;AAClB,YAAA,MAAM,OAAA,GAAU,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAC7C,YAAA,KAAA,CAAM,wBAAA,GAA2B,OAAA,CAAQ,QAAA,CAAS,iBAAiB,CAAA;AAAA,UACrE;AAAA,QACF;AAGA,QAAA,MAAM,QAAQ,MAAA,CAAO,KAAA;AACrB,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,MAAM,UAAU,KAAA,CAAM,OAAA;AACtB,UAAA,IAAI,OAAA,EAAS;AACX,YAAA,MAAM,eAAe,OAAA,CAAQ,KAAA;AAC7B,YAAA,IAAI,YAAA,EAAc;AAChB,cAAA,KAAA,CAAM,qBAAA,GAAwB,IAAA;AAC9B,cAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,YAAA,CAAa,KAAK,CAAA,EAAG;AACrC,gBAAA,KAAA,CAAM,kBAAA,GAAqB,aAAa,KAAA,CAAM,MAAA;AAAA,kBAC5C,CAAC,IAAA,KAAyB,OAAO,IAAA,KAAS;AAAA,iBAC5C;AAAA,cACF;AAEA,cAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,YAAA,CAAa,SAAS,CAAA,EAAG;AACzC,gBAAA,KAAA,CAAM,kBAAA,GAAqB;AAAA,kBACzB,GAAG,KAAA,CAAM,kBAAA;AAAA,kBACT,GAAG,aAAa,SAAA,CAAU,MAAA;AAAA,oBACxB,CAAC,IAAA,KAAyB,OAAO,IAAA,KAAS;AAAA;AAC5C,iBACF;AAAA,cACF;AACA,cAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,YAAA,CAAa,IAAI,CAAA,EAAG;AACpC,gBAAA,KAAA,CAAM,iBAAA,GAAoB,aAAa,IAAA,CAAK,MAAA;AAAA,kBAC1C,CAAC,IAAA,KAAyB,OAAO,IAAA,KAAS;AAAA,iBAC5C;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAGA,QAAA,MAAM,aAAa,MAAA,CAAO,UAAA;AAC1B,QAAA,IAAI,cAAc,MAAA,CAAO,IAAA,CAAK,UAAU,CAAA,CAAE,SAAS,CAAA,EAAG;AACpD,UAAA,KAAA,CAAM,iBAAA,GAAoB,IAAA;AAAA,QAC5B;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,MAAM,UAAA,GAAa,MAAM,YAAA,CAAa,OAAO,CAAA;AAC7C,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,cAAA,GAAiB;AAAA,QACrB,oBAAA;AAAA,QACA,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,qBAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,KAAA,CAAM,gBAAA,GAAmB,eAAe,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,IAAA,CAAK,UAAU,CAAC,CAAA;AACtE,MAAA,KAAA,CAAM,iBAAA,GAAoB,4BAAA,CAA6B,IAAA,CAAK,UAAU,CAAA;AAAA,IACxE;AAAA,EACF;AAGA,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,KAAA,CAAM,gBAAA,GAAmB,KAAA;AAAA,EAC3B;AAEA,EAAA,OAAO,KAAA;AACT;;;AC3LA,IAAM,qBAAA,GAAwB,EAAA;AAC9B,IAAM,yBAAA,GAA4B,EAAA;AAClC,IAAM,yBAAA,GAA4B,CAAA;AAClC,IAAM,iBAAA,GAAoB,CAAA;AAG1B,IAAM,kBAAA,GAAqB,EAAA;AAC3B,IAAM,cAAA,GAAiB,CAAA;AACvB,IAAM,oBAAA,GAAuB,CAAA;AAC7B,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,iBAAA,GAAoB,CAAA;AAC1B,IAAM,oBAAA,GAAuB,CAAA;AAM7B,IAAM,oBAAA,GAAuB,CAAA;AAC7B,IAAM,YAAA,GAAe,CAAA;AACrB,IAAM,sBAAA,GAAyB,CAAA;AAG/B,IAAM,sBAAA,GAAyB,CAAA;AAC/B,IAAM,sBAAA,GAAyB,CAAA;AAC/B,IAAM,kBAAA,GAAqB,CAAA;AAC3B,IAAM,oBAAA,GAAuB,CAAA;AAG7B,IAAM,cAAA,GAAyC;AAAA,EAC7C,QAAA,EAAU,CAAA;AAAA,EACV,IAAA,EAAM,CAAA;AAAA,EACN,MAAA,EAAQ,CAAA;AAAA,EACR,GAAA,EAAK;AACP,CAAA;AAKA,IAAM,kBAAA,GAAoC;AAAA,EACxC,EAAA,EAAI,gBAAA;AAAA,EACJ,IAAA,EAAM,mDAAA;AAAA,EACN,IAAA,EAAM,YAAA;AAAA,EACN,WAAA,EACE;AAEJ,CAAA;AAEA,IAAM,yBAAA,GAA2C;AAAA,EAC/C,EAAA,EAAI,mBAAA;AAAA,EACJ,IAAA,EAAM,mDAAA;AAAA,EACN,IAAA,EAAM,YAAA;AAAA,EACN,WAAA,EACE,8KAAA;AAAA,EAEF,IAAA,EAAM;AAAA,IACJ,gBAAA;AAAA,IACA,gBAAA;AAAA,IACA;AAAA;AAEJ,CAAA;AAEA,IAAM,wBAAA,GAA0C;AAAA,EAC9C,EAAA,EAAI,oBAAA;AAAA,EACJ,IAAA,EAAM,6DAAA;AAAA,EACN,IAAA,EAAM,SAAA;AAAA,EACN,WAAA,EACE;AAEJ,CAAA;AAYA,IAAM,yBAAA,GAA2C;AAAA,EAC/C,EAAA,EAAI,uBAAA;AAAA,EACJ,IAAA,EAAM,gEAAA;AAAA,EACN,IAAA,EAAM,YAAA;AAAA,EACN,WAAA,EACE;AAGJ,CAAA;AAKO,SAAS,kBAAA,CACd,KACA,MAAA,EACwB;AACxB,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAA,EAAK,MAAM,CAAA;AAC/B,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAW,CAAA;AAC/B,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAW,CAAA;AAC/B,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,GAAW,CAAA;AAE/B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,QAAQ,EAAE,CAAA;AAE1B,EAAA,MAAM,YAAA,GAAe,OAAA,GAAU,OAAA,GAAU,OAAA,GAAU,OAAA;AAEnD,EAAA,MAAM,gBAAA,GAAmB,gBAAgB,EAAA,GACrC,MAAA,GACA,gBAAgB,EAAA,GACd,SAAA,GACA,YAAA,IAAgB,EAAA,GACd,SAAA,GACA,MAAA;AAER,EAAA,MAAM,OAAO,YAAA,CAAa,GAAA,EAAK,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AAC7C,EAAA,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,cAAA,CAAe,CAAA,CAAE,QAAQ,CAAA,GAAI,cAAA,CAAe,CAAA,CAAE,QAAQ,CAAC,CAAA;AAE3E,EAAA,MAAM,kBAAkB,uBAAA,CAAwB,GAAA,EAAK,EAAA,EAAI,EAAA,EAAI,IAAI,EAAE,CAAA;AAEnE,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,KAAA;AAAA,IACT,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IACnC,WAAA,EAAa,GAAA;AAAA,IACb,MAAA,EAAQ;AAAA,MACN,YAAA,EAAc,EAAA;AAAA,MACd,cAAA,EAAgB,EAAA;AAAA,MAChB,uBAAA,EAAyB,EAAA;AAAA,MACzB,aAAA,EAAe;AAAA,KACjB;AAAA,IACA,aAAA,EAAe,YAAA;AAAA,IACf,iBAAA,EAAmB,gBAAA;AAAA,IACnB,IAAA;AAAA,IACA;AAAA,GACF;AACF;AAIA,SAAS,QAAA,CACP,KACA,MAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,MAAM,gBAAA,GAAmB,eAAA;AACzB,EAAA,MAAM,UAAA,GAAa,kBAAkB,MAAA,GAAkB,MAAA;AACvD,EAAA,MAAM,qBAAA,GAAwB,eAAA;AAC9B,EAAA,MAAM,qBAAA,GAAwB,eAAA;AAC9B,EAAA,MAAM,aAAA,GAAgB,eAAA;AAEtB,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,QAAA,CAAS,KAAK,6CAA6C,CAAA;AAC3D,IAAA,QAAA,CAAS,IAAA,CAAK,CAAA,gBAAA,EAAmB,MAAA,CAAO,KAAA,CAAM,cAAc,CAAA,CAAE,CAAA;AAC9D,IAAA,QAAA,CAAS,IAAA,CAAK,CAAA,mBAAA,EAAsB,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA,CAAE,CAAA;AACpE,IAAA,QAAA,CAAS,KAAK,uCAAuC,CAAA;AACrD,IAAA,QAAA,CAAS,KAAK,+BAA+B,CAAA;AAAA,EAC/C;AAEA,EAAA,IAAI,GAAA,CAAI,iBAAA,IAAqB,GAAA,CAAI,eAAA,EAAiB;AAChD,IAAA,IAAI,CAAC,GAAA,CAAI,eAAA,CAAgB,gBAAA,EAAkB;AACzC,MAAA,QAAA,CAAS,KAAK,oEAAoE,CAAA;AAAA,IACpF;AACA,IAAA,IAAI,GAAA,CAAI,gBAAgB,gBAAA,EAAkB;AACxC,MAAA,QAAA,CAAS,KAAK,uDAAuD,CAAA;AAAA,IACvE;AAAA,EACF;AAEA,EAAA,MAAM,SAAS,gBAAA,IAAoB,qBAAA,GAC/B,QAAA,GACA,gBAAA,IAAoB,wBAClB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,kBAAA,EAAoB,gBAAA;AAAA,IACpB,WAAA,EAAa,UAAA;AAAA,IACb,sBAAA,EAAwB,qBAAA;AAAA,IACxB,sBAAA,EAAwB,qBAAA;AAAA,IACxB,cAAA,EAAgB,aAAA;AAAA,IAChB;AAAA,GACF;AACF;AAEA,SAAS,QAAA,CACP,KACA,OAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,IAAI,YAAA,GAAiD,MAAA;AACrD,EAAA,IAAI,0BAAA,GAA6B,KAAA;AACjC,EAAA,IAAI,mBAAA,GAAsB,KAAA;AAC1B,EAAA,IAAI,gBAAA,GAAmB,KAAA;AACvB,EAAA,IAAI,cAAA,GAAuD,MAAA;AAC3D,EAAA,IAAI,aAAA,GAAgB,KAAA;AACpB,EAAA,IAAI,yBAAA,GAAoE,MAAA;AAExE,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,YAAA,GAAe,YAAA;AACf,IAAA,0BAAA,GAA6B,IAAA;AAC7B,IAAA,mBAAA,GAAsB,IAAA;AACtB,IAAA,gBAAA,GAAmB,IAAA;AACnB,IAAA,aAAA,GAAgB,IAAA;AAChB,IAAA,QAAA,CAAS,KAAK,yCAAyC,CAAA;AACvD,IAAA,QAAA,CAAS,KAAK,wDAAwD,CAAA;AACtE,IAAA,QAAA,CAAS,KAAK,8BAA8B,CAAA;AAC5C,IAAA,QAAA,CAAS,KAAK,8DAA8D,CAAA;AAAA,EAC9E;AAEA,EAAA,IAAI,GAAA,CAAI,iBAAA,IAAqB,GAAA,CAAI,eAAA,EAAiB;AAChD,IAAA,IAAI,GAAA,CAAI,gBAAgB,wBAAA,EAA0B;AAChD,MAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,QAAA,YAAA,GAAe,QAAA;AAAA,MACjB;AACA,MAAA,QAAA,CAAS,KAAK,6DAA6D,CAAA;AAAA,IAC7E;AACA,IAAA,IAAI,GAAA,CAAI,gBAAgB,qBAAA,EAAuB;AAC7C,MAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,QAAA,cAAA,GAAiB,OAAA;AAAA,MACnB;AACA,MAAA,QAAA,CAAS,IAAA;AAAA,QACP,CAAA,gCAAA,EAAmC,IAAI,eAAA,CAAgB,kBAAA,CAAmB,MAAM,CAAA,UAAA,EAC7E,GAAA,CAAI,eAAA,CAAgB,iBAAA,CAAkB,MAAM,CAAA,QAAA;AAAA,OACjD;AAAA,IACF;AAAA,EACF;AAKA,EAAA,yBAAA,GAA4B,MAAA;AAE5B,EAAA,MAAM,MAAA,GAAS,iBAAiB,YAAA,IAAgB,mBAAA,GAC5C,WACA,YAAA,KAAiB,MAAA,IAAU,mBACzB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,aAAA,EAAe,YAAA;AAAA,IACf,4BAAA,EAA8B,0BAAA;AAAA,IAC9B,qBAAA,EAAuB,mBAAA;AAAA,IACvB,kBAAA,EAAoB,gBAAA;AAAA,IACpB,eAAA,EAAiB,kBAAkB,iBAAA,GAAoB,cAAA;AAAA,IACvD,cAAA,EAAgB,aAAA;AAAA,IAChB,2BAAA,EAA6B,yBAAA;AAAA,IAC7B;AAAA,GACF;AACF;AAEA,SAAS,QAAA,CACP,KACA,OAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,IAAI,gBAAA,GAA+D,MAAA;AACnE,EAAA,IAAI,QAAA,GAAW,KAAA;AACf,EAAA,IAAI,yBAAA,GAA4B,KAAA;AAEhC,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,gBAAA,GAAmB,iBAAA;AACnB,IAAA,QAAA,GAAW,IAAA;AACX,IAAA,yBAAA,GAA4B,IAAA;AAC5B,IAAA,QAAA,CAAS,KAAK,8CAA8C,CAAA;AAC5D,IAAA,QAAA,CAAS,KAAK,8EAAyE,CAAA;AACvF,IAAA,QAAA,CAAS,KAAK,+EAA0E,CAAA;AACxF,IAAA,QAAA,CAAS,KAAK,4CAA4C,CAAA;AAC1D,IAAA,QAAA,CAAS,KAAK,gEAAgE,CAAA;AAAA,EAChF;AAEA,EAAA,MAAM,SAAS,gBAAA,KAAqB,iBAAA,IAAqB,WACrD,QAAA,GACA,gBAAA,KAAqB,SACnB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,iBAAA,EAAmB,gBAAA;AAAA,IACnB,qBAAA,EAAuB,QAAA;AAAA,IACvB,2BAAA,EAA6B,yBAAA;AAAA,IAC7B;AAAA,GACF;AACF;AAEA,SAAS,QAAA,CACP,KACA,OAAA,EACe;AACf,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,kBAAkB,GAAA,CAAI,mBAAA;AAE5B,EAAA,MAAM,kBAAA,GAAqB,eAAA;AAC3B,EAAA,MAAM,gBAAA,GAAmB,eAAA;AACzB,EAAA,MAAM,cAAA,GAAiB,eAAA;AACvB,EAAA,MAAM,gBAAA,GAAmB,eAAA;AAEzB,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,QAAA,CAAS,KAAK,2CAA2C,CAAA;AACzD,IAAA,QAAA,CAAS,KAAK,oCAAoC,CAAA;AAClD,IAAA,QAAA,CAAS,KAAK,oCAAoC,CAAA;AAClD,IAAA,QAAA,CAAS,KAAK,2CAA2C,CAAA;AAAA,EAC3D,CAAA,MAAO;AACL,IAAA,QAAA,CAAS,KAAK,wCAAwC,CAAA;AAAA,EACxD;AAEA,EAAA,MAAM,SAAS,kBAAA,IAAsB,gBAAA,IAAoB,mBACrD,QAAA,GACA,kBAAA,IAAsB,mBACpB,SAAA,GACA,UAAA;AAEN,EAAA,OAAO;AAAA,IACL,MAAA;AAAA,IACA,mBAAA,EAAqB,kBAAA;AAAA,IACrB,iBAAA,EAAmB,gBAAA;AAAA,IACnB,0BAAA,EAA4B,cAAA;AAAA,IAC5B,uBAAA,EAAyB,gBAAA;AAAA,IACzB;AAAA,GACF;AACF;AAIA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,EAAA,CAAG,oBAAoB,KAAA,IAAS,qBAAA;AACpC,EAAA,IAAI,EAAA,CAAG,wBAAwB,KAAA,IAAS,yBAAA;AACxC,EAAA,IAAI,EAAA,CAAG,wBAAwB,KAAA,IAAS,yBAAA;AACxC,EAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,IAAS,iBAAA;AAChC,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,EAAA,CAAG,aAAA,KAAkB,YAAA,EAAc,KAAA,IAAS,kBAAA;AAAA,OAAA,IACvC,EAAA,CAAG,aAAA,KAAkB,QAAA,EAAU,KAAA,IAAS,cAAA;AACjD,EAAA,IAAI,EAAA,CAAG,8BAA8B,KAAA,IAAS,oBAAA;AAC9C,EAAA,IAAI,EAAA,CAAG,uBAAuB,KAAA,IAAS,kBAAA;AACvC,EAAA,IAAI,EAAA,CAAG,eAAA,KAAoB,iBAAA,EAAmB,KAAA,IAAS,kBAAA;AAAA,OAAA,IAC9C,EAAA,CAAG,eAAA,KAAoB,OAAA,EAAS,KAAA,IAAS,CAAA;AAClD,EAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,IAAS,iBAAA;AAEhC,EAAA,IAAI,EAAA,CAAG,2BAAA,KAAgC,UAAA,EAAY,KAAA,IAAS,oBAAA;AAAA,OAAA,IACnD,EAAA,CAAG,2BAAA,KAAgC,OAAA,EAAS,KAAA,IAAS,CAAA;AAC9D,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AAGZ,EAAA,IAAI,EAAA,CAAG,iBAAA,KAAsB,iBAAA,EAAmB,KAAA,IAAS,oBAAA;AAAA,OAAA,IAChD,EAAA,CAAG,iBAAA,KAAsB,aAAA,EAAe,KAAA,IAAS,CAAA;AAC1D,EAAA,IAAI,EAAA,CAAG,uBAAuB,KAAA,IAAS,YAAA;AACvC,EAAA,IAAI,EAAA,CAAG,6BAA6B,KAAA,IAAS,sBAAA;AAC7C,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,QAAQ,EAAA,EAA2B;AAC1C,EAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,EAAA,IAAI,EAAA,CAAG,qBAAqB,KAAA,IAAS,sBAAA;AACrC,EAAA,IAAI,EAAA,CAAG,mBAAmB,KAAA,IAAS,sBAAA;AACnC,EAAA,IAAI,EAAA,CAAG,4BAA4B,KAAA,IAAS,kBAAA;AAC5C,EAAA,IAAI,EAAA,CAAG,yBAAyB,KAAA,IAAS,oBAAA;AACzC,EAAA,OAAO,KAAA;AACT;AAIA,SAAS,YAAA,CACP,GAAA,EACA,EAAA,EACA,EAAA,EACA,IACA,EAAA,EACkB;AAClB,EAAA,MAAM,OAAyB,EAAC;AAChC,EAAA,MAAM,KAAK,GAAA,CAAI,eAAA;AAGf,EAAA,IAAI,EAAA,IAAM,CAAC,EAAA,CAAG,gBAAA,EAAkB;AAC9B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,kCAAA;AAAA,MACP,WAAA,EACE,mOAAA;AAAA,MAGF,kBAAA,EACE,6GAAA;AAAA,MAEF,kBAAA,EACE,4OAAA;AAAA,MAGF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,EAAA,IAAM,GAAG,gBAAA,EAAkB;AAC7B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,iCAAA;AAAA,MACP,WAAA,EACE,0HAAA;AAAA,MAEF,kBAAA,EACE,oFAAA;AAAA,MACF,kBAAA,EACE;AAAA,KAGH,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,sBAAA,EAAwB;AAC9B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,iCAAA;AAAA,MACP,WAAA,EACE,mKAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,2IAAA,GAEA,IAAA;AAAA,MACJ,kBAAA,EACE;AAAA,KAEH,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,EAAA,CAAG,aAAA,KAAkB,QAAA,IAAY,CAAC,GAAG,4BAAA,EAA8B;AACrE,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,6CAAA;AAAA,MACP,WAAA,EACE,qKAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,kWAAA,GAKA,IAAA;AAAA,MACJ,kBAAA,EACE,uPAAA;AAAA,MAGF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH,CAAA,MAAA,IAAW,EAAA,CAAG,aAAA,KAAkB,MAAA,EAAQ;AACtC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO,kBAAA;AAAA,MACP,WAAA,EACE,2EAAA;AAAA,MACF,kBAAA,EAAoB,IAAA;AAAA,MACpB,kBAAA,EACE,yJAAA;AAAA,MAEF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,EAAA,CAAG,oBAAoB,OAAA,EAAS;AAClC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,QAAA;AAAA,MACV,KAAA,EAAO,sDAAA;AAAA,MACP,WAAA,EACE,6GAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,qPAAA,GAGA,IAAA;AAAA,MACJ,kBAAA,EACE,8IAAA;AAAA,MAEF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,cAAA,EAAgB;AACtB,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,gDAAA;AAAA,MACP,WAAA,EACE,oRAAA;AAAA,MAIF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,6LAAA,GAGA,IAAA;AAAA,MACJ,kBAAA,EACE,iRAAA;AAAA,MAIF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,kBAAA,EAAoB;AAC1B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,gBAAA;AAAA,MACP,WAAA,EACE,qHAAA;AAAA,MAEF,kBAAA,EAAoB,IAAA;AAAA,MACpB,kBAAA,EACE,0GAAA;AAAA,MAEF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,EAAA,CAAG,sBAAsB,MAAA,EAAQ;AACnC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,oCAAA;AAAA,MACP,WAAA,EACE,8NAAA;AAAA,MAGF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,oMAAA,GAGA,IAAA;AAAA,MACJ,kBAAA,EACE,uUAAA;AAAA,MAIF,cAAA,EAAgB;AAAA,KACjB,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,CAAC,GAAG,mBAAA,EAAqB;AAC3B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,EAAA,EAAI,YAAA;AAAA,MACJ,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,MAAA;AAAA,MACV,KAAA,EAAO,wBAAA;AAAA,MACP,WAAA,EACE,+HAAA;AAAA,MAEF,kBAAA,EAAoB,GAAA,CAAI,iBAAA,GACpB,iJAAA,GAEA,IAAA;AAAA,MACJ,kBAAA,EACE;AAAA,KAGH,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,IAAA;AACT;AAIA,SAAS,uBAAA,CACP,GAAA,EACA,EAAA,EACA,EAAA,EACA,IACA,EAAA,EACkB;AAClB,EAAA,MAAM,OAAyB,EAAC;AAEhC,EAAA,IAAI,CAAC,GAAG,sBAAA,EAAwB;AAC9B,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,+FAAA;AAAA,MACR,IAAA,EAAM,2BAAA;AAAA,MACN,MAAA,EAAQ,WAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,kBAAA,IAAuB,GAAA,CAAI,mBAAmB,CAAC,GAAA,CAAI,gBAAgB,gBAAA,EAAmB;AAC5F,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,8DAAA;AAAA,MACR,IAAA,EAAM,uBAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAA,CAAK,IAAA,CAAK;AAAA,IACR,QAAA,EAAU,CAAA;AAAA,IACV,MAAA,EAAQ,mEAAA;AAAA,IACR,IAAA,EAAM,wBAAA;AAAA,IACN,MAAA,EAAQ,WAAA;AAAA,IACR,MAAA,EAAQ;AAAA,GACT,CAAA;AAED,EAAA,IAAI,EAAA,CAAG,kBAAkB,YAAA,EAAc;AACrC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,oEAAA;AAAA,MACR,IAAA,EAAM,iCAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,cAAA,EAAgB;AACtB,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,iEAAA;AAAA,MACR,IAAA,EAAM,mCAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,iBAAA,EAAmB;AACzB,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,qEAAA;AAAA,MACR,IAAA,EAAM,6BAAA;AAAA,MACN,MAAA,EAAQ,SAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,IAAI,CAAC,GAAG,2BAAA,EAA6B;AACnC,IAAA,IAAA,CAAK,IAAA,CAAK;AAAA,MACR,QAAA,EAAU,CAAA;AAAA,MACV,MAAA,EAAQ,0DAAA;AAAA,MACR,IAAA,EAAM,iCAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ;AAAA,KACT,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,IAAA;AACT;AAOO,SAAS,kBAAkB,MAAA,EAAwC;AACxE,EAAA,MAAM,EAAE,aAAa,GAAA,EAAK,MAAA,EAAQ,eAAe,iBAAA,EAAmB,IAAA,EAAM,iBAAgB,GAAI,MAAA;AAE9F,EAAA,MAAM,QAAA,GAAW,eAAe,aAAa,CAAA;AAC7C,EAAA,MAAM,UAAA,GAAa,kBAAkB,WAAA,EAAY;AAEjD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,MAAA,IAAU,8RAAA;AACV,EAAA,MAAA,IAAU,8BAAA;AACV,EAAA,MAAA,IAAU,CAAA,aAAA,EAAgB,OAAO,UAAU;AAAA,CAAA;AAC3C,EAAA,MAAA,IAAU,8RAAA;AACV,EAAA,MAAA,IAAU,IAAA;AACV,EAAA,MAAA,IAAU,CAAA,iBAAA,EAAoB,aAAa,CAAA,QAAA,EAAW,QAAQ,KAAK,UAAU;AAAA,CAAA;AAC7E,EAAA,MAAA,IAAU,IAAA;AAGV,EAAA,MAAA,IAAU,kBAAA;AACV,EAAA,MAAA,IAAU,CAAA,oBAAA,EAAkB,GAAA,CAAI,iBAAA,IAAqB,GAAG,IAAI,OAAA,CAAQ,aAAA,IAAiB,GAAA,CAAI,iBAAA,IAAqB,IAAI,CAAC,CAAA,CAAA,EAAI,GAAA,CAAI,mBAAA,GAAsB,qBAAgB,kBAAa;AAAA,CAAA;AAE9K,EAAA,IAAI,IAAI,iBAAA,EAAmB;AACzB,IAAA,MAAA,IAAU,CAAA,kBAAA,EAAgB,OAAA,CAAQ,UAAU,CAAC,CAAA;AAAA,CAAA;AAC7C,IAAA,IAAI,IAAI,eAAA,EAAiB;AACvB,MAAA,MAAA,IAAU,CAAA,kCAAA,EAAgC,QAAQ,0BAA0B,CAAC,IAAI,GAAA,CAAI,eAAA,CAAgB,wBAAA,GAA2B,gBAAA,GAAc,iBAAY;AAAA,CAAA;AAC1J,MAAA,MAAA,IAAU,CAAA,iCAAA,EAA+B,QAAQ,yBAAyB,CAAC,IAAI,GAAA,CAAI,eAAA,CAAgB,qBAAA,GAAwB,eAAA,GAAa,iBAAY;AAAA,CAAA;AAAA,IACtJ;AAAA,EACF;AAEA,EAAA,MAAA,IAAU,IAAA;AAGV,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,YAAY,CAAA;AAC3C,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,cAAc,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,uBAAuB,CAAA;AACtD,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,aAAa,CAAA;AAE5C,EAAA,MAAA,IAAU,uBAAA;AACV,EAAA,MAAA,IAAU,kTAAA;AACV,EAAA,MAAA,IAAU,4EAAA;AACV,EAAA,MAAA,IAAU,kTAAA;AACV,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,YAAA,CAAa,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AAC/G,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,cAAA,CAAe,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AACjH,EAAA,IAAI,MAAA,CAAO,eAAe,cAAA,EAAgB;AACxC,IAAA,MAAA,IAAU,CAAA;AAAA,CAAA;AAAA,EACZ;AACA,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,uBAAA,CAAwB,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AAC1H,EAAA,MAAA,IAAU,CAAA,4CAAA,EAAqC,SAAA,CAAU,MAAA,CAAO,aAAA,CAAc,MAAM,CAAC,CAAA,QAAA,EAAM,QAAA,CAAS,OAAA,EAAS,EAAE,CAAC,CAAA;AAAA,CAAA;AAChH,EAAA,MAAA,IAAU,kTAAA;AACV,EAAA,MAAA,IAAU,IAAA;AAGV,EAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,IAAA,MAAA,IAAU,CAAA,SAAA,EAAO,KAAK,MAAM,CAAA,gBAAA,EAAmB,KAAK,MAAA,KAAW,CAAA,GAAI,MAAM,EAAE,CAAA;AAAA,CAAA;AAC3E,IAAA,MAAA,IAAU,IAAA;AACV,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,MAAM,aAAA,GAAgB,CAAA,CAAA,EAAI,GAAA,CAAI,QAAA,CAAS,aAAa,CAAA,CAAA,CAAA;AACpD,MAAA,MAAA,IAAU,KAAK,aAAa,CAAA,CAAA,EAAI,IAAI,EAAE,CAAA,EAAA,EAAK,IAAI,KAAK;AAAA,CAAA;AAEpD,MAAA,MAAM,SAAA,GAAY,QAAA,CAAS,GAAA,CAAI,WAAA,EAAa,EAAE,CAAA;AAC9C,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,MAAA,IAAU,KAAK,IAAI;AAAA,CAAA;AAAA,MACrB;AACA,MAAA,IAAI,IAAI,cAAA,EAAgB;AACtB,QAAA,MAAM,KAAK,GAAA,CAAI,cAAA;AACf,QAAA,MAAM,MAAA,GAAS,EAAA,CAAG,IAAA,EAAM,MAAA,GAAS,CAAA,EAAA,EAAK,GAAG,IAAA,CAAK,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,GAAM,EAAA;AAC9D,QAAA,MAAA,IAAU,gCAA2B,EAAA,CAAG,IAAI,GAAG,MAAM,CAAA,EAAA,EAAK,GAAG,IAAI,CAAA;AAAA,CAAA;AAAA,MACnE;AACA,MAAA,MAAA,IAAU,iBAAY,GAAA,CAAI,kBAAA,CAAmB,MAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,CAAA;AAC1D,MAAA,IAAI,IAAI,kBAAA,EAAoB;AAC1B,QAAA,MAAA,IAAU,8BAAyB,GAAA,CAAI,kBAAA,CAAmB,MAAM,GAAG,CAAA,CAAE,CAAC,CAAC,CAAA;AAAA,CAAA;AAAA,MACzE;AACA,MAAA,MAAA,IAAU,IAAA;AAAA,IACZ;AAAA,EACF,CAAA,MAAO;AACL,IAAA,MAAA,IAAU,sCAAA;AACV,IAAA,MAAA,IAAU,IAAA;AAAA,EACZ;AAGA,EAAA,IAAI,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC9B,IAAA,MAAA,IAAU,wCAAA;AACV,IAAA,KAAA,MAAW,OAAO,eAAA,EAAiB;AACjC,MAAA,MAAM,WAAA,GAAc,IAAI,MAAA,KAAW,WAAA,GAC/B,cACA,GAAA,CAAI,MAAA,KAAW,YACb,OAAA,GACA,QAAA;AACN,MAAA,MAAA,IAAU,KAAK,GAAA,CAAI,QAAQ,MAAM,WAAW,CAAA,EAAA,EAAK,IAAI,MAAM,CAAA,CAAA;AAC3D,MAAA,IAAI,IAAI,IAAA,EAAM;AACZ,QAAA,MAAA,IAAU,CAAA,EAAA,EAAK,IAAI,IAAI,CAAA,CAAA;AAAA,MACzB;AACA,MAAA,MAAA,IAAU,IAAA;AAAA,IACZ;AACA,IAAA,MAAA,IAAU,IAAA;AAAA,EACZ;AAEA,EAAA,MAAA,IAAU,8RAAA;AAEV,EAAA,OAAO,MAAA;AACT;AAIA,SAAS,eAAe,KAAA,EAAuB;AAC7C,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,KAAA,GAAQ,EAAE,CAAA;AACpC,EAAA,OAAO,GAAA,GAAM,SAAI,MAAA,CAAO,MAAM,IAAI,QAAA,CAAI,MAAA,CAAO,EAAA,GAAK,MAAM,CAAA,GAAI,GAAA;AAC9D;AAEA,SAAS,QAAQ,KAAA,EAAuB;AACtC,EAAA,MAAM,UAAA,GAAa,EAAA;AACnB,EAAA,MAAM,aAAa,IAAA,CAAK,GAAA,CAAI,GAAG,UAAA,GAAa,KAAA,CAAM,SAAS,CAAC,CAAA;AAC5D,EAAA,OAAO,GAAA,CAAI,OAAO,UAAU,CAAA;AAC9B;AAEA,SAAS,UAAU,MAAA,EAAwB;AACzC,EAAA,MAAM,KAAA,GAAQ,OAAO,WAAA,EAAY;AACjC,EAAA,OAAO,KAAA,GAAQ,IAAI,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAM,CAAC,CAAA;AACzD;AAEA,SAAS,QAAA,CAAS,OAAe,GAAA,EAAqB;AACpD,EAAA,MAAM,IAAA,GAAO,CAAA,EAAG,KAAK,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAC5B,EAAA,OAAO,GAAA,CAAI,OAAO,IAAA,CAAK,GAAA,CAAI,GAAG,CAAA,GAAI,IAAA,CAAK,MAAM,CAAC,CAAA,GAAI,IAAA;AACpD;AAEA,SAAS,QAAA,CAAS,MAAc,QAAA,EAA4B;AAC1D,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AAC5B,EAAA,MAAM,QAAkB,EAAC;AACzB,EAAA,IAAI,OAAA,GAAU,EAAA;AACd,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAI,OAAA,CAAQ,SAAS,IAAA,CAAK,MAAA,GAAS,IAAI,QAAA,IAAY,OAAA,CAAQ,SAAS,CAAA,EAAG;AACrE,MAAA,KAAA,CAAM,KAAK,OAAO,CAAA;AAClB,MAAA,OAAA,GAAU,IAAA;AAAA,IACZ,CAAA,MAAO;AACL,MAAA,OAAA,GAAU,OAAA,CAAQ,MAAA,GAAS,CAAA,GAAI,OAAA,GAAU,MAAM,IAAA,GAAO,IAAA;AAAA,IACxD;AAAA,EACF;AACA,EAAA,IAAI,OAAA,CAAQ,MAAA,GAAS,CAAA,EAAG,KAAA,CAAM,KAAK,OAAO,CAAA;AAC1C,EAAA,OAAO,KAAA;AACT;;;ACl0BO,SAAS,iBACd,MAAA,EAC6B;AAC7B,EAAA,MAAM,KAAA,GAA0B;AAAA,IAC9B;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EACE,0QAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA;AAEJ;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,QAAA,GAAW,KAAK,SAAA,KAAc,KAAA;AAGpC,QAAA,MAAM,GAAA,GAAM,MAAM,iBAAA,CAAkB,MAAA,EAAQ,QAAQ,CAAA;AAGpD,QAAA,MAAM,MAAA,GAAS,kBAAA,CAAmB,GAAA,EAAK,MAAM,CAAA;AAG7C,QAAA,MAAM,MAAA,GAAS,kBAAkB,MAAM,CAAA;AAEvC,QAAA,OAAO;AAAA,UACL,OAAA,EAAS;AAAA,YACP,EAAE,IAAA,EAAM,MAAA,EAAiB,IAAA,EAAM,MAAA,EAAO;AAAA,YACtC,EAAE,MAAM,MAAA,EAAiB,IAAA,EAAM,KAAK,SAAA,CAAU,MAAA,EAAQ,IAAA,EAAM,CAAC,CAAA;AAAE;AACjE,SACF;AAAA,MACF;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAM;AACjB;;;AC1BA,aAAA,EAAA;AAEA,YAAA,EAAA;AA6EO,IAAM,kBAAA,GAAqB,GAAA;AAG3B,IAAM,gBAAA,GAAmB,EAAA;AAGzB,IAAM,sBAAA,GAAyB,GAAA;AAe/B,SAAS,aAAA,CACd,MAAA,EACA,QAAA,EACA,KAAA,EACmB;AAEnB,EAAA,MAAM,SAAA,GAAY,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,QAAQ,CAAA;AAClE,EAAA,MAAM,YAAA,GAAe,OAAO,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,GAAG,CAAA;AAChE,EAAA,MAAM,cAAc,SAAA,IAAa,YAAA;AAEjC,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,MAAA,CAAO,cAAA,KAAmB,MAAA,GAAS,MAAA,GAAS,QAAA;AAAA,MACpD,MAAA,EAAQ,CAAA,0BAAA,EAA6B,QAAQ,CAAA,qBAAA,EAAwB,OAAO,cAAc,CAAA,CAAA;AAAA,KAC5F;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,MAAM,CAAA,EAAG;AAC7C,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,QAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,6BAAA,EAAgC,YAAY,QAAQ,CAAA,SAAA;AAAA,KAC7E;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,IAAI,CAAA,EAAG;AAC3C,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,gBAAA,EAAmB,YAAY,QAAQ,CAAA,SAAA;AAAA,KAChE;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,SAAS,CAAA,EAAG;AAChD,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,WAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,2BAAA,EAA8B,YAAY,QAAQ,CAAA,SAAA;AAAA,KAC3E;AAAA,EACF;AAGA,EAAA,IAAI,cAAA,CAAe,KAAA,EAAO,WAAA,CAAY,KAAK,CAAA,EAAG;AAC5C,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,CAAA,OAAA,EAAU,KAAK,CAAA,iBAAA,EAAoB,YAAY,QAAQ,CAAA,SAAA;AAAA,KACjE;AAAA,EACF;AAGA,EAAA,OAAO;AAAA,IACL,KAAA;AAAA,IACA,MAAA,EAAQ,MAAA,CAAO,cAAA,KAAmB,MAAA,GAAS,MAAA,GAAS,QAAA;AAAA,IACpD,MAAA,EAAQ,UAAU,KAAK,CAAA,mBAAA,EAAsB,YAAY,QAAQ,CAAA,yBAAA,EAA4B,OAAO,cAAc,CAAA,CAAA;AAAA,GACpH;AACF;AAMO,SAAS,aAAA,CACd,MAAA,EACA,QAAA,EACA,OAAA,EACqB;AACrB,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AAClC,EAAA,IAAI,MAAA,CAAO,SAAS,kBAAA,EAAoB;AACtC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,mBAAA,EAAsB,MAAA,CAAO,MAAM,CAAA,4BAAA,EAA+B,kBAAkB,CAAA;AAAA,KACtF;AAAA,EACF;AACA,EAAA,MAAM,YAAiC,EAAC;AACxC,EAAA,IAAI,OAAA,GAAU,CAAA;AACd,EAAA,IAAI,QAAA,GAAW,CAAA;AACf,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,IAAI,UAAA,GAAa,CAAA;AACjB,EAAA,IAAI,MAAA,GAAS,CAAA;AAEb,EAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,IAAA,MAAM,MAAA,GAAS,aAAA,CAAc,MAAA,EAAQ,QAAA,EAAU,KAAK,CAAA;AAGpD,IAAA,IAAI,MAAA,CAAO,WAAW,MAAA,EAAQ;AAC5B,MAAA,MAAM,KAAA,GAAQ,OAAO,OAAA,CAAQ,KAAK,CAAA,KAAM,QAAA,GACpC,OAAA,CAAQ,KAAK,CAAA,GACb,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,KAAK,CAAC,CAAA;AACjC,MAAA,MAAA,CAAO,UAAA,GAAa,YAAA,CAAa,aAAA,CAAc,KAAK,CAAC,CAAA;AAAA,IACvD;AAEA,IAAA,SAAA,CAAU,KAAK,MAAM,CAAA;AAErB,IAAA,QAAQ,OAAO,MAAA;AAAQ,MACrB,KAAK,OAAA;AAAS,QAAA,OAAA,EAAA;AAAW,QAAA;AAAA,MACzB,KAAK,QAAA;AAAU,QAAA,QAAA,EAAA;AAAY,QAAA;AAAA,MAC3B,KAAK,MAAA;AAAQ,QAAA,MAAA,EAAA;AAAU,QAAA;AAAA,MACvB,KAAK,WAAA;AAAa,QAAA,UAAA,EAAA;AAAc,QAAA;AAAA,MAChC,KAAK,MAAA;AAAQ,QAAA,MAAA,EAAA;AAAU,QAAA;AAAA;AACzB,EACF;AAGA,EAAA,MAAM,YAAA,GAAe,YAAA;AAAA,IACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC;AAAA,GACvC;AAGA,EAAA,MAAM,iBAA0C,EAAC;AACjD,EAAA,KAAA,MAAW,YAAY,SAAA,EAAW;AAChC,IAAA,QAAQ,SAAS,MAAA;AAAQ,MACvB,KAAK,OAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,OAAA,CAAQ,SAAS,KAAK,CAAA;AACvD,QAAA;AAAA,MACF,KAAK,QAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA;AACjC,QAAA;AAAA,MACF,KAAK,MAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,CAAA,MAAA,EAAS,SAAS,UAAU,CAAA,CAAA,CAAA;AAC7D,QAAA;AAAA,MACF,KAAK,WAAA;AACH,QAAA,cAAA,CAAe,QAAA,CAAS,KAAK,CAAA,GAAI,aAAA;AACjC,QAAA;AAGA;AACJ,EACF;AACA,EAAA,MAAM,YAAA,GAAe,YAAA;AAAA,IACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC;AAAA,GAC9C;AAEA,EAAA,OAAO;AAAA,IACL,WAAW,MAAA,CAAO,SAAA;AAAA,IAClB,QAAA;AAAA,IACA,cAAA,EAAgB,OAAA;AAAA,IAChB,eAAA,EAAiB,QAAA;AAAA,IACjB,aAAA,EAAe,MAAA;AAAA,IACf,iBAAA,EAAmB,UAAA;AAAA,IACnB,aAAA,EAAe,MAAA;AAAA,IACf,SAAA;AAAA,IACA,qBAAA,EAAuB,YAAA;AAAA,IACvB,qBAAA,EAAuB,YAAA;AAAA,IACvB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACtC;AACF;AAYO,SAAS,cAAA,CAAe,OAAe,QAAA,EAA6B;AACzE,EAAA,MAAM,eAAA,GAAkB,MAAM,WAAA,EAAY;AAC1C,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAC5B,IAAA,MAAM,iBAAA,GAAoB,QAAQ,WAAA,EAAY;AAC9C,IAAA,IAAI,iBAAA,KAAsB,iBAAiB,OAAO,IAAA;AAClD,IAAA,IAAI,iBAAA,CAAkB,QAAA,CAAS,GAAG,CAAA,IAAK,eAAA,CAAgB,UAAA,CAAW,iBAAA,CAAkB,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,CAAA,EAAG,OAAO,IAAA;AAC1G,IAAA,IAAI,iBAAA,CAAkB,UAAA,CAAW,GAAG,CAAA,IAAK,eAAA,CAAgB,QAAA,CAAS,iBAAA,CAAkB,KAAA,CAAM,CAAC,CAAC,CAAA,EAAG,OAAO,IAAA;AAAA,EACxG;AACA,EAAA,OAAO,KAAA;AACT;AAOO,IAAM,yBAAN,MAA6B;AAAA,EAC1B,OAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA,uBAA+C,GAAA,EAAI;AAAA,EAE3D,WAAA,CAAY,SAAyB,SAAA,EAAuB;AAC1D,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,aAAA,GAAgB,gBAAA,CAAiB,SAAA,EAAW,iBAAiB,CAAA;AAAA,EACpE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,UAAA,EACA,KAAA,EACA,eACA,UAAA,EAC4B;AAC5B,IAAA,MAAM,QAAA,GAAW,CAAA,GAAA,EAAM,IAAA,CAAK,GAAA,EAAK,IAAI,WAAA,CAAY,WAAA,CAAY,CAAC,CAAC,CAAC,CAAA,CAAA;AAChE,IAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEnC,IAAA,MAAM,MAAA,GAA4B;AAAA,MAChC,SAAA,EAAW,QAAA;AAAA,MACX,WAAA,EAAa,UAAA;AAAA,MACb,KAAA;AAAA,MACA,cAAA,EAAgB,aAAA;AAAA,MAChB,WAAA,EAAa,UAAA;AAAA,MACb,UAAA,EAAY,GAAA;AAAA,MACZ,UAAA,EAAY;AAAA,KACd;AAEA,IAAA,MAAM,IAAA,CAAK,QAAQ,MAAM,CAAA;AACzB,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAElC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,QAAA,EAAqD;AAC7D,IAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA,EAAG;AAC/B,MAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA;AAAA,IACnC;AAEA,IAAA,MAAM,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,0BAA0B,QAAQ,CAAA;AACtE,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,MAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,MAAA,MAAM,MAAA,GAA4B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACrE,MAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAClC,MAAA,OAAO,MAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAA,GAAqC;AACzC,IAAA,MAAM,KAAK,OAAA,EAAQ;AACnB,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,QAAA,CAAS,QAAQ,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,OAAA,GAAyB;AACrC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,wBAAwB,CAAA;AAChE,MAAA,KAAA,MAAW,QAAQ,OAAA,EAAS;AAC1B,QAAA,IAAI,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,IAAA,CAAK,GAAG,CAAA,EAAG;AACjC,QAAA,MAAM,MAAM,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,wBAAA,EAA0B,KAAK,GAAG,CAAA;AACtE,QAAA,IAAI,CAAC,GAAA,EAAK;AACV,QAAA,IAAI;AACF,UAAA,MAAM,SAAA,GAA8B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,GAAG,CAAC,CAAA;AACjE,UAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACvD,UAAA,MAAM,MAAA,GAA4B,IAAA,CAAK,KAAA,CAAM,aAAA,CAAc,SAAS,CAAC,CAAA;AACrE,UAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,SAAA,EAAW,MAAM,CAAA;AAAA,QAC5C,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,MAAA,EAA0C;AAC9D,IAAA,MAAM,UAAA,GAAa,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AACvD,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA;AACxD,IAAA,MAAM,KAAK,OAAA,CAAQ,KAAA;AAAA,MACjB,wBAAA;AAAA,MACA,MAAA,CAAO,SAAA;AAAA,MACP,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC;AAAA,KACzC;AAAA,EACF;AACF;;;ACrWA,IAAM,qBAAA,GAAwB;AAAA,EAC5B,SAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,cAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,YAAA,GAAe;AAAA,EACnB,OAAA;AAAA,EACA,MAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,eAAA;AAAA,EACA,OAAA;AAAA,EACA,cAAA;AAAA,EACA,SAAA;AAAA,EACA,KAAA;AAAA,EACA,eAAA;AAAA,EACA,YAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,KAAA;AAAA,EACA,cAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,uBAAA,GAA0B;AAAA,EAC9B,QAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,gBAAA;AAAA,EACA,iBAAA;AAAA,EACA,kBAAA;AAAA,EACA,eAAA;AAAA,EACA,MAAA;AAAA,EACA,aAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,WAAA,GAAc;AAAA,EAClB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,aAAA;AAAA,EACA,iBAAA;AAAA,EACA;AACF,CAAA;AAGA,IAAM,gBAAA,GAAmB;AAAA,EACvB,sBAAA;AAAA,EACA,iBAAA;AAAA,EACA,cAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,iBAAA,GAAyC;AAAA,EACpD,EAAA,EAAI,mBAAA;AAAA,EACJ,IAAA,EAAM,mBAAA;AAAA,EACN,WAAA,EACE,0EAAA;AAAA,EACF,QAAA,EACE,8HAAA;AAAA,EAEF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,WAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,MAAA;AAAA,QACA,kBAAA;AAAA,QACA,eAAA;AAAA,QACA,OAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG,gBAAA;AAAA,QACH,cAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC;AACd,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAEO,IAAM,kBAAA,GAA0C;AAAA,EACrD,EAAA,EAAI,oBAAA;AAAA,EACJ,IAAA,EAAM,oBAAA;AAAA,EACN,WAAA,EACE,4HAAA;AAAA,EAEF,QAAA,EACE,0HAAA;AAAA,EAEF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,WAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,MAAA;AAAA,QACA,kBAAA;AAAA,QACA,eAAA;AAAA,QACA,OAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,aAAA;AAAA,QACA,cAAA;AAAA,QACA,aAAA;AAAA,QACA,kBAAA;AAAA,QACA,cAAA;AAAA,QACA,iBAAA;AAAA,QACA,WAAA;AAAA,QACA,aAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,SAAA,EAAW,CAAC,GAAG,gBAAgB;AAAA;AACjC,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAEO,IAAM,cAAA,GAAsC;AAAA,EACjD,EAAA,EAAI,gBAAA;AAAA,EACJ,IAAA,EAAM,gBAAA;AAAA,EACN,WAAA,EACE,kGAAA;AAAA,EAEF,QAAA,EACE,0GAAA;AAAA,EAEF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,SAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,WAAA;AAAA,QACA,gBAAA;AAAA,QACA,WAAA;AAAA,QACA,WAAA;AAAA,QACA,aAAA;AAAA,QACA,QAAA;AAAA,QACA,YAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC,KACd;AAAA,IACA;AAAA,MACE,QAAA,EAAU,WAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,YAAA;AAAA,QACA,WAAA;AAAA,QACA,aAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC;AACd,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAEO,IAAM,eAAA,GAAuC;AAAA,EAClD,EAAA,EAAI,iBAAA;AAAA,EACJ,IAAA,EAAM,iBAAA;AAAA,EACN,WAAA,EACE,oGAAA;AAAA,EAEF,QAAA,EACE,uTAAA;AAAA,EAKF,KAAA,EAAO;AAAA,IACL;AAAA,MACE,QAAA,EAAU,UAAA;AAAA,MACV,KAAA,EAAO;AAAA,QACL,MAAA;AAAA,QACA,kBAAA;AAAA,QACA,OAAA;AAAA,QACA,cAAA;AAAA,QACA,YAAA;AAAA,QACA,iBAAA;AAAA,QACA,KAAA;AAAA,QACA,UAAA;AAAA,QACA,QAAA;AAAA,QACA,QAAA;AAAA,QACA,MAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,GAAG,qBAAA;AAAA,QACH,GAAG,YAAA;AAAA,QACH,GAAG,uBAAA;AAAA,QACH,GAAG;AAAA,OACL;AAAA,MACA,IAAA,EAAM,CAAC,GAAG,WAAW,CAAA;AAAA,MACrB,WAAW;AAAC;AACd,GACF;AAAA,EACA,cAAA,EAAgB;AAClB,CAAA;AAKO,IAAM,SAAA,GAAiD;AAAA,EAC5D,mBAAA,EAAqB,iBAAA;AAAA,EACrB,oBAAA,EAAsB,kBAAA;AAAA,EACtB,gBAAA,EAAkB,cAAA;AAAA,EAClB,iBAAA,EAAmB;AACrB;AAGO,SAAS,eAAA,GAA4B;AAC1C,EAAA,OAAO,MAAA,CAAO,KAAK,SAAS,CAAA;AAC9B;AAGO,SAAS,YAAY,EAAA,EAA6C;AACvE,EAAA,OAAO,UAAU,EAAE,CAAA;AACrB;;;ACvPA,IAAM,oBAAA,GAAsC;AAAA;AAAA,EAE1C;AAAA,IACE,QAAA,EAAU;AAAA,MACR,SAAA;AAAA,MAAW,QAAA;AAAA,MAAU,YAAA;AAAA,MACrB,QAAA;AAAA,MAAU,YAAA;AAAA,MAAc,cAAA;AAAA,MACxB,UAAA;AAAA,MAAY,QAAA;AAAA,MAAU,MAAA;AAAA,MACtB,YAAA;AAAA,MAAc,aAAA;AAAA,MACd,aAAA;AAAA,MAAe,SAAA;AAAA,MACf,cAAA;AAAA,MACA,YAAA;AAAA,MACA,OAAA;AAAA,MAAS,cAAA;AAAA,MAAgB,eAAA;AAAA,MAAiB,cAAA;AAAA,MAC1C,YAAA;AAAA,MAAc,aAAA;AAAA,MAAe,eAAA;AAAA,MAC7B,gBAAA;AAAA,MAAkB,YAAA;AAAA,MAAc,aAAA;AAAA,MAChC,gBAAA;AAAA,MAAkB,eAAA;AAAA,MAClB;AAAA,KACF;AAAA,IACA,MAAA,EAAQ,QAAA;AAAA,IACR,UAAA,EAAY,MAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,MAAA;AAAA,MAAQ,WAAA;AAAA,MAAa,YAAA;AAAA,MAAc,WAAA;AAAA,MAAa,cAAA;AAAA,MAChD,OAAA;AAAA,MAAS,eAAA;AAAA,MACT,OAAA;AAAA,MAAS,cAAA;AAAA,MAAgB,QAAA;AAAA,MACzB,SAAA;AAAA,MAAW,gBAAA;AAAA,MAAkB,iBAAA;AAAA,MAC7B,KAAA;AAAA,MAAO,iBAAA;AAAA,MACP,eAAA;AAAA,MAAiB,KAAA;AAAA,MAAO,UAAA;AAAA,MACxB,YAAA;AAAA,MAAc,IAAA;AAAA,MACd,UAAA;AAAA,MAAY,aAAA;AAAA,MAAe,aAAA;AAAA,MAC3B,aAAA;AAAA,MAAe,aAAA;AAAA,MAAe,KAAA;AAAA,MAC9B,cAAA;AAAA,MAAgB,gBAAA;AAAA,MAChB,UAAA;AAAA,MAAY,iBAAA;AAAA,MAAmB;AAAA,KACjC;AAAA,IACA,MAAA,EAAQ,QAAA;AAAA,IACR,UAAA,EAAY,MAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,QAAA;AAAA,MAAU,cAAA;AAAA,MAAgB,kBAAA;AAAA,MAC1B,oBAAA;AAAA,MAAsB,iBAAA;AAAA,MAAmB,kBAAA;AAAA,MACzC,gBAAA;AAAA,MAAkB,aAAA;AAAA,MAClB,eAAA;AAAA,MAAiB,YAAA;AAAA,MACjB,MAAA;AAAA,MAAQ,aAAA;AAAA,MAAe,SAAA;AAAA,MACvB,eAAA;AAAA,MAAiB,gBAAA;AAAA,MAAkB,oBAAA;AAAA,MACnC,aAAA;AAAA,MAAe,kBAAA;AAAA,MAAoB,mBAAA;AAAA,MACnC,SAAA;AAAA,MAAW,OAAA;AAAA,MAAS;AAAA,KACtB;AAAA,IACA,MAAA,EAAQ,QAAA;AAAA,IACR,UAAA,EAAY,MAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,SAAA;AAAA,MAAW,QAAA;AAAA,MACX,YAAA;AAAA,MAAc,WAAA;AAAA,MACd,UAAA;AAAA,MAAY,SAAA;AAAA,MACZ,aAAA;AAAA,MACA,iBAAA;AAAA,MACA,WAAA;AAAA,MAAa,UAAA;AAAA,MACb,YAAA;AAAA,MAAc,WAAA;AAAA,MACd,gBAAA;AAAA,MACA,UAAA;AAAA,MAAY,SAAA;AAAA,MACZ,YAAA;AAAA,MAAc;AAAA,KAChB;AAAA,IACA,MAAA,EAAQ,MAAA;AAAA,IACR,UAAA,EAAY,QAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,sBAAA;AAAA,MAAwB,cAAA;AAAA,MACxB,iBAAA;AAAA,MAAmB,UAAA;AAAA,MACnB,mBAAA;AAAA,MAAqB,gBAAA;AAAA,MACrB,gBAAA;AAAA,MACA,qBAAA;AAAA,MACA,WAAA;AAAA,MAAa;AAAA,KACf;AAAA,IACA,MAAA,EAAQ,WAAA;AAAA,IACR,UAAA,EAAY,QAAA;AAAA,IACZ,MAAA,EAAQ;AAAA,GACV;AAAA;AAAA,EAGA;AAAA,IACE,QAAA,EAAU;AAAA,MACR,MAAA;AAAA,MAAQ,kBAAA;AAAA,MACR,OAAA;AAAA,MAAS,eAAA;AAAA,MAAiB,cAAA;AAAA,MAC1B,QAAA;AAAA,MAAU,aAAA;AAAA,MACV,UAAA;AAAA,MAAY,kBAAA;AAAA,MACZ,aAAA;AAAA,MAAe,cAAA;AAAA,MACf,WAAA;AAAA,MAAa,MAAA;AAAA,MACb,cAAA;AAAA,MAAgB,WAAA;AAAA,MAChB,iBAAA;AAAA,MACA,aAAA;AAAA,MAAe,cAAA;AAAA,MACf,eAAA;AAAA,MAAiB,QAAA;AAAA,MACjB,cAAA;AAAA,MAAgB,aAAA;AAAA,MAChB,YAAA;AAAA,MAAc;AAAA,KAChB;AAAA,IACA,MAAA,EAAQ,OAAA;AAAA,IACR,UAAA,EAAY,QAAA;AAAA,IACZ,MAAA,EAAQ;AAAA;AAEZ,CAAA;AAOO,SAAS,cAAc,SAAA,EAAwC;AACpE,EAAA,MAAM,UAAA,GAAa,SAAA,CAAU,WAAA,EAAY,CAAE,IAAA,EAAK;AAEhD,EAAA,KAAA,MAAW,QAAQ,oBAAA,EAAsB;AACvC,IAAA,KAAA,MAAW,OAAA,IAAW,KAAK,QAAA,EAAU;AACnC,MAAA,IAAI,mBAAA,CAAoB,UAAA,EAAY,OAAO,CAAA,EAAG;AAC5C,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,SAAA;AAAA,UACP,oBAAoB,IAAA,CAAK,MAAA;AAAA,UACzB,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,YAAY,IAAA,CAAK,UAAA;AAAA,UACjB,eAAA,EAAiB;AAAA,SACnB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,SAAA;AAAA,IACP,kBAAA,EAAoB,QAAA;AAAA,IACpB,MAAA,EAAQ,qEAAA;AAAA,IACR,UAAA,EAAY,KAAA;AAAA,IACZ,eAAA,EAAiB;AAAA,GACnB;AACF;AAKO,SAAS,eAAA,CACd,OAAA,EACA,QAAA,GAAmB,WAAA,EACG;AACtB,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AAClC,EAAA,MAAM,eAAA,GAAyC,MAAA,CAAO,GAAA,CAAI,aAAa,CAAA;AACvE,EAAA,MAAM,WAAqB,EAAC;AAG5B,EAAA,MAAM,QAAkB,EAAC;AACzB,EAAA,MAAM,SAAmB,EAAC;AAC1B,EAAA,MAAMoB,QAAiB,EAAC;AACxB,EAAA,MAAM,YAAsB,EAAC;AAE7B,EAAA,KAAA,MAAW,KAAK,eAAA,EAAiB;AAC/B,IAAA,QAAQ,EAAE,kBAAA;AAAoB,MAC5B,KAAK,OAAA;AAAS,QAAA,KAAA,CAAM,IAAA,CAAK,EAAE,KAAK,CAAA;AAAG,QAAA;AAAA,MACnC,KAAK,QAAA;AAAU,QAAA,MAAA,CAAO,IAAA,CAAK,EAAE,KAAK,CAAA;AAAG,QAAA;AAAA,MACrC,KAAK,MAAA;AAAQ,QAAAA,KAAAA,CAAK,IAAA,CAAK,CAAA,CAAE,KAAK,CAAA;AAAG,QAAA;AAAA,MACjC,KAAK,WAAA;AAAa,QAAA,SAAA,CAAU,IAAA,CAAK,EAAE,KAAK,CAAA;AAAG,QAAA;AAAA;AAC7C,EACF;AAGA,EAAA,MAAM,gBAAgB,eAAA,CAAgB,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,eAAe,KAAK,CAAA;AAC1E,EAAA,IAAI,aAAA,CAAc,SAAS,CAAA,EAAG;AAC5B,IAAA,QAAA,CAAS,IAAA;AAAA,MACP,CAAA,EAAG,aAAA,CAAc,MAAM,CAAA,yEAAA,EACD,aAAA,CAAc,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,KAAK,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,wBAAA;AAAA,KAEpE;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,SAAS,GAAA,EAAM;AACpD,MAAA,MAAM,WAAW,eAAA,CAAgB,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,UAAU,GAAG,CAAA;AAC5D,MAAA,IAAI,QAAA,IAAY,QAAA,CAAS,kBAAA,KAAuB,OAAA,EAAS;AACvD,QAAA,QAAA,CAAS,IAAA;AAAA,UACP,CAAA,OAAA,EAAU,GAAG,CAAA,0BAAA,EAA6B,KAAA,CAAM,MAAM,CAAA,yEAAA;AAAA,SAExD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,QAAA;AAAA,IACA,eAAA;AAAA,IACA,mBAAmB,EAAE,KAAA,EAAO,MAAA,EAAQ,IAAA,EAAAA,OAAM,SAAA,EAAU;AAAA,IACpD,cAAA,EAAgB,QAAA;AAAA,IAChB,OAAA,EAAS;AAAA,MACP,cAAc,MAAA,CAAO,MAAA;AAAA,MACrB,OAAO,KAAA,CAAM,MAAA;AAAA,MACb,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,MAAMA,KAAAA,CAAK,MAAA;AAAA,MACX,WAAW,SAAA,CAAU;AAAA,KACvB;AAAA,IACA;AAAA,GACF;AACF;AAcA,SAAS,mBAAA,CAAoB,iBAAyB,OAAA,EAA0B;AAC9E,EAAA,IAAI,eAAA,KAAoB,SAAS,OAAO,IAAA;AAGxC,EAAA,IAAI,QAAQ,MAAA,IAAU,CAAA,IAAK,eAAA,CAAgB,QAAA,CAAS,OAAO,CAAA,EAAG;AAE5D,IAAA,MAAM,GAAA,GAAM,eAAA,CAAgB,OAAA,CAAQ,OAAO,CAAA;AAC3C,IAAA,MAAM,MAAA,GAAS,GAAA,KAAQ,CAAA,IAAK,eAAA,CAAgB,GAAA,GAAM,CAAC,CAAA,KAAM,GAAA,IAAO,eAAA,CAAgB,GAAA,GAAM,CAAC,CAAA,KAAM,GAAA;AAC7F,IAAA,MAAM,QAAQ,GAAA,GAAM,OAAA,CAAQ,MAAA,KAAW,eAAA,CAAgB,UACrD,eAAA,CAAgB,GAAA,GAAM,OAAA,CAAQ,MAAM,MAAM,GAAA,IAC1C,eAAA,CAAgB,GAAA,GAAM,OAAA,CAAQ,MAAM,CAAA,KAAM,GAAA;AAC5C,IAAA,OAAO,MAAA,IAAU,KAAA;AAAA,EACnB;AACA,EAAA,OAAO,KAAA;AACT;;;AC9RA,aAAA,EAAA;AACA,YAAA,EAAA;AAyBA,IAAM,0BAAA,GAA6B;AAAA,EACjC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AAAA,EACA,cAAA;AAAA,EACA,eAAA;AAAA,EACA,UAAA;AAAA,EACA,QAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA;AAAA,EACA,KAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,cAAA;AAAA,EACA,cAAA;AAAA,EACA,KAAA;AAAA,EACA,KAAA;AAAA,EACA,aAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF,CAAA;AAoBO,IAAM,sBAAN,MAA0B;AAAA,EACvB,WAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA,GAAQ;AAAA,IACd,eAAA,EAAiB,CAAA;AAAA,IACjB,cAAA,EAAgB,CAAA;AAAA,IAChB,eAAA,EAAiB,CAAA;AAAA,IACjB,aAAA,EAAe,CAAA;AAAA,IACf,cAAA,EAAgB,CAAA;AAAA,IAChB,aAAA,EAAe;AAAA,GACjB;AAAA,EAEA,WAAA,CACE,WAAA,EACA,QAAA,EACA,MAAA,EACA;AACA,IAAA,IAAA,CAAK,WAAA,GAAc,WAAA;AACnB,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,WAAA,CAAY,UAAkB,eAAA,EAA2C;AACvE,IAAA,OAAO,OAAO,IAAA,KAAkC;AAE9C,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,QAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,MAC7B;AAGA,MAAA,IAAI,CAAC,IAAA,CAAK,YAAA,CAAa,QAAQ,CAAA,EAAG;AAChC,QAAA,IAAA,CAAK,KAAA,CAAM,cAAA,EAAA;AACX,QAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,MAC7B;AAEA,MAAA,IAAA,CAAK,KAAA,CAAM,eAAA,EAAA;AAGX,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,iBAAA,GACvB,MAAM,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,IAAA,CAAK,MAAA,CAAO,iBAAiB,CAAA,GACxD,IAAA;AAEJ,MAAA,IAAI,MAAA,EAAQ;AAEV,QAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,UACV,QAAA;AAAA,UACA,IAAA;AAAA,UACA,eAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF,CAAA,MAAO;AAEL,QAAA,OAAO,IAAA,CAAK,yBAAA;AAAA,UACV,QAAA;AAAA,UACA,IAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF;AAAA,IACF,CAAA;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBAAA,CACZ,QAAA,EACA,IAAA,EACA,iBACA,MAAA,EAC6D;AAE7D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,uBAAA,CAAwB,QAAQ,CAAA;AAGtD,IAAA,MAAM,MAAA,GAAS,aAAA,CAAc,MAAA,EAAQ,QAAA,EAAU,IAAI,CAAA;AAGnD,IAAA,MAAM,YAAA,GAAe,OAAO,SAAA,CAAU,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,MAAM,CAAA;AAEvE,IAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,MAAA,IAAI,IAAA,CAAK,MAAA,CAAO,OAAA,KAAY,OAAA,EAAS;AACnC,QAAA,IAAA,CAAK,KAAA,CAAM,aAAA,EAAA;AACX,QAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,UACZ,IAAA;AAAA,UACA,6BAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,SAAA,EAAW,QAAA;AAAA,YACX,WAAW,MAAA,CAAO,SAAA;AAAA,YAClB,QAAA;AAAA,YACA,eAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,KAAK,CAAA;AAAA,YAC9C,uBAAuB,MAAA,CAAO;AAAA;AAChC,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,KAAA,EAAO,wBAAA;AAAA,UACP,OAAA,EAAS,oDAAA;AAAA,UACT,IAAA,EAAM,QAAA;AAAA,UACN,eAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,KAAK,CAAA;AAAA,UAC9C,cAAA,EACE;AAAA,SACH,CAAA;AAAA,MACH;AAAA,IAEF;AAGA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,iBAAA,CAAkB,IAAA,EAAM,OAAO,SAAS,CAAA;AAElE,IAAA,IAAI,IAAA,CAAK,OAAO,QAAA,EAAU;AAExB,MAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,QACZ,IAAA;AAAA,QACA,gCAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,QAAA;AAAA,UACX,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,QAAA;AAAA,UACA,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,CAAE,MAAA;AAAA,UAChC,iBAAiB,MAAA,CAAO,eAAA;AAAA,UACxB,eAAe,MAAA,CAAO,aAAA;AAAA,UACtB,gBAAgB,YAAA,CAAa,MAAA;AAAA,UAC7B,uBAAuB,MAAA,CAAO;AAAA;AAChC,OACF;AACA,MAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,MAAA,CAAO,eAAA;AACrC,MAAA,IAAA,CAAK,KAAA,CAAM,iBAAiB,MAAA,CAAO,aAAA;AACnC,MAAA,IAAA,CAAK,KAAA,CAAM,kBAAkB,YAAA,CAAa,MAAA;AAE1C,MAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,IAC7B;AAGA,IAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,MACZ,IAAA;AAAA,MACA,8BAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,QACE,SAAA,EAAW,QAAA;AAAA,QACX,WAAW,MAAA,CAAO,SAAA;AAAA,QAClB,QAAA;AAAA,QACA,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,CAAE,MAAA;AAAA,QAChC,iBAAiB,MAAA,CAAO,eAAA;AAAA,QACxB,eAAe,MAAA,CAAO,aAAA;AAAA,QACtB,gBAAgB,YAAA,CAAa,MAAA;AAAA,QAC7B,uBAAuB,MAAA,CAAO;AAAA;AAChC,KACF;AAEA,IAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,MAAA,CAAO,eAAA;AACrC,IAAA,IAAA,CAAK,KAAA,CAAM,iBAAiB,MAAA,CAAO,aAAA;AACnC,IAAA,IAAA,CAAK,KAAA,CAAM,kBAAkB,YAAA,CAAa,MAAA;AAE1C,IAAA,OAAO,gBAAgB,YAAY,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,yBAAA,CACZ,QAAA,EACA,IAAA,EACA,eAAA,EAC6D;AAC7D,IAAA,MAAM,iBAA2B,EAAC;AAClC,IAAA,MAAM,YAAA,GAAe,YAAA;AAAA,MACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,IAAI,CAAC;AAAA,KACpC;AAGA,IAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,MAAA,IAAI,cAAA,CAAe,KAAA,EAAO,0BAA0B,CAAA,EAAG;AACrD,QAAA,cAAA,CAAe,KAAK,KAAK,CAAA;AAAA,MAC3B;AAAA,IACF;AAEA,IAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAE/B,MAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,QACZ,IAAA;AAAA,QACA,oCAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,QAAA;AAAA,UACX,MAAA,EAAQ;AAAA;AACV,OACF;AACA,MAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,IAC7B;AAGA,IAAA,MAAM,eAAwC,EAAC;AAC/C,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAC/C,MAAA,IAAI,cAAA,CAAe,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,QAAA,YAAA,CAAa,GAAG,CAAA,GAAI,YAAA;AAAA,MACtB,CAAA,MAAO;AACL,QAAA,YAAA,CAAa,GAAG,CAAA,GAAI,KAAA;AAAA,MACtB;AAAA,IACF;AAEA,IAAA,MAAM,YAAA,GAAe,YAAA;AAAA,MACnB,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,YAAY,CAAC;AAAA,KAC5C;AAEA,IAAA,IAAI,IAAA,CAAK,OAAO,QAAA,EAAU;AACxB,MAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,QACZ,IAAA;AAAA,QACA,wCAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,UACE,SAAA,EAAW,QAAA;AAAA,UACX,iBAAiB,cAAA,CAAe,MAAA;AAAA,UAChC,eAAA,EAAiB,cAAA;AAAA,UACjB,qBAAA,EAAuB;AAAA;AACzB,OACF;AACA,MAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,cAAA,CAAe,MAAA;AAC7C,MAAA,OAAO,gBAAgB,IAAI,CAAA;AAAA,IAC7B;AAGA,IAAA,IAAA,CAAK,QAAA,CAAS,MAAA;AAAA,MACZ,IAAA;AAAA,MACA,sCAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,QACE,SAAA,EAAW,QAAA;AAAA,QACX,iBAAiB,cAAA,CAAe,MAAA;AAAA,QAChC,eAAA,EAAiB,cAAA;AAAA,QACjB,qBAAA,EAAuB,YAAA;AAAA,QACvB,qBAAA,EAAuB;AAAA;AACzB,KACF;AAEA,IAAA,IAAA,CAAK,KAAA,CAAM,mBAAmB,cAAA,CAAe,MAAA;AAE7C,IAAA,OAAO,gBAAgB,YAAY,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAa,QAAA,EAA2B;AACtC,IAAA,KAAA,MAAW,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,eAAA,EAAiB;AAEhD,MAAA,MAAM,aAAa,MAAA,CAAO,QAAA,CAAS,GAAG,CAAA,GAAI,SAAS,MAAA,GAAS,GAAA;AAC5D,MAAA,IAAI,QAAA,KAAa,WAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,IAAK,QAAA,CAAS,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3E,QAAA,OAAO,KAAA;AAAA,MACT;AAAA,IACF;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,wBAAwB,QAAA,EAA0B;AACxD,IAAA,IAAI,SAAS,QAAA,CAAS,WAAW,KAAK,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,EAAG;AAC9D,MAAA,OAAO,WAAA;AAAA,IACT;AACA,IAAA,IAAI,SAAS,QAAA,CAAS,KAAK,KAAK,QAAA,CAAS,QAAA,CAAS,WAAW,CAAA,EAAG;AAC9D,MAAA,OAAO,SAAA;AAAA,IACT;AACA,IAAA,IAAI,SAAS,QAAA,CAAS,WAAW,KAAK,QAAA,CAAS,QAAA,CAAS,QAAQ,CAAA,EAAG;AACjE,MAAA,OAAO,WAAA;AAAA,IACT;AACA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,iBAAA,CACN,cACA,SAAA,EACyB;AACzB,IAAA,MAAM,WAAoC,EAAC;AAE3C,IAAA,KAAA,MAAW,YAAY,SAAA,EAAW;AAChC,MAAA,QAAQ,SAAS,MAAA;AAAQ,QACvB,KAAK,OAAA;AACH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA,CAAa,SAAS,KAAK,CAAA;AACtD,UAAA;AAAA,QACF,KAAK,QAAA;AAEH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA;AAC3B,UAAA;AAAA,QACF,KAAK,MAAA;AACH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,QAAA,CAAS,UAAA;AACpC,UAAA;AAAA,QACF,KAAK,WAAA;AACH,UAAA,QAAA,CAAS,QAAA,CAAS,KAAK,CAAA,GAAI,YAAA,CAAa,SAAS,KAAK,CAAA;AACtD,UAAA;AAGA;AACJ,IACF;AAEA,IAAA,OAAO,QAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,QAAA,EAAwB;AACvC,IAAA,IAAA,CAAK,OAAO,iBAAA,GAAoB,QAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA,GAA4B;AAC1B,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAK,MAAA,CAAO,OAAA;AAAA,MACrB,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,MACtB,iBAAA,EAAmB,IAAA,CAAK,MAAA,CAAO,iBAAA,IAAqB,IAAA;AAAA,MACpD,KAAA,EAAO,EAAE,GAAG,IAAA,CAAK,KAAA;AAAM,KACzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,OAAA,EAAwB;AACjC,IAAA,IAAA,CAAK,OAAO,OAAA,GAAU,OAAA;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,WAAW,OAAA,EAAwB;AACjC,IAAA,IAAA,CAAK,OAAO,QAAA,GAAW,OAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,KAAA,GAAQ;AAAA,MACX,eAAA,EAAiB,CAAA;AAAA,MACjB,cAAA,EAAgB,CAAA;AAAA,MAChB,eAAA,EAAiB,CAAA;AAAA,MACjB,aAAA,EAAe,CAAA;AAAA,MACf,cAAA,EAAgB,CAAA;AAAA,MAChB,aAAA,EAAe;AAAA,KACjB;AAAA,EACF;AACF;;;ACraO,SAAS,sBAAA,CACd,OAAA,EACA,SAAA,EACA,QAAA,EAKA;AACA,EAAA,MAAM,WAAA,GAAc,IAAI,sBAAA,CAAuB,OAAA,EAAS,SAAS,CAAA;AAGjE,EAAA,MAAM,cAAA,GAAiC;AAAA,IACrC,OAAA,EAAS,KAAA;AAAA;AAAA,IACT,eAAA,EAAiB,CAAC,YAAY,CAAA;AAAA;AAAA,IAC9B,QAAA,EAAU,KAAA;AAAA;AAAA,IACV,OAAA,EAAS;AAAA;AAAA,GACX;AACA,EAAA,MAAM,QAAA,GAAW,IAAI,mBAAA,CAAoB,WAAA,EAAa,UAAU,cAAc,CAAA;AAE9E,EAAA,MAAM,KAAA,GAA0B;AAAA;AAAA,IAE9B;AAAA,MACE,IAAA,EAAM,mCAAA;AAAA,MACN,WAAA,EACE,wgBAAA;AAAA,MASF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,OAAA;AAAA,YACN,WAAA,EACE,gRAAA;AAAA,YAIF,KAAA,EAAO;AAAA,cACL,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACV,QAAA,EAAU;AAAA,kBACR,IAAA,EAAM,QAAA;AAAA,kBACN,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,KAAA,EAAO;AAAA,kBACL,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,MAAA,EAAQ;AAAA,kBACN,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,IAAA,EAAM;AAAA,kBACJ,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA,iBAEJ;AAAA,gBACA,SAAA,EAAW;AAAA,kBACT,IAAA,EAAM,OAAA;AAAA,kBACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,kBACxB,WAAA,EACE;AAAA;AAEJ,eACF;AAAA,cACA,QAAA,EAAU,CAAC,UAAA,EAAY,OAAA,EAAS,QAAQ;AAAA;AAC1C,WACF;AAAA,UACA,cAAA,EAAgB;AAAA,YACd,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,QAAA,EAAU,MAAM,CAAA;AAAA,YACvB,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,aAAA,EAAe,OAAO;AAAA,OACnC;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,WAAW,IAAA,CAAK,KAAA;AACtB,QAAA,MAAM,aAAA,GAAiB,KAAK,cAAA,IAAwC,QAAA;AACpE,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAGxB,QAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAC5B,UAAA,OAAO,WAAW,EAAE,KAAA,EAAO,eAAA,EAAiB,OAAA,EAAS,0BAA0B,CAAA;AAAA,QACjF;AACA,QAAA,IAAI,QAAA,CAAS,SAAS,gBAAA,EAAkB;AACtC,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,gBAAA;AAAA,YACP,OAAA,EAAS,CAAA,WAAA,EAAc,QAAA,CAAS,MAAM,8BAA8B,gBAAgB,CAAA;AAAA,WACrF,CAAA;AAAA,QACH;AAGA,QAAA,MAAM,QAA2B,EAAC;AAClC,QAAA,KAAA,MAAW,KAAK,QAAA,EAAU;AACxB,UAAA,MAAM,KAAA,GAAQ,MAAM,OAAA,CAAQ,CAAA,CAAE,KAAK,CAAA,GAAK,CAAA,CAAE,QAAqB,EAAC;AAChE,UAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,CAAA,CAAE,MAAM,CAAA,GAAK,CAAA,CAAE,SAAsB,EAAC;AACnE,UAAA,MAAMA,KAAAA,GAAO,MAAM,OAAA,CAAQ,CAAA,CAAE,IAAI,CAAA,GAAK,CAAA,CAAE,OAAoB,EAAC;AAC7D,UAAA,MAAM,SAAA,GAAY,MAAM,OAAA,CAAQ,CAAA,CAAE,SAAS,CAAA,GAAK,CAAA,CAAE,YAAyB,EAAC;AAE5E,UAAA,KAAA,MAAW,CAAC,MAAM,GAAG,CAAA,IAAK,CAAC,CAAC,OAAA,EAAS,KAAK,CAAA,EAAG,CAAC,UAAU,MAAM,CAAA,EAAG,CAAC,MAAA,EAAQA,KAAI,GAAG,CAAC,WAAA,EAAa,SAAS,CAAC,CAAA,EAAY;AACnH,YAAA,IAAI,GAAA,CAAI,SAAS,sBAAA,EAAwB;AACvC,cAAA,OAAO,UAAA,CAAW;AAAA,gBAChB,KAAA,EAAO,mBAAA;AAAA,gBACP,SAAS,CAAA,KAAA,EAAQ,IAAI,cAAc,GAAA,CAAI,MAAM,iCAAiC,sBAAsB,CAAA;AAAA,eACrG,CAAA;AAAA,YACH;AAAA,UACF;AAEA,UAAA,KAAA,CAAM,IAAA,CAAK;AAAA,YACT,QAAA,EAAW,EAAE,QAAA,IAAuC,GAAA;AAAA,YACpD,KAAA;AAAA,YACA,MAAA;AAAA,YACA,IAAA,EAAAA,KAAAA;AAAA,YACA;AAAA,WACD,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA;AAAA,UAC/B,UAAA;AAAA,UACA,KAAA;AAAA,UACA,aAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,yBAAA,EAA2B,UAAA,IAAc,QAAA,EAAU;AAAA,UACvE,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,WAAA,EAAa,UAAA;AAAA,UACb,YAAY,KAAA,CAAM,MAAA;AAAA,UAClB,cAAA,EAAgB;AAAA,SACjB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,aAAa,MAAA,CAAO,WAAA;AAAA,UACpB,OAAO,MAAA,CAAO,KAAA;AAAA,UACd,gBAAgB,MAAA,CAAO,cAAA;AAAA,UACvB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,OAAA,EACE;AAAA,SAEH,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,uCAAA;AAAA,MACN,WAAA,EACE,6YAAA;AAAA,MAMF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA;AACf,SACF;AAAA,QACA,QAAA,EAAU,CAAC,aAAa;AAAA,OAC1B;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AACxB,QAAA,MAAM,aAAa,IAAA,CAAK,WAAA;AAExB,QAAA,MAAM,QAAA,GAAW,YAAY,UAAU,CAAA;AACvC,QAAA,IAAI,CAAC,QAAA,EAAU;AACb,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,oBAAA;AAAA,YACP,OAAA,EAAS,qBAAqB,UAAU,CAAA,CAAA,CAAA;AAAA,YACxC,mBAAA,EAAqB,eAAA,EAAgB,CAAE,GAAA,CAAI,CAAC,EAAA,KAAO;AACjD,cAAA,MAAM,CAAA,GAAI,UAAU,EAAE,CAAA;AACtB,cAAA,OAAO,EAAE,EAAA,EAAI,IAAA,EAAM,EAAE,IAAA,EAAM,WAAA,EAAa,EAAE,WAAA,EAAY;AAAA,YACxD,CAAC;AAAA,WACF,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA;AAAA,UAC/B,QAAA,CAAS,IAAA;AAAA,UACT,QAAA,CAAS,KAAA;AAAA,UACT,QAAA,CAAS,cAAA;AAAA,UACT;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,6BAAA,EAA+B,UAAA,IAAc,QAAA,EAAU;AAAA,UAC3E,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,WAAA,EAAa;AAAA,SACd,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,gBAAA,EAAkB,UAAA;AAAA,UAClB,aAAa,QAAA,CAAS,IAAA;AAAA,UACtB,aAAa,QAAA,CAAS,WAAA;AAAA,UACtB,UAAU,QAAA,CAAS,QAAA;AAAA,UACnB,OAAO,MAAA,CAAO,KAAA;AAAA,UACd,gBAAgB,MAAA,CAAO,cAAA;AAAA,UACvB,YAAY,MAAA,CAAO,UAAA;AAAA,UACnB,OAAA,EACE;AAAA,SAGH,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,kCAAA;AAAA,MACN,WAAA,EACE,0TAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAGJ;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,SAAS;AAAA,OACtB;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AACrB,QAAA,MAAM,QAAA,GAAY,KAAK,QAAA,IAAuB,WAAA;AAG9C,QAAA,MAAM,WAAA,GAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AACvC,QAAA,IAAI,WAAA,CAAY,SAAS,kBAAA,EAAoB;AAC3C,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,mBAAA;AAAA,YACP,OAAA,EAAS,CAAA,YAAA,EAAe,WAAA,CAAY,MAAM,+BAA+B,kBAAkB,CAAA;AAAA,WAC5F,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,cAAA,GAAiB,eAAA,CAAgB,OAAA,EAAS,QAAQ,CAAA;AAExD,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,wBAAA,EAA0B,QAAA,EAAU;AAAA,UACxD,QAAA;AAAA,UACA,eAAA,EAAiB,eAAe,OAAA,CAAQ,YAAA;AAAA,UACxC,YAAA,EAAc,eAAe,OAAA,CAAQ,KAAA;AAAA,UACrC,aAAA,EAAe,eAAe,OAAA,CAAQ,MAAA;AAAA,UACtC,WAAA,EAAa,eAAe,OAAA,CAAQ,IAAA;AAAA,UACpC,gBAAA,EAAkB,eAAe,OAAA,CAAQ;AAAA,SAC1C,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,GAAG,cAAA;AAAA,UACH,UAAA,EACE,sPAAA;AAAA,UAIF,mBAAA,EAAqB,eAAA,EAAgB,CAAE,GAAA,CAAI,CAAC,EAAA,KAAO;AACjD,YAAA,MAAM,CAAA,GAAI,UAAU,EAAE,CAAA;AACtB,YAAA,OAAO,EAAE,EAAA,EAAI,IAAA,EAAM,EAAE,IAAA,EAAM,WAAA,EAAa,EAAE,WAAA,EAAY;AAAA,UACxD,CAAC;AAAA,SACF,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,mWAAA;AAAA,MAMF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,SAAA,EAAW;AAAA,YACT,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EAAa;AAAA,WACf;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA;AAIJ,SACF;AAAA,QACA,QAAA,EAAU,CAAC,WAAA,EAAa,UAAA,EAAY,SAAS;AAAA,OAC/C;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,WAAW,IAAA,CAAK,SAAA;AACtB,QAAA,MAAM,WAAW,IAAA,CAAK,QAAA;AACtB,QAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AAGrB,QAAA,MAAM,WAAA,GAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA;AACvC,QAAA,IAAI,WAAA,CAAY,SAAS,kBAAA,EAAoB;AAC3C,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,mBAAA;AAAA,YACP,OAAA,EAAS,CAAA,YAAA,EAAe,WAAA,CAAY,MAAM,+BAA+B,kBAAkB,CAAA;AAAA,WAC5F,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAC7C,QAAA,IAAI,CAAC,MAAA,EAAQ;AACX,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,KAAA,EAAO,kBAAA;AAAA,YACP,OAAA,EAAS,2CAA2C,QAAQ,CAAA,CAAA;AAAA,WAC7D,CAAA;AAAA,QACH;AAEA,QAAA,MAAM,MAAA,GAAS,aAAA,CAAc,MAAA,EAAQ,QAAA,EAAU,OAAO,CAAA;AAGtD,QAAA,MAAM,YAAA,GAAe,OAAO,SAAA,CAAU,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,MAAM,CAAA;AACvE,QAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,UAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,mBAAA,EAAqB,MAAA,CAAO,eAAe,QAAA,EAAU;AAAA,YACzE,SAAA,EAAW,QAAA;AAAA,YACX,QAAA;AAAA,YACA,eAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,KAAK,CAAA;AAAA,YAC9C,uBAAuB,MAAA,CAAO;AAAA,WAC/B,CAAA;AAED,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,OAAA,EAAS,IAAA;AAAA,YACT,MAAA,EAAQ,kDAAA;AAAA,YACR,aAAA,EAAe,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,cACtC,OAAO,CAAA,CAAE,KAAA;AAAA,cACT,QAAQ,CAAA,CAAE;AAAA,aACZ,CAAE,CAAA;AAAA,YACF,cAAA,EACE;AAAA,WAEH,CAAA;AAAA,QACH;AAGA,QAAA,MAAM,cAAuC,EAAC;AAC9C,QAAA,KAAA,MAAW,QAAA,IAAY,OAAO,SAAA,EAAW;AACvC,UAAA,QAAQ,SAAS,MAAA;AAAQ,YACvB,KAAK,OAAA;AACH,cAAA,WAAA,CAAY,QAAA,CAAS,KAAK,CAAA,GAAI,OAAA,CAAQ,SAAS,KAAK,CAAA;AACpD,cAAA;AAAA,YACF,KAAK,QAAA;AAEH,cAAA;AAAA,YACF,KAAK,MAAA;AACH,cAAA,WAAA,CAAY,QAAA,CAAS,KAAK,CAAA,GAAI,QAAA,CAAS,UAAA;AACvC,cAAA;AAAA,YACF,KAAK,WAAA;AAEH,cAAA,WAAA,CAAY,QAAA,CAAS,KAAK,CAAA,GAAI,OAAA,CAAQ,SAAS,KAAK,CAAA;AACpD,cAAA;AAAA;AACJ,QACF;AAEA,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,qBAAA,EAAuB,MAAA,CAAO,eAAe,QAAA,EAAU;AAAA,UAC3E,SAAA,EAAW,QAAA;AAAA,UACX,QAAA;AAAA,UACA,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,MAAA;AAAA,UACnC,gBAAgB,MAAA,CAAO,cAAA;AAAA,UACvB,iBAAiB,MAAA,CAAO,eAAA;AAAA,UACxB,eAAe,MAAA,CAAO,aAAA;AAAA,UACtB,mBAAmB,MAAA,CAAO,iBAAA;AAAA,UAC1B,uBAAuB,MAAA,CAAO,qBAAA;AAAA,UAC9B,uBAAuB,MAAA,CAAO;AAAA,SAC/B,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,OAAA,EAAS,KAAA;AAAA,UACT,YAAA,EAAc,WAAA;AAAA,UACd,OAAA,EAAS;AAAA,YACP,YAAA,EAAc,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,MAAA;AAAA,YACnC,SAAS,MAAA,CAAO,cAAA;AAAA,YAChB,UAAU,MAAA,CAAO,eAAA;AAAA,YACjB,QAAQ,MAAA,CAAO,aAAA;AAAA,YACf,YAAY,MAAA,CAAO;AAAA,WACrB;AAAA,UACA,WAAW,MAAA,CAAO,SAAA;AAAA,UAClB,KAAA,EAAO;AAAA,YACL,uBAAuB,MAAA,CAAO,qBAAA;AAAA,YAC9B,uBAAuB,MAAA,CAAO,qBAAA;AAAA,YAC9B,aAAa,MAAA,CAAO;AAAA,WACtB;AAAA,UACA,QAAA,EACE,MAAA,CAAO,iBAAA,GAAoB,CAAA,GACvB,qIAAA,GAEA;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,sCAAA;AAAA,MACN,WAAA,EACE,8GAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY,IAAA,EAAK;AAExC,QAAA,QAAA,CAAS,MAAA,CAAO,IAAA,EAAM,4BAAA,EAA8B,QAAA,EAAU;AAAA,UAC5D,cAAc,QAAA,CAAS;AAAA,SACxB,CAAA;AAED,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,QAAA,EAAU,QAAA,CAAS,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,YAC7B,WAAW,CAAA,CAAE,SAAA;AAAA,YACb,aAAa,CAAA,CAAE,WAAA;AAAA,YACf,UAAA,EAAY,EAAE,KAAA,CAAM,MAAA;AAAA,YACpB,WAAW,CAAA,CAAE,KAAA,CAAM,IAAI,CAAC,CAAA,KAAM,EAAE,QAAQ,CAAA;AAAA,YACxC,gBAAgB,CAAA,CAAE,cAAA;AAAA,YAClB,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,YAC9B,YAAY,CAAA,CAAE,UAAA;AAAA,YACd,YAAY,CAAA,CAAE;AAAA,WAChB,CAAE,CAAA;AAAA,UACF,OAAO,QAAA,CAAS,MAAA;AAAA,UAChB,OAAA,EACE,QAAA,CAAS,MAAA,KAAW,CAAA,GAChB,6FAAA,GAEA,CAAA,EAAG,QAAA,CAAS,MAAM,CAAA,gBAAA,EAAmB,QAAA,CAAS,MAAA,KAAW,CAAA,GAAI,WAAW,UAAU,CAAA,YAAA;AAAA,SACzF,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,wCAAA;AAAA,MACN,WAAA,EACE,kQAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,MAAA,GAAS,SAAS,SAAA,EAAU;AAElC,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,oCAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,SAAS,MAAA,CAAO,OAAA;AAAA,YAChB,UAAU,MAAA,CAAO,QAAA;AAAA,YACjB,mBAAmB,MAAA,CAAO;AAAA;AAC5B,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,eAAA,EAAiB,MAAA;AAAA,UACjB,WAAA,EACE,sBACC,MAAA,CAAO,OAAA,GAAU,YAAY,UAAA,CAAA,GAC9B,IAAA,IACC,MAAA,CAAO,QAAA,GACJ,wEAAA,GACA,kDAAA,CAAA;AAAA,UACN,QAAA,EACE,MAAA,CAAO,KAAA,CAAM,eAAA,GAAkB,CAAA,GAC3B,CAAA,KAAA,EAAQ,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,aAAA,EACjC,MAAA,CAAO,KAAA,CAAM,eAAe,CAAA,kGAAA,CAAA,GAE/B;AAAA,SACP,CAAA;AAAA,MACH;AAAA,KACF;AAAA;AAAA,IAGA;AAAA,MACE,IAAA,EAAM,2CAAA;AAAA,MACN,WAAA,EACE,+SAAA;AAAA,MAKF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA,WAEJ;AAAA,UACA,QAAA,EAAU;AAAA,YACR,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA,WAGJ;AAAA,UACA,iBAAA,EAAmB;AAAA,YACjB,IAAA,EAAM,QAAA;AAAA,YACN,WAAA,EACE;AAAA,WAGJ;AAAA,UACA,OAAA,EAAS;AAAA,YACP,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,OAAA,EAAS,QAAQ,CAAA;AAAA,YACxB,WAAA,EACE;AAAA,WAIJ;AAAA,UACA,WAAA,EAAa;AAAA,YACX,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE;AAAA;AACJ;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,UAAmC,EAAC;AAE1C,QAAA,IAAI,IAAA,CAAK,YAAY,MAAA,EAAW;AAC9B,UAAA,QAAA,CAAS,UAAA,CAAW,KAAK,OAAkB,CAAA;AAC3C,UAAA,OAAA,CAAQ,UAAU,IAAA,CAAK,OAAA;AAAA,QACzB;AAEA,QAAA,IAAI,IAAA,CAAK,aAAa,MAAA,EAAW;AAC/B,UAAA,QAAA,CAAS,UAAA,CAAW,KAAK,QAAmB,CAAA;AAC5C,UAAA,OAAA,CAAQ,WAAW,IAAA,CAAK,QAAA;AAAA,QAC1B;AAEA,QAAA,IAAI,IAAA,CAAK,sBAAsB,MAAA,EAAW;AACxC,UAAA,MAAM,WAAW,IAAA,CAAK,iBAAA;AACtB,UAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,GAAA,CAAI,QAAQ,CAAA;AAC7C,UAAA,IAAI,CAAC,MAAA,EAAQ;AACX,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,kBAAA;AAAA,cACP,OAAA,EAAS,2CAA2C,QAAQ,CAAA,CAAA;AAAA,aAC7D,CAAA;AAAA,UACH;AACA,UAAA,QAAA,CAAS,iBAAiB,QAAQ,CAAA;AAClC,UAAA,OAAA,CAAQ,iBAAA,GAAoB,QAAA;AAAA,QAC9B;AAEA,QAAA,IAAI,IAAA,CAAK,YAAY,MAAA,EAAW;AAC9B,UAAA,MAAM,SAAS,IAAA,CAAK,OAAA;AACpB,UAAA,IAAI,MAAA,KAAW,OAAA,IAAW,MAAA,KAAW,QAAA,EAAU;AAC7C,YAAA,OAAO,UAAA,CAAW;AAAA,cAChB,KAAA,EAAO,iBAAA;AAAA,cACP,OAAA,EAAS;AAAA,aACV,CAAA;AAAA,UACH;AACA,UAAA,cAAA,CAAe,OAAA,GAAU,MAAA;AACzB,UAAA,OAAA,CAAQ,OAAA,GAAU,MAAA;AAAA,QACpB;AAEA,QAAA,IAAI,IAAA,CAAK,gBAAgB,IAAA,EAAM;AAC7B,UAAA,QAAA,CAAS,UAAA,EAAW;AACpB,UAAA,OAAA,CAAQ,WAAA,GAAc,IAAA;AAAA,QACxB;AAEA,QAAA,MAAM,SAAA,GAAY,SAAS,SAAA,EAAU;AAErC,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,iCAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,OAAA;AAAA,YACA,UAAA,EAAY;AAAA;AACd,SACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,UAAA,EAAY,IAAA;AAAA,UACZ,OAAA;AAAA,UACA,UAAA,EAAY,SAAA;AAAA,UACZ,SACE,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,MAAA,GAAS,IAC1B,iCAAA,GACA;AAAA,SACP,CAAA;AAAA,MACH;AAAA;AACF,GACF;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,WAAA,EAAa,QAAA,EAAS;AACxC;ACxpBO,SAAS,qBAAA,GAAgD;AAC9D,EAAA,MAAM,MAAA,GAAS;AAAA,IACb,cAAc,SAAA,EAAU;AAAA,IACxB,cAAA,EAAgB,IAAA;AAAA;AAAA,IAChB,mBAAA,EAAqB,IAAA;AAAA;AAAA,IACrB,YAAA,EAAc;AAAA;AAAA,GAChB;AAEA,EAAA,MAAM,WAAA,GAAc,OAAO,MAAA,CAAO,MAAM,EAAE,MAAA,CAAO,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,MAAA;AAC3D,EAAA,MAAM,UAAU,WAAA,IAAe,CAAA,GAAI,MAAA,GAAS,WAAA,IAAe,IAAI,SAAA,GAAY,SAAA;AAE3E,EAAA,OAAO;AAAA,IACL,GAAG,MAAA;AAAA,IACH;AAAA,GACF;AACF;AAEA,SAAS,SAAA,GAAqB;AAC5B,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAASe,uBAAS,yCAAA,EAA2C;AAAA,QACjE,QAAA,EAAU,OAAA;AAAA,QACV,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,QAAQ;AAAA,OACjC,EAAE,IAAA,EAAK;AACR,MAAA,OAAO,MAAA,KAAW,GAAA;AAAA,IACpB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AAEjC,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,KAAA;AACT;AA4BO,SAAS,qBAAA,GAAgD;AAC9D,EAAA,MAAM,cAAc,eAAA,EAAgB;AACpC,EAAA,MAAM,OAAO,QAAA,EAAS;AACtB,EAAA,MAAM,cAAc,aAAA,EAAc;AAElC,EAAA,IAAI,cAAA,GAAiC,MAAA;AACrC,EAAA,IAAI,aAAa,cAAA,GAAiB,UAAA;AAAA,OAAA,IACzB,MAAM,cAAA,GAAiB,UAAA;AAAA,OAAA,IACvB,aAAa,cAAA,GAAiB,OAAA;AAEvC,EAAA,MAAM,UAA6C,EAAC;AACpD,EAAA,IAAI,WAAA,IAAe,WAAA,KAAgB,IAAA,EAAM,OAAA,CAAQ,cAAA,GAAiB,WAAA;AAClE,EAAA,IAAI,IAAA,IAAQ,IAAA,KAAS,IAAA,EAAM,OAAA,CAAQ,OAAA,GAAU,IAAA;AAC7C,EAAA,IAAI,WAAA,IAAe,WAAA,KAAgB,IAAA,EAAM,OAAA,CAAQ,YAAA,GAAe,WAAA;AAEhE,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,cAAA;AAAA,IACjB,cAAc,WAAA,KAAgB,KAAA;AAAA,IAC9B,OAAO,IAAA,KAAS,KAAA;AAAA,IAChB,cAAc,WAAA,KAAgB,KAAA;AAAA,IAC9B,MAAA,EAAQ,KAAA;AAAA,IACR;AAAA,GACF;AACF;AAEA,SAAS,eAAA,GAAoC;AAE3C,EAAA,IAAI;AAEF,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,WAAA,EAAa,OAAO,QAAA;AAGpC,IAAA,IAAI;AACF,MAAAC,WAAA,CAAS,aAAa,CAAA;AACtB,MAAA,OAAO,QAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AAAA,IAER;AAGA,IAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,MAAA,MAAM,MAAA,GAASD,uBAAS,2CAAA,EAA6C;AAAA,QACnE,QAAA,EAAU;AAAA,OACX,CAAA;AACD,MAAA,IAAI,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,QAAA;AACtC,MAAA,IAAI,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACnC,MAAA,IAAI,MAAA,CAAO,SAAS,UAAU,CAAA,IAAK,OAAO,QAAA,CAAS,YAAY,GAAG,OAAO,YAAA;AAAA,IAC3E;AAGA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,SAAA,KAAc,QAAA,EAAU,OAAO,QAAA;AAG/C,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,YAAA,EAAc,OAAO,KAAA;AAErC,IAAA,OAAO,KAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAEA,SAAS,QAAA,GAA6B;AACpC,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,IAAA,IAAI;AAEF,MAAA,MAAM,SAAA,GAAYA,uBAAS,yDAAA,EAA2D;AAAA,QACpF,QAAA,EAAU;AAAA,OACX,EAAE,WAAA,EAAY;AAEf,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,QAAA;AACzC,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,YAAY,CAAA,EAAG,OAAO,YAAA;AAC7C,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACtC,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,KAAK,CAAA,EAAG,OAAO,KAAA;AACtC,MAAA,IAAI,SAAA,CAAU,QAAA,CAAS,SAAS,CAAA,EAAG,OAAO,SAAA;AAG1C,MAAA,MAAM,OAAA,GAAUA,uBAAS,6CAAA,EAA+C;AAAA,QACtE,QAAA,EAAU;AAAA,OACX,CAAA;AACD,MAAA,IAAI,OAAA,CAAQ,MAAA,GAAS,CAAA,EAAG,OAAO,UAAA;AAAA,IACjC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AACjC,IAAA,IAAI;AAEF,MAAA,MAAM,QAAA,GAAWA,sBAAA;AAAA,QACf,oFAAA;AAAA,QACA;AAAA,UACE,QAAA,EAAU;AAAA;AACZ,OACF;AACA,MAAA,IAAI,QAAA,CAAS,MAAA,GAAS,CAAA,EAAG,OAAO,UAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,aAAA,GAAkC;AAEzC,EAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AACjC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,0BAAA,KAA+B,GAAA,EAAK,OAAO,aAAA;AAC3D,IAAA,IAAI,OAAA,CAAQ,IAAI,MAAA,IAAU,OAAA,CAAQ,IAAI,MAAA,CAAO,QAAA,CAAS,YAAY,CAAA,EAAG,OAAO,aAAA;AAAA,EAC9E;AAGA,EAAA,IAAI,OAAA,CAAQ,aAAa,SAAA,EAAW;AAGlC,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAASA,uBAAS,kCAAA,EAAoC;AAAA,QAC1D,QAAA,EAAU;AAAA,OACX,CAAA;AACD,MAAA,IAAI,MAAA,CAAO,MAAA,GAAS,CAAA,EAAG,OAAO,QAAA;AAAA,IAChC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,SAAA,KAAc,KAAA,EAAO,OAAO,KAAA;AAC5C,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAUA,uBAAS,mCAAA,EAAqC;AAAA,QAC5D,QAAA,EAAU;AAAA,OACX,EAAE,IAAA,EAAK;AACR,MAAA,IAAI,OAAA,KAAY,aAAa,OAAO,SAAA;AAAA,IACtC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAiBO,SAAS,2BAA2B,WAAA,EAAiD;AAC1F,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAQC,YAAS,WAAW,CAAA;AAGlC,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,IAAA,GAAO,QAAA,CAAS,OAAO,CAAC,CAAA;AAC3C,IAAA,MAAM,aAAa,IAAA,CAAK,QAAA,CAAS,CAAC,CAAA,CAAE,QAAA,CAAS,GAAG,GAAG,CAAA;AAEnD,IAAA,MAAM,QAAA,GAAW,IAAA,KAAS,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA;AAC3C,IAAA,MAAM,aAAA,GAAA,CAAiB,IAAA,GAAO,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA,MAAO,CAAA;AACtD,IAAA,MAAM,cAAA,GAAA,CAAkB,IAAA,GAAO,QAAA,CAAS,KAAA,EAAO,CAAC,CAAA,MAAO,CAAA;AACvD,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,MAAA,IAAS,IAAK,CAAA,CAAA;AACzC,IAAA,MAAM,kBAAA,GAAqB,MAAM,GAAA,KAAQ,UAAA;AAEzC,IAAA,IAAI,OAAA,GAA6C,QAAA;AACjD,IAAA,IAAI,aAAA,IAAiB,gBAAgB,OAAA,GAAU,UAAA;AAAA,SAAA,IACtC,CAAC,oBAAoB,OAAA,GAAU,SAAA;AAExC,IAAA,OAAO;AAAA,MACL,2BAAA,EAA6B,QAAA;AAAA,MAC7B,sBAAA,EAAwB,UAAA;AAAA,MACxB,qBAAA,EAAuB,kBAAA;AAAA,MACvB,cAAA,EAAgB,aAAA;AAAA,MAChB,eAAA,EAAiB,cAAA;AAAA,MACjB;AAAA,KACF;AAAA,EACF,CAAA,CAAA,MAAQ;AAEN,IAAA,OAAO;AAAA,MACL,2BAAA,EAA6B,KAAA;AAAA,MAC7B,sBAAA,EAAwB,SAAA;AAAA,MACxB,qBAAA,EAAuB,KAAA;AAAA,MACvB,cAAA,EAAgB,KAAA;AAAA,MAChB,eAAA,EAAiB,KAAA;AAAA,MACjB,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AACF;AAgBO,SAAS,qBAAA,GAAgD;AAC9D,EAAA,OAAO;AAAA,IACL,kBAAA,EAAoB,IAAA;AAAA,IACpB,iBAAA,EAAmB,OAAA;AAAA,IACnB,eAAe;AAAC,GAClB;AACF;AAmBO,SAAS,kBAAkB,WAAA,EAAwC;AACxE,EAAA,MAAM,SAAS,qBAAA,EAAsB;AACrC,EAAA,MAAM,YAAY,qBAAA,EAAsB;AACxC,EAAA,MAAM,UAAA,GAAa,2BAA2B,WAAW,CAAA;AACzD,EAAA,MAAM,YAAY,qBAAA,EAAsB;AAGxC,EAAA,IAAI,YAAA,GAAe,CAAA;AACnB,EAAA,IAAI,WAAA,GAAc,CAAA;AAGlB,EAAA,IAAI,OAAO,YAAA,EAAc,YAAA,EAAA;AACzB,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,OAAO,cAAA,EAAgB,YAAA,EAAA;AAC3B,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,OAAO,mBAAA,EAAqB,YAAA,EAAA;AAChC,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,OAAO,YAAA,EAAc,YAAA,EAAA;AACzB,EAAA,WAAA,EAAA;AAGA,EAAA,IAAI,UAAU,YAAA,EAAc,YAAA,EAAA;AAC5B,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,UAAU,KAAA,EAAO,YAAA,EAAA;AACrB,EAAA,WAAA,EAAA;AACA,EAAA,IAAI,UAAU,YAAA,EAAc,YAAA,EAAA;AAC5B,EAAA,WAAA,EAAA;AAGA,EAAA,IAAI,WAAW,2BAAA,EAA6B,YAAA,EAAA;AAC5C,EAAA,WAAA,EAAA;AAGA,EAA6E;AAC3E,IAAA,YAAA,EAAA;AAAA,EACF;AACA,EAAA,WAAA,EAAA;AAGA,EAAA,IAAI,iBAAiC,SAAA,CAAU,eAAA;AAG/C,EAAA,IACE,UAAA,CAAW,YAAY,UAAA,IACvB,MAAA,CAAO,YAAY,MAAA,IACnB,MAAA,CAAO,YAAY,SAAA,EACnB;AACA,IAAA,IAAI,mBAAmB,UAAA,EAAY;AACjC,MAAA,cAAA,GAAiB,OAAA;AAAA,IACnB,CAAA,MAAA,IAAW,mBAAmB,OAAA,EAAS;AACrC,MAAA,cAAA,GAAiB,MAAA;AAAA,IACnB;AAAA,EACF;AAGA,EAAA,MAAM,eAAyB,EAAC;AAChC,EAAA,IAAI,SAAA,CAAU,YAAA,IAAgB,SAAA,CAAU,KAAA,EAAO;AAC7C,IAAA,YAAA,CAAa,IAAA,CAAK,cAAc,SAAA,CAAU,OAAA,CAAQ,kBAAkB,SAAA,CAAU,OAAA,CAAQ,OAAA,IAAW,sBAAsB,CAAA,CAAE,CAAA;AAAA,EAC3H;AACA,EAAA,IAAI,OAAO,YAAA,EAAc;AACvB,IAAA,YAAA,CAAa,KAAK,cAAc,CAAA;AAAA,EAClC;AACA,EAAA,IAAI,WAAW,2BAAA,EAA6B;AAC1C,IAAA,YAAA,CAAa,KAAK,oCAAoC,CAAA;AAAA,EACxD;AAEA,EAAA,MAAM,UACJ,YAAA,CAAa,MAAA,GAAS,IAClB,YAAA,CAAa,IAAA,CAAK,IAAI,CAAA,GACtB,qCAAA;AAEN,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,cAAA;AAAA,IACjB,iBAAA,EAAmB,MAAA;AAAA,IACnB,iBAAA,EAAmB,SAAA;AAAA,IACnB,sBAAA,EAAwB,UAAA;AAAA,IACxB,iBAAA,EAAmB,SAAA;AAAA,IACnB,aAAA,EAAe,YAAA;AAAA,IACf,YAAA,EAAc,WAAA;AAAA,IACd;AAAA,GACF;AACF;;;AC1YO,SAAS,sBAAA,CACd,aACA,QAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,wOAAA;AAAA,MAGF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,eAAA,EAAiB;AAAA,YACf,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,2GAAA;AAAA,YAEF,OAAA,EAAS;AAAA;AACX;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,cAAA,GAAkB,KAAK,eAAA,IAA+B,KAAA;AAC5D,QAAA,MAAM,MAAA,GAAS,kBAAkB,WAAW,CAAA;AAE5C,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,qBAAA;AAAA,UACA,QAAA;AAAA,UACA,EAAE,iBAAiB,cAAA;AAAe,SACpC;AAEA,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,iBAAiB,MAAA,CAAO,eAAA;AAAA,YACxB,SAAS,MAAA,CAAO,OAAA;AAAA,YAChB,eAAe,MAAA,CAAO,aAAA;AAAA,YACtB,cAAc,MAAA,CAAO,YAAA;AAAA,YACrB,iBAAA,EAAmB;AAAA,cACjB,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,cAAA,EAAgB,OAAO,iBAAA,CAAkB,cAAA;AAAA,cACzC,mBAAA,EAAqB,OAAO,iBAAA,CAAkB,mBAAA;AAAA,cAC9C,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,OAAA,EAAS,OAAO,iBAAA,CAAkB;AAAA,aACpC;AAAA,YACA,iBAAA,EAAmB;AAAA,cACjB,eAAA,EAAiB,OAAO,iBAAA,CAAkB,eAAA;AAAA,cAC1C,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,KAAA,EAAO,OAAO,iBAAA,CAAkB,KAAA;AAAA,cAChC,YAAA,EAAc,OAAO,iBAAA,CAAkB,YAAA;AAAA,cACvC,MAAA,EAAQ,OAAO,iBAAA,CAAkB,MAAA;AAAA,cACjC,OAAA,EAAS,OAAO,iBAAA,CAAkB;AAAA,aACpC;AAAA,YACA,sBAAA,EAAwB;AAAA,cACtB,2BAAA,EACE,OAAO,sBAAA,CAAuB,2BAAA;AAAA,cAChC,sBAAA,EAAwB,OAAO,sBAAA,CAAuB,sBAAA;AAAA,cACtD,qBAAA,EAAuB,OAAO,sBAAA,CAAuB,qBAAA;AAAA,cACrD,cAAA,EAAgB,OAAO,sBAAA,CAAuB,cAAA;AAAA,cAC9C,eAAA,EAAiB,OAAO,sBAAA,CAAuB,eAAA;AAAA,cAC/C,OAAA,EAAS,OAAO,sBAAA,CAAuB;AAAA,aACzC;AAAA,YACA,iBAAA,EAAmB;AAAA,cACjB,kBAAA,EAAoB,OAAO,iBAAA,CAAkB,kBAAA;AAAA,cAC7C,iBAAA,EAAmB,OAAO,iBAAA,CAAkB,iBAAA;AAAA,cAC5C,aAAA,EAAe,OAAO,iBAAA,CAAkB;AAAA;AAC1C,WACD,CAAA;AAAA,QACH,CAAA,MAAO;AACL,UAAA,OAAO,UAAA,CAAW;AAAA,YAChB,iBAAiB,MAAA,CAAO,eAAA;AAAA,YACxB,SAAS,MAAA,CAAO,OAAA;AAAA,YAChB,eAAe,MAAA,CAAO,aAAA;AAAA,YACtB,cAAc,MAAA,CAAO,YAAA;AAAA,YACrB,IAAA,EACE;AAAA,WAEH,CAAA;AAAA,QACH;AAAA,MACF;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,+BAAA;AAAA,MACN,WAAA,EACE,8QAAA;AAAA,MAIF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB;AAAA,YAChB,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,0DAAA;AAAA,YACF,OAAA,EAAS;AAAA,WACX;AAAA,UACA,YAAA,EAAc;AAAA,YACZ,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,4DAAA;AAAA,YACF,OAAA,EAAS;AAAA,WACX;AAAA,UACA,aAAA,EAAe;AAAA,YACb,IAAA,EAAM,SAAA;AAAA,YACN,WAAA,EACE,wDAAA;AAAA,YACF,OAAA,EAAS;AAAA;AACX;AACF,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,eAAA,GAAmB,KAAK,gBAAA,IAAgC,IAAA;AAC9D,QAAA,MAAM,WAAA,GAAe,KAAK,YAAA,IAA4B,IAAA;AACtD,QAAA,MAAM,YAAA,GAAgB,KAAK,aAAA,IAA6B,IAAA;AAExD,QAAA,MAAM,MAAA,GAAS,kBAAkB,WAAW,CAAA;AAE5C,QAAA,QAAA,CAAS,MAAA;AAAA,UACP,IAAA;AAAA,UACA,qBAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,YACE,gBAAA,EAAkB,eAAA;AAAA,YAClB,YAAA,EAAc,WAAA;AAAA,YACd,aAAA,EAAe;AAAA;AACjB,SACF;AAEA,QAAA,MAAM,OAAA,GAAmC;AAAA,UACvC,iBAAiB,MAAA,CAAO,eAAA;AAAA,UACxB,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC;AAEA,QAAA,IAAI,eAAA,EAAiB;AACnB,UAAA,MAAM,KAAK,MAAA,CAAO,sBAAA;AAClB,UAAA,OAAA,CAAQ,UAAA,GAAa;AAAA,YACnB,6BAA6B,EAAA,CAAG,2BAAA;AAAA,YAChC,cAAc,EAAA,CAAG,sBAAA;AAAA,YACjB,SAAA,EAAW,GAAG,OAAA,KAAY,QAAA;AAAA,YAC1B,MAAA,EACE,EAAA,CAAG,OAAA,KAAY,UAAA,GACX;AAAA,cACE;AAAA,aAEF,GACA,EAAA,CAAG,OAAA,KAAY,SAAA,GACb;AAAA,cACE;AAAA,gBAGF;AAAC,WACX;AAAA,QACF;AAEA,QAAA,IAAI,WAAA,EAAa;AACf,UAAA,MAAM,MAAM,MAAA,CAAO,iBAAA;AACnB,UAAA,MAAM,SAAmB,EAAC;AAC1B,UAAA,IAAI,CAAC,IAAI,YAAA,EAAc;AACrB,YAAA,MAAA,CAAO,IAAA;AAAA,cACL;AAAA,aAEF;AAAA,UACF;AACA,UAAA,OAAA,CAAQ,MAAA,GAAS;AAAA,YACf,cAAc,GAAA,CAAI,YAAA;AAAA,YAClB,gBAAgB,GAAA,CAAI,cAAA;AAAA,YACpB,wBAAwB,GAAA,CAAI,mBAAA;AAAA,YAC5B,yBAAyB,GAAA,CAAI,YAAA;AAAA,YAC7B,kBAAkB,GAAA,CAAI,OAAA;AAAA,YACtB;AAAA,WACF;AAAA,QACF;AAEA,QAAA,IAAI,YAAA,EAAc;AAChB,UAAA,MAAM,MAAM,MAAA,CAAO,iBAAA;AACnB,UAAA,OAAA,CAAQ,OAAA,GAAU;AAAA,YAChB,iBAAiB,GAAA,CAAI,eAAA;AAAA,YACrB,cAAc,GAAA,CAAI,YAAA;AAAA,YAClB,OAAO,GAAA,CAAI,KAAA;AAAA,YACX,WAAW,GAAA,CAAI,YAAA;AAAA,YACf,SAAS,GAAA,CAAI,MAAA;AAAA,YACb,aAAa,GAAA,CAAI,OAAA;AAAA,YACjB,cAAA,EACE,IAAI,eAAA,KAAoB,MAAA,GACpB,4EACA,GAAA,CAAI,eAAA,KAAoB,UACtB,8EAAA,GACA;AAAA,WACV;AAAA,QACF;AAEA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,MAAA,EAAQ,UAAA;AAAA,UACR;AAAA,SACD,CAAA;AAAA,MACH;AAAA;AACF,GACF;AACF;;;ACnLA,aAAA,EAAA;;;AC1BO,IAAM,gBAAN,MAA8C;AAAA,EAC3C,KAAA,uBAAY,GAAA,EAAuD;AAAA,EAEnE,UAAA,CAAW,WAAmB,GAAA,EAAqB;AACzD,IAAA,OAAO,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA;AAAA,EAC5B;AAAA,EAEA,MAAM,KAAA,CACJ,SAAA,EACA,GAAA,EACA,IAAA,EACe;AACf,IAAA,IAAA,CAAK,MAAM,GAAA,CAAI,IAAA,CAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAA,EAAG;AAAA,MAC9C,IAAA,EAAM,IAAI,UAAA,CAAW,IAAI,CAAA;AAAA;AAAA,MACzB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACrC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,GAAA,EAAyC;AACrE,IAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,CAAM,GAAA,CAAI,KAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAC,CAAA;AAC5D,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,IAAA,OAAO,IAAI,UAAA,CAAW,KAAA,CAAM,IAAI,CAAA;AAAA,EAClC;AAAA,EAEA,MAAM,MAAA,CACJ,SAAA,EACA,GAAA,EACA,gBAAA,EACkB;AAClB,IAAA,OAAO,KAAK,KAAA,CAAM,MAAA,CAAO,KAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAC,CAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,MAAA,EAA8C;AAC1E,IAAA,MAAM,UAA8B,EAAC;AACrC,IAAA,MAAM,QAAA,GAAW,GAAG,SAAS,CAAA,CAAA,CAAA;AAE7B,IAAA,KAAA,MAAW,CAAC,QAAA,EAAU,KAAK,CAAA,IAAK,KAAK,KAAA,EAAO;AAC1C,MAAA,IAAI,CAAC,QAAA,CAAS,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,MAAA,MAAM,GAAA,GAAM,QAAA,CAAS,KAAA,CAAM,QAAA,CAAS,MAAM,CAAA;AAC1C,MAAA,IAAI,MAAA,IAAU,CAAC,GAAA,CAAI,UAAA,CAAW,MAAM,CAAA,EAAG;AAEvC,MAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,QACX,GAAA;AAAA,QACA,SAAA;AAAA,QACA,UAAA,EAAY,MAAM,IAAA,CAAK,MAAA;AAAA,QACvB,aAAa,KAAA,CAAM;AAAA,OACpB,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,EAAE,GAAA,CAAI,aAAA,CAAc,CAAA,CAAE,GAAG,CAAC,CAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,MAAA,CAAO,SAAA,EAAmB,GAAA,EAA+B;AAC7D,IAAA,OAAO,KAAK,KAAA,CAAM,GAAA,CAAI,KAAK,UAAA,CAAW,SAAA,EAAW,GAAG,CAAC,CAAA;AAAA,EACvD;AAAA,EAEA,MAAM,SAAA,GAA6B;AACjC,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,KAAA,MAAW,KAAA,IAAS,IAAA,CAAK,KAAA,CAAM,MAAA,EAAO,EAAG;AACvC,MAAA,KAAA,IAAS,MAAM,IAAA,CAAK,MAAA;AAAA,IACtB;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA,EAGA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACnB;AACF;;;AD3BA,eAAsB,sBAAsB,OAAA,EAIf;AAE3B,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,OAAA,EAAS,UAAU,CAAA;AAGnD,EAAA,MAAM9B,cAAAA,CAAM,OAAO,YAAA,EAAc,EAAE,WAAW,IAAA,EAAM,IAAA,EAAM,KAAO,CAAA;AAGjE,EAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,IAAI,iBAAA;AAAA,IACtC,CAAA,EAAG,OAAO,YAAY,CAAA,MAAA;AAAA,GACxB;AAGA,EAAA,IAAI,SAAA;AACJ,EAAA,IAAI,aAAA;AACJ,EAAA,IAAI,WAAA;AAEJ,EAAA,MAAM,UAAA,GAAa,OAAA,EAAS,UAAA,IAAc,OAAA,CAAQ,GAAA,CAAI,oBAAA;AAEtD,EAAA,IAAI,UAAA,EAAY;AAEd,IAAA,aAAA,GAAgB,YAAA;AAGhB,IAAA,IAAI,cAAA;AACJ,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,SAAS,YAAY,CAAA;AACpD,MAAA,IAAI,GAAA,EAAK;AACP,QAAA,MAAM,EAAE,aAAA,EAAA+B,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,QAAA,cAAA,GAAiB,IAAA,CAAK,KAAA,CAAMA,cAAAA,CAAc,GAAG,CAAC,CAAA;AAAA,MAChD;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAER;AAEA,IAAA,MAAM,MAAA,GAAS,MAAM,eAAA,CAAgB,UAAA,EAAY,cAAc,CAAA;AAC/D,IAAA,SAAA,GAAY,MAAA,CAAO,GAAA;AAGnB,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAM,EAAE,aAAA,EAAAb,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,MAAA,MAAM,OAAA,CAAQ,KAAA;AAAA,QACZ,OAAA;AAAA,QACA,YAAA;AAAA,QACAA,cAAAA,CAAc,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,MAAM,CAAC;AAAA,OAC7C;AAAA,IACF;AAAA,EACF,CAAA,MAAO;AAEL,IAAA,aAAA,GAAgB,cAAA;AAEhB,IAAA,MAAM,EAAE,YAAA,EAAAD,aAAAA,EAAa,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AAC/B,IAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAe,aAAA,EAAAa,cAAAA,KAAkB,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAC/C,IAAA,MAAM,EAAE,aAAA,EAAAC,cAAAA,EAAc,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAChC,IAAA,MAAM,EAAE,iBAAA,EAAAC,kBAAAA,EAAkB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,aAAA,EAAA,EAAA,gBAAA,CAAA,CAAA;AAGpC,IAAA,MAAM,YAAA,GAAe,MAAM,OAAA,CAAQ,IAAA,CAAK,SAAS,mBAAmB,CAAA;AACpE,IAAA,IAAI,YAAA,EAAc;AAEhB,MAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,sBAAA;AACnC,MAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAOF;AAAA,MACF;AAGA,MAAA,IAAI,gBAAA;AACJ,MAAA,IAAI;AACF,QAAA,gBAAA,GAAmBD,eAAc,cAAc,CAAA;AAAA,MACjD,CAAA,CAAA,MAAQ;AACN,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAEF;AAAA,MACF;AAEA,MAAA,IAAI,gBAAA,CAAiB,WAAW,EAAA,EAAI;AAClC,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAEF;AAAA,MACF;AAEA,MAAA,MAAM,YAAA,GAAef,cAAa,gBAAgB,CAAA;AAClD,MAAA,MAAM,UAAA,GAAac,eAAc,YAAY,CAAA;AAG7C,MAAA,MAAM,iBAAA,GAAoBb,eAAc,YAAY,CAAA;AACpD,MAAA,MAAM,eAAA,GAAkBA,eAAc,UAAU,CAAA;AAChD,MAAA,IAAI,CAACe,kBAAAA,CAAkB,iBAAA,EAAmB,eAAe,CAAA,EAAG;AAC1D,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAGF;AAAA,MACF;AAGA,MAAA,SAAA,GAAY,gBAAA;AAAA,IAEd,CAAA,MAAO;AAEL,MAAA,MAAM,kBAAA,GAAqB,MAAM,OAAA,CAAQ,IAAA,CAAK,OAAO,CAAA;AACrD,MAAA,MAAM,eAAe,kBAAA,CAAmB,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,QAAQ,YAAY,CAAA;AACxE,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAGF;AAAA,MACF;AAGA,MAAA,SAAA,GAAY,iBAAA,EAAkB;AAC9B,MAAA,WAAA,GAAc,YAAY,SAAS,CAAA;AAEnC,MAAA,MAAM,OAAA,GAAUhB,cAAa,SAAS,CAAA;AACtC,MAAA,MAAM,OAAA,CAAQ,KAAA;AAAA,QACZ,OAAA;AAAA,QACA,mBAAA;AAAA,QACAC,eAAc,OAAO;AAAA,OACvB;AAAA,IACF;AAAA,EACF;AAGA,EAAA,MAAM,QAAA,GAAW,IAAI,QAAA,CAAS,OAAA,EAAS,SAAS,CAAA;AAGhD,EAAA,MAAM,UAAA,GAAa,IAAI,UAAA,CAAW,OAAA,EAAS,SAAS,CAAA;AAGpD,EAAA,MAAM,EAAE,KAAA,EAAO,OAAA,EAAS,eAAA,EAAgB,GAAI,aAAA;AAAA,IAC1C,UAAA;AAAA,IACA,OAAA;AAAA,IACA,SAAA;AAAA,IACA,aAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,gBAAgB,IAAA,EAAK;AAG3B,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC;AAAA,MACE,IAAA,EAAM,uBAAA;AAAA,MACN,WAAA,EACE,wHAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA,EAAK;AAAA,UACnD,gBAAA,EAAkB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA,EAAK;AAAA,UACnD,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,SAAS,IAAA;AAAK;AACpD,OACF;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,eAAyB,EAAC;AAGhC,QAAA,YAAA,CAAa,IAAA;AAAA,UACX;AAAA,SACF;AAKA,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,WAAA,EAAa;AAAA,YACX,gBAAA,EAAkB,OAAO,SAAA,CAAU,WAAA;AAAA,YACnC,QAAA,EAAU;AAAA,cACR,YAAY,OAAA,CAAQ,IAAA;AAAA,cACpB,aAAA,EAAe,KAAA;AAAA,cACf,QAAA,EAAU;AAAA,aACZ;AAAA,YACA,QAAA,EAAU;AAAA,cACR,IAAI,CAAA,EAAG,OAAA,CAAQ,QAAQ,CAAA,CAAA,EAAI,QAAQ,IAAI,CAAA,CAAA;AAAA,cACvC,OAAA,EAAS,CAAA,KAAA,EAAQ,OAAA,CAAQ,OAAO,CAAA,CAAA;AAAA,cAChC,mBAAmB,MAAA,CAAO,OAAA;AAAA,cAC1B,eAAA,EAAiB;AAAA,aACnB;AAAA,YACA,OAAA,EAAS;AAAA,cACP,mBAAA,EAAqB,IAAA;AAAA;AAAA,cACrB,iBAAiB,EAAC;AAAA,cAClB,iBAAA,EAAmB;AAAA,aACrB;AAAA,YACA,eAAA,EAAiB,SAAA;AAAA,YACjB,sBAAA,EAAwB;AAAA,cACtB,kBAAA,EAAoB,IAAA;AAAA,cACpB,qBAAA,EAAuB,KAAA;AAAA,cACvB,iBAAA,EAAmB,eAAA;AAAA,cACnB,mBAAA,EAAqB,IAAA;AAAA,cACrB,oBAAA,EAAsB,IAAA;AAAA,cACtB,aAAA,EAAe,KAAA;AAAA,cACf;AAAA;AACF,WACF;AAAA,UACA,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACrC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,0BAAA;AAAA,MACN,WAAA,EACE,uEAAA;AAAA,MACF,aAAa,EAAE,IAAA,EAAM,QAAA,EAAU,UAAA,EAAY,EAAC,EAAE;AAAA,MAC9C,SAAS,YAAY;AACnB,QAAA,MAAM,gBAAA,GAAmB,MAAM,OAAA,CAAQ,SAAA,EAAU;AACjD,QAAA,MAAM,eAKD,EAAC;AAEN,QAAA,YAAA,CAAa,IAAA,CAAK;AAAA,UAChB,KAAA,EAAO,IAAA;AAAA,UACP,WAAA,EAAa,uCAAA;AAAA,UACb,QAAA,EAAU,SAAA;AAAA,UACV,UAAA,EAAY;AAAA,SACb,CAAA;AAID,QAAA,OAAO,UAAA,CAAW;AAAA,UAChB,QAAQ,YAAA,CAAa,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,UAAU,CAAA,GACtD,aAAA,GACA,YAAA,CAAa,KAAK,CAAC,CAAA,KAAM,EAAE,QAAA,KAAa,SAAS,IAC/C,UAAA,GACA,SAAA;AAAA,UACN,aAAA,EAAe,gBAAA;AAAA,UACf,MAAA,EAAQ;AAAA,YACN,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,QAAA;AAAA,cACR,oBAAA,EAAsB,aAAA;AAAA,cACtB,SAAA,EAAW,eAAA,CAAgB,IAAA,EAAK,CAAE,MAAA;AAAA,cAClC,eAAA,EAAiB,UAAA;AAAA,cACjB,oBAAA,EAAA,iBAAsB,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,aAC/C;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,UAAA;AAAA,cACR,cAAA,EAAgB,eAAA;AAAA,cAChB,qBAAA,EAAuB,IAAA;AAAA,cACvB,gBAAA,EAAA,iBAAkB,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,aAC3C;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,QAAA;AAAA,cACR,YAAA,EAAc,OAAO,UAAA,CAAW,YAAA;AAAA,cAChC,eAAA,EAAiB,CAAA;AAAA,cACjB,sBAAA,EAAwB;AAAA,aAC1B;AAAA,YACA,EAAA,EAAI;AAAA,cACF,MAAA,EAAQ,QAAA;AAAA,cACR,IAAA,EAAM,OAAO,UAAA,CAAW,IAAA;AAAA,cACxB,iBAAA,EAAmB,CAAA;AAAA;AAAA,cACnB,qBAAA,EAAuB;AAAA;AACzB,WACF;AAAA,UACA,YAAA;AAAA,UACA,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC,CAAA;AAAA,MACH;AAAA,KACF;AAAA,IAEA;AAAA,MACE,IAAA,EAAM,6BAAA;AAAA,MACN,WAAA,EAAa,kCAAA;AAAA,MACb,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,oBAAA,EAAqB;AAAA,UAC3D,KAAA,EAAO;AAAA,YACL,IAAA,EAAM,QAAA;AAAA,YACN,IAAA,EAAM,CAAC,IAAA,EAAM,IAAA,EAAM,MAAM,IAAI;AAAA,WAC/B;AAAA,UACA,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,UACjC,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,EAAA;AAAG;AACvC,OACF;AAAA,MACA,OAAA,EAAS,OAAO,IAAA,KAAS;AACvB,QAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,KAAA,CAAM;AAAA,UAClC,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,OAAO,IAAA,CAAK,KAAA;AAAA,UACZ,gBAAgB,IAAA,CAAK,cAAA;AAAA,UACrB,KAAA,EAAQ,KAAK,KAAA,IAAoB;AAAA,SAClC,CAAA;AACD,QAAA,OAAO,WAAW,MAAM,CAAA;AAAA,MAC1B;AAAA;AACF,GACF;AAGA,EAAA,MAAM,YAAA,GAA+B;AAAA,IACnC,IAAA,EAAM,oBAAA;AAAA,IACN,WAAA,EACE,sHAAA;AAAA,IAEF,aAAa,EAAE,IAAA,EAAM,QAAA,EAAU,UAAA,EAAY,EAAC,EAAE;AAAA,IAC9C,SAAS,YAAY;AACnB,MAAA,OAAO,UAAA,CAAW;AAAA,QAChB,iBAAA,EAAmB,KAAA;AAAA,QACnB,cAAA,EAAgB;AAAA,UACd,IAAA,EAAM,iCAAA;AAAA,UACN,SAAS,MAAA,CAAO,OAAA;AAAA,UAChB,QAAA,EAAU,YAAA;AAAA,UACV,OAAA,EAAS;AAAA,SACX;AAAA,QACA,MAAA,EAAQ;AAAA,UACN,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,YAAA,EAAc,cAAc,CAAA;AAAA,YACzC,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,YAC1B,QAAA,EAAU,CAAC,SAAS,CAAA;AAAA,YACpB,UAAA,EAAY;AAAA,cACV,4BAAA,EAA8B,MAAA;AAAA,cAC9B,yBAAA,EAA2B,MAAA;AAAA,cAC3B,6BAAA,EAA+B,MAAA;AAAA,cAC/B,8BAAA,EAAgC,MAAA;AAAA,cAChC,wBAAA,EAA0B,MAAA;AAAA,cAC1B,sBAAA,EAAwB,MAAA;AAAA,cACxB,yBAAA,EAA2B;AAAA;AAC7B,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,sBAAA,EAAwB,gBAAgB,CAAA;AAAA,YACrD,eAAA,EAAiB,CAAC,MAAA,CAAO,SAAA,CAAU,WAAW,CAAA;AAAA,YAC9C,UAAA,EAAY;AAAA,cACV,gCAAA,EAAkC,YAAA;AAAA,cAClC,2BAAA,EAA6B,eAAA;AAAA,cAC7B,kBAAA,EAAoB;AAAA;AACtB,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,aAAA,EAAe,kBAAkB,CAAA;AAAA,YAC9C,aAAA,EAAe,CAAC,MAAA,CAAO,UAAA,CAAW,YAAY,CAAA;AAAA,YAC9C,UAAA,EAAY;AAAA,cACV,yBAAA,EAA2B,cAAA;AAAA,cAC3B,+BAAA,EAAiC;AAAA;AACnC,WACF;AAAA,UACA,EAAA,EAAI;AAAA,YACF,WAAA,EAAa,IAAA;AAAA,YACb,UAAA,EAAY,CAAC,iBAAA,EAAmB,gBAAgB,CAAA;AAAA,YAChD,KAAA,EAAO,CAAC,MAAA,CAAO,UAAA,CAAW,IAAI,CAAA;AAAA,YAC9B,UAAA,EAAY;AAAA,cACV,wBAAA,EAA0B,MAAA;AAAA,cAC1B,wBAAA,EAA0B,MAAA;AAAA,cAC1B,uBAAA,EAAyB,OAAA;AAAA,cACzB,0BAAA,EAA4B;AAAA;AAC9B;AACF,SACF;AAAA,QACA,WAAA,EAAa;AAAA,UACX,WAAA,EAAa,KAAA;AAAA,UACb,aAAA,EAAe,KAAA;AAAA,UACf,aAAA,EAAe,IAAA;AAAA,UACf,gBAAA,EAAkB;AAAA,SACpB;AAAA,QACA,WAAA,EAAa;AAAA,UACX,gEAAA;AAAA,UACA,8EAAA;AAAA,UACA,+DAAA;AAAA,UACA,0CAAA;AAAA,UACA;AAAA;AACF,OACD,CAAA;AAAA,IACH;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,OAAA,KAAY,aAAA,CAAc,OAAA,EAAS,WAAW,QAAQ,CAAA;AAGrE,EAAA,MAAM,EAAE,KAAA,EAAO,QAAA,EAAS,GAAI,cAAA;AAAA,IAC1B,MAAA;AAAA,IACA,eAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACF;AAIA,EAAA,MAAM,EAAE,KAAA,EAAO,cAAA,EAAgB,gBAAA,EAAiB,GAAI,oBAAA;AAAA,IAClD,MAAA;AAAA,IACA,eAAA;AAAA,IACA,SAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,OAA2C,CAAA,GAAI,aAAA;AAAA,IAC5D,OAAA;AAAA,IACA,SAAA;AAAA,IACA,eAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,eAAA,EAAgB,GAAI,qBAAA;AAAA,IACjC,QAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,WAAA,EAAY,GAAI,iBAAA;AAAA,IAC7B,OAAA;AAAA,IACA,SAAA;AAAA,IACA,eAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACF;AAGA,EAAA,MAAM,EAAE,KAAA,EAAO,UAAA,EAAW,GAAI,iBAAiB,MAAM,CAAA;AAGrD,EAAA,MAAM,EAAE,OAAO,gBAAA,EAAkB,QAAA,EAAU,qBAAoB,GAC7D,sBAAA,CAAuB,OAAA,EAAS,SAAA,EAAW,QAAQ,CAAA;AAGrD,EAAA,MAAM,cAAA,GAAiB,sBAAA,CAAuB,MAAA,CAAO,YAAA,EAAc,QAAQ,CAAA;AAG3E,EAAA,MAAM,MAAA,GAAS,MAAM,mBAAA,CAAoB,MAAA,CAAO,YAAY,CAAA;AAC5D,EAAA,MAAM,QAAA,GAAW,IAAI,eAAA,CAAgB,OAAA,EAAS,SAAS,CAAA;AACvD,EAAA,MAAM,SAAS,IAAA,EAAK;AAGpB,EAAA,IAAI,eAAA;AACJ,EAAA,IAAI,SAAA;AAEJ,EAAA,IAAI,MAAA,CAAO,UAAU,OAAA,EAAS;AAE5B,IAAA,IAAI,SAAA,GAAY,OAAO,SAAA,CAAU,UAAA;AACjC,IAAA,IAAI,cAAc,MAAA,EAAQ;AACxB,MAAA,MAAM,EAAE,WAAA,EAAa,EAAA,EAAG,GAAI,MAAM,OAAO,QAAa,CAAA;AACtD,MAAA,SAAA,GAAY,EAAA,CAAG,EAAE,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAAA,IACnC;AAEA,IAAA,SAAA,GAAY,IAAI,wBAAA,CAAyB;AAAA,MACvC,IAAA,EAAM,OAAO,SAAA,CAAU,IAAA;AAAA,MACvB,IAAA,EAAM,OAAO,SAAA,CAAU,IAAA;AAAA,MACvB,eAAA,EAAiB,OAAO,gBAAA,CAAiB,eAAA;AAAA;AAAA,MAEzC,UAAA,EAAY,SAAA;AAAA,MACZ,GAAA,EAAK,OAAO,SAAA,CAAU,GAAA;AAAA,MACtB,SAAA,EAAW,OAAO,SAAA,CAAU;AAAA,KAC7B,CAAA;AACD,IAAA,SAAA,CAAU,eAAA,CAAgB,EAAE,MAAA,EAAQ,QAAA,EAAU,UAAU,CAAA;AACxD,IAAA,MAAM,UAAU,KAAA,EAAM;AACtB,IAAA,eAAA,GAAkB,SAAA;AAAA,EACpB,CAAA,MAAA,IAAW,OAAO,OAAA,CAAQ,OAAA,IAAW,OAAO,OAAA,CAAQ,GAAA,IAAO,MAAA,CAAO,OAAA,CAAQ,MAAA,EAAQ;AAChF,IAAA,MAAM,OAAA,GAAU,IAAI,sBAAA,CAAuB;AAAA,MACzC,WAAA,EAAa,OAAO,OAAA,CAAQ,GAAA;AAAA,MAC5B,cAAA,EAAgB,OAAO,OAAA,CAAQ,MAAA;AAAA,MAC/B,aAAA,EAAe,OAAO,OAAA,CAAQ,aAAA;AAAA,MAC9B,aAAA,EAAe,OAAO,OAAA,CAAQ,aAAA;AAAA,MAC9B,eAAA,EAAiB,OAAO,gBAAA,CAAiB;AAAA;AAAA,KAE1C,CAAA;AACD,IAAA,MAAM,QAAQ,KAAA,EAAM;AACpB,IAAA,eAAA,GAAkB,OAAA;AAAA,EACpB,CAAA,MAAO;AACL,IAAA,eAAA,GAAkB,IAAI,qBAAA,CAAsB,MAAA,CAAO,gBAAgB,CAAA;AAAA,EACrE;AAGA,EAAA,MAAM,iBAAA,GAAoB,IAAI,iBAAA,CAAkB;AAAA,IAC9C,OAAA,EAAS,IAAA;AAAA,IACT,WAAA,EAAa,QAAA;AAAA,IACb,YAAA,EAAc;AAAA,GACf,CAAA;AAGD,EAAA,MAAM,gBAAA,GAAmB,SAAA,GACrB,CAAC,KAAA,KAAuH;AACtH,IAAA,SAAA,CAAW,aAAa,iBAAA,EAAmB;AAAA,MACzC,MAAM,KAAA,CAAM,QAAA;AAAA,MACZ,UAAA,EAAY,MAAM,MAAA,CAAO,UAAA;AAAA,MACzB,OAAA,EAAS,KAAA,CAAM,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,CAAA,MAAM;AAAA,QACtC,MAAM,CAAA,CAAE,IAAA;AAAA,QACR,UAAU,CAAA,CAAE,QAAA;AAAA,QACZ,UAAU,CAAA,CAAE;AAAA,OACd,CAAE,CAAA;AAAA,MACF,cAAA,EAAgB,MAAM,MAAA,CAAO,cAAA;AAAA,MAC7B,WAAW,KAAA,CAAM;AAAA,KAClB,CAAA;AAAA,EACH,CAAA,GACA,MAAA;AAEJ,EAAA,MAAM,IAAA,GAAO,IAAI,YAAA,CAAa,MAAA,EAAQ,UAAU,eAAA,EAAiB,QAAA,EAAU,mBAAmB,gBAAgB,CAAA;AAG9G,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,MAAA,EAAQ,QAAA,EAAU,QAAQ,CAAA;AAGzE,EAAA,MAAM,iBAAmC,EAAC;AAC1C,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,cAAA,CAAe,IAAA,CAAK;AAAA,MAClB,IAAA,EAAM,0BAAA;AAAA,MACN,WAAA,EACE,8IAAA;AAAA,MAEF,WAAA,EAAa;AAAA,QACX,IAAA,EAAM,QAAA;AAAA,QACN,YAAY;AAAC,OACf;AAAA,MACA,SAAS,YAAY;AACnB,QAAA,MAAM,GAAA,GAAM,UAAW,gBAAA,EAAiB;AACxC,QAAA,OAAO;AAAA,UACL,OAAA,EAAS;AAAA,YACP;AAAA,cACE,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,gBACnB,aAAA,EAAe,GAAA;AAAA,gBACf,QAAA,EAAU,UAAW,UAAA,EAAW;AAAA,gBAChC,IAAA,EAAM;AAAA,eACR,EAAG,MAAM,CAAC;AAAA;AACZ;AACF,SACF;AAAA,MACF;AAAA,KACD,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,QAAA,GAA6B;AAAA,IAC/B,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,GAAG,WAAA;AAAA,IACH,GAAG,QAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH,GAAG,eAAA;AAAA,IACH,GAAG,WAAA;AAAA,IACH,GAAG,UAAA;AAAA,IACH,GAAG,gBAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH;AAAA,GACF;AAGA,EAAA,QAAA,GAAW,QAAA,CAAS,GAAA,CAAI,CAAC,IAAA,MAAU;AAAA,IACjC,GAAG,IAAA;AAAA,IACH,SAAS,mBAAA,CAAoB,WAAA,CAAY,IAAA,CAAK,IAAA,EAAM,KAAK,OAAO;AAAA,GAClE,CAAE,CAAA;AAGF,EAAA,MAAM,MAAA,GAAS,YAAA,CAAa,QAAA,EAAU,EAAE,MAAM,CAAA;AAG9C,EAAA,MAAM,WAAW,MAAM,CAAA;AAGvB,EAAA,MAAM,eAAe,MAAM;AACzB,IAAA,QAAA,CAAS,IAAA,EAAK,CAAE,KAAA,CAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EAChC,CAAA;AACA,EAAA,OAAA,CAAQ,EAAA,CAAG,UAAU,YAAY,CAAA;AACjC,EAAA,OAAA,CAAQ,EAAA,CAAG,WAAW,YAAY,CAAA;AAGlC,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,OAAA,CAAQ,KAAA;AAAA,MACN,CAAA;AAAA;AAAA;AAAA,sBAAA,EAGoB,WAAA,CAAY,KAAA,CAAM,CAAA,EAAG,EAAE,CAAC,CAAA;AAAA;AAAA;AAAA;AAAA,wWAAA;AAAA,KAK9C;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,QAAQ,MAAA,EAAO;AAC1B","file":"index.cjs","sourcesContent":["/**\n * Sanctuary MCP Server — Encoding Utilities\n *\n * Base64url encoding/decoding per RFC 4648 §5.