@sourceregistry/node-jwt 1.5.2 → 1.5.4

package/README.md

@@ -164,12 +164,13 @@ const jwks = await JWKS.fromWeb('https://issuer.example', {
 });
 
 const jwk = await jwks.key('my-kid');
+const keyObject = jwk?.toKeyObject();
 const keys = await jwks.list();
 const rsaKeys = await jwks.find({ kty: 'RSA' });
 const firstSigKey = await jwks.findFirst({ use: 'sig' });
 
 // Force refresh
-await jwks.refresh();
+await jwks.refresh(); // returns resolver for chaining
 
 // Access cached JWKS snapshot
 const current = jwks.export();
@@ -184,6 +185,15 @@ const current = jwks.export();
 * `overrideEndpointCheck` — skip automatic `/.well-known/jwks.json` append
 * `cache` — custom cache backend with `{ get(key), set(key, value) }`
 
+`fromWeb()` resolver methods:
+
+* `key(kid)` — returns a normalized key (or `undefined`) extended with `toKeyObject()`
+* `list()` — returns all normalized keys
+* `find(query)` — returns normalized matching keys
+* `findFirst(query)` — returns first normalized match or `undefined`
+* `refresh()` — forces reload and returns the resolver instance
+* `export()` — returns the current cached JWKS snapshot
+
 ### 🔹 Local Examples
 
 See runnable examples in:
@@ -204,6 +214,30 @@ See runnable examples in:
 * ✅ Timing-safe signature comparison
 * ✅ No insecure defaults
 
+## ✅ Production Checklist
+
+Use this profile in production verification paths:
+
+```ts
+import { verify } from '@sourceregistry/node-jwt';
+
+const result = verify(token, publicKeyOrSecret, {
+  algorithms: ['RS256'],           // pin expected algorithm(s)
+  issuer: 'https://issuer.example',
+  audience: 'my-service',
+  clockSkew: 30,                   // seconds
+  maxTokenAge: 3600                // seconds
+});
+```
+
+Recommended operational checks:
+
+* Pin `algorithms` in every verify call (do not rely on implicit acceptance).
+* Always validate `issuer` and `audience` for external tokens.
+* Use short token lifetimes and enforce `maxTokenAge`.
+* Rotate keys regularly and configure JWKS cache `ttl` for your threat model.
+* Monitor and alert on verification failures (`INVALID_SIGNATURE`, `INVALID_CLAIM`, `INVALID_OPTIONS`).
+
 ---
 
 ## 🔏 ECDSA Signature Format: DER vs JOSE (New)

package/dist/index-BgMSfLZD.cjs

@@ -0,0 +1,2 @@
+"use strict";const i=require("crypto"),w={encode:e=>Buffer.from(e).toString("base64url"),decode:e=>Buffer.from(e,"base64url").toString()},P=(e,t)=>e.length!==t.length?!1:i.timingSafeEqual(Buffer.from(e),Buffer.from(t)),x=/^[A-Za-z0-9_-]+$/;function k(e){return typeof e=="object"&&e!==null&&!Array.isArray(e)}function E(e){return typeof e=="number"&&Number.isFinite(e)}function _(e){return Array.isArray(e)&&e.every(t=>typeof t=="string")}function G(e){const t=[{claim:"iss",valid:e.iss===void 0||typeof e.iss=="string",expected:"string"},{claim:"sub",valid:e.sub===void 0||typeof e.sub=="string",expected:"string"},{claim:"jti",valid:e.jti===void 0||typeof e.jti=="string",expected:"string"},{claim:"sid",valid:e.sid===void 0||typeof e.sid=="string",expected:"string"},{claim:"iat",valid:e.iat===void 0||E(e.iat),expected:"number"},{claim:"exp",valid:e.exp===void 0||E(e.exp),expected:"number"},{claim:"nbf",valid:e.nbf===void 0||E(e.nbf),expected:"number"}];for(const r of t)if(!r.valid)return{reason:`Invalid "${r.claim}" claim: expected ${r.expected}`,code:"INVALID_CLAIM"};return e.aud!==void 0&&!(typeof e.aud=="string"||_(e.aud))?{reason:'Invalid "aud" claim: expected string or string[]',code:"INVALID_CLAIM"}:null}function q(e){if(e.signatureFormat!==void 0&&e.signatureFormat!=="der"&&e.signatureFormat!=="jose")return{reason:'Invalid signatureFormat option: expected "der" or "jose"',code:"INVALID_OPTIONS"};if(e.clockSkew!==void 0&&(!E(e.clockSkew)||e.clockSkew<0))return{reason:"Invalid clockSkew option: expected a non-negative finite number",code:"INVALID_OPTIONS"};if(e.maxTokenAge!==void 0&&(!E(e.maxTokenAge)||e.maxTokenAge<0))return{reason:"Invalid maxTokenAge option: expected a non-negative finite number",code:"INVALID_OPTIONS"};if(e.issuer!==void 0&&typeof e.issuer!="string")return{reason:"Invalid issuer option: expected string",code:"INVALID_OPTIONS"};if(e.subject!==void 0&&typeof e.subject!="string")return{reason:"Invalid subject option: expected string",code:"INVALID_OPTIONS"};if(e.jwtId!==void 0&&typeof e.jwtId!="string")return{reason:"Invalid jwtId option: expected string",code:"INVALID_OPTIONS"};if(e.audience!==void 0&&!(typeof e.audience=="string"||_(e.audience)))return{reason:"Invalid audience option: expected string or string[]",code:"INVALID_OPTIONS"};if(e.algorithms!==void 0){if(!Array.isArray(e.algorithms))return{reason:"Invalid algorithms option: expected an array",code:"INVALID_OPTIONS"};const t=e.algorithms.find(r=>!(r in h));if(t)return{reason:`Invalid algorithms option: unsupported algorithm "${t}"`,code:"INVALID_OPTIONS"}}return null}function B(e){switch(e){case"ES256":case"ES256K":return 64;case"ES384":return 96;case"ES512":return 132;default:throw new Error(`Unsupported ECDSA alg for JOSE conversion: ${e}`)}}function z(e,t){let r=0;if(e[r++]!==48)throw new Error("Invalid DER ECDSA signature");let n=e[r++];if(n&128){const A=n&127;n=0;for(let S=0;S<A;S++)n=n<<8|e[r++]}if(e[r++]!==2)throw new Error("Invalid DER ECDSA signature (r)");const c=e[r++];let f=e.subarray(r,r+c);if(r+=c,e[r++]!==2)throw new Error("Invalid DER ECDSA signature (s)");const a=e[r++];let o=e.subarray(r,r+a);for(;f.length>t/2&&f[0]===0;)f=f.subarray(1);for(;o.length>t/2&&o[0]===0;)o=o.subarray(1);const g=Buffer.concat([Buffer.alloc(t/2-f.length,0),f]),u=Buffer.concat([Buffer.alloc(t/2-o.length,0),o]);return Buffer.concat([g,u])}function J(e){const t=e.length/2;let r=e.subarray(0,t),n=e.subarray(t);for(;r.length>1&&r[0]===0&&(r[1]&128)===0;)r=r.subarray(1);for(;n.length>1&&n[0]===0&&(n[1]&128)===0;)n=n.subarray(1);r[0]&128&&(r=Buffer.concat([Buffer.from([0]),r])),n[0]&128&&(n=Buffer.concat([Buffer.from([0]),n]));const c=Buffer.concat([Buffer.from([2,r.length]),r]),f=Buffer.concat([Buffer.from([2,n.length]),n]),a=c.length+f.length;let o;if(a<128)o=Buffer.from([a]);else{const g=[];let u=a;for(;u>0;)g.unshift(u&255),u>>=8;o=Buffer.from([128|g.length,...g])}return Buffer.concat([Buffer.from([48]),o,c,f])}function W(e){return e==="ES256"||e==="ES384"||e==="ES512"||e==="ES256K"}const h={HS256:{sign:(e,t)=>i.createHmac("sha256",t).update(e).digest("base64url"),verify:(e,t,r)=>{const n=i.createHmac("sha256",t).update(e).digest("base64url");return P(n,r)}},HS384:{sign:(e,t)=>i.createHmac("sha384",t).update(e).digest("base64url"),verify:(e,t,r)=>{const n=i.createHmac("sha384",t).update(e).digest("base64url");return P(n,r)}},HS512:{sign:(e,t)=>i.createHmac("sha512",t).update(e).digest("base64url"),verify:(e,t,r)=>{const n=i.createHmac("sha512",t).update(e).digest("base64url");return P(n,r)}},RS256:{sign:(e,t)=>i.createSign("RSA-SHA256").update(e).end().sign(t).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("RSA-SHA256").update(e).end().verify(t,Buffer.from(r,"base64url"))}catch{return!1}}},RS384:{sign:(e,t)=>i.createSign("RSA-SHA384").update(e).end().sign(t).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("RSA-SHA384").update(e).end().verify(t,Buffer.from(r,"base64url"))}catch{return!1}}},RS512:{sign:(e,t)=>i.createSign("RSA-SHA512").update(e).end().sign(t).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("RSA-SHA512").update(e).end().verify(t,Buffer.from(r,"base64url"))}catch{return!1}}},ES256:{sign:(e,t)=>i.createSign("SHA256").update(e).end().sign(t).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("SHA256").update(e).end().verify(t,Buffer.from(r,"base64url"))}catch{return!1}}},ES384:{sign:(e,t)=>i.createSign("SHA384").update(e).end().sign(t).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("SHA384").update(e).end().verify(t,Buffer.from(r,"base64url"))}catch{return!1}}},ES512:{sign:(e,t)=>i.createSign("SHA512").update(e).end().sign(t).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("SHA512").update(e).end().verify(t,Buffer.from(r,"base64url"))}catch{return!1}}},ES256K:{sign:(e,t)=>i.createSign("SHA256").update(e).end().sign(t).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("SHA256").update(e).end().verify(t,Buffer.from(r,"base64url"))}catch{return!1}}},PS256:{sign:(e,t)=>i.createSign("RSA-SHA256").update(e).end().sign({key:t,padding:i.constants.RSA_PKCS1_PSS_PADDING,saltLength:32}).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("RSA-SHA256").update(e).end().verify({key:t,padding:i.constants.RSA_PKCS1_PSS_PADDING,saltLength:32},Buffer.from(r,"base64url"))}catch{return!1}}},PS384:{sign:(e,t)=>i.createSign("RSA-SHA384").update(e).end().sign({key:t,padding:i.constants.RSA_PKCS1_PSS_PADDING,saltLength:48}).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("RSA-SHA384").update(e).end().verify({key:t,padding:i.constants.RSA_PKCS1_PSS_PADDING,saltLength:48},Buffer.from(r,"base64url"))}catch{return!1}}},PS512:{sign:(e,t)=>i.createSign("RSA-SHA512").update(e).end().sign({key:t,padding:i.constants.RSA_PKCS1_PSS_PADDING,saltLength:64}).toString("base64url"),verify:(e,t,r)=>{try{return i.createVerify("RSA-SHA512").update(e).end().verify({key:t,padding:i.constants.RSA_PKCS1_PSS_PADDING,saltLength:64},Buffer.from(r,"base64url"))}catch{return!1}}},EdDSA:{sign:(e,t)=>i.sign(null,typeof e=="string"?Buffer.from(e,"utf8"):e,t).toString("base64url"),verify:(e,t,r)=>{try{return i.verify(null,typeof e=="string"?Buffer.from(e,"utf8"):e,t,Buffer.from(r,"base64url"))}catch{return!1}}}},X=Object.keys(h);function R(e){if(e.type==="secret")return"HS256";if(e.type!=="private")throw new Error("Only private or symmetric keys can be used to sign JWTs");const t=e.asymmetricKeyType,r=e.asymmetricKeyDetails;switch(t){case"rsa":return"RS256";case"rsa-pss":{const n=r?.hashAlgorithm??"sha256";switch(n){case"sha256":return"PS256";case"sha384":return"PS384";case"sha512":return"PS512";default:throw new Error(`Unsupported RSA-PSS hash algorithm: ${n}`)}}case"ec":{const n=r?.namedCurve;switch(n){case"P-256":case"prime256v1":return"ES256";case"P-384":case"secp384r1":return"ES384";case"P-521":case"secp521r1":return"ES512";case"secp256k1":return"ES256K";default:throw new Error(`Unsupported EC curve: ${n}`)}}case"ed25519":return"EdDSA";default:throw new Error(`Unsupported asymmetric key type: ${t}`)}}function Y(e){if(typeof e=="object"&&"type"in e)return e;try{return i.createPrivateKey(e)}catch{const t=typeof e=="string"?Buffer.from(e,"utf8"):Buffer.isBuffer(e)?e:(()=>{throw new Error("Unsupported key type")})();return i.createSecretKey(t)}}const O=e=>{const t=e.split(".");if(t.length!