@strapi/provider-upload-aws-s3 5.35.0 → 5.36.1

package/README.md

@@ -29,6 +29,7 @@ npm install @strapi/provider-upload-aws-s3 --save
   - `ACL` is the access control list for the object. Defaults to `public-read`.
   - `signedUrlExpires` is the number of seconds before a signed URL expires. (See [how signed URLs work](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html)). Defaults to 15 minutes and URLs are only signed when ACL is set to `private`.
   - `Bucket` is the name of the bucket to upload to.
+- `providerOptions.providerConfig` contains extended configuration options (see below).
 - `actionOptions` is passed directly to the parameters to each method respectively. You can find the complete list of [upload/ uploadStream options](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#upload-property) and [delete options](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#deleteObject-property)
 
 See the [documentation about using a provider](https://docs.strapi.io/developer-docs/latest/plugins/upload.html#using-a-provider) for information on installing and using a provider. To understand how environment variables are used in Strapi, please refer to the [documentation about environment variables](https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/environment.html#environment-variables).
@@ -72,6 +73,159 @@ module.exports = ({ env }) => ({
 });
 ```
 
+## Extended Provider Configuration
+
+The `providerConfig` option provides additional features for data integrity, security, and cost optimization.
+
+### Checksum Validation
+
+Enable automatic checksum calculation to ensure data integrity during uploads. The SDK calculates a checksum on the client side, and S3 validates it server-side.
+
+```js
+providerOptions: {
+  s3Options: { /* ... */ },
+  providerConfig: {
+    checksumAlgorithm: 'CRC64NVME', // Options: 'CRC32', 'CRC32C', 'SHA1', 'SHA256', 'CRC64NVME'
+  },
+},
+```
+
+`CRC64NVME` is recommended for best performance on modern hardware.
+
+### Conditional Writes (Prevent Overwrites)
+
+Prevent accidental file overwrites due to race conditions by enabling conditional writes. When enabled, uploads will fail if an object with the same key already exists.
+
+```js
+providerConfig: {
+  preventOverwrite: true,
+},
+```
+
+### Storage Class Configuration (AWS S3 only)
+
+Optimize storage costs by specifying a storage class for uploaded objects. Use lower-cost classes for infrequently accessed data.
+
+**Note:** Storage classes are AWS S3-specific. Other S3-compatible providers (MinIO, DigitalOcean Spaces, IONOS, Wasabi) will ignore this setting.
+
+```js
+providerConfig: {
+  storageClass: 'INTELLIGENT_TIERING', // Auto-optimizes costs
+},
+```
+
+Available storage classes (AWS S3):
+
+- `STANDARD` - Frequently accessed data (default)
+- `INTELLIGENT_TIERING` - Automatic cost optimization
+- `STANDARD_IA` - Infrequently accessed data
+- `ONEZONE_IA` - Infrequently accessed, single AZ
+- `GLACIER` - Archive storage
+- `DEEP_ARCHIVE` - Long-term archive
+- `GLACIER_IR` - Glacier Instant Retrieval
+
+### Server-Side Encryption
+
+Configure server-side encryption for compliance requirements (GDPR, HIPAA, etc.).
+
+```js
+providerConfig: {
+  encryption: {
+    type: 'AES256', // S3-managed encryption
+  },
+},
+```
+
+For KMS-managed encryption (AWS S3 only):
+
+```js
+providerConfig: {
+  encryption: {
+    type: 'aws:kms',
+    kmsKeyId: env('AWS_KMS_KEY_ID'),
+  },
+},
+```
+
+Available encryption types:
+
+- `AES256` - S3-managed keys (SSE-S3) - supported by most S3-compatible providers
+- `aws:kms` - AWS KMS-managed keys (SSE-KMS) - AWS S3 only
+- `aws:kms:dsse` - Dual-layer SSE with KMS - AWS S3 only
+
+### Object Tagging
+
+Apply tags to uploaded objects for cost allocation, lifecycle policies, and organization.
+
+```js
+providerConfig: {
+  tags: {
+    project: 'website',
+    environment: 'production',
+    team: 'backend',
+  },
+},
+```
+
+### Multipart Upload Configuration
+
+Configure multipart upload behavior for large files.