\n * Used throughout Sanctuary for serializing binary data in JSON.\n */\n\n/**\n * Encode bytes to base64url string (no padding).\n */\nexport function toBase64url(bytes: Uint8Array): string {\n const base64 = Buffer.from(bytes).toString(\"base64\");\n return base64.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/**\n * Decode base64url string to bytes.\n */\nexport function fromBase64url(str: string): Uint8Array {\n // Restore standard base64\n let base64 = str.replace(/-/g, \"+\").replace(/_/g, \"/\");\n // Add padding\n while (base64.length % 4 !== 0) {\n base64 += \"=\";\n }\n const buf = Buffer.from(base64, \"base64\");\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n}\n\n/**\n * Encode a UTF-8 string to bytes.\n */\nexport function stringToBytes(str: string): Uint8Array {\n return new TextEncoder().encode(str);\n}\n\n/**\n * Decode bytes to a UTF-8 string.\n */\nexport function bytesToString(bytes: Uint8Array): string {\n return new TextDecoder().decode(bytes);\n}\n\n/**\n * Concatenate multiple Uint8Arrays.\n */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n const totalLength = arrays.reduce((sum, arr) => sum + arr.length, 0);\n const result = new Uint8Array(totalLength);\n let offset = 0;\n for (const arr of arrays) {\n result.set(arr, offset);\n offset += arr.length;\n }\n return result;\n}\n\n/**\n * Constant-time comparison of two byte arrays.\n * Prevents timing attacks on signature/tag verification.\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++) {\n diff |= a[i]! ^ b[i]!;\n }\n return diff === 0;\n}\n","/**\n * Sanctuary MCP Server — Hashing and Merkle Trees\n *\n * SHA-256 hashing for integrity verification.\n * Merkle trees for namespace-level state integrity.\n */\n\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { hmac } from \"@noble/hashes/hmac\";\nimport { toBase64url, concatBytes, stringToBytes } from \"./encoding.js\";\n\n/**\n * Compute SHA-256 hash of data.\n */\nexport function hash(data: Uint8Array): Uint8Array {\n return sha256(data);\n}\n\n/**\n * Compute SHA-256 hash and return as base64url string.\n */\nexport function hashToString(data: Uint8Array): string {\n return toBase64url(hash(data));\n}\n\n/**\n * Compute HMAC-SHA256.\n */\nexport function hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array {\n return hmac(sha256, key, data);\n}\n\n// ─── Merkle Tree ─────────────────────────────────────────────────────────────\n\nexport interface MerkleNode {\n hash: string; // base64url SHA-256\n left?: MerkleNode;\n right?: MerkleNode;\n key?: string; // Leaf nodes store the state key\n}\n\nexport interface MerkleProof {\n leaf: string;\n path: Array<{\n hash: string;\n position: \"left\" | \"right\";\n }>;\n root: string;\n}\n\n/**\n * Build a Merkle tree from a set of key-hash pairs.\n * Keys are sorted lexicographically for deterministic ordering.\n *\n * @param entries - Map of state key → content hash (base64url)\n * @returns Root node of the Merkle tree\n */\nexport function buildMerkleTree(\n entries: Map<string, string>\n): MerkleNode | null {\n if (entries.size === 0) return null;\n\n // Sort keys for deterministic tree construction\n const sortedKeys = Array.from(entries.keys()).sort();\n\n // Create leaf nodes: H(key || content_hash)\n let nodes: MerkleNode[] = sortedKeys.map((key) => {\n const contentHash = entries.get(key)!;\n const leafData = concatBytes(\n stringToBytes(key),\n stringToBytes(contentHash)\n );\n return {\n hash: hashToString(leafData),\n key,\n };\n });\n\n // Build tree bottom-up\n while (nodes.length > 1) {\n const nextLevel: MerkleNode[] = [];\n for (let i = 0; i < nodes.length; i += 2) {\n const left = nodes[i]!;\n if (i + 1 < nodes.length) {\n const right = nodes[i + 1]!;\n const parentData = concatBytes(\n stringToBytes(left.hash),\n stringToBytes(right.hash)\n );\n nextLevel.push({\n hash: hashToString(parentData),\n left,\n right,\n });\n } else {\n // Odd node — promote directly\n nextLevel.push(left);\n }\n }\n nodes = nextLevel;\n }\n\n return nodes[0] ?? null;\n}\n\n/**\n * Generate a Merkle proof for a specific key.\n *\n * @param entries - All key-hash pairs in the namespace\n * @param targetKey - The key to generate a proof for\n * @returns MerkleProof or null if key not found\n */\nexport function generateMerkleProof(\n entries: Map<string, string>,\n targetKey: string\n): MerkleProof | null {\n if (!entries.has(targetKey)) return null;\n\n const sortedKeys = Array.from(entries.keys()).sort();\n const targetIndex = sortedKeys.indexOf(targetKey);\n if (targetIndex === -1) return null;\n\n // Create leaf hashes\n const leafHashes: string[] = sortedKeys.map((key) => {\n const contentHash = entries.get(key)!;\n const leafData = concatBytes(\n stringToBytes(key),\n stringToBytes(contentHash)\n );\n return hashToString(leafData);\n });\n\n const path: MerkleProof[\"path\"] = [];\n let currentIndex = targetIndex;\n let currentLevel = leafHashes;\n\n while (currentLevel.length > 1) {\n const nextLevel: string[] = [];\n for (let i = 0; i < currentLevel.length; i += 2) {\n const left = currentLevel[i]!;\n if (i + 1 < currentLevel.length) {\n const right = currentLevel[i + 1]!;\n\n // If our target is at this pair, record the sibling\n if (i === currentIndex || i + 1 === currentIndex) {\n if (currentIndex === i) {\n path.push({ hash: right, position: \"right\" });\n } else {\n path.push({ hash: left, position: \"left\" });\n }\n }\n\n const parentData = concatBytes(\n stringToBytes(left),\n stringToBytes(right)\n );\n nextLevel.push(hashToString(parentData));\n } else {\n // Odd node — promote directly, no sibling to record\n nextLevel.push(left);\n }\n }\n currentIndex = Math.floor(currentIndex / 2);\n currentLevel = nextLevel;\n }\n\n const root = buildMerkleTree(entries);\n\n return {\n leaf: leafHashes[targetIndex]!,\n path,\n root: root?.hash ?? \"\",\n };\n}\n\n/**\n * Verify a Merkle proof.\n *\n * @param proof - The proof to verify\n * @returns true if the proof is valid\n */\nexport function verifyMerkleProof(proof: MerkleProof): boolean {\n let currentHash = proof.leaf;\n\n for (const step of proof.path) {\n const left =\n step.position === \"left\" ? step.hash : currentHash;\n const right =\n step.position === \"right\" ? step.hash : currentHash;\n const parentData = concatBytes(\n stringToBytes(left),\n stringToBytes(right)\n );\n currentHash = hashToString(parentData);\n }\n\n return currentHash === proof.root;\n}\n\n/**\n * Compute the Merkle root for a set of entries.\n * Convenience function that builds the tree and returns just the root hash.\n */\nexport function computeMerkleRoot(entries: Map<string, string>): string {\n const tree = buildMerkleTree(entries);\n return tree?.hash ?? \"\";\n}\n","/**\n * Sanctuary MCP Server — Configuration\n *\n * Loads and validates server configuration from file or environment variables.\n */\n\nimport { readFile, writeFile } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport { createRequire } from \"node:module\";\n\nconst require = createRequire(import.meta.url);\nconst { version: PKG_VERSION } = require(\"../package.json\");\n\n/** Package version, exported for use by other modules (avoids duplicate require paths). */\nexport const SANCTUARY_VERSION = PKG_VERSION;\n\nexport interface SanctuaryConfig {\n version: string;\n storage_path: string;\n principal_id?: string;\n\n state: {\n encryption: \"aes-256-gcm\";\n key_protection: \"passphrase\" | \"hardware-key\" | \"none\";\n key_derivation: \"argon2id\";\n integrity: \"merkle-sha256\";\n identity_provider: \"ed25519\";\n };\n\n execution: {\n environment: \"local-process\" | \"docker\" | \"tee\";\n attestation: boolean;\n resource_limits: {\n max_memory_mb: number;\n max_storage_mb: number;\n max_cpu_percent: number;\n };\n };\n\n disclosure: {\n proof_system: \"groth16\" | \"plonk\" | \"schnorr-pedersen\" | \"commitment-only\";\n default_policy: \"minimum-necessary\" | \"withhold-all\";\n };\n\n reputation: {\n mode: \"self-custodied\" | \"service-mediated\";\n attestation_format: \"eas-compatible\";\n export_format: \"SANCTUARY_REP_V1\";\n service_endpoints: string[];\n };\n\n transport: \"stdio\" | \"http\";\n http_port: number;\n\n dashboard: {\n enabled: boolean;\n port: number;\n host: string;\n /** Bearer token for dashboard auth. If \"auto\", one is generated at startup. */\n auth_token?: string;\n /** Auto-open dashboard in default browser on startup. Default: true for localhost. */\n auto_open?: boolean;\n /** TLS cert/key paths for HTTPS dashboard. */\n tls?: {\n cert_path: string;\n key_path: string;\n };\n };\n\n webhook: {\n enabled: boolean;\n /** URL to POST approval requests to */\n url: string;\n /** Shared secret for HMAC-SHA256 signatures */\n secret: string;\n /** Port for callback listener (receives approval responses) */\n callback_port: number;\n /** Host for callback listener */\n callback_host: string;\n };\n}\n\n/** Default configuration */\nexport function defaultConfig(): SanctuaryConfig {\n return {\n version: PKG_VERSION,\n storage_path: join(homedir(), \".sanctuary\"),\n state: {\n encryption: \"aes-256-gcm\",\n key_protection: \"none\",\n key_derivation: \"argon2id\",\n integrity: \"merkle-sha256\",\n identity_provider: \"ed25519\",\n },\n execution: {\n environment: \"local-process\",\n attestation: true,\n resource_limits: {\n max_memory_mb: 512,\n max_storage_mb: 1024,\n max_cpu_percent: 50,\n },\n },\n disclosure: {\n proof_system: \"schnorr-pedersen\",\n default_policy: \"minimum-necessary\",\n },\n reputation: {\n mode: \"self-custodied\",\n attestation_format: \"eas-compatible\",\n export_format: \"SANCTUARY_REP_V1\",\n service_endpoints: [],\n },\n transport: \"stdio\",\n http_port: 3500,\n dashboard: {\n enabled: false,\n port: 3501,\n host: \"127.0.0.1\",\n },\n webhook: {\n enabled: false,\n url: \"\",\n secret: \"\",\n callback_port: 3502,\n callback_host: \"127.0.0.1\",\n },\n };\n}\n\n/**\n * Load configuration from file, falling back to defaults.\n *\n * Precedence (highest wins): CLI flags > env vars > config file > defaults\n * This matches the standard config precedence pattern used by most tools.\n */\nexport async function loadConfig(\n configPath?: string\n): Promise<SanctuaryConfig> {\n let config = defaultConfig();\n\n // Phase 1: Merge config file on top of defaults\n const storagePath = process.env.SANCTUARY_STORAGE_PATH ?? config.storage_path;\n const path = configPath ?? join(storagePath, \"sanctuary.json\");\n\n try {\n const raw = await readFile(path, \"utf-8\");\n const fileConfig = JSON.parse(raw);\n config = deepMerge(config, fileConfig);\n } catch (err) {\n // Re-throw validation errors — only swallow file-not-found\n if (err instanceof Error && err.message.includes(\"unimplemented features\")) {\n throw err;\n }\n // No config file — continue with defaults\n }\n\n // Phase 2: Apply env var overrides ON TOP of file config (env always wins)\n if (process.env.SANCTUARY_STORAGE_PATH) {\n config.storage_path = process.env.SANCTUARY_STORAGE_PATH;\n }\n if (process.env.SANCTUARY_TRANSPORT) {\n config.transport = process.env.SANCTUARY_TRANSPORT as \"stdio\" | \"http\";\n }\n if (process.env.SANCTUARY_HTTP_PORT) {\n config.http_port = parseInt(process.env.SANCTUARY_HTTP_PORT, 10);\n }\n if (process.env.SANCTUARY_DASHBOARD_ENABLED === \"true\") {\n config.dashboard.enabled = true;\n }\n if (process.env.SANCTUARY_DASHBOARD_ENABLED === \"false\") {\n config.dashboard.enabled = false;\n }\n if (process.env.SANCTUARY_DASHBOARD_PORT) {\n config.dashboard.port = parseInt(process.env.SANCTUARY_DASHBOARD_PORT, 10);\n }\n if (process.env.SANCTUARY_DASHBOARD_HOST) {\n config.dashboard.host = process.env.SANCTUARY_DASHBOARD_HOST;\n }\n if (process.env.SANCTUARY_DASHBOARD_AUTH_TOKEN) {\n config.dashboard.auth_token = process.env.SANCTUARY_DASHBOARD_AUTH_TOKEN;\n }\n if (process.env.SANCTUARY_DASHBOARD_AUTO_OPEN === \"true\") {\n config.dashboard.auto_open = true;\n }\n if (process.env.SANCTUARY_DASHBOARD_AUTO_OPEN === \"false\") {\n config.dashboard.auto_open = false;\n }\n if (process.env.SANCTUARY_DASHBOARD_TLS_CERT && process.env.SANCTUARY_DASHBOARD_TLS_KEY) {\n config.dashboard.tls = {\n cert_path: process.env.SANCTUARY_DASHBOARD_TLS_CERT,\n key_path: process.env.SANCTUARY_DASHBOARD_TLS_KEY,\n };\n }\n if (process.env.SANCTUARY_WEBHOOK_ENABLED === \"true\") {\n config.webhook.enabled = true;\n }\n if (process.env.SANCTUARY_WEBHOOK_ENABLED === \"false\") {\n config.webhook.enabled = false;\n }\n if (process.env.SANCTUARY_WEBHOOK_URL) {\n config.webhook.url = process.env.SANCTUARY_WEBHOOK_URL;\n }\n if (process.env.SANCTUARY_WEBHOOK_SECRET) {\n config.webhook.secret = process.env.SANCTUARY_WEBHOOK_SECRET;\n }\n if (process.env.SANCTUARY_WEBHOOK_CALLBACK_PORT) {\n config.webhook.callback_port = parseInt(process.env.SANCTUARY_WEBHOOK_CALLBACK_PORT, 10);\n }\n if (process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST) {\n config.webhook.callback_host = process.env.SANCTUARY_WEBHOOK_CALLBACK_HOST;\n }\n\n // Phase 3: Always stamp the running version from package.json (Bug 2 fix —\n // sanctuary.json may store a stale version from first run)\n config.version = PKG_VERSION;\n\n validateConfig(config);\n return config;\n}\n\n/**\n * Save configuration to file.\n */\nexport async function saveConfig(\n config: SanctuaryConfig,\n configPath?: string\n): Promise<void> {\n const path =\n configPath ?? join(config.storage_path, \"sanctuary.json\");\n await writeFile(path, JSON.stringify(config, null, 2), { mode: 0o600 });\n}\n\n/**\n * Validate that config does not reference unimplemented features.\n * Throws a descriptive error if any unimplemented value is found.\n * This prevents silent security degradation (SEC-019).\n */\nexport function validateConfig(config: SanctuaryConfig): void {\n const errors: string[] = [];\n\n // Implemented key_protection values: \"passphrase\", \"none\"\n // Unimplemented: \"hardware-key\" (planned for future FIDO2/WebAuthn support)\n const implementedKeyProtection = new Set([\"passphrase\", \"none\"]);\n if (!implementedKeyProtection.has(config.state.key_protection)) {\n errors.push(\n `Unimplemented config value: state.key_protection = \"${config.state.key_protection}\". ` +\n `Only ${[...implementedKeyProtection].map(v => `\"${v}\"`).join(\", \")} are currently implemented. ` +\n `Using an unimplemented key protection mode would silently degrade security.`\n );\n }\n\n // Implemented environment values: \"local-process\", \"docker\"\n // Unimplemented: \"tee\" (TEE-backed execution attestation not yet integrated)\n const implementedEnvironment = new Set([\"local-process\", \"docker\"]);\n if (!implementedEnvironment.has(config.execution.environment)) {\n errors.push(\n `Unimplemented config value: execution.environment = \"${config.execution.environment}\". ` +\n `Only ${[...implementedEnvironment].map(v => `\"${v}\"`).join(\", \")} are currently implemented. ` +\n `Using an unimplemented environment would silently degrade security.`\n );\n }\n\n // Implemented proof_system values: \"schnorr-pedersen\" (Schnorr proofs + Pedersen commitments + range proofs — genuine ZK)\n // Also accepts \"commitment-only\" (legacy alias, equivalent to schnorr-pedersen)\n // Unimplemented: \"groth16\", \"plonk\" (SNARK proof systems not yet available)\n const implementedProofSystem = new Set([\"schnorr-pedersen\", \"commitment-only\"]);\n if (!implementedProofSystem.has(config.disclosure.proof_system)) {\n errors.push(\n `Unimplemented config value: disclosure.proof_system = \"${config.disclosure.proof_system}\". ` +\n `Only ${[...implementedProofSystem].map(v => `\"${v}\"`).join(\", \")} is currently implemented. ` +\n `Using an unimplemented proof system would silently degrade security.`\n );\n }\n\n // Implemented disclosure.default_policy values: \"minimum-necessary\"\n // Unimplemented: \"withhold-all\" (global withhold policy not yet implemented)\n const implementedDisclosurePolicy = new Set([\"minimum-necessary\"]);\n if (!implementedDisclosurePolicy.has(config.disclosure.default_policy)) {\n errors.push(\n `Unimplemented config value: disclosure.default_policy = \"${config.disclosure.default_policy}\". ` +\n `Only ${[...implementedDisclosurePolicy].map(v => `\"${v}\"`).join(\", \")} is currently implemented. ` +\n `Using an unimplemented disclosure policy would silently skip disclosure controls.`\n );\n }\n\n // Implemented reputation.mode values: \"self-custodied\"\n // Unimplemented: \"service-mediated\" (third-party reputation service not yet integrated)\n const implementedReputationMode = new Set([\"self-custodied\"]);\n if (!implementedReputationMode.has(config.reputation.mode)) {\n errors.push(\n `Unimplemented config value: reputation.mode = \"${config.reputation.mode}\". ` +\n `Only ${[...implementedReputationMode].map(v => `\"${v}\"`).join(\", \")} is currently implemented. ` +\n `Using an unimplemented reputation mode would silently skip reputation verification.`\n );\n }\n\n if (errors.length > 0) {\n throw new Error(\n `Sanctuary configuration references unimplemented features:\\n${errors.join(\"\\n\")}`\n );\n }\n}\n\n/** Deep merge two objects (target takes precedence) */\nfunction deepMerge(base: object, override: object): SanctuaryConfig {\n const result: Record<string, unknown> = { ...base };\n for (const [key, value] of Object.entries(override)) {\n if (\n value !== null &&\n typeof value === \"object\" &&\n !Array.isArray(value) &&\n typeof result[key] === \"object\" &&\n result[key] !== null\n ) {\n result[key] = deepMerge(\n result[key] as object,\n value as object\n );\n } else {\n result[key] = value;\n }\n }\n return result as unknown as SanctuaryConfig;\n}\n","/**\n * Sanctuary MCP Server — Secure Random Generation\n *\n * All randomness in Sanctuary flows through this module.\n * Uses crypto.getRandomValues (Web Crypto API) for CSPRNG.\n */\n\nimport { randomBytes as nodeRandomBytes } from \"node:crypto\";\n\n/**\n * Generate cryptographically secure random bytes.\n * Uses Node.js crypto module (backed by OpenSSL CSPRNG).\n */\nexport function randomBytes(length: number): Uint8Array {\n if (length <= 0) {\n throw new RangeError(\"Length must be positive\");\n }\n const buf = nodeRandomBytes(length);\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n}\n\n/**\n * Generate a random IV for AES-256-GCM (12 bytes per NIST SP 800-38D).\n */\nexport function generateIV(): Uint8Array {\n return randomBytes(12);\n}\n\n/**\n * Generate a random salt for key derivation (32 bytes).\n */\nexport function generateSalt(): Uint8Array {\n return randomBytes(32);\n}\n\n/**\n * Generate a random 256-bit key (for recovery key generation).\n */\nexport function generateRandomKey(): Uint8Array {\n return randomBytes(32);\n}\n","/**\n * Sanctuary MCP Server — Filesystem Storage Backend\n *\n * Default storage backend using the local filesystem.\n * Files are stored as: {basePath}/{namespace}/{key}.enc\n *\n * Security invariants:\n * - Secure deletion overwrites file content with random bytes before unlinking\n * - Directory creation uses restrictive permissions (0o700)\n * - File creation uses restrictive permissions (0o600)\n */\n\nimport { mkdir, readFile, writeFile, unlink, readdir, stat } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { randomBytes } from \"../core/random.js\";\nimport type { StorageBackend, StorageEntryMeta } from \"./interface.js\";\n\nexport class FilesystemStorage implements StorageBackend {\n private basePath: string;\n\n constructor(basePath: string) {\n this.basePath = basePath;\n }\n\n private entryPath(namespace: string, key: string): string {\n // Sanitize namespace and key to prevent path traversal\n const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n const safeKey = key.replace(/[^a-zA-Z0-9_.-]/g, \"_\");\n return join(this.basePath, safeNamespace, `${safeKey}.enc`);\n }\n\n private namespacePath(namespace: string): string {\n const safeNamespace = namespace.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n return join(this.basePath, safeNamespace);\n }\n\n async write(\n namespace: string,\n key: string,\n data: Uint8Array\n ): Promise<void> {\n const dirPath = this.namespacePath(namespace);\n const filePath = this.entryPath(namespace, key);\n\n // Create namespace directory with restrictive permissions\n await mkdir(dirPath, { recursive: true, mode: 0o700 });\n\n // Write file with restrictive permissions (owner read/write only)\n await writeFile(filePath, data, { mode: 0o600 });\n }\n\n async read(namespace: string, key: string): Promise<Uint8Array | null> {\n const filePath = this.entryPath(namespace, key);\n try {\n const buf = await readFile(filePath);\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return null;\n }\n throw err;\n }\n }\n\n async delete(\n namespace: string,\n key: string,\n secureOverwrite = true\n ): Promise<boolean> {\n const filePath = this.entryPath(namespace, key);\n\n try {\n if (secureOverwrite) {\n // Read the file to determine its size\n const fileStat = await stat(filePath);\n const size = fileStat.size;\n\n // Overwrite with random bytes (3 passes for defense in depth)\n for (let pass = 0; pass < 3; pass++) {\n const randomData = randomBytes(size);\n await writeFile(filePath, randomData, { mode: 0o600 });\n }\n }\n\n // Remove the file\n await unlink(filePath);\n return true;\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return false;\n }\n throw err;\n }\n }\n\n async list(namespace: string, prefix?: string): Promise<StorageEntryMeta[]> {\n const dirPath = this.namespacePath(namespace);\n\n try {\n const files = await readdir(dirPath);\n const entries: StorageEntryMeta[] = [];\n\n for (const file of files) {\n if (!file.endsWith(\".enc\")) continue;\n\n const key = file.slice(0, -4); // Remove .enc extension\n if (prefix && !key.startsWith(prefix)) continue;\n\n const filePath = join(dirPath, file);\n const fileStat = await stat(filePath);\n\n entries.push({\n key,\n namespace,\n size_bytes: fileStat.size,\n modified_at: fileStat.mtime.toISOString(),\n });\n }\n\n return entries.sort((a, b) => a.key.localeCompare(b.key));\n } catch (err: unknown) {\n if (\n err instanceof Error &&\n \"code\" in err &&\n (err as NodeJS.ErrnoException).code === \"ENOENT\"\n ) {\n return [];\n }\n throw err;\n }\n }\n\n async exists(namespace: string, key: string): Promise<boolean> {\n const filePath = this.entryPath(namespace, key);\n try {\n await stat(filePath);\n return true;\n } catch {\n return false;\n }\n }\n\n async totalSize(): Promise<number> {\n let total = 0;\n\n try {\n const namespaces = await readdir(this.basePath);\n for (const ns of namespaces) {\n const nsPath = join(this.basePath, ns);\n const nsStat = await stat(nsPath);\n if (!nsStat.isDirectory()) continue;\n\n const files = await readdir(nsPath);\n for (const file of files) {\n const filePath = join(nsPath, file);\n const fileStat = await stat(filePath);\n total += fileStat.size;\n }\n }\n } catch {\n // If base path doesn't exist yet, total is 0\n }\n\n return total;\n }\n}\n","/**\n * Sanctuary MCP Server — AES-256-GCM Encryption\n *\n * All state encryption in Sanctuary uses AES-256-GCM (authenticated encryption).\n * This provides both confidentiality and integrity — a modified ciphertext will\n * fail authentication, detecting tampering.\n *\n * Security invariants:\n * - Every encryption uses a unique 12-byte IV (NIST SP 800-38D)\n * - The 16-byte authentication tag is always verified on decryption\n * - Keys are 256 bits (32 bytes)\n */\n\nimport { gcm } from \"@noble/ciphers/aes.js\";\nimport { generateIV } from \"./random.js\";\nimport { toBase64url, fromBase64url } from \"./encoding.js\";\n\n/** Encrypted payload structure stored on disk */\nexport interface EncryptedPayload {\n /** Format version */\n v: number;\n /** Algorithm identifier */\n alg: \"aes-256-gcm\";\n /** Initialization vector (base64url) */\n iv: string;\n /** Ciphertext (base64url) */\n ct: string;\n /** Authentication tag (base64url) — included in ciphertext by @noble/ciphers */\n /** Timestamp */\n ts: string;\n}\n\n/**\n * Encrypt plaintext bytes with AES-256-GCM.\n *\n * @param plaintext - Data to encrypt\n * @param key - 256-bit encryption key\n * @param aad - Optional additional authenticated data (authenticated but not encrypted)\n * @returns EncryptedPayload ready for JSON serialization\n */\nexport function encrypt(\n plaintext: Uint8Array,\n key: Uint8Array,\n aad?: Uint8Array\n): EncryptedPayload {\n if (key.length !== 32) {\n throw new Error(\"Key must be exactly 32 bytes (256 bits)\");\n }\n\n const iv = generateIV();\n const cipher = gcm(key, iv, aad);\n // @noble/ciphers gcm.encrypt appends the 16-byte auth tag to the ciphertext\n const ciphertext = cipher.encrypt(plaintext);\n\n return {\n v: 1,\n alg: \"aes-256-gcm\",\n iv: toBase64url(iv),\n ct: toBase64url(ciphertext),\n ts: new Date().toISOString(),\n };\n}\n\n/**\n * Decrypt an AES-256-GCM encrypted payload.\n *\n * @param payload - EncryptedPayload from encrypt()\n * @param key - 256-bit encryption key (must match the encryption key)\n * @param aad - Optional additional authenticated data (must match encryption AAD)\n * @returns Decrypted plaintext bytes\n * @throws If authentication tag verification fails (tampered data)\n */\nexport function decrypt(\n payload: EncryptedPayload,\n key: Uint8Array,\n aad?: Uint8Array\n): Uint8Array {\n if (key.length !== 32) {\n throw new Error(\"Key must be exactly 32 bytes (256 bits)\");\n }\n if (payload.v !== 1) {\n throw new Error(`Unsupported payload version: ${payload.v}`);\n }\n if (payload.alg !== \"aes-256-gcm\") {\n throw new Error(`Unsupported algorithm: ${payload.alg}`);\n }\n\n const iv = fromBase64url(payload.iv);\n const ciphertext = fromBase64url(payload.ct);\n const cipher = gcm(key, iv, aad);\n\n // gcm.decrypt verifies the auth tag and throws if tampered\n return cipher.decrypt(ciphertext);\n}\n\n/**\n * Re-encrypt data with a new key (for key rotation or export).\n * Decrypts with old key, re-encrypts with new key.\n */\nexport function reEncrypt(\n payload: EncryptedPayload,\n oldKey: Uint8Array,\n newKey: Uint8Array,\n aad?: Uint8Array\n): EncryptedPayload {\n const plaintext = decrypt(payload, oldKey, aad);\n return encrypt(plaintext, newKey, aad);\n}\n","/**\n * Sanctuary MCP Server — L1 Cognitive Sovereignty: StateStore\n *\n * The encrypted state store is the foundation of Sanctuary.\n * Every read and write goes through here. All data is encrypted\n * with namespace-specific keys. All writes are signed by an identity.\n * All reads verify integrity via Merkle proofs.\n *\n * Security invariants:\n * - Plaintext never touches the filesystem\n * - Every write gets a unique IV\n * - Every write is signed (non-repudiation)\n * - Monotonic version numbers prevent rollback\n * - Merkle tree verifies namespace integrity\n * - Secure deletion overwrites before unlinking\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport {\n encrypt,\n decrypt,\n type EncryptedPayload,\n} from \"../core/encryption.js\";\nimport {\n hashToString,\n computeMerkleRoot,\n generateMerkleProof,\n verifyMerkleProof,\n} from \"../core/hashing.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { deriveNamespaceKey } from \"../core/key-derivation.js\";\nimport {\n toBase64url,\n fromBase64url,\n stringToBytes,\n bytesToString,\n} from \"../core/encoding.js\";\nimport type { EncryptedPayload as EncPayload } from \"../core/encryption.js\";\n\n/**\n * Reserved namespace prefixes — used by internal subsystems.\n * Imported bundles MUST NOT write to these namespaces.\n */\nconst RESERVED_NAMESPACE_PREFIXES = [\n \"_identities\",\n \"_policies\",\n \"_audit\",\n \"_meta\",\n \"_principal\",\n \"_commitments\",\n \"_reputation\",\n \"_escrow\",\n \"_guarantees\",\n \"_bridge\",\n \"_federation\",\n \"_handshake\",\n \"_shr\",\n] as const;\n\n/**\n * Check whether a namespace is reserved (internal subsystem use only).\n * External callers MUST NOT read, write, list, or import these namespaces.\n */\nexport function isReservedNamespace(namespace: string): boolean {\n return RESERVED_NAMESPACE_PREFIXES.some(\n (prefix) => namespace === prefix || namespace.startsWith(prefix + \"/\")\n );\n}\n\n/** On-disk format for an encrypted state entry */\nexport interface StateEntry {\n /** Format version */\n v: number;\n /** Encrypted payload */\n payload: EncryptedPayload;\n /** Version number (monotonically increasing) */\n ver: number;\n /** Signature over ciphertext by the writing identity (base64url) */\n sig: string;\n /** Identity that wrote this entry */\n kid: string;\n /** SHA-256 of the plaintext value (base64url, for client-side verification) */\n integrity_hash: string;\n /** Metadata */\n metadata: {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n written_at: string;\n };\n}\n\n/** Result of a state write operation */\nexport interface WriteResult {\n key: string;\n namespace: string;\n version: number;\n merkle_root: string;\n written_at: string;\n size_bytes: number;\n integrity_hash: string;\n}\n\n/** Result of a state read operation */\nexport interface ReadResult {\n key: string;\n namespace: string;\n value: string;\n version: number;\n integrity_verified: boolean;\n merkle_proof: string[];\n written_at: string;\n written_by: string;\n}\n\n/** Options for state write */\nexport interface WriteOptions {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n}\n\nexport class StateStore {\n private storage: StorageBackend;\n private masterKey: Uint8Array;\n\n // Cache of version numbers per namespace/key for anti-rollback\n private versionCache = new Map<string, number>();\n\n // Cache of content hashes per namespace for Merkle tree computation\n private contentHashes = new Map<string, Map<string, string>>();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.masterKey = masterKey;\n }\n\n private versionKey(namespace: string, key: string): string {\n return `${namespace}/${key}`;\n }\n\n /**\n * Get or initialize the content hash map for a namespace.\n */\n private async getNamespaceHashes(\n namespace: string\n ): Promise<Map<string, string>> {\n if (this.contentHashes.has(namespace)) {\n return this.contentHashes.get(namespace)!;\n }\n\n // Load existing entries to build the hash map\n const entries = await this.storage.list(namespace);\n const hashMap = new Map<string, string>();\n\n for (const entry of entries) {\n const raw = await this.storage.read(namespace, entry.key);\n if (raw) {\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n hashMap.set(entry.key, stateEntry.integrity_hash);\n this.versionCache.set(\n this.versionKey(namespace, entry.key),\n stateEntry.ver\n );\n } catch {\n // Corrupted entry — skip it\n }\n }\n }\n\n this.contentHashes.set(namespace, hashMap);\n return hashMap;\n }\n\n /**\n * Write encrypted state.\n *\n * @param namespace - Logical grouping\n * @param key - State key\n * @param value - Plaintext value (will be encrypted)\n * @param identityId - Identity performing the write\n * @param encryptedPrivateKey - Identity's encrypted private key (for signing)\n * @param identityEncryptionKey - Key to decrypt the identity's private key\n * @param options - Optional metadata\n */\n async write(\n namespace: string,\n key: string,\n value: string,\n identityId: string,\n encryptedPrivateKey: EncPayload,\n identityEncryptionKey: Uint8Array,\n options: WriteOptions = {}\n ): Promise<WriteResult> {\n const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);\n const plaintext = stringToBytes(value);\n\n // Compute integrity hash of plaintext\n const integrityHash = hashToString(plaintext);\n\n // Encrypt the value\n const payload = encrypt(plaintext, namespaceKey);\n\n // Determine version number (monotonically increasing)\n const vk = this.versionKey(namespace, key);\n const currentVersion = this.versionCache.get(vk) ?? 0;\n const newVersion = currentVersion + 1;\n\n // Sign the ciphertext (non-repudiation)\n const ciphertextBytes = fromBase64url(payload.ct);\n const signature = sign(\n ciphertextBytes,\n encryptedPrivateKey,\n identityEncryptionKey\n );\n\n const now = new Date().toISOString();\n\n // Construct the state entry\n const stateEntry: StateEntry = {\n v: 1,\n payload,\n ver: newVersion,\n sig: toBase64url(signature),\n kid: identityId,\n integrity_hash: integrityHash,\n metadata: {\n content_type: options.content_type,\n ttl_seconds: options.ttl_seconds,\n tags: options.tags,\n written_at: now,\n },\n };\n\n // Serialize and write to storage\n const serialized = stringToBytes(JSON.stringify(stateEntry));\n await this.storage.write(namespace, key, serialized);\n\n // Update caches\n this.versionCache.set(vk, newVersion);\n const nsHashes = await this.getNamespaceHashes(namespace);\n nsHashes.set(key, integrityHash);\n\n // Compute new Merkle root\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n key,\n namespace,\n version: newVersion,\n merkle_root: merkleRoot,\n written_at: now,\n size_bytes: serialized.length,\n integrity_hash: integrityHash,\n };\n }\n\n /**\n * Read and decrypt state.\n *\n * @param namespace - Logical grouping\n * @param key - State key\n * @param signerPublicKey - Expected signer's public key (for signature verification)\n * @param verifyIntegrity - Whether to verify Merkle proof (default: true)\n */\n async read(\n namespace: string,\n key: string,\n signerPublicKey?: Uint8Array,\n verifyIntegrity = true\n ): Promise<ReadResult | null> {\n const raw = await this.storage.read(namespace, key);\n if (!raw) return null;\n\n let stateEntry: StateEntry;\n try {\n stateEntry = JSON.parse(bytesToString(raw));\n } catch {\n throw new Error(`Corrupted state entry: ${namespace}/${key}`);\n }\n\n if (stateEntry.v !== 1) {\n throw new Error(`Unsupported state entry version: ${stateEntry.v}`);\n }\n\n // Anti-rollback check\n const vk = this.versionKey(namespace, key);\n const cachedVersion = this.versionCache.get(vk);\n if (cachedVersion !== undefined && stateEntry.ver < cachedVersion) {\n throw new Error(\n `Rollback detected for ${namespace}/${key}: ` +\n `found version ${stateEntry.ver}, expected >= ${cachedVersion}`\n );\n }\n\n // Verify signature if public key provided\n if (signerPublicKey) {\n const ciphertextBytes = fromBase64url(stateEntry.payload.ct);\n const signatureBytes = fromBase64url(stateEntry.sig);\n const sigValid = verify(ciphertextBytes, signatureBytes, signerPublicKey);\n if (!sigValid) {\n throw new Error(\n `Signature verification failed for ${namespace}/${key}`\n );\n }\n }\n\n // Decrypt\n const namespaceKey = deriveNamespaceKey(this.masterKey, namespace);\n const plaintext = decrypt(stateEntry.payload, namespaceKey);\n const value = bytesToString(plaintext);\n\n // Verify integrity hash\n const computedHash = hashToString(plaintext);\n if (computedHash !== stateEntry.integrity_hash) {\n throw new Error(\n `Integrity hash mismatch for ${namespace}/${key}: ` +\n `computed ${computedHash}, stored ${stateEntry.integrity_hash}`\n );\n }\n\n // Merkle proof verification\n let merkleProofPath: string[] = [];\n let integrityVerified = true;\n\n if (verifyIntegrity) {\n const nsHashes = await this.getNamespaceHashes(namespace);\n const proof = generateMerkleProof(nsHashes, key);\n if (proof) {\n integrityVerified = verifyMerkleProof(proof);\n merkleProofPath = proof.path.map(\n (step) => `${step.position}:${step.hash}`\n );\n }\n }\n\n // Update version cache\n this.versionCache.set(vk, stateEntry.ver);\n\n return {\n key,\n namespace,\n value,\n version: stateEntry.ver,\n integrity_verified: integrityVerified,\n merkle_proof: merkleProofPath,\n written_at: stateEntry.metadata.written_at,\n written_by: stateEntry.kid,\n };\n }\n\n /**\n * List keys in a namespace (metadata only — no decryption).\n */\n async list(\n namespace: string,\n prefix?: string,\n tags?: string[],\n limit = 100,\n offset = 0\n ): Promise<{\n keys: Array<{\n key: string;\n version: number;\n size_bytes: number;\n written_at: string;\n tags: string[];\n }>;\n total: number;\n merkle_root: string;\n }> {\n const storageEntries = await this.storage.list(namespace, prefix);\n const result: Array<{\n key: string;\n version: number;\n size_bytes: number;\n written_at: string;\n tags: string[];\n }> = [];\n\n for (const entry of storageEntries) {\n const raw = await this.storage.read(namespace, entry.key);\n if (!raw) continue;\n\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n\n // Filter by tags if specified\n if (tags && tags.length > 0) {\n const entryTags = stateEntry.metadata.tags ?? [];\n const hasMatchingTag = tags.some((t) => entryTags.includes(t));\n if (!hasMatchingTag) continue;\n }\n\n result.push({\n key: entry.key,\n version: stateEntry.ver,\n size_bytes: entry.size_bytes,\n written_at: stateEntry.metadata.written_at,\n tags: stateEntry.metadata.tags ?? [],\n });\n } catch {\n // Skip corrupted entries\n }\n }\n\n const nsHashes = await this.getNamespaceHashes(namespace);\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n keys: result.slice(offset, offset + limit),\n total: result.length,\n merkle_root: merkleRoot,\n };\n }\n\n /**\n * Securely delete state (overwrite with random bytes before removal).\n */\n async delete(\n namespace: string,\n key: string\n ): Promise<{\n deleted: boolean;\n key: string;\n namespace: string;\n new_merkle_root: string;\n deleted_at: string;\n }> {\n const deleted = await this.storage.delete(namespace, key, true);\n\n // Update caches\n const vk = this.versionKey(namespace, key);\n this.versionCache.delete(vk);\n const nsHashes = await this.getNamespaceHashes(namespace);\n nsHashes.delete(key);\n const merkleRoot = computeMerkleRoot(nsHashes);\n\n return {\n deleted,\n key,\n namespace,\n new_merkle_root: merkleRoot,\n deleted_at: new Date().toISOString(),\n };\n }\n\n /**\n * Export all state for a namespace as an encrypted bundle.\n */\n async export(\n namespace?: string\n ): Promise<{\n bundle: string;\n namespaces: string[];\n total_keys: number;\n bundle_hash: string;\n exported_at: string;\n }> {\n const namespacesToExport: string[] = [];\n\n if (namespace) {\n namespacesToExport.push(namespace);\n } else {\n // Discover all namespaces from the content hash cache\n for (const ns of this.contentHashes.keys()) {\n namespacesToExport.push(ns);\n }\n }\n\n const exportData: Record<\n string,\n Array<{ key: string; entry: StateEntry }>\n > = {};\n let totalKeys = 0;\n\n for (const ns of namespacesToExport) {\n const entries = await this.storage.list(ns);\n exportData[ns] = [];\n\n for (const entry of entries) {\n const raw = await this.storage.read(ns, entry.key);\n if (!raw) continue;\n\n try {\n const stateEntry: StateEntry = JSON.parse(bytesToString(raw));\n exportData[ns]!.push({ key: entry.key, entry: stateEntry });\n totalKeys++;\n } catch {\n // Skip corrupted entries\n }\n }\n }\n\n const bundleJson = JSON.stringify({\n sanctuary_export_version: 1,\n exported_at: new Date().toISOString(),\n namespaces: namespacesToExport,\n data: exportData,\n });\n\n const bundleBytes = stringToBytes(bundleJson);\n const bundleHash = hashToString(bundleBytes);\n\n return {\n bundle: toBase64url(bundleBytes),\n namespaces: namespacesToExport,\n total_keys: totalKeys,\n bundle_hash: bundleHash,\n exported_at: new Date().toISOString(),\n };\n }\n\n /**\n * Import a previously exported state bundle.\n */\n async import(\n bundleBase64: string,\n conflictResolution: \"skip\" | \"overwrite\" | \"version\" = \"skip\",\n publicKeyResolver: (kid: string) => Uint8Array | null\n ): Promise<{\n imported_keys: number;\n skipped_keys: number;\n skipped_invalid_sig: number;\n skipped_unknown_kid: number;\n conflicts: number;\n namespaces: string[];\n imported_at: string;\n }> {\n const bundleBytes = fromBase64url(bundleBase64);\n const bundleJson = bytesToString(bundleBytes);\n const bundle = JSON.parse(bundleJson);\n\n let importedKeys = 0;\n let skippedKeys = 0;\n let skippedInvalidSig = 0;\n let skippedUnknownKid = 0;\n let conflicts = 0;\n const namespaces: string[] = [];\n\n for (const [ns, entries] of Object.entries(\n bundle.data as Record<string, Array<{ key: string; entry: StateEntry }>>\n )) {\n // Namespace firewall: skip reserved namespaces during import\n if (RESERVED_NAMESPACE_PREFIXES.some(\n (prefix) => ns === prefix || ns.startsWith(prefix + \"/\")\n )) {\n skippedKeys += (entries as Array<{ key: string; entry: StateEntry }>).length;\n continue;\n }\n namespaces.push(ns);\n\n for (const { key, entry } of entries) {\n // Signature verification: mandatory for all imported entries\n // Resolve the signing identity\n const signerPublicKey = publicKeyResolver(entry.kid);\n if (!signerPublicKey) {\n skippedUnknownKid++;\n skippedKeys++;\n continue;\n }\n\n // Verify the signature against the ciphertext\n try {\n const ciphertextBytes = fromBase64url(entry.payload.ct);\n const signatureBytes = fromBase64url(entry.sig);\n const sigValid = verify(ciphertextBytes, signatureBytes, signerPublicKey);\n if (!sigValid) {\n skippedInvalidSig++;\n skippedKeys++;\n continue;\n }\n } catch {\n // Malformed signature or ciphertext — reject\n skippedInvalidSig++;\n skippedKeys++;\n continue;\n }\n\n const exists = await this.storage.exists(ns, key);\n\n if (exists) {\n conflicts++;\n if (conflictResolution === \"skip\") {\n skippedKeys++;\n continue;\n }\n if (conflictResolution === \"version\") {\n // Only overwrite if imported version is higher\n const raw = await this.storage.read(ns, key);\n if (raw) {\n try {\n const existingEntry: StateEntry = JSON.parse(\n bytesToString(raw)\n );\n if (entry.ver <= existingEntry.ver) {\n skippedKeys++;\n continue;\n }\n } catch {\n // Corrupted existing entry — overwrite\n }\n }\n }\n // conflictResolution === \"overwrite\" falls through\n }\n\n // Write the entry\n const serialized = stringToBytes(JSON.stringify(entry));\n await this.storage.write(ns, key, serialized);\n importedKeys++;\n\n // Update caches\n const vk = this.versionKey(ns, key);\n this.versionCache.set(vk, entry.ver);\n const nsHashes = await this.getNamespaceHashes(ns);\n nsHashes.set(key, entry.integrity_hash);\n }\n }\n\n return {\n imported_keys: importedKeys,\n skipped_keys: skippedKeys,\n skipped_invalid_sig: skippedInvalidSig,\n skipped_unknown_kid: skippedUnknownKid,\n conflicts,\n namespaces,\n imported_at: new Date().toISOString(),\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Ed25519 Identity Management\n *\n * Sovereign identity based on Ed25519 keypairs.\n * Private keys are always encrypted at rest — never stored in plaintext.\n *\n * Security invariants:\n * - Private keys never appear in any MCP tool response\n * - Private keys are encrypted with identity-specific keys derived from the master key\n * - Key rotation produces a signed rotation event (verifiable chain)\n */\n\nimport { ed25519 } from \"@noble/curves/ed25519\";\nimport { toBase64url } from \"./encoding.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"./encryption.js\";\nimport { hash } from \"./hashing.js\";\nimport { randomBytes } from \"./random.js\";\n\n/** Public identity information (safe to share) */\nexport interface PublicIdentity {\n identity_id: string;\n label: string;\n public_key: string; // base64url\n did: string; // did:key format\n created_at: string;\n key_type: \"ed25519\";\n key_protection: \"passphrase\" | \"hardware-key\" | \"recovery-key\";\n}\n\n/** Stored identity (private key is encrypted) */\nexport interface StoredIdentity extends PublicIdentity {\n encrypted_private_key: EncryptedPayload;\n /** Previous public keys (for rotation chain verification) */\n rotation_history: Array<{\n old_public_key: string;\n new_public_key: string;\n rotation_event: string; // base64url signed event\n rotated_at: string;\n }>;\n}\n\n/** Signed rotation event */\nexport interface RotationEvent {\n old_public_key: string;\n new_public_key: string;\n identity_id: string;\n reason: string;\n rotated_at: string;\n /** Signature over the event by the OLD key (proves the holder authorized rotation) */\n signature: string;\n}\n\n/**\n * Generate a new Ed25519 keypair.\n * Returns both the public identity info and the raw private key (for immediate encryption).\n */\nexport function generateKeypair(): {\n publicKey: Uint8Array;\n privateKey: Uint8Array;\n} {\n const privateKey = randomBytes(32);\n const publicKey = ed25519.getPublicKey(privateKey);\n return { publicKey, privateKey };\n}\n\n/**\n * Create a DID from an Ed25519 public key.\n * Uses the did:key method with the Ed25519 multicodec prefix (0xed01).\n */\nexport function publicKeyToDid(publicKey: Uint8Array): string {\n // Multicodec prefix for Ed25519: 0xed 0x01\n const multicodec = new Uint8Array([0xed, 0x01, ...publicKey]);\n // did:key uses base58btc multibase encoding, but for simplicity\n // we use the base64url representation which is equally valid\n // in the broader DID ecosystem\n return `did:key:z${toBase64url(multicodec)}`;\n}\n\n/**\n * Generate a unique identity ID.\n * Derived from the public key hash for deterministic mapping.\n */\nexport function generateIdentityId(publicKey: Uint8Array): string {\n const keyHash = hash(publicKey);\n // First 16 bytes of SHA-256(pubkey) as hex — short, unique, deterministic\n return Array.from(keyHash.slice(0, 16))\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Create a new identity with encrypted private key storage.\n *\n * @param label - Human-readable label\n * @param encryptionKey - Key to encrypt the private key with (from master key derivation)\n * @param keyProtection - How the master key is protected\n * @returns Public identity info and the stored identity (for persistence)\n */\nexport function createIdentity(\n label: string,\n encryptionKey: Uint8Array,\n keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\"\n): { publicIdentity: PublicIdentity; storedIdentity: StoredIdentity } {\n const { publicKey, privateKey } = generateKeypair();\n const identityId = generateIdentityId(publicKey);\n const did = publicKeyToDid(publicKey);\n const now = new Date().toISOString();\n\n // Encrypt the private key for storage\n const encryptedPrivateKey = encrypt(privateKey, encryptionKey);\n\n // Zero out the raw private key in memory\n privateKey.fill(0);\n\n const publicIdentity: PublicIdentity = {\n identity_id: identityId,\n label,\n public_key: toBase64url(publicKey),\n did,\n created_at: now,\n key_type: \"ed25519\",\n key_protection: keyProtection,\n };\n\n const storedIdentity: StoredIdentity = {\n ...publicIdentity,\n encrypted_private_key: encryptedPrivateKey,\n rotation_history: [],\n };\n\n return { publicIdentity, storedIdentity };\n}\n\n/**\n * Sign data with an identity's private key.\n *\n * @param payload - Data to sign (bytes)\n * @param encryptedPrivateKey - The encrypted private key from storage\n * @param encryptionKey - Key to decrypt the private key\n * @returns Ed25519 signature\n */\nexport function sign(\n payload: Uint8Array,\n encryptedPrivateKey: EncryptedPayload,\n encryptionKey: Uint8Array\n): Uint8Array {\n // Decrypt the private key\n const privateKey = decrypt(encryptedPrivateKey, encryptionKey);\n\n try {\n return ed25519.sign(payload, privateKey);\n } finally {\n // Zero out the private key from memory\n privateKey.fill(0);\n }\n}\n\n/**\n * Verify an Ed25519 signature.\n *\n * @param payload - Original data that was signed\n * @param signature - The signature to verify\n * @param publicKey - The signer's public key\n * @returns true if signature is valid\n */\nexport function verify(\n payload: Uint8Array,\n signature: Uint8Array,\n publicKey: Uint8Array\n): boolean {\n try {\n return ed25519.verify(signature, payload, publicKey);\n } catch {\n return false;\n }\n}\n\n/**\n * Rotate an identity's keys.\n * Generates a new keypair, signs a rotation event with the old key,\n * and returns the updated stored identity.\n *\n * @param storedIdentity - Current stored identity\n * @param encryptionKey - Key to decrypt/re-encrypt private keys\n * @param reason - Reason for rotation (audit trail)\n * @returns Updated stored identity with new keys and rotation history\n */\nexport function rotateKeys(\n storedIdentity: StoredIdentity,\n encryptionKey: Uint8Array,\n reason: string\n): { updatedIdentity: StoredIdentity; rotationEvent: RotationEvent } {\n const { publicKey: newPublicKey, privateKey: newPrivateKey } =\n generateKeypair();\n const newIdentityDid = publicKeyToDid(newPublicKey);\n const now = new Date().toISOString();\n\n // Create rotation event\n const eventData = JSON.stringify({\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n identity_id: storedIdentity.identity_id,\n reason,\n rotated_at: now,\n });\n\n // Sign the rotation event with the OLD key (proves authorization)\n const eventBytes = new TextEncoder().encode(eventData);\n const signature = sign(\n eventBytes,\n storedIdentity.encrypted_private_key,\n encryptionKey\n );\n\n const rotationEvent: RotationEvent = {\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n identity_id: storedIdentity.identity_id,\n reason,\n rotated_at: now,\n signature: toBase64url(signature),\n };\n\n // Encrypt the new private key\n const encryptedNewPrivateKey = encrypt(newPrivateKey, encryptionKey);\n newPrivateKey.fill(0);\n\n const updatedIdentity: StoredIdentity = {\n ...storedIdentity,\n public_key: toBase64url(newPublicKey),\n did: newIdentityDid,\n encrypted_private_key: encryptedNewPrivateKey,\n rotation_history: [\n ...storedIdentity.rotation_history,\n {\n old_public_key: storedIdentity.public_key,\n new_public_key: toBase64url(newPublicKey),\n rotation_event: toBase64url(\n new TextEncoder().encode(JSON.stringify(rotationEvent))\n ),\n rotated_at: now,\n },\n ],\n };\n\n return { updatedIdentity, rotationEvent };\n}\n","/**\n * Sanctuary MCP Server — Key Derivation\n *\n * Two-tier key derivation:\n * 1. Master key from passphrase via Argon2id (memory-hard, GPU-resistant)\n * 2. Namespace keys from master key via HKDF-SHA256\n *\n * This ensures:\n * - Passphrase brute-force is expensive (Argon2id)\n * - Compromise of one namespace key doesn't expose others (HKDF domain separation)\n */\n\nimport { argon2id } from \"hash-wasm\";\nimport { hkdf } from \"@noble/hashes/hkdf\";\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { generateSalt } from \"./random.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"./encoding.js\";\n\n/** Argon2id parameters per OWASP recommendation (2024) */\nconst ARGON2_MEMORY_COST = 65536; // 64 MiB\nconst ARGON2_TIME_COST = 3; // 3 iterations\nconst ARGON2_PARALLELISM = 4; // 4 lanes\nconst ARGON2_HASH_LENGTH = 32; // 256-bit output\n\n/** Stored key derivation parameters (for re-deriving the master key) */\nexport interface KeyDerivationParams {\n /** Algorithm */\n alg: \"argon2id\";\n /** Salt (base64url) */\n salt: string;\n /** Memory cost in KiB */\n m: number;\n /** Time cost (iterations) */\n t: number;\n /** Parallelism */\n p: number;\n /** Output length in bytes */\n l: number;\n}\n\n/**\n * Derive a master key from a passphrase using Argon2id.\n *\n * @param passphrase - User's passphrase\n * @param existingParams - If re-deriving, use the stored params (same salt)\n * @returns The derived key and the parameters used (store the params, never the key)\n */\nexport async function deriveMasterKey(\n passphrase: string,\n existingParams?: KeyDerivationParams\n): Promise<{ key: Uint8Array; params: KeyDerivationParams }> {\n const salt = existingParams\n ? fromBase64url(existingParams.salt)\n : generateSalt();\n\n const params: KeyDerivationParams = existingParams ?? {\n alg: \"argon2id\",\n salt: toBase64url(salt),\n m: ARGON2_MEMORY_COST,\n t: ARGON2_TIME_COST,\n p: ARGON2_PARALLELISM,\n l: ARGON2_HASH_LENGTH,\n };\n\n const hashHex = await argon2id({\n password: passphrase,\n salt,\n parallelism: params.p,\n iterations: params.t,\n memorySize: params.m,\n hashLength: params.l,\n outputType: \"hex\",\n });\n\n // Convert hex to bytes\n const key = new Uint8Array(params.l);\n for (let i = 0; i < params.l; i++) {\n key[i] = parseInt(hashHex.substring(i * 2, i * 2 + 2), 16);\n }\n\n return { key, params };\n}\n\n/**\n * Derive a namespace-specific encryption key from the master key via HKDF-SHA256.\n *\n * Each namespace gets its own 256-bit key derived from the master key.\n * Compromise of one namespace key does not expose other namespaces.\n *\n * @param masterKey - The master key (from Argon2id or recovery key)\n * @param namespace - The namespace name (used as HKDF info)\n * @returns 256-bit namespace key\n */\nexport function deriveNamespaceKey(\n masterKey: Uint8Array,\n namespace: string\n): Uint8Array {\n if (masterKey.length !== 32) {\n throw new Error(\"Master key must be 32 bytes\");\n }\n\n return hkdf(\n sha256,\n masterKey,\n stringToBytes(\"sanctuary-namespace-v1\"), // salt (fixed, acts as domain separator)\n stringToBytes(namespace), // info (namespace name)\n 32 // output length: 256 bits\n );\n}\n\n/**\n * Derive a key for a specific purpose from the master key.\n * Used for identity key encryption, audit log encryption, etc.\n *\n * @param masterKey - The master key\n * @param purpose - Purpose string (e.g., \"identity-encryption\", \"audit-log\")\n * @returns 256-bit purpose-specific key\n */\nexport function derivePurposeKey(\n masterKey: Uint8Array,\n purpose: string\n): Uint8Array {\n if (masterKey.length !== 32) {\n throw new Error(\"Master key must be 32 bytes\");\n }\n\n return hkdf(\n sha256,\n masterKey,\n stringToBytes(\"sanctuary-purpose-v1\"),\n stringToBytes(purpose),\n 32\n );\n}\n","/**\n * Sanctuary MCP Server — Tool Router\n *\n * Routes sanctuary/* tool calls to their layer-specific handlers.\n * Every tool call passes through schema validation and the ApprovalGate\n * (if configured) before execution. Neither can be bypassed.\n *\n * This module is the abstraction boundary for MCP SDK version migration —\n * if the SDK API changes, only this module needs updating.\n */\n\nimport { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\nimport {\n CallToolRequestSchema,\n ListToolsRequestSchema,\n} from \"@modelcontextprotocol/sdk/types.js\";\nimport { createRequire } from \"node:module\";\nimport type { ApprovalGate } from \"./principal-policy/gate.js\";\n\nconst require = createRequire(import.meta.url);\nconst { version: PKG_VERSION } = require(\"../package.json\");\n\n/** Tool handler function signature */\nexport type ToolHandler = (\n args: Record<string, unknown>\n) => Promise<{ content: Array<{ type: \"text\"; text: string }> }>;\n\n/** Tool definition for registration */\nexport interface ToolDefinition {\n name: string;\n description: string;\n inputSchema: Record<string, unknown>;\n handler: ToolHandler;\n}\n\n/** Options for server creation */\nexport interface ServerOptions {\n /** Approval gate — if provided, every tool call is evaluated before execution */\n gate?: ApprovalGate;\n}\n\n// ── Schema Validation ──────────────────────────────────────────────────\n// Lightweight JSON Schema validation for tool arguments.\n// Enforces: required fields, type checks, unknown field rejection,\n// and size caps on string arguments (defense against DoS via oversized payloads).\n\n/** Maximum byte length for any single string argument (1 MB) */\nconst MAX_STRING_BYTES = 1_048_576;\n\n/** Maximum byte length for base64 bundle arguments (5 MB) */\nconst MAX_BUNDLE_BYTES = 5_242_880;\n\n/** Fields known to carry base64 bundles — get the larger size cap */\nconst BUNDLE_FIELDS = new Set([\"bundle\"]);\n\ninterface SchemaProperty {\n type?: string;\n properties?: Record<string, SchemaProperty>;\n required?: string[];\n items?: SchemaProperty;\n enum?: unknown[];\n default?: unknown;\n}\n\ninterface ValidationError {\n field: string;\n message: string;\n}\n\n/**\n * Validate tool arguments against the tool's declared inputSchema.\n * Returns an array of validation errors (empty = valid).\n */\nfunction validateArgs(\n args: Record<string, unknown>,\n schema: Record<string, unknown>\n): ValidationError[] {\n const errors: ValidationError[] = [];\n const properties = (schema.properties ?? {}) as Record<string, SchemaProperty>;\n const required = (schema.required ?? []) as string[];\n\n // Check required fields\n for (const field of required) {\n if (args[field] === undefined || args[field] === null) {\n errors.push({ field, message: `Required field \"${field}\" is missing` });\n }\n }\n\n // Check for unknown fields (reject extra fields not in schema)\n const knownFields = new Set(Object.keys(properties));\n for (const field of Object.keys(args)) {\n if (!knownFields.has(field)) {\n errors.push({ field, message: `Unknown field \"${field}\"` });\n }\n }\n\n // Type-check and size-check each provided field\n for (const [field, value] of Object.entries(args)) {\n if (value === undefined || value === null) continue;\n const propSchema = properties[field];\n if (!propSchema) continue; // Already flagged as unknown above\n\n const typeError = checkType(field, value, propSchema);\n if (typeError) {\n errors.push(typeError);\n continue;\n }\n\n // String size caps\n if (typeof value === \"string\") {\n const maxBytes = BUNDLE_FIELDS.has(field) ? MAX_BUNDLE_BYTES : MAX_STRING_BYTES;\n // Use byte length, not string length, for accurate size checking\n const byteLength = new TextEncoder().encode(value).length;\n if (byteLength > maxBytes) {\n errors.push({\n field,\n message: `Field \"${field}\" exceeds maximum size (${byteLength} bytes > ${maxBytes} bytes)`,\n });\n }\n }\n\n // Enum validation\n if (propSchema.enum && !propSchema.enum.includes(value)) {\n errors.push({\n field,\n message: `Field \"${field}\" must be one of: ${propSchema.enum.join(\", \")}`,\n });\n }\n }\n\n return errors;\n}\n\n/**\n * Check whether a value matches the declared JSON Schema type.\n */\nfunction checkType(\n field: string,\n value: unknown,\n schema: SchemaProperty\n): ValidationError | null {\n if (!schema.type) return null;\n\n switch (schema.type) {\n case \"string\":\n if (typeof value !== \"string\") {\n return { field, message: `Expected string for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"number\":\n if (typeof value !== \"number\") {\n return { field, message: `Expected number for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"boolean\":\n if (typeof value !== \"boolean\") {\n return { field, message: `Expected boolean for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"object\":\n if (typeof value !== \"object\" || Array.isArray(value)) {\n return { field, message: `Expected object for \"${field}\", got ${typeof value}` };\n }\n break;\n case \"array\":\n if (!Array.isArray(value)) {\n return { field, message: `Expected array for \"${field}\", got ${typeof value}` };\n }\n break;\n }\n return null;\n}\n\n/**\n * Create the MCP server with all Sanctuary tools registered.\n * If an ApprovalGate is provided, it wraps every tool call.\n */\nexport function createServer(\n tools: ToolDefinition[],\n options?: ServerOptions\n): Server {\n const gate = options?.gate;\n\n const server = new Server(\n {\n name: \"sanctuary-mcp-server\",\n version: PKG_VERSION,\n },\n {\n capabilities: {\n tools: {},\n },\n }\n );\n\n // Register tool listing\n server.setRequestHandler(ListToolsRequestSchema, async () => {\n return {\n tools: tools.map((t) => ({\n name: t.name,\n description: t.description,\n inputSchema: t.inputSchema,\n })),\n };\n });\n\n // Register tool execution — validation + gate sit between router and handler\n server.setRequestHandler(CallToolRequestSchema, async (request) => {\n const { name, arguments: args } = request.params;\n const typedArgs = (args ?? {}) as Record<string, unknown>;\n\n const tool = tools.find((t) => t.name === name);\n if (!tool) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({ error: `Unknown tool: ${name}` }),\n },\n ],\n isError: true,\n };\n }\n\n // ── Schema Validation ────────────────────────────────────────────\n // Validate arguments against the tool's declared inputSchema.\n // This runs BEFORE the gate so that the gate sees normalized args.\n const validationErrors = validateArgs(typedArgs, tool.inputSchema);\n if (validationErrors.length > 0) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n error: \"validation_failed\",\n message: \"Tool arguments failed schema validation\",\n violations: validationErrors,\n }),\n },\n ],\n isError: true,\n };\n }\n\n // ── Approval Gate ──────────────────────────────────────────────\n // If a gate is configured, every tool call must pass through it.\n // Denied calls return a generic error that does not reveal policy.\n if (gate) {\n const result = await gate.evaluate(name, typedArgs);\n if (!result.allowed) {\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n error: \"Operation not permitted\",\n approval_required: result.approval_required,\n }),\n },\n ],\n isError: true,\n };\n }\n }\n\n try {\n return await tool.handler(typedArgs);\n } catch (err) {\n const message =\n err instanceof Error ? err.message : \"Unknown error\";\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({ error: message }),\n },\n ],\n isError: true,\n };\n }\n });\n\n return server;\n}\n\n/**\n * Helper to create a successful tool response.\n */\nexport function toolResult(\n data: object\n): { content: Array<{ type: \"text\"; text: string }> } {\n return {\n content: [{ type: \"text\" as const, text: JSON.stringify(data, null, 2) }],\n };\n}\n","/**\n * Sanctuary MCP Server — L1 Cognitive Sovereignty: Tool Definitions\n *\n * MCP tool wrappers for StateStore and IdentityRoot operations.\n * These tools are the public API that agents interact with.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { StateStore } from \"./state-store.js\";\nimport {\n createIdentity,\n rotateKeys,\n sign as identitySign,\n verify as identityVerify,\n type StoredIdentity,\n type PublicIdentity,\n} from \"../core/identity.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport {\n toBase64url,\n fromBase64url,\n stringToBytes,\n} from \"../core/encoding.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt } from \"../core/encryption.js\";\nimport { bytesToString } from \"../core/encoding.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\n/**\n * Reserved namespace prefixes — used by internal subsystems.\n * Agent-facing state tools MUST reject reads, writes, deletes, lists, and\n * imports to these namespaces. Internal subsystems access the StateStore\n * directly, bypassing these tool-level checks.\n */\nconst RESERVED_NAMESPACE_PREFIXES = [\n \"_identities\",\n \"_policies\",\n \"_audit\",\n \"_meta\",\n \"_principal\",\n \"_commitments\",\n \"_reputation\",\n \"_escrow\",\n \"_guarantees\",\n \"_bridge\",\n \"_federation\",\n \"_handshake\",\n \"_shr\",\n] as const;\n\n/**\n * Check whether a namespace is reserved for internal use.\n * Returns the matching reserved prefix, or null if the namespace is safe.\n */\nfunction getReservedNamespaceViolation(namespace: string): string | null {\n for (const prefix of RESERVED_NAMESPACE_PREFIXES) {\n if (namespace === prefix || namespace.startsWith(prefix + \"/\")) {\n return prefix;\n }\n }\n return null;\n}\n\n/** Manages all identities — provides storage and retrieval */\nexport class IdentityManager {\n private storage: StorageBackend;\n private masterKey: Uint8Array;\n private identities = new Map<string, StoredIdentity>();\n private primaryIdentityId: string | null = null;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.masterKey = masterKey;\n }\n\n private get encryptionKey(): Uint8Array {\n return derivePurposeKey(this.masterKey, \"identity-encryption\");\n }\n\n /** Load identities from storage on startup */\n async load(): Promise<void> {\n const entries = await this.storage.list(\"_identities\");\n for (const entry of entries) {\n const raw = await this.storage.read(\"_identities\", entry.key);\n if (!raw) continue;\n try {\n const encrypted = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const identity: StoredIdentity = JSON.parse(bytesToString(decrypted));\n this.identities.set(identity.identity_id, identity);\n if (!this.primaryIdentityId) {\n this.primaryIdentityId = identity.identity_id;\n }\n } catch {\n // Skip corrupted identities\n }\n }\n }\n\n /** Save an identity to storage */\n async save(identity: StoredIdentity): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(identity));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_identities\",\n identity.identity_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n this.identities.set(identity.identity_id, identity);\n if (!this.primaryIdentityId) {\n this.primaryIdentityId = identity.identity_id;\n }\n }\n\n get(id: string): StoredIdentity | undefined {\n return this.identities.get(id);\n }\n\n getDefault(): StoredIdentity | undefined {\n if (!this.primaryIdentityId) return undefined;\n return this.identities.get(this.primaryIdentityId);\n }\n\n list(): PublicIdentity[] {\n return Array.from(this.identities.values()).map((si) => ({\n identity_id: si.identity_id,\n label: si.label,\n public_key: si.public_key,\n did: si.did,\n created_at: si.created_at,\n key_type: si.key_type,\n key_protection: si.key_protection,\n }));\n }\n}\n\n/**\n * Create all L1 tool definitions.