==3)throw new Error('Invalid JWT: must contain exactly 3 parts separated by "."');const[r,n,c]=t;if(!r||!n||!c)throw new Error("Invalid JWT: empty part detected");if(!x.test(r)||!x.test(n)||!x.test(c))throw new Error("Invalid JWT: non-base64url characters detected");try{const f=JSON.parse(w.decode(r)),a=JSON.parse(w.decode(n));if(!k(f)||!k(a))throw new Error("header and payload must be JSON objects");const o=f,g=a;if(typeof o.alg!="string"||o.alg.length===0)throw new Error("header.alg must be a non-empty string");if(o.typ!==void 0&&typeof o.typ!="string")throw new Error("header.typ must be a string");if(o.kid!==void 0&&typeof o.kid!="string")throw new Error("header.kid must be a string");return{header:o,payload:g,signature:c}}catch(f){throw new Error(`Invalid JWT: malformed header or payload (${f.message})`)}},V=(e,t,r={})=>{const n=Y(t),c=r.alg??R(n),f=r.signatureFormat??"der",a=r.typ??"JWT";if(!(c in h))throw new Error(`Unsupported algorithm: ${c}`);const o={alg:c,typ:a};r.kid&&(o.kid=r.kid);const g=w.encode(JSON.stringify(o)),u=w.encode(JSON.stringify(e)),A=`${g}.${u}`;let S=h[c].sign(A,t);if(f==="jose"&&W(c)){const m=Buffer.from(S,"base64url");S=z(m,B(c)).toString("base64url")}return`${g}.${u}.${S}`},L=(e,t,r={})=>{const n=q(r);if(n)return{valid:!1,error:n};let c;try{c=O(e)}catch(s){return{valid:!1,error:{reason:s.message,code:"INVALID_TOKEN"}}}const{header:f,payload:a,signature:o}=c,g=G(a);if(g)return{valid:!1,error:g};const u=f.alg;if(!(u in h))return{valid:!1,error:{reason:`Unsupported or unknown algorithm: ${f.alg}`,code:"INVALID_ALGORITHM"}};if(r.algorithms&&r.algorithms.length>0&&!r.algorithms.includes(u))return{valid:!1,error:{reason:`Algorithm "${u}" is not in the allowed algorithms list`,code:"ALGORITHM_NOT_ALLOWED"}};if(f.typ!==void 0&&f.typ!=="JWT")return{valid:!1,error:{reason:`Invalid token type: expected 'JWT', got '${f.typ}'`,code:"INVALID_TYPE"}};const[A,S]=e.split("."),m=`${A}.${S}`;if(W(u)){const s=r.signatureFormat;let d;if(s==="jose")try{const y=Buffer.from(o,"base64url"),v=J(y).toString("base64url");d=h[u].verify(m,t,v)}catch{d=!1}else if(s==="der")d=h[u].verify(m,t,o);else if(d=h[u].verify(m,t,o),!d)try{const y=Buffer.from(o,"base64url");if(y.length===B(u)){const v=J(y).toString("base64url");d=h[u].verify(m,t,v)}}catch{}if(!d)return{valid:!1,error:{reason:"Signature verification failed",code:"INVALID_SIGNATURE"}}}else{let s=!1;try{s=h[u].verify(m,t,o)}catch{s=!1}if(!s)return{valid:!1,error:{reason:"Signature verification failed",code:"INVALID_SIGNATURE"}}}const b=Math.floor(Date.now()/1e3),l=r.clockSkew??0;if(!r.ignoreExpiration&&a.exp!==void 0&&b>a.exp+l)return{valid:!1,error:{reason:"Token expired",code:"TOKEN_EXPIRED"}};if(a.nbf!==void 0&&b+l<a.nbf)return{valid:!1,error:{reason:"Token not yet valid",code:"TOKEN_NOT_ACTIVE"}};if(a.iat!==void 0&&b+l<a.iat)return{valid:!1,error:{reason:"Token issued in the future",code:"TOKEN_FUTURE_ISSUED"}};if(r.maxTokenAge!==void 0&&a.iat!==void 0){const s=b-a.iat;if(s>r.maxTokenAge)return{valid:!1,error:{reason:`Token age (${s}s) exceeds maximum allowed age (${r.maxTokenAge}s)`,code:"TOKEN_TOO_OLD"}}}if(r.issuer!==void 0){if(a.iss===void 0)return{valid:!1,error:{reason:'Token missing required issuer claim ("iss")',code:"MISSING_ISSUER"}};if(r.issuer!==a.iss)return{valid:!1,error:{reason:`Invalid token issuer: expected "${r.issuer}", got "${a.iss}"`,code:"INVALID_ISSUER"}}}if(r.subject!==void 0){if(a.sub===void 0)return{valid:!1,error:{reason:'Token missing required subject claim ("sub")',code:"MISSING_SUBJECT"}};if(r.subject!==a.sub)return{valid:!1,error:{reason:`Invalid token subject: expected "${r.subject}", got "${a.sub}"`,code:"INVALID_SUBJECT"}}}if(r.audience!==void 0){const s=a.aud;if(s===void 0)return{valid:!1,error:{reason:'Token missing required audience claim ("aud")',code:"MISSING_AUDIENCE"}};const d=Array.isArray(r.audience)?r.audience:[r.audience],y=Array.isArray(s)?s:[s];if(!d.some(p=>y.includes(p)))return{valid:!1,error:{reason:"Audience claim mismatch",code:"INVALID_AUDIENCE"}}}if(r.jwtId!==void 0){if(a.jti===void 0)return{valid:!1,error:{reason:'Token missing required JWT ID claim ("jti")',code:"MISSING_JTI"}};if(r.jwtId!==a.jti)return{valid:!1,error:{reason:`Invalid JWT ID: expected "${r.jwtId}", got "${a.jti}"`,code:"INVALID_JTI"}}}return{valid:!0,header:f,payload:a,signature:o}},Z={sign:V,verify:L,decode:O,algorithms:h};function $(e){if(!e||typeof e!="object")throw new Error("Invalid KeyObject");return e.export({format:"jwk"})}function N(e){if(!e||typeof e!="object")throw new Error("Invalid JWK");switch(e.kty){case"oct":{if(!("k"in e)||typeof e.k!="string")throw new Error('Invalid oct JWK: missing "k"');return i.createSecretKey(Buffer.from(e.k,"base64url"))}case"RSA":case"EC":case"OKP":return"d"in e&&typeof e.d=="string"?i.createPrivateKey({format:"jwk",key:e}):i.createPublicKey({format:"jwk",key:e});default:throw new Error(`Unsupported JWK key type: ${e.kty}`)}}function H(e){if(!e||typeof e!="object")throw new Error("Invalid KeyObject");const r=(e.type==="private"?i.createPublicKey(e):e).export({format:"jwk"});return delete r.d,delete r.p,delete r.q,delete r.dp,delete r.dq,delete r.qi,r}function D(e,t="sha256"){if(!e||typeof e!="object")throw new Error("Invalid JWK");let r;switch(e.kty){case"RSA":r={e:e.e,kty:e.kty,n:e.n};break;case"EC":r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":r={crv:e.crv,kty:e.kty,x:e.x};break;case"oct":r={k:e.k,kty:e.kty};break;default:throw new Error(`Unsupported JWK key type: ${e.kty}`)}const n=JSON.stringify(Object.keys(r).sort().reduce((c,f)=>(c[f]=r[f],c),{}));return i.createHash(t).update(n).digest("base64url")}function U(e){if(e.x5c?.length)return i.createHash("sha1").update(Buffer.from(e.x5c[0],"base64")).digest("base64url")}const Q={export:$,import:N,toPublic:H,thumbprint:D};function C(e,t){if(!e||!Array.isArray(e.keys))throw new Error("Invalid JWKS");let r;if(t&&(r=e.keys.find(n=>n.kid===t)),!r&&e.keys.length===1&&(r=e.keys[0]),!r)throw new Error("Key not found in JWKS");return N(r)}function K(e){return{keys:I(...e.keys)}}function I(...e){return e.map(t=>{const r={...t,kid:t.kid??D(t),x5t:t.x5t??U(t)};return Object.defineProperty(r,"toKeyObject",{enumerable:!1,configurable:!1,writable:!1,value:()=>N(r)}),r})}const j=async(e,t={})=>{const r=typeof e=="string"?e:e.toString(),n=t.fetch??globalThis.fetch,c=Math.max(0,t.ttl??5*6e4),f=Math.max(0,t.timeoutMs??5e3),a="/.well-known/jwks.json";if(!n)throw new Error("No fetch implementation available");const o=(()=>{if(t.endpointOverride){const l=t.endpointOverride;try{return new URL(l,r).toString()}catch{return l}}return t.overrideEndpointCheck||r.endsWith(a)?r:`${r.replace(/\/+$/,"")}${a}`})(),g=(()=>{if(t.cache)return t.cache;let l;return{get:()=>l,set:(s,d)=>{l=d}}})();let u,A=0,S,m=0;const b=async l=>{if(S)return S;S=(async()=>{const s=new AbortController;let d;f>0&&(d=setTimeout(()=>s.abort(),f));let y;try{y=await n(o,{signal:s.signal})}catch(p){throw s.signal.aborted?new Error(`JWKS fetch timed out after ${f}ms`):p}finally{d&&clearTimeout(d)}if(!y.ok)throw new Error(`Failed to fetch JWKS: ${y.status} ${y.statusText}`);const v=await y.json();if(!v||typeof v!="object"||!Array.isArray(v.keys))throw new Error("Invalid JWKS");return K(v)})();try{const s=await S;return u=s,await g.set(o,s),m=0,c>0&&(A=Date.now()+c),s}catch(s){if(!l||!u)throw s;if(m+=1,c>0){const d=Math.min(Math.max(c,3e4)*Math.pow(2,m-1),9e5);A=Date.now()+d}return console.warn(`JWKS refresh failed for "${o}", using stale cache.`,s),u}finally{S=void 0}};return u=await g.get(o),u?(u=K(u),c>0&&(A=Date.now()+c)):u=await b(!1),{async list(){return c>0&&Date.now()>=A&&await b(!0),I(...u.keys)},async refresh(){return await b(!1),this},async key(l){const d=(await this.list()).find(y=>y.kid===l);if(d)return I(d)[0]},async find(l){const s=await this.list(),d=Object.entries(l);return d.length===0?I(...s):I(...s.filter(y=>d.every(([v,p])=>{const T=y[v];return Array.isArray(p)?Array.isArray(T)&&T.length===p.length&&T.every((M,F)=>M===p[F]):T===p})))},async findFirst(l){return this.find(l).then(([s])=>s)},export(){return u}}},ee={toKeyObject:C,normalize:K,fromWeb:j};exports.AutodetectAlgorithm=R;exports.JWK=Q;exports.JWKS=ee;exports.JWKSToKeyObject=C;exports.JWT=Z;exports.SignatureAlgorithm=h;exports.SupportedAlgorithms=X;exports.base64Url=w;exports.computeX5T=U;exports.decode=O;exports.exportJWK=$;exports.fromWeb=j;exports.getJWKThumbprint=D;exports.importJWK=N;exports.normalizeJWK=I;exports.normalizeJWKS=K;exports.sign=V;exports.toPublicJWK=H;exports.verify=L;
+//# sourceMappingURL=index-BgMSfLZD.cjs.map

package/dist/index-BgMSfLZD.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index-BgMSfLZD.cjs","sources":["../src/jwt/index.ts","../src/jwks/index.ts"],"sourcesContent":["import crypto, {\n    createHmac,\n    createSign,\n    createVerify,\n    createPrivateKey,\n    createSecretKey,\n    sign as cryptoSign,\n    verify as cryptoVerify,\n    timingSafeEqual,\n    type BinaryLike,\n    type KeyLike,\n    type KeyObject\n} from 'crypto';\n\n// Base64URL helpers (padding-safe)\nexport const base64Url = {\n    encode: (input: string | Buffer): string => Buffer.from(input).toString('base64url'),\n    decode: (input: string): string => Buffer.from(input, 'base64url').toString()\n};\n\n/**\n * Timing-safe string comparison to prevent timing attacks\n * @param a\n * @param b\n */\nconst timingSafeCompare = (a: string, b: string): boolean => {\n    if (a.length !== b.length) {\n        return false;\n    }\n    return timingSafeEqual(Buffer.from(a), Buffer.from(b));\n};\n\n// Standard JWT payload claims\nexport interface JWTPayload {\n    /**\n     * Issuer\n     */\n    iss?: string;\n    /**\n     * Subject\n     */\n    sub?: string;\n    /**\n     * Audience\n     */\n    aud?: string | string[];\n    /**\n     * Expiration Time (as UNIX timestamp)\n     */\n    exp?: number;\n    /**\n     * Not Before (as UNIX timestamp)\n     */\n    nbf?: number;\n    /**\n     * Issued At (as UNIX timestamp)\n     */\n    iat?: number;\n    /**\n     * JWT ID\n     */\n    jti?: string;\n    /**\n     * Session ID\n     */\n    sid?: string;\n\n    /**\n     * Custom claims\n     */\n    [key: string]: unknown;\n}\n\nexport interface JWTHeader {\n    alg: string; // Allow unknown algs during decode\n    typ?: string;\n    kid?: string;\n}\n\nexport interface JWT {\n    header: JWTHeader;\n    payload: JWTPayload;\n    signature: string;\n}\n\nconst BASE64URL_SEGMENT_REGEX = /^[A-Za-z0-9_-]+$/;\n\nfunction isPlainObject(input: unknown): input is Record<string, unknown> {\n    return typeof input === 'object' && input !