npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2488) hide show

package/dist/cjs/server/router/cloudflare.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"cloudflare.js","names":["out: ShamirApplyServerLockResponse","e: any","out: ShamirRemoveServerLockResponse","normalizedHeaders: Record<string, string>","v","base: Logger","allowedOrigin: string \| '' \| undefined","out: Record<string, string>","e: any","body: unknown","res","headersObj: Record<string, string>","rawBody: unknown","result","currentKeyId: string \| null","shamirReady: boolean \| null","shamirCurrentKeyId: string \| null","shamirError: string \| undefined","e: unknown"],"sources":["../../../../src/core/WalletIframe/validation.ts","../../../../src/server/core/shamirHandlers.ts","../../../../src/server/core/SessionService.ts","../../../../src/server/email-recovery/zkEmail/index.ts","../../../../src/server/email-recovery/emailParsers.ts","../../../../src/server/core/logger.ts","../../../../src/server/router/logger.ts","../../../../src/server/router/cloudflare-adaptor.ts"],"sourcesContent":["// Shared runtime validation helpers for Wallet Iframe code.\n\nexport function isObject(x: unknown): x is Record<string, unknown> {\n return x !== null && typeof x === 'object';\n}\n\nexport function isString(x: unknown): x is string {\n return typeof x === 'string';\n}\n\nexport function isNonEmptyString(x: unknown): x is string {\n return typeof x === 'string' && x.length > 0;\n}\n\nexport function isNumber(x: unknown): x is number {\n return typeof x === 'number';\n}\n\nexport function isFiniteNumber(x: unknown): x is number {\n return typeof x === 'number' && Number.isFinite(x);\n}\n\nexport function isFunction(x: unknown): x is Function {\n return typeof x === 'function';\n}\n\nexport function isBoolean(x: unknown): x is boolean {\n return typeof x === 'boolean';\n}\n\nexport function isArray<T = unknown>(x: unknown): x is T[] {\n return Array.isArray(x);\n}\n\n// ========= Assertions (throw on mismatch) =========\n\nexport function assertString(val: unknown, name = 'value'): string {\n if (typeof val !== 'string') throw new Error(`Invalid ${name}: expected string`);\n return val;\n}\n\nexport function assertNumber(val: unknown, name = 'value'): number {\n if (typeof val !== 'number' \|\| !Number.isFinite(val)) throw new Error(`Invalid ${name}: expected finite number`);\n return val;\n}\n\nexport function assertBoolean(val: unknown, name = 'value'): boolean {\n if (typeof val !== 'boolean') throw new Error(`Invalid ${name}: expected boolean`);\n return val;\n}\n\nexport function assertObject<T extends Record<string, unknown> = Record<string, unknown>>(val: unknown, name = 'value'): T {\n if (!isObject(val)) throw new Error(`Invalid ${name}: expected object`);\n return val as T;\n}\n\nexport function assertArray<T = unknown>(val: unknown, name = 'value'): T[] {\n if (!Array.isArray(val)) throw new Error(`Invalid ${name}: expected array`);\n return val as T[];\n}\n\n// Shallowly remove function-valued properties (postMessage/clone safety)\nexport function stripFunctionsShallow<T extends Record<string, unknown>>(obj?: T): Partial<T> \| undefined {\n if (!obj \|\| !isObject(obj)) return undefined;\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(obj)) {\n if (!isFunction(v)) out[k] = v as unknown;\n }\n return out as Partial<T>;\n}\n\n// ===============================\n// SignedTransaction shape helpers\n// ===============================\n\nexport interface PlainSignedTransactionLike {\n transaction: unknown;\n signature: unknown;\n borsh_bytes?: unknown;\n borshBytes?: unknown;\n base64Encode?: unknown;\n}\n\nexport function isPlainSignedTransactionLike(x: unknown): x is PlainSignedTransactionLike {\n if (!isObject(x)) return false;\n const hasTx = 'transaction' in x;\n const hasSig = 'signature' in x;\n const bytes = x as { borsh_bytes?: unknown; borshBytes?: unknown };\n const hasBytes = Array.isArray(bytes.borsh_bytes) \|\| bytes.borshBytes instanceof Uint8Array;\n const hasMethod = typeof (x as { base64Encode?: unknown }).base64Encode === 'function';\n return hasTx && hasSig && hasBytes && !hasMethod;\n}\n\nexport function extractBorshBytesFromPlainSignedTx(x: PlainSignedTransactionLike): number[] {\n const asArray = Array.isArray(x.borsh_bytes) ? (x.borsh_bytes as number[]) : undefined;\n if (asArray) return asArray;\n const asU8 = (x.borshBytes instanceof Uint8Array) ? x.borshBytes : undefined;\n return Array.from(asU8 \|\| new Uint8Array());\n}\n","import type {\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n} from './types';\nimport type { ShamirService } from './ShamirService';\nimport { isString } from '../../core/WalletIframe/validation';\n\nexport async function handleApplyServerLock(\n service: ShamirService,\n request: { body?: { kek_c_b64u?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const kek_c_b64u = request.body?.kek_c_b64u;\n if (!isString(kek_c_b64u) \|\| !kek_c_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_c_b64u required and must be a non-empty string' }),\n };\n }\n\n const out: ShamirApplyServerLockResponse = await service.applyServerLock(kek_c_b64u);\n const keyId = service.getCurrentShamirKeyId();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ ...out, keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveServerLock(\n service: ShamirService,\n request: { body?: { kek_cs_b64u?: string; keyId?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const body = request.body;\n if (!body) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'Missing body' }),\n };\n }\n const { kek_cs_b64u, keyId } = body;\n if (!isString(kek_cs_b64u) \|\| !kek_cs_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_cs_b64u required and must be a non-empty string' }),\n };\n }\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const providedKeyId = String(keyId);\n const currentKeyId = service.getCurrentShamirKeyId();\n let out: ShamirRemoveServerLockResponse;\n\n if (currentKeyId && providedKeyId === currentKeyId) {\n out = await service.removeServerLock(kek_cs_b64u);\n } else if (service.hasGraceKey(providedKeyId)) {\n out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u } as ShamirRemoveServerLockRequest);\n } else {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'unknown keyId' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(out),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleGetShamirKeyInfo(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureReady();\n const currentKeyId = service.getCurrentShamirKeyId();\n const graceKeyIds = service.getGraceKeyIds();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n currentKeyId,\n p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,\n graceKeyIds,\n }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleListGraceKeys(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureGraceKeysLoaded();\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ graceKeyIds: service.getGraceKeyIds() }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleAddGraceKey(\n service: ShamirService,\n request: { e_s_b64u?: string; d_s_b64u?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const { e_s_b64u, d_s_b64u } = request \|\| ({} as any);\n if (!isString(e_s_b64u) \|\| !e_s_b64u \|\| !isString(d_s_b64u) \|\| !d_s_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'e_s_b64u and d_s_b64u required' }),\n };\n }\n\n await service.ensureGraceKeysLoaded();\n const added = await service.addGraceKeyInternal({ e_s_b64u, d_s_b64u }, { persist: true, skipIfExists: true });\n if (!added) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'failed to add grace key' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ keyId: added.keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveGraceKey(\n service: ShamirService,\n request: { keyId?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const keyId = request?.keyId;\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const removed = await service.removeGraceKeyInternal(keyId, { persist: true });\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ removed }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n","\nexport interface SessionConfig {\n jwt?: {\n /* Required: JWT signing hook; return a complete token /\n signToken?: (input: { header: Record<string, unknown>; payload: Record<string, unknown> }) => Promise<string> \| string;\n /* Required: JWT verification hook /\n verifyToken?: (token: string) => Promise<{ valid: boolean; payload?: any }> \| { valid: boolean; payload?: any };\n /* Optional: sliding refresh window (seconds) to allow /session/refresh before exp, default 900 (15 min) /\n refreshWindowSec?: number;\n /* Optional: build additional claims to include in the payload /\n buildClaims?: (input: { sub: string; context?: Record<string, unknown> }) => Promise<Record<string, unknown> \| void> \| Record<string, unknown> \| void;\n };\n cookie?: {\n /* Cookie name. Default: 'w3a_session' /\n name?: string;\n /* Optional override: build Set-Cookie header for a new token /\n buildSetHeader?: (token: string) => string;\n /* Optional override: build Set-Cookie header that clears the cookie /\n buildClearHeader?: () => string;\n /* Optional override: extract token from headers (Authorization/Cookie) /\n extractToken?: (headers: Record<string, string \| string[] \| undefined>, cookieName: string) => string \| null;\n };\n}\n\nexport class SessionService<TClaims = any> {\n private cfg: NonNullable<SessionConfig>;\n\n constructor(cfg: NonNullable<SessionConfig>) {\n this.cfg = cfg \|\| ({} as any);\n }\n\n getCookieName(): string {\n return this.cfg?.cookie?.name \|\| 'w3a_session';\n }\n\n buildSetCookie(token: string): string {\n if (this.cfg?.cookie?.buildSetHeader) return this.cfg.cookie.buildSetHeader(token);\n const name = this.getCookieName();\n const cookieParts = [`${name}=${token}`];\n const path = '/';\n const httpOnly = true;\n const secure = true; // default secure\n const sameSite = 'Lax';\n const maxAge = 24 3600; // 1 day default\n cookieParts.push(`Path=${path}`);\n if (httpOnly) cookieParts.push('HttpOnly');\n if (secure) cookieParts.push('Secure');\n if (sameSite) cookieParts.push(`SameSite=${sameSite}`);\n if (maxAge) {\n cookieParts.push(`Max-Age=${maxAge}`);\n const expires = new Date(Date.now() + (maxAge * 1000)).toUTCString();\n cookieParts.push(`Expires=${expires}`);\n }\n return cookieParts.join('; ');\n }\n\n buildClearCookie(): string {\n if (this.cfg?.cookie?.buildClearHeader) return this.cfg.cookie.buildClearHeader();\n const name = this.getCookieName();\n const path = '/';\n const secure = true;\n const httpOnly = true;\n const parts = [\n `${name}=`,\n `Path=${path}`,\n 'Max-Age=0',\n 'Expires=Thu, 01 Jan 1970 00:00:00 GMT'\n ];\n if (httpOnly) parts.push('HttpOnly');\n if (secure) parts.push('Secure');\n const sameSite = 'Lax';\n if (sameSite) parts.push(`SameSite=${sameSite}`);\n return parts.join('; ');\n }\n\n /** Sign a JWT with configured algorithm. Adds iat/exp and copies iss/aud. /\n async signJwt(sub: string, extraClaims?: Record<string, unknown>): Promise<string> {\n const jwt = this.cfg?.jwt \|\| {};\n const built = await Promise.resolve(jwt.buildClaims?.({ sub, context: extraClaims })) \|\| {};\n const payload = { sub, ...(extraClaims \|\| {}), ...(built \|\| {}) } as Record<string, unknown>;\n if (typeof jwt.signToken === 'function') {\n // Full override of signing: user supplies the complete token\n const token = await Promise.resolve(jwt.signToken({ header: { typ: 'JWT' }, payload } as any));\n return token;\n }\n throw new Error('SessionService: No JWT signing hook or provider configured');\n }\n\n /* Verify signature and expiration. Returns payload on success. /\n async verifyJwt(token: string): Promise<{ valid: boolean; payload?: any }> {\n const verify = this.cfg?.jwt?.verifyToken;\n if (typeof verify !== 'function') return { valid: false };\n return await Promise.resolve(verify(token));\n }\n\n parse(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; claims?: TClaims } \| { ok: false }>{\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n let token: string \| null = null;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) token = authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (!token && cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) { token = (v \|\| '').trim(); break; }\n }\n }\n if (!token) return Promise.resolve({ ok: false });\n return this.verifyJwt(token).then(v => v.valid ? { ok: true, claims: v.payload as TClaims } : { ok: false });\n }\n\n // === token helpers ===\n extractTokenFromHeaders(headers: Record<string, string \| string[] \| undefined>): string \| null {\n if (this.cfg?.cookie?.extractToken) return this.cfg.cookie.extractToken(headers, this.getCookieName());\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) return authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) return (v \|\| '').trim();\n }\n }\n return null;\n }\n\n async refresh(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; jwt?: string; code?: string; message?: string }>{\n try {\n const token = this.extractTokenFromHeaders(headers);\n if (!token) return { ok: false, code: 'unauthorized', message: 'No session token' };\n const v = await this.verifyJwt(token);\n if (!v.valid) return { ok: false, code: 'unauthorized', message: 'Invalid token' };\n const payload: any = v.payload \|\| {};\n if (!this.isWithinRefreshWindow(payload)) return { ok: false, code: 'not_eligible', message: 'Not within refresh window' };\n const sub = String(payload.sub \|\| '');\n if (!sub) return { ok: false, code: 'invalid_claims', message: 'Missing sub claim' };\n const next = await this.signJwt(sub);\n return { ok: true, jwt: next };\n } catch (e: any) {\n return { ok: false, code: 'internal', message: e?.message \|\| 'Refresh failed' };\n }\n }\n\n nowSeconds(): number { return Math.floor(Date.now() / 1000); }\n\n private isWithinRefreshWindow(payload: any): boolean {\n try {\n const now = this.nowSeconds();\n const exp = Number(payload?.exp \|\| 0);\n if (!exp \|\| now >= exp) return false; // no refresh if already expired\n const windowSec = Number(this.cfg?.jwt?.refreshWindowSec \|\| 15 60);\n return (exp - now) <= windowSec;\n } catch { return false; }\n }\n}\n\n/\n Utility: parse comma-separated list of origins into a normalized unique list\n * - canonicalizes to protocol + host + optional port\n * - lowercases host, strips path/query/hash, trims spaces/trailing slashes\n /\nexport function parseCsvList(input?: string): string[] {\n const out = new Set<string>();\n for (const raw of String(input \|\| '').split(',')) {\n const s = raw.trim();\n if (!s) continue;\n try {\n const u = new URL(s);\n const host = u.hostname.toLowerCase();\n const port = u.port ? `:${u.port}` : '';\n const proto = u.protocol === 'http:' \|\| u.protocol === 'https:' ? u.protocol : 'https:';\n out.add(`${proto}//${host}${port}`);\n } catch {\n const stripped = s.replace(/\\/$/, '');\n if (stripped) out.add(stripped);\n }\n }\n return Array.from(out);\n}\n\n/\n * Utility: merge multiple CSV lists of origins and return normalized list or ''\n /\nexport function buildCorsOrigins(...inputs: Array<string \| undefined>): string[] \| '' {\n const merged = new Set<string>();\n for (const input of inputs) {\n for (const origin of parseCsvList(input)) merged.add(origin);\n }\n const list = Array.from(merged);\n return list.length > 0 ? list : '';\n}\n","import { ZkEmailProverClient, type ZkEmailProverClientOptions, type ZkEmailProverError } from './proverClient';\n\nexport { ZkEmailProverClient } from './proverClient';\nexport type { ZkEmailProverClientOptions, ZkEmailProverError, ZkEmailProverResponse } from './proverClient';\n\nexport interface ForwardableEmailPayload {\n from: string;\n to: string;\n headers: Record<string, string>;\n raw?: string;\n rawSize?: number;\n}\n\nexport type NormalizedEmailResult =\n \| { ok: true; payload: ForwardableEmailPayload }\n \| { ok: false; code: string; message: string };\n\nexport interface GenerateZkEmailProofResult {\n proof: unknown;\n publicInputs: string[];\n}\n\nexport interface ParsedZkEmailBindings {\n accountId: string;\n newPublicKey: string;\n fromEmail: string;\n timestamp: string;\n requestId: string;\n}\n\n/*\n Build a minimal ForwardableEmailPayload from a raw RFC822 email string.\n * This is primarily used by server-side helpers that receive only a raw\n * email blob (no pre-normalized headers).\n /\nexport function buildForwardablePayloadFromRawEmail(raw: string): ForwardableEmailPayload {\n const safeRaw = typeof raw === 'string' ? raw : '';\n const lines = safeRaw.split(/\\r?\\n/);\n\n const getHeader = (name: string): string \| undefined => {\n const line = lines.find(l => new RegExp(`^${name}:`, 'i').test(l));\n if (!line) return undefined;\n const idx = line.indexOf(':');\n const rest = idx >= 0 ? line.slice(idx + 1) : '';\n const value = rest.trim();\n return value \|\| undefined;\n };\n\n const fromHeader = getHeader('from') \|\| 'unknown@zkemail.local';\n const toHeader = getHeader('to') \|\| 'recover@zkemail.local';\n\n const headers: Record<string, string> = {};\n const subjectHeader = getHeader('subject');\n const dateHeader = getHeader('date');\n\n if (fromHeader) headers.from = fromHeader;\n if (toHeader) headers.to = toHeader;\n if (subjectHeader) headers.subject = subjectHeader;\n if (dateHeader) headers.date = dateHeader;\n\n return {\n from: fromHeader,\n to: toHeader,\n headers,\n raw: safeRaw,\n rawSize: safeRaw.length,\n };\n}\n\nexport function normalizeForwardableEmailPayload(input: unknown): NormalizedEmailResult {\n if (!input \|\| typeof input !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'JSON body required' };\n }\n\n const body = input as Partial<ForwardableEmailPayload>;\n const { from, to, headers, raw, rawSize } = body;\n\n if (!from \|\| typeof from !== 'string' \|\| !to \|\| typeof to !== 'string') {\n return { ok: false, code: 'invalid_email', message: 'from and to are required' };\n }\n\n if (!headers \|\| typeof headers !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'headers object is required' };\n }\n\n const normalizedHeaders: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers as Record<string, unknown>)) {\n normalizedHeaders[String(k).toLowerCase()] = String(v);\n }\n\n return {\n ok: true,\n payload: {\n from,\n to,\n headers: normalizedHeaders,\n raw: typeof raw === 'string' ? raw : undefined,\n rawSize: typeof rawSize === 'number' ? rawSize : undefined,\n },\n };\n}\n\n/\n Parse NEAR accountId from the Subject line inside a raw RFC822 email.\n \n Expected format (case-insensitive on \"Subject\" and \"recover\"):\n * Subject: recover-123ABC bob.testnet ed25519:<pk>\n \n Returns the parsed accountId (e.g. \"bob.testnet\") or null if not found.\n /\nexport function parseAccountIdFromSubject(raw: string \| undefined \| null): string \| null {\n if (!raw \|\| typeof raw !== 'string') return null;\n\n // Accept either a full RFC822 message (with \"Subject: ...\" header)\n // or a bare Subject value (\"recover-123ABC bob.testnet ed25519:<pk>\").\n let subjectText = '';\n const lines = raw.split(/\\r?\\n/);\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = raw.trim();\n }\n\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format: \"recover-<request_id> <accountId> [ed25519:<pk>]\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)(?:\\s+ed25519:[^\\s]+)?\\s$/i\n );\n if (match?.[2]) {\n return match[2];\n }\n\n return null;\n}\n\nfunction parseSubjectBindings(\n rawSubject: string \| undefined \| null\n): { accountId: string; newPublicKey: string; requestId: string } \| null {\n if (!rawSubject \|\| typeof rawSubject !== 'string') return null;\n\n const lines = rawSubject.split(/\\r?\\n/);\n let subjectText = '';\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = rawSubject.trim();\n }\n if (!subjectText) return null;\n\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n\n return {\n accountId,\n newPublicKey,\n requestId,\n };\n}\n\nexport function extractZkEmailBindingsFromPayload(\n payload: ForwardableEmailPayload\n): ParsedZkEmailBindings \| null {\n const raw = payload.raw \|\| '';\n const lines = raw.split(/\\r?\\n/);\n\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n const subjectBindings = parseSubjectBindings(subjectLine ?? '');\n if (!subjectBindings) {\n return null;\n }\n\n const headers = payload.headers \|\| {};\n let fromEmailRaw: string \| undefined =\n (headers['from'] as any) \|\|\n (headers['x-from-email'] as any);\n let dateRaw: string \| undefined =\n (headers['date'] as any) \|\|\n (headers['x-original-date'] as any);\n\n // Fallback: if headers object does not contain from/date,\n // attempt to parse them from the raw RFC822 email lines.\n if (!fromEmailRaw \|\| !dateRaw) {\n for (const line of lines) {\n if (!fromEmailRaw && /^from:/i.test(line)) {\n const idx = line.indexOf(':');\n fromEmailRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (!dateRaw && /^date:/i.test(line)) {\n const idx = line.indexOf(':');\n dateRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (fromEmailRaw && dateRaw) break;\n }\n }\n\n const fromEmail = String(fromEmailRaw \|\| '').trim();\n const timestamp = String(dateRaw \|\| '').trim();\n\n if (!fromEmail \|\| !timestamp) {\n return null;\n }\n\n return {\n accountId: subjectBindings.accountId,\n newPublicKey: subjectBindings.newPublicKey,\n fromEmail,\n timestamp,\n requestId: subjectBindings.requestId,\n };\n}\n\nexport async function generateZkEmailProofFromPayload(\n payload: ForwardableEmailPayload,\n prover: ZkEmailProverClientOptions \| ZkEmailProverClient\n): Promise<GenerateZkEmailProofResult> {\n if (!payload.raw \|\| typeof payload.raw !== 'string') {\n const err: ZkEmailProverError = Object.assign(\n new Error('raw email contents are required to generate a zk-email proof'),\n { code: 'missing_raw_email' }\n );\n throw err;\n }\n\n const client =\n (prover && typeof (prover as any).proveEmail === 'function')\n ? (prover as ZkEmailProverClient)\n : new ZkEmailProverClient(prover as ZkEmailProverClientOptions);\n\n const res = await client.proveEmail(payload.raw);\n\n return {\n proof: res.proof,\n publicInputs: res.publicSignals,\n };\n}\n","import type { EmailRecoveryMode } from './types';\nimport { normalizeForwardableEmailPayload, parseAccountIdFromSubject } from './zkEmail';\nimport { ensureEd25519Prefix } from '../../core/nearCrypto';\n\nexport enum EmailRecoveryModeHint {\n ZkEmail = 'zk-email',\n TeeEncrypted = 'tee-encrypted',\n OnchainPublic = 'onchain-public',\n}\n\nexport function normalizeRecoveryMode(raw: string \| undefined \| null): EmailRecoveryMode \| null {\n if (!raw) return null;\n const value = raw.trim().toLowerCase();\n if (value === EmailRecoveryModeHint.ZkEmail) return 'zk-email';\n if (value === EmailRecoveryModeHint.TeeEncrypted) return 'tee-encrypted';\n if (value === EmailRecoveryModeHint.OnchainPublic) return 'onchain-public';\n return null;\n}\n\nexport function extractRecoveryModeFromBody(emailBlob?: string): EmailRecoveryMode \| null {\n if (!emailBlob) return null;\n\n const lines = emailBlob.split(/\\r?\\n/);\n const bodyStartIndex = lines.findIndex(line => line.trim() === '');\n if (bodyStartIndex === -1) return null;\n\n const bodyLines = lines.slice(bodyStartIndex + 1);\n const firstNonEmptyBodyLine = bodyLines.find(line => line.trim() !== '');\n if (!firstNonEmptyBodyLine) return null;\n\n const candidate = firstNonEmptyBodyLine.trim();\n const normalized = normalizeRecoveryMode(candidate);\n if (normalized) return normalized;\n\n const lower = candidate.toLowerCase();\n if (lower.includes(EmailRecoveryModeHint.ZkEmail)) return 'zk-email';\n if (lower.includes(EmailRecoveryModeHint.TeeEncrypted)) return 'tee-encrypted';\n if (lower.includes(EmailRecoveryModeHint.OnchainPublic)) return 'onchain-public';\n\n return null;\n}\n\ntype HeaderValue = string \| string[] \| undefined;\ntype HeadersLike = Headers \| Record<string, HeaderValue> \| undefined;\n\nexport type RecoverEmailParseResult =\n \| { ok: true; accountId: string; emailBlob: string; explicitMode?: string }\n \| { ok: false; status: number; code: string; message: string };\n\nfunction getHeader(headers: HeadersLike, name: string): string \| undefined {\n if (!headers) return undefined;\n\n const maybeHeaders = headers as any;\n if (typeof maybeHeaders.get === 'function') {\n const v = maybeHeaders.get(name);\n return (typeof v === 'string') ? v : undefined;\n }\n\n const record = headers as Record<string, HeaderValue>;\n const v = record[name.toLowerCase()] ?? record[name];\n if (Array.isArray(v)) return (typeof v[0] === 'string') ? v[0] : undefined;\n return (typeof v === 'string') ? v : undefined;\n}\n\nfunction parseExplicitMode(body: unknown, headers?: HeadersLike): string \| undefined {\n const modeFromBody =\n (typeof (body as any)?.explicitMode === 'string' ? String((body as any).explicitMode) : '') \|\|\n (typeof (body as any)?.explicit_mode === 'string' ? String((body as any).explicit_mode) : '');\n const modeFromHeader = getHeader(headers, 'x-email-recovery-mode') \|\| getHeader(headers, 'x-recovery-mode') \|\| '';\n const raw = (modeFromBody \|\| modeFromHeader).trim();\n return raw ? raw : undefined;\n}\n\nexport function parseRecoverEmailRequest(body: unknown, opts: { headers?: HeadersLike } = {}): RecoverEmailParseResult {\n const explicitMode = parseExplicitMode(body, opts.headers);\n\n const normalized = normalizeForwardableEmailPayload(body);\n if (!normalized.ok) {\n return { ok: false, status: 400, code: normalized.code, message: normalized.message };\n }\n\n const payload = normalized.payload;\n const emailBlob = payload.raw \|\| '';\n const emailHeaders = payload.headers \|\| {};\n\n const subjectHeader = emailHeaders['subject'];\n const parsedAccountId = parseAccountIdFromSubject(subjectHeader \|\| emailBlob);\n const headerAccountId = String(emailHeaders['x-near-account-id'] \|\| emailHeaders['x-account-id'] \|\| '').trim();\n const accountId = (parsedAccountId \|\| headerAccountId \|\| '').trim();\n\n if (!accountId) {\n return { ok: false, status: 400, code: 'missing_account', message: 'x-near-account-id header is required' };\n }\n if (!emailBlob) {\n return { ok: false, status: 400, code: 'missing_email', message: 'raw email blob is required' };\n }\n\n return { ok: true, accountId, emailBlob, explicitMode };\n}\n\nconst EMAIL_ADDRESS_REGEX =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\nexport function canonicalizeEmail(input: string): string {\n const raw = String(input \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(EMAIL_ADDRESS_REGEX);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n}\n\nexport function parseHeaderValue(rawEmail: string, name: string): string \| undefined {\n try {\n const raw = String(rawEmail \|\| '');\n if (!raw) return undefined;\n\n const lines = raw.split(/\\r?\\n/);\n const headerLines: string[] = [];\n\n // Only consider the header section (until the first blank line).\n for (const line of lines) {\n if (line.trim() === '') break;\n\n // RFC822 header folding: lines starting with whitespace continue previous header.