\n */\nexport function createL1Tools(\n stateStore: StateStore,\n storage: StorageBackend,\n masterKey: Uint8Array,\n keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\",\n auditLog?: AuditLog\n): { tools: ToolDefinition[]; identityManager: IdentityManager } {\n const identityMgr = new IdentityManager(storage, masterKey);\n const identityEncKey = derivePurposeKey(masterKey, \"identity-encryption\");\n\n // Helper to get identity or throw\n function resolveIdentity(identityId?: string): StoredIdentity {\n const id = identityId\n ? identityMgr.get(identityId)\n : identityMgr.getDefault();\n if (!id) {\n throw new Error(\n identityId\n ? `Identity not found: ${identityId}`\n : \"No default identity. Create one with sanctuary/identity_create.\"\n );\n }\n return id;\n }\n\n const tools: ToolDefinition[] = [\n // ── Identity Tools ──────────────────────────────────────────────────\n\n {\n name: \"sanctuary/identity_create\",\n description:\n \"Create a new sovereign identity (Ed25519 keypair). \" +\n \"The private key is encrypted and never exposed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n label: {\n type: \"string\",\n description: 'Human-readable label (e.g., \"my-agent\")',\n },\n },\n required: [\"label\"],\n },\n handler: async (args) => {\n const label = args.label as string;\n const { publicIdentity, storedIdentity } = createIdentity(\n label,\n identityEncKey,\n keyProtection\n );\n await identityMgr.save(storedIdentity);\n\n auditLog?.append(\"l1\", \"identity_create\", publicIdentity.identity_id, {\n label,\n });\n\n // If key_protection is \"none\", generate and show recovery key\n // (In practice, the recovery key is the master key itself,\n // which was generated at server init and shown once)\n return toolResult({\n identity_id: publicIdentity.identity_id,\n public_key: publicIdentity.public_key,\n did: publicIdentity.did,\n created_at: publicIdentity.created_at,\n key_type: publicIdentity.key_type,\n key_protection: publicIdentity.key_protection,\n backed_up: false,\n });\n },\n },\n\n {\n name: \"sanctuary/identity_list\",\n description: \"List all managed sovereign identities.\",\n inputSchema: {\n type: \"object\",\n properties: {\n filter: {\n type: \"object\",\n properties: {\n label: { type: \"string\" },\n },\n },\n },\n },\n handler: async (args) => {\n let identities = identityMgr.list();\n const filter = args.filter as { label?: string } | undefined;\n if (filter?.label) {\n identities = identities.filter((i) =>\n i.label.includes(filter.label!)\n );\n }\n return toolResult({ identities });\n },\n },\n\n {\n name: \"sanctuary/identity_sign\",\n description:\n \"Sign data with a managed identity. \" +\n \"The private key is decrypted in memory only during signing.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: { type: \"string\" },\n payload: {\n type: \"string\",\n description: \"Base64url-encoded data to sign\",\n },\n },\n required: [\"payload\"],\n },\n handler: async (args) => {\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const payloadStr = args.payload as string;\n\n // Accept either base64url-encoded bytes or plain text\n let payload: Uint8Array;\n try {\n payload = fromBase64url(payloadStr);\n } catch {\n payload = stringToBytes(payloadStr);\n }\n\n const signature = identitySign(\n payload,\n identity.encrypted_private_key,\n identityEncKey\n );\n\n auditLog?.append(\"l1\", \"identity_sign\", identity.identity_id);\n\n return toolResult({\n signature: toBase64url(signature),\n algorithm: \"Ed25519\",\n signed_at: new Date().toISOString(),\n public_key: identity.public_key,\n payload_encoding: \"base64url\",\n });\n },\n },\n\n {\n name: \"sanctuary/identity_verify\",\n description:\n \"Verify an Ed25519 signature. Provide either identity_id or public_key.\",\n inputSchema: {\n type: \"object\",\n properties: {\n payload: {\n type: \"string\",\n description: \"Original data (plain text or base64url-encoded)\",\n },\n signature: { type: \"string\", description: \"Base64url signature\" },\n identity_id: {\n type: \"string\",\n description: \"Identity ID to look up public key (alternative to public_key)\",\n },\n public_key: {\n type: \"string\",\n description: \"Base64url public key (alternative to identity_id)\",\n },\n },\n required: [\"payload\", \"signature\"],\n },\n handler: async (args) => {\n const payloadStr = args.payload as string;\n\n // Accept either base64url-encoded bytes or plain text\n let payload: Uint8Array;\n try {\n payload = fromBase64url(payloadStr);\n } catch {\n payload = stringToBytes(payloadStr);\n }\n\n const signature = fromBase64url(args.signature as string);\n\n // Resolve public key from identity_id or direct public_key param\n let publicKey: Uint8Array;\n if (args.identity_id) {\n const identity = resolveIdentity(args.identity_id as string);\n publicKey = fromBase64url(identity.public_key);\n } else if (args.public_key) {\n publicKey = fromBase64url(args.public_key as string);\n } else {\n return toolResult({\n error: \"Provide either identity_id or public_key for verification.\",\n });\n }\n\n const valid = identityVerify(payload, signature, publicKey);\n\n return toolResult({\n valid,\n verified_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/identity_rotate\",\n description:\n \"Rotate keys for an identity. Generates a new keypair and \" +\n \"signs a rotation event with the old key for verifiable chain.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: { type: \"string\" },\n reason: { type: \"string\" },\n },\n required: [\"identity_id\"],\n },\n handler: async (args) => {\n const identity = resolveIdentity(args.identity_id as string);\n const reason = (args.reason as string) ?? \"Key rotation\";\n\n const { updatedIdentity, rotationEvent } = rotateKeys(\n identity,\n identityEncKey,\n reason\n );\n await identityMgr.save(updatedIdentity);\n\n auditLog?.append(\"l1\", \"identity_rotate\", identity.identity_id, {\n reason,\n });\n\n return toolResult({\n identity_id: updatedIdentity.identity_id,\n old_public_key: rotationEvent.old_public_key,\n new_public_key: rotationEvent.new_public_key,\n new_did: updatedIdentity.did,\n rotated_at: rotationEvent.rotated_at,\n });\n },\n },\n\n // ── State Tools ─────────────────────────────────────────────────────\n\n {\n name: \"sanctuary/state_write\",\n description:\n \"Write encrypted state to the sovereign store. \" +\n \"Value is encrypted with a namespace-specific key. \" +\n \"The write is signed by the active identity.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: {\n type: \"string\",\n description: 'Logical grouping (e.g., \"memory\", \"config\")',\n },\n key: { type: \"string\", description: \"State key within namespace\" },\n value: {\n type: \"string\",\n description: \"Plaintext value (encrypted before storage)\",\n },\n metadata: {\n type: \"object\",\n properties: {\n content_type: { type: \"string\" },\n ttl_seconds: { type: \"number\" },\n tags: { type: \"array\", items: { type: \"string\" } },\n },\n },\n identity_id: { type: \"string\" },\n },\n required: [\"namespace\", \"key\", \"value\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject writes to reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Choose a different namespace.`,\n });\n }\n\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const metadata = args.metadata as {\n content_type?: string;\n ttl_seconds?: number;\n tags?: string[];\n } | undefined;\n\n const result = await stateStore.write(\n args.namespace as string,\n args.key as string,\n args.value as string,\n identity.identity_id,\n identity.encrypted_private_key,\n identityEncKey,\n {\n content_type: metadata?.content_type,\n ttl_seconds: metadata?.ttl_seconds,\n tags: metadata?.tags,\n }\n );\n\n auditLog?.append(\"l1\", \"state_write\", identity.identity_id, {\n namespace: args.namespace,\n key: args.key,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_read\",\n description:\n \"Read and decrypt state from the sovereign store. \" +\n \"Verifies integrity via Merkle proof and signature.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n key: { type: \"string\" },\n verify_integrity: { type: \"boolean\", default: true },\n },\n required: [\"namespace\", \"key\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject reads from reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Cannot read from reserved namespaces.`,\n });\n }\n\n const result = await stateStore.read(\n args.namespace as string,\n args.key as string,\n undefined, // Skip signature verification for now (would need writer's pubkey)\n args.verify_integrity as boolean ?? true\n );\n\n if (!result) {\n return toolResult({\n error: \"not_found\",\n namespace: args.namespace,\n key: args.key,\n });\n }\n\n auditLog?.append(\"l1\", \"state_read\", result.written_by, {\n namespace: args.namespace,\n key: args.key,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_list\",\n description:\n \"List keys in a namespace (metadata only — no decryption).\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n prefix: { type: \"string\" },\n tags: { type: \"array\", items: { type: \"string\" } },\n limit: { type: \"number\", default: 100 },\n offset: { type: \"number\", default: 0 },\n },\n required: [\"namespace\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject listing of reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Cannot list reserved namespaces.`,\n });\n }\n\n const result = await stateStore.list(\n args.namespace as string,\n args.prefix as string | undefined,\n args.tags as string[] | undefined,\n (args.limit as number) ?? 100,\n (args.offset as number) ?? 0\n );\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_delete\",\n description:\n \"Securely delete state. Overwrites file with random bytes \" +\n \"before removal (right to deletion, S1.6).\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n key: { type: \"string\" },\n reason: { type: \"string\" },\n },\n required: [\"namespace\", \"key\"],\n },\n handler: async (args) => {\n // Namespace firewall: reject deletes from reserved internal namespaces\n const reservedViolation = getReservedNamespaceViolation(args.namespace as string);\n if (reservedViolation) {\n return toolResult({\n error: \"namespace_reserved\",\n message: `Namespace \"${args.namespace}\" is reserved for internal use (prefix: ${reservedViolation}). Cannot delete from reserved namespaces.`,\n });\n }\n\n const result = await stateStore.delete(\n args.namespace as string,\n args.key as string\n );\n\n auditLog?.append(\"l1\", \"state_delete\", \"principal\", {\n namespace: args.namespace,\n key: args.key,\n reason: args.reason,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_export\",\n description:\n \"Export state as an encrypted, portable bundle for migration.\",\n inputSchema: {\n type: \"object\",\n properties: {\n namespace: { type: \"string\" },\n format: { type: \"string\", default: \"sanctuary-v1\" },\n },\n },\n handler: async (args) => {\n const result = await stateStore.export(\n args.namespace as string | undefined\n );\n\n auditLog?.append(\"l1\", \"state_export\", \"principal\", {\n namespaces: result.namespaces,\n });\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/state_import\",\n description: \"Import a previously exported state bundle.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bundle: { type: \"string\", description: \"Base64url-encoded bundle\" },\n conflict_resolution: {\n type: \"string\",\n enum: [\"skip\", \"overwrite\", \"version\"],\n default: \"skip\",\n },\n },\n required: [\"bundle\"],\n },\n handler: async (args) => {\n // Wire public key resolver for signature verification (SEC-005)\n const publicKeyResolver = (kid: string): Uint8Array | null => {\n const identity = identityMgr.get(kid);\n if (!identity) return null;\n return fromBase64url(identity.public_key);\n };\n\n const result = await stateStore.import(\n args.bundle as string,\n (args.conflict_resolution as \"skip\" | \"overwrite\" | \"version\") ??\n \"skip\",\n publicKeyResolver\n );\n\n auditLog?.append(\"l1\", \"state_import\", \"principal\", {\n imported_keys: result.imported_keys,\n });\n\n return toolResult(result);\n },\n },\n ];\n\n return { tools, identityManager: identityMgr };\n}\n","/**\n * Sanctuary MCP Server — L2 Operational Isolation: Audit Log\n *\n * Append-only log of all sovereignty-relevant operations.\n * Stored encrypted under L1 sovereignty.\n *\n * Every tool invocation that modifies state, generates proofs,\n * or records reputation produces an audit entry. The human principal\n * can inspect what their agent has done.\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString } from \"../core/encoding.js\";\n\nexport interface AuditEntry {\n timestamp: string;\n layer: \"l1\" | \"l2\" | \"l3\" | \"l4\";\n operation: string;\n identity_id: string;\n result: \"success\" | \"failure\";\n details?: Record<string, unknown>;\n}\n\nexport class AuditLog {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private entries: AuditEntry[] = [];\n private counter = 0;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"audit-log\");\n }\n\n /**\n * Append an audit entry.\n */\n append(\n layer: AuditEntry[\"layer\"],\n operation: string,\n identityId: string,\n details?: Record<string, unknown>,\n result: \"success\" | \"failure\" = \"success\"\n ): void {\n const entry: AuditEntry = {\n timestamp: new Date().toISOString(),\n layer,\n operation,\n identity_id: identityId,\n result,\n details,\n };\n\n this.entries.push(entry);\n\n // Async persist (fire-and-forget for performance; entries are also in memory)\n this.persistEntry(entry).catch(() => {\n // Persistence failure is logged but doesn't block the operation\n });\n }\n\n private async persistEntry(entry: AuditEntry): Promise<void> {\n const key = `${Date.now()}-${this.counter++}`;\n const serialized = stringToBytes(JSON.stringify(entry));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_audit\",\n key,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n /**\n * Query the audit log with filtering.\n */\n async query(options: {\n since?: string;\n layer?: AuditEntry[\"layer\"];\n operation_type?: string;\n limit?: number;\n }): Promise<{ entries: AuditEntry[]; total: number }> {\n // First, try to load persisted entries we don't have in memory\n await this.loadPersistedEntries();\n\n let filtered = this.entries;\n\n if (options.since) {\n const sinceDate = new Date(options.since);\n filtered = filtered.filter(\n (e) => new Date(e.timestamp) >= sinceDate\n );\n }\n if (options.layer) {\n filtered = filtered.filter((e) => e.layer === options.layer);\n }\n if (options.operation_type) {\n filtered = filtered.filter(\n (e) => e.operation === options.operation_type\n );\n }\n\n const total = filtered.length;\n const limit = options.limit ?? 50;\n const entries = filtered.slice(-limit); // Most recent entries\n\n return { entries, total };\n }\n\n private async loadPersistedEntries(): Promise<void> {\n try {\n const storedEntries = await this.storage.list(\"_audit\");\n for (const meta of storedEntries) {\n const raw = await this.storage.read(\"_audit\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const entry: AuditEntry = JSON.parse(bytesToString(decrypted));\n\n // Deduplicate (check if we already have this timestamp+operation)\n const isDuplicate = this.entries.some(\n (e) =>\n e.timestamp === entry.timestamp &&\n e.operation === entry.operation &&\n e.identity_id === entry.identity_id\n );\n if (!isDuplicate) {\n this.entries.push(entry);\n }\n } catch {\n // Skip corrupted entries\n }\n }\n\n // Sort by timestamp\n this.entries.sort(\n (a, b) =>\n new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()\n );\n } catch {\n // Storage not available yet — that's fine\n }\n }\n\n /**\n * Get total number of entries.\n */\n get size(): number {\n return this.entries.length;\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Commitment Schemes\n *\n * Cryptographic commitments allow an agent to commit to a value\n * without revealing it, then later prove what was committed.\n *\n * This is the MVS approach to selective disclosure — simpler than\n * full ZK proofs but still cryptographically sound. The commitment\n * is SHA-256(value || blinding_factor), which is:\n * - Hiding: the commitment reveals nothing about the value\n * - Binding: the committer cannot change the value after committing\n *\n * Security invariants:\n * - Blinding factors are cryptographically random (32 bytes)\n * - Commitments are stored encrypted under L1 sovereignty\n * - Revealed values are verified via constant-time comparison\n */\n\nimport { hash } from \"../core/hashing.js\";\nimport { toBase64url, fromBase64url, stringToBytes, concatBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { bytesToString } from \"../core/encoding.js\";\n\n/** A cryptographic commitment */\nexport interface Commitment {\n /** The commitment hash: SHA-256(value || blinding_factor) as base64url */\n commitment: string;\n /** The blinding factor (must be stored securely for later reveal) */\n blinding_factor: string;\n /** When the commitment was created */\n committed_at: string;\n}\n\n/** Stored commitment metadata (encrypted at rest) */\nexport interface StoredCommitment {\n commitment: string;\n blinding_factor: string;\n value: string;\n committed_at: string;\n revealed: boolean;\n revealed_at?: string;\n}\n\n/**\n * Create a cryptographic commitment to a value.\n *\n * @param value - The value to commit to\n * @param blindingFactor - Optional blinding factor (auto-generated if omitted)\n * @returns The commitment and blinding factor\n */\nexport function createCommitment(\n value: string,\n blindingFactor?: string\n): Commitment {\n // Generate or decode the blinding factor\n const blindingBytes = blindingFactor\n ? fromBase64url(blindingFactor)\n : randomBytes(32);\n\n // Commitment = SHA-256(value_bytes || blinding_bytes)\n const valueBytes = stringToBytes(value);\n const combined = concatBytes(valueBytes, blindingBytes);\n const commitmentHash = hash(combined);\n\n return {\n commitment: toBase64url(commitmentHash),\n blinding_factor: toBase64url(blindingBytes),\n committed_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a commitment against a revealed value and blinding factor.\n *\n * @param commitment - The original commitment hash\n * @param value - The revealed value\n * @param blindingFactor - The revealed blinding factor\n * @returns true if the reveal matches the commitment\n */\nexport function verifyCommitment(\n commitment: string,\n value: string,\n blindingFactor: string\n): boolean {\n const blindingBytes = fromBase64url(blindingFactor);\n const valueBytes = stringToBytes(value);\n const combined = concatBytes(valueBytes, blindingBytes);\n const expectedHash = toBase64url(hash(combined));\n\n // Use string comparison (the hash output is already fixed-length)\n return commitment === expectedHash;\n}\n\n/**\n * Commitment store — manages commitments encrypted under L1 sovereignty.\n */\nexport class CommitmentStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l3-commitments\");\n }\n\n /**\n * Store a commitment (encrypted) for later reference.\n */\n async store(commitment: Commitment, value: string): Promise<string> {\n const id = `cmt-${Date.now()}-${toBase64url(randomBytes(8))}`;\n\n const stored: StoredCommitment = {\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n value,\n committed_at: commitment.committed_at,\n revealed: false,\n };\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_commitments\",\n id,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return id;\n }\n\n /**\n * Retrieve a stored commitment by ID.\n */\n async get(id: string): Promise<StoredCommitment | null> {\n const raw = await this.storage.read(\"_commitments\", id);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n\n /**\n * Mark a commitment as revealed.\n */\n async markRevealed(id: string): Promise<void> {\n const stored = await this.get(id);\n if (!stored) return;\n\n stored.revealed = true;\n stored.revealed_at = new Date().toISOString();\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_commitments\",\n id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Disclosure Policies\n *\n * Disclosure policies define what an agent will and will not disclose\n * in different interaction contexts. Policies are evaluated against\n * incoming disclosure requests to produce per-field decisions.\n *\n * This is the agent's \"privacy preferences\" layer — it codifies the\n * human principal's intent about what information can flow where.\n *\n * Security invariants:\n * - Policies are stored encrypted under L1 sovereignty\n * - Default action is always \"withhold\" unless explicitly overridden\n * - Policy evaluation is deterministic (same request → same decision)\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString, toBase64url } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\n\n/** A single disclosure rule within a policy */\nexport interface DisclosureRule {\n /** Interaction context this rule applies to */\n context: string; // \"negotiation\", \"commerce\", \"identity\", \"*\"\n /** Fields/claims the agent MAY disclose */\n disclose: string[];\n /** Fields/claims the agent MUST NOT disclose */\n withhold: string[];\n /** Fields that require proof rather than plain disclosure */\n proof_required: string[];\n}\n\n/** A complete disclosure policy */\nexport interface DisclosurePolicy {\n policy_id: string;\n policy_name: string;\n rules: DisclosureRule[];\n default_action: \"withhold\" | \"ask-principal\";\n identity_id?: string;\n created_at: string;\n updated_at: string;\n}\n\n/** Result of evaluating a disclosure request */\nexport interface DisclosureDecision {\n field: string;\n action: \"disclose\" | \"withhold\" | \"proof\" | \"ask-principal\";\n reason: string;\n applicable_rule: string;\n}\n\n/**\n * Evaluate a disclosure request against a policy.\n *\n * For each requested field, finds the most specific matching rule:\n * 1. Exact context match\n * 2. Wildcard \"*\" context\n * 3. Default action\n *\n * Within a matched rule:\n * - If field is in `withhold` → withhold (highest priority)\n * - If field is in `proof_required` → proof\n * - If field is in `disclose` → disclose\n * - Otherwise → default_action\n */\nexport function evaluateDisclosure(\n policy: DisclosurePolicy,\n context: string,\n requestedFields: string[]\n): DisclosureDecision[] {\n return requestedFields.map((field) => {\n // Find matching rules: exact context first, then wildcard\n const exactRule = policy.rules.find((r) => r.context === context);\n const wildcardRule = policy.rules.find((r) => r.context === \"*\");\n const matchedRule = exactRule ?? wildcardRule;\n\n if (!matchedRule) {\n return {\n field,\n action: policy.default_action,\n reason: `No rule matches context \"${context}\"`,\n applicable_rule: \"default\",\n };\n }\n\n const ruleName = `${matchedRule.context}`;\n\n // Withhold takes priority\n if (matchedRule.withhold.includes(field)) {\n return {\n field,\n action: \"withhold\" as const,\n reason: `Field \"${field}\" is explicitly withheld in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Proof required next\n if (matchedRule.proof_required.includes(field)) {\n return {\n field,\n action: \"proof\" as const,\n reason: `Field \"${field}\" requires cryptographic proof in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Explicit disclose\n if (matchedRule.disclose.includes(field)) {\n return {\n field,\n action: \"disclose\" as const,\n reason: `Field \"${field}\" is permitted for disclosure in ${ruleName} context`,\n applicable_rule: ruleName,\n };\n }\n\n // Not mentioned in the rule — fall to default\n return {\n field,\n action: policy.default_action,\n reason: `Field \"${field}\" not addressed in ${ruleName} rule; applying default`,\n applicable_rule: ruleName,\n };\n });\n}\n\n/**\n * Policy store — manages disclosure policies encrypted under L1 sovereignty.\n */\nexport class PolicyStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private policies: Map<string, DisclosurePolicy> = new Map();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l3-policies\");\n }\n\n /**\n * Create and store a new disclosure policy.\n */\n async create(\n policyName: string,\n rules: DisclosureRule[],\n defaultAction: \"withhold\" | \"ask-principal\",\n identityId?: string\n ): Promise<DisclosurePolicy> {\n const policyId = `pol-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n const policy: DisclosurePolicy = {\n policy_id: policyId,\n policy_name: policyName,\n rules,\n default_action: defaultAction,\n identity_id: identityId,\n created_at: now,\n updated_at: now,\n };\n\n await this.persist(policy);\n this.policies.set(policyId, policy);\n\n return policy;\n }\n\n /**\n * Get a policy by ID.\n */\n async get(policyId: string): Promise<DisclosurePolicy | null> {\n // Check in-memory cache first\n if (this.policies.has(policyId)) {\n return this.policies.get(policyId)!;\n }\n\n // Try to load from storage\n const raw = await this.storage.read(\"_policies\", policyId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: DisclosurePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policyId, policy);\n return policy;\n } catch {\n return null;\n }\n }\n\n /**\n * List all policies.\n */\n async list(): Promise<DisclosurePolicy[]> {\n await this.loadAll();\n return Array.from(this.policies.values());\n }\n\n /**\n * Load all persisted policies into memory.\n */\n private async loadAll(): Promise<void> {\n try {\n const entries = await this.storage.list(\"_policies\");\n for (const meta of entries) {\n if (this.policies.has(meta.key)) continue;\n const raw = await this.storage.read(\"_policies\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: DisclosurePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policy.policy_id, policy);\n } catch {\n // Skip corrupted policies\n }\n }\n } catch {\n // Storage not available\n }\n }\n\n private async persist(policy: DisclosurePolicy): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(policy));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_policies\",\n policy.policy_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Zero-Knowledge Proofs\n *\n * Upgrades the commitment-only L3 to support real zero-knowledge proofs.\n * Uses Ristretto255 (prime-order curve group, no cofactor issues) for:\n *\n * 1. Pedersen commitments: C = v*G + b*H (computationally hiding, perfectly binding)\n * 2. ZK proof of knowledge: Schnorr sigma protocol via Fiat-Shamir\n * 3. ZK range proofs: Prove value ∈ [min, max] without revealing it\n *\n * Ristretto255 is available via @noble/curves/ed25519, which we already depend on.\n * This is genuine zero-knowledge — proofs reveal nothing beyond the stated property.\n *\n * Architecture note:\n * The existing commitment scheme (SHA-256 based) remains available for backward\n * compatibility. The ZK proofs operate on a separate Pedersen commitment system\n * that provides algebraic structure for proper ZK properties.\n *\n * Security invariants:\n * - Generator H is derived via hash-to-curve (nothing-up-my-sleeve)\n * - Blinding factors are cryptographically random (32 bytes)\n * - Fiat-Shamir challenges use domain-separated hashing\n * - Range proofs use a bit-decomposition approach (sound but logarithmic size)\n */\n\nimport { RistrettoPoint } from \"@noble/curves/ed25519\";\nimport { sha256 } from \"@noble/hashes/sha256\";\nimport { randomBytes } from \"../core/random.js\";\nimport { toBase64url, fromBase64url, stringToBytes, concatBytes } from \"../core/encoding.js\";\n\n// ── Constants ───────────────────────────────────────────────────────────\n\n/** Generator G: the standard Ristretto255 base point */\nconst G = RistrettoPoint.BASE;\n\n/**\n * Generator H: derived via hash-to-curve so nobody knows the discrete log\n * relationship between G and H (nothing-up-my-sleeve construction).\n */\n/** Derive 64 bytes for hash-to-curve via double SHA-256 */\nconst H_INPUT = concatBytes(\n sha256(stringToBytes(\"sanctuary-pedersen-generator-H-v1-a\")),\n sha256(stringToBytes(\"sanctuary-pedersen-generator-H-v1-b\"))\n);\nconst H = RistrettoPoint.hashToCurve(H_INPUT);\n\n// ── Types ───────────────────────────────────────────────────────────────\n\n/** A Pedersen commitment: C = v*G + b*H */\nexport interface PedersenCommitment {\n /** The commitment point (encoded as base64url) */\n commitment: string;\n /** The blinding factor b (base64url, 32 bytes) — keep secret */\n blinding_factor: string;\n /** When the commitment was created */\n committed_at: string;\n}\n\n/** A non-interactive ZK proof of knowledge of a commitment's opening */\nexport interface ZKProofOfKnowledge {\n /** Proof type identifier */\n type: \"schnorr-pedersen-ristretto255\";\n /** The commitment this proof is for */\n commitment: string;\n /** Announcement point R (base64url) */\n announcement: string;\n /** Response scalar s_v (base64url) */\n response_v: string;\n /** Response scalar s_b (base64url) */\n response_b: string;\n /** Proof generated at */\n generated_at: string;\n}\n\n/** A ZK range proof: proves value ∈ [min, max] */\nexport interface ZKRangeProof {\n /** Proof type identifier */\n type: \"range-pedersen-ristretto255\";\n /** The commitment this proof is for */\n commitment: string;\n /** Minimum value (inclusive) */\n min: number;\n /** Maximum value (inclusive) */\n max: number;\n /** Bit commitments for the shifted value (v - min) */\n bit_commitments: string[];\n /** Proofs that each bit commitment is 0 or 1 */\n bit_proofs: Array<{\n announcement_0: string;\n announcement_1: string;\n challenge_0: string;\n challenge_1: string;\n response_0: string;\n response_1: string;\n }>;\n /** Sum proof: bit commitments sum to the value commitment */\n sum_proof: {\n announcement: string;\n response: string;\n };\n /** Proof generated at */\n generated_at: string;\n}\n\n// ── Helpers ─────────────────────────────────────────────────────────────\n\n/** Encode a bigint as a 32-byte big-endian Uint8Array */\nfunction bigintToBytes(n: bigint): Uint8Array {\n const hex = n.toString(16).padStart(64, \"0\");\n const bytes = new Uint8Array(32);\n for (let i = 0; i < 32; i++) {\n bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);\n }\n return bytes;\n}\n\n/** Decode a 32-byte big-endian Uint8Array to a bigint */\nfunction bytesToBigint(bytes: Uint8Array): bigint {\n let hex = \"\";\n for (const b of bytes) {\n hex += b.toString(16).padStart(2, \"0\");\n }\n return BigInt(\"0x\" + hex);\n}\n\n/** The Ristretto255 group order */\nconst ORDER = BigInt(\"7237005577332262213973186563042994240857116359379907606001950938285454250989\");\n\n/** Reduce a bigint modulo the group order */\nfunction mod(n: bigint): bigint {\n return ((n % ORDER) + ORDER) % ORDER;\n}\n\n/**\n * Safe scalar multiplication: handles the zero case\n * (noble/curves requires 1 <= scalar < n)\n */\nfunction safeMultiply(point: InstanceType<typeof RistrettoPoint>, scalar: bigint): InstanceType<typeof RistrettoPoint> {\n const s = mod(scalar);\n if (s === 0n) return RistrettoPoint.ZERO;\n return point.multiply(s);\n}\n\n/** Generate a random scalar in [1, ORDER-1] */\nfunction randomScalar(): bigint {\n const bytes = randomBytes(64); // Extra bytes for uniform distribution\n return mod(bytesToBigint(bytes));\n}\n\n/** Domain-separated Fiat-Shamir challenge hash */\nfunction fiatShamirChallenge(domain: string, ...points: Uint8Array[]): bigint {\n const domainBytes = stringToBytes(domain);\n const combined = concatBytes(domainBytes, ...points);\n const hash = sha256(combined);\n return mod(bytesToBigint(hash));\n}\n\n// ── Pedersen Commitments ────────────────────────────────────────────────\n\n/**\n * Create a Pedersen commitment to a numeric value.\n *\n * C = v*G + b*H\n *\n * Properties:\n * - Computationally hiding (under discrete log assumption)\n * - Perfectly binding (information-theoretic)\n * - Homomorphic: C(v1) + C(v2) = C(v1+v2) with adjusted blinding\n *\n * @param value - The value to commit to (integer)\n * @returns The commitment and blinding factor\n */\nexport function createPedersenCommitment(value: number): PedersenCommitment {\n const v = mod(BigInt(value));\n const b = randomScalar();\n\n // C = v*G + b*H\n const C = safeMultiply(G, v).add(safeMultiply(H, b));\n\n return {\n commitment: toBase64url(C.toRawBytes()),\n blinding_factor: toBase64url(bigintToBytes(b)),\n committed_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a Pedersen commitment against a revealed value and blinding factor.\n *\n * Recomputes C' = v*G + b*H and checks C' == C.\n */\nexport function verifyPedersenCommitment(\n commitment: string,\n value: number,\n blindingFactor: string\n): boolean {\n try {\n const C = RistrettoPoint.fromHex(fromBase64url(commitment));\n const v = mod(BigInt(value));\n const b = bytesToBigint(fromBase64url(blindingFactor));\n\n const expected = safeMultiply(G, v).add(safeMultiply(H, b));\n return C.equals(expected);\n } catch {\n return false;\n }\n}\n\n// ── ZK Proof of Knowledge ───────────────────────────────────────────────\n\n/**\n * Create a non-interactive ZK proof that you know the opening (v, b)\n * of a Pedersen commitment C = v*G + b*H.\n *\n * Schnorr sigma protocol with Fiat-Shamir transform:\n * 1. Pick random r_v, r_b\n * 2. Compute R = r_v*G + r_b*H (announcement)\n * 3. Compute e = H_FS(C || R) (challenge via Fiat-Shamir)\n * 4. Compute s_v = r_v + e*v, s_b = r_b + e*b (responses)\n * 5. Proof = (R, s_v, s_b)\n *\n * Zero-knowledge: the transcript (R, e, s_v, s_b) can be simulated\n * without knowing (v, b), so it reveals nothing.\n *\n * @param value - The committed value\n * @param blindingFactor - The blinding factor (base64url)\n * @param commitment - The commitment (base64url)\n */\nexport function createProofOfKnowledge(\n value: number,\n blindingFactor: string,\n commitment: string\n): ZKProofOfKnowledge {\n const v = mod(BigInt(value));\n const b = bytesToBigint(fromBase64url(blindingFactor));\n\n // Step 1: Random nonces\n const r_v = randomScalar();\n const r_b = randomScalar();\n\n // Step 2: Announcement\n const R = safeMultiply(G, r_v).add(safeMultiply(H, r_b));\n\n // Step 3: Fiat-Shamir challenge\n const C_bytes = fromBase64url(commitment);\n const R_bytes = R.toRawBytes();\n const e = fiatShamirChallenge(\"sanctuary-zk-pok-v1\", C_bytes, R_bytes);\n\n // Step 4: Responses\n const s_v = mod(r_v + e * v);\n const s_b = mod(r_b + e * b);\n\n return {\n type: \"schnorr-pedersen-ristretto255\",\n commitment,\n announcement: toBase64url(R_bytes),\n response_v: toBase64url(bigintToBytes(s_v)),\n response_b: toBase64url(bigintToBytes(s_b)),\n generated_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a ZK proof of knowledge of a commitment's opening.\n *\n * Check: s_v*G + s_b*H == R + e*C\n */\nexport function verifyProofOfKnowledge(proof: ZKProofOfKnowledge): boolean {\n try {\n const C = RistrettoPoint.fromHex(fromBase64url(proof.commitment));\n const R = RistrettoPoint.fromHex(fromBase64url(proof.announcement));\n const s_v = bytesToBigint(fromBase64url(proof.response_v));\n const s_b = bytesToBigint(fromBase64url(proof.response_b));\n\n // Recompute challenge\n const e = fiatShamirChallenge(\n \"sanctuary-zk-pok-v1\",\n fromBase64url(proof.commitment),\n fromBase64url(proof.announcement)\n );\n\n // Verify: s_v*G + s_b*H == R + e*C\n const lhs = safeMultiply(G, s_v).add(safeMultiply(H, s_b));\n const rhs = R.add(safeMultiply(C, e));\n\n return lhs.equals(rhs);\n } catch {\n return false;\n }\n}\n\n// ── ZK Range Proof ──────────────────────────────────────────────────────\n\n/**\n * Create a ZK range proof: prove value ∈ [min, max] without revealing value.\n *\n * Approach: bit-decomposition of (value - min) into n bits where 2^n > max - min.\n * Each bit gets a Pedersen commitment and a proof it's 0 or 1.\n * A sum proof shows the bit commitments reconstruct the original commitment\n * (shifted by min).\n *\n * @param value - The committed value\n * @param blindingFactor - The blinding factor (base64url)\n * @param commitment - The commitment (base64url)\n * @param min - Minimum value (inclusive)\n * @param max - Maximum value (inclusive)\n */\nexport function createRangeProof(\n value: number,\n blindingFactor: string,\n commitment: string,\n min: number,\n max: number\n): ZKRangeProof | { error: string } {\n if (value < min || value > max) {\n return { error: `Value ${value} is not in range [${min}, ${max}]` };\n }\n\n const range = max - min;\n const numBits = Math.ceil(Math.log2(range + 1));\n const shifted = value - min;\n const b = bytesToBigint(fromBase64url(blindingFactor));\n\n // Decompose shifted value into bits\n const bits: number[] = [];\n for (let i = 0; i < numBits; i++) {\n bits.push((shifted >> i) & 1);\n }\n\n // Create bit commitments with random blinding factors\n const bitBlindings: bigint[] = [];\n const bitCommitments: string[] = [];\n const bitProofs: ZKRangeProof[\"bit_proofs\"] = [];\n\n for (let i = 0; i < numBits; i++) {\n const bit_b = randomScalar();\n bitBlindings.push(bit_b);\n\n // Bit commitment: C_i = bit_i * G + bit_b_i * H\n const C_i = safeMultiply(G, mod(BigInt(bits[i]!))).add(safeMultiply(H, bit_b));\n bitCommitments.push(toBase64url(C_i.toRawBytes()));\n\n // Prove bit is 0 or 1 using an OR-proof (Sigma protocol)\n const bitProof = createBitProof(bits[i]!, bit_b, C_i);\n bitProofs.push(bitProof);\n }\n\n // Sum proof: show that sum(2^i * C_i) - min*G has blinding factor = b\n // sum(2^i * bit_b_i) should equal b (mod ORDER)\n const sumBlinding = bitBlindings.reduce(\n (acc, bi, i) => mod(acc + mod(BigInt(1) << BigInt(i)) * bi),\n 0n\n );\n // The difference in blinding: b - sumBlinding\n const blindingDiff = mod(b - sumBlinding);\n\n // Prove knowledge of blindingDiff as the blinding factor of the identity point\n const r_sum = randomScalar();\n const R_sum = safeMultiply(H, r_sum);\n const e_sum = fiatShamirChallenge(\n \"sanctuary-zk-range-sum-v1\",\n fromBase64url(commitment),\n R_sum.toRawBytes()\n );\n const s_sum = mod(r_sum + e_sum * blindingDiff);\n\n return {\n type: \"range-pedersen-ristretto255\",\n commitment,\n min,\n max,\n bit_commitments: bitCommitments,\n bit_proofs: bitProofs,\n sum_proof: {\n announcement: toBase64url(R_sum.toRawBytes()),\n response: toBase64url(bigintToBytes(s_sum)),\n },\n generated_at: new Date().toISOString(),\n };\n}\n\n/**\n * Verify a ZK range proof.\n */\nexport function verifyRangeProof(proof: ZKRangeProof): boolean {\n try {\n const C = RistrettoPoint.fromHex(fromBase64url(proof.commitment));\n const range = proof.max - proof.min;\n const numBits = Math.ceil(Math.log2(range + 1));\n\n if (proof.bit_commitments.length !== numBits) return false;\n if (proof.bit_proofs.length !== numBits) return false;\n\n // Verify each bit proof\n for (let i = 0; i < numBits; i++) {\n const C_i = RistrettoPoint.fromHex(fromBase64url(proof.bit_commitments[i]!));\n if (!verifyBitProof(proof.bit_proofs[i]!, C_i)) {\n return false;\n }\n }\n\n // Verify sum proof: sum(2^i * C_i) + blindingDiff*H == C - min*G\n // Reconstruct: sum(2^i * C_i)\n let reconstructed = RistrettoPoint.ZERO;\n for (let i = 0; i < numBits; i++) {\n const C_i = RistrettoPoint.fromHex(fromBase64url(proof.bit_commitments[i]!));\n const weight = mod(BigInt(1) << BigInt(i));\n reconstructed = reconstructed.add(safeMultiply(C_i, weight));\n }\n\n // The difference: C - min*G - reconstructed should be blindingDiff*H\n const diff = C.subtract(safeMultiply(G, mod(BigInt(proof.min)))).subtract(reconstructed);\n\n // Verify the sum proof for diff\n const R_sum = RistrettoPoint.fromHex(fromBase64url(proof.sum_proof.announcement));\n const s_sum = bytesToBigint(fromBase64url(proof.sum_proof.response));\n const e_sum = fiatShamirChallenge(\n \"sanctuary-zk-range-sum-v1\",\n fromBase64url(proof.commitment),\n fromBase64url(proof.sum_proof.announcement)\n );\n\n // Check: s_sum*H == R_sum + e_sum*diff\n const lhs = safeMultiply(H, s_sum);\n const rhs = R_sum.add(safeMultiply(diff, e_sum));\n return lhs.equals(rhs);\n } catch {\n return false;\n }\n}\n\n// ── Bit Proof (OR-proof for 0 or 1) ────────────────────────────────────\n\n/**\n * Create an OR-proof that a Pedersen commitment contains either 0 or 1.\n * Uses the standard Cramer-Damgård-Schoenmakers (CDS) technique.\n */\nfunction createBitProof(\n bit: number,\n blinding: bigint,\n commitment: InstanceType<typeof RistrettoPoint>\n): ZKRangeProof[\"bit_proofs\"][0] {\n const C_bytes = commitment.toRawBytes();\n\n if (bit === 0) {\n // Real proof for 0, simulated for 1\n // For the simulated branch (bit=1): C - G\n const C_minus_G = commitment.subtract(G);\n\n // Simulate branch 1\n const e_1 = randomScalar();\n const s_1 = randomScalar();\n // R_1 = s_1*H - e_1*(C-G)\n const R_1 = safeMultiply(H, s_1).subtract(safeMultiply(C_minus_G, e_1));\n\n // Real branch 0\n const r_0 = randomScalar();\n const R_0 = safeMultiply(H, r_0);\n\n // Overall challenge\n const e = fiatShamirChallenge(\n \"sanctuary-zk-bit-v1\",\n C_bytes,\n R_0.toRawBytes(),\n R_1.toRawBytes()\n );\n const e_0 = mod(e - e_1);\n const s_0 = mod(r_0 + e_0 * blinding);\n\n return {\n announcement_0: toBase64url(R_0.toRawBytes()),\n announcement_1: toBase64url(R_1.toRawBytes()),\n challenge_0: toBase64url(bigintToBytes(e_0)),\n challenge_1: toBase64url(bigintToBytes(e_1)),\n response_0: toBase64url(bigintToBytes(s_0)),\n response_1: toBase64url(bigintToBytes(s_1)),\n };\n } else {\n // Real proof for 1, simulated for 0\n // Simulate branch 0\n const e_0 = randomScalar();\n const s_0 = randomScalar();\n // R_0 = s_0*H - e_0*C\n const R_0 = safeMultiply(H, s_0).subtract(safeMultiply(commitment, e_0));\n\n // Real branch 1: C - G, blinding is the same\n const r_1 = randomScalar();\n const R_1 = safeMultiply(H, r_1);\n\n // Overall challenge\n const e = fiatShamirChallenge(\n \"sanctuary-zk-bit-v1\",\n C_bytes,\n R_0.toRawBytes(),\n R_1.toRawBytes()\n );\n const e_1 = mod(e - e_0);\n const s_1 = mod(r_1 + e_1 * blinding);\n\n return {\n announcement_0: toBase64url(R_0.toRawBytes()),\n announcement_1: toBase64url(R_1.toRawBytes()),\n challenge_0: toBase64url(bigintToBytes(e_0)),\n challenge_1: toBase64url(bigintToBytes(e_1)),\n response_0: toBase64url(bigintToBytes(s_0)),\n response_1: toBase64url(bigintToBytes(s_1)),\n };\n }\n}\n\n/**\n * Verify an OR-proof that a commitment contains 0 or 1.\n */\nfunction verifyBitProof(\n proof: ZKRangeProof[\"bit_proofs\"][0],\n commitment: InstanceType<typeof RistrettoPoint>\n): boolean {\n try {\n const C_bytes = commitment.toRawBytes();\n const R_0 = RistrettoPoint.fromHex(fromBase64url(proof.announcement_0));\n const R_1 = RistrettoPoint.fromHex(fromBase64url(proof.announcement_1));\n const e_0 = bytesToBigint(fromBase64url(proof.challenge_0));\n const e_1 = bytesToBigint(fromBase64url(proof.challenge_1));\n const s_0 = bytesToBigint(fromBase64url(proof.response_0));\n const s_1 = bytesToBigint(fromBase64url(proof.response_1));\n\n // Check challenge split\n const e = fiatShamirChallenge(\n \"sanctuary-zk-bit-v1\",\n C_bytes,\n R_0.toRawBytes(),\n R_1.toRawBytes()\n );\n if (mod(e_0 + e_1) !== e) return false;\n\n // Verify branch 0: s_0*H == R_0 + e_0*C\n const lhs_0 = safeMultiply(H, s_0);\n const rhs_0 = R_0.add(safeMultiply(commitment, e_0));\n if (!lhs_0.equals(rhs_0)) return false;\n\n // Verify branch 1: s_1*H == R_1 + e_1*(C - G)\n const C_minus_G = commitment.subtract(G);\n const lhs_1 = safeMultiply(H, s_1);\n const rhs_1 = R_1.add(safeMultiply(C_minus_G, e_1));\n if (!lhs_1.equals(rhs_1)) return false;\n\n return true;\n } catch {\n return false;\n }\n}\n","/**\n * Sanctuary MCP Server — L3 Selective Disclosure: Tool Definitions\n *\n * MCP tool wrappers for commitment schemes and disclosure policies.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport {\n createCommitment,\n verifyCommitment,\n CommitmentStore,\n} from \"./commitments.js\";\nimport {\n evaluateDisclosure,\n PolicyStore,\n type DisclosureRule,\n} from \"./policies.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport {\n createPedersenCommitment,\n verifyPedersenCommitment,\n createProofOfKnowledge,\n verifyProofOfKnowledge,\n createRangeProof,\n verifyRangeProof,\n} from \"./zk-proofs.js\";\n\nexport function createL3Tools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[]; commitmentStore: CommitmentStore; policyStore: PolicyStore } {\n const commitmentStore = new CommitmentStore(storage, masterKey);\n const policyStore = new PolicyStore(storage, masterKey);\n\n const tools: ToolDefinition[] = [\n // ─── Commitment Schemes ───────────────────────────────────────────────\n\n {\n name: \"sanctuary/proof_commitment\",\n description:\n \"Create a cryptographic commitment to a value. \" +\n \"The commitment hides the value until you choose to reveal it. \" +\n \"Returns the commitment hash and a blinding factor (store securely).\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"string\",\n description: \"The value to commit to\",\n },\n blinding_factor: {\n type: \"string\",\n description:\n \"Optional base64url blinding factor (auto-generated if omitted)\",\n },\n },\n required: [\"value\"],\n },\n handler: async (args) => {\n const value = args.value as string;\n const blindingFactor = args.blinding_factor as string | undefined;\n\n const commitment = createCommitment(value, blindingFactor);\n\n // Store the commitment encrypted for reference\n const commitmentId = await commitmentStore.store(commitment, value);\n\n auditLog.append(\"l3\", \"proof_commitment\", \"system\", {\n commitment_id: commitmentId,\n commitment_hash: commitment.commitment,\n });\n\n return toolResult({\n commitment_id: commitmentId,\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n committed_at: commitment.committed_at,\n note: \"Store the blinding_factor securely. You will need it to reveal the committed value.\",\n });\n },\n },\n\n {\n name: \"sanctuary/proof_reveal\",\n description:\n \"Verify a previously committed value by revealing it with the blinding factor. \" +\n \"Returns whether the revealed value matches the commitment.\",\n inputSchema: {\n type: \"object\",\n properties: {\n commitment: {\n type: \"string\",\n description: \"The original commitment hash\",\n },\n value: {\n type: \"string\",\n description: \"The value being revealed\",\n },\n blinding_factor: {\n type: \"string\",\n description: \"The blinding factor from the original commitment\",\n },\n },\n required: [\"commitment\", \"value\", \"blinding_factor\"],\n },\n handler: async (args) => {\n const commitment = args.commitment as string;\n const value = args.value as string;\n const blindingFactor = args.blinding_factor as string;\n\n const valid = verifyCommitment(commitment, value, blindingFactor);\n\n auditLog.append(\"l3\", \"proof_reveal\", \"system\", {\n commitment_hash: commitment,\n valid,\n });\n\n return toolResult({\n valid,\n commitment,\n revealed_at: new Date().toISOString(),\n });\n },\n },\n\n // ─── Disclosure Policies ──────────────────────────────────────────────\n\n {\n name: \"sanctuary/disclosure_set_policy\",\n description:\n \"Define a disclosure policy that controls what an agent will and will not \" +\n \"disclose in different interaction contexts. Rules specify which fields may \" +\n \"be disclosed, which must be withheld, and which require cryptographic proof.\",\n inputSchema: {\n type: \"object\",\n properties: {\n policy_name: {\n type: \"string\",\n description: \"Human-readable policy name\",\n },\n rules: {\n type: \"array\",\n description: \"Disclosure rules for different contexts\",\n items: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description:\n 'Interaction context: \"negotiation\", \"commerce\", \"identity\", \"*\" (wildcard)',\n },\n disclose: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the agent MAY disclose\",\n },\n withhold: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the agent MUST NOT disclose\",\n },\n proof_required: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields that require proof rather than plain disclosure\",\n },\n },\n required: [\"context\", \"disclose\", \"withhold\", \"proof_required\"],\n },\n },\n default_action: {\n type: \"string\",\n enum: [\"withhold\", \"ask-principal\"],\n description: \"What to do when no rule matches a field\",\n },\n identity_id: {\n type: \"string\",\n description: \"Optional identity this policy is bound to\",\n },\n },\n required: [\"policy_name\", \"rules\", \"default_action\"],\n },\n handler: async (args) => {\n const policyName = args.policy_name as string;\n const rules = args.rules as DisclosureRule[];\n const defaultAction = args.default_action as\n | \"withhold\"\n | \"ask-principal\";\n const identityId = args.identity_id as string | undefined;\n\n const policy = await policyStore.create(\n policyName,\n rules,\n defaultAction,\n identityId\n );\n\n auditLog.append(\"l3\", \"disclosure_set_policy\", identityId ?? \"system\", {\n policy_id: policy.policy_id,\n policy_name: policyName,\n rules_count: rules.length,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n rules_count: policy.rules.length,\n created_at: policy.created_at,\n });\n },\n },\n\n {\n name: \"sanctuary/disclosure_evaluate\",\n description:\n \"Evaluate a disclosure request against an active policy. \" +\n \"Returns per-field decisions: disclose, withhold, proof, or ask-principal.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description: \"The interaction context\",\n },\n requested_fields: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Fields the counterparty is requesting\",\n },\n policy_id: {\n type: \"string\",\n description: \"Specific policy to evaluate (uses first available if omitted)\",\n },\n },\n required: [\"context\", \"requested_fields\"],\n },\n handler: async (args) => {\n const context = args.context as string;\n const requestedFields = args.requested_fields as string[];\n const policyId = args.policy_id as string | undefined;\n\n let policy;\n if (policyId) {\n policy = await policyStore.get(policyId);\n } else {\n const allPolicies = await policyStore.list();\n policy = allPolicies[0] ?? null;\n }\n\n if (!policy) {\n return toolResult({\n error: \"No disclosure policy found. Create one with disclosure_set_policy first.\",\n });\n }\n\n const decisions = evaluateDisclosure(policy, context, requestedFields);\n\n const withholding = decisions.filter(\n (d) => d.action === \"withhold\"\n ).length;\n const disclosing = decisions.filter(\n (d) => d.action === \"disclose\"\n ).length;\n const proofRequired = decisions.filter(\n (d) => d.action === \"proof\"\n ).length;\n const askPrincipal = decisions.filter(\n (d) => d.action === \"ask-principal\"\n ).length;\n\n auditLog.append(\"l3\", \"disclosure_evaluate\", \"system\", {\n policy_id: policy.policy_id,\n context,\n fields_requested: requestedFields.length,\n withholding,\n disclosing,\n proof_required: proofRequired,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n context,\n decisions,\n summary: {\n total_fields: requestedFields.length,\n disclose: disclosing,\n withhold: withholding,\n proof: proofRequired,\n ask_principal: askPrincipal,\n },\n overall_recommendation:\n withholding > 0\n ? `Withholding ${withholding} of ${requestedFields.length} requested fields per policy \"${policy.policy_name}\"`\n : `All ${requestedFields.length} fields may be disclosed per policy \"${policy.policy_name}\"`,\n });\n },\n },\n\n // ─── ZK Proof Tools ───────────────────────────────────────────────────\n\n {\n name: \"sanctuary/zk_commit\",\n description:\n \"Create a Pedersen commitment to a numeric value on Ristretto255. \" +\n \"Unlike SHA-256 commitments, Pedersen commitments support zero-knowledge proofs: \" +\n \"you can prove properties about the committed value without revealing it.\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"number\",\n description: \"The integer value to commit to\",\n },\n },\n required: [\"value\"],\n },\n handler: async (args) => {\n const value = args.value as number;\n\n if (!Number.isInteger(value)) {\n return toolResult({ error: \"Value must be an integer.\" });\n }\n\n const commitment = createPedersenCommitment(value);\n\n auditLog.append(\"l3\", \"zk_commit\", \"system\", {\n commitment_hash: commitment.commitment.slice(0, 16) + \"...\",\n });\n\n return toolResult({\n commitment: commitment.commitment,\n blinding_factor: commitment.blinding_factor,\n committed_at: commitment.committed_at,\n proof_system: \"pedersen-ristretto255\",\n note: \"Store the blinding_factor securely. Use zk_prove to create proofs about this commitment.\",\n });\n },\n },\n\n {\n name: \"sanctuary/zk_prove\",\n description:\n \"Create a zero-knowledge proof of knowledge for a Pedersen commitment. \" +\n \"Proves you know the value and blinding factor without revealing either. \" +\n \"Uses a Schnorr sigma protocol with Fiat-Shamir transform.\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"number\",\n description: \"The committed value (integer)\",\n },\n blinding_factor: {\n type: \"string\",\n description: \"The blinding factor from zk_commit (base64url)\",\n },\n commitment: {\n type: \"string\",\n description: \"The Pedersen commitment (base64url)\",\n },\n },\n required: [\"value\", \"blinding_factor\", \"commitment\"],\n },\n handler: async (args) => {\n const value = args.value as number;\n const blindingFactor = args.blinding_factor as string;\n const commitment = args.commitment as string;\n\n // Verify the commitment first\n if (!verifyPedersenCommitment(commitment, value, blindingFactor)) {\n return toolResult({\n error: \"The provided value and blinding factor do not match the commitment.\",\n });\n }\n\n const proof = createProofOfKnowledge(value, blindingFactor, commitment);\n\n auditLog.append(\"l3\", \"zk_prove\", \"system\", {\n proof_type: proof.type,\n commitment: commitment.slice(0, 16) + \"...\",\n });\n\n return toolResult({\n proof,\n note: \"This proof demonstrates knowledge of the commitment opening without revealing the value.\",\n });\n },\n },\n\n {\n name: \"sanctuary/zk_verify\",\n description:\n \"Verify a zero-knowledge proof of knowledge for a Pedersen commitment. \" +\n \"Checks that the prover knows the commitment's opening without learning anything.\",\n inputSchema: {\n type: \"object\",\n properties: {\n proof: {\n type: \"object\",\n description: \"The ZK proof object from zk_prove\",\n },\n },\n required: [\"proof\"],\n },\n handler: async (args) => {\n const proof = args.proof as Parameters<typeof verifyProofOfKnowledge>[0];\n\n const valid = verifyProofOfKnowledge(proof);\n\n auditLog.append(\"l3\", \"zk_verify\", \"system\", {\n proof_type: proof.type,\n valid,\n });\n\n return toolResult({\n valid,\n proof_type: proof.type,\n commitment: proof.commitment,\n verified_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/zk_range_prove\",\n description:\n \"Create a zero-knowledge range proof: prove that a committed value is \" +\n \"within [min, max] without revealing the exact value. \" +\n \"Uses bit-decomposition with OR-proofs on Ristretto255.\",\n inputSchema: {\n type: \"object\",\n properties: {\n value: {\n type: \"number\",\n description: \"The committed value (integer)\",\n },\n blinding_factor: {\n type: \"string\",\n description: \"The blinding factor from zk_commit (base64url)\",\n },\n commitment: {\n type: \"string\",\n description: \"The Pedersen commitment (base64url)\",\n },\n min: {\n type: \"number\",\n description: \"Minimum of the range (inclusive)\",\n },\n max: {\n type: \"number\",\n description: \"Maximum of the range (inclusive)\",\n },\n },\n required: [\"value\", \"blinding_factor\", \"commitment\", \"min\", \"max\"],\n },\n handler: async (args) => {\n const value = args.value as number;\n const blindingFactor = args.blinding_factor as string;\n const commitment = args.commitment as string;\n const min = args.min as number;\n const max = args.max as number;\n\n const proof = createRangeProof(value, blindingFactor, commitment, min, max);\n\n if (\"error\" in proof) {\n return toolResult({ error: proof.error });\n }\n\n auditLog.append(\"l3\", \"zk_range_prove\", \"system\", {\n proof_type: proof.type,\n range: `[${min}, ${max}]`,\n bits: proof.bit_commitments.length,\n });\n\n return toolResult({\n proof,\n note: `This proof demonstrates the committed value is in [${min}, ${max}] without revealing it.`,\n });\n },\n },\n\n {\n name: \"sanctuary/zk_range_verify\",\n description:\n \"Verify a zero-knowledge range proof — confirms a committed value \" +\n \"is within the claimed range without learning the value.\",\n inputSchema: {\n type: \"object\",\n properties: {\n proof: {\n type: \"object\",\n description: \"The range proof object from zk_range_prove\",\n },\n },\n required: [\"proof\"],\n },\n handler: async (args) => {\n const proof = args.proof as Parameters<typeof verifyRangeProof>[0];\n\n const valid = verifyRangeProof(proof);\n\n auditLog.append(\"l3\", \"zk_range_verify\", \"system\", {\n proof_type: proof.type,\n valid,\n range: `[${proof.min}, ${proof.max}]`,\n });\n\n return toolResult({\n valid,\n proof_type: proof.type,\n range: { min: proof.min, max: proof.max },\n commitment: proof.commitment,\n verified_at: new Date().toISOString(),\n });\n },\n },\n ];\n\n return { tools, commitmentStore, policyStore };\n}\n","/**\n * Sanctuary MCP Server — L4 Verifiable Reputation: Reputation Store\n *\n * Records interaction outcomes as signed attestations, queries aggregated\n * reputation data, and supports export/import for cross-platform portability.\n *\n * Attestation format is EAS-compatible (Ethereum Attestation Service) to\n * enable future on-chain anchoring without requiring blockchain for MVS.\n *\n * Security invariants:\n * - All attestations are signed by the recording identity\n * - Attestations are stored encrypted under L1 sovereignty\n * - Reputation queries return aggregates, never raw interaction data\n * - Export bundles include all signatures for independent verification\n * - Import verifies every signature before accepting attestations\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport {\n stringToBytes,\n bytesToString,\n toBase64url,\n fromBase64url,\n} from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport type { StoredIdentity } from \"../core/identity.js\";\nimport type { SovereigntyTier } from \"./tiers.js\";\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/** Interaction outcome for recording */\nexport interface InteractionOutcome {\n type: \"transaction\" | \"negotiation\" | \"service\" | \"dispute\" | \"custom\";\n result: \"completed\" | \"partial\" | \"failed\" | \"disputed\";\n metrics?: Record<string, number>;\n}\n\n/** A signed attestation of an interaction */\nexport interface Attestation {\n attestation_id: string;\n schema: \"sanctuary-interaction-v1\";\n data: {\n interaction_id: string;\n participant_did: string;\n counterparty_did: string;\n outcome_type: string;\n outcome_result: string;\n metrics: Record<string, number>;\n context: string;\n timestamp: string;\n /** Sovereignty tier of the signer at time of recording */\n sovereignty_tier?: SovereigntyTier;\n };\n signature: string;\n signer: string;\n}\n\n/** Stored attestation (encrypted at rest) */\nexport interface StoredAttestation {\n attestation: Attestation;\n counterparty_attestation?: string;\n counterparty_confirmed: boolean;\n recorded_at: string;\n}\n\n/** Aggregated metric statistics */\nexport interface MetricAggregate {\n mean: number;\n median: number;\n min: number;\n max: number;\n count: number;\n}\n\n/** Reputation query result */\nexport interface ReputationSummary {\n total_interactions: number;\n completed: number;\n partial: number;\n failed: number;\n disputed: number;\n contexts: string[];\n time_range: { start: string; end: string };\n aggregate_metrics: Record<string, MetricAggregate>;\n}\n\n/** Portable reputation bundle */\nexport interface ReputationBundle {\n version: \"SANCTUARY_REP_V1\";\n attestations: Attestation[];\n exported_at: string;\n exporter_did: string;\n bundle_signature: string;\n}\n\n// ─── Escrow and Bootstrap ─────────────────────────────────────────────────\n\n/** Escrow for trust bootstrapping */\nexport interface Escrow {\n escrow_id: string;\n transaction_terms: string;\n terms_hash: string;\n collateral_amount?: number;\n counterparty_did: string;\n creator_did: string;\n created_at: string;\n expires_at: string;\n status: \"pending\" | \"active\" | \"released\" | \"disputed\" | \"expired\";\n}\n\n/** Principal guarantee for a new agent */\nexport interface Guarantee {\n guarantee_id: string;\n principal_did: string;\n agent_did: string;\n scope: string;\n max_liability?: number;\n valid_until: string;\n certificate: string; // Signed certificate\n created_at: string;\n}\n\n// ─── Helpers ──────────────────────────────────────────────────────────────\n\nfunction computeMedian(values: number[]): number {\n if (values.length === 0) return 0;\n const sorted = [...values].sort((a, b) => a - b);\n const mid = Math.floor(sorted.length / 2);\n return sorted.length % 2 !== 0\n ? sorted[mid]!\n : (sorted[mid - 1]! + sorted[mid]!) / 2;\n}\n\nfunction aggregateMetrics(\n attestations: StoredAttestation[],\n metricNames?: string[]\n): Record<string, MetricAggregate> {\n const result: Record<string, MetricAggregate> = {};\n\n // Collect all metric names if not specified\n const names =\n metricNames ??\n Array.from(\n new Set(\n attestations.flatMap((a) =>\n Object.keys(a.attestation.data.metrics)\n )\n )\n );\n\n for (const name of names) {\n const values = attestations\n .map((a) => a.attestation.data.metrics[name])\n .filter((v): v is number => v !== undefined);\n\n if (values.length === 0) {\n result[name] = { mean: 0, median: 0, min: 0, max: 0, count: 0 };\n continue;\n }\n\n result[name] = {\n mean: values.reduce((s, v) => s + v, 0) / values.length,\n median: computeMedian(values),\n min: Math.min(...values),\n max: Math.max(...values),\n count: values.length,\n };\n }\n\n return result;\n}\n\n// ─── Reputation Store ─────────────────────────────────────────────────────\n\nexport class ReputationStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l4-reputation\");\n }\n\n /**\n * Record an interaction outcome as a signed attestation.\n */\n async record(\n interactionId: string,\n counterpartyDid: string,\n outcome: InteractionOutcome,\n context: string,\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n counterpartyAttestation?: string,\n sovereigntyTier?: SovereigntyTier\n ): Promise<StoredAttestation> {\n const attestationId = `att-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n // Build the attestation data\n const attestationData: Attestation[\"data\"] = {\n interaction_id: interactionId,\n participant_did: identity.did,\n counterparty_did: counterpartyDid,\n outcome_type: outcome.type,\n outcome_result: outcome.result,\n metrics: outcome.metrics ?? {},\n context,\n timestamp: now,\n sovereignty_tier: sovereigntyTier,\n };\n\n // Sign the attestation data\n const dataBytes = stringToBytes(JSON.stringify(attestationData));\n const signature = sign(\n dataBytes,\n identity.encrypted_private_key,\n identityEncryptionKey\n );\n\n const attestation: Attestation = {\n attestation_id: attestationId,\n schema: \"sanctuary-interaction-v1\",\n data: attestationData,\n signature: toBase64url(signature),\n signer: identity.did,\n };\n\n const stored: StoredAttestation = {\n attestation,\n counterparty_attestation: counterpartyAttestation,\n counterparty_confirmed: !!counterpartyAttestation,\n recorded_at: now,\n };\n\n // Persist encrypted\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_reputation\",\n attestationId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return stored;\n }\n\n /**\n * Query reputation data with filtering.\n * Returns aggregates only — not raw interaction data.\n */\n async query(options: {\n context?: string;\n time_range?: { start: string; end: string };\n metrics?: string[];\n counterparty_did?: string;\n }): Promise<ReputationSummary> {\n const all = await this.loadAll();\n let filtered = all;\n\n if (options.context) {\n filtered = filtered.filter(\n (a) => a.attestation.data.context === options.context\n );\n }\n\n if (options.time_range) {\n const start = new Date(options.time_range.start).getTime();\n const end = new Date(options.time_range.end).getTime();\n filtered = filtered.filter((a) => {\n const t = new Date(a.attestation.data.timestamp).getTime();\n return t >= start && t <= end;\n });\n }\n\n if (options.counterparty_did) {\n filtered = filtered.filter(\n (a) => a.attestation.data.counterparty_did === options.counterparty_did\n );\n }\n\n const contexts = Array.from(\n new Set(filtered.map((a) => a.attestation.data.context))\n );\n\n const timestamps = filtered.map((a) =>\n new Date(a.attestation.data.timestamp).getTime()\n );\n const start = timestamps.length > 0\n ? new Date(Math.min(...timestamps)).toISOString()\n : new Date().toISOString();\n const end = timestamps.length > 0\n ? new Date(Math.max(...timestamps)).toISOString()\n : new Date().toISOString();\n\n return {\n total_interactions: filtered.length,\n completed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"completed\"\n ).length,\n partial: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"partial\"\n ).length,\n failed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"failed\"\n ).length,\n disputed: filtered.filter(\n (a) => a.attestation.data.outcome_result === \"disputed\"\n ).length,\n contexts,\n time_range: { start, end },\n aggregate_metrics: aggregateMetrics(filtered, options.metrics),\n };\n }\n\n /**\n * Export attestations as a portable reputation bundle.\n */\n async exportBundle(\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n context?: string\n ): Promise<ReputationBundle> {\n let all = await this.loadAll();\n\n if (context) {\n all = all.filter((a) => a.attestation.data.context === context);\n }\n\n const attestations = all.map((a) => a.attestation);\n const bundleData = {\n version: \"SANCTUARY_REP_V1\" as const,\n attestations,\n exported_at: new Date().toISOString(),\n exporter_did: identity.did,\n };\n\n // Sign the bundle\n const bundleBytes = stringToBytes(JSON.stringify(bundleData));\n const bundleSignature = sign(\n bundleBytes,\n identity.encrypted_private_key,\n identityEncryptionKey\n );\n\n return {\n ...bundleData,\n bundle_signature: toBase64url(bundleSignature),\n };\n }\n\n /**\n * Import attestations from a reputation bundle.\n * Verifies signatures if requested (default: true).\n *\n * @param publicKeys - Map of DID → public key bytes for signature verification\n */\n async importBundle(\n bundle: ReputationBundle,\n verifySignatures: boolean,\n publicKeys: Map<string, Uint8Array>\n ): Promise<{ imported: number; invalid: number; contexts: string[] }> {\n let imported = 0;\n let invalid = 0;\n const contexts = new Set<string>();\n\n for (const attestation of bundle.attestations) {\n if (verifySignatures) {\n const signerKey = publicKeys.get(attestation.signer);\n if (!signerKey) {\n invalid++;\n continue;\n }\n\n const dataBytes = stringToBytes(\n JSON.stringify(attestation.data)\n );\n const sigBytes = fromBase64url(attestation.signature);\n\n if (!verify(dataBytes, sigBytes, signerKey)) {\n invalid++;\n continue;\n }\n }\n\n // Store the imported attestation\n const stored: StoredAttestation = {\n attestation,\n counterparty_confirmed: false,\n recorded_at: new Date().toISOString(),\n };\n\n const serialized = stringToBytes(JSON.stringify(stored));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_reputation\",\n attestation.attestation_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n imported++;\n contexts.add(attestation.data.context);\n }\n\n return {\n imported,\n invalid,\n contexts: Array.from(contexts),\n };\n }\n\n // ─── Escrow ───────────────────────────────────────────────────────────\n\n /**\n * Create an escrow for trust bootstrapping.\n */\n async createEscrow(\n transactionTerms: string,\n counterpartyDid: string,\n timeoutSeconds: number,\n creatorDid: string,\n collateralAmount?: number\n ): Promise<Escrow> {\n const escrowId = `esc-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date();\n const expiresAt = new Date(now.getTime() + timeoutSeconds * 1000);\n\n // Hash the terms for tamper detection\n const { hashToString } = await import(\"../core/hashing.js\");\n const termsHash = hashToString(stringToBytes(transactionTerms));\n\n const escrow: Escrow = {\n escrow_id: escrowId,\n transaction_terms: transactionTerms,\n terms_hash: termsHash,\n collateral_amount: collateralAmount,\n counterparty_did: counterpartyDid,\n creator_did: creatorDid,\n created_at: now.toISOString(),\n expires_at: expiresAt.toISOString(),\n status: \"pending\",\n };\n\n const serialized = stringToBytes(JSON.stringify(escrow));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_escrows\",\n escrowId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return escrow;\n }\n\n /**\n * Get an escrow by ID.\n */\n async getEscrow(escrowId: string): Promise<Escrow | null> {\n const raw = await this.storage.read(\"_escrows\", escrowId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n\n // ─── Guarantees ─────────────────────────────────────────────────────\n\n /**\n * Create a principal's guarantee for a new agent.\n */\n async createGuarantee(\n principalIdentity: StoredIdentity,\n agentDid: string,\n scope: string,\n durationSeconds: number,\n identityEncryptionKey: Uint8Array,\n maxLiability?: number\n ): Promise<Guarantee> {\n const guaranteeId = `guar-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date();\n const validUntil = new Date(now.getTime() + durationSeconds * 1000);\n\n const certificateData = {\n guarantee_id: guaranteeId,\n principal_did: principalIdentity.did,\n agent_did: agentDid,\n scope,\n max_liability: maxLiability,\n valid_until: validUntil.toISOString(),\n issued_at: now.toISOString(),\n };\n\n // Sign the certificate with the principal's key\n const certBytes = stringToBytes(JSON.stringify(certificateData));\n const signature = sign(\n certBytes,\n principalIdentity.encrypted_private_key,\n identityEncryptionKey\n );\n\n const certificate = toBase64url(\n stringToBytes(\n JSON.stringify({\n ...certificateData,\n signature: toBase64url(signature),\n })\n )\n );\n\n const guarantee: Guarantee = {\n guarantee_id: guaranteeId,\n principal_did: principalIdentity.did,\n agent_did: agentDid,\n scope,\n max_liability: maxLiability,\n valid_until: validUntil.toISOString(),\n certificate,\n created_at: now.toISOString(),\n };\n\n const serialized = stringToBytes(JSON.stringify(guarantee));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_guarantees\",\n guaranteeId,\n stringToBytes(JSON.stringify(encrypted))\n );\n\n return guarantee;\n }\n\n // ─── Tier-Aware Access ───────────────────────────────────────────────\n\n /**\n * Load attestations for tier-weighted scoring.\n * Applies basic context/counterparty filtering, returns full StoredAttestations\n * so callers can access sovereignty_tier from attestation data.\n */\n async loadAllForTierScoring(options?: {\n context?: string;\n counterparty_did?: string;\n }): Promise<StoredAttestation[]> {\n let all = await this.loadAll();\n\n if (options?.context) {\n all = all.filter((a) => a.attestation.data.context === options.context);\n }\n if (options?.counterparty_did) {\n all = all.filter(\n (a) => a.attestation.data.counterparty_did === options.counterparty_did\n );\n }\n\n return all;\n }\n\n // ─── Internal ─────────────────────────────────────────────────────────\n\n private async loadAll(): Promise<StoredAttestation[]> {\n const results: StoredAttestation[] = [];\n\n try {\n const entries = await this.storage.list(\"_reputation\");\n for (const meta of entries) {\n const raw = await this.storage.read(\"_reputation\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n results.push(JSON.parse(bytesToString(decrypted)));\n } catch {\n // Skip corrupted entries\n }\n }\n } catch {\n // Storage not available\n }\n\n return results;\n }\n}\n","/**\n * Sanctuary MCP Server — L4 Verifiable Reputation: Tool Definitions\n *\n * MCP tool wrappers for reputation recording, querying, export/import,\n * and trust bootstrapping (escrow + principal guarantees).\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { ReputationStore, type InteractionOutcome } from \"./reputation-store.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { toBase64url, fromBase64url } from \"../core/encoding.js\";\nimport {\n resolveTier,\n computeWeightedScore,\n tierDistribution,\n TIER_WEIGHTS,\n type TieredAttestation,\n type SovereigntyTier,\n} from \"./tiers.js\";\n\nexport function createL4Tools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n identityManager: IdentityManager,\n auditLog: AuditLog,\n handshakeResults?: Map<string, HandshakeResult>\n): { tools: ToolDefinition[]; reputationStore: ReputationStore } {\n const reputationStore = new ReputationStore(storage, masterKey);\n const identityEncryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n // Default to empty map if no handshake results provided\n const hsResults = handshakeResults ?? new Map<string, HandshakeResult>();\n\n const tools: ToolDefinition[] = [\n // ─── Reputation Recording ─────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_record\",\n description:\n \"Record an interaction outcome as a signed attestation. \" +\n \"Creates an EAS-compatible attestation signed by the specified identity.