== null && !Array.isArray(input);\n}\n\nfunction isFiniteNumber(input: unknown): input is number {\n    return typeof input === 'number' && Number.isFinite(input);\n}\n\nfunction isStringArray(input: unknown): input is string[] {\n    return Array.isArray(input) && input.every((value) => typeof value === 'string');\n}\n\nfunction validateRegisteredClaims(payload: JWTPayload): { reason: string; code: string } | null {\n    const claimValidators: Array<{ claim: keyof JWTPayload; valid: boolean; expected: string }> = [\n        {claim: 'iss', valid: payload.iss === undefined || typeof payload.iss === 'string', expected: 'string'},\n        {claim: 'sub', valid: payload.sub === undefined || typeof payload.sub === 'string', expected: 'string'},\n        {claim: 'jti', valid: payload.jti === undefined || typeof payload.jti === 'string', expected: 'string'},\n        {claim: 'sid', valid: payload.sid === undefined || typeof payload.sid === 'string', expected: 'string'},\n        {claim: 'iat', valid: payload.iat === undefined || isFiniteNumber(payload.iat), expected: 'number'},\n        {claim: 'exp', valid: payload.exp === undefined || isFiniteNumber(payload.exp), expected: 'number'},\n        {claim: 'nbf', valid: payload.nbf === undefined || isFiniteNumber(payload.nbf), expected: 'number'},\n    ];\n\n    for (const entry of claimValidators) {\n        if (!entry.valid) {\n            return {\n                reason: `Invalid \"${entry.claim}\" claim: expected ${entry.expected}`,\n                code: 'INVALID_CLAIM'\n            };\n        }\n    }\n\n    if (payload.aud !== undefined) {\n        const isValidAudience = typeof payload.aud === 'string' || isStringArray(payload.aud);\n        if (!isValidAudience) {\n            return {\n                reason: 'Invalid \"aud\" claim: expected string or string[]',\n                code: 'INVALID_CLAIM'\n            };\n        }\n    }\n\n    return null;\n}\n\nfunction validateVerifyOptions(options: VerifyOptions): { reason: string; code: string } | null {\n    if (options.signatureFormat !== undefined && options.signatureFormat !== 'der' && options.signatureFormat !== 'jose') {\n        return {\n            reason: 'Invalid signatureFormat option: expected \"der\" or \"jose\"',\n            code: 'INVALID_OPTIONS'\n        };\n    }\n\n    if (options.clockSkew !== undefined && (!isFiniteNumber(options.clockSkew) || options.clockSkew < 0)) {\n        return {\n            reason: 'Invalid clockSkew option: expected a non-negative finite number',\n            code: 'INVALID_OPTIONS'\n        };\n    }\n\n    if (options.maxTokenAge !== undefined && (!isFiniteNumber(options.maxTokenAge) || options.maxTokenAge < 0)) {\n        return {\n            reason: 'Invalid maxTokenAge option: expected a non-negative finite number',\n            code: 'INVALID_OPTIONS'\n        };\n    }\n\n    if (options.issuer !== undefined && typeof options.issuer !== 'string') {\n        return {\n            reason: 'Invalid issuer option: expected string',\n            code: 'INVALID_OPTIONS'\n        };\n    }\n\n    if (options.subject !== undefined && typeof options.subject !== 'string') {\n        return {\n            reason: 'Invalid subject option: expected string',\n            code: 'INVALID_OPTIONS'\n        };\n    }\n\n    if (options.jwtId !== undefined && typeof options.jwtId !== 'string') {\n        return {\n            reason: 'Invalid jwtId option: expected string',\n            code: 'INVALID_OPTIONS'\n        };\n    }\n\n    if (options.audience !== undefined) {\n        const isValidAudience = typeof options.audience === 'string' || isStringArray(options.audience);\n        if (!isValidAudience) {\n            return {\n                reason: 'Invalid audience option: expected string or string[]',\n                code: 'INVALID_OPTIONS'\n            };\n        }\n    }\n\n    if (options.algorithms !== undefined) {\n        if (!Array.isArray(options.algorithms)) {\n            return {\n                reason: 'Invalid algorithms option: expected an array',\n                code: 'INVALID_OPTIONS'\n            };\n        }\n\n        const invalidAlgorithm = options.algorithms.find((alg) => !(alg in SignatureAlgorithm));\n        if (invalidAlgorithm) {\n            return {\n                reason: `Invalid algorithms option: unsupported algorithm \"${invalidAlgorithm}\"`,\n                code: 'INVALID_OPTIONS'\n            };\n        }\n    }\n\n    return null;\n}\n\n\n//JOSE-helpers\nfunction joseLenForAlg(alg: string): number {\n    switch (alg) {\n        case 'ES256':\n        case 'ES256K':\n            return 64;  // 32 + 32\n        case 'ES384':\n            return 96;  // 48 + 48\n        case 'ES512':\n            return 132; // 66 + 66 (P-521)\n        /* c8 ignore next 2 */\n        default:\n            throw new Error(`Unsupported ECDSA alg for JOSE conversion: ${alg}`);\n    }\n}\n\nfunction derToJose(der: Buffer, outLen: number): Buffer {\n    let i = 0;\n    if (der[i++] !== 0x30) throw new Error('Invalid DER ECDSA signature');\n\n    // seq length (short/long form)\n    let seqLen = der[i++];\n    if (seqLen & 0x80) {\n        const n = seqLen & 0x7f;\n        seqLen = 0;\n        for (let k = 0; k < n; k++) seqLen = (seqLen << 8) | der[i++];\n    }\n\n    if (der[i++] !== 0x02) throw new Error('Invalid DER ECDSA signature (r)');\n    const rLen = der[i++];\n    let r = der.subarray(i, i + rLen);\n    i += rLen;\n\n    if (der[i++] !== 0x02) throw new Error('Invalid DER ECDSA signature (s)');\n    const sLen = der[i++];\n    let s = der.subarray(i, i + sLen);\n\n    // strip leading zeros\n    while (r.length > outLen / 2 && r[0] === 0x00) r = r.subarray(1);\n    while (s.length > outLen / 2 && s[0] === 0x00) s = s.subarray(1);\n\n    const rPad = Buffer.concat([Buffer.alloc(outLen / 2 - r.length, 0), r]);\n    const sPad = Buffer.concat([Buffer.alloc(outLen / 2 - s.length, 0), s]);\n    return Buffer.concat([rPad, sPad]);\n}\n\nfunction joseToDer(jose: Buffer): Buffer {\n    const half = jose.length / 2;\n    let r = jose.subarray(0, half);\n    let s = jose.subarray(half);\n\n    // trim leading zeros\n    while (r.length > 1 && r[0] === 0x00 && (r[1] & 0x80) === 0) r = r.subarray(1);\n    while (s.length > 1 && s[0] === 0x00 && (s[1] & 0x80) === 0) s = s.subarray(1);\n\n    // if high bit set, prepend 0x00\n    if (r[0] & 0x80) r = Buffer.concat([Buffer.from([0x00]), r]);\n    if (s[0] & 0x80) s = Buffer.concat([Buffer.from([0x00]), s]);\n\n    const rPart = Buffer.concat([Buffer.from([0x02, r.length]), r]);\n    const sPart = Buffer.concat([Buffer.from([0x02, s.length]), s]);\n\n    const seqLen = rPart.length + sPart.length;\n\n    let lenBytes: Buffer;\n    if (seqLen < 0x80) {\n        lenBytes = Buffer.from([seqLen]);\n    } else {\n        const tmp: number[] = [];\n        let n = seqLen;\n        while (n > 0) {\n            tmp.unshift(n & 0xff);\n            n >>= 8;\n        }\n        lenBytes = Buffer.from([0x80 | tmp.length, ...tmp]);\n    }\n\n    return Buffer.concat([Buffer.from([0x30]), lenBytes, rPart, sPart]);\n}\n\nfunction isEcdsaAlg(alg: string): boolean {\n    return alg === 'ES256' || alg === 'ES384' || alg === 'ES512' || alg === 'ES256K';\n}\n\n\n// Signature algorithms\nexport const SignatureAlgorithm = {\n    // HMAC\n    HS256: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createHmac('sha256', secret).update(data).digest('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            const expected = createHmac('sha256', secret).update(data).digest('base64url');\n            return timingSafeCompare(expected, signature);\n        }\n    },\n    HS384: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createHmac('sha384', secret).update(data).digest('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            const expected = createHmac('sha384', secret).update(data).digest('base64url');\n            return timingSafeCompare(expected, signature);\n        }\n    },\n    HS512: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createHmac('sha512', secret).update(data).digest('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            const expected = createHmac('sha512', secret).update(data).digest('base64url');\n            return timingSafeCompare(expected, signature);\n        }\n    },\n\n    // RSA (DER-encoded signatures, base64url)\n    RS256: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('RSA-SHA256').update(data).end().sign(secret).toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('RSA-SHA256')\n                    .update(data)\n                    .end()\n                    .verify(secret, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    RS384: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('RSA-SHA384').update(data).end().sign(secret).toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('RSA-SHA384')\n                    .update(data)\n                    .end()\n                    .verify(secret, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    RS512: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('RSA-SHA512').update(data).end().sign(secret).toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('RSA-SHA512')\n                    .update(data)\n                    .end()\n                    .verify(secret, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n\n    // ECDSA (DER-encoded by default — no dsaEncoding!)