\n if (/^\\s/.test(line) && headerLines.length > 0) {\n headerLines[headerLines.length - 1] += ` ${line.trim()}`;\n continue;\n }\n\n headerLines.push(line);\n }\n\n const headerName = name.trim();\n if (!headerName) return undefined;\n\n const re = new RegExp(`^${headerName.replace(/[.+?^${}()\|[\\]\\\\]/g, '\\\\$&')}\\\\s:`, 'i');\n const found = headerLines.find((l) => re.test(l));\n if (!found) return undefined;\n\n const idx = found.indexOf(':');\n const value = idx >= 0 ? found.slice(idx + 1).trim() : '';\n return value \|\| undefined;\n } catch {\n return undefined;\n }\n}\n\nexport function parseRecoverSubjectBindings(\n rawEmail: string\n): { requestId: string; accountId: string; newPublicKey: string } \| null {\n // Accept either a full RFC822 email or a bare Subject value.\n let subjectText = (parseHeaderValue(rawEmail, 'subject') \|\| String(rawEmail \|\| '')).trim();\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes.\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n return { requestId, accountId, newPublicKey: ensureEd25519Prefix(newPublicKey) };\n}\n","export type Logger = {\n debug?: (...args: unknown[]) => void;\n info?: (...args: unknown[]) => void;\n warn?: (...args: unknown[]) => void;\n error?: (...args: unknown[]) => void;\n log?: (...args: unknown[]) => void;\n};\n\nexport type NormalizedLogger = {\n debug: (...args: unknown[]) => void;\n info: (...args: unknown[]) => void;\n warn: (...args: unknown[]) => void;\n error: (...args: unknown[]) => void;\n};\n\nfunction safe(fn?: (...args: unknown[]) => void): (...args: unknown[]) => void {\n if (!fn) return () => {};\n return (...args: unknown[]) => {\n try {\n fn(...args);\n } catch {\n // Never allow logging to break request handling.\n }\n };\n}\n\n/*\n Library code should never call `console.` directly; the host decides where logs go.\n - Default: no logs\n * - To enable: pass `logger: console` (or a structured logger) to the host config.\n /\nexport function normalizeLogger(logger?: Logger \| null): NormalizedLogger {\n if (!logger) {\n return { debug: () => {}, info: () => {}, warn: () => {}, error: () => {} };\n }\n\n const base: Logger = logger;\n const log = typeof base.log === 'function' ? base.log.bind(base) : undefined;\n\n const debug = (typeof base.debug === 'function' ? base.debug.bind(base) : log);\n const info = (typeof base.info === 'function' ? base.info.bind(base) : log);\n const warn = (typeof base.warn === 'function' ? base.warn.bind(base) : log);\n const error = (typeof base.error === 'function' ? base.error.bind(base) : log);\n\n return {\n debug: safe(debug),\n info: safe(info),\n warn: safe(warn),\n error: safe(error),\n };\n}\n\n","import type { Logger, NormalizedLogger } from '../core/logger';\nimport { normalizeLogger } from '../core/logger';\n\nexport type RouterLogger = Logger;\nexport type NormalizedRouterLogger = NormalizedLogger;\nexport const normalizeRouterLogger = normalizeLogger;\n","import type { AuthService } from '../core/AuthService';\nimport {\n handleApplyServerLock,\n handleRemoveServerLock,\n handleGetShamirKeyInfo,\n} from '../core/shamirHandlers';\nimport { buildCorsOrigins } from '../core/SessionService';\nimport type { SessionAdapter } from './express-adaptor';\nimport type { CreateAccountAndRegisterRequest } from '../core/types';\nimport { parseRecoverEmailRequest } from '../email-recovery/emailParsers';\nimport type { DelegateActionPolicy } from '../delegateAction';\nimport type { RouterLogger } from './logger';\nimport { normalizeRouterLogger } from './logger';\n\nexport interface RelayRouterOptions {\n healthz?: boolean;\n readyz?: boolean;\n // Optional list(s) of CORS origins (CSV strings or literal origins).\n // Pass raw strings; the router normalizes/merges internally.\n corsOrigins?: Array<string \| undefined>;\n /\n Optional route for submitting NEP-461 SignedDelegate meta-transactions.\n \n - When omitted: disabled.\n * - When set: enabled at `route`.\n \n `policy` is server-controlled and is never read from the request body.\n /\n signedDelegate?: {\n route: string;\n policy?: DelegateActionPolicy;\n };\n // Optional: customize session route paths\n sessionRoutes?: { auth?: string; logout?: string };\n // Optional: pluggable session adapter\n session?: SessionAdapter \| null;\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n\n// Minimal Worker runtime types (avoid adding @cloudflare/workers-types dependency here)\nexport interface CfEnv {\n // Optional env overrides for `/.well-known/webauthn` (ROR origins list).\n //\n // Note: Do not add an index signature here. Cloudflare env bindings can include\n // KV namespaces, Durable Objects, etc., and requiring `[key: string]: string`\n // makes real-world `Env` types not assignable.\n ROR_CONTRACT_ID?: string;\n WEBAUTHN_CONTRACT_ID?: string;\n ROR_METHOD?: string;\n}\n\n/\n Convenience env shape matching the `examples/relay-cloudflare-worker` configuration.\n * This is optional — you can define your own `Env` type with different binding names.\n /\nexport interface RelayCloudflareWorkerEnv {\n RELAYER_ACCOUNT_ID: string;\n RELAYER_PRIVATE_KEY: string;\n // Optional overrides (SDK provides defaults when omitted)\n NEAR_RPC_URL?: string;\n NETWORK_ID?: string;\n WEBAUTHN_CONTRACT_ID: string;\n ACCOUNT_INITIAL_BALANCE?: string;\n CREATE_ACCOUNT_AND_REGISTER_GAS?: string;\n ZK_EMAIL_PROVER_BASE_URL?: string;\n ZK_EMAIL_PROVER_TIMEOUT_MS?: string;\n SHAMIR_P_B64U: string;\n SHAMIR_E_S_B64U: string;\n SHAMIR_D_S_B64U: string;\n EXPECTED_ORIGIN?: string;\n EXPECTED_WALLET_ORIGIN?: string;\n ENABLE_ROTATION?: string;\n RECOVER_EMAIL_RECIPIENT?: string;\n}\n\nexport interface CfExecutionContext {\n waitUntil(promise: Promise<unknown>): void;\n passThroughOnException(): void\n}\nexport interface CfScheduledEvent {\n scheduledTime?: number;\n cron?: string\n}\nexport interface CfEmailMessage {\n from: string;\n to: string;\n // Cloudflare uses `Headers`, but keep this flexible for userland tests.\n headers: Headers \| Iterable<[string, string]> \| Record<string, string>;\n raw: ReadableStream \| ArrayBuffer \| string;\n rawSize?: number;\n setReject(reason: string): void;\n}\n\nexport type FetchHandler = (request: Request, env?: CfEnv, ctx?: CfExecutionContext) => Promise<Response>;\nexport type ScheduledHandler = (event: CfScheduledEvent, env?: CfEnv, ctx?: CfExecutionContext) => Promise<void>;\nexport type EmailHandler = (message: CfEmailMessage, env?: CfEnv, ctx?: CfExecutionContext) => Promise<void>;\n\nfunction normalizePath(path: string): string {\n const trimmed = String(path \|\| '').trim();\n if (!trimmed) return '';\n return trimmed.startsWith('/') ? trimmed : `/${trimmed}`;\n}\n\nfunction json(body: unknown, init?: ResponseInit, extraHeaders?: Record<string, string>): Response {\n const headers = new Headers({ 'Content-Type': 'application/json; charset=utf-8' });\n\n // Merge init.headers into our base headers (ResponseInit headers are otherwise overwritten).\n const initHeaders = (init as any)?.headers as HeadersInit \| undefined;\n if (initHeaders) {\n try {\n new Headers(initHeaders).forEach((v, k) => headers.set(k, v));\n } catch { }\n }\n\n if (extraHeaders) {\n for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);\n }\n\n const { headers: _omit, ...rest } = init \|\| {};\n return new Response(JSON.stringify(body), { status: 200, ...rest, headers });\n}\n\nfunction withCors(headers: Headers, opts?: RelayRouterOptions, request?: Request): void {\n if (!opts?.corsOrigins) return;\n let allowedOrigin: string \| '' \| undefined;\n const normalized = buildCorsOrigins(...(opts.corsOrigins \|\| []));\n if (normalized === '') {\n allowedOrigin = '';\n headers.set('Access-Control-Allow-Origin', '');\n } else if (Array.isArray(normalized)) {\n const origin = request?.headers.get('Origin') \|\| '';\n if (origin && normalized.includes(origin)) {\n allowedOrigin = origin;\n headers.set('Access-Control-Allow-Origin', origin);\n headers.append('Vary', 'Origin');\n }\n }\n headers.set('Access-Control-Allow-Methods', 'GET,POST,OPTIONS');\n headers.set('Access-Control-Allow-Headers', 'Content-Type,Authorization');\n // Only advertise credentials when we echo back a specific origin (not '')\n if (allowedOrigin && allowedOrigin !== '') {\n headers.set('Access-Control-Allow-Credentials', 'true');\n }\n}\n\nfunction normalizeEmailAddress(input: string): string {\n const trimmed = String(input \|\| '').trim();\n const angleStart = trimmed.indexOf('<');\n const angleEnd = trimmed.indexOf('>');\n if (angleStart !== -1 && angleEnd > angleStart) {\n return trimmed.slice(angleStart + 1, angleEnd).trim().toLowerCase();\n }\n return trimmed.toLowerCase();\n}\n\nfunction normalizeRejectReason(input: unknown): string {\n return String(input \|\| '')\n .replace(/[\\r\\n]+/g, ' ')\n .replace(/\\s+/g, ' ')\n .trim();\n}\n\nfunction toLowercaseHeaderRecord(input: unknown): Record<string, string> {\n const out: Record<string, string> = {};\n if (!input) return out;\n\n const maybeHeaders = input as any;\n if (typeof maybeHeaders.forEach === 'function') {\n try {\n maybeHeaders.forEach((v: unknown, k: unknown) => {\n out[String(k).toLowerCase()] = String(v);\n });\n return out;\n } catch { }\n }\n\n if (typeof maybeHeaders[Symbol.iterator] === 'function') {\n try {\n for (const entry of maybeHeaders as Iterable<unknown>) {\n if (!Array.isArray(entry)) continue;\n const [k, v] = entry as any[];\n out[String(k).toLowerCase()] = String(v);\n }\n return out;\n } catch { }\n }\n\n if (typeof input === 'object') {\n for (const [k, v] of Object.entries(input as Record<string, unknown>)) {\n out[String(k).toLowerCase()] = String(v);\n }\n }\n\n return out;\n}\n\nasync function buildForwardableEmailPayloadFromCloudflareMessage(message: CfEmailMessage): Promise<{\n from: string;\n to: string;\n headers: Record<string, string>;\n raw: string;\n rawSize?: number;\n}> {\n const from = String(message?.from \|\| '');\n const to = String(message?.to \|\| '');\n const headers = toLowercaseHeaderRecord((message as any)?.headers);\n\n let raw = '';\n try {\n raw = await new Response((message as any)?.raw).text();\n } catch { }\n\n const rawSize = typeof (message as any)?.rawSize === 'number' ? (message as any).rawSize : undefined;\n\n return { from, to, headers, raw, rawSize };\n}\n\nexport interface CloudflareEmailHandlerOptions {\n /\n Optional recipient allowlist for emails processed by this handler (case-insensitive).\n * If unset, any `to` is accepted.\n /\n expectedRecipient?: string;\n /\n If true (default), unexpected recipients only log a warning (Cloudflare routing\n * is usually already scoped). If false, the handler rejects the email.\n /\n allowUnexpectedRecipient?: boolean;\n /\n When true, logs email metadata (from/to/subject). Defaults to false.\n /\n verbose?: boolean;\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n\nexport function createCloudflareEmailHandler(service: AuthService, opts: CloudflareEmailHandlerOptions = {}): EmailHandler {\n const logger = normalizeRouterLogger(opts.logger);\n const expectedRecipient = normalizeEmailAddress(opts.expectedRecipient \|\| '');\n const allowUnexpectedRecipient = opts.allowUnexpectedRecipient !== false;\n const verbose = Boolean(opts.verbose);\n\n return async (message: CfEmailMessage): Promise<void> => {\n try {\n const payload = await buildForwardableEmailPayloadFromCloudflareMessage(message);\n\n const to = normalizeEmailAddress(payload.to);\n if (expectedRecipient) {\n if (to !== expectedRecipient) {\n logger.warn('[email] unexpected recipient', { to, expectedRecipient });\n if (!allowUnexpectedRecipient) {\n message.setReject('Email recovery relayer rejected email: unexpected recipient');\n return;\n }\n }\n }\n\n if (verbose) {\n logger.info('[email] from/to', { from: payload.from, to: payload.to, subject: payload.headers['subject'] });\n }\n\n const parsed = parseRecoverEmailRequest(payload as any, { headers: payload.headers });\n if (!parsed.ok) {\n logger.warn('[email] rejecting', { code: parsed.code, message: parsed.message });\n message.setReject(`Email recovery relayer rejected email: ${parsed.message}`);\n return;\n }\n\n if (!service.emailRecovery) {\n logger.warn('[email] rejecting: EmailRecoveryService not configured');\n message.setReject('Email recovery relayer rejected email: email recovery service unavailable');\n return;\n }\n\n const result = await service.emailRecovery.requestEmailRecovery({\n accountId: parsed.accountId,\n emailBlob: parsed.emailBlob,\n explicitMode: parsed.explicitMode,\n });\n\n if (!result?.success) {\n logger.warn('[email] recovery failed', {\n accountId: parsed.accountId,\n error: result?.error \|\| 'unknown',\n message: result?.message,\n });\n const reason = normalizeRejectReason(result?.message \|\| result?.error \|\| 'recovery failed');\n message.setReject(`Email recovery relayer rejected email: ${reason}`);\n return;\n }\n\n logger.info('[email] recovery submitted', { accountId: parsed.accountId });\n } catch (e: any) {\n logger.error('[email] internal error', { message: e?.message \|\| String(e) });\n message.setReject('Email recovery relayer rejected email: internal error');\n }\n };\n}\n\nexport function createCloudflareRouter(service: AuthService, opts: RelayRouterOptions = {}): FetchHandler {\n const notFound = () => new Response('Not Found', { status: 404 });\n const mePath = opts.sessionRoutes?.auth \|\| '/session/auth';\n const logoutPath = opts.sessionRoutes?.logout \|\| '/session/logout';\n const logger = normalizeRouterLogger(opts.logger);\n const signedDelegatePath = (() => {\n if (!opts.signedDelegate) return '';\n const raw = String(opts.signedDelegate.route \|\| '').trim();\n if (!raw) throw new Error('RelayRouterOptions.signedDelegate.route is required');\n return normalizePath(raw);\n })();\n const signedDelegatePolicy = opts.signedDelegate?.policy;\n\n return async function handler(request: Request, env?: CfEnv, ctx?: CfExecutionContext): Promise<Response> {\n const url = new URL(request.url);\n const { pathname } = url;\n const method = request.method.toUpperCase();\n\n // Preflight CORS\n if (method === 'OPTIONS') {\n const res = new Response(null, { status: 204 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n // Helper to adapt AuthService HTTP-like handlers to Response\n const toResponse = (out: { status: number; headers: Record<string, string>; body: string }) => {\n const res = new Response(out.body, { status: out.status, headers: out.headers });\n withCors(res.headers, opts, request);\n return res;\n };\n\n const isObject = (v: unknown): v is Record<string, unknown> => typeof v === 'object' && v !== null;\n\n try {\n // ROR well-known manifest; allow override via env (optional)\n if (method === 'GET' && (pathname === '/.well-known/webauthn' \|\| pathname === '/.well-known/webauthn/')) {\n const contractId = (env?.ROR_CONTRACT_ID \|\| env?.WEBAUTHN_CONTRACT_ID \|\| '').toString().trim() \|\| undefined;\n const methodName = (env?.ROR_METHOD \|\| '').toString().trim() \|\| undefined;\n const origins = await service.getRorOrigins({ contractId, method: methodName });\n const res = json({ origins }, { status: 200, headers: { 'Cache-Control': 'max-age=60, stale-while-revalidate=600' } });\n withCors(res.headers, opts, request);\n return res;\n }\n\n if (method === 'POST' && pathname === '/create_account_and_register_user') {\n let body: unknown;\n try { body = await request.json(); } catch { body = null; }\n if (!isObject(body)) {\n const res = json({ code: 'invalid_body', message: 'JSON body required' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n const new_account_id = typeof body.new_account_id === 'string' ? body.new_account_id : '';\n const new_public_key = typeof body.new_public_key === 'string' ? body.new_public_key : '';\n const vrf_data = isObject(body.vrf_data) ? body.vrf_data : null;\n const webauthn_registration = isObject(body.webauthn_registration) ? body.webauthn_registration : null;\n const deterministic_vrf_public_key = (body as Record<string, unknown>).deterministic_vrf_public_key;\n const authenticator_options = isObject((body as Record<string, unknown>).authenticator_options)\n ? (body as Record<string, unknown>).authenticator_options\n : undefined;\n\n if (!new_account_id) {\n const res = json({ code: 'invalid_body', message: 'Missing or invalid new_account_id' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n if (!new_public_key) {\n const res = json({ code: 'invalid_body', message: 'Missing or invalid new_public_key' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n if (!vrf_data) {\n const res = json({ code: 'invalid_body', message: 'Missing or invalid vrf_data' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n if (!webauthn_registration) {\n const res = json({ code: 'invalid_body', message: 'Missing or invalid webauthn_registration' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n const input = {\n new_account_id,\n new_public_key,\n vrf_data,\n webauthn_registration,\n deterministic_vrf_public_key,\n authenticator_options,\n } as unknown as CreateAccountAndRegisterRequest;\n\n const result = await service.createAccountAndRegisterUser(input);\n const res = json(result, { status: result.success ? 200 : 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n // SignedDelegate meta-tx submission (optional)\n if (signedDelegatePath && pathname === signedDelegatePath) {\n if (method === 'OPTIONS') {\n const res = new Response(null, { status: 204 });\n withCors(res.headers, opts, request);\n return res;\n }\n if (method !== 'POST') return notFound();\n\n let body: unknown;\n try { body = await request.json(); } catch { body = null; }\n const valid = isObject(body) && typeof (body as any).hash === 'string' && Boolean((body as any).hash) && Boolean((body as any).signedDelegate);\n if (!valid) {\n const res = json({ ok: false, code: 'invalid_body', message: 'Expected { hash, signedDelegate }' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n const result = await service.executeSignedDelegate({\n hash: String((body as any).hash),\n signedDelegate: (body as any).signedDelegate,\n policy: signedDelegatePolicy,\n });\n\n if (!result \|\| !result.ok) {\n const res = json({\n ok: false,\n code: result?.code \|\| 'delegate_execution_failed',\n message: result?.error \|\| 'Failed to execute delegate action',\n }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n const res = json({\n ok: true,\n relayerTxHash: result.transactionHash \|\| null,\n status: 'submitted',\n outcome: result.outcome ?? null,\n }, { status: 200 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n if (method === 'POST' && pathname === '/vrf/apply-server-lock') {\n const shamir = service.shamirService;\n if (!shamir \|\| !(await shamir.ensureReady())) {\n const res = json({ code: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' }, { status: 503 });\n withCors(res.headers, opts, request);\n return res;\n }\n let body: unknown; try { body = await request.json(); } catch { body = null; }\n const valid = isObject(body) && typeof body.kek_c_b64u === 'string' && body.kek_c_b64u.length > 0;\n if (!valid) {\n const res = json({ code: 'invalid_body', message: 'kek_c_b64u is required' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n const out = await handleApplyServerLock(shamir, {\n body: { kek_c_b64u: String((body as Record<string, unknown>).kek_c_b64u) },\n });\n return toResponse(out);\n }\n\n if (method === 'POST' && pathname === '/verify-authentication-response') {\n let body: unknown; try { body = await request.json(); } catch { body = null; }\n const valid = isObject(body)\n && isObject((body as any).vrf_data)\n && isObject((body as any).webauthn_authentication);\n if (!valid) {\n const res = json({ code: 'invalid_body', message: 'vrf_data and webauthn_authentication are required' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n try {\n const sessionKind = ((body as any)?.sessionKind \|\| (body as any)?.session_kind) === 'cookie' ? 'cookie' : 'jwt';\n const result = await service.verifyAuthenticationResponse(body as any);\n const status = result.success ? 200 : 400;\n if (status !== 200) {\n const res = json({ code: 'not_verified', message: result.message \|\| 'Authentication verification failed' }, { status });\n withCors(res.headers, opts, request);\n return res;\n }\n const res = json(result, { status: 200 });\n const session = opts.session;\n if (session && result.verified) {\n try {\n const userId = String((body as any).vrf_data?.user_id \|\| '');\n const token = await session.signJwt(userId, { rpId: (body as any).vrf_data?.rp_id, blockHeight: (body as any).vrf_data?.block_height });\n logger.info(`[relay] creating ${sessionKind === 'cookie' ? 'HttpOnly session' : 'JWT'} for`, userId);\n if (sessionKind === 'cookie') {\n res.headers.set('Set-Cookie', session.buildSetCookie(token));\n } else {\n const payload = await res.clone().json();\n return new Response(JSON.stringify({ ...payload, jwt: token }), { status: 200, headers: res.headers });\n }\n } catch {}\n }\n withCors(res.headers, opts, request);\n return res;\n } catch (e: any) {\n const res = json({ code: 'internal', message: e?.message \|\| 'Internal error' }, { status: 500 });\n withCors(res.headers, opts, request);\n return res;\n }\n }\n\n if (method === 'GET' && pathname === mePath) {\n try {\n const headersObj: Record<string, string> = {};\n request.headers.forEach((v, k) => { headersObj[k] = v; });\n const session = opts.session;\n if (!session) {\n const res = json({ authenticated: false, code: 'sessions_disabled', message: 'Sessions are not configured' }, { status: 501 });\n withCors(res.headers, opts, request);\n return res;\n }\n const parsed = await session.parse(headersObj);\n const res = json(parsed.ok ? { authenticated: true, claims: (parsed as any).claims } : { authenticated: false }, { status: parsed.ok ? 200 : 401 });\n withCors(res.headers, opts, request);\n return res;\n } catch (e: any) {\n const res = json({ authenticated: false, code: 'internal', message: e?.message \|\| 'Internal error' }, { status: 500 });\n withCors(res.headers, opts, request);\n return res;\n }\n }\n\n if (method === 'POST' && pathname === logoutPath) {\n const res = json({ success: true }, { status: 200 });\n const session = opts.session;\n if (session) {\n // Clear cookie with Max-Age=0\n res.headers.set('Set-Cookie', session.buildClearCookie());\n }\n withCors(res.headers, opts, request);\n return res;\n }\n\n if (method === 'POST' && pathname === '/session/refresh') {\n let body: unknown; try { body = await request.json(); } catch { body = null; }\n const sessionKind = ((body as any)?.sessionKind \|\| (body as any)?.session_kind) === 'cookie' ? 'cookie' : 'jwt';\n const session = opts.session;\n if (!session) {\n const res = json({ code: 'sessions_disabled', message: 'Sessions are not configured' }, { status: 501 });\n withCors(res.headers, opts, request);\n return res;\n }\n const out = await session.refresh(Object.fromEntries(request.headers.entries()));\n if (!out.ok \|\| !out.jwt) {\n const res = json({ code: out.code \|\| 'not_eligible', message: out.message \|\| 'Refresh not eligible' }, { status: (out.code === 'unauthorized') ? 401 : 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n const res = json(sessionKind === 'cookie' ? { ok: true } : { ok: true, jwt: out.jwt }, { status: 200 });\n if (sessionKind === 'cookie' && out.jwt) {\n try {\n res.headers.set('Set-Cookie', session.buildSetCookie(out.jwt));\n } catch {}\n }\n withCors(res.headers, opts, request);\n return res;\n }\n\n if (method === 'POST' && pathname === '/recover-email') {\n const prefer = String(request.headers.get('prefer') \|\| '').toLowerCase();\n const respondAsync =\n prefer.includes('respond-async') \|\|\n String(url.searchParams.get('async') \|\| '').trim() === '1' \|\|\n String(url.searchParams.get('respond_async') \|\| '').trim() === '1';\n\n let rawBody: unknown; try { rawBody = await request.json(); } catch { rawBody = null; }\n const parsed = parseRecoverEmailRequest(rawBody, { headers: request.headers });\n if (!parsed.ok) {\n const res = json({ code: parsed.code, message: parsed.message }, { status: parsed.status });\n withCors(res.headers, opts, request);\n return res;\n }\n const { accountId, emailBlob, explicitMode } = parsed;\n\n if (!service.emailRecovery) {\n const res = json(\n { code: 'email_recovery_unavailable', message: 'EmailRecoveryService is not configured on this server' },\n { status: 503 }\n );\n withCors(res.headers, opts, request);\n return res;\n }\n\n if (respondAsync && ctx && typeof ctx.waitUntil === 'function') {\n ctx.waitUntil(\n service.emailRecovery\n .requestEmailRecovery({ accountId, emailBlob, explicitMode })\n .then((result) => {\n logger.info('[recover-email] async complete', {\n success: result?.success === true,\n accountId,\n error: result?.success ? undefined : result?.error,\n });\n })\n .catch((err: any) => {\n logger.error('[recover-email] async error', {\n accountId,\n error: err?.message \|\| String(err),\n });\n })\n );\n const res = json({ success: true, queued: true, accountId }, { status: 202 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n const result = await service.emailRecovery.requestEmailRecovery({ accountId, emailBlob, explicitMode });\n const res = json(result, { status: result.success ? 202 : 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n if (method === 'POST' && pathname === '/vrf/remove-server-lock') {\n const shamir = service.shamirService;\n if (!shamir \|\| !(await shamir.ensureReady())) {\n const res = json({ code: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' }, { status: 503 });\n withCors(res.headers, opts, request);\n return res;\n }\n let body: unknown; try { body = await request.json(); } catch { body = null; }\n const valid = isObject(body)\n && typeof body.kek_cs_b64u === 'string' && body.kek_cs_b64u.length > 0\n && typeof (body as Record<string, unknown>).keyId === 'string'\n && String((body as Record<string, unknown>).keyId).length > 0;\n if (!valid) {\n const res = json({ code: 'invalid_body', message: 'kek_cs_b64u and keyId are required' }, { status: 400 });\n withCors(res.headers, opts, request);\n return res;\n }\n const out = await handleRemoveServerLock(shamir, {\n body: {\n kek_cs_b64u: String((body as Record<string, unknown>).kek_cs_b64u),\n keyId: String((body as Record<string, unknown>).keyId),\n },\n });\n return toResponse(out);\n }\n\n if (method === 'GET' && pathname === '/shamir/key-info') {\n const shamir = service.shamirService;\n if (!shamir \|\| !(await shamir.ensureReady())) {\n const res = json({ code: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' }, { status: 503 });\n withCors(res.headers, opts, request);\n return res;\n }\n const out = await handleGetShamirKeyInfo(shamir);\n return toResponse(out);\n }\n\n if (opts.healthz && method === 'GET' && pathname === '/healthz') {\n // Surface simple CORS info for diagnostics (normalized)\n const allowed = buildCorsOrigins(...