\",\n inputSchema: {\n type: \"object\",\n properties: {\n interaction_id: {\n type: \"string\",\n description: \"Unique interaction identifier\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Counterparty's DID\",\n },\n outcome: {\n type: \"object\",\n description: \"Interaction outcome\",\n properties: {\n type: {\n type: \"string\",\n enum: [\"transaction\", \"negotiation\", \"service\", \"dispute\", \"custom\"],\n },\n result: {\n type: \"string\",\n enum: [\"completed\", \"partial\", \"failed\", \"disputed\"],\n },\n metrics: {\n type: \"object\",\n description: \"Domain-specific metrics (e.g., fulfillment_rate, response_time_ms)\",\n },\n },\n required: [\"type\", \"result\"],\n },\n context: {\n type: \"string\",\n description: \"Category/domain for context-specific reputation\",\n default: \"general\",\n },\n counterparty_attestation: {\n type: \"string\",\n description: \"Counterparty's signed attestation of the same interaction\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign with (uses default if omitted)\",\n },\n },\n required: [\"interaction_id\", \"counterparty_did\", \"outcome\"],\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const outcome = args.outcome as InteractionOutcome;\n const context = (args.context as string) ?? \"general\";\n\n // Resolve sovereignty tier for the counterparty\n const counterpartyDid = args.counterparty_did as string;\n const hasSanctuaryIdentity = identityManager.list().some(\n (id) => identityManager.get(id.identity_id)?.did === counterpartyDid\n );\n const tierMeta = resolveTier(counterpartyDid, hsResults, hasSanctuaryIdentity);\n\n const stored = await reputationStore.record(\n args.interaction_id as string,\n counterpartyDid,\n outcome,\n context,\n identity,\n identityEncryptionKey,\n args.counterparty_attestation as string | undefined,\n tierMeta.sovereignty_tier\n );\n\n auditLog.append(\"l4\", \"reputation_record\", identity.identity_id, {\n interaction_id: args.interaction_id,\n outcome_type: outcome.type,\n outcome_result: outcome.result,\n context,\n sovereignty_tier: tierMeta.sovereignty_tier,\n });\n\n return toolResult({\n attestation_id: stored.attestation.attestation_id,\n interaction_id: stored.attestation.data.interaction_id,\n self_attestation: stored.attestation.signature,\n counterparty_confirmed: stored.counterparty_confirmed,\n sovereignty_tier: tierMeta.sovereignty_tier,\n context,\n recorded_at: stored.recorded_at,\n });\n },\n },\n\n // ─── Reputation Query ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_query\",\n description:\n \"Query aggregated reputation data with filtering. \" +\n \"Returns summary statistics, never raw interaction details.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"string\",\n description: \"Filter by context/domain\",\n },\n time_range: {\n type: \"object\",\n description: \"Filter by time range\",\n properties: {\n start: { type: \"string\", description: \"ISO 8601 start\" },\n end: { type: \"string\", description: \"ISO 8601 end\" },\n },\n },\n metrics: {\n type: \"array\",\n items: { type: \"string\" },\n description: \"Which metrics to aggregate\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Filter by counterparty\",\n },\n },\n },\n handler: async (args) => {\n const summary = await reputationStore.query({\n context: args.context as string | undefined,\n time_range: args.time_range as\n | { start: string; end: string }\n | undefined,\n metrics: args.metrics as string[] | undefined,\n counterparty_did: args.counterparty_did as string | undefined,\n });\n\n auditLog.append(\"l4\", \"reputation_query\", \"system\", {\n total_interactions: summary.total_interactions,\n contexts: summary.contexts,\n });\n\n return toolResult({\n summary,\n // SEC-ADD-03: Tag response as containing counterparty-generated attestation data\n _content_trust: \"external\",\n });\n },\n },\n\n // ─── Reputation Export ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_export\",\n description:\n \"Export a portable reputation bundle (SANCTUARY_REP_V1). \" +\n \"Includes all signed attestations for independent verification.\",\n inputSchema: {\n type: \"object\",\n properties: {\n format: {\n type: \"string\",\n enum: [\"SANCTUARY_REP_V1\"],\n default: \"SANCTUARY_REP_V1\",\n },\n context: {\n type: \"string\",\n description: \"Export specific context only\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign the bundle with\",\n },\n },\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const context = args.context as string | undefined;\n const bundle = await reputationStore.exportBundle(\n identity,\n identityEncryptionKey,\n context\n );\n\n const bundleJson = JSON.stringify(bundle);\n const bundleBase64 = toBase64url(\n new TextEncoder().encode(bundleJson)\n );\n\n auditLog.append(\"l4\", \"reputation_export\", identity.identity_id, {\n attestation_count: bundle.attestations.length,\n contexts: Array.from(\n new Set(bundle.attestations.map((a) => a.data.context))\n ),\n });\n\n const { hashToString } = await import(\"../core/hashing.js\");\n const { stringToBytes } = await import(\"../core/encoding.js\");\n\n return toolResult({\n bundle: bundleBase64,\n attestation_count: bundle.attestations.length,\n contexts: Array.from(\n new Set(bundle.attestations.map((a) => a.data.context))\n ),\n bundle_hash: hashToString(stringToBytes(bundleJson)),\n exported_at: bundle.exported_at,\n });\n },\n },\n\n // ─── Reputation Import ────────────────────────────────────────────\n\n {\n name: \"sanctuary/reputation_import\",\n description:\n \"Import a reputation bundle from another Sanctuary instance. \" +\n \"Verifies all attestation signatures by default.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bundle: {\n type: \"string\",\n description: \"Base64url-encoded reputation bundle\",\n },\n },\n required: [\"bundle\"],\n },\n handler: async (args) => {\n const bundleBase64 = args.bundle as string;\n // Signature verification is always enforced — no caller override.\n // Allowing callers to skip verification was a prompt-injection footgun.\n const verifySignatures = true;\n\n let bundle;\n try {\n const bundleBytes = fromBase64url(bundleBase64);\n const bundleJson = new TextDecoder().decode(bundleBytes);\n bundle = JSON.parse(bundleJson);\n } catch {\n return toolResult({\n error: \"Invalid bundle format. Expected base64url-encoded JSON.\",\n });\n }\n\n // Build public key map from known identities for verification\n const publicKeys = new Map<string, Uint8Array>();\n for (const pub of identityManager.list()) {\n const identity = identityManager.get(pub.identity_id);\n if (identity) {\n publicKeys.set(identity.did, fromBase64url(identity.public_key));\n }\n }\n\n const result = await reputationStore.importBundle(\n bundle,\n verifySignatures,\n publicKeys\n );\n\n auditLog.append(\"l4\", \"reputation_import\", \"system\", {\n imported: result.imported,\n invalid: result.invalid,\n contexts: result.contexts,\n });\n\n return toolResult({\n imported_attestations: result.imported,\n invalid_attestations: result.invalid,\n contexts: result.contexts,\n imported_at: new Date().toISOString(),\n });\n },\n },\n\n // ─── Sovereignty-Weighted Query ──────────────────────────────────\n\n {\n name: \"sanctuary/reputation_query_weighted\",\n description:\n \"Query reputation with sovereignty-weighted scoring. \" +\n \"Attestations from verified-sovereign agents carry full weight (1.0); \" +\n \"unverified attestations carry reduced weight (0.2). \" +\n \"Returns both the weighted score and tier distribution.\",\n inputSchema: {\n type: \"object\",\n properties: {\n metric: {\n type: \"string\",\n description: \"Which metric to compute the weighted score for\",\n },\n context: {\n type: \"string\",\n description: \"Filter by context/domain\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Filter by counterparty\",\n },\n },\n required: [\"metric\"],\n },\n handler: async (args) => {\n const summary = await reputationStore.query({\n context: args.context as string | undefined,\n counterparty_did: args.counterparty_did as string | undefined,\n });\n\n // Get the raw attestations for tier-aware scoring\n // We use the internal loadAllForTierScoring method\n const allAttestations = await reputationStore.loadAllForTierScoring({\n context: args.context as string | undefined,\n counterparty_did: args.counterparty_did as string | undefined,\n });\n\n const metric = args.metric as string;\n\n // Build tiered attestations for scoring\n const tieredAttestations: TieredAttestation[] = allAttestations\n .filter((a) => a.attestation.data.metrics[metric] !== undefined)\n .map((a) => ({\n value: a.attestation.data.metrics[metric]!,\n tier: (a.attestation.data.sovereignty_tier ?? \"unverified\") as SovereigntyTier,\n }));\n\n const weightedScore = computeWeightedScore(tieredAttestations);\n\n // Compute tier distribution\n const tiers = allAttestations.map(\n (a) => (a.attestation.data.sovereignty_tier ?? \"unverified\") as SovereigntyTier\n );\n const dist = tierDistribution(tiers);\n\n auditLog.append(\"l4\", \"reputation_query_weighted\", \"system\", {\n metric,\n attestation_count: tieredAttestations.length,\n weighted_score: weightedScore,\n });\n\n return toolResult({\n metric,\n weighted_score: weightedScore,\n attestation_count: tieredAttestations.length,\n tier_distribution: dist,\n tier_weights: TIER_WEIGHTS,\n unweighted_summary: summary,\n });\n },\n },\n\n // ─── Trust Bootstrap: Escrow ──────────────────────────────────────\n\n {\n name: \"sanctuary/bootstrap_create_escrow\",\n description:\n \"Create an escrow record for trust bootstrapping. \" +\n \"Allows new participants with no reputation to transact safely.\",\n inputSchema: {\n type: \"object\",\n properties: {\n transaction_terms: {\n type: \"string\",\n description: \"Description of the transaction\",\n },\n collateral_amount: {\n type: \"number\",\n description: \"Optional stake/collateral amount\",\n },\n counterparty_did: {\n type: \"string\",\n description: \"Counterparty's DID\",\n },\n timeout_seconds: {\n type: \"number\",\n description: \"Escrow timeout in seconds\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity creating the escrow\",\n },\n },\n required: [\"transaction_terms\", \"counterparty_did\", \"timeout_seconds\"],\n },\n handler: async (args) => {\n const identityId = args.identity_id as string | undefined;\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return toolResult({\n error: \"No identity found. Create one with identity_create first.\",\n });\n }\n\n const escrow = await reputationStore.createEscrow(\n args.transaction_terms as string,\n args.counterparty_did as string,\n args.timeout_seconds as number,\n identity.did,\n args.collateral_amount as number | undefined\n );\n\n auditLog.append(\"l4\", \"bootstrap_create_escrow\", identity.identity_id, {\n escrow_id: escrow.escrow_id,\n counterparty_did: args.counterparty_did,\n timeout_seconds: args.timeout_seconds,\n });\n\n return toolResult({\n escrow_id: escrow.escrow_id,\n terms_hash: escrow.terms_hash,\n created_at: escrow.created_at,\n expires_at: escrow.expires_at,\n status: escrow.status,\n });\n },\n },\n\n // ─── Trust Bootstrap: Guarantee ───────────────────────────────────\n\n {\n name: \"sanctuary/bootstrap_provide_guarantee\",\n description:\n \"A principal provides a signed reputation guarantee for a new agent. \" +\n \"The guarantee certificate can be presented to counterparties.\",\n inputSchema: {\n type: \"object\",\n properties: {\n principal_identity_id: {\n type: \"string\",\n description: \"Identity of the guarantor (principal)\",\n },\n agent_identity_id: {\n type: \"string\",\n description: \"Identity of the agent being guaranteed\",\n },\n scope: {\n type: \"string\",\n description: \"What the guarantee covers\",\n },\n duration_seconds: {\n type: \"number\",\n description: \"How long the guarantee is valid\",\n },\n max_liability: {\n type: \"number\",\n description: \"Maximum liability amount\",\n },\n },\n required: [\n \"principal_identity_id\",\n \"agent_identity_id\",\n \"scope\",\n \"duration_seconds\",\n ],\n },\n handler: async (args) => {\n const principalIdentity = identityManager.get(\n args.principal_identity_id as string\n );\n const agentIdentity = identityManager.get(\n args.agent_identity_id as string\n );\n\n if (!principalIdentity) {\n return toolResult({\n error: `Principal identity \"${args.principal_identity_id}\" not found.`,\n });\n }\n if (!agentIdentity) {\n return toolResult({\n error: `Agent identity \"${args.agent_identity_id}\" not found.`,\n });\n }\n\n const guarantee = await reputationStore.createGuarantee(\n principalIdentity,\n agentIdentity.did,\n args.scope as string,\n args.duration_seconds as number,\n identityEncryptionKey,\n args.max_liability as number | undefined\n );\n\n auditLog.append(\n \"l4\",\n \"bootstrap_provide_guarantee\",\n principalIdentity.identity_id,\n {\n guarantee_id: guarantee.guarantee_id,\n agent_did: agentIdentity.did,\n scope: args.scope,\n }\n );\n\n return toolResult({\n guarantee_id: guarantee.guarantee_id,\n guarantee_certificate: guarantee.certificate,\n scope: guarantee.scope,\n valid_until: guarantee.valid_until,\n });\n },\n },\n ];\n\n return { tools, reputationStore };\n}\n","/**\n * Sanctuary MCP Server — Sovereignty-Gated Reputation Tiers\n *\n * Attestations carry a sovereignty_tier field reflecting the signer's\n * sovereignty posture at the time of recording. When querying or evaluating\n * reputation, attestations from verified-sovereign agents carry more weight\n * than those from unverified agents.\n *\n * Tier hierarchy (descending credibility):\n * 1. \"verified-sovereign\" — signer completed a handshake with full sovereignty\n * 2. \"verified-degraded\" — signer completed a handshake with degraded sovereignty\n * 3. \"self-attested\" — signer has a Sanctuary identity but no handshake verification\n * 4. \"unverified\" — no Sanctuary identity or sovereignty proof\n *\n * Weight multipliers are applied during reputation scoring. They are NOT\n * gatekeeping — unverified attestations still count, just less.\n */\n\nimport type { HandshakeResult, TrustTier } from \"../handshake/types.js\";\n\n// ── Tier Types ──────────────────────────────────────────────────────\n\nexport type SovereigntyTier =\n | \"verified-sovereign\"\n | \"verified-degraded\"\n | \"self-attested\"\n | \"unverified\";\n\n/** Weight multipliers for each tier */\nexport const TIER_WEIGHTS: Record<SovereigntyTier, number> = {\n \"verified-sovereign\": 1.0,\n \"verified-degraded\": 0.8,\n \"self-attested\": 0.5,\n \"unverified\": 0.2,\n};\n\n/** Tier metadata embedded in attestations */\nexport interface TierMetadata {\n sovereignty_tier: SovereigntyTier;\n /** If verified, the handshake that established it */\n handshake_completed_at?: string;\n /** Counterparty ID from handshake (if applicable) */\n verified_by?: string;\n}\n\n// ── Tier Resolution ─────────────────────────────────────────────────\n\n/**\n * Resolve the sovereignty tier for a counterparty based on handshake history.\n *\n * @param counterpartyId - The counterparty's instance ID\n * @param handshakeResults - Map of counterparty ID → most recent handshake result\n * @param hasSanctuaryIdentity - Whether the counterparty has a known Sanctuary identity\n * @returns TierMetadata for embedding in attestations\n */\nexport function resolveTier(\n counterpartyId: string,\n handshakeResults: Map<string, HandshakeResult>,\n hasSanctuaryIdentity: boolean\n): TierMetadata {\n const handshake = handshakeResults.get(counterpartyId);\n\n if (handshake && handshake.verified) {\n // Check if handshake has expired\n const expiresAt = new Date(handshake.expires_at);\n if (expiresAt > new Date()) {\n return {\n sovereignty_tier: handshake.trust_tier as SovereigntyTier,\n handshake_completed_at: handshake.completed_at,\n verified_by: handshake.counterparty_id,\n };\n }\n // Expired handshake — fall through to self-attested or unverified\n }\n\n if (hasSanctuaryIdentity) {\n return { sovereignty_tier: \"self-attested\" };\n }\n\n return { sovereignty_tier: \"unverified\" };\n}\n\n/**\n * Map a trust tier from a handshake result to a sovereignty tier.\n */\nexport function trustTierToSovereigntyTier(trustTier: TrustTier): SovereigntyTier {\n switch (trustTier) {\n case \"verified-sovereign\":\n return \"verified-sovereign\";\n case \"verified-degraded\":\n return \"verified-degraded\";\n default:\n return \"unverified\";\n }\n}\n\n// ── Weighted Scoring ────────────────────────────────────────────────\n\n/** An attestation with its tier for weighted scoring */\nexport interface TieredAttestation {\n /** The raw metric value */\n value: number;\n /** The sovereignty tier of the attestation signer */\n tier: SovereigntyTier;\n}\n\n/**\n * Compute a weighted reputation score from tiered attestations.\n *\n * Each attestation's contribution is multiplied by its tier weight.\n * The result is normalized by total weight (not count), so adding\n * low-tier attestations doesn't dilute high-tier ones.\n *\n * @param attestations - Array of value + tier pairs\n * @returns Weighted score, or null if no attestations\n */\nexport function computeWeightedScore(\n attestations: TieredAttestation[]\n): number | null {\n if (attestations.length === 0) return null;\n\n let weightedSum = 0;\n let totalWeight = 0;\n\n for (const a of attestations) {\n const weight = TIER_WEIGHTS[a.tier];\n weightedSum += a.value * weight;\n totalWeight += weight;\n }\n\n return totalWeight > 0 ? weightedSum / totalWeight : null;\n}\n\n/**\n * Compute a tier distribution summary for a set of attestations.\n */\nexport function tierDistribution(\n tiers: SovereigntyTier[]\n): Record<SovereigntyTier, number> {\n const dist: Record<SovereigntyTier, number> = {\n \"verified-sovereign\": 0,\n \"verified-degraded\": 0,\n \"self-attested\": 0,\n \"unverified\": 0,\n };\n\n for (const tier of tiers) {\n dist[tier]++;\n }\n\n return dist;\n}\n","/**\n * Sanctuary MCP Server — Principal Policy Loader\n *\n * Loads the Principal Policy from a YAML file at server startup.\n * The policy is immutable at runtime — no MCP tool can modify it.\n *\n * Security invariant:\n * - The policy is loaded ONCE at startup and frozen.\n * - No code path exists to modify the policy during a session.\n * - If no policy file exists, a sensible default is generated and saved.\n */\n\nimport { readFile, writeFile, chmod } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport type { PrincipalPolicy, Tier2Config, ApprovalChannelConfig } from \"./types.js\";\n\n/** Default Tier 2 anomaly configuration */\nconst DEFAULT_TIER2: Tier2Config = {\n new_namespace_access: \"approve\",\n new_counterparty: \"approve\",\n frequency_spike_multiplier: 5,\n max_signs_per_minute: 10,\n bulk_read_threshold: 20,\n first_session_policy: \"approve\",\n};\n\n/** Default approval channel */\nconst DEFAULT_CHANNEL: ApprovalChannelConfig = {\n type: \"stderr\",\n timeout_seconds: 300,\n // SEC-002: auto_deny is not configurable. Timeout always denies.\n // Field omitted intentionally — all channels hardcode deny on timeout.\n};\n\n/** Default Principal Policy — provides meaningful protection without configuration */\nexport const DEFAULT_POLICY: PrincipalPolicy = {\n version: 1,\n tier1_always_approve: [\n \"state_export\",\n \"state_import\",\n \"state_delete\",\n \"identity_rotate\",\n \"reputation_import\",\n \"reputation_export\",\n \"bootstrap_provide_guarantee\",\n \"decommission_certificate\",\n ],\n tier2_anomaly: DEFAULT_TIER2,\n tier3_always_allow: [\n \"state_read\",\n \"state_write\",\n \"state_list\",\n \"identity_create\",\n \"identity_list\",\n \"identity_sign\",\n \"identity_verify\",\n \"proof_commitment\",\n \"proof_reveal\",\n \"disclosure_set_policy\",\n \"disclosure_evaluate\",\n \"reputation_record\",\n \"reputation_query\",\n \"bootstrap_create_escrow\",\n \"exec_attest\",\n \"monitor_health\",\n \"monitor_audit_log\",\n \"manifest\",\n \"principal_policy_view\",\n \"principal_baseline_view\",\n \"shr_generate\",\n \"shr_verify\",\n \"handshake_initiate\",\n \"handshake_respond\",\n \"handshake_complete\",\n \"handshake_status\",\n \"reputation_query_weighted\",\n \"federation_peers\",\n \"federation_trust_evaluate\",\n \"federation_status\",\n \"zk_commit\",\n \"zk_prove\",\n \"zk_verify\",\n \"zk_range_prove\",\n \"zk_range_verify\",\n \"context_gate_set_policy\",\n \"context_gate_apply_template\",\n \"context_gate_recommend\",\n \"context_gate_filter\",\n \"context_gate_list_policies\",\n \"l2_hardening_status\",\n \"l2_verify_isolation\",\n \"sovereignty_audit\",\n \"shr_gateway_export\",\n \"bridge_commit\",\n \"bridge_verify\",\n \"bridge_attest\",\n ],\n approval_channel: DEFAULT_CHANNEL,\n};\n\n/**\n * Extract the operation name from a full MCP tool name.\n * \"sanctuary/state_export\" → \"state_export\"\n */\nexport function extractOperationName(toolName: string): string {\n return toolName.startsWith(\"sanctuary/\")\n ? toolName.slice(\"sanctuary/\".length)\n : toolName;\n}\n\n/**\n * Parse a YAML-like policy file into a PrincipalPolicy.\n *\n * We use a simple line-based parser rather than a YAML library\n * to avoid adding a dependency for a straightforward config format.\n * The policy file supports a subset of YAML: scalars, lists, and\n * one level of nesting.\n *\n * For robustness, we also accept JSON.\n */\nexport function parsePolicy(content: string): PrincipalPolicy {\n const trimmed = content.trim();\n\n // Try JSON first\n if (trimmed.startsWith(\"{\")) {\n const parsed = JSON.parse(trimmed);\n return validatePolicy(parsed);\n }\n\n // Simple YAML-subset parser\n const policy: Record<string, unknown> = {};\n let currentKey: string | null = null;\n let currentList: string[] | null = null;\n let currentObject: Record<string, unknown> | null = null;\n\n for (const rawLine of trimmed.split(\"\\n\")) {\n const line = rawLine.split(\"#\")[0]!; // Strip comments\n if (line.trim() === \"\") continue;\n\n const indent = line.length - line.trimStart().length;\n const stripped = line.trim();\n\n if (indent === 0 && stripped.includes(\":\")) {\n // Top-level key\n if (currentKey && currentList) {\n policy[currentKey] = currentList;\n } else if (currentKey && currentObject) {\n policy[currentKey] = currentObject;\n }\n\n const colonIdx = stripped.indexOf(\":\");\n const key = stripped.slice(0, colonIdx).trim();\n const value = stripped.slice(colonIdx + 1).trim();\n\n if (value === \"\" || value === \"|\") {\n currentKey = key;\n currentList = null;\n currentObject = null;\n } else {\n policy[key] = parseScalar(value);\n currentKey = null;\n currentList = null;\n currentObject = null;\n }\n } else if (indent > 0 && stripped.startsWith(\"- \")) {\n // List item\n if (!currentList) currentList = [];\n currentList.push(stripped.slice(2).trim().split(/\\s+/)[0]!); // Take first word (before comments)\n } else if (indent > 0 && stripped.includes(\":\")) {\n // Nested key-value\n if (!currentObject) currentObject = {};\n const colonIdx = stripped.indexOf(\":\");\n const key = stripped.slice(0, colonIdx).trim();\n const value = stripped.slice(colonIdx + 1).trim();\n currentObject[key] = parseScalar(value.split(/\\s+/)[0]!); // First word before comments\n }\n }\n\n // Flush last block\n if (currentKey && currentList) {\n policy[currentKey] = currentList;\n } else if (currentKey && currentObject) {\n policy[currentKey] = currentObject;\n }\n\n return validatePolicy(policy);\n}\n\nfunction parseScalar(value: string): string | number | boolean {\n if (value === \"true\") return true;\n if (value === \"false\") return false;\n const num = Number(value);\n if (!isNaN(num) && value !== \"\") return num;\n return value.replace(/^[\"']|[\"']$/g, \"\");\n}\n\nfunction validatePolicy(raw: Record<string, unknown>): PrincipalPolicy {\n // Merge tier3: user's list + any new defaults added in later versions.\n // This ensures upgrades automatically include new read-only tools\n // without requiring operators to manually edit their policy file.\n const userTier3 = (raw.tier3_always_allow as string[]) ?? [];\n const mergedTier3 = [\n ...new Set([...userTier3, ...DEFAULT_POLICY.tier3_always_allow]),\n ];\n\n return {\n version: (raw.version as number) ?? 1,\n tier1_always_approve:\n (raw.tier1_always_approve as string[]) ?? DEFAULT_POLICY.tier1_always_approve,\n tier2_anomaly: {\n ...DEFAULT_TIER2,\n ...((raw.tier2_anomaly as Record<string, unknown>) ?? {}),\n } as Tier2Config,\n tier3_always_allow: mergedTier3,\n approval_channel: (() => {\n const merged = {\n ...DEFAULT_CHANNEL,\n ...((raw.approval_channel as Record<string, unknown>) ?? {}),\n } as ApprovalChannelConfig;\n // SEC-002: Strip auto_deny from user-supplied policy.\n // Timeout always denies — this is not configurable.\n delete merged.auto_deny;\n return merged;\n })(),\n };\n}\n\n/**\n * Generate the default policy file content as YAML.\n */\nfunction generateDefaultPolicyYaml(): string {\n return `# Sanctuary Principal Policy v1\n# This file controls what your agent can do without asking.\n# Edit this file directly. Your agent cannot modify it.\n# Changes take effect on server restart.\n\nversion: 1\n\n# ─── Tier 1: Always Requires Approval ────────────────────────────────────\n# These operations ALWAYS require your explicit approval.\n# They are inherently high-risk regardless of context.\ntier1_always_approve:\n - state_export\n - state_import\n - state_delete\n - identity_rotate\n - reputation_import\n - reputation_export\n - bootstrap_provide_guarantee\n\n# ─── Tier 2: Behavioral Anomaly Detection ────────────────────────────────\n# Triggers approval when agent behavior deviates from its baseline.\n# Options for each setting: approve | log | allow\ntier2_anomaly:\n new_namespace_access: approve\n new_counterparty: approve\n frequency_spike_multiplier: 5\n max_signs_per_minute: 10\n bulk_read_threshold: 20\n first_session_policy: approve\n\n# ─── Tier 3: Always Allowed (Audit Only) ─────────────────────────────────\n# These operations never require approval but are always logged.\ntier3_always_allow:\n - state_read\n - state_write\n - state_list\n - identity_create\n - identity_list\n - identity_sign\n - identity_verify\n - proof_commitment\n - proof_reveal\n - disclosure_set_policy\n - disclosure_evaluate\n - reputation_record\n - reputation_query\n - bootstrap_create_escrow\n - exec_attest\n - monitor_health\n - monitor_audit_log\n - manifest\n - principal_policy_view\n - principal_baseline_view\n - shr_generate\n - shr_verify\n - handshake_initiate\n - handshake_respond\n - handshake_complete\n - handshake_status\n - reputation_query_weighted\n - federation_peers\n - federation_trust_evaluate\n - federation_status\n - zk_commit\n - zk_prove\n - zk_verify\n - zk_range_prove\n - zk_range_verify\n - context_gate_set_policy\n - context_gate_apply_template\n - context_gate_recommend\n - context_gate_filter\n - context_gate_list_policies\n - sovereignty_audit\n - shr_gateway_export\n - bridge_commit\n - bridge_verify\n - bridge_attest\n\n# ─── Approval Channel ────────────────────────────────────────────────────\n# How Sanctuary reaches you when approval is needed.\n# NOTE: Timeout always results in denial. This is not configurable (SEC-002).\napproval_channel:\n type: stderr\n timeout_seconds: 300\n`;\n}\n\n/**\n * Load the Principal Policy from disk.\n * If no policy file exists, generate the default and save it.\n * The returned policy is frozen — immutable at runtime.\n */\nexport async function loadPrincipalPolicy(\n storagePath: string\n): Promise<PrincipalPolicy> {\n const policyPath = join(storagePath, \"principal-policy.yaml\");\n\n try {\n const content = await readFile(policyPath, \"utf-8\");\n const policy = parsePolicy(content);\n return Object.freeze(policy);\n } catch {\n // No policy file — generate default\n const defaultYaml = generateDefaultPolicyYaml();\n try {\n await writeFile(policyPath, defaultYaml, \"utf-8\");\n await chmod(policyPath, 0o600);\n } catch {\n // Can't write — use default in memory\n }\n return Object.freeze({ ...DEFAULT_POLICY });\n }\n}\n","/**\n * Sanctuary MCP Server — Behavioral Baseline Tracker\n *\n * Tracks the agent's behavioral profile during a session and persists\n * it for cross-session anomaly detection. The baseline defines \"normal\"\n * so that deviations can trigger Tier 2 approval.\n *\n * Security invariants:\n * - Baseline is stored encrypted under L1 sovereignty\n * - Baseline changes are audit-logged\n * - Baseline is integrity-verified via L1 Merkle tree\n * - No MCP tool can directly modify the baseline\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString } from \"../core/encoding.js\";\nimport type { SessionProfile } from \"./types.js\";\n\nconst BASELINE_NAMESPACE = \"_principal\";\nconst BASELINE_KEY = \"session-baseline\";\n\nexport class BaselineTracker {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private profile: SessionProfile;\n\n /** Sliding window: timestamps of tool calls per tool name (last 60s) */\n private callWindows: Map<string, number[]> = new Map();\n\n /** Sliding window: read counts per namespace (last 60s) */\n private readWindows: Map<string, number[]> = new Map();\n\n /** Sliding window: sign call timestamps (last 60s) */\n private signWindow: number[] = [];\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"principal-baseline\");\n this.profile = {\n known_namespaces: [],\n known_counterparties: [],\n tool_call_counts: {},\n is_first_session: true,\n started_at: new Date().toISOString(),\n };\n }\n\n /**\n * Load the previous session's baseline from storage.\n * If none exists, this is a first session.\n */\n async load(): Promise<void> {\n try {\n const raw = await this.storage.read(BASELINE_NAMESPACE, BASELINE_KEY);\n if (!raw) return;\n\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const saved: SessionProfile = JSON.parse(bytesToString(decrypted));\n\n // Carry forward known namespaces and counterparties\n this.profile.known_namespaces = saved.known_namespaces ?? [];\n this.profile.known_counterparties = saved.known_counterparties ?? [];\n this.profile.is_first_session = false;\n } catch {\n // No prior baseline or corrupted — treat as first session\n this.profile.is_first_session = true;\n }\n }\n\n /**\n * Save the current baseline to storage (encrypted).\n * Called at session end or periodically.\n */\n async save(): Promise<void> {\n this.profile.saved_at = new Date().toISOString();\n const serialized = stringToBytes(JSON.stringify(this.profile));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n BASELINE_NAMESPACE,\n BASELINE_KEY,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n /**\n * Record a tool call for baseline tracking.\n * Returns anomaly information if applicable.\n */\n recordToolCall(toolName: string): void {\n const now = Date.now();\n\n // Track total call count\n this.profile.tool_call_counts[toolName] =\n (this.profile.tool_call_counts[toolName] ?? 0) + 1;\n\n // Track call rate (60-second sliding window)\n if (!this.callWindows.has(toolName)) {\n this.callWindows.set(toolName, []);\n }\n const window = this.callWindows.get(toolName)!;\n window.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (window.length > 0 && window[0]! < cutoff) {\n window.shift();\n }\n }\n\n /**\n * Record a namespace access.\n * @returns true if this is a new namespace (not in baseline)\n */\n recordNamespaceAccess(namespace: string): boolean {\n // Skip internal namespaces — these are Sanctuary's own storage\n if (namespace.startsWith(\"_\")) return false;\n\n const isNew = !this.profile.known_namespaces.includes(namespace);\n if (isNew) {\n this.profile.known_namespaces.push(namespace);\n }\n return isNew;\n }\n\n /**\n * Record a namespace read for bulk-read detection.\n * @returns the number of reads in the current 60-second window\n */\n recordNamespaceRead(namespace: string): number {\n const now = Date.now();\n\n if (!this.readWindows.has(namespace)) {\n this.readWindows.set(namespace, []);\n }\n const window = this.readWindows.get(namespace)!;\n window.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (window.length > 0 && window[0]! < cutoff) {\n window.shift();\n }\n\n return window.length;\n }\n\n /**\n * Record a counterparty DID interaction.\n * @returns true if this is a new counterparty (not in baseline)\n */\n recordCounterparty(did: string): boolean {\n const isNew = !this.profile.known_counterparties.includes(did);\n if (isNew) {\n this.profile.known_counterparties.push(did);\n }\n return isNew;\n }\n\n /**\n * Record a signing operation.\n * @returns the number of signs in the current 60-second window\n */\n recordSign(): number {\n const now = Date.now();\n this.signWindow.push(now);\n\n // Prune entries older than 60 seconds\n const cutoff = now - 60_000;\n while (this.signWindow.length > 0 && this.signWindow[0]! < cutoff) {\n this.signWindow.shift();\n }\n\n return this.signWindow.length;\n }\n\n /**\n * Get the current call rate for a tool (calls per minute).\n */\n getCallRate(toolName: string): number {\n return this.callWindows.get(toolName)?.length ?? 0;\n }\n\n /**\n * Get the average call rate across all tools in the baseline.\n */\n getAverageCallRate(): number {\n let total = 0;\n let count = 0;\n for (const window of this.callWindows.values()) {\n total += window.length;\n count++;\n }\n return count > 0 ? total / count : 0;\n }\n\n /** Whether this is the first session */\n get isFirstSession(): boolean {\n return this.profile.is_first_session;\n }\n\n /** Get a read-only view of the current profile */\n getProfile(): SessionProfile {\n return { ...this.profile };\n }\n}\n","/**\n * Sanctuary MCP Server — Approval Channel\n *\n * Out-of-band communication with the human principal for operation approval.\n * The default channel uses stderr (outside MCP's stdin/stdout protocol),\n * ensuring the agent cannot intercept or forge approval responses.\n *\n * Security invariant:\n * - Approval prompts go through a channel the agent cannot access.\n * - Timeouts result in denial by default (fail closed).\n */\n\nimport type {\n ApprovalRequest,\n ApprovalResponse,\n ApprovalChannelConfig,\n} from \"./types.js\";\n\n/** Abstract approval channel interface */\nexport interface ApprovalChannel {\n requestApproval(request: ApprovalRequest): Promise<ApprovalResponse>;\n}\n\n/**\n * Stderr approval channel — non-interactive informational channel.\n *\n * In the MCP stdio model:\n * - stdin/stdout carry the MCP protocol (JSON-RPC)\n * - stderr is available for out-of-band human communication\n *\n * Because stdin is consumed by the MCP JSON-RPC transport, this channel\n * CANNOT read interactive human input. It is strictly informational:\n * the prompt is displayed so the human sees what is happening, and the\n * operation is denied immediately.\n *\n * SEC-002 + SEC-016 invariants:\n * - This channel ALWAYS denies. No configuration can change this.\n * - There is no timeout or async delay — denial is synchronous.\n * - The `auto_deny` config field is ignored (SEC-002).\n * - For interactive approval, use the dashboard or webhook channel.\n */\nexport class StderrApprovalChannel implements ApprovalChannel {\n\n constructor(_config: ApprovalChannelConfig) {\n }\n\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n // Format and emit the informational prompt\n const prompt = this.formatPrompt(request);\n process.stderr.write(prompt + \"\\n\");\n\n // SEC-016: No setTimeout, no async delay, no timing window.\n // The stderr channel cannot read human input (stdin is used by MCP protocol).\n // Deny immediately. This is strictly stronger than SEC-002's \"timeout always\n // denies\" invariant — there is no timeout to exploit at all.\n //\n // SEC-002: No configuration (including auto_deny: false) can change this.\n return {\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"stderr:non-interactive\",\n };\n }\n\n private formatPrompt(request: ApprovalRequest): string {\n const tierLabel =\n request.tier === 1\n ? \"Tier 1 — always requires approval\"\n : \"Tier 2 — behavioral anomaly detected\";\n\n const contextLines = Object.entries(request.context)\n .map(([k, v]) => ` ${k}: ${typeof v === \"string\" ? v : JSON.stringify(v)}`)\n .join(\"\\n\");\n\n return [\n \"\",\n \"╔══════════════════════════════════════════════════════════════════╗\",\n \"║ SANCTUARY: Operation Denied (non-interactive channel) ║\",\n \"╠══════════════════════════════════════════════════════════════════╣\",\n `║ Operation: ${request.operation.padEnd(50)}║`,\n `║ ${tierLabel.padEnd(62)}║`,\n `║ Reason: ${request.reason.slice(0, 50).padEnd(50)}║`,\n \"║ ║\",\n `║ Details: ║`,\n ...contextLines.split(\"\\n\").map(\n (line) => `║ ${line.padEnd(60)}║`\n ),\n \"║ ║\",\n \"║ Denied: stderr channel cannot accept input (SEC-016) ║\",\n \"║ Use dashboard or webhook channel for interactive approval. ║\",\n \"╚══════════════════════════════════════════════════════════════════╝\",\n \"\",\n ].join(\"\\n\");\n }\n}\n\n/**\n * Programmatic approval channel — for testing and API integration.\n */\nexport class CallbackApprovalChannel implements ApprovalChannel {\n private callback: (request: ApprovalRequest) => Promise<ApprovalResponse>;\n\n constructor(\n callback: (request: ApprovalRequest) => Promise<ApprovalResponse>\n ) {\n this.callback = callback;\n }\n\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n return this.callback(request);\n }\n}\n\n/**\n * Auto-approve channel — for testing. Approves everything.\n */\nexport class AutoApproveChannel implements ApprovalChannel {\n async requestApproval(_request: ApprovalRequest): Promise<ApprovalResponse> {\n return {\n decision: \"approve\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Principal Dashboard HTML Template\n *\n * Embedded single-page HTML/CSS/JS for the Principal Dashboard.\n * No build step, no external dependencies, no CDN imports.\n * Served as a single HTML document by the DashboardApprovalChannel.\n *\n * Design: Dark, minimal, terminal-feel (Grafana dark mode aesthetic)\n * Architecture:\n * - Top status bar (fixed, always visible)\n * - Main content area: live activity feed (60%) + protection status sidebar (40%)\n * - Pending approvals: overlay panel that slides in from right when needed\n * - Threat panel: collapsible footer section\n * - SSE for real-time updates\n * - SEC-012: Auth via Authorization header + short-lived sessions\n */\n\n/**\n * Generate the login page HTML for unauthenticated browser access.\n * Provides a clean token input form that exchanges the token for a session cookie.\n */\nexport function generateLoginHTML(options: {\n serverVersion: string;\n}): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Sanctuary — Login</title>\n<link href=\"https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&display=swap\" rel=\"stylesheet\">\n<style>\n :root {\n --bg: #0d1117;\n --surface: #161b22;\n --border: #30363d;\n --text-primary: #e6edf3;\n --text-secondary: #8b949e;\n --green: #3fb950;\n --red: #f85149;\n --blue: #58a6ff;\n --mono: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;\n --sans: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;\n --radius: 6px;\n }\n * { box-sizing: border-box; margin: 0; padding: 0; }\n html, body { width: 100%; height: 100%; }\n body {\n font-family: var(--sans);\n background: var(--bg);\n color: var(--text-primary);\n display: flex;\n align-items: center;\n justify-content: center;\n }\n .login-container {\n width: 100%;\n max-width: 400px;\n padding: 40px 32px;\n background: var(--surface);\n border: 1px solid var(--border);\n border-radius: 12px;\n }\n .login-logo {\n text-align: center;\n font-size: 20px;\n font-weight: 700;\n letter-spacing: -0.5px;\n margin-bottom: 8px;\n }\n .login-logo span { color: var(--blue); }\n .login-version {\n text-align: center;\n font-size: 11px;\n color: var(--text-secondary);\n font-family: var(--mono);\n margin-bottom: 32px;\n }\n .login-label {\n display: block;\n font-size: 13px;\n font-weight: 600;\n color: var(--text-secondary);\n margin-bottom: 8px;\n }\n .login-input {\n width: 100%;\n padding: 10px 14px;\n background: var(--bg);\n border: 1px solid var(--border);\n border-radius: var(--radius);\n color: var(--text-primary);\n font-family: var(--mono);\n font-size: 14px;\n outline: none;\n transition: border-color 0.15s;\n }\n .login-input:focus { border-color: var(--blue); }\n .login-input::placeholder { color: var(--text-secondary); opacity: 0.5; }\n .login-btn {\n width: 100%;\n margin-top: 20px;\n padding: 10px;\n background: var(--blue);\n color: var(--bg);\n border: none;\n border-radius: var(--radius);\n font-size: 14px;\n font-weight: 600;\n cursor: pointer;\n transition: opacity 0.15s;\n font-family: var(--sans);\n }\n .login-btn:hover { opacity: 0.9; }\n .login-btn:disabled { opacity: 0.5; cursor: not-allowed; }\n .login-error {\n margin-top: 16px;\n padding: 10px 14px;\n background: rgba(248, 81, 73, 0.1);\n border: 1px solid var(--red);\n border-radius: var(--radius);\n font-size: 12px;\n color: var(--red);\n display: none;\n }\n .login-hint {\n margin-top: 24px;\n padding-top: 16px;\n border-top: 1px solid var(--border);\n font-size: 11px;\n color: var(--text-secondary);\n line-height: 1.5;\n }\n .login-hint code {\n font-family: var(--mono);\n background: var(--bg);\n padding: 1px 4px;\n border-radius: 3px;\n font-size: 10px;\n }\n</style>\n</head>\n<body>\n<div class=\"login-container\">\n <div class=\"login-logo\"><span>&#9670;</span> SANCTUARY</div>\n <div class=\"login-version\">Principal Dashboard v${options.serverVersion}</div>\n <form id=\"loginForm\" onsubmit=\"return handleLogin(event)\">\n <label class=\"login-label\" for=\"tokenInput\">Dashboard Auth Token</label>\n <input class=\"login-input\" type=\"password\" id=\"tokenInput\"\n placeholder=\"Enter your auth token\" autocomplete=\"off\" autofocus required>\n <button class=\"login-btn\" type=\"submit\" id=\"loginBtn\">Open Dashboard</button>\n </form>\n <div class=\"login-error\" id=\"loginError\"></div>\n <div class=\"login-hint\">\n Your token is set via <code>SANCTUARY_DASHBOARD_AUTH_TOKEN</code> environment variable,\n or check your server's startup output.\n </div>\n</div>\n<script>\nasync function handleLogin(e) {\n e.preventDefault();\n var btn = document.getElementById('loginBtn');\n var errEl = document.getElementById('loginError');\n var token = document.getElementById('tokenInput').value.trim();\n if (!token) return false;\n btn.disabled = true;\n btn.textContent = 'Authenticating...';\n errEl.style.display = 'none';\n try {\n var resp = await fetch('/auth/session', {\n method: 'POST',\n headers: { 'Authorization': 'Bearer ' + token }\n });\n if (!resp.ok) {\n var data = await resp.json().catch(function() { return {}; });\n throw new Error(data.error || 'Authentication failed');\n }\n var result = await resp.json();\n // Store token in sessionStorage for auto-renewal inside the dashboard\n try { sessionStorage.setItem('sanctuary_token', token); } catch(_) {}\n // Set session cookie\n var maxAge = result.expires_in_seconds || 300;\n document.cookie = 'sanctuary_session=' + result.session_id +\n '; path=/; SameSite=Strict; max-age=' + maxAge;\n // Reload to enter the dashboard\n window.location.reload();\n } catch (err) {\n errEl.textContent = err.message || 'Authentication failed. Check your token.';\n errEl.style.display = 'block';\n btn.disabled = false;\n btn.textContent = 'Open Dashboard';\n }\n return false;\n}\n</script>\n</body>\n</html>`;\n}\n\n/**\n * Generate the dashboard HTML with the given configuration.\n */\nexport function generateDashboardHTML(options: {\n timeoutSeconds: number;\n serverVersion: string;\n /** Auth token — used only in Authorization headers, never in URLs (SEC-012) */\n authToken?: string;\n}): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Sanctuary — Principal Dashboard</title>\n<link href=\"https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;600&display=swap\" rel=\"stylesheet\">\n<style>\n :root {\n --bg: #0d1117;\n --surface: #161b22;\n --border: #30363d;\n --text-primary: #e6edf3;\n --text-secondary: #8b949e;\n --green: #3fb950;\n --amber: #d29922;\n --red: #f85149;\n --blue: #58a6ff;\n --mono: 'JetBrains Mono', 'Fira Code', 'Consolas', monospace;\n --sans: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;\n --radius: 6px;\n }\n\n * {\n box-sizing: border-box;\n margin: 0;\n padding: 0;\n }\n\n html, body {\n width: 100%;\n height: 100%;\n overflow: hidden;\n }\n\n body {\n font-family: var(--sans);\n background: var(--bg);\n color: var(--text-primary);\n display: flex;\n flex-direction: column;\n }\n\n /* ── Top Status Bar (fixed) ─────────────────────────────────────── */\n\n .status-bar {\n position: fixed;\n top: 0;\n left: 0;\n right: 0;\n height: 56px;\n background: var(--surface);\n border-bottom: 1px solid var(--border);\n display: flex;\n align-items: center;\n padding: 0 20px;\n gap: 24px;\n z-index: 1000;\n }\n\n .status-bar-left {\n display: flex;\n align-items: center;\n gap: 12px;\n flex: 0 0 auto;\n }\n\n .sanctuary-logo {\n font-weight: 700;\n font-size: 16px;\n letter-spacing: -0.5px;\n color: var(--text-primary);\n }\n\n .sanctuary-logo span {\n color: var(--blue);\n }\n\n .version {\n font-size: 11px;\n color: var(--text-secondary);\n font-family: var(--mono);\n }\n\n .status-bar-center {\n flex: 1;\n display: flex;\n align-items: center;\n justify-content: center;\n }\n\n .sovereignty-badge {\n display: flex;\n align-items: center;\n gap: 8px;\n padding: 6px 12px;\n background: rgba(88, 166, 255, 0.1);\n border: 1px solid var(--blue);\n border-radius: 20px;\n font-size: 13px;\n font-weight: 600;\n }\n\n .sovereignty-score {\n display: flex;\n align-items: center;\n justify-content: center;\n width: 28px;\n height: 28px;\n border-radius: 50%;\n font-family: var(--mono);\n font-weight: 700;\n font-size: 12px;\n background: var(--blue);\n color: var(--bg);\n }\n\n .sovereignty-score.high {\n background: var(--green);\n }\n\n .sovereignty-score.medium {\n background: var(--amber);\n }\n\n .sovereignty-score.low {\n background: var(--red);\n }\n\n .status-bar-right {\n display: flex;\n align-items: center;\n gap: 16px;\n flex: 0 0 auto;\n }\n\n .protections-indicator {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 12px;\n color: var(--text-secondary);\n font-family: var(--mono);\n }\n\n .protections-indicator .count {\n color: var(--text-primary);\n font-weight: 600;\n }\n\n .uptime {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 12px;\n color: var(--text-secondary);\n font-family: var(--mono);\n }\n\n .status-dot {\n width: 8px;\n height: 8px;\n border-radius: 50%;\n background: var(--green);\n animation: pulse 2s ease-in-out infinite;\n }\n\n .status-dot.disconnected {\n background: var(--red);\n animation: none;\n }\n\n @keyframes pulse {\n 0%, 100% { opacity: 1; }\n 50% { opacity: 0.5; }\n }\n\n .pending-badge {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n min-width: 24px;\n height: 24px;\n padding: 0 6px;\n background: var(--red);\n color: white;\n border-radius: 12px;\n font-size: 11px;\n font-weight: 700;\n animation: pulse 1s ease-in-out infinite;\n }\n\n .pending-badge.hidden {\n display: none;\n }\n\n /* ── Main Layout ────────────────────────────────────────────────── */\n\n .main-container {\n flex: 1;\n display: flex;\n margin-top: 56px;\n overflow: hidden;\n }\n\n .activity-feed {\n flex: 3;\n display: flex;\n flex-direction: column;\n border-right: 1px solid var(--border);\n overflow: hidden;\n }\n\n .feed-header {\n padding: 16px 20px;\n border-bottom: 1px solid var(--border);\n display: flex;\n align-items: center;\n gap: 8px;\n font-size: 12px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n }\n\n .feed-header-dot {\n width: 6px;\n height: 6px;\n border-radius: 50%;\n background: var(--green);\n }\n\n .activity-list {\n flex: 1;\n overflow-y: auto;\n overflow-x: hidden;\n }\n\n .activity-item {\n padding: 12px 20px;\n border-bottom: 1px solid rgba(48, 54, 61, 0.5);\n font-size: 13px;\n font-family: var(--mono);\n cursor: pointer;\n transition: background 0.15s;\n display: flex;\n align-items: flex-start;\n gap: 10px;\n }\n\n .activity-item:hover {\n background: rgba(88, 166, 255, 0.05);\n }\n\n .activity-item-icon {\n flex: 0 0 auto;\n width: 16px;\n text-align: center;\n font-size: 12px;\n color: var(--text-secondary);\n margin-top: 1px;\n }\n\n .activity-item-content {\n flex: 1;\n min-width: 0;\n }\n\n .activity-time {\n color: var(--text-secondary);\n font-size: 11px;\n margin-bottom: 2px;\n }\n\n .activity-main {\n display: flex;\n gap: 8px;\n align-items: baseline;\n margin-bottom: 4px;\n }\n\n .activity-tier {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n width: 24px;\n height: 16px;\n font-size: 10px;\n font-weight: 700;\n border-radius: 3px;\n text-transform: uppercase;\n flex: 0 0 auto;\n }\n\n .activity-tier.t1 {\n background: rgba(248, 81, 73, 0.2);\n color: var(--red);\n }\n\n .activity-tier.t2 {\n background: rgba(210, 153, 34, 0.2);\n color: var(--amber);\n }\n\n .activity-tier.t3 {\n background: rgba(63, 185, 80, 0.2);\n color: var(--green);\n }\n\n .activity-tool {\n color: var(--text-primary);\n font-weight: 600;\n }\n\n .activity-outcome {\n color: var(--green);\n }\n\n .activity-outcome.denied {\n color: var(--red);\n }\n\n .activity-detail {\n font-size: 12px;\n color: var(--text-secondary);\n margin-left: 0;\n }\n\n .activity-item.expanded .activity-detail {\n display: block;\n margin-top: 8px;\n padding: 10px;\n background: rgba(88, 166, 255, 0.08);\n border-left: 2px solid var(--blue);\n border-radius: 4px;\n }\n\n .activity-empty {\n display: flex;\n flex-direction: column;\n align-items: center;\n justify-content: center;\n height: 100%;\n color: var(--text-secondary);\n }\n\n .activity-empty-icon {\n font-size: 32px;\n margin-bottom: 12px;\n }\n\n .activity-empty-text {\n font-size: 14px;\n }\n\n /* ── Protection Status Sidebar (40%) ────────────────────────────── */\n\n .protection-sidebar {\n flex: 2;\n display: flex;\n flex-direction: column;\n background: rgba(22, 27, 34, 0.5);\n overflow: hidden;\n }\n\n .sidebar-header {\n padding: 16px 20px;\n border-bottom: 1px solid var(--border);\n font-size: 12px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n display: flex;\n align-items: center;\n gap: 8px;\n }\n\n .sidebar-content {\n flex: 1;\n overflow-y: auto;\n padding: 16px 16px;\n display: grid;\n grid-template-columns: 1fr 1fr;\n gap: 12px;\n }\n\n .protection-card {\n background: var(--surface);\n border: 1px solid var(--border);\n border-radius: var(--radius);\n padding: 14px;\n display: flex;\n flex-direction: column;\n gap: 8px;\n }\n\n .protection-card-icon {\n font-size: 14px;\n }\n\n .protection-card-label {\n font-size: 11px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n }\n\n .protection-card-status {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 12px;\n font-weight: 600;\n }\n\n .protection-card-status.active {\n color: var(--green);\n }\n\n .protection-card-status.inactive {\n color: var(--text-secondary);\n }\n\n .protection-card-stat {\n font-size: 11px;\n color: var(--text-secondary);\n font-family: var(--mono);\n margin-top: 4px;\n }\n\n /* ── Pending Approvals Overlay ──────────────────────────────────── */\n\n .pending-overlay {\n position: fixed;\n top: 56px;\n right: 0;\n bottom: 0;\n width: 0;\n background: var(--surface);\n border-left: 1px solid var(--border);\n z-index: 999;\n overflow-y: auto;\n transition: width 0.3s ease-out;\n display: flex;\n flex-direction: column;\n }\n\n .pending-overlay.active {\n width: 380px;\n }\n\n @media (max-width: 1400px) {\n .pending-overlay.active {\n width: 100%;\n right: auto;\n left: 0;\n }\n }\n\n .pending-overlay-header {\n padding: 16px 20px;\n border-bottom: 1px solid var(--border);\n display: flex;\n align-items: center;\n justify-content: space-between;\n flex: 0 0 auto;\n }\n\n .pending-overlay-title {\n font-size: 13px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-primary);\n }\n\n .pending-overlay-close {\n background: none;\n border: none;\n color: var(--text-secondary);\n cursor: pointer;\n font-size: 18px;\n padding: 0;\n display: flex;\n align-items: center;\n justify-content: center;\n }\n\n .pending-overlay-close:hover {\n color: var(--text-primary);\n }\n\n .pending-list {\n flex: 1;\n overflow-y: auto;\n }\n\n .pending-item {\n padding: 16px 20px;\n border-bottom: 1px solid rgba(48, 54, 61, 0.5);\n display: flex;\n flex-direction: column;\n gap: 10px;\n }\n\n .pending-item-header {\n display: flex;\n align-items: center;\n gap: 8px;\n }\n\n .pending-item-op {\n font-family: var(--mono);\n font-size: 12px;\n font-weight: 600;\n color: var(--text-primary);\n flex: 1;\n }\n\n .pending-item-tier {\n display: inline-flex;\n align-items: center;\n justify-content: center;\n width: 28px;\n height: 20px;\n font-size: 9px;\n font-weight: 700;\n border-radius: 3px;\n text-transform: uppercase;\n color: white;\n }\n\n .pending-item-tier.tier1 {\n background: var(--red);\n }\n\n .pending-item-tier.tier2 {\n background: var(--amber);\n }\n\n .pending-item-reason {\n font-size: 12px;\n color: var(--text-secondary);\n }\n\n .pending-item-timer {\n display: flex;\n align-items: center;\n gap: 6px;\n font-size: 11px;\n font-family: var(--mono);\n color: var(--text-secondary);\n }\n\n .pending-item-timer-bar {\n flex: 1;\n height: 4px;\n background: rgba(48, 54, 61, 0.8);\n border-radius: 2px;\n overflow: hidden;\n }\n\n .pending-item-timer-fill {\n height: 100%;\n background: var(--blue);\n transition: width 0.1s linear;\n }\n\n .pending-item-timer.urgent .pending-item-timer-fill {\n background: var(--red);\n }\n\n .pending-item-actions {\n display: flex;\n gap: 8px;\n }\n\n .btn {\n flex: 1;\n padding: 8px 12px;\n border: none;\n border-radius: var(--radius);\n font-size: 12px;\n font-weight: 600;\n cursor: pointer;\n transition: all 0.15s;\n font-family: var(--sans);\n }\n\n .btn-approve {\n background: var(--green);\n color: var(--bg);\n }\n\n .btn-approve:hover {\n background: #4ecf5e;\n }\n\n .btn-deny {\n background: var(--red);\n color: white;\n }\n\n .btn-deny:hover {\n background: #f9605e;\n }\n\n /* ── Threat Panel (collapsible footer) ──────────────────────────── */\n\n .threat-panel {\n position: fixed;\n bottom: 0;\n left: 0;\n right: 0;\n background: var(--surface);\n border-top: 1px solid var(--border);\n max-height: 240px;\n z-index: 500;\n display: flex;\n flex-direction: column;\n transition: max-height 0.3s ease-out;\n }\n\n .threat-panel.collapsed {\n max-height: 40px;\n }\n\n .threat-header {\n padding: 12px 20px;\n cursor: pointer;\n display: flex;\n align-items: center;\n gap: 8px;\n font-size: 12px;\n font-weight: 600;\n text-transform: uppercase;\n letter-spacing: 0.5px;\n color: var(--text-secondary);\n flex: 0 0 auto;\n }\n\n .threat-header:hover {\n background: rgba(88, 166, 255, 0.05);\n }\n\n .threat-icon {\n font-size: 14px;\n }\n\n .threat-content {\n flex: 1;\n overflow-y: auto;\n padding: 0 20px 12px;\n display: flex;\n flex-direction: column;\n gap: 10px;\n }\n\n .threat-item {\n padding: 8px 10px;\n background: rgba(248, 81, 73, 0.1);\n border-left: 2px solid var(--red);\n border-radius: 4px;\n font-size: 11px;\n color: var(--text-secondary);\n }\n\n .threat-item-type {\n font-weight: 600;\n color: var(--red);\n font-family: var(--mono);\n }\n\n .threat-empty {\n text-align: center;\n padding: 20px 10px;\n color: var(--text-secondary);\n font-size: 12px;\n }\n\n /* ── Scrollbars ────────────────────────────────────────────────── */\n\n ::-webkit-scrollbar {\n width: 6px;\n }\n\n ::-webkit-scrollbar-track {\n background: transparent;\n }\n\n ::-webkit-scrollbar-thumb {\n background: var(--border);\n border-radius: 3px;\n }\n\n ::-webkit-scrollbar-thumb:hover {\n background: rgba(88, 166, 255, 0.3);\n }\n\n /* ── Responsive ────────────────────────────────────────────────── */\n\n @media (max-width: 1200px) {\n .protection-sidebar {\n display: none;\n }\n\n .activity-feed {\n border-right: none;\n }\n }\n\n @media (max-width: 768px) {\n .status-bar {\n padding: 0 12px;\n gap: 12px;\n height: 48px;\n }\n\n .sanctuary-logo {\n font-size: 14px;\n }\n\n .status-bar-center {\n display: none;\n }\n\n .main-container {\n margin-top: 48px;\n }\n\n .activity-item {\n padding: 10px 12px;\n }\n\n .pending-overlay.active {\n width: 100%;\n }\n\n .threat-panel {\n max-height: 200px;\n }\n }\n</style>\n</head>\n<body>\n\n<!-- Status Bar (fixed, top) -->\n<div class=\"status-bar\">\n <div class=\"status-bar-left\">\n <div class=\"sanctuary-logo\"><span>◆</span> SANCTUARY</div>\n <div class=\"version\">v${options.serverVersion}</div>\n </div>\n <div class=\"status-bar-center\">\n <div class=\"sovereignty-badge\">\n <div class=\"sovereignty-score\" id=\"sovereigntyScore\">85</div>\n <span>Sovereignty Health</span>\n </div>\n </div>\n <div class=\"status-bar-right\">\n <div class=\"protections-indicator\">\n <span class=\"count\" id=\"activeProtections\">6</span>/6 protections\n </div>\n <div class=\"uptime\">\n <span id=\"uptimeText\">—</span>\n </div>\n <div class=\"status-dot\" id=\"statusDot\"></div>\n <div class=\"pending-badge hidden\" id=\"pendingBadge\">0</div>\n </div>\n</div>\n\n<!-- Main Layout -->\n<div class=\"main-container\">\n <!-- Activity Feed -->\n <div class=\"activity-feed\">\n <div class=\"feed-header\">\n <div class=\"feed-header-dot\"></div>\n Live Activity\n </div>\n <div class=\"activity-list\" id=\"activityList\">\n <div class=\"activity-empty\">\n <div class=\"activity-empty-icon\">→</div>\n <div class=\"activity-empty-text\">Waiting for activity...</div>\n </div>\n </div>\n </div>\n\n <!-- Protection Status Sidebar -->\n <div class=\"protection-sidebar\" id=\"protectionSidebar\">\n <div class=\"sidebar-header\">\n <span>◆</span> Protection Status\n </div>\n <div class=\"sidebar-content\">\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">🔐</div>\n <div class=\"protection-card-label\">Encryption</div>\n <div class=\"protection-card-status active\" id=\"encryptionStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"encryptionStat\">Ed25519</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">✓</div>\n <div class=\"protection-card-label\">Approval Gate</div>\n <div class=\"protection-card-status active\" id=\"approvalStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"approvalStat\">T1: 2 | T2: 3</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">🎯</div>\n <div class=\"protection-card-label\">Context Gating</div>\n <div class=\"protection-card-status active\" id=\"contextStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"contextStat\">12 filtered</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">⚠</div>\n <div class=\"protection-card-label\">Injection Detection</div>\n <div class=\"protection-card-status active\" id=\"injectionStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"injectionStat\">3 flags today</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">📊</div>\n <div class=\"protection-card-label\">Behavioral Baseline</div>\n <div class=\"protection-card-status active\" id=\"baselineStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"baselineStat\">0 anomalies</div>\n </div>\n\n <div class=\"protection-card\">\n <div class=\"protection-card-icon\">📋</div>\n <div class=\"protection-card-label\">Audit Trail</div>\n <div class=\"protection-card-status active\" id=\"auditStatus\">✓ Active</div>\n <div class=\"protection-card-stat\" id=\"auditStat\">284 entries</div>\n </div>\n </div>\n </div>\n</div>\n\n<!-- Pending Approvals Overlay -->\n<div class=\"pending-overlay\" id=\"pendingOverlay\">\n <div class=\"pending-overlay-header\">\n <div class=\"pending-overlay-title\">Pending Approvals</div>\n <button class=\"pending-overlay-close\" onclick=\"closePendingOverlay()\">×</button>\n </div>\n <div class=\"pending-list\" id=\"pendingList\"></div>\n</div>\n\n<!-- Threat Panel (collapsible footer) -->\n<div class=\"threat-panel collapsed\" id=\"threatPanel\">\n <div class=\"threat-header\" onclick=\"toggleThreatPanel()\">\n <span class=\"threat-icon\">⚠</span>\n Recent Threats\n <span id=\"threatCount\" style=\"margin-left: auto; color: var(--red); font-weight: 700;\">0</span>\n </div>\n <div class=\"threat-content\" id=\"threatContent\">\n <div class=\"threat-empty\">No threats detected</div>\n </div>\n</div>\n\n<script>\n(function() {\n 'use strict';\n\n // ── Configuration ────────────────────────────────────────────────\n\n const TIMEOUT_SECONDS = ${options.timeoutSeconds};\n // AUTH_TOKEN: embedded token (for direct session access) or from sessionStorage (login page flow)\n const EMBEDDED_TOKEN = ${options.authToken ? JSON.stringify(options.authToken) : 'null'};\n const AUTH_TOKEN = EMBEDDED_TOKEN || (function() { try { return sessionStorage.getItem('sanctuary_token'); } catch(_) { return null; } })();\n const MAX_ACTIVITY_ITEMS = 100;\n const MAX_THREAT_ITEMS = 20;\n\n // ── State ────────────────────────────────────────────────────────\n\n let SESSION_ID = null;\n let evtSource = null;\n let startTime = Date.now();\n let activityCount = 0;\n let threatCount = 0;\n const pendingRequests = new Map();\n const activityItems = [];\n const threatItems = [];\n let sovereigntyScore = 85;\n let sessionRenewalTimer = null;\n\n // ── Auth Helpers (SEC-012) ───────────────────────────────────────\n\n function authHeaders() {\n const h = { 'Content-Type': 'application/json' };\n if (AUTH_TOKEN) h['Authorization'] = 'Bearer ' + AUTH_TOKEN;\n return h;\n }\n\n function sessionQuery(url) {\n if (!SESSION_ID) return url;\n const sep = url.includes('?') ? '&' : '?';\n return url + sep + 'session=' + SESSION_ID;\n }\n\n function setCookie(sessionId, maxAge) {\n document.cookie = 'sanctuary_session=' + sessionId +\n '; path=/; SameSite=Strict; max-age=' + maxAge;\n }\n\n async function exchangeSession() {\n if (!AUTH_TOKEN) return;\n try {\n const resp = await fetch('/auth/session', { method: 'POST', headers: authHeaders() });\n if (resp.ok) {\n const data = await resp.json();\n SESSION_ID = data.session_id;\n var ttl = data.expires_in_seconds || 300;\n // Update cookie with new session\n setCookie(SESSION_ID, ttl);\n // Schedule renewal at 80% of TTL\n if (sessionRenewalTimer) clearTimeout(sessionRenewalTimer);\n sessionRenewalTimer = setTimeout(function() {\n exchangeSession().then(function() { reconnectSSE(); });\n }, ttl * 800);\n } else if (resp.status === 401) {\n // Token invalid or expired — show non-destructive re-login overlay\n showSessionExpired();\n }\n } catch (e) {\n // Network error — retry in 30s\n if (sessionRenewalTimer) clearTimeout(sessionRenewalTimer);\n sessionRenewalTimer = setTimeout(function() {\n exchangeSession().then(function() { reconnectSSE(); });\n }, 30000);\n }\n }\n\n function showSessionExpired() {\n // Clear stored token\n try { sessionStorage.removeItem('sanctuary_token'); } catch(_) {}\n // Redirect to login page\n document.cookie = 'sanctuary_session=; path=/; max-age=0';\n window.location.reload();\n }\n\n // ── UI Utilities ─────────────────────────────────────────────────\n\n function esc(s) {\n const d = document.createElement('div');\n d.textContent = String(s || '');\n return d.innerHTML;\n }\n\n function closePendingOverlay() {\n document.getElementById('pendingOverlay').classList.remove('active');\n }\n\n function toggleThreatPanel() {\n document.getElementById('threatPanel').classList.toggle('collapsed');\n }\n\n function updateUptime() {\n const elapsed = Math.floor((Date.now() - startTime) / 1000);\n const hours = Math.floor(elapsed / 3600);\n const mins = Math.floor((elapsed % 3600) / 60);\n const secs = elapsed % 60;\n let uptimeStr = '';\n if (hours > 0) uptimeStr += hours + 'h ';\n if (mins > 0) uptimeStr += mins + 'm ';\n uptimeStr += secs + 's';\n document.getElementById('uptimeText').textContent = uptimeStr;\n }\n\n // ── Sovereignty Score ────────────────────────────────────────────\n\n function updateSovereigntyScore(score) {\n sovereigntyScore = Math.min(100, Math.max(0, score || 85));\n const badge = document.getElementById('sovereigntyScore');\n badge.textContent = sovereigntyScore;\n badge.className = 'sovereignty-score';\n if (sovereigntyScore >= 80) {\n badge.classList.add('high');\n } else if (sovereigntyScore >= 50) {\n badge.classList.add('medium');\n } else {\n badge.classList.add('low');\n }\n }\n\n // ── Activity Feed ────────────────────────────────────────────────\n\n function addActivityItem(data) {\n const {\n timestamp,\n tier,\n tool,\n outcome,\n detail,\n hasInjection,\n isContextGated\n } = data;\n\n const item = {\n id: 'activity-' + activityCount++,\n timestamp: timestamp || new Date().toISOString(),\n tier: tier || 1,\n tool: tool || 'unknown_tool',\n outcome: outcome || 'executed',\n detail: detail || '',\n hasInjection: !!hasInjection,\n isContextGated: !!isContextGated\n };\n\n activityItems.unshift(item);\n if (activityItems.length > MAX_ACTIVITY_ITEMS) {\n activityItems.pop();\n }\n\n renderActivityFeed();\n }\n\n function renderActivityFeed() {\n const list = document.getElementById('activityList');\n\n if (activityItems.length === 0) {\n list.innerHTML = '<div class=\"activity-empty\"><div class=\"activity-empty-icon\">→</div><div class=\"activity-empty-text\">Waiting for activity...</div></div>';\n return;\n }\n\n list.innerHTML = '';\n for (const item of activityItems) {\n const tr = document.createElement('div');\n tr.className = 'activity-item';\n tr.id = item.id;\n\n const time = new Date(item.timestamp);\n const timeStr = time.toLocaleTimeString();\n\n const tierClass = 't' + item.tier;\n const outcomeClass = item.outcome === 'denied' ? 'outcome denied' : 'outcome';\n\n let icon = '●';\n if (item.isContextGated) icon = '🎯';\n else if (item.hasInjection) icon = '⚠';\n else if (item.outcome === 'denied') icon = '✗';\n else icon = '✓';\n\n tr.innerHTML =\n '<div class=\"activity-item-icon\">' + esc(icon) + '</div>' +\n '<div class=\"activity-item-content\">' +\n '<div class=\"activity-time\">' + esc(timeStr) + '</div>' +\n '<div class=\"activity-main\">' +\n '<span class=\"activity-tier ' + tierClass + '\">T' + item.tier + '</span>' +\n '<span class=\"activity-tool\">' + esc(item.tool) + '</span>' +\n '<span class=\"activity-outcome ' + (outcomeClass === 'outcome denied' ? 'denied' : '') + '\">' + (item.outcome === 'denied' ? '✗ denied' : '✓ allowed') + '</span>' +\n '</div>' +\n '<div class=\"activity-detail\">' + esc(item.detail) + '</div>' +\n '</div>' +\n '';\n\n tr.addEventListener('click', () => {\n tr.classList.toggle('expanded');\n });\n\n list.appendChild(tr);\n }\n }\n\n // ── Pending Approvals ────────────────────────────────────────────\n\n function addPendingRequest(data) {\n const {\n request_id,\n operation,\n tier,\n reason,\n context,\n timestamp\n } = data;\n\n const pending = {\n id: request_id,\n operation: operation || 'unknown',\n tier: tier || 1,\n reason: reason || '',\n context: context || {},\n timestamp: timestamp || new Date().toISOString(),\n remaining: TIMEOUT_SECONDS\n };\n\n pendingRequests.set(request_id, pending);\n updatePendingUI();\n }\n\n function removePendingRequest(id) {\n pendingRequests.delete(id);\n updatePendingUI();\n }\n\n function updatePendingUI() {\n const count = pendingRequests.size;\n const badge = document.getElementById('pendingBadge');\n\n if (count > 0) {\n badge.classList.remove('hidden');\n badge.textContent = count;\n document.getElementById('pendingOverlay').classList.add('active');\n } else {\n badge.classList.add('hidden');\n document.getElementById('pendingOverlay').classList.remove('active');\n }\n\n renderPendingList();\n }\n\n function renderPendingList() {\n const list = document.getElementById('pendingList');\n list.innerHTML = '';\n\n for (const [id, req] of pendingRequests) {\n const item = document.createElement('div');\n item.className = 'pending-item';\n\n const tier = req.tier || 1;\n const tierClass = 'tier' + tier;\n const pct = Math.max(0, Math.min(100, (req.remaining / TIMEOUT_SECONDS) * 100));\n const isUrgent = req.remaining <= 30;\n\n item.innerHTML =\n '<div class=\"pending-item-header\">' +\n '<div class=\"pending-item-op\">' + esc(req.operation) + '</div>' +\n '<div class=\"pending-item-tier ' + tierClass + '\">T' + tier + '</div>' +\n '</div>' +\n '<div class=\"pending-item-reason\">' + esc(req.reason) + '</div>' +\n '<div class=\"pending-item-timer ' + (isUrgent ? 'urgent' : '') + '\">' +\n '<div class=\"pending-item-timer-bar\">' +\n '<div class=\"pending-item-timer-fill\" style=\"width: ' + pct + '%\"></div>' +\n '</div>' +\n '<span id=\"timer-' + id + '\">' + req.remaining + 's</span>' +\n '</div>' +\n '<div class=\"pending-item-actions\">' +\n '<button class=\"btn btn-approve\" onclick=\"handleApprove(\\'' + id + '\\')\">Approve</button>' +\n '<button class=\"btn btn-deny\" onclick=\"handleDeny(\\'' + id + '\\')\">Deny</button>' +\n '</div>' +\n '';\n\n list.appendChild(item);\n }\n }\n\n window.handleApprove = function(id) {\n fetch('/api/approve/' + id, { method: 'POST', headers: authHeaders() }).then(() => {\n removePendingRequest(id);\n }).catch(() => {});\n };\n\n window.handleDeny = function(id) {\n fetch('/api/deny/' + id, { method: 'POST', headers: authHeaders() }).then(() => {\n removePendingRequest(id);\n }).catch(() => {});\n };\n\n // ── Threats ──────────────────────────────────────────────────────\n\n function addThreat(data) {\n const {\n timestamp,\n severity,\n type,\n details\n } = data;\n\n const threat = {\n id: 'threat-' + threatCount++,\n timestamp: timestamp || new Date().toISOString(),\n severity: severity || 'medium',\n type: type || 'unknown',\n details: details || ''\n };\n\n threatItems.unshift(threat);\n if (threatItems.length > MAX_THREAT_ITEMS) {\n threatItems.pop();\n }\n\n if (threatCount > 0) {\n document.getElementById('threatPanel').classList.remove('collapsed');\n }\n\n renderThreats();\n }\n\n function renderThreats() {\n const content = document.getElementById('threatContent');\n const badge = document.getElementById('threatCount');\n\n if (threatItems.length === 0) {\n content.innerHTML = '<div class=\"threat-empty\">No threats detected</div>';\n badge.textContent = '0';\n return;\n }\n\n badge.textContent = threatItems.length;\n content.innerHTML = '';\n\n for (const threat of threatItems) {\n const div = document.createElement('div');\n div.className = 'threat-item';\n const time = new Date(threat.timestamp).toLocaleTimeString();\n div.innerHTML =\n '<div style=\"margin-bottom: 3px;\">' +\n '<span class=\"threat-item-type\">' + esc(threat.type) + '</span>' +\n '<span style=\"font-size: 10px; color: var(--text-secondary); margin-left: 6px;\">' + esc(time) + '</span>' +\n '</div>' +\n '<div>' + esc(threat.details) + '</div>' +\n '';\n content.appendChild(div);\n }\n }\n\n // ── SSE Connection ───────────────────────────────────────────────\n\n function reconnectSSE() {\n if (evtSource) evtSource.close();\n connect();\n }\n\n function connect() {\n evtSource = new EventSource(sessionQuery('/events'));\n\n evtSource.onopen = () => {\n document.getElementById('statusDot').classList.remove('disconnected');\n };\n\n evtSource.onerror = () => {\n document.getElementById('statusDot').classList.add('disconnected');\n };\n\n evtSource.addEventListener('init', (e) => {\n const data = JSON.parse(e.data);\n if (data.baseline) {\n updateBaseline(data.baseline);\n }\n if (data.policy) {\n updatePolicy(data.policy);\n }\n if (data.pending) {\n data.pending.forEach(addPendingRequest);\n }\n });\n\n evtSource.addEventListener('pending-request', (e) => {\n const data = JSON.parse(e.data);\n addPendingRequest(data);\n });\n\n evtSource.addEventListener('request-resolved', (e) => {\n const data = JSON.parse(e.data);\n removePendingRequest(data.request_id);\n });\n\n evtSource.addEventListener('tool-call', (e) => {\n const data = JSON.parse(e.data);\n addActivityItem({\n timestamp: data.timestamp,\n tier: data.tier || 1,\n tool: data.tool || 'unknown',\n outcome: data.outcome || 'executed',\n detail: data.detail || ''\n });\n });\n\n evtSource.addEventListener('context-gate-decision', (e) => {\n const data = JSON.parse(e.data);\n addActivityItem({\n timestamp: data.timestamp,\n tier: data.tier || 1,\n tool: data.tool || 'unknown',\n outcome: data.outcome || 'gated',\n detail: data.fields_filtered ? 'Filtered ' + data.fields_filtered + ' fields' : data.reason || '',\n isContextGated: true\n });\n });\n\n evtSource.addEventListener('injection-alert', (e) => {\n const data = JSON.parse(e.data);\n addActivityItem({\n timestamp: data.timestamp,\n tier: data.tier || 2,\n tool: data.tool || 'unknown',\n outcome: data.allowed ? 'allowed' : 'denied',\n detail: data.signal || 'Injection detected',\n hasInjection: true\n });\n addThreat({\n timestamp: data.timestamp,\n severity: data.severity || 'medium',\n type: 'Injection Alert',\n details: data.signal || 'Suspicious pattern detected'\n });\n });\n\n evtSource.addEventListener('protection-status', (e) => {\n const data = JSON.parse(e.data);\n updateProtectionStatus(data);\n });\n\n evtSource.addEventListener('audit-entry', (e) => {\n const data = JSON.parse(e.data);\n // Audit entries don't show in activity by default, but we could add them\n });\n\n evtSource.addEventListener('baseline-update', (e) => {\n const data = JSON.parse(e.data);\n updateBaseline(data);\n });\n }\n\n function updateBaseline(baseline) {\n if (!baseline) return;\n // Update baseline-derived stats if needed\n }\n\n function updatePolicy(policy) {\n if (!policy) return;\n // Update policy-derived stats\n if (policy.approval_channel) {\n // Policy info updated\n }\n }\n\n function updateProtectionStatus(status) {\n if (status.sovereignty_score !== undefined) {\n updateSovereigntyScore(status.sovereignty_score);\n }\n if (status.active_protections !== undefined) {\n document.getElementById('activeProtections').textContent = status.active_protections;\n }\n // Update individual protection cards\n if (status.encryption !== undefined) {\n const el = document.getElementById('encryptionStatus');\n el.className = 'protection-card-status ' + (status.encryption ? 'active' : 'inactive');\n el.textContent = status.encryption ? '✓ Active' : '✗ Inactive';\n }\n if (status.approval_gate !== undefined) {\n const el = document.getElementById('approvalStatus');\n el.className = 'protection-card-status ' + (status.approval_gate ? 'active' : 'inactive');\n el.textContent = status.approval_gate ? '✓ Active' : '✗ Inactive';\n }\n if (status.context_gating !== undefined) {\n const el = document.getElementById('contextStatus');\n el.className = 'protection-card-status ' + (status.context_gating ? 'active' : 'inactive');\n el.textContent = status.context_gating ? '✓ Active' : '✗ Inactive';\n }\n if (status.injection_detection !== undefined) {\n const el = document.getElementById('injectionStatus');\n el.className = 'protection-card-status ' + (status.injection_detection ? 'active' : 'inactive');\n el.textContent = status.injection_detection ? '✓ Active' : '✗ Inactive';\n }\n if (status.baseline !== undefined) {\n const el = document.getElementById('baselineStatus');\n el.className = 'protection-card-status ' + (status.baseline ? 'active' : 'inactive');\n el.textContent = status.baseline ? '✓ Active' : '✗ Inactive';\n }\n if (status.audit_trail !== undefined) {\n const el = document.getElementById('auditStatus');\n el.className = 'protection-card-status ' + (status.audit_trail ? 