\n    ES256: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('SHA256').update(data).end().sign(secret).toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('SHA256')\n                    .update(data)\n                    .end()\n                    .verify(secret, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    ES384: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('SHA384').update(data).end().sign(secret).toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('SHA384')\n                    .update(data)\n                    .end()\n                    .verify(secret, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    ES512: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('SHA512').update(data).end().sign(secret).toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('SHA512')\n                    .update(data)\n                    .end()\n                    .verify(secret, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    ES256K: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('SHA256').update(data).end().sign(secret).toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('SHA256')\n                    .update(data)\n                    .end()\n                    .verify(secret, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    PS256: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('RSA-SHA256')\n                .update(data)\n                .end()\n                .sign({\n                    //@ts-ignore\n                    key: secret,\n                    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n                    saltLength: 32\n                })\n                .toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('RSA-SHA256')\n                    .update(data)\n                    .end()\n                    .verify({\n                        //@ts-ignore\n                        key: secret,\n                        padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n                        saltLength: 32\n                    }, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    PS384: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('RSA-SHA384')\n                .update(data)\n                .end()\n                .sign({\n                    //@ts-ignore\n                    key: secret,\n                    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n                    saltLength: 48\n                })\n                .toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('RSA-SHA384')\n                    .update(data)\n                    .end()\n                    .verify({\n                        //@ts-ignore\n                        key: secret,\n                        padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n                        saltLength: 48\n                    }, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    PS512: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            createSign('RSA-SHA512')\n                .update(data)\n                .end()\n                .sign({\n                    //@ts-ignore\n                    key: secret,\n                    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n                    saltLength: 64\n                })\n                .toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return createVerify('RSA-SHA512')\n                    .update(data)\n                    .end()\n                    .verify({\n                        //@ts-ignore\n                        key: secret,\n                        padding: crypto.constants.RSA_PKCS1_PSS_PADDING,\n                        saltLength: 64\n                    }, Buffer.from(signature, 'base64url'));\n            } catch {\n                return false;\n            }\n        }\n    },\n    EdDSA: {\n        sign: (data: BinaryLike, secret: KeyLike) =>\n            cryptoSign(null, typeof data === 'string' ? Buffer.from(data, 'utf8') : data, secret)\n                .toString('base64url'),\n        verify: (data: BinaryLike, secret: KeyLike, signature: string) => {\n            try {\n                return cryptoVerify(\n                    null,\n                    typeof data === 'string' ? Buffer.from(data, 'utf8') : data,\n                    secret,\n                    Buffer.from(signature, 'base64url')\n                );\n            } catch {\n                return false;\n            }\n        }\n    }\n} as const;\n\nexport type SupportedAlgorithm = keyof typeof SignatureAlgorithm;\n\nexport const SupportedAlgorithms = Object.keys(SignatureAlgorithm) as Array<SupportedAlgorithm>;\n\n/**\n * Autodetection of algorithm for KeyObjects\n * @param key\n * @constructor\n */\nexport function AutodetectAlgorithm(key: KeyObject): SupportedAlgorithm {\n    if (key.type === 'secret') return 'HS256';\n    if (key.type !== 'private') throw new Error('Only private or symmetric keys can be used to sign JWTs');\n\n    const asymKeyType = key.asymmetricKeyType;\n    const details = key.asymmetricKeyDetails;\n\n    switch (asymKeyType) {\n        case 'rsa':\n            return 'RS256';\n        case 'rsa-pss': {\n            const hash = details?.hashAlgorithm ?? 'sha256';\n            switch (hash) {\n                case 'sha256':\n                    return 'PS256';\n                case 'sha384':\n                    return 'PS384';\n                case 'sha512':\n                    return 'PS512';\n                default:\n                    throw new Error(`Unsupported RSA-PSS hash algorithm: ${hash}`);\n            }\n        }\n        case 'ec': {\n            const curve = details?.namedCurve;\n            switch (curve) {\n                case 'P-256':\n                case 'prime256v1':\n                    return 'ES256';\n                case 'P-384':\n                case 'secp384r1':\n                    return 'ES384';\n                case 'P-521':\n                case 'secp521r1':\n                    return 'ES512';\n                case 'secp256k1':\n                    return 'ES256K';\n                default:\n                    throw new Error(`Unsupported EC curve: ${curve}`);\n            }\n        }\n        case 'ed25519':\n            return 'EdDSA';\n        default:\n            throw new Error(`Unsupported asymmetric key type: ${asymKeyType}`);\n    }\n}\n\n/**\n * Normalize KeyLike input to a KeyObject\n * @param key\n */\nfunction toKeyObject(key: KeyLike): KeyObject {\n    // Already a KeyObject (private, public, or secret)\n    if (typeof key === 'object' && 'type' in key) return key as KeyObject;\n\n    // Try asymmetric private key (PEM / DER / JWK)\n    try {\n        return createPrivateKey(key);\n    } catch {\n        // Fallback: symmetric key (HMAC)\n        const buffer =\n            typeof key === 'string'\n                ? Buffer.from(key, 'utf8')\n                : Buffer.isBuffer(key)\n                    ? key\n                    : (() => {\n                        throw new Error('Unsupported key type');\n                    })();\n\n        return createSecretKey(buffer);\n    }\n}\n\n/**\n * Decode a JWT string into its parts (without verification)\n * @param token\n */\nexport const decode = (token: string): JWT => {\n    const parts = token.split('.');\n    if (parts.length !== 3) {\n        throw new Error('Invalid JWT: must contain exactly 3 parts separated by \".\"');\n    }\n\n    const [headerPart, payloadPart, signature] = parts;\n\n    if (!headerPart || !payloadPart || !signature) {\n        throw new Error('Invalid JWT: empty part detected');\n    }\n\n    if (!BASE64URL_SEGMENT_REGEX.test(headerPart) || !BASE64URL_SEGMENT_REGEX.test(payloadPart) || !BASE64URL_SEGMENT_REGEX.test(signature)) {\n        throw new Error('Invalid JWT: non-base64url characters detected');\n    }\n\n    try {\n        const decodedHeader = JSON.parse(base64Url.decode(headerPart));\n        const decodedPayload = JSON.parse(base64Url.decode(payloadPart));\n\n        if (!isPlainObject(decodedHeader) || !isPlainObject(decodedPayload)) {\n            throw new Error('header and payload must be JSON objects');\n        }\n\n        const header = decodedHeader as unknown as JWTHeader;\n        const payload = decodedPayload as JWTPayload;\n\n        if (typeof header.alg !== 'string' || header.alg.length === 0) {\n            throw new Error('header.alg must be a non-empty string');\n        }\n        if (header.typ !== undefined && typeof header.typ !== 'string') {\n            throw new Error('header.typ must be a string');\n        }\n        if (header.kid !== undefined && typeof header.kid !== 'string') {\n            throw new Error('header.kid must be a string');\n        }\n\n        return {header, payload, signature};\n    } catch (err) {\n        throw new Error(`Invalid JWT: malformed header or payload (${(err as Error).message})`);\n    }\n}\n\nexport type SignOptions = {\n    alg?: SupportedAlgorithm;\n    kid?: string;\n    typ?: string;\n    /**\n     * default 'der'\n     */\n    signatureFormat?: 'der' | 'jose';\n}\n\n/**\n * Sign a JWT\n * @param payload\n * @param secret\n * @param options\n */\nexport const sign = (\n    payload: JWTPayload,\n    secret: KeyLike,\n    options: SignOptions = {}\n): string => {\n    const key = toKeyObject(secret);\n    const alg = options.alg ?? AutodetectAlgorithm(key);\n    const signatureFormat = options.signatureFormat ?? 'der';\n    const typ = options.typ ?? 'JWT';\n\n    if (!(alg in SignatureAlgorithm)) throw new Error(`Unsupported algorithm: ${alg}`);\n\n    const header: JWTHeader = {alg, typ};\n    if (options.kid) header.kid = options.kid;\n\n    const headerEncoded = base64Url.encode(JSON.stringify(header));\n    const payloadEncoded = base64Url.encode(JSON.stringify(payload));\n\n    const signingInput = `${headerEncoded}.${payloadEncoded}`;\n\n    // existing DER/base64url signature from algorithms\n    let signature = SignatureAlgorithm[alg].sign(signingInput, secret);\n\n    // If ES* and caller requested JOSE, convert the DER signature bytes to JOSE bytes\n    if (signatureFormat === 'jose' && isEcdsaAlg(alg)) {\n        const der = Buffer.from(signature, 'base64url');\n        const jose = derToJose(der, joseLenForAlg(alg));\n        signature = jose.toString('base64url');\n    }\n\n    return `${headerEncoded}.${payloadEncoded}.${signature}`;\n\n};\n\nexport type VerifyOptions = {\n    algorithms?: SupportedAlgorithm[]; // Whitelist of allowed algorithms\n    issuer?: string;\n    subject?: string;\n    audience?: string | string[];\n    jwtId?: string;\n    ignoreExpiration?: boolean;\n    clockSkew?: number; // in seconds, default 0\n    maxTokenAge?: number; // Maximum age in seconds\n    signatureFormat?: 'der' | 'jose';\n};\n\n/**\n * Verify and validate a JWT\n * @param token\n * @param secret\n * @param options\n */\nexport const verify = (\n    token: string,\n    secret: KeyLike,\n    options: VerifyOptions  = {}\n):\n    | { valid: true; header: JWTHeader; payload: JWTPayload; signature: string }\n    | { valid: false; error: { reason: string; code: string } } => {\n    const invalidOptions = validateVerifyOptions(options);\n    if (invalidOptions) {\n        return {\n            valid: false,\n            error: invalidOptions\n        };\n    }\n\n    let decoded: JWT;\n    try {\n        decoded = decode(token);\n    } catch (err) {\n        return {\n            valid: false,\n            error: {\n                reason: (err as Error).message,\n                code: 'INVALID_TOKEN'\n            }\n        };\n    }\n\n    const {header, payload, signature} = decoded;\n    const invalidClaims = validateRegisteredClaims(payload);\n    if (invalidClaims) {\n        return {\n            valid: false,\n            error: invalidClaims\n        };\n    }\n\n    // Validate algorithm\n    const alg = header.alg as SupportedAlgorithm;\n    if (!