+
+```js
+providerConfig: {
+  multipart: {
+    partSize: 10 * 1024 * 1024, // 10MB per part
+    queueSize: 4,               // Number of parallel uploads
+    leavePartsOnError: false,   // Clean up on failure
+  },
+},
+```
+
+### Complete Configuration Example
+
+```js
+module.exports = ({ env }) => ({
+  upload: {
+    config: {
+      provider: 'aws-s3',
+      providerOptions: {
+        baseUrl: env('CDN_URL'),
+        rootPath: env('CDN_ROOT_PATH'),
+        s3Options: {
+          credentials: {
+            accessKeyId: env('AWS_ACCESS_KEY_ID'),
+            secretAccessKey: env('AWS_ACCESS_SECRET'),
+          },
+          region: env('AWS_REGION'),
+          params: {
+            ACL: 'private',
+            signedUrlExpires: 15 * 60,
+            Bucket: env('AWS_BUCKET'),
+          },
+        },
+        providerConfig: {
+          checksumAlgorithm: 'CRC64NVME',
+          preventOverwrite: true,
+          storageClass: 'INTELLIGENT_TIERING',
+          encryption: {
+            type: 'aws:kms',
+            kmsKeyId: env('AWS_KMS_KEY_ID'),
+          },
+          tags: {
+            application: 'strapi',
+            environment: env('NODE_ENV'),
+          },
+          multipart: {
+            partSize: 10 * 1024 * 1024,
+            queueSize: 4,
+          },
+        },
+      },
+    },
+  },
+});
+```
+
 ### Configuration for a private S3 bucket and signed URLs
 
 If your bucket is configured to be private, you will need to set the `ACL` option to `private` in the `params` object. This will ensure file URLs are signed.
@@ -113,7 +267,25 @@ module.exports = ({ env }) => ({
 
 #### Configuration for S3 compatible services
 
-This plugin may work with S3 compatible services by using the `endpoint`. Scaleway example:
+This plugin works with S3-compatible services by using the `endpoint` option. The provider automatically constructs correct URLs for S3-compatible services that return incorrect `Location` formats for multipart uploads (e.g. IONOS, MinIO).
+
+**Important:** Some providers require `forcePathStyle: true` in the `s3Options`. This is needed when the provider does not support virtual-hosted-style URLs (e.g. `bucket.endpoint.com`), and instead uses path-style URLs (e.g. `endpoint.com/bucket`).
+
+| Provider            | `forcePathStyle` | `ACL`             | Notes                             |
+| ------------------- | ---------------- | ----------------- | --------------------------------- |
+| IONOS               | `true`           | Supported         | Multipart Location bug auto-fixed |
+| MinIO               | `true`           | Supported         |                                   |
+| Contabo             | `true`           | Supported         |                                   |
+| Hetzner             | `true`           | Supported         |                                   |
+| DigitalOcean Spaces | Not needed       | Supported         |                                   |
+| Wasabi              | Not needed       | Supported         |                                   |
+| Scaleway            | Not needed       | Supported         |                                   |
+| Vultr               | Not needed       | Supported         |                                   |
+| Backblaze B2        | Not needed       | Supported         |                                   |
+| Cloudflare R2       | Not needed       | **Not supported** | Omit `ACL` from params            |
+
+##### Scaleway example
+
 `./config/plugins.js`
 
 ```js
@@ -123,14 +295,16 @@ module.exports = ({ env }) => ({
     config: {
       provider: 'aws-s3',
       providerOptions: {
-        credentials: {
-          accessKeyId: env('SCALEWAY_ACCESS_KEY_ID'),
-          secretAccessKey: env('SCALEWAY_ACCESS_SECRET'),
-        },
-        region: env('SCALEWAY_REGION'), // e.g "fr-par"
-        endpoint: env('SCALEWAY_ENDPOINT'), // e.g. "https://s3.fr-par.scw.cloud"
-        params: {
-          Bucket: env('SCALEWAY_BUCKET'),
+        s3Options: {
+          credentials: {
+            accessKeyId: env('SCALEWAY_ACCESS_KEY_ID'),
+            secretAccessKey: env('SCALEWAY_ACCESS_SECRET'),
+          },
+          region: env('SCALEWAY_REGION'), // e.g "fr-par"
+          endpoint: env('SCALEWAY_ENDPOINT'), // e.g. "https://s3.fr-par.scw.cloud"
+          params: {