'active' : 'inactive');\n el.textContent = status.audit_trail ? '✓ Active' : '✗ Inactive';\n }\n }\n\n // ── Initialization ───────────────────────────────────────────────\n\n (async function init() {\n await exchangeSession();\n // Clean legacy ?token= from URL\n if (window.location.search.includes('token=')) {\n window.history.replaceState({}, '', window.location.pathname);\n }\n connect();\n\n // Start uptime ticker\n setInterval(updateUptime, 1000);\n updateUptime();\n\n // Pending request countdown timer\n setInterval(() => {\n for (const [id, req] of pendingRequests) {\n req.remaining = Math.max(0, req.remaining - 1);\n const el = document.getElementById('timer-' + id);\n if (el) {\n el.textContent = req.remaining + 's';\n }\n }\n }, 1000);\n\n // Load initial status\n try {\n const resp = await fetch('/api/status', { headers: authHeaders() });\n if (resp.ok) {\n const status = await resp.json();\n if (status.baseline) updateBaseline(status.baseline);\n if (status.policy) updatePolicy(status.policy);\n }\n } catch (e) {\n // Ignore\n }\n })();\n\n})();\n</script>\n\n</body>\n</html>`;\n}\n\n","/**\n * Sanctuary MCP Server — Principal Dashboard\n *\n * HTTP-based approval channel that serves a real-time web dashboard\n * for human principals to approve/deny agent operations.\n *\n * Architecture:\n * - Node.js built-in `http`/`https` modules (no Express or external deps)\n * - SSE (Server-Sent Events) for real-time push to browser\n * - Pending approval requests block the MCP tool call via Promise\n * - Human clicks approve/deny in browser → POST /api/approve/:id → Promise resolves\n * - Timeout fallback: auto-deny (or auto-approve) if no response\n *\n * Security invariants:\n * - Binds to 127.0.0.1 by default (localhost only)\n * - Optional bearer token authentication for non-localhost deployments\n * - Optional TLS (HTTPS) via cert/key paths\n * - All decisions are audit-logged\n * - Agent cannot access the dashboard (it runs outside MCP stdin/stdout)\n */\n\nimport { createServer as createHttpServer, type IncomingMessage, type ServerResponse } from \"node:http\";\nimport { createServer as createHttpsServer } from \"node:https\";\nimport { readFileSync } from \"node:fs\";\nimport { randomBytes } from \"node:crypto\";\nimport { exec } from \"node:child_process\";\nimport { platform } from \"node:os\";\nimport { SANCTUARY_VERSION as PKG_VERSION } from \"../config.js\";\nimport type { ApprovalChannel } from \"./approval-channel.js\";\nimport type { ApprovalRequest, ApprovalResponse, PrincipalPolicy } from \"./types.js\";\nimport type { BaselineTracker } from \"./baseline.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateDashboardHTML, generateLoginHTML } from \"./dashboard-html.js\";\n\n// ── Types ───────────────────────────────────────────────────────────────\n\nexport interface DashboardConfig {\n port: number;\n host: string;\n timeout_seconds: number;\n /** SEC-002: auto_deny is always true. Field retained for interface compat but ignored. */\n auto_deny?: boolean;\n /** Bearer token for API authentication. If omitted, auth is disabled. */\n auth_token?: string;\n /** TLS configuration for HTTPS. If omitted, plain HTTP is used. */\n tls?: {\n cert_path: string;\n key_path: string;\n };\n /** Auto-open the dashboard in the default browser on startup. Default: true for localhost. */\n auto_open?: boolean;\n}\n\ninterface PendingRequest {\n id: string;\n request: ApprovalRequest;\n resolve: (response: ApprovalResponse) => void;\n timer: ReturnType<typeof setTimeout>;\n created_at: string;\n}\n\ntype SSEClient = ServerResponse;\n\n// ── Dashboard Approval Channel ──────────────────────────────────────────\n\n// ── Session Store ────────────────────────────────────────────────────\n// Short-lived sessions replace the long-lived auth token in URLs (SEC-012).\n\ninterface DashboardSession {\n id: string;\n created_at: number;\n expires_at: number;\n}\n\nconst SESSION_TTL_REMOTE_MS = 5 * 60 * 1000; // 5 minutes for remote/TLS\nconst SESSION_TTL_LOCAL_MS = 24 * 60 * 60 * 1000; // 24 hours for localhost\nconst MAX_SESSIONS = 1000;\n\n// ── Rate Limiting ───────────────────────────────────────────────────\n// Sliding-window rate limiting per remote address.\n// Decision endpoints (approve/deny) have a tighter limit than general API.\n\nconst RATE_LIMIT_WINDOW_MS = 60_000; // 1-minute window\nconst RATE_LIMIT_GENERAL = 120; // max general API requests per window\nconst RATE_LIMIT_DECISIONS = 20; // max approve/deny decisions per window\nconst MAX_RATE_LIMIT_ENTRIES = 10_000; // cap the tracking map to prevent memory exhaustion\n\ninterface RateLimitEntry {\n general: number[]; // timestamps of general requests\n decisions: number[]; // timestamps of decision requests\n}\n\nexport class DashboardApprovalChannel implements ApprovalChannel {\n private config: DashboardConfig;\n private pending: Map<string, PendingRequest> = new Map();\n private sseClients: Set<SSEClient> = new Set();\n private httpServer: ReturnType<typeof createHttpServer> | null = null;\n private policy: PrincipalPolicy | null = null;\n private baseline: BaselineTracker | null = null;\n private auditLog: AuditLog | null = null;\n private dashboardHTML: string;\n private loginHTML: string;\n private authToken: string | undefined;\n private useTLS: boolean;\n /** Session TTL: longer for localhost, shorter for remote */\n private sessionTTLMs: number;\n /** SEC-012: Short-lived session store. Sessions replace URL query tokens. */\n private sessions: Map<string, DashboardSession> = new Map();\n private sessionCleanupTimer: ReturnType<typeof setInterval> | null = null;\n /** Rate limiting: per-IP request tracking */\n private rateLimits: Map<string, RateLimitEntry> = new Map();\n\n constructor(config: DashboardConfig) {\n this.config = config;\n this.authToken = config.auth_token;\n this.useTLS = !!(config.tls?.cert_path && config.tls?.key_path);\n // Localhost gets 24h sessions; remote/TLS gets 5min\n const isLocalhost = config.host === \"127.0.0.1\" || config.host === \"localhost\" || config.host === \"::1\";\n this.sessionTTLMs = isLocalhost ? SESSION_TTL_LOCAL_MS : SESSION_TTL_REMOTE_MS;\n this.dashboardHTML = generateDashboardHTML({\n timeoutSeconds: config.timeout_seconds,\n serverVersion: PKG_VERSION,\n authToken: this.authToken,\n });\n this.loginHTML = generateLoginHTML({ serverVersion: PKG_VERSION });\n // SEC-012: Periodic cleanup of expired sessions (every 60s)\n this.sessionCleanupTimer = setInterval(() => this.cleanupSessions(), 60_000);\n }\n\n /**\n * Inject dependencies after construction.\n * Called from index.ts after all components are initialized.\n */\n setDependencies(deps: {\n policy: PrincipalPolicy;\n baseline: BaselineTracker;\n auditLog: AuditLog;\n }): void {\n this.policy = deps.policy;\n this.baseline = deps.baseline;\n this.auditLog = deps.auditLog;\n }\n\n /**\n * Start the HTTP(S) server for the dashboard.\n */\n async start(): Promise<void> {\n return new Promise((resolve, reject) => {\n const handler = (req: IncomingMessage, res: ServerResponse) => this.handleRequest(req, res);\n\n if (this.useTLS && this.config.tls) {\n const tlsOpts = {\n cert: readFileSync(this.config.tls.cert_path),\n key: readFileSync(this.config.tls.key_path),\n };\n this.httpServer = createHttpsServer(tlsOpts, handler);\n } else {\n this.httpServer = createHttpServer(handler);\n }\n\n const protocol = this.useTLS ? \"https\" : \"http\";\n const baseUrl = `${protocol}://${this.config.host}:${this.config.port}`;\n\n this.httpServer.listen(this.config.port, this.config.host, () => {\n // Generate a pre-authenticated one-click URL\n const sessionUrl = this.authToken ? this.createSessionUrl() : baseUrl;\n\n // Print dashboard URL\n process.stderr.write(\n `\\n Sanctuary Principal Dashboard: ${baseUrl}\\n`\n );\n if (this.authToken) {\n const hint = this.authToken.slice(0, 4) + \"...\" + this.authToken.slice(-4);\n process.stderr.write(\n ` Auth token: ${hint}\\n`\n );\n }\n process.stderr.write(`\\n`);\n\n // Auto-open in default browser (default: true for localhost)\n // Skip in test environments to avoid spawning browsers during CI/test runs\n const isTest = !!(process.env.VITEST || process.env.NODE_ENV === \"test\" || process.env.CI);\n const isLocalhost = this.config.host === \"127.0.0.1\" || this.config.host === \"localhost\" || this.config.host === \"::1\";\n const shouldAutoOpen = !isTest && (this.config.auto_open ?? isLocalhost);\n if (shouldAutoOpen) {\n this.openInBrowser(sessionUrl);\n }\n\n resolve();\n });\n this.httpServer.on(\"error\", reject);\n });\n }\n\n /**\n * Stop the HTTP server and clean up.\n */\n async stop(): Promise<void> {\n // Clear all pending requests\n for (const [, pending] of this.pending) {\n clearTimeout(pending.timer);\n pending.resolve({\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n });\n }\n this.pending.clear();\n\n // Close SSE connections\n for (const client of this.sseClients) {\n client.end();\n }\n this.sseClients.clear();\n\n // SEC-012: Clean up session state\n this.sessions.clear();\n if (this.sessionCleanupTimer) {\n clearInterval(this.sessionCleanupTimer);\n this.sessionCleanupTimer = null;\n }\n\n // Clean up rate limit tracking\n this.rateLimits.clear();\n\n // Close HTTP server\n if (this.httpServer) {\n return new Promise((resolve) => {\n this.httpServer!.close(() => resolve());\n });\n }\n }\n\n /**\n * Request approval from the human via the dashboard.\n * Blocks until the human approves/denies or timeout occurs.\n */\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n const id = randomBytes(8).toString(\"hex\");\n\n // Also write to stderr as a fallback notification\n process.stderr.write(\n `[Sanctuary] Approval required: ${request.operation} (Tier ${request.tier}) — open dashboard to respond\\n`\n );\n\n return new Promise<ApprovalResponse>((resolve) => {\n // Set up timeout\n const timer = setTimeout(() => {\n this.pending.delete(id);\n const response: ApprovalResponse = {\n // SEC-002: Timeout ALWAYS denies. No configuration can change this.\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"timeout\",\n };\n this.broadcastSSE(\"request-resolved\", {\n request_id: id,\n decision: response.decision,\n decided_by: \"timeout\",\n });\n resolve(response);\n }, this.config.timeout_seconds * 1000);\n\n // Store the pending request\n const pending: PendingRequest = {\n id,\n request,\n resolve,\n timer,\n created_at: new Date().toISOString(),\n };\n this.pending.set(id, pending);\n\n // Broadcast to all connected dashboards\n this.broadcastSSE(\"pending-request\", {\n request_id: id,\n operation: request.operation,\n tier: request.tier,\n reason: request.reason,\n context: request.context,\n timestamp: request.timestamp,\n });\n });\n }\n\n // ── Authentication ──────────────────────────────────────────────────\n\n /**\n * Verify bearer token authentication.\n *\n * SEC-012: The long-lived auth token is ONLY accepted via the Authorization\n * header — never in URL query strings. For SSE and page loads that cannot\n * set headers, a short-lived session token (obtained via POST /auth/session)\n * is accepted via ?session= query parameter.\n *\n * Returns true if auth passes, false if blocked (response already sent).\n */\n private checkAuth(req: IncomingMessage, url: URL, res: ServerResponse): boolean {\n if (!this.authToken) return true; // Auth disabled\n\n // Check Authorization: Bearer <token> header (primary auth method)\n const authHeader = req.headers.authorization;\n if (authHeader) {\n const parts = authHeader.split(\" \");\n if (parts.length === 2 && parts[0] === \"Bearer\" && parts[1] === this.authToken) {\n return true;\n }\n }\n\n // SEC-012: Check ?session= query parameter for short-lived session tokens\n // This replaces the old ?token= query parameter that exposed the long-lived token\n const sessionId = url.searchParams.get(\"session\");\n if (sessionId && this.validateSession(sessionId)) {\n return true;\n }\n\n // Check sanctuary_session cookie (set by login page flow)\n const cookieSession = this.parseCookie(req, \"sanctuary_session\");\n if (cookieSession && this.validateSession(cookieSession)) {\n return true;\n }\n\n // SEC-012: Long-lived token in ?token= query parameter is explicitly REJECTED.\n // This was the vulnerability — tokens in URLs leak to logs, history, and Referer headers.\n\n // For GET / requests from browsers, serve login page instead of JSON 401\n // (checked in handleRequest before checkAuth is called for this path)\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Unauthorized — use Authorization: Bearer header or a valid session\" }));\n return false;\n }\n\n /**\n * Check if a request is authenticated WITHOUT sending a response.\n * Used to decide between login page vs dashboard for GET /.\n */\n private isAuthenticated(req: IncomingMessage, url: URL): boolean {\n if (!this.authToken) return true;\n\n const authHeader = req.headers.authorization;\n if (authHeader) {\n const parts = authHeader.split(\" \");\n if (parts.length === 2 && parts[0] === \"Bearer\" && parts[1] === this.authToken) {\n return true;\n }\n }\n\n const sessionId = url.searchParams.get(\"session\");\n if (sessionId && this.validateSession(sessionId)) return true;\n\n const cookieSession = this.parseCookie(req, \"sanctuary_session\");\n if (cookieSession && this.validateSession(cookieSession)) return true;\n\n return false;\n }\n\n /**\n * Parse a specific cookie value from the request.\n */\n private parseCookie(req: IncomingMessage, name: string): string | null {\n const header = req.headers.cookie;\n if (!header) return null;\n for (const part of header.split(\";\")) {\n const [key, ...rest] = part.split(\"=\");\n if (key?.trim() === name) {\n return rest.join(\"=\").trim();\n }\n }\n return null;\n }\n\n // ── Session Management (SEC-012) ──────────────────────────────────\n\n /**\n * Create a short-lived session by exchanging the long-lived auth token\n * (provided in the Authorization header) for a session ID.\n */\n private createSession(): string {\n // Enforce max sessions to prevent memory exhaustion\n if (this.sessions.size >= MAX_SESSIONS) {\n this.cleanupSessions();\n // If still at limit after cleanup, evict the oldest session\n if (this.sessions.size >= MAX_SESSIONS) {\n const oldest = [...this.sessions.entries()].sort(\n (a, b) => a[1].created_at - b[1].created_at\n )[0];\n if (oldest) this.sessions.delete(oldest[0]);\n }\n }\n\n const id = randomBytes(32).toString(\"hex\");\n const now = Date.now();\n this.sessions.set(id, {\n id,\n created_at: now,\n expires_at: now + this.sessionTTLMs,\n });\n return id;\n }\n\n /**\n * Validate a session ID — must exist and not be expired.\n */\n private validateSession(sessionId: string): boolean {\n const session = this.sessions.get(sessionId);\n if (!session) return false;\n if (Date.now() > session.expires_at) {\n this.sessions.delete(sessionId);\n return false;\n }\n return true;\n }\n\n /**\n * Remove all expired sessions.\n */\n private cleanupSessions(): void {\n const now = Date.now();\n for (const [id, session] of this.sessions) {\n if (now > session.expires_at) {\n this.sessions.delete(id);\n }\n }\n }\n\n // ── Rate Limiting ─────────────────────────────────────────────────\n\n /**\n * Get the remote address from a request, normalizing IPv6-mapped IPv4.\n */\n private getRemoteAddr(req: IncomingMessage): string {\n const addr = req.socket.remoteAddress ?? \"unknown\";\n // Normalize ::ffff:127.0.0.1 → 127.0.0.1\n return addr.startsWith(\"::ffff:\") ? addr.slice(7) : addr;\n }\n\n /**\n * Check rate limit for a request. Returns true if allowed, false if rate-limited.\n * When rate-limited, sends a 429 response.\n */\n private checkRateLimit(\n req: IncomingMessage,\n res: ServerResponse,\n type: \"general\" | \"decisions\"\n ): boolean {\n const addr = this.getRemoteAddr(req);\n const now = Date.now();\n const windowStart = now - RATE_LIMIT_WINDOW_MS;\n\n // Get or create entry for this address\n let entry = this.rateLimits.get(addr);\n if (!entry) {\n // Cap the tracking map to prevent memory exhaustion\n if (this.rateLimits.size >= MAX_RATE_LIMIT_ENTRIES) {\n this.pruneRateLimits(now);\n }\n entry = { general: [], decisions: [] };\n this.rateLimits.set(addr, entry);\n }\n\n // Prune old timestamps from the window\n entry.general = entry.general.filter(t => t > windowStart);\n entry.decisions = entry.decisions.filter(t => t > windowStart);\n\n const limit = type === \"decisions\" ? RATE_LIMIT_DECISIONS : RATE_LIMIT_GENERAL;\n const timestamps = entry[type];\n\n if (timestamps.length >= limit) {\n const retryAfter = Math.ceil((timestamps[0]! + RATE_LIMIT_WINDOW_MS - now) / 1000);\n res.writeHead(429, {\n \"Content-Type\": \"application/json\",\n \"Retry-After\": String(Math.max(1, retryAfter)),\n });\n res.end(JSON.stringify({\n error: \"Rate limit exceeded\",\n retry_after_seconds: Math.max(1, retryAfter),\n }));\n return false;\n }\n\n timestamps.push(now);\n return true;\n }\n\n /**\n * Remove stale entries from the rate limit map.\n */\n private pruneRateLimits(now: number): void {\n const windowStart = now - RATE_LIMIT_WINDOW_MS;\n for (const [addr, entry] of this.rateLimits) {\n const hasRecent =\n entry.general.some(t => t > windowStart) ||\n entry.decisions.some(t => t > windowStart);\n if (!hasRecent) {\n this.rateLimits.delete(addr);\n }\n }\n }\n\n // ── HTTP Request Handler ────────────────────────────────────────────\n\n private handleRequest(req: IncomingMessage, res: ServerResponse): void {\n const url = new URL(req.url ?? \"/\", `http://${req.headers.host ?? \"localhost\"}`);\n const method = req.method ?? \"GET\";\n\n // CORS headers — restrict to same-origin; the dashboard is served by this server\n const origin = req.headers.origin;\n const protocol = this.useTLS ? \"https\" : \"http\";\n const selfOrigin = `${protocol}://${this.config.host}:${this.config.port}`;\n if (origin === selfOrigin) {\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n }\n // When no origin header (same-origin requests), no CORS header needed\n res.setHeader(\"Access-Control-Allow-Methods\", \"GET, POST, OPTIONS\");\n res.setHeader(\"Access-Control-Allow-Headers\", \"Content-Type, Authorization\");\n\n if (method === \"OPTIONS\") {\n res.writeHead(204);\n res.end();\n return;\n }\n\n // SEC-012: Session exchange does its own auth (header-only) — let it through before checkAuth\n if (method === \"POST\" && url.pathname === \"/auth/session\") {\n if (!this.checkRateLimit(req, res, \"general\")) return;\n try {\n this.handleSessionExchange(req, res);\n } catch {\n res.writeHead(500, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Internal server error\" }));\n }\n return;\n }\n\n // For GET /: serve login page if not authenticated (instead of JSON 401)\n if (method === \"GET\" && url.pathname === \"/\" && this.authToken) {\n if (!this.isAuthenticated(req, url)) {\n if (!this.checkRateLimit(req, res, \"general\")) return;\n this.serveLoginPage(res);\n return;\n }\n }\n\n // Authenticate all other non-OPTIONS requests\n if (!this.checkAuth(req, url, res)) return;\n\n // Rate limiting: apply general limit to all authenticated requests\n if (!this.checkRateLimit(req, res, \"general\")) return;\n\n try {\n if (method === \"GET\" && url.pathname === \"/\") {\n this.serveDashboard(res);\n } else if (method === \"GET\" && url.pathname === \"/events\") {\n this.handleSSE(req, res);\n } else if (method === \"GET\" && url.pathname === \"/api/status\") {\n this.handleStatus(res);\n } else if (method === \"GET\" && url.pathname === \"/api/pending\") {\n this.handlePendingList(res);\n } else if (method === \"GET\" && url.pathname === \"/api/audit-log\") {\n this.handleAuditLog(url, res);\n } else if (method === \"POST\" && url.pathname.startsWith(\"/api/approve/\")) {\n // Decision endpoints get an additional tighter rate limit\n if (!this.checkRateLimit(req, res, \"decisions\")) return;\n const id = url.pathname.slice(\"/api/approve/\".length);\n this.handleDecision(id, \"approve\", res);\n } else if (method === \"POST\" && url.pathname.startsWith(\"/api/deny/\")) {\n // Decision endpoints get an additional tighter rate limit\n if (!this.checkRateLimit(req, res, \"decisions\")) return;\n const id = url.pathname.slice(\"/api/deny/\".length);\n this.handleDecision(id, \"deny\", res);\n } else {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Not found\" }));\n }\n } catch (err) {\n res.writeHead(500, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Internal server error\" }));\n }\n }\n\n // ── Route Handlers ──────────────────────────────────────────────────\n\n /**\n * SEC-012: Exchange a long-lived auth token (in Authorization header)\n * for a short-lived session ID. The session ID can be used in URL\n * query parameters without exposing the long-lived credential.\n *\n * This endpoint performs its OWN auth check (header-only) because it\n * must reject query-parameter tokens and is called before the\n * normal checkAuth flow.\n */\n private handleSessionExchange(req: IncomingMessage, res: ServerResponse): void {\n if (!this.authToken) {\n // Auth disabled — sessions not needed\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ session_id: \"no-auth\" }));\n return;\n }\n\n // Only accept the long-lived token via Authorization header — NEVER from URL\n const authHeader = req.headers.authorization;\n if (!authHeader) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Authorization header required\" }));\n return;\n }\n\n const parts = authHeader.split(\" \");\n if (parts.length !== 2 || parts[0] !== \"Bearer\" || parts[1] !== this.authToken) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid bearer token\" }));\n return;\n }\n\n const sessionId = this.createSession();\n const ttlSeconds = Math.floor(this.sessionTTLMs / 1000);\n res.writeHead(200, {\n \"Content-Type\": \"application/json\",\n \"Set-Cookie\": `sanctuary_session=${sessionId}; Path=/; SameSite=Strict; Max-Age=${ttlSeconds}`,\n });\n res.end(JSON.stringify({\n session_id: sessionId,\n expires_in_seconds: ttlSeconds,\n }));\n }\n\n private serveLoginPage(res: ServerResponse): void {\n res.writeHead(200, {\n \"Content-Type\": \"text/html; charset=utf-8\",\n \"Cache-Control\": \"no-cache, no-store\",\n });\n res.end(this.loginHTML);\n }\n\n private serveDashboard(res: ServerResponse): void {\n res.writeHead(200, {\n \"Content-Type\": \"text/html; charset=utf-8\",\n \"Cache-Control\": \"no-cache\",\n });\n res.end(this.dashboardHTML);\n }\n\n private handleSSE(req: IncomingMessage, res: ServerResponse): void {\n res.writeHead(200, {\n \"Content-Type\": \"text/event-stream\",\n \"Cache-Control\": \"no-cache\",\n \"Connection\": \"keep-alive\",\n });\n\n // Send initial state\n const initData: Record<string, unknown> = {};\n\n if (this.baseline) {\n initData.baseline = this.baseline.getProfile();\n }\n if (this.policy) {\n initData.policy = {\n tier1_always_approve: this.policy.tier1_always_approve,\n tier2_anomaly: this.policy.tier2_anomaly,\n tier3_always_allow: this.policy.tier3_always_allow,\n approval_channel: {\n type: this.policy.approval_channel.type,\n timeout_seconds: this.policy.approval_channel.timeout_seconds,\n auto_deny: true, // SEC-002: hardcoded, not configurable\n },\n };\n }\n\n // Send any current pending requests\n const pendingList = Array.from(this.pending.values()).map((p) => ({\n request_id: p.id,\n operation: p.request.operation,\n tier: p.request.tier,\n reason: p.request.reason,\n context: p.request.context,\n timestamp: p.request.timestamp,\n }));\n if (pendingList.length > 0) {\n initData.pending = pendingList;\n }\n\n res.write(`event: init\\ndata: ${JSON.stringify(initData)}\\n\\n`);\n\n this.sseClients.add(res);\n\n req.on(\"close\", () => {\n this.sseClients.delete(res);\n });\n }\n\n private handleStatus(res: ServerResponse): void {\n const status: Record<string, unknown> = {\n pending_count: this.pending.size,\n connected_clients: this.sseClients.size,\n };\n\n if (this.baseline) {\n status.baseline = this.baseline.getProfile();\n }\n if (this.policy) {\n status.policy = {\n version: this.policy.version,\n tier1_always_approve: this.policy.tier1_always_approve,\n tier2_anomaly: this.policy.tier2_anomaly,\n tier3_always_allow: this.policy.tier3_always_allow,\n approval_channel: {\n type: this.policy.approval_channel.type,\n timeout_seconds: this.policy.approval_channel.timeout_seconds,\n auto_deny: true, // SEC-002: hardcoded, not configurable\n },\n };\n }\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify(status));\n }\n\n private handlePendingList(res: ServerResponse): void {\n const list = Array.from(this.pending.values()).map((p) => ({\n id: p.id,\n operation: p.request.operation,\n tier: p.request.tier,\n reason: p.request.reason,\n context: p.request.context,\n timestamp: p.request.timestamp,\n created_at: p.created_at,\n }));\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify(list));\n }\n\n private handleAuditLog(url: URL, res: ServerResponse): void {\n const limit = parseInt(url.searchParams.get(\"limit\") ?? \"50\", 10);\n\n // AuditLog.query is async, but for the dashboard we return what we can\n if (this.auditLog) {\n this.auditLog.query({ limit }).then((entries) => {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify(entries));\n }).catch(() => {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify([]));\n });\n } else {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify([]));\n }\n }\n\n private handleDecision(id: string, decision: \"approve\" | \"deny\", res: ServerResponse): void {\n const pending = this.pending.get(id);\n if (!pending) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Request not found or already resolved\" }));\n return;\n }\n\n // Clear timeout\n clearTimeout(pending.timer);\n\n // Remove from pending\n this.pending.delete(id);\n\n // Create response\n const response: ApprovalResponse = {\n decision,\n decided_at: new Date().toISOString(),\n decided_by: \"human\",\n };\n\n // Broadcast resolution to all dashboards\n this.broadcastSSE(\"request-resolved\", {\n request_id: id,\n decision,\n decided_by: \"human\",\n });\n\n // Resolve the waiting promise (unblocks the tool call)\n pending.resolve(response);\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ success: true, decision }));\n }\n\n // ── SSE Broadcasting ────────────────────────────────────────────────\n\n broadcastSSE(event: string, data: unknown): void {\n const message = `event: ${event}\\ndata: ${JSON.stringify(data)}\\n\\n`;\n for (const client of this.sseClients) {\n try {\n client.write(message);\n } catch {\n this.sseClients.delete(client);\n }\n }\n }\n\n /**\n * Broadcast an audit entry to connected dashboards.\n * Called externally when audit events happen.\n */\n broadcastAuditEntry(entry: {\n timestamp: string;\n layer: string;\n operation: string;\n identity_id: string;\n }): void {\n this.broadcastSSE(\"audit-entry\", entry);\n }\n\n /**\n * Broadcast a baseline update to connected dashboards.\n * Called externally after baseline changes.\n */\n broadcastBaselineUpdate(): void {\n if (this.baseline) {\n this.broadcastSSE(\"baseline-update\", this.baseline.getProfile());\n }\n }\n\n /**\n * Broadcast a tool call event to connected dashboards.\n * Called from the gate or router when a tool is invoked.\n */\n broadcastToolCall(data: {\n tool: string;\n tier: number;\n allowed: boolean;\n timestamp: string;\n }): void {\n this.broadcastSSE(\"tool-call\", data);\n }\n\n /**\n * Broadcast a context gate decision to connected dashboards.\n */\n broadcastContextGateDecision(data: {\n tool: string;\n fields_filtered: number;\n fields_total: number;\n action: string;\n timestamp: string;\n }): void {\n this.broadcastSSE(\"context-gate-decision\", data);\n }\n\n /**\n * Broadcast current protection status to connected dashboards.\n */\n broadcastProtectionStatus(data: Record<string, unknown>): void {\n this.broadcastSSE(\"protection-status\", data);\n }\n\n /**\n * Open a URL in the system's default browser.\n * Cross-platform: macOS (open), Linux (xdg-open), Windows (start).\n * Fails silently — dashboard still works via terminal URL.\n */\n private openInBrowser(url: string): void {\n const os = platform();\n let cmd: string;\n if (os === \"darwin\") {\n cmd = `open \"${url}\"`;\n } else if (os === \"win32\") {\n cmd = `start \"\" \"${url}\"`;\n } else {\n cmd = `xdg-open \"${url}\"`;\n }\n exec(cmd, (err) => {\n if (err) {\n process.stderr.write(\n ` (Could not auto-open browser. Open the URL above manually.)\\n\\n`\n );\n }\n });\n }\n\n /**\n * Create a pre-authenticated URL for the dashboard.\n * Used by the sanctuary_dashboard_open tool and at startup.\n */\n createSessionUrl(): string {\n const sessionId = this.createSession();\n const protocol = this.useTLS ? \"https\" : \"http\";\n return `${protocol}://${this.config.host}:${this.config.port}/?session=${sessionId}`;\n }\n\n /**\n * Get the base URL for the dashboard.\n */\n getBaseUrl(): string {\n const protocol = this.useTLS ? \"https\" : \"http\";\n return `${protocol}://${this.config.host}:${this.config.port}`;\n }\n\n /** Get the number of pending requests */\n get pendingCount(): number {\n return this.pending.size;\n }\n\n /** Get the number of connected SSE clients */\n get clientCount(): number {\n return this.sseClients.size;\n }\n}\n","/**\n * Sanctuary MCP Server — Webhook Approval Channel\n *\n * Sends approval requests to an external webhook URL and listens for\n * callback responses. Enables integration with Slack, Discord, PagerDuty,\n * or any HTTP-based approval workflow.\n *\n * Architecture:\n * - Outbound: POST approval request to configured webhook_url\n * - Inbound: HTTP callback server listens for POST /webhook/respond/:id\n * - HMAC-SHA256 signatures on both outbound and inbound payloads\n * - Timeout fallback: auto-deny (or auto-approve) if no callback received\n *\n * Security invariants:\n * - All outbound payloads signed with HMAC-SHA256 (webhook_secret)\n * - All inbound callbacks verified with same HMAC-SHA256 signature\n * - Callback server binds to configurable host (default 127.0.0.1)\n * - Replay protection via request ID + pending map (can't approve twice)\n * - All decisions are audit-logged\n */\n\nimport {\n createServer as createHttpServer,\n type IncomingMessage,\n type ServerResponse,\n} from \"node:http\";\nimport { createHmac, randomBytes } from \"node:crypto\";\nimport type { ApprovalChannel } from \"./approval-channel.js\";\nimport type { ApprovalRequest, ApprovalResponse } from \"./types.js\";\n\n// ── Types ───────────────────────────────────────────────────────────────\n\nexport interface WebhookConfig {\n /** URL to POST approval requests to */\n webhook_url: string;\n /** Shared secret for HMAC-SHA256 signatures */\n webhook_secret: string;\n /** Port for the callback listener */\n callback_port: number;\n /** Host for the callback listener (default: 127.0.0.1) */\n callback_host: string;\n /** Seconds to wait for a callback before timeout */\n timeout_seconds: number;\n /** SEC-002: auto_deny is always true. Field retained for interface compat but ignored. */\n auto_deny?: boolean;\n}\n\ninterface PendingWebhookRequest {\n id: string;\n request: ApprovalRequest;\n resolve: (response: ApprovalResponse) => void;\n timer: ReturnType<typeof setTimeout>;\n created_at: string;\n}\n\n/** Outbound webhook payload */\nexport interface WebhookPayload {\n /** Unique request ID */\n request_id: string;\n /** The approval request details */\n operation: string;\n tier: 1 | 2;\n reason: string;\n context: Record<string, unknown>;\n timestamp: string;\n /** URL to POST the response back to */\n callback_url: string;\n /** Seconds until auto-resolution */\n timeout_seconds: number;\n}\n\n/** Inbound callback payload */\nexport interface WebhookCallbackPayload {\n /** The request ID being responded to */\n request_id: string;\n /** The decision */\n decision: \"approve\" | \"deny\";\n}\n\n// ── HMAC Helpers ────────────────────────────────────────────────────────\n\n/**\n * Generate HMAC-SHA256 signature for a payload.\n */\nexport function signPayload(body: string, secret: string): string {\n return createHmac(\"sha256\", secret).update(body).digest(\"hex\");\n}\n\n/**\n * Verify HMAC-SHA256 signature. Uses timing-safe comparison.\n */\nexport function verifySignature(\n body: string,\n signature: string,\n secret: string\n): boolean {\n const expected = signPayload(body, secret);\n if (expected.length !== signature.length) return false;\n // Constant-time comparison\n let mismatch = 0;\n for (let i = 0; i < expected.length; i++) {\n mismatch |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n }\n return mismatch === 0;\n}\n\n// ── Webhook Approval Channel ────────────────────────────────────────────\n\nexport class WebhookApprovalChannel implements ApprovalChannel {\n private config: WebhookConfig;\n private pending: Map<string, PendingWebhookRequest> = new Map();\n private callbackServer: ReturnType<typeof createHttpServer> | null = null;\n\n constructor(config: WebhookConfig) {\n this.config = config;\n }\n\n /**\n * Start the callback listener server.\n */\n async start(): Promise<void> {\n return new Promise((resolve, reject) => {\n this.callbackServer = createHttpServer((req, res) =>\n this.handleCallback(req, res)\n );\n this.callbackServer.listen(\n this.config.callback_port,\n this.config.callback_host,\n () => {\n process.stderr.write(\n `\\n Sanctuary Webhook Callback: http://${this.config.callback_host}:${this.config.callback_port}\\n` +\n ` Webhook target: ${this.config.webhook_url}\\n\\n`\n );\n resolve();\n }\n );\n this.callbackServer.on(\"error\", reject);\n });\n }\n\n /**\n * Stop the callback server and clean up pending requests.\n */\n async stop(): Promise<void> {\n // Resolve all pending as deny\n for (const [, pending] of this.pending) {\n clearTimeout(pending.timer);\n pending.resolve({\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"auto\",\n });\n }\n this.pending.clear();\n\n if (this.callbackServer) {\n return new Promise((resolve) => {\n this.callbackServer!.close(() => resolve());\n });\n }\n }\n\n /**\n * Request approval by POSTing to the webhook and waiting for a callback.\n */\n async requestApproval(request: ApprovalRequest): Promise<ApprovalResponse> {\n const id = randomBytes(8).toString(\"hex\");\n\n // Also write to stderr as notification\n process.stderr.write(\n `[Sanctuary] Webhook approval sent: ${request.operation} (Tier ${request.tier}) — awaiting callback\\n`\n );\n\n return new Promise<ApprovalResponse>((resolve) => {\n // Set up timeout\n const timer = setTimeout(() => {\n this.pending.delete(id);\n const response: ApprovalResponse = {\n // SEC-002: Timeout ALWAYS denies. No configuration can change this.\n decision: \"deny\",\n decided_at: new Date().toISOString(),\n decided_by: \"timeout\",\n };\n resolve(response);\n }, this.config.timeout_seconds * 1000);\n\n // Store pending request\n const pending: PendingWebhookRequest = {\n id,\n request,\n resolve,\n timer,\n created_at: new Date().toISOString(),\n };\n this.pending.set(id, pending);\n\n // Build outbound payload\n const callbackUrl = `http://${this.config.callback_host}:${this.config.callback_port}/webhook/respond/${id}`;\n const payload: WebhookPayload = {\n request_id: id,\n operation: request.operation,\n tier: request.tier,\n reason: request.reason,\n context: request.context,\n timestamp: request.timestamp,\n callback_url: callbackUrl,\n timeout_seconds: this.config.timeout_seconds,\n };\n\n // Send the webhook (fire-and-forget — errors logged, not thrown)\n this.sendWebhook(payload).catch((err) => {\n process.stderr.write(\n `[Sanctuary] Webhook delivery failed: ${err instanceof Error ? err.message : String(err)}\\n`\n );\n });\n });\n }\n\n // ── Outbound Webhook ──────────────────────────────────────────────────\n\n private async sendWebhook(payload: WebhookPayload): Promise<void> {\n const body = JSON.stringify(payload);\n const signature = signPayload(body, this.config.webhook_secret);\n\n const response = await fetch(this.config.webhook_url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n \"X-Sanctuary-Signature\": signature,\n \"X-Sanctuary-Request-Id\": payload.request_id,\n },\n body,\n });\n\n if (!response.ok) {\n throw new Error(\n `Webhook returned ${response.status}: ${await response.text().catch(() => \"\")}`\n );\n }\n }\n\n // ── Inbound Callback Handler ──────────────────────────────────────────\n\n private handleCallback(req: IncomingMessage, res: ServerResponse): void {\n const url = new URL(\n req.url ?? \"/\",\n `http://${req.headers.host ?? \"localhost\"}`\n );\n const method = req.method ?? \"GET\";\n\n // CORS\n res.setHeader(\"Access-Control-Allow-Origin\", \"*\");\n res.setHeader(\"Access-Control-Allow-Methods\", \"POST, OPTIONS\");\n res.setHeader(\n \"Access-Control-Allow-Headers\",\n \"Content-Type, X-Sanctuary-Signature\"\n );\n\n if (method === \"OPTIONS\") {\n res.writeHead(204);\n res.end();\n return;\n }\n\n // Health check\n if (method === \"GET\" && url.pathname === \"/health\") {\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n status: \"ok\",\n pending_count: this.pending.size,\n })\n );\n return;\n }\n\n // Only accept POST /webhook/respond/:id\n const match = url.pathname.match(/^\\/webhook\\/respond\\/([a-f0-9]+)$/);\n if (method !== \"POST\" || !match) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Not found\" }));\n return;\n }\n\n const requestId = match[1];\n\n // Read and verify the body\n let bodyChunks: Buffer[] = [];\n req.on(\"data\", (chunk: Buffer) => bodyChunks.push(chunk));\n req.on(\"end\", () => {\n const body = Buffer.concat(bodyChunks).toString(\"utf-8\");\n\n // Verify HMAC signature\n const signature = req.headers[\"x-sanctuary-signature\"];\n if (\n typeof signature !== \"string\" ||\n !verifySignature(body, signature, this.config.webhook_secret)\n ) {\n res.writeHead(401, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({ error: \"Invalid signature\" })\n );\n return;\n }\n\n // Parse payload\n let callbackPayload: WebhookCallbackPayload;\n try {\n callbackPayload = JSON.parse(body);\n } catch {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(JSON.stringify({ error: \"Invalid JSON\" }));\n return;\n }\n\n // Validate decision\n if (\n callbackPayload.decision !== \"approve\" &&\n callbackPayload.decision !== \"deny\"\n ) {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n error: 'Decision must be \"approve\" or \"deny\"',\n })\n );\n return;\n }\n\n // Validate request_id matches URL\n if (callbackPayload.request_id !== requestId) {\n res.writeHead(400, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({ error: \"Request ID mismatch\" })\n );\n return;\n }\n\n // Find the pending request\n const pending = this.pending.get(requestId);\n if (!pending) {\n res.writeHead(404, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n error: \"Request not found or already resolved\",\n })\n );\n return;\n }\n\n // Clear timeout and resolve\n clearTimeout(pending.timer);\n this.pending.delete(requestId);\n\n const response: ApprovalResponse = {\n decision: callbackPayload.decision,\n decided_at: new Date().toISOString(),\n decided_by: \"human\",\n };\n\n pending.resolve(response);\n\n res.writeHead(200, { \"Content-Type\": \"application/json\" });\n res.end(\n JSON.stringify({\n success: true,\n decision: callbackPayload.decision,\n })\n );\n });\n }\n\n /** Get the number of pending requests */\n get pendingCount(): number {\n return this.pending.size;\n }\n}\n","/**\n * Sanctuary MCP Server — Prompt Injection Detection Layer\n *\n * Fast, zero-dependency detection of common prompt injection patterns.\n * Scans tool arguments for role override, security bypass, encoding evasion,\n * data exfiltration, and prompt stuffing signals.\n *\n * Security invariants:\n * - Always returns a result, never throws\n * - Typical scan completes in < 5ms\n * - False positives minimized via field-aware scanning\n * - Recursive scanning of nested objects/arrays\n */\n\nexport interface InjectionDetectorConfig {\n enabled: boolean;\n sensitivity: \"low\" | \"medium\" | \"high\";\n on_detection: \"escalate\" | \"block\" | \"log\";\n custom_patterns?: string[];\n}\n\nexport interface InjectionSignal {\n type: string;\n pattern: string;\n location: string;\n severity: \"low\" | \"medium\" | \"high\";\n}\n\nexport interface DetectionResult {\n flagged: boolean;\n confidence: number; // 0.0-1.0\n signals: InjectionSignal[];\n recommendation: \"allow\" | \"escalate\" | \"block\";\n}\n\n// Pattern definitions for each detection category\nconst ROLE_OVERRIDE_PATTERNS = [\n /ignore\\s+(?:(?:previous|prior|all)\\s+)?instructions/i,\n /you\\s+are\\s+now/i,\n /\\bsystem\\s*:\\s+(?!working|process|design|architecture)/i,\n /forget\\s+(?:everything|all|prior)/i,\n /disregard\\s+(?:the\\s+)?(?:previous\\s+)?instructions/i,\n /new\\s+instructions\\s*:/i,\n /updated?\\s+instructions\\s*:/i,\n];\n\nconst SECURITY_BYPASS_PATTERNS = [\n /skip\\s+(?:the\\s+)?(?:filter|gate|check|verify|approve)/i,\n /bypass\\s+(?:the\\s+)?(?:filter|gate|security|check)/i,\n /disable\\s+(?:the\\s+)?(?:filter|gate|approval|security|audit|log|encrypt|verify)/i,\n /do\\s+not\\s+(?:audit|log|encrypt|verify|approve|check|sign)/i,\n];\n\nconst TOOL_INVOCATION_PATTERNS = [\n /sanctuary\\//i,\n /concordia\\//i,\n /bridge_/i,\n /handshake_/i,\n];\n\nconst URL_PATTERN = /https?:\\/\\/[^\\s\"'<>]+/i;\nconst EMAIL_PATTERN = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/;\n\n// Zero-width characters that are used in evasion\nconst ZERO_WIDTH_CHARS = [\n \"\\u200B\", // Zero-width space\n \"\\u200C\", // Zero-width non-joiner\n \"\\u200D\", // Zero-width joiner\n \"\\uFEFF\", // Zero-width no-break space\n];\n\nexport class InjectionDetector {\n private config: InjectionDetectorConfig;\n private stats = {\n total_scans: 0,\n total_flags: 0,\n total_blocks: 0,\n signals_by_type: {} as Record<string, number>,\n };\n\n constructor(config: Partial<InjectionDetectorConfig> = {}) {\n this.config = {\n enabled: config.enabled ?? true,\n sensitivity: config.sensitivity ?? \"medium\",\n on_detection: config.on_detection ?? \"escalate\",\n custom_patterns: config.custom_patterns ?? [],\n };\n }\n\n /**\n * Scan tool arguments for injection signals.\n * @param toolName Full tool name (e.g., \"sanctuary/state_read\")\n * @param args Tool arguments\n * @returns DetectionResult with all detected signals\n */\n scan(toolName: string, args: Record<string, unknown>): DetectionResult {\n this.stats.total_scans++;\n\n if (!this.config.enabled) {\n return {\n flagged: false,\n confidence: 0,\n signals: [],\n recommendation: \"allow\",\n };\n }\n\n const signals: InjectionSignal[] = [];\n const visited = new Set<unknown>();\n\n // Recursively scan all string values\n this.scanValue(args, \"\", toolName, signals, visited);\n\n const flagged = signals.length > 0;\n if (flagged) {\n this.stats.total_flags++;\n }\n // Always accumulate signal types, even if not flagged (for visibility)\n for (const sig of signals) {\n this.stats.signals_by_type[sig.type] =\n (this.stats.signals_by_type[sig.type] ?? 0) + 1;\n }\n\n const recommendation = this.computeRecommendation(\n signals,\n this.config.sensitivity\n );\n\n if (recommendation === \"block\") {\n this.stats.total_blocks++;\n }\n\n return {\n flagged,\n confidence: this.computeConfidence(signals),\n signals,\n recommendation,\n };\n }\n\n /**\n * Recursively scan a value and all nested values.\n */\n private scanValue(\n value: unknown,\n path: string,\n toolName: string,\n signals: InjectionSignal[],\n visited: Set<unknown>\n ): void {\n // Prevent circular reference loops\n if (typeof value === \"object\" && value !== null) {\n if (visited.has(value)) return;\n visited.add(value);\n }\n\n if (typeof value === \"string\") {\n this.scanString(value, path, toolName, signals);\n } else if (Array.isArray(value)) {\n for (let i = 0; i < value.length; i++) {\n this.scanValue(value[i], `${path}[${i}]`, toolName, signals, visited);\n }\n } else if (typeof value === \"object\" && value !== null) {\n for (const [key, val] of Object.entries(value)) {\n this.scanValue(val, path ? `${path}.${key}` : key, toolName, signals, visited);\n }\n }\n }\n\n /**\n * Scan a single string for injection signals.\n */\n private scanString(\n value: string,\n path: string,\n _toolName: string,\n signals: InjectionSignal[]\n ): void {\n // Skip obviously safe fields\n if (this.isSafeField(path)) {\n return;\n }\n\n const location = path || \"root\";\n\n // SEC-032: Normalize Unicode before pattern matching.\n // Two-phase normalization:\n // 1. NFKC: maps fullwidth chars, ligatures, compatibility forms to canonical\n // 2. Confusable mapping: replaces common cross-script lookalikes (Cyrillic→Latin)\n // that NFKC doesn't cover (they're distinct codepoints, not compatibility equivalents)\n const normalized = this.normalizeConfusables(value.normalize(\"NFKC\"));\n\n // If normalization changed the string, that's itself a signal\n if (normalized !== value) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"unicode_normalization_delta\",\n location,\n severity: \"medium\",\n });\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // HIGH SEVERITY: Role Override\n // ─────────────────────────────────────────────────────────────────────\n for (const pattern of ROLE_OVERRIDE_PATTERNS) {\n if (pattern.test(normalized)) {\n signals.push({\n type: \"role_override\",\n pattern: pattern.source,\n location,\n severity: \"high\",\n });\n break; // Only report one match per field\n }\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // HIGH SEVERITY: Security Bypass\n // ─────────────────────────────────────────────────────────────────────\n for (const pattern of SECURITY_BYPASS_PATTERNS) {\n if (pattern.test(normalized)) {\n signals.push({\n type: \"security_bypass\",\n pattern: pattern.source,\n location,\n severity: \"high\",\n });\n break; // Only report one match per field\n }\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // MEDIUM SEVERITY: Tool Invocation in Strings\n // ─────────────────────────────────────────────────────────────────────\n if (!this.isToolNameField(path)) {\n for (const pattern of TOOL_INVOCATION_PATTERNS) {\n if (pattern.test(normalized)) {\n signals.push({\n type: \"tool_invocation_in_string\",\n pattern: pattern.source,\n location,\n severity: \"medium\",\n });\n break; // Only report one match per field\n }\n }\n }\n\n // ─────────────────────────────────────────────────────────────────────\n // MEDIUM SEVERITY: Encoding Evasion\n // ─────────────────────────────────────────────────────────────────────\n this.detectEncodingEvasion(value, location, signals);\n\n // ─────────────────────────────────────────────────────────────────────\n // MEDIUM SEVERITY: Data Exfiltration\n // ─────────────────────────────────────────────────────────────────────\n this.detectDataExfiltration(value, location, signals);\n\n // ─────────────────────────────────────────────────────────────────────\n // LOW SEVERITY: Prompt Stuffing\n // ─────────────────────────────────────────────────────────────────────\n this.detectPromptStuffing(value, location, signals);\n }\n\n /**\n * Detect base64 strings and zero-width character evasion.\n */\n private detectEncodingEvasion(\n value: string,\n path: string,\n signals: InjectionSignal[]\n ): void {\n // Base64 detection: alphanumeric + / + = chars, at least 50 chars\n if (\n value.length > 50 &&\n /^[A-Za-z0-9+/]+={0,2}$/.test(value.trim())\n ) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"base64_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // Zero-width character detection\n let zeroWidthCount = 0;\n for (const char of ZERO_WIDTH_CHARS) {\n zeroWidthCount += (value.match(new RegExp(char, \"g\")) || []).length;\n }\n\n if (zeroWidthCount > 0) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"zero_width_characters\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // Unicode category mixing: presence of multiple distinct Unicode categories\n // suggests obfuscation (e.g., mixing CJK, Latin, Arabic, Cyrillic)\n const hasLatin = /[a-zA-Z]/.test(value);\n const hasCJK = /[\\u4E00-\\u9FFF\\u3040-\\u309F\\uAC00-\\uD7AF]/.test(value);\n const hasArabic = /[\\u0600-\\u06FF]/.test(value);\n const hasCyrillic = /[\\u0400-\\u04FF]/.test(value);\n\n const unicodeCategories = [hasLatin, hasCJK, hasArabic, hasCyrillic].filter(\n (x) => x\n ).length;\n\n if (unicodeCategories >= 3) {\n signals.push({\n type: \"encoding_evasion\",\n pattern: \"unicode_category_mixing\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n }\n\n /**\n * Detect URLs and emails in fields that shouldn't have them.\n */\n private detectDataExfiltration(\n value: string,\n path: string,\n signals: InjectionSignal[]\n ): void {\n // Skip obviously safe fields\n if (this.isUrlSafeField(path)) {\n return;\n }\n\n // URL detection in non-url fields\n if (URL_PATTERN.test(value)) {\n signals.push({\n type: \"data_exfiltration\",\n pattern: \"url_in_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // Email detection in non-email fields\n if (EMAIL_PATTERN.test(value) && !this.isEmailSafeField(path)) {\n signals.push({\n type: \"data_exfiltration\",\n pattern: \"email_in_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n\n // JSON/XML embedded in plain string fields\n // Only flag if it looks like deliberate embedding (not just a URL or normal text)\n if (value.length > 30 && value.length < 10000 && !this.isStructuredField(path)) {\n // Look for actual JSON/XML with content, not just edge cases\n const hasJsonContent = /\\{[^}]*\"[^\"]*\"[^}]*\\}/.test(value);\n const hasXmlContent = /<[^>]+>[\\s\\S]*?<\\/[^>]+>/.test(value);\n\n if (hasJsonContent || hasXmlContent) {\n signals.push({\n type: \"data_exfiltration\",\n pattern: \"structured_data_in_string\",\n location: path || \"root\",\n severity: \"medium\",\n });\n }\n }\n }\n\n /**\n * Detect prompt stuffing: very large strings or high repetition.\n */\n private detectPromptStuffing(\n value: string,\n path: string,\n signals: InjectionSignal[]\n ): void {\n // Large string detection (> 10KB)\n if (value.length > 10240) {\n signals.push({\n type: \"prompt_stuffing\",\n pattern: \"large_string\",\n location: path || \"root\",\n severity: \"low\",\n });\n }\n\n // High repetition detection: same substring repeated 10+ times\n // SEC-031: Uses substring counting instead of regex to prevent ReDoS.\n // Checks a fixed set of window sizes (10, 20, 50) for O(n) performance.\n if (value.length >= 100) {\n const windowSizes = [10, 20, 50];\n for (const windowSize of windowSizes) {\n if (value.length < windowSize * 5) continue;\n const pattern = value.substring(0, windowSize);\n let count = 0;\n let idx = 0;\n while (idx <= value.length - windowSize) {\n if (value.substring(idx, idx + windowSize) === pattern) {\n count++;\n idx += windowSize; // Non-overlapping matches\n } else {\n idx++;\n }\n if (count >= 10) break; // Early exit\n }\n if (count >= 10) {\n signals.push({\n type: \"prompt_stuffing\",\n pattern: \"high_repetition\",\n location: path || \"root\",\n severity: \"low\",\n });\n break; // Only report once per field\n }\n }\n }\n }\n\n /**\n * Determine if this field is inherently safe from role override.\n */\n private isSafeField(path: string): boolean {\n // Fields that never contain user instructions\n const safePaths = [\n /\\.version$/i,\n /\\.timestamp$/i,\n /\\.id$/i,\n /\\.uuid$/i,\n /\\.hash$/i,\n /\\.signature$/i,\n /\\.public_key$/i,\n /\\.private_key$/i,\n /\\.did$/i,\n /\\.nonce$/i,\n /\\.salt$/i,\n /\\.iv$/i,\n /^ciphertext$/i,\n /^encrypted$/i,\n ];\n\n return safePaths.some((p) => p.test(path));\n }\n\n /**\n * Determine if this is a tool name field (where tool refs are expected).\n */\n private isToolNameField(path: string): boolean {\n const toolFields = [\n /tool_name/i,\n /\\.tool$/i,\n /^tool$/i,\n /operation/i,\n ];\n return toolFields.some((p) => p.test(path));\n }\n\n /**\n * Determine if this field is safe for URLs.\n */\n private isUrlSafeField(path: string): boolean {\n const urlFields = [\n /url/i,\n /endpoint/i,\n /webhook/i,\n /callback/i,\n ];\n return urlFields.some((p) => p.test(path));\n }\n\n /**\n * Determine if this field is safe for emails.\n */\n private isEmailSafeField(path: string): boolean {\n const emailFields = [\n /email/i,\n /contact/i,\n /recipient/i,\n /sender/i,\n /from/i,\n /to/i,\n ];\n return emailFields.some((p) => p.test(path));\n }\n\n /**\n * Determine if this field is safe for structured data (JSON/XML).\n */\n private isStructuredField(path: string): boolean {\n const structuredFields = [\n /data/i,\n /payload/i,\n /body/i,\n /json/i,\n /xml/i,\n ];\n return structuredFields.some((p) => p.test(path));\n }\n\n /**\n * SEC-032: Map common cross-script confusable characters to their Latin equivalents.\n * NFKC normalization handles fullwidth and compatibility forms, but does NOT map\n * Cyrillic/Greek lookalikes to Latin (they're distinct codepoints by design).\n * This covers the most common confusables used in injection evasion.\n */\n private normalizeConfusables(value: string): string {\n // Map of common confusable characters → Latin equivalents\n // Source: Unicode TR39 confusable mappings (subset covering injection-relevant chars)\n const confusables: Record<string, string> = {\n // Cyrillic → Latin\n \"\\u0410\": \"A\", \"\\u0430\": \"a\", // А а\n \"\\u0412\": \"B\", \"\\u0432\": \"b\", // В (not exact) в (not exact)\n \"\\u0421\": \"C\", \"\\u0441\": \"c\", // С с\n \"\\u0415\": \"E\", \"\\u0435\": \"e\", // Е е\n \"\\u041D\": \"H\", \"\\u043D\": \"h\", // Н (not exact) н (not exact)\n \"\\u041A\": \"K\", \"\\u043A\": \"k\", // К к (not exact)\n \"\\u041C\": \"M\", \"\\u043C\": \"m\", // М (not exact) м (not exact)\n \"\\u041E\": \"O\", \"\\u043E\": \"o\", // О о\n \"\\u0420\": \"P\", \"\\u0440\": \"p\", // Р р\n \"\\u0422\": \"T\", \"\\u0442\": \"t\", // Т (not exact) т (not exact)\n \"\\u0425\": \"X\", \"\\u0445\": \"x\", // Х х\n \"\\u0423\": \"Y\", \"\\u0443\": \"y\", // У (not exact) у\n // Greek → Latin\n \"\\u0391\": \"A\", \"\\u03B1\": \"a\", // Α α (not exact)\n \"\\u0392\": \"B\", \"\\u03B2\": \"b\", // Β β (not exact)\n \"\\u0395\": \"E\", \"\\u03B5\": \"e\", // Ε ε (not exact)\n \"\\u0397\": \"H\", // Η\n \"\\u0399\": \"I\", \"\\u03B9\": \"i\", // Ι ι\n \"\\u039A\": \"K\", \"\\u03BA\": \"k\", // Κ κ\n \"\\u039C\": \"M\", // Μ\n \"\\u039D\": \"N\", // Ν\n \"\\u039F\": \"O\", \"\\u03BF\": \"o\", // Ο ο\n \"\\u03A1\": \"P\", \"\\u03C1\": \"p\", // Ρ ρ (not exact)\n \"\\u03A4\": \"T\", \"\\u03C4\": \"t\", // Τ τ (not exact)\n \"\\u03A5\": \"Y\", \"\\u03C5\": \"y\", // Υ υ (not exact)\n \"\\u03A7\": \"X\", \"\\u03C7\": \"x\", // Χ χ (not exact)\n };\n\n let result = value;\n // Only scan if the string contains non-ASCII characters (fast path)\n // eslint-disable-next-line no-control-regex\n if (/[^\\x00-\\x7F]/.test(value)) {\n const chars = [];\n for (const ch of result) {\n chars.push(confusables[ch] ?? ch);\n }\n result = chars.join(\"\");\n }\n return result;\n }\n\n /**\n * Compute confidence score based on signals.\n * More high-severity signals = higher confidence.\n */\n private computeConfidence(signals: InjectionSignal[]): number {\n if (signals.length === 0) return 0;\n\n let score = 0;\n let highCount = 0;\n\n for (const sig of signals) {\n switch (sig.severity) {\n case \"high\":\n highCount++;\n score += 0.35;\n break;\n case \"medium\":\n score += 0.15;\n break;\n case \"low\":\n score += 0.05;\n break;\n }\n }\n\n // Each additional high-severity signal increases confidence\n if (highCount > 1) {\n score += (highCount - 1) * 0.15;\n }\n\n // Cap at 1.0\n return Math.min(score, 1.0);\n }\n\n /**\n * Compute recommendation based on signals and sensitivity.\n */\n private computeRecommendation(\n signals: InjectionSignal[],\n sensitivity: \"low\" | \"medium\" | \"high\"\n ): \"allow\" | \"escalate\" | \"block\" {\n if (signals.length === 0) return \"allow\";\n\n const highSeverity = signals.filter((s) => s.severity === \"high\");\n const mediumSeverity = signals.filter((s) => s.severity === \"medium\");\n\n switch (sensitivity) {\n case \"low\":\n // Only high-severity signals trigger escalation\n return highSeverity.length > 0 ? \"escalate\" : \"allow\";\n\n case \"medium\":\n // High-severity → block, medium → escalate, low → allow\n if (highSeverity.length > 0) return \"block\";\n return mediumSeverity.length > 0 ? \"escalate\" : \"allow\";\n\n case \"high\":\n // High-severity → block, medium → block, low → escalate\n if (highSeverity.length > 0 || mediumSeverity.length > 1) return \"block\";\n if (mediumSeverity.length > 0) return \"block\";\n return signals.length > 0 ? \"escalate\" : \"allow\";\n }\n }\n\n /**\n * Get statistics about scans performed.\n */\n getStats(): {\n total_scans: number;\n total_flags: number;\n total_blocks: number;\n signals_by_type: Record<string, number>;\n } {\n return {\n total_scans: this.stats.total_scans,\n total_flags: this.stats.total_flags,\n total_blocks: this.stats.total_blocks,\n signals_by_type: { ...this.stats.signals_by_type },\n };\n }\n\n /**\n * Reset statistics.\n */\n resetStats(): void {\n this.stats = {\n total_scans: 0,\n total_flags: 0,\n total_blocks: 0,\n signals_by_type: {},\n };\n }\n}\n","/**\n * Sanctuary MCP Server — Approval Gate\n *\n * The three-tier approval gate sits between the MCP router and tool handlers.\n * Every tool call passes through the gate before execution.\n *\n * Evaluation order:\n * 1. Tier 1: Is this operation in the always-approve list? → Request approval.\n * 2. Tier 2: Does this call represent a behavioral anomaly? → Request approval.\n * 3. Tier 3 / default: Allow with audit logging.\n *\n * Security invariants:\n * - The gate cannot be bypassed — it wraps every tool handler.\n * - Denial responses do not reveal policy details to the agent.\n * - All gate decisions (approve, deny, allow) are audit-logged.\n */\n\nimport type { PrincipalPolicy, GateResult, ApprovalRequest } from \"./types.js\";\nimport type { ApprovalChannel } from \"./approval-channel.js\";\nimport { BaselineTracker } from \"./baseline.js\";\nimport { extractOperationName } from \"./loader.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { InjectionDetector, type DetectionResult } from \"../security/injection-detector.js\";\n\n/** Callback invoked when an injection is detected, for dashboard broadcasting */\nexport type InjectionAlertCallback = (alert: {\n toolName: string;\n result: DetectionResult;\n timestamp: string;\n}) => void;\n\nexport class ApprovalGate {\n private policy: PrincipalPolicy;\n private baseline: BaselineTracker;\n private channel: ApprovalChannel;\n private auditLog: AuditLog;\n private injectionDetector: InjectionDetector;\n private onInjectionAlert?: InjectionAlertCallback;\n\n constructor(\n policy: PrincipalPolicy,\n baseline: BaselineTracker,\n channel: ApprovalChannel,\n auditLog: AuditLog,\n injectionDetector?: InjectionDetector,\n onInjectionAlert?: InjectionAlertCallback\n ) {\n this.policy = policy;\n this.baseline = baseline;\n this.channel = channel;\n this.auditLog = auditLog;\n this.injectionDetector = injectionDetector ?? new InjectionDetector();\n this.onInjectionAlert = onInjectionAlert;\n }\n\n /**\n * Evaluate a tool call against the Principal Policy.\n *\n * @param toolName - Full MCP tool name (e.g., \"sanctuary/state_export\")\n * @param args - Tool call arguments (for context extraction)\n * @returns GateResult indicating whether the call is allowed\n */\n async evaluate(\n toolName: string,\n args: Record<string, unknown>\n ): Promise<GateResult> {\n const operation = extractOperationName(toolName);\n\n // Record the tool call in the baseline tracker\n this.baseline.recordToolCall(operation);\n\n // ── Pre-check: Prompt injection detection ────────────────────────\n const injectionResult = this.injectionDetector.scan(toolName, args);\n if (injectionResult.flagged) {\n this.auditLog.append(\"l2\", `injection_detected:${operation}`, \"system\", {\n confidence: injectionResult.confidence,\n signals: injectionResult.signals.map(s => ({\n type: s.type,\n location: s.location,\n severity: s.severity,\n })),\n recommendation: injectionResult.recommendation,\n });\n\n // Notify dashboard if callback is registered\n if (this.onInjectionAlert) {\n this.onInjectionAlert({\n toolName,\n result: injectionResult,\n timestamp: new Date().toISOString(),\n });\n }\n\n if (injectionResult.recommendation === \"block\") {\n return {\n allowed: false,\n tier: 1,\n reason: `Blocked: prompt injection detected in \"${operation}\" (confidence: ${(injectionResult.confidence * 100).toFixed(0)}%)`,\n approval_required: false,\n };\n }\n\n if (injectionResult.recommendation === \"escalate\") {\n return this.requestApproval(\n operation,\n 1,\n `Potential prompt injection detected in \"${operation}\" (confidence: ${(injectionResult.confidence * 100).toFixed(0)}%, ${injectionResult.signals.length} signal(s))`,\n {\n operation,\n injection_detection: {\n confidence: injectionResult.confidence,\n signal_count: injectionResult.signals.length,\n signal_types: [...new Set(injectionResult.signals.map(s => s.type))],\n },\n }\n );\n }\n }\n\n // ── Tier 1: Always requires approval ──────────────────────────────\n if (this.policy.tier1_always_approve.includes(operation)) {\n return this.requestApproval(operation, 1, `\"${operation}\" is a Tier 1 operation (always requires approval)`, {\n operation,\n args_summary: this.summarizeArgs(args),\n });\n }\n\n // ── Tier 2: Behavioral anomaly detection ──────────────────────────\n const anomaly = this.detectAnomaly(operation, args);\n if (anomaly) {\n return this.requestApproval(operation, 2, anomaly.reason, anomaly.context);\n }\n\n // ── Tier 3: Allow with audit logging (only for explicitly listed operations)\n if (this.policy.tier3_always_allow.includes(operation)) {\n this.auditLog.append(\"l2\", `gate_allow:${operation}`, \"system\", {\n tier: 3,\n operation,\n });\n\n return {\n allowed: true,\n tier: 3,\n reason: \"Operation allowed (Tier 3)\",\n approval_required: false,\n };\n }\n\n // ── Unlisted operation: default to Tier 1 (require approval) ─────\n // SEC-011: Operations not classified in any tier must not auto-allow.\n // Safe default is to require human approval.\n this.auditLog.append(\"l2\", `gate_unclassified:${operation}`, \"system\", {\n tier: 1,\n operation,\n warning: \"Operation is not classified in any policy tier — defaulting to Tier 1 (require approval)\",\n });\n\n return this.requestApproval(\n operation,\n 1,\n `\"${operation}\" is not classified in any policy tier — requires approval (SEC-011 safe default)`,\n { operation, unclassified: true }\n );\n }\n\n /**\n * Detect Tier 2 behavioral anomalies.\n */\n private detectAnomaly(\n operation: string,\n args: Record<string, unknown>\n ): { reason: string; context: Record<string, unknown> } | null {\n const config = this.policy.tier2_anomaly;\n\n // ── First session check ───────────────────────────────────────────\n if (this.baseline.isFirstSession && config.first_session_policy === \"approve\") {\n // On first session, only Tier 3 operations are auto-allowed\n if (!this.policy.tier3_always_allow.includes(operation)) {\n return {\n reason: `First session: \"${operation}\" has no established baseline`,\n context: { operation, is_first_session: true },\n };\n }\n }\n\n // ── New namespace access ──────────────────────────────────────────\n if (config.new_namespace_access === \"approve\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n const isNew = this.baseline.recordNamespaceAccess(namespace);\n if (isNew) {\n return {\n reason: `First access to namespace \"${namespace}\" (not in session baseline)`,\n context: {\n operation,\n namespace,\n known_namespaces: this.baseline.getProfile().known_namespaces,\n },\n };\n }\n }\n } else if (config.new_namespace_access === \"log\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n this.baseline.recordNamespaceAccess(namespace);\n }\n }\n\n // ── New counterparty ──────────────────────────────────────────────\n if (config.new_counterparty === \"approve\") {\n const counterpartyDid =\n (args.counterparty_did as string) ?? (args.agent_identity_id as string);\n if (counterpartyDid) {\n const isNew = this.baseline.recordCounterparty(counterpartyDid);\n if (isNew) {\n return {\n reason: `First interaction with counterparty \"${counterpartyDid}\"`,\n context: {\n operation,\n counterparty_did: counterpartyDid,\n known_counterparties: this.baseline.getProfile().known_counterparties,\n },\n };\n }\n }\n } else if (config.new_counterparty === \"log\") {\n const counterpartyDid = args.counterparty_did as string;\n if (counterpartyDid) {\n this.baseline.recordCounterparty(counterpartyDid);\n }\n }\n\n // ── Signing frequency ─────────────────────────────────────────────\n if (operation === \"identity_sign\") {\n const signCount = this.baseline.recordSign();\n if (signCount > config.max_signs_per_minute) {\n return {\n reason: `Signing frequency (${signCount}/min) exceeds limit (${config.max_signs_per_minute}/min)`,\n context: {\n operation,\n signs_per_minute: signCount,\n limit: config.max_signs_per_minute,\n },\n };\n }\n }\n\n // ── Bulk read detection ───────────────────────────────────────────\n if (operation === \"state_read\") {\n const namespace = args.namespace as string | undefined;\n if (namespace) {\n const readCount = this.baseline.recordNamespaceRead(namespace);\n if (readCount > config.bulk_read_threshold) {\n return {\n reason: `Bulk read detected: ${readCount} reads from \"${namespace}\" in 60 seconds (threshold: ${config.bulk_read_threshold})`,\n context: {\n operation,\n namespace,\n reads_in_window: readCount,\n threshold: config.bulk_read_threshold,\n },\n };\n }\n }\n }\n\n // ── Frequency spike ───────────────────────────────────────────────\n const callRate = this.baseline.getCallRate(operation);\n const avgRate = this.baseline.getAverageCallRate();\n if (\n avgRate > 0 &&\n callRate > avgRate * config.frequency_spike_multiplier\n ) {\n return {\n reason: `Frequency spike: \"${operation}\" at ${callRate}/min (${config.frequency_spike_multiplier}× above average ${avgRate.toFixed(1)}/min)`,\n context: {\n operation,\n current_rate: callRate,\n average_rate: avgRate,\n multiplier: config.frequency_spike_multiplier,\n },\n };\n }\n\n return null;\n }\n\n /**\n * Request approval from the human principal.\n */\n private async requestApproval(\n operation: string,\n tier: 1 | 2,\n reason: string,\n context: Record<string, unknown>\n ): Promise<GateResult> {\n const request: ApprovalRequest = {\n operation,\n tier,\n reason,\n context,\n timestamp: new Date().toISOString(),\n };\n\n const response = await this.channel.requestApproval(request);\n\n // Audit log the decision\n this.auditLog.append(\"l2\", `gate_${response.decision}:${operation}`, \"system\", {\n tier,\n reason,\n decided_by: response.decided_by,\n });\n\n return {\n allowed: response.decision === \"approve\",\n tier,\n reason: response.decision === \"approve\"\n ? `Approved by ${response.decided_by}`\n : reason,\n approval_required: true,\n approval_response: response,\n };\n }\n\n /**\n * Summarize tool arguments for the approval prompt.\n * Strips potentially large values to keep the prompt readable.\n */\n private summarizeArgs(args: Record<string, unknown>): Record<string, unknown> {\n const summary: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(args)) {\n if (typeof value === \"string\" && value.length > 100) {\n summary[key] = value.slice(0, 100) + \"...\";\n } else {\n summary[key] = value;\n }\n }\n return summary;\n }\n\n /** Get the baseline tracker for saving at session end */\n getBaseline(): BaselineTracker {\n return this.baseline;\n }\n\n /** Get the injection detector for stats/configuration access */\n getInjectionDetector(): InjectionDetector {\n return this.injectionDetector;\n }\n}\n","/**\n * Sanctuary MCP Server — Principal Policy MCP Tools\n *\n * Read-only tools that let the agent (and human) inspect the current\n * Principal Policy and behavioral baseline. These are Tier 3 operations —\n * always allowed, audit-logged, and cannot modify the policy or baseline.\n *\n * Security invariant:\n * - These tools are strictly read-only.\n * - No tool can modify the Principal Policy (it's frozen at startup).\n * - No tool can directly modify the behavioral baseline.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { PrincipalPolicy } from \"./types.js\";\nimport type { BaselineTracker } from \"./baseline.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\n\nexport function createPrincipalPolicyTools(\n policy: PrincipalPolicy,\n baseline: BaselineTracker,\n auditLog: AuditLog\n): ToolDefinition[] {\n return [\n {\n name: \"sanctuary/principal_policy_view\",\n description:\n \"View the current Principal Policy — the human-controlled rules \" +\n \"governing what operations require approval. Read-only.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_defaults: {\n type: \"boolean\",\n description: \"Include tier3_always_allow list (can be long)\",\n default: false,\n },\n },\n },\n handler: async (args) => {\n const includeDefaults = args.include_defaults as boolean ?? false;\n\n const view: Record<string, unknown> = {\n version: policy.version,\n tier1_always_approve: policy.tier1_always_approve,\n tier2_anomaly: policy.tier2_anomaly,\n approval_channel: {\n type: policy.approval_channel.type,\n timeout_seconds: policy.approval_channel.timeout_seconds,\n auto_deny: true, // SEC-002: hardcoded, not configurable\n },\n };\n\n if (includeDefaults) {\n view.tier3_always_allow = policy.tier3_always_allow;\n } else {\n view.tier3_always_allow_count = policy.tier3_always_allow.length;\n view.note =\n \"Pass include_defaults: true to see the full tier3_always_allow list\";\n }\n\n auditLog.append(\"l2\", \"principal_policy_view\", \"system\", {\n include_defaults: includeDefaults,\n });\n\n return toolResult(view);\n },\n },\n\n {\n name: \"sanctuary/principal_baseline_view\",\n description:\n \"View the current behavioral baseline — the session profile used \" +\n \"for anomaly detection. Shows known namespaces, counterparties, \" +\n \"and tool call counts. Read-only.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const profile = baseline.getProfile();\n\n auditLog.append(\"l2\", \"principal_baseline_view\", \"system\");\n\n return toolResult({\n is_first_session: profile.is_first_session,\n session_started_at: profile.started_at,\n known_namespaces: profile.known_namespaces,\n known_counterparties: profile.known_counterparties,\n tool_call_counts: profile.tool_call_counts,\n last_saved: profile.saved_at ?? \"not yet saved\",\n });\n },\n },\n ];\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Health Report (SHR) Types\n *\n * Machine-readable, signed, versioned sovereignty capability advertisement.\n * An agent presents its SHR to counterparties to prove its sovereignty posture.\n * The SHR is signed by one of the instance's Ed25519 identities and can be\n * independently verified by any party without trusting the presenter.\n *\n * SHR version: 1.0\n */\n\n// ── Layer Status ─────────────────────────────────────────────────────\n\nexport type LayerStatus = \"active\" | \"degraded\" | \"inactive\";\nexport type DegradationSeverity = \"info\" | \"warning\" | \"critical\";\nexport type DegradationCode =\n | \"NO_TEE\"\n | \"PROCESS_ISOLATION_ONLY\"\n | \"COMMITMENT_ONLY\"\n | \"NO_ZK_PROOFS\"\n | \"SELF_REPORTED_ATTESTATION\"\n | \"NO_SELECTIVE_DISCLOSURE\"\n | \"BASIC_SYBIL_ONLY\";\n\n// ── SHR Body (signed content) ────────────────────────────────────────\n\nexport interface SHRLayerL1 {\n status: LayerStatus;\n encryption: string;\n key_custody: \"self\" | \"delegated\" | \"platform\";\n integrity: string;\n identity_type: string;\n state_portable: boolean;\n}\n\nexport interface SHRLayerL2 {\n status: LayerStatus;\n isolation_type: string;\n attestation_available: boolean;\n}\n\nexport interface SHRLayerL3 {\n status: LayerStatus;\n proof_system: string;\n selective_disclosure: boolean;\n}\n\nexport interface SHRLayerL4 {\n status: LayerStatus;\n reputation_mode: string;\n attestation_format: string;\n reputation_portable: boolean;\n}\n\nexport interface SHRDegradation {\n layer: \"l1\" | \"l2\" | \"l3\" | \"l4\";\n code: DegradationCode;\n severity: DegradationSeverity;\n description: string;\n mitigation?: string;\n}\n\nexport interface SHRCapabilities {\n handshake: boolean;\n shr_exchange: boolean;\n reputation_verify: boolean;\n encrypted_channel: boolean;\n}\n\n/**\n * The SHR body — the content that gets signed.\n * Canonical form: JSON with sorted keys, no whitespace.\n */\nexport interface SHRBody {\n shr_version: \"1.0\";\n implementation: {\n sanctuary_version: string;\n node_version: string;\n generated_by: string; // \"sanctuary-mcp-server\"\n };\n instance_id: string;\n generated_at: string;\n expires_at: string;\n layers: {\n l1: SHRLayerL1;\n l2: SHRLayerL2;\n l3: SHRLayerL3;\n l4: SHRLayerL4;\n };\n capabilities: SHRCapabilities;\n degradations: SHRDegradation[];\n}\n\n/**\n * The complete signed SHR — body + signature envelope.\n */\nexport interface SignedSHR {\n body: SHRBody;\n signed_by: string; // Public key (base64url)\n signature: string; // Ed25519 signature over canonical body (base64url)\n}\n\n// ── Verification result ──────────────────────────────────────────────\n\nexport interface SHRVerificationResult {\n valid: boolean;\n errors: string[];\n warnings: string[];\n sovereignty_level: \"full\" | \"degraded\" | \"minimal\";\n counterparty_id: string;\n expires_at: string;\n}\n\n// ── Canonical serialization ──────────────────────────────────────────\n\n/**\n * Produce a canonical JSON representation of an SHR body.\n * Sorted keys, no whitespace — deterministic for signing.\n */\nexport function canonicalize(body: SHRBody): string {\n return JSON.stringify(body, Object.keys(body).sort(), 0)\n .replace(/\\n/g, \"\");\n}\n\n/**\n * Deep-sort an object's keys for canonical JSON.\n * Handles nested objects and arrays.\n */\nexport function deepSortKeys(obj: unknown): unknown {\n if (obj === null || typeof obj !== \"object\") return obj;\n if (Array.isArray(obj)) return obj.map(deepSortKeys);\n const sorted: Record<string, unknown> = {};\n for (const key of Object.keys(obj as Record<string, unknown>).sort()) {\n sorted[key] = deepSortKeys((obj as Record<string, unknown>)[key]);\n }\n return sorted;\n}\n\n/**\n * Canonical serialization suitable for signing.\n */\nexport function canonicalizeForSigning(body: SHRBody): string {\n return JSON.stringify(deepSortKeys(body));\n}\n","/**\n * Sanctuary MCP Server — SHR Generator\n *\n * Generates a Sovereignty Health Report from current server state,\n * signs it with a specified identity, and returns the complete signed SHR.\n */\n\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type {\n SHRBody,\n SignedSHR,\n SHRDegradation,\n DegradationCode,\n} from \"./types.js\";\nimport { canonicalizeForSigning } from \"./types.js\";\nimport { sign } from \"../core/identity.js\";\nimport { toBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\n\n/** Default SHR validity window: 1 hour */\nconst DEFAULT_VALIDITY_MS = 60 * 60 * 1000;\n\nexport interface SHRGeneratorOptions {\n config: SanctuaryConfig;\n identityManager: IdentityManager;\n masterKey: Uint8Array;\n /** Override validity window (milliseconds). Default: 1 hour. */\n validityMs?: number;\n}\n\n/**\n * Generate and sign a Sovereignty Health Report.