(alg in SignatureAlgorithm)) {\n        return {\n            valid: false,\n            error: {\n                reason: `Unsupported or unknown algorithm: ${header.alg}`,\n                code: 'INVALID_ALGORITHM'\n            }\n        };\n    }\n\n    // Algorithm whitelist validation (prevents algorithm confusion attacks)\n    if (options.algorithms && options.algorithms.length > 0) {\n        if (!options.algorithms.includes(alg)) {\n            return {\n                valid: false,\n                error: {\n                    reason: `Algorithm \"${alg}\" is not in the allowed algorithms list`,\n                    code: 'ALGORITHM_NOT_ALLOWED'\n                }\n            };\n        }\n    }\n\n    // Validate 'typ' header (must be 'JWT' if present)\n    if (header.typ !== undefined && header.typ !== 'JWT') {\n        return {\n            valid: false,\n            error: {\n                reason: `Invalid token type: expected 'JWT', got '${header.typ}'`,\n                code: 'INVALID_TYPE'\n            }\n        };\n    }\n\n    // Verify signature against the exact original JWT signing input.\n    const [headerPart, payloadPart] = token.split('.');\n    const signingInput = `${headerPart}.${payloadPart}`;\n\n    if (!isEcdsaAlg(alg)) {\n        // non-ES* algorithms unchanged\n        let isValidSignature = false;\n        try {\n            isValidSignature = SignatureAlgorithm[alg].verify(signingInput, secret, signature);\n        } catch {\n            isValidSignature = false;\n        }\n        if (!isValidSignature) {\n            return {valid: false, error: {reason: \"Signature verification failed\", code: 'INVALID_SIGNATURE'}};\n        }\n    } else {\n        // ES* algorithms: verify DER by default, but allow JOSE + auto-detect\n        const format = options.signatureFormat; // undefined means \"auto\"\n\n        let ok: boolean;\n\n        // 1) If explicitly JOSE -> convert to DER for verification\n        if (format === 'jose') {\n            try {\n                const jose = Buffer.from(signature, 'base64url');\n                const derSigB64Url = joseToDer(jose).toString('base64url');\n                ok = SignatureAlgorithm[alg].verify(signingInput, secret, derSigB64Url);\n            } catch {\n                ok = false;\n            }\n        }\n        // 2) If explicitly DER -> verify as-is\n        else if (format === 'der') {\n            ok = SignatureAlgorithm[alg].verify(signingInput, secret, signature);\n        }\n        // 3) Auto-detect: try DER first, then JOSE\n        else {\n            ok = SignatureAlgorithm[alg].verify(signingInput, secret, signature);\n            if (!ok) {\n                try {\n                    const jose = Buffer.from(signature, 'base64url');\n                    // quick sanity: only attempt conversion if size matches expected\n                    if (jose.length === joseLenForAlg(alg)) {\n                        const derSigB64Url = joseToDer(jose).toString('base64url');\n                        ok = SignatureAlgorithm[alg].verify(signingInput, secret, derSigB64Url);\n                    }\n                } catch {\n                    // ignore\n                }\n            }\n        }\n\n        if (!ok) {\n            return {valid: false, error: {reason: \"Signature verification failed\", code: 'INVALID_SIGNATURE'}};\n        }\n    }\n\n    // Time validation\n    const now = Math.floor(Date.now() / 1000);\n    const skew = options.clockSkew ?? 0;\n\n    if (!options.ignoreExpiration) {\n        if (payload.exp !== undefined && now > payload.exp + skew) {\n            return {\n                valid: false,\n                error: {\n                    reason: 'Token expired',\n                    code: 'TOKEN_EXPIRED'\n                }\n            };\n        }\n    }\n\n    if (payload.nbf !== undefined && now + skew < payload.nbf) {\n        return {\n            valid: false,\n            error: {\n                reason: 'Token not yet valid',\n                code: 'TOKEN_NOT_ACTIVE'\n            }\n        };\n    }\n\n    if (payload.iat !== undefined && now + skew < payload.iat) {\n        return {\n            valid: false,\n            error: {\n                reason: 'Token issued in the future',\n                code: 'TOKEN_FUTURE_ISSUED'\n            }\n        };\n    }\n\n    // Maximum token age validation\n    if (options.maxTokenAge !== undefined && payload.iat !== undefined) {\n        const tokenAge = now - payload.iat;\n        if (tokenAge > options.maxTokenAge) {\n            return {\n                valid: false,\n                error: {\n                    reason: `Token age (${tokenAge}s) exceeds maximum allowed age (${options.maxTokenAge}s)`,\n                    code: 'TOKEN_TOO_OLD'\n                }\n            };\n        }\n    }\n\n    // --- Claim validations (only if options provided) ---\n\n    // Issuer (`iss`)\n    if (options.issuer !== undefined) {\n        if (payload.iss === undefined) {\n            return {\n                valid: false,\n                error: {\n                    reason: 'Token missing required issuer claim (\"iss\")',\n                    code: 'MISSING_ISSUER'\n                }\n            };\n        }\n        if (options.issuer !== payload.iss) {\n            return {\n                valid: false,\n                error: {\n                    reason: `Invalid token issuer: expected \"${options.issuer}\", got \"${payload.iss}\"`,\n                    code: 'INVALID_ISSUER'\n                }\n            };\n        }\n    }\n\n    // Subject (`sub`)\n    if (options.subject !== undefined) {\n        if (payload.sub === undefined) {\n            return {\n                valid: false,\n                error: {\n                    reason: 'Token missing required subject claim (\"sub\")',\n                    code: 'MISSING_SUBJECT'\n                }\n            };\n        }\n        if (options.subject !== payload.sub) {\n            return {\n                valid: false,\n                error: {\n                    reason: `Invalid token subject: expected \"${options.subject}\", got \"${payload.sub}\"`,\n                    code: 'INVALID_SUBJECT'\n                }\n            };\n        }\n    }\n\n    // Audience (`aud`)\n    if (options.audience !== undefined) {\n        const aud = payload.aud;\n        if (aud === undefined) {\n            return {\n                valid: false,\n                error: {\n                    reason: 'Token missing required audience claim (\"aud\")',\n                    code: 'MISSING_AUDIENCE'\n                }\n            };\n        }\n\n        const expectedAud = Array.isArray(options.audience) ? options.audience : [options.audience];\n        const tokenAud = Array.isArray(aud) ? aud : [aud];\n\n        const hasMatch = expectedAud.some(a => tokenAud.includes(a));\n        if (!hasMatch) {\n            return {\n                valid: false,\n                error: {\n                    reason: 'Audience claim mismatch',\n                    code: 'INVALID_AUDIENCE'\n                }\n            };\n        }\n    }\n\n    // JWT ID (`jti`)\n    if (options.jwtId !== undefined) {\n        if (payload.jti === undefined) {\n            return {\n                valid: false,\n                error: {\n                    reason: 'Token missing required JWT ID claim (\"jti\")',\n                    code: 'MISSING_JTI'\n                }\n            };\n        }\n        if (options.jwtId !== payload.jti) {\n            return {\n                valid: false,\n                error: {\n                    reason: `Invalid JWT ID: expected \"${options.jwtId}\", got \"${payload.jti}\"`,\n                    code: 'INVALID_JTI'\n                }\n            };\n        }\n    }\n\n    return {valid: true, header, payload, signature};\n};\n\n//namespace export\nexport const JWT = {\n    sign,\n    verify,\n    decode,\n    algorithms: SignatureAlgorithm\n} as const;\n","import {\n    createPrivateKey,\n    createPublicKey,\n    createSecretKey,\n    createHash,\n    type KeyObject\n} from 'crypto';\n\n// JWK Types\nexport type JWK =\n    | RSAJWK\n    | ECJWK\n    | OKPJWK\n    | OctJWK;\n\nexport type JWKWithHelpers = JWK & {\n    toKeyObject(): KeyObject;\n};\n\nexport interface BaseJWK {\n    kty: string;\n    kid?: string;\n    alg?: string;\n    use?: 'sig' | 'enc';\n    key_ops?: Array<'sign' | 'verify'>;\n    x5c?: string[]; // X.509 cert chain\n    x5t?: string;   // Base64url thumbprint\n}\n\nexport interface RSAJWK extends BaseJWK {\n    kty: 'RSA';\n    n: string;\n    e: string;\n    d?: string;\n    p?: string;\n    q?: string;\n    dp?: string;\n    dq?: string;\n    qi?: string;\n}\n\nexport interface ECJWK extends BaseJWK {\n    kty: 'EC';\n    crv: 'P-256' | 'P-384' | 'P-521' | 'secp256k1';\n    x: string;\n    y: string;\n    d?: string;\n}\n\nexport interface OKPJWK extends BaseJWK {\n    kty: 'OKP';\n    crv: 'Ed25519';\n    x: string;\n    d?: string;\n}\n\nexport interface OctJWK extends BaseJWK {\n    kty: 'oct';\n    k: string;\n}\n\n/**\n * Export KeyObject to JWK\n * @param key\n */\nexport function exportJWK(key: KeyObject): JWK {\n    if (!key || typeof key !== 'object') throw new Error('Invalid KeyObject');\n    return key.export({format: 'jwk'}) as JWK;\n}\n\n/**\n * Import JWK to KeyObject\n * @param jwk\n */\nexport function importJWK(jwk: JWK): KeyObject {\n    if (!jwk || typeof jwk !== 'object') throw new Error('Invalid JWK');\n\n    switch (jwk.kty) {\n        case 'oct': {\n            if (!('k' in jwk) || typeof jwk.k !== 'string') {\n                throw new Error('Invalid oct JWK: missing \"k\"');\n            }\n\n            return createSecretKey(Buffer.from(jwk.k, 'base64url'));\n        }\n\n        case 'RSA':\n        case 'EC':\n        case 'OKP': {\n            // private key\n            if ('d' in jwk && typeof (jwk as any).d === 'string') {\n                // @ts-ignore\n                return createPrivateKey({format: 'jwk', key: jwk});\n            }\n\n            // public key\n            // @ts-ignore\n            return createPublicKey({format: 'jwk', key: jwk});\n        }\n\n        default:\n            throw new Error(`Unsupported JWK key type: ${(jwk as any).kty}`);\n    }\n}\n\n/**\n * Export public-only JWK\n * @param key\n */\nexport function toPublicJWK(key: KeyObject): JWK {\n    if (!key || typeof key !