+            Bucket: env('SCALEWAY_BUCKET'),
+          },
         },
       },
     },
@@ -139,6 +313,58 @@ module.exports = ({ env }) => ({
 });
 ```
 
+##### IONOS / MinIO / Contabo example (forcePathStyle required)
+
+```js
+module.exports = ({ env }) => ({
+  upload: {
+    config: {
+      provider: 'aws-s3',
+      providerOptions: {
+        s3Options: {
+          credentials: {
+            accessKeyId: env('S3_ACCESS_KEY_ID'),
+            secretAccessKey: env('S3_ACCESS_SECRET'),
+          },
+          region: env('S3_REGION'),
+          endpoint: env('S3_ENDPOINT'),
+          forcePathStyle: true, // Required for these providers
+          params: {
+            Bucket: env('S3_BUCKET'),
+          },
+        },
+      },
+    },
+  },
+});
+```
+
+##### Cloudflare R2 example (no ACL support)
+
+```js
+module.exports = ({ env }) => ({
+  upload: {
+    config: {
+      provider: 'aws-s3',
+      providerOptions: {
+        s3Options: {
+          credentials: {
+            accessKeyId: env('R2_ACCESS_KEY_ID'),
+            secretAccessKey: env('R2_ACCESS_SECRET'),
+          },
+          region: 'auto',
+          endpoint: env('R2_ENDPOINT'), // e.g. "https://<account-id>.r2.cloudflarestorage.com"
+          params: {
+            Bucket: env('R2_BUCKET'),
+            // Do NOT set ACL - R2 does not support ACLs
+          },
+        },
+      },
+    },
+  },
+});
+```
+
 ### Security Middleware Configuration
 
 Due to the default settings in the Strapi Security Middleware you will need to modify the `contentSecurityPolicy` settings to properly see thumbnail previews in the Media Library. You should replace `strapi::security` string with the object bellow instead as explained in the [middleware configuration](https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/required/middlewares.html#loading-order) documentation.
@@ -253,3 +479,28 @@ upload: {
 ```
 
 This configuration ensures compatibility with the updated AWS SDK while providing flexibility in URL format selection, catering to various user needs.
+
+## Security Considerations
+
+This provider includes several security measures to protect against common attack vectors.
+
+### Path Traversal Prevention
+
+File paths, hashes, and extensions are sanitized to prevent directory traversal attacks. Sequences like `../` are removed, and special characters in file extensions are filtered.
+
+### Parameter Injection Protection
+
+The `customParams` option allows passing additional parameters to S3 operations. However, critical security parameters (`Bucket`, `Key`, `Body`) cannot be overridden via `customParams` to prevent unauthorized access to other buckets or objects.
+
+### URL Protocol Validation
+
+Only `http://` and `https://` protocols are accepted for S3 response URLs. This prevents potential injection of dangerous protocols like `file://`, `javascript:`, or `data:`.
+
+### Recommendations
+
+1. **Use Private ACL**: Set `ACL: 'private'` for sensitive content and use signed URLs for access.
+2. **Enable Encryption**: Configure server-side encryption for data at rest.
+3. **Enable Checksums**: Use `checksumAlgorithm` to ensure data integrity during uploads.
+4. **Use Conditional Writes**: Enable `preventOverwrite: true` to prevent accidental overwrites.
+5. **Apply Least Privilege**: Use the minimum required IAM permissions listed above.
+6. **Enable Bucket Versioning**: Consider enabling S3 versioning for recovery from accidental deletions.

package/dist/index.d.ts

@@ -2,8 +2,36 @@
 /// <reference types="node" />
 /// <reference types="node" />
 import type { ReadStream } from 'node:fs';
-import { DeleteObjectCommandOutput, CompleteMultipartUploadCommandOutput, AbortMultipartUploadCommandOutput, S3ClientConfig, ObjectCannedACL } from '@aws-sdk/client-s3';
+import { DeleteObjectCommandOutput, CompleteMultipartUploadCommandOutput, AbortMultipartUploadCommandOutput, S3ClientConfig, ObjectCannedACL, StorageClass, ServerSideEncryption } from '@aws-sdk/client-s3';
 import type { AwsCredentialIdentity } from '@aws-sdk/types';
+/**
+ * Supported checksum algorithms for data integrity validation.
+ * CRC64NVME is recommended for best performance on modern hardware.
+ */
+export type SupportedChecksumAlgorithm = 'CRC32' | 'CRC32C' | 'SHA1' | 'SHA256' | 'CRC64NVME';
+/**
+ * Supported S3 storage classes for cost optimization.