\n *\n * @param identityId - Which identity to sign with (defaults to primary)\n * @param opts - Generator dependencies\n * @returns The signed SHR, or an error string\n */\nexport function generateSHR(\n identityId: string | undefined,\n opts: SHRGeneratorOptions\n): SignedSHR | string {\n const { config, identityManager, masterKey, validityMs } = opts;\n\n // Resolve signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return \"No identity available for signing. Create an identity first.\";\n }\n\n const now = new Date();\n const expiresAt = new Date(now.getTime() + (validityMs ?? DEFAULT_VALIDITY_MS));\n\n // Assess degradations\n const degradations: SHRDegradation[] = [];\n\n if (config.execution.environment === \"local-process\") {\n degradations.push({\n layer: \"l2\",\n code: \"PROCESS_ISOLATION_ONLY\" as DegradationCode,\n severity: \"warning\",\n description: \"Process-level isolation only (no TEE)\",\n mitigation: \"TEE support planned for a future release\",\n });\n degradations.push({\n layer: \"l2\",\n code: \"SELF_REPORTED_ATTESTATION\" as DegradationCode,\n severity: \"warning\",\n description: \"Attestation is self-reported (no hardware root of trust)\",\n mitigation: \"TEE attestation planned for a future release\",\n });\n }\n\n // Note: L3 is NOT degraded. Sanctuary's Schnorr proofs + Pedersen commitments +\n // range proofs are genuine zero-knowledge proofs. The \"commitment-only\" label was\n // a categorization error — these ARE ZK proofs with selective disclosure capability.\n\n // Build the SHR body\n const body: SHRBody = {\n shr_version: \"1.0\",\n implementation: {\n sanctuary_version: config.version,\n node_version: process.versions.node,\n generated_by: \"sanctuary-mcp-server\",\n },\n instance_id: identity.identity_id,\n generated_at: now.toISOString(),\n expires_at: expiresAt.toISOString(),\n layers: {\n l1: {\n status: \"active\",\n encryption: config.state.encryption,\n key_custody: \"self\",\n integrity: config.state.integrity,\n identity_type: config.state.identity_provider,\n state_portable: true,\n },\n l2: {\n status: config.execution.environment === \"local-process\"\n ? \"degraded\"\n : \"active\",\n isolation_type: config.execution.environment,\n attestation_available: config.execution.attestation,\n },\n l3: {\n status: \"active\",\n proof_system: config.disclosure.proof_system,\n selective_disclosure: true,\n },\n l4: {\n status: \"active\",\n reputation_mode: config.reputation.mode,\n attestation_format: config.reputation.attestation_format,\n reputation_portable: true,\n },\n },\n capabilities: {\n handshake: true,\n shr_exchange: true,\n reputation_verify: true,\n encrypted_channel: false, // Not yet implemented\n },\n degradations,\n };\n\n // Canonical serialization for signing\n const canonical = canonicalizeForSigning(body);\n const payload = stringToBytes(canonical);\n\n // Sign with the identity's private key\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const signatureBytes = sign(\n payload,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n return {\n body,\n signed_by: identity.public_key,\n signature: toBase64url(signatureBytes),\n };\n}\n","/**\n * Sanctuary MCP Server — SHR Verifier\n *\n * Verifies a counterparty's Sovereignty Health Report:\n * - Signature validity (Ed25519 over canonical body)\n * - Temporal validity (not expired)\n * - Schema completeness\n * - Sovereignty level assessment\n */\n\nimport type { SignedSHR, SHRVerificationResult, SHRBody } from \"./types.js\";\nimport { canonicalizeForSigning } from \"./types.js\";\nimport { verify } from \"../core/identity.js\";\nimport { fromBase64url, stringToBytes } from \"../core/encoding.js\";\n\n/**\n * Verify a signed SHR.\n *\n * @param shr - The signed SHR to verify\n * @param now - Optional override for current time (for testing)\n * @returns Verification result with validity, errors, warnings, and sovereignty assessment\n */\nexport function verifySHR(\n shr: SignedSHR,\n now?: Date\n): SHRVerificationResult {\n const errors: string[] = [];\n const warnings: string[] = [];\n const currentTime = now ?? new Date();\n\n // 1. Schema validation\n if (!shr.body || !shr.signed_by || !shr.signature) {\n errors.push(\"Missing required SHR fields (body, signed_by, or signature)\");\n return {\n valid: false,\n errors,\n warnings,\n sovereignty_level: \"minimal\",\n counterparty_id: shr.body?.instance_id ?? \"unknown\",\n expires_at: shr.body?.expires_at ?? \"unknown\",\n };\n }\n\n if (shr.body.shr_version !== \"1.0\") {\n errors.push(`Unsupported SHR version: ${shr.body.shr_version}`);\n }\n\n // 2. Temporal validation\n const expiresAt = new Date(shr.body.expires_at);\n if (isNaN(expiresAt.getTime())) {\n errors.push(\"Invalid expires_at timestamp\");\n } else if (currentTime > expiresAt) {\n errors.push(`SHR expired at ${shr.body.expires_at}`);\n }\n\n const generatedAt = new Date(shr.body.generated_at);\n if (isNaN(generatedAt.getTime())) {\n errors.push(\"Invalid generated_at timestamp\");\n } else if (generatedAt > currentTime) {\n warnings.push(\"SHR generated_at is in the future — clock skew detected\");\n }\n\n // 3. Signature verification\n try {\n const publicKey = fromBase64url(shr.signed_by);\n const signatureBytes = fromBase64url(shr.signature);\n const canonical = canonicalizeForSigning(shr.body);\n const payload = stringToBytes(canonical);\n\n const signatureValid = verify(payload, signatureBytes, publicKey);\n if (!signatureValid) {\n errors.push(\"Invalid signature — SHR may have been tampered with\");\n }\n } catch (e) {\n errors.push(`Signature verification failed: ${(e as Error).message}`);\n }\n\n // 4. Layer completeness check\n const { layers } = shr.body;\n if (!layers.l1 || !layers.l2 || !layers.l3 || !layers.l4) {\n errors.push(\"Missing one or more layer definitions\");\n }\n\n // 5. Assess sovereignty level\n const sovereigntyLevel = assessSovereigntyLevel(shr.body);\n\n // 6. Add warnings for degradations\n for (const d of shr.body.degradations ?? []) {\n if (d.severity === \"critical\") {\n warnings.push(`Critical degradation in ${d.layer}: ${d.description}`);\n }\n }\n\n return {\n valid: errors.length === 0,\n errors,\n warnings,\n sovereignty_level: sovereigntyLevel,\n counterparty_id: shr.body.instance_id,\n expires_at: shr.body.expires_at,\n };\n}\n\n/**\n * Assess the overall sovereignty level from an SHR body.\n */\nfunction assessSovereigntyLevel(\n body: SHRBody\n): \"full\" | \"degraded\" | \"minimal\" {\n const { l1, l2, l3, l4 } = body.layers;\n\n // All active = full\n if (\n l1.status === \"active\" &&\n l2.status === \"active\" &&\n l3.status === \"active\" &&\n l4.status === \"active\"\n ) {\n return \"full\";\n }\n\n // L1 must be active for anything above minimal\n if (l1.status !== \"active\") {\n return \"minimal\";\n }\n\n // L1 active but others degraded = degraded\n if (l4.status === \"active\" || l4.status === \"degraded\") {\n return \"degraded\";\n }\n\n return \"minimal\";\n}\n","/**\n * Sanctuary MCP Server — Ping Identity Gateway Adapter\n *\n * Transforms Sovereignty Health Reports (SHRs) into authorization contexts\n * compatible with Ping Identity's Agent Gateway for runtime access decisions.\n *\n * The adapter generates:\n * 1. Overall sovereignty score (0-100)\n * 2. Per-layer capability assessments\n * 3. Authorization-relevant feature flags\n * 4. Recommended trust levels and constraints\n * 5. Authorization policy recommendations for the gateway\n */\n\nimport type { SignedSHR, SHRBody, SHRDegradation } from \"./types.js\";\n\n// ── Gateway Authorization Context ───────────────────────────────────────\n\n/**\n * A Ping Identity-compatible authorization context derived from an SHR.\n * This structure is designed to be passed to the Agent Gateway for\n * runtime access decisions.\n */\nexport interface PingAuthorizationContext {\n /** SHR version — for compatibility tracking */\n shr_version: string;\n\n /** Agent's Ed25519 public key (base64url) — for identity verification */\n agent_identity: string;\n\n /** When the context was generated (ISO 8601) */\n generated_at: string;\n\n /** When the underlying SHR expires (ISO 8601) */\n context_expires_at: string;\n\n /** Overall sovereignty score (0-100) */\n overall_score: number;\n\n /** Recommended trust level based on sovereignty posture */\n recommended_trust_level: \"full\" | \"elevated\" | \"standard\" | \"restricted\";\n\n /** Per-layer sovereignty scores */\n layer_scores: {\n l1_cognitive: number;\n l2_operational: number;\n l3_disclosure: number;\n l4_reputation: number;\n };\n\n /** Per-layer status: active, degraded, inactive */\n layer_status: {\n l1_cognitive: string;\n l2_operational: string;\n l3_disclosure: string;\n l4_reputation: string;\n };\n\n /** Authorization-relevant capability flags */\n authorization_signals: {\n /** Is human approval required for sensitive operations? */\n approval_gate_active: boolean;\n\n /** Is outbound data filtered by context gating? */\n context_gating_active: boolean;\n\n /** Is agent state encrypted at rest? */\n encryption_at_rest: boolean;\n\n /** Is anomaly detection / behavioral baseline active? */\n behavioral_baseline_active: boolean;\n\n /** Does the agent have cryptographic identity (Ed25519)? */\n identity_verified: boolean;\n\n /** Can the agent conduct zero-knowledge proofs? */\n zero_knowledge_capable: boolean;\n\n /** Is selective disclosure enabled? */\n selective_disclosure_active: boolean;\n\n /** Can the agent perform portable reputation verification? */\n reputation_portable: boolean;\n\n /** Can the agent conduct handshakes? */\n handshake_capable: boolean;\n };\n\n /** Degradations that affect authorization */\n degradations: GatewayDegradation[];\n\n /** Recommended authorization constraints */\n recommended_constraints: AuthorizationConstraint[];\n\n /** The underlying SHR signature for verification */\n shr_signature: string;\n\n /** Base64url-encoded public key that signed the SHR */\n shr_signed_by: string;\n}\n\n/**\n * A degradation reframed for authorization context.\n */\nexport interface GatewayDegradation {\n layer: string;\n code: string;\n severity: string;\n description: string;\n authorization_impact: string;\n}\n\n/**\n * An authorization constraint recommended based on the agent's sovereignty posture.\n */\nexport interface AuthorizationConstraint {\n /** Constraint type: read_only, requires_approval, restricted_scope, identity_verification_required, etc. */\n type: string;\n\n /** Human-readable description */\n description: string;\n\n /** Reason this constraint is recommended (which sovereignty gap drives it) */\n rationale: string;\n\n /** Priority: high, medium, low */\n priority: \"high\" | \"medium\" | \"low\";\n}\n\n// ── Layer Scoring Model ──────────────────────────────────────────────────\n\n/**\n * Layer-specific scoring weights and degradation impacts.\n *\n * Each layer starts at 100 points. Degradations subtract points based on severity.\n * \"critical\" = -40, \"warning\" = -25, \"info\" = -10.\n */\nconst LAYER_WEIGHTS = {\n l1: 100,\n l2: 100,\n l3: 100,\n l4: 100,\n};\n\nconst DEGRADATION_IMPACT = {\n critical: 40,\n warning: 25,\n info: 10,\n};\n\n// ── Public API ───────────────────────────────────────────────────────────\n\n/**\n * Transform an SHR into a Ping Identity Gateway authorization context.\n *\n * @param shr - The signed SHR to transform\n * @returns A PingAuthorizationContext ready for the Agent Gateway\n */\nexport function transformSHRForGateway(shr: SignedSHR): PingAuthorizationContext {\n const { body, signed_by, signature } = shr;\n\n // Calculate per-layer scores\n const layerScores = calculateLayerScores(body);\n\n // Calculate overall score (weighted average)\n const overallScore = calculateOverallScore(layerScores);\n\n // Determine recommended trust level\n const trustLevel = determineTrustLevel(overallScore);\n\n // Extract authorization signals from SHR\n const signals = extractAuthorizationSignals(body);\n\n // Transform degradations for authorization context\n const degradations = transformDegradations(body.degradations);\n\n // Generate recommended constraints\n const constraints = generateAuthorizationConstraints(body, degradations);\n\n return {\n shr_version: body.shr_version,\n agent_identity: signed_by,\n generated_at: new Date().toISOString(),\n context_expires_at: body.expires_at,\n overall_score: overallScore,\n recommended_trust_level: trustLevel,\n layer_scores: {\n l1_cognitive: layerScores.l1,\n l2_operational: layerScores.l2,\n l3_disclosure: layerScores.l3,\n l4_reputation: layerScores.l4,\n },\n layer_status: {\n l1_cognitive: body.layers.l1.status,\n l2_operational: body.layers.l2.status,\n l3_disclosure: body.layers.l3.status,\n l4_reputation: body.layers.l4.status,\n },\n authorization_signals: signals,\n degradations,\n recommended_constraints: constraints,\n shr_signature: signature,\n shr_signed_by: signed_by,\n };\n}\n\n/**\n * Calculate sovereignty scores for each layer based on the SHR.\n */\nfunction calculateLayerScores(\n body: SHRBody\n): {\n l1: number;\n l2: number;\n l3: number;\n l4: number;\n} {\n const layers = body.layers;\n const degradations = body.degradations;\n\n let l1Score = LAYER_WEIGHTS.l1;\n let l2Score = LAYER_WEIGHTS.l2;\n let l3Score = LAYER_WEIGHTS.l3;\n let l4Score = LAYER_WEIGHTS.l4;\n\n // Apply degradation penalties\n for (const deg of degradations) {\n const impact =\n DEGRADATION_IMPACT[deg.severity as keyof typeof DEGRADATION_IMPACT] || 10;\n\n if (deg.layer === \"l1\") {\n l1Score = Math.max(0, l1Score - impact);\n } else if (deg.layer === \"l2\") {\n l2Score = Math.max(0, l2Score - impact);\n } else if (deg.layer === \"l3\") {\n l3Score = Math.max(0, l3Score - impact);\n } else if (deg.layer === \"l4\") {\n l4Score = Math.max(0, l4Score - impact);\n }\n }\n\n // Bonus points for active status (if no degradations bring it below a threshold)\n if (layers.l1.status === \"active\" && l1Score > 50) l1Score = Math.min(100, l1Score + 5);\n if (layers.l2.status === \"active\" && l2Score > 50) l2Score = Math.min(100, l2Score + 5);\n if (layers.l3.status === \"active\" && l3Score > 50) l3Score = Math.min(100, l3Score + 5);\n if (layers.l4.status === \"active\" && l4Score > 50) l4Score = Math.min(100, l4Score + 5);\n\n // Inactive layers score 0\n if (layers.l1.status === \"inactive\") l1Score = 0;\n if (layers.l2.status === \"inactive\") l2Score = 0;\n if (layers.l3.status === \"inactive\") l3Score = 0;\n if (layers.l4.status === \"inactive\") l4Score = 0;\n\n return {\n l1: Math.round(l1Score),\n l2: Math.round(l2Score),\n l3: Math.round(l3Score),\n l4: Math.round(l4Score),\n };\n}\n\n/**\n * Calculate overall sovereignty score (0-100) as weighted average of layer scores.\n */\nfunction calculateOverallScore(layerScores: {\n l1: number;\n l2: number;\n l3: number;\n l4: number;\n}): number {\n const average = (layerScores.l1 + layerScores.l2 + layerScores.l3 + layerScores.l4) / 4;\n return Math.round(average);\n}\n\n/**\n * Determine recommended trust level based on overall score.\n */\nfunction determineTrustLevel(\n score: number\n): \"full\" | \"elevated\" | \"standard\" | \"restricted\" {\n if (score >= 80) return \"full\";\n if (score >= 60) return \"elevated\";\n if (score >= 40) return \"standard\";\n return \"restricted\";\n}\n\n/**\n * Extract authorization-relevant signals from the SHR.\n */\nfunction extractAuthorizationSignals(body: SHRBody): PingAuthorizationContext[\"authorization_signals\"] {\n const l1 = body.layers.l1;\n const l3 = body.layers.l3;\n const l4 = body.layers.l4;\n\n // Infer signals from layer configuration\n return {\n approval_gate_active: body.capabilities.handshake, // Handshake implies human loop capability\n context_gating_active: body.capabilities.encrypted_channel, // Proxy for gating capability\n encryption_at_rest: l1.encryption !== \"none\" && l1.encryption !== \"unencrypted\",\n behavioral_baseline_active: false, // Would need explicit field in SHR v1.1\n identity_verified: l1.identity_type === \"ed25519\" || l1.identity_type !== \"none\",\n zero_knowledge_capable: l3.status === \"active\",\n selective_disclosure_active: l3.selective_disclosure,\n reputation_portable: l4.reputation_portable,\n handshake_capable: body.capabilities.handshake,\n };\n}\n\n/**\n * Transform degradations into authorization-aware format.\n */\nfunction transformDegradations(degradations: SHRDegradation[]): GatewayDegradation[] {\n return degradations.map((deg) => {\n let authzImpact = \"\";\n\n if (deg.code === \"NO_TEE\") {\n authzImpact = \"Restricted to read-only operations until TEE available\";\n } else if (deg.code === \"PROCESS_ISOLATION_ONLY\") {\n authzImpact = \"Requires additional identity verification\";\n } else if (deg.code === \"COMMITMENT_ONLY\") {\n authzImpact = \"Limited data sharing scope — no zero-knowledge proofs\";\n } else if (deg.code === \"NO_ZK_PROOFS\") {\n authzImpact = \"Cannot perform confidential disclosures\";\n } else if (deg.code === \"SELF_REPORTED_ATTESTATION\") {\n authzImpact = \"Attestation trust degraded — human verification recommended\";\n } else if (deg.code === \"NO_SELECTIVE_DISCLOSURE\") {\n authzImpact = \"Must share entire data context, cannot redact\";\n } else if (deg.code === \"BASIC_SYBIL_ONLY\") {\n authzImpact = \"Restrict to interactions with known agents only\";\n } else {\n authzImpact = \"Unknown authorization impact\";\n }\n\n return {\n layer: deg.layer,\n code: deg.code,\n severity: deg.severity,\n description: deg.description,\n authorization_impact: authzImpact,\n };\n });\n}\n\n/**\n * Generate recommended authorization constraints based on sovereignty posture.\n */\nfunction generateAuthorizationConstraints(\n body: SHRBody,\n _degradations: GatewayDegradation[]\n): AuthorizationConstraint[] {\n const constraints: AuthorizationConstraint[] = [];\n const layers = body.layers;\n\n // L1 (Cognitive Sovereignty) constraints\n if (layers.l1.status === \"degraded\" || layers.l1.key_custody !== \"self\") {\n constraints.push({\n type: \"identity_verification_required\",\n description: \"Additional identity verification required for sensitive operations\",\n rationale: \"L1 is degraded or key custody is not self-managed\",\n priority: \"high\",\n });\n }\n\n if (!layers.l1.state_portable) {\n constraints.push({\n type: \"location_bound\",\n description: \"Agent state is not portable — restrict to home environment\",\n rationale: \"State cannot be safely migrated across boundaries\",\n priority: \"medium\",\n });\n }\n\n // L2 (Operational Isolation) constraints\n if (layers.l2.status === \"degraded\" || layers.l2.isolation_type === \"local-process\") {\n constraints.push({\n type: \"read_only\",\n description: \"Restrict to read-only operations until operational isolation improves\",\n rationale: \"L2 isolation is process-level only (no TEE)\",\n priority: \"high\",\n });\n }\n\n if (!layers.l2.attestation_available) {\n constraints.push({\n type: \"requires_approval\",\n description: \"Human approval required for writes and sensitive reads\",\n rationale: \"No attestation available — self-reported integrity only\",\n priority: \"high\",\n });\n }\n\n // L3 (Selective Disclosure) constraints\n if (layers.l3.status === \"degraded\" || !layers.l3.selective_disclosure) {\n constraints.push({\n type: \"restricted_scope\",\n description: \"Limit data sharing to minimal required scope — no selective disclosure\",\n rationale: \"Agent cannot redact data or prove predicates without revealing all context\",\n priority: \"high\",\n });\n }\n\n // Note: \"schnorr-pedersen\" (and legacy \"commitment-only\") both provide genuine ZK proofs.\n // No additional constraint needed for the proof system.\n\n // L4 (Reputation) constraints\n if (layers.l4.status === \"degraded\") {\n constraints.push({\n type: \"known_agents_only\",\n description: \"Restrict interactions to known, pre-approved agents\",\n rationale: \"Reputation layer is degraded\",\n priority: \"medium\",\n });\n }\n\n if (!layers.l4.reputation_portable) {\n constraints.push({\n type: \"location_bound\",\n description: \"Reputation is not portable — restrict to home environment\",\n rationale: \"Cannot present reputation to external parties\",\n priority: \"low\",\n });\n }\n\n // Overall score-based constraints\n const layerScores = calculateLayerScores(body);\n const overallScore = calculateOverallScore(layerScores);\n\n if (overallScore < 40) {\n constraints.push({\n type: \"restricted_scope\",\n description: \"Overall sovereignty score below threshold — restrict to non-sensitive operations\",\n rationale: `Overall sovereignty score is ${overallScore}/100`,\n priority: \"high\",\n });\n }\n\n return constraints;\n}\n\n// ── Generic Gateway Export ───────────────────────────────────────────────\n\n/**\n * Generic authorization context (format-agnostic).\n * Used when format is \"generic\" instead of \"ping\".\n */\nexport interface GenericAuthorizationContext {\n agent_id: string;\n sovereignty_score: number;\n trust_level: string;\n layer_scores: Record<string, number>;\n capabilities: Record<string, boolean>;\n constraints: Array<{\n type: string;\n description: string;\n }>;\n expires_at: string;\n signature: string;\n}\n\n/**\n * Transform an SHR into a generic authorization context.\n */\nexport function transformSHRGeneric(shr: SignedSHR): GenericAuthorizationContext {\n const context = transformSHRForGateway(shr);\n\n return {\n agent_id: context.agent_identity,\n sovereignty_score: context.overall_score,\n trust_level: context.recommended_trust_level,\n layer_scores: {\n l1: context.layer_scores.l1_cognitive,\n l2: context.layer_scores.l2_operational,\n l3: context.layer_scores.l3_disclosure,\n l4: context.layer_scores.l4_reputation,\n },\n capabilities: context.authorization_signals,\n constraints: context.recommended_constraints.map((c) => ({\n type: c.type,\n description: c.description,\n })),\n expires_at: context.context_expires_at,\n signature: context.shr_signature,\n };\n}\n","/**\n * Sanctuary MCP Server — SHR MCP Tools\n *\n * MCP tool definitions for generating and verifying Sovereignty Health Reports.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateSHR, type SHRGeneratorOptions } from \"./generator.js\";\nimport { verifySHR } from \"./verifier.js\";\nimport type { SignedSHR } from \"./types.js\";\nimport { transformSHRForGateway, transformSHRGeneric } from \"./gateway-adapter.js\";\n\nexport function createSHRTools(\n config: SanctuaryConfig,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[] } {\n const generatorOpts: SHRGeneratorOptions = {\n config,\n identityManager,\n masterKey,\n };\n\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/shr_generate\",\n description:\n \"Generate a signed Sovereignty Health Report (SHR) — a machine-readable, \" +\n \"cryptographically signed advertisement of this instance's sovereignty posture. \" +\n \"Present this to counterparties to prove your sovereignty capabilities.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: {\n type: \"string\",\n description:\n \"Identity to sign the SHR with. Defaults to primary identity.\",\n },\n validity_minutes: {\n type: \"number\",\n description: \"How long the SHR is valid (minutes). Default: 60.\",\n },\n },\n },\n handler: async (args) => {\n const validityMs = args.validity_minutes\n ? (args.validity_minutes as number) * 60 * 1000\n : undefined;\n\n const result = generateSHR(args.identity_id as string | undefined, {\n ...generatorOpts,\n validityMs,\n });\n\n if (typeof result === \"string\") {\n return toolResult({ error: result });\n }\n\n auditLog.append(\"l2\", \"shr_generate\", result.body.instance_id);\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/shr_verify\",\n description:\n \"Verify a counterparty's Sovereignty Health Report (SHR). \" +\n \"Checks signature validity, temporal validity, and assesses sovereignty level.\",\n inputSchema: {\n type: \"object\",\n properties: {\n shr: {\n type: \"object\",\n description: \"The signed SHR to verify (full SignedSHR object).\",\n },\n },\n required: [\"shr\"],\n },\n handler: async (args) => {\n const shr = args.shr as unknown as SignedSHR;\n const result = verifySHR(shr);\n\n auditLog.append(\n \"l2\",\n \"shr_verify\",\n result.counterparty_id,\n undefined,\n result.valid ? \"success\" : \"failure\"\n );\n\n return toolResult(result);\n },\n },\n\n {\n name: \"sanctuary/shr_gateway_export\",\n description:\n \"Export this instance's Sovereignty Health Report formatted for \" +\n \"Ping Identity's Agent Gateway or other identity providers. \" +\n \"Transforms the SHR into an authorization context with sovereignty scores, \" +\n \"capability flags, and recommended access constraints.\",\n inputSchema: {\n type: \"object\",\n properties: {\n format: {\n type: \"string\",\n enum: [\"ping\", \"generic\"],\n description:\n \"Output format: 'ping' (Ping Identity Gateway format) or 'generic' (format-agnostic). Default: 'ping'.\",\n },\n identity_id: {\n type: \"string\",\n description:\n \"Identity to sign the SHR with. Defaults to primary identity.\",\n },\n validity_minutes: {\n type: \"number\",\n description: \"How long the SHR is valid (minutes). Default: 60.\",\n },\n },\n },\n handler: async (args) => {\n const format = (args.format as string) || \"ping\";\n const validityMs = args.validity_minutes\n ? (args.validity_minutes as number) * 60 * 1000\n : undefined;\n\n // Generate a fresh SHR\n const shrResult = generateSHR(args.identity_id as string | undefined, {\n ...generatorOpts,\n validityMs,\n });\n\n if (typeof shrResult === \"string\") {\n return toolResult({ error: shrResult });\n }\n\n // Transform for the requested format\n let context;\n if (format === \"generic\") {\n context = transformSHRGeneric(shrResult);\n } else {\n context = transformSHRForGateway(shrResult);\n }\n\n auditLog.append(\n \"l2\",\n \"shr_gateway_export\",\n shrResult.body.instance_id,\n undefined,\n \"success\"\n );\n\n return toolResult(context);\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Handshake Protocol\n *\n * Core handshake logic: initiate, respond, complete.\n * Nonce-based challenge-response prevents replay attacks.\n * SHR signatures are verified at each step.\n */\n\nimport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n HandshakeSession,\n SovereigntyLevel,\n TrustTier,\n} from \"./types.js\";\nimport type { SignedSHR } from \"../shr/types.js\";\nimport { verifySHR } from \"../shr/verifier.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\n\n/** Generate a cryptographic nonce for handshake */\nfunction generateNonce(): string {\n return toBase64url(randomBytes(32));\n}\n\n/**\n * Step 1: Initiate a handshake.\n * Generates a challenge containing our SHR and a nonce.\n */\nexport function initiateHandshake(\n ourSHR: SignedSHR\n): { challenge: HandshakeChallenge; session: HandshakeSession } {\n const nonce = generateNonce();\n const sessionId = toBase64url(randomBytes(16));\n\n const challenge: HandshakeChallenge = {\n protocol_version: \"1.0\",\n shr: ourSHR,\n nonce,\n initiated_at: new Date().toISOString(),\n };\n\n const session: HandshakeSession = {\n session_id: sessionId,\n role: \"initiator\",\n state: \"initiated\",\n our_nonce: nonce,\n our_shr: ourSHR,\n initiated_at: challenge.initiated_at,\n };\n\n return { challenge, session };\n}\n\n/**\n * Step 2: Respond to a handshake challenge.\n * Verifies the initiator's SHR, signs their nonce, generates our nonce.\n */\nexport function respondToHandshake(\n challenge: HandshakeChallenge,\n ourSHR: SignedSHR,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n identityId?: string\n): { response: HandshakeResponse; session: HandshakeSession } | { error: string } {\n // Validate protocol version\n if (challenge.protocol_version !== \"1.0\") {\n return { error: `Unsupported protocol version: ${challenge.protocol_version}` };\n }\n\n // Verify the initiator's SHR\n const shrResult = verifySHR(challenge.shr);\n if (!shrResult.valid) {\n return { error: `Initiator SHR verification failed: ${shrResult.errors.join(\", \")}` };\n }\n\n // Resolve signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return { error: \"No identity available for signing\" };\n }\n\n // Sign the initiator's nonce (proves we received it, prevents replay)\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const nonceBytes = stringToBytes(challenge.nonce);\n const nonceSignature = sign(\n nonceBytes,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n const responderNonce = generateNonce();\n\n const response: HandshakeResponse = {\n protocol_version: \"1.0\",\n shr: ourSHR,\n responder_nonce: responderNonce,\n initiator_nonce_signature: toBase64url(nonceSignature),\n responded_at: new Date().toISOString(),\n };\n\n const session: HandshakeSession = {\n session_id: toBase64url(randomBytes(16)),\n role: \"responder\",\n state: \"responded\",\n our_nonce: responderNonce,\n their_nonce: challenge.nonce,\n our_shr: ourSHR,\n their_shr: challenge.shr,\n initiated_at: challenge.initiated_at,\n };\n\n return { response, session };\n}\n\n/**\n * Step 3: Complete the handshake (initiator side).\n * Verifies the responder's SHR and nonce signature, signs responder's nonce.\n */\nexport function completeHandshake(\n response: HandshakeResponse,\n session: HandshakeSession,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n identityId?: string\n): { completion: HandshakeCompletion; result: HandshakeResult } | { error: string } {\n // Validate protocol version\n if (response.protocol_version !== \"1.0\") {\n return { error: `Unsupported protocol version: ${response.protocol_version}` };\n }\n\n // Verify the responder's SHR\n const shrResult = verifySHR(response.shr);\n if (!shrResult.valid) {\n return { error: `Responder SHR verification failed: ${shrResult.errors.join(\", \")}` };\n }\n\n // Verify the responder signed our nonce correctly\n const responderPublicKey = fromBase64url(response.shr.signed_by);\n const ourNonceBytes = stringToBytes(session.our_nonce);\n const nonceSignatureBytes = fromBase64url(response.initiator_nonce_signature);\n\n const nonceSignatureValid = verify(\n ourNonceBytes,\n nonceSignatureBytes,\n responderPublicKey\n );\n if (!nonceSignatureValid) {\n return { error: \"Responder's nonce signature is invalid — possible replay or MITM\" };\n }\n\n // Resolve our signing identity\n const identity = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n\n if (!identity) {\n return { error: \"No identity available for signing\" };\n }\n\n // Sign the responder's nonce\n const encryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const responderNonceBytes = stringToBytes(response.responder_nonce);\n const responderNonceSignature = sign(\n responderNonceBytes,\n identity.encrypted_private_key,\n encryptionKey\n );\n\n const now = new Date().toISOString();\n\n const completion: HandshakeCompletion = {\n protocol_version: \"1.0\",\n responder_nonce_signature: toBase64url(responderNonceSignature),\n completed_at: now,\n };\n\n // Determine sovereignty level and trust tier\n const sovereigntyLevel = shrResult.sovereignty_level as SovereigntyLevel;\n const trustTier = deriveTrustTier(sovereigntyLevel);\n\n const result: HandshakeResult = {\n counterparty_id: shrResult.counterparty_id,\n counterparty_shr: response.shr,\n verified: true,\n sovereignty_level: sovereigntyLevel,\n trust_tier: trustTier,\n completed_at: now,\n expires_at: shrResult.expires_at,\n errors: [],\n };\n\n return { completion, result };\n}\n\n/**\n * Step 4: Verify completion (responder side).\n * Verifies the initiator signed our nonce correctly.\n */\nexport function verifyCompletion(\n completion: HandshakeCompletion,\n session: HandshakeSession\n): HandshakeResult {\n const errors: string[] = [];\n\n if (!session.their_shr) {\n return {\n counterparty_id: \"unknown\",\n counterparty_shr: session.our_shr, // placeholder\n verified: false,\n sovereignty_level: \"unverified\",\n trust_tier: \"unverified\",\n completed_at: completion.completed_at,\n expires_at: new Date().toISOString(),\n errors: [\"No initiator SHR in session state\"],\n };\n }\n\n // Verify the initiator signed our nonce\n const initiatorPublicKey = fromBase64url(session.their_shr.signed_by);\n const ourNonceBytes = stringToBytes(session.our_nonce);\n const nonceSignatureBytes = fromBase64url(completion.responder_nonce_signature);\n\n const nonceSignatureValid = verify(\n ourNonceBytes,\n nonceSignatureBytes,\n initiatorPublicKey\n );\n\n if (!nonceSignatureValid) {\n errors.push(\"Initiator's nonce signature is invalid — possible replay or MITM\");\n }\n\n // Verify the initiator's SHR (may have been verified earlier, but check expiry)\n const shrResult = verifySHR(session.their_shr);\n if (!shrResult.valid) {\n errors.push(...shrResult.errors);\n }\n\n const verified = errors.length === 0;\n const sovereigntyLevel: SovereigntyLevel = verified\n ? (shrResult.sovereignty_level as SovereigntyLevel)\n : \"unverified\";\n\n return {\n counterparty_id: session.their_shr.body.instance_id,\n counterparty_shr: session.their_shr,\n verified,\n sovereignty_level: sovereigntyLevel,\n trust_tier: deriveTrustTier(sovereigntyLevel),\n completed_at: completion.completed_at,\n expires_at: session.their_shr.body.expires_at,\n errors,\n };\n}\n\n/**\n * Derive trust tier from sovereignty level.\n */\nfunction deriveTrustTier(level: SovereigntyLevel): TrustTier {\n switch (level) {\n case \"full\":\n return \"verified-sovereign\";\n case \"degraded\":\n return \"verified-degraded\";\n default:\n return \"unverified\";\n }\n}\n","/**\n * Sanctuary MCP Server — Handshake MCP Tools\n *\n * MCP tool definitions for the sovereignty handshake protocol.\n * Four tools map to the four protocol steps:\n * 1. handshake_initiate — Start a handshake\n * 2. handshake_respond — Respond to an incoming challenge\n * 3. handshake_complete — Complete a handshake (initiator side)\n * 4. handshake_status — Check status of handshake sessions\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport { generateSHR, type SHRGeneratorOptions } from \"../shr/generator.js\";\nimport {\n initiateHandshake,\n respondToHandshake,\n completeHandshake,\n verifyCompletion,\n} from \"./protocol.js\";\nimport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n HandshakeSession,\n} from \"./types.js\";\n\nexport function createHandshakeTools(\n config: SanctuaryConfig,\n identityManager: IdentityManager,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): { tools: ToolDefinition[]; handshakeResults: Map<string, HandshakeResult> } {\n // In-memory session store (per server instance lifetime)\n const sessions = new Map<string, HandshakeSession>();\n // Completed handshake results indexed by counterparty ID — shared with L4 tier resolution\n const handshakeResults = new Map<string, HandshakeResult>();\n\n const shrOpts: SHRGeneratorOptions = {\n config,\n identityManager,\n masterKey,\n };\n\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/handshake_initiate\",\n description:\n \"Initiate a sovereignty handshake with a counterparty. \" +\n \"Generates a challenge containing this instance's signed SHR and a cryptographic nonce. \" +\n \"Send the returned challenge to the counterparty.\",\n inputSchema: {\n type: \"object\",\n properties: {\n identity_id: {\n type: \"string\",\n description:\n \"Identity to use for the handshake. Defaults to primary identity.\",\n },\n },\n },\n handler: async (args) => {\n // Generate our SHR\n const shr = generateSHR(args.identity_id as string | undefined, shrOpts);\n if (typeof shr === \"string\") {\n return toolResult({ error: shr });\n }\n\n const { challenge, session } = initiateHandshake(shr);\n sessions.set(session.session_id, session);\n\n auditLog.append(\"l4\", \"handshake_initiate\", shr.body.instance_id);\n\n return toolResult({\n session_id: session.session_id,\n challenge,\n instructions:\n \"Send the 'challenge' object to the counterparty's sanctuary/handshake_respond tool. \" +\n \"When you receive their response, pass it to sanctuary/handshake_complete with this session_id.\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_respond\",\n description:\n \"Respond to an incoming sovereignty handshake challenge. \" +\n \"Verifies the initiator's SHR, signs their nonce, and returns our SHR with a counter-nonce.\",\n inputSchema: {\n type: \"object\",\n properties: {\n challenge: {\n type: \"object\",\n description: \"The HandshakeChallenge received from the initiator.\",\n },\n identity_id: {\n type: \"string\",\n description:\n \"Identity to use for the response. Defaults to primary identity.\",\n },\n },\n required: [\"challenge\"],\n },\n handler: async (args) => {\n const challenge = args.challenge as unknown as HandshakeChallenge;\n\n // Generate our SHR\n const shr = generateSHR(args.identity_id as string | undefined, shrOpts);\n if (typeof shr === \"string\") {\n return toolResult({ error: shr });\n }\n\n const result = respondToHandshake(\n challenge,\n shr,\n identityManager,\n masterKey,\n args.identity_id as string | undefined\n );\n\n if (\"error\" in result) {\n auditLog.append(\"l4\", \"handshake_respond\", shr.body.instance_id, undefined, \"failure\");\n return toolResult({ error: result.error });\n }\n\n sessions.set(result.session.session_id, result.session);\n\n auditLog.append(\"l4\", \"handshake_respond\", shr.body.instance_id);\n\n return toolResult({\n session_id: result.session.session_id,\n response: result.response,\n instructions:\n \"Send the 'response' object back to the initiator. \" +\n \"When you receive their completion, pass it to sanctuary/handshake_status with this session_id.\",\n // SEC-ADD-03: Tag response — contains SHR data that will be sent to counterparty\n _content_trust: \"external\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_complete\",\n description:\n \"Complete a sovereignty handshake (initiator side). \" +\n \"Verifies the responder's SHR and nonce signature, signs their nonce, and produces the final result.\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Session ID from handshake_initiate.\",\n },\n response: {\n type: \"object\",\n description: \"The HandshakeResponse received from the responder.\",\n },\n },\n required: [\"session_id\", \"response\"],\n },\n handler: async (args) => {\n const sessionId = args.session_id as string;\n const response = args.response as unknown as HandshakeResponse;\n\n const session = sessions.get(sessionId);\n if (!session) {\n return toolResult({ error: `No handshake session found: ${sessionId}` });\n }\n if (session.state !== \"initiated\") {\n return toolResult({\n error: `Session is in state '${session.state}', expected 'initiated'`,\n });\n }\n\n const result = completeHandshake(\n response,\n session,\n identityManager,\n masterKey\n );\n\n if (\"error\" in result) {\n session.state = \"failed\";\n auditLog.append(\"l4\", \"handshake_complete\", session.our_shr.body.instance_id, undefined, \"failure\");\n return toolResult({ error: result.error });\n }\n\n session.state = \"completed\";\n session.their_shr = response.shr;\n session.their_nonce = response.responder_nonce;\n session.result = result.result;\n\n // Store completed result for tier resolution\n handshakeResults.set(result.result.counterparty_id, result.result);\n\n auditLog.append(\"l4\", \"handshake_complete\", session.our_shr.body.instance_id);\n\n return toolResult({\n completion: result.completion,\n result: result.result,\n instructions:\n \"Send the 'completion' object to the responder so they can verify the handshake. \" +\n \"The 'result' object contains the verified counterparty status and trust tier.\",\n // SEC-ADD-03: Tag response as containing counterparty-controlled SHR data\n _content_trust: \"external\",\n });\n },\n },\n\n {\n name: \"sanctuary/handshake_status\",\n description:\n \"Check the status of a handshake session, or verify a completion message (responder side).\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Session ID to check.\",\n },\n completion: {\n type: \"object\",\n description:\n \"Optional: HandshakeCompletion from the initiator (responder-side verification).\",\n },\n },\n required: [\"session_id\"],\n },\n handler: async (args) => {\n const sessionId = args.session_id as string;\n const completion = args.completion as unknown as HandshakeCompletion | undefined;\n\n const session = sessions.get(sessionId);\n if (!session) {\n return toolResult({ error: `No handshake session found: ${sessionId}` });\n }\n\n // If completion is provided, verify it (responder side)\n if (completion && session.role === \"responder\" && session.state === \"responded\") {\n const result = verifyCompletion(completion, session);\n session.state = result.verified ? \"completed\" : \"failed\";\n session.result = result;\n\n // Store completed result for tier resolution\n if (result.verified) {\n handshakeResults.set(result.counterparty_id, result);\n }\n\n auditLog.append(\n \"l4\",\n \"handshake_verify_completion\",\n session.our_shr.body.instance_id,\n undefined,\n result.verified ? \"success\" : \"failure\"\n );\n\n return toolResult({ result });\n }\n\n // Otherwise just return session status\n return toolResult({\n session_id: session.session_id,\n role: session.role,\n state: session.state,\n initiated_at: session.initiated_at,\n result: session.result ?? null,\n });\n },\n },\n ];\n\n return { tools, handshakeResults };\n}\n","/**\n * Sanctuary MCP Server — Federation Peer Registry\n *\n * Manages known federation peers. Peers are discovered through handshakes\n * and tracked for ongoing federation operations.\n *\n * The registry is the source of truth for:\n * - Who we've federated with\n * - Current trust status of each peer\n * - Peer capabilities (what operations they support)\n *\n * Security invariants:\n * - Peers are ONLY added through completed handshakes (not self-registration)\n * - Trust tiers degrade automatically when handshakes expire\n * - Peer data is stored encrypted under L1 sovereignty\n */\n\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { trustTierToSovereigntyTier } from \"../l4-reputation/tiers.js\";\nimport type {\n FederationPeer,\n FederationCapabilities,\n PeerTrustEvaluation,\n} from \"./types.js\";\n\n/** Default capabilities assumed for new peers */\nconst DEFAULT_CAPABILITIES: FederationCapabilities = {\n reputation_exchange: true,\n mutual_attestation: true,\n encrypted_channel: false,\n attestation_formats: [\"sanctuary-interaction-v1\"],\n};\n\nexport class FederationRegistry {\n private peers = new Map<string, FederationPeer>();\n\n /**\n * Register or update a peer from a completed handshake.\n * This is the ONLY way peers enter the registry.\n */\n registerFromHandshake(\n result: HandshakeResult,\n peerDid: string,\n capabilities?: Partial<FederationCapabilities>\n ): FederationPeer {\n const existing = this.peers.get(result.counterparty_id);\n const now = new Date().toISOString();\n\n const peer: FederationPeer = {\n peer_id: result.counterparty_id,\n peer_did: peerDid,\n first_seen: existing?.first_seen ?? now,\n last_handshake: result.completed_at,\n trust_tier: trustTierToSovereigntyTier(result.trust_tier),\n handshake_result: result,\n capabilities: {\n ...DEFAULT_CAPABILITIES,\n ...(existing?.capabilities ?? {}),\n ...(capabilities ?? {}),\n },\n active: result.verified && new Date(result.expires_at) > new Date(),\n };\n\n // If already expired at registration time, degrade trust tier\n if (!peer.active) {\n peer.trust_tier = \"self-attested\";\n }\n\n this.peers.set(result.counterparty_id, peer);\n return peer;\n }\n\n /**\n * Get a peer by instance ID.\n * Automatically updates active status based on handshake expiry.\n */\n getPeer(peerId: string): FederationPeer | null {\n const peer = this.peers.get(peerId);\n if (!peer) return null;\n\n // Check if handshake has expired\n if (peer.active && new Date(peer.handshake_result.expires_at) <= new Date()) {\n peer.active = false;\n peer.trust_tier = \"self-attested\"; // Degrade to self-attested when expired\n }\n\n return peer;\n }\n\n /**\n * List all known peers, optionally filtered by status.\n */\n listPeers(filter?: { active_only?: boolean }): FederationPeer[] {\n const peers = Array.from(this.peers.values());\n\n // Update active status before filtering\n for (const peer of peers) {\n if (peer.active && new Date(peer.handshake_result.expires_at) <= new Date()) {\n peer.active = false;\n peer.trust_tier = \"self-attested\";\n }\n }\n\n if (filter?.active_only) {\n return peers.filter((p) => p.active);\n }\n\n return peers;\n }\n\n /**\n * Evaluate trust for a federation peer.\n *\n * Trust assessment considers:\n * - Handshake status (current vs expired)\n * - Sovereignty tier (verified-sovereign vs degraded vs unverified)\n * - Reputation data (if available)\n * - Mutual attestation history\n */\n evaluateTrust(\n peerId: string,\n mutualAttestationCount: number = 0,\n reputationScore?: number\n ): PeerTrustEvaluation {\n const peer = this.getPeer(peerId);\n const now = new Date().toISOString();\n\n if (!peer) {\n return {\n peer_id: peerId,\n sovereignty_tier: \"unverified\",\n handshake_current: false,\n mutual_attestation_count: 0,\n trust_level: \"none\",\n factors: [\"Peer not found in federation registry\"],\n evaluated_at: now,\n };\n }\n\n const factors: string[] = [];\n let score = 0;\n\n // Factor 1: Handshake status\n if (peer.active) {\n factors.push(\"Active handshake (trust current)\");\n score += 3;\n } else {\n factors.push(\"Handshake expired (trust degraded)\");\n score += 1;\n }\n\n // Factor 2: Sovereignty tier\n switch (peer.trust_tier) {\n case \"verified-sovereign\":\n factors.push(\"Verified sovereign — full sovereignty posture\");\n score += 4;\n break;\n case \"verified-degraded\":\n factors.push(\"Verified degraded — sovereignty with known limitations\");\n score += 3;\n break;\n case \"self-attested\":\n factors.push(\"Self-attested — claims not independently verified\");\n score += 1;\n break;\n case \"unverified\":\n factors.push(\"Unverified — no sovereignty proof\");\n score += 0;\n break;\n }\n\n // Factor 3: Mutual attestation history\n if (mutualAttestationCount > 10) {\n factors.push(`Strong attestation history (${mutualAttestationCount} mutual attestations)`);\n score += 3;\n } else if (mutualAttestationCount > 0) {\n factors.push(`Some attestation history (${mutualAttestationCount} mutual attestations)`);\n score += 1;\n } else {\n factors.push(\"No mutual attestation history\");\n }\n\n // Factor 4: Reputation score\n if (reputationScore !== undefined) {\n if (reputationScore >= 80) {\n factors.push(`High reputation score (${reputationScore})`);\n score += 2;\n } else if (reputationScore >= 50) {\n factors.push(`Moderate reputation score (${reputationScore})`);\n score += 1;\n } else {\n factors.push(`Low reputation score (${reputationScore})`);\n }\n }\n\n // Map score to trust level\n let trust_level: \"high\" | \"medium\" | \"low\" | \"none\";\n if (score >= 9) trust_level = \"high\";\n else if (score >= 5) trust_level = \"medium\";\n else if (score >= 2) trust_level = \"low\";\n else trust_level = \"none\";\n\n return {\n peer_id: peerId,\n sovereignty_tier: peer.trust_tier,\n handshake_current: peer.active,\n reputation_score: reputationScore,\n mutual_attestation_count: mutualAttestationCount,\n trust_level,\n factors,\n evaluated_at: now,\n };\n }\n\n /**\n * Remove a peer from the registry.\n */\n removePeer(peerId: string): boolean {\n return this.peers.delete(peerId);\n }\n\n /**\n * Get the handshake results map (for tier resolution integration).\n */\n getHandshakeResults(): Map<string, HandshakeResult> {\n const results = new Map<string, HandshakeResult>();\n for (const [id, peer] of this.peers) {\n if (peer.active) {\n results.set(id, peer.handshake_result);\n }\n }\n return results;\n }\n}\n","/**\n * Sanctuary MCP Server — Federation MCP Tools\n *\n * MCP tool definitions for MCP-to-MCP federation.\n * Three tools cover the core federation operations:\n * 1. federation_peers — List and manage known federation peers\n * 2. federation_trust_evaluate — Evaluate trust for a peer\n * 3. federation_exchange_reputation — Exchange reputation data with a peer\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { FederationRegistry } from \"./registry.js\";\n\nexport function createFederationTools(\n auditLog: AuditLog,\n handshakeResults: Map<string, HandshakeResult>\n): { tools: ToolDefinition[]; registry: FederationRegistry } {\n const registry = new FederationRegistry();\n\n const tools: ToolDefinition[] = [\n // ─── Peer Management ──────────────────────────────────────────────\n\n {\n name: \"sanctuary/federation_peers\",\n description:\n \"List known federation peers, register a peer from a completed handshake, \" +\n \"or remove a peer. Every peer MUST enter through a verified handshake — \" +\n \"no self-registration allowed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n action: {\n type: \"string\",\n enum: [\"list\", \"register\", \"remove\"],\n description: \"Operation to perform on the peer registry\",\n },\n peer_id: {\n type: \"string\",\n description: \"Peer instance ID (required for register/remove)\",\n },\n peer_did: {\n type: \"string\",\n description: \"Peer DID (required for register)\",\n },\n active_only: {\n type: \"boolean\",\n description: \"When listing, only show peers with active handshakes\",\n },\n },\n required: [\"action\"],\n },\n handler: async (args) => {\n const action = args.action as string;\n\n switch (action) {\n case \"list\": {\n const peers = registry.listPeers({\n active_only: args.active_only as boolean | undefined,\n });\n\n auditLog.append(\"l4\", \"federation_peers_list\", \"system\", {\n peer_count: peers.length,\n });\n\n return toolResult({\n peers: peers.map((p) => ({\n peer_id: p.peer_id,\n peer_did: p.peer_did,\n trust_tier: p.trust_tier,\n active: p.active,\n first_seen: p.first_seen,\n last_handshake: p.last_handshake,\n capabilities: p.capabilities,\n })),\n total: peers.length,\n });\n }\n\n case \"register\": {\n const peerId = args.peer_id as string;\n const peerDid = args.peer_did as string;\n\n if (!peerId || !peerDid) {\n return toolResult({\n error: \"Both peer_id and peer_did are required for registration.\",\n });\n }\n\n // Peer MUST have a completed handshake\n const hsResult = handshakeResults.get(peerId);\n if (!hsResult) {\n return toolResult({\n error: `No completed handshake found for peer \"${peerId}\". ` +\n \"Complete a sovereignty handshake first using handshake_initiate.\",\n });\n }\n\n if (!hsResult.verified) {\n return toolResult({\n error: `Handshake with \"${peerId}\" was not verified. ` +\n \"Only verified handshakes can establish federation.\",\n });\n }\n\n const peer = registry.registerFromHandshake(hsResult, peerDid);\n\n auditLog.append(\"l4\", \"federation_peer_register\", \"system\", {\n peer_id: peerId,\n peer_did: peerDid,\n trust_tier: peer.trust_tier,\n });\n\n return toolResult({\n registered: true,\n peer_id: peer.peer_id,\n trust_tier: peer.trust_tier,\n active: peer.active,\n capabilities: peer.capabilities,\n });\n }\n\n case \"remove\": {\n const peerId = args.peer_id as string;\n if (!peerId) {\n return toolResult({ error: \"peer_id is required for removal.\" });\n }\n\n const removed = registry.removePeer(peerId);\n\n auditLog.append(\"l4\", \"federation_peer_remove\", \"system\", {\n peer_id: peerId,\n removed,\n });\n\n return toolResult({\n removed,\n peer_id: peerId,\n });\n }\n\n default:\n return toolResult({ error: `Unknown action: ${action}` });\n }\n },\n },\n\n // ─── Trust Evaluation ─────────────────────────────────────────────\n\n {\n name: \"sanctuary/federation_trust_evaluate\",\n description:\n \"Evaluate the trust level of a federation peer. \" +\n \"Considers handshake status, sovereignty tier, reputation score, \" +\n \"and mutual attestation history. Returns a composite trust assessment.\",\n inputSchema: {\n type: \"object\",\n properties: {\n peer_id: {\n type: \"string\",\n description: \"Peer instance ID to evaluate\",\n },\n mutual_attestation_count: {\n type: \"number\",\n description: \"Number of mutual attestations with this peer (0 if unknown)\",\n },\n reputation_score: {\n type: \"number\",\n description: \"Peer's weighted reputation score (from reputation_query_weighted)\",\n },\n },\n required: [\"peer_id\"],\n },\n handler: async (args) => {\n const peerId = args.peer_id as string;\n const mutualCount = (args.mutual_attestation_count as number) ?? 0;\n const repScore = args.reputation_score as number | undefined;\n\n const evaluation = registry.evaluateTrust(peerId, mutualCount, repScore);\n\n auditLog.append(\"l4\", \"federation_trust_evaluate\", \"system\", {\n peer_id: peerId,\n trust_level: evaluation.trust_level,\n sovereignty_tier: evaluation.sovereignty_tier,\n });\n\n return toolResult(evaluation);\n },\n },\n\n // ─── Federation Status ────────────────────────────────────────────\n\n {\n name: \"sanctuary/federation_status\",\n description:\n \"Overview of federation state: total peers, active connections, \" +\n \"trust distribution, and readiness for cross-instance operations.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const allPeers = registry.listPeers();\n const activePeers = registry.listPeers({ active_only: true });\n\n // Trust tier distribution\n const tierCounts: Record<string, number> = {\n \"verified-sovereign\": 0,\n \"verified-degraded\": 0,\n \"self-attested\": 0,\n \"unverified\": 0,\n };\n for (const peer of allPeers) {\n tierCounts[peer.trust_tier] = (tierCounts[peer.trust_tier] ?? 0) + 1;\n }\n\n // Capability summary\n const capCounts = {\n reputation_exchange: activePeers.filter((p) => p.capabilities.reputation_exchange).length,\n mutual_attestation: activePeers.filter((p) => p.capabilities.mutual_attestation).length,\n encrypted_channel: activePeers.filter((p) => p.capabilities.encrypted_channel).length,\n };\n\n auditLog.append(\"l4\", \"federation_status\", \"system\", {\n total_peers: allPeers.length,\n active_peers: activePeers.length,\n });\n\n return toolResult({\n total_peers: allPeers.length,\n active_peers: activePeers.length,\n expired_peers: allPeers.length - activePeers.length,\n trust_distribution: tierCounts,\n capability_coverage: capCounts,\n federation_ready: activePeers.length > 0,\n checked_at: new Date().toISOString(),\n });\n },\n },\n ];\n\n return { tools, registry };\n}\n","/**\n * Sanctuary MCP Server — Concordia Bridge: Tool Definitions\n *\n * MCP tool wrappers for the Concordia-Sanctuary bridge.\n * Three tools:\n * sanctuary/bridge_commit — Bind a negotiation outcome to a Sanctuary commitment\n * sanctuary/bridge_verify — Verify a commitment against a revealed outcome\n * sanctuary/bridge_attest — Record a negotiation as a reputation attestation\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { IdentityManager } from \"../l1-cognitive/tools.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport type { AuditLog } from \"../l2-operational/audit-log.js\";\nimport type { HandshakeResult } from \"../handshake/types.js\";\nimport { ReputationStore } from \"../l4-reputation/reputation-store.js\";\nimport { resolveTier, TIER_WEIGHTS, type TierMetadata } from \"../l4-reputation/tiers.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { fromBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { bytesToString } from \"../core/encoding.js\";\nimport type { StoredIdentity } from \"../core/identity.js\";\n\nimport {\n createBridgeCommitment,\n verifyBridgeCommitment,\n} from \"./bridge.js\";\nimport type {\n ConcordiaOutcome,\n BridgeCommitment,\n} from \"./types.js\";\n\n// ─── Bridge Store ────────────────────────────────────────────────────────\n// Persists bridge commitments encrypted at rest for later verification\n// and attestation linking.\n\nclass BridgeStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"bridge-commitments\");\n }\n\n async save(commitment: BridgeCommitment, outcome: ConcordiaOutcome): Promise<void> {\n const record = { commitment, outcome };\n const serialized = stringToBytes(JSON.stringify(record));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_bridge\",\n commitment.bridge_commitment_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n\n async get(\n commitmentId: string\n ): Promise<{ commitment: BridgeCommitment; outcome: ConcordiaOutcome } | null> {\n const raw = await this.storage.read(\"_bridge\", commitmentId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n return JSON.parse(bytesToString(decrypted));\n } catch {\n return null;\n }\n }\n}\n\n// ─── Tool Factory ────────────────────────────────────────────────────────\n\nexport function createBridgeTools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n identityManager: IdentityManager,\n auditLog: AuditLog,\n handshakeResults?: Map<string, HandshakeResult>\n): { tools: ToolDefinition[] } {\n const bridgeStore = new BridgeStore(storage, masterKey);\n const reputationStore = new ReputationStore(storage, masterKey);\n const identityEncryptionKey = derivePurposeKey(masterKey, \"identity-encryption\");\n const hsResults = handshakeResults ?? new Map<string, HandshakeResult>();\n\n // Helper to resolve identity\n function resolveIdentity(identityId?: string): StoredIdentity {\n const id = identityId\n ? identityManager.get(identityId)\n : identityManager.getDefault();\n if (!id) {\n throw new Error(\n identityId\n ? `Identity \"${identityId}\" not found`\n : \"No identity available. Create one with identity_create first.\"\n );\n }\n return id;\n }\n\n const tools: ToolDefinition[] = [\n // ─── bridge_commit ─────────────────────────────────────────────────\n\n {\n name: \"sanctuary/bridge_commit\",\n description:\n \"Create a cryptographic commitment binding a Concordia negotiation outcome \" +\n \"to Sanctuary's L3 proof layer. The commitment includes a SHA-256 hash of \" +\n \"the canonical outcome (hiding + binding), an Ed25519 signature by the \" +\n \"committer's identity, and an optional Pedersen commitment on the round \" +\n \"count for zero-knowledge range proofs. This is the Sanctuary side of the \" +\n \"Concordia bridge — call this when a Concordia `accept` fires.\",\n inputSchema: {\n type: \"object\",\n properties: {\n session_id: {\n type: \"string\",\n description: \"Concordia session identifier\",\n },\n protocol_version: {\n type: \"string\",\n description: 'Concordia protocol version (e.g., \"concordia-v1\")',\n },\n proposer_did: {\n type: \"string\",\n description: \"DID of the party who proposed the accepted terms\",\n },\n acceptor_did: {\n type: \"string\",\n description: \"DID of the party who accepted\",\n },\n terms: {\n type: \"object\",\n description: \"The accepted terms (opaque to Sanctuary, meaningful to Concordia)\",\n },\n terms_hash: {\n type: \"string\",\n description: \"SHA-256 hash of the canonical terms serialization (computed by Concordia)\",\n },\n rounds: {\n type: \"number\",\n description: \"Number of negotiation rounds (propose/counter cycles)\",\n },\n accepted_at: {\n type: \"string\",\n description: \"ISO 8601 timestamp when accept was issued\",\n },\n session_receipt: {\n type: \"string\",\n description: \"Optional: signed Concordia session receipt\",\n },\n identity_id: {\n type: \"string\",\n description: \"Sanctuary identity to sign the commitment (uses default if omitted)\",\n },\n include_pedersen: {\n type: \"boolean\",\n description: \"Include a Pedersen commitment on round count for ZK range proofs\",\n },\n },\n required: [\n \"session_id\",\n \"protocol_version\",\n \"proposer_did\",\n \"acceptor_did\",\n \"terms\",\n \"terms_hash\",\n \"rounds\",\n \"accepted_at\",\n ],\n },\n handler: async (args) => {\n const outcome: ConcordiaOutcome = {\n session_id: args.session_id as string,\n protocol_version: args.protocol_version as string,\n proposer_did: args.proposer_did as string,\n acceptor_did: args.acceptor_did as string,\n terms: args.terms as Record<string, unknown>,\n terms_hash: args.terms_hash as string,\n rounds: args.rounds as number,\n accepted_at: args.accepted_at as string,\n session_receipt: args.session_receipt as string | undefined,\n };\n\n const identity = resolveIdentity(args.identity_id as string | undefined);\n const includePedersen = (args.include_pedersen as boolean) ?? false;\n\n const bridgeCommitment = createBridgeCommitment(\n outcome,\n identity,\n identityEncryptionKey,\n includePedersen\n );\n\n // Persist the commitment and outcome for later verification/attestation\n await bridgeStore.save(bridgeCommitment, outcome);\n\n auditLog.append(\"l3\", \"bridge_commit\", identity.identity_id, {\n bridge_commitment_id: bridgeCommitment.bridge_commitment_id,\n session_id: outcome.session_id,\n counterparty: outcome.proposer_did === identity.did\n ? outcome.acceptor_did\n : outcome.proposer_did,\n });\n\n return toolResult({\n bridge_commitment_id: bridgeCommitment.bridge_commitment_id,\n session_id: bridgeCommitment.session_id,\n sha256_commitment: bridgeCommitment.sha256_commitment,\n committer_did: bridgeCommitment.committer_did,\n signature: bridgeCommitment.signature,\n pedersen_commitment: bridgeCommitment.pedersen_commitment\n ? { commitment: bridgeCommitment.pedersen_commitment.commitment }\n : undefined,\n committed_at: bridgeCommitment.committed_at,\n bridge_version: bridgeCommitment.bridge_version,\n note: \"Bridge commitment created. The blinding factor is stored encrypted. \" +\n \"Use bridge_verify to verify the commitment against the revealed outcome. \" +\n \"Use bridge_attest to link this negotiation to your reputation.\",\n });\n },\n },\n\n // ─── bridge_verify ───────────────────────────────────────────────────\n\n {\n name: \"sanctuary/bridge_verify\",\n description:\n \"Verify a bridge commitment against a revealed Concordia negotiation outcome. \" +\n \"Checks SHA-256 commitment validity, Ed25519 signature, session ID match, \" +\n \"terms hash integrity, and Pedersen commitment (if present). Use this to \" +\n \"confirm that a counterparty's claimed negotiation outcome matches what was \" +\n \"cryptographically committed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bridge_commitment_id: {\n type: \"string\",\n description: \"The bridge commitment ID to verify\",\n },\n committer_public_key: {\n type: \"string\",\n description:\n \"The committer's Ed25519 public key (base64url). \" +\n \"Required if verifying a counterparty's commitment. \" +\n \"Omit to auto-resolve from local identities.\",\n },\n },\n required: [\"bridge_commitment_id\"],\n },\n handler: async (args) => {\n const commitmentId = args.bridge_commitment_id as string;\n const externalPublicKey = args.committer_public_key as string | undefined;\n\n // Load the stored commitment and outcome\n const record = await bridgeStore.get(commitmentId);\n if (!record) {\n return toolResult({\n error: `Bridge commitment \"${commitmentId}\" not found`,\n });\n }\n\n const { commitment: storedCommitment, outcome } = record;\n\n // Resolve the committer's public key\n let publicKey: Uint8Array;\n if (externalPublicKey) {\n publicKey = fromBase64url(externalPublicKey);\n } else {\n // Try to find the committer in local identities\n const localIdentities = identityManager.list();\n const match = localIdentities.find((i) => i.did === storedCommitment.committer_did);\n if (!match) {\n return toolResult({\n error: `Cannot resolve public key for committer \"${storedCommitment.committer_did}\". ` +\n \"Provide committer_public_key for external verification.\",\n });\n }\n publicKey = fromBase64url(match.public_key);\n }\n\n const result = verifyBridgeCommitment(storedCommitment, outcome, publicKey);\n\n auditLog.append(\"l3\", \"bridge_verify\", \"system\", {\n bridge_commitment_id: commitmentId,\n session_id: storedCommitment.session_id,\n valid: result.valid,\n });\n\n return toolResult({\n ...result,\n session_id: storedCommitment.session_id,\n committer_did: storedCommitment.committer_did,\n // SEC-ADD-03: Tag response as containing counterparty-controlled data\n _content_trust: \"external\",\n });\n },\n },\n\n // ─── bridge_attest ───────────────────────────────────────────────────\n\n {\n name: \"sanctuary/bridge_attest\",\n description:\n \"Record a Concordia negotiation as a Sanctuary L4 reputation attestation, \" +\n \"linked to a bridge commitment. This completes the bridge: the commitment \" +\n \"(L3) proves the terms were agreed, and the attestation (L4) feeds the \" +\n \"sovereignty-weighted reputation score. The attestation is automatically \" +\n \"tagged with the counterparty's sovereignty tier from any completed handshake.\",\n inputSchema: {\n type: \"object\",\n properties: {\n bridge_commitment_id: {\n type: \"string\",\n description: \"The bridge commitment ID to link\",\n },\n outcome_result: {\n type: \"string\",\n enum: [\"completed\", \"partial\", \"failed\", \"disputed\"],\n description: \"Negotiation outcome for reputation scoring\",\n },\n metrics: {\n type: \"object\",\n description:\n \"Optional metrics (e.g., rounds, response_time_ms, terms_complexity)\",\n },\n identity_id: {\n type: \"string\",\n description: \"Identity to sign the attestation (uses default if omitted)\",\n },\n },\n required: [\"bridge_commitment_id\", \"outcome_result\"],\n },\n handler: async (args) => {\n const commitmentId = args.bridge_commitment_id as string;\n const outcomeResult = args.outcome_result as\n | \"completed\"\n | \"partial\"\n | \"failed\"\n | \"disputed\";\n const metrics = (args.metrics as Record<string, number>) ?? {};\n const identityId = args.identity_id as string | undefined;\n\n // Load the stored commitment and outcome\n const record = await bridgeStore.get(commitmentId);\n if (!record) {\n return toolResult({\n error: `Bridge commitment \"${commitmentId}\" not found`,\n });\n }\n\n const { outcome } = record;\n const identity = resolveIdentity(identityId);\n\n // Determine counterparty DID\n const counterpartyDid =\n outcome.proposer_did === identity.did\n ? outcome.acceptor_did\n : outcome.proposer_did;\n\n // Resolve sovereignty tier from handshake results\n // Check if the counterparty has a known Sanctuary identity\n const hasSanctuaryIdentity = identityManager.list().some(\n (id) => identityManager.get(id.identity_id)?.did === counterpartyDid\n );\n const tierMeta: TierMetadata = resolveTier(counterpartyDid, hsResults, hasSanctuaryIdentity);\n const tier = tierMeta.sovereignty_tier;\n\n // Include bridge-specific metrics alongside user-provided ones\n const fullMetrics = {\n ...metrics,\n negotiation_rounds: outcome.rounds,\n };\n\n // Record the reputation attestation\n const attestation = await reputationStore.record(\n outcome.session_id, // interaction_id = concordia session\n counterpartyDid,\n {\n type: \"negotiation\",\n result: outcomeResult,\n metrics: fullMetrics,\n },\n \"concordia-bridge\", // context\n identity,\n identityEncryptionKey,\n undefined, // counterparty_attestation\n tier\n );\n\n auditLog.append(\"l4\", \"bridge_attest\", identity.identity_id, {\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n attestation_id: attestation.attestation.attestation_id,\n counterparty_did: counterpartyDid,\n sovereignty_tier: tier,\n });\n\n const weight = TIER_WEIGHTS[tier];\n\n return toolResult({\n attestation_id: attestation.attestation.attestation_id,\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n counterparty_did: counterpartyDid,\n outcome_result: outcomeResult,\n sovereignty_tier: tier,\n attested_at: attestation.recorded_at,\n note: `Negotiation recorded as reputation attestation. ` +\n `Counterparty sovereignty tier: ${tier} (weight: ${weight}).`,\n });\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — Concordia Bridge: Core Module\n *\n * Implements the Sanctuary side of the Concordia bridge:\n * 1. bridge_commit — Create a cryptographic commitment binding a negotiation outcome\n * 2. bridge_verify — Verify a commitment against a revealed outcome\n * 3. bridge_attest — Link a negotiation to L4 reputation via the commitment\n *\n * The bridge composes L3 (selective disclosure) and L4 (verifiable reputation)\n * to serve negotiation-specific needs. It introduces no new cryptographic\n * primitives — everything delegates to the existing L3 commitment/ZK layer\n * and L4 reputation store.\n *\n * Non-dependency principle: this module can be used without Concordia\n * running. Any system that provides a ConcordiaOutcome-shaped object\n * can create bridge commitments. Concordia is the expected caller, but\n * the interface is protocol-agnostic.\n */\n\nimport { createCommitment, verifyCommitment } from \"../l3-disclosure/commitments.js\";\nimport { createPedersenCommitment, verifyPedersenCommitment } from \"../l3-disclosure/zk-proofs.js\";\nimport { sign, verify } from \"../core/identity.js\";\nimport { toBase64url, fromBase64url, stringToBytes } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { hash } from \"../core/hashing.js\";\nimport type { StoredIdentity } from \"../core/identity.js\";\nimport type {\n ConcordiaOutcome,\n BridgeCommitment,\n BridgeVerificationResult,\n} from \"./types.js\";\n\n// ─── Canonical Serialization ─────────────────────────────────────────────\n// Deterministic JSON serialization of the ConcordiaOutcome for commitment.\n// Keys are sorted to ensure identical outcomes produce identical bytes.\n\n/**\n * Produce a canonical byte representation of a ConcordiaOutcome.\n * Sorts all keys recursively to ensure determinism.\n */\nexport function canonicalize(outcome: ConcordiaOutcome): Uint8Array {\n return stringToBytes(stableStringify(outcome));\n}\n\n/**\n * Recursively sort object keys for deterministic JSON.\n *\n * Security hardening: rejects non-finite numbers (NaN, Infinity, -Infinity)\n * which are not representable in JSON and would produce `null`, breaking\n * commitment determinism. Also rejects `undefined` values in arrays\n * (object `undefined` values are already excluded by Object.keys).\n */\nfunction stableStringify(value: unknown): string {\n if (value === null) return \"null\";\n if (value === undefined) return \"null\";\n if (typeof value === \"number\") {\n if (!Number.isFinite(value)) {\n throw new Error(\n `Cannot canonicalize non-finite number: ${value}. ` +\n `NaN, Infinity, and -Infinity are not representable in JSON.`\n );\n }\n if (Object.is(value, -0)) {\n throw new Error(\n \"Cannot canonicalize negative zero (-0). \" +\n \"Use 0 instead for deterministic cross-language serialization.\"\n );\n }\n return JSON.stringify(value);\n }\n if (typeof value !== \"object\") return JSON.stringify(value);\n if (Array.isArray(value)) {\n return \"[\" + value.map((v) => stableStringify(v)).join(\",\") + \"]\";\n }\n const obj = value as Record<string, unknown>;\n const keys = Object.keys(obj).sort();\n const pairs = keys.map((k) => JSON.stringify(k) + \":\" + stableStringify(obj[k]));\n return \"{\" + pairs.join(\",\") + \"}\";\n}\n\n// ─── Bridge Commit ───────────────────────────────────────────────────────\n\n/**\n * Create a cryptographic commitment binding a Concordia negotiation outcome\n * to Sanctuary's L3 proof layer.\n *\n * Creates:\n * 1. A SHA-256 commitment over the canonical outcome (always)\n * 2. A Pedersen commitment over the round count (optional, for ZK range proofs)\n * 3. An Ed25519 signature over the commitment by the committer's identity\n *\n * @param outcome - The Concordia negotiation outcome to bind\n * @param identity - The Sanctuary identity creating the commitment\n * @param identityEncryptionKey - Key to decrypt the identity's private key\n * @param includePedersen - Whether to create a Pedersen commitment on round count\n * @returns The bridge commitment\n */\nexport function createBridgeCommitment(\n outcome: ConcordiaOutcome,\n identity: StoredIdentity,\n identityEncryptionKey: Uint8Array,\n includePedersen: boolean = false\n): BridgeCommitment {\n const commitmentId = `bridge-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n // 1. Canonical serialization of the outcome\n const canonicalBytes = canonicalize(outcome);\n const canonicalString = new TextDecoder().decode(canonicalBytes);\n\n // 2. SHA-256 commitment: hash(canonical || blinding_factor)\n const sha256 = createCommitment(canonicalString);\n\n // 3. Pedersen commitment on round count (optional)\n let pedersenData: BridgeCommitment[\"pedersen_commitment\"] | undefined;\n if (includePedersen && Number.isInteger(outcome.rounds) && outcome.rounds >= 0) {\n const pedersen = createPedersenCommitment(outcome.rounds);\n pedersenData = {\n commitment: pedersen.commitment,\n blinding_factor: pedersen.blinding_factor,\n };\n }\n\n // 4. Build the commitment payload for signing\n // Includes terms_hash so the signature binds the commitment to the specific terms\n const commitmentPayload = {\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n sha256_commitment: sha256.commitment,\n terms_hash: outcome.terms_hash,\n committer_did: identity.did,\n committed_at: now,\n bridge_version: \"sanctuary-concordia-bridge-v1\" as const,\n };\n\n // 5. Sign the commitment with the identity's Ed25519 key\n // Uses stableStringify (not JSON.stringify) for deterministic key ordering\n // across languages — required for cross-repo signature verification (SEC-003).\n const payloadBytes = stringToBytes(stableStringify(commitmentPayload));\n const signature = sign(payloadBytes, identity.encrypted_private_key, identityEncryptionKey);\n\n return {\n bridge_commitment_id: commitmentId,\n session_id: outcome.session_id,\n sha256_commitment: sha256.commitment,\n blinding_factor: sha256.blinding_factor,\n committer_did: identity.did,\n signature: toBase64url(signature),\n pedersen_commitment: pedersenData,\n committed_at: now,\n bridge_version: \"sanctuary-concordia-bridge-v1\",\n };\n}\n\n// ─── Bridge Verify ───────────────────────────────────────────────────────\n\n/**\n * Verify a bridge commitment against a revealed Concordia outcome.\n *\n * Checks:\n * 1. SHA-256 commitment matches the canonical outcome + blinding factor\n * 2. Ed25519 signature is valid for the committer's public key\n * 3. Session IDs match\n * 4. Terms hash matches (Concordia's own hash of the terms)\n * 5. Pedersen commitment matches round count (if present)\n *\n * @param commitment - The bridge commitment to verify\n * @param outcome - The revealed Concordia outcome\n * @param committerPublicKey - The committer's Ed25519 public key\n * @returns Verification result with per-check detail\n */\nexport function verifyBridgeCommitment(\n commitment: BridgeCommitment,\n outcome: ConcordiaOutcome,\n committerPublicKey: Uint8Array\n): BridgeVerificationResult {\n const now = new Date().toISOString();\n\n // 1. SHA-256 commitment check\n const canonicalString = new TextDecoder().decode(canonicalize(outcome));\n const sha256Match = verifyCommitment(\n commitment.sha256_commitment,\n canonicalString,\n commitment.blinding_factor\n );\n\n // 2. Signature check (must match the signing payload exactly)\n // Uses stableStringify (not JSON.stringify) for deterministic key ordering\n // across languages — required for cross-repo signature verification (SEC-003).