== 'object') {\n        throw new Error('Invalid KeyObject');\n    }\n\n    const publicKey =\n        key.type === 'private'\n            ? createPublicKey(key)\n            : key;\n\n    const jwk = publicKey.export({format: 'jwk'}) as JWK;\n\n    // Ensure private fields are not present\n    delete (jwk as any).d;\n    delete (jwk as any).p;\n    delete (jwk as any).q;\n    delete (jwk as any).dp;\n    delete (jwk as any).dq;\n    delete (jwk as any).qi;\n    return jwk;\n}\n\n/**\n * RFC 7638 JWK thumbprint\n * @param jwk\n * @param hashAlg\n */\nexport function getJWKThumbprint(jwk: JWK, hashAlg: 'sha256' = 'sha256'): string {\n    if (!jwk || typeof jwk !== 'object') {\n        throw new Error('Invalid JWK');\n    }\n\n    let fields: Record<string, string>;\n\n    switch (jwk.kty) {\n        case 'RSA':\n            fields = {e: jwk.e, kty: jwk.kty, n: jwk.n};\n            break;\n\n        case 'EC':\n            fields = {crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y};\n            break;\n\n        case 'OKP':\n            fields = {crv: jwk.crv, kty: jwk.kty, x: jwk.x};\n            break;\n\n        case 'oct':\n            fields = {k: jwk.k, kty: jwk.kty};\n            break;\n\n        default:\n            throw new Error(`Unsupported JWK key type: ${(jwk as any).kty}`);\n    }\n\n    // Lexicographically sorted JSON\n    const json = JSON.stringify(\n        Object.keys(fields)\n            .sort()\n            .reduce((acc, k) => {\n                acc[k] = fields[k];\n                return acc;\n            }, {} as Record<string, string>)\n    );\n\n    return createHash(hashAlg)\n        .update(json)\n        .digest('base64url');\n}\n\n\n/**\n * Compute x5t (SHA-1) from first cert in x5c if not set\n * @param jwk\n */\nexport function computeX5T(jwk: JWK): string | undefined {\n    if (!jwk.x5c?.length) return undefined;\n    return createHash('sha1').update(Buffer.from(jwk.x5c[0], 'base64')).digest('base64url');\n}\n\nexport const JWK = {\n    export: exportJWK,\n    import: importJWK,\n    toPublic: toPublicJWK,\n    thumbprint: getJWKThumbprint,\n}\n\nexport interface JWKS {\n    keys: JWK[];\n}\n\n/**\n * Convert JWKS specific key of first key to KeyObject\n * @param jwks\n * @param kid\n * @constructor\n */\nexport function JWKSToKeyObject(\n    jwks: JWKS,\n    kid?: string\n): KeyObject {\n    if (!jwks || !Array.isArray(jwks.keys)) throw new Error('Invalid JWKS');\n\n    let jwk: JWK | undefined;\n\n    if (kid) jwk = jwks.keys.find(k => k.kid === kid);\n\n    // Fallback: single-key JWKS\n    if (!jwk && jwks.keys.length === 1) jwk = jwks.keys[0];\n\n    if (!jwk) throw new Error('Key not found in JWKS');\n    return importJWK(jwk);\n}\n\n/**\n * Normalize JWKS\n * @param jwks\n */\nexport function normalizeJWKS(jwks: JWKS): JWKS {\n    return {\n        keys: normalizeJWK(...jwks.keys)\n    };\n}\n\nexport function normalizeJWK(...keys: JWK[]): JWKWithHelpers[] {\n    return keys.map((jwk) => {\n        const normalized = {\n            ...jwk,\n            kid: jwk.kid ?? getJWKThumbprint(jwk),\n            x5t: jwk.x5t ?? computeX5T(jwk)\n        } as JWKWithHelpers;\n\n        // Keep helper API out of object enumeration/serialization.\n        Object.defineProperty(normalized, 'toKeyObject', {\n            enumerable: false,\n            configurable: false,\n            writable: false,\n            value: () => importJWK(normalized)\n        });\n\n        return normalized;\n    })\n}\n\nexport const fromWeb = async (\n    url: string | URL,\n    options: Partial<{\n        fetch: typeof fetch;\n        ttl: number;\n        timeoutMs: number;\n        endpointOverride: string;\n        overrideEndpointCheck: boolean;\n        cache: {\n            get: (key: string) => JWKS | undefined | Promise<JWKS | undefined>;\n            set: (key: string, value: JWKS) => void | Promise<void>;\n        };\n    }> = {}\n) => {\n    const baseUrl = typeof url === 'string' ? url : url.toString();\n    const fetchFn = options.fetch ?? globalThis.fetch;\n    const ttl = Math.max(0, options.ttl ?? 5 * 60_000);\n    const timeoutMs = Math.max(0, options.timeoutMs ?? 5_000);\n    const wellKnownPath = '/.well-known/jwks.json';\n\n    if (!fetchFn) {\n        throw new Error('No fetch implementation available');\n    }\n\n    const endpoint = (() => {\n        if (options.endpointOverride) {\n            const override = options.endpointOverride;\n            try {\n                return new URL(override, baseUrl).toString();\n            } catch {\n                return override;\n            }\n        }\n\n        if (options.overrideEndpointCheck) {\n            return baseUrl;\n        }\n\n        if (baseUrl.endsWith(wellKnownPath)) {\n            return baseUrl;\n        }\n\n        return `${baseUrl.replace(/\\/+$/, '')}${wellKnownPath}`;\n    })();\n\n    const cache = (() => {\n        if (options.cache) return options.cache;\n        let memoryValue: JWKS | undefined;\n        return {\n            get: () => memoryValue,\n            set: (_key: string, value: JWKS) => {\n                memoryValue = value;\n            }\n        };\n    })();\n\n    let cachedJWKS: JWKS | undefined;\n    let nextRefreshAt = 0;\n    let refreshInFlight: Promise<JWKS> | undefined;\n    let consecutiveFailures = 0;\n\n    const fetchJWKS = async (allowStaleOnFailure: boolean): Promise<JWKS> => {\n        if (refreshInFlight) return refreshInFlight;\n\n        refreshInFlight = (async () => {\n            const controller = new AbortController();\n            let timeoutHandle: ReturnType<typeof setTimeout> | undefined;\n\n            if (timeoutMs > 0) {\n                timeoutHandle = setTimeout(() => controller.abort(), timeoutMs);\n            }\n\n            let response: Response;\n            try {\n                response = await fetchFn(endpoint, {signal: controller.signal});\n            } catch (error) {\n                if (controller.signal.aborted) {\n                    throw new Error(`JWKS fetch timed out after ${timeoutMs}ms`);\n                }\n                throw error;\n            } finally {\n                if (timeoutHandle) clearTimeout(timeoutHandle);\n            }\n\n            if (!response.ok) {\n                throw new Error(`Failed to fetch JWKS: ${response.status} ${response.statusText}`);\n            }\n\n            const body = await response.json();\n            if (!body || typeof body !== 'object' || !Array.isArray((body as any).keys)) {\n                throw new Error('Invalid JWKS');\n            }\n\n            return normalizeJWKS(body as JWKS);\n        })();\n\n        try {\n            const fresh = await refreshInFlight;\n            cachedJWKS = fresh;\n            await cache.set(endpoint, fresh);\n            consecutiveFailures = 0;\n            if (ttl > 0) nextRefreshAt = Date.now() + ttl;\n            return fresh;\n        } catch (error) {\n            if (!allowStaleOnFailure || !cachedJWKS) {\n                throw error;\n            }\n\n            consecutiveFailures += 1;\n            /* c8 ignore start - stale-on-failure is only reachable when ttl > 0 (auto-refresh path) */\n            if (ttl > 0) {\n                const backoff = Math.min(\n                    Math.max(ttl, 30_000) * Math.pow(2, consecutiveFailures - 1),\n                    15 * 60_000\n                );\n                nextRefreshAt = Date.now() + backoff;\n            }\n            /* c8 ignore stop */\n            console.warn(`JWKS refresh failed for \"${endpoint}\", using stale cache.`, error);\n            return cachedJWKS;\n        } finally {\n            refreshInFlight = undefined;\n        }\n    };\n\n    cachedJWKS = await cache.get(endpoint);\n    if (!cachedJWKS) {\n        cachedJWKS = await fetchJWKS(false);\n    } else {\n        cachedJWKS = normalizeJWKS(cachedJWKS);\n        if (ttl > 0) nextRefreshAt = Date.now() + ttl;\n    }\n\n\n    return ({\n        async list(): Promise<JWKWithHelpers[]> {\n            if (ttl > 0 && Date.now() >= nextRefreshAt) {\n                await fetchJWKS(true);\n            }\n            return normalizeJWK(...(cachedJWKS as JWKS).keys);\n        },\n        async refresh() {\n            await fetchJWKS(false);\n            return this;\n        },\n        async key(kid: string): Promise<JWKWithHelpers | undefined> {\n            const keys = await this.list();\n            const key = keys.find((v) => v.kid === kid)\n            if (!key) return undefined;\n            return normalizeJWK(key)[0];\n        },\n        async find(input: Partial<BaseJWK>): Promise<JWKWithHelpers[]> {\n            const keys = await this.list();\n            const entries = Object.entries(input) as Array<[keyof BaseJWK, BaseJWK[keyof BaseJWK]]>;\n\n            if (entries.length === 0) return normalizeJWK(...keys);\n\n            return normalizeJWK(...keys.filter((key) =>\n                entries.every(([field, expected]) => {\n                    const value = key[field];\n                    if (Array.isArray(expected)) {\n                        return Array.isArray(value)\n                            && value.length === expected.length\n                            && value.every((item, i) => item === expected[i]);\n                    }\n                    return value === expected;\n                })\n            ));\n        },\n        async findFirst(input: Partial<BaseJWK>): Promise<JWKWithHelpers | undefined> {\n            return this.find(input).then(([key]) => key);\n        },\n        export(): JWKS | undefined {\n            return cachedJWKS;\n        }\n    });\n}\n\nexport const JWKS = {\n    toKeyObject: JWKSToKeyObject,\n    normalize: normalizeJWKS,\n    