+ */
+export type SupportedStorageClass = 'STANDARD' | 'REDUCED_REDUNDANCY' | 'STANDARD_IA' | 'ONEZONE_IA' | 'INTELLIGENT_TIERING' | 'GLACIER' | 'DEEP_ARCHIVE' | 'GLACIER_IR';
+/**
+ * Server-side encryption types.
+ */
+export type EncryptionType = 'AES256' | 'aws:kms' | 'aws:kms:dsse';
+/**
+ * Encryption configuration for server-side encryption.
+ */
+export interface EncryptionConfig {
+    type: EncryptionType;
+    kmsKeyId?: string;
+}
+/**
+ * Multipart upload configuration for large files.
+ */
+export interface MultipartConfig {
+    partSize?: number;
+    queueSize?: number;
+    leavePartsOnError?: boolean;
+}
 export interface File {
     name: string;
     alternativeText?: string;
@@ -23,37 +51,112 @@ export interface File {
     provider_metadata?: Record<string, unknown>;
     stream?: ReadStream;
     buffer?: Buffer;
+    etag?: string;
 }
 export type UploadCommandOutput = (CompleteMultipartUploadCommandOutput | AbortMultipartUploadCommandOutput) & {
     Location: string;
+    ETag?: string;
 };
 export interface AWSParams {
     Bucket: string;
     ACL?: ObjectCannedACL;
     signedUrlExpires?: number;
 }
+/**
+ * Extended configuration options for the S3 provider.
+ */
+export interface ProviderConfig {
+    /**
+     * Checksum algorithm for data integrity validation during upload.
+     * When enabled, the SDK calculates a checksum and S3 validates it server-side.
+     */
+    checksumAlgorithm?: SupportedChecksumAlgorithm;
+    /**
+     * When true, uploads will fail if an object with the same key already exists.
+     * This prevents accidental overwrites due to race conditions.
+     */
+    preventOverwrite?: boolean;
+    /**
+     * S3 storage class for uploaded objects.
+     * Use lower-cost classes for infrequently accessed data.
+     */
+    storageClass?: SupportedStorageClass;
+    /**
+     * Server-side encryption configuration.
+     */
+    encryption?: EncryptionConfig;
+    /**
+     * Tags to apply to uploaded objects.
+     * Useful for cost allocation and lifecycle policies.
+     */
+    tags?: Record<string, string>;
+    /**
+     * Multipart upload configuration for large files.
+     */
+    multipart?: MultipartConfig;
+}
 export interface DefaultOptions extends S3ClientConfig {
     accessKeyId?: AwsCredentialIdentity['accessKeyId'];
     secretAccessKey?: AwsCredentialIdentity['secretAccessKey'];
     credentials?: AwsCredentialIdentity;
     params?: AWSParams;
-    [k: string]: any;
+    [k: string]: unknown;
 }
 export type InitOptions = (DefaultOptions | {
     s3Options: DefaultOptions;
 }) & {
     baseUrl?: string;
     rootPath?: string;
-    [k: string]: any;
+    providerConfig?: ProviderConfig;
+    [k: string]: unknown;
 };
 declare const _default: {
-    init({ baseUrl, rootPath, s3Options, ...legacyS3Options }: InitOptions): {
+    init({ baseUrl, rootPath, s3Options, providerConfig, ...legacyS3Options }: InitOptions): {
+        /**
+         * Returns whether the bucket is configured with private ACL.
+         */
         isPrivate(): boolean;
+        /**
+         * Returns the current provider configuration.
+         */
+        getProviderConfig(): ProviderConfig | undefined;
+        /**
+         * Generates a signed URL for accessing a private object.
+         */
         getSignedUrl(file: File, customParams: any): Promise<{
             url: string;
         }>;
+        /**
+         * Uploads a file using streaming.
+         */
         uploadStream(file: File, customParams?: {}): Promise<void>;
+        /**
+         * Uploads a file to S3.
+         */
         upload(file: File, customParams?: {}): Promise<void>;
+        /**
+         * Uploads a file only if it matches the expected ETag (optimistic locking).
+         * Throws PreconditionFailed error if ETag does not match.
+         */
+        uploadIfMatch(file: File, expectedETag: string, customParams?: {}): Promise<void>;
+        /**
+         * Retrieves object metadata including ETag.