(opts.corsOrigins \|\| []));\n const corsAllowed = allowed === '' ? '' : allowed;\n const shamir = service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n let currentKeyId: string \| null = null;\n if (shamirConfigured && shamir) {\n try {\n const { currentKeyId: id } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n currentKeyId = id \|\| null;\n } catch {}\n }\n\n const proverBaseUrl = service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;\n const zkEmailConfigured = Boolean(proverBaseUrl);\n\n const res = json({\n ok: true,\n // Backwards-compatible field (was previously top-level).\n currentKeyId,\n shamir: { configured: shamirConfigured, currentKeyId },\n zkEmail: { configured: zkEmailConfigured, proverBaseUrl },\n cors: { allowedOrigins: corsAllowed },\n }, { status: 200 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n if (opts.readyz && method === 'GET' && pathname === '/readyz') {\n const allowed = buildCorsOrigins(...(opts.corsOrigins \|\| []));\n const corsAllowed = allowed === '' ? '' : allowed;\n\n const shamir = service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n\n let shamirReady: boolean \| null = null;\n let shamirCurrentKeyId: string \| null = null;\n let shamirError: string \| undefined;\n if (shamirConfigured && shamir) {\n try {\n await shamir.ensureReady();\n shamirReady = true;\n const { currentKeyId } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n shamirCurrentKeyId = currentKeyId \|\| null;\n } catch (e: any) {\n shamirReady = false;\n shamirError = e?.message \|\| String(e);\n }\n }\n\n const zk = service.emailRecovery\n ? await service.emailRecovery.checkZkEmailProverHealth()\n : { configured: false, baseUrl: null, healthy: null as boolean \| null };\n\n const ok =\n (shamirConfigured ? shamirReady === true : true) &&\n (zk.configured ? zk.healthy === true : true);\n\n const res = json({\n ok,\n shamir: {\n configured: shamirConfigured,\n ready: shamirConfigured ? shamirReady : null,\n currentKeyId: shamirCurrentKeyId,\n error: shamirError,\n },\n zkEmail: zk,\n cors: { allowedOrigins: corsAllowed },\n }, { status: ok ? 200 : 503 });\n withCors(res.headers, opts, request);\n return res;\n }\n\n return notFound();\n } catch (e: unknown) {\n const res = json({ code: 'internal', message: e instanceof Error ? e.message : String(e) }, { status: 500 });\n withCors(res.headers, opts, request);\n return res;\n }\n };\n}\n\n/\n Optional cron hook factory for Cloudflare Workers.\n * Default is inactive (no-op). Enable explicitly in your Worker entry.\n \n Example:\n * const cron = createCloudflareCron(service, { enabled: env.ENABLE_ROTATION === '1', rotate: false });\n * export default { fetch: router, scheduled: cron };\n /\nexport interface CloudflareCronOptions {\n enabled?: boolean; // default false\n rotate?: boolean; // if true, will attempt to rotate Shamir keypair (not persisted in Workers)\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n\nexport function createCloudflareCron(service: AuthService, opts: CloudflareCronOptions = {}): ScheduledHandler {\n const logger = normalizeRouterLogger(opts.logger);\n const enabled = Boolean(opts.enabled);\n const doRotate = Boolean(opts.rotate);\n if (!enabled) {\n return async () => { / no-op by default */ };\n }\n return async (_event: CfScheduledEvent) => {\n try {\n if (doRotate) {\n // Rotation in Workers is ephemeral unless you persist keys externally.\n // This call rotates in-memory only and logs the result.\n const shamir = service.shamirService;\n if (!shamir) {\n logger.warn('[cloudflare-cron] Shamir not configured; skipping rotation');\n } else {\n const rotation = await shamir.rotateShamirServerKeypair();\n logger.info('[cloudflare-cron] rotated key', rotation.newKeyId, 'graceIds:', rotation.graceKeyIds);\n }\n } else {\n logger.info('[cloudflare-cron] enabled but rotate=false (no action)');\n }\n } catch (e: unknown) {\n logger.error('[cloudflare-cron] failed', e instanceof Error ? e.message : String(e));\n }\n };\n}\n"],"mappings":";;AAMA,SAAgB,SAAS,GAAyB;AAChD,QAAO,OAAO,MAAM;;;;;ACEtB,eAAsB,sBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,aAAa,QAAQ,MAAM;AACjC,MAAI,CAAC,SAAS,eAAe,CAAC,WAC5B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAMA,MAAqC,MAAM,QAAQ,gBAAgB;EACzE,MAAM,QAAQ,QAAQ;AAEtB,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,GAAG;IAAK;;;UAE1BC,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,KACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAGlC,MAAM,EAAE,aAAa,UAAU;AAC/B,MAAI,CAAC,SAAS,gBAAgB,CAAC,YAC7B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAGlC,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,gBAAgB,OAAO;EAC7B,MAAM,eAAe,QAAQ;EAC7B,IAAIC;AAEJ,MAAI,gBAAgB,kBAAkB,aACpC,OAAM,MAAM,QAAQ,iBAAiB;WAC5B,QAAQ,YAAY,eAC7B,OAAM,MAAM,QAAQ,6BAA6B,eAAe,EAAE;MAElE,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;;UAEhBD,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;EACd,MAAM,eAAe,QAAQ;EAC7B,MAAM,cAAc,QAAQ;AAE5B,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IACnB;IACA,QAAQ,QAAQ,mBAAmB,iBAAiB;IACpD;;;UAGGA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;;;;AC0C5D,SAAgB,aAAa,OAA0B;CACrD,MAAM,sBAAM,IAAI;AAChB,MAAK,MAAM,OAAO,OAAO,SAAS,IAAI,MAAM,MAAM;EAChD,MAAM,IAAI,IAAI;AACd,MAAI,CAAC,EAAG;AACR,MAAI;GACF,MAAM,IAAI,IAAI,IAAI;GAClB,MAAM,OAAO,EAAE,SAAS;GACxB,MAAM,OAAO,EAAE,OAAO,IAAI,EAAE,SAAS;GACrC,MAAM,QAAQ,EAAE,aAAa,WAAW,EAAE,aAAa,WAAW,EAAE,WAAW;AAC/E,OAAI,IAAI,GAAG,MAAM,IAAI,OAAO;UACtB;GACN,MAAM,WAAW,EAAE,QAAQ,OAAO;AAClC,OAAI,SAAU,KAAI,IAAI;;;AAG1B,QAAO,MAAM,KAAK;;AAMpB,SAAgB,iBAAiB,GAAG,QAAmD;CACrF,MAAM,yBAAS,IAAI;AACnB,MAAK,MAAM,SAAS,OAClB,MAAK,MAAM,UAAU,aAAa,OAAQ,QAAO,IAAI;CAEvD,MAAM,OAAO,MAAM,KAAK;AACxB,QAAO,KAAK,SAAS,IAAI,OAAO;;;;;ACzHlC,SAAgB,iCAAiC,OAAuC;AACtF,KAAI,CAAC,SAAS,OAAO,UAAU,SAC7B,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAM,OAAO;CACb,MAAM,EAAE,MAAM,IAAI,SAAS,KAAK,YAAY;AAE5C,KAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,OAAO,OAAO,SAC5D,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;AAGtD,KAAI,CAAC,WAAW,OAAO,YAAY,SACjC,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAME,oBAA4C;AAClD,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,SAClC,mBAAkB,OAAO,GAAG,iBAAiB,OAAO;AAGtD,QAAO;EACL,IAAI;EACJ,SAAS;GACP;GACA;GACA,SAAS;GACT,KAAK,OAAO,QAAQ,WAAW,MAAM;GACrC,SAAS,OAAO,YAAY,WAAW,UAAU;;;;;;;;;;;;AAavD,SAAgB,0BAA0B,KAA+C;AACvF,KAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;CAI5C,IAAI,cAAc;CAClB,MAAM,QAAQ,IAAI,MAAM;CACxB,MAAM,cAAc,MAAM,MAAK,SAAQ,aAAa,KAAK;AACzD,KAAI,aAAa;EACf,MAAM,MAAM,YAAY,QAAQ;EAChC,MAAM,UAAU,OAAO,IAAI,YAAY,MAAM,MAAM,KAAK;AACxD,gBAAc,QAAQ;OAEtB,eAAc,IAAI;AAGpB,KAAI,CAAC,YAAa,QAAO;AAGzB,eAAc,YAAY,QAAQ,kBAAkB,IAAI;AACxD,KAAI,CAAC,YAAa,QAAO;CAGzB,MAAM,QAAQ,YAAY,MACxB;AAEF,KAAI,QAAQ,GACV,QAAO,MAAM;AAGf,QAAO;;;;;AC3FT,SAAS,UAAU,SAAsB,MAAkC;AACzE,KAAI,CAAC,QAAS,QAAO;CAErB,MAAM,eAAe;AACrB,KAAI,OAAO,aAAa,QAAQ,YAAY;EAC1C,MAAMC,MAAI,aAAa,IAAI;AAC3B,SAAQ,OAAOA,QAAM,WAAYA,MAAI;;CAGvC,MAAM,SAAS;CACf,MAAM,IAAI,OAAO,KAAK,kBAAkB,OAAO;AAC/C,KAAI,MAAM,QAAQ,GAAI,QAAQ,OAAO,EAAE,OAAO,WAAY,EAAE,KAAK;AACjE,QAAQ,OAAO,MAAM,WAAY,IAAI;;AAGvC,SAAS,kBAAkB,MAAe,SAA2C;CACnF,MAAM,gBACH,OAAQ,MAAc,iBAAiB,WAAW,OAAQ,KAAa,gBAAgB,QACvF,OAAQ,MAAc,kBAAkB,WAAW,OAAQ,KAAa,iBAAiB;CAC5F,MAAM,iBAAiB,UAAU,SAAS,4BAA4B,UAAU,SAAS,sBAAsB;CAC/G,MAAM,OAAO,gBAAgB,gBAAgB;AAC7C,QAAO,MAAM,MAAM;;AAGrB,SAAgB,yBAAyB,MAAe,OAAkC,IAA6B;CACrH,MAAM,eAAe,kBAAkB,MAAM,KAAK;CAElD,MAAM,aAAa,iCAAiC;AACpD,KAAI,CAAC,WAAW,GACd,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM,WAAW;EAAM,SAAS,WAAW;;CAG9E,MAAM,UAAU,WAAW;CAC3B,MAAM,YAAY,QAAQ,OAAO;CACjC,MAAM,eAAe,QAAQ,WAAW;CAExC,MAAM,gBAAgB,aAAa;CACnC,MAAM,kBAAkB,0BAA0B,iBAAiB;CACnE,MAAM,kBAAkB,OAAO,aAAa,wBAAwB,aAAa,mBAAmB,IAAI;CACxG,MAAM,aAAa,mBAAmB,mBAAmB,IAAI;AAE7D,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAmB,SAAS;;AAErE,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAiB,SAAS;;AAGnE,QAAO;EAAE,IAAI;EAAM;EAAW;EAAW;;;;;;AClF3C,SAAS,KAAK,IAAiE;AAC7E,KAAI,CAAC,GAAI,cAAa;AACtB,SAAQ,GAAG,SAAoB;AAC7B,MAAI;AACF,MAAG,GAAG;UACA;;;;;;;;AAWZ,SAAgB,gBAAgB,QAA0C;AACxE,KAAI,CAAC,OACH,QAAO;EAAE,aAAa;EAAI,YAAY;EAAI,YAAY;EAAI,aAAa;;CAGzE,MAAMC,OAAe;CACrB,MAAM,MAAM,OAAO,KAAK,QAAQ,aAAa,KAAK,IAAI,KAAK,QAAQ;CAEnE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;CAC1E,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;AAE1E,QAAO;EACL,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,OAAO,KAAK;;;;;;AC3ChB,MAAa,wBAAwB;;;;AC6FrC,SAAS,cAAc,MAAsB;CAC3C,MAAM,UAAU,OAAO,QAAQ,IAAI;AACnC,KAAI,CAAC,QAAS,QAAO;AACrB,QAAO,QAAQ,WAAW,OAAO,UAAU,IAAI;;AAGjD,SAAS,KAAK,MAAe,MAAqB,cAAiD;CACjG,MAAM,UAAU,IAAI,QAAQ,EAAE,gBAAgB;CAG9C,MAAM,cAAe,MAAc;AACnC,KAAI,YACF,KAAI;AACF,MAAI,QAAQ,aAAa,SAAS,GAAG,MAAM,QAAQ,IAAI,GAAG;SACpD;AAGV,KAAI,aACF,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,cAAe,SAAQ,IAAI,GAAG;CAGpE,MAAM,EAAE,SAAS,MAAO,GAAG,SAAS,QAAQ;AAC5C,QAAO,IAAI,SAAS,KAAK,UAAU,OAAO;EAAE,QAAQ;EAAK,GAAG;EAAM;;;AAGpE,SAAS,SAAS,SAAkB,MAA2B,SAAyB;AACtF,KAAI,CAAC,MAAM,YAAa;CACxB,IAAIC;CACJ,MAAM,aAAa,iBAAiB,GAAI,KAAK,eAAe;AAC5D,KAAI,eAAe,KAAK;AACtB,kBAAgB;AAChB,UAAQ,IAAI,+BAA+B;YAClC,MAAM,QAAQ,aAAa;EACpC,MAAM,SAAS,SAAS,QAAQ,IAAI,aAAa;AACjD,MAAI,UAAU,WAAW,SAAS,SAAS;AACzC,mBAAgB;AAChB,WAAQ,IAAI,+BAA+B;AAC3C,WAAQ,OAAO,QAAQ;;;AAG3B,SAAQ,IAAI,gCAAgC;AAC5C,SAAQ,IAAI,gCAAgC;AAE5C,KAAI,iBAAiB,kBAAkB,IACrC,SAAQ,IAAI,oCAAoC;;AAIpD,SAAS,sBAAsB,OAAuB;CACpD,MAAM,UAAU,OAAO,SAAS,IAAI;CACpC,MAAM,aAAa,QAAQ,QAAQ;CACnC,MAAM,WAAW,QAAQ,QAAQ;AACjC,KAAI,eAAe,MAAM,WAAW,WAClC,QAAO,QAAQ,MAAM,aAAa,GAAG,UAAU,OAAO;AAExD,QAAO,QAAQ;;AAGjB,SAAS,sBAAsB,OAAwB;AACrD,QAAO,OAAO,SAAS,IACpB,QAAQ,YAAY,KACpB,QAAQ,QAAQ,KAChB;;AAGL,SAAS,wBAAwB,OAAwC;CACvE,MAAMC,MAA8B;AACpC,KAAI,CAAC,MAAO,QAAO;CAEnB,MAAM,eAAe;AACrB,KAAI,OAAO,aAAa,YAAY,WAClC,KAAI;AACF,eAAa,SAAS,GAAY,MAAe;AAC/C,OAAI,OAAO,GAAG,iBAAiB,OAAO;;AAExC,SAAO;SACD;AAGV,KAAI,OAAO,aAAa,OAAO,cAAc,WAC3C,KAAI;AACF,OAAK,MAAM,SAAS,cAAmC;AACrD,OAAI,CAAC,MAAM,QAAQ,OAAQ;GAC3B,MAAM,CAAC,GAAG,KAAK;AACf,OAAI,OAAO,GAAG,iBAAiB,OAAO;;AAExC,SAAO;SACD;AAGV,KAAI,OAAO,UAAU,SACnB,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,OAClC,KAAI,OAAO,GAAG,iBAAiB,OAAO;AAI1C,QAAO;;AAGT,eAAe,kDAAkD,SAM9D;CACD,MAAM,OAAO,OAAO,SAAS,QAAQ;CACrC,MAAM,KAAK,OAAO,SAAS,MAAM;CACjC,MAAM,UAAU,wBAAyB,SAAiB;CAE1D,IAAI,MAAM;AACV,KAAI;AACF,QAAM,MAAM,IAAI,SAAU,SAAiB,KAAK;SAC1C;CAER,MAAM,UAAU,OAAQ,SAAiB,YAAY,WAAY,QAAgB,UAAU;AAE3F,QAAO;EAAE;EAAM;EAAI;EAAS;EAAK;;;AAsBnC,SAAgB,6BAA6B,SAAsB,OAAsC,IAAkB;CACzH,MAAM,SAAS,sBAAsB,KAAK;CAC1C,MAAM,oBAAoB,sBAAsB,KAAK,qBAAqB;CAC1E,MAAM,2BAA2B,KAAK,6BAA6B;CACnE,MAAM,UAAU,QAAQ,KAAK;AAE7B,QAAO,OAAO,YAA2C;AACvD,MAAI;GACF,MAAM,UAAU,MAAM,kDAAkD;GAExE,MAAM,KAAK,sBAAsB,QAAQ;AACzC,OAAI,mBACF;QAAI,OAAO,mBAAmB;AAC5B,YAAO,KAAK,gCAAgC;MAAE;MAAI;;AAClD,SAAI,CAAC,0BAA0B;AAC7B,cAAQ,UAAU;AAClB;;;;AAKN,OAAI,QACF,QAAO,KAAK,mBAAmB;IAAE,MAAM,QAAQ;IAAM,IAAI,QAAQ;IAAI,SAAS,QAAQ,QAAQ;;GAGhG,MAAM,SAAS,yBAAyB,SAAgB,EAAE,SAAS,QAAQ;AAC3E,OAAI,CAAC,OAAO,IAAI;AACd,WAAO,KAAK,qBAAqB;KAAE,MAAM,OAAO;KAAM,SAAS,OAAO;;AACtE,YAAQ,UAAU,0CAA0C,OAAO;AACnE;;AAGF,OAAI,CAAC,QAAQ,eAAe;AAC1B,WAAO,KAAK;AACZ,YAAQ,UAAU;AAClB;;GAGF,MAAM,SAAS,MAAM,QAAQ,cAAc,qBAAqB;IAC9D,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB,cAAc,OAAO;;AAGvB,OAAI,CAAC,QAAQ,SAAS;AACpB,WAAO,KAAK,2BAA2B;KACrC,WAAW,OAAO;KAClB,OAAO,QAAQ,SAAS;KACxB,SAAS,QAAQ;;IAEnB,MAAM,SAAS,sBAAsB,QAAQ,WAAW,QAAQ,SAAS;AACzE,YAAQ,UAAU,0CAA0C;AAC5D;;AAGF,UAAO,KAAK,8BAA8B,EAAE,WAAW,OAAO;WACvDC,GAAQ;AACf,UAAO,MAAM,0BAA0B,EAAE,SAAS,GAAG,WAAW,OAAO;AACvE,WAAQ,UAAU;;;;AAKxB,SAAgB,uBAAuB,SAAsB,OAA2B,IAAkB;CACxG,MAAM,iBAAiB,IAAI,SAAS,aAAa,EAAE,QAAQ;CAC3D,MAAM,SAAS,KAAK,eAAe,QAAQ;CAC3C,MAAM,aAAa,KAAK,eAAe,UAAU;CACjD,MAAM,SAAS,sBAAsB,KAAK;CAC1C,MAAM,4BAA4B;AAChC,MAAI,CAAC,KAAK,eAAgB,QAAO;EACjC,MAAM,MAAM,OAAO,KAAK,eAAe,SAAS,IAAI;AACpD,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM;AAC1B,SAAO,cAAc;;CAEvB,MAAM,uBAAuB,KAAK,gBAAgB;AAElD,QAAO,eAAe,QAAQ,SAAkB,KAAa,KAA6C;EACxG,MAAM,MAAM,IAAI,IAAI,QAAQ;EAC5B,MAAM,EAAE,aAAa;EACrB,MAAM,SAAS,QAAQ,OAAO;AAG9B,MAAI,WAAW,WAAW;GACxB,MAAM,MAAM,IAAI,SAAS,MAAM,EAAE,QAAQ;AACzC,YAAS,IAAI,SAAS,MAAM;AAC5B,UAAO;;EAIT,MAAM,cAAc,QAA2E;GAC7F,MAAM,MAAM,IAAI,SAAS,IAAI,MAAM;IAAE,QAAQ,IAAI;IAAQ,SAAS,IAAI;;AACtE,YAAS,IAAI,SAAS,MAAM;AAC5B,UAAO;;EAGT,MAAM,YAAY,MAA6C,OAAO,MAAM,YAAY,MAAM;AAE9F,MAAI;AAEF,OAAI,WAAW,UAAU,aAAa,2BAA2B,aAAa,2BAA2B;IACvG,MAAM,cAAc,KAAK,mBAAmB,KAAK,wBAAwB,IAAI,WAAW,UAAU;IAClG,MAAM,cAAc,KAAK,cAAc,IAAI,WAAW,UAAU;IAChE,MAAM,UAAU,MAAM,QAAQ,cAAc;KAAE;KAAY,QAAQ;;IAClE,MAAM,MAAM,KAAK,EAAE,WAAW;KAAE,QAAQ;KAAK,SAAS,EAAE,iBAAiB;;AACzE,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAGT,OAAI,WAAW,UAAU,aAAa,qCAAqC;IACzE,IAAIC;AACJ,QAAI;AAAE,YAAO,MAAM,QAAQ;YAAgB;AAAE,YAAO;;AACpD,QAAI,CAAC,SAAS,OAAO;KACnB,MAAMC,QAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAAwB,EAAE,QAAQ;AACpF,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAGT,MAAM,iBAAiB,OAAO,KAAK,mBAAmB,WAAW,KAAK,iBAAiB;IACvF,MAAM,iBAAiB,OAAO,KAAK,mBAAmB,WAAW,KAAK,iBAAiB;IACvF,MAAM,WAAW,SAAS,KAAK,YAAY,KAAK,WAAW;IAC3D,MAAM,wBAAwB,SAAS,KAAK,yBAAyB,KAAK,wBAAwB;IAClG,MAAM,+BAAgC,KAAiC;IACvE,MAAM,wBAAwB,SAAU,KAAiC,yBACpE,KAAiC,wBAClC;AAEJ,QAAI,CAAC,gBAAgB;KACnB,MAAMA,QAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAAuC,EAAE,QAAQ;AACnG,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;AAET,QAAI,CAAC,gBAAgB;KACnB,MAAMA,QAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAAuC,EAAE,QAAQ;AACnG,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;AAET,QAAI,CAAC,UAAU;KACb,MAAMA,QAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAAiC,EAAE,QAAQ;AAC7F,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;AAET,QAAI,CAAC,uBAAuB;KAC1B,MAAMA,QAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAA8C,EAAE,QAAQ;AAC1G,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAGT,MAAM,QAAQ;KACZ;KACA;KACA;KACA;KACA;KACA;;IAGF,MAAM,SAAS,MAAM,QAAQ,6BAA6B;IAC1D,MAAM,MAAM,KAAK,QAAQ,EAAE,QAAQ,OAAO,UAAU,MAAM;AAC1D,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAIT,OAAI,sBAAsB,aAAa,oBAAoB;AACzD,QAAI,WAAW,WAAW;KACxB,MAAMA,QAAM,IAAI,SAAS,MAAM,EAAE,QAAQ;AACzC,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;AAET,QAAI,WAAW,OAAQ,QAAO;IAE9B,IAAID;AACJ,QAAI;AAAE,YAAO,MAAM,QAAQ;YAAgB;AAAE,YAAO;;IACpD,MAAM,QAAQ,SAAS,SAAS,OAAQ,KAAa,SAAS,YAAY,QAAS,KAAa,SAAS,QAAS,KAAa;AAC/H,QAAI,CAAC,OAAO;KACV,MAAMC,QAAM,KAAK;MAAE,IAAI;MAAO,MAAM;MAAgB,SAAS;QAAuC,EAAE,QAAQ;AAC9G,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAGT,MAAM,SAAS,MAAM,QAAQ,sBAAsB;KACjD,MAAM,OAAQ,KAAa;KAC3B,gBAAiB,KAAa;KAC9B,QAAQ;;AAGV,QAAI,CAAC,UAAU,CAAC,OAAO,IAAI;KACzB,MAAMA,QAAM,KAAK;MACf,IAAI;MACJ,MAAM,QAAQ,QAAQ;MACtB,SAAS,QAAQ,SAAS;QACzB,EAAE,QAAQ;AACb,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAGT,MAAM,MAAM,KAAK;KACf,IAAI;KACJ,eAAe,OAAO,mBAAmB;KACzC,QAAQ;KACR,SAAS,OAAO,WAAW;OAC1B,EAAE,QAAQ;AACb,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAGT,OAAI,WAAW,UAAU,aAAa,0BAA0B;IAC9D,MAAM,SAAS,QAAQ;AACvB,QAAI,CAAC,UAAU,CAAE,MAAM,OAAO,eAAgB;KAC5C,MAAM,MAAM,KAAK;MAAE,MAAM;MAAmB,SAAS;QAAoD,EAAE,QAAQ;AACnH,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;;IAET,IAAID;AAAe,QAAI;AAAE,YAAO,MAAM,QAAQ;YAAgB;AAAE,YAAO;;IACvE,MAAM,QAAQ,SAAS,SAAS,OAAO,KAAK,eAAe,YAAY,KAAK,WAAW,SAAS;AAChG,QAAI,CAAC,OAAO;KACV,MAAM,MAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAA4B,EAAE,QAAQ;AACxF,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;;IAET,MAAM,MAAM,MAAM,sBAAsB,QAAQ,EAC9C,MAAM,EAAE,YAAY,OAAQ,KAAiC;AAE/D,WAAO,WAAW;;AAGpB,OAAI,WAAW,UAAU,aAAa,mCAAmC;IACvE,IAAIA;AAAe,QAAI;AAAE,YAAO,MAAM,QAAQ;YAAgB;AAAE,YAAO;;IACvE,MAAM,QAAQ,SAAS,SAClB,SAAU,KAAa,aACvB,SAAU,KAAa;AAC5B,QAAI,CAAC,OAAO;KACV,MAAM,MAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAAuD,EAAE,QAAQ;AACnH,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;;AAET,QAAI;KACF,MAAM,eAAgB,MAAc,eAAgB,MAAc,kBAAkB,WAAW,WAAW;KAC1G,MAAM,SAAS,MAAM,QAAQ,6BAA6B;KAC1D,MAAM,SAAS,OAAO,UAAU,MAAM;AACtC,SAAI,WAAW,KAAK;MAClB,MAAMC,QAAM,KAAK;OAAE,MAAM;OAAgB,SAAS,OAAO,WAAW;SAAwC,EAAE;AAC9G,eAASA,MAAI,SAAS,MAAM;AAC5B,aAAOA;;KAET,MAAM,MAAM,KAAK,QAAQ,EAAE,QAAQ;KACnC,MAAM,UAAU,KAAK;AACrB,SAAI,WAAW,OAAO,SACpB,KAAI;MACF,MAAM,SAAS,OAAQ,KAAa,UAAU,WAAW;MACzD,MAAM,QAAQ,MAAM,QAAQ,QAAQ,QAAQ;OAAE,MAAO,KAAa,UAAU;OAAO,aAAc,KAAa,UAAU;;AACxH,aAAO,KAAK,oBAAoB,gBAAgB,WAAW,qBAAqB,MAAM,OAAO;AAC7F,UAAI,gBAAgB,SAClB,KAAI,QAAQ,IAAI,cAAc,QAAQ,eAAe;WAChD;OACL,MAAM,UAAU,MAAM,IAAI,QAAQ;AAClC,cAAO,IAAI,SAAS,KAAK,UAAU;QAAE,GAAG;QAAS,KAAK;WAAU;QAAE,QAAQ;QAAK,SAAS,IAAI;;;aAExF;AAEV,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;aACAF,GAAQ;KACf,MAAM,MAAM,KAAK;MAAE,MAAM;MAAY,SAAS,GAAG,WAAW;QAAoB,EAAE,QAAQ;AAC1F,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;;;AAIX,OAAI,WAAW,SAAS,aAAa,OACnC,KAAI;IACF,MAAMG,aAAqC;AAC3C,YAAQ,QAAQ,SAAS,GAAG,MAAM;AAAE,gBAAW,KAAK;;IACpD,MAAM,UAAU,KAAK;AACrB,QAAI,CAAC,SAAS;KACZ,MAAMD,QAAM,KAAK;MAAE,eAAe;MAAO,MAAM;MAAqB,SAAS;QAAiC,EAAE,QAAQ;AACxH,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAET,MAAM,SAAS,MAAM,QAAQ,MAAM;IACnC,MAAM,MAAM,KAAK,OAAO,KAAK;KAAE,eAAe;KAAM,QAAS,OAAe;QAAW,EAAE,eAAe,SAAS,EAAE,QAAQ,OAAO,KAAK,MAAM;AAC7I,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;YACAF,GAAQ;IACf,MAAM,MAAM,KAAK;KAAE,eAAe;KAAO,MAAM;KAAY,SAAS,GAAG,WAAW;OAAoB,EAAE,QAAQ;AAChH,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAIX,OAAI,WAAW,UAAU,aAAa,YAAY;IAChD,MAAM,MAAM,KAAK,EAAE,SAAS,QAAQ,EAAE,QAAQ;IAC9C,MAAM,UAAU,KAAK;AACrB,QAAI,QAEF,KAAI,QAAQ,IAAI,cAAc,QAAQ;AAExC,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAGT,OAAI,WAAW,UAAU,aAAa,oBAAoB;IACxD,IAAIC;AAAe,QAAI;AAAE,YAAO,MAAM,QAAQ;YAAgB;AAAE,YAAO;;IACvE,MAAM,eAAgB,MAAc,eAAgB,MAAc,kBAAkB,WAAW,WAAW;IAC1G,MAAM,UAAU,KAAK;AACrB,QAAI,CAAC,SAAS;KACZ,MAAMC,QAAM,KAAK;MAAE,MAAM;MAAqB,SAAS;QAAiC,EAAE,QAAQ;AAClG,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAET,MAAM,MAAM,MAAM,QAAQ,QAAQ,OAAO,YAAY,QAAQ,QAAQ;AACrE,QAAI,CAAC,IAAI,MAAM,CAAC,IAAI,KAAK;KACvB,MAAMA,QAAM,KAAK;MAAE,MAAM,IAAI,QAAQ;MAAgB,SAAS,IAAI,WAAW;QAA0B,EAAE,QAAS,IAAI,SAAS,iBAAkB,MAAM;AACvJ,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAET,MAAM,MAAM,KAAK,gBAAgB,WAAW,EAAE,IAAI,SAAS;KAAE,IAAI;KAAM,KAAK,IAAI;OAAO,EAAE,QAAQ;AACjG,QAAI,gBAAgB,YAAY,IAAI,IAClC,KAAI;AACF,SAAI,QAAQ,IAAI,cAAc,QAAQ,eAAe,IAAI;YACnD;AAEV,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAGT,OAAI,WAAW,UAAU,aAAa,kBAAkB;IACtD,MAAM,SAAS,OAAO,QAAQ,QAAQ,IAAI,aAAa,IAAI;IAC3D,MAAM,eACJ,OAAO,SAAS,oBAChB,OAAO,IAAI,aAAa,IAAI,YAAY,IAAI,WAAW,OACvD,OAAO,IAAI,aAAa,IAAI,oBAAoB,IAAI,WAAW;IAEjE,IAAIE;AAAkB,QAAI;AAAE,eAAU,MAAM,QAAQ;YAAgB;AAAE,eAAU;;IAChF,MAAM,SAAS,yBAAyB,SAAS,EAAE,SAAS,QAAQ;AACpE,QAAI,CAAC,OAAO,IAAI;KACd,MAAMF,QAAM,KAAK;MAAE,MAAM,OAAO;MAAM,SAAS,OAAO;QAAW,EAAE,QAAQ,OAAO;AAClF,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAET,MAAM,EAAE,WAAW,WAAW,iBAAiB;AAE/C,QAAI,CAAC,QAAQ,eAAe;KAC1B,MAAMA,QAAM,KACV;MAAE,MAAM;MAA8B,SAAS;QAC/C,EAAE,QAAQ;AAEZ,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;AAGT,QAAI,gBAAgB,OAAO,OAAO,IAAI,cAAc,YAAY;AAC9D,SAAI,UACF,QAAQ,cACL,qBAAqB;MAAE;MAAW;MAAW;QAC7C,MAAM,aAAW;AAChB,aAAO,KAAK,kCAAkC;OAC5C,SAASG,UAAQ,YAAY;OAC7B;OACA,OAAOA,UAAQ,UAAU,SAAYA,UAAQ;;QAGhD,OAAO,QAAa;AACnB,aAAO,MAAM,+BAA+B;OAC1C;OACA,OAAO,KAAK,WAAW,OAAO;;;KAItC,MAAMH,QAAM,KAAK;MAAE,SAAS;MAAM,QAAQ;MAAM;QAAa,EAAE,QAAQ;AACvE,cAASA,MAAI,SAAS,MAAM;AAC5B,YAAOA;;IAGT,MAAM,SAAS,MAAM,QAAQ,cAAc,qBAAqB;KAAE;KAAW;KAAW;;IACxF,MAAM,MAAM,KAAK,QAAQ,EAAE,QAAQ,OAAO,UAAU,MAAM;AAC1D,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAGT,OAAI,WAAW,UAAU,aAAa,2BAA2B;IAC/D,MAAM,SAAS,QAAQ;AACvB,QAAI,CAAC,UAAU,CAAE,MAAM,OAAO,eAAgB;KAC5C,MAAM,MAAM,KAAK;MAAE,MAAM;MAAmB,SAAS;QAAoD,EAAE,QAAQ;AACnH,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;;IAET,IAAID;AAAe,QAAI;AAAE,YAAO,MAAM,QAAQ;YAAgB;AAAE,YAAO;;IACvE,MAAM,QAAQ,SAAS,SAClB,OAAO,KAAK,gBAAgB,YAAY,KAAK,YAAY,SAAS,KAClE,OAAQ,KAAiC,UAAU,YACnD,OAAQ,KAAiC,OAAO,SAAS;AAC9D,QAAI,CAAC,OAAO;KACV,MAAM,MAAM,KAAK;MAAE,MAAM;MAAgB,SAAS;QAAwC,EAAE,QAAQ;AACpG,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;;IAET,MAAM,MAAM,MAAM,uBAAuB,QAAQ,EAC/C,MAAM;KACJ,aAAa,OAAQ,KAAiC;KACtD,OAAO,OAAQ,KAAiC;;AAGpD,WAAO,WAAW;;AAGpB,OAAI,WAAW,SAAS,aAAa,oBAAoB;IACvD,MAAM,SAAS,QAAQ;AACvB,QAAI,CAAC,UAAU,CAAE,MAAM,OAAO,eAAgB;KAC5C,MAAM,MAAM,KAAK;MAAE,MAAM;MAAmB,SAAS;QAAoD,EAAE,QAAQ;AACnH,cAAS,IAAI,SAAS,MAAM;AAC5B,YAAO;;IAET,MAAM,MAAM,MAAM,uBAAuB;AACzC,WAAO,WAAW;;AAGpB,OAAI,KAAK,WAAW,WAAW,SAAS,aAAa,YAAY;IAE/D,MAAM,UAAU,iBAAiB,GAAI,KAAK,eAAe;IACzD,MAAM,cAAc,YAAY,MAAM,MAAM;IAC5C,MAAM,SAAS,QAAQ;IACvB,MAAM,mBAAmB,QAAQ,UAAU,OAAO;IAClD,IAAIK,eAA8B;AAClC,QAAI,oBAAoB,OACtB,KAAI;KACF,MAAM,EAAE,cAAc,OAAO,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAC/E,oBAAe,MAAM;YACf;IAGV,MAAM,gBAAgB,QAAQ,eAAe,+BAA+B;IAC5E,MAAM,oBAAoB,QAAQ;IAElC,MAAM,MAAM,KAAK;KACf,IAAI;KAEJ;KACA,QAAQ;MAAE,YAAY;MAAkB;;KACxC,SAAS;MAAE,YAAY;MAAmB;;KAC1C,MAAM,EAAE,gBAAgB;OACvB,EAAE,QAAQ;AACb,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAGT,OAAI,KAAK,UAAU,WAAW,SAAS,aAAa,WAAW;IAC7D,MAAM,UAAU,iBAAiB,GAAI,KAAK,eAAe;IACzD,MAAM,cAAc,YAAY,MAAM,MAAM;IAE5C,MAAM,SAAS,QAAQ;IACvB,MAAM,mBAAmB,QAAQ,UAAU,OAAO;IAElD,IAAIC,cAA8B;IAClC,IAAIC,qBAAoC;IACxC,IAAIC;AACJ,QAAI,oBAAoB,OACtB,KAAI;AACF,WAAM,OAAO;AACb,mBAAc;KACd,MAAM,EAAE,iBAAiB,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAC3E,0BAAqB,gBAAgB;aAC9BT,GAAQ;AACf,mBAAc;AACd,mBAAc,GAAG,WAAW,OAAO;;IAIvC,MAAM,KAAK,QAAQ,gBACf,MAAM,QAAQ,cAAc,6BAC5B;KAAE,YAAY;KAAO,SAAS;KAAM,SAAS;;IAEjD,MAAM,MACH,mBAAmB,gBAAgB,OAAO,UAC1C,GAAG,aAAa,GAAG,YAAY,OAAO;IAEzC,MAAM,MAAM,KAAK;KACf;KACA,QAAQ;MACN,YAAY;MACZ,OAAO,mBAAmB,cAAc;MACxC,cAAc;MACd,OAAO;;KAET,SAAS;KACT,MAAM,EAAE,gBAAgB;OACvB,EAAE,QAAQ,KAAK,MAAM;AACxB,aAAS,IAAI,SAAS,MAAM;AAC5B,WAAO;;AAGT,UAAO;WACAU,GAAY;GACnB,MAAM,MAAM,KAAK;IAAE,MAAM;IAAY,SAAS,aAAa,QAAQ,EAAE,UAAU,OAAO;MAAM,EAAE,QAAQ;AACtG,YAAS,IAAI,SAAS,MAAM;AAC5B,UAAO;;;;AAoBb,SAAgB,qBAAqB,SAAsB,OAA8B,IAAsB;CAC7G,MAAM,SAAS,sBAAsB,KAAK;CAC1C,MAAM,UAAU,QAAQ,KAAK;CAC7B,MAAM,WAAW,QAAQ,KAAK;AAC9B,KAAI,CAAC,QACH,QAAO,YAAY;AAErB,QAAO,OAAO,WAA6B;AACzC,MAAI;AACF,OAAI,UAAU;IAGZ,MAAM,SAAS,QAAQ;AACvB,QAAI,CAAC,OACH,QAAO,KAAK;SACP;KACL,MAAM,WAAW,MAAM,OAAO;AAC9B,YAAO,KAAK,iCAAiC,SAAS,UAAU,aAAa,SAAS;;SAGxF,QAAO,KAAK;WAEPA,GAAY;AACnB,UAAO,MAAM,4BAA4B,aAAa,QAAQ,EAAE,UAAU,OAAO"}
1	+ {"version":3,"file":"cloudflare.js","names":["normalizedHeaders: Record<string, string>","v","base: Logger","out: Record<string, string>","e: any","e: unknown","allowedOrigin: string \| '' \| undefined","out: Record<string, string>","thresholdKeygen:\n \| (Awaited<ReturnType<NonNullable<typeof threshold>['keygenFromClientVerifyingShareForRegistration']>> & { ok: true })\n \| null","thresholdWarning: string \| null","response: CreateAccountAndRegisterResult","e: unknown","out: ShamirApplyServerLockResponse","e: any","out: ShamirRemoveServerLockResponse","currentKeyId: string \| null","shamirReady: boolean \| null","shamirCurrentKeyId: string \| null","shamirError: string \| undefined","e: any","result","e: any","isObject","threshold","result","e: any","effectiveOpts: RelayRouterOptions","handlers: Array<(c: CloudflareRelayContext) => Promise<Response \| null>>","baseCtx: Omit<CloudflareRelayContext, 'request' \| 'url' \| 'pathname' \| 'method'>","ctx: CloudflareRelayContext","e: unknown"],"sources":["../../../../src/utils/validation.ts","../../../../src/server/email-recovery/zkEmail/index.ts","../../../../src/server/email-recovery/emailParsers.ts","../../../../src/server/core/logger.ts","../../../../src/server/router/logger.ts","../../../../src/server/router/cloudflare/email.ts","../../../../src/server/router/cloudflare/cron.ts","../../../../src/server/core/SessionService.ts","../../../../src/server/router/cloudflare/http.ts","../../../../src/server/router/cloudflare/routes/createAccountAndRegisterUser.ts","../../../../src/server/core/shamirHandlers.ts","../../../../src/server/router/cloudflare/routes/health.ts","../../../../src/server/router/cloudflare/routes/recoverEmail.ts","../../../../src/server/router/relay.ts","../../../../src/server/router/cloudflare/routes/sessions.ts","../../../../src/server/router/cloudflare/routes/shamir.ts","../../../../src/server/router/cloudflare/routes/signedDelegate.ts","../../../../src/server/threshold/statusCodes.ts","../../../../src/server/core/ThresholdService/validation.ts","../../../../src/server/router/commonRouterUtils.ts","../../../../src/server/router/cloudflare/routes/thresholdEd25519.ts","../../../../src/server/router/cloudflare/routes/verifyAuthenticationResponse.ts","../../../../src/server/router/cloudflare/routes/wellKnown.ts","../../../../src/server/router/routerOptions.ts","../../../../src/server/router/cloudflare/createCloudflareRouter.ts"],"sourcesContent":["\nexport interface ValidationResult {\n valid: boolean;\n error?: string;\n}\n\n// ==============================\n// Normalization helpers (shared)\n// ==============================\n\n/* Strict string coercion: returns the value only when it's already a string. /\nexport function toOptionalString(value: unknown): string {\n return typeof value === 'string' ? value : '';\n}\n\n/* Strict string coercion + trimming. /\nexport function toOptionalTrimmedString(value: unknown): string {\n return toOptionalString(value).trim();\n}\n\n/* String coercion + trimming (useful at IO boundaries). /\nexport function toTrimmedString(value: unknown): string {\n return String(value ?? '').trim();\n}\n\n/* Remove trailing `/` characters (e.g. base URL normalization). /\nexport function stripTrailingSlashes(value: string): string {\n return String(value ?? '').replace(/\\/+$/, '');\n}\n\n/* Ensure a non-empty string starts with `/` (path normalization). /\nexport function ensureLeadingSlash(value: string): string {\n const trimmed = String(value ?? '').trim();\n if (!trimmed) return '';\n return trimmed.startsWith('/') ? trimmed : `/${trimmed}`;\n}\n\n/* Normalize an app base path like `/sdk` (leading slash, no trailing slashes except `/`). /\nexport function toBasePath(value?: string, fallback = '/sdk'): string {\n const base = ensureLeadingSlash(typeof value === 'string' ? value : fallback) \|\| ensureLeadingSlash(fallback) \|\| '/';\n if (base === '/') return '/';\n return base.replace(/\\/+$/, '');\n}\n\n/* Best-effort origin normalization (used by CSP/Permissions-Policy helpers). /\nexport function toOriginOrUndefined(input?: string): string \| undefined {\n try {\n const v = (input \|\| '').trim();\n if (!v) return undefined;\n // Next/Caddy/etc. expect an origin, not a path\n return new URL(v, 'http://dummy').origin === 'http://dummy' ? new URL(v).origin : v;\n } catch {\n return input?.trim() \|\| undefined;\n }\n}\n\n/\n Strict origin sanitizer for Related Origin Requests (ROR).\n * - Allows `https://<host>[:port]` and `http://localhost[:port]` only.\n * - Rejects paths (except `/`), queries, and hashes.\n * - Normalizes hostname casing.\n /\nexport function toRorOriginOrNull(value: unknown): string \| null {\n if (typeof value !== 'string') return null;\n const raw = toTrimmedString(value);\n if (!raw) return null;\n try {\n const u = new URL(raw);\n const scheme = u.protocol;\n const host = u.hostname.toLowerCase();\n const port = u.port ? `:${u.port}` : '';\n const isHttps = scheme === 'https:';\n const isLocalhostHttp = scheme === 'http:' && host === 'localhost';\n if (!isHttps && !isLocalhostHttp) return null;\n if ((u.pathname && u.pathname !== '/') \|\| u.search \|\| u.hash) return null;\n return `${scheme}//${host}${port}`;\n } catch {\n return null;\n }\n}\n\n/* Collapse a string into a single line by normalizing whitespace. /\nexport function toSingleLine(value: unknown): string {\n return String(value ?? '')\n .replace(/[\\r\\n]+/g, ' ')\n .replace(/\\s+/g, ' ')\n .trim();\n}\n\n/\n Ensure a key string has the NEAR Ed25519 prefix (`ed25519:`).