fromWeb\n}\n"],"names":["base64Url","input","timingSafeCompare","a","b","timingSafeEqual","BASE64URL_SEGMENT_REGEX","isPlainObject","isFiniteNumber","isStringArray","value","validateRegisteredClaims","payload","claimValidators","entry","validateVerifyOptions","options","invalidAlgorithm","alg","SignatureAlgorithm","joseLenForAlg","derToJose","der","outLen","i","seqLen","n","k","rLen","r","sLen","s","rPad","sPad","joseToDer","jose","half","rPart","sPart","lenBytes","tmp","isEcdsaAlg","data","secret","createHmac","signature","expected","createSign","createVerify","crypto","cryptoSign","cryptoVerify","SupportedAlgorithms","AutodetectAlgorithm","key","asymKeyType","details","hash","curve","toKeyObject","createPrivateKey","buffer","createSecretKey","decode","token","parts","headerPart","payloadPart","decodedHeader","decodedPayload","header","err","sign","signatureFormat","typ","headerEncoded","payloadEncoded","signingInput","verify","invalidOptions","decoded","invalidClaims","format","ok","derSigB64Url","isValidSignature","now","skew","tokenAge","aud","expectedAud","tokenAud","JWT","exportJWK","importJWK","jwk","createPublicKey","toPublicJWK","getJWKThumbprint","hashAlg","fields","json","acc","createHash","computeX5T","JWK","JWKSToKeyObject","jwks","kid","normalizeJWKS","normalizeJWK","keys","normalized","fromWeb","url","baseUrl","fetchFn","ttl","timeoutMs","wellKnownPath","endpoint","override","cache","memoryValue","_key","cachedJWKS","nextRefreshAt","refreshInFlight","consecutiveFailures","fetchJWKS","allowStaleOnFailure","controller","timeoutHandle","response","error","body","fresh","backoff","v","entries","field","item","JWKS"],"mappings":"uCAeaA,EAAY,CACrB,OAASC,GAAmC,OAAO,KAAKA,CAAK,EAAE,SAAS,WAAW,EACnF,OAASA,GAA0B,OAAO,KAAKA,EAAO,WAAW,EAAE,SAAA,CACvE,EAOMC,EAAoB,CAACC,EAAWC,IAC9BD,EAAE,SAAWC,EAAE,OACR,GAEJC,EAAAA,gBAAgB,OAAO,KAAKF,CAAC,EAAG,OAAO,KAAKC,CAAC,CAAC,EAwDnDE,EAA0B,mBAEhC,SAASC,EAAcN,EAAkD,CACrE,OAAO,OAAOA,GAAU,UAAYA,IAAU,MAAQ,CAAC,MAAM,QAAQA,CAAK,CAC9E,CAEA,SAASO,EAAeP,EAAiC,CACrD,OAAO,OAAOA,GAAU,UAAY,OAAO,SAASA,CAAK,CAC7D,CAEA,SAASQ,EAAcR,EAAmC,CACtD,OAAO,MAAM,QAAQA,CAAK,GAAKA,EAAM,MAAOS,GAAU,OAAOA,GAAU,QAAQ,CACnF,CAEA,SAASC,EAAyBC,EAA8D,CAC5F,MAAMC,EAAwF,CAC1F,CAAC,MAAO,MAAO,MAAOD,EAAQ,MAAQ,QAAa,OAAOA,EAAQ,KAAQ,SAAU,SAAU,QAAA,EAC9F,CAAC,MAAO,MAAO,MAAOA,EAAQ,MAAQ,QAAa,OAAOA,EAAQ,KAAQ,SAAU,SAAU,QAAA,EAC9F,CAAC,MAAO,MAAO,MAAOA,EAAQ,MAAQ,QAAa,OAAOA,EAAQ,KAAQ,SAAU,SAAU,QAAA,EAC9F,CAAC,MAAO,MAAO,MAAOA,EAAQ,MAAQ,QAAa,OAAOA,EAAQ,KAAQ,SAAU,SAAU,QAAA,EAC9F,CAAC,MAAO,MAAO,MAAOA,EAAQ,MAAQ,QAAaJ,EAAeI,EAAQ,GAAG,EAAG,SAAU,QAAA,EAC1F,CAAC,MAAO,MAAO,MAAOA,EAAQ,MAAQ,QAAaJ,EAAeI,EAAQ,GAAG,EAAG,SAAU,QAAA,EAC1F,CAAC,MAAO,MAAO,MAAOA,EAAQ,MAAQ,QAAaJ,EAAeI,EAAQ,GAAG,EAAG,SAAU,QAAA,CAAQ,EAGtG,UAAWE,KAASD,EAChB,GAAI,CAACC,EAAM,MACP,MAAO,CACH,OAAQ,YAAYA,EAAM,KAAK,qBAAqBA,EAAM,QAAQ,GAClE,KAAM,eAAA,EAKlB,OAAIF,EAAQ,MAAQ,QAEZ,EADoB,OAAOA,EAAQ,KAAQ,UAAYH,EAAcG,EAAQ,GAAG,GAEzE,CACH,OAAQ,mDACR,KAAM,eAAA,EAKX,IACX,CAEA,SAASG,EAAsBC,EAAiE,CAC5F,GAAIA,EAAQ,kBAAoB,QAAaA,EAAQ,kBAAoB,OAASA,EAAQ,kBAAoB,OAC1G,MAAO,CACH,OAAQ,2DACR,KAAM,iBAAA,EAId,GAAIA,EAAQ,YAAc,SAAc,CAACR,EAAeQ,EAAQ,SAAS,GAAKA,EAAQ,UAAY,GAC9F,MAAO,CACH,OAAQ,kEACR,KAAM,iBAAA,EAId,GAAIA,EAAQ,cAAgB,SAAc,CAACR,EAAeQ,EAAQ,WAAW,GAAKA,EAAQ,YAAc,GACpG,MAAO,CACH,OAAQ,oEACR,KAAM,iBAAA,EAId,GAAIA,EAAQ,SAAW,QAAa,OAAOA,EAAQ,QAAW,SAC1D,MAAO,CACH,OAAQ,yCACR,KAAM,iBAAA,EAId,GAAIA,EAAQ,UAAY,QAAa,OAAOA,EAAQ,SAAY,SAC5D,MAAO,CACH,OAAQ,0CACR,KAAM,iBAAA,EAId,GAAIA,EAAQ,QAAU,QAAa,OAAOA,EAAQ,OAAU,SACxD,MAAO,CACH,OAAQ,wCACR,KAAM,iBAAA,EAId,GAAIA,EAAQ,WAAa,QAEjB,EADoB,OAAOA,EAAQ,UAAa,UAAYP,EAAcO,EAAQ,QAAQ,GAE1F,MAAO,CACH,OAAQ,uDACR,KAAM,iBAAA,EAKlB,GAAIA,EAAQ,aAAe,OAAW,CAClC,GAAI,CAAC,MAAM,QAAQA,EAAQ,UAAU,EACjC,MAAO,CACH,OAAQ,+CACR,KAAM,iBAAA,EAId,MAAMC,EAAmBD,EAAQ,WAAW,KAAME,GAAQ,EAAEA,KAAOC,EAAmB,EACtF,GAAIF,EACA,MAAO,CACH,OAAQ,qDAAqDA,CAAgB,IAC7E,KAAM,iBAAA,CAGlB,CAEA,OAAO,IACX,CAIA,SAASG,EAAcF,EAAqB,CACxC,OAAQA,EAAA,CACJ,IAAK,QACL,IAAK,SACD,MAAO,IACX,IAAK,QACD,MAAO,IACX,IAAK,QACD,MAAO,KAEX,QACI,MAAM,IAAI,MAAM,8CAA8CA,CAAG,EAAE,CAAA,CAE/E,CAEA,SAASG,EAAUC,EAAaC,EAAwB,CACpD,IAAIC,EAAI,EACR,GAAIF,EAAIE,GAAG,IAAM,GAAM,MAAM,IAAI,MAAM,6BAA6B,EAGpE,IAAIC,EAASH,EAAIE,GAAG,EACpB,GAAIC,EAAS,IAAM,CACf,MAAMC,EAAID,EAAS,IACnBA,EAAS,EACT,QAASE,EAAI,EAAGA,EAAID,EAAGC,IAAKF,EAAUA,GAAU,EAAKH,EAAIE,GAAG,CAChE,CAEA,GAAIF,EAAIE,GAAG,IAAM,EAAM,MAAM,IAAI,MAAM,iCAAiC,EACxE,MAAMI,EAAON,EAAIE,GAAG,EACpB,IAAIK,EAAIP,EAAI,SAASE,EAAGA,EAAII,CAAI,EAGhC,GAFAJ,GAAKI,EAEDN,EAAIE,GAAG,IAAM,EAAM,MAAM,IAAI,MAAM,iCAAiC,EACxE,MAAMM,EAAOR,EAAIE,GAAG,EACpB,IAAIO,EAAIT,EAAI,SAASE,EAAGA,EAAIM,CAAI,EAGhC,KAAOD,EAAE,OAASN,EAAS,GAAKM,EAAE,CAAC,IAAM,GAAMA,EAAIA,EAAE,SAAS,CAAC,EAC/D,KAAOE,EAAE,OAASR,EAAS,GAAKQ,EAAE,CAAC,IAAM,GAAMA,EAAIA,EAAE,SAAS,CAAC,EAE/D,MAAMC,EAAO,OAAO,OAAO,CAAC,OAAO,MAAMT,EAAS,EAAIM,EAAE,OAAQ,CAAC,EAAGA,CAAC,CAAC,EAChEI,EAAO,OAAO,OAAO,CAAC,OAAO,MAAMV,EAAS,EAAIQ,EAAE,OAAQ,CAAC,EAAGA,CAAC,CAAC,EACtE,OAAO,OAAO,OAAO,CAACC,EAAMC,CAAI,CAAC,CACrC,CAEA,SAASC,EAAUC,EAAsB,CACrC,MAAMC,EAAOD,EAAK,OAAS,EAC3B,IAAI,EAAIA,EAAK,SAAS,EAAGC,CAAI,EACzBL,EAAII,EAAK,SAASC,CAAI,EAG1B,KAAO,EAAE,OAAS,GAAK,EAAE,CAAC,IAAM,IAAS,EAAE,CAAC,EAAI,OAAU,GAAG,EAAI,EAAE,SAAS,CAAC,EAC7E,KAAOL,EAAE,OAAS,GAAKA,EAAE,CAAC,IAAM,IAASA,EAAE,CAAC,EAAI,OAAU,GAAGA,EAAIA,EAAE,SAAS,CAAC,EAGzE,EAAE,CAAC,EAAI,QAAU,OAAO,OAAO,CAAC,OAAO,KAAK,CAAC,CAAI,CAAC,EAAG,CAAC,CAAC,GACvDA,EAAE,CAAC,EAAI,QAAU,OAAO,OAAO,CAAC,OAAO,KAAK,CAAC,CAAI,CAAC,EAAGA,CAAC,CAAC,GAE3D,MAAMM,EAAQ,OAAO,OAAO,CAAC,OAAO,KAAK,CAAC,EAAM,EAAE,MAAM,CAAC,EAAG,CAAC,CAAC,EACxDC,EAAQ,OAAO,OAAO,CAAC,OAAO,KAAK,CAAC,EAAMP,EAAE,MAAM,CAAC,EAAGA,CAAC,CAAC,EAExDN,EAASY,EAAM,OAASC,EAAM,OAEpC,IAAIC,EACJ,GAAId,EAAS,IACTc,EAAW,OAAO,KAAK,CAACd,CAAM,CAAC,MAC5B,CACH,MAAMe,EAAgB,CAAA,EACtB,IAAId,EAAID,EACR,KAAOC,EAAI,GACPc,EAAI,QAAQd,EAAI,GAAI,EACpBA,IAAM,EAEVa,EAAW,OAAO,KAAK,CAAC,IAAOC,EAAI,OAAQ,GAAGA,CAAG,CAAC,CACtD,CAEA,OAAO,OAAO,OAAO,CAAC,OAAO,KAAK,CAAC,EAAI,CAAC,EAAGD,EAAUF,EAAOC,CAAK,CAAC,CACtE,CAEA,SAASG,EAAWvB,EAAsB,CACtC,OAAOA,IAAQ,SAAWA,IAAQ,SAAWA,IAAQ,SAAWA,IAAQ,QAC5E,CAIO,MAAMC,EAAqB,CAE9B,MAAO,CACH,KAAM,CAACuB,EAAkBC,IACrBC,EAAAA,WAAW,SAAUD,CAAM,EAAE,OAAOD,CAAI,EAAE,OAAO,WAAW,EAChE,OAAQ,CAACA,EAAkBC,EAAiBE,IAAsB,CAC9D,MAAMC,EAAWF,aAAW,SAAUD,CAAM,EAAE,OAAOD,CAAI,EAAE,OAAO,WAAW,EAC7E,OAAOxC,EAAkB4C,EAAUD,CAAS,CAChD,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBC,EAAAA,WAAW,SAAUD,CAAM,EAAE,OAAOD,CAAI,EAAE,OAAO,WAAW,EAChE,OAAQ,CAACA,EAAkBC,EAAiBE,IAAsB,CAC9D,MAAMC,EAAWF,aAAW,SAAUD,CAAM,EAAE,OAAOD,CAAI,EAAE,OAAO,WAAW,EAC7E,OAAOxC,EAAkB4C,EAAUD,CAAS,CAChD,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBC,EAAAA,WAAW,SAAUD,CAAM,EAAE,OAAOD,CAAI,EAAE,OAAO,WAAW,EAChE,OAAQ,CAACA,EAAkBC,EAAiBE,IAAsB,CAC9D,MAAMC,EAAWF,aAAW,SAAUD,CAAM,EAAE,OAAOD,CAAI,EAAE,OAAO,WAAW,EAC7E,OAAOxC,EAAkB4C,EAAUD,CAAS,CAChD,CAAA,EAIJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,EAAAA,WAAW,YAAY,EAAE,OAAOL,CAAI,EAAE,MAAM,KAAKC,CAAM,EAAE,SAAS,WAAW,EACjF,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,YAAY,EAC3B,OAAON,CAAI,EACX,IAAA,EACA,OAAOC,EAAQ,OAAO,KAAKE,EAAW,WAAW,CAAC,CAC3D,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,EAAAA,WAAW,YAAY,EAAE,OAAOL,CAAI,EAAE,MAAM,KAAKC,CAAM,EAAE,SAAS,WAAW,EACjF,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,YAAY,EAC3B,OAAON,CAAI,EACX,IAAA,EACA,OAAOC,EAAQ,OAAO,KAAKE,EAAW,WAAW,CAAC,CAC3D,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,EAAAA,WAAW,YAAY,EAAE,OAAOL,CAAI,EAAE,MAAM,KAAKC,CAAM,EAAE,SAAS,WAAW,EACjF,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,YAAY,EAC3B,OAAON,CAAI,EACX,IAAA,EACA,OAAOC,EAAQ,OAAO,KAAKE,EAAW,WAAW,CAAC,CAC3D,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAIJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,EAAAA,WAAW,QAAQ,EAAE,OAAOL,CAAI,EAAE,MAAM,KAAKC,CAAM,EAAE,SAAS,WAAW,EAC7E,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,QAAQ,EACvB,OAAON,CAAI,EACX,IAAA,EACA,OAAOC,EAAQ,OAAO,KAAKE,EAAW,WAAW,CAAC,CAC3D,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,EAAAA,WAAW,QAAQ,EAAE,OAAOL,CAAI,EAAE,MAAM,KAAKC,CAAM,EAAE,SAAS,WAAW,EAC7E,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,QAAQ,EACvB,OAAON,CAAI,EACX,IAAA,EACA,OAAOC,EAAQ,OAAO,KAAKE,EAAW,WAAW,CAAC,CAC3D,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,EAAAA,WAAW,QAAQ,EAAE,OAAOL,CAAI,EAAE,MAAM,KAAKC,CAAM,EAAE,SAAS,WAAW,EAC7E,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,QAAQ,EACvB,OAAON,CAAI,EACX,IAAA,EACA,OAAOC,EAAQ,OAAO,KAAKE,EAAW,WAAW,CAAC,CAC3D,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,OAAQ,CACJ,KAAM,CAACH,EAAkBC,IACrBI,EAAAA,WAAW,QAAQ,EAAE,OAAOL,CAAI,EAAE,MAAM,KAAKC,CAAM,EAAE,SAAS,WAAW,EAC7E,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,QAAQ,EACvB,OAAON,CAAI,EACX,IAAA,EACA,OAAOC,EAAQ,OAAO,KAAKE,EAAW,WAAW,CAAC,CAC3D,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,aAAW,YAAY,EAClB,OAAOL,CAAI,EACX,IAAA,EACA,KAAK,CAEF,IAAKC,EACL,QAASM,EAAO,UAAU,sBAC1B,WAAY,EAAA,CACf,EACA,SAAS,WAAW,EAC7B,OAAQ,CAACP,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,YAAY,EAC3B,OAAON,CAAI,EACX,IAAA,EACA,OAAO,CAEJ,IAAKC,EACL,QAASM,EAAO,UAAU,sBAC1B,WAAY,EAAA,EACb,OAAO,KAAKJ,EAAW,WAAW,CAAC,CAC9C,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,aAAW,YAAY,EAClB,OAAOL,CAAI,EACX,IAAA,EACA,KAAK,CAEF,IAAKC,EACL,QAASM,EAAO,UAAU,sBAC1B,WAAY,EAAA,CACf,EACA,SAAS,WAAW,EAC7B,OAAQ,CAACP,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,YAAY,EAC3B,OAAON,CAAI,EACX,IAAA,EACA,OAAO,CAEJ,IAAKC,EACL,QAASM,EAAO,UAAU,sBAC1B,WAAY,EAAA,EACb,OAAO,KAAKJ,EAAW,WAAW,CAAC,CAC9C,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBI,aAAW,YAAY,EAClB,OAAOL,CAAI,EACX,IAAA,EACA,KAAK,CAEF,IAAKC,EACL,QAASM,EAAO,UAAU,sBAC1B,WAAY,EAAA,CACf,EACA,SAAS,WAAW,EAC7B,OAAQ,CAACP,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOG,EAAAA,aAAa,YAAY,EAC3B,OAAON,CAAI,EACX,IAAA,EACA,OAAO,CAEJ,IAAKC,EACL,QAASM,EAAO,UAAU,sBAC1B,WAAY,EAAA,EACb,OAAO,KAAKJ,EAAW,WAAW,CAAC,CAC9C,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,EAEJ,MAAO,CACH,KAAM,CAACH,EAAkBC,IACrBO,EAAAA,KAAW,KAAM,OAAOR,GAAS,SAAW,OAAO,KAAKA,EAAM,MAAM,EAAIA,EAAMC,CAAM,EAC/E,SAAS,WAAW,EAC7B,OAAQ,CAACD,EAAkBC,EAAiBE,IAAsB,CAC9D,GAAI,CACA,OAAOM,EAAAA,OACH,KACA,OAAOT,GAAS,SAAW,OAAO,KAAKA,EAAM,MAAM,EAAIA,EACvDC,EACA,OAAO,KAAKE,EAAW,WAAW,CAAA,CAE1C,MAAQ,CACJ,MAAO,EACX,CACJ,CAAA,CAER,EAIaO,EAAsB,OAAO,KAAKjC,CAAkB,EAO1D,SAASkC,EAAoBC,EAAoC,CACpE,GAAIA,EAAI,OAAS,SAAU,MAAO,QAClC,GAAIA,EAAI,OAAS,UAAW,MAAM,IAAI,MAAM,yDAAyD,EAErG,MAAMC,EAAcD,EAAI,kBAClBE,EAAUF,EAAI,qBAEpB,OAAQC,EAAA,CACJ,IAAK,MACD,MAAO,QACX,IAAK,UAAW,CACZ,MAAME,EAAOD,GAAS,eAAiB,SACvC,OAAQC,EAAA,CACJ,IAAK,SACD,MAAO,QACX,IAAK,SACD,MAAO,QACX,IAAK,SACD,MAAO,QACX,QACI,MAAM,IAAI,MAAM,uCAAuCA,CAAI,EAAE,CAAA,CAEzE,CACA,IAAK,KAAM,CACP,MAAMC,EAAQF,GAAS,WACvB,OAAQE,EAAA,CACJ,IAAK,QACL,IAAK,aACD,MAAO,QACX,IAAK,QACL,IAAK,YACD,MAAO,QACX,IAAK,QACL,IAAK,YACD,MAAO,QACX,IAAK,YACD,MAAO,SACX,QACI,MAAM,IAAI,MAAM,yBAAyBA,CAAK,EAAE,CAAA,CAE5D,CACA,IAAK,UACD,MAAO,QACX,QACI,MAAM,IAAI,MAAM,oCAAoCH,CAAW,EAAE,CAAA,CAE7E,CAMA,SAASI,EAAYL,EAAyB,CAE1C,GAAI,OAAOA,GAAQ,UAAY,SAAUA,EAAK,OAAOA,EAGrD,GAAI,CACA,OAAOM,EAAAA,iBAAiBN,CAAG,CAC/B,MAAQ,CAEJ,MAAMO,EACF,OAAOP,GAAQ,SACT,OAAO,KAAKA,EAAK,MAAM,EACvB,OAAO,SAASA,CAAG,EACfA,GACC,IAAM,CACL,MAAM,IAAI,MAAM,sBAAsB,CAC1C,GAAA,EAEZ,OAAOQ,EAAAA,gBAAgBD,CAAM,CACjC,CACJ,CAMO,MAAME,EAAUC,GAAuB,CAC1C,MAAMC,EAAQD,EAAM,MAAM,GAAG,EAC7B,GAAIC,EAAM,SAAW,EACjB,MAAM,IAAI,MAAM,4DAA4D,EAGhF,KAAM,CAACC,EAAYC,EAAatB,CAAS,EAAIoB,EAE7C,GAAI,CAACC,GAAc,CAACC,GAAe,CAACtB,EAChC,MAAM,IAAI,MAAM,kCAAkC,EAGtD,GAAI,CAACvC,EAAwB,KAAK4D,CAAU,GAAK,CAAC5D,EAAwB,KAAK6D,CAAW,GAAK,CAAC7D,EAAwB,KAAKuC,CAAS,EAClI,MAAM,IAAI,MAAM,gDAAgD,EAGpE,GAAI,CACA,MAAMuB,EAAgB,KAAK,MAAMpE,EAAU,OAAOkE,CAAU,CAAC,EACvDG,EAAiB,KAAK,MAAMrE,EAAU,OAAOmE,CAAW,CAAC,EAE/D,GAAI,CAAC5D,EAAc6D,CAAa,GAAK,CAAC7D,EAAc8D,CAAc,EAC9D,MAAM,IAAI,MAAM,yCAAyC,EAG7D,MAAMC,EAASF,EACTxD,EAAUyD,EAEhB,GAAI,OAAOC,EAAO,KAAQ,UAAYA,EAAO,IAAI,SAAW,EACxD,MAAM,IAAI,MAAM,uCAAuC,EAE3D,GAAIA,EAAO,MAAQ,QAAa,OAAOA,EAAO,KAAQ,SAClD,MAAM,IAAI,MAAM,6BAA6B,EAEjD,GAAIA,EAAO,MAAQ,QAAa,OAAOA,EAAO,KAAQ,SAClD,MAAM,IAAI,MAAM,6BAA6B,EAGjD,MAAO,CAAC,OAAAA,EAAQ,QAAA1D,EAAS,UAAAiC,CAAA,CAC7B,OAAS0B,EAAK,CACV,MAAM,IAAI,MAAM,6CAA8CA,EAAc,OAAO,GAAG,CAC1F,CACJ,EAkBaC,EAAO,CAChB5D,EACA+B,EACA3B,EAAuB,CAAA,IACd,CACT,MAAMsC,EAAMK,EAAYhB,CAAM,EACxBzB,EAAMF,EAAQ,KAAOqC,EAAoBC,CAAG,EAC5CmB,EAAkBzD,EAAQ,iBAAmB,MAC7C0D,EAAM1D,EAAQ,KAAO,MAE3B,GAAI,EAAEE,KAAOC,GAAqB,MAAM,IAAI,MAAM,0BAA0BD,CAAG,EAAE,EAEjF,MAAMoD,EAAoB,CAAC,IAAApD,EAAK,IAAAwD,CAAA,EAC5B1D,EAAQ,MAAKsD,EAAO,IAAMtD,EAAQ,KAEtC,MAAM2D,EAAgB3E,EAAU,OAAO,KAAK,UAAUsE,CAAM,CAAC,EACvDM,EAAiB5E,EAAU,OAAO,KAAK,UAAUY,CAAO,CAAC,EAEzDiE,EAAe,GAAGF,CAAa,IAAIC,CAAc,GAGvD,IAAI/B,EAAY1B,EAAmBD,CAAG,EAAE,KAAK2D,EAAclC,CAAM,EAGjE,GAAI8B,IAAoB,QAAUhC,EAAWvB,CAAG,EAAG,CAC/C,MAAMI,EAAM,OAAO,KAAKuB,EAAW,WAAW,EAE9CA,EADaxB,EAAUC,EAAKF,EAAcF,CAAG,CAAC,EAC7B,SAAS,WAAW,CACzC,CAEA,MAAO,GAAGyD,CAAa,IAAIC,CAAc,IAAI/B,CAAS,EAE1D,EAoBaiC,EAAS,CAClBd,EACArB,EACA3B,EAA0B,CAAA,IAGqC,CAC/D,MAAM+D,EAAiBhE,EAAsBC,CAAO,EACpD,GAAI+D,EACA,MAAO,CACH,MAAO,GACP,MAAOA,CAAA,EAIf,IAAIC,EACJ,GAAI,CACAA,EAAUjB,EAAOC,CAAK,CAC1B,OAASO,EAAK,CACV,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAASA,EAAc,QACvB,KAAM,eAAA,CACV,CAER,CAEA,KAAM,CAAC,OAAAD,EAAQ,QAAA1D,EAAS,UAAAiC,CAAA,EAAamC,EAC/BC,EAAgBtE,EAAyBC,CAAO,EACtD,GAAIqE,EACA,MAAO,CACH,MAAO,GACP,MAAOA,CAAA,EAKf,MAAM/D,EAAMoD,EAAO,IACnB,GAAI,EAAEpD,KAAOC,GACT,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,qCAAqCmD,EAAO,GAAG,GACvD,KAAM,mBAAA,CACV,EAKR,GAAItD,EAAQ,YAAcA,EAAQ,WAAW,OAAS,GAC9C,CAACA,EAAQ,WAAW,SAASE,CAAG,EAChC,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,cAAcA,CAAG,0CACzB,KAAM,uBAAA,CACV,EAMZ,GAAIoD,EAAO,MAAQ,QAAaA,EAAO,MAAQ,MAC3C,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,4CAA4CA,EAAO,GAAG,IAC9D,KAAM,cAAA,CACV,EAKR,KAAM,CAACJ,EAAYC,CAAW,EAAIH,EAAM,MAAM,GAAG,EAC3Ca,EAAe,GAAGX,CAAU,IAAIC,CAAW,GAEjD,GAAK1B,EAAWvB,CAAG,EAWZ,CAEH,MAAMgE,EAASlE,EAAQ,gBAEvB,IAAImE,EAGJ,GAAID,IAAW,OACX,GAAI,CACA,MAAM/C,EAAO,OAAO,KAAKU,EAAW,WAAW,EACzCuC,EAAelD,EAAUC,CAAI,EAAE,SAAS,WAAW,EACzDgD,EAAKhE,EAAmBD,CAAG,EAAE,OAAO2D,EAAclC,EAAQyC,CAAY,CAC1E,MAAQ,CACJD,EAAK,EACT,SAGKD,IAAW,MAChBC,EAAKhE,EAAmBD,CAAG,EAAE,OAAO2D,EAAclC,EAAQE,CAAS,UAInEsC,EAAKhE,EAAmBD,CAAG,EAAE,OAAO2D,EAAclC,EAAQE,CAAS,EAC/D,CAACsC,EACD,GAAI,CACA,MAAMhD,EAAO,OAAO,KAAKU,EAAW,WAAW,EAE/C,GAAIV,EAAK,SAAWf,EAAcF,CAAG,EAAG,CACpC,MAAMkE,EAAelD,EAAUC,CAAI,EAAE,SAAS,WAAW,EACzDgD,EAAKhE,EAAmBD,CAAG,EAAE,OAAO2D,EAAclC,EAAQyC,CAAY,CAC1E,CACJ,MAAQ,CAER,CAIR,GAAI,CAACD,EACD,MAAO,CAAC,MAAO,GAAO,MAAO,CAAC,OAAQ,gCAAiC,KAAM,oBAAmB,CAExG,KAnDsB,CAElB,IAAIE,EAAmB,GACvB,GAAI,CACAA,EAAmBlE,EAAmBD,CAAG,EAAE,OAAO2D,EAAclC,EAAQE,CAAS,CACrF,MAAQ,CACJwC,EAAmB,EACvB,CACA,GAAI,CAACA,EACD,MAAO,CAAC,MAAO,GAAO,MAAO,CAAC,OAAQ,gCAAiC,KAAM,oBAAmB,CAExG,CA2CA,MAAMC,EAAM,KAAK,MAAM,KAAK,IAAA,EAAQ,GAAI,EAClCC,EAAOvE,EAAQ,WAAa,EAElC,GAAI,CAACA,EAAQ,kBACLJ,EAAQ,MAAQ,QAAa0E,EAAM1E,EAAQ,IAAM2E,EACjD,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,gBACR,KAAM,eAAA,CACV,EAKZ,GAAI3E,EAAQ,MAAQ,QAAa0E,EAAMC,EAAO3E,EAAQ,IAClD,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,sBACR,KAAM,kBAAA,CACV,EAIR,GAAIA,EAAQ,MAAQ,QAAa0E,EAAMC,EAAO3E,EAAQ,IAClD,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,6BACR,KAAM,qBAAA,CACV,EAKR,GAAII,EAAQ,cAAgB,QAAaJ,EAAQ,MAAQ,OAAW,CAChE,MAAM4E,EAAWF,EAAM1E,EAAQ,IAC/B,GAAI4E,EAAWxE,EAAQ,YACnB,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,cAAcwE,CAAQ,mCAAmCxE,EAAQ,WAAW,KACpF,KAAM,eAAA,CACV,CAGZ,CAKA,GAAIA,EAAQ,SAAW,OAAW,CAC9B,GAAIJ,EAAQ,MAAQ,OAChB,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,8CACR,KAAM,gBAAA,CACV,EAGR,GAAII,EAAQ,SAAWJ,EAAQ,IAC3B,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,mCAAmCI,EAAQ,MAAM,WAAWJ,EAAQ,GAAG,IAC/E,KAAM,gBAAA,CACV,CAGZ,CAGA,GAAII,EAAQ,UAAY,OAAW,CAC/B,GAAIJ,EAAQ,MAAQ,OAChB,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,+CACR,KAAM,iBAAA,CACV,EAGR,GAAII,EAAQ,UAAYJ,EAAQ,IAC5B,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,oCAAoCI,EAAQ,OAAO,WAAWJ,EAAQ,GAAG,IACjF,KAAM,iBAAA,CACV,CAGZ,CAGA,GAAII,EAAQ,WAAa,OAAW,CAChC,MAAMyE,EAAM7E,EAAQ,IACpB,GAAI6E,IAAQ,OACR,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,gDACR,KAAM,kBAAA,CACV,EAIR,MAAMC,EAAc,MAAM,QAAQ1E,EAAQ,QAAQ,EAAIA,EAAQ,SAAW,CAACA,EAAQ,QAAQ,EACpF2E,EAAW,MAAM,QAAQF,CAAG,EAAIA,EAAM,CAACA,CAAG,EAGhD,GAAI,CADaC,EAAY,QAAUC,EAAS,SAASxF,CAAC,CAAC,EAEvD,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,0BACR,KAAM,kBAAA,CACV,CAGZ,CAGA,GAAIa,EAAQ,QAAU,OAAW,CAC7B,GAAIJ,EAAQ,MAAQ,OAChB,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,8CACR,KAAM,aAAA,CACV,EAGR,GAAII,EAAQ,QAAUJ,EAAQ,IAC1B,MAAO,CACH,MAAO,GACP,MAAO,CACH,OAAQ,6BAA6BI,EAAQ,KAAK,WAAWJ,EAAQ,GAAG,IACxE,KAAM,aAAA,CACV,CAGZ,CAEA,MAAO,CAAC,MAAO,GAAM,OAAA0D,EAAQ,QAAA1D,EAAS,UAAAiC,CAAA,CAC1C,EAGa+C,EAAM,CACf,KAAApB,EACA,OAAAM,EACA,OAAAf,EACA,WAAY5C,CAChB,EC76BO,SAAS0E,EAAUvC,EAAqB,CAC3C,GAAI,CAACA,GAAO,OAAOA,GAAQ,SAAU,MAAM,IAAI,MAAM,mBAAmB,EACxE,OAAOA,EAAI,OAAO,CAAC,OAAQ,MAAM,CACrC,CAMO,SAASwC,EAAUC,EAAqB,CAC3C,GAAI,CAACA,GAAO,OAAOA,GAAQ,SAAU,MAAM,IAAI,MAAM,aAAa,EAElE,OAAQA,EAAI,IAAA,CACR,IAAK,MAAO,CACR,GAAI,EAAE,MAAOA,IAAQ,OAAOA,EAAI,GAAM,SAClC,MAAM,IAAI,MAAM,8BAA8B,EAGlD,OAAOjC,EAAAA,gBAAgB,OAAO,KAAKiC,EAAI,EAAG,WAAW,CAAC,CAC1D,CAEA,IAAK,MACL,IAAK,KACL,IAAK,MAED,MAAI,MAAOA,GAAO,OAAQA,EAAY,GAAM,SAEjCnC,EAAAA,iBAAiB,CAAC,OAAQ,MAAO,IAAKmC,EAAI,EAK9CC,EAAAA,gBAAgB,CAAC,OAAQ,MAAO,IAAKD,EAAI,EAGpD,QACI,MAAM,IAAI,MAAM,6BAA8BA,EAAY,GAAG,EAAE,CAAA,CAE3E,CAMO,SAASE,EAAY3C,EAAqB,CAC7C,GAAI,CAACA,GAAO,OAAOA,GAAQ,SACvB,MAAM,IAAI,MAAM,mBAAmB,EAQvC,MAAMyC,GAJFzC,EAAI,OAAS,UACP0C,EAAAA,gBAAgB1C,CAAG,EACnBA,GAEY,OAAO,CAAC,OAAQ,MAAM,EAG5C,cAAQyC,EAAY,EACpB,OAAQA,EAAY,EACpB,OAAQA,EAAY,EACpB,OAAQA,EAAY,GACpB,OAAQA,EAAY,GACpB,OAAQA,EAAY,GACbA,CACX,CAOO,SAASG,EAAiBH,EAAUI,EAAoB,SAAkB,CAC7E,GAAI,CAACJ,GAAO,OAAOA,GAAQ,SACvB,MAAM,IAAI,MAAM,aAAa,EAGjC,IAAIK,EAEJ,OAAQL,EAAI,IAAA,CACR,IAAK,MACDK,EAAS,CAAC,EAAGL,EAAI,EAAG,IAAKA,EAAI,IAAK,EAAGA,EAAI,CAAA,EACzC,MAEJ,IAAK,KACDK,EAAS,CAAC,IAAKL,EAAI,IAAK,IAAKA,EAAI,IAAK,EAAGA,EAAI,EAAG,EAAGA,EAAI,CAAA,EACvD,MAEJ,IAAK,MACDK,EAAS,CAAC,IAAKL,EAAI,IAAK,IAAKA,EAAI,IAAK,EAAGA,EAAI,CAAA,EAC7C,MAEJ,IAAK,MACDK,EAAS,CAAC,EAAGL,EAAI,EAAG,IAAKA,EAAI,GAAA,EAC7B,MAEJ,QACI,MAAM,IAAI,MAAM,6BAA8BA,EAAY,GAAG,EAAE,CAAA,CAIvE,MAAMM,EAAO,KAAK,UACd,OAAO,KAAKD,CAAM,EACb,OACA,OAAO,CAACE,EAAK3E,KACV2E,EAAI3E,CAAC,EAAIyE,EAAOzE,CAAC,EACV2E,GACR,CAAA,CAA4B,CAAA,EAGvC,OAAOC,EAAAA,WAAWJ,CAAO,EACpB,OAAOE,CAAI,EACX,OAAO,WAAW,CAC3B,CAOO,SAASG,EAAWT,EAA8B,CACrD,GAAKA,EAAI,KAAK,OACd,OAAOQ,EAAAA,WAAW,MAAM,EAAE,OAAO,OAAO,KAAKR,EAAI,IAAI,CAAC,EAAG,QAAQ,CAAC,EAAE,OAAO,WAAW,CAC1F,CAEO,MAAMU,EAAM,CACf,OAAQZ,EACR,OAAQC,EACR,SAAUG,EACV,WAAYC,CAChB,EAYO,SAASQ,EACZC,EACAC,EACS,CACT,GAAI,CAACD,GAAQ,CAAC,MAAM,QAAQA,EAAK,IAAI,EAAG,MAAM,IAAI,MAAM,cAAc,EAEtE,IAAIZ,EAOJ,GALIa,MAAWD,EAAK,KAAK,KAAKhF,GAAKA,EAAE,MAAQiF,CAAG,GAG5C,CAACb,GAAOY,EAAK,KAAK,SAAW,IAAGZ,EAAMY,EAAK,KAAK,CAAC,GAEjD,CAACZ,EAAK,MAAM,IAAI,MAAM,uBAAuB,EACjD,OAAOD,EAAUC,CAAG,CACxB,CAMO,SAASc,EAAcF,EAAkB,CAC5C,MAAO,CACH,KAAMG,EAAa,GAAGH,EAAK,IAAI,CAAA,CAEvC,CAEO,SAASG,KAAgBC,EAA+B,CAC3D,OAAOA,EAAK,IAAKhB,GAAQ,CACrB,MAAMiB,EAAa,CACf,GAAGjB,EACH,IAAKA,EAAI,KAAOG,EAAiBH,CAAG,EACpC,IAAKA,EAAI,KAAOS,EAAWT,CAAG,CAAA,EAIlC,cAAO,eAAeiB,EAAY,cAAe,CAC7C,WAAY,GACZ,aAAc,GACd,SAAU,GACV,MAAO,IAAMlB,EAAUkB,CAAU,CAAA,CACpC,EAEMA,CACX,CAAC,CACL,CAEO,MAAMC,EAAU,MACnBC,EACAlG,EAUK,KACJ,CACD,MAAMmG,EAAU,OAAOD,GAAQ,SAAWA,EAAMA,EAAI,SAAA,EAC9CE,EAAUpG,EAAQ,OAAS,WAAW,MACtCqG,EAAM,KAAK,IAAI,EAAGrG,EAAQ,KAAO,EAAI,GAAM,EAC3CsG,EAAY,KAAK,IAAI,EAAGtG,EAAQ,WAAa,GAAK,EAClDuG,EAAgB,yBAEtB,GAAI,CAACH,EACD,MAAM,IAAI,MAAM,mCAAmC,EAGvD,MAAMI,GAAY,IAAM,CACpB,GAAIxG,EAAQ,iBAAkB,CAC1B,MAAMyG,EAAWzG,EAAQ,iBACzB,GAAI,CACA,OAAO,IAAI,IAAIyG,EAAUN,CAAO,EAAE,SAAA,CACtC,MAAQ,CACJ,OAAOM,CACX,CACJ,CAMA,OAJIzG,EAAQ,uBAIRmG,EAAQ,SAASI,CAAa,EACvBJ,EAGJ,GAAGA,EAAQ,QAAQ,OAAQ,EAAE,CAAC,GAAGI,CAAa,EACzD,GAAA,EAEMG,GAAS,IAAM,CACjB,GAAI1G,EAAQ,MAAO,OAAOA,EAAQ,MAClC,IAAI2G,EACJ,MAAO,CACH,IAAK,IAAMA,EACX,IAAK,CAACC,EAAclH,IAAgB,CAChCiH,EAAcjH,CAClB,CAAA,CAER,GAAA,EAEA,IAAImH,EACAC,EAAgB,EAChBC,EACAC,EAAsB,EAE1B,MAAMC,EAAY,MAAOC,GAAgD,CACrE,GAAIH,EAAiB,OAAOA,EAE5BA,GAAmB,SAAY,CAC3B,MAAMI,EAAa,IAAI,gBACvB,IAAIC,EAEAd,EAAY,IACZc,EAAgB,WAAW,IAAMD,EAAW,MAAA,EAASb,CAAS,GAGlE,IAAIe,EACJ,GAAI,CACAA,EAAW,MAAMjB,EAAQI,EAAU,CAAC,OAAQW,EAAW,OAAO,CAClE,OAASG,EAAO,CACZ,MAAIH,EAAW,OAAO,QACZ,IAAI,MAAM,8BAA8Bb,CAAS,IAAI,EAEzDgB,CACV,QAAA,CACQF,gBAA4BA,CAAa,CACjD,CAEA,GAAI,CAACC,EAAS,GACV,MAAM,IAAI,MAAM,yBAAyBA,EAAS,MAAM,IAAIA,EAAS,UAAU,EAAE,EAGrF,MAAME,EAAO,MAAMF,EAAS,KAAA,EAC5B,GAAI,CAACE,GAAQ,OAAOA,GAAS,UAAY,CAAC,MAAM,QAASA,EAAa,IAAI,EACtE,MAAM,IAAI,MAAM,cAAc,EAGlC,OAAO1B,EAAc0B,CAAY,CACrC,GAAA,EAEA,GAAI,CACA,MAAMC,EAAQ,MAAMT,EACpB,OAAAF,EAAaW,EACb,MAAMd,EAAM,IAAIF,EAAUgB,CAAK,EAC/BR,EAAsB,EAClBX,EAAM,IAAGS,EAAgB,KAAK,MAAQT,GACnCmB,CACX,OAASF,EAAO,CACZ,GAAI,CAACJ,GAAuB,CAACL,EACzB,MAAMS,EAKV,GAFAN,GAAuB,EAEnBX,EAAM,EAAG,CACT,MAAMoB,EAAU,KAAK,IACjB,KAAK,IAAIpB,EAAK,GAAM,EAAI,KAAK,IAAI,EAAGW,EAAsB,CAAC,EAC3D,GAAK,EAETF,EAAgB,KAAK,MAAQW,CACjC,CAEA,eAAQ,KAAK,4BAA4BjB,CAAQ,wBAAyBc,CAAK,EACxET,CACX,QAAA,CACIE,EAAkB,MACtB,CACJ,EAEA,OAAAF,EAAa,MAAMH,EAAM,IAAIF,CAAQ,EAChCK,GAGDA,EAAahB,EAAcgB,CAAU,EACjCR,EAAM,IAAGS,EAAgB,KAAK,MAAQT,IAH1CQ,EAAa,MAAMI,EAAU,EAAK,EAO9B,CACJ,MAAM,MAAkC,CACpC,OAAIZ,EAAM,GAAK,KAAK,IAAA,GAASS,GACzB,MAAMG,EAAU,EAAI,EAEjBnB,EAAa,GAAIe,EAAoB,IAAI,CACpD,EACA,MAAM,SAAU,CACZ,aAAMI,EAAU,EAAK,EACd,IACX,EACA,MAAM,IAAIrB,EAAkD,CAExD,MAAMtD,GADO,MAAM,KAAK,KAAA,GACP,KAAMoF,GAAMA,EAAE,MAAQ9B,CAAG,EAC1C,GAAKtD,EACL,OAAOwD,EAAaxD,CAAG,EAAE,CAAC,CAC9B,EACA,MAAM,KAAKrD,EAAoD,CAC3D,MAAM8G,EAAO,MAAM,KAAK,KAAA,EAClB4B,EAAU,OAAO,QAAQ1I,CAAK,EAEpC,OAAI0I,EAAQ,SAAW,EAAU7B,EAAa,GAAGC,CAAI,EAE9CD,EAAa,GAAGC,EAAK,OAAQzD,GAChCqF,EAAQ,MAAM,CAAC,CAACC,EAAO9F,CAAQ,IAAM,CACjC,MAAMpC,EAAQ4C,EAAIsF,CAAK,EACvB,OAAI,MAAM,QAAQ9F,CAAQ,EACf,MAAM,QAAQpC,CAAK,GACnBA,EAAM,SAAWoC,EAAS,QAC1BpC,EAAM,MAAM,CAACmI,EAAMrH,IAAMqH,IAAS/F,EAAStB,CAAC,CAAC,EAEjDd,IAAUoC,CACrB,CAAC,CAAA,CACJ,CACL,EACA,MAAM,UAAU7C,EAA8D,CAC1E,OAAO,KAAK,KAAKA,CAAK,EAAE,KAAK,CAAC,CAACqD,CAAG,IAAMA,CAAG,CAC/C,EACA,QAA2B,CACvB,OAAOuE,CACX,CAAA,CAER,EAEaiB,GAAO,CAChB,YAAapC,EACb,UAAWG,EACX,QAAAI,CACJ"}