+         */
+        getObjectMetadata(file: File): Promise<{
+            etag: string | undefined;
+            contentLength: number | undefined;
+            contentType: string | undefined;
+            lastModified: Date | undefined;
+            storageClass: StorageClass | undefined;
+            serverSideEncryption: ServerSideEncryption | undefined;
+        }>;
+        /**
+         * Checks if an object exists in the bucket.
+         */
+        objectExists(file: File): Promise<boolean>;
+        /**
+         * Deletes an object from S3.
+         */
         delete(file: File, customParams?: {}): Promise<DeleteObjectCommandOutput>;
     };
 };

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C,OAAO,EAIL,yBAAyB,EAEzB,oCAAoC,EACpC,iCAAiC,EACjC,cAAc,EACd,eAAe,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAK5D,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC5C,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,mBAAmB,GAAG,CAC9B,oCAAoC,GACpC,iCAAiC,CACpC,GAAG;IACF,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,eAAe,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,cAAe,SAAQ,cAAc;IAEpD,WAAW,CAAC,EAAE,qBAAqB,CAAC,aAAa,CAAC,CAAC;IACnD,eAAe,CAAC,EAAE,qBAAqB,CAAC,iBAAiB,CAAC,CAAC;IAE3D,WAAW,CAAC,EAAE,qBAAqB,CAAC;IACpC,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB,CAAC,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC;CAClB;AAED,MAAM,MAAM,WAAW,GAAG,CAAC,cAAc,GAAG;IAAE,SAAS,EAAE,cAAc,CAAA;CAAE,CAAC,GAAG;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC;CAClB,CAAC;;+DA0B2D,WAAW;;2BAwCzC,IAAI,gBAAgB,GAAG,GAAG,QAAQ;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAC;2BAsBxD,IAAI;qBAGV,IAAI;qBAGJ,IAAI,sBAAsB,QAAQ,yBAAyB,CAAC;;;AArE/E,wBA+EE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C,OAAO,EAIL,yBAAyB,EAGzB,oCAAoC,EACpC,iCAAiC,EACjC,cAAc,EACd,eAAe,EAEf,YAAY,EACZ,oBAAoB,EACrB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAK5D;;;GAGG;AACH,MAAM,MAAM,0BAA0B,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,WAAW,CAAC;AAE9F;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAC7B,UAAU,GACV,oBAAoB,GACpB,aAAa,GACb,YAAY,GACZ,qBAAqB,GACrB,SAAS,GACT,cAAc,GACd,YAAY,CAAC;AAEjB;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,SAAS,GAAG,cAAc,CAAC;AAEnE;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC5C,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,MAAM,mBAAmB,GAAG,CAC9B,oCAAoC,GACpC,iCAAiC,CACpC,GAAG;IACF,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,eAAe,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,0BAA0B,CAAC;IAE/C;;;OAGG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B;;;OAGG;IACH,YAAY,CAAC,EAAE,qBAAqB,CAAC;IAErC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE9B;;OAEG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;CAC7B;AAED,MAAM,WAAW,cAAe,SAAQ,cAAc;IAEpD,WAAW,CAAC,EAAE,qBAAqB,CAAC,aAAa,CAAC,CAAC;IACnD,eAAe,CAAC,EAAE,qBAAqB,CAAC,iBAAiB,CAAC,CAAC;IAE3D,WAAW,CAAC,EAAE,qBAAqB,CAAC;IACpC,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;CACtB;AAED,MAAM,MAAM,WAAW,GAAG,CAAC,cAAc,GAAG;IAAE,SAAS,EAAE,cAAc,CAAA;CAAE,CAAC,GAAG;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;CACtB,CAAC;;+EAoL2E,WAAW;QAqNlF;;WAEG;;QAKH;;WAEG;6BACkB,cAAc,GAAG,SAAS;QAI/C;;WAEG;2BACsB,IAAI,gBAAgB,GAAG,GAAG,QAAQ;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAC;QAuB3E;;WAEG;2BACgB,IAAI;QAIvB;;WAEG;qBACU,IAAI;QAIjB;;;WAGG;4BACiB,IAAI,gBAAgB,MAAM;QAI9C;;WAEG;gCACqB,IAAI;;;;;;;;QAI5B;;WAEG;2BACgB,IAAI;QAIvB;;WAEG;qBACU,IAAI,sBAAsB,QAAQ,yBAAyB,CAAC;;;AArS/E,wBAkTE"}