\n const commitmentPayload = {\n bridge_commitment_id: commitment.bridge_commitment_id,\n session_id: commitment.session_id,\n sha256_commitment: commitment.sha256_commitment,\n terms_hash: outcome.terms_hash,\n committer_did: commitment.committer_did,\n committed_at: commitment.committed_at,\n bridge_version: commitment.bridge_version,\n };\n const payloadBytes = stringToBytes(stableStringify(commitmentPayload));\n const sigBytes = fromBase64url(commitment.signature);\n const signatureValid = verify(payloadBytes, sigBytes, committerPublicKey);\n\n // 3. Session ID match\n const sessionIdMatch = commitment.session_id === outcome.session_id;\n\n // 4. Terms hash match — verify Concordia's terms_hash against the actual terms\n const termsBytes = stringToBytes(stableStringify(outcome.terms));\n const computedTermsHash = toBase64url(hash(termsBytes));\n const termsHashMatch = computedTermsHash === outcome.terms_hash;\n\n // 5. Pedersen match (if present)\n let pedersenMatch: boolean | undefined;\n if (commitment.pedersen_commitment) {\n pedersenMatch = verifyPedersenCommitment(\n commitment.pedersen_commitment.commitment,\n outcome.rounds,\n commitment.pedersen_commitment.blinding_factor\n );\n }\n\n const valid =\n sha256Match &&\n signatureValid &&\n sessionIdMatch &&\n termsHashMatch &&\n (pedersenMatch === undefined || pedersenMatch);\n\n return {\n valid,\n checks: {\n sha256_match: sha256Match,\n signature_valid: signatureValid,\n session_id_match: sessionIdMatch,\n terms_hash_match: termsHashMatch,\n pedersen_match: pedersenMatch,\n },\n bridge_commitment_id: commitment.bridge_commitment_id,\n verified_at: now,\n };\n}\n","/**\n * Sanctuary MCP Server — Environment Detector\n *\n * Read-only environment fingerprinting. Probes the local filesystem to detect\n * what sovereignty infrastructure is installed (Sanctuary config, OpenClaw, etc.).\n *\n * IMPORTANT: This module is strictly read-only. It MUST NOT write, create, modify,\n * or delete any files or make any network requests.\n */\n\nimport { readFile, access } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type { EnvironmentFingerprint, OpenClawConfigAudit } from \"./types.js\";\n\n/**\n * Strip single-line comments (// ...), block comments, and trailing commas\n * from a JSON5-ish string so it can be parsed by JSON.parse.\n */\nfunction lenientJsonParse(raw: string): unknown {\n // Remove single-line comments\n let cleaned = raw.replace(/\\/\\/[^\\n]*/g, \"\");\n // Remove block comments\n cleaned = cleaned.replace(/\\/\\*[\\s\\S]*?\\*\\//g, \"\");\n // Remove trailing commas before } or ]\n cleaned = cleaned.replace(/,\\s*([\\]}])/g, \"$1\");\n return JSON.parse(cleaned);\n}\n\n/**\n * Check if a file exists (read-only).\n */\nasync function fileExists(path: string): Promise<boolean> {\n try {\n await access(path);\n return true;\n } catch {\n return false;\n }\n}\n\n/**\n * Safely read a file, returning null if it doesn't exist or can't be read.\n */\nasync function safeReadFile(path: string): Promise<string | null> {\n try {\n return await readFile(path, \"utf-8\");\n } catch {\n return null;\n }\n}\n\n/**\n * Detect the local environment and produce a fingerprint.\n * This function is strictly read-only.\n */\nexport async function detectEnvironment(\n config: SanctuaryConfig,\n deepScan: boolean\n): Promise<EnvironmentFingerprint> {\n const fingerprint: EnvironmentFingerprint = {\n sanctuary_installed: true, // We're running inside Sanctuary\n sanctuary_version: config.version,\n openclaw_detected: false,\n openclaw_version: null,\n openclaw_config: null,\n node_version: process.version,\n platform: `${process.platform}-${process.arch}`,\n };\n\n if (!deepScan) {\n return fingerprint;\n }\n\n // Detect OpenClaw\n const home = homedir();\n const openclawConfigPath = join(home, \".openclaw\", \"openclaw.json\");\n const openclawEnvPath = join(home, \".openclaw\", \".env\");\n const openclawMemoryPath = join(home, \".openclaw\", \"workspace\", \"MEMORY.md\");\n const openclawMemoryDir = join(home, \".openclaw\", \"workspace\", \"memory\");\n\n const configExists = await fileExists(openclawConfigPath);\n const envExists = await fileExists(openclawEnvPath);\n const memoryExists = await fileExists(openclawMemoryPath);\n const memoryDirExists = await fileExists(openclawMemoryDir);\n\n // OpenClaw is detected if its config file or workspace exists\n if (configExists || memoryExists || memoryDirExists) {\n fingerprint.openclaw_detected = true;\n fingerprint.openclaw_config = await auditOpenClawConfig(\n openclawConfigPath,\n openclawEnvPath,\n openclawMemoryPath,\n configExists,\n envExists,\n memoryExists\n );\n }\n\n return fingerprint;\n}\n\n/**\n * Audit OpenClaw configuration (read-only).\n */\nasync function auditOpenClawConfig(\n configPath: string,\n envPath: string,\n _memoryPath: string,\n configExists: boolean,\n envExists: boolean,\n memoryExists: boolean\n): Promise<OpenClawConfigAudit> {\n const audit: OpenClawConfigAudit = {\n config_path: configExists ? configPath : null,\n require_approval_enabled: false,\n sandbox_policy_active: false,\n sandbox_allow_list: [],\n sandbox_deny_list: [],\n memory_encrypted: false, // Stock OpenClaw never encrypts memory\n env_file_exposed: false,\n gateway_token_set: false,\n dm_pairing_enabled: false,\n mcp_bridge_active: false,\n };\n\n // Parse OpenClaw config\n if (configExists) {\n const raw = await safeReadFile(configPath);\n if (raw) {\n try {\n const parsed = lenientJsonParse(raw) as Record<string, unknown>;\n\n // Check for version\n // OpenClaw may store version at top level\n // (We don't set openclaw_version on the fingerprint here — caller does that)\n\n // Check hooks for requireApproval\n const hooks = parsed.hooks as Record<string, unknown> | undefined;\n if (hooks) {\n const beforeToolCall = hooks.before_tool_call;\n if (beforeToolCall) {\n const hookStr = JSON.stringify(beforeToolCall);\n audit.require_approval_enabled = hookStr.includes(\"requireApproval\");\n }\n }\n\n // Check sandbox policy\n const tools = parsed.tools as Record<string, unknown> | undefined;\n if (tools) {\n const sandbox = tools.sandbox as Record<string, unknown> | undefined;\n if (sandbox) {\n const sandboxTools = sandbox.tools as Record<string, unknown> | undefined;\n if (sandboxTools) {\n audit.sandbox_policy_active = true;\n if (Array.isArray(sandboxTools.allow)) {\n audit.sandbox_allow_list = sandboxTools.allow.filter(\n (item): item is string => typeof item === \"string\"\n );\n }\n // Also check alsoAllow (OpenClaw v2026.3.28+)\n if (Array.isArray(sandboxTools.alsoAllow)) {\n audit.sandbox_allow_list = [\n ...audit.sandbox_allow_list,\n ...sandboxTools.alsoAllow.filter(\n (item): item is string => typeof item === \"string\"\n ),\n ];\n }\n if (Array.isArray(sandboxTools.deny)) {\n audit.sandbox_deny_list = sandboxTools.deny.filter(\n (item): item is string => typeof item === \"string\"\n );\n }\n }\n }\n }\n\n // Check for MCP bridge\n const mcpServers = parsed.mcpServers as Record<string, unknown> | undefined;\n if (mcpServers && Object.keys(mcpServers).length > 0) {\n audit.mcp_bridge_active = true;\n }\n } catch {\n // Config exists but couldn't be parsed — leave defaults\n }\n }\n }\n\n // Check .env for plaintext secrets\n if (envExists) {\n const envContent = await safeReadFile(envPath);\n if (envContent) {\n const secretPatterns = [\n /[A-Z_]*API_KEY\\s*=/,\n /[A-Z_]*TOKEN\\s*=/,\n /[A-Z_]*SECRET\\s*=/,\n /[A-Z_]*PASSWORD\\s*=/,\n /[A-Z_]*PRIVATE_KEY\\s*=/,\n ];\n audit.env_file_exposed = secretPatterns.some((p) => p.test(envContent));\n audit.gateway_token_set = /OPENCLAW_GATEWAY_TOKEN\\s*=/.test(envContent);\n }\n }\n\n // Memory is always plaintext in stock OpenClaw\n if (memoryExists) {\n audit.memory_encrypted = false;\n }\n\n return audit;\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Gap Analyzer\n *\n * Analyzes an environment fingerprint against Sanctuary's four-layer sovereignty\n * model and produces a scored gap analysis with prioritized recommendations.\n *\n * Scoring is deterministic: same environment state → same score, every time.\n */\n\nimport type { SanctuaryConfig } from \"../config.js\";\nimport type {\n EnvironmentFingerprint,\n SovereigntyAuditResult,\n L1AuditResult,\n L2AuditResult,\n L3AuditResult,\n L4AuditResult,\n SovereigntyGap,\n IncidentClass,\n Recommendation,\n} from \"./types.js\";\n\n// ── Scoring Constants ───────────────────────────────────────────────────\n\n// L1: 35 points max\nconst L1_ENCRYPTION_AT_REST = 10;\nconst L1_IDENTITY_CRYPTOGRAPHIC = 10;\nconst L1_INTEGRITY_VERIFICATION = 8;\nconst L1_STATE_PORTABLE = 7;\n\n// L2: 30 points max (increased from 25 to accommodate hardening)\nconst L2_THREE_TIER_GATE = 10;\nconst L2_BINARY_GATE = 3;\nconst L2_ANOMALY_DETECTION = 5;\nconst L2_ENCRYPTED_AUDIT = 4;\nconst L2_TOOL_SANDBOXING = 2;\nconst L2_CONTEXT_GATING = 4;\nconst L2_PROCESS_HARDENING = 5;\n\n// L3: 20 points max\n// Note: Schnorr + range proofs ARE genuine zero-knowledge proofs.\n// Non-interactive Fiat-Shamir is superior to interactive protocols for MCP servers\n// (no round-trip latency, offline-verifiable, replay-resistant via domain separation).\nconst L3_COMMITMENT_SCHEME = 8;\nconst L3_ZK_PROOFS = 7;\nconst L3_DISCLOSURE_POLICIES = 5;\n\n// L4: 20 points max\nconst L4_PORTABLE_REPUTATION = 6;\nconst L4_SIGNED_ATTESTATIONS = 6;\nconst L4_SYBIL_DETECTION = 4;\nconst L4_SOVEREIGNTY_GATED = 4;\n\n// Severity ordering for gap sorting\nconst SEVERITY_ORDER: Record<string, number> = {\n critical: 0,\n high: 1,\n medium: 2,\n low: 3,\n};\n\n// ── Incident Class Catalog ─────────────────────────────────────────────\n// Real-world incidents mapped to the sovereignty gaps they exploited.\n\nconst INCIDENT_META_SEV1: IncidentClass = {\n id: \"META-SEV1-2026\",\n name: \"Meta Sev 1: Unauthorized autonomous data exposure\",\n date: \"2026-03-18\",\n description:\n \"AI agent autonomously posted proprietary code, business strategies, and user datasets \" +\n \"to an internal forum without human approval. Two-hour exposure window.\",\n};\n\nconst INCIDENT_OPENCLAW_SANDBOX: IncidentClass = {\n id: \"OPENCLAW-CVE-2026\",\n name: \"OpenClaw sandbox escape via privilege inheritance\",\n date: \"2026-03-18\",\n description:\n \"Nine CVEs in four days. Child processes inherited sandbox.mode=off from parent, \" +\n \"bypassing runtime confinement. 42,900+ internet-exposed instances, 15,200 vulnerable to RCE.\",\n cves: [\n \"CVE-2026-32048\",\n \"CVE-2026-32915\",\n \"CVE-2026-32918\",\n ],\n};\n\nconst INCIDENT_CONTEXT_LEAKAGE: IncidentClass = {\n id: \"CONTEXT-LEAK-CLASS\",\n name: \"Context leakage: Full state exposure to inference providers\",\n date: \"2026-03\",\n description:\n \"Agents send full context — conversation history, memory, secrets, internal reasoning — \" +\n \"to remote LLM providers on every inference call with no filtering mechanism.\",\n};\n\n/** Exported for use in custom gap analysis extensions. */\nexport const INCIDENT_META_INBOX: IncidentClass = {\n id: \"META-INBOX-2026\",\n name: \"Meta inbox deletion: Safety instructions stripped by context compaction\",\n date: \"2026-03\",\n description:\n \"OpenClaw agent instructed to 'always ask before taking actions' began deleting inbox \" +\n \"autonomously after context window compaction silently stripped the safety instruction.\",\n};\n\nconst INCIDENT_CLAUDE_CODE_LEAK: IncidentClass = {\n id: \"CLAUDE-CODE-LEAK-2026\",\n name: \"Claude Code source leak: 512K lines exposed via npm source map\",\n date: \"2026-03-31\",\n description:\n \"Anthropic accidentally shipped a 59.8 MB source map in npm package v2.1.88, exposing \" +\n \"the full Claude Code TypeScript source — 1,900 files, internal model codenames, \" +\n \"unreleased features, OAuth flows, and multi-agent coordination logic.\",\n};\n\n/**\n * Analyze sovereignty posture and produce a full audit result.\n */\nexport function analyzeSovereignty(\n env: EnvironmentFingerprint,\n config: SanctuaryConfig\n): SovereigntyAuditResult {\n const l1 = assessL1(env, config);\n const l2 = assessL2(env, config);\n const l3 = assessL3(env, config);\n const l4 = assessL4(env, config);\n\n const l1Score = scoreL1(l1);\n const l2Score = scoreL2(l2);\n const l3Score = scoreL3(l3);\n const l4Score = scoreL4(l4);\n\n const overallScore = l1Score + l2Score + l3Score + l4Score;\n\n const sovereigntyLevel = overallScore >= 80\n ? \"full\"\n : overallScore >= 50\n ? \"partial\"\n : overallScore >= 20\n ? \"minimal\"\n : \"none\";\n\n const gaps = generateGaps(env, l1, l2, l3, l4);\n gaps.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);\n\n const recommendations = generateRecommendations(env, l1, l2, l3, l4);\n\n return {\n version: \"1.0\",\n audited_at: new Date().toISOString(),\n environment: env,\n layers: {\n l1_cognitive: l1,\n l2_operational: l2,\n l3_selective_disclosure: l3,\n l4_reputation: l4,\n },\n overall_score: overallScore,\n sovereignty_level: sovereigntyLevel,\n gaps,\n recommendations,\n };\n}\n\n// ── Layer Assessment ────────────────────────────────────────────────────\n\nfunction assessL1(\n env: EnvironmentFingerprint,\n config: SanctuaryConfig\n): L1AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n const encryptionAtRest = sanctuaryActive;\n const keyCustody = sanctuaryActive ? \"self\" as const : \"none\" as const;\n const integrityVerification = sanctuaryActive;\n const identityCryptographic = sanctuaryActive;\n const statePortable = sanctuaryActive;\n\n if (sanctuaryActive) {\n findings.push(\"AES-256-GCM encryption active for all state\");\n findings.push(`Key derivation: ${config.state.key_derivation}`);\n findings.push(`Identity provider: ${config.state.identity_provider}`);\n findings.push(\"Merkle integrity verification enabled\");\n findings.push(\"State export/import available\");\n }\n\n if (env.openclaw_detected && env.openclaw_config) {\n if (!env.openclaw_config.memory_encrypted) {\n findings.push(\"OpenClaw agent memory (MEMORY.md, daily notes) stored in plaintext\");\n }\n if (env.openclaw_config.env_file_exposed) {\n findings.push(\"OpenClaw .env file contains plaintext API keys/tokens\");\n }\n }\n\n const status = encryptionAtRest && identityCryptographic\n ? \"active\"\n : encryptionAtRest || identityCryptographic\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n encryption_at_rest: encryptionAtRest,\n key_custody: keyCustody,\n integrity_verification: integrityVerification,\n identity_cryptographic: identityCryptographic,\n state_portable: statePortable,\n findings,\n };\n}\n\nfunction assessL2(\n env: EnvironmentFingerprint,\n _config: SanctuaryConfig\n): L2AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n let approvalGate: \"three-tier\" | \"binary\" | \"none\" = \"none\";\n let behavioralAnomalyDetection = false;\n let auditTrailEncrypted = false;\n let auditTrailExists = false;\n let toolSandboxing: \"policy-enforced\" | \"basic\" | \"none\" = \"none\";\n let contextGating = false;\n let processIsolationHardening: \"full\" | \"hardened\" | \"basic\" | \"none\" = \"none\";\n\n if (sanctuaryActive) {\n approvalGate = \"three-tier\";\n behavioralAnomalyDetection = true;\n auditTrailEncrypted = true;\n auditTrailExists = true;\n contextGating = true;\n findings.push(\"Three-tier Principal Policy gate active\");\n findings.push(\"Behavioral anomaly detection (BaselineTracker) enabled\");\n findings.push(\"Encrypted audit trail active\");\n findings.push(\"Context gating available (sanctuary/context_gate_set_policy)\");\n }\n\n if (env.openclaw_detected && env.openclaw_config) {\n if (env.openclaw_config.require_approval_enabled) {\n if (!sanctuaryActive) {\n approvalGate = \"binary\";\n }\n findings.push(\"OpenClaw requireApproval hook enabled (binary approve/deny)\");\n }\n if (env.openclaw_config.sandbox_policy_active) {\n if (!sanctuaryActive) {\n toolSandboxing = \"basic\";\n }\n findings.push(\n `OpenClaw sandbox policy active (${env.openclaw_config.sandbox_allow_list.length} allowed, ` +\n `${env.openclaw_config.sandbox_deny_list.length} denied)`\n );\n }\n }\n\n // L2 hardening is optional and can be verified via tools at runtime\n // This assessment assumes default \"none\"; actual hardening is measured\n // by the l2_hardening_status and l2_verify_isolation tools\n processIsolationHardening = \"none\";\n\n const status = approvalGate === \"three-tier\" && auditTrailEncrypted\n ? \"active\"\n : approvalGate !== \"none\" || auditTrailExists\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n approval_gate: approvalGate,\n behavioral_anomaly_detection: behavioralAnomalyDetection,\n audit_trail_encrypted: auditTrailEncrypted,\n audit_trail_exists: auditTrailExists,\n tool_sandboxing: sanctuaryActive ? \"policy-enforced\" : toolSandboxing,\n context_gating: contextGating,\n process_isolation_hardening: processIsolationHardening,\n findings,\n };\n}\n\nfunction assessL3(\n env: EnvironmentFingerprint,\n _config: SanctuaryConfig\n): L3AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n let commitmentScheme: \"pedersen+sha256\" | \"sha256-only\" | \"none\" = \"none\";\n let zkProofs = false;\n let selectiveDisclosurePolicy = false;\n\n if (sanctuaryActive) {\n commitmentScheme = \"pedersen+sha256\";\n zkProofs = true; // Schnorr proofs + range proofs\n selectiveDisclosurePolicy = true;\n findings.push(\"SHA-256 + Pedersen commitment schemes active\");\n findings.push(\"Schnorr zero-knowledge proofs (Fiat-Shamir) enabled — genuine ZK proofs\");\n findings.push(\"Range proofs (bit-decomposition + OR-proofs) enabled — genuine ZK proofs\");\n findings.push(\"Selective disclosure policies configurable\");\n findings.push(\"Non-interactive proofs with replay-resistant domain separation\");\n }\n\n const status = commitmentScheme === \"pedersen+sha256\" && zkProofs\n ? \"active\"\n : commitmentScheme !== \"none\"\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n commitment_scheme: commitmentScheme,\n zero_knowledge_proofs: zkProofs,\n selective_disclosure_policy: selectiveDisclosurePolicy,\n findings,\n };\n}\n\nfunction assessL4(\n env: EnvironmentFingerprint,\n _config: SanctuaryConfig\n): L4AuditResult {\n const findings: string[] = [];\n const sanctuaryActive = env.sanctuary_installed;\n\n const reputationPortable = sanctuaryActive;\n const reputationSigned = sanctuaryActive;\n const sybilDetection = sanctuaryActive;\n const sovereigntyGated = sanctuaryActive;\n\n if (sanctuaryActive) {\n findings.push(\"Signed EAS-compatible attestations active\");\n findings.push(\"Reputation export/import available\");\n findings.push(\"Sybil detection heuristics enabled\");\n findings.push(\"Sovereignty-gated reputation tiers active\");\n } else {\n findings.push(\"No portable reputation system detected\");\n }\n\n const status = reputationPortable && reputationSigned && sovereigntyGated\n ? \"active\"\n : reputationPortable || reputationSigned\n ? \"partial\"\n : \"inactive\";\n\n return {\n status,\n reputation_portable: reputationPortable,\n reputation_signed: reputationSigned,\n reputation_sybil_detection: sybilDetection,\n sovereignty_gated_tiers: sovereigntyGated,\n findings,\n };\n}\n\n// ── Scoring ─────────────────────────────────────────────────────────────\n\nfunction scoreL1(l1: L1AuditResult): number {\n let score = 0;\n if (l1.encryption_at_rest) score += L1_ENCRYPTION_AT_REST;\n if (l1.identity_cryptographic) score += L1_IDENTITY_CRYPTOGRAPHIC;\n if (l1.integrity_verification) score += L1_INTEGRITY_VERIFICATION;\n if (l1.state_portable) score += L1_STATE_PORTABLE;\n return score;\n}\n\nfunction scoreL2(l2: L2AuditResult): number {\n let score = 0;\n if (l2.approval_gate === \"three-tier\") score += L2_THREE_TIER_GATE;\n else if (l2.approval_gate === \"binary\") score += L2_BINARY_GATE;\n if (l2.behavioral_anomaly_detection) score += L2_ANOMALY_DETECTION;\n if (l2.audit_trail_encrypted) score += L2_ENCRYPTED_AUDIT;\n if (l2.tool_sandboxing === \"policy-enforced\") score += L2_TOOL_SANDBOXING;\n else if (l2.tool_sandboxing === \"basic\") score += 1;\n if (l2.context_gating) score += L2_CONTEXT_GATING;\n // Software-based process hardening without TEE\n if (l2.process_isolation_hardening === \"hardened\") score += L2_PROCESS_HARDENING;\n else if (l2.process_isolation_hardening === \"basic\") score += 2;\n return score;\n}\n\nfunction scoreL3(l3: L3AuditResult): number {\n let score = 0;\n // Pedersen commitments + Schnorr/range proofs = genuine zero-knowledge proofs\n // Full L3 = 20 points (8 commitment + 7 proofs + 5 policies)\n if (l3.commitment_scheme === \"pedersen+sha256\") score += L3_COMMITMENT_SCHEME;\n else if (l3.commitment_scheme === \"sha256-only\") score += 4;\n if (l3.zero_knowledge_proofs) score += L3_ZK_PROOFS;\n if (l3.selective_disclosure_policy) score += L3_DISCLOSURE_POLICIES;\n return score;\n}\n\nfunction scoreL4(l4: L4AuditResult): number {\n let score = 0;\n if (l4.reputation_portable) score += L4_PORTABLE_REPUTATION;\n if (l4.reputation_signed) score += L4_SIGNED_ATTESTATIONS;\n if (l4.reputation_sybil_detection) score += L4_SYBIL_DETECTION;\n if (l4.sovereignty_gated_tiers) score += L4_SOVEREIGNTY_GATED;\n return score;\n}\n\n// ── Gap Generation ──────────────────────────────────────────────────────\n\nfunction generateGaps(\n env: EnvironmentFingerprint,\n l1: L1AuditResult,\n l2: L2AuditResult,\n l3: L3AuditResult,\n l4: L4AuditResult\n): SovereigntyGap[] {\n const gaps: SovereigntyGap[] = [];\n const oc = env.openclaw_config;\n\n // L1 gaps\n if (oc && !oc.memory_encrypted) {\n gaps.push({\n id: \"GAP-L1-001\",\n layer: \"L1\",\n severity: \"critical\",\n title: \"Agent memory stored in plaintext\",\n description:\n \"Your agent's memory (MEMORY.md, daily notes, SQLite index) is stored in plaintext \" +\n \"at ~/.openclaw/workspace/. Any process with file access can read your agent's full \" +\n \"context — preferences, decisions, conversation history.\",\n openclaw_relevance:\n \"Stock OpenClaw stores all agent memory in plaintext files. \" +\n \"There is no built-in encryption for agent state.\",\n sanctuary_solution:\n \"Sanctuary encrypts all state at rest with AES-256-GCM using a key derived from \" +\n \"Argon2id, making state opaque to any process that doesn't hold the master key. \" +\n \"Use sanctuary/state_write to migrate sensitive state to the encrypted store.\",\n incident_class: INCIDENT_META_SEV1,\n });\n }\n\n if (oc && oc.env_file_exposed) {\n gaps.push({\n id: \"GAP-L1-002\",\n layer: \"L1\",\n severity: \"critical\",\n title: \"Plaintext API keys in .env file\",\n description:\n \"Your .env file contains plaintext API keys and tokens. These secrets are readable \" +\n \"by any process with filesystem access.\",\n openclaw_relevance:\n \"OpenClaw stores API keys (LLM providers, gateway tokens) in a plaintext .env file.\",\n sanctuary_solution:\n \"Sanctuary's encrypted state store can hold secrets under the same AES-256-GCM \" +\n \"envelope as all other state, tied to your self-custodied identity. \" +\n \"Use sanctuary/state_write with namespace 'secrets'.\",\n });\n }\n\n if (!l1.identity_cryptographic) {\n gaps.push({\n id: \"GAP-L1-003\",\n layer: \"L1\",\n severity: \"critical\",\n title: \"No cryptographic agent identity\",\n description:\n \"Your agent has no cryptographic identity. It cannot prove it is who it claims \" +\n \"to be to any counterparty, sign messages, or participate in sovereignty handshakes.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw has no cryptographic agent identity. Agent identity is implicit \" +\n \"(tied to the process/session), not cryptographically verifiable.\"\n : null,\n sanctuary_solution:\n \"Sanctuary provides Ed25519 self-custodied identity with key rotation and delegation. \" +\n \"Use sanctuary/identity_create to establish your cryptographic identity.\",\n });\n }\n\n // L2 gaps\n if (l2.approval_gate === \"binary\" && !l2.behavioral_anomaly_detection) {\n gaps.push({\n id: \"GAP-L2-001\",\n layer: \"L2\",\n severity: \"high\",\n title: \"Binary approval gate (no anomaly detection)\",\n description:\n \"Your approval gate provides binary approve/deny gating without behavioral anomaly \" +\n \"detection. Routine operations require the same manual approval as sensitive ones.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw's requireApproval hook provides binary approve/deny gating. \" +\n \"Sanctuary's three-tier Principal Policy adds behavioral anomaly detection \" +\n \"(auto-escalation when agent behavior deviates from baseline), encrypted audit \" +\n \"trails, and graduated approval tiers — so routine operations auto-proceed while \" +\n \"sensitive operations require explicit consent.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's three-tier Principal Policy gate auto-allows routine operations (Tier 3), \" +\n \"escalates anomalous behavior (Tier 2), and always requires human approval for \" +\n \"irreversible operations (Tier 1). Use sanctuary/principal_policy_view to inspect.\",\n incident_class: INCIDENT_META_SEV1,\n });\n } else if (l2.approval_gate === \"none\") {\n gaps.push({\n id: \"GAP-L2-001\",\n layer: \"L2\",\n severity: \"critical\",\n title: \"No approval gate\",\n description:\n \"No approval gate is configured. All tool calls execute without oversight.\",\n openclaw_relevance: null,\n sanctuary_solution:\n \"Sanctuary's Principal Policy evaluates every tool call before execution. \" +\n \"Enable it to get three-tier approval gating with behavioral anomaly detection.\",\n incident_class: INCIDENT_META_SEV1,\n });\n }\n\n if (l2.tool_sandboxing === \"basic\") {\n gaps.push({\n id: \"GAP-L2-002\",\n layer: \"L2\",\n severity: \"medium\",\n title: \"Basic tool sandboxing (no cryptographic attestation)\",\n description:\n \"Your tool sandbox enforces allow/deny lists but provides no cryptographic \" +\n \"attestation of execution context.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw's sandbox tool policy (tools.sandbox.tools) enforces allow/deny lists. \" +\n \"Sanctuary adds cryptographic attestation of execution context — a verifiable proof \" +\n \"that an operation ran within policy, not just that a policy was configured.\"\n : null,\n sanctuary_solution:\n \"Sanctuary provides cryptographic execution attestation via sanctuary/exec_attest \" +\n \"and policy-enforced sandboxing with encrypted audit trails.\",\n incident_class: INCIDENT_OPENCLAW_SANDBOX,\n });\n }\n\n if (!l2.context_gating) {\n gaps.push({\n id: \"GAP-L2-003\",\n layer: \"L2\",\n severity: \"high\",\n title: \"No context gating for outbound inference calls\",\n description:\n \"Your agent sends its full context — conversation history, memory, preferences, \" +\n \"internal reasoning — to remote LLM providers on every inference call. There is \" +\n \"no mechanism to filter what leaves the sovereignty boundary. The provider sees \" +\n \"everything the agent knows.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw sends full agent context (including MEMORY.md, tool results, and \" +\n \"conversation history) to the configured LLM provider with every API call. \" +\n \"There is no built-in context filtering.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's context gating (sanctuary/context_gate_set_policy + \" +\n \"sanctuary/context_gate_filter) lets you define per-provider policies that \" +\n \"control exactly what context flows outbound. Redact secrets, hash identifiers, \" +\n \"and send only minimum-necessary context for each call.\",\n incident_class: INCIDENT_CONTEXT_LEAKAGE,\n });\n }\n\n if (!l2.audit_trail_exists) {\n gaps.push({\n id: \"GAP-L2-004\",\n layer: \"L2\",\n severity: \"high\",\n title: \"No audit trail\",\n description:\n \"No audit trail exists for tool call history. There is no record of what operations \" +\n \"were executed, when, or by whom.\",\n openclaw_relevance: null,\n sanctuary_solution:\n \"Sanctuary maintains an encrypted audit log of all operations, queryable via \" +\n \"sanctuary/monitor_audit_log.\",\n incident_class: INCIDENT_CLAUDE_CODE_LEAK,\n });\n }\n\n // L3 gaps\n if (l3.commitment_scheme === \"none\") {\n gaps.push({\n id: \"GAP-L3-001\",\n layer: \"L3\",\n severity: \"high\",\n title: \"No selective disclosure capability\",\n description:\n \"Your agent has no cryptographic mechanism to prove facts about its state without \" +\n \"revealing the state itself. Every disclosure is all-or-nothing: no commitments, no \" +\n \"zero-knowledge proofs, no selective disclosure policies.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw has no selective disclosure mechanism. When your agent shares information, \" +\n \"it shares everything or nothing — there is no way to prove a claim without \" +\n \"revealing the underlying data.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's L3 provides SHA-256 + Pedersen commitments with genuine zero-knowledge \" +\n \"proofs (Schnorr + range proofs via Fiat-Shamir transform). Your agent can prove it \" +\n \"has a valid credential, sufficient reputation, or a completed transaction without \" +\n \"exposing the underlying data. Use sanctuary/zk_commit and sanctuary/zk_prove.\",\n incident_class: INCIDENT_META_SEV1,\n });\n }\n\n // L4 gaps\n if (!l4.reputation_portable) {\n gaps.push({\n id: \"GAP-L4-001\",\n layer: \"L4\",\n severity: \"high\",\n title: \"No portable reputation\",\n description:\n \"Your agent's reputation is platform-locked. If you move to a different harness \" +\n \"or platform, your track record doesn't follow.\",\n openclaw_relevance: env.openclaw_detected\n ? \"OpenClaw has no reputation system. Your agent's track record exists only in \" +\n \"conversation history, which is not structured, signed, or portable.\"\n : null,\n sanctuary_solution:\n \"Sanctuary's L4 provides signed EAS-compatible attestations that are self-custodied, \" +\n \"portable, and cryptographically verifiable. Your reputation is yours, not your \" +\n \"platform's. Use sanctuary/reputation_record to start building portable reputation.\",\n });\n }\n\n return gaps;\n}\n\n// ── Recommendation Generation ───────────────────────────────────────────\n\nfunction generateRecommendations(\n env: EnvironmentFingerprint,\n l1: L1AuditResult,\n l2: L2AuditResult,\n l3: L3AuditResult,\n l4: L4AuditResult\n): Recommendation[] {\n const recs: Recommendation[] = [];\n\n if (!l1.identity_cryptographic) {\n recs.push({\n priority: 1,\n action: \"Create a cryptographic identity — your agent's foundation for all sovereignty operations\",\n tool: \"sanctuary/identity_create\",\n effort: \"immediate\",\n impact: \"critical\",\n });\n }\n\n if (!l1.encryption_at_rest || (env.openclaw_config && !env.openclaw_config.memory_encrypted)) {\n recs.push({\n priority: 2,\n action: \"Migrate plaintext agent state to Sanctuary's encrypted store\",\n tool: \"sanctuary/state_write\",\n effort: \"minutes\",\n impact: \"critical\",\n });\n }\n\n recs.push({\n priority: 3,\n action: \"Generate a Sovereignty Health Report to present to counterparties\",\n tool: \"sanctuary/shr_generate\",\n effort: \"immediate\",\n impact: \"high\",\n });\n\n if (l2.approval_gate !== \"three-tier\") {\n recs.push({\n priority: 4,\n action: \"Enable the three-tier Principal Policy gate for graduated approval\",\n tool: \"sanctuary/principal_policy_view\",\n effort: \"minutes\",\n impact: \"high\",\n });\n }\n\n if (!l2.context_gating) {\n recs.push({\n priority: 5,\n action: \"Configure context gating to control what flows to LLM providers\",\n tool: \"sanctuary/context_gate_set_policy\",\n effort: \"minutes\",\n impact: \"high\",\n });\n }\n\n if (!l4.reputation_signed) {\n recs.push({\n priority: 6,\n action: \"Start recording reputation attestations from completed interactions\",\n tool: \"sanctuary/reputation_record\",\n effort: \"minutes\",\n impact: \"medium\",\n });\n }\n\n if (!l3.selective_disclosure_policy) {\n recs.push({\n priority: 7,\n action: \"Configure selective disclosure policies for data sharing\",\n tool: \"sanctuary/disclosure_set_policy\",\n effort: \"hours\",\n impact: \"medium\",\n });\n }\n\n return recs;\n}\n\n// ── Report Formatting ───────────────────────────────────────────────────\n\n/**\n * Format the audit result as a human-readable report.\n */\nexport function formatAuditReport(result: SovereigntyAuditResult): string {\n const { environment: env, layers, overall_score, sovereignty_level, gaps, recommendations } = result;\n\n const scoreBar = formatScoreBar(overall_score);\n const levelLabel = sovereignty_level.toUpperCase();\n\n let report = \"\";\n report += \"═══════════════════════════════════════════════\\n\";\n report += \" SOVEREIGNTY AUDIT REPORT\\n\";\n report += ` Generated: ${result.audited_at}\\n`;\n report += \"═══════════════════════════════════════════════\\n\";\n report += \"\\n\";\n report += ` Overall Score: ${overall_score} / 100 ${scoreBar} ${levelLabel}\\n`;\n report += \"\\n\";\n\n // Environment section\n report += \" Environment:\\n\";\n report += ` • Sanctuary v${env.sanctuary_version ?? \"?\"} ${padDots(\"Sanctuary v\" + (env.sanctuary_version ?? \"?\"))} ${env.sanctuary_installed ? \"✓ installed\" : \"✗ not found\"}\\n`;\n\n if (env.openclaw_detected) {\n report += ` • OpenClaw ${padDots(\"OpenClaw\")} ✓ detected\\n`;\n if (env.openclaw_config) {\n report += ` • OpenClaw requireApproval ${padDots(\"OpenClaw requireApproval\")} ${env.openclaw_config.require_approval_enabled ? \"✓ enabled\" : \"✗ disabled\"}\\n`;\n report += ` • OpenClaw sandbox policy ${padDots(\"OpenClaw sandbox policy\")} ${env.openclaw_config.sandbox_policy_active ? \"✓ active\" : \"✗ inactive\"}\\n`;\n }\n }\n\n report += \"\\n\";\n\n // Layer assessment table\n const l1Score = scoreL1(layers.l1_cognitive);\n const l2Score = scoreL2(layers.l2_operational);\n const l3Score = scoreL3(layers.l3_selective_disclosure);\n const l4Score = scoreL4(layers.l4_reputation);\n\n report += \" Layer Assessment:\\n\";\n report += \" ┌─────────────────────────────┬──────────┬───────┐\\n\";\n report += \" │ Layer │ Status │ Score │\\n\";\n report += \" ├─────────────────────────────┼──────────┼───────┤\\n\";\n report += ` │ L1 Cognitive Sovereignty │ ${padStatus(layers.l1_cognitive.status)} │ ${padScore(l1Score, 35)} │\\n`;\n report += ` │ L2 Operational Isolation │ ${padStatus(layers.l2_operational.status)} │ ${padScore(l2Score, 25)} │\\n`;\n if (layers.l2_operational.context_gating) {\n report += ` │ └ Context Gating │ ACTIVE │ │\\n`;\n }\n report += ` │ L3 Selective Disclosure │ ${padStatus(layers.l3_selective_disclosure.status)} │ ${padScore(l3Score, 20)} │\\n`;\n report += ` │ L4 Verifiable Reputation │ ${padStatus(layers.l4_reputation.status)} │ ${padScore(l4Score, 20)} │\\n`;\n report += \" └─────────────────────────────┴──────────┴───────┘\\n\";\n report += \"\\n\";\n\n // Gaps\n if (gaps.length > 0) {\n report += ` ⚠ ${gaps.length} SOVEREIGNTY GAP${gaps.length !== 1 ? \"S\" : \"\"} FOUND\\n`;\n report += \"\\n\";\n for (const gap of gaps) {\n const severityLabel = `[${gap.severity.toUpperCase()}]`;\n report += ` ${severityLabel} ${gap.id}: ${gap.title}\\n`;\n // Wrap description to ~70 chars\n const descLines = wordWrap(gap.description, 66);\n for (const line of descLines) {\n report += ` ${line}\\n`;\n }\n if (gap.incident_class) {\n const ic = gap.incident_class;\n const cveStr = ic.cves?.length ? ` (${ic.cves.join(\", \")})` : \"\";\n report += ` → Incident precedent: ${ic.name}${cveStr} [${ic.date}]\\n`;\n }\n report += ` → Fix: ${gap.sanctuary_solution.split(\".\")[0]}.\\n`;\n if (gap.openclaw_relevance) {\n report += ` → OpenClaw context: ${gap.openclaw_relevance.split(\".\")[0]}.\\n`;\n }\n report += \"\\n\";\n }\n } else {\n report += \" ✓ NO SOVEREIGNTY GAPS FOUND\\n\";\n report += \"\\n\";\n }\n\n // Recommendations\n if (recommendations.length > 0) {\n report += \" RECOMMENDED NEXT STEPS (in order):\\n\";\n for (const rec of recommendations) {\n const effortLabel = rec.effort === \"immediate\"\n ? \"immediate\"\n : rec.effort === \"minutes\"\n ? \"5 min\"\n : \"30 min\";\n report += ` ${rec.priority}. [${effortLabel}] ${rec.action}`;\n if (rec.tool) {\n report += `: ${rec.tool}`;\n }\n report += \"\\n\";\n }\n report += \"\\n\";\n }\n\n report += \"═══════════════════════════════════════════════\\n\";\n\n return report;\n}\n\n// ── Helpers ─────────────────────────────────────────────────────────────\n\nfunction formatScoreBar(score: number): string {\n const filled = Math.round(score / 10);\n return \"[\" + \"■\".repeat(filled) + \"░\".repeat(10 - filled) + \"]\";\n}\n\nfunction padDots(label: string): string {\n const totalWidth = 30;\n const dotsNeeded = Math.max(2, totalWidth - label.length - 4);\n return \".\".repeat(dotsNeeded);\n}\n\nfunction padStatus(status: string): string {\n const label = status.toUpperCase();\n return label + \" \".repeat(Math.max(0, 8 - label.length));\n}\n\nfunction padScore(score: number, max: number): string {\n const text = `${score}/${max}`;\n return \" \".repeat(Math.max(0, 5 - text.length)) + text;\n}\n\nfunction wordWrap(text: string, maxWidth: number): string[] {\n const words = text.split(\" \");\n const lines: string[] = [];\n let current = \"\";\n for (const word of words) {\n if (current.length + word.length + 1 > maxWidth && current.length > 0) {\n lines.push(current);\n current = word;\n } else {\n current = current.length > 0 ? current + \" \" + word : word;\n }\n }\n if (current.length > 0) lines.push(current);\n return lines;\n}\n","/**\n * Sanctuary MCP Server — Sovereignty Audit MCP Tool\n *\n * Registers the sanctuary/sovereignty_audit tool that inspects the local\n * environment, detects sovereignty protections (including OpenClaw-specific\n * configurations), and produces a structured gap analysis report.\n *\n * This tool is Tier 3 (auto-allow) — it is read-only and diagnostic.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport type { SanctuaryConfig } from \"../config.js\";\nimport { detectEnvironment } from \"./detector.js\";\nimport { analyzeSovereignty, formatAuditReport } from \"./analyzer.js\";\n\nexport function createAuditTools(\n config: SanctuaryConfig\n): { tools: ToolDefinition[] } {\n const tools: ToolDefinition[] = [\n {\n name: \"sanctuary/sovereignty_audit\",\n description:\n \"Audit your agent's sovereignty posture. Inspects the local environment for \" +\n \"encryption, identity, approval gates, selective disclosure, and reputation — \" +\n \"including OpenClaw-specific configurations. Returns a scored gap analysis with \" +\n \"prioritized recommendations.\",\n inputSchema: {\n type: \"object\",\n properties: {\n deep_scan: {\n type: \"boolean\",\n description:\n \"If true (default), also scans for OpenClaw config, .env files, and \" +\n \"memory files. Set to false for a Sanctuary-only assessment.\",\n },\n },\n },\n handler: async (args) => {\n const deepScan = args.deep_scan !== false; // Default true\n\n // Detect environment (read-only)\n const env = await detectEnvironment(config, deepScan);\n\n // Analyze sovereignty posture\n const result = analyzeSovereignty(env, config);\n\n // Format human-readable report\n const report = formatAuditReport(result);\n\n return {\n content: [\n { type: \"text\" as const, text: report },\n { type: \"text\" as const, text: JSON.stringify(result, null, 2) },\n ],\n };\n },\n },\n ];\n\n return { tools };\n}\n","/**\n * Sanctuary MCP Server — L2 Operational Isolation: Context Gating\n *\n * Context gating controls what information leaves the sovereignty boundary\n * when an agent makes outbound calls — especially inference calls to remote\n * LLM providers. This is the \"minimum-necessary context\" enforcement layer.\n *\n * The problem: When an agent sends a request to a remote LLM provider (Claude,\n * GPT, etc.), most harnesses send the agent's full context — conversation\n * history, memory, tool results, preferences, internal reasoning. The agent\n * has no control over what the provider sees.\n *\n * Context gating lets the agent define:\n * - Provider categories (inference, tool-api, logging, analytics, etc.)\n * - What fields/categories of context may flow to each provider type\n * - What must always be redacted (secrets, internal reasoning, PII, etc.)\n * - What requires transformation (hashing, summarizing, anonymizing)\n *\n * This sits in L2 (Operational Isolation) because it controls information\n * flow at the execution boundary. L3 (Selective Disclosure) handles agent-\n * to-agent trust negotiation with cryptographic proofs; context gating\n * handles agent-to-infrastructure information flow.\n *\n * Security invariants:\n * - Redact rules take absolute priority (like withhold in L3)\n * - Policies are stored encrypted under L1 sovereignty\n * - Every filter operation is audit-logged with a content hash\n * (what was sent, what was redacted — without storing the content itself)\n * - Default policy: redact everything not explicitly allowed\n */\n\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport { encrypt, decrypt, type EncryptedPayload } from \"../core/encryption.js\";\nimport { derivePurposeKey } from \"../core/key-derivation.js\";\nimport { stringToBytes, bytesToString, toBase64url } from \"../core/encoding.js\";\nimport { randomBytes } from \"../core/random.js\";\nimport { hashToString } from \"../core/hashing.js\";\n\n// ── Types ───────────────────────────────────────────────────────────────\n\n/** Provider categories that context may flow to */\nexport type ProviderCategory =\n | \"inference\" // Remote LLM API calls (Claude, GPT, etc.)\n | \"tool-api\" // External tool/API calls (web search, database, etc.)\n | \"logging\" // Telemetry and logging services\n | \"analytics\" // Usage analytics and metrics\n | \"peer-agent\" // Other agents (falls through to L3 disclosure for crypto)\n | \"custom\"; // User-defined category\n\n/** Actions that can be taken on a context field */\nexport type ContextAction =\n | \"allow\" // Field passes through unchanged\n | \"redact\" // Field is completely removed (replaced with \"[REDACTED]\")\n | \"hash\" // Field value is replaced with its SHA-256 hash\n | \"summarize\" // Field is marked for summarization (advisory — agent should compress)\n | \"deny\"; // Entire request should be blocked if this field is present\n\n/** A rule within a context-gating policy */\nexport interface ContextGateRule {\n /** Provider category this rule applies to */\n provider: ProviderCategory | \"*\";\n /** Fields/patterns that may pass through */\n allow: string[];\n /** Fields/patterns that must be redacted (highest priority) */\n redact: string[];\n /** Fields/patterns that should be hashed */\n hash: string[];\n /** Fields/patterns that should be summarized (advisory) */\n summarize: string[];\n}\n\n/** A complete context-gating policy */\nexport interface ContextGatePolicy {\n policy_id: string;\n policy_name: string;\n rules: ContextGateRule[];\n /** Default action when no rule matches a field */\n default_action: \"redact\" | \"deny\";\n /** Identity this policy is bound to (optional) */\n identity_id?: string;\n created_at: string;\n updated_at: string;\n}\n\n/** Result of filtering a single field */\nexport interface FieldFilterResult {\n field: string;\n action: ContextAction;\n reason: string;\n /** If action is \"hash\", contains the hash */\n hash_value?: string;\n}\n\n/** Result of a full context filter operation */\nexport interface ContextFilterResult {\n policy_id: string;\n provider: ProviderCategory | string;\n fields_allowed: number;\n fields_redacted: number;\n fields_hashed: number;\n fields_summarized: number;\n fields_denied: number;\n decisions: FieldFilterResult[];\n /** SHA-256 hash of the original context (for audit trail) */\n original_context_hash: string;\n /** SHA-256 hash of the filtered output (for audit trail) */\n filtered_context_hash: string;\n filtered_at: string;\n}\n\n// ── Size Limits ─────────────────────────────────────────────────────────\n\n/** Maximum number of top-level fields in a context object */\nexport const MAX_CONTEXT_FIELDS = 1000;\n\n/** Maximum number of rules in a policy */\nexport const MAX_POLICY_RULES = 50;\n\n/** Maximum number of patterns in a single rule array (allow, redact, hash, summarize) */\nexport const MAX_PATTERNS_PER_ARRAY = 500;\n\n// ── Policy Evaluation ───────────────────────────────────────────────────\n\n/**\n * Evaluate a context field against a policy for a given provider.\n *\n * Priority order (same as L3 disclosure):\n * 1. Redact (blocks — highest priority)\n * 2. Deny (blocks entire request)\n * 3. Hash (transforms)\n * 4. Summarize (advisory transform)\n * 5. Allow (passes through)\n * 6. Default action\n */\nexport function evaluateField(\n policy: ContextGatePolicy,\n provider: ProviderCategory | string,\n field: string\n): FieldFilterResult {\n // Find matching rules: exact provider first, then wildcard\n const exactRule = policy.rules.find((r) => r.provider === provider);\n const wildcardRule = policy.rules.find((r) => r.provider === \"*\");\n const matchedRule = exactRule ?? wildcardRule;\n\n if (!matchedRule) {\n return {\n field,\n action: policy.default_action === \"deny\" ? \"deny\" : \"redact\",\n reason: `No rule matches provider \"${provider}\"; applying default (${policy.default_action})`,\n };\n }\n\n // Redact takes absolute priority\n if (matchesPattern(field, matchedRule.redact)) {\n return {\n field,\n action: \"redact\",\n reason: `Field \"${field}\" is explicitly redacted for ${matchedRule.provider} provider`,\n };\n }\n\n // Hash\n if (matchesPattern(field, matchedRule.hash)) {\n return {\n field,\n action: \"hash\",\n reason: `Field \"${field}\" is hashed for ${matchedRule.provider} provider`,\n };\n }\n\n // Summarize (advisory)\n if (matchesPattern(field, matchedRule.summarize)) {\n return {\n field,\n action: \"summarize\",\n reason: `Field \"${field}\" should be summarized for ${matchedRule.provider} provider`,\n };\n }\n\n // Allow\n if (matchesPattern(field, matchedRule.allow)) {\n return {\n field,\n action: \"allow\",\n reason: `Field \"${field}\" is allowed for ${matchedRule.provider} provider`,\n };\n }\n\n // Not mentioned — fall to default\n return {\n field,\n action: policy.default_action === \"deny\" ? \"deny\" : \"redact\",\n reason: `Field \"${field}\" not addressed in ${matchedRule.provider} rule; applying default (${policy.default_action})`,\n };\n}\n\n/**\n * Filter a full context object against a policy for a given provider.\n * Returns per-field decisions and content hashes for the audit trail.\n */\nexport function filterContext(\n policy: ContextGatePolicy,\n provider: ProviderCategory | string,\n context: Record<string, unknown>\n): ContextFilterResult {\n const fields = Object.keys(context);\n if (fields.length > MAX_CONTEXT_FIELDS) {\n throw new Error(\n `Context object has ${fields.length} fields, exceeding limit of ${MAX_CONTEXT_FIELDS}`\n );\n }\n const decisions: FieldFilterResult[] = [];\n let allowed = 0;\n let redacted = 0;\n let hashed = 0;\n let summarized = 0;\n let denied = 0;\n\n for (const field of fields) {\n const result = evaluateField(policy, provider, field);\n\n // If hash action, compute the hash\n if (result.action === \"hash\") {\n const value = typeof context[field] === \"string\"\n ? context[field] as string\n : JSON.stringify(context[field]);\n result.hash_value = hashToString(stringToBytes(value));\n }\n\n decisions.push(result);\n\n switch (result.action) {\n case \"allow\": allowed++; break;\n case \"redact\": redacted++; break;\n case \"hash\": hashed++; break;\n case \"summarize\": summarized++; break;\n case \"deny\": denied++; break;\n }\n }\n\n // Compute content hashes for audit trail\n const originalHash = hashToString(\n stringToBytes(JSON.stringify(context))\n );\n\n // Build filtered output for hash computation\n const filteredOutput: Record<string, unknown> = {};\n for (const decision of decisions) {\n switch (decision.action) {\n case \"allow\":\n filteredOutput[decision.field] = context[decision.field];\n break;\n case \"redact\":\n filteredOutput[decision.field] = \"[REDACTED]\";\n break;\n case \"hash\":\n filteredOutput[decision.field] = `[HASH:${decision.hash_value}]`;\n break;\n case \"summarize\":\n filteredOutput[decision.field] = \"[SUMMARIZE]\";\n break;\n case \"deny\":\n // Field excluded entirely\n break;\n }\n }\n const filteredHash = hashToString(\n stringToBytes(JSON.stringify(filteredOutput))\n );\n\n return {\n policy_id: policy.policy_id,\n provider,\n fields_allowed: allowed,\n fields_redacted: redacted,\n fields_hashed: hashed,\n fields_summarized: summarized,\n fields_denied: denied,\n decisions,\n original_context_hash: originalHash,\n filtered_context_hash: filteredHash,\n filtered_at: new Date().toISOString(),\n };\n}\n\n// ── Pattern Matching ────────────────────────────────────────────────────\n\n/**\n * Check if a field name matches any pattern in a list.\n * Supports:\n * - Exact match: \"conversation_history\"\n * - Wildcard prefix: \"secret_*\" matches \"secret_key\", \"secret_token\"\n * - Wildcard suffix: \"*_pii\" matches \"name_pii\", \"email_pii\"\n * - Full wildcard: \"*\" matches everything\n */\nexport function matchesPattern(field: string, patterns: string[]): boolean {\n const normalizedField = field.toLowerCase();\n for (const pattern of patterns) {\n if (pattern === \"*\") return true;\n const normalizedPattern = pattern.toLowerCase();\n if (normalizedPattern === normalizedField) return true;\n if (normalizedPattern.endsWith(\"*\") && normalizedField.startsWith(normalizedPattern.slice(0, -1))) return true;\n if (normalizedPattern.startsWith(\"*\") && normalizedField.endsWith(normalizedPattern.slice(1))) return true;\n }\n return false;\n}\n\n// ── Policy Store ────────────────────────────────────────────────────────\n\n/**\n * Context gate policy store — encrypted under L1 sovereignty.\n */\nexport class ContextGatePolicyStore {\n private storage: StorageBackend;\n private encryptionKey: Uint8Array;\n private policies: Map<string, ContextGatePolicy> = new Map();\n\n constructor(storage: StorageBackend, masterKey: Uint8Array) {\n this.storage = storage;\n this.encryptionKey = derivePurposeKey(masterKey, \"l2-context-gate\");\n }\n\n /**\n * Create and store a new context-gating policy.\n */\n async create(\n policyName: string,\n rules: ContextGateRule[],\n defaultAction: \"redact\" | \"deny\",\n identityId?: string\n ): Promise<ContextGatePolicy> {\n const policyId = `cg-${Date.now()}-${toBase64url(randomBytes(8))}`;\n const now = new Date().toISOString();\n\n const policy: ContextGatePolicy = {\n policy_id: policyId,\n policy_name: policyName,\n rules,\n default_action: defaultAction,\n identity_id: identityId,\n created_at: now,\n updated_at: now,\n };\n\n await this.persist(policy);\n this.policies.set(policyId, policy);\n\n return policy;\n }\n\n /**\n * Get a policy by ID.\n */\n async get(policyId: string): Promise<ContextGatePolicy | null> {\n if (this.policies.has(policyId)) {\n return this.policies.get(policyId)!;\n }\n\n const raw = await this.storage.read(\"_context_gate_policies\", policyId);\n if (!raw) return null;\n\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: ContextGatePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policyId, policy);\n return policy;\n } catch {\n return null;\n }\n }\n\n /**\n * List all context-gating policies.\n */\n async list(): Promise<ContextGatePolicy[]> {\n await this.loadAll();\n return Array.from(this.policies.values());\n }\n\n /**\n * Load all persisted policies into memory.\n */\n private async loadAll(): Promise<void> {\n try {\n const entries = await this.storage.list(\"_context_gate_policies\");\n for (const meta of entries) {\n if (this.policies.has(meta.key)) continue;\n const raw = await this.storage.read(\"_context_gate_policies\", meta.key);\n if (!raw) continue;\n try {\n const encrypted: EncryptedPayload = JSON.parse(bytesToString(raw));\n const decrypted = decrypt(encrypted, this.encryptionKey);\n const policy: ContextGatePolicy = JSON.parse(bytesToString(decrypted));\n this.policies.set(policy.policy_id, policy);\n } catch {\n // Skip corrupted policies\n }\n }\n } catch {\n // Storage not available\n }\n }\n\n private async persist(policy: ContextGatePolicy): Promise<void> {\n const serialized = stringToBytes(JSON.stringify(policy));\n const encrypted = encrypt(serialized, this.encryptionKey);\n await this.storage.write(\n \"_context_gate_policies\",\n policy.policy_id,\n stringToBytes(JSON.stringify(encrypted))\n );\n }\n}\n","/**\n * Sanctuary MCP Server — L2 Context Gating: Starter Policy Templates\n *\n * Pre-built policies for common use cases. These are starting points —\n * users should customize them for their specific context structure.\n *\n * Templates:\n *\n * inference-minimal\n * Only the current task and query reach the LLM. Everything else\n * is redacted. Secrets, PII, memory, reasoning, and history are\n * all blocked. IDs are hashed. Maximum privacy, minimum context.\n *\n * inference-standard\n * Task, query, and tool results pass through. Conversation history\n * is flagged for summarization (compress before sending). Secrets,\n * PII, and internal reasoning are redacted. IDs are hashed.\n * Balanced: the LLM has enough context to be useful without seeing\n * everything the agent knows.\n *\n * logging-strict\n * Redacts everything for logging/analytics providers. Only\n * operation names and timestamps pass through. Use this for\n * telemetry services where you want usage metrics without\n * content exposure.\n *\n * tool-api-scoped\n * Allows tool-specific parameters and the current task, redacts\n * memory, history, secrets, and PII. Hashes IDs. For outbound\n * calls to external APIs (search, database, etc.) where you need\n * to send query parameters but not your agent's full state.\n */\n\nimport type { ContextGateRule } from \"./context-gate.js\";\n\n/** A template definition ready to be applied via the policy store */\nexport interface ContextGateTemplate {\n /** Machine-readable template ID */\n id: string;\n /** Human-readable name */\n name: string;\n /** One-line description */\n description: string;\n /** When to use this template */\n use_when: string;\n /** The rules that make up this template */\n rules: ContextGateRule[];\n /** Default action for unmatched fields */\n default_action: \"redact\" | \"deny\";\n}\n\n// ── Shared Patterns ─────────────────────────────────────────────────────\n// These field patterns appear across multiple templates. Keeping them\n// as named constants makes the security-critical redact lists auditable.\n\n/** Fields that must ALWAYS be redacted regardless of provider */\nconst ALWAYS_REDACT_SECRETS = [\n \"api_key\",\n \"secret_*\",\n \"*_secret\",\n \"*_token\",\n \"*_key\",\n \"password\",\n \"*_password\",\n \"credential\",\n \"*_credential\",\n \"private_key\",\n \"recovery_key\",\n \"passphrase\",\n \"auth_*\",\n];\n\n/** Fields containing personally identifiable information */\nconst PII_PATTERNS = [\n \"*_pii\",\n \"name\",\n \"full_name\",\n \"email\",\n \"email_address\",\n \"phone\",\n \"phone_number\",\n \"address\",\n \"ssn\",\n \"date_of_birth\",\n \"ip_address\",\n \"credit_card\",\n \"card_number\",\n \"cvv\",\n \"bank_account\",\n \"account_number\",\n \"routing_number\",\n];\n\n/** Fields containing agent internal state */\nconst INTERNAL_STATE_PATTERNS = [\n \"memory\",\n \"agent_memory\",\n \"internal_reasoning\",\n \"internal_state\",\n \"reasoning_trace\",\n \"chain_of_thought\",\n \"private_notes\",\n \"soul\",\n \"personality\",\n \"system_prompt\",\n];\n\n/** ID fields that should be hashed rather than sent in plaintext */\nconst ID_PATTERNS = [\n \"user_id\",\n \"session_id\",\n \"agent_id\",\n \"identity_id\",\n \"conversation_id\",\n \"thread_id\",\n];\n\n/** History/context fields that are large and should be summarized */\nconst HISTORY_PATTERNS = [\n \"conversation_history\",\n \"message_history\",\n \"chat_history\",\n \"context_window\",\n \"previous_messages\",\n];\n\n// ── Templates ───────────────────────────────────────────────────────────\n\nexport const INFERENCE_MINIMAL: ContextGateTemplate = {\n id: \"inference-minimal\",\n name: \"Inference Minimal\",\n description:\n \"Maximum privacy. Only the current task and query reach the LLM provider.\",\n use_when:\n \"You want the strictest possible context control for inference calls. \" +\n \"The LLM sees only what it needs for the immediate task.\",\n rules: [\n {\n provider: \"inference\",\n allow: [\n \"task\",\n \"task_description\",\n \"current_query\",\n \"query\",\n \"prompt\",\n \"question\",\n \"instruction\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n \"tool_results\",\n \"previous_results\",\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n ],\n default_action: \"redact\",\n};\n\nexport const INFERENCE_STANDARD: ContextGateTemplate = {\n id: \"inference-standard\",\n name: \"Inference Standard\",\n description:\n \"Balanced privacy. Task, query, and tool results pass through. \" +\n \"History flagged for summarization. Secrets and PII redacted.\",\n use_when:\n \"You need the LLM to have enough context for multi-step tasks \" +\n \"while keeping secrets, PII, and internal reasoning private.\",\n rules: [\n {\n provider: \"inference\",\n allow: [\n \"task\",\n \"task_description\",\n \"current_query\",\n \"query\",\n \"prompt\",\n \"question\",\n \"instruction\",\n \"tool_results\",\n \"tool_output\",\n \"previous_results\",\n \"current_step\",\n \"remaining_steps\",\n \"objective\",\n \"constraints\",\n \"format\",\n \"output_format\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [...HISTORY_PATTERNS],\n },\n ],\n default_action: \"redact\",\n};\n\nexport const LOGGING_STRICT: ContextGateTemplate = {\n id: \"logging-strict\",\n name: \"Logging Strict\",\n description:\n \"Redacts all content for logging and analytics providers. \" +\n \"Only operation metadata passes through.\",\n use_when:\n \"You send telemetry to logging or analytics services and want \" +\n \"usage metrics without any content exposure.\",\n rules: [\n {\n provider: \"logging\",\n allow: [\n \"operation\",\n \"operation_name\",\n \"tool_name\",\n \"timestamp\",\n \"duration_ms\",\n \"status\",\n \"error_code\",\n \"event_type\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n {\n provider: \"analytics\",\n allow: [\n \"event_type\",\n \"timestamp\",\n \"duration_ms\",\n \"status\",\n \"tool_name\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n ],\n default_action: \"redact\",\n};\n\nexport const TOOL_API_SCOPED: ContextGateTemplate = {\n id: \"tool-api-scoped\",\n name: \"Tool API Scoped\",\n description:\n \"Allows tool-specific parameters for external API calls. \" +\n \"Redacts memory, history, secrets, and PII.\",\n use_when:\n \"Your agent calls external APIs (search, database, web) and you \" +\n \"want to send query parameters without full agent context. \" +\n \"Note: 'headers' and 'body' are redacted by default because they \" +\n \"frequently carry authorization tokens. Add them to 'allow' only \" +\n \"if you verify they contain no credentials for your use case.\",\n rules: [\n {\n provider: \"tool-api\",\n allow: [\n \"task\",\n \"task_description\",\n \"query\",\n \"search_query\",\n \"tool_input\",\n \"tool_parameters\",\n \"url\",\n \"endpoint\",\n \"method\",\n \"filter\",\n \"sort\",\n \"limit\",\n \"offset\",\n ],\n redact: [\n ...ALWAYS_REDACT_SECRETS,\n ...PII_PATTERNS,\n ...INTERNAL_STATE_PATTERNS,\n ...HISTORY_PATTERNS,\n ],\n hash: [...ID_PATTERNS],\n summarize: [],\n },\n ],\n default_action: \"redact\",\n};\n\n// ── Template Registry ───────────────────────────────────────────────────\n\n/** All available templates, keyed by ID */\nexport const TEMPLATES: Record<string, ContextGateTemplate> = {\n \"inference-minimal\": INFERENCE_MINIMAL,\n \"inference-standard\": INFERENCE_STANDARD,\n \"logging-strict\": LOGGING_STRICT,\n \"tool-api-scoped\": TOOL_API_SCOPED,\n};\n\n/** List all available template IDs */\nexport function listTemplateIds(): string[] {\n return Object.keys(TEMPLATES);\n}\n\n/** Get a template by ID (returns undefined if not found) */\nexport function getTemplate(id: string): ContextGateTemplate | undefined {\n return TEMPLATES[id];\n}\n","/**\n * Sanctuary MCP Server — L2 Context Gating: Policy Recommendation Engine\n *\n * Analyzes a sample context object and recommends a context-gating policy\n * based on field name heuristics. The agent (or human) can then review,\n * adjust, and apply the recommendation.\n *\n * This is deliberately conservative: when in doubt, it recommends redact.\n * A false redaction is a usability issue; a false allow is a privacy leak.\n *\n * Classification heuristics:\n * - Known secret patterns → redact (highest confidence)\n * - Known PII patterns → redact (high confidence)\n * - Known internal state patterns → redact (high confidence)\n * - Known ID patterns → hash (medium confidence)\n * - Known history patterns → summarize (medium confidence)\n * - Known task/query patterns → allow (medium confidence)\n * - Everything else → redact (conservative default)\n *\n * WARNING: Fields like 'tool_results' and 'tool_output' are classified as\n * \"allow\" (medium confidence) but may contain sensitive data from external\n * API responses, including auth tokens, user data, or PII. Always review\n * recommendations before applying — the heuristic classifies by field NAME,\n * not field CONTENT.\n */\n\n/** Classification result for a single field */\nexport interface FieldClassification {\n field: string;\n recommended_action: \"allow\" | \"redact\" | \"hash\" | \"summarize\";\n reason: string;\n confidence: \"high\" | \"medium\" | \"low\";\n /** Pattern that matched, if any */\n matched_pattern: string | null;\n}\n\n/** Full recommendation result */\nexport interface PolicyRecommendation {\n provider: string;\n classifications: FieldClassification[];\n recommended_rules: {\n allow: string[];\n redact: string[];\n hash: string[];\n summarize: string[];\n };\n default_action: \"redact\";\n summary: {\n total_fields: number;\n allow: number;\n redact: number;\n hash: number;\n summarize: number;\n };\n warnings: string[];\n}\n\n// ── Pattern Definitions ─────────────────────────────────────────────────\n// Each pattern set maps field name patterns to a classification.\n// Order matters: earlier sets have higher priority.\n\ninterface PatternRule {\n /** Patterns to match against field names (lowercase) */\n patterns: string[];\n /** Action to recommend */\n action: \"allow\" | \"redact\" | \"hash\" | \"summarize\";\n /** Confidence level */\n confidence: \"high\" | \"medium\" | \"low\";\n /** Human-readable reason */\n reason: string;\n}\n\nconst CLASSIFICATION_RULES: PatternRule[] = [\n // ── Secrets (always redact, high confidence) ─────────────────────\n {\n patterns: [\n \"api_key\", \"apikey\", \"api_secret\",\n \"secret\", \"secret_key\", \"secret_token\",\n \"password\", \"passwd\", \"pass\",\n \"credential\", \"credentials\",\n \"private_key\", \"privkey\",\n \"recovery_key\",\n \"passphrase\",\n \"token\", \"access_token\", \"refresh_token\", \"bearer_token\",\n \"auth_token\", \"auth_header\", \"authorization\",\n \"encryption_key\", \"master_key\", \"signing_key\",\n \"webhook_secret\", \"client_secret\",\n \"connection_string\",\n ],\n action: \"redact\",\n confidence: \"high\",\n reason: \"Matches known secret/credential pattern\",\n },\n\n // ── PII (always redact, high confidence) ─────────────────────────\n {\n patterns: [\n \"name\", \"full_name\", \"first_name\", \"last_name\", \"display_name\",\n \"email\", \"email_address\",\n \"phone\", \"phone_number\", \"mobile\",\n \"address\", \"street_address\", \"mailing_address\",\n \"ssn\", \"social_security\",\n \"date_of_birth\", \"dob\", \"birthday\",\n \"ip_address\", \"ip\",\n \"location\", \"geolocation\", \"coordinates\",\n \"credit_card\", \"card_number\", \"cvv\",\n \"bank_account\", \"routing_number\",\n \"passport\", \"drivers_license\", \"license_number\",\n ],\n action: \"redact\",\n confidence: \"high\",\n reason: \"Matches known PII pattern\",\n },\n\n // ── Internal agent state (redact, high confidence) ───────────────\n {\n patterns: [\n \"memory\", \"agent_memory\", \"long_term_memory\",\n \"internal_reasoning\", \"reasoning_trace\", \"chain_of_thought\",\n \"internal_state\", \"agent_state\",\n \"private_notes\", \"scratchpad\",\n \"soul\", \"personality\", \"persona\",\n \"system_prompt\", \"system_message\", \"system_instruction\",\n \"preferences\", \"user_preferences\", \"agent_preferences\",\n \"beliefs\", \"goals\", \"motivations\",\n ],\n action: \"redact\",\n confidence: \"high\",\n reason: \"Matches known internal agent state pattern\",\n },\n\n // ── IDs (hash, medium confidence) ────────────────────────────────\n {\n patterns: [\n \"user_id\", \"userid\",\n \"session_id\", \"sessionid\",\n \"agent_id\", \"agentid\",\n \"identity_id\",\n \"conversation_id\",\n \"thread_id\", \"threadid\",\n \"request_id\", \"requestid\",\n \"correlation_id\",\n \"trace_id\", \"traceid\",\n \"account_id\", \"accountid\",\n ],\n action: \"hash\",\n confidence: \"medium\",\n reason: \"Matches known identifier pattern — hash preserves correlation without exposing value\",\n },\n\n // ── History (summarize, medium confidence) ───────────────────────\n {\n patterns: [\n \"conversation_history\", \"chat_history\",\n \"message_history\", \"messages\",\n \"previous_messages\", \"prior_messages\",\n \"context_window\",\n \"interaction_history\",\n \"audit_log\", \"event_log\",\n ],\n action: \"summarize\",\n confidence: \"medium\",\n reason: \"Matches known history/log pattern — summarize to reduce exposure\",\n },\n\n // ── Task/query (allow, medium confidence) ────────────────────────\n {\n patterns: [\n \"task\", \"task_description\",\n \"query\", \"current_query\", \"search_query\",\n \"prompt\", \"user_prompt\",\n \"question\", \"current_question\",\n \"instruction\", \"instructions\",\n \"objective\", \"goal\",\n \"current_step\", \"next_step\",\n \"remaining_steps\",\n \"constraints\", \"requirements\",\n \"output_format\", \"format\",\n \"tool_results\", \"tool_output\",\n \"tool_input\", \"tool_parameters\",\n ],\n action: \"allow\",\n confidence: \"medium\",\n reason: \"Matches known task/query pattern — likely needed for inference\",\n },\n];\n\n// ── Classification Engine ───────────────────────────────────────────────\n\n/**\n * Classify a single field name and return a recommendation.\n */\nexport function classifyField(fieldName: string): FieldClassification {\n const normalized = fieldName.toLowerCase().trim();\n\n for (const rule of CLASSIFICATION_RULES) {\n for (const pattern of rule.patterns) {\n if (matchesFieldPattern(normalized, pattern)) {\n return {\n field: fieldName,\n recommended_action: rule.action,\n reason: rule.reason,\n confidence: rule.confidence,\n matched_pattern: pattern,\n };\n }\n }\n }\n\n // No pattern matched — conservative default\n return {\n field: fieldName,\n recommended_action: \"redact\",\n reason: \"No known pattern matched — defaulting to redact (conservative)\",\n confidence: \"low\",\n matched_pattern: null,\n };\n}\n\n/**\n * Analyze a full context object and recommend a policy.\n */\nexport function recommendPolicy(\n context: Record<string, unknown>,\n provider: string = \"inference\"\n): PolicyRecommendation {\n const fields = Object.keys(context);\n const classifications: FieldClassification[] = fields.map(classifyField);\n const warnings: string[] = [];\n\n // Build rule lists\n const allow: string[] = [];\n const redact: string[] = [];\n const hash: string[] = [];\n const summarize: string[] = [];\n\n for (const c of classifications) {\n switch (c.recommended_action) {\n case \"allow\": allow.push(c.field); break;\n case \"redact\": redact.push(c.field); break;\n case \"hash\": hash.push(c.field); break;\n case \"summarize\": summarize.push(c.field); break;\n }\n }\n\n // Generate warnings\n const lowConfidence = classifications.filter((c) => c.confidence === \"low\");\n if (lowConfidence.length > 0) {\n warnings.push(\n `${lowConfidence.length} field(s) could not be classified by pattern and will ` +\n `default to redact: ${lowConfidence.map((c) => c.field).join(\", \")}. ` +\n `Review these manually.`\n );\n }\n\n // Check for fields that look like they might contain large content\n for (const [key, value] of Object.entries(context)) {\n if (typeof value === \"string\" && value.length > 5000) {\n const existing = classifications.find((c) => c.field === key);\n if (existing && existing.recommended_action === \"allow\") {\n warnings.push(\n `Field \"${key}\" is allowed but contains ${value.length} characters. ` +\n `Consider summarizing it to reduce context size and exposure.`\n );\n }\n }\n }\n\n return {\n provider,\n classifications,\n recommended_rules: { allow, redact, hash, summarize },\n default_action: \"redact\",\n summary: {\n total_fields: fields.length,\n allow: allow.length,\n redact: redact.length,\n hash: hash.length,\n summarize: summarize.length,\n },\n warnings,\n };\n}\n\n// ── Pattern Matching ────────────────────────────────────────────────────\n\n/**\n * Match a normalized field name against a pattern.\n * Supports exact match and substring containment for compound field names.\n *\n * Examples:\n * - \"api_key\" matches field \"api_key\" (exact)\n * - \"api_key\" matches field \"openai_api_key\" (contains)\n * - \"secret\" matches field \"client_secret\" (contains)\n * - \"password\" matches field \"db_password\" (contains)\n */\nfunction matchesFieldPattern(normalizedField: string, pattern: string): boolean {\n if (normalizedField === pattern) return true;\n // Check if the pattern appears as a complete word boundary segment\n // e.g., \"api_key\" should match \"openai_api_key\" but \"key\" alone shouldn't match \"keyboard\"\n if (pattern.length >= 3 && normalizedField.includes(pattern)) {\n // Verify it's at a word boundary (start/end of string, or adjacent to _ or -)\n const idx = normalizedField.indexOf(pattern);\n const before = idx === 0 || normalizedField[idx - 1] === \"_\" || normalizedField[idx - 1] === \"-\";\n const after = idx + pattern.length === normalizedField.length ||\n normalizedField[idx + pattern.length] === \"_\" ||\n normalizedField[idx + pattern.length] === \"-\";\n return before && after;\n }\n return false;\n}\n","/**\n * Sanctuary MCP Server — L2 Context Gating: Automatic Enforcer\n *\n * The context gate enforcer wraps tool handlers to automatically filter\n * their arguments before execution. Unlike context_gate_filter (which agents\n * call voluntarily), the enforcer runs automatically on every tool call\n * when enabled.\n *\n * This enforces minimum-necessary-context by default and makes bypassing\n * context protection explicit (requires reconfiguration).\n *\n * Security invariants:\n * - The enforcer wraps every tool handler when enabled\n * - Filtering decisions are audit-logged\n * - Default action on missing policy: fallback to built-in sensitive patterns\n * - Denied fields block the entire request (with logged reason)\n * - Redacted fields are stripped from tool arguments\n * - log_only mode logs what would be filtered but passes original args\n */\n\nimport type { ToolHandler } from \"../router.js\";\nimport type { ContextGatePolicyStore } from \"./context-gate.js\";\nimport { filterContext, matchesPattern, type ContextGatePolicy } from \"./context-gate.js\";\nimport type { AuditLog } from \"./audit-log.js\";\nimport { stringToBytes } from \"../core/encoding.js\";\nimport { hashToString } from \"../core/hashing.js\";\nimport { toolResult } from \"../router.js\";\n\n// ── Configuration ───────────────────────────────────────────────────────\n\nexport interface EnforcerConfig {\n /** Enable/disable automatic filtering (default: true) */\n enabled: boolean;\n /** Policy ID to use when no specific one is set */\n default_policy_id?: string;\n /** Tool name prefixes to skip filtering (e.g., [\"sanctuary/\"] to skip system tools) */\n bypass_prefixes: string[];\n /** Log but don't filter — for gradual rollout (default: false) */\n log_only: boolean;\n /** What to do when a field triggers deny action: \"block\" or \"redact\" */\n on_deny: \"block\" | \"redact\";\n}\n\n// ── Built-in Sensitive Field Patterns ───────────────────────────────────\n\n/**\n * Built-in patterns for sensitive fields.\n * Used as fallback when no explicit policy is configured.\n * These are applied even without a policy to provide baseline protection.\n */\nconst BUILTIN_SENSITIVE_PATTERNS = [\n \"*_key\",\n \"*_token\",\n \"*_secret\",\n \"api_key\",\n \"access_token\",\n \"refresh_token\",\n \"password\",\n \"passwd\",\n \"credential*\",\n \"auth_*\",\n \"ssn\",\n \"social_security*\",\n \"tax_id*\",\n \"credit_card*\",\n \"card_number*\",\n \"cvv\",\n \"cvc\",\n \"private_key\",\n \"secret_key\",\n \"master_key\",\n];\n\n// ── Enforcer Status ─────────────────────────────────────────────────────\n\nexport interface EnforcerStatus {\n enabled: boolean;\n log_only: boolean;\n default_policy_id: string | null;\n stats: {\n calls_inspected: number;\n calls_bypassed: number;\n fields_redacted: number;\n fields_hashed: number;\n fields_blocked: number;\n calls_blocked: number;\n };\n}\n\n// ── Enforcer Implementation ─────────────────────────────────────────────\n\nexport class ContextGateEnforcer {\n private policyStore: ContextGatePolicyStore;\n private auditLog: AuditLog;\n private config: EnforcerConfig;\n private stats = {\n calls_inspected: 0,\n calls_bypassed: 0,\n fields_redacted: 0,\n fields_hashed: 0,\n fields_blocked: 0,\n calls_blocked: 0,\n };\n\n constructor(\n policyStore: ContextGatePolicyStore,\n auditLog: AuditLog,\n config: EnforcerConfig\n ) {\n this.policyStore = policyStore;\n this.auditLog = auditLog;\n this.config = config;\n }\n\n /**\n * Wrap a tool handler to apply automatic context gating.