\n \n - Accepts either `ed25519:<base58>` or a bare `<base58>` string.\n * - Canonicalizes `ED25519:` → `ed25519:`.\n * - If a different prefix is present (e.g. `secp256k1:`), returns the input unchanged.\n /\nexport function ensureEd25519Prefix(value: string): string {\n const raw = String(value ?? '').trim();\n if (!raw) return '';\n\n if (/^[a-z0-9_]+:/i.test(raw)) {\n if (/^ed25519:/i.test(raw)) {\n return `ed25519:${raw.replace(/^ed25519:/i, '')}`;\n }\n return raw;\n }\n\n return `ed25519:${raw}`;\n}\n\nexport interface NearAccountValidationOptions {\n /* Restrict to specific suffixes (e.g., ['testnet', 'near']) /\n allowedSuffixes?: string[];\n /* Require Top-level domains with exactly 2 parts (username.suffix) instead of allowing subdomains /\n requireTopLevelDomain?: boolean;\n}\n\n/\n Validate NEAR account ID format with optional suffix restrictions\n * @param nearAccountId - The account ID to validate\n * @param options - Optional validation constraints\n /\nexport function validateNearAccountId(\n nearAccountId: string,\n options: NearAccountValidationOptions = {\n allowedSuffixes: ['testnet', 'near'],\n requireTopLevelDomain: false\n }\n): ValidationResult {\n if (!nearAccountId \|\| typeof nearAccountId !== 'string') {\n return { valid: false, error: 'Account ID must be a non-empty string' };\n }\n\n const parts = nearAccountId.split('.');\n if (parts.length < 2) {\n return { valid: false, error: 'Account ID must contain at least one dot (e.g., username.testnet)' };\n }\n\n // Check for exact two parts requirement (e.g., server registration)\n if (options.requireTopLevelDomain && parts.length !== 2) {\n const suffixList = options.allowedSuffixes?.join(', ') \|\| 'valid suffixes';\n return {\n valid: false,\n error: `Invalid NEAR account ID format. Expected format: <username>.<suffix> where suffix is one of: ${suffixList}`\n };\n }\n\n const username = parts[0];\n const suffix = parts[parts.length - 1]; // Last part for suffix checking\n const domain = parts.slice(1).join('.');\n\n // Validate username part\n if (!username \|\| username.length === 0) {\n return { valid: false, error: 'Username part cannot be empty' };\n }\n\n if (!/^[a-z0-9_\\-]+$/.test(username)) {\n return { valid: false, error: 'Username can only contain lowercase letters, numbers, underscores, and hyphens' };\n }\n\n // Validate domain part\n if (!domain \|\| domain.length === 0) {\n return { valid: false, error: 'Domain part cannot be empty' };\n }\n\n // Check allowed suffixes if specified\n if (options.allowedSuffixes && options.allowedSuffixes.length > 0) {\n // Check if the account ID ends with any of the allowed suffixes\n const matchesAnySuffix = options.allowedSuffixes.some(allowedSuffix => {\n // For single-part suffixes, check the last part\n if (!allowedSuffix.includes('.')) {\n return suffix === allowedSuffix;\n }\n // For multi-part suffixes, check if the account ID ends with the full suffix\n return nearAccountId.endsWith(`.${allowedSuffix}`);\n });\n\n if (!matchesAnySuffix) {\n return {\n valid: false,\n error: `Invalid NEAR account ID suffix. Expected account to end with one of: ${options.allowedSuffixes.join(', ')}`\n };\n }\n }\n\n return { valid: true };\n}\n\n/\n Lightweight NEAR account ID validation used by server-side helpers.\n * - length: 2..64\n * - chars: lowercase letters, digits, `_`, `.`, `-`\n /\nexport function isValidAccountId(accountId: unknown): accountId is string {\n if (typeof accountId !== 'string') return false;\n if (!accountId \|\| accountId.length < 2 \|\| accountId.length > 64) return false;\n return /^[a-z0-9_.-]+$/.test(accountId);\n}\n\n// ===========================\n// Runtime validation helpers\n// ===========================\n\nexport function isObject(x: unknown): x is Record<string, unknown> {\n return x !== null && typeof x === 'object';\n}\n\nexport function isString(x: unknown): x is string {\n return typeof x === 'string';\n}\n\nexport function isNonEmptyString(x: unknown): x is string {\n return typeof x === 'string' && x.length > 0;\n}\n\nexport function isNumber(x: unknown): x is number {\n return typeof x === 'number';\n}\n\nexport function isFiniteNumber(x: unknown): x is number {\n return typeof x === 'number' && Number.isFinite(x);\n}\n\nexport function isFunction(x: unknown): x is Function {\n return typeof x === 'function';\n}\n\nexport function isBoolean(x: unknown): x is boolean {\n return typeof x === 'boolean';\n}\n\nexport function isArray<T = unknown>(x: unknown): x is T[] {\n return Array.isArray(x);\n}\n\nexport function assertString(val: unknown, name = 'value'): string {\n if (typeof val !== 'string') throw new Error(`Invalid ${name}: expected string`);\n return val;\n}\n\nexport function assertNumber(val: unknown, name = 'value'): number {\n if (typeof val !== 'number' \|\| !Number.isFinite(val)) throw new Error(`Invalid ${name}: expected finite number`);\n return val;\n}\n\nexport function assertBoolean(val: unknown, name = 'value'): boolean {\n if (typeof val !== 'boolean') throw new Error(`Invalid ${name}: expected boolean`);\n return val;\n}\n\nexport function assertObject<T extends Record<string, unknown> = Record<string, unknown>>(val: unknown, name = 'value'): T {\n if (!isObject(val)) throw new Error(`Invalid ${name}: expected object`);\n return val as T;\n}\n\nexport function assertArray<T = unknown>(val: unknown, name = 'value'): T[] {\n if (!Array.isArray(val)) throw new Error(`Invalid ${name}: expected array`);\n return val as T[];\n}\n\nexport function stripFunctionsShallow<T extends Record<string, unknown>>(obj?: T): Partial<T> \| undefined {\n if (!obj \|\| !isObject(obj)) return undefined;\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(obj)) {\n if (!isFunction(v)) out[k] = v as unknown;\n }\n return out as Partial<T>;\n}\n\nexport interface PlainSignedTransactionLike {\n transaction: unknown;\n signature: unknown;\n borsh_bytes?: unknown;\n borshBytes?: unknown;\n base64Encode?: unknown;\n}\n\nexport function isPlainSignedTransactionLike(x: unknown): x is PlainSignedTransactionLike {\n if (!isObject(x)) return false;\n const hasTx = 'transaction' in x;\n const hasSig = 'signature' in x;\n const bytes = x as { borsh_bytes?: unknown; borshBytes?: unknown };\n const hasBytes = Array.isArray(bytes.borsh_bytes) \|\| bytes.borshBytes instanceof Uint8Array;\n const hasMethod = typeof (x as { base64Encode?: unknown }).base64Encode === 'function';\n return hasTx && hasSig && hasBytes && !hasMethod;\n}\n\nexport function extractBorshBytesFromPlainSignedTx(x: PlainSignedTransactionLike): number[] {\n const asArray = Array.isArray(x.borsh_bytes) ? (x.borsh_bytes as number[]) : undefined;\n if (asArray) return asArray;\n const asU8 = (x.borshBytes instanceof Uint8Array) ? x.borshBytes : undefined;\n return Array.from(asU8 \|\| new Uint8Array());\n}\n","import { ZkEmailProverClient, type ZkEmailProverClientOptions, type ZkEmailProverError } from './proverClient';\n\nexport { ZkEmailProverClient } from './proverClient';\nexport type { ZkEmailProverClientOptions, ZkEmailProverError, ZkEmailProverResponse } from './proverClient';\n\nexport interface ForwardableEmailPayload {\n from: string;\n to: string;\n headers: Record<string, string>;\n raw?: string;\n rawSize?: number;\n}\n\nexport type NormalizedEmailResult =\n \| { ok: true; payload: ForwardableEmailPayload }\n \| { ok: false; code: string; message: string };\n\nexport interface GenerateZkEmailProofResult {\n proof: unknown;\n publicInputs: string[];\n}\n\nexport interface ParsedZkEmailBindings {\n accountId: string;\n newPublicKey: string;\n fromEmail: string;\n timestamp: string;\n requestId: string;\n}\n\n/\n Build a minimal ForwardableEmailPayload from a raw RFC822 email string.\n * This is primarily used by server-side helpers that receive only a raw\n * email blob (no pre-normalized headers).\n /\nexport function buildForwardablePayloadFromRawEmail(raw: string): ForwardableEmailPayload {\n const safeRaw = typeof raw === 'string' ? raw : '';\n const lines = safeRaw.split(/\\r?\\n/);\n\n const getHeader = (name: string): string \| undefined => {\n const line = lines.find(l => new RegExp(`^${name}:`, 'i').test(l));\n if (!line) return undefined;\n const idx = line.indexOf(':');\n const rest = idx >= 0 ? line.slice(idx + 1) : '';\n const value = rest.trim();\n return value \|\| undefined;\n };\n\n const fromHeader = getHeader('from') \|\| 'unknown@zkemail.local';\n const toHeader = getHeader('to') \|\| 'recover@zkemail.local';\n\n const headers: Record<string, string> = {};\n const subjectHeader = getHeader('subject');\n const dateHeader = getHeader('date');\n\n if (fromHeader) headers.from = fromHeader;\n if (toHeader) headers.to = toHeader;\n if (subjectHeader) headers.subject = subjectHeader;\n if (dateHeader) headers.date = dateHeader;\n\n return {\n from: fromHeader,\n to: toHeader,\n headers,\n raw: safeRaw,\n rawSize: safeRaw.length,\n };\n}\n\nexport function normalizeForwardableEmailPayload(input: unknown): NormalizedEmailResult {\n if (!input \|\| typeof input !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'JSON body required' };\n }\n\n const body = input as Partial<ForwardableEmailPayload>;\n const { from, to, headers, raw, rawSize } = body;\n\n if (!from \|\| typeof from !== 'string' \|\| !to \|\| typeof to !== 'string') {\n return { ok: false, code: 'invalid_email', message: 'from and to are required' };\n }\n\n if (!headers \|\| typeof headers !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'headers object is required' };\n }\n\n const normalizedHeaders: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers as Record<string, unknown>)) {\n normalizedHeaders[String(k).toLowerCase()] = String(v);\n }\n\n return {\n ok: true,\n payload: {\n from,\n to,\n headers: normalizedHeaders,\n raw: typeof raw === 'string' ? raw : undefined,\n rawSize: typeof rawSize === 'number' ? rawSize : undefined,\n },\n };\n}\n\n/\n Parse NEAR accountId from the Subject line inside a raw RFC822 email.\n \n Expected format (case-insensitive on \"Subject\" and \"recover\"):\n * Subject: recover-123ABC bob.testnet ed25519:<pk>\n \n Returns the parsed accountId (e.g. \"bob.testnet\") or null if not found.\n /\nexport function parseAccountIdFromSubject(raw: string \| undefined \| null): string \| null {\n if (!raw \|\| typeof raw !== 'string') return null;\n\n // Accept either a full RFC822 message (with \"Subject: ...\" header)\n // or a bare Subject value (\"recover-123ABC bob.testnet ed25519:<pk>\").\n let subjectText = '';\n const lines = raw.split(/\\r?\\n/);\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = raw.trim();\n }\n\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format: \"recover-<request_id> <accountId> [ed25519:<pk>]\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)(?:\\s+ed25519:[^\\s]+)?\\s$/i\n );\n if (match?.[2]) {\n return match[2];\n }\n\n return null;\n}\n\nfunction parseSubjectBindings(\n rawSubject: string \| undefined \| null\n): { accountId: string; newPublicKey: string; requestId: string } \| null {\n if (!rawSubject \|\| typeof rawSubject !== 'string') return null;\n\n const lines = rawSubject.split(/\\r?\\n/);\n let subjectText = '';\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = rawSubject.trim();\n }\n if (!subjectText) return null;\n\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n\n return {\n accountId,\n newPublicKey,\n requestId,\n };\n}\n\nexport function extractZkEmailBindingsFromPayload(\n payload: ForwardableEmailPayload\n): ParsedZkEmailBindings \| null {\n const raw = payload.raw \|\| '';\n const lines = raw.split(/\\r?\\n/);\n\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n const subjectBindings = parseSubjectBindings(subjectLine ?? '');\n if (!subjectBindings) {\n return null;\n }\n\n const headers = payload.headers \|\| {};\n let fromEmailRaw: string \| undefined =\n (headers['from'] as any) \|\|\n (headers['x-from-email'] as any);\n let dateRaw: string \| undefined =\n (headers['date'] as any) \|\|\n (headers['x-original-date'] as any);\n\n // Fallback: if headers object does not contain from/date,\n // attempt to parse them from the raw RFC822 email lines.\n if (!fromEmailRaw \|\| !dateRaw) {\n for (const line of lines) {\n if (!fromEmailRaw && /^from:/i.test(line)) {\n const idx = line.indexOf(':');\n fromEmailRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (!dateRaw && /^date:/i.test(line)) {\n const idx = line.indexOf(':');\n dateRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (fromEmailRaw && dateRaw) break;\n }\n }\n\n const fromEmail = String(fromEmailRaw \|\| '').trim();\n const timestamp = String(dateRaw \|\| '').trim();\n\n if (!fromEmail \|\| !timestamp) {\n return null;\n }\n\n return {\n accountId: subjectBindings.accountId,\n newPublicKey: subjectBindings.newPublicKey,\n fromEmail,\n timestamp,\n requestId: subjectBindings.requestId,\n };\n}\n\nexport async function generateZkEmailProofFromPayload(\n payload: ForwardableEmailPayload,\n prover: ZkEmailProverClientOptions \| ZkEmailProverClient\n): Promise<GenerateZkEmailProofResult> {\n if (!payload.raw \|\| typeof payload.raw !== 'string') {\n const err: ZkEmailProverError = Object.assign(\n new Error('raw email contents are required to generate a zk-email proof'),\n { code: 'missing_raw_email' }\n );\n throw err;\n }\n\n const client =\n (prover && typeof (prover as any).proveEmail === 'function')\n ? (prover as ZkEmailProverClient)\n : new ZkEmailProverClient(prover as ZkEmailProverClientOptions);\n\n const res = await client.proveEmail(payload.raw);\n\n return {\n proof: res.proof,\n publicInputs: res.publicSignals,\n };\n}\n","import type { EmailRecoveryMode } from './types';\nimport { normalizeForwardableEmailPayload, parseAccountIdFromSubject } from './zkEmail';\nimport { ensureEd25519Prefix } from '../../core/nearCrypto';\n\nexport enum EmailRecoveryModeHint {\n ZkEmail = 'zk-email',\n TeeEncrypted = 'tee-encrypted',\n OnchainPublic = 'onchain-public',\n}\n\nexport function parseRecoveryMode(raw: string \| undefined \| null): EmailRecoveryMode \| null {\n if (!raw) return null;\n const value = raw.trim().toLowerCase();\n if (value === EmailRecoveryModeHint.ZkEmail) return 'zk-email';\n if (value === EmailRecoveryModeHint.TeeEncrypted) return 'tee-encrypted';\n if (value === EmailRecoveryModeHint.OnchainPublic) return 'onchain-public';\n return null;\n}\n\nexport function extractRecoveryModeFromBody(emailBlob?: string): EmailRecoveryMode \| null {\n if (!emailBlob) return null;\n\n const lines = emailBlob.split(/\\r?\\n/);\n const bodyStartIndex = lines.findIndex(line => line.trim() === '');\n if (bodyStartIndex === -1) return null;\n\n const bodyLines = lines.slice(bodyStartIndex + 1);\n const firstNonEmptyBodyLine = bodyLines.find(line => line.trim() !== '');\n if (!firstNonEmptyBodyLine) return null;\n\n const candidate = firstNonEmptyBodyLine.trim();\n const normalized = parseRecoveryMode(candidate);\n if (normalized) return normalized;\n\n const lower = candidate.toLowerCase();\n if (lower.includes(EmailRecoveryModeHint.ZkEmail)) return 'zk-email';\n if (lower.includes(EmailRecoveryModeHint.TeeEncrypted)) return 'tee-encrypted';\n if (lower.includes(EmailRecoveryModeHint.OnchainPublic)) return 'onchain-public';\n\n return null;\n}\n\ntype HeaderValue = string \| string[] \| undefined;\ntype HeadersLike = Headers \| Record<string, HeaderValue> \| undefined;\n\nexport type RecoverEmailParseResult =\n \| { ok: true; accountId: string; emailBlob: string; explicitMode?: string }\n \| { ok: false; status: number; code: string; message: string };\n\nfunction getHeader(headers: HeadersLike, name: string): string \| undefined {\n if (!headers) return undefined;\n\n const maybeHeaders = headers as any;\n if (typeof maybeHeaders.get === 'function') {\n const v = maybeHeaders.get(name);\n return (typeof v === 'string') ? v : undefined;\n }\n\n const record = headers as Record<string, HeaderValue>;\n const v = record[name.toLowerCase()] ?? record[name];\n if (Array.isArray(v)) return (typeof v[0] === 'string') ? v[0] : undefined;\n return (typeof v === 'string') ? v : undefined;\n}\n\nfunction parseExplicitMode(body: unknown, headers?: HeadersLike): string \| undefined {\n const modeFromBody =\n (typeof (body as any)?.explicitMode === 'string' ? String((body as any).explicitMode) : '') \|\|\n (typeof (body as any)?.explicit_mode === 'string' ? String((body as any).explicit_mode) : '');\n const modeFromHeader = getHeader(headers, 'x-email-recovery-mode') \|\| getHeader(headers, 'x-recovery-mode') \|\| '';\n const raw = (modeFromBody \|\| modeFromHeader).trim();\n return raw ? raw : undefined;\n}\n\nexport function parseRecoverEmailRequest(body: unknown, opts: { headers?: HeadersLike } = {}): RecoverEmailParseResult {\n const explicitMode = parseExplicitMode(body, opts.headers);\n\n const normalized = normalizeForwardableEmailPayload(body);\n if (!normalized.ok) {\n return { ok: false, status: 400, code: normalized.code, message: normalized.message };\n }\n\n const payload = normalized.payload;\n const emailBlob = payload.raw \|\| '';\n const emailHeaders = payload.headers \|\| {};\n\n const subjectHeader = emailHeaders['subject'];\n const parsedAccountId = parseAccountIdFromSubject(subjectHeader \|\| emailBlob);\n const headerAccountId = String(emailHeaders['x-near-account-id'] \|\| emailHeaders['x-account-id'] \|\| '').trim();\n const accountId = (parsedAccountId \|\| headerAccountId \|\| '').trim();\n\n if (!accountId) {\n return { ok: false, status: 400, code: 'missing_account', message: 'x-near-account-id header is required' };\n }\n if (!emailBlob) {\n return { ok: false, status: 400, code: 'missing_email', message: 'raw email blob is required' };\n }\n\n return { ok: true, accountId, emailBlob, explicitMode };\n}\n\nconst EMAIL_ADDRESS_REGEX =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\nexport function canonicalizeEmail(input: string): string {\n const raw = String(input \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(EMAIL_ADDRESS_REGEX);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n}\n\nexport function parseHeaderValue(rawEmail: string, name: string): string \| undefined {\n try {\n const raw = String(rawEmail \|\| '');\n if (!raw) return undefined;\n\n const lines = raw.split(/\\r?\\n/);\n const headerLines: string[] = [];\n\n // Only consider the header section (until the first blank line).\n for (const line of lines) {\n if (line.trim() === '') break;\n\n // RFC822 header folding: lines starting with whitespace continue previous header.\n if (/^\\s/.test(line) && headerLines.length > 0) {\n headerLines[headerLines.length - 1] += ` ${line.trim()}`;\n continue;\n }\n\n headerLines.push(line);\n }\n\n const headerName = name.trim();\n if (!headerName) return undefined;\n\n const re = new RegExp(`^${headerName.replace(/[.+?^${}()\|[\\]\\\\]/g, '\\\\$&')}\\\\s:`, 'i');\n const found = headerLines.find((l) => re.test(l));\n if (!found) return undefined;\n\n const idx = found.indexOf(':');\n const value = idx >= 0 ? found.slice(idx + 1).trim() : '';\n return value \|\| undefined;\n } catch {\n return undefined;\n }\n}\n\nexport function parseRecoverSubjectBindings(\n rawEmail: string\n): { requestId: string; accountId: string; newPublicKey: string } \| null {\n // Accept either a full RFC822 email or a bare Subject value.\n let subjectText = (parseHeaderValue(rawEmail, 'subject') \|\| String(rawEmail \|\| '')).trim();\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes.\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n return { requestId, accountId, newPublicKey: ensureEd25519Prefix(newPublicKey) };\n}\n","export type Logger = {\n debug?: (...args: unknown[]) => void;\n info?: (...args: unknown[]) => void;\n warn?: (...args: unknown[]) => void;\n error?: (...args: unknown[]) => void;\n log?: (...args: unknown[]) => void;\n};\n\nexport type NormalizedLogger = {\n debug: (...args: unknown[]) => void;\n info: (...args: unknown[]) => void;\n warn: (...args: unknown[]) => void;\n error: (...args: unknown[]) => void;\n};\n\nfunction safe(fn?: (...args: unknown[]) => void): (...args: unknown[]) => void {\n if (!fn) return () => {};\n return (...args: unknown[]) => {\n try {\n fn(...args);\n } catch {\n // Never allow logging to break request handling.\n }\n };\n}\n\n/*\n Library code should never call `console.` directly; the host decides where logs go.\n - Default: no logs\n * - To enable: pass `logger: console` (or a structured logger) to the host config.\n /\nexport function normalizeLogger(logger?: Logger \| null): NormalizedLogger {\n if (!logger) {\n return { debug: () => {}, info: () => {}, warn: () => {}, error: () => {} };\n }\n\n const base: Logger = logger;\n const log = typeof base.log === 'function' ? base.log.bind(base) : undefined;\n\n const debug = (typeof base.debug === 'function' ? base.debug.bind(base) : log);\n const info = (typeof base.info === 'function' ? base.info.bind(base) : log);\n const warn = (typeof base.warn === 'function' ? base.warn.bind(base) : log);\n const error = (typeof base.error === 'function' ? base.error.bind(base) : log);\n\n return {\n debug: safe(debug),\n info: safe(info),\n warn: safe(warn),\n error: safe(error),\n };\n}\n\nexport const coerceLogger = normalizeLogger;\n","import type { Logger, NormalizedLogger } from '../core/logger';\nimport { coerceLogger } from '../core/logger';\n\nexport type RouterLogger = Logger;\nexport type NormalizedRouterLogger = NormalizedLogger;\nexport const coerceRouterLogger = coerceLogger;\n/* @deprecated use `coerceRouterLogger` /\nexport const normalizeRouterLogger = coerceRouterLogger;\n","import type { AuthService } from '../../core/AuthService';\nimport { parseRecoverEmailRequest } from '../../email-recovery/emailParsers';\nimport type { RouterLogger } from '../logger';\nimport { coerceRouterLogger } from '../logger';\nimport type { EmailHandler, CfEmailMessage } from './types';\nimport { toSingleLine } from '../../../utils/validation';\n\nfunction toEmailAddress(input: string): string {\n const trimmed = String(input \|\| '').trim();\n const angleStart = trimmed.indexOf('<');\n const angleEnd = trimmed.indexOf('>');\n if (angleStart !== -1 && angleEnd > angleStart) {\n return trimmed.slice(angleStart + 1, angleEnd).trim().toLowerCase();\n }\n return trimmed.toLowerCase();\n}\n\nfunction toLowercaseHeaderRecord(input: unknown): Record<string, string> {\n const out: Record<string, string> = {};\n if (!input) return out;\n\n const maybeHeaders = input as any;\n if (typeof maybeHeaders.forEach === 'function') {\n try {\n maybeHeaders.forEach((v: unknown, k: unknown) => {\n out[String(k).toLowerCase()] = String(v);\n });\n return out;\n } catch { }\n }\n\n if (typeof maybeHeaders[Symbol.iterator] === 'function') {\n try {\n for (const entry of maybeHeaders as Iterable<unknown>) {\n if (!Array.isArray(entry)) continue;\n const [k, v] = entry as any[];\n out[String(k).toLowerCase()] = String(v);\n }\n return out;\n } catch { }\n }\n\n if (typeof input === 'object') {\n for (const [k, v] of Object.entries(input as Record<string, unknown>)) {\n out[String(k).toLowerCase()] = String(v);\n }\n }\n\n return out;\n}\n\nasync function buildForwardableEmailPayloadFromCloudflareMessage(message: CfEmailMessage): Promise<{\n from: string;\n to: string;\n headers: Record<string, string>;\n raw: string;\n rawSize?: number;\n}> {\n const from = String(message?.from \|\| '');\n const to = String(message?.to \|\| '');\n const headers = toLowercaseHeaderRecord((message as any)?.headers);\n\n let raw = '';\n try {\n raw = await new Response((message as any)?.raw).text();\n } catch { }\n\n const rawSize = typeof (message as any)?.rawSize === 'number' ? (message as any).rawSize : undefined;\n\n return { from, to, headers, raw, rawSize };\n}\n\nexport interface CloudflareEmailHandlerOptions {\n /\n Optional recipient allowlist for emails processed by this handler (case-insensitive).\n * If unset, any `to` is accepted.\n /\n expectedRecipient?: string;\n /\n If true (default), unexpected recipients only log a warning (Cloudflare routing\n * is usually already scoped). If false, the handler rejects the email.\n /\n allowUnexpectedRecipient?: boolean;\n /\n When true, logs email metadata (from/to/subject). Defaults to false.\n /\n verbose?: boolean;\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n\nexport function createCloudflareEmailHandler(service: AuthService, opts: CloudflareEmailHandlerOptions = {}): EmailHandler {\n const logger = coerceRouterLogger(opts.logger);\n const expectedRecipient = toEmailAddress(opts.expectedRecipient \|\| '');\n const allowUnexpectedRecipient = opts.allowUnexpectedRecipient !== false;\n const verbose = Boolean(opts.verbose);\n\n return async (message: CfEmailMessage): Promise<void> => {\n try {\n const payload = await buildForwardableEmailPayloadFromCloudflareMessage(message);\n\n const to = toEmailAddress(payload.to);\n if (expectedRecipient) {\n if (to !== expectedRecipient) {\n logger.warn('[email] unexpected recipient', { to, expectedRecipient });\n if (!allowUnexpectedRecipient) {\n message.setReject('Email recovery relayer rejected email: unexpected recipient');\n return;\n }\n }\n }\n\n if (verbose) {\n logger.info('[email] from/to', { from: payload.from, to: payload.to, subject: payload.headers['subject'] });\n }\n\n const parsed = parseRecoverEmailRequest(payload as any, { headers: payload.headers });\n if (!parsed.ok) {\n logger.warn('[email] rejecting', { code: parsed.code, message: parsed.message });\n message.setReject(`Email recovery relayer rejected email: ${parsed.message}`);\n return;\n }\n\n if (!service.emailRecovery) {\n logger.warn('[email] rejecting: EmailRecoveryService not configured');\n message.setReject('Email recovery relayer rejected email: email recovery service unavailable');\n return;\n }\n\n const result = await service.emailRecovery.requestEmailRecovery({\n accountId: parsed.accountId,\n emailBlob: parsed.emailBlob,\n explicitMode: parsed.explicitMode,\n });\n\n if (!result?.success) {\n logger.warn('[email] recovery failed', {\n accountId: parsed.accountId,\n error: result?.error \|\| 'unknown',\n message: result?.message,\n });\n const reason = toSingleLine(result?.message \|\| result?.error \|\| 'recovery failed');\n message.setReject(`Email recovery relayer rejected email: ${reason}`);\n return;\n }\n\n logger.info('[email] recovery submitted', { accountId: parsed.accountId });\n } catch (e: any) {\n logger.error('[email] internal error', { message: e?.message \|\| String(e) });\n message.setReject('Email recovery relayer rejected email: internal error');\n }\n };\n}\n","import type { AuthService } from '../../core/AuthService';\nimport type { RouterLogger } from '../logger';\nimport { coerceRouterLogger } from '../logger';\nimport type { CfScheduledEvent, ScheduledHandler } from './types';\n\n/\n Optional cron hook factory for Cloudflare Workers.\n * Default is inactive (no-op). Enable explicitly in your Worker entry.