\n *\n * The wrapped handler:\n * 1. Checks if tool should be filtered (based on bypass_prefixes)\n * 2. If not filtering, calls original handler directly\n * 3. If filtering:\n * a. Gets the active policy or falls back to built-in patterns\n * b. Calls filterContext() with tool arguments\n * c. If any field triggered \"deny\" and on_deny is \"block\", returns error\n * d. If on_deny is \"redact\", replaces denied fields with \"[REDACTED]\"\n * e. Calls original handler with filtered arguments\n * f. Logs the filtering decision\n * 4. In log_only mode: runs filter, logs what would happen, passes original args\n */\n wrapHandler(toolName: string, originalHandler: ToolHandler): ToolHandler {\n return async (args: Record<string, unknown>) => {\n // If enforcer is disabled, pass through\n if (!this.config.enabled) {\n return originalHandler(args);\n }\n\n // Check if tool should be filtered\n if (!this.shouldFilter(toolName)) {\n this.stats.calls_bypassed++;\n return originalHandler(args);\n }\n\n this.stats.calls_inspected++;\n\n // Get the active policy or null if none exists\n const policy = this.config.default_policy_id\n ? await this.policyStore.get(this.config.default_policy_id)\n : null;\n\n if (policy) {\n // Use explicit policy\n return this.filterWithPolicy(\n toolName,\n args,\n originalHandler,\n policy\n );\n } else {\n // Fall back to built-in sensitive pattern matching\n return this.filterWithBuiltinPatterns(\n toolName,\n args,\n originalHandler\n );\n }\n };\n }\n\n /**\n * Filter tool arguments using an explicit policy.\n */\n private async filterWithPolicy(\n toolName: string,\n args: Record<string, unknown>,\n originalHandler: ToolHandler,\n policy: ContextGatePolicy\n ): Promise<{ content: Array<{ type: \"text\"; text: string }> }> {\n // Provider category for the tool (default to \"tool-api\")\n const provider = this.extractProviderCategory(toolName);\n\n // Filter the context\n const result = filterContext(policy, provider, args);\n\n // Check for denied fields\n const deniedFields = result.decisions.filter((d) => d.action === \"deny\");\n\n if (deniedFields.length > 0) {\n if (this.config.on_deny === \"block\") {\n this.stats.calls_blocked++;\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_block\",\n \"system\",\n {\n tool_name: toolName,\n policy_id: policy.policy_id,\n provider,\n denied_fields: deniedFields.map((d) => d.field),\n original_context_hash: result.original_context_hash,\n }\n );\n\n return toolResult({\n error: \"context_gating_blocked\",\n message: \"Tool call contains fields that trigger deny action\",\n tool: toolName,\n denied_fields: deniedFields.map((d) => d.field),\n recommendation:\n \"Remove the denied fields from context or update the context-gating policy.\",\n });\n }\n // If on_deny is \"redact\", continue with filtered args below\n }\n\n // Build filtered arguments\n const filteredArgs = this.buildFilteredArgs(args, result.decisions);\n\n if (this.config.log_only) {\n // Log but pass original args\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_log_only\",\n \"system\",\n {\n tool_name: toolName,\n policy_id: policy.policy_id,\n provider,\n fields_total: Object.keys(args).length,\n fields_redacted: result.fields_redacted,\n fields_hashed: result.fields_hashed,\n fields_blocked: deniedFields.length,\n original_context_hash: result.original_context_hash,\n }\n );\n this.stats.fields_redacted += result.fields_redacted;\n this.stats.fields_hashed += result.fields_hashed;\n this.stats.fields_blocked += deniedFields.length;\n\n return originalHandler(args);\n }\n\n // Execute handler with filtered arguments\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_filter\",\n \"system\",\n {\n tool_name: toolName,\n policy_id: policy.policy_id,\n provider,\n fields_total: Object.keys(args).length,\n fields_redacted: result.fields_redacted,\n fields_hashed: result.fields_hashed,\n fields_blocked: deniedFields.length,\n original_context_hash: result.original_context_hash,\n }\n );\n\n this.stats.fields_redacted += result.fields_redacted;\n this.stats.fields_hashed += result.fields_hashed;\n this.stats.fields_blocked += deniedFields.length;\n\n return originalHandler(filteredArgs);\n }\n\n /**\n * Filter tool arguments using built-in sensitive patterns.\n * This provides baseline protection when no explicit policy is configured.\n */\n private async filterWithBuiltinPatterns(\n toolName: string,\n args: Record<string, unknown>,\n originalHandler: ToolHandler\n ): Promise<{ content: Array<{ type: \"text\"; text: string }> }> {\n const fieldsToRedact: string[] = [];\n const originalHash = hashToString(\n stringToBytes(JSON.stringify(args))\n );\n\n // Check each field against built-in patterns\n for (const field of Object.keys(args)) {\n if (matchesPattern(field, BUILTIN_SENSITIVE_PATTERNS)) {\n fieldsToRedact.push(field);\n }\n }\n\n if (fieldsToRedact.length === 0) {\n // No sensitive fields detected — pass through\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_builtin_pass\",\n \"system\",\n {\n tool_name: toolName,\n reason: \"No sensitive field patterns detected\",\n }\n );\n return originalHandler(args);\n }\n\n // Build filtered arguments\n const filteredArgs: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(args)) {\n if (fieldsToRedact.includes(key)) {\n filteredArgs[key] = \"[REDACTED]\";\n } else {\n filteredArgs[key] = value;\n }\n }\n\n const filteredHash = hashToString(\n stringToBytes(JSON.stringify(filteredArgs))\n );\n\n if (this.config.log_only) {\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_builtin_log_only\",\n \"system\",\n {\n tool_name: toolName,\n fields_redacted: fieldsToRedact.length,\n redacted_fields: fieldsToRedact,\n original_context_hash: originalHash,\n }\n );\n this.stats.fields_redacted += fieldsToRedact.length;\n return originalHandler(args);\n }\n\n // Execute handler with filtered arguments\n this.auditLog.append(\n \"l2\",\n \"context_gate_enforcer_builtin_filter\",\n \"system\",\n {\n tool_name: toolName,\n fields_redacted: fieldsToRedact.length,\n redacted_fields: fieldsToRedact,\n original_context_hash: originalHash,\n filtered_context_hash: filteredHash,\n }\n );\n\n this.stats.fields_redacted += fieldsToRedact.length;\n\n return originalHandler(filteredArgs);\n }\n\n /**\n * Check if a tool should be filtered based on bypass prefixes.\n *\n * SEC-033: Uses exact namespace component matching, not bare startsWith().\n * A prefix of \"sanctuary/\" matches \"sanctuary/state_read\" but NOT\n * \"sanctuary_evil/steal_data\" (no slash boundary confusion). The prefix\n * must match exactly up to its length, and the prefix must end with \"/\"\n * to enforce namespace boundaries (if it doesn't, we add one for safety).\n */\n shouldFilter(toolName: string): boolean {\n for (const prefix of this.config.bypass_prefixes) {\n // Ensure prefix ends with \"/\" to enforce namespace boundaries\n const safePrefix = prefix.endsWith(\"/\") ? prefix : prefix + \"/\";\n if (toolName === safePrefix.slice(0, -1) || toolName.startsWith(safePrefix)) {\n return false;\n }\n }\n return true;\n }\n\n /**\n * Extract provider category from tool name.\n * Default: \"tool-api\". Override for specific patterns.\n */\n private extractProviderCategory(toolName: string): string {\n if (toolName.includes(\"inference\") || toolName.includes(\"llm\")) {\n return \"inference\";\n }\n if (toolName.includes(\"log\") || toolName.includes(\"telemetry\")) {\n return \"logging\";\n }\n if (toolName.includes(\"analytics\") || toolName.includes(\"metric\")) {\n return \"analytics\";\n }\n return \"tool-api\";\n }\n\n /**\n * Build filtered arguments from filter decisions.\n */\n private buildFilteredArgs(\n originalArgs: Record<string, unknown>,\n decisions: Array<{ field: string; action: string; hash_value?: string }>\n ): Record<string, unknown> {\n const filtered: Record<string, unknown> = {};\n\n for (const decision of decisions) {\n switch (decision.action) {\n case \"allow\":\n filtered[decision.field] = originalArgs[decision.field];\n break;\n case \"redact\":\n // Include field with redacted value\n filtered[decision.field] = \"[REDACTED]\";\n break;\n case \"hash\":\n filtered[decision.field] = decision.hash_value;\n break;\n case \"summarize\":\n filtered[decision.field] = originalArgs[decision.field];\n break;\n case \"deny\":\n // Field excluded — denied\n break;\n }\n }\n\n return filtered;\n }\n\n /**\n * Set the active policy ID.\n */\n setDefaultPolicy(policyId: string): void {\n this.config.default_policy_id = policyId;\n }\n\n /**\n * Get current enforcer status and stats.\n */\n getStatus(): EnforcerStatus {\n return {\n enabled: this.config.enabled,\n log_only: this.config.log_only,\n default_policy_id: this.config.default_policy_id ?? null,\n stats: { ...this.stats },\n };\n }\n\n /**\n * Toggle enforcer enabled state.\n */\n setEnabled(enabled: boolean): void {\n this.config.enabled = enabled;\n }\n\n /**\n * Toggle log_only mode.\n */\n setLogOnly(logOnly: boolean): void {\n this.config.log_only = logOnly;\n }\n\n /**\n * Reset stats counters.\n */\n resetStats(): void {\n this.stats = {\n calls_inspected: 0,\n calls_bypassed: 0,\n fields_redacted: 0,\n fields_hashed: 0,\n fields_blocked: 0,\n calls_blocked: 0,\n };\n }\n}\n\n/**\n * Export built-in patterns for testing and reference.\n */\nexport { BUILTIN_SENSITIVE_PATTERNS };\n","/**\n * Sanctuary MCP Server — L2 Context Gating Tools\n *\n * MCP tools for configuring and applying context-gating policies.\n * These tools let agents control what context flows to remote providers\n * (LLM APIs, tool APIs, logging services) during outbound calls.\n *\n * Tools:\n * - sanctuary/context_gate_set_policy — Define a context-gating policy\n * - sanctuary/context_gate_apply_template — Apply a starter template\n * - sanctuary/context_gate_filter — Filter context through a policy\n * - sanctuary/context_gate_recommend — Analyze context and recommend a policy\n * - sanctuary/context_gate_list_policies — List all context-gating policies\n *\n * All operations are audit-logged. Policies are encrypted at rest.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport type { AuditLog } from \"./audit-log.js\";\nimport type { StorageBackend } from \"../storage/interface.js\";\nimport {\n ContextGatePolicyStore,\n filterContext,\n MAX_POLICY_RULES,\n MAX_PATTERNS_PER_ARRAY,\n MAX_CONTEXT_FIELDS,\n type ContextGateRule,\n type ProviderCategory,\n} from \"./context-gate.js\";\nimport {\n TEMPLATES,\n listTemplateIds,\n getTemplate,\n} from \"./context-gate-templates.js\";\nimport { recommendPolicy } from \"./context-gate-recommend.js\";\nimport {\n ContextGateEnforcer,\n type EnforcerConfig,\n} from \"./context-gate-enforcer.js\";\n\n/**\n * Create the context-gating MCP tools.\n */\nexport function createContextGateTools(\n storage: StorageBackend,\n masterKey: Uint8Array,\n auditLog: AuditLog\n): {\n tools: ToolDefinition[];\n policyStore: ContextGatePolicyStore;\n enforcer: ContextGateEnforcer;\n} {\n const policyStore = new ContextGatePolicyStore(storage, masterKey);\n\n // Create the automatic enforcer\n const enforcerConfig: EnforcerConfig = {\n enabled: false, // Off by default; agents must explicitly enable it\n bypass_prefixes: [\"sanctuary/\"], // Skip internal tools by default\n log_only: false, // Filter immediately\n on_deny: \"block\", // Block requests with denied fields\n };\n const enforcer = new ContextGateEnforcer(policyStore, auditLog, enforcerConfig);\n\n const tools: ToolDefinition[] = [\n // ── Set Policy ──────────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_set_policy\",\n description:\n \"Create a context-gating policy that controls what information flows to \" +\n \"remote providers (LLM APIs, tool APIs, logging services). \" +\n \"Each rule specifies a provider category and which context fields to \" +\n \"allow, redact, hash, or flag for summarization. \" +\n \"Redact rules take absolute priority — if a field is in both 'allow' and \" +\n \"'redact', it is redacted. Default action applies to any field not \" +\n \"mentioned in any rule. \" +\n \"Use this to prevent your full agent context from being sent to remote \" +\n \"LLM providers during inference calls.\",\n inputSchema: {\n type: \"object\",\n properties: {\n policy_name: {\n type: \"string\",\n description:\n \"Human-readable name for this policy (e.g., 'inference-minimal', \" +\n \"'tool-api-strict')\",\n },\n rules: {\n type: \"array\",\n description:\n \"Array of rules. Each rule has: provider (inference|tool-api|logging|\" +\n \"analytics|peer-agent|custom|*), allow (fields to pass through), \" +\n \"redact (fields to remove — highest priority), hash (fields to \" +\n \"replace with SHA-256 hash), summarize (fields to flag for compression).\",\n items: {\n type: \"object\",\n properties: {\n provider: {\n type: \"string\",\n description:\n \"Provider category: inference, tool-api, logging, analytics, \" +\n \"peer-agent, custom, or * for all\",\n },\n allow: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to allow through (e.g., 'task_description', \" +\n \"'current_query', 'tool_*')\",\n },\n redact: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to redact (e.g., 'conversation_history', \" +\n \"'secret_*', '*_pii'). Takes absolute priority.\",\n },\n hash: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to replace with SHA-256 hash (e.g., 'user_id', \" +\n \"'session_id')\",\n },\n summarize: {\n type: \"array\",\n items: { type: \"string\" },\n description:\n \"Fields/patterns to flag for summarization (advisory — agent \" +\n \"should compress these before sending)\",\n },\n },\n required: [\"provider\", \"allow\", \"redact\"],\n },\n },\n default_action: {\n type: \"string\",\n enum: [\"redact\", \"deny\"],\n description:\n \"Action for fields not matched by any rule. 'redact' removes the \" +\n \"field value; 'deny' blocks the entire request. Default: 'redact'.\",\n },\n identity_id: {\n type: \"string\",\n description: \"Bind this policy to a specific identity (optional)\",\n },\n },\n required: [\"policy_name\", \"rules\"],\n },\n handler: async (args) => {\n const policyName = args.policy_name as string;\n const rawRules = args.rules as Array<Record<string, unknown>>;\n const defaultAction = (args.default_action as \"redact\" | \"deny\") ?? \"redact\";\n const identityId = args.identity_id as string | undefined;\n\n // Validate rule count\n if (!Array.isArray(rawRules)) {\n return toolResult({ error: \"invalid_rules\", message: \"rules must be an array\" });\n }\n if (rawRules.length > MAX_POLICY_RULES) {\n return toolResult({\n error: \"too_many_rules\",\n message: `Policy has ${rawRules.length} rules, exceeding limit of ${MAX_POLICY_RULES}`,\n });\n }\n\n // Validate and normalize rules\n const rules: ContextGateRule[] = [];\n for (const r of rawRules) {\n const allow = Array.isArray(r.allow) ? (r.allow as string[]) : [];\n const redact = Array.isArray(r.redact) ? (r.redact as string[]) : [];\n const hash = Array.isArray(r.hash) ? (r.hash as string[]) : [];\n const summarize = Array.isArray(r.summarize) ? (r.summarize as string[]) : [];\n\n for (const [name, arr] of [[\"allow\", allow], [\"redact\", redact], [\"hash\", hash], [\"summarize\", summarize]] as const) {\n if (arr.length > MAX_PATTERNS_PER_ARRAY) {\n return toolResult({\n error: \"too_many_patterns\",\n message: `Rule ${name} array has ${arr.length} patterns, exceeding limit of ${MAX_PATTERNS_PER_ARRAY}`,\n });\n }\n }\n\n rules.push({\n provider: (r.provider as ProviderCategory | \"*\") ?? \"*\",\n allow,\n redact,\n hash,\n summarize,\n });\n }\n\n const policy = await policyStore.create(\n policyName,\n rules,\n defaultAction,\n identityId\n );\n\n auditLog.append(\"l2\", \"context_gate_set_policy\", identityId ?? \"system\", {\n policy_id: policy.policy_id,\n policy_name: policyName,\n rule_count: rules.length,\n default_action: defaultAction,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n policy_name: policy.policy_name,\n rules: policy.rules,\n default_action: policy.default_action,\n created_at: policy.created_at,\n message:\n \"Context-gating policy created. Use sanctuary/context_gate_filter \" +\n \"to apply this policy before making outbound calls.\",\n });\n },\n },\n\n // ── Apply Template ───────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_apply_template\",\n description:\n \"Apply a starter context-gating template. Available templates: \" +\n \"inference-minimal (strictest — only task and query pass through), \" +\n \"inference-standard (balanced — adds tool results, summarizes history), \" +\n \"logging-strict (redacts all content for telemetry services), \" +\n \"tool-api-scoped (allows tool parameters, redacts agent state). \" +\n \"Templates are starting points — customize after applying.\",\n inputSchema: {\n type: \"object\",\n properties: {\n template_id: {\n type: \"string\",\n description:\n \"Template to apply: inference-minimal, inference-standard, \" +\n \"logging-strict, or tool-api-scoped\",\n },\n identity_id: {\n type: \"string\",\n description: \"Bind this policy to a specific identity (optional)\",\n },\n },\n required: [\"template_id\"],\n },\n handler: async (args) => {\n const templateId = args.template_id as string;\n const identityId = args.identity_id as string | undefined;\n\n const template = getTemplate(templateId);\n if (!template) {\n return toolResult({\n error: \"template_not_found\",\n message: `Unknown template \"${templateId}\"`,\n available_templates: listTemplateIds().map((id) => {\n const t = TEMPLATES[id]!;\n return { id, name: t.name, description: t.description };\n }),\n });\n }\n\n const policy = await policyStore.create(\n template.name,\n template.rules,\n template.default_action,\n identityId\n );\n\n auditLog.append(\"l2\", \"context_gate_apply_template\", identityId ?? \"system\", {\n policy_id: policy.policy_id,\n template_id: templateId,\n });\n\n return toolResult({\n policy_id: policy.policy_id,\n template_applied: templateId,\n policy_name: template.name,\n description: template.description,\n use_when: template.use_when,\n rules: policy.rules,\n default_action: policy.default_action,\n created_at: policy.created_at,\n message:\n \"Template applied. Use sanctuary/context_gate_filter with this \" +\n \"policy_id to filter context before outbound calls. \" +\n \"Customize rules with sanctuary/context_gate_set_policy if needed.\",\n });\n },\n },\n\n // ── Recommend Policy ────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_recommend\",\n description:\n \"Analyze a sample context object and recommend a context-gating \" +\n \"policy based on field name heuristics. Classifies each field as \" +\n \"allow, redact, hash, or summarize with confidence levels. \" +\n \"Returns a ready-to-apply rule set. When in doubt, recommends \" +\n \"redact (conservative). Review the recommendations before applying.\",\n inputSchema: {\n type: \"object\",\n properties: {\n context: {\n type: \"object\",\n description:\n \"A sample context object to analyze. Each top-level key \" +\n \"will be classified. Values are inspected for size warnings \" +\n \"but not stored.\",\n },\n provider: {\n type: \"string\",\n description:\n \"Provider category to generate rules for. Default: 'inference'.\",\n },\n },\n required: [\"context\"],\n },\n handler: async (args) => {\n const context = args.context as Record<string, unknown>;\n const provider = (args.provider as string) ?? \"inference\";\n\n // Validate context size\n const contextKeys = Object.keys(context);\n if (contextKeys.length > MAX_CONTEXT_FIELDS) {\n return toolResult({\n error: \"context_too_large\",\n message: `Context has ${contextKeys.length} fields, exceeding limit of ${MAX_CONTEXT_FIELDS}`,\n });\n }\n\n const recommendation = recommendPolicy(context, provider);\n\n auditLog.append(\"l2\", \"context_gate_recommend\", \"system\", {\n provider,\n fields_analyzed: recommendation.summary.total_fields,\n fields_allow: recommendation.summary.allow,\n fields_redact: recommendation.summary.redact,\n fields_hash: recommendation.summary.hash,\n fields_summarize: recommendation.summary.summarize,\n });\n\n return toolResult({\n ...recommendation,\n next_steps:\n \"Review the classifications above. If they look correct, you can \" +\n \"apply them directly with sanctuary/context_gate_set_policy using \" +\n \"the recommended_rules. Or start with a template via \" +\n \"sanctuary/context_gate_apply_template and customize from there.\",\n available_templates: listTemplateIds().map((id) => {\n const t = TEMPLATES[id]!;\n return { id, name: t.name, description: t.description };\n }),\n });\n },\n },\n\n // ── Filter Context ──────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_filter\",\n description:\n \"Filter agent context through a gating policy before sending to a \" +\n \"remote provider. Returns per-field decisions (allow, redact, hash, \" +\n \"summarize) and content hashes for the audit trail. \" +\n \"Call this BEFORE making any outbound API call to ensure you are only \" +\n \"sending the minimum necessary context. \" +\n \"The filtered output tells you exactly what can be sent safely.\",\n inputSchema: {\n type: \"object\",\n properties: {\n policy_id: {\n type: \"string\",\n description: \"ID of the context-gating policy to apply\",\n },\n provider: {\n type: \"string\",\n description:\n \"Provider category for this call: inference, tool-api, logging, \" +\n \"analytics, peer-agent, or custom\",\n },\n context: {\n type: \"object\",\n description:\n \"The context object to filter. Each top-level key is evaluated \" +\n \"against the policy. Example keys: task_description, \" +\n \"conversation_history, user_preferences, api_keys, memory, \" +\n \"internal_reasoning\",\n },\n },\n required: [\"policy_id\", \"provider\", \"context\"],\n },\n handler: async (args) => {\n const policyId = args.policy_id as string;\n const provider = args.provider as ProviderCategory | string;\n const context = args.context as Record<string, unknown>;\n\n // Validate context size\n const contextKeys = Object.keys(context);\n if (contextKeys.length > MAX_CONTEXT_FIELDS) {\n return toolResult({\n error: \"context_too_large\",\n message: `Context has ${contextKeys.length} fields, exceeding limit of ${MAX_CONTEXT_FIELDS}`,\n });\n }\n\n const policy = await policyStore.get(policyId);\n if (!policy) {\n return toolResult({\n error: \"policy_not_found\",\n message: `No context-gating policy found with ID \"${policyId}\"`,\n });\n }\n\n const result = filterContext(policy, provider, context);\n\n // Check for any denied fields — if so, the entire request should be blocked\n const deniedFields = result.decisions.filter((d) => d.action === \"deny\");\n if (deniedFields.length > 0) {\n auditLog.append(\"l2\", \"context_gate_deny\", policy.identity_id ?? \"system\", {\n policy_id: policyId,\n provider,\n denied_fields: deniedFields.map((d) => d.field),\n original_context_hash: result.original_context_hash,\n });\n\n return toolResult({\n blocked: true,\n reason: \"Context contains fields that trigger deny action\",\n denied_fields: deniedFields.map((d) => ({\n field: d.field,\n reason: d.reason,\n })),\n recommendation:\n \"Remove the denied fields from context before retrying, or \" +\n \"update the policy to handle these fields differently.\",\n });\n }\n\n // Build the filtered context that is safe to send\n const safeContext: Record<string, unknown> = {};\n for (const decision of result.decisions) {\n switch (decision.action) {\n case \"allow\":\n safeContext[decision.field] = context[decision.field];\n break;\n case \"redact\":\n // Field excluded from safe context\n break;\n case \"hash\":\n safeContext[decision.field] = decision.hash_value;\n break;\n case \"summarize\":\n // Include but mark for summarization\n safeContext[decision.field] = context[decision.field];\n break;\n }\n }\n\n auditLog.append(\"l2\", \"context_gate_filter\", policy.identity_id ?? \"system\", {\n policy_id: policyId,\n provider,\n fields_total: Object.keys(context).length,\n fields_allowed: result.fields_allowed,\n fields_redacted: result.fields_redacted,\n fields_hashed: result.fields_hashed,\n fields_summarized: result.fields_summarized,\n original_context_hash: result.original_context_hash,\n filtered_context_hash: result.filtered_context_hash,\n });\n\n return toolResult({\n blocked: false,\n safe_context: safeContext,\n summary: {\n total_fields: Object.keys(context).length,\n allowed: result.fields_allowed,\n redacted: result.fields_redacted,\n hashed: result.fields_hashed,\n summarized: result.fields_summarized,\n },\n decisions: result.decisions,\n audit: {\n original_context_hash: result.original_context_hash,\n filtered_context_hash: result.filtered_context_hash,\n filtered_at: result.filtered_at,\n },\n guidance:\n result.fields_summarized > 0\n ? \"Some fields are marked for summarization. Consider compressing \" +\n \"them before sending to reduce context size and information exposure.\"\n : undefined,\n });\n },\n },\n\n // ── List Policies ───────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_list_policies\",\n description:\n \"List all configured context-gating policies. Returns policy IDs, \" +\n \"names, rule summaries, and default actions.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const policies = await policyStore.list();\n\n auditLog.append(\"l2\", \"context_gate_list_policies\", \"system\", {\n policy_count: policies.length,\n });\n\n return toolResult({\n policies: policies.map((p) => ({\n policy_id: p.policy_id,\n policy_name: p.policy_name,\n rule_count: p.rules.length,\n providers: p.rules.map((r) => r.provider),\n default_action: p.default_action,\n identity_id: p.identity_id ?? null,\n created_at: p.created_at,\n updated_at: p.updated_at,\n })),\n count: policies.length,\n message:\n policies.length === 0\n ? \"No context-gating policies configured. Use \" +\n \"sanctuary/context_gate_set_policy to create one.\"\n : `${policies.length} context-gating ${policies.length === 1 ? \"policy\" : \"policies\"} configured.`,\n });\n },\n },\n\n // ── Enforcer Status ─────────────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_enforcer_status\",\n description:\n \"Get the status of the automatic context gate enforcer, including \" +\n \"enabled/disabled state, log_only mode, active policy, and statistics. \" +\n \"The enforcer automatically filters tool arguments when enabled. \" +\n \"Use this to monitor what the enforcer has been filtering.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const status = enforcer.getStatus();\n\n auditLog.append(\n \"l2\",\n \"context_gate_enforcer_status_query\",\n \"system\",\n {\n enabled: status.enabled,\n log_only: status.log_only,\n default_policy_id: status.default_policy_id,\n }\n );\n\n return toolResult({\n enforcer_status: status,\n description:\n \"The enforcer is \" +\n (status.enabled ? \"enabled\" : \"disabled\") +\n \". \" +\n (status.log_only\n ? \"Currently in log_only mode — filtering is logged but not applied.\"\n : \"Filtering is actively applied to tool arguments.\"),\n guidance:\n status.stats.calls_inspected > 0\n ? `Over ${status.stats.calls_inspected} tool calls, ` +\n `${status.stats.fields_redacted} sensitive fields were redacted. ` +\n `Use sanctuary/context_gate_enforcer_configure to adjust settings.`\n : \"No tool calls have been inspected yet.\",\n });\n },\n },\n\n // ── Enforcer Configuration ──────────────────────────────────────────\n {\n name: \"sanctuary/context_gate_enforcer_configure\",\n description:\n \"Configure the automatic context gate enforcer. Control whether it \" +\n \"filters tool arguments, toggle log_only mode for gradual rollout, \" +\n \"set the active policy, and choose what to do when denied fields are \" +\n \"encountered (block the request or redact the field). \" +\n \"Use this to enable automatic context protection.\",\n inputSchema: {\n type: \"object\",\n properties: {\n enabled: {\n type: \"boolean\",\n description:\n \"Enable or disable the automatic enforcer. When disabled, \" +\n \"no filtering occurs. Default: leave unchanged.\",\n },\n log_only: {\n type: \"boolean\",\n description:\n \"Enable log_only mode: filter decisions are logged but original \" +\n \"args are passed to handlers. Useful for monitoring before \" +\n \"enabling actual filtering. Default: leave unchanged.\",\n },\n default_policy_id: {\n type: \"string\",\n description:\n \"Set the default context-gating policy to use for filtering. \" +\n \"If not set, the enforcer uses built-in sensitive field patterns. \" +\n \"Default: leave unchanged.\",\n },\n on_deny: {\n type: \"string\",\n enum: [\"block\", \"redact\"],\n description:\n \"Action to take when a field triggers the deny action: \" +\n \"'block' returns an error and prevents the call, \" +\n \"'redact' replaces the denied field with [REDACTED] and continues. \" +\n \"Default: leave unchanged.\",\n },\n reset_stats: {\n type: \"boolean\",\n description:\n \"Reset the enforcer statistics counters to zero. Default: false.\",\n },\n },\n },\n handler: async (args) => {\n const changes: Record<string, unknown> = {};\n\n if (args.enabled !== undefined) {\n enforcer.setEnabled(args.enabled as boolean);\n changes.enabled = args.enabled;\n }\n\n if (args.log_only !== undefined) {\n enforcer.setLogOnly(args.log_only as boolean);\n changes.log_only = args.log_only;\n }\n\n if (args.default_policy_id !== undefined) {\n const policyId = args.default_policy_id as string;\n const policy = await policyStore.get(policyId);\n if (!policy) {\n return toolResult({\n error: \"policy_not_found\",\n message: `No context-gating policy found with ID \"${policyId}\"`,\n });\n }\n enforcer.setDefaultPolicy(policyId);\n changes.default_policy_id = policyId;\n }\n\n if (args.on_deny !== undefined) {\n const onDeny = args.on_deny as \"block\" | \"redact\";\n if (onDeny !== \"block\" && onDeny !== \"redact\") {\n return toolResult({\n error: \"invalid_on_deny\",\n message: \"on_deny must be 'block' or 'redact'\",\n });\n }\n enforcerConfig.on_deny = onDeny;\n changes.on_deny = onDeny;\n }\n\n if (args.reset_stats === true) {\n enforcer.resetStats();\n changes.reset_stats = true;\n }\n\n const newStatus = enforcer.getStatus();\n\n auditLog.append(\n \"l2\",\n \"context_gate_enforcer_configure\",\n \"system\",\n {\n changes,\n new_status: newStatus,\n }\n );\n\n return toolResult({\n configured: true,\n changes,\n new_status: newStatus,\n message:\n Object.keys(changes).length > 0\n ? \"Enforcer configuration updated.\"\n : \"No changes made (no configuration parameters provided).\",\n });\n },\n },\n ];\n\n return { tools, policyStore, enforcer };\n}\n","/**\n * Sanctuary MCP Server — L2 Operational Isolation: Process Hardening\n *\n * Provides process-level isolation verification without requiring hardware TEE.\n * Implements software-based L2 hardening checks including:\n * - Memory protection (ASLR, stack canaries, secure buffer handling)\n * - Process isolation verification (container, VM, sandbox detection)\n * - Runtime integrity monitoring\n * - Filesystem permission verification\n *\n * These checks allow agents running on machines without TEE to achieve\n * \"Hardened\" L2 status (between \"Degraded\" and \"Full\").\n */\n\nimport { execSync } from \"node:child_process\";\nimport { statSync } from \"node:fs\";\n\n// ── Memory Protection Status ───────────────────────────────────────\n\nexport interface MemoryProtectionStatus {\n aslr_enabled: boolean;\n stack_canaries: boolean;\n secure_buffer_zeros: boolean;\n argon2id_kdf: boolean;\n overall: \"full\" | \"partial\" | \"minimal\" | \"none\";\n}\n\n/**\n * Verify memory protection mechanisms are in place.\n */\nexport function checkMemoryProtection(): MemoryProtectionStatus {\n const checks = {\n aslr_enabled: checkASLR(),\n stack_canaries: true, // Enabled by default in Node.js runtime\n secure_buffer_zeros: true, // We use crypto.randomBytes and explicit zeroing\n argon2id_kdf: true, // Master key derivation uses Argon2id\n };\n\n const activeCount = Object.values(checks).filter((v) => v).length;\n const overall = activeCount >= 4 ? \"full\" : activeCount >= 3 ? \"partial\" : \"minimal\";\n\n return {\n ...checks,\n overall,\n };\n}\n\nfunction checkASLR(): boolean {\n if (process.platform === \"linux\") {\n try {\n const result = execSync(\"cat /proc/sys/kernel/randomize_va_space\", {\n encoding: \"utf-8\",\n stdio: [\"pipe\", \"pipe\", \"ignore\"],\n }).trim();\n return result === \"2\"; // 2 = full ASLR enabled\n } catch {\n return false;\n }\n }\n if (process.platform === \"darwin\") {\n // macOS enables ASLR by default for all processes; no direct check needed\n return true;\n }\n return false;\n}\n\n// ── Process Isolation Status ───────────────────────────────────────\n\nexport type IsolationLevel = \"full\" | \"hardened\" | \"basic\" | \"none\";\n\nexport interface ProcessIsolationStatus {\n isolation_level: IsolationLevel;\n is_container: boolean;\n is_vm: boolean;\n is_sandboxed: boolean;\n is_tee: boolean;\n details: {\n container_type?: string;\n vm_type?: string;\n sandbox_type?: string;\n };\n}\n\n/**\n * Verify process-level isolation through environment detection.\n *\n * Returns the isolation level:\n * - \"full\": Running in TEE (not available for software-only check)\n * - \"hardened\": Container or VM detected\n * - \"basic\": Sandboxed process (macOS sandbox, pledge on OpenBSD, etc.)\n * - \"none\": Regular user process\n */\nexport function checkProcessIsolation(): ProcessIsolationStatus {\n const isContainer = detectContainer();\n const isVM = detectVM();\n const isSandboxed = detectSandbox();\n\n let isolationLevel: IsolationLevel = \"none\";\n if (isContainer) isolationLevel = \"hardened\";\n else if (isVM) isolationLevel = \"hardened\";\n else if (isSandboxed) isolationLevel = \"basic\";\n\n const details: ProcessIsolationStatus[\"details\"] = {};\n if (isContainer && isContainer !== true) details.container_type = isContainer;\n if (isVM && isVM !== true) details.vm_type = isVM;\n if (isSandboxed && isSandboxed !== true) details.sandbox_type = isSandboxed;\n\n return {\n isolation_level: isolationLevel,\n is_container: isContainer !== false,\n is_vm: isVM !== false,\n is_sandboxed: isSandboxed !== false,\n is_tee: false,\n details,\n };\n}\n\nfunction detectContainer(): string | boolean {\n // Check for containerization markers\n try {\n // Docker\n if (process.env.DOCKER_HOST) return \"docker\";\n\n // Check /.dockerenv\n try {\n statSync(\"/.dockerenv\");\n return \"docker\";\n } catch {\n // Not a file\n }\n\n // Check /proc/1/cgroup for container references\n if (process.platform === \"linux\") {\n const cgroup = execSync(\"cat /proc/1/cgroup 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n });\n if (cgroup.includes(\"docker\")) return \"docker\";\n if (cgroup.includes(\"lxc\")) return \"lxc\";\n if (cgroup.includes(\"kubepods\") || cgroup.includes(\"kubernetes\")) return \"kubernetes\";\n }\n\n // Podman\n if (process.env.container === \"podman\") return \"podman\";\n\n // OCI container runtime indicators\n if (process.env.CONTAINER_ID) return \"oci\";\n\n return false;\n } catch {\n return false;\n }\n}\n\nfunction detectVM(): string | boolean {\n if (process.platform === \"linux\") {\n try {\n // Check for common hypervisor signatures\n const dmidecode = execSync(\"dmidecode -s system-product-name 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n }).toLowerCase();\n\n if (dmidecode.includes(\"vmware\")) return \"vmware\";\n if (dmidecode.includes(\"virtualbox\")) return \"virtualbox\";\n if (dmidecode.includes(\"kvm\")) return \"kvm\";\n if (dmidecode.includes(\"xen\")) return \"xen\";\n if (dmidecode.includes(\"hyper-v\")) return \"hyper-v\";\n\n // Check cpuinfo for virtualization\n const cpuinfo = execSync(\"grep -i hypervisor /proc/cpuinfo || echo ''\", {\n encoding: \"utf-8\",\n });\n if (cpuinfo.length > 0) return \"detected\";\n } catch {\n // dmidecode might not be available; not a failure\n }\n }\n\n if (process.platform === \"darwin\") {\n try {\n // Check for Parallels, VMware, VirtualBox on macOS\n const bootargs = execSync(\n \"nvram boot-args 2>/dev/null | grep -i 'parallels\\\\|vmware\\\\|virtualbox' || echo ''\",\n {\n encoding: \"utf-8\",\n }\n );\n if (bootargs.length > 0) return \"detected\";\n } catch {\n // nvram not accessible; skip\n }\n }\n\n return false;\n}\n\nfunction detectSandbox(): string | boolean {\n // macOS App Sandbox\n if (process.platform === \"darwin\") {\n if (process.env.APP_SANDBOX_READ_ONLY_HOME === \"1\") return \"app-sandbox\";\n if (process.env.TMPDIR && process.env.TMPDIR.includes(\"AppSandbox\")) return \"app-sandbox\";\n }\n\n // pledge(2) on OpenBSD (process restrictions)\n if (process.platform === \"openbsd\") {\n // No easy way to check pledge status from userspace\n // Assume if running on OpenBSD, pledge is a possibility\n try {\n const pledge = execSync(\"pledge -v 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n });\n if (pledge.length > 0) return \"pledge\";\n } catch {\n // pledge not available\n }\n }\n\n // SELinux/AppArmor contexts\n if (process.platform === \"linux\") {\n if (process.env.container === \"lxc\") return \"lxc\";\n try {\n const context = execSync(\"getenforce 2>/dev/null || echo ''\", {\n encoding: \"utf-8\",\n }).trim();\n if (context === \"Enforcing\") return \"selinux\";\n } catch {\n // SELinux not available\n }\n }\n\n return false;\n}\n\n// ── Filesystem Permission Verification ───────────────────────────\n\nexport interface FilesystemPermissionStatus {\n sanctuary_storage_protected: boolean;\n sanctuary_storage_mode: string;\n owner_is_current_user: boolean;\n group_readable: boolean;\n others_readable: boolean;\n overall: \"secure\" | \"warning\" | \"insecure\";\n}\n\n/**\n * Verify filesystem permissions on Sanctuary storage directory.\n * Expects storage to be mode 0o700 (rwx------)\n */\nexport function checkFilesystemPermissions(storagePath: string): FilesystemPermissionStatus {\n try {\n const stats = statSync(storagePath);\n\n // Extract permission bits\n const mode = stats.mode & parseInt(\"777\", 8);\n const modeString = mode.toString(8).padStart(3, \"0\");\n\n const isSecure = mode === parseInt(\"700\", 8); // rwx------\n const groupReadable = (mode & parseInt(\"040\", 8)) !== 0;\n const othersReadable = (mode & parseInt(\"007\", 8)) !== 0;\n const currentUid = process.getuid?.() || -1;\n const ownerIsCurrentUser = stats.uid === currentUid;\n\n let overall: \"secure\" | \"warning\" | \"insecure\" = \"secure\";\n if (groupReadable || othersReadable) overall = \"insecure\";\n else if (!ownerIsCurrentUser) overall = \"warning\";\n\n return {\n sanctuary_storage_protected: isSecure,\n sanctuary_storage_mode: modeString,\n owner_is_current_user: ownerIsCurrentUser,\n group_readable: groupReadable,\n others_readable: othersReadable,\n overall,\n };\n } catch {\n // If we can't stat the directory, report it as a warning\n return {\n sanctuary_storage_protected: false,\n sanctuary_storage_mode: \"unknown\",\n owner_is_current_user: false,\n group_readable: false,\n others_readable: false,\n overall: \"warning\",\n };\n }\n}\n\n// ── Runtime Integrity Monitoring ──────────────────────────────────\n\nexport interface RuntimeIntegrityStatus {\n config_hash_stable: boolean;\n environment_state: \"clean\" | \"modified\" | \"unknown\";\n discrepancies: string[];\n}\n\n/**\n * Monitor runtime integrity by checking for unexpected modifications.\n * Currently a stub that reports \"clean\" state.\n *\n * Future enhancement: hash config at startup, verify at runtime.\n */\nexport function checkRuntimeIntegrity(): RuntimeIntegrityStatus {\n return {\n config_hash_stable: true,\n environment_state: \"clean\",\n discrepancies: [],\n };\n}\n\n// ── Overall L2 Hardening Status ────────────────────────────────────\n\nexport interface L2HardeningStatus {\n hardening_level: IsolationLevel;\n memory_protection: MemoryProtectionStatus;\n process_isolation: ProcessIsolationStatus;\n filesystem_permissions: FilesystemPermissionStatus;\n runtime_integrity: RuntimeIntegrityStatus;\n checks_passed: number;\n checks_total: number;\n summary: string;\n}\n\n/**\n * Comprehensive L2 hardening assessment.\n * Combines all hardening checks into a single hardening level.\n */\nexport function assessL2Hardening(storagePath: string): L2HardeningStatus {\n const memory = checkMemoryProtection();\n const isolation = checkProcessIsolation();\n const filesystem = checkFilesystemPermissions(storagePath);\n const integrity = checkRuntimeIntegrity();\n\n // Count passed checks\n let checksPassed = 0;\n let checksTotal = 0;\n\n // Memory protection\n if (memory.aslr_enabled) checksPassed++;\n checksTotal++;\n if (memory.stack_canaries) checksPassed++;\n checksTotal++;\n if (memory.secure_buffer_zeros) checksPassed++;\n checksTotal++;\n if (memory.argon2id_kdf) checksPassed++;\n checksTotal++;\n\n // Process isolation\n if (isolation.is_container) checksPassed++;\n checksTotal++;\n if (isolation.is_vm) checksPassed++;\n checksTotal++;\n if (isolation.is_sandboxed) checksPassed++;\n checksTotal++;\n\n // Filesystem permissions\n if (filesystem.sanctuary_storage_protected) checksPassed++;\n checksTotal++;\n\n // Runtime integrity\n if (integrity.config_hash_stable && integrity.environment_state === \"clean\") {\n checksPassed++;\n }\n checksTotal++;\n\n // Determine overall hardening level\n let hardeningLevel: IsolationLevel = isolation.isolation_level;\n\n // If filesystem or memory protection is weak, degrade hardening level\n if (\n filesystem.overall === \"insecure\" ||\n memory.overall === \"none\" ||\n memory.overall === \"minimal\"\n ) {\n if (hardeningLevel === \"hardened\") {\n hardeningLevel = \"basic\";\n } else if (hardeningLevel === \"basic\") {\n hardeningLevel = \"none\";\n }\n }\n\n // Generate summary\n const summaryParts: string[] = [];\n if (isolation.is_container || isolation.is_vm) {\n summaryParts.push(`Running in ${isolation.details.container_type || isolation.details.vm_type || \"isolated environment\"}`);\n }\n if (memory.aslr_enabled) {\n summaryParts.push(\"ASLR enabled\");\n }\n if (filesystem.sanctuary_storage_protected) {\n summaryParts.push(\"Storage permissions secured (0700)\");\n }\n\n const summary =\n summaryParts.length > 0\n ? summaryParts.join(\"; \")\n : \"No process-level hardening detected\";\n\n return {\n hardening_level: hardeningLevel,\n memory_protection: memory,\n process_isolation: isolation,\n filesystem_permissions: filesystem,\n runtime_integrity: integrity,\n checks_passed: checksPassed,\n checks_total: checksTotal,\n summary,\n };\n}\n","/**\n * Sanctuary MCP Server — L2 Hardening Tools\n *\n * MCP tools for checking and verifying L2 operational isolation hardening.\n * These are Tier 3 tools — always allowed, read-only status checks.\n */\n\nimport type { ToolDefinition } from \"../router.js\";\nimport { toolResult } from \"../router.js\";\nimport { assessL2Hardening } from \"./hardening.js\";\nimport type { AuditLog } from \"./audit-log.js\";\n\nexport function createL2HardeningTools(\n storagePath: string,\n auditLog: AuditLog\n): ToolDefinition[] {\n return [\n {\n name: \"sanctuary/l2_hardening_status\",\n description:\n \"L2 Process Hardening Status — Verify software-based operational isolation. \" +\n \"Reports memory protection, process isolation level, filesystem permissions, \" +\n \"and overall hardening assessment. Read-only. Tier 3 — always allowed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_details: {\n type: \"boolean\",\n description:\n \"If true, include detailed check results for memory, process, and filesystem. \" +\n \"If false, show summary only.\",\n default: false,\n },\n },\n },\n handler: async (args) => {\n const includeDetails = (args.include_details as boolean) ?? false;\n const status = assessL2Hardening(storagePath);\n\n auditLog.append(\n \"l2\",\n \"l2_hardening_status\",\n \"system\",\n { include_details: includeDetails }\n );\n\n if (includeDetails) {\n return toolResult({\n hardening_level: status.hardening_level,\n summary: status.summary,\n checks_passed: status.checks_passed,\n checks_total: status.checks_total,\n memory_protection: {\n aslr_enabled: status.memory_protection.aslr_enabled,\n stack_canaries: status.memory_protection.stack_canaries,\n secure_buffer_zeros: status.memory_protection.secure_buffer_zeros,\n argon2id_kdf: status.memory_protection.argon2id_kdf,\n overall: status.memory_protection.overall,\n },\n process_isolation: {\n isolation_level: status.process_isolation.isolation_level,\n is_container: status.process_isolation.is_container,\n is_vm: status.process_isolation.is_vm,\n is_sandboxed: status.process_isolation.is_sandboxed,\n is_tee: status.process_isolation.is_tee,\n details: status.process_isolation.details,\n },\n filesystem_permissions: {\n sanctuary_storage_protected:\n status.filesystem_permissions.sanctuary_storage_protected,\n sanctuary_storage_mode: status.filesystem_permissions.sanctuary_storage_mode,\n owner_is_current_user: status.filesystem_permissions.owner_is_current_user,\n group_readable: status.filesystem_permissions.group_readable,\n others_readable: status.filesystem_permissions.others_readable,\n overall: status.filesystem_permissions.overall,\n },\n runtime_integrity: {\n config_hash_stable: status.runtime_integrity.config_hash_stable,\n environment_state: status.runtime_integrity.environment_state,\n discrepancies: status.runtime_integrity.discrepancies,\n },\n });\n } else {\n return toolResult({\n hardening_level: status.hardening_level,\n summary: status.summary,\n checks_passed: status.checks_passed,\n checks_total: status.checks_total,\n note:\n \"Pass include_details: true to see full breakdown of memory, \" +\n \"process isolation, and filesystem checks.\",\n });\n }\n },\n },\n\n {\n name: \"sanctuary/l2_verify_isolation\",\n description:\n \"Verify L2 process isolation at runtime. Checks whether the Sanctuary server \" +\n \"is running in an isolated environment (container, VM, sandbox) and validates \" +\n \"filesystem and memory protections. Reports isolation level and any issues. \" +\n \"Read-only. Tier 3 — always allowed.\",\n inputSchema: {\n type: \"object\",\n properties: {\n check_filesystem: {\n type: \"boolean\",\n description:\n \"If true, verify Sanctuary storage directory permissions.\",\n default: true,\n },\n check_memory: {\n type: \"boolean\",\n description:\n \"If true, verify memory protection mechanisms (ASLR, etc.).\",\n default: true,\n },\n check_process: {\n type: \"boolean\",\n description:\n \"If true, detect container, VM, or sandbox environment.\",\n default: true,\n },\n },\n },\n handler: async (args) => {\n const checkFilesystem = (args.check_filesystem as boolean) ?? true;\n const checkMemory = (args.check_memory as boolean) ?? true;\n const checkProcess = (args.check_process as boolean) ?? true;\n\n const status = assessL2Hardening(storagePath);\n\n auditLog.append(\n \"l2\",\n \"l2_verify_isolation\",\n \"system\",\n {\n check_filesystem: checkFilesystem,\n check_memory: checkMemory,\n check_process: checkProcess,\n }\n );\n\n const results: Record<string, unknown> = {\n isolation_level: status.hardening_level,\n timestamp: new Date().toISOString(),\n };\n\n if (checkFilesystem) {\n const fs = status.filesystem_permissions;\n results.filesystem = {\n sanctuary_storage_protected: fs.sanctuary_storage_protected,\n storage_mode: fs.sanctuary_storage_mode,\n is_secure: fs.overall === \"secure\",\n issues:\n fs.overall === \"insecure\"\n ? [\n \"Storage directory is readable by group or others. \" +\n \"Recommend: chmod 700 on Sanctuary storage path.\",\n ]\n : fs.overall === \"warning\"\n ? [\n \"Storage directory not owned by current user. \" +\n \"Verify correct user is running Sanctuary.\",\n ]\n : [],\n };\n }\n\n if (checkMemory) {\n const mem = status.memory_protection;\n const issues: string[] = [];\n if (!mem.aslr_enabled) {\n issues.push(\n \"ASLR not detected. On Linux, enable with: \" +\n \"echo 2 | sudo tee /proc/sys/kernel/randomize_va_space\"\n );\n }\n results.memory = {\n aslr_enabled: mem.aslr_enabled,\n stack_canaries: mem.stack_canaries,\n secure_buffer_handling: mem.secure_buffer_zeros,\n argon2id_key_derivation: mem.argon2id_kdf,\n protection_level: mem.overall,\n issues,\n };\n }\n\n if (checkProcess) {\n const iso = status.process_isolation;\n results.process = {\n isolation_level: iso.isolation_level,\n in_container: iso.is_container,\n in_vm: iso.is_vm,\n sandboxed: iso.is_sandboxed,\n has_tee: iso.is_tee,\n environment: iso.details,\n recommendation:\n iso.isolation_level === \"none\"\n ? \"Consider running Sanctuary in a container or VM for improved isolation.\"\n : iso.isolation_level === \"basic\"\n ? \"Basic isolation detected. Container or VM would provide stronger guarantees.\"\n : \"Running in isolated environment — process-level isolation is strong.\",\n };\n }\n\n return toolResult({\n status: \"verified\",\n results,\n });\n },\n },\n ];\n}\n","/**\n * Sanctuary MCP Server — Main Entry Point\n *\n * Initializes and exports the Sanctuary MCP server.\n * Wires together: config → storage → crypto core → L1-L4 tools → MCP server\n */\n\nimport { mkdir } from \"node:fs/promises\";\nimport { loadConfig, saveConfig, type SanctuaryConfig } from \"./config.js\";\nimport { FilesystemStorage } from \"./storage/filesystem.js\";\nimport type { StorageBackend } from \"./storage/interface.js\";\nimport { StateStore } from \"./l1-cognitive/state-store.js\";\nimport { createL1Tools } from \"./l1-cognitive/tools.js\";\nimport { AuditLog } from \"./l2-operational/audit-log.js\";\nimport { createL3Tools } from \"./l3-disclosure/tools.js\";\nimport { createL4Tools } from \"./l4-reputation/tools.js\";\nimport { loadPrincipalPolicy } from \"./principal-policy/loader.js\";\nimport { BaselineTracker } from \"./principal-policy/baseline.js\";\nimport { StderrApprovalChannel } from \"./principal-policy/approval-channel.js\";\nimport { DashboardApprovalChannel } from \"./principal-policy/dashboard.js\";\nimport { WebhookApprovalChannel } from \"./principal-policy/webhook.js\";\nimport { ApprovalGate } from \"./principal-policy/gate.js\";\nimport { createPrincipalPolicyTools } from \"./principal-policy/tools.js\";\nimport { createServer, type ToolDefinition } from \"./router.js\";\nimport { toolResult } from \"./router.js\";\nimport { createSHRTools } from \"./shr/tools.js\";\nimport { createHandshakeTools } from \"./handshake/tools.js\";\nimport { createFederationTools } from \"./federation/tools.js\";\nimport { createBridgeTools } from \"./bridge/tools.js\";\nimport { createAuditTools } from \"./audit/tools.js\";\nimport { createContextGateTools } from \"./l2-operational/context-gate-tools.js\";\nimport { createL2HardeningTools } from \"./l2-operational/hardening-tools.js\";\nimport { InjectionDetector } from \"./security/injection-detector.js\";\nimport { deriveMasterKey, type KeyDerivationParams } from \"./core/key-derivation.js\";\nimport { generateRandomKey } from \"./core/random.js\";\nimport { toBase64url } from \"./core/encoding.js\";\n\nimport type { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\n\nexport interface SanctuaryServer {\n server: Server;\n config: SanctuaryConfig;\n}\n\n/**\n * Initialize the Sanctuary MCP Server.\n *\n * @param options - Configuration overrides and initialization options\n * @returns The configured MCP server, ready to connect to a transport\n */\nexport async function createSanctuaryServer(options?: {\n configPath?: string;\n passphrase?: string;\n storage?: StorageBackend;\n}): Promise<SanctuaryServer> {\n // 1. Load configuration\n const config = await loadConfig(options?.configPath);\n\n // 2. Ensure storage directory exists\n await mkdir(config.storage_path, { recursive: true, mode: 0o700 });\n\n // 3. Initialize storage backend\n const storage = options?.storage ?? new FilesystemStorage(\n `${config.storage_path}/state`\n );\n\n // 4. Derive or generate master key\n let masterKey: Uint8Array;\n let keyProtection: \"passphrase\" | \"hardware-key\" | \"recovery-key\";\n let recoveryKey: string | undefined;\n\n const passphrase = options?.passphrase ?? process.env.SANCTUARY_PASSPHRASE;\n\n if (passphrase) {\n // Passphrase path: derive master key via Argon2id\n keyProtection = \"passphrase\";\n\n // Check for existing derivation params\n let existingParams: KeyDerivationParams | undefined;\n try {\n const raw = await storage.read(\"_meta\", \"key-params\");\n if (raw) {\n const { bytesToString } = await import(\"./core/encoding.js\");\n existingParams = JSON.parse(bytesToString(raw));\n }\n } catch {\n // No existing params — first run\n }\n\n const result = await deriveMasterKey(passphrase, existingParams);\n masterKey = result.key;\n\n // Store derivation params (not the key!) for re-derivation\n if (!existingParams) {\n const { stringToBytes } = await import(\"./core/encoding.js\");\n await storage.write(\n \"_meta\",\n \"key-params\",\n stringToBytes(JSON.stringify(result.params))\n );\n }\n } else {\n // Recovery key path\n keyProtection = \"recovery-key\";\n\n const { hashToString } = await import(\"./core/hashing.js\");\n const { stringToBytes, bytesToString } = await import(\"./core/encoding.js\");\n const { fromBase64url } = await import(\"./core/encoding.js\");\n const { constantTimeEqual } = await import(\"./core/encoding.js\");\n\n // Check if we already have a stored recovery key hash (existing installation)\n const existingHash = await storage.read(\"_meta\", \"recovery-key-hash\");\n if (existingHash) {\n // Existing installation — require the recovery key to proceed\n const envRecoveryKey = process.env.SANCTUARY_RECOVERY_KEY;\n if (!envRecoveryKey) {\n throw new Error(\n \"Sanctuary: Existing encrypted data found but no credentials provided.\\n\" +\n \"This installation was previously set up with a recovery key.\\n\\n\" +\n \"To start the server, provide one of:\\n\" +\n \" - SANCTUARY_PASSPHRASE (if you later configured a passphrase)\\n\" +\n \" - SANCTUARY_RECOVERY_KEY (the recovery key shown at first run)\\n\\n\" +\n \"Without the correct credentials, encrypted state cannot be accessed.\\n\" +\n \"Refusing to start to prevent silent data loss.\"\n );\n }\n\n // Decode and verify the recovery key against the stored hash\n let recoveryKeyBytes: Uint8Array;\n try {\n recoveryKeyBytes = fromBase64url(envRecoveryKey);\n } catch {\n throw new Error(\n \"Sanctuary: SANCTUARY_RECOVERY_KEY is not valid base64url. \" +\n \"The recovery key should be the exact string shown at first run.\"\n );\n }\n\n if (recoveryKeyBytes.length !== 32) {\n throw new Error(\n \"Sanctuary: SANCTUARY_RECOVERY_KEY has incorrect length. \" +\n \"The recovery key should be the exact string shown at first run.\"\n );\n }\n\n const providedHash = hashToString(recoveryKeyBytes);\n const storedHash = bytesToString(existingHash);\n\n // Constant-time comparison to prevent timing attacks on the hash\n const providedHashBytes = stringToBytes(providedHash);\n const storedHashBytes = stringToBytes(storedHash);\n if (!constantTimeEqual(providedHashBytes, storedHashBytes)) {\n throw new Error(\n \"Sanctuary: Recovery key does not match the stored key hash.\\n\" +\n \"The recovery key provided via SANCTUARY_RECOVERY_KEY is incorrect.\\n\" +\n \"Use the exact recovery key that was displayed at first run.\"\n );\n }\n\n // Recovery key verified — use it as the master key\n masterKey = recoveryKeyBytes;\n // Do NOT set recoveryKey — this is not a first run, no banner should display\n } else {\n // First run — but check for orphaned encrypted data as a safety net\n const existingNamespaces = await storage.list(\"_meta\");\n const hasKeyParams = existingNamespaces.some(e => e.key === \"key-params\");\n if (hasKeyParams) {\n throw new Error(\n \"Sanctuary: Found existing key derivation parameters but no recovery key hash.\\n\" +\n \"This indicates a corrupted or incomplete installation.\\n\" +\n \"If you previously used a passphrase, set SANCTUARY_PASSPHRASE to start.\"\n );\n }\n\n // Genuine first run: generate random master key and store its hash\n masterKey = generateRandomKey();\n recoveryKey = toBase64url(masterKey);\n\n const keyHash = hashToString(masterKey);\n await storage.write(\n \"_meta\",\n \"recovery-key-hash\",\n stringToBytes(keyHash)\n );\n }\n }\n\n // 5. Initialize audit log\n const auditLog = new AuditLog(storage, masterKey);\n\n // 6. Initialize state store\n const stateStore = new StateStore(storage, masterKey);\n\n // 7. Create L1 tools\n const { tools: l1Tools, identityManager } = createL1Tools(\n stateStore,\n storage,\n masterKey,\n keyProtection,\n auditLog\n );\n\n // 8. Load existing identities\n await identityManager.load();\n\n // 9. Create L2 monitoring tools\n const l2Tools: ToolDefinition[] = [\n {\n name: \"sanctuary/exec_attest\",\n description:\n \"Generate an attestation of the current execution environment, \" +\n \"including sovereignty assessment and degradation report.\",\n inputSchema: {\n type: \"object\",\n properties: {\n include_hardware: { type: \"boolean\", default: true },\n include_software: { type: \"boolean\", default: true },\n include_network: { type: \"boolean\", default: true },\n },\n },\n handler: async () => {\n const degradations: string[] = [];\n\n // L2 is self-reported in MVS\n degradations.push(\n \"L2 isolation is process-level only; no TEE available\"\n );\n\n // L3: Schnorr proofs + Pedersen commitments + range proofs are genuine ZK.\n // No L3 degradation — selective disclosure is fully operational.\n\n return toolResult({\n attestation: {\n environment_type: config.execution.environment,\n hardware: {\n cpu_vendor: process.arch,\n tee_available: false,\n tee_type: undefined,\n },\n software: {\n os: `${process.platform}-${process.arch}`,\n runtime: `node-${process.version}`,\n sanctuary_version: config.version,\n mcp_sdk_version: \"1.26.0\",\n },\n network: {\n internet_accessible: true, // Conservative assumption\n listening_ports: [],\n egress_restricted: false,\n },\n isolation_level: \"process\",\n sovereignty_assessment: {\n l1_state_encrypted: true,\n l2_execution_isolated: false,\n l2_isolation_type: \"process-level\",\n l3_proofs_available: true,\n l4_reputation_active: true,\n overall_level: \"mvs\",\n degradations,\n },\n },\n attested_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/monitor_health\",\n description:\n \"Sanctuary Health Report (SHR) — standardized sovereignty status.\",\n inputSchema: { type: \"object\", properties: {} },\n handler: async () => {\n const storageSizeBytes = await storage.totalSize();\n const degradations: Array<{\n layer: string;\n description: string;\n severity: string;\n mitigation: string;\n }> = [];\n\n degradations.push({\n layer: \"l2\",\n description: \"Process-level isolation only (no TEE)\",\n severity: \"warning\",\n mitigation: \"TEE support planned for a future release\",\n });\n\n // L3: No degradation. Schnorr + Pedersen + range proofs are genuine ZK.\n\n return toolResult({\n status: degradations.some((d) => d.severity === \"critical\")\n ? \"compromised\"\n : degradations.some((d) => d.severity === \"warning\")\n ? \"degraded\"\n : \"healthy\",\n storage_bytes: storageSizeBytes,\n layers: {\n l1: {\n status: \"active\",\n encryption_algorithm: \"aes-256-gcm\",\n key_count: identityManager.list().length,\n state_integrity: \"verified\",\n last_integrity_check: new Date().toISOString(),\n },\n l2: {\n status: \"degraded\",\n isolation_type: \"process-level\",\n attestation_available: true,\n last_attestation: new Date().toISOString(),\n },\n l3: {\n status: \"active\",\n proof_system: config.disclosure.proof_system,\n circuits_loaded: 0,\n proofs_generated_total: 0,\n },\n l4: {\n status: \"active\",\n mode: config.reputation.mode,\n interaction_count: 0, // TODO: track from reputation store\n reputation_exportable: true,\n },\n },\n degradations,\n checked_at: new Date().toISOString(),\n });\n },\n },\n\n {\n name: \"sanctuary/monitor_audit_log\",\n description: \"Query the sovereignty audit log.\",\n inputSchema: {\n type: \"object\",\n properties: {\n since: { type: \"string\", description: \"ISO 8601 timestamp\" },\n layer: {\n type: \"string\",\n enum: [\"l1\", \"l2\", \"l3\", \"l4\"],\n },\n operation_type: { type: \"string\" },\n limit: { type: \"number\", default: 50 },\n },\n },\n handler: async (args) => {\n const result = await auditLog.query({\n since: args.since as string | undefined,\n layer: args.layer as \"l1\" | \"l2\" | \"l3\" | \"l4\" | undefined,\n operation_type: args.operation_type as string | undefined,\n limit: (args.limit as number) ?? 50,\n });\n return toolResult(result);\n },\n },\n ];\n\n // 10. Create SIM manifest tool\n const manifestTool: ToolDefinition = {\n name: \"sanctuary/manifest\",\n description:\n \"Generate the Sanctuary Interface Manifest (SIM) — \" +\n \"a machine-readable declaration of this server's capabilities.\",\n inputSchema: { type: \"object\", properties: {} },\n handler: async () => {\n return toolResult({\n sanctuary_version: \"0.2\",\n implementation: {\n name: \"@sanctuary-framework/mcp-server\",\n version: config.version,\n language: \"typescript\",\n license: \"Apache-2.0\",\n },\n layers: {\n l1: {\n implemented: true,\n interfaces: [\"StateStore\", \"IdentityRoot\"],\n encryption: [\"aes-256-gcm\"],\n identity: [\"ed25519\"],\n properties: {\n \"S1.1_participant_held_keys\": \"full\",\n \"S1.2_encryption_at_rest\": \"full\",\n \"S1.3_integrity_verification\": \"full\",\n \"S1.4_selective_state_sharing\": \"full\",\n \"S1.5_state_portability\": \"full\",\n \"S1.6_deletion_rights\": \"full\",\n \"S1.7_identity_anchoring\": \"partial\",\n },\n },\n l2: {\n implemented: true,\n interfaces: [\"ExecutionEnvironment\", \"RuntimeMonitor\"],\n isolation_types: [config.execution.environment],\n properties: {\n \"S2.1_execution_confidentiality\": \"documented\",\n \"S2.2_verifiable_execution\": \"self-reported\",\n \"S2.5_attestation\": \"self-reported\",\n },\n },\n l3: {\n implemented: true,\n interfaces: [\"ProofEngine\", \"DisclosurePolicy\"],\n proof_systems: [config.disclosure.proof_system],\n properties: {\n \"S3.1_minimum_disclosure\": \"policy-based\",\n \"S3.3_proof_without_revelation\": \"commitment\",\n },\n },\n l4: {\n implemented: true,\n interfaces: [\"ReputationStore\", \"TrustBootstrap\"],\n modes: [config.reputation.mode],\n properties: {\n \"S4.1_earned_reputation\": \"full\",\n \"S4.2_participant_owned\": \"full\",\n \"S4.5_sybil_resistance\": \"basic\",\n \"S4.7_trust_bootstrapping\": \"full\",\n },\n },\n },\n composition: {\n sim_version: \"1.0\",\n spf_supported: false,\n shr_supported: true,\n delegation_depth: 1,\n },\n limitations: [\n \"L1 identity uses ed25519 only; KERI support planned for v0.2.0\",\n \"L2 isolation is process-level only; TEE support planned for a future release\",\n \"L3 uses commitment schemes only; ZK proofs planned for v0.2.0\",\n \"L4 Sybil resistance is escrow-based only\",\n \"Spec license: CC-BY-4.0 | Code license: Apache-2.0\",\n ],\n });\n },\n };\n\n // 11. Create L3 tools\n const { tools: l3Tools } = createL3Tools(storage, masterKey, auditLog);\n\n // 12. Create SHR tools (machine-readable sovereignty health report)\n const { tools: shrTools } = createSHRTools(\n config,\n identityManager,\n masterKey,\n auditLog\n );\n\n // 13. Create Handshake tools (sovereignty handshake protocol)\n // Must be created before L4 so handshakeResults can feed tier resolution\n const { tools: handshakeTools, handshakeResults } = createHandshakeTools(\n config,\n identityManager,\n masterKey,\n auditLog\n );\n\n // 14. Create L4 tools (reputation with sovereignty-gated tiers)\n const { tools: l4Tools, reputationStore: _reputationStore } = createL4Tools(\n storage,\n masterKey,\n identityManager,\n auditLog,\n handshakeResults\n );\n\n // 14b. Create Federation tools (MCP-to-MCP)\n const { tools: federationTools } = createFederationTools(\n auditLog,\n handshakeResults\n );\n\n // 14c. Create Bridge tools (Concordia integration)\n const { tools: bridgeTools } = createBridgeTools(\n storage,\n masterKey,\n identityManager,\n auditLog,\n handshakeResults\n );\n\n // 14d. Create Sovereignty Audit tools (read-only diagnostic)\n const { tools: auditTools } = createAuditTools(config);\n\n // 14e. Create Context Gating tools (L2 outbound context control)\n const { tools: contextGateTools, enforcer: contextGateEnforcer } =\n createContextGateTools(storage, masterKey, auditLog);\n\n // 14f. Create L2 Process Hardening tools\n const hardeningTools = createL2HardeningTools(config.storage_path, auditLog);\n\n // 15. Load Principal Policy and create approval gate\n const policy = await loadPrincipalPolicy(config.storage_path);\n const baseline = new BaselineTracker(storage, masterKey);\n await baseline.load();\n\n // Choose approval channel: dashboard (web UI), webhook (external), or stderr (auto-deny)\n let approvalChannel: StderrApprovalChannel | DashboardApprovalChannel | WebhookApprovalChannel;\n let dashboard: DashboardApprovalChannel | undefined;\n\n if (config.dashboard.enabled) {\n // Resolve auth token: \"auto\" generates a random 32-byte hex token\n let authToken = config.dashboard.auth_token;\n if (authToken === \"auto\") {\n const { randomBytes: rb } = await import(\"node:crypto\");\n authToken = rb(32).toString(\"hex\");\n }\n\n dashboard = new DashboardApprovalChannel({\n port: config.dashboard.port,\n host: config.dashboard.host,\n timeout_seconds: policy.approval_channel.timeout_seconds,\n // SEC-002: auto_deny removed — timeout always denies\n auth_token: authToken,\n tls: config.dashboard.tls,\n auto_open: config.dashboard.auto_open,\n });\n dashboard.setDependencies({ policy, baseline, auditLog });\n await dashboard.start();\n approvalChannel = dashboard;\n } else if (config.webhook.enabled && config.webhook.url && config.webhook.secret) {\n const webhook = new WebhookApprovalChannel({\n webhook_url: config.webhook.url,\n webhook_secret: config.webhook.secret,\n callback_port: config.webhook.callback_port,\n callback_host: config.webhook.callback_host,\n timeout_seconds: policy.approval_channel.timeout_seconds,\n // SEC-002: auto_deny removed — timeout always denies\n });\n await webhook.start();\n approvalChannel = webhook;\n } else {\n approvalChannel = new StderrApprovalChannel(policy.approval_channel);\n }\n\n // 15b. Create injection detector\n const injectionDetector = new InjectionDetector({\n enabled: true,\n sensitivity: \"medium\",\n on_detection: \"escalate\",\n });\n\n // Wire injection alerts to dashboard SSE if dashboard is active\n const onInjectionAlert = dashboard\n ? (alert: { toolName: string; result: import(\"./security/injection-detector.js\").DetectionResult; timestamp: string }) => {\n dashboard!.broadcastSSE(\"injection-alert\", {\n tool: alert.toolName,\n confidence: alert.result.confidence,\n signals: alert.result.signals.map(s => ({\n type: s.type,\n location: s.location,\n severity: s.severity,\n })),\n recommendation: alert.result.recommendation,\n timestamp: alert.timestamp,\n });\n }\n : undefined;\n\n const gate = new ApprovalGate(policy, baseline, approvalChannel, auditLog, injectionDetector, onInjectionAlert);\n\n // 16. Create Principal Policy tools (read-only)\n const policyTools = createPrincipalPolicyTools(policy, baseline, auditLog);\n\n // 16b. Dashboard open tool — generates a pre-authenticated URL\n const dashboardTools: ToolDefinition[] = [];\n if (dashboard) {\n dashboardTools.push({\n name: \"sanctuary/dashboard_open\",\n description:\n \"Generate a one-click URL to open the Principal Dashboard in a browser. \" +\n \"Returns a pre-authenticated link — no manual token entry needed.\",\n inputSchema: {\n type: \"object\",\n properties: {},\n },\n handler: async () => {\n const url = dashboard!.createSessionUrl();\n return {\n content: [\n {\n type: \"text\" as const,\n text: JSON.stringify({\n dashboard_url: url,\n base_url: dashboard!.getBaseUrl(),\n note: \"Click the dashboard_url to open the Principal Dashboard. The session is pre-authenticated.\",\n }, null, 2),\n },\n ],\n };\n },\n });\n }\n\n // 17. Assemble all tools\n let allTools: ToolDefinition[] = [\n ...l1Tools,\n ...l2Tools,\n ...l3Tools,\n ...l4Tools,\n ...policyTools,\n ...shrTools,\n ...handshakeTools,\n ...federationTools,\n ...bridgeTools,\n ...auditTools,\n ...contextGateTools,\n ...hardeningTools,\n ...dashboardTools,\n manifestTool,\n ];\n\n // 17a. Wrap all tool handlers with context gate enforcer\n allTools = allTools.map((tool) => ({\n ...tool,\n handler: contextGateEnforcer.wrapHandler(tool.name, tool.handler),\n }));\n\n // 18. Create MCP server with approval gate\n const server = createServer(allTools, { gate });\n\n // 19. Save config if this is first run\n await saveConfig(config);\n\n // 20. Register baseline save on process exit\n const saveBaseline = () => {\n baseline.save().catch(() => {});\n };\n process.on(\"SIGINT\", saveBaseline);\n process.on(\"SIGTERM\", saveBaseline);\n\n // 21. Log the recovery key if generated (shown once, never again)\n if (recoveryKey) {\n console.error(\n \"╔══════════════════════════════════════════════════════════╗\\n\" +\n \"║ SANCTUARY: First Run — Recovery Key Generated ║\\n\" +\n \"║ ║\\n\" +\n `║ Recovery Key: ${recoveryKey.slice(0, 20)}... ║\\n` +\n \"║ ║\\n\" +\n \"║ SAVE THIS KEY. It will not be shown again. ║\\n\" +\n \"║ Without it, your encrypted state is unrecoverable. ║\\n\" +\n \"╚══════════════════════════════════════════════════════════╝\"\n );\n }\n\n return { server, config };\n}\n\nexport { loadConfig, type SanctuaryConfig } from \"./config.js\";\nexport { StateStore } from \"./l1-cognitive/state-store.js\";\nexport { AuditLog } from \"./l2-operational/audit-log.js\";\nexport { CommitmentStore } from \"./l3-disclosure/commitments.js\";\nexport {\n createPedersenCommitment,\n verifyPedersenCommitment,\n createProofOfKnowledge,\n verifyProofOfKnowledge,\n createRangeProof,\n verifyRangeProof,\n} from \"./l3-disclosure/zk-proofs.js\";\nexport type {\n PedersenCommitment,\n ZKProofOfKnowledge,\n ZKRangeProof,\n} from \"./l3-disclosure/zk-proofs.js\";\nexport { PolicyStore } from \"./l3-disclosure/policies.js\";\nexport { ReputationStore } from \"./l4-reputation/reputation-store.js\";\nexport {\n resolveTier,\n computeWeightedScore,\n tierDistribution,\n TIER_WEIGHTS,\n} from \"./l4-reputation/tiers.js\";\nexport type { SovereigntyTier, TierMetadata, TieredAttestation } from \"./l4-reputation/tiers.js\";\nexport { FederationRegistry } from \"./federation/registry.js\";\nexport type {\n FederationPeer,\n FederationCapabilities,\n PeerTrustEvaluation,\n} from \"./federation/types.js\";\nexport { ContextGatePolicyStore } from \"./l2-operational/context-gate.js\";\nexport {\n TEMPLATES as CONTEXT_GATE_TEMPLATES,\n getTemplate,\n listTemplateIds,\n} from \"./l2-operational/context-gate-templates.js\";\nexport type { ContextGateTemplate } from \"./l2-operational/context-gate-templates.js\";\nexport {\n classifyField,\n recommendPolicy,\n} from \"./l2-operational/context-gate-recommend.js\";\nexport type {\n FieldClassification,\n PolicyRecommendation,\n} from \"./l2-operational/context-gate-recommend.js\";\nexport {\n evaluateField,\n filterContext,\n} from \"./l2-operational/context-gate.js\";\nexport type {\n ContextGatePolicy,\n ContextGateRule,\n ContextFilterResult,\n FieldFilterResult,\n ProviderCategory,\n ContextAction,\n} from \"./l2-operational/context-gate.js\";\nexport { InjectionDetector } from \"./security/injection-detector.js\";\nexport type {\n InjectionDetectorConfig,\n DetectionResult,\n InjectionSignal,\n} from \"./security/injection-detector.js\";\nexport { ContextGateEnforcer } from \"./l2-operational/context-gate-enforcer.js\";\nexport type { EnforcerConfig } from \"./l2-operational/context-gate-enforcer.js\";\nexport { MemoryStorage } from \"./storage/memory.js\";\nexport { FilesystemStorage } from \"./storage/filesystem.js\";\nexport { ApprovalGate } from \"./principal-policy/gate.js\";\nexport { BaselineTracker } from \"./principal-policy/baseline.js\";\nexport { loadPrincipalPolicy } from \"./principal-policy/loader.js\";\nexport type { PrincipalPolicy, GateResult } from \"./principal-policy/types.js\";\nexport {\n StderrApprovalChannel,\n CallbackApprovalChannel,\n AutoApproveChannel,\n} from \"./principal-policy/approval-channel.js\";\nexport { DashboardApprovalChannel } from \"./principal-policy/dashboard.js\";\nexport type { DashboardConfig } from \"./principal-policy/dashboard.js\";\nexport { WebhookApprovalChannel, signPayload, verifySignature } from \"./principal-policy/webhook.js\";\nexport type { WebhookConfig, WebhookPayload, WebhookCallbackPayload } from \"./principal-policy/webhook.js\";\nexport { generateSHR } from \"./shr/generator.js\";\nexport { verifySHR } from \"./shr/verifier.js\";\nexport type { SignedSHR, SHRBody, SHRVerificationResult } from \"./shr/types.js\";\nexport {\n initiateHandshake,\n respondToHandshake,\n completeHandshake,\n verifyCompletion,\n} from \"./handshake/protocol.js\";\nexport type {\n HandshakeChallenge,\n HandshakeResponse,\n HandshakeCompletion,\n HandshakeResult,\n} from \"./handshake/types.js\";\nexport {\n createBridgeCommitment,\n verifyBridgeCommitment,\n canonicalize,\n} from \"./bridge/bridge.js\";\nexport type {\n ConcordiaOutcome,\n BridgeCommitment,\n BridgeVerificationResult,\n BridgeAttestationRequest,\n BridgeAttestationResult,\n} from \"./bridge/types.js\";\n","/**\n * Sanctuary MCP Server — In-Memory Storage Backend\n *\n * Used for testing. Implements the same interface as filesystem storage\n * but stores everything in memory. Data does not persist across restarts.\n */\n\nimport type { StorageBackend, StorageEntryMeta } from \"./interface.js\";\n\nexport class MemoryStorage implements StorageBackend {\n private store = new Map<string, { data: Uint8Array; modified_at: string }>();\n\n private storageKey(namespace: string, key: string): string {\n return `${namespace}/${key}`;\n }\n\n async write(\n namespace: string,\n key: string,\n data: Uint8Array\n ): Promise<void> {\n this.store.set(this.storageKey(namespace, key), {\n data: new Uint8Array(data), // Copy to prevent external mutation\n modified_at: new Date().toISOString(),\n });\n }\n\n async read(namespace: string, key: string): Promise<Uint8Array | null> {\n const entry = this.store.get(this.storageKey(namespace, key));\n if (!entry) return null;\n return new Uint8Array(entry.data); // Copy to prevent external mutation\n }\n\n async delete(\n namespace: string,\n key: string,\n _secureOverwrite?: boolean\n ): Promise<boolean> {\n return this.store.delete(this.storageKey(namespace, key));\n }\n\n async list(namespace: string, prefix?: string): Promise<StorageEntryMeta[]> {\n const entries: StorageEntryMeta[] = [];\n const nsPrefix = `${namespace}/`;\n\n for (const [storeKey, entry] of this.store) {\n if (!storeKey.startsWith(nsPrefix)) continue;\n const key = storeKey.slice(nsPrefix.length);\n if (prefix && !key.startsWith(prefix)) continue;\n\n entries.push({\n key,\n namespace,\n size_bytes: entry.data.length,\n modified_at: entry.modified_at,\n });\n }\n\n return entries.sort((a, b) => a.key.localeCompare(b.key));\n }\n\n async exists(namespace: string, key: string): Promise<boolean> {\n return this.store.has(this.storageKey(namespace, key));\n }\n\n async totalSize(): Promise<number> {\n let total = 0;\n for (const entry of this.store.values()) {\n total += entry.data.length;\n }\n return total;\n }\n\n /** Clear all stored data (useful in tests) */\n clear(): void {\n this.store.clear();\n }\n}\n"]}