\n \n Example:\n * const cron = createCloudflareCron(service, { enabled: env.ENABLE_ROTATION === '1', rotate: false });\n * export default { fetch: router, scheduled: cron };\n /\nexport interface CloudflareCronOptions {\n enabled?: boolean; // default false\n rotate?: boolean; // if true, will attempt to rotate Shamir keypair (not persisted in Workers)\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n\nexport function createCloudflareCron(service: AuthService, opts: CloudflareCronOptions = {}): ScheduledHandler {\n const logger = coerceRouterLogger(opts.logger);\n const enabled = Boolean(opts.enabled);\n const doRotate = Boolean(opts.rotate);\n if (!enabled) {\n return async () => { / no-op by default / };\n }\n return async (_event: CfScheduledEvent) => {\n try {\n if (doRotate) {\n // Rotation in Workers is ephemeral unless you persist keys externally.\n // This call rotates in-memory only and logs the result.\n const shamir = service.shamirService;\n if (!shamir) {\n logger.warn('[cloudflare-cron] Shamir not configured; skipping rotation');\n } else {\n const rotation = await shamir.rotateShamirServerKeypair();\n logger.info('[cloudflare-cron] rotated key', rotation.newKeyId, 'graceIds:', rotation.graceKeyIds);\n }\n } else {\n logger.info('[cloudflare-cron] enabled but rotate=false (no action)');\n }\n } catch (e: unknown) {\n logger.error('[cloudflare-cron] failed', e instanceof Error ? e.message : String(e));\n }\n };\n}\n","\nexport interface SessionConfig {\n jwt?: {\n /* Required: JWT signing hook; return a complete token /\n signToken?: (input: { header: Record<string, unknown>; payload: Record<string, unknown> }) => Promise<string> \| string;\n /* Required: JWT verification hook /\n verifyToken?: (token: string) => Promise<{ valid: boolean; payload?: any }> \| { valid: boolean; payload?: any };\n /* Optional: sliding refresh window (seconds) to allow /session/refresh before exp, default 900 (15 min) /\n refreshWindowSec?: number;\n /* Optional: build additional claims to include in the payload /\n buildClaims?: (input: { sub: string; context?: Record<string, unknown> }) => Promise<Record<string, unknown> \| void> \| Record<string, unknown> \| void;\n };\n cookie?: {\n /* Cookie name. Default: 'w3a_session' /\n name?: string;\n /* Optional override: build Set-Cookie header for a new token /\n buildSetHeader?: (token: string) => string;\n /* Optional override: build Set-Cookie header that clears the cookie /\n buildClearHeader?: () => string;\n /* Optional override: extract token from headers (Authorization/Cookie) /\n extractToken?: (headers: Record<string, string \| string[] \| undefined>, cookieName: string) => string \| null;\n };\n}\n\nexport class SessionService<TClaims extends Record<string, unknown> = Record<string, unknown>> {\n private cfg: NonNullable<SessionConfig>;\n\n constructor(cfg: NonNullable<SessionConfig>) {\n this.cfg = cfg \|\| ({} as any);\n }\n\n getCookieName(): string {\n return this.cfg?.cookie?.name \|\| 'w3a_session';\n }\n\n buildSetCookie(token: string): string {\n if (this.cfg?.cookie?.buildSetHeader) return this.cfg.cookie.buildSetHeader(token);\n const name = this.getCookieName();\n const cookieParts = [`${name}=${token}`];\n const path = '/';\n const httpOnly = true;\n const secure = true; // default secure\n const sameSite = 'Lax';\n const maxAge = 24 3600; // 1 day default\n cookieParts.push(`Path=${path}`);\n if (httpOnly) cookieParts.push('HttpOnly');\n if (secure) cookieParts.push('Secure');\n if (sameSite) cookieParts.push(`SameSite=${sameSite}`);\n if (maxAge) {\n cookieParts.push(`Max-Age=${maxAge}`);\n const expires = new Date(Date.now() + (maxAge * 1000)).toUTCString();\n cookieParts.push(`Expires=${expires}`);\n }\n return cookieParts.join('; ');\n }\n\n buildClearCookie(): string {\n if (this.cfg?.cookie?.buildClearHeader) return this.cfg.cookie.buildClearHeader();\n const name = this.getCookieName();\n const path = '/';\n const secure = true;\n const httpOnly = true;\n const parts = [\n `${name}=`,\n `Path=${path}`,\n 'Max-Age=0',\n 'Expires=Thu, 01 Jan 1970 00:00:00 GMT'\n ];\n if (httpOnly) parts.push('HttpOnly');\n if (secure) parts.push('Secure');\n const sameSite = 'Lax';\n if (sameSite) parts.push(`SameSite=${sameSite}`);\n return parts.join('; ');\n }\n\n /** Sign a JWT with configured algorithm. Adds iat/exp and copies iss/aud. /\n async signJwt(sub: string, extraClaims?: Record<string, unknown>): Promise<string> {\n const jwt = this.cfg?.jwt \|\| {};\n const built = await Promise.resolve(jwt.buildClaims?.({ sub, context: extraClaims })) \|\| {};\n const payload = { sub, ...(extraClaims \|\| {}), ...(built \|\| {}) } as Record<string, unknown>;\n if (typeof jwt.signToken === 'function') {\n // Full override of signing: user supplies the complete token\n const token = await Promise.resolve(jwt.signToken({ header: { typ: 'JWT' }, payload } as any));\n return token;\n }\n throw new Error('SessionService: No JWT signing hook or provider configured');\n }\n\n /* Verify signature and expiration. Returns payload on success. /\n async verifyJwt(token: string): Promise<{ valid: boolean; payload?: any }> {\n const verify = this.cfg?.jwt?.verifyToken;\n if (typeof verify !== 'function') return { valid: false };\n return await Promise.resolve(verify(token));\n }\n\n parse(\n headers: Record<string, string \| string[] \| undefined>\n ): Promise<{ ok: true; claims: TClaims } \| { ok: false }> {\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n let token: string \| null = null;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) token = authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (!token && cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) { token = (v \|\| '').trim(); break; }\n }\n }\n if (!token) return Promise.resolve({ ok: false });\n return this.verifyJwt(token).then(v =>\n v.valid\n ? { ok: true, claims: v.payload as TClaims }\n : { ok: false }\n );\n }\n\n // === token helpers ===\n extractTokenFromHeaders(headers: Record<string, string \| string[] \| undefined>): string \| null {\n if (this.cfg?.cookie?.extractToken) return this.cfg.cookie.extractToken(headers, this.getCookieName());\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) return authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) return (v \|\| '').trim();\n }\n }\n return null;\n }\n\n async refresh(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; jwt?: string; code?: string; message?: string }>{\n try {\n const token = this.extractTokenFromHeaders(headers);\n if (!token) return { ok: false, code: 'unauthorized', message: 'No session token' };\n const v = await this.verifyJwt(token);\n if (!v.valid) return { ok: false, code: 'unauthorized', message: 'Invalid token' };\n const payload: any = v.payload \|\| {};\n if (!this.isWithinRefreshWindow(payload)) return { ok: false, code: 'not_eligible', message: 'Not within refresh window' };\n const sub = String(payload.sub \|\| '');\n if (!sub) return { ok: false, code: 'invalid_claims', message: 'Missing sub claim' };\n const next = await this.signJwt(sub);\n return { ok: true, jwt: next };\n } catch (e: any) {\n return { ok: false, code: 'internal', message: e?.message \|\| 'Refresh failed' };\n }\n }\n\n nowSeconds(): number { return Math.floor(Date.now() / 1000); }\n\n private isWithinRefreshWindow(payload: any): boolean {\n try {\n const now = this.nowSeconds();\n const exp = Number(payload?.exp \|\| 0);\n if (!exp \|\| now >= exp) return false; // no refresh if already expired\n const windowSec = Number(this.cfg?.jwt?.refreshWindowSec \|\| 15 60);\n return (exp - now) <= windowSec;\n } catch { return false; }\n }\n}\n\n/\n Utility: parse comma-separated list of origins into a normalized unique list\n * - canonicalizes to protocol + host + optional port\n * - lowercases host, strips path/query/hash, trims spaces/trailing slashes\n /\nexport function parseCsvList(input?: string): string[] {\n const out = new Set<string>();\n for (const raw of String(input \|\| '').split(',')) {\n const s = raw.trim();\n if (!s) continue;\n try {\n const u = new URL(s);\n const host = u.hostname.toLowerCase();\n const port = u.port ? `:${u.port}` : '';\n const proto = u.protocol === 'http:' \|\| u.protocol === 'https:' ? u.protocol : 'https:';\n out.add(`${proto}//${host}${port}`);\n } catch {\n const stripped = s.replace(/\\/$/, '');\n if (stripped) out.add(stripped);\n }\n }\n return Array.from(out);\n}\n\n/\n * Utility: merge multiple CSV lists of origins and return normalized list or ''\n /\nexport function buildCorsOrigins(...inputs: Array<string \| undefined>): string[] \| '' {\n const merged = new Set<string>();\n for (const input of inputs) {\n for (const origin of parseCsvList(input)) merged.add(origin);\n }\n const list = Array.from(merged);\n return list.length > 0 ? list : '';\n}\n","import { buildCorsOrigins } from '../../core/SessionService';\nimport type { RelayRouterOptions } from '../relay';\n\nexport function json(body: unknown, init?: ResponseInit, extraHeaders?: Record<string, string>): Response {\n const headers = new Headers({ 'Content-Type': 'application/json; charset=utf-8' });\n\n // Merge init.headers into our base headers (ResponseInit headers are otherwise overwritten).\n const initHeaders = init?.headers;\n if (initHeaders) {\n try {\n new Headers(initHeaders).forEach((v, k) => headers.set(k, v));\n } catch { }\n }\n\n if (extraHeaders) {\n for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);\n }\n\n const { headers: _omit, ...rest } = init \|\| {};\n return new Response(JSON.stringify(body), { status: 200, ...rest, headers });\n}\n\nexport function withCors(headers: Headers, opts?: RelayRouterOptions, request?: Request): void {\n if (!opts?.corsOrigins) return;\n let allowedOrigin: string \| '' \| undefined;\n const normalized = buildCorsOrigins(...(opts.corsOrigins \|\| []));\n if (normalized === '') {\n allowedOrigin = '';\n headers.set('Access-Control-Allow-Origin', '');\n } else if (Array.isArray(normalized)) {\n const origin = request?.headers.get('Origin') \|\| '';\n if (origin && normalized.includes(origin)) {\n allowedOrigin = origin;\n headers.set('Access-Control-Allow-Origin', origin);\n headers.append('Vary', 'Origin');\n }\n }\n headers.set('Access-Control-Allow-Methods', 'GET,POST,OPTIONS');\n headers.set('Access-Control-Allow-Headers', 'Content-Type,Authorization');\n // Only advertise credentials when we echo back a specific origin (not '')\n if (allowedOrigin && allowedOrigin !== '') {\n headers.set('Access-Control-Allow-Credentials', 'true');\n }\n}\n\nexport function toResponse(out: { status: number; headers: Record<string, string>; body: string }): Response {\n return new Response(out.body, { status: out.status, headers: out.headers });\n}\n\nexport function isObject(v: unknown): v is Record<string, unknown> {\n return typeof v === 'object' && v !== null;\n}\n\nexport async function readJson(request: Request): Promise<unknown> {\n try {\n return await request.json();\n } catch {\n return null;\n }\n}\n\nexport function headersToRecord(headers: Headers): Record<string, string> {\n const out: Record<string, string> = {};\n headers.forEach((v, k) => { out[k] = v; });\n return out;\n}\n","import type { CreateAccountAndRegisterRequest, CreateAccountAndRegisterResult } from '../../../core/types';\nimport type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { isObject, json, readJson } from '../http';\n\nexport async function handleCreateAccountAndRegisterUser(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method !== 'POST' \|\| ctx.pathname !== '/create_account_and_register_user') return null;\n\n const body = await readJson(ctx.request);\n if (!isObject(body)) {\n return json({ code: 'invalid_body', message: 'JSON body required' }, { status: 400 });\n }\n\n const new_account_id = typeof body.new_account_id === 'string' ? body.new_account_id : '';\n const new_public_key = typeof body.new_public_key === 'string' ? body.new_public_key : '';\n const threshold_ed25519 = isObject((body as Record<string, unknown>).threshold_ed25519)\n ? (body as Record<string, unknown>).threshold_ed25519\n : undefined;\n const vrf_data = isObject(body.vrf_data) ? body.vrf_data : null;\n const webauthn_registration = isObject(body.webauthn_registration) ? body.webauthn_registration : null;\n const deterministic_vrf_public_key = (body as Record<string, unknown>).deterministic_vrf_public_key;\n const authenticator_options = isObject((body as Record<string, unknown>).authenticator_options)\n ? (body as Record<string, unknown>).authenticator_options\n : undefined;\n\n if (!new_account_id) {\n return json({ code: 'invalid_body', message: 'Missing or invalid new_account_id' }, { status: 400 });\n }\n if (!new_public_key) {\n return json({ code: 'invalid_body', message: 'Missing or invalid new_public_key' }, { status: 400 });\n }\n if (!vrf_data) {\n return json({ code: 'invalid_body', message: 'Missing or invalid vrf_data' }, { status: 400 });\n }\n if (!webauthn_registration) {\n return json({ code: 'invalid_body', message: 'Missing or invalid webauthn_registration' }, { status: 400 });\n }\n\n const threshold = ctx.opts.threshold;\n const thresholdClientVerifyingShareB64u = isObject(threshold_ed25519)\n && typeof (threshold_ed25519 as Record<string, unknown>).client_verifying_share_b64u === 'string'\n ? String((threshold_ed25519 as Record<string, unknown>).client_verifying_share_b64u \|\| '').trim()\n : '';\n let thresholdKeygen:\n \| (Awaited<ReturnType<NonNullable<typeof threshold>['keygenFromClientVerifyingShareForRegistration']>> & { ok: true })\n \| null = null;\n let thresholdWarning: string \| null = null;\n\n if (thresholdClientVerifyingShareB64u) {\n if (!threshold) {\n thresholdWarning = 'threshold signing is not configured on this server';\n } else {\n const rpId = typeof (vrf_data as { rp_id?: unknown; rpId?: unknown }).rp_id === 'string'\n ? String((vrf_data as { rp_id?: string }).rp_id \|\| '')\n : (typeof (vrf_data as { rpId?: unknown }).rpId === 'string' ? String((vrf_data as { rpId?: string }).rpId \|\| '') : '');\n if (!rpId.trim()) {\n thresholdWarning = 'missing vrf_data.rp_id';\n } else {\n const out = await threshold.keygenFromClientVerifyingShareForRegistration({\n nearAccountId: new_account_id,\n rpId,\n clientVerifyingShareB64u: thresholdClientVerifyingShareB64u,\n });\n if (!out.ok) {\n thresholdWarning = out.message \|\| 'threshold-ed25519 registration keygen failed';\n } else {\n thresholdKeygen = out;\n }\n }\n }\n }\n\n const input = {\n new_account_id,\n new_public_key,\n vrf_data,\n webauthn_registration,\n deterministic_vrf_public_key,\n authenticator_options,\n } as unknown as CreateAccountAndRegisterRequest;\n\n const result = await ctx.service.createAccountAndRegisterUser(input);\n let response: CreateAccountAndRegisterResult = result;\n\n if (result.success && threshold && thresholdKeygen) {\n try {\n await threshold.putRelayerKeyMaterial({\n relayerKeyId: thresholdKeygen.relayerKeyId,\n publicKey: thresholdKeygen.publicKey,\n relayerSigningShareB64u: thresholdKeygen.relayerSigningShareB64u,\n relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u,\n });\n response = {\n ...response,\n thresholdEd25519: {\n relayerKeyId: thresholdKeygen.relayerKeyId,\n publicKey: thresholdKeygen.publicKey,\n relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u,\n clientParticipantId: thresholdKeygen.clientParticipantId,\n relayerParticipantId: thresholdKeygen.relayerParticipantId,\n participantIds: thresholdKeygen.participantIds,\n },\n };\n } catch (e: unknown) {\n thresholdWarning = thresholdWarning \|\| ((e && typeof e === 'object' && 'message' in e)\n ? String((e as { message?: unknown }).message \|\| 'threshold signing persistence failed')\n : String(e \|\| 'threshold signing persistence failed'));\n }\n }\n\n if (result.success && thresholdWarning) {\n response = {\n ...response,\n message: `${response.message \|\| 'Account created and registered successfully'} (threshold enrollment skipped: ${thresholdWarning})`,\n };\n }\n\n return json(response, { status: response.success ? 200 : 400 });\n}\n","import type {\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n} from './types';\nimport type { ShamirService } from './ShamirService';\nimport { isString } from '@/utils/validation';\n\nexport async function handleApplyServerLock(\n service: ShamirService,\n request: { body?: { kek_c_b64u?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const kek_c_b64u = request.body?.kek_c_b64u;\n if (!isString(kek_c_b64u) \|\| !kek_c_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_c_b64u required and must be a non-empty string' }),\n };\n }\n\n const out: ShamirApplyServerLockResponse = await service.applyServerLock(kek_c_b64u);\n const keyId = service.getCurrentShamirKeyId();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ ...out, keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveServerLock(\n service: ShamirService,\n request: { body?: { kek_cs_b64u?: string; keyId?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const body = request.body;\n if (!body) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'Missing body' }),\n };\n }\n const { kek_cs_b64u, keyId } = body;\n if (!isString(kek_cs_b64u) \|\| !kek_cs_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_cs_b64u required and must be a non-empty string' }),\n };\n }\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const providedKeyId = String(keyId);\n const currentKeyId = service.getCurrentShamirKeyId();\n let out: ShamirRemoveServerLockResponse;\n\n if (currentKeyId && providedKeyId === currentKeyId) {\n out = await service.removeServerLock(kek_cs_b64u);\n } else if (service.hasGraceKey(providedKeyId)) {\n out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u } as ShamirRemoveServerLockRequest);\n } else {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'unknown keyId' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(out),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleGetShamirKeyInfo(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureReady();\n const currentKeyId = service.getCurrentShamirKeyId();\n const graceKeyIds = service.getGraceKeyIds();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n currentKeyId,\n p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,\n graceKeyIds,\n }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleListGraceKeys(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureGraceKeysLoaded();\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ graceKeyIds: service.getGraceKeyIds() }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleAddGraceKey(\n service: ShamirService,\n request: { e_s_b64u?: string; d_s_b64u?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const { e_s_b64u, d_s_b64u } = request \|\| ({} as any);\n if (!isString(e_s_b64u) \|\| !e_s_b64u \|\| !isString(d_s_b64u) \|\| !d_s_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'e_s_b64u and d_s_b64u required' }),\n };\n }\n\n await service.ensureGraceKeysLoaded();\n const added = await service.addGraceKeyInternal({ e_s_b64u, d_s_b64u }, { persist: true, skipIfExists: true });\n if (!added) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'failed to add grace key' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ keyId: added.keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveGraceKey(\n service: ShamirService,\n request: { keyId?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const keyId = request?.keyId;\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const removed = await service.removeGraceKeyInternal(keyId, { persist: true });\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ removed }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n","import { buildCorsOrigins } from '../../../core/SessionService';\nimport { handleGetShamirKeyInfo } from '../../../core/shamirHandlers';\nimport type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { json } from '../http';\n\nexport async function handleHealth(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (!ctx.opts.healthz \|\| ctx.method !== 'GET' \|\| ctx.pathname !== '/healthz') return null;\n\n // Surface simple CORS info for diagnostics (normalized)\n const allowed = buildCorsOrigins(...(ctx.opts.corsOrigins \|\| []));\n const corsAllowed = allowed === '' ? '' : allowed;\n const shamir = ctx.service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n const thresholdConfigured = Boolean(ctx.opts.threshold);\n let currentKeyId: string \| null = null;\n if (shamirConfigured && shamir) {\n try {\n const { currentKeyId: id } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n currentKeyId = id \|\| null;\n } catch { }\n }\n\n const proverBaseUrl = ctx.service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;\n const zkEmailConfigured = Boolean(proverBaseUrl);\n\n return json({\n ok: true,\n // Backwards-compatible field (was previously top-level).\n currentKeyId,\n shamir: { configured: shamirConfigured, currentKeyId },\n zkEmail: { configured: zkEmailConfigured, proverBaseUrl },\n thresholdEd25519: { configured: thresholdConfigured },\n cors: { allowedOrigins: corsAllowed },\n }, { status: 200 });\n}\n\nexport async function handleReady(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (!ctx.opts.readyz \|\| ctx.method !== 'GET' \|\| ctx.pathname !== '/readyz') return null;\n\n const allowed = buildCorsOrigins(...(ctx.opts.corsOrigins \|\| []));\n const corsAllowed = allowed === '' ? '' : allowed;\n\n const shamir = ctx.service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n const thresholdConfigured = Boolean(ctx.opts.threshold);\n\n let shamirReady: boolean \| null = null;\n let shamirCurrentKeyId: string \| null = null;\n let shamirError: string \| undefined;\n if (shamirConfigured && shamir) {\n try {\n await shamir.ensureReady();\n shamirReady = true;\n const { currentKeyId } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n shamirCurrentKeyId = currentKeyId \|\| null;\n } catch (e: any) {\n shamirReady = false;\n shamirError = e?.message \|\| String(e);\n }\n }\n\n const zk = ctx.service.emailRecovery\n ? await ctx.service.emailRecovery.checkZkEmailProverHealth()\n : { configured: false, baseUrl: null, healthy: null as boolean \| null };\n\n const ok =\n (shamirConfigured ? shamirReady === true : true) &&\n (zk.configured ? zk.healthy === true : true);\n\n return json({\n ok,\n shamir: {\n configured: shamirConfigured,\n ready: shamirConfigured ? shamirReady : null,\n currentKeyId: shamirCurrentKeyId,\n error: shamirError,\n },\n thresholdEd25519: { configured: thresholdConfigured },\n zkEmail: zk,\n cors: { allowedOrigins: corsAllowed },\n }, { status: ok ? 200 : 503 });\n}\n","import { parseRecoverEmailRequest } from '../../../email-recovery/emailParsers';\nimport type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { json, readJson } from '../http';\n\nexport async function handleRecoverEmail(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method !== 'POST' \|\| ctx.pathname !== '/recover-email') return null;\n\n const prefer = String(ctx.request.headers.get('prefer') \|\| '').toLowerCase();\n const respondAsync =\n prefer.includes('respond-async') \|\|\n String(ctx.url.searchParams.get('async') \|\| '').trim() === '1' \|\|\n String(ctx.url.searchParams.get('respond_async') \|\| '').trim() === '1';\n\n const rawBody = await readJson(ctx.request);\n const parsed = parseRecoverEmailRequest(rawBody, { headers: ctx.request.headers });\n if (!parsed.ok) {\n return json({ code: parsed.code, message: parsed.message }, { status: parsed.status });\n }\n const { accountId, emailBlob, explicitMode } = parsed;\n\n if (!ctx.service.emailRecovery) {\n return json(\n { code: 'email_recovery_unavailable', message: 'EmailRecoveryService is not configured on this server' },\n { status: 503 }\n );\n }\n\n if (respondAsync && ctx.cfCtx && typeof ctx.cfCtx.waitUntil === 'function') {\n ctx.cfCtx.waitUntil(\n ctx.service.emailRecovery\n .requestEmailRecovery({ accountId, emailBlob, explicitMode })\n .then((result) => {\n ctx.logger.info('[recover-email] async complete', {\n success: result?.success === true,\n accountId,\n error: result?.success ? undefined : result?.error,\n });\n })\n .catch((err: any) => {\n ctx.logger.error('[recover-email] async error', {\n accountId,\n error: err?.message \|\| String(err),\n });\n })\n );\n return json({ success: true, queued: true, accountId }, { status: 202 });\n }\n\n const result = await ctx.service.emailRecovery.requestEmailRecovery({ accountId, emailBlob, explicitMode });\n return json(result, { status: result.success ? 202 : 400 });\n}\n","import type { DelegateActionPolicy } from '../delegateAction';\nimport type { RouterLogger } from './logger';\nimport type {\n ThresholdEd25519AuthorizeWithSessionRequest,\n ThresholdEd25519AuthorizeRequest,\n ThresholdEd25519AuthorizeResponse,\n ThresholdEd25519CosignFinalizeRequest,\n ThresholdEd25519CosignFinalizeResponse,\n ThresholdEd25519CosignInitRequest,\n ThresholdEd25519CosignInitResponse,\n ThresholdEd25519KeygenRequest,\n ThresholdEd25519KeygenResponse,\n ThresholdEd25519SessionRequest,\n ThresholdEd25519SessionResponse,\n ThresholdEd25519SignFinalizeRequest,\n ThresholdEd25519SignFinalizeResponse,\n ThresholdEd25519SignInitRequest,\n ThresholdEd25519SignInitResponse,\n} from '../core/types';\n\n// Minimal session adapter interface expected by the routers.\nexport type SessionClaims = Record<string, unknown>;\n\nexport type SessionKind = 'cookie' \| 'jwt';\n\nexport function parseSessionKind(body: unknown): SessionKind {\n const v = (body && typeof body === 'object' && !Array.isArray(body))\n ? (body as Record<string, unknown>)\n : {};\n const raw = v.sessionKind ?? v.session_kind;\n return raw === 'cookie' ? 'cookie' : 'jwt';\n}\n\nexport interface SessionAdapter {\n signJwt(sub: string, extra?: Record<string, unknown>): Promise<string>;\n parse(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: true; claims: SessionClaims } \| { ok: false }>;\n buildSetCookie(token: string): string;\n buildClearCookie(): string;\n refresh(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; jwt?: string; code?: string; message?: string }>;\n}\n\nexport type ThresholdEd25519RegistrationKeygenResult =\n \| {\n ok: true;\n clientParticipantId: number;\n relayerParticipantId: number;\n participantIds: number[];\n relayerKeyId: string;\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n }\n \| { ok: false; code: string; message: string };\n\nexport interface ThresholdSigningAdapter {\n keygenFromClientVerifyingShareForRegistration(input: {\n nearAccountId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n }): Promise<ThresholdEd25519RegistrationKeygenResult>;\n putRelayerKeyMaterial(input: {\n relayerKeyId: string;\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n }): Promise<void>;\n thresholdEd25519Keygen(request: ThresholdEd25519KeygenRequest): Promise<ThresholdEd25519KeygenResponse>;\n authorizeThresholdEd25519(request: ThresholdEd25519AuthorizeRequest): Promise<ThresholdEd25519AuthorizeResponse>;\n authorizeThresholdEd25519WithSession(input: {\n sessionId: string;\n userId: string;\n request: ThresholdEd25519AuthorizeWithSessionRequest;\n }): Promise<ThresholdEd25519AuthorizeResponse>;\n thresholdEd25519Session(request: ThresholdEd25519SessionRequest): Promise<ThresholdEd25519SessionResponse>;\n thresholdEd25519SignInit(request: ThresholdEd25519SignInitRequest): Promise<ThresholdEd25519SignInitResponse>;\n thresholdEd25519SignFinalize(request: ThresholdEd25519SignFinalizeRequest): Promise<ThresholdEd25519SignFinalizeResponse>;\n /*\n Internal coordinator→cosigner cosigning API (optional).\n * When omitted, relayer-fleet cosigning mode is unsupported.\n /\n thresholdEd25519CosignInit?: (request: ThresholdEd25519CosignInitRequest) => Promise<ThresholdEd25519CosignInitResponse>;\n thresholdEd25519CosignFinalize?: (request: ThresholdEd25519CosignFinalizeRequest) => Promise<ThresholdEd25519CosignFinalizeResponse>;\n}\n\nexport interface RelayRouterOptions {\n healthz?: boolean;\n readyz?: boolean;\n /\n Optional list(s) of CORS origins (CSV strings or literal origins).\n * Pass raw strings; the router normalizes/merges internally.\n /\n corsOrigins?: Array<string \| undefined>;\n /\n Optional route for submitting NEP-461 SignedDelegate meta-transactions.\n * - When omitted: disabled.\n * - When set: enabled at `route`.\n * `policy` is server-controlled and is never read from the request body.\n */\n signedDelegate?: {\n route: string;\n policy?: DelegateActionPolicy;\n };\n // Optional: customize session route paths\n sessionRoutes?: { auth?: string; logout?: string };\n // Optional: pluggable session adapter\n session?: SessionAdapter \| null;\n // Optional: pluggable threshold signing service\n threshold?: ThresholdSigningAdapter \| null;\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n","import { parseSessionKind } from '../../relay';\nimport type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { headersToRecord, json, readJson } from '../http';\n\nexport async function handleSessionAuth(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method !== 'GET' \|\| ctx.pathname !== ctx.mePath) return null;\n\n try {\n const session = ctx.opts.session;\n if (!session) {\n return json({ authenticated: false, code: 'sessions_disabled', message: 'Sessions are not configured' }, { status: 501 });\n }\n\n const parsed = await session.parse(headersToRecord(ctx.request.headers));\n return json(\n parsed.ok\n ? { authenticated: true, claims: parsed.claims }\n : { authenticated: false },\n { status: parsed.ok ? 200 : 401 }\n );\n } catch (e: any) {\n return json({ authenticated: false, code: 'internal', message: e?.message \|\| 'Internal error' }, { status: 500 });\n }\n}\n\nexport async function handleSessionLogout(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method !== 'POST' \|\| ctx.pathname !== ctx.logoutPath) return null;\n\n const res = json({ success: true }, { status: 200 });\n const session = ctx.opts.session;\n if (session) {\n // Clear cookie with Max-Age=0\n res.headers.set('Set-Cookie', session.buildClearCookie());\n }\n return res;\n}\n\nexport async function handleSessionRefresh(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method !== 'POST' \|\| ctx.pathname !== '/session/refresh') return null;\n\n const body = await readJson(ctx.request);\n const sessionKind = parseSessionKind(body);\n const session = ctx.opts.session;\n if (!session) {\n return json({ code: 'sessions_disabled', message: 'Sessions are not configured' }, { status: 501 });\n }\n const out = await session.refresh(Object.fromEntries(ctx.request.headers.entries()));\n if (!out.ok \|\| !out.jwt) {\n return json(\n { code: out.code \|\| 'not_eligible', message: out.message \|\| 'Refresh not eligible' },\n { status: (out.code === 'unauthorized') ? 401 : 400 }\n );\n }\n const res = json(sessionKind === 'cookie' ? { ok: true } : { ok: true, jwt: out.jwt }, { status: 200 });\n if (sessionKind === 'cookie' && out.jwt) {\n try {\n res.headers.set('Set-Cookie', session.buildSetCookie(out.jwt));\n } catch { }\n }\n return res;\n}\n","import {\n handleApplyServerLock,\n handleRemoveServerLock,\n handleGetShamirKeyInfo,\n} from '../../../core/shamirHandlers';\nimport type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { isObject, json, readJson, toResponse } from '../http';\n\nexport async function handleShamir(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method === 'POST' && ctx.pathname === '/vrf/apply-server-lock') {\n const shamir = ctx.service.shamirService;\n if (!shamir \|\| !(await shamir.ensureReady())) {\n return json({ code: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' }, { status: 503 });\n }\n\n const body = await readJson(ctx.request);\n const valid = isObject(body) && typeof body.kek_c_b64u === 'string' && body.kek_c_b64u.length > 0;\n if (!valid) {\n return json({ code: 'invalid_body', message: 'kek_c_b64u is required' }, { status: 400 });\n }\n\n const out = await handleApplyServerLock(shamir, {\n body: { kek_c_b64u: String((body as Record<string, unknown>).kek_c_b64u) },\n });\n return toResponse(out);\n }\n\n if (ctx.method === 'POST' && ctx.pathname === '/vrf/remove-server-lock') {\n const shamir = ctx.service.shamirService;\n if (!shamir \|\| !(await shamir.ensureReady())) {\n return json({ code: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' }, { status: 503 });\n }\n\n const body = await readJson(ctx.request);\n const valid = isObject(body)\n && typeof body.kek_cs_b64u === 'string' && body.kek_cs_b64u.length > 0\n && typeof (body as Record<string, unknown>).keyId === 'string'\n && String((body as Record<string, unknown>).keyId).length > 0;\n if (!valid) {\n return json({ code: 'invalid_body', message: 'kek_cs_b64u and keyId are required' }, { status: 400 });\n }\n\n const out = await handleRemoveServerLock(shamir, {\n body: {\n kek_cs_b64u: String((body as Record<string, unknown>).kek_cs_b64u),\n keyId: String((body as Record<string, unknown>).keyId),\n },\n });\n return toResponse(out);\n }\n\n if (ctx.method === 'GET' && ctx.pathname === '/shamir/key-info') {\n const shamir = ctx.service.shamirService;\n if (!shamir \|\| !(await shamir.ensureReady())) {\n return json({ code: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' }, { status: 503 });\n }\n const out = await handleGetShamirKeyInfo(shamir);\n return toResponse(out);\n }\n\n return null;\n}\n","import type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { isObject, json, readJson } from '../http';\n\nexport async function handleSignedDelegate(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (!ctx.signedDelegatePath \|\| ctx.pathname !== ctx.signedDelegatePath) return null;\n if (ctx.method !== 'POST') return null;\n\n const body = await readJson(ctx.request);\n const valid = isObject(body)\n && typeof (body as any).hash === 'string'\n && Boolean((body as any).hash)\n && Boolean((body as any).signedDelegate);\n if (!valid) {\n return json({ ok: false, code: 'invalid_body', message: 'Expected { hash, signedDelegate }' }, { status: 400 });\n }\n\n const result = await ctx.service.executeSignedDelegate({\n hash: String((body as any).hash),\n signedDelegate: (body as any).signedDelegate,\n policy: ctx.signedDelegatePolicy,\n });\n\n if (!result \|\| !result.ok) {\n return json({\n ok: false,\n code: result?.code \|\| 'delegate_execution_failed',\n message: result?.error \|\| 'Failed to execute delegate action',\n }, { status: 400 });\n }\n\n return json({\n ok: true,\n relayerTxHash: result.transactionHash \|\| null,\n status: 'submitted',\n outcome: result.outcome ?? null,\n }, { status: 200 });\n}\n","export type ThresholdEd25519RouteResult = { ok: boolean; code?: string };\n\nexport function thresholdEd25519StatusCode(result: ThresholdEd25519RouteResult): number {\n if (result.ok) return 200;\n switch (result.code) {\n case 'not_found':\n return 404;\n case 'not_implemented':\n return 501;\n case 'threshold_disabled':\n return 503;\n case 'internal':\n return 500;\n case 'unauthorized':\n return 401;\n default:\n return 400;\n }\n}\n","import type { AccessKeyList } from '../../../core/NearClient';\nimport { alphabetizeStringify, sha256BytesUtf8 } from '../../../utils/digests';\nimport { ensureEd25519Prefix, toOptionalString, toTrimmedString } from '../../../utils/validation';\nimport {\n THRESHOLD_ED25519_2P_PARTICIPANT_IDS,\n normalizeThresholdEd25519ParticipantIds,\n} from '../../../threshold/participants';\n\nexport type ThresholdValidationOk = { ok: true };\nexport type ThresholdValidationErr = { ok: false; code: string; message: string };\nexport type ThresholdValidationResult = ThresholdValidationOk \| ThresholdValidationErr;\n\nexport function isObject(v: unknown): v is Record<string, unknown> {\n return !!v && typeof v === 'object' && !Array.isArray(v);\n}\n\nexport function isValidNumber(v: unknown): v is number {\n return typeof v === 'number' && Number.isFinite(v);\n}\n\nexport function toPrefixWithColon(prefix: unknown, defaultPrefix: string): string {\n const p = toOptionalString(prefix);\n if (!p) return defaultPrefix;\n return p.endsWith(':') ? p : `${p}:`;\n}\n\nexport function toThresholdEd25519KeyPrefix(prefix: unknown): string {\n return toPrefixWithColon(prefix, 'w3a:threshold-ed25519:key:');\n}\n\nexport function toThresholdEd25519SessionPrefix(prefix: unknown): string {\n return toPrefixWithColon(prefix, 'w3a:threshold-ed25519:sess:');\n}\n\nexport function toThresholdEd25519AuthPrefix(prefix: unknown): string {\n return toPrefixWithColon(prefix, 'w3a:threshold-ed25519:auth:');\n}\n\nexport type ParsedThresholdEd25519KeyRecord = {\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n};\n\nexport function parseThresholdEd25519KeyRecord(raw: unknown): ParsedThresholdEd25519KeyRecord \| null {\n if (!isObject(raw)) return null;\n const publicKey = toOptionalString(raw.publicKey);\n const relayerSigningShareB64u = toOptionalString(raw.relayerSigningShareB64u);\n const relayerVerifyingShareB64u = toOptionalString(raw.relayerVerifyingShareB64u);\n if (!publicKey \|\| !relayerSigningShareB64u \|\| !relayerVerifyingShareB64u) return null;\n return { publicKey, relayerSigningShareB64u, relayerVerifyingShareB64u };\n}\n\nexport type ParsedThresholdEd25519Commitments = { hiding: string; binding: string };\n\nexport function parseThresholdEd25519Commitments(raw: unknown): ParsedThresholdEd25519Commitments \| null {\n if (!isObject(raw)) return null;\n const hiding = toOptionalString(raw.hiding);\n const binding = toOptionalString(raw.binding);\n if (!hiding \|\| !binding) return null;\n return { hiding, binding };\n}\n\nexport type ParsedThresholdEd25519CommitmentsById = Record<string, ParsedThresholdEd25519Commitments>;\n\nexport function parseThresholdEd25519CommitmentsById(raw: unknown): ParsedThresholdEd25519CommitmentsById \| null {\n if (!isObject(raw)) return null;\n const out: ParsedThresholdEd25519CommitmentsById = {};\n for (const [k, v] of Object.entries(raw)) {\n const key = toTrimmedString(k);\n if (!key) return null;\n const commitments = parseThresholdEd25519Commitments(v);\n if (!commitments) return null;\n out[key] = commitments;\n }\n return Object.keys(out).length ? out : null;\n}\n\nexport type ParsedThresholdEd25519MpcSessionRecord = {\n expiresAtMs: number;\n relayerKeyId: string;\n purpose: string;\n intentDigestB64u: string;\n signingDigestB64u: string;\n userId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n participantIds: number[];\n};\n\nexport function parseThresholdEd25519MpcSessionRecord(raw: unknown): ParsedThresholdEd25519MpcSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const purpose = toOptionalString(raw.purpose);\n const intentDigestB64u = toOptionalString(raw.intentDigestB64u);\n const signingDigestB64u = toOptionalString(raw.signingDigestB64u);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const clientVerifyingShareB64u = toOptionalString(raw.clientVerifyingShareB64u);\n const participantIds = normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n if (!isValidNumber(expiresAtMs)) return null;\n if (\n !relayerKeyId \|\|\n !purpose \|\|\n !intentDigestB64u \|\|\n !signingDigestB64u \|\|\n !userId \|\|\n !rpId \|\|\n !clientVerifyingShareB64u\n ) return null;\n return {\n expiresAtMs,\n relayerKeyId,\n purpose,\n intentDigestB64u,\n signingDigestB64u,\n userId,\n rpId,\n clientVerifyingShareB64u,\n participantIds,\n };\n}\n\nexport type ParsedThresholdEd25519SigningSessionRecord = {\n expiresAtMs: number;\n mpcSessionId: string;\n relayerKeyId: string;\n signingDigestB64u: string;\n userId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n commitmentsById: ParsedThresholdEd25519CommitmentsById;\n relayerSigningShareB64u?: string;\n relayerNoncesB64u: string;\n participantIds: number[];\n};\n\nexport function parseThresholdEd25519SigningSessionRecord(raw: unknown): ParsedThresholdEd25519SigningSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const mpcSessionId = toOptionalString(raw.mpcSessionId);\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const signingDigestB64u = toOptionalString(raw.signingDigestB64u);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const clientVerifyingShareB64u = toOptionalString(raw.clientVerifyingShareB64u);\n const commitmentsById = parseThresholdEd25519CommitmentsById(raw.commitmentsById);\n const relayerSigningShareB64u = toOptionalString(raw.relayerSigningShareB64u);\n const relayerNoncesB64u = toOptionalString(raw.relayerNoncesB64u);\n const participantIds =\n normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n if (!isValidNumber(expiresAtMs)) return null;\n if (\n !mpcSessionId \|\|\n !relayerKeyId \|\|\n !signingDigestB64u \|\|\n !userId \|\|\n !rpId \|\|\n !clientVerifyingShareB64u \|\|\n !commitmentsById \|\|\n !relayerNoncesB64u\n ) {\n return null;\n }\n return {\n expiresAtMs,\n mpcSessionId,\n relayerKeyId,\n signingDigestB64u,\n userId,\n rpId,\n clientVerifyingShareB64u,\n commitmentsById,\n ...(relayerSigningShareB64u ? { relayerSigningShareB64u } : {}),\n relayerNoncesB64u,\n participantIds,\n };\n}\n\nexport type ParsedThresholdEd25519StringById = Record<string, string>;\n\nexport function parseThresholdEd25519StringById(raw: unknown): ParsedThresholdEd25519StringById \| null {\n if (!isObject(raw)) return null;\n const out: ParsedThresholdEd25519StringById = {};\n for (const [k, v] of Object.entries(raw)) {\n const key = toTrimmedString(k);\n const value = toOptionalString(v);\n if (!key \|\| !value) return null;\n out[key] = value;\n }\n return Object.keys(out).length ? out : null;\n}\n\nexport type ParsedThresholdEd25519CoordinatorSigningSessionRecord =\n {\n mode: 'cosigner';\n expiresAtMs: number;\n mpcSessionId: string;\n relayerKeyId: string;\n signingDigestB64u: string;\n userId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n commitmentsById: ParsedThresholdEd25519CommitmentsById;\n participantIds: number[];\n groupPublicKey: string;\n cosignerIds: number[];\n cosignerRelayerUrlsById: ParsedThresholdEd25519StringById;\n cosignerCoordinatorGrantsById: ParsedThresholdEd25519StringById;\n relayerVerifyingSharesById: ParsedThresholdEd25519StringById;\n };\n\nexport function parseThresholdEd25519CoordinatorSigningSessionRecord(raw: unknown): ParsedThresholdEd25519CoordinatorSigningSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const mpcSessionId = toOptionalString(raw.mpcSessionId);\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const signingDigestB64u = toOptionalString(raw.signingDigestB64u);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const clientVerifyingShareB64u = toOptionalString(raw.clientVerifyingShareB64u);\n const commitmentsById = parseThresholdEd25519CommitmentsById(raw.commitmentsById);\n const participantIds =\n normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n const relayerVerifyingSharesById = parseThresholdEd25519StringById(raw.relayerVerifyingSharesById);\n\n if (!isValidNumber(expiresAtMs)) return null;\n if (\n !mpcSessionId \|\|\n !relayerKeyId \|\|\n !signingDigestB64u \|\|\n !userId \|\|\n !rpId \|\|\n !clientVerifyingShareB64u \|\|\n !commitmentsById \|\|\n !relayerVerifyingSharesById\n ) {\n return null;\n }\n\n const mode = toOptionalString(raw.mode);\n if (mode !== 'cosigner') return null;\n\n const groupPublicKey = toOptionalString(raw.groupPublicKey);\n const cosignerIds = normalizeThresholdEd25519ParticipantIds(raw.cosignerIds);\n const cosignerRelayerUrlsById = parseThresholdEd25519StringById(raw.cosignerRelayerUrlsById);\n const cosignerCoordinatorGrantsById = parseThresholdEd25519StringById(raw.cosignerCoordinatorGrantsById);\n if (!groupPublicKey \|\| !cosignerIds \|\| !cosignerRelayerUrlsById \|\| !cosignerCoordinatorGrantsById) return null;\n return {\n mode: 'cosigner',\n expiresAtMs,\n mpcSessionId,\n relayerKeyId,\n signingDigestB64u,\n userId,\n rpId,\n clientVerifyingShareB64u,\n commitmentsById,\n participantIds,\n groupPublicKey,\n cosignerIds,\n cosignerRelayerUrlsById,\n cosignerCoordinatorGrantsById,\n relayerVerifyingSharesById,\n };\n}\n\nexport type ParsedThresholdEd25519AuthSessionRecord = {\n expiresAtMs: number;\n relayerKeyId: string;\n userId: string;\n rpId: string;\n participantIds: number[];\n};\n\nexport function parseThresholdEd25519AuthSessionRecord(raw: unknown): ParsedThresholdEd25519AuthSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const participantIds =\n normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n if (!isValidNumber(expiresAtMs)) return null;\n if (!relayerKeyId \|\| !userId \|\| !rpId) return null;\n return { expiresAtMs, relayerKeyId, userId, rpId, participantIds };\n}\n\nexport type ThresholdEd25519SessionClaims = {\n sub: string;\n kind: 'threshold_ed25519_session_v1';\n sessionId: string;\n relayerKeyId: string;\n rpId: string;\n};\n\nexport function parseThresholdEd25519SessionClaims(raw: unknown): ThresholdEd25519SessionClaims \| null {\n if (!isObject(raw)) return null;\n const kind = toOptionalString(raw.kind);\n if (kind !== 'threshold_ed25519_session_v1') return null;\n const sub = toOptionalString(raw.sub);\n const sessionId = toOptionalString(raw.sessionId);\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const rpId = toOptionalString(raw.rpId);\n if (!sub \|\| !sessionId \|\| !relayerKeyId \|\| !rpId) return null;\n return { sub, kind, sessionId, relayerKeyId, rpId };\n}\n\nexport function normalizeByteArray32(input: unknown): Uint8Array \| null {\n if (input instanceof Uint8Array) {\n return input.length === 32 ? input : null;\n }\n if (!Array.isArray(input) \|\| input.length !== 32) return null;\n const out = new Uint8Array(32);\n for (let i = 0; i < 32; i++) {\n const v = Number(input[i]);\n if (!Number.isFinite(v) \|\| v < 0 \|\| v > 255) return null;\n out[i] = v;\n }\n return out;\n}\n\nexport function bytesEqual32(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== 32 \|\| b.length !== 32) return false;\n for (let i = 0; i < 32; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n}\n\nexport function toNearPublicKeyStr(v: unknown): string {\n return ensureEd25519Prefix(toOptionalString(v));\n}\n\nexport function normalizeActionForIntentDigest(a: unknown): Record<string, unknown> {\n if (!isObject(a)) return { action_type: '' };\n const actionType = toOptionalString(a.action_type);\n switch (actionType) {\n case 'FunctionCall':\n return {\n action_type: actionType,\n args: toOptionalString(a.args),\n deposit: toOptionalString(a.deposit),\n gas: toOptionalString(a.gas),\n method_name: toOptionalString(a.method_name),\n };\n case 'Transfer':\n return { action_type: actionType, deposit: toOptionalString(a.deposit) };\n case 'Stake':\n return { action_type: actionType, stake: toOptionalString(a.stake), public_key: toOptionalString(a.public_key) };\n case 'AddKey':\n return { action_type: actionType, public_key: toOptionalString(a.public_key), access_key: toOptionalString(a.access_key) };\n case 'DeleteKey':\n return { action_type: actionType, public_key: toOptionalString(a.public_key) };\n case 'DeleteAccount':\n return { action_type: actionType, beneficiary_id: toOptionalString(a.beneficiary_id) };\n case 'DeployContract':\n return { action_type: actionType, code: Array.isArray(a.code) ? a.code : [] };\n case 'DeployGlobalContract':\n return {\n action_type: actionType,\n code: Array.isArray(a.code) ? a.code : [],\n deploy_mode: toOptionalString(a.deploy_mode),\n };\n case 'UseGlobalContract':\n return {\n action_type: actionType,\n account_id: toOptionalString(a.account_id) \|\| undefined,\n code_hash: toOptionalString(a.code_hash) \|\| undefined,\n };\n case 'CreateAccount':\n case 'SignedDelegate':\n default:\n return { action_type: actionType };\n }\n}\n\nexport function extractAuthorizeSigningPublicKey(purpose: string, signingPayload: unknown): string {\n if (!isObject(signingPayload)) return '';\n if (purpose === 'near_tx') {\n const ctx = isObject(signingPayload.transactionContext) ? signingPayload.transactionContext : null;\n return toNearPublicKeyStr(ctx?.nearPublicKeyStr);\n }\n if (purpose === 'nep461_delegate') {\n const delegate = isObject(signingPayload.delegate) ? signingPayload.delegate : null;\n return toNearPublicKeyStr(delegate?.publicKey);\n }\n return '';\n}\n\nexport async function ensureRelayerKeyIsActiveAccessKey(input: {\n nearAccountId: unknown;\n relayerPublicKey: unknown;\n expectedSigningPublicKey?: unknown;\n viewAccessKeyList: (accountId: string) => Promise<AccessKeyList>;\n}): Promise<ThresholdValidationResult> {\n const nearAccountId = toOptionalString(input.nearAccountId);\n const relayerPublicKey = toNearPublicKeyStr(input.relayerPublicKey);\n const expectedSigningPublicKey = toNearPublicKeyStr(input.expectedSigningPublicKey);\n if (!nearAccountId) return { ok: false, code: 'invalid_body', message: 'nearAccountId is required' };\n if (!relayerPublicKey) return { ok: false, code: 'internal', message: 'Missing relayer public key for relayerKeyId' };\n\n if (expectedSigningPublicKey && expectedSigningPublicKey !== relayerPublicKey) {\n return { ok: false, code: 'unauthorized', message: 'relayerKeyId does not match signingPayload public key' };\n }\n\n try {\n const list = await input.viewAccessKeyList(nearAccountId);\n const keys = list.keys \|\| [];\n const found = keys.some((k) => toNearPublicKeyStr(k.public_key) === relayerPublicKey);\n if (!found) {\n return { ok: false, code: 'unauthorized', message: 'relayerKeyId public key is not an active access key for nearAccountId' };\n }\n return { ok: true };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to query NEAR access keys');\n return { ok: false, code: 'internal', message: `Failed to verify access key scope: ${msg}` };\n }\n}\n\ntype NearTxAuthorizeSigningPayload = {\n kind?: string;\n txSigningRequests: Array<{\n nearAccountId: string;\n receiverId: string;\n actions: unknown[];\n }>;\n transactionContext: {\n nearPublicKeyStr: string;\n nextNonce: string;\n txBlockHash: string;\n txBlockHeight?: string;\n };\n};\n\ntype Nep461DelegateAuthorizeSigningPayload = {\n kind?: string;\n delegate: {\n senderId: string;\n receiverId: string;\n actions: unknown[];\n nonce: string;\n maxBlockHeight: string;\n publicKey: string;\n };\n};\n\ntype Nep413AuthorizeSigningPayload = {\n kind?: string;\n nearAccountId: string;\n message: string;\n recipient: string;\n nonce: string;\n state?: string;\n};\n\nexport async function verifyThresholdEd25519AuthorizeSigningPayload(input: {\n purpose: string;\n signingPayload: unknown;\n signingDigest32: Uint8Array;\n intentDigest32: Uint8Array;\n userId: string;\n ensureSignerWasm: () => Promise<void>;\n computeNearTxSigningDigests: (payload: unknown) => unknown;\n computeDelegateSigningDigest: (payload: unknown) => unknown;\n computeNep413SigningDigest: (payload: unknown) => unknown;\n}): Promise<ThresholdValidationResult> {\n const purpose = input.purpose;\n const signingPayload = input.signingPayload;\n if (!isObject(signingPayload)) {\n return { ok: false, code: 'invalid_body', message: 'signingPayload (object) is required for threshold authorization' };\n }\n\n const kind = toOptionalString(signingPayload.kind);\n const expectedKind = purpose;\n if (kind && kind !== expectedKind) {\n return { ok: false, code: 'invalid_body', message: `signingPayload.kind must match purpose (${expectedKind})` };\n }\n\n // 1) Recompute intent_digest_32 from signingPayload and compare to VRF-bound digest.\n let intentDigest32Computed: Uint8Array;\n try {\n if (purpose === 'near_tx') {\n const payload = signingPayload as Partial<NearTxAuthorizeSigningPayload>;\n const txs = payload.txSigningRequests;\n if (!Array.isArray(txs) \|\| !txs.length) throw new Error('signingPayload.txSigningRequests is required');\n const nearAccountId = toOptionalString(txs[0]?.nearAccountId);\n if (!nearAccountId) throw new Error('txSigningRequests[0].nearAccountId is required');\n for (const tx of txs) {\n if (toOptionalString(tx?.nearAccountId) !== nearAccountId) {\n throw new Error('All txSigningRequests[].nearAccountId must match');\n }\n }\n if (nearAccountId !== input.userId) throw new Error('txSigningRequests[].nearAccountId must match vrf_data.user_id');\n const txInputs = txs.map((tx) => ({\n receiverId: toOptionalString(tx?.receiverId),\n actions: Array.isArray(tx?.actions) ? tx.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }));\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep461_delegate') {\n const payload = signingPayload as Partial<Nep461DelegateAuthorizeSigningPayload>;\n const d = payload.delegate;\n if (!isObject(d)) throw new Error('signingPayload.delegate is required');\n const senderId = toOptionalString(d.senderId);\n if (!senderId) throw new Error('delegate.senderId is required');\n if (senderId !== input.userId) throw new Error('delegate.senderId must match vrf_data.user_id');\n const txInputs = [{\n receiverId: toOptionalString(d.receiverId),\n actions: Array.isArray(d.actions) ? d.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }];\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep413') {\n const payload = signingPayload as Partial<Nep413AuthorizeSigningPayload>;\n const nearAccountId = toOptionalString(payload.nearAccountId);\n if (!nearAccountId) throw new Error('signingPayload.nearAccountId is required');\n if (nearAccountId !== input.userId) throw new Error('signingPayload.nearAccountId must match vrf_data.user_id');\n const recipient = toOptionalString(payload.recipient);\n const message = toOptionalString(payload.message);\n const json = alphabetizeStringify({ kind: 'nep413', nearAccountId, recipient, message });\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else {\n throw new Error(`Unsupported purpose: ${purpose}`);\n }\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute intent digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n if (intentDigest32Computed.length !== 32) {\n return { ok: false, code: 'internal', message: `Computed intent digest is not 32 bytes (got ${intentDigest32Computed.length})` };\n }\n if (!bytesEqual32(intentDigest32Computed, input.intentDigest32)) {\n return { ok: false, code: 'intent_digest_mismatch', message: 'signingPayload does not match vrf_data.intent_digest_32' };\n }\n\n // 2) Recompute signing_digest_32 from signingPayload and compare to requested signing digest.\n let signingDigest32Computed: Uint8Array[];\n try {\n await input.ensureSignerWasm();\n signingDigest32Computed = (() => {\n if (purpose === 'near_tx') {\n const digestsUnknown: unknown = input.computeNearTxSigningDigests(signingPayload);\n if (!Array.isArray(digestsUnknown)) throw new Error('near_tx digest recomputation failed');\n return digestsUnknown.map((d, i) => {\n const bytes = normalizeByteArray32(d);\n if (!bytes) throw new Error(`near_tx digest[${i}] is not 32 bytes`);\n return bytes;\n });\n }\n if (purpose === 'nep461_delegate') {\n const digestUnknown: unknown = input.computeDelegateSigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep461_delegate digest is not 32 bytes');\n return [bytes];\n }\n if (purpose === 'nep413') {\n const digestUnknown: unknown = input.computeNep413SigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep413 digest is not 32 bytes');\n return [bytes];\n }\n throw new Error(`Unsupported purpose: ${purpose}`);\n })();\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute signing digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n const match = signingDigest32Computed.some((d) => bytesEqual32(d, input.signingDigest32));\n if (!match) {\n return { ok: false, code: 'signing_digest_mismatch', message: 'signingPayload does not match signing_digest_32' };\n }\n\n return { ok: true };\n}\n\nexport type ThresholdAuthorizeSigningDigestOnlyOk = { ok: true; intentDigest32: Uint8Array };\nexport type ThresholdAuthorizeSigningDigestOnlyResult = ThresholdAuthorizeSigningDigestOnlyOk \| ThresholdValidationErr;\n\nexport async function verifyThresholdEd25519AuthorizeSigningPayloadSigningDigestOnly(input: {\n purpose: string;\n signingPayload: unknown;\n signingDigest32: Uint8Array;\n userId: string;\n ensureSignerWasm: () => Promise<void>;\n computeNearTxSigningDigests: (payload: unknown) => unknown;\n computeDelegateSigningDigest: (payload: unknown) => unknown;\n computeNep413SigningDigest: (payload: unknown) => unknown;\n}): Promise<ThresholdAuthorizeSigningDigestOnlyResult> {\n const purpose = input.purpose;\n const signingPayload = input.signingPayload;\n if (!isObject(signingPayload)) {\n return { ok: false, code: 'invalid_body', message: 'signingPayload (object) is required for threshold authorization' };\n }\n\n const kind = toOptionalString(signingPayload.kind);\n const expectedKind = purpose;\n if (kind && kind !== expectedKind) {\n return { ok: false, code: 'invalid_body', message: `signingPayload.kind must match purpose (${expectedKind})` };\n }\n\n // 1) Recompute intent_digest_32 from signingPayload (not VRF-bound in session mode).\n let intentDigest32Computed: Uint8Array;\n try {\n if (purpose === 'near_tx') {\n const payload = signingPayload as Partial<NearTxAuthorizeSigningPayload>;\n const txs = payload.txSigningRequests;\n if (!Array.isArray(txs) \|\| !txs.length) throw new Error('signingPayload.txSigningRequests is required');\n const nearAccountId = toOptionalString(txs[0]?.nearAccountId);\n if (!nearAccountId) throw new Error('txSigningRequests[0].nearAccountId is required');\n for (const tx of txs) {\n if (toOptionalString(tx?.nearAccountId) !== nearAccountId) {\n throw new Error('All txSigningRequests[].nearAccountId must match');\n }\n }\n if (nearAccountId !== input.userId) throw new Error('txSigningRequests[].nearAccountId must match session user');\n const txInputs = txs.map((tx) => ({\n receiverId: toOptionalString(tx?.receiverId),\n actions: Array.isArray(tx?.actions) ? tx.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }));\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep461_delegate') {\n const payload = signingPayload as Partial<Nep461DelegateAuthorizeSigningPayload>;\n const d = payload.delegate;\n if (!isObject(d)) throw new Error('signingPayload.delegate is required');\n const senderId = toOptionalString(d.senderId);\n if (!senderId) throw new Error('delegate.senderId is required');\n if (senderId !== input.userId) throw new Error('delegate.senderId must match session user');\n const txInputs = [{\n receiverId: toOptionalString(d.receiverId),\n actions: Array.isArray(d.actions) ? d.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }];\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep413') {\n const payload = signingPayload as Partial<Nep413AuthorizeSigningPayload>;\n const nearAccountId = toOptionalString(payload.nearAccountId);\n if (!nearAccountId) throw new Error('signingPayload.nearAccountId is required');\n if (nearAccountId !== input.userId) throw new Error('signingPayload.nearAccountId must match session user');\n const recipient = toOptionalString(payload.recipient);\n const message = toOptionalString(payload.message);\n const json = alphabetizeStringify({ kind: 'nep413', nearAccountId, recipient, message });\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else {\n throw new Error(`Unsupported purpose: ${purpose}`);\n }\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute intent digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n if (intentDigest32Computed.length !== 32) {\n return { ok: false, code: 'internal', message: `Computed intent digest is not 32 bytes (got ${intentDigest32Computed.length})` };\n }\n\n // 2) Recompute signing_digest_32 from signingPayload and compare to requested signing digest.\n let signingDigest32Computed: Uint8Array[];\n try {\n await input.ensureSignerWasm();\n signingDigest32Computed = (() => {\n if (purpose === 'near_tx') {\n const digestsUnknown: unknown = input.computeNearTxSigningDigests(signingPayload);\n if (!Array.isArray(digestsUnknown)) throw new Error('near_tx digest recomputation failed');\n return digestsUnknown.map((d, i) => {\n const bytes = normalizeByteArray32(d);\n if (!bytes) throw new Error(`near_tx digest[${i}] is not 32 bytes`);\n return bytes;\n });\n }\n if (purpose === 'nep461_delegate') {\n const digestUnknown: unknown = input.computeDelegateSigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep461_delegate digest is not 32 bytes');\n return [bytes];\n }\n if (purpose === 'nep413') {\n const digestUnknown: unknown = input.computeNep413SigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep413 digest is not 32 bytes');\n return [bytes];\n }\n throw new Error(`Unsupported purpose: ${purpose}`);\n })();\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute signing digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n const match = signingDigest32Computed.some((d) => bytesEqual32(d, input.signingDigest32));\n if (!match) {\n return { ok: false, code: 'signing_digest_mismatch', message: 'signingPayload does not match signing_digest_32' };\n }\n\n return { ok: true, intentDigest32: intentDigest32Computed };\n}\n","import type {\n ThresholdEd25519AuthorizeRequest,\n ThresholdEd25519AuthorizeWithSessionRequest,\n} from '../core/types';\nimport { parseThresholdEd25519SessionClaims } from '../core/ThresholdService/validation';\nimport type { SessionAdapter } from './relay';\n\ntype PlainObject = Record<string, unknown>;\ntype AuthorizeErr = { ok: false; code: 'sessions_disabled' \| 'unauthorized'; message: string };\n\nfunction isPlainObject(input: unknown): input is PlainObject {\n return !!input && typeof input === 'object' && !Array.isArray(input);\n}\n\nexport function summarizeVrfData(input: unknown): Record<string, unknown> \| undefined {\n if (!isPlainObject(input)) return undefined;\n const user_id = typeof input.user_id === 'string' ? input.user_id : undefined;\n const rp_id = typeof input.rp_id === 'string' ? input.rp_id : undefined;\n const block_height = typeof input.block_height === 'number' ? input.block_height : undefined;\n const has_intent_digest_32 = Array.isArray(input.intent_digest_32) ? true : undefined;\n const intent_digest_32_len = Array.isArray(input.intent_digest_32) ? input.intent_digest_32.length : undefined;\n const has_session_policy_digest_32 = Array.isArray(input.session_policy_digest_32) ? true : undefined;\n const session_policy_digest_32_len = Array.isArray(input.session_policy_digest_32) ? input.session_policy_digest_32.length : undefined;\n return {\n ...(user_id ? { user_id } : {}),\n ...(rp_id ? { rp_id } : {}),\n ...(block_height != null ? { block_height } : {}),\n ...(has_intent_digest_32 != null ? { has_intent_digest_32 } : {}),\n ...(intent_digest_32_len != null ? { intent_digest_32_len } : {}),\n ...(has_session_policy_digest_32 != null ? { has_session_policy_digest_32 } : {}),\n ...(session_policy_digest_32_len != null ? { session_policy_digest_32_len } : {}),\n };\n}\n\nfunction looksLikeWebauthnAuthorizeBody(input: unknown): boolean {\n if (!isPlainObject(input)) return false;\n return isPlainObject(input.vrf_data) && isPlainObject(input.webauthn_authentication);\n}\n\nexport type ThresholdEd25519AuthorizeInputs =\n \| { ok: true; mode: 'webauthn'; request: ThresholdEd25519AuthorizeRequest }\n \| {\n ok: true;\n mode: 'session';\n sessionId: string;\n userId: string;\n request: ThresholdEd25519AuthorizeWithSessionRequest;\n }\n \| AuthorizeErr;\n\nexport async function validateThresholdEd25519AuthorizeInputs(input: {\n body: unknown;\n headers: Record<string, string \| string[] \| undefined>;\n session: SessionAdapter \| null \| undefined;\n}): Promise<ThresholdEd25519AuthorizeInputs> {\n if (looksLikeWebauthnAuthorizeBody(input.body)) {\n return { ok: true, mode: 'webauthn', request: input.body as ThresholdEd25519AuthorizeRequest };\n }\n\n const session = input.session;\n if (!session) {\n return { ok: false, code: 'sessions_disabled', message: 'Sessions are not configured on this server' };\n }\n\n const parsed = await session.parse(input.headers);\n if (!parsed.ok) {\n return { ok: false, code: 'unauthorized', message: 'Missing or invalid threshold session token' };\n }\n\n const claims = parseThresholdEd25519SessionClaims(parsed.claims);\n if (!claims) {\n return { ok: false, code: 'unauthorized', message: 'Invalid threshold session token claims' };\n }\n\n const requestBody = isPlainObject(input.body) ? input.body : {};\n return {\n ok: true,\n mode: 'session',\n sessionId: claims.sessionId,\n userId: claims.sub,\n request: requestBody as unknown as ThresholdEd25519AuthorizeWithSessionRequest,\n };\n}\n","import type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { json, readJson } from '../http';\nimport { thresholdEd25519StatusCode } from '../../../threshold/statusCodes';\nimport type {\n ThresholdEd25519AuthorizeResponse,\n ThresholdEd25519CosignFinalizeRequest,\n ThresholdEd25519CosignInitRequest,\n ThresholdEd25519KeygenRequest,\n ThresholdEd25519SignFinalizeRequest,\n ThresholdEd25519SignInitRequest,\n ThresholdEd25519SessionRequest,\n} from '../../../core/types';\nimport { parseSessionKind } from '../../relay';\nimport {\n summarizeVrfData,\n validateThresholdEd25519AuthorizeInputs,\n} from '../../commonRouterUtils';\n\nexport async function handleThresholdEd25519(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method === 'GET' && ctx.pathname === '/threshold-ed25519/healthz') {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return json({\n ok: false,\n configured: false,\n code: 'threshold_disabled',\n message: 'Threshold signing is not configured on this server',\n }, { status: 503 });\n }\n return json({ ok: true, configured: true }, { status: 200 });\n }\n\n if (ctx.method !== 'POST') return null;\n\n const pathname = ctx.pathname;\n if (\n pathname !== '/threshold-ed25519/keygen'\n && pathname !== '/threshold-ed25519/session'\n && pathname !== '/threshold-ed25519/authorize'\n && pathname !== '/threshold-ed25519/sign/init'\n && pathname !== '/threshold-ed25519/sign/finalize'\n && pathname !== '/threshold-ed25519/internal/cosign/init'\n && pathname !== '/threshold-ed25519/internal/cosign/finalize'\n ) {\n return null;\n }\n\n const body = await readJson(ctx.request);\n const threshold = ctx.opts.threshold;\n\n switch (pathname) {\n case '/threshold-ed25519/keygen': {\n if (!threshold) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, configured: false });\n return json({ ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' }, { status: 503 });\n }\n const b = (body \|\| {}) as ThresholdEd25519KeygenRequest;\n ctx.logger.info('[threshold-ed25519] request', {\n route: pathname,\n method: ctx.method,\n nearAccountId: typeof b.nearAccountId === 'string' ? b.nearAccountId : undefined,\n clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === 'string' ? b.clientVerifyingShareB64u.length : undefined,\n registrationTxHash: ('registrationTxHash' in b && typeof b.registrationTxHash === 'string') ? b.registrationTxHash : undefined,\n vrf_data: summarizeVrfData((b as unknown as { vrf_data?: unknown }).vrf_data),\n });\n const result = await threshold.thresholdEd25519Keygen(b);\n ctx.logger.info('[threshold-ed25519] response', {\n route: pathname,\n status: thresholdEd25519StatusCode(result),\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n });\n return json(result, { status: thresholdEd25519StatusCode(result) });\n }\n case '/threshold-ed25519/session': {\n if (!threshold) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, configured: false });\n return json({ ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' }, { status: 503 });\n }\n const session = ctx.opts.session;\n if (!session) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, sessions: false });\n return json({ ok: false, code: 'sessions_disabled', message: 'Sessions are not configured on this server' }, { status: 501 });\n }\n\n const b = (body \|\| {}) as ThresholdEd25519SessionRequest;\n ctx.logger.info('[threshold-ed25519] request', {\n route: pathname,\n method: ctx.method,\n relayerKeyId: typeof b.relayerKeyId === 'string' ? b.relayerKeyId : undefined,\n clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === 'string' ? b.clientVerifyingShareB64u.length : undefined,\n sessionPolicy: b.sessionPolicy ? { version: b.sessionPolicy.version } : undefined,\n vrf_data: summarizeVrfData((b as unknown as { vrf_data?: unknown }).vrf_data),\n });\n\n const result = await threshold.thresholdEd25519Session(b);\n const status = thresholdEd25519StatusCode(result);\n ctx.logger.info('[threshold-ed25519] response', { route: pathname, status, ok: result.ok, ...(result.code ? { code: result.code } : {}) });\n if (!result.ok) return json(result, { status });\n\n const sessionId = String(result.sessionId \|\| '').trim();\n const userId = b.vrf_data.user_id;\n const rpId = b.vrf_data.rp_id;\n const relayerKeyId = b.relayerKeyId;\n const token = await session.signJwt(userId, { kind: 'threshold_ed25519_session_v1', sessionId, relayerKeyId, rpId });\n const sessionKind = parseSessionKind(b);\n\n const res = json(sessionKind === 'cookie' ? { ...result, jwt: undefined } : { ...result, jwt: token }, { status: 200 });\n if (sessionKind === 'cookie') {\n res.headers.set('Set-Cookie', session.buildSetCookie(token));\n }\n return res;\n }\n case '/threshold-ed25519/authorize': {\n if (!threshold) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, configured: false });\n return json({ ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' }, { status: 503 });\n }\n const b = (body \|\| {}) as Record<string, unknown>;\n ctx.logger.info('[threshold-ed25519] request', {\n route: pathname,\n method: ctx.method,\n relayerKeyId: typeof b.relayerKeyId === 'string' ? b.relayerKeyId : undefined,\n clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === 'string' ? b.clientVerifyingShareB64u.length : undefined,\n purpose: typeof b.purpose === 'string' ? b.purpose : undefined,\n signing_digest_32_len: Array.isArray(b.signing_digest_32) ? b.signing_digest_32.length : undefined,\n vrf_data: summarizeVrfData((b as unknown as { vrf_data?: unknown }).vrf_data),\n });\n\n const respond = (result: ThresholdEd25519AuthorizeResponse): Response => {\n ctx.logger.info('[threshold-ed25519] response', {\n route: pathname,\n status: thresholdEd25519StatusCode(result),\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n });\n return json(result, { status: thresholdEd25519StatusCode(result) });\n };\n\n const validated = await validateThresholdEd25519AuthorizeInputs({\n body,\n headers: Object.fromEntries(ctx.request.headers.entries()),\n session: ctx.opts.session,\n });\n if (!validated.ok) return respond(validated);\n\n const result = validated.mode === 'webauthn'\n ? await threshold.authorizeThresholdEd25519(validated.request)\n : await threshold.authorizeThresholdEd25519WithSession({\n sessionId: validated.sessionId,\n userId: validated.userId,\n request: validated.request,\n });\n return respond(result);\n\n }\n case '/threshold-ed25519/sign/init': {\n if (!threshold) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, configured: false });\n return json({ ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' }, { status: 503 });\n }\n const b = (body \|\| {}) as ThresholdEd25519SignInitRequest;\n ctx.logger.info('[threshold-ed25519] request', {\n route: pathname,\n method: ctx.method,\n mpcSessionId: typeof b.mpcSessionId === 'string' ? b.mpcSessionId : undefined,\n relayerKeyId: typeof b.relayerKeyId === 'string' ? b.relayerKeyId : undefined,\n nearAccountId: typeof b.nearAccountId === 'string' ? b.nearAccountId : undefined,\n signingDigestB64u_len: typeof b.signingDigestB64u === 'string' ? b.signingDigestB64u.length : undefined,\n });\n const result = await threshold.thresholdEd25519SignInit(b);\n ctx.logger.info('[threshold-ed25519] response', {\n route: pathname,\n status: thresholdEd25519StatusCode(result),\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n });\n return json(result, { status: thresholdEd25519StatusCode(result) });\n }\n case '/threshold-ed25519/sign/finalize': {\n if (!threshold) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, configured: false });\n return json({ ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' }, { status: 503 });\n }\n const b = (body \|\| {}) as ThresholdEd25519SignFinalizeRequest;\n ctx.logger.info('[threshold-ed25519] request', {\n route: pathname,\n method: ctx.method,\n signingSessionId: typeof b.signingSessionId === 'string' ? b.signingSessionId : undefined,\n clientSignatureShareB64u_len: typeof b.clientSignatureShareB64u === 'string' ? b.clientSignatureShareB64u.length : undefined,\n });\n const result = await threshold.thresholdEd25519SignFinalize(b);\n ctx.logger.info('[threshold-ed25519] response', {\n route: pathname,\n status: thresholdEd25519StatusCode(result),\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n });\n return json(result, { status: thresholdEd25519StatusCode(result) });\n }\n case '/threshold-ed25519/internal/cosign/init': {\n if (!threshold) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, configured: false });\n return json({ ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' }, { status: 503 });\n }\n if (!threshold.thresholdEd25519CosignInit) {\n const result = { ok: false, code: 'not_found', message: 'threshold-ed25519 cosigner endpoints are not enabled on this server' };\n return json(result, { status: thresholdEd25519StatusCode(result) });\n }\n const b = (body \|\| {}) as ThresholdEd25519CosignInitRequest;\n ctx.logger.info('[threshold-ed25519] request', {\n route: pathname,\n method: ctx.method,\n coordinatorGrant_len: typeof b.coordinatorGrant === 'string' ? b.coordinatorGrant.length : undefined,\n signingSessionId: typeof b.signingSessionId === 'string' ? b.signingSessionId : undefined,\n cosignerShareB64u_len: typeof b.cosignerShareB64u === 'string' ? b.cosignerShareB64u.length : undefined,\n });\n const result = await threshold.thresholdEd25519CosignInit(b);\n ctx.logger.info('[threshold-ed25519] response', {\n route: pathname,\n status: thresholdEd25519StatusCode(result),\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n });\n return json(result, { status: thresholdEd25519StatusCode(result) });\n }\n case '/threshold-ed25519/internal/cosign/finalize': {\n if (!threshold) {\n ctx.logger.warn('[threshold-ed25519] request', { route: pathname, method: ctx.method, configured: false });\n return json({ ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' }, { status: 503 });\n }\n if (!threshold.thresholdEd25519CosignFinalize) {\n const result = { ok: false, code: 'not_found', message: 'threshold-ed25519 cosigner endpoints are not enabled on this server' };\n return json(result, { status: thresholdEd25519StatusCode(result) });\n }\n const b = (body \|\| {}) as ThresholdEd25519CosignFinalizeRequest;\n ctx.logger.info('[threshold-ed25519] request', {\n route: pathname,\n method: ctx.method,\n coordinatorGrant_len: typeof b.coordinatorGrant === 'string' ? b.coordinatorGrant.length : undefined,\n signingSessionId: typeof b.signingSessionId === 'string' ? b.signingSessionId : undefined,\n cosignerIds_len: Array.isArray(b.cosignerIds) ? b.cosignerIds.length : undefined,\n });\n const result = await threshold.thresholdEd25519CosignFinalize(b);\n ctx.logger.info('[threshold-ed25519] response', {\n route: pathname,\n status: thresholdEd25519StatusCode(result),\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n });\n return json(result, { status: thresholdEd25519StatusCode(result) });\n }\n default:\n return null;\n }\n}\n","import { parseSessionKind } from '../../relay';\nimport type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { isObject, json, readJson } from '../http';\nimport type { VerifyAuthenticationRequest } from '../../../core/types';\n\nexport async function handleVerifyAuthenticationResponse(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method !== 'POST' \|\| ctx.pathname !== '/verify-authentication-response') return null;\n\n const body = await readJson(ctx.request);\n const valid = isObject(body)\n && isObject((body as Record<string, unknown>).vrf_data)\n && isObject((body as Record<string, unknown>).webauthn_authentication);\n if (!valid) {\n return json({ code: 'invalid_body', message: 'vrf_data and webauthn_authentication are required' }, { status: 400 });\n }\n\n try {\n const sessionKind = parseSessionKind(body);\n const req = body as unknown as VerifyAuthenticationRequest;\n const result = await ctx.service.verifyAuthenticationResponse(req);\n const status = result.success ? 200 : 400;\n if (status !== 200) {\n return json({ code: 'not_verified', message: result.message \|\| 'Authentication verification failed' }, { status });\n }\n\n const res = json(result, { status: 200 });\n const session = ctx.opts.session;\n if (session && result.verified) {\n try {\n const userId = String(req.vrf_data?.user_id \|\| '');\n const token = await session.signJwt(userId, { rpId: req.vrf_data?.rp_id, blockHeight: req.vrf_data?.block_height });\n ctx.logger.info(`[relay] creating ${sessionKind === 'cookie' ? 'HttpOnly session' : 'JWT'} for`, userId);\n if (sessionKind === 'cookie') {\n res.headers.set('Set-Cookie', session.buildSetCookie(token));\n } else {\n const payload = await res.clone().json();\n return new Response(JSON.stringify({ ...payload, jwt: token }), { status: 200, headers: res.headers });\n }\n } catch { }\n }\n\n return res;\n } catch (e: any) {\n return json({ code: 'internal', message: e?.message \|\| 'Internal error' }, { status: 500 });\n }\n}\n","import type { CloudflareRelayContext } from '../createCloudflareRouter';\nimport { json } from '../http';\n\nexport async function handleWellKnown(ctx: CloudflareRelayContext): Promise<Response \| null> {\n if (ctx.method !== 'GET') return null;\n if (ctx.pathname !== '/.well-known/webauthn' && ctx.pathname !== '/.well-known/webauthn/') return null;\n\n // ROR well-known manifest; allow override via env (optional)\n const contractId = (ctx.env?.ROR_CONTRACT_ID \|\| ctx.env?.WEBAUTHN_CONTRACT_ID \|\| '').toString().trim() \|\| undefined;\n const methodName = (ctx.env?.ROR_METHOD \|\| '').toString().trim() \|\| undefined;\n const origins = await ctx.service.getRorOrigins({ contractId, method: methodName });\n return json({ origins }, { status: 200, headers: { 'Cache-Control': 'max-age=60, stale-while-revalidate=600' } });\n}\n","import type { AuthService } from '../core/AuthService';\nimport type { RelayRouterOptions } from './relay';\n\nexport function resolveThresholdOption(service: AuthService, opts: RelayRouterOptions): RelayRouterOptions['threshold'] {\n // Preserve \"explicit null disables threshold\" semantics:\n // - `opts.threshold === null` => disabled\n // - `opts.threshold === undefined` => auto-wire from AuthService config\n return opts.threshold !== undefined ? opts.threshold : service.getThresholdSigningService();\n}\n\n","import type { AuthService } from '../../core/AuthService';\nimport type { DelegateActionPolicy } from '../../delegateAction';\nimport { ensureLeadingSlash } from '../../../utils/validation';\nimport type { RelayRouterOptions } from '../relay';\nimport type { NormalizedRouterLogger } from '../logger';\nimport { coerceRouterLogger } from '../logger';\nimport type { CfEnv, CfExecutionContext, FetchHandler } from './types';\nimport { json, withCors } from './http';\nimport { handleCreateAccountAndRegisterUser } from './routes/createAccountAndRegisterUser';\nimport { handleHealth, handleReady } from './routes/health';\nimport { handleRecoverEmail } from './routes/recoverEmail';\nimport { handleSessionAuth, handleSessionLogout, handleSessionRefresh } from './routes/sessions';\nimport { handleShamir } from './routes/shamir';\nimport { handleSignedDelegate } from './routes/signedDelegate';\nimport { handleThresholdEd25519 } from './routes/thresholdEd25519';\nimport { handleVerifyAuthenticationResponse } from './routes/verifyAuthenticationResponse';\nimport { handleWellKnown } from './routes/wellKnown';\nimport { resolveThresholdOption } from '../routerOptions';\n\nexport interface CloudflareRelayContext {\n request: Request;\n url: URL;\n pathname: string;\n method: string;\n env?: CfEnv;\n cfCtx?: CfExecutionContext;\n\n service: AuthService;\n opts: RelayRouterOptions;\n logger: NormalizedRouterLogger;\n\n mePath: string;\n logoutPath: string;\n signedDelegatePath: string;\n signedDelegatePolicy?: DelegateActionPolicy;\n}\n\nexport function createCloudflareRouter(service: AuthService, opts: RelayRouterOptions = {}): FetchHandler {\n const notFound = () => new Response('Not Found', { status: 404 });\n\n const threshold = resolveThresholdOption(service, opts);\n const effectiveOpts: RelayRouterOptions = { ...opts, threshold };\n\n const mePath = effectiveOpts.sessionRoutes?.auth \|\| '/session/auth';\n const logoutPath = effectiveOpts.sessionRoutes?.logout \|\| '/session/logout';\n const logger = coerceRouterLogger(effectiveOpts.logger);\n let signedDelegatePath = '';\n if (effectiveOpts.signedDelegate) {\n signedDelegatePath = ensureLeadingSlash(effectiveOpts.signedDelegate.route) \|\| '/signed-delegate';\n }\n const signedDelegatePolicy = effectiveOpts.signedDelegate?.policy;\n\n const handlers: Array<(c: CloudflareRelayContext) => Promise<Response \| null>> = [\n handleWellKnown,\n handleCreateAccountAndRegisterUser,\n handleSignedDelegate,\n handleShamir,\n handleVerifyAuthenticationResponse,\n handleThresholdEd25519,\n handleSessionAuth,\n handleSessionLogout,\n handleSessionRefresh,\n handleRecoverEmail,\n handleHealth,\n handleReady,\n ];\n\n return async function handler(request: Request, env?: CfEnv, cfCtx?: CfExecutionContext): Promise<Response> {\n const url = new URL(request.url);\n const { pathname } = url;\n const method = request.method.toUpperCase();\n\n // Preflight CORS\n if (method === 'OPTIONS') {\n const res = new Response(null, { status: 204 });\n withCors(res.headers, effectiveOpts, request);\n return res;\n }\n\n const baseCtx: Omit<CloudflareRelayContext, 'request' \| 'url' \| 'pathname' \| 'method'> = {\n env,\n cfCtx,\n service,\n opts: effectiveOpts,\n logger,\n mePath,\n logoutPath,\n signedDelegatePath,\n signedDelegatePolicy,\n };\n\n const ctx: CloudflareRelayContext = {\n ...baseCtx,\n request,\n url,\n pathname,\n method,\n };\n\n try {\n for (const fn of handlers) {\n const res = await fn(ctx);\n if (res) {\n withCors(res.headers, effectiveOpts, request);\n return res;\n }\n }\n\n return notFound();\n } catch (e: unknown) {\n const res = json({ code: 'internal', message: e instanceof Error ? e.message : String(e) }, { status: 500 });\n withCors(res.headers, effectiveOpts, request);\n return res;\n }\n };\n}\n"],"mappings":";;;AAWA,SAAgB,iBAAiB,OAAwB;AACvD,QAAO,OAAO,UAAU,WAAW,QAAQ;;;AAmB7C,SAAgB,mBAAmB,OAAuB;CACxD,MAAM,UAAU,OAAO,SAAS,IAAI;AACpC,KAAI,CAAC,QAAS,QAAO;AACrB,QAAO,QAAQ,WAAW,OAAO,UAAU,IAAI;;;AAgDjD,SAAgB,aAAa,OAAwB;AACnD,QAAO,OAAO,SAAS,IACpB,QAAQ,YAAY,KACpB,QAAQ,QAAQ,KAChB;;AAyHL,SAAgB,SAAS,GAAyB;AAChD,QAAO,OAAO,MAAM;;;;;AC3ItB,SAAgB,iCAAiC,OAAuC;AACtF,KAAI,CAAC,SAAS,OAAO,UAAU,SAC7B,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAM,OAAO;CACb,MAAM,EAAE,MAAM,IAAI,SAAS,KAAK,YAAY;AAE5C,KAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,OAAO,OAAO,SAC5D,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;AAGtD,KAAI,CAAC,WAAW,OAAO,YAAY,SACjC,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAMA,oBAA4C;AAClD,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,SAClC,mBAAkB,OAAO,GAAG,iBAAiB,OAAO;AAGtD,QAAO;EACL,IAAI;EACJ,SAAS;GACP;GACA;GACA,SAAS;GACT,KAAK,OAAO,QAAQ,WAAW,MAAM;GACrC,SAAS,OAAO,YAAY,WAAW,UAAU;;;;;;;;;;;;AAavD,SAAgB,0BAA0B,KAA+C;AACvF,KAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;CAI5C,IAAI,cAAc;CAClB,MAAM,QAAQ,IAAI,MAAM;CACxB,MAAM,cAAc,MAAM,MAAK,SAAQ,aAAa,KAAK;AACzD,KAAI,aAAa;EACf,MAAM,MAAM,YAAY,QAAQ;EAChC,MAAM,UAAU,OAAO,IAAI,YAAY,MAAM,MAAM,KAAK;AACxD,gBAAc,QAAQ;OAEtB,eAAc,IAAI;AAGpB,KAAI,CAAC,YAAa,QAAO;AAGzB,eAAc,YAAY,QAAQ,kBAAkB,IAAI;AACxD,KAAI,CAAC,YAAa,QAAO;CAGzB,MAAM,QAAQ,YAAY,MACxB;AAEF,KAAI,QAAQ,GACV,QAAO,MAAM;AAGf,QAAO;;;;;AC3FT,SAAS,UAAU,SAAsB,MAAkC;AACzE,KAAI,CAAC,QAAS,QAAO;CAErB,MAAM,eAAe;AACrB,KAAI,OAAO,aAAa,QAAQ,YAAY;EAC1C,MAAMC,MAAI,aAAa,IAAI;AAC3B,SAAQ,OAAOA,QAAM,WAAYA,MAAI;;CAGvC,MAAM,SAAS;CACf,MAAM,IAAI,OAAO,KAAK,kBAAkB,OAAO;AAC/C,KAAI,MAAM,QAAQ,GAAI,QAAQ,OAAO,EAAE,OAAO,WAAY,EAAE,KAAK;AACjE,QAAQ,OAAO,MAAM,WAAY,IAAI;;AAGvC,SAAS,kBAAkB,MAAe,SAA2C;CACnF,MAAM,gBACH,OAAQ,MAAc,iBAAiB,WAAW,OAAQ,KAAa,gBAAgB,QACvF,OAAQ,MAAc,kBAAkB,WAAW,OAAQ,KAAa,iBAAiB;CAC5F,MAAM,iBAAiB,UAAU,SAAS,4BAA4B,UAAU,SAAS,sBAAsB;CAC/G,MAAM,OAAO,gBAAgB,gBAAgB;AAC7C,QAAO,MAAM,MAAM;;AAGrB,SAAgB,yBAAyB,MAAe,OAAkC,IAA6B;CACrH,MAAM,eAAe,kBAAkB,MAAM,KAAK;CAElD,MAAM,aAAa,iCAAiC;AACpD,KAAI,CAAC,WAAW,GACd,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM,WAAW;EAAM,SAAS,WAAW;;CAG9E,MAAM,UAAU,WAAW;CAC3B,MAAM,YAAY,QAAQ,OAAO;CACjC,MAAM,eAAe,QAAQ,WAAW;CAExC,MAAM,gBAAgB,aAAa;CACnC,MAAM,kBAAkB,0BAA0B,iBAAiB;CACnE,MAAM,kBAAkB,OAAO,aAAa,wBAAwB,aAAa,mBAAmB,IAAI;CACxG,MAAM,aAAa,mBAAmB,mBAAmB,IAAI;AAE7D,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAmB,SAAS;;AAErE,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAiB,SAAS;;AAGnE,QAAO;EAAE,IAAI;EAAM;EAAW;EAAW;;;;;;AClF3C,SAAS,KAAK,IAAiE;AAC7E,KAAI,CAAC,GAAI,cAAa;AACtB,SAAQ,GAAG,SAAoB;AAC7B,MAAI;AACF,MAAG,GAAG;UACA;;;;;;;;AAWZ,SAAgB,gBAAgB,QAA0C;AACxE,KAAI,CAAC,OACH,QAAO;EAAE,aAAa;EAAI,YAAY;EAAI,YAAY;EAAI,aAAa;;CAGzE,MAAMC,OAAe;CACrB,MAAM,MAAM,OAAO,KAAK,QAAQ,aAAa,KAAK,IAAI,KAAK,QAAQ;CAEnE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;CAC1E,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;AAE1E,QAAO;EACL,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,OAAO,KAAK;;;AAIhB,MAAa,eAAe;;;;AC/C5B,MAAa,qBAAqB;;;;ACElC,SAAS,eAAe,OAAuB;CAC7C,MAAM,UAAU,OAAO,SAAS,IAAI;CACpC,MAAM,aAAa,QAAQ,QAAQ;CACnC,MAAM,WAAW,QAAQ,QAAQ;AACjC,KAAI,eAAe,MAAM,WAAW,WAClC,QAAO,QAAQ,MAAM,aAAa,GAAG,UAAU,OAAO;AAExD,QAAO,QAAQ;;AAGjB,SAAS,wBAAwB,OAAwC;CACvE,MAAMC,MAA8B;AACpC,KAAI,CAAC,MAAO,QAAO;CAEnB,MAAM,eAAe;AACrB,KAAI,OAAO,aAAa,YAAY,WAClC,KAAI;AACF,eAAa,SAAS,GAAY,MAAe;AAC/C,OAAI,OAAO,GAAG,iBAAiB,OAAO;;AAExC,SAAO;SACD;AAGV,KAAI,OAAO,aAAa,OAAO,cAAc,WAC3C,KAAI;AACF,OAAK,MAAM,SAAS,cAAmC;AACrD,OAAI,CAAC,MAAM,QAAQ,OAAQ;GAC3B,MAAM,CAAC,GAAG,KAAK;AACf,OAAI,OAAO,GAAG,iBAAiB,OAAO;;AAExC,SAAO;SACD;AAGV,KAAI,OAAO,UAAU,SACnB,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,OAClC,KAAI,OAAO,GAAG,iBAAiB,OAAO;AAI1C,QAAO;;AAGT,eAAe,kDAAkD,SAM9D;CACD,MAAM,OAAO,OAAO,SAAS,QAAQ;CACrC,MAAM,KAAK,OAAO,SAAS,MAAM;CACjC,MAAM,UAAU,wBAAyB,SAAiB;CAE1D,IAAI,MAAM;AACV,KAAI;AACF,QAAM,MAAM,IAAI,SAAU,SAAiB,KAAK;SAC1C;CAER,MAAM,UAAU,OAAQ,SAAiB,YAAY,WAAY,QAAgB,UAAU;AAE3F,QAAO;EAAE;EAAM;EAAI;EAAS;EAAK;;;AAsBnC,SAAgB,6BAA6B,SAAsB,OAAsC,IAAkB;CACzH,MAAM,SAAS,mBAAmB,KAAK;CACvC,MAAM,oBAAoB,eAAe,KAAK,qBAAqB;CACnE,MAAM,2BAA2B,KAAK,6BAA6B;CACnE,MAAM,UAAU,QAAQ,KAAK;AAE7B,QAAO,OAAO,YAA2C;AACvD,MAAI;GACF,MAAM,UAAU,MAAM,kDAAkD;GAExE,MAAM,KAAK,eAAe,QAAQ;AAClC,OAAI,mBACF;QAAI,OAAO,mBAAmB;AAC5B,YAAO,KAAK,gCAAgC;MAAE;MAAI;;AAClD,SAAI,CAAC,0BAA0B;AAC7B,cAAQ,UAAU;AAClB;;;;AAKN,OAAI,QACF,QAAO,KAAK,mBAAmB;IAAE,MAAM,QAAQ;IAAM,IAAI,QAAQ;IAAI,SAAS,QAAQ,QAAQ;;GAGhG,MAAM,SAAS,yBAAyB,SAAgB,EAAE,SAAS,QAAQ;AAC3E,OAAI,CAAC,OAAO,IAAI;AACd,WAAO,KAAK,qBAAqB;KAAE,MAAM,OAAO;KAAM,SAAS,OAAO;;AACtE,YAAQ,UAAU,0CAA0C,OAAO;AACnE;;AAGF,OAAI,CAAC,QAAQ,eAAe;AAC1B,WAAO,KAAK;AACZ,YAAQ,UAAU;AAClB;;GAGF,MAAM,SAAS,MAAM,QAAQ,cAAc,qBAAqB;IAC9D,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB,cAAc,OAAO;;AAGvB,OAAI,CAAC,QAAQ,SAAS;AACpB,WAAO,KAAK,2BAA2B;KACrC,WAAW,OAAO;KAClB,OAAO,QAAQ,SAAS;KACxB,SAAS,QAAQ;;IAEnB,MAAM,SAAS,aAAa,QAAQ,WAAW,QAAQ,SAAS;AAChE,YAAQ,UAAU,0CAA0C;AAC5D;;AAGF,UAAO,KAAK,8BAA8B,EAAE,WAAW,OAAO;WACvDC,GAAQ;AACf,UAAO,MAAM,0BAA0B,EAAE,SAAS,GAAG,WAAW,OAAO;AACvE,WAAQ,UAAU;;;;;;;ACjIxB,SAAgB,qBAAqB,SAAsB,OAA8B,IAAsB;CAC7G,MAAM,SAAS,mBAAmB,KAAK;CACvC,MAAM,UAAU,QAAQ,KAAK;CAC7B,MAAM,WAAW,QAAQ,KAAK;AAC9B,KAAI,CAAC,QACH,QAAO,YAAY;AAErB,QAAO,OAAO,WAA6B;AACzC,MAAI;AACF,OAAI,UAAU;IAGZ,MAAM,SAAS,QAAQ;AACvB,QAAI,CAAC,OACH,QAAO,KAAK;SACP;KACL,MAAM,WAAW,MAAM,OAAO;AAC9B,YAAO,KAAK,iCAAiC,SAAS,UAAU,aAAa,SAAS;;SAGxF,QAAO,KAAK;WAEPC,GAAY;AACnB,UAAO,MAAM,4BAA4B,aAAa,QAAQ,EAAE,UAAU,OAAO;;;;;;;AC6HvF,SAAgB,aAAa,OAA0B;CACrD,MAAM,sBAAM,IAAI;AAChB,MAAK,MAAM,OAAO,OAAO,SAAS,IAAI,MAAM,MAAM;EAChD,MAAM,IAAI,IAAI;AACd,MAAI,CAAC,EAAG;AACR,MAAI;GACF,MAAM,IAAI,IAAI,IAAI;GAClB,MAAM,OAAO,EAAE,SAAS;GACxB,MAAM,OAAO,EAAE,OAAO,IAAI,EAAE,SAAS;GACrC,MAAM,QAAQ,EAAE,aAAa,WAAW,EAAE,aAAa,WAAW,EAAE,WAAW;AAC/E,OAAI,IAAI,GAAG,MAAM,IAAI,OAAO;UACtB;GACN,MAAM,WAAW,EAAE,QAAQ,OAAO;AAClC,OAAI,SAAU,KAAI,IAAI;;;AAG1B,QAAO,MAAM,KAAK;;AAMpB,SAAgB,iBAAiB,GAAG,QAAmD;CACrF,MAAM,yBAAS,IAAI;AACnB,MAAK,MAAM,SAAS,OAClB,MAAK,MAAM,UAAU,aAAa,OAAQ,QAAO,IAAI;CAEvD,MAAM,OAAO,MAAM,KAAK;AACxB,QAAO,KAAK,SAAS,IAAI,OAAO;;;;;ACjMlC,SAAgB,KAAK,MAAe,MAAqB,cAAiD;CACxG,MAAM,UAAU,IAAI,QAAQ,EAAE,gBAAgB;CAG9C,MAAM,cAAc,MAAM;AAC1B,KAAI,YACF,KAAI;AACF,MAAI,QAAQ,aAAa,SAAS,GAAG,MAAM,QAAQ,IAAI,GAAG;SACpD;AAGV,KAAI,aACF,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,cAAe,SAAQ,IAAI,GAAG;CAGpE,MAAM,EAAE,SAAS,MAAO,GAAG,SAAS,QAAQ;AAC5C,QAAO,IAAI,SAAS,KAAK,UAAU,OAAO;EAAE,QAAQ;EAAK,GAAG;EAAM;;;AAGpE,SAAgB,SAAS,SAAkB,MAA2B,SAAyB;AAC7F,KAAI,CAAC,MAAM,YAAa;CACxB,IAAIC;CACJ,MAAM,aAAa,iBAAiB,GAAI,KAAK,eAAe;AAC5D,KAAI,eAAe,KAAK;AACtB,kBAAgB;AAChB,UAAQ,IAAI,+BAA+B;YAClC,MAAM,QAAQ,aAAa;EACpC,MAAM,SAAS,SAAS,QAAQ,IAAI,aAAa;AACjD,MAAI,UAAU,WAAW,SAAS,SAAS;AACzC,mBAAgB;AAChB,WAAQ,IAAI,+BAA+B;AAC3C,WAAQ,OAAO,QAAQ;;;AAG3B,SAAQ,IAAI,gCAAgC;AAC5C,SAAQ,IAAI,gCAAgC;AAE5C,KAAI,iBAAiB,kBAAkB,IACrC,SAAQ,IAAI,oCAAoC;;AAIpD,SAAgB,WAAW,KAAkF;AAC3G,QAAO,IAAI,SAAS,IAAI,MAAM;EAAE,QAAQ,IAAI;EAAQ,SAAS,IAAI;;;AAGnE,SAAgB,SAAS,GAA0C;AACjE,QAAO,OAAO,MAAM,YAAY,MAAM;;AAGxC,eAAsB,SAAS,SAAoC;AACjE,KAAI;AACF,SAAO,MAAM,QAAQ;SACf;AACN,SAAO;;;AAIX,SAAgB,gBAAgB,SAA0C;CACxE,MAAMC,MAA8B;AACpC,SAAQ,SAAS,GAAG,MAAM;AAAE,MAAI,KAAK;;AACrC,QAAO;;;;;AC5DT,eAAsB,mCAAmC,KAAuD;AAC9G,KAAI,IAAI,WAAW,UAAU,IAAI,aAAa,oCAAqC,QAAO;CAE1F,MAAM,OAAO,MAAM,SAAS,IAAI;AAChC,KAAI,CAAC,SAAS,MACZ,QAAO,KAAK;EAAE,MAAM;EAAgB,SAAS;IAAwB,EAAE,QAAQ;CAGjF,MAAM,iBAAiB,OAAO,KAAK,mBAAmB,WAAW,KAAK,iBAAiB;CACvF,MAAM,iBAAiB,OAAO,KAAK,mBAAmB,WAAW,KAAK,iBAAiB;CACvF,MAAM,oBAAoB,SAAU,KAAiC,qBAChE,KAAiC,oBAClC;CACJ,MAAM,WAAW,SAAS,KAAK,YAAY,KAAK,WAAW;CAC3D,MAAM,wBAAwB,SAAS,KAAK,yBAAyB,KAAK,wBAAwB;CAClG,MAAM,+BAAgC,KAAiC;CACvE,MAAM,wBAAwB,SAAU,KAAiC,yBACpE,KAAiC,wBAClC;AAEJ,KAAI,CAAC,eACH,QAAO,KAAK;EAAE,MAAM;EAAgB,SAAS;IAAuC,EAAE,QAAQ;AAEhG,KAAI,CAAC,eACH,QAAO,KAAK;EAAE,MAAM;EAAgB,SAAS;IAAuC,EAAE,QAAQ;AAEhG,KAAI,CAAC,SACH,QAAO,KAAK;EAAE,MAAM;EAAgB,SAAS;IAAiC,EAAE,QAAQ;AAE1F,KAAI,CAAC,sBACH,QAAO,KAAK;EAAE,MAAM;EAAgB,SAAS;IAA8C,EAAE,QAAQ;CAGvG,MAAM,YAAY,IAAI,KAAK;CAC3B,MAAM,oCAAoC,SAAS,sBAC9C,OAAQ,kBAA8C,gCAAgC,WACvF,OAAQ,kBAA8C,+BAA+B,IAAI,SACzF;CACJ,IAAIC,kBAEO;CACX,IAAIC,mBAAkC;AAEtC,KAAI,kCACF,KAAI,CAAC,UACH,oBAAmB;MACd;EACL,MAAM,OAAO,OAAQ,SAAiD,UAAU,WAC5E,OAAQ,SAAgC,SAAS,MAChD,OAAQ,SAAgC,SAAS,WAAW,OAAQ,SAA+B,QAAQ,MAAM;AACtH,MAAI,CAAC,KAAK,OACR,oBAAmB;OACd;GACL,MAAM,MAAM,MAAM,UAAU,8CAA8C;IACxE,eAAe;IACf;IACA,0BAA0B;;AAE5B,OAAI,CAAC,IAAI,GACP,oBAAmB,IAAI,WAAW;OAElC,mBAAkB;;;CAM1B,MAAM,QAAQ;EACZ;EACA;EACA;EACA;EACA;EACA;;CAGF,MAAM,SAAS,MAAM,IAAI,QAAQ,6BAA6B;CAC9D,IAAIC,WAA2C;AAE/C,KAAI,OAAO,WAAW,aAAa,gBACjC,KAAI;AACF,QAAM,UAAU,sBAAsB;GACpC,cAAc,gBAAgB;GAC9B,WAAW,gBAAgB;GAC3B,yBAAyB,gBAAgB;GACzC,2BAA2B,gBAAgB;;AAE7C,aAAW;GACT,GAAG;GACH,kBAAkB;IAChB,cAAc,gBAAgB;IAC9B,WAAW,gBAAgB;IAC3B,2BAA2B,gBAAgB;IAC3C,qBAAqB,gBAAgB;IACrC,sBAAsB,gBAAgB;IACtC,gBAAgB,gBAAgB;;;UAG7BC,GAAY;AACnB,qBAAmB,qBAAsB,KAAK,OAAO,MAAM,YAAY,aAAa,IAChF,OAAQ,EAA4B,WAAW,0CAC/C,OAAO,KAAK;;AAIpB,KAAI,OAAO,WAAW,iBACpB,YAAW;EACT,GAAG;EACH,SAAS,GAAG,SAAS,WAAW,8CAA8C,kCAAkC,iBAAiB;;AAIrI,QAAO,KAAK,UAAU,EAAE,QAAQ,SAAS,UAAU,MAAM;;;;;AC3G3D,eAAsB,sBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,aAAa,QAAQ,MAAM;AACjC,MAAI,CAAC,SAAS,eAAe,CAAC,WAC5B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAMC,MAAqC,MAAM,QAAQ,gBAAgB;EACzE,MAAM,QAAQ,QAAQ;AAEtB,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,GAAG;IAAK;;;UAE1BC,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,KACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAGlC,MAAM,EAAE,aAAa,UAAU;AAC/B,MAAI,CAAC,SAAS,gBAAgB,CAAC,YAC7B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAGlC,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,gBAAgB,OAAO;EAC7B,MAAM,eAAe,QAAQ;EAC7B,IAAIC;AAEJ,MAAI,gBAAgB,kBAAkB,aACpC,OAAM,MAAM,QAAQ,iBAAiB;WAC5B,QAAQ,YAAY,eAC7B,OAAM,MAAM,QAAQ,6BAA6B,eAAe,EAAE;MAElE,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;;UAEhBD,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;EACd,MAAM,eAAe,QAAQ;EAC7B,MAAM,cAAc,QAAQ;AAE5B,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IACnB;IACA,QAAQ,QAAQ,mBAAmB,iBAAiB;IACpD;;;UAGGA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;;;;ACnH5D,eAAsB,aAAa,KAAuD;AACxF,KAAI,CAAC,IAAI,KAAK,WAAW,IAAI,WAAW,SAAS,IAAI,aAAa,WAAY,QAAO;CAGrF,MAAM,UAAU,iBAAiB,GAAI,IAAI,KAAK,eAAe;CAC7D,MAAM,cAAc,YAAY,MAAM,MAAM;CAC5C,MAAM,SAAS,IAAI,QAAQ;CAC3B,MAAM,mBAAmB,QAAQ,UAAU,OAAO;CAClD,MAAM,sBAAsB,QAAQ,IAAI,KAAK;CAC7C,IAAIE,eAA8B;AAClC,KAAI,oBAAoB,OACtB,KAAI;EACF,MAAM,EAAE,cAAc,OAAO,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAC/E,iBAAe,MAAM;SACf;CAGV,MAAM,gBAAgB,IAAI,QAAQ,eAAe,+BAA+B;CAChF,MAAM,oBAAoB,QAAQ;AAElC,QAAO,KAAK;EACV,IAAI;EAEJ;EACA,QAAQ;GAAE,YAAY;GAAkB;;EACxC,SAAS;GAAE,YAAY;GAAmB;;EAC1C,kBAAkB,EAAE,YAAY;EAChC,MAAM,EAAE,gBAAgB;IACvB,EAAE,QAAQ;;AAGf,eAAsB,YAAY,KAAuD;AACvF,KAAI,CAAC,IAAI,KAAK,UAAU,IAAI,WAAW,SAAS,IAAI,aAAa,UAAW,QAAO;CAEnF,MAAM,UAAU,iBAAiB,GAAI,IAAI,KAAK,eAAe;CAC7D,MAAM,cAAc,YAAY,MAAM,MAAM;CAE5C,MAAM,SAAS,IAAI,QAAQ;CAC3B,MAAM,mBAAmB,QAAQ,UAAU,OAAO;CAClD,MAAM,sBAAsB,QAAQ,IAAI,KAAK;CAE7C,IAAIC,cAA8B;CAClC,IAAIC,qBAAoC;CACxC,IAAIC;AACJ,KAAI,oBAAoB,OACtB,KAAI;AACF,QAAM,OAAO;AACb,gBAAc;EACd,MAAM,EAAE,iBAAiB,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAC3E,uBAAqB,gBAAgB;UAC9BC,GAAQ;AACf,gBAAc;AACd,gBAAc,GAAG,WAAW,OAAO;;CAIvC,MAAM,KAAK,IAAI,QAAQ,gBACnB,MAAM,IAAI,QAAQ,cAAc,6BAChC;EAAE,YAAY;EAAO,SAAS;EAAM,SAAS;;CAEjD,MAAM,MACH,mBAAmB,gBAAgB,OAAO,UAC1C,GAAG,aAAa,GAAG,YAAY,OAAO;AAEzC,QAAO,KAAK;EACV;EACA,QAAQ;GACN,YAAY;GACZ,OAAO,mBAAmB,cAAc;GACxC,cAAc;GACd,OAAO;;EAET,kBAAkB,EAAE,YAAY;EAChC,SAAS;EACT,MAAM,EAAE,gBAAgB;IACvB,EAAE,QAAQ,KAAK,MAAM;;;;;AC5E1B,eAAsB,mBAAmB,KAAuD;AAC9F,KAAI,IAAI,WAAW,UAAU,IAAI,aAAa,iBAAkB,QAAO;CAEvE,MAAM,SAAS,OAAO,IAAI,QAAQ,QAAQ,IAAI,aAAa,IAAI;CAC/D,MAAM,eACJ,OAAO,SAAS,oBAChB,OAAO,IAAI,IAAI,aAAa,IAAI,YAAY,IAAI,WAAW,OAC3D,OAAO,IAAI,IAAI,aAAa,IAAI,oBAAoB,IAAI,WAAW;CAErE,MAAM,UAAU,MAAM,SAAS,IAAI;CACnC,MAAM,SAAS,yBAAyB,SAAS,EAAE,SAAS,IAAI,QAAQ;AACxE,KAAI,CAAC,OAAO,GACV,QAAO,KAAK;EAAE,MAAM,OAAO;EAAM,SAAS,OAAO;IAAW,EAAE,QAAQ,OAAO;CAE/E,MAAM,EAAE,WAAW,WAAW,iBAAiB;AAE/C,KAAI,CAAC,IAAI,QAAQ,cACf,QAAO,KACL;EAAE,MAAM;EAA8B,SAAS;IAC/C,EAAE,QAAQ;AAId,KAAI,gBAAgB,IAAI,SAAS,OAAO,IAAI,MAAM,cAAc,YAAY;AAC1E,MAAI,MAAM,UACR,IAAI,QAAQ,cACT,qBAAqB;GAAE;GAAW;GAAW;KAC7C,MAAM,aAAW;AAChB,OAAI,OAAO,KAAK,kCAAkC;IAChD,SAASC,UAAQ,YAAY;IAC7B;IACA,OAAOA,UAAQ,UAAU,SAAYA,UAAQ;;KAGhD,OAAO,QAAa;AACnB,OAAI,OAAO,MAAM,+BAA+B;IAC9C;IACA,OAAO,KAAK,WAAW,OAAO;;;AAItC,SAAO,KAAK;GAAE,SAAS;GAAM,QAAQ;GAAM;KAAa,EAAE,QAAQ;;CAGpE,MAAM,SAAS,MAAM,IAAI,QAAQ,cAAc,qBAAqB;EAAE;EAAW;EAAW;;AAC5F,QAAO,KAAK,QAAQ,EAAE,QAAQ,OAAO,UAAU,MAAM;;;;;ACxBvD,SAAgB,iBAAiB,MAA4B;CAC3D,MAAM,IAAK,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAQ,QACzD,OACD;CACJ,MAAM,MAAM,EAAE,eAAe,EAAE;AAC/B,QAAO,QAAQ,WAAW,WAAW;;;;;AC1BvC,eAAsB,kBAAkB,KAAuD;AAC7F,KAAI,IAAI,WAAW,SAAS,IAAI,aAAa,IAAI,OAAQ,QAAO;AAEhE,KAAI;EACF,MAAM,UAAU,IAAI,KAAK;AACzB,MAAI,CAAC,QACH,QAAO,KAAK;GAAE,eAAe;GAAO,MAAM;GAAqB,SAAS;KAAiC,EAAE,QAAQ;EAGrH,MAAM,SAAS,MAAM,QAAQ,MAAM,gBAAgB,IAAI,QAAQ;AAC/D,SAAO,KACL,OAAO,KACH;GAAE,eAAe;GAAM,QAAQ,OAAO;MACtC,EAAE,eAAe,SACrB,EAAE,QAAQ,OAAO,KAAK,MAAM;UAEvBC,GAAQ;AACf,SAAO,KAAK;GAAE,eAAe;GAAO,MAAM;GAAY,SAAS,GAAG,WAAW;KAAoB,EAAE,QAAQ;;;AAI/G,eAAsB,oBAAoB,KAAuD;AAC/F,KAAI,IAAI,WAAW,UAAU,IAAI,aAAa,IAAI,WAAY,QAAO;CAErE,MAAM,MAAM,KAAK,EAAE,SAAS,QAAQ,EAAE,QAAQ;CAC9C,MAAM,UAAU,IAAI,KAAK;AACzB,KAAI,QAEF,KAAI,QAAQ,IAAI,cAAc,QAAQ;AAExC,QAAO;;AAGT,eAAsB,qBAAqB,KAAuD;AAChG,KAAI,IAAI,WAAW,UAAU,IAAI,aAAa,mBAAoB,QAAO;CAEzE,MAAM,OAAO,MAAM,SAAS,IAAI;CAChC,MAAM,cAAc,iBAAiB;CACrC,MAAM,UAAU,IAAI,KAAK;AACzB,KAAI,CAAC,QACH,QAAO,KAAK;EAAE,MAAM;EAAqB,SAAS;IAAiC,EAAE,QAAQ;CAE/F,MAAM,MAAM,MAAM,QAAQ,QAAQ,OAAO,YAAY,IAAI,QAAQ,QAAQ;AACzE,KAAI,CAAC,IAAI,MAAM,CAAC,IAAI,IAClB,QAAO,KACL;EAAE,MAAM,IAAI,QAAQ;EAAgB,SAAS,IAAI,WAAW;IAC5D,EAAE,QAAS,IAAI,SAAS,iBAAkB,MAAM;CAGpD,MAAM,MAAM,KAAK,gBAAgB,WAAW,EAAE,IAAI,SAAS;EAAE,IAAI;EAAM,KAAK,IAAI;IAAO,EAAE,QAAQ;AACjG,KAAI,gBAAgB,YAAY,IAAI,IAClC,KAAI;AACF,MAAI,QAAQ,IAAI,cAAc,QAAQ,eAAe,IAAI;SACnD;AAEV,QAAO;;;;;ACnDT,eAAsB,aAAa,KAAuD;AACxF,KAAI,IAAI,WAAW,UAAU,IAAI,aAAa,0BAA0B;EACtE,MAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,CAAC,UAAU,CAAE,MAAM,OAAO,cAC5B,QAAO,KAAK;GAAE,MAAM;GAAmB,SAAS;KAAoD,EAAE,QAAQ;EAGhH,MAAM,OAAO,MAAM,SAAS,IAAI;EAChC,MAAM,QAAQ,SAAS,SAAS,OAAO,KAAK,eAAe,YAAY,KAAK,WAAW,SAAS;AAChG,MAAI,CAAC,MACH,QAAO,KAAK;GAAE,MAAM;GAAgB,SAAS;KAA4B,EAAE,QAAQ;EAGrF,MAAM,MAAM,MAAM,sBAAsB,QAAQ,EAC9C,MAAM,EAAE,YAAY,OAAQ,KAAiC;AAE/D,SAAO,WAAW;;AAGpB,KAAI,IAAI,WAAW,UAAU,IAAI,aAAa,2BAA2B;EACvE,MAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,CAAC,UAAU,CAAE,MAAM,OAAO,cAC5B,QAAO,KAAK;GAAE,MAAM;GAAmB,SAAS;KAAoD,EAAE,QAAQ;EAGhH,MAAM,OAAO,MAAM,SAAS,IAAI;EAChC,MAAM,QAAQ,SAAS,SAClB,OAAO,KAAK,gBAAgB,YAAY,KAAK,YAAY,SAAS,KAClE,OAAQ,KAAiC,UAAU,YACnD,OAAQ,KAAiC,OAAO,SAAS;AAC9D,MAAI,CAAC,MACH,QAAO,KAAK;GAAE,MAAM;GAAgB,SAAS;KAAwC,EAAE,QAAQ;EAGjG,MAAM,MAAM,MAAM,uBAAuB,QAAQ,EAC/C,MAAM;GACJ,aAAa,OAAQ,KAAiC;GACtD,OAAO,OAAQ,KAAiC;;AAGpD,SAAO,WAAW;;AAGpB,KAAI,IAAI,WAAW,SAAS,IAAI,aAAa,oBAAoB;EAC/D,MAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,CAAC,UAAU,CAAE,MAAM,OAAO,cAC5B,QAAO,KAAK;GAAE,MAAM;GAAmB,SAAS;KAAoD,EAAE,QAAQ;EAEhH,MAAM,MAAM,MAAM,uBAAuB;AACzC,SAAO,WAAW;;AAGpB,QAAO;;;;;ACzDT,eAAsB,qBAAqB,KAAuD;AAChG,KAAI,CAAC,IAAI,sBAAsB,IAAI,aAAa,IAAI,mBAAoB,QAAO;AAC/E,KAAI,IAAI,WAAW,OAAQ,QAAO;CAElC,MAAM,OAAO,MAAM,SAAS,IAAI;CAChC,MAAM,QAAQ,SAAS,SAClB,OAAQ,KAAa,SAAS,YAC9B,QAAS,KAAa,SACtB,QAAS,KAAa;AAC3B,KAAI,CAAC,MACH,QAAO,KAAK;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;IAAuC,EAAE,QAAQ;CAG3G,MAAM,SAAS,MAAM,IAAI,QAAQ,sBAAsB;EACrD,MAAM,OAAQ,KAAa;EAC3B,gBAAiB,KAAa;EAC9B,QAAQ,IAAI;;AAGd,KAAI,CAAC,UAAU,CAAC,OAAO,GACrB,QAAO,KAAK;EACV,IAAI;EACJ,MAAM,QAAQ,QAAQ;EACtB,SAAS,QAAQ,SAAS;IACzB,EAAE,QAAQ;AAGf,QAAO,KAAK;EACV,IAAI;EACJ,eAAe,OAAO,mBAAmB;EACzC,QAAQ;EACR,SAAS,OAAO,WAAW;IAC1B,EAAE,QAAQ;;;;;ACjCf,SAAgB,2BAA2B,QAA6C;AACtF,KAAI,OAAO,GAAI,QAAO;AACtB,SAAQ,OAAO,MAAf;EACE,KAAK,YACH,QAAO;EACT,KAAK,kBACH,QAAO;EACT,KAAK,qBACH,QAAO;EACT,KAAK,WACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,QACE,QAAO;;;;;;ACJb,SAAgBC,WAAS,GAA0C;AACjE,QAAO,CAAC,CAAC,KAAK,OAAO,MAAM,YAAY,CAAC,MAAM,QAAQ;;AAgSxD,SAAgB,mCAAmC,KAAoD;AACrG,KAAI,CAACA,WAAS,KAAM,QAAO;CAC3B,MAAM,OAAO,iBAAiB,IAAI;AAClC,KAAI,SAAS,+BAAgC,QAAO;CACpD,MAAM,MAAM,iBAAiB,IAAI;CACjC,MAAM,YAAY,iBAAiB,IAAI;CACvC,MAAM,eAAe,iBAAiB,IAAI;CAC1C,MAAM,OAAO,iBAAiB,IAAI;AAClC,KAAI,CAAC,OAAO,CAAC,aAAa,CAAC,gBAAgB,CAAC,KAAM,QAAO;AACzD,QAAO;EAAE;EAAK;EAAM;EAAW;EAAc;;;;;;AC5S/C,SAAS,cAAc,OAAsC;AAC3D,QAAO,CAAC,CAAC,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ;;AAGhE,SAAgB,iBAAiB,OAAqD;AACpF,KAAI,CAAC,cAAc,OAAQ,QAAO;CAClC,MAAM,UAAU,OAAO,MAAM,YAAY,WAAW,MAAM,UAAU;CACpE,MAAM,QAAQ,OAAO,MAAM,UAAU,WAAW,MAAM,QAAQ;CAC9D,MAAM,eAAe,OAAO,MAAM,iBAAiB,WAAW,MAAM,eAAe;CACnF,MAAM,uBAAuB,MAAM,QAAQ,MAAM,oBAAoB,OAAO;CAC5E,MAAM,uBAAuB,MAAM,QAAQ,MAAM,oBAAoB,MAAM,iBAAiB,SAAS;CACrG,MAAM,+BAA+B,MAAM,QAAQ,MAAM,4BAA4B,OAAO;CAC5F,MAAM,+BAA+B,MAAM,QAAQ,MAAM,4BAA4B,MAAM,yBAAyB,SAAS;AAC7H,QAAO;EACL,GAAI,UAAU,EAAE,YAAY;EAC5B,GAAI,QAAQ,EAAE,UAAU;EACxB,GAAI,gBAAgB,OAAO,EAAE,iBAAiB;EAC9C,GAAI,wBAAwB,OAAO,EAAE,yBAAyB;EAC9D,GAAI,wBAAwB,OAAO,EAAE,yBAAyB;EAC9D,GAAI,gCAAgC,OAAO,EAAE,iCAAiC;EAC9E,GAAI,gCAAgC,OAAO,EAAE,iCAAiC;;;AAIlF,SAAS,+BAA+B,OAAyB;AAC/D,KAAI,CAAC,cAAc,OAAQ,QAAO;AAClC,QAAO,cAAc,MAAM,aAAa,cAAc,MAAM;;AAc9D,eAAsB,wCAAwC,OAIjB;AAC3C,KAAI,+BAA+B,MAAM,MACvC,QAAO;EAAE,IAAI;EAAM,MAAM;EAAY,SAAS,MAAM;;CAGtD,MAAM,UAAU,MAAM;AACtB,KAAI,CAAC,QACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAqB,SAAS;;CAG1D,MAAM,SAAS,MAAM,QAAQ,MAAM,MAAM;AACzC,KAAI,CAAC,OAAO,GACV,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,SAAS,mCAAmC,OAAO;AACzD,KAAI,CAAC,OACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,cAAc,cAAc,MAAM,QAAQ,MAAM,OAAO;AAC7D,QAAO;EACL,IAAI;EACJ,MAAM;EACN,WAAW,OAAO;EAClB,QAAQ,OAAO;EACf,SAAS;;;;;;AC9Db,eAAsB,uBAAuB,KAAuD;AAClG,KAAI,IAAI,WAAW,SAAS,IAAI,aAAa,8BAA8B;EACzE,MAAMC,cAAY,IAAI,KAAK;AAC3B,MAAI,CAACA,YACH,QAAO,KAAK;GACV,IAAI;GACJ,YAAY;GACZ,MAAM;GACN,SAAS;KACR,EAAE,QAAQ;AAEf,SAAO,KAAK;GAAE,IAAI;GAAM,YAAY;KAAQ,EAAE,QAAQ;;AAGxD,KAAI,IAAI,WAAW,OAAQ,QAAO;CAElC,MAAM,WAAW,IAAI;AACrB,KACE,aAAa,+BACV,aAAa,gCACb,aAAa,kCACb,aAAa,kCACb,aAAa,sCACb,aAAa,6CACb,aAAa,8CAEhB,QAAO;CAGT,MAAM,OAAO,MAAM,SAAS,IAAI;CAChC,MAAM,YAAY,IAAI,KAAK;AAE3B,SAAQ,UAAR;EACE,KAAK,6BAA6B;AAChC,OAAI,CAAC,WAAW;AACd,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,YAAY;;AAClG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAsB,SAAS;OAAwD,EAAE,QAAQ;;GAElI,MAAM,IAAK,QAAQ;AACnB,OAAI,OAAO,KAAK,+BAA+B;IAC7C,OAAO;IACP,QAAQ,IAAI;IACZ,eAAe,OAAO,EAAE,kBAAkB,WAAW,EAAE,gBAAgB;IACvE,8BAA8B,OAAO,EAAE,6BAA6B,WAAW,EAAE,yBAAyB,SAAS;IACnH,oBAAqB,wBAAwB,KAAK,OAAO,EAAE,uBAAuB,WAAY,EAAE,qBAAqB;IACrH,UAAU,iBAAkB,EAAwC;;GAEtE,MAAM,SAAS,MAAM,UAAU,uBAAuB;AACtD,OAAI,OAAO,KAAK,gCAAgC;IAC9C,OAAO;IACP,QAAQ,2BAA2B;IACnC,IAAI,OAAO;IACX,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;;AAE5C,UAAO,KAAK,QAAQ,EAAE,QAAQ,2BAA2B;;EAE3D,KAAK,8BAA8B;AACjC,OAAI,CAAC,WAAW;AACd,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,YAAY;;AAClG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAsB,SAAS;OAAwD,EAAE,QAAQ;;GAElI,MAAM,UAAU,IAAI,KAAK;AACzB,OAAI,CAAC,SAAS;AACZ,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,UAAU;;AAChG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAqB,SAAS;OAAgD,EAAE,QAAQ;;GAGzH,MAAM,IAAK,QAAQ;AACnB,OAAI,OAAO,KAAK,+BAA+B;IAC7C,OAAO;IACP,QAAQ,IAAI;IACZ,cAAc,OAAO,EAAE,iBAAiB,WAAW,EAAE,eAAe;IACpE,8BAA8B,OAAO,EAAE,6BAA6B,WAAW,EAAE,yBAAyB,SAAS;IACnH,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAAE,cAAc,YAAY;IACxE,UAAU,iBAAkB,EAAwC;;GAGtE,MAAM,SAAS,MAAM,UAAU,wBAAwB;GACvD,MAAM,SAAS,2BAA2B;AAC1C,OAAI,OAAO,KAAK,gCAAgC;IAAE,OAAO;IAAU;IAAQ,IAAI,OAAO;IAAI,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;;AACpI,OAAI,CAAC,OAAO,GAAI,QAAO,KAAK,QAAQ,EAAE;GAEtC,MAAM,YAAY,OAAO,OAAO,aAAa,IAAI;GACjD,MAAM,SAAS,EAAE,SAAS;GAC1B,MAAM,OAAO,EAAE,SAAS;GACxB,MAAM,eAAe,EAAE;GACvB,MAAM,QAAQ,MAAM,QAAQ,QAAQ,QAAQ;IAAE,MAAM;IAAgC;IAAW;IAAc;;GAC7G,MAAM,cAAc,iBAAiB;GAErC,MAAM,MAAM,KAAK,gBAAgB,WAAW;IAAE,GAAG;IAAQ,KAAK;OAAc;IAAE,GAAG;IAAQ,KAAK;MAAS,EAAE,QAAQ;AACjH,OAAI,gBAAgB,SAClB,KAAI,QAAQ,IAAI,cAAc,QAAQ,eAAe;AAEvD,UAAO;;EAET,KAAK,gCAAgC;AACnC,OAAI,CAAC,WAAW;AACd,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,YAAY;;AAClG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAsB,SAAS;OAAwD,EAAE,QAAQ;;GAElI,MAAM,IAAK,QAAQ;AACnB,OAAI,OAAO,KAAK,+BAA+B;IAC7C,OAAO;IACP,QAAQ,IAAI;IACZ,cAAc,OAAO,EAAE,iBAAiB,WAAW,EAAE,eAAe;IACpE,8BAA8B,OAAO,EAAE,6BAA6B,WAAW,EAAE,yBAAyB,SAAS;IACnH,SAAS,OAAO,EAAE,YAAY,WAAW,EAAE,UAAU;IACrD,uBAAuB,MAAM,QAAQ,EAAE,qBAAqB,EAAE,kBAAkB,SAAS;IACzF,UAAU,iBAAkB,EAAwC;;GAGtE,MAAM,WAAW,aAAwD;AACvE,QAAI,OAAO,KAAK,gCAAgC;KAC9C,OAAO;KACP,QAAQ,2BAA2BC;KACnC,IAAIA,SAAO;KACX,GAAIA,SAAO,OAAO,EAAE,MAAMA,SAAO,SAAS;;AAE5C,WAAO,KAAKA,UAAQ,EAAE,QAAQ,2BAA2BA;;GAG3D,MAAM,YAAY,MAAM,wCAAwC;IAC9D;IACA,SAAS,OAAO,YAAY,IAAI,QAAQ,QAAQ;IAChD,SAAS,IAAI,KAAK;;AAEpB,OAAI,CAAC,UAAU,GAAI,QAAO,QAAQ;GAElC,MAAM,SAAS,UAAU,SAAS,aAC9B,MAAM,UAAU,0BAA0B,UAAU,WACpD,MAAM,UAAU,qCAAqC;IACrD,WAAW,UAAU;IACrB,QAAQ,UAAU;IAClB,SAAS,UAAU;;AAEvB,UAAO,QAAQ;;EAGjB,KAAK,gCAAgC;AACnC,OAAI,CAAC,WAAW;AACd,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,YAAY;;AAClG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAsB,SAAS;OAAwD,EAAE,QAAQ;;GAElI,MAAM,IAAK,QAAQ;AACnB,OAAI,OAAO,KAAK,+BAA+B;IAC7C,OAAO;IACP,QAAQ,IAAI;IACZ,cAAc,OAAO,EAAE,iBAAiB,WAAW,EAAE,eAAe;IACpE,cAAc,OAAO,EAAE,iBAAiB,WAAW,EAAE,eAAe;IACpE,eAAe,OAAO,EAAE,kBAAkB,WAAW,EAAE,gBAAgB;IACvE,uBAAuB,OAAO,EAAE,sBAAsB,WAAW,EAAE,kBAAkB,SAAS;;GAEhG,MAAM,SAAS,MAAM,UAAU,yBAAyB;AACxD,OAAI,OAAO,KAAK,gCAAgC;IAC9C,OAAO;IACP,QAAQ,2BAA2B;IACnC,IAAI,OAAO;IACX,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;;AAE5C,UAAO,KAAK,QAAQ,EAAE,QAAQ,2BAA2B;;EAE3D,KAAK,oCAAoC;AACvC,OAAI,CAAC,WAAW;AACd,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,YAAY;;AAClG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAsB,SAAS;OAAwD,EAAE,QAAQ;;GAElI,MAAM,IAAK,QAAQ;AACnB,OAAI,OAAO,KAAK,+BAA+B;IAC7C,OAAO;IACP,QAAQ,IAAI;IACZ,kBAAkB,OAAO,EAAE,qBAAqB,WAAW,EAAE,mBAAmB;IAChF,8BAA8B,OAAO,EAAE,6BAA6B,WAAW,EAAE,yBAAyB,SAAS;;GAErH,MAAM,SAAS,MAAM,UAAU,6BAA6B;AAC5D,OAAI,OAAO,KAAK,gCAAgC;IAC9C,OAAO;IACP,QAAQ,2BAA2B;IACnC,IAAI,OAAO;IACX,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;;AAE5C,UAAO,KAAK,QAAQ,EAAE,QAAQ,2BAA2B;;EAE3D,KAAK,2CAA2C;AAC9C,OAAI,CAAC,WAAW;AACd,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,YAAY;;AAClG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAsB,SAAS;OAAwD,EAAE,QAAQ;;AAElI,OAAI,CAAC,UAAU,4BAA4B;IACzC,MAAMA,WAAS;KAAE,IAAI;KAAO,MAAM;KAAa,SAAS;;AACxD,WAAO,KAAKA,UAAQ,EAAE,QAAQ,2BAA2BA;;GAE3D,MAAM,IAAK,QAAQ;AACnB,OAAI,OAAO,KAAK,+BAA+B;IAC7C,OAAO;IACP,QAAQ,IAAI;IACZ,sBAAsB,OAAO,EAAE,qBAAqB,WAAW,EAAE,iBAAiB,SAAS;IAC3F,kBAAkB,OAAO,EAAE,qBAAqB,WAAW,EAAE,mBAAmB;IAChF,uBAAuB,OAAO,EAAE,sBAAsB,WAAW,EAAE,kBAAkB,SAAS;;GAEhG,MAAM,SAAS,MAAM,UAAU,2BAA2B;AAC1D,OAAI,OAAO,KAAK,gCAAgC;IAC9C,OAAO;IACP,QAAQ,2BAA2B;IACnC,IAAI,OAAO;IACX,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;;AAE5C,UAAO,KAAK,QAAQ,EAAE,QAAQ,2BAA2B;;EAE3D,KAAK,+CAA+C;AAClD,OAAI,CAAC,WAAW;AACd,QAAI,OAAO,KAAK,+BAA+B;KAAE,OAAO;KAAU,QAAQ,IAAI;KAAQ,YAAY;;AAClG,WAAO,KAAK;KAAE,IAAI;KAAO,MAAM;KAAsB,SAAS;OAAwD,EAAE,QAAQ;;AAElI,OAAI,CAAC,UAAU,gCAAgC;IAC7C,MAAMA,WAAS;KAAE,IAAI;KAAO,MAAM;KAAa,SAAS;;AACxD,WAAO,KAAKA,UAAQ,EAAE,QAAQ,2BAA2BA;;GAE3D,MAAM,IAAK,QAAQ;AACnB,OAAI,OAAO,KAAK,+BAA+B;IAC7C,OAAO;IACP,QAAQ,IAAI;IACZ,sBAAsB,OAAO,EAAE,qBAAqB,WAAW,EAAE,iBAAiB,SAAS;IAC3F,kBAAkB,OAAO,EAAE,qBAAqB,WAAW,EAAE,mBAAmB;IAChF,iBAAiB,MAAM,QAAQ,EAAE,eAAe,EAAE,YAAY,SAAS;;GAEzE,MAAM,SAAS,MAAM,UAAU,+BAA+B;AAC9D,OAAI,OAAO,KAAK,gCAAgC;IAC9C,OAAO;IACP,QAAQ,2BAA2B;IACnC,IAAI,OAAO;IACX,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;;AAE5C,UAAO,KAAK,QAAQ,EAAE,QAAQ,2BAA2B;;EAE3D,QACE,QAAO;;;;;;ACxPb,eAAsB,mCAAmC,KAAuD;AAC9G,KAAI,IAAI,WAAW,UAAU,IAAI,aAAa,kCAAmC,QAAO;CAExF,MAAM,OAAO,MAAM,SAAS,IAAI;CAChC,MAAM,QAAQ,SAAS,SAClB,SAAU,KAAiC,aAC3C,SAAU,KAAiC;AAChD,KAAI,CAAC,MACH,QAAO,KAAK;EAAE,MAAM;EAAgB,SAAS;IAAuD,EAAE,QAAQ;AAGhH,KAAI;EACF,MAAM,cAAc,iBAAiB;EACrC,MAAM,MAAM;EACZ,MAAM,SAAS,MAAM,IAAI,QAAQ,6BAA6B;EAC9D,MAAM,SAAS,OAAO,UAAU,MAAM;AACtC,MAAI,WAAW,IACb,QAAO,KAAK;GAAE,MAAM;GAAgB,SAAS,OAAO,WAAW;KAAwC,EAAE;EAG3G,MAAM,MAAM,KAAK,QAAQ,EAAE,QAAQ;EACnC,MAAM,UAAU,IAAI,KAAK;AACzB,MAAI,WAAW,OAAO,SACpB,KAAI;GACF,MAAM,SAAS,OAAO,IAAI,UAAU,WAAW;GAC/C,MAAM,QAAQ,MAAM,QAAQ,QAAQ,QAAQ;IAAE,MAAM,IAAI,UAAU;IAAO,aAAa,IAAI,UAAU;;AACpG,OAAI,OAAO,KAAK,oBAAoB,gBAAgB,WAAW,qBAAqB,MAAM,OAAO;AACjG,OAAI,gBAAgB,SAClB,KAAI,QAAQ,IAAI,cAAc,QAAQ,eAAe;QAChD;IACL,MAAM,UAAU,MAAM,IAAI,QAAQ;AAClC,WAAO,IAAI,SAAS,KAAK,UAAU;KAAE,GAAG;KAAS,KAAK;QAAU;KAAE,QAAQ;KAAK,SAAS,IAAI;;;UAExF;AAGV,SAAO;UACAC,GAAQ;AACf,SAAO,KAAK;GAAE,MAAM;GAAY,SAAS,GAAG,WAAW;KAAoB,EAAE,QAAQ;;;;;;ACxCzF,eAAsB,gBAAgB,KAAuD;AAC3F,KAAI,IAAI,WAAW,MAAO,QAAO;AACjC,KAAI,IAAI,aAAa,2BAA2B,IAAI,aAAa,yBAA0B,QAAO;CAGlG,MAAM,cAAc,IAAI,KAAK,mBAAmB,IAAI,KAAK,wBAAwB,IAAI,WAAW,UAAU;CAC1G,MAAM,cAAc,IAAI,KAAK,cAAc,IAAI,WAAW,UAAU;CACpE,MAAM,UAAU,MAAM,IAAI,QAAQ,cAAc;EAAE;EAAY,QAAQ;;AACtE,QAAO,KAAK,EAAE,WAAW;EAAE,QAAQ;EAAK,SAAS,EAAE,iBAAiB;;;;;;ACRtE,SAAgB,uBAAuB,SAAsB,MAA2D;AAItH,QAAO,KAAK,cAAc,SAAY,KAAK,YAAY,QAAQ;;;;;AC8BjE,SAAgB,uBAAuB,SAAsB,OAA2B,IAAkB;CACxG,MAAM,iBAAiB,IAAI,SAAS,aAAa,EAAE,QAAQ;CAE3D,MAAM,YAAY,uBAAuB,SAAS;CAClD,MAAMC,gBAAoC;EAAE,GAAG;EAAM;;CAErD,MAAM,SAAS,cAAc,eAAe,QAAQ;CACpD,MAAM,aAAa,cAAc,eAAe,UAAU;CAC1D,MAAM,SAAS,mBAAmB,cAAc;CAChD,IAAI,qBAAqB;AACzB,KAAI,cAAc,eAChB,sBAAqB,mBAAmB,cAAc,eAAe,UAAU;CAEjF,MAAM,uBAAuB,cAAc,gBAAgB;CAE3D,MAAMC,WAA2E;EAC/E;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGF,QAAO,eAAe,QAAQ,SAAkB,KAAa,OAA+C;EAC1G,MAAM,MAAM,IAAI,IAAI,QAAQ;EAC5B,MAAM,EAAE,aAAa;EACrB,MAAM,SAAS,QAAQ,OAAO;AAG9B,MAAI,WAAW,WAAW;GACxB,MAAM,MAAM,IAAI,SAAS,MAAM,EAAE,QAAQ;AACzC,YAAS,IAAI,SAAS,eAAe;AACrC,UAAO;;EAGT,MAAMC,UAAmF;GACvF;GACA;GACA;GACA,MAAM;GACN;GACA;GACA;GACA;GACA;;EAGF,MAAMC,MAA8B;GAClC,GAAG;GACH;GACA;GACA;GACA;;AAGF,MAAI;AACF,QAAK,MAAM,MAAM,UAAU;IACzB,MAAM,MAAM,MAAM,GAAG;AACrB,QAAI,KAAK;AACP,cAAS,IAAI,SAAS,eAAe;AACrC,YAAO;;;AAIX,UAAO;WACAC,GAAY;GACnB,MAAM,MAAM,KAAK;IAAE,MAAM;IAAY,SAAS,aAAa,QAAQ,EAAE,UAAU,OAAO;MAAM,EAAE,QAAQ;AACtG,YAAS,IAAI,SAAS